SAINTCON 2014 Hackers Challenge Walkthrough: Computer Forensics

You can find the SAINTCON 2014 Hackers Challenge Introduction here.

And these are all the files referenced below:

The challenges referenced below can be found here:

CF100 – I Lost My Keys?


Sometimes what you are looking for is a left over from a very long time ago. Disks are treasure troves of information... If only you know where to look

Disk Image: CF100.dd.gz


Uncompress it and you have a DD disk image. Mount it. Nothing meaningful there. (Windows users might like this.)

OK, let's see if there is anything useful in the full DD image:
strings ~/HC/CF/Files/CF100.dd | less

Among the strings you will find this block of text left over on the disk:

UtahSAINT 2014

Its not unusual for a drive to contain lots of stuff from previous drive formats because of the fact that simply formating the drive does not remove the previous data. When you are working with confidential data you should be sure to wipe the drive with ZEROS or RANDOM data. There are reasons for ether type of wipe. ZEROS make it obvious that the drive has been wiped, and are used in computer forensic labs to sanitize drives before evidence is copied to them. This preserves the integrity of the evidence. Wiping a drive with RANDOM data makes it nearly impossible to prove that the drive was wiped. When people do not wipe there drives there is often a ton of very valuable data on them…

The HC Key for this challenge is: WIPEYOURDRIVES
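To see why the key survived, here is an added example (not code from the original post) that does what `strings` does over a raw image and then shows the difference between a quick format and a zero wipe. The "disk image", its sector layout and the key text are all constructed for the example; nothing here reads the CF100 image.

```python
# Added example (not from the original post): a minimal `strings`-style scanner
# over a raw image, plus a demonstration of why a quick format leaves old file
# contents in place while a zero wipe does not. The "disk image" is constructed
# here; it is not the CF100 image.
import re

SECTOR = 512

def extract_strings(data, min_len=4):
    """Printable-ASCII runs of at least min_len bytes, like `strings -n min_len`."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]

def build_image(sectors=64):
    """Constructed image: a fake boot sector, a fake directory sector, and a
    file body sitting deep in the data area."""
    img = bytearray(sectors * SECTOR)
    img[0:SECTOR] = b"FAKEBOOT".ljust(SECTOR, b"\x00")
    img[SECTOR:2 * SECTOR] = b"DIR:NOTES.TXT@40".ljust(SECTOR, b"\x00")
    body = b"The HC Key for this challenge is: EXAMPLEKEY\n"  # constructed key
    img[40 * SECTOR:40 * SECTOR + len(body)] = body
    return img

def quick_format(img):
    """Mimic a quick format: only the metadata sectors at the front are rewritten."""
    out = bytearray(img)
    out[0:SECTOR] = b"NEWBOOT".ljust(SECTOR, b"\x00")
    out[SECTOR:2 * SECTOR] = bytes(SECTOR)
    return out

def zero_wipe(img):
    """Overwrite every sector with zeros."""
    return bytearray(len(img))

def is_zero_wiped(img):
    """A zero wipe is easy to verify: no non-zero byte anywhere."""
    return img.count(0) == len(img)

def find_strings(img, needle, min_len=4):
    """Strings in the image that contain needle (what `strings | grep` gives you)."""
    return [s for s in extract_strings(bytes(img), min_len) if needle in s]

def demo():
    img = build_image()
    return {
        "fresh": find_strings(img, "HC Key"),
        "after_quick_format": find_strings(quick_format(img), "HC Key"),
        "after_zero_wipe": find_strings(zero_wipe(img), "HC Key"),
    }

if __name__ == "__main__":
    for stage, hits in demo().items():
        print(stage, hits)
```

The quick format replaces the boot and directory sectors, so the file is unreachable through the filesystem, yet the scanner still finds its body; only the zero wipe removes it, and is_zero_wiped shows why a zero wipe is the easy one to verify afterwards.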

CF200 – Invisible Files


What should you do when what you want is no longer there?

Disk Image: CF200.dd.gz


Repeat the steps from CF100, but you know it's not going to be that simple! Uncompress it and you have a DD disk image. Mount it. Nothing too useful there. (Windows users might like this.)

OK, let's see if there is anything useful in the full DD image:
strings ~/HC/CF/Files/CF200.dd | less

or maybe:
strings ~/HC/CF/Files/CF200.dd | grep key

or on Windows:
strings CF\Files\image-compressed.dd | findstr key

and there it is!

Or maybe: “what should you do when what you want is no longer there?” Undelete!

I like to use for lots of data recovery. (There are hundreds of alternatives available.)

Use it, and it will find a couple of HTML files that weren't there before! View the HC Key in the source at the top of one of them.
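Undelete tools that work without the filesystem rely on carving: scan the raw image for a file's header, then take everything up to its footer. As an added example (not the tool the post uses, nor any code from the original), here is a carver for HTML files with a helper that pulls the first comment out of each carved file, which is where this challenge keeps its key. The image, the file offsets and the key text are constructed for the example.

```python
# Added example (not from the original post): carve HTML files out of a raw image
# by header/footer signature, the way undelete/carving tools recover files whose
# directory entries are gone. The image is constructed here; it is not CF200.
import re

HEADER = re.compile(rb"<!DOCTYPE html|<html", re.IGNORECASE)
FOOTER = b"</html>"

def carve_html(image, max_size=1 << 20):
    """Return (offset, bytes) for every region that starts with an HTML header
    and ends at the nearest </html> within max_size bytes of it."""
    found = []
    pos = 0
    while True:
        m = HEADER.search(image, pos)
        if not m:
            break
        end = image.find(FOOTER, m.start(), m.start() + max_size)
        if end == -1:              # header without a footer in range: skip it
            pos = m.end()
            continue
        end += len(FOOTER)
        found.append((m.start(), image[m.start():end]))
        pos = end                  # continue after this file, not inside it
    return found

def first_comment(html):
    """The CF200 key sits in a comment near the top of the source; return the
    first HTML comment of a carved file, or None if it has none."""
    m = re.search(rb"<!--(.*?)-->", html, re.DOTALL)
    return m.group(1).strip().decode("utf-8", "replace") if m else None

def build_image():
    """Constructed image: two deleted pages whose directory entries are gone,
    so the only trace of them is their content in the data area."""
    sector = 512
    page1 = (b"<!DOCTYPE html>\n<html>\n<!-- HC Key: EXAMPLEKEY (constructed) -->\n"
             b"<head><title>deleted page</title></head><body>gone</body></html>\n")
    page2 = b"<html><body>no key here</body></html>"
    img = bytearray(sector * 32)
    img[4 * sector:4 * sector + len(page1)] = page1
    img[20 * sector:20 * sector + len(page2)] = page2
    return bytes(img)

def recover_keys(image):
    """(offset, first comment) for each carved HTML file."""
    return [(off, first_comment(html)) for off, html in carve_html(image)]

if __name__ == "__main__":
    for off, comment in recover_keys(build_image()):
        print(hex(off), comment)
```

Real carvers add more signatures and handle files whose footer is missing or whose sectors are fragmented; the loop above already guards against the common pitfall of matching the second `<html>` inside a file it has just carved.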


CF300 – iSee iKnow iFind Nothing


Computers are not the only devices that have data on them...

Image: CF300.tar.gz


Don't you love that Hogan's Heroes reference!

Same rigamarole, extract that tar.gz.

What do we have here? Taking a look at info.plist, it is "jer's iPod" backup!

LEARN MORE about iDevice backups!

You can use a tool like this: (I'm told this tool might not work on Windows 8.1; it does work on Windows 7. You can try the OR method below.)

Copy the extracted backup into the right folder, i.e. C:\Users\me\AppData\Roaming\Apple Computer\MobileSync\Backup, then easily browse the contents, and you will find a note.

OR download and open the raw files. If you open the ca3bc056d4da0bbf88b5fb3be254f3b7147e639c file in sqlitebrowser and browse the znote table, you will find a row with a ztitle of key and the zsummary holding the key!
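The hex file name is not random: old-style (pre-iOS 10) backups name each file after the SHA-1 of "domain-path", which is how the backup browsers above know which blob is the Notes database. As an added example (not code from the original post or from any of the tools mentioned), this script derives the name for HomeDomain's Library/Notes/notes.sqlite, builds a constructed notes database with a Core Data style ZNOTE table under that name, and queries it the way you would in sqlitebrowser. The database contents and the key value are constructed; it does not read "jer's iPod" backup.

```python
# Added example (not from the original post): find the Notes database inside an
# old-style iTunes backup folder by the backup's file-naming rule and read the
# ZNOTE table with sqlite3. The backup folder and database are constructed here;
# this does not read "jer's iPod" backup.
import hashlib
import os
import sqlite3
import tempfile

def backup_filename(domain, rel_path):
    """Pre-iOS 10 backups name each file SHA-1("<domain>-<path inside domain>")."""
    return hashlib.sha1(f"{domain}-{rel_path}".encode()).hexdigest()

NOTES_DB = backup_filename("HomeDomain", "Library/Notes/notes.sqlite")

def make_sample_backup(folder):
    """Write a tiny notes.sqlite-shaped database (Core Data style Z-prefixed
    columns) under the name the backup would give it. Constructed data."""
    path = os.path.join(folder, NOTES_DB)
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE ZNOTE (Z_PK INTEGER PRIMARY KEY, ZTITLE TEXT, ZSUMMARY TEXT)")
    con.executemany(
        "INSERT INTO ZNOTE (ZTITLE, ZSUMMARY) VALUES (?, ?)",
        [("shopping", "milk, eggs"), ("key", "EXAMPLEKEY (constructed)")],
    )
    con.commit()
    con.close()
    return path

def notes_with_title(folder, title):
    """Rows from ZNOTE whose ZTITLE matches, or [] if the database is absent."""
    path = os.path.join(folder, NOTES_DB)
    if not os.path.exists(path):
        return []
    con = sqlite3.connect(path)
    try:
        return con.execute(
            "SELECT ZTITLE, ZSUMMARY FROM ZNOTE WHERE ZTITLE = ?", (title,)
        ).fetchall()
    finally:
        con.close()

def demo():
    with tempfile.TemporaryDirectory() as folder:
        make_sample_backup(folder)
        return notes_with_title(folder, "key")

if __name__ == "__main__":
    print("notes.sqlite is stored as", NOTES_DB)
    print(demo())
```

Run it and compare the printed name with the file name quoted above; pointing notes_with_title at a real extracted backup folder is the same query sqlitebrowser performs by hand.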


CF400 – Duplicity


The often imitated, but never... 
... duplicated... duplicated... duplicated... duplicated... 
Genie of the Lamp!

Focus on the one photo that is different than all the rest...

Photos: CF400.tar.lrz


Decompress the LRZIP file.
Yes. From 338K to 1.3G. 10,000 copies of the same image. Beautiful picture of Kolob Canyon! (Yes I recognize that pretty place.)

Or are they the same?

Generate a hash of each file to see if they are the same: openssl dgst -md5 * > md5.txt
Parse the list to determine whether they all match.

And we find this one is different!
MD5(southernutah-03467.jpg)= f532f4cb9af0fd52fbbdf2b556ae9646

The rest are:
MD5(southernutah-09999.jpg)= c4f87dc0b04babeb6e6ec1fa1a230cb5

So what is actually different? Visually they appear the same. Doing a binary diff, they are QUITE different. And the modified file has no EXIF data.
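Parsing 10,000 lines of openssl output by eye is not fun, so here is an added example (not code from the original post) that hashes every file in a directory, groups the files by digest, reports the ones that do not share the majority digest, and then walks each odd file's JPEG segment table to check for an APP1/Exif segment, which is the "no EXIF data" observation above made mechanical. The files it hashes are tiny constructed JPEG skeletons written to a temporary directory, not the challenge photos.

```python
# Added example (not from the original post): hash a directory of files, group
# them by digest, report the odd ones out, and check each odd JPEG for an
# APP1/Exif segment. The files are constructed here (hand-built JPEG skeletons
# with no image data), not the CF400 photos.
import hashlib
import os
import struct
import tempfile
from collections import defaultdict

def digest_groups(folder, algo="sha256"):
    """Map digest -> sorted file names. md5 is fine for spotting duplicates, as
    the post does; sha256 is the better habit when digests end up in a report."""
    groups = defaultdict(list)
    for name in sorted(os.listdir(folder)):
        with open(os.path.join(folder, name), "rb") as f:
            groups[hashlib.new(algo, f.read()).hexdigest()].append(name)
    return dict(groups)

def outliers(groups):
    """Files whose digest is not the most common one."""
    majority = max(groups, key=lambda d: len(groups[d]))
    return sorted(n for d, names in groups.items() if d != majority for n in names)

def jpeg_segments(data):
    """Yield (marker, payload) for each segment before the scan data / EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (no SOI marker)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("bad marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):   # EOI or SOS: the segment table is over
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length

def has_exif(data):
    """True if an APP1 segment carrying an Exif header is present."""
    return any(m == 0xE1 and p.startswith(b"Exif\x00\x00") for m, p in jpeg_segments(data))

def fake_jpeg(with_exif, comment=b""):
    """Constructed JPEG skeleton: SOI, optional APP1/Exif, optional COM, EOI."""
    parts = [b"\xff\xd8"]
    if with_exif:
        payload = b"Exif\x00\x00" + b"MM\x00\x2a" + bytes(8)  # header only, no IFDs
        parts.append(b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload)
    if comment:
        parts.append(b"\xff\xfe" + struct.pack(">H", len(comment) + 2) + comment)
    parts.append(b"\xff\xd9")
    return b"".join(parts)

def demo(copies=20):
    """Write `copies` identical files plus one re-encoded copy without EXIF and
    with extra bytes, then return (odd file names, {name: has_exif})."""
    with tempfile.TemporaryDirectory() as d:
        original = fake_jpeg(True)
        for n in range(copies):
            with open(os.path.join(d, f"photo-{n:05d}.jpg"), "wb") as f:
                f.write(original)
        with open(os.path.join(d, "photo-00007.jpg"), "wb") as f:
            f.write(fake_jpeg(False, comment=b"constructed stand-in for the altered file"))
        odd = outliers(digest_groups(d))
        exif = {}
        for name in odd:
            with open(os.path.join(d, name), "rb") as f:
                exif[name] = has_exif(f.read())
        return odd, exif

if __name__ == "__main__":
    print(demo())
```

On the real set, digest_groups over the extracted photos gives one digest with 9,999 names and one with a single name, and has_exif on that single file reports False, matching the observations above.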

Here you make the leap to there must be hidden data.


And here you try lots of different steganography tools to see what you can get, and fixate on a tool to try.

I chose steghide and got lucky with it.

Now, when you try to extract, nothing is found without a password. What could that password be? Let's take a look at the EXIF data in the original files. Where exactly was this photo taken? Load it into iPhoto and use the Places feature, or use any other EXIF data viewer, and zoom in on the map. Ah, there it is: Kolob Canyons Viewpoint.

So steghide extract -sf southernutah-03467.jpg and in KEY.txt we have:


CF500 – Committee Pwn


Each committee member is wearing something that contains data.  This data can only be read at 125kHz.  Each item is worth 50 points.  Totaling 500 points for that part of the challenge.  If you get all the Tags, show your completed challenge list to a TJ, SJ, or JC and you will get a key for an additional 500 points.  Making the challenge worth 1000 points in total.



Go LEARN MORE about RFID, watch the video in the hint. And then find you a Proxmark3  or RFIDler.

Alas I didn’t have one. But I did get one badge scan done on display during a demo.

Something dangerous and interesting about batches of RFID badges is that they come nearly sequential! So I wrote this quick script to brute-force the 10 sequential badges:

#!/usr/bin/env ruby
require 'httpclient'

c = HTTPClient.new

# Base URL of the badge lookup page; it was lost from the original post, so
# fill it in before running.
base = ""

i = 137530098700
while i < 137530098999 do
  # Avoid BruteForce Fail
  sleep 15
  # Convert INT to HEX and build the lookup URL
  uri = base + i.to_s(16)
  p uri
  c.ssl_config.ssl_version = :TLSv1
  puts c.get_content(uri)
  i += 1
end

Well, I took my list of 10 to be verified for the extra 500 points and was told there were actually 11 committee members/badges. One badge was not in the batch; I knew whose it was, but had no RFID reader available to score the last 500 points.
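The flip side of sequential badge IDs is that the enumeration is easy to spot on the server: one client walking consecutive IDs stands out even when, as the script above does, it sleeps 15 seconds between requests to stay under a rate limit. As an added example (not code from the original post), this detector parses web-server access-log lines for a badge-lookup path and flags clients whose lookups form a run of consecutive IDs. The log lines, the /badge/<hex> path and the client addresses are constructed; only the starting ID is taken from the script above.

```python
# Added example (not from the original post): flag clients that enumerate
# consecutive badge IDs in an access log. Log lines and the /badge/<hex> path
# are constructed for this example.
import re
from collections import defaultdict

# Combined-log style request line; only the client and the request path matter here.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) HTTP/[\d.]+" (\d{3})')
LOOKUP = re.compile(r"^/badge/([0-9a-fA-F]+)$")   # constructed endpoint path

def parse(lines):
    """(client, badge_id as int) for every badge lookup; other requests are skipped."""
    out = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        p = LOOKUP.match(m.group(2))
        if p:
            out.append((m.group(1), int(p.group(1), 16)))
    return out

def enumerators(lookups, min_run=5):
    """Clients that requested at least min_run consecutive IDs in order,
    mapped to the length of their longest run. Timing is ignored on purpose:
    a slow walk through the ID space is still a walk."""
    by_client = defaultdict(list)
    for client, bid in lookups:
        by_client[client].append(bid)
    flagged = {}
    for client, ids in by_client.items():
        run = best = 1
        for a, b in zip(ids, ids[1:]):
            run = run + 1 if b == a + 1 else 1
            best = max(best, run)
        if best >= min_run:
            flagged[client] = best
    return flagged

def sample_log():
    """Constructed log: one client walking eight consecutive IDs starting at the
    script's first value, plus a client doing two unrelated lookups."""
    start = 137530098700
    lines = [
        f'10.0.0.5 - - [01/Jan/2014:10:00:{s:02d} -0600] "GET /badge/{start + s:x} HTTP/1.1" 200 17'
        for s in range(8)
    ]
    lines += [
        '10.0.0.9 - - [01/Jan/2014:10:01:00 -0600] "GET /badge/2005e1f0c1 HTTP/1.1" 200 17',
        '10.0.0.9 - - [01/Jan/2014:10:01:30 -0600] "GET /index.html HTTP/1.1" 200 512',
        '10.0.0.9 - - [01/Jan/2014:10:02:00 -0600] "GET /badge/2005e1f1a7 HTTP/1.1" 404 0',
    ]
    return lines

if __name__ == "__main__":
    print(enumerators(parse(sample_log())))
```

Pair this kind of check with non-sequential badge numbering when a batch is ordered; the detector only tells you it happened, while random IDs make the brute force impractical in the first place.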