http://nopsr.us/ctf2007prequal/
The fore300 challenge
Look at it with the file command
luffy-no-power-mac-g5:~/Documents/TOOL luffy$ file forensics300-e130c3621118e4b891fbceb67e2c94cc.dd
forensics300-e130c3621118e4b891fbceb67e2c94cc.dd: data
Look at it with the strings command
luffy-no-power-mac-g5:~/Documents/TOOL luffy$ strings forensics300-e130c3621118e4b891fbceb67e2c94cc.dd | wc -l
8400
luffy-no-power-mac-g5:~/Documents/TOOL luffy$ strings forensics300-e130c3621118e4b891fbceb67e2c94cc.dd |more
version
name
state
pool_guid
top_guid
guid
vdev_tree
type
disk
guid
path
/dev/dsk/c1d1p0
devid
>id1,cmdk@AVMware_Virtual_IDE_Hard_Drive=11000000000000000001/q
<< /Type /Page /Parent 10 0 R /Resources 3 0 R /Contents 2 0 R /MediaBox
[0 0 612 792] >>
endobj
3 0 obj
<< /ProcSet [ /PDF /Text /ImageB /ImageC /ImageI ] /ColorSpace << /Cs1
5 0 R >> /Font << /F2.0 7 0 R /F1.0 6 0 R >> /XObject << /Im1 8 0 R
endobj
8 0 obj
<< /Length 9 0 R /Type /XObject /Subtype /Image /Width 10 /Height 16
/ColorSpace 5 0 R /Interpolate true /SMask 11 0 R /BitsPerComponent
8 /Filter /FlateDecode >>
stream
endstream
endobj
9 0 obj
endobj
11 0 obj
<< /Length 12 0 R /Type /XObject /Subtype /Image /Width 10 /Height
16 /ColorSpace /DeviceGray /Interpolate true /BitsPerComponent 8 /Filter
/FlateDecode >>
stream
endstream
endobj
12 0 obj
endobj
13 0 obj
<< /Length 14 0 R /N 3 /Alternate /DeviceRGB /Filter /FlateDecode >>
stream
{@](m
()Y'
R;;\
{3qW
ACioci]g
8tph0
endstream
endobj
14 0 obj
endobj
5 0 obj
[ /ICCBased 13 0 R ]
endobj
10 0 obj
<< /Type /Pages /MediaBox [0 0 612 792] /Count 1 /Kids [ 1 0 R ] >>
endobj
15 0 obj
<< /Type /Catalog /Pages 10 0 R /Version /1.4 >>
endobj
16 0 obj
<< /Length 17 0 R /Length1 8420 /Filter /FlateDecode >>
Solaris ZFS????
pool_guid
top_guid
Solaris ZFS
VMWARE
PDF
Take a look with Autopsy & sleuthkit
luffy-no-power-mac-g5:~ luffy$ /usr/local/autopsy/autopsy
============================================================================
Autopsy Forensic Browser
http://www.sleuthkit.org/autopsy/
ver 2.08
============================================================================
Evidence Locker: /Users/luffy/Documents/evidence
Start Time: Mon Jun 18 00:51:40 2007
Remote Host: localhost
Local Port: 9999
Open an HTML browser on the remote host and paste this URL in it:
http://localhost:9999/autopsy
Keep this process running and use <ctrl-c> to exit
ASCII Contents of Unit 8385 in forensics300-e130c3621118e4b891fbceb67e2c94cc.dd-disk
j
24 0 obj
<< /Author (Kenneth Shoto!!) /Creator (Firefox) /CreationDate (D:20070314185151-04'00')
/ModDate (D:20070314185151-04'00') /Producer (Mac OS X 10.4.9 Quartz PDFContext)
/Title (kenshoto) >>
endobj
xref
0 25
0000000000 00000 n
0000009920 00000 n
0000000022 00000 n
0000010025 00000 n
0000009900 00000 n
0000011491 00000 n
0000033110 00000 n
0000017775 00000 n
0000010185 00000 n
0000010395 00000 n
0000011527 00000 n
0000010413 00000 n
0000010643 00000 n
0000010662 00000 n
0000011471 000
ASCII Contents of Unit 8448 in forensics300-e130c3621118e4b891fbceb67e2c94cc.dd-disk
%!PS-Adobe-3.0
%RBINumCopies: 1
%%Pages: (atend)
%APL_DSC_Encoding: UTF8
%%Title: (kenshoto)
%%Creator: (Firefox: cgpdftops CUPS filter)
%%CreationDate: (Wednesday, March 14 2007 19:15:09 EDT)
%%For: (Kenneth Shoto!!)
%%DocumentData: Clean7Bit
%%LanguageLevel: 2
%%PageOrder: Ascend
%%EndComments
userdict/dscInfo 5 dict dup begin
/Title(kenshoto)def
/Creator(Firefox: cgpdftops CUPS filter)def
/CreationDate(Wednesday, March 14 2007 19:15:09 EDT)def
/For(Kenneth Shoto!!)def
/Pages 1 def
end put
%%BeginProlog
%
ASCII Contents of Unit 46336 in forensics300-e130c3621118e4b891fbceb67e2c94cc.dd-disk
%!PS-Adobe-3.0
%RBINumCopies: 1
%%Pages: (atend)
%APL_DSC_Encoding: UTF8
%%Title: (kenshoto)
%%Creator: (Firefox: cgpdftops CUPS filter)
%%CreationDate: (Wednesday, March 14 2007 19:16:46 EDT)
%%For: (Kenneth Shoto!!)
%%DocumentData: Clean7Bit
%%LanguageLevel: 2
%%PageOrder: Ascend
%%EndComments
userdict/dscInfo 5 dict dup begin
/Title(kenshoto)def
/Creator(Firefox: cgpdftops CUPS filter)def
/CreationDate(Wednesday, March 14 2007 19:16:46 EDT)def
/For(Kenneth Shoto!!)def
/Pages 1 def
end put
%%BeginProlog
%
ASCII Contents of Unit 46944 in forensics300-e130c3621118e4b891fbceb67e2c94cc.dd-disk
00 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600
600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600
600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600
600 600 600
endobj
7 0 obj
/Type /Font /Subtype /TrueType /BaseFont /FJMYYL+Courier-Bold /FontDescriptor
22 0 R /Widths 23 0 R /FirstChar 32 /LastChar 119 /Encoding /MacRomanEncoding
endobj
24 0 obj
<< /Author (Kenneth Shoto!!) /Creator (Firefox) /CreationDate (D:20070314185202-04'00')
/ModDate (D:20
Dig with FTK
In each PDF file, take the text
The key for CTF 2007 Quals is:
and pull out the blacked-out part that follows it.
1. *******************
2. "in the other file"
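The following is an added example, not part of the original write-up: a Python scanner that does over the raw image what the strings and Autopsy steps above do by eye, locating PDF and PostScript markers by byte offset, listing the distinct creation timestamps, and carving contiguous PDFs. The 512-byte sector size, the function names and the embedded sample image are assumptions constructed for illustration.

```python
import re
import sys

SECTOR = 512  # assumption: unit size used to map byte offsets to sector numbers
# Markers taken from the dumps on this page (PDF objects, PostScript DSC comments).
PATTERNS = {
    "pdf_header": re.compile(rb"%PDF-(\d\.\d)"),
    "pdf_eof": re.compile(rb"%%EOF"),
    "pdf_author": re.compile(rb"/Author\s*\(([^)]*)\)"),
    "pdf_created": re.compile(rb"/CreationDate\s*\(D:(\d{14})"),
    "ps_header": re.compile(rb"%!PS-Adobe-(\d\.\d)"),
    "ps_created": re.compile(rb"%%CreationDate: \(([^)]*)\)"),
}

def scan_image(data):
    """Return sorted (offset, sector, kind, value) for every marker found."""
    hits = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(data):
            value = m.group(1).decode("latin-1") if m.groups() else ""
            hits.append((m.start(), m.start() // SECTOR, kind, value))
    return sorted(hits)

def document_versions(hits):
    """Distinct creation timestamps point at distinct saved or printed copies."""
    return sorted({(k, v) for _, _, k, v in hits if k.endswith("_created")})

def carve_pdfs(data):
    """Carve contiguous %PDF- .. %%EOF ranges; fragmented files will not carve cleanly."""
    carved = []
    for m in PATTERNS["pdf_header"].finditer(data):
        end = data.find(b"%%EOF", m.start())
        if end != -1:
            carved.append((m.start(), data[m.start():end + 5]))
    return carved

def build_sample():
    """Constructed test image: one whole PDF, a PostScript header, a truncated Info dict."""
    pdf = (b"%PDF-1.4\n24 0 obj\n<< /Author (Example Author) /Creator (Firefox) "
           b"/CreationDate (D:20070314185151-04'00') /Title (sample) >>\nendobj\n%%EOF\n")
    ps = b"%!PS-Adobe-3.0\n%%CreationDate: (Wednesday, March 14 2007 19:15:09 EDT)\n"
    frag = b"<< /Author (Example Author) /CreationDate (D:20070314185202-04'00')\n/ModDate (D:20"
    return b"\x00" * 1024 + pdf + b"\x00" * 1000 + ps + b"\xff" * 300 + frag

if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for offset, sector, kind, value in scan_image(image):
        print(f"{offset:>10} sector {sector:>6} {kind:<12} {value}")
    print("versions:", document_versions(scan_image(image)), "carved:", len(carve_pdfs(image)))
```

Run with the image path as the only argument to scan a real file; with no argument it scans the constructed sample.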