
EVIDENCE

A buddy of mine is in serious trouble. He works for the feds and accidentally deleted a pendrive containing crucial evidence.

Can you get it back and tell us what the evidence is?

We need to know what the suspect bought.

First we unzip the archive and find an img file:

$ file evidence.img
evidence.img: DOS/MBR boot sector, code offset 0x52+2, OEM-ID "NTFS ", sectors/cluster 8, Media descriptor 0xf8, sectors/track 63, heads 255, dos < 4.0 BootSector (0x0), FAT (1Y bit by descriptor); NTFS, sectors/track 63, physical drive 0x80, sectors 1880044, $MFT start cluster 78335, $MFTMirror start cluster 2, bytes/RecordSegment 2^(-1*246), clusters/index block 1, serial number 0a6822852822828ef; contains bootstrap BOOTMGR

The image's partition table looks corrupt, as fdisk shows (partitions of hundreds of GB on an image of under 1 GB):

$ fdisk -l evidence.img
Périphérique Amorçage Début Fin Secteurs Taille Id Type
evidence.img1 1920221984 3736432267 1816210284 866G 72 inconnu
evidence.img2 1936028192 3889681299 1953653108 931,6G 6c inconnu
evidence.img3 0 0 0 0B 0 Vide
evidence.img4 27722122 27722568 447 223,5K 0 Vide

We use photorec to carve deleted files from the image and recover two wav files:

$ ls recup_dir.1
f0011328.wav f0028304.wav

These are phone calls between Dorfmeister and a bot.

We have to recover the DTMF key presses:

$ multimon-ng -a DTMF -t wav f0011328.wav

We get:

212555424054666916092533266500018449903336667770844330222666222244466330227778844#2

Some of these are digits, others are multi-tap letters, so let's convert the sequence to text to see what we've got:

A ALGAG JGOW M WAJEANJ THX FOR THE COCAINE BRUH
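As an added example (not part of the original writeup), a small multi-tap decoder that reproduces the text above from the multimon-ng digit string. It assumes that 0 and 1 act as word separators and that `#` ends the message; note that a plain digit dump carries no inter-digit pauses, so the run `2222` is ambiguous (`222`+`2` gives "CA", `2`+`222` gives "AC"), and the chunking rule below follows the author's reading.

```python
import re
from itertools import groupby

# Standard ITU E.161 keypad letters used for multi-tap texting.
KEYPAD = {
    "2": "ABC", "3": "DEF", "4": "GHI", "5": "JKL",
    "6": "MNO", "7": "PQRS", "8": "TUV", "9": "WXYZ",
}
# Assumption for this challenge: 0 and 1 act as word separators,
# and '#' terminates the message (anything after it is ignored).
SEPARATORS = "01"
END_MARKER = "#"

# DTMF digit string as reported by multimon-ng in the writeup.
DTMF_KEYS = "212555424054666916092533266500018449903336667770844330222666222244466330227778844#2"


def decode_multitap(keys: str) -> str:
    """Decode a DTMF digit string as multi-tap text.

    Consecutive presses of the same key select successive letters on that
    key. A run longer than the key's letter count is split into chunks of
    at most that many presses, so '2222' -> 'CA' rather than wrapping
    around to 'A'.
    """
    message, _, _ = keys.partition(END_MARKER)
    out = []
    for key, group in groupby(message):
        count = len(list(group))
        if key in SEPARATORS:
            out.append(" ")
        elif key in KEYPAD:
            letters = KEYPAD[key]
            full, rest = divmod(count, len(letters))
            out.append(letters[-1] * full)      # complete cycles -> last letter
            if rest:
                out.append(letters[rest - 1])   # remaining presses -> nth letter
        else:
            raise ValueError(f"unexpected DTMF symbol {key!r}")
    # Collapse runs of separators so '000' followed by '1' reads as one space.
    return re.sub(r"\s+", " ", "".join(out)).strip()


if __name__ == "__main__":
    print(decode_multitap(DTMF_KEYS))
```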

So he clearly bought cocaine.

flag: brixelCTF{cocaine}