PicoCTF Writeups: extensions
Challenge Overview
- Event: PicoCTF 2019
- Challenge Name: Extensions
- Category: Forensics
This is a really weird text file. Can you find the flag?
Get the flag from TXT.
Step 1: Understanding File Extensions and Magic Numbers
The extension (.txt, .png and so on) is only part of the name. Windows uses it to decide which program should open the file, but the program itself reads the file's contents, and in particular its first bytes, to decide what the data actually is.
1. What is a Magic Number?
A Magic Number (or File Signature) is a fixed sequence of bytes at the very beginning of a file that identifies its real format. Unlike a file extension, which anyone can change with a rename, the Magic Number is part of the file data, and it is what parsers and viewers check before they interpret the rest of the file.
Inspecting the Internal Structure
When flag.txt is opened in Notepad the content looks like garbage, but the first few characters are the key:
Appears as:
‰PNG
2. Evidence of File Obfuscation
The screenshots show a clear mismatch between the file's name and its internal structure:
- Deceptive Name: The file is named flag.txt, which makes it look like a plain text document.
- Header Signature (ASCII): When opened in Notepad, the first characters are ‰PNG. The ‰ is simply how Notepad renders the byte 0x89 in the Windows-1252 code page; the three characters after it are the literal ASCII text PNG.
- Hexadecimal Signature: In the hex view (from FTK Imager), the first four bytes are 89 50 4E 47. This is the start of the signature that every PNG file must begin with (the full signature is eight bytes: 89 50 4E 47 0D 0A 1A 0A).
3. Verification with the file Command (Linux)
The file command does not trust the .txt extension; it reads the Magic Number and reports the format it finds. Run against this file on a Linux system (such as Kali), it returns PNG image data:
It's a PNG picture file, not a text file.
4. Conclusion
The file flag.txt is not a text file; it is a PNG image. To view it as an image, rename it to flag.png. Renaming does not modify the content in any way; the extension only tells the operating system which application should open the file.
Opening the file
After renaming the file, I opened it as a PNG image:
File Magic Numbers
photo credit: gist.github.com
Why is the Magic Number Important in Forensics?
During an investigation, suspects often change file extensions to hide evidence (e.g., renaming an incriminating image from .jpg to .dll or .txt). The Magic Number defeats this because it travels with the file data, not with the name:
- Antivirus/Forensic Tools: These tools perform a "Signature Mismatch" analysis, comparing the extension against the Magic Number, to detect files that are trying to hide their true identity.
- Data Recovery: If the file system structure is damaged and file names and extensions are lost, carving and recovery software uses Magic Numbers to identify and reconstruct the original file types.
Summary of the example: the file is a PNG image that has been renamed with a .txt extension. Change the extension back to .png and the image opens normally.
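The signature-mismatch check described above, written out as an added example (it is not part of the original writeup and not the code of the file utility). It compares a file's extension against a small table of well-known magic numbers and, when the data turns out to be a PNG, goes one step further than the writeup and parses the IHDR chunk to confirm the header is a real PNG header and to read the image dimensions. The sample flag.txt is constructed in a temporary directory and contains only a PNG signature plus an IHDR chunk, not the real challenge file; the signature table and the names check_file, signature_mismatch and png_dimensions are this example's own.

```python
"""Detect extension/magic-number mismatches, as in the Extensions challenge.

Added example; the sample file written below is constructed test data,
not the real challenge file.
"""
import os
import struct
import tempfile
import zlib

# Well-known file signatures (magic numbers). The PNG signature is the full
# 8 bytes; the writeup's hex view shows only the first four (89 50 4E 47).
SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",
    "elf": b"\x7fELF",
}

# Extensions that are just other names for the same signature.
ALIASES = {"jpeg": "jpg", "jpe": "jpg", "docx": "zip", "xlsx": "zip",
           "jar": "zip", "apk": "zip"}


def identify(data: bytes):
    """Return the format whose signature matches the start of data, or None."""
    for name, magic in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return None


def signature_mismatch(filename: str, data: bytes):
    """Return (claimed_extension, actual_format, mismatch).

    mismatch is True only when the data has a known signature and that
    signature disagrees with the extension; an unknown signature is not
    treated as evidence of anything.
    """
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    ext = ALIASES.get(ext, ext)
    actual = identify(data)
    return ext, actual, actual is not None and ext != actual


def png_dimensions(data: bytes):
    """Parse the IHDR chunk of a PNG and return (width, height).

    IHDR must be the first chunk after the 8-byte signature: 4-byte length,
    4-byte type b'IHDR', 13 bytes of data, 4-byte CRC over type + data.
    """
    if not data.startswith(SIGNATURES["png"]):
        raise ValueError("not a PNG: bad signature")
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        raise ValueError("first chunk is not a valid IHDR")
    chunk_data = data[16:29]
    crc = struct.unpack(">I", data[29:33])[0]
    if zlib.crc32(ctype + chunk_data) & 0xFFFFFFFF != crc:
        raise ValueError("IHDR CRC mismatch")
    width, height = struct.unpack(">II", chunk_data[:8])
    return width, height


def make_png_header(width: int, height: int) -> bytes:
    """Build PNG signature + IHDR chunk (constructed test data, no pixel rows)."""
    # width, height, bit depth 8, colour type 6 (RGBA), compression, filter, interlace
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    crc = zlib.crc32(b"IHDR" + ihdr) & 0xFFFFFFFF
    return (SIGNATURES["png"] + struct.pack(">I", 13) + b"IHDR"
            + ihdr + struct.pack(">I", crc))


def check_file(path: str):
    """Read the first 64 bytes of a file and compare them with its extension."""
    with open(path, "rb") as f:
        head = f.read(64)
    return signature_mismatch(os.path.basename(path), head)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "flag.txt")      # constructed sample, not the CTF file
        with open(path, "wb") as f:
            f.write(make_png_header(1200, 800))
        ext, actual, bad = check_file(path)
        print(f"{path}: claims .{ext}, signature says {actual}, mismatch={bad}")
        if actual == "png":
            with open(path, "rb") as f:
                print("IHDR dimensions:", png_dimensions(f.read()))
```

Because only the first bytes are read, check_file is cheap enough to run over a whole evidence tree; a .txt that really is text returns no known signature and is not flagged, while a renamed PNG, JPEG, PDF, ZIP-based Office document or ELF is.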
Ref: PicoCTF
Read more:
* If any of the information here is incorrect, I apologise. Please let the Admin know so it can be corrected.
Thank you.
#WindowsForensic #ComputerForensics #dfir #forensics #digitalforensics #computerforensic #investigation #cybercrime #fraud