This is the third part of a forensics challenge in a European CTF, and it is apparently the most difficult one because only three people flagged it among 700 participating. I'm only here for guidance on what could be done and only want an answer for the question in the title of this post. I'll start first by giving an overview of this challenge.
In this part of the challenge, we are given three folders and two files:

1. Downloader: It contains the following files:

    qmgr.jfm, qmgr.db, edbtmp.txt, edbres00001.jrs, edbres00002.jrs, edb.txt, edb.chk, $l30

2. Prefetch : It contains all the Prefetch files.

3. Tasks : This folder contains a lot of empty folders.

     |___ Microsoft
             
         |_____ Windows

               |________ PLA
               |________ WCM
               |________ SYncCenter
               |________ TaskScheduler
               |________ RemoteApp and Desktop Connections Update

4. $MFT

5. $J

The objective of this challenge:

   Find a password. 

My question is the following:

   Is it possible to mount an NTFS partition having only the $MFT and $J files?
  • I don't know, never tried, but why do you believe you need to **mount** it? – user10216038 Oct 23 '21 at 00:55
  • I have already seen other forensics CTFs where they give a disk image that you need to repair to find the flag, but in this one, it's different, there is only the $MFT and $J tables, prefetch files and an ESE database. I don't think any of these would store any data other than references to apps, time of creation or last execution. – Anass Naqqad Oct 23 '21 at 01:38

0 Answers