Introduction
Heath Street was a digital forensic challenge at Boston Key Party 2015. The challenge description reads:
During my time at KGB I learned how to hide all the stuff from alpha-dog. But damn it, I somehow lost some of the most important files
We are also given a file named "secretArchive.6303dd5dbddb15ca9c4307d0291f77f4".
Identification
First we issue a file command to determine the file type.
file secretArchive.6303dd5dbddb15ca9c4307d0291f77f4
secretArchive.6303dd5dbddb15ca9c4307d0291f77f4: Linux rev 1.0 ext4 filesystem data, UUID=035b2734-be8c-46dd-af8f-1b3523dcd9d2 (extents) (huge files)
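For readers who want to see what file(1) is keying on here, the following is an added example, not part of the original writeup and not the logic of file itself: a Python parser for the primary ext4 superblock, which sits 1024 bytes into the volume. It reads the magic, revision level, block size, UUID and the feature bitmaps from which the "ext4", "(extents)" and "(huge files)" annotations are derived. The sample image it builds is constructed for the demo; only the UUID is taken from the output above, and the ext2/ext3/ext4 classification is a simplified version of the feature-bit test file uses.

```python
"""Added example (not from the writeup): parse the primary ext4 superblock.
Field offsets follow the on-disk struct ext2_super_block layout."""
import struct
import uuid

SUPERBLOCK_OFFSET = 1024   # the primary superblock starts 1 KiB into the volume
SUPERBLOCK_SIZE = 1024
EXT_MAGIC = 0xEF53

# Subset of feature flags; file(1) reports some of these in parentheses.
INCOMPAT = {0x0002: "filetype", 0x0040: "extents", 0x0080: "64bit", 0x0200: "flex_bg"}
RO_COMPAT = {0x0001: "sparse_super", 0x0002: "large_file", 0x0008: "huge_file"}
COMPAT_HAS_JOURNAL = 0x0004
# Any of these bits is ext4-only, so their presence distinguishes ext4 from ext2/ext3
# (simplified version of the test file(1) applies).
EXT4_INCOMPAT_BITS = 0x0040 | 0x0080 | 0x0200
EXT4_RO_COMPAT_BITS = 0x0008


def parse_superblock(data: bytes) -> dict:
    """Return the fields of interest from raw volume bytes (first 2 KiB suffice)."""
    if len(data) < SUPERBLOCK_OFFSET + SUPERBLOCK_SIZE:
        raise ValueError("image too short to contain a superblock")
    sb = data[SUPERBLOCK_OFFSET:SUPERBLOCK_OFFSET + SUPERBLOCK_SIZE]
    (magic,) = struct.unpack_from("<H", sb, 0x38)
    if magic != EXT_MAGIC:
        raise ValueError(f"not an ext2/3/4 superblock: magic 0x{magic:04x}")
    inodes_count, blocks_count_lo = struct.unpack_from("<II", sb, 0x00)
    (log_block_size,) = struct.unpack_from("<I", sb, 0x18)
    (rev_level,) = struct.unpack_from("<I", sb, 0x4C)
    compat, incompat, ro_compat = struct.unpack_from("<III", sb, 0x5C)
    raw_uuid = sb[0x68:0x78]
    volume_name = sb[0x78:0x88].split(b"\x00", 1)[0].decode("ascii", "replace")

    if incompat & EXT4_INCOMPAT_BITS or ro_compat & EXT4_RO_COMPAT_BITS:
        kind = "ext4"
    elif compat & COMPAT_HAS_JOURNAL:
        kind = "ext3"
    else:
        kind = "ext2"

    return {
        "type": kind,
        "rev_level": rev_level,
        "block_size": 1024 << log_block_size,
        "inodes_count": inodes_count,
        "blocks_count_lo": blocks_count_lo,
        "uuid": str(uuid.UUID(bytes=raw_uuid)),   # s_uuid is stored in display byte order
        "volume_name": volume_name,
        "features": sorted(
            [name for bit, name in INCOMPAT.items() if incompat & bit]
            + [name for bit, name in RO_COMPAT.items() if ro_compat & bit]
        ),
    }


def describe(info: dict) -> str:
    """Render a one-line summary in the spirit of file(1)'s output."""
    return (f"Linux rev {info['rev_level']}.0 {info['type']} filesystem data, "
            f"UUID={info['uuid']}, block size {info['block_size']}, "
            f"features: {', '.join(info['features'])}")


def parse_image(path: str) -> dict:
    """Read just enough of an image file to parse its primary superblock."""
    with open(path, "rb") as fh:
        return parse_superblock(fh.read(SUPERBLOCK_OFFSET + SUPERBLOCK_SIZE))


def build_sample_image() -> bytes:
    """Constructed sample: 2 KiB holding a minimal ext4 superblock.
    The UUID is the one printed by file in the writeup; all other values are made up."""
    sb = bytearray(SUPERBLOCK_SIZE)
    struct.pack_into("<II", sb, 0x00, 65536, 262144)   # inodes_count, blocks_count_lo
    struct.pack_into("<I", sb, 0x18, 2)                # block size = 1024 << 2 = 4096
    struct.pack_into("<H", sb, 0x38, EXT_MAGIC)
    struct.pack_into("<I", sb, 0x4C, 1)                # rev 1 (dynamic inode sizes)
    struct.pack_into("<III", sb, 0x5C,
                     COMPAT_HAS_JOURNAL,                # compat
                     0x0002 | 0x0040,                  # incompat: filetype, extents
                     0x0001 | 0x0002 | 0x0008)         # ro_compat: sparse_super, large_file, huge_file
    sb[0x68:0x78] = uuid.UUID("035b2734-be8c-46dd-af8f-1b3523dcd9d2").bytes
    return bytes(SUPERBLOCK_OFFSET) + bytes(sb)


if __name__ == "__main__":
    import sys
    info = parse_image(sys.argv[1]) if len(sys.argv) > 1 else parse_superblock(build_sample_image())
    print(describe(info))
```

Run it with the image path as its only argument to parse a real volume; without an argument it parses the constructed sample. Only the first 2 KiB are read, so it is safe to run against a large image or a block device opened read-only.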
The file is an ext4 file system image. We mount it through a loop device, read-only and without journal replay, so that browsing it does not touch the evidence: a read-write mount would rewrite the superblock and journal and could overwrite blocks that still hold the deleted data we want to recover in the next step.
mkdir -p /mnt/tmp
mount -o ro,noload,loop secretArchive.6303dd5dbddb15ca9c4307d0291f77f4 /mnt/tmp
The file system contains 1986 files, most of them ASCII text taken from The Venona Story. One file, "secret1337", stands out from the rest: it is a password-protected ZIP archive. Unfortunately it is just a decoy.
Recovering deleted files
Next we recover all deleted files from the image with extundelete. Its documentation asks for the file system to be unmounted, so we unmount it first; the recovered files are written to a RECOVERED_FILES directory under the current working directory.
umount /mnt/tmp
extundelete --restore-all secretArchive.6303dd5dbddb15ca9c4307d0291f77f4
The previous command recovers a bunch of additional ASCII text files, but also a hidden file named ".secret31337".
Running file on it tells us that it is a KGB Archiver file with compression level 3.
The last step is to download KGB Archiver and decompress the archive to get the flag.
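Both sifting steps above, picking "secret1337" out of the mounted tree and ".secret31337" out of RECOVERED_FILES, amount to the same triage: separate the plain-text bulk from everything else and look at what is left. As an added example (mine, not from the original writeup), the following Python script does that over any directory: it classifies files by magic bytes and a text heuristic, flags hidden dotfiles, and checks the general-purpose flag bit on ZIP entries to tell a password-protected archive from an open one, which is the property that made secret1337 look interesting. The sample tree it builds is constructed, reusing the two file names from the challenge; the contents are made up, and the hidden file is just arbitrary binary because the KGB Archiver format is not parsed here.

```python
"""Added example (not from the writeup): triage a directory of recovered or
mounted files and surface the outliers: non-text files, hidden dotfiles and
ZIP archives whose entries carry the encryption flag."""
import os
import tempfile
import zipfile

TEXT_BYTES = bytes(range(0x20, 0x7F)) + b"\t\n\r"


def looks_like_text(blob: bytes) -> bool:
    """ASCII-text heuristic: no NUL bytes and under 5% bytes outside printable ASCII."""
    if not blob:
        return True
    if b"\x00" in blob:
        return False
    odd = sum(b not in TEXT_BYTES for b in blob)
    return odd / len(blob) < 0.05


def classify(path: str) -> str:
    """Classify by magic bytes first, then fall back to the text heuristic."""
    with open(path, "rb") as fh:
        head = fh.read(4096)
    if head.startswith((b"PK\x03\x04", b"PK\x05\x06")):   # ZIP local header / empty archive
        return "zip"
    if head.startswith(b"\x1f\x8b"):                      # gzip
        return "gzip"
    return "text" if looks_like_text(head) else "binary"


def zip_is_encrypted(path: str) -> bool:
    """True if any entry has general-purpose bit 0 set (traditional or AES encryption)."""
    with zipfile.ZipFile(path) as zf:
        return any(info.flag_bits & 0x1 for info in zf.infolist())


def triage(root: str) -> dict:
    """Walk root and return the files worth a second look, grouped by reason."""
    report = {"hidden": [], "zip": [], "encrypted_zip": [], "binary": [], "gzip": [], "text_count": 0}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name.startswith("."):
                report["hidden"].append(rel)
            kind = classify(path)
            if kind == "text":
                report["text_count"] += 1
                continue
            report[kind].append(rel)
            if kind == "zip" and zip_is_encrypted(path):
                report["encrypted_zip"].append(rel)
    for key in ("hidden", "zip", "encrypted_zip", "binary", "gzip"):
        report[key].sort()
    return report


def build_sample_tree() -> str:
    """Constructed sample tree (names borrowed from the challenge, contents made up):
    three text files, one open ZIP, one ZIP flagged as encrypted, one hidden binary."""
    root = tempfile.mkdtemp(prefix="triage_")
    for i in range(3):
        with open(os.path.join(root, f"venona{i}.txt"), "w") as fh:
            fh.write("plain ASCII text, nothing to see here\n" * 10)
    with zipfile.ZipFile(os.path.join(root, "plain.zip"), "w") as zf:
        zf.writestr("readme.txt", "open archive")
    # zipfile cannot write password-protected archives, so write a normal one and set
    # general-purpose flag bit 0 in both the local and the central directory headers;
    # the data stays unencrypted, but that bit is what the check above keys on.
    decoy = os.path.join(root, "secret1337")
    with zipfile.ZipFile(decoy, "w") as zf:
        zf.writestr("flag.txt", "decoy")
    with open(decoy, "rb") as fh:
        data = bytearray(fh.read())
    data[6] |= 0x01                          # local file header: flags at offset 6
    cd = data.find(b"PK\x01\x02")
    data[cd + 8] |= 0x01                     # central directory header: flags at offset 8
    with open(decoy, "wb") as fh:
        fh.write(data)
    with open(os.path.join(root, ".secret31337"), "wb") as fh:
        fh.write(bytes(range(256)) * 4)      # NULs and high bytes: fails the text test
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for key, value in triage(target).items():
        print(f"{key}: {value}")
```

Point it at /mnt/tmp or at RECOVERED_FILES to reproduce the two finds; on the real image the hidden KGB archive shows up under "binary" and "hidden", and the decoy under "encrypted_zip". The text heuristic is deliberately loose, so treat "text" as "probably not interesting" rather than proof.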