Boston Key Party 2015 - Heath Street

Recover deleted files from a Linux ext4 file system and decompress one with KGB Archiver.

Introduction

Heath Street was a digital forensic challenge at Boston Key Party 2015.

During my time at KGB I learned how to hide all the stuff from alpha-dog. But damn it, I somehow lost some of the most important files.

We are also given a file named "secretArchive.6303dd5dbddb15ca9c4307d0291f77f4".

Identification

First we run file to determine the file type:

file secretArchive.6303dd5dbddb15ca9c4307d0291f77f4
secretArchive.6303dd5dbddb15ca9c4307d0291f77f4: Linux rev 1.0 ext4 filesystem data, UUID=035b2734-be8c-46dd-af8f-1b3523dcd9d2 (extents) (huge files)

The file is an ext4 file system image, so we mount it to look at its contents. Mount it read-only through a loop device so that the mount itself does not write into the image (the deleted data we are after lives in unallocated blocks and in the journal, and any write risks overwriting it); better still, work on a copy and keep the original untouched.

mount -o ro,loop secretArchive.6303dd5dbddb15ca9c4307d0291f77f4 /mnt/tmp

The file system contains 1986 files, most of them ASCII text taken from The Venona Story. One file, "secret1337", stands out from the rest: it is a password-protected ZIP archive. Unfortunately it is just a decoy.

Recovering deleted files

We are going to recover all deleted files from this file system with extundelete. It reads old inode copies out of the ext4 journal and writes everything it can reconstruct into a RECOVERED_FILES/ directory under the current working directory. Unmount the image first: extundelete works on the raw image file, not on the mount point.

umount /mnt/tmp
extundelete --restore-all secretArchive.6303dd5dbddb15ca9c4307d0291f77f4

This produces a pile of additional ASCII text files in RECOVERED_FILES/, plus one hidden file named ".secret31337" (note the leading dot: ls without -a will not list it).
Running file on it identifies it as a KGB Archiver file with compression level 3.
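With close to two thousand look-alike text files on the image and more coming back from extundelete, the quickest way to find the interesting one is to classify everything by magic bytes and list the types that occur only once. The script below is an added example for this writeup, not code from the original post or from the challenge; it walks a directory (dotfiles included, unlike plain ls), labels each file as ZIP, KGB Archiver, ASCII text or data, and returns the outliers. The sample tree it builds is constructed here so it runs offline, and the "KGB_arch" header with the level byte at offset 10 is an assumption taken from libmagic's KGB rule rather than from a format specification; on a real case, point triage() at RECOVERED_FILES/ instead.

```python
#!/usr/bin/env python3
"""Triage a directory of files by magic bytes and flag the outliers.

Added example for the Heath Street writeup (not part of the original post).
build_sample_tree() constructs a toy tree shaped like the challenge image so
the script runs offline; replace it with extundelete's RECOVERED_FILES/ on a
real case.
"""
import os
import tempfile
import zipfile
from collections import Counter

# Magic-byte rules, checked in order. The "KGB_arch" prefix and the level byte
# at offset 10 are assumptions taken from libmagic's KGB Archiver rule.
MAGIC = [
    (b"PK\x03\x04", "ZIP archive"),
    (b"KGB_arch", "KGB Archiver file"),
]
KGB_LEVEL_OFFSET = 10


def classify(path):
    """Return a coarse type label for one file, based on its first bytes."""
    with open(path, "rb") as f:
        head = f.read(64)
    for magic, label in MAGIC:
        if head.startswith(magic):
            if magic == b"KGB_arch" and len(head) > KGB_LEVEL_OFFSET:
                level = head[KGB_LEVEL_OFFSET:KGB_LEVEL_OFFSET + 1].decode("ascii", "replace")
                return "%s, compression level %s" % (label, level)
            return label
    if not head:
        return "empty"
    # Printable ASCII plus common whitespace: call it text, as `file` would.
    if all(32 <= b < 127 or b in b"\t\n\r" for b in head):
        return "ASCII text"
    return "data"


def triage(root):
    """Classify every regular file under root (hidden files included).

    Returns (histogram of type labels, sorted list of (relative path, label)
    for labels that occur exactly once, i.e. the files worth a closer look).
    """
    types = {}
    for dirpath, _, names in os.walk(root):
        for name in names:  # os.walk lists dotfiles; `ls` without -a does not
            p = os.path.join(dirpath, name)
            if os.path.isfile(p):
                types[os.path.relpath(p, root)] = classify(p)
    hist = Counter(types.values())
    outliers = sorted((p, t) for p, t in types.items() if hist[t] == 1)
    return hist, outliers


def build_sample_tree(root):
    """Construct a toy tree: a few text files, one ZIP decoy, one hidden KGB
    archive. All contents are invented stand-ins, not challenge data."""
    for i in range(5):
        with open(os.path.join(root, "venona%02d.txt" % i), "w") as f:
            f.write("Constructed filler text standing in for The Venona Story.\n")
    with zipfile.ZipFile(os.path.join(root, "secret1337"), "w") as z:
        z.writestr("decoy.txt", "nothing to see here\n")  # not password protected
    with open(os.path.join(root, ".secret31337"), "wb") as f:
        # Header assumed from libmagic's rule ("KGB_arch -" + level digit);
        # the remainder is opaque filler, not a real KGB payload.
        f.write(b"KGB_arch -3\x00" + b"\x00" * 32)


def main():
    root = tempfile.mkdtemp(prefix="heath_street_")
    build_sample_tree(root)
    hist, outliers = triage(root)
    for label, n in hist.most_common():
        print("%5d  %s" % (n, label))
    print("outliers:")
    for p, t in outliers:
        print("  %s: %s" % (p, t))
    return hist, outliers


if __name__ == "__main__":
    main()
```

The same idea in one line of shell is file -b RECOVERED_FILES/* RECOVERED_FILES/.* | sort | uniq -c, but the script keeps the path-to-type mapping so the outliers come back by name rather than having to be grepped out afterwards.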

The last step is to get hold of KGB Archiver and decompress the archive to obtain the flag. KGB Archiver is a Windows tool; on Linux the command-line build (packaged as kgb on Debian-based distributions) is the easiest way to unpack it.