Deleted#

One of the US Cyber Games administrators deleted a File that they need for the season 5 that they need to give to Brad. Recover the deleted file from the image and provide us with the flag for this file that Brad and Jessica paid a Graphic Artist to create.

File#

One file: SVUSCG.dd-001.001: DOS/MBR boot sector; partition 1 : ID=0x7, active, start-CHS (0x0,32,33), end-CHS (0x1e6,254,63), startsector 2048, 7829504 sectors

Recovering the file#

We can use sleuthkit and its tools fls and icat

Looking at the file output we now that this is an ntfs file starting at 2048 so we use this in our fls command

1
fls -o 2048 -f ntfs SVUSCG.dd-001.001
2
r/r 4-128-1:    $AttrDef
3
r/r 8-128-2:    $BadClus
4
r/r 8-128-1:    $BadClus:$Bad
5
r/r 6-128-4:    $Bitmap
6
r/r 7-128-1:    $Boot
7
d/d 11-144-4:   $Extend
8
r/r 2-128-1:    $LogFile
9
r/r 0-128-6:    $MFT
10
r/r 1-128-1:    $MFTMirr
11
r/r 9-128-8:    $Secure:$SDS
12
r/r 9-144-11:   $Secure:$SDH
13
r/r 9-144-14:   $Secure:$SII
14
r/r 10-128-1:   $UpCase
15
r/r 10-128-4:   $UpCase:$Info
16
r/r 3-128-3:    $Volume
17
r/r 36-128-1:   autorun.inf
18
d/d 37-144-5:   boot
19
r/r 52-128-3:   bootmgr
20
d/d 1120-144-1: CFFG
21
d/d 53-144-1:   efi
22
d/d 1119-144-1: EFSTMPWP
23
r/r 1113-128-3: Email 2 Oct 1.pdf
24
r/r 1114-128-3: Memo Oct 5.pdf
25
r/r 1111-128-3: Perf Oct 20.pdf
26
r/r 1112-128-3: Resignation Oct 21.pdf
27
r/r 63-128-3:   setup.exe
28
d/d 64-144-6:   sources
29
r/r 1115-128-1: stuff.txt
30
d/d 997-144-1:  support
31
d/d 1116-144-1: System Volume Information
32
d/d 1104-144-1: upgrade
33
r/r 1110-128-1: VeraCrypt Setup 1.26.7.exe
34
-/r * 1136-128-3:       2025-06-04_11-48-36.jpg
35
V/V 1280:       $OrphanFiles

Based on the output the only file that was delted was 2025-06-04_11-48-36.jpg so now we extract that using icat -o 2048 -f ntfs SVUSCG.dd-001.001 1136-128-3 > file.jpg

Now we just open file.jpg and our flag is right there