Tags: zfs 

plaidctf forensic 400 - quick writeup - by alanh0 @ VXRL

1. use a tool such as "UFS Explorer Pro" to recover files from the "disk" image
2. first you find one file, "not_the_key"; well, it's not the key, so dig deeper.
3. recovering the "disk" file with "UFS Explorer Pro" also reveals a folder containing "key.xor_encrypted" and "xor_key"
4. given the self-explanatory file names, try XOR-ing these two files together
5. python code:
---------------------------
def get_bytes_from_file(filename):
    # read the whole file as raw bytes
    with open(filename, "rb") as f:
        return f.read()

encByte = get_bytes_from_file('key.xor_encrypted')
keyByte = get_bytes_from_file('xor_key')
# XOR the last len(key) bytes of the encrypted file with the key, byte by byte
s = bytes(c1 ^ c2 for c1, c2 in zip(encByte[-len(keyByte):], keyByte))
print(s.decode('latin-1'))
---------------------------
6. got the shark :) 
< ZFS_daTa_1s_s4f35t_d4t4 >
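An added example (not code from the original writeup) generalising step 5: when the key file is shorter than the encrypted file, which bytes you pair with the key matters, so this tries the tail alignment the writeup used alongside head and repeating-key alignments and ranks them by how much printable ASCII each yields. All sample bytes below are constructed, not the challenge files.

```python
# Added example: recover a XOR-encrypted blob when the key file and the
# ciphertext differ in length. The writeup paired the *last* len(key)
# bytes of the ciphertext with the key; this tries the plausible
# alignments and ranks them by printable output. Sample data is constructed.
import string

PRINTABLE = set(string.printable.encode())


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with key, cycling the key if data is longer."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def candidates(enc: bytes, key: bytes) -> dict:
    """Decrypt under each alignment a short key file could imply."""
    n = len(key)
    return {
        "tail": xor_bytes(enc[-n:], key),   # what the writeup did
        "head": xor_bytes(enc[:n], key),    # key against the file start
        "repeat": xor_bytes(enc, key),      # key cycled over the whole file
    }


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII (0.0 for empty input)."""
    if not data:
        return 0.0
    return sum(b in PRINTABLE for b in data) / len(data)


def best_candidate(enc: bytes, key: bytes):
    """Return (alignment name, plaintext) with the most printable output."""
    cands = candidates(enc, key)
    name = max(cands, key=lambda k: printable_ratio(cands[k]))
    return name, cands[name]


# Constructed sample: 8 bytes of junk header, then a fake flag XORed with a
# key of the same length whose bytes all have the high bit set, so only the
# tail alignment decrypts to readable text. Not the real key or flag.
SAMPLE_FLAG = b"flag{constructed_example_value}"
SAMPLE_KEY = bytes(0x80 + i for i in range(len(SAMPLE_FLAG)))
_HEADER = bytes([0x00, 0x80, 0xFF, 0x13, 0x37, 0x9A, 0xCD, 0xEE])
SAMPLE_ENC = _HEADER + xor_bytes(SAMPLE_FLAG, SAMPLE_KEY)

if __name__ == "__main__":
    alignment, plain = best_candidate(SAMPLE_ENC, SAMPLE_KEY)
    print(alignment, plain.decode("latin-1"))
```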

the detailed writeup with screenshots and the hex analysis approach will be provided soon

Original writeup (http://vxalanh0.blogspot.hk/2014/05/plaidctf-2014-for-400-write-up.html).