Blue Team Labs — “Employee of the Year”

Sep 13




John received the 'Best Employee of the Year' award for his hard work
at FakeCompany Ltd. Unfortunately, today John deleted some important
files (typical John!). It’s your job to recover the deleted files and
capture all the flags contained within!

We are given a “.dd” file. A DD file is a disk image, a replica of a hard disk drive. Files with the “.dd” extension are usually created with an imaging tool called dd, a command-line utility for creating disk images on UNIX and Linux systems.

We can use a tool called “binwalk” to see the contents of the disk. Binwalk is a powerful tool commonly used for analyzing and extracting data from binary files, including disk images.

(Screenshot: contents of recoverfiles.dd)

We can see that we have multiple types of data, including a PDF, archive files, a GIF and a PNG. We can then extract the files to investigate further and answer the questions.

We will then use a tool called “foremost” to recover the files. Foremost is a forensic program that recovers lost files based on their headers, footers, and internal data structures.

Foremost can work on image files, such as those generated by dd, Safeback, EnCase, etc., or directly on a drive.
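To illustrate the header/footer carving described above, here is an added Python example (not from the original write-up and not foremost's own code). It covers only PNG and PDF, and the function names and the sample "disk" buffer are constructed for illustration.

```python
# Added example: header/footer file carving over a raw image buffer.
# The magic values are the real PNG and PDF signatures; everything else
# (function names, sample data) is constructed for this illustration.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),  # signature, IEND chunk + CRC
    "pdf": (b"%PDF-", b"%%EOF"),                        # header, end-of-file marker
}
MAX_SIZE = 10 * 1024 * 1024  # stop looking for a footer after this many bytes


def carve(image: bytes, max_size: int = MAX_SIZE):
    """Return (type, offset, data) for every header with a footer in range."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + max_size)
            if end != -1:
                end += len(footer)
                found.append((kind, pos, image[pos:end]))
                pos = image.find(header, end)
            else:
                # Header without a footer: the file was truncated, fragmented
                # or partly overwritten, so a pure carver cannot recover it.
                pos = image.find(header, pos + 1)
    return sorted(found, key=lambda item: item[1])


def sample_image() -> bytes:
    """Constructed 'disk': slack space, one PNG, one PDF, one truncated PDF."""
    png = b"\x89PNG\r\n\x1a\n" + b"constructed-pixels" + b"IEND\xaeB`\x82"
    pdf = b"%PDF-1.4\nconstructed body\n%%EOF"
    orphan = b"%PDF-1.7\ntruncated, no trailer"
    return b"\x00" * 512 + png + b"\xff" * 100 + pdf + b"\x00" * 64 + orphan


if __name__ == "__main__":
    for kind, offset, data in carve(sample_image()):
        print(f"{kind}: offset={offset} size={len(data)}")
```

Because carving ignores the filesystem, recovered files lose their original names and timestamps, and a header whose footer is missing is skipped rather than recovered.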

We can then use “eog” to view the GIF.

To find flag one, we have to go through all the recovered files and view them. I found flag1 in the PNG recovered folder.

I went through the whole file again and got to the zip folder. When unzipped, it gives a series of .xml files inside a Word document. When we cat the main document.xml, we see it contains a base64 string. Using CyberChef, we can decode it and get the flag.

To find flag three, we will head into the PDF folder. I tried opening the file, but unfortunately it just shows an error. So I assumed maybe it isn’t a PDF file and used file to verify, but it is actually a PDF file. So I tried looking for metadata using exiftool and found the flag as the author of the PDF.

Since it is URL-encoded, we can use CyberChef to decode it and get the correct flag.

We will use cfdisk to mount it in a virtual environment and find the filesystem type. The cfdisk command is used to create, delete, and modify partitions on a disk device. It displays or manipulates the disk partition table through a text-based “graphical” interface.

For this answer, I was searching for numerous Linux disk forensic tools and found one named TestDisk. TestDisk is a free and open-source data recovery utility that helps users recover lost partitions or repair corrupted filesystems. TestDisk can collect detailed information about a corrupted drive.

So I used TestDisk to play with the .dd further and found the original name of the mp4.