English [Juniors CTF 2016] [Forensic 500 – Lost everything but hope] Write Up


Mabel: What`s up, Gruncle???
Stan: I left a phone here and went to the store to sell something useless. When I got back I saw this
*shows a broken mobile*
Mabel: OMG!
Soos: Gonna get some insulating tape.
Stan: Restore the justice!

A few hours later
Dipper: Hm, who could do this?.. Soos, I managed to restore some files, maybe you can help to find something. Will you?
Soos: Of course, Dipper.


The given resource is a zipped file with a directory “sdcard”, containing stuff related to Android.

In the interesting we found:

- /sdcard/Download: 2 images
- /sdcard/Android/data: data from apps like Facebook, VKontakte, Firefox, Telegram
- /sdcard/.vkontakte/cache/audio_messages

The 2 images didn’t contain interesting things and no stenography either.

In the data directory, nothing interesting too.
(If you like music, we retrieved the titles of the 3 songs from com.vkontakte.android/cache: The Beatles – Yesterday, John Lennon – Imagine and The Beatles – Help!. :D)

The remaining file in “.vkontakte/cache/audio_messages” is named “397087112_439151831.ogg” and less than 1KB.
File naming is related to the userid on VK: https://vk.com/id397087112.

Flag was waddles_the_d3stroyer

