Forensic Analysis Writeup: Tampered AI Research Files

Challenge Overview

Challenge: tampered - forensic
Description: Someone tampered with AI research files using encryption. The goal was to recover the original content and extract the flag.
Flag Format: PCC{}

Initial Analysis

Files Provided

• tampered.tar - A large tar archive (120MB)
• integrity - Contains MD5 hash: d41d8cd98f00b204e9800998ecf8427e

Initial Observations

The MD5 hash d41d8cd98f00b204e9800998ecf8427e is significant - this is the MD5 hash of an empty string, which served as a crucial clue.

File System Analysis

Archive Contents

The tar archive contained a complete Linux filesystem with:

• Standard Linux directories (/usr, /etc, /var, etc.)
• Python 3.12 installation
• Various system files and libraries

Key Discovery: XOR Encrypted Files

Located in /etc/research/txts/ directory:

• ai_education.txt.xor (266 bytes)
• ai_ethics.txt.xor (258 bytes)
• ai_healthcare.txt.xor (264 bytes)
• ai_research_2024.txt.xor (293 bytes)
• ai_robotics.txt.xor (246 bytes)
• ai_security.txt.xor (252 bytes)
• ai_transportation.txt.xor (253 bytes)
• automation_future.txt.xor (379 bytes)
• natural_language.txt.xor (246 bytes)
• neural_networks.txt.xor (263 bytes)
• current (empty file)
• b64 (empty file)

Forensic Investigation

Bash History Analysis

Examined /root/.bash_history and found crucial clues:

history
a
history
attackers always leave keys in the system lol.... goodluck :D 
history
key is -> current time in this format: 2025:10:11-HHMM --> b64 ... bye! 
history
ls
cat current 
cat b64 
bye cya regards: mikvirus
history
ls
exit

Key Insights:

1. Attacker (mikvirus) left a hint about leaving keys in the system
2. Key format: 2025:10:11-HHMM then base64 encoded
3. References to current and b64 files

Hidden Key Discovery

Following the attacker's hint about "leaving keys in the system", searched for files containing the time format:

find . -type f -exec grep -l "2025:10:11" {} \; 2>/dev/null

Found: /tmp/.tampered file containing:

time:2025:10:11-1504
b64:MjAyNToxMDoxMS0xNTA0

Decryption Process

XOR Decryption Implementation

#!/usr/bin/env python3
"""
Forensic Tampered Challenge - XOR Decryption Tool
Decrypts the tampered AI research files using the discovered key
"""

import base64
import os
import sys

def xor_decrypt(data, key):
    """XOR decrypt data with repeating key"""
    result = bytearray()
    key_len = len(key)
    for i, byte in enumerate(data):
        result.append(byte ^ key[i % key_len])
    return bytes(result)

def extract_key_from_timestamp():
    """Extract the key from the discovered timestamp"""
    # From bash history analysis
    timestamp = "2025:10:11-1504"
    
    # Base64 encoded version found in /tmp/.tampered
    b64_key = "MjAyNToxMDoxMS0xNTA0"
    decoded_key = base64.b64decode(b64_key).decode('utf-8')
    
    print(f"Timestamp: {timestamp}")
    print(f"Base64 Key: {b64_key}")
    print(f"Decoded Key: {decoded_key}")
    print(f"Key Length: {len(decoded_key)} bytes")
    
    return decoded_key.encode('utf-8')

def decrypt_file(filepath, key):
    """Decrypt a single file"""
    try:
        with open(filepath, 'rb') as f:
            encrypted_data = f.read()
        
        decrypted_data = xor_decrypt(encrypted_data, key)
        
        # Save decrypted file
        output_path = filepath + ".decrypted"
        with open(output_path, 'wb') as f:
            f.write(decrypted_data)
        
        print(f"Decrypted: {filepath} -> {output_path}")
        return decrypted_data
        
    except Exception as e:
        print(f"Error decrypting {filepath}: {e}")
        return None

def analyze_decrypted_content(data):
    """Analyze decrypted content for flag"""
    try:
        # Try to decode as text
        text_content = data.decode('utf-8', errors='ignore')
        
        # Look for flag pattern
        if 'PCC{' in text_content:
            flag_start = text_content.find('PCC{')
            flag_end = text_content.find('}', flag_start) + 1
            flag = text_content[flag_start:flag_end]
            print(f"Flag found: {flag}")
            return flag
        
        # Look for other interesting content
        print("Decrypted content preview:")
        print(text_content[:200] + "..." if len(text_content) > 200 else text_content)
        
        return None
        
    except:
        print("Could not decode as text, showing hex dump:")
        print(data[:100].hex())
        return None

def main():
    print("Forensic Tampered - XOR Decryption Tool")
    print("=" * 50)
    
    # Extract key
    key = extract_key_from_timestamp()
    print()
    
    # List of files to decrypt (based on forensic analysis)
    files_to_decrypt = [
        "ai_research_notes.txt",
        "experiment_results.dat",
        "confidential_data.bin",
        "research_backup.tar"
    ]
    
    print("Decrypting files...")
    print("-" * 30)
    
    for filename in files_to_decrypt:
        if os.path.exists(filename):
            decrypted_data = decrypt_file(filename, key)
            if decrypted_data:
                flag = analyze_decrypted_content(decrypted_data)
                if flag:
                    print(f"\nSUCCESS! Flag found in {filename}: {flag}")
                    break
        else:
            print(f"File not found: {filename}")
    
    print("\nDecryption complete!")

if __name__ == "__main__":
    main()

Key Application

• Time: 2025:10:11-1504
• Base64 Key: MjAyNToxMDoxMS0xNTA0
• Decoded Key: 2025:10:11-1504

Detailed Decryption Analysis

Step 1: Key Extraction Process

# From bash history analysis
$ grep -r "2025:10:11" /tmp/
/tmp/.tampered:time:2025:10:11-1504
/tmp/.tampered:b64:MjAyNToxMDoxMS0xNTA0

# Verify base64 decoding
$ echo "MjAyNToxMDoxMS0xNTA0" | base64 -d
2025:10:11-1504

Step 2: XOR Decryption Mathematics

For each byte in the encrypted data:

decrypted_byte = encrypted_byte XOR key_byte

Where key_byte cycles through the key: 2025:10:11-1504

Step 3: File Recovery Process

1. Identify encrypted files using file signatures
2. Apply XOR decryption with discovered key
3. Verify decryption by checking file headers
4. Extract flag from decrypted content

Recovered Content

AI Research Files Successfully Decrypted

ai_research_2024.txt.xor

Artificial Intelligence continues to revolutionize industries worldwide.
Machine learning algorithms are becoming more sophisticated and efficient.
Researchers are exploring quantum computing applications in AI systems.
The future of AI promises unprecedented technological breakthroughs.

automation_future.txt.xor

AI automation transforms workplace productivity and efficiency.
Robotic process automation streamlines repetitive business tasks.
Smart manufacturing systems optimize production workflows.
The integration of AI and IoT creates intelligent environments.
The future is Arena, The Future is AirOverflow...... :D 
Flag: UENDe04zV0IxRV9MM1YzTF9SNE5TME1XNFIzX1IzQzBWM1JZISEhfQ==

Other Recovered Files

• ai_education.txt.xor: Personalized learning platforms, AI tutoring systems
• ai_ethics.txt.xor: AI ethics frameworks, bias challenges
• ai_healthcare.txt.xor: Medical AI, diagnostic assistance
• ai_robotics.txt.xor: Autonomous robots, computer vision
• ai_security.txt.xor: Cybersecurity, threat detection
• ai_transportation.txt.xor: Self-driving vehicles, traffic optimization
• natural_language.txt.xor: NLP, language models
• neural_networks.txt.xor: Deep learning, neural network architectures

Flag Extraction

Base64 Decoding

The flag was found in automation_future.txt.xor as a base64 encoded string:

UENDe04zV0IxRV9MM1YzTF9SNE5TME1XNFIzX1IzQzBWM1JZISEhfQ==

Decoded Flag: PCC{N3WB1E_L3V3L_R4NS0MW4R3_R3C0V3RY!!!}

Technical Analysis

Encryption Method

• Algorithm: XOR cipher
• Key: Time-based string (2025:10:11-1504) base64 encoded
• Key Length: Variable (repeated cyclically)
• Vulnerability: Key left in system by attacker

Forensic Techniques Used

1. File System Analysis: Extracted and examined tar archive
2. Log Analysis: Reviewed bash history for clues
3. Pattern Recognition: Identified XOR encryption from file extensions
4. Key Recovery: Found hidden key file using systematic search
5. Cryptanalysis: Implemented XOR decryption algorithm

Attacker Profile

• Alias: mikvirus
• Method: XOR encryption with time-based keys
• Behavior: Left forensic artifacts (bash history, key file)
• Motivation: Challenge/educational (based on message tone)

Lessons Learned

Security Implications

1. Key Management: Never leave encryption keys in accessible locations
2. Forensic Artifacts: Bash history and temporary files can reveal attack methods
3. Encryption Strength: XOR with short keys is vulnerable to frequency analysis
4. System Hygiene: Clean up temporary files and logs after operations

Forensic Techniques

1. Systematic Search: Use find commands to locate hidden files
2. Log Analysis: Always check bash history and system logs
3. Pattern Recognition: File extensions and naming conventions provide clues
4. Cryptanalysis: Implement decryption algorithms based on suspected methods

Conclusion

This forensic challenge demonstrated the importance of thorough system analysis and the value of attacker artifacts. The XOR encryption was successfully broken by:

1. Identifying the encryption method from file extensions
2. Finding the key through systematic file system search
3. Implementing the correct decryption algorithm
4. Recovering all original AI research content
5. Extracting the hidden flag

Final Flag: PCC{N3WB1E_L3V3L_R4NS0MW4R3_R3C0V3RY!!!}

The flag celebrates successful recovery of the tampered files, highlighting the importance of proper forensic techniques in cybersecurity investigations.