Forensicator

This is a write-up of a CTF from dfchallenge.org called "I can't remember my password...T_T" I pursued quite a few dead ends but I've left many of these in because I think they give some context to my thought processes. As well as being a really good challenge digging into NTFS artefacts it also forced me to find alternatives to some of the licenced tools I would usually use but don't have access to at the moment. There is a short TLDR right at the bottom if you're in a hurry! 😜 The scenario: "Michael uses USB to save the file that records password of VPN service that can access to company’s server. One day, he accidentally deleted the folder where the password file was saved on business travel, and he became unable to access the company VPN. Recover the deleted password file on USB and find out the VPN password." The data: system.L01 (MD5: 4ac03fcddce09e122a682da5a3d09fdd) usb.dd (MD5: 4431d5f9e51d6d55f5f58dfe92d42348) The tools I used (on my Wi