Description: There was a zip file on the desktop. I can’t remember the password for it.
We saw a zip file named “null password.zip” on the desktop. When opened, it contained 2 files, both encrypted. So it was clear that we needed to crack the zip.
First we looked at some hints from the challenge creator ;)
So Beard-0 looked at a freshly booted VM of the image (since I was lazy, had forgotten to save the initial snapshot and was already working on another forensics challenge) and checked the Temp folder under AppData/Local. There he found a folder named Rar$DI99.160 which contained one of the two files, “Null final1.pdf”. Since we now had the plaintext of one archived file, we looked at known attacks on zip files and found https://en.wikipedia.org/wiki/Known-plaintext_attack
We zipped “Null final1.pdf” into a zip of its own and installed the evaluation edition of Ultimate Zip Cracker - http://download.cnet.com/Ultimate-ZIP-Cracker/3000-2092_4-10040839.html
Selected the “Plaintext attack” recovery method.
Chose the “Null final1.pdf” zip file as plaintext file.
And finally we had the unzipped archive.
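The attack above only works because the archive uses the legacy ZipCrypto scheme rather than AES, so the first thing to check on any password-protected zip is which scheme it actually uses. The following is an added example (my own code, not part of the original writeup or of Ultimate Zip Cracker): it walks the local file headers of a constructed sample archive and reports each entry's encryption scheme; the entry names and contents are constructed, not taken from the challenge file.

```python
import struct

LOCAL_SIG = b"PK\x03\x04"                       # local file header signature
AES_EXTRA_ID, AES_METHOD = 0x9901, 99           # WinZip AES extra-field ID / method
FLAG_ENCRYPTED, FLAG_DESCRIPTOR = 0x0001, 0x0008
AES_BITS = {1: "aes-128", 2: "aes-192", 3: "aes-256"}


def zip_encryption_report(data: bytes):
    """Return [(name, scheme)] per entry: 'none', 'zipcrypto' or 'aes-<bits>'."""
    report, pos = [], 0
    while data.startswith(LOCAL_SIG, pos):      # stops at the central directory
        flags, method, comp_size, name_len, extra_len = struct.unpack_from(
            "<6xHH8xI4xHH", data, pos)
        name_end = pos + 30 + name_len
        name = data[pos + 30:name_end].decode("utf-8", "replace")
        extra = data[name_end:name_end + extra_len]
        if flags & FLAG_DESCRIPTOR:
            # Sizes live in a trailing data descriptor; skipping the payload would
            # need the central directory, which this walker does not parse.
            raise ValueError(f"{name}: streamed entry, sizes not in local header")
        if not flags & FLAG_ENCRYPTED:
            scheme = "none"
        elif method == AES_METHOD:
            scheme, epos = "aes-unknown", 0
            while epos + 4 <= len(extra):       # walk the extra-field records
                hid, size = struct.unpack_from("<HH", extra, epos)
                if hid == AES_EXTRA_ID and size >= 7 and extra[epos + 6:epos + 8] == b"AE":
                    scheme = AES_BITS.get(extra[epos + 8], "aes-unknown")
                epos += 4 + size
        else:
            scheme = "zipcrypto"                # legacy PKWARE stream cipher
        report.append((name, scheme))
        pos = name_end + extra_len + comp_size
    return report


def _entry(name: bytes, payload: bytes, flags: int, method: int, extra: bytes = b"") -> bytes:
    """Constructed local file header + payload (CRC, time and date left as 0)."""
    hdr = struct.pack("<4sHHHHHIIIHH", LOCAL_SIG, 20, flags, method, 0, 0, 0,
                      len(payload), len(payload), len(name), len(extra))
    return hdr + name + extra + payload


# Constructed sample: one ZipCrypto entry, one AES-256 entry, one unencrypted entry.
AES_EXTRA = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 8)
SAMPLE_ZIP = (_entry(b"Null final1.pdf", b"\x00" * 24, FLAG_ENCRYPTED, 8)
              + _entry(b"notes.txt", b"\x00" * 32, FLAG_ENCRYPTED, AES_METHOD, AES_EXTRA)
              + _entry(b"readme.txt", b"plain text", 0, 0)
              + b"PK\x01\x02")                  # central directory starts here
```

Any entry reported as `zipcrypto` is protected only by the scheme the plaintext attack targets; re-packing such archives with AES (or a proper encrypted container) is the fix.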