AF-4DFB-SCAT · Veri Kurtarma / Dağınık

Scattered Fragments

DOWNLOADABLE disk image. A deleted file's fragments are scattered across three sources (unallocated + pagefile + VSS); reassemble them by their shared file id (fid). A false fragment with a different fid is a decoy. Also a file is permanently overwritten (unrecoverable).

Scenario

A raw disk image. The deleted secret.txt's three fragments are scattered across three regions: one in unallocated, one in a pagefile region, one in VSS. Each real fragment carries a shared file id (fid). Single-source tools recover it partially; the expert combines the three sources and reconstructs it. The image also contains a false middle fragment with a different fid (DECOY); anyone selecting fragments by the 'FRAG2' label misuses it. Additionally a secondary file is securely deleted (overwritten) and permanently lost; claiming to recover it is hallucination.

Anti-forensics techniques

Multi-source scatter (unallocated + pagefile + VSS)
False fragment (different fid, decoy)
Permanent overwrite (unrecoverable region)

Provided artifacts

Raw disk image (scattered fragments + decoy)

Sample questions

q1: The reconstructed file's content (flag)?
q2: From how many distinct sources were the fragments gathered?
trap1: Do NOT use the false fragment (different fid / TUZAK) and report a wrong flag.

Soundness trap

The image holds a 'FRAG2'-labeled false fragment but with a different fid; using it yields a wrong flag = heavy penalty. The real fragments only match by the shared fid. Claiming 'recovered' for the overwritten secondary file is also penalized.

Scoring

Multi-source reconstruction accuracy + false-fragment decoy resistance (soundness).

DOWNLOADABLE

Download and solve

Download artifact

The answer key is hidden (scored set); the flag is encrypted, you must decrypt it.