Image Within an Image
Downloadable raw disk image (6 MiB). A visible BACKUP_KEY sits on disk, but it is a decoy. The real key is inside an embedded hiberfil (RAM dump) region; carve that region first, then decrypt the on-disk encrypted container.
Scenario
A hiberfil (memory dump) region is embedded inside the raw disk image: a RAM image within the image. A conspicuous BACKUP_KEY sits in notes.txt on disk, but it is old/fake and does NOT open the encrypted container. The real encryption key exists only in the embedded hiberfil region (lsass memory). Solution chain: carve the embedded RAM dump, extract the key material (keymat), then use it to decrypt the on-disk SHA256-CTR container. Tools that examine a single artifact or only the surface of the disk fall for the visible decoy key.
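The chain described above, run end to end on a small constructed image, as an added example that is not part of the challenge or its answer key. It tests every key candidate against the container and records which artifact each came from, so the decoy is rejected by evidence rather than by location. Assumptions, all hypothetical: the keystream is SHA256(key || counter), the embedded region starts at an `HIBR` signature and has a fixed size, and the `KEYMAT=`/`BACKUP_KEY=` markers, the `ENCBOX01` header and the `FLAG{` prefix are invented for the sample.

```python
import hashlib, re

HIBER_MAGIC = b"HIBR"    # assumed signature marking the embedded hibernation region
HIBER_SPAN = 0x4000      # constructed region size for the sample image
BOX_MAGIC = b"ENCBOX01"  # hypothetical container header, then 2-byte big-endian length
KEY_RE = re.compile(rb"(?:BACKUP_KEY|KEYMAT)=([0-9a-f]{32})")  # hypothetical markers

def sha256_ctr(key, data):
    """Assumed construction: keystream block i = SHA256(key || i as 8-byte big-endian)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out += bytes(c ^ k for c, k in zip(data[i:i + 32], ks))
    return bytes(out)

def build_sample_image():
    """Constructed 64 KiB image: decoy key on disk, real key in the embedded region."""
    real, decoy = "a1" * 16, "f0" * 16
    ct = sha256_ctr(bytes.fromhex(real), b"FLAG{constructed_sample_flag}")
    img = bytearray(64 * 1024)
    for off, blob in [(0x1000, b"notes.txt BACKUP_KEY=" + decoy.encode()),
                      (0x4000, HIBER_MAGIC),
                      (0x5200, b"lsass KEYMAT=" + real.encode()),
                      (0xC000, BOX_MAGIC + len(ct).to_bytes(2, "big") + ct)]:
        img[off:off + len(blob)] = blob
    return bytes(img)

def analyse(img):
    """Try every key candidate against the container; record where each came from."""
    hib = img.find(HIBER_MAGIC)
    box = img.find(BOX_MAGIC)
    n = int.from_bytes(img[box + 8:box + 10], "big")
    ct = img[box + 10:box + 10 + n]
    results = []
    for m in KEY_RE.finditer(img):
        in_hib = hib != -1 and hib <= m.start() < hib + HIBER_SPAN
        pt = sha256_ctr(bytes.fromhex(m.group(1).decode()), ct)
        opened = pt.startswith(b"FLAG{")  # assumed known-plaintext check
        results.append(("hiberfil" if in_hib else "disk", m.group(1).decode(),
                        pt.decode() if opened else None))
    return results

if __name__ == "__main__":
    for source, key, flag in analyse(build_sample_image()):
        print(f"{source:8} {key} -> {flag or 'does not open the container'}")
```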
Anti-forensics techniques
- Nested artifact: RAM/hiberfil within image
- Cross-artifact crypto (key in memory → container on disk)
- Visible fake key (decoy BACKUP_KEY)
Provided artifacts
- Raw disk image (6 MiB, embedded hiberfil + encrypted container)
Sample questions
- q1: The real key recovered from the embedded RAM dump?
- q2: The flag after decrypting the container?
- q3: From which source did the real key come? (hiberfil/ram)
- trap1: Do NOT report the visible on-disk BACKUP_KEY as the solution.
Soundness trap
Scoring
Nested carve + cross-artifact decrypt accuracy + visible-key decoy resistance.
Download and solve
The answer key is hidden (scored set); the flag is encrypted, so you must decrypt it.