Grindle 1 Forensics

CTF writeup for Grindle 1 Forensics from Next Hunt

>Challenge Information

Category: Forensics

Challenge Name: Grindle 1

Difficulty: Medium

Description:

Grindle got me, can you help? find the file that he stole flag: nexus(unknown) if there is spaces replace them with underscores, and all letters should be in lowercase max attempts is 7 filename includes extensions there is a second part when you solve this

Flag Format: nexus{}


>Initial Reconnaissance

We're provided with a file called grindle.tar.gz. Let's start by examining what we have:

bash

ls -lh
-rw-r--r-- 1 user user 139M Dec 12 14:31 grindle.tar.gz
-rw-r--r-- 1 user user   25 Dec 12 14:31 grindle.tar.gz:Zone.Identifier

The file is approximately 139MB, which suggests it contains a filesystem dump or disk image. Let's extract it:

bash

tar -xzf grindle.tar.gz

After extraction, we get a directory structure starting with C/, indicating this is a Windows filesystem dump:

bash

ls -la
drwxr-xr-x 5 user user   4096 Nov 14 11:09 C

>Understanding the Challenge

The challenge asks us to find a file that "Grindle stole." In forensics terms, this likely means:

  • A file that was deleted

  • A file that existed before but is now missing

  • We need to find evidence of this file's existence

In Windows forensics, we have several artifacts that can help us:

  1. USN Journal ($Extend/$J) - Tracks all filesystem changes

  2. Recent Files - Windows shortcuts (.lnk files) to recently accessed files

  3. Jump Lists - Recently opened files in applications

  4. Recycle Bin - Deleted files (if not permanently deleted)


>Analysis Phase

Step 1: Examining Recent Files

Windows keeps track of recently accessed files through shortcut (.lnk) files. Let's check them:

bash

cd C/Users/person/AppData/Roaming/Microsoft/Windows/Recent

ls -la

We find multiple .lnk files pointing to various documents:

  • passwords (16).lnk

  • passwords (21).lnk

  • passwords (37).lnk

  • secrets (11).lnk

  • secrets (41).lnk

  • secrets.txt.lnk

  • note (14).lnk

  • note (17).xlsx.lnk

  • notes (09).lnk

  • notes (49).lnk

  • And more...

Step 2: Installing Forensics Tools

To parse Windows .lnk files properly, we need specialized tools. Let's install liblnk-utils:

bash

sudo apt-get update

sudo apt-get install -y liblnk-utils

This package provides lnkinfo, which can parse Windows shortcut files.

Step 3: Parsing .lnk Files

Now let's extract information from these shortcut files:

bash

for file in *.lnk; do

    echo "=== $file ==="

    lnkinfo "$file" 2>/dev/null | grep -E "(Local path|Description|Working directory)"

done

This reveals that files were accessed from locations like:

  • C:\Users\lazex\Pictures\

  • C:\Users\lazex\Documents\

  • C:\Users\lazex\Downloads\

  • C:\Users\lazex\Desktop\

Interesting observation: The original user was "lazex", but the current filesystem shows "person" - this might indicate data was copied or the account was renamed.

Step 4: Analyzing the USN Journal

The USN Journal ($Extend/$J) is the most powerful artifact for tracking file changes. It records:

  • File creation

  • File deletion

  • File modification

  • File renames

Let's examine it:

bash

cd 'C/$Extend'   # quote the path: an unquoted $Extend expands to an empty variable

ls -lah
-rwxr-xr-x 1 user user  39M Oct 19 13:35 '$J'

The journal is 39MB - plenty of data to analyze! Let's extract filenames from it using strings:

bash

strings -e l '$J' | grep -E "(passwords|secrets|notes?|document) \([0-9]+\)\.(txt|pdf|jpg|png|docx|xlsx)" | sort -u

Output (excerpt):

secrets (01).pdf
secrets (03).txt
secrets (11).pdf
secrets (26).jpg
secrets (28).png
passwords (02).jpg
passwords (13).pdf
passwords (16).png
passwords (21).jpg
note (14).txt
note (17).xlsx
notes (09).docx
notes (15).pdf    ← This one is interesting!
notes (49).jpg
document (04).xlsx
...and many more

Step 5: Comparing Journal vs Actual Files

Now comes the crucial part - we need to find files that appear in the journal but don't exist in the current filesystem. This will reveal deleted files!

First, let's extract all filenames from the journal:

bash

cd '/home/noigel/CTF/next_hunt/Forensics/Grindle1/C/$Extend'   # quoted so $Extend is not expanded

strings -e l '$J' | grep -oE "(passwords|secrets|notes?|document) \([0-9]+\)\.(txt|pdf|jpg|png|docx|xlsx)" | sort -u > /tmp/journal_files.txt

Next, let's get all files that currently exist:

bash

cd /home/noigel/CTF/next_hunt/Forensics/Grindle1/C

find Users/person -type f | grep -oE "(passwords|secrets|notes?|document) \([0-9]+\)\.(txt|pdf|jpg|png|docx|xlsx)" | sort -u > /tmp/existing_files.txt

Now let's compare them to find what's missing:

bash

comm -23 /tmp/journal_files.txt /tmp/existing_files.txt

Result:

notes (15).pdf

🎯 Bingo! We found it!

Step 6: Verification

Let's verify that notes (15).pdf truly doesn't exist in the filesystem:

bash

find Users/person -name "notes (15).pdf" 2>/dev/null

No output - the file is confirmed missing!
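The strings-plus-comm approach above only proves that a name was mentioned in the journal, not what happened to it. As an added example (not part of the original writeup), the following Python walks the USN_RECORD_V2 structures in $J directly, so the Reason field tells us which names ended with a FILE_DELETE event, and then filters those against the extracted filesystem the way comm -23 did. The sample journal bytes are constructed inline; the layout and flag values are the documented USN_RECORD_V2 ones.

```python
import struct
from pathlib import Path

# USN_RECORD_V2 header: 60 bytes, followed by the UTF-16LE file name.
HDR = struct.Struct("<IHHQQqqIIIIHH")
REASON_FILE_CREATE = 0x00000100
REASON_FILE_DELETE = 0x00000200
REASON_CLOSE       = 0x80000000

def parse_usn_v2(data):
    """Yield (usn, name, reason) per v2 record; skips $J's zero-filled sparse prefix."""
    off = 0
    while off + HDR.size <= len(data):
        (rec_len, major, _minor, _frn, _parent, usn, _ts, reason,
         _src, _sid, _attr, name_len, name_off) = HDR.unpack_from(data, off)
        if rec_len == 0:            # zero padding / sparse region: advance 8 bytes
            off += 8
            continue
        if major != 2 or rec_len < HDR.size or off + rec_len > len(data):
            break                   # corrupt or unsupported record: stop
        name = data[off + name_off: off + name_off + name_len].decode("utf-16-le", "replace")
        yield usn, name, reason
        off += rec_len              # record lengths are already 8-byte aligned

def deleted_names(data):
    """Names whose last journal event carries FILE_DELETE (sorted list)."""
    last = {}
    for _usn, name, reason in parse_usn_v2(data):
        last[name] = reason         # later records overwrite earlier ones
    return sorted(n for n, r in last.items() if r & REASON_FILE_DELETE)

def missing_on_disk(deleted, root):
    """Keep only deleted names that no longer exist anywhere under root."""
    present = {p.name for p in Path(root).rglob("*") if p.is_file()}
    return [n for n in deleted if n not in present]

def make_record(usn, name, reason):
    """Constructed test helper: build one USN_RECORD_V2 for sample data."""
    enc = name.encode("utf-16-le")
    body_len = HDR.size + len(enc)
    rec_len = (body_len + 7) & ~7   # pad record to an 8-byte boundary
    hdr = HDR.pack(rec_len, 2, 0, 1, 5, usn, 0, reason, 0, 0, 0x20, len(enc), HDR.size)
    return hdr + enc + b"\0" * (rec_len - body_len)

# Constructed sample journal: sparse zero prefix, then create/delete events.
SAMPLE_J = b"\0" * 16 + b"".join([
    make_record(100, "notes (15).pdf", REASON_FILE_CREATE | REASON_CLOSE),
    make_record(200, "notes (49).jpg", REASON_FILE_CREATE | REASON_CLOSE),
    make_record(300, "notes (15).pdf", REASON_FILE_DELETE | REASON_CLOSE),
])
```

On the real dump, read `C/$Extend/$J` into `data` and call `missing_on_disk(deleted_names(data), "C/Users/person")`; names that only appear with create or data-change reasons are then no longer false positives.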


>Solution

The file that Grindle stole is: notes (15).pdf

According to the challenge rules:

  • Replace spaces with underscores: notes_(15).pdf

  • All letters should be lowercase: notes_(15).pdf (already lowercase)

  • Include the extension: ✓

Flag: nexus{notes_(15).pdf}


>Key Takeaways

  1. USN Journal is powerful - The $Extend/$J file is crucial for Windows forensics as it tracks all filesystem changes

  2. Compare artifacts - By comparing what was recorded in the journal vs what currently exists, we can identify deleted files

  3. Multiple artifacts tell a story - Recent files, jump lists, and journals all provided pieces of the puzzle

  4. Tool knowledge is essential - Understanding tools like strings, lnkinfo, and comm made the analysis efficient


>Tools Used

  • tar - Extract the archive

  • liblnk-utils (lnkinfo) - Parse Windows .lnk shortcut files

  • strings - Extract readable strings from binary files

  • grep - Pattern matching and filtering

  • find - Search for files in the filesystem

  • comm - Compare sorted files line by line

  • sort - Sort output for comparison


>Timeline of Events (Reconstructed)

Based on the forensics artifacts:

  1. User "lazex" had a file called notes (15).pdf on their system

  2. The file was accessed/created and recorded in the USN journal

  3. Grindle (attacker) accessed the system

  4. The file notes (15).pdf was deleted/stolen

  5. The journal still contains evidence of the file's existence

  6. The challenge asks us to identify this missing file


>Conclusion

This challenge demonstrates the importance of filesystem artifacts in forensics investigations. Even when files are deleted, traces remain in system logs and journals. By methodically analyzing the USN journal and comparing it against the current filesystem state, we successfully identified the stolen file.

Final Answer: nexus{notes_(15).pdf}


Challenge completed on December 12, 2025