Description: Learn how I solved the Job Interview challenge on Root-Me by converting an EnCase image, detecting hidden archives, and uncovering sensitive RDP cache screenshots using open-source tools.
🧠 Root-Me Forensics Challenge: Job Interview
The “Job Interview” challenge from Root-Me's Forensic section is an exciting test of your ability to work with forensic images and uncover hidden artifacts.
In this walkthrough, I’ll show how I:
- Extracted a hidden archive from a forensic `.E01` image
- Identified and unpacked an RDP bitmap cache
- Analyzed screenshots for sensitive information
- Ultimately recovered the flag
🧰 Tools I Used
| Tool | Use Case |
|---|---|
| `ewfexport` | Convert EnCase `.E01` image to `.raw` |
| `file`, `tar` | Identify file types and extract archives |
| `bmc-tools` | Decode `.bmc` RDP bitmap cache |
| `eog` | View extracted `.bmp` screenshots |
| `binwalk` (optional) | Analyze file internals for signatures |
🪪 Step 1: Convert `.E01` to `.raw`
The challenge provides an EnCase evidence file, `image_forensic.e01`. The E01 container stores the acquired data in compressed chunks together with acquisition metadata, so it first has to be exported to a plain raw image that ordinary tools can read:

```bash
ewfexport image_forensic
```

When prompted, answer:
- Export format: raw
- Target path and filename: image
- Segment size: (just press Enter for the default)

This generates `image.raw`.

The same export without the prompts, naming the segment file explicitly:

```bash
ewfexport -u -f raw -t image image_forensic.E01
```

⚠️ In interactive mode the base name without `.e01` is enough: ewfexport locates the segment files (`.E01`, `.E02`, ...) itself. It is also worth running `ewfinfo image_forensic.E01` first: it prints the acquisition metadata kept in the container, including the hash recorded at acquisition time if the acquiring tool stored one, and `ewfverify` recomputes that hash so you can show the evidence was not altered before you worked on it.
🔍 Step 2: Investigate the File Type
Don't assume that `image.raw` is a real disk image just because of its name. `file` decides from the content (magic bytes), not from the extension:

```bash
file image.raw
```

Output:

```
image.raw: POSIX tar archive (GNU)
```

🎯 It's not a disk image at all: it's a `.tar` archive hiding behind a `.raw` extension. `file` recognises tar by the `ustar` magic at offset 257 of the first header, which is why the extension never mattered. Had `file` reported a partition table or a filesystem instead, the next step would have been `fdisk -l` or `mmls` and a mount, not `tar`.
📦 Step 3: Extract the Archive
List the archive before unpacking it, so you see what it is about to write and can check that no entry uses an absolute path or `..` to escape the working directory:

```bash
tar -tvf image.raw
tar -xvf image.raw
```

This extracts a single file:

```
bcache24.bmc
```
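The checks from Steps 2 and 3 in code, as an added example that is not part of the original write-up or of the challenge: it classifies a file by magic bytes the way `file` does (the E01 and `ustar` signatures are the documented ones), then audits the tar members before anything is extracted and refuses entries that would escape the output directory or create links or device nodes. The tar it builds when run without arguments is a constructed stand-in for `image.raw`; the path-traversal entry in it is illustrative and not something found in the challenge file.

```python
import io
import tarfile

# Content signatures: (offset, magic bytes, label). The tar check comes first
# because a tar header starts with a file name, which could itself begin
# with "BM" or "PK".
SIGNATURES = [
    (257, b"ustar",                   "POSIX tar archive"),
    (0,   b"EVF\x09\x0d\x0a\xff\x00", "EnCase EWF (E01) image segment"),
    (0,   b"\x1f\x8b",                "gzip compressed data"),
    (0,   b"PK\x03\x04",              "zip archive"),
    (0,   b"BM",                      "Windows bitmap"),
]


def identify(data: bytes) -> str:
    """Classify a blob by magic bytes, ignoring whatever extension it carries."""
    for offset, magic, label in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return label
    return "unknown"


def audit_tar(data: bytes):
    """List the members of a tar archive without extracting anything and
    split them into entries that are safe to unpack and entries that would
    escape the output directory or create links/devices."""
    safe, unsafe = [], []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for member in tf.getmembers():
            parts = member.name.split("/")
            escapes = member.name.startswith("/") or ".." in parts
            special = member.issym() or member.islnk() or member.isdev()
            (unsafe if escapes or special else safe).append((member.name, member.size))
    return safe, unsafe


def extract_safe(data: bytes, dest: str) -> list:
    """Extract only the members audit_tar() considers safe; return their names."""
    safe, _ = audit_tar(data)
    names = {name for name, _ in safe}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        members = [m for m in tf.getmembers() if m.name in names]
        tf.extractall(dest, members=members)
    return sorted(names)


def build_sample_tar() -> bytes:
    """Constructed sample standing in for image.raw: a placeholder
    bcache24.bmc plus one path-traversal entry for audit_tar() to flag."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, payload in (
            ("bcache24.bmc", b"\x00" * 64),
            ("../etc/cron.d/evil", b"* * * * * root id\n"),
        ):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    # Real use: python3 audit.py image.raw
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_tar()
    kind = identify(blob)
    print("type:", kind)
    if kind == "POSIX tar archive":
        safe, unsafe = audit_tar(blob)
        for name, size in safe:
            print(f"  ok      {size:>8}  {name}")
        for name, size in unsafe:
            print(f"  UNSAFE  {size:>8}  {name}")
```

`audit_tar` deliberately works on the member list alone; nothing touches the filesystem until `extract_safe` is called with the vetted names, which is the same discipline as running `tar -tvf` before `tar -xvf`.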
🧠 Step 4: What Is a .bmc File?
`.bmc` files are bitmap cache files written by the Windows Remote Desktop client (mstsc.exe). They live in `%LOCALAPPDATA%\Microsoft\Terminal Server Client\Cache\` as `bcacheNN.bmc` (older clients) and `Cache0000.bin` (newer clients); the number in `bcache24.bmc` is the colour depth of the cached tiles.

The client keeps small rectangular tiles of the remote screen so that unchanged regions do not have to be resent, and those tiles stay on disk after the session ends. They can reveal:
- Fragments of documents that were open on the remote host
- Passwords, tokens or flags that were displayed on screen
- Which applications and windows were used during the session

Note what they do not contain: no timestamps, no keystrokes and no event log, only pixels. The tiles are small (typically 64×64) and stored out of order, so a screen usually has to be pieced together from many of them.

No standard image viewer understands the format, so we'll use bmc-tools, an open-source Python tool from ANSSI that parses both `.bmc` and `.bin` caches and writes every tile out as a `.bmp`.
🛠️ Step 5: Extract .bmp Screenshots Using bmc-tools
5.1 Clone the Repository

```bash
git clone https://github.com/ANSSI-FR/bmc-tools.git
cd bmc-tools
```

5.2 Create an Output Directory

```bash
mkdir ../bcache24bmc
```

5.3 Run the Tool

```bash
./bmc-tools.py -s ../bcache24.bmc -d ../bcache24bmc/ -v
```

- `-s`: source `.bmc` (or `Cache*.bin`) file
- `-d`: output directory for the `.bmp` tiles
- `-v`: verbose mode

This writes one `.bmp` per cached tile into the output folder; a long session can produce thousands of them. Adding `-b` makes bmc-tools also build a single collage bitmap of all the tiles (`-w` sets how many tiles go on each row), which is quicker to skim than opening the files one by one.
🖼️ Step 6: Review the Extracted Screenshots
To browse the extracted tiles:

```bash
eog ../bcache24bmc/*.bmp
```

Manually inspecting the images reveals three screenshots, each holding one piece of the flag:
- Yeah (RdP)
- this is the (l3av3s_Tra)
- flag (c3s)_
🏁 Final Flag
RdP_l3av3s_Trac3S
🎉 This is the flag displayed in three of the RDP session screenshots!
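Added example, not code from the write-up or from bmc-tools: when a cache yields far more tiles than the handful here, a script that discards flat single-colour tiles and packs the remainder into one contact sheet turns the review into a single scroll. It reads and writes plain 24-bit BMPs with the standard library only, so it runs on bmc-tools output without extra packages. The three 64×64 tiles it generates when run without arguments are constructed placeholders, and the `TILE` size and the magenta gap colour are assumptions of the example.

```python
import struct

TILE = 64  # assumed tile size; bmc-tools writes the 64x64 tiles from bcache*.bmc


def write_bmp24(width, height, rows):
    """Serialize rows of (r, g, b) tuples (top row first) as a 24-bit BMP."""
    row_bytes = (width * 3 + 3) & ~3               # rows are padded to 4 bytes
    pixel_bytes = row_bytes * height
    file_header = struct.pack("<2sIHHI", b"BM", 54 + pixel_bytes, 0, 0, 54)
    info_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                              pixel_bytes, 2835, 2835, 0, 0)
    body = bytearray()
    for row in reversed(rows):                      # BMP stores rows bottom-up
        for r, g, b in row:
            body += bytes((b, g, r))                # ... and pixels as BGR
        body += b"\x00" * (row_bytes - width * 3)
    return file_header + info_header + bytes(body)


def read_bmp24(data):
    """Parse an uncompressed 24-bit BMP into (width, height, rows)."""
    magic, _, _, _, offset = struct.unpack_from("<2sIHHI", data, 0)
    if magic != b"BM":
        raise ValueError("not a BMP file")
    _, width, height, _, bpp, compression = struct.unpack_from("<IiiHHI", data, 14)
    if bpp != 24 or compression != 0:
        raise ValueError("only uncompressed 24-bit BMPs are handled")
    bottom_up = height > 0
    height = abs(height)
    row_bytes = (width * 3 + 3) & ~3
    rows = []
    for y in range(height):
        start = offset + y * row_bytes
        rows.append([(data[start + 3 * x + 2], data[start + 3 * x + 1], data[start + 3 * x])
                     for x in range(width)])
    if bottom_up:
        rows.reverse()
    return width, height, rows


def distinct_colours(rows):
    return len({px for row in rows for px in row})


def is_blank(rows, min_colours=2):
    """A tile with fewer than min_colours distinct colours is flat background
    (or an unused cache slot) and carries no text or UI worth looking at."""
    return distinct_colours(rows) < min_colours


def stitch(tiles, per_row, gap_colour=(255, 0, 255)):
    """Lay TILE x TILE tiles on a grid, left to right, top to bottom."""
    grid_rows = (len(tiles) + per_row - 1) // per_row
    width, height = per_row * TILE, grid_rows * TILE
    canvas = [[gap_colour] * width for _ in range(height)]
    for idx, rows in enumerate(tiles):
        ox, oy = (idx % per_row) * TILE, (idx // per_row) * TILE
        for y, row in enumerate(rows[:TILE]):
            canvas[oy + y][ox:ox + min(len(row), TILE)] = row[:TILE]
    return width, height, canvas


def triage(bmp_blobs, per_row=8):
    """Drop blank tiles and pack the rest into one contact sheet.
    Returns (indices of kept tiles, BMP bytes of the sheet)."""
    kept, tiles = [], []
    for idx, blob in enumerate(bmp_blobs):
        _, _, rows = read_bmp24(blob)
        if is_blank(rows):
            continue
        kept.append(idx)
        tiles.append(rows)
    width, height, canvas = stitch(tiles, per_row)
    return kept, write_bmp24(width, height, canvas)


def make_sample_tiles():
    """Constructed 64x64 tiles standing in for bmc-tools output: an all-white
    slot, a tile with a dark 'text' band, and a tile with a window border."""
    white = (255, 255, 255)
    blank = [[white] * TILE for _ in range(TILE)]
    text = [[(0, 0, 0) if 20 <= y < 26 and 4 <= x < 60 else white
             for x in range(TILE)] for y in range(TILE)]
    border = [[(0, 120, 215) if x < 3 or y < 3 else (240, 240, 240)
               for x in range(TILE)] for y in range(TILE)]
    return [write_bmp24(TILE, TILE, t) for t in (blank, text, border)]


if __name__ == "__main__":
    import sys
    # Real use: python3 triage.py bcache24bmc/*.bmp > sheet.bmp
    blobs = [open(p, "rb").read() for p in sys.argv[1:]] or make_sample_tiles()
    kept, sheet = triage(blobs)
    sys.stderr.write(f"kept {len(kept)} of {len(blobs)} tiles\n")
    sys.stdout.buffer.write(sheet)
```

The kept indices map back to the original file order, so once a fragment of interest is spotted on the sheet the corresponding `.bmp` (and its neighbours in the cache, which are often the rest of the same screen) can be opened individually.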
🧠 Forensic Takeaways
- Always use file to verify content types
- Don't trust extensions — .raw can be .tar
- RDP .bmc files can leak visual data from remote sessions
- Screenshots are evidence, even if they’re fragments
- Open-source tools like bmc-tools are vital in DFIR work
📋 Summary of Commands
Step 1: Convert E01 to raw

```bash
ewfexport image_forensic
```

Step 2: Inspect the file type

```bash
file image.raw
```

Step 3: Extract tar archive

```bash
tar -tvf image.raw
tar -xvf image.raw
```

Step 4: Clone BMC tools and set up

```bash
git clone https://github.com/ANSSI-FR/bmc-tools.git
cd bmc-tools
mkdir ../bcache24bmc
```

Step 5: Decode bitmap cache

```bash
./bmc-tools.py -s ../bcache24.bmc -d ../bcache24bmc/ -v
```

Step 6: View extracted images

```bash
eog ../bcache24bmc/*.bmp
```
🙌 Let’s Connect
If this write-up helped or inspired you:
✍️ Follow me on Dev.to for more CTF and DFIR content
Thanks for reading — and happy hunting! 🧩🕵️♀️