The third post that won't get a number because it's as subjective as your last case...

by Chris Atha

With the sweet taste of victory still lingering after the previous win over our dear friend Chat, it is time to turn the knob to 11. Rather than general knowledge questions, which feel like the easier ask, the question now is whether Chat can successfully work through a capture the flag challenge.

Though I imagine the ability to simply upload an EWF-E01 file (the most common forensic image format) into Chat will soon be an option, right now it is not.

Rather, we will approach this using free and open-source tools, as you may have guessed. We will pose each portion of the process as a question and, despite my desire to win, frame it in a manner that should give Chat a fighting chance; this of course only supports the notion that humans are still needed.

We will be using a challenge image from a public capture the flag. In this game the DFIR pro will answer first. To make it a process readers can follow along with, I will use free and, when an option, free and open-source tools. I have yet to decide whether to compete using only a version of Linux and attempt to coax the correct tools, methods, and processes out of Chat; the questions posed during the capture the flag will determine this final detail. Also, I’m writing this on my Mac, so chances are I’ll not go the extra mile and will just use my Mac. However, a good note is that most free and open-source macOS utilities have Linux variants.

In my previous article, when Chat and I were chatting about general knowledge questions, I made it seem like we knew each other way better than we do. Much like that friend who says they used to race bicycles professionally for Team 7-Eleven or some other team back in the day, and then you introduce them to Francisco "Frankie" Andreu and they suddenly change their story. Though with my initial interactions, I felt like I got Chat’s permission to use a less than formal name.

I decided to pick a well-worn CTF created by a group whom I hold, and whom I recommend you hold, in high esteem: the 2022 Magnet User Summit CTF Windows image. You can check it out and download it if so compelled at https://cfreds.nist.gov/all/MagnetForensics/2022WindowsMagnetCTF.

The original question set can be found at https://www.magnetforensics.com/blog/update-on-magnet-summit-2022-capture-the-flag-contests/.

To keep things fair, I’ve not read the write-ups; however, I am sure Chat has (can’t trust generative AI these days). I’ll be adding a question or two of my own during this process to cover things I always attempt to ascertain in a case. Plus, this will let me check up on Chat.

Without further ado, here we go! The first question is a multi-part one, and it is something I do every time I receive an EWF-E01 image (format details: https://www.loc.gov/preservation/digital/formats/fdd/fdd000406.shtml).

What is the date of acquisition, and other various and sundry image details?

In the spirit of fairness I’ll go first. Given the more technical nature of these answers, I won’t be doodling nearly as much as I want to, though I’ll be doing it more than anyone wants. With an E01 image, one of my favorite utilities is libewf: https://github.com/libyal/libewf

The “ewfinfo” command of libewf is a quick and concise way to get all sorts of details stored as metadata during the imaging process when the EWF-E01 format is used. From this we can answer the date, the software, and the EWF-E01 image hash. Verifying this hash should be the first action taken before doing any work on the image.

You may be thinking: why would I elect to use libewf and this process? I find it quick, easy, and, most importantly, free and open source. I will attempt to use methods such as these whenever possible, as they allow for easier peer review and evaluation of my work. This is exceptionally important in a court of law, or in a business setting where the stakes are often high.
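The ewfinfo-then-verify step above, as a small added script that is not from the post or from libewf: it parses ewfinfo's text output into the three details the first question asks for and gates any further work on ewfverify's result. It assumes libewf's ewfinfo and ewfverify are on PATH and that ewfverify exits 0 only on a hash match; the embedded sample output is constructed, with placeholder values rather than those of the MUS 2022 image.

```python
# Added example, not code from the post: parse ewfinfo's text output for the
# details the first question asks for, then gate further work on ewfverify.
import subprocess, sys

# Constructed ewfinfo output; every value is a placeholder, not from the MUS image.
SAMPLE_EWFINFO = """ewfinfo 20140806

Acquiry information
\tAcquisition date:\tTue Mar 29 13:22:43 2022
\tSoftware version used:\tPLACEHOLDER-IMAGER 1.0

Media information
\tMedia type:\t\tfixed disk
\tMedia size:\t\t53687091200 bytes (50 GiB)

Digest hash information
\tMD5:\t\t\t00000000000000000000000000000000
"""

def parse_ewfinfo(text):
    """Return {section: {field: value}} from ewfinfo's indented 'Key:<tab>value' lines."""
    info, section = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("ewfinfo "):
            continue                     # version banner and blank separators
        if not line[0].isspace():
            section = line.strip()       # an unindented line starts a new section
            info[section] = {}
            continue
        key, _, value = line.strip().partition(":")   # first colon only; dates contain more
        if section is not None and value.strip():
            info[section][key.strip()] = value.strip()
    return info

def image_details(text):
    """Acquisition date, imaging software and stored MD5 for the first CTF question."""
    info = parse_ewfinfo(text)
    acq = info.get("Acquiry information", {})
    return {"acquisition_date": acq.get("Acquisition date"),
            "software": acq.get("Software version used"),
            "stored_md5": info.get("Digest hash information", {}).get("MD5")}

def verify_image(e01_path):
    """Recompute the image hash with ewfverify; assumes a zero exit status means it matched."""
    return subprocess.run(["ewfverify", e01_path], capture_output=True).returncode == 0

if __name__ == "__main__":
    e01 = sys.argv[1]   # first segment of the E01 set, e.g. image.E01
    print(image_details(subprocess.run(["ewfinfo", e01], capture_output=True, text=True).stdout))
    print("stored hash verified" if verify_image(e01) else "HASH MISMATCH: stop here")
```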

Enough from me; how will Watson perform? Wait, that’s not a cool joke; those cats at IBM have a Watson, and we, dear readers, have Chat. Let’s check in on Chat.

I have now formally asked for the informal name; Chat it is. Also, whoa, I am starting to feel like Chat and I are kindred spirits. The first answer is to use libewf, and Chat begins to describe how to easily install it on a macOS system!

Chat is an overachiever and goes as far as to explain how to use the tool. I don’t know about you, but I consider this answer pretty good. Now, what can’t Chat do in this instance? Chat cannot interact with my local terminal emulator and file array to run this and find those ever-important answers, yet.

I call this question a “draw”. While both of us provided excellent information, it was only I, a mere mortal, who was able not only to know the tooling and procedures but also to carry out the task of using them. So, maybe I am a winner. Do you hear that, the sound of a DJ Khaled air horn echoing through my empty home office? I do.

<INSTERT DJ KHALID MEME>

This wasn’t an omission of putting in an awesome meme. Rather, I thought the whole <INSTER DJ KHALID MEME> was equally as funny.

This is far from over!

Cheers until I ask Chat to write another article for me, I mean to answer questions; yeah, that’s what I meant.