Forensics Challenge 2 - Remote Recovery

Prompt

Our analysts have recovered cached bitmap files from a server used by Liber8tion. See what you can uncover about their activity on a machine that they accessed via Windows Remote Desktop.


Answers

Q1 (15 pts) - How many bitmap images are contained in the binary?
2069

Q2 (15 pts) - What time and date did they connect to the machine?
3:13PM Feb 19th 2026

Q3 (15 pts) - What is the IPv4 address of the remote client?
10.100.20.149

Q4 (25 pts) - How many images did the adversary upload to the remote client?
5

Q5 (30 pts) - There is a flag hidden among the images. What is it?
SKY-DFFR-6776


Steps I Took

Started by searching for a bitmap tool and found this one: https://github.com/ANSSI-FR/bmc-tools. Followed the syntax.

Screenshot

Exported 2069 tiles. Used that for the answer to Q1.

Opened the collage file

Screenshot

Had the flag in it

Used the montage tool to make a different collage of bitmaps

Screenshot

Found the frame with the earliest date - Q2

Screenshot

Q3 - Found the IPv4 address

Screenshot

Downloaded RDPCacheStitcher to try and see how many files were uploaded to the Remote Desktop

Screenshot

Screenshot

I also assembled several different block combinations to confirm that I was actually seeing five separate images. Because the pictures were based on older memes, I checked each one to verify that the reconstructed image matched what I expected.

Screenshot

Screenshot

Screenshot
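As an added example (not the author's code and not bmc-tools itself), a minimal parser for the RDP8 bitmap cache .bin layout that bmc-tools reads: it counts the cached tiles (the figure behind Q1) and wraps any tile as a standalone BMP for viewing. The file signature and per-record layout (8-byte key1, 8-byte key2, 16-bit width and height, then 32-bpp BGRA pixels) are assumed from my understanding of that tool, not stated on this page; the sample cache is constructed inline and is not real evidence.

```python
import struct

MAGIC = b"RDP8bmp\x00"              # assumed Cache####.bin signature (per bmc-tools, not this page)
HDR_LEN = 12                         # signature + 4-byte version
ENTRY_HDR = struct.Struct("<QQHH")   # assumed record header: key1, key2, width, height

def parse_cache(data):
    """Return (version, tiles); each tile is (key1, key2, w, h, bgra_bytes)."""
    if data[:8] != MAGIC:
        raise ValueError("not an RDP8 bitmap cache file")
    (version,) = struct.unpack_from("<I", data, 8)
    pos, tiles = HDR_LEN, []
    while pos + ENTRY_HDR.size <= len(data):
        key1, key2, w, h = ENTRY_HDR.unpack_from(data, pos)
        pos += ENTRY_HDR.size
        n = w * h * 4                      # tiles are stored as 32-bpp BGRA
        if pos + n > len(data):
            break                          # truncated last record: keep what parsed cleanly
        tiles.append((key1, key2, w, h, data[pos:pos + n]))
        pos += n
    return version, tiles

def tile_count(data):
    """Number of complete tiles in the cache (what bmc-tools would export)."""
    return len(parse_cache(data)[1])

def tile_to_bmp(w, h, bgra):
    """Wrap raw BGRA pixels in a 32-bpp BMP (rows stored bottom-up) so a viewer opens it."""
    rows = [bgra[y * w * 4:(y + 1) * w * 4] for y in range(h)]
    body = b"".join(reversed(rows))
    file_hdr = struct.pack("<2sIHHI", b"BM", 54 + len(body), 0, 0, 54)
    dib_hdr = struct.pack("<IiiHHIIiiII", 40, w, h, 1, 32, 0, len(body), 2835, 2835, 0, 0)
    return file_hdr + dib_hdr + body

def build_sample_cache():
    """Constructed two-tile cache for demonstration only."""
    red = bytes([0, 0, 255, 255]) * 4          # 2x2 solid red tile (B, G, R, A)
    blue = bytes([255, 0, 0, 255]) * 6         # 3x2 solid blue tile
    out = MAGIC + struct.pack("<I", 3)
    out += ENTRY_HDR.pack(0x1111, 0xAAAA, 2, 2) + red
    out += ENTRY_HDR.pack(0x2222, 0xBBBB, 3, 2) + blue
    return out + b"\x00" * 5                   # trailing bytes shorter than a record header

if __name__ == "__main__":
    sample = build_sample_cache()
    version, tiles = parse_cache(sample)
    print(f"version {version}, {len(tiles)} tiles")
    with open("tile_0000.bmp", "wb") as f:
        f.write(tile_to_bmp(*tiles[0][2:]))
```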