Uncle Vader
Do not ask me about the name, it is just that way now!
Uncle Vader is hiding the Death Star plans (2025 version) and is trying to protect them with BitLocker. To avoid forgetting his recovery key, he decided to hide parts of it in various locations on his computer. However, it is unclear how far he got with this endeavor.
Furthermore, Uncle Vader heard that one can retrieve the Full Volume Encryption Key (FVEK) from memory, so he planned to verify that. Shortly after acquiring the memory and finding out that the FVEK is not there, his computer crashed... and right after the crash, he was arrested (some say he didn't pay child support for his children...). Nonetheless, as good rebels, we created a triage, added Uncle Vader's memory dump, and an image of the suspected VHD.
The data (516MB)
SHA1: 18635cde80d5654100d31628c1df69c28bba0797
If you find the flag, you will know. If you really want to know, here is the hashed flag (the string, not the file).
SHA1: ec0c72e8c8734f68645033b4d29e7e3871e42485
Disclaimer: This is for fun. I tried to leave hints to make it a bit more enjoyable and not like fishing in the dark. It is hard, knowing the complete way through the challenge, to create something enjoyable and yet somewhat challenging. I would say this is an intermediate forensic challenge.