This forensics challenge was the first one of a series of 3 challenges related to Roblox in this CTF.

We were given the same 2 AD1 files as evidences for the 4 forensics challs. It is a pretty uncommon file type, let’s use FTK Imager on Windows.

Investigation

After extracting all the files using FTK Imager, we have access to 3 main Windows Folders : Programs, Users and Riot Games.

After searching a bit, we notice that the files related to the Roblox game are stored in \Users\ftcsvisgreat\AppData\Local\Roblox

Finding the game

We have to find the game joined by the victim.

After doing some research, we learn that the id of the game is caracterized by the name placeid in the logs.

By searching for this name in all the files, we find 5 different placeid values

734159876 | 292439477 | 14853367450 | 370731277 | 142823291

We can get information about each game with the placeid by visiting the link roblox.com/games/<placeid>

The only suspicious game is the one with the placeid 14853367450 related to a game called ftcsvthrowaway's Place

Inside the game

After joining the game

Flag

vsctf{w34k_4nt1_d3bugg3rs_4r3_n0_m4tch_f0r_th3_31337}