
In my opinion, this is the most interesting challenge in DFIR. Our mission is to analyze an email file somewhere in the backup file. After spending some time searching, I found the email files:

![](https://odintheprotector.github.io/assets/images/bitsctf2024/17.png)

I will use Thunderbird to analyze them!

![](https://odintheprotector.github.io/assets/images/bitsctf2024/18.png)

With ‘YOU WON A LOTTERY.eml’, it's just the two files that I discussed above, so it's not important anymore. Only ‘50% Discount available on the Mimikyu plushie.eml’ is left that we haven’t analyzed yet:

![](https://odintheprotector.github.io/assets/images/bitsctf2024/19.png)

It took me a long time to think because the 2 emails didn’t give me anything. But when I read the message many times, I realised that it was very confusing and not how a normal person talks. And then I thought: “Maybe… it’s a type of encryption?????”. Without waiting, I took a part of the message and searched Google, and I learned that it’s called **Spammimic**:

![](https://odintheprotector.github.io/assets/images/bitsctf2024/20.png)

Very quickly, I decoded the message with an [online tool](https://www.spammimic.com/decode.shtml) and I got the flag!

**FLAG: BITSCTF{sp4m_2_ph1sh_U}**

Original writeup (https://odintheprotector.github.io/2024/02/17/bitsctf2024-dfir.html).