Lost in Waves

Challenge

• Category: Hardware / Audio Forensics
• File Provided: 0.sal (Saleae Logic 2 capture)

Overview

A Saleae Logic 2 capture file containing a POCSAG pager radio signal recorded as audio. The signal was hidden inside a password-protected RAR archive embedded in the capture's raw data file.

Step-by-Step

1. Extract the data file from the .sal

A .sal file is a ZIP archive. Unzipping it reveals a data binary alongside metadata. The data file turned out to be a RAR archive in disguise.

unzip 0.sal
file data   # → RAR archive
mv data binary.rar

2. Brute-force the RAR password

The archive was password-protected. Used rarcrack to brute-force it:

rarcrack binary.rar --type rar

Password recovered. Extraction yielded four WAV files: 1.wav, 2.wav, 3.wav, 4.wav.

3. Concatenate the WAVs

sox 1.wav 2.wav 3.wav 4.wav full_audio.wav

Result: full_audio.wav -- 16 seconds, stereo 48 kHz 16-bit PCM.

4. Identify the encoding

Generating a spectrogram with sox revealed broadband noise bursts with clear on/off keying -- characteristic of a pager protocol rather than voice audio or simple tone encoding.

sox full_audio.wav -n spectrogram -o spectrogram.png

Running multimon-ng with all supported demodulators identified the signal as POCSAG 1200:

multimon-ng -t wav -a MORSE_CW -a DTMF -a AFSK1200 -a AFSK2400 \
    -a POCSAG512 -a POCSAG1200 -a POCSAG2400 full_audio.wav

5. Decode the POCSAG traffic

multimon-ng decoded a full pager conversation:

Address 1 → "Oi, tell us your name then, yeah?"
Address 2 → "Alright Benzoo, Im Awoonimbuss."
Address 3 → "c00lz, mate"
Address 1 → "You got the package sorted?"
Address 2 → "Too right. Tucked away safe and sound."
Address 1 → "And the code??"
Address 2 → "Passwordz [...]. Keep it hush, yeah?"

Key Insight

The audio is a POCSAG 1200 baud pager signal recorded by a logic analyzer. multimon-ng is the go-to tool for decoding digital radio protocols (POCSAG, AFSK, DTMF, etc.) directly from WAV files.