Disk Forensics P1

Disk forensics techniques are used to acquire the disk image, process this image to find artifacts of interest including deleted ones.

In this lab, a disk image file “evidence.img” is provided in the home directory of the root user (/root/). Interact with the image using The Sleuth Kit and answer the following questions:

  1. What is the image format type of the image?

  2. Which file system type is used in the image?

  3. Which directory was mounted most recently from the disk whose image is provided to us?

  4. List the names of the directories present on the image.

  5. What is the name of the file present in the notes directory?

  6. Retrieve the flag kept inside the flag.txt file.

Let’s check which file types are possible

img_stat -i list

img_stat -t evidence.img

Answer 1: raw

To answer question 2 let’s list the supported file types first

fsstat -i raw -f list

fsstat -i raw -t evidence.img

Answer 2: ext4

I’ll go ahead to get the directory that was mounted most recently

fsstat -i raw -f ext4 evidence.img

answer: /mnt/disk0

To list the names of the directories that are being present in the image I’ll use the following command:

fls -i raw -f ext4 evidence.img

Answer 4: notes, photos, videos

To get the name of a specific file in the notes directory I use the following command:

fls -i raw -f ext4 evidence.img 12

Answer 5: flag.txt

Now I need to find a way to see what’s stored inside the file flag.txt

icat -i raw -f ext4 evidence.img 16 >flag.txt

Answer 6: baa82c37e53e2886a8a1379f4e3c2999




Kommentar hinterlassen

Schreib einen Kommentar

Ihre E-Mail-Adresse wird nicht veröffentlicht.