Disk Forensics P3

Disk forensics techniques are used to acquire the disk image, process this image to find artifacts of interest including deleted ones.

In this lab, a disk image file “evidence.img” is provided in the home directory of the root user (/root/). One of the PDF files present on the disk contains the flag.

Objective: Extract files from the given image using Scalpel tool and retrieve the flag!


  • pdftotext tool can be used to convert PDF files into text files.

This exercise is very similar to the last one.

Instead of using foremost, I’ll use another tool called Scalpel 😉

scalpel evidence.img -o output

Seems that I’ve to edit the config file first which is located under /etc/scalpel/scalpel.conf

vi /etc/scalpel/scalpel.conf

We search for pdf files therefore, I’ll «uncomment» the lines which are responsible for pdf files

Save the file and give scalpel a new try:

scalpel evidence.img -o output

Let’s brows in the output directory and use the tool pdftotext

The flag is: ff8a95f5989fe663b4d8c4d82d32c2d0


Kommentar hinterlassen

Schreib einen Kommentar

Ihre E-Mail-Adresse wird nicht veröffentlicht.