Disk forensics techniques are used to acquire a disk image and then process it to find artifacts of interest, including deleted ones.
In this lab, a disk image file “evidence.img” is provided in the home directory of the root user (/root/). There is a file on this image which contains the email and phone number of the “evil” user. The email of the user is “email@example.com” and the phone number is the flag for this lab.
Objective: Extract the files from the disk image using the bulk extractor tool and retrieve the flag!
We have to use bulk_extractor to extract the files from the given image:
bulk_extractor evidence.img -o output
Depending on the image size, the extraction process will take some time…
Instead of checking every file manually, I’ll use grep for a string search:
grep -irn 'firstname.lastname@example.org' . --color
And there we have the flag: +912999949811
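As an added example (not part of the original lab writeup), the same correlation can be done over bulk_extractor's feature files instead of grepping every carved file: output/email.txt and output/telephone.txt are tab-separated offset/feature/context lines with `#` header comments, so a phone number recorded within a few hundred bytes of the known email is a strong candidate. The file contents below are constructed for this example, not the lab's real output.

```python
"""Correlate bulk_extractor feature files: find phone numbers recorded
close (by byte offset) to a known email address.  Assumes the feature-file
layout 'offset<TAB>feature<TAB>context' with '#' comment lines on top."""
import re
from typing import List, Tuple

# Constructed sample contents standing in for output/email.txt and
# output/telephone.txt (these are not the lab's real feature files).
SAMPLE_EMAIL_TXT = """# Feature-Recorder: email
# Filename: evidence.img
1048576\tinfo@example.net\tContact: info@example.net for support
2097152\temail@example.com\tname: evil email: email@example.com phone:
"""
SAMPLE_TELEPHONE_TXT = """# Feature-Recorder: telephone
# Filename: evidence.img
524288\t+1 555 0100\tsupport line +1 555 0100 open 24/7
2097180\t+12 555 0199\temail@example.com phone: +12 555 0199 addr:
"""

def parse_feature_file(text: str) -> List[Tuple[int, str, str]]:
    """Return (offset, feature, context) tuples, skipping '#' comment lines.
    Recursive offsets such as '1234-GZIP-56' keep only the leading byte offset."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        m = re.match(r"\d+", parts[0])
        if len(parts) < 2 or m is None:
            continue  # malformed line: no feature column or no numeric offset
        context = parts[2] if len(parts) > 2 else ""
        records.append((int(m.group(0)), parts[1], context))
    return records

def phones_near_email(email_txt: str, telephone_txt: str, email: str,
                      window: int = 512) -> List[str]:
    """Phone features whose offset lies within `window` bytes of any
    occurrence of `email`, closest first."""
    email_offsets = [off for off, feat, _ in parse_feature_file(email_txt)
                     if feat.lower() == email.lower()]
    hits = []
    for off, phone, _ in parse_feature_file(telephone_txt):
        dist = min((abs(off - e) for e in email_offsets), default=None)
        if dist is not None and dist <= window:
            hits.append((dist, phone))
    return [phone for _, phone in sorted(hits)]

if __name__ == "__main__":
    # With real output: phones_near_email(open("output/email.txt").read(),
    #                                     open("output/telephone.txt").read(), ...)
    print(phones_near_email(SAMPLE_EMAIL_TXT, SAMPLE_TELEPHONE_TXT, "email@example.com"))
```

The offset distance is only a heuristic: a number far from the email may still belong to the same record, so widen `window` or fall back to the context column when nothing is found.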