Disk Forensics P9

After learning howto create a disk image (acquire disk image), we need to know how to mount this files and use it for further analysis.

Image mounting involves mounting the evidence disk image on the local system so the data on the disk can be analyzed and inspected.

In this lab, an evidence hard disk image is present on an external disk mounted on ‘/dev/sdc’. The dd tools are installed on the lab machine. Also, a flag file is kept in the /root directory of the disk image filesystem.

Objective: Mount the evidence disk image and retrieve the flag!

First let’s check if /dev/sdc is mounted

I’ll change the directory to /mnt/evidence

From there I’ll copy the evidence.img file to the root directory

cp evidence.img /root

file evidence.img

From here we’ll create a directory called «analysis»

mkdir analysis

mount evidence.img /analysis

df -h

cd /analysis/root

cat flag.txt

Kommentar hinterlassen

Schreib einen Kommentar

Ihre E-Mail-Adresse wird nicht veröffentlicht.


*