{"id":732,"date":"2020-08-27T21:28:49","date_gmt":"2020-08-27T20:28:49","guid":{"rendered":"https:\/\/cybercop-training.ch\/?p=732"},"modified":"2020-09-07T21:25:14","modified_gmt":"2020-09-07T20:25:14","slug":"disk-forensics-p1","status":"publish","type":"post","link":"https:\/\/cybercop-training.ch\/?p=732","title":{"rendered":"Disk Forensics P1"},"content":{"rendered":"

Disk forensics techniques are used to acquire the disk image, process this image to find artifacts of interest including deleted ones.<\/p>\n

In this lab, a disk image file \u201cevidence.img\u201d is provided in the home directory of the root user (\/root\/). Interact with the image using The Sleuth Kit<\/b><\/a>\u00a0and answer the following questions:<\/p>\n

    \n
  1. \n

    What is the image format type of the image?<\/p><\/blockquote>\n<\/li>\n

  2. \n

    Which file system type is used in the image?<\/p><\/blockquote>\n<\/li>\n

  3. \n

    Which directory was mounted most recently from the disk whose image is provided to us?<\/p><\/blockquote>\n<\/li>\n

  4. \n

    List the names of the directories present on the image.<\/p><\/blockquote>\n<\/li>\n

  5. \n

    What is the name of the file present in the notes directory?<\/p><\/blockquote>\n<\/li>\n

  6. \n

    Retrieve the flag kept inside the flag.txt file.<\/p><\/blockquote>\n<\/li>\n<\/ol>\n

    Let’s check which file types are possible<\/p>\n

    img_stat -i list<\/code><\/p>\n

    \"\"<\/a><\/p>\n

    img_stat -t evidence.img<\/code><\/p>\n

    \"\"<\/a><\/p>\n

    Answer 1: raw<\/strong><\/p><\/blockquote>\n

    To answer question 2 let’s list the supported file types first<\/p>\n

    fsstat -i raw -f list<\/code><\/p>\n

    \"\"<\/a><\/p>\n

    fsstat -i raw -t evidence.img<\/code><\/p>\n

    \"\"<\/a><\/p>\n

    Answer 2: ext4<\/strong><\/p><\/blockquote>\n

    I’ll go ahead to get the directory that was mounted most recently<\/p>\n

    fsstat -i raw -f ext4 evidence.img<\/code><\/p>\n

    \"\"<\/a><\/p>\n

    answer: \/mnt\/disk0<\/p><\/blockquote>\n

    To list the names of the directories that are being present in the image I’ll use the following command:<\/p>\n

    fls -i raw -f ext4 evidence.img<\/code><\/p>\n

    \"\"<\/a><\/p>\n

    Answer 4: notes, photos, videos<\/p><\/blockquote>\n

    To get the name of a specific file in the notes directory I use the following command:<\/p>\n

    fls -i raw -f ext4 evidence.img 12<\/strong><\/code><\/p>\n

    \"\"<\/a><\/p>\n

    Answer 5: flag.txt<\/p><\/blockquote>\n

    Now I need to find a way to see what’s stored inside the file flag.txt<\/p>\n

    icat -i raw -f ext4 evidence.img 16<\/strong> >flag.txt<\/code><\/p>\n

    \"\"<\/a><\/p>\n

    Answer 6: baa82c37e53e2886a8a1379f4e3c2999<\/p><\/blockquote>\n

     <\/p>\n

     <\/p>\n

     <\/p>\n","protected":false},"excerpt":{"rendered":"

    Disk forensics techniques are used to acquire the disk image, process this image to find artifacts of interest including deleted ones. In this lab, a […]<\/a><\/p>\n<\/div>","protected":false},"author":2,"featured_media":735,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8,16],"tags":[],"class_list":["post-732","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-forensic","category-linux"],"_links":{"self":[{"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/posts\/732","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=732"}],"version-history":[{"count":6,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/posts\/732\/revisions"}],"predecessor-version":[{"id":748,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/posts\/732\/revisions\/748"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/media\/735"}],"wp:attachment":[{"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=732"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=732"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=732"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}