CTF Forensics 101: Dealing with Filesystems

in #technology · 8 years ago (edited)

Sometimes in CTF (WTF is CTF?) forensic challenges, we will be dealing with a full disk image. The most common approach to this is to mount the image, look at its directory structure and take a quick look at everything.

Problem

There are however two problems with this kind of approach:
Filesystem images are usually very big files, and most of the time we would be looking for a file that has already been deleted or is hidden inside the unallocated space. Without proper tools, it would be very time-consuming.

Example

Take this forensic challenge from last year's NeverLAN CTF:

You've been hired as a Forensics expert. A special police force caught a rebel planning to destroy a military installation. I think this is related to some 'plans' we found transmitted earlier. They found a flashdrive on him, but didn't find anything useful. We took a DD image of the flash drive and are sending it to you. You're trying to find any information on their attack plans or organization. Good Luck.
flashdrive.zip

We were given a zip file that contains a 3.87Gb disk image.

Now, how do we proceed from this?

Introducing "Autopsy"

Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools. It is used by law enforcement, military, and corporate examiners to investigate what happened on a computer. You can even use it to recover photos from your camera's memory card.
~source: Autopsy

What does that mean?

Well see for yourself.

That is how easy Autopsy is to use. Basically, all you need to do is load the image file and Autopsy will do the rest. It even displays a preview of what was deleted. In this example the flag (the piece of information we are looking for in CTFs) is hidden in the deleted file "_embers.png".
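Autopsy does the recovery for you, but it helps to see what "the rest" involves when a file's directory entry is gone and only its raw bytes remain in unallocated space. The following Python script is an added example, not part of the original post and not Autopsy or Sleuth Kit code: it builds a constructed in-memory "disk image" with a small PNG dropped into it at a known offset, then carves the PNG back out purely by signature (from the `\x89PNG` header through the IEND chunk), checking each chunk's CRC so a stray header-like byte sequence is rejected instead of producing a bogus file. The image size, offsets, and the function names are assumptions.

```python
"""Signature-based PNG carving over a raw disk image (added example).

Mirrors the idea behind recovering a deleted file from unallocated space:
no filesystem metadata is consulted, the carver only looks for the PNG
signature and walks the chunk structure to find where the file ends.
"""
import mmap
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
MAX_CHUNK = 2**31 - 1  # PNG spec limit on chunk length


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(width: int = 2, height: int = 2) -> bytes:
    """Constructed sample: a tiny valid 8-bit RGB PNG, all pixels red."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    # Each scanline starts with filter byte 0 followed by RGB triples.
    raw = b"".join(b"\x00" + b"\xff\x00\x00" * width for _ in range(height))
    return (PNG_SIG + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(raw)) + png_chunk(b"IEND", b""))


def make_image(files, size: int = 16384) -> bytes:
    """Constructed sample disk image: zero-filled, with (offset, bytes)
    pairs written in and no directory entries pointing at them."""
    img = bytearray(size)
    for offset, blob in files:
        img[offset:offset + len(blob)] = blob
    return bytes(img)


def parse_png(blob, start: int):
    """Walk PNG chunks from `start`; return the end offset just past IEND,
    or None if the structure or any CRC is broken (false positive)."""
    if blob[start:start + 8] != PNG_SIG:
        return None
    pos = start + 8
    while pos + 12 <= len(blob):
        length = struct.unpack(">I", blob[pos:pos + 4])[0]
        if length > MAX_CHUNK or pos + 12 + length > len(blob):
            return None
        ctype = blob[pos + 4:pos + 8]
        data = blob[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", blob[pos + 8 + length:pos + 12 + length])[0]
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            return None
        pos += 12 + length
        if ctype == b"IEND":
            return pos
    return None


def carve_pngs(blob):
    """Return a list of (offset, png_bytes) for every intact PNG found."""
    results = []
    pos = blob.find(PNG_SIG)
    while pos != -1:
        end = parse_png(blob, pos)
        if end is not None:
            results.append((pos, bytes(blob[pos:end])))
            pos = blob.find(PNG_SIG, end)
        else:
            pos = blob.find(PNG_SIG, pos + 1)
    return results


def carve_file(path: str):
    """Carve a real on-disk image without reading it all into memory;
    mmap keeps a multi-gigabyte dd image workable."""
    with open(path, "rb") as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return carve_pngs(mm)


if __name__ == "__main__":
    sample = make_image([(4096, make_png())])
    for offset, png in carve_pngs(sample):
        name = f"carved_{offset:08x}.png"
        with open(name, "wb") as out:
            out.write(png)
        print(f"recovered {len(png)} bytes at offset {offset} -> {name}")
```

Run against a real `dd` image with `carve_file("flashdrive.dd")` (assumed file name); each hit is written out by offset since, with the directory entry gone, the original name is no longer available this way. Real carvers such as the ones Autopsy drives also handle fragmented files, which this example deliberately does not.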

For specific tools for specific categories, check the following links:
- WTF is CTF?
- Recon: The art of gathering information
- Recon: Getting information out of images
- Cryptography: Useful Tools
- Forensics: Basic Approach to File Analysis
- Forensics: Getting Information out of Images
