The eighth day of AoC23 contains a Disk Forensics task.
Use FTK Imager to track down and piece together deleted digital breadcrumbs.
Learning Objectives #
- Analyse digital artefacts and evidence.
- Recover deleted digital artefacts and evidence.
- Verify the integrity of a drive/image used as evidence.
Overview #
A USB drive has infected the network and destroyed a computer. We are tasked to dive into a digital forensic adventure to unravel a web of deception hidden in the device.
These are my key takeaways from today:
- There are devices that can mount a USB in read-only mode, using a write blocker attached to an actual machine.
- FTK Imager looks like a powerful application to retrieve deleted files from a USB drive.
FTK Imager #
A forensics tool that allows specialists to acquire computer data and perform analysis without affecting the original evidence. It is GUI-based and ships as a Windows executable. Don’t know when I’m going to use it again…
Questions #
- What is the malware C2 server?
  Answer found inside the deleted file root/DO_NOT_OPEN/secretchat.txt.
- What is the file inside the deleted zip archive?
  Export the deleted file root/DO_NOT_OPEN/JuicyTomaTOY.zip and view the contents.
- What flag is hidden in one of the deleted PNG files?
  Use Ctrl + F on the deleted png file /root/portrait.png and search for THM{.
- What is the SHA1 hash of the physical drive and forensic image?
  Run File - Verify Drive/Image on the USB drive.
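As an added example (my own script, not part of the challenge or FTK Imager), the two checks above done in plain Python: hashing an image the way File - Verify Drive/Image does, so a later change to the evidence is caught, and searching the raw bytes of a recovered PNG for a THM{ flag the way Ctrl + F does. The PNG bytes are constructed, not the challenge USB.

```python
"""Added example: image integrity check and raw-byte flag search."""
import hashlib
import os
import re
import tempfile
from typing import Optional

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so large images don't fill RAM
FLAG_RE = re.compile(rb"THM\{[^}]*\}")


def hash_image(path: str) -> dict:
    """Return MD5 and SHA1 hex digests of the file at `path`."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify_image(path: str, expected_sha1: str) -> bool:
    """Like FTK's Verify step: the hash computed now must equal the hash
    recorded at acquisition (hex digests compared case-insensitively)."""
    return hash_image(path)["sha1"].lower() == expected_sha1.lower()


def find_flag(data: bytes) -> Optional[str]:
    """Search raw bytes (e.g. an exported PNG) for a THM{...} string."""
    m = FLAG_RE.search(data)
    return m.group(0).decode("ascii", "replace") if m else None


# Constructed sample: PNG signature, filler, an embedded flag, more filler.
SAMPLE_PNG = (b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
              + b"THM{example_flag}" + b"\xff" * 8)


def demo() -> dict:
    """Write the sample to a temp file, record its SHA1 as the acquisition
    hash, then show that appending a single byte fails verification."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(SAMPLE_PNG)
        path = tmp.name
    acquired = hash_image(path)["sha1"]
    intact = verify_image(path, acquired)
    with open(path, "ab") as fh:  # simulate a post-acquisition change
        fh.write(b"\x00")
    tampered = verify_image(path, acquired)
    os.remove(path)
    return {"intact": intact, "tampered": tampered, "flag": find_flag(SAMPLE_PNG)}


if __name__ == "__main__":
    print(demo())
```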