Bulk extractor

1. Introduction

In this lab, a disk image file “evidence.img” is provided in the home directory of the root user (/root/). A file on this image contains the email and phone number of the “evil” user. The email of the user is “evil@attacker.co.uk” and the phone number is the flag for this lab.

Extract the files from the disk image using the bulk extractor tool and retrieve the flag!

2. Bulk extractor

We use bulk_extractor to extract the files from the given image; the -o option names the directory the results are written to:

bulk_extractor evidence.img -o output

Depending on the image size, the extraction process will take some time…

3. Retrieve the flag

Instead of checking every file manually, I’ll use grep for a recursive, case-insensitive string search (-n prints the line number of each match):

grep -irn 'evil@attacker.co.uk' . --color
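
The grep hit shows where the email occurs. As an added example (not part of the original lab write-up), the script below goes one step further and correlates bulk_extractor feature files by offset, printing only the phone numbers recorded close to the email. It assumes the output directory holds the email.txt and telephone.txt feature files that bulk_extractor's scanners normally write, with tab-separated lines of offset, feature and context. The function names, the 256-byte window and the sample data are constructed for illustration.

```bash
#!/bin/sh
# Added example: correlate bulk_extractor feature files by offset.
# Data lines are "offset<TAB>feature<TAB>context"; '#' lines are headers.

# phones_near EMAIL EMAIL_FILE PHONE_FILE [WINDOW]
# Prints each telephone feature found within WINDOW bytes of a hit for EMAIL.
phones_near() {
    awk -F'\t' -v email="$1" -v win="${4:-256}" '
        /^#/ || NF < 2 { next }
        # A forensic path such as "4096-GZIP-12" begins with the image offset.
        { off = $1; sub(/-.*/, "", off); off += 0 }
        FILENAME == ARGV[1] {
            if (tolower($2) == tolower(email)) hits[++n] = off
            next
        }
        {
            for (i = 1; i <= n; i++) {
                d = off - hits[i]; if (d < 0) d = -d
                if (d <= win) { print $2; break }
            }
        }
    ' "$2" "$3"
}

# Constructed sample feature files (made-up offsets and numbers, not lab data).
make_sample() {
    {
        printf '# Feature-Recorder: email\n'
        printf '1048576\tadmin@example.com\tFrom: admin@example.com\n'
        printf '5242880\tevil@attacker.co.uk\tmail: evil@attacker.co.uk phone\n'
    } > "$1/email.txt"
    {
        printf '# Feature-Recorder: telephone\n'
        printf '1048700\t555-0100\ttel 555-0100 ext\n'
        printf '5242910\t555-0199\tphone: 555-0199 \n'
        printf '9437184-GZIP-40\t555-0142\tcall 555-0142 now\n'
    } > "$1/telephone.txt"
}

demo() {
    sample_dir=$(mktemp -d) || return 1
    make_sample "$sample_dir"
    phones_near 'evil@attacker.co.uk' "$sample_dir/email.txt" \
        "$sample_dir/telephone.txt" 256
    rm -rf "$sample_dir"
}
demo   # prints 555-0199 for the constructed sample
```

Against real output, the call would be phones_near 'evil@attacker.co.uk' output/email.txt output/telephone.txt, widening the window if the two values are stored further apart.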

4. Summary
