The Sleuth Kit Intro

1. Introduction

In this lab, a disk image file “evidence.img” is provided in the home directory of the root user (/root/). Interact with the image using The Sleuth Kit and answer the following questions:

  1. What is the image format type of the image?

  2. Which file system type is used in the image?

  3. Which directory was mounted most recently from the disk whose image is provided to us?

  4. List the names of the directories present on the image.

  5. What is the name of the file present in the notes directory?

  6. Retrieve the flag kept inside the flag.txt file.

2. Check image format type

First, list the image (container) formats The Sleuth Kit can recognise; the same names are what the -i option accepts:

img_stat -i list

Then ask img_stat to report the type (-t) of our image:

img_stat -t evidence.img

Answer 1:

It is the raw format: a plain byte-for-byte copy of the disk with no container header (unlike an E01/EWF or AFF image), which is why every later command passes -i raw.

3. Check file system type

Next, list the file system types The Sleuth Kit supports; these are the names the -f option accepts:

fsstat -i raw -f list

Then print only the file system type (-t) found in the image:

fsstat -i raw -t evidence.img

Answer 2:

It is an ext4 file system.

4. Check mount directory

With the type known, a full fsstat run dumps the superblock details (volume name, block size, feature flags, mount times) including the "Last Mounted at:" field that answers this question:

fsstat -i raw -f ext4 evidence.img

Answer 3:

The file system was last mounted at /mnt/disk0 (the "Last Mounted at:" line of the fsstat output).
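To show where img_stat and fsstat get the three answers above, here is an added example (not part of the lab or of The Sleuth Kit itself) that does the same work by hand on a raw image: it checks for the container signatures of E01/EWF, VMDK and VHD before falling back to "raw", then reads the ext superblock at offset 1024 to recover the magic, the feature flags that separate ext2, ext3 and ext4, and the s_last_mounted string. The ext2/3/4 decision is a simplified heuristic in the spirit of fsstat's, and build_sample_image() produces a constructed stand-in for evidence.img whose numbers are invented for this example; only the "/mnt/disk0" mount point mirrors the write-up.

```python
import struct
from datetime import datetime, timezone

# Container signatures that img_stat recognises before falling back to "raw".
# A raw image has no header at all, so nothing below matches and the file is
# just the disk's bytes, sector 0 first.
EWF_MAGIC = b"EVF\x09\x0d\x0a\xff\x00"  # Expert Witness (E01) segment header
VMDK_MAGIC = b"KDMV"                    # VMware sparse extent header
VHD_MAGIC = b"conectix"                 # VHD footer (dynamic VHDs also copy it to offset 0)


def detect_image_format(data: bytes) -> str:
    """Classify an image the way img_stat -t does: known signature, else raw."""
    if data.startswith(EWF_MAGIC):
        return "ewf"
    if data.startswith(VMDK_MAGIC):
        return "vmdk"
    if data.startswith(VHD_MAGIC) or data[-512:].startswith(VHD_MAGIC):
        return "vhd"
    return "raw"


# ext2/3/4 keep their primary superblock 1 KiB into the file system; the field
# offsets below follow the on-disk layout in the kernel's fs/ext4/ext4.h.
SB_OFFSET = 1024
SB_SIZE = 1024
EXT_MAGIC = 0xEF53
COMPAT_HAS_JOURNAL = 0x0004   # present on ext3 and ext4
INCOMPAT_EXTENTS = 0x0040     # ext4-only features used to tell ext4 apart
INCOMPAT_64BIT = 0x0080
INCOMPAT_FLEX_BG = 0x0200
RO_COMPAT_HUGE_FILE = 0x0008
RO_COMPAT_DIR_NLINK = 0x0020
RO_COMPAT_EXTRA_ISIZE = 0x0040
EXT4_ONLY_INCOMPAT = INCOMPAT_EXTENTS | INCOMPAT_64BIT | INCOMPAT_FLEX_BG
EXT4_ONLY_RO_COMPAT = RO_COMPAT_HUGE_FILE | RO_COMPAT_DIR_NLINK | RO_COMPAT_EXTRA_ISIZE


def is_ext_superblock(data: bytes) -> bool:
    """True when the bytes at the ext superblock position carry the 0xEF53 magic."""
    if len(data) < SB_OFFSET + SB_SIZE:
        return False
    return struct.unpack_from("<H", data, SB_OFFSET + 0x38)[0] == EXT_MAGIC


def parse_ext_superblock(data: bytes) -> dict:
    """Pull the fields fsstat prints for questions 2 and 3 out of a raw image."""
    if not is_ext_superblock(data):
        raise ValueError("no ext2/3/4 superblock at offset 1024")
    sb = data[SB_OFFSET:SB_OFFSET + SB_SIZE]
    inodes_count, blocks_count_lo = struct.unpack_from("<II", sb, 0x00)
    log_block_size = struct.unpack_from("<I", sb, 0x18)[0]
    mtime = struct.unpack_from("<I", sb, 0x2C)[0]          # s_mtime: last mount time
    compat, incompat, ro_compat = struct.unpack_from("<III", sb, 0x5C)
    volume_name = sb[0x78:0x88].split(b"\0", 1)[0].decode("utf-8", "replace")
    last_mounted = sb[0x88:0xC8].split(b"\0", 1)[0].decode("utf-8", "replace")

    # Simplified ext2/ext3/ext4 decision (assumption: close to what fsstat does):
    # ext4-only feature flags win, otherwise a journal means ext3, otherwise ext2.
    if incompat & EXT4_ONLY_INCOMPAT or ro_compat & EXT4_ONLY_RO_COMPAT:
        fs_type = "ext4"
    elif compat & COMPAT_HAS_JOURNAL:
        fs_type = "ext3"
    else:
        fs_type = "ext2"

    return {
        "fs_type": fs_type,
        "block_size": 1024 << log_block_size,
        "inodes_count": inodes_count,
        "blocks_count": blocks_count_lo,
        "volume_name": volume_name,
        "last_mounted": last_mounted,
        "last_mount_time": datetime.fromtimestamp(mtime, tz=timezone.utc).isoformat(),
    }


def build_sample_image() -> bytes:
    """Constructed stand-in for evidence.img: a raw image holding only an ext4
    superblock. Every value is made up for this example, not taken from the lab."""
    img = bytearray(8192)
    base = SB_OFFSET
    struct.pack_into("<II", img, base + 0x00, 2048, 8192)    # s_inodes_count, s_blocks_count_lo
    struct.pack_into("<I", img, base + 0x18, 2)              # s_log_block_size: 1024 << 2 = 4096
    struct.pack_into("<I", img, base + 0x2C, 1700000000)     # s_mtime (2023-11-14 UTC)
    struct.pack_into("<H", img, base + 0x38, EXT_MAGIC)
    struct.pack_into("<III", img, base + 0x5C, COMPAT_HAS_JOURNAL,
                     INCOMPAT_EXTENTS | INCOMPAT_64BIT | INCOMPAT_FLEX_BG,
                     RO_COMPAT_HUGE_FILE | RO_COMPAT_DIR_NLINK | RO_COMPAT_EXTRA_ISIZE)
    path = b"/mnt/disk0"
    img[base + 0x88:base + 0x88 + len(path)] = path          # s_last_mounted
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    print("Image Type:", detect_image_format(image))
    for key, value in parse_ext_superblock(image).items():
        print(f"{key}: {value}")
```

To run it against the real evidence, read the file with open("evidence.img", "rb") and pass the bytes to both functions; on a raw image the superblock sits at byte 1024 of the file exactly as it does on the disk, which is the whole reason -i raw needs no container parsing.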

5. List directories from the image

To list the entries of the root directory, and with them the top-level directories, run fls without an inode argument; each line has the form "d/d <inode>: name" for directories and "r/r <inode>: name" for regular files:

fls -i raw -f ext4 evidence.img

Answer 4:

notes, photos, videos

6. Get the file name inside notes directory

To list the contents of notes, pass the inode number fls printed for that directory (12 here) as the last argument:

fls -i raw -f ext4 evidence.img 12

Answer 5:

flag.txt

7. Retrieve the flag

icat writes the contents of an inode to stdout. Using the inode fls printed for flag.txt (16) and redirecting the output saves a copy of the file in the current directory, which can then be read with any viewer; without the redirect the flag is simply printed to the terminal:

icat -i raw -f ext4 evidence.img 16 >flag.txt

Answer 6:

baa82c37e53e2886a8a1379f4e3c2999
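Steps 5 to 7 are the same drill-down every time: read an fls listing, pick out the inode behind a name, list that inode, and finally hand the file's inode to icat. The added example below (written for this page, not part of the lab or of The Sleuth Kit) scripts that loop: it parses fls output lines, including the "* " deleted marker and the "(realloc)" suffix, resolves a path such as notes/flag.txt to its inode, and builds the exact fls/icat argument lists used above. The listings are constructed: the names and the inodes 12 (notes) and 16 (flag.txt) follow the write-up, every other number is invented, and the tsk_fls_runner helper is only needed when driving the real binaries.

```python
import re
import subprocess

# Shape of one fls line: "<type>/<type> [* ]<address>[(realloc)]:<tab><name>".
# The first type comes from the directory entry, the second from the inode;
# "* " marks a deleted entry and "(realloc)" that its inode was reused since.
# Addresses are kept as strings because other file systems (NTFS) use forms
# such as 128-4 that icat accepts verbatim.
FLS_LINE = re.compile(
    r"^(?P<dtype>[a-zA-Z?-])/(?P<mtype>[a-zA-Z?-])\s+(?P<deleted>\*\s+)?"
    r"(?P<inode>[0-9][0-9-]*)(?P<realloc>\(realloc\))?:\s+(?P<name>.+)$"
)

# Constructed listings standing in for the lab output (see lead-in).
SAMPLE_ROOT_LISTING = """\
d/d 11:\tlost+found
d/d 12:\tnotes
d/d 13:\tphotos
d/d 14:\tvideos
r/r * 15:\tdraft.txt
V/V 2049:\t$OrphanFiles
"""
SAMPLE_NOTES_LISTING = "r/r 16:\tflag.txt\n"


def parse_fls(text: str) -> list:
    """Turn fls output into a list of entry dicts; unrecognised lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = FLS_LINE.match(line)
        if not m:
            continue
        entries.append({
            "name": m.group("name"),
            "inode": m.group("inode"),
            "is_dir": m.group("dtype") == "d",
            "deleted": m.group("deleted") is not None,
            "realloc": m.group("realloc") is not None,
        })
    return entries


def find_entry(entries, name, include_deleted=False):
    """Return the entry called name; deleted entries are ignored unless asked for,
    since a deleted name can shadow a live one with the same name."""
    for e in entries:
        if e["name"] == name and (include_deleted or not e["deleted"]):
            return e
    return None


def fls_command(image, inode=None, img_type="raw", fs_type="ext4"):
    cmd = ["fls", "-i", img_type, "-f", fs_type, image]
    if inode is not None:          # no inode means the root directory
        cmd.append(str(inode))
    return cmd


def icat_command(image, inode, img_type="raw", fs_type="ext4"):
    return ["icat", "-i", img_type, "-f", fs_type, image, str(inode)]


def resolve_path(run_fls, path):
    """Walk path one component at a time, asking run_fls(inode) for each
    listing (None = root directory), and return the final entry's address."""
    inode = None
    for part in path.strip("/").split("/"):
        entry = find_entry(parse_fls(run_fls(inode)), part)
        if entry is None:
            raise FileNotFoundError(f"{part!r} not found in inode {inode or 'root'}")
        inode = entry["inode"]
    return inode


def tsk_fls_runner(image, img_type="raw", fs_type="ext4"):
    """Return a run_fls callable backed by the real fls binary (assumes TSK is installed)."""
    def run(inode):
        cmd = fls_command(image, inode, img_type, fs_type)
        return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return run


if __name__ == "__main__":
    # Offline demo on the constructed listings; swap in
    # tsk_fls_runner("evidence.img") to drive the real tools instead.
    fake = {None: SAMPLE_ROOT_LISTING, "12": SAMPLE_NOTES_LISTING}
    flag_inode = resolve_path(fake.__getitem__, "notes/flag.txt")
    print(" ".join(icat_command("evidence.img", flag_inode)))
```

The fake dictionary in the demo maps "which directory inode did we list" to "what fls printed", which is exactly the two listings the write-up shows; the real runner replaces it with a subprocess call and nothing else changes. Resolving by inode rather than by name matters in forensic work: two entries can share a name once one is deleted, and only the inode tells icat which data to dump.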

8. Summary

The whole lab is four Sleuth Kit tools, each given the image type (-i raw) and file system type (-f ext4) established in the first two steps: img_stat identifies the image container, fsstat identifies the file system and prints superblock details such as the last mount point (/mnt/disk0), fls walks directory entries (the root directory first, then the notes directory by its inode), and icat dumps a file's contents by inode to recover the flag. None of these commands writes to the image; they read it directly, which is the point of working on an image rather than the original disk.