📘
CAS Cybersecurity
  • Start
  • Reconnaissance
    • Opensource Intelligence
  • Docker basics and Images
    • Damn Vulnerable Webapp
    • bWAPP
    • Juice Webshop
    • Webgoat
    • Metasploitable 2
    • Metasploitable 3
    • MISP Docker (old)
    • MISP Docker (new)
  • Scanning and Enumeration
    • Scanning with zenmap
    • Scanning with nmap
    • Scanning with msf auxiliary
  • Vulnerability Scanning and Analysis
    • OpenVAS
    • nmap vulnerability scan
    • MSF Auxiliary Modules
  • Exploitation
    • Metasploitable 2
    • Redis Server
    • Print Nightmare
    • Baron Samedit
    • Polkit
    • Heartbleed
  • Man in the Middle
    • ARP Cache poisoning
    • RDP MitM Exercise
  • Windows Hacking
    • Throwback Network
      • Entering the breach
      • Exploring the caverns
      • Webshells and you!
      • First Contact
    • WinAttack LAB
      • Module 01
      • Module 02
      • Module 03
      • Module 04
      • Module 05
      • Module 06
      • Module 07
      • Module 08
      • Module 09
      • Module 10
  • Web Application Security
    • Burp Proxy Introduction
    • DVWA
      • DVWA Exercises 1
      • DVWA Exercises 2
      • DVWA Exercises 3
      • DVWA Exercises 4
      • DVWA Exercises 5
      • DVWA Exercises 6
      • DVWA Exercises 7
      • DVWA Exercises 8
  • CTF and Crypto Exercises
    • Cyberchef Challenge
    • HTB Invite Challenge
    • BSides London 2019 Challenge
    • Ninja Sec Challenge
  • Threat Intelligence
    • MISP Exercise 1
    • MISP Exercise 2
    • MISP Exercise 3
    • MISP Exercise 4
    • MISP Exercise 5
    • MISP Exercise 6
    • MISP Exercise 7
    • MISP Exercise 8
    • Virus Total Graph Exercise
    • RFI Incoming!
  • Forensic Exercises
    • Disk Forensics
      • The Sleuth Kit Intro
      • Filecarving with Foremost
      • Filecarving with scalpel
      • Bulk extractor
      • Disk acquisition with dd
      • Disk acquisition with dcfldd
      • Disk acquisition with ewftools
      • Disk acquisition with FTK Imager
      • Mount disk image (raw)
      • Unknown USB Stick
      • USB Stick Filecarving
      • Autopsy Exercise
    • Windows Forensics
      • Bitunlocker
      • Alternate Datastreams
    • Memory Forensics
      • Volatility2 Basics (Linux)
      • Volatility2 Exercise 1
      • Volatility3 Exercise 1
      • Volatility3 Exercise 2
      • Volatility3 Exercise 3
    • Image Forensics
      • Unswirl Image
      • Manual Filecarving 1
      • Manual Filecarving 2
    • Browser Forensics
    • Mail Header Analysis
    • Timestomping Exercise
    • Network Forensics
      • Tshark Exercise
  • Malware Analysis
    • Ransomware
      • General Introduction
      • Ryuk
      • RansomEXX
      • REvil
      • BlackMatter
      • Hades
      • Egregor
      • DoppelPaymer
    • YARA
      • YARA Install
      • yarGen
      • YARA with Cyberchef
      • TCP dump analysis
      • Memory dump analysis
    • Dosfuscated Scripts
  • Android Malware
    • LAB Setup 1
    • LAB Setup 2
    • Android Manifest
    • Android Permissions
    • APP Tracing with Frida
    • AES Key decryption
    • RedAlert
    • BlackRoseLucy
    • Crackme RE Challenge
  • Forensic Readiness
    • Windows Event Logs
    • Windows Sysmon
    • Sysmon: Capture Clipboard
    • Sysmon: Process Injection
    • Ransomware Detection
      • Signature based
  • Live Response
    • Velociraptor P1
    • Velociraptor P2
    • Velociraptor P3
    • Windows Response LAB
      • Lateral Movement Detection
      • Detect persistence
      • Volatility Analysis
Powered by GitBook
On this page
  • 1. Introduction
  • 2. Check image format type
  • 3. Check file system type
  • 4. Check mount directory
  • 5. List directories from the image
  • 6. Get the file name inside notes directory
  • 7. Retrieve the flag
  • 8. Summary

Was this helpful?

  1. Forensic Exercises
  2. Disk Forensics

The Sleuth Kit Intro

PreviousDisk ForensicsNextFilecarving with Foremost

Last updated 3 years ago

Was this helpful?

1. Introduction

In this lab, a disk image file “evidence.img” is provided in the home directory of the root user (/root/). Interact with the image using and answer the following questions:

  1. What is the image format type of the image?

  2. Which file system type is used in the image?

  3. Which directory was mounted most recently from the disk whose image is provided to us?

  4. List the names of the directories present on the image.

  5. What is the name of the file present in the notes directory?

  6. Retrieve the flag kept inside the flag.txt file.

2. Check image format type

Let's check first which filetypes are possible:

img_stat -i list

Check image format type:

img_stat -t evidence.img

Answer1:

It's the raw format

3. Check file system type

Let's check first which filesystem types are possible: fsstat -i raw -f list

Check Image file system type:

fsstat -i raw -t evidence.img

Answer 2:

It's the ext4 filesystem

4. Check mount directory

We can get more information about the filesystem with the following command:

fsstat -i raw -f ext4 evidence.img

Answer 3:

mount directory is /mnt/disk0

5. List directories from the image

To list the names of the directories we can use the following command:

fls -i raw -f ext4 evidence.img

Answer 4:

notes, photos, videos

6. Get the file name inside notes directory

To get the name of a specific file in the notes directory I use the following command:

fls -i raw -f ext4 evidence.img 12

Answer 5:

flag.txt

7. Retrieve the flag

Now I need to find a way to see what’s stored inside the file flag.txt

icat -i raw -f ext4 evidence.img 16 >flag.txt

Answer 6:

baa82c37e53e2886a8a1379f4e3c2999

8. Summary

The Sleuth Kit