# Flash

Category: Forensics
Points: 100
Description: We were able to grab an image of a hard drive. Find out what's on it.
## Write-up

Based on the information provided it appears that we will be dealing with an image of a flash hard drive, so I am expecting to use forensic software to analyze the file.

My first step was to download the image file and examine it with the [SANS Investigative Forensic Toolkit](http://digital-forensics.sans.org/community/downloads). The SANS Investigative Forensic Toolkit (SIFT) is a virtual workstation created for incident response and digital forensics use and made available to the whole community as a public service.
The first step is to start the forensic application Autopsy, which is installed on the SIFT.

Next we open a browser on the SIFT with the URL http://localhost:9999/autopsy, which takes us to the Autopsy main page.

Click New Case and populate the fields to create a new Autopsy case. Click New Case again to complete this step.
If this is the first time you have used Autopsy on this system, your screen will show the default host name. Simply leave the name as 'Hidden' and click Add Host. If you have run Autopsy on this system before, simply click Add Host.

Populate the host information and click Add Host again to complete this step.

Enter the full location of the flash image file in the location field and click Next.

Leave the settings as they appear (Disk Image; Volume System Type (disk image only): dos) and click Ok.

On the next screen we don't need to make any changes, just click Add.

Finally, click Analyze.
We want to start with a keyword search, so we click the Keyword Search button.

We leave the default options, enter our search term 'flag' and click Search.

We can see that quite a number of search results were returned (397 hits for the term 'flag'). Let's click Keyword Search again and see if we can narrow our results by changing our search parameters.

Let's enter the search term 'flag{', hit Keyword Search, and compare the results to the previous search.

Now the result set is much smaller: this time we have only one hit listed.

If we click on the Ascii link we can clearly see the flag: flag{b3l0w_th3_r4dar}
The flag recovered to solve this CTF is flag{b3l0w_th3_r4dar}
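The same keyword search done outside Autopsy, as an added example that is not part of the original write-up or of Autopsy itself: the raw image is read in chunks and searched for the literal term 'flag', the narrowed 'flag{', and a complete flag{...} token, with a constructed byte string standing in for the real image so it runs offline.

```python
import io
import re
from typing import BinaryIO, Iterator

# Constructed stand-in for the flash image: filler bytes, three loose uses
# of the word "flag" and one flag-shaped token, as in the write-up's search.
SAMPLE_IMAGE = (
    b"\x00" * 40
    + b"zero flag set; carry flag clear; flag register saved\n"
    + b"\xff" * 40
    + b"readme.txt: the flag{s4mpl3_fl4g_h3r3} sits in slack space\n"
    + b"\x00" * 40
)
# Narrowed pattern with both braces, like the 'flag{' search that cut
# 397 hits down to one; the body length cap keeps it from running wild.
FLAG_PATTERN = rb"flag\{[^}\n]{1,80}\}"

def search_image(stream: BinaryIO, pattern: bytes, chunk_size: int = 1 << 20,
                 overlap: int = 256) -> Iterator[tuple[int, bytes]]:
    """Yield (absolute_offset, matched_bytes) for every regex hit in a raw
    image, reading it in chunks so a large image never sits in memory.
    Each chunk is prefixed with the last `overlap` bytes of the previous
    one so a hit straddling a chunk boundary is still found (overlap must
    cover the longest expected hit); offsets are deduplicated so a hit in
    the overlap region is reported once."""
    regex = re.compile(pattern)
    tail = b""
    base = 0  # absolute image offset of buf[0]
    seen = set()
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        buf = tail + chunk
        for m in regex.finditer(buf):
            off = base + m.start()
            if off not in seen:
                seen.add(off)
                yield off, m.group(0)
        tail = buf[-overlap:]
        base += len(buf) - len(tail)

def hit_count(data: bytes, pattern: bytes, **kw) -> int:
    """Number of hits for a pattern, the figure Autopsy lists per keyword."""
    return sum(1 for _ in search_image(io.BytesIO(data), pattern, **kw))

def find_flags(data: bytes, **kw) -> list[tuple[int, bytes]]:
    """Offsets and text of every flag{...} token in the image bytes."""
    return list(search_image(io.BytesIO(data), FLAG_PATTERN, **kw))
```

To run it against a real image, pass `open(path, "rb")` to `search_image` instead of the `io.BytesIO` wrapper.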