# Flash

Category: Forensics
Points: 100
Description:

We were able to grab an image of a hard drive. Find out what's on it.

## Write-up

Based on the information provided, it appears that we will be dealing with an image of a flash hard drive, so I am expecting that I will be using forensic software to analyze the file.

My first step was to download the image file and examine it with the [SANS Investigative Forensic Toolkit](http://digital-forensics.sans.org/community/downloads). The SANS Investigative Forensic Toolkit (SIFT) is a virtual workstation created for incident response and digital forensics use and made available to the whole community as a public service.

The first step is to start the forensic application Autopsy installed on the SIFT.

Next we want to open a browser on the SIFT with the following URL, http://localhost:9999/autopsy, which will take us to the Autopsy main page.

Let's click New Case and populate the fields to create a new Autopsy case. Click New Case again to complete this step.

If this is the first time you have used Autopsy on this system, your screen will look like this. Simply leave the name as 'Hidden' and click Add Host.

If you have run Autopsy on this system before, simply click Add Host.

Populate the information and click Add Host again to complete this step.

Click Add Image.

Click Add Image File.

Enter the full location of the flash image file in the location field and click Next.

Leave the settings as they appear - Disk Image, Volume System Type (disk image only): dos. Click Ok.

Here we don't need to make any changes, just click Add.

Just click Ok.

On this screen we are going to click Analyze.

We want to start with a keyword search, so we click on the Keyword Search button.

We leave the default options, enter our search term of 'flag', and click Search.

We can see that quite a number of search results were returned (397 hits for the term 'flag'). Let's click on Keyword Search again and see if we can narrow our results by changing our search parameters.

Let's enter the search term 'flag{', hit Keyword Search, and compare the results to the previous search.

Now we can see that our results are much smaller: this time we only have one hit listed.

If we click on the Ascii link we can clearly see the flag - flag{b3l0w_th3_r4dar}

The flag recovered to solve this CTF is flag{b3l0w_th3_r4dar}
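Autopsy's keyword search is matching bytes anywhere in the raw image, allocated or not, which is why a bare term like 'flag' returns hundreds of hits and the literal prefix 'flag{' returns one. The following Python is an added example, not part of the original write-up: it reproduces that narrowing step over a constructed sample image (SAMPLE_IMAGE and the function names are my own), reading the image in chunks with an overlap so a hit that straddles a chunk boundary is still found exactly once.

```python
import io
import re
from typing import BinaryIO, Iterator, List, Tuple

# Constructed stand-in for the drive image: filler, many loose "flag" strings
# (the kind of noise behind the 397 hits in the write-up) and one real flag.
SAMPLE_IMAGE = (
    b"\x00" * 700
    + b"the flag register is set\n" * 40      # 40 loose 'flag' hits
    + b"\xff" * 333
    + b"readme.txt: flag{b3l0w_th3_r4dar}\n"  # the one real flag, at offset 2045
    + b"flags and more flags\n" * 10          # 20 more loose hits
    + b"\x00" * 500
)


def keyword_hits(img: BinaryIO, pattern: bytes, chunk: int = 1 << 20,
                 overlap: int = 256) -> Iterator[Tuple[int, bytes]]:
    """Yield (absolute offset, matched bytes) for every regex hit in a raw image.

    Reads `chunk` bytes at a time so a multi-GB image is never loaded whole. The
    last `overlap` bytes of each buffer are re-scanned with the next chunk, and a
    hit starting in that zone is reported only on the re-scan, so a hit crossing
    a boundary is found exactly once. `overlap` must exceed the longest hit.
    """
    regex = re.compile(pattern)
    tail, base = b"", 0          # carried-over bytes; absolute offset of buf[0]
    data = img.read(chunk)
    while data:
        nxt = img.read(chunk)    # look ahead: on the final buffer report everything
        buf = tail + data
        limit = len(buf) if not nxt else len(buf) - overlap
        for m in regex.finditer(buf):
            if m.start() < limit:
                yield base + m.start(), m.group()
        tail = buf[-overlap:] if nxt else b""
        base += len(buf) - len(tail)
        data = nxt


def hit_offsets(image: bytes, pattern: bytes) -> List[int]:
    # Small chunk so the sample image actually crosses several boundaries.
    return [off for off, _ in keyword_hits(io.BytesIO(image), pattern, chunk=1024, overlap=128)]


def find_flags(image: bytes) -> List[bytes]:
    # Narrowed search: literal 'flag{', a bounded body, then the closing brace.
    flag_re = rb"flag\{[^}\x00]{1,64}\}"
    return [hit for _, hit in keyword_hits(io.BytesIO(image), flag_re, chunk=1024, overlap=128)]
```

On the sample, `hit_offsets(SAMPLE_IMAGE, rb"flag")` returns 61 offsets while `rb"flag\{"` returns only `[2045]`, mirroring the 397-to-1 narrowing in Autopsy.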