Statement You are invited to an interview for a forensics investigator position at the NSA. For your first technical evaluation they ask you to analyze this file. Prove to them that you’re a fitting candidate for this job. Download Evidence File Extract evidence file ch16.zip after this you will get e01 format file of evidence. Now mount this image file First install this tool for this task git clone https://github.com/ANSSI-FR/bmc-tools.git cd bmc-tools now move your evidence file in this folder sudo apt install ewf-tools ewf-tools is a powerful suite of utilities designed for working with EnCase Evidence Files (E01). These files, used in digital forensics, capture bit-for-bit copies of storage devices and are commonly used to preserve and analyze evidence in forensic investigations. ewf-tools provides essential functionalities for mounting, extracting, verifying, and analyzing EnCase .E01 files, enabling investigators to handle these forensic images efficiently and securely. The key utilities in the ewf-tools package allow users to mount .E01 images as virtual file systems, convert them to raw disk images for further analysis, verify their integrity, and retrieve metadata about the files. These tools support working with compressed and segmented .E01 files, making them indispensable for digital forensic professionals. Whether you need to access the contents of a forensic image, extract raw data for deeper analysis, or ensure the integrity of critical evidence, ewf-tools provides a versatile and reliable set of tools for handling EnCase forensic images across different platforms, including Linux, macOS, and Windows. Key Features: Common Tools in ewf-tools: By offering a robust set of tools for handling EnCase Evidence Files, ewf-tools is an invaluable resource for anyone involved in forensic investigations, enabling them to manage and analyze digital evidence effectively. mkdir bcache24bmc./bmc-tools.py -s bcache24.bmc -d bcache24bmc/ -v now go to this folder bcache24bmc and check all image carefully and find flag. Flag – RdP_l3av3s_Trac3S
Find the Cat – Root ME CTF Forensic
The president’s cat was kidnapped by separatists. A suspect carrying a USB key has been arrested. Berthier, once again you have to save the Republic! Analyze this key and find out in which city the cat is retained! The md5sum of the archive is edf2f1aaef605c308561888079e7f7f7. Input the city name in lowercase. Download evidence file and run these commands. First of all, we will get information about evidence. Command: file chall9 Command: fdisk -l chall9 Write the partition as separate image Command: dd if=chall9 of=chall9_p1 bs=512 skip=2048 count=260096 Mount the image: Command: sudo mount chall9_p1 /dev/disk Command: ls /dev/disk Command: ls /dev/disk/Documentations Command: sudo umount /dev/disk Alas. Maybe deleted? Command: testdisk chall9_p1 enter – enter – enter – list – enter Select Files and Enter select this file – -rwxr-xr-x 0 0 2341273 23-Jul-2013 04:20 revendications.odt press c for copy this file and select location and press again c for paste than press q for exit go to save location and go to file folder now extract this file – revendications.odt Command: unzip revendications.odt after extract go to picture folders rename this image name any and upload to this website or use exiftool for extract information command: mv 1000000000000CC000000990038D2A62.jpg cat.jpg upload this image to this website – https://www.pic2map.com We have got the address – 1, Rue Principale, Helfrantzkirch, Mulhouse, Haut-Rhin, Grand Est, Metropolitan France, 68510, France Flag – helfrantzkirch
Command & Control – level 2 – Root ME
Congratulations Berthier, thanks to your help the computer has been identified. You have requested a memory dump but before starting your analysis you wanted to take a look at the antivirus’ logs. Unfortunately, you forgot to write down the workstation’s hostname. But since you have its memory dump you should be able to get it back! The validation flag is the workstation’s hostname. The uncompressed memory dump md5 hash is e3a902d4d44e0f7bd9cb29865e0a15de So, we need to Find workstations hostname from memory dump After installing this requirement, you need to extract your evidence file and run this command. python3 vol.py -f ch2.dmp windows.info.Info The Windows Registry is a database where Windows stores important settings for both the system and applications. A “registry hive” is a group of keys, subkeys, and values organized in this database. When we need to find the name of the workstation, we can look in these registry keys to find the information. python3 vol.py -f ch2.dmp windows.registry.hivelist.HiveList So, we can see /Registry/Machine/System so for this to work we need to print specific key, which is a path inside of this folder, so we are gonna use the plugin windows.registry.printkey.PrintKey, so we need to search for the key path that contain the computer name in google, so i found that its ‘ControlSet001\Control\ComputerName\ComputerName’so, as we have the offset and the key path, we can use the plugin to get the computer name! python3 vol.py -f ch2.dmp windows.registry.printkey.PrintKey –offset 0x8b21c008 –key ‘ControlSet001\Control\ComputerName\ComputerName’ Flag – WIN-ETSA91RKCFP Want to become a cybersecurity expert? Join A7 Security Hunters and start your journey to mastering cybersecurity!
Root Me: Deleted File Forensic Solution – A Step-by-Step Guide
Forensic analysis plays a crucial role in cybersecurity investigations, helping ethical hackers and security analysts recover lost or deleted data to uncover hidden evidence. One popular platform for practicing digital forensics is Root Me, which offers a variety of challenges, including Deleted File Forensic challenges. In this blog, we’ll walk you through solving a Deleted File Forensic challenge on Root Me, explaining key forensic techniques and tools used in real-world investigations. First, we need to initiate the challenge, which provides us with a downloadable file. According to the challenge statement, the file pertains to a USB drive, and our task is to identify its owner. so we can notice after we extracting the gz file that the file hasn’t extension, its just usb.image so, we need to perform forensic analysis using FTK Imager (you can download it from the highlight) we can find that it’s a file that we can use in FTK Imager to start forensic we can see that there is a usb.image in the file as we saw before, also there is mkfs.fat and it is used to create a FAT filesystem in an image file. so, we can export the usb.image to open it in FTK to see what its content. we need to search for something interesting that may lead to the flag, if we look at the root folder, we can see anonyme.png and it may contain the flag we need to convert it to text to see its content Flag – javier_turcot Become a Certified Digital Crime Investigator with A7 Security Hunters.
What is CTF in Cybersecurity? A Beginner’s Guide to Capture the Flag Challenges
Cybersecurity is an ever-evolving field that requires continuous learning and hands-on practice. One of the most engaging ways to develop and test ethical hacking skills is through Capture The Flag (CTF) competitions. These events allow security enthusiasts, professionals, and students to apply their knowledge in real-world hacking scenarios. In this blog, we’ll explore what CTF challenges are, their types, benefits, and how you can get started. What is CTF in Cybersecurity? Capture The Flag (CTF) is a type of cybersecurity competition where participants solve security-related tasks to retrieve a hidden flag (usually a string of text). These challenges simulate real-world cyber threats and vulnerabilities, helping ethical hackers sharpen their skills. Types of CTF Challenges Benefits of Participating in CTF Competitions Best CTF Practice Platforms If you’re looking to improve your ethical hacking skills, these CTF practice platforms offer challenges for all skill levels: How to Get Started with CTF? Conclusion CTF competitions are an exciting and valuable way to enhance your ethical hacking skills. Whether you’re a beginner or an experienced security professional, participating in CTF events can help you stay ahead in the cybersecurity field. Want to master ethical hacking and cybersecurity? Join our cybersecurity courses and ethical hacking with A7 Security Hunters and start your journey today!