Linux Forensics with Linux - CTF Walkthrough
Ғылым және технология
Cyber5W released a mini Linux Forensics capture the flag (CTF) as part of the Magnet User Summit 2022. [lfmus22.cyber5w.net/] It is open until the end of the year. And while there are no prizes, it is an excellent way to practice investigating Linux systems.
The scenario is an internal policy violation. Each system has some suspect user activities. However, the questions only somewhat related to the scenario.
Thank you to our Members and Patrons, but especially to our Investigators, TheRantingGeek, Roman, and Alexis Brignoni! Thank you so much!
Instead of processing the forensic images with a tool like Autopsy, we mount the images with ewfmount, mmls, and mount. This gives us direct access to the suspect data. Then we chroot into the suspect root directory to see a "native view" of the suspect data. This makes investigations much easier.
00:00 Cyber5W Linux Forensics CTF
00:15 CTF Case Scenario
00:44 How this walkthrough works
01:11 Download images and setup
02:40 Verify Expert Witness Format File E01 with ewfverify
06:05 Mount the suspect disk image with ewfmount and mount
08:16 Get disk partition offsets with mmls and bc
10:44 Mount the partition based on disk offset with mount
12:18 Access the suspect system directly with chroot
14:04 MATE Q1
15:54 MATE Q2
18:25 MATE Q3
19:56 MATE Q4
22:58 MATE Q5
23:43 MATE Q6
25:48 Switching to the Kubuntu image
28:36 KUBUNTU Q1
30:01 KUBUNTU Q2
32:19 KUBUNTU Q3
33:58 KUBUNTU Q4
37:43 KUBUNTU Q5
40:29 Clean up and conclusions
🚀 Full Digital Forensic Courses → learn.dfir.science
Links:
* Linux CTF: lfmus22.cyber5w.net/
* Tsurugi Linux (to follow exactly): tsurugi-linux.org/
Related books:
* 🔥🔥Practical Linux Forensics (amzn.to/3MMCjqY)
* Digital Forensics with Open Source Tools (amzn.to/388dE1e)
010001000100011001010011011000110110100101100101011011100110001101100101
Get more Digital Forensic Science
👍 Subscribe → bit.ly/2Ij9Ojc
❤️ YT Member → bit.ly/DFIRSciMember
❤️ Patreon → / dfirscience
🕸️ Blog → DFIR.Science
🤖 Code → github.com/DFIRScience
🐦 Follow → / dfirscience
📰 DFIR Newsletter → bit.ly/DFIRNews
010100110111010101100010011100110110001101110010011010010110001001100101
Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. Please link back to the original video. If you want to use this video for commercial purposes, please contact us first. We would love to see what you are doing.
Пікірлер: 17
Video is timestamped, explanations precise, asmr voice. Overall worth watching walk-through.
Another masterpiece from the legend. Thank You.
@DFIRScience
2 жыл бұрын
Haha! Thanks so much. Hope it was helpful!
Brilliant, learnt alot 🔥
@DFIRScience
2 жыл бұрын
Awesome!
Great piece
@DFIRScience
2 жыл бұрын
Thank you kindly
Best channel for digital forensics
@DFIRScience
2 жыл бұрын
Thank you so much!
How to acquire a linux system as an E01 Image file? when I use the dd (dc3dd or dfldd) command it becomes a RAW file.
Hi, your description states this would be open until the end of the year, but the link to the CTF seems down. (can't be reached - DNS_PROBE_FINISHED_NXDOMAIN).
More video about forensics some case please
could you share ctf files? because they are not available to download
One of the greatest forensic presentation. but in the part of mounting ..on my side i got an error "unknown filesystem type 'LVM2_member'."..any help please
@DFIRScience
2 жыл бұрын
I am releasing a video next week about how to deal with LVM2 - stay tuned!
Is this CTF could be done with Autopsy or Magnet Axiom?
@DFIRScience
Жыл бұрын
Anything really. I mostly used standard tools built into Linux.