Day 8

Disk forensics

Have a Holly, Jolly Byte!

This room is an introduction to FTK Imager.

FTK Imager is a forensic imaging tool that lets examiners acquire data from a drive and analyse it without altering the original evidence, preserving its authenticity and integrity so that it remains admissible in court. In practice the source drive is connected through a write blocker during acquisition, and the hashes computed at acquisition are recorded so the image can be verified later.

Task Objectives

Learn how to perform the following with FTK Imager:

  • Analyse digital artefacts and evidence.

  • Recover deleted digital artefacts and evidence.

  • Verify the integrity of a drive/image used as evidence.

What is the malware C2 server?

Browse the deleted .txt files in the evidence tree (FTK Imager marks deleted files with a red X over the file icon); the C2 server address is written in plain text in one of them.

[Screenshot: C2 server found in a deleted .txt file]
What is the file inside the deleted zip archive?

As with the previous question, locate the deleted zip archive in the evidence tree and look inside it; the file it contains is listed there. Even without expanding the archive, the entry name is visible in the hex view, because zip local file headers and the central directory store file names unencrypted.
What flag is hidden in one of the deleted PNG files?

Switch the viewer pane to hex view (the Hex viewer-mode button on the toolbar), then open each deleted PNG file and read through its bytes; the flag is stored as plain text inside the image file, where a normal image viewer would never display it.

[Screenshot: flag found in a deleted PNG file]
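Reading a PNG byte by byte is what the hex view does; the following script is an added example (not part of the original walkthrough and not FTK Imager code) that does the same job programmatically. It walks the PNG chunk list, checks each chunk's CRC, pulls the text out of any tEXt chunk and reports bytes appended after IEND, the two places plain text most commonly hides in an otherwise valid PNG. The sample image, its hiding place and the placeholder string `THM{constructed_sample}` are all constructed here; the page does not say where or how the room's flag was stored.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def build_sample_png(hidden_text):
    """Construct a minimal 1x1 PNG carrying a tEXt chunk (constructed sample data,
    not an image from the room)."""
    def chunk(ctype, data):
        body = ctype + data
        return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)

    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)      # 1x1 pixel, 8-bit RGB
    raw_scanline = b"\x00\xff\x00\x00"                       # filter byte + one red pixel
    idat = zlib.compress(raw_scanline)
    text = b"Comment\x00" + hidden_text.encode()              # tEXt layout: keyword NUL text
    return (PNG_SIGNATURE + chunk(b"IHDR", ihdr) + chunk(b"tEXt", text)
            + chunk(b"IDAT", idat) + chunk(b"IEND", b""))


def parse_png_chunks(data):
    """Walk the chunk list. Returns (chunks, trailing) where each chunk is
    (type, length, body, crc_ok) and trailing holds any bytes found after IEND."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    chunks = []
    trailing = b""
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data):                    # truncated chunk: stop cleanly
            break
        body = data[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
        crc_ok = crc == (zlib.crc32(ctype + body) & 0xFFFFFFFF)
        chunks.append((ctype.decode("ascii"), length, body, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":                                 # anything past IEND is not image data
            trailing = data[pos:]
            break
    return chunks, trailing


def find_hidden_text(data):
    """Return (where, text) pairs: tEXt chunk contents and any bytes appended after IEND."""
    chunks, trailing = parse_png_chunks(data)
    found = []
    for ctype, _, body, _ in chunks:
        if ctype == "tEXt":
            keyword, _, value = body.partition(b"\x00")
            found.append((keyword.decode("latin-1"), value.decode("latin-1")))
    if trailing:
        found.append(("after-IEND", trailing.decode("latin-1", errors="replace")))
    return found


if __name__ == "__main__":
    png = build_sample_png("THM{constructed_sample}")       # constructed placeholder, not the room's flag
    for ctype, length, _, crc_ok in parse_png_chunks(png)[0]:
        print(f"{ctype} len={length} crc_ok={crc_ok}")
    print(find_hidden_text(png))
    print(find_hidden_text(png + b"appended secret"))
```

A CRC that fails on an otherwise sane chunk is itself worth noting: either the file was damaged, or someone edited the chunk body by hand without recomputing the checksum.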
What is the SHA1 hash of the physical drive and forensic image?

Right-click the physical drive in the evidence tree and choose Verify Drive/Image. FTK Imager reads the whole drive, computes its MD5 and SHA1 hashes and, for a forensic image with stored hashes, compares them with the values recorded at acquisition; matching hashes show the image is a bit-for-bit copy of the original and is what gets recorded in the chain-of-custody paperwork.

[Screenshot: SHA1 hash of the physical drive]
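The same verification can be repeated outside FTK Imager, which is useful when an image is handed over and the receiving party wants an independent check. The script below is an added example, not code from the walkthrough or from FTK Imager: it streams a raw (dd-style) image through MD5 and SHA1, the two hashes FTK Imager reports, compares them with the values recorded at acquisition, and shows that a single changed byte breaks the match. The image bytes and the "acquisition" hashes are constructed in the script itself.

```python
import hashlib
import os
import tempfile


def hash_image(path, chunk_size=1 << 20):
    """Stream a raw image through MD5 and SHA1 without loading it into memory.
    Returns (md5_hex, sha1_hex)."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            md5.update(block)
            sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()


def verify_image(path, expected_md5, expected_sha1):
    """Compare freshly computed hashes with those recorded at acquisition.
    Comparison is case-insensitive because tools print hex in either case."""
    md5, sha1 = hash_image(path)
    return {
        "md5": md5,
        "sha1": sha1,
        "md5_match": md5.lower() == expected_md5.lower(),
        "sha1_match": sha1.lower() == expected_sha1.lower(),
    }


def write_constructed_image(data):
    """Write constructed sample bytes to a temp file standing in for a raw image;
    the caller removes it when done."""
    fd, path = tempfile.mkstemp(suffix=".dd")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


if __name__ == "__main__":
    sample = b"CONSTRUCTED-SAMPLE-IMAGE" * 4096       # stand-in for the acquired drive
    path = write_constructed_image(sample)
    md5_at_acq, sha1_at_acq = hash_image(path)       # what the acquisition log would record
    print("pristine:", verify_image(path, md5_at_acq, sha1_at_acq))
    with open(path, "r+b") as f:                     # flip one byte: the copy is no longer faithful
        f.seek(100)
        f.write(b"\x00")
    print("modified:", verify_image(path, md5_at_acq, sha1_at_acq))
    os.remove(path)
```

A mismatch does not tell you which byte changed, only that the image can no longer be vouched for; re-acquire from the original rather than working from the altered copy.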
