Forensic Platforms
Last updated
Above we have explored techniques for image and audio files. Now we shall see how to investigate artifacts from a disk image. We shall briefly cover the use of the Autopsy tool to perform analysis on disk images. We will be using the Windows OS for this section.
Autopsy is an open source digital forensics platform used to analyze disk images, mobile devices and other digital media.
We start by opening a case. We may be given an .aut file for analysis. There is an option to add data sources if required.
In this guide we will focus on the Disk Image or VM File option. The supported formats are:
Raw Single: (For example: *.img, *.dd, *.raw, *.bin)
Raw Split: (For example: *.001, *.002, *.aa, *.ab, etc)
EnCase: (For example: *.e01, *.e02, etc)
Virtual Machines: (For example: *.vmdk, *.vhd)
Remember, Autopsy adds metadata about files to the local database, not the actual file contents.
We will be looking at an example of how Autopsy is used in CTFs. We will be using Windows for this example.
Sleuthkit Intro(PicoCTF):
Download the disk image. Open Autopsy and select a new case and follow instructions. Once it has loaded, open up the disk image. You should be seeing this.
If you are on Kali, you can use mmls (from The Sleuth Kit) to view the same partition table.
After this, connect to the portal given in the challenge and enter the number of the partition. The right one reveals the key, as you can see above.
Refer: https://otuva.medium.com/tryhackme-autopsy-walkthrough-a97468393a8a
Wireshark is a network protocol analyzer that we use to capture and inspect network traffic in real time. In CTF challenges it is used to analyze pre-recorded network traffic, which Wireshark stores in PCAP files.
Downloading Wireshark is easy. Visit their website and download the installer for your OS.
We will be using Wireshark in the example below.
Open up your file in Wireshark. You will see a number of TCP and HTTP packets listed.
Right-click one of the listed packets (preferably the first one) and follow its stream. A window pops up, and at the bottom right you can select which stream to view. Analyze each stream for any suspicious strings.
On the 5th one you should see something like this!
We can see what looks like a flag with { }, except that it is not in our usual picoCTF flag format. The string that we see is encrypted! On close observation, we see that PGS should have been CTF, which means the cipher is ROT13!
Simply copy and paste this text into an online ROT13 decoder to get your flag: picoCTF{p33kab00_1_s33_u_deadbeef}
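The same reasoning done in code, as an added example that is not part of the original guide: the stream text below is a constructed stand-in for what Follow TCP Stream shows (the flag is the page's, ROT13-encoded), and the shift is inferred from the PGS/CTF mismatch exactly as the text does, generalized to any Caesar rotation.

```python
import re

# Constructed sample of one reassembled TCP stream (what Wireshark's
# "Follow TCP Stream" pane would show); ROT13 of a plaintext HTTP reply.
SAMPLE_STREAM = (
    "GET /flag HTTP/1.1\r\nHost: example.test\r\n\r\n"
    "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
    "Gur synt vf: cvpbPGS{c33xno00_1_f33_h_qrnqorrs}\r\n"
)

# Anything that looks like NAME{...}, the usual CTF flag shape.
FLAG_RE = re.compile(r"[A-Za-z0-9_]+\{[^{}]+\}")


def rot(text: str, shift: int) -> str:
    """Caesar-shift ASCII letters only; digits and punctuation pass through."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def infer_shift(observed: str, expected: str):
    """Rotation that maps expected -> observed (CTF -> PGS gives 13), or None
    when the letters disagree on a single shift or the lengths differ."""
    if len(observed) != len(expected):
        return None
    shifts = {(ord(o.lower()) - ord(e.lower())) % 26
              for o, e in zip(observed, expected)}
    return shifts.pop() if len(shifts) == 1 else None


def recover_flag(stream: str, prefix: str = "picoCTF"):
    """Scan a stream for flag-shaped tokens and try all 26 rotations until one
    decodes to the expected prefix. Returns (decode_shift, flag) or None."""
    for candidate in FLAG_RE.findall(stream):
        for shift in range(26):
            plain = rot(candidate, shift)
            if plain.startswith(prefix + "{"):
                return shift, plain
    return None


if __name__ == "__main__":
    print(infer_shift("PGS", "CTF"))   # 13
    print(recover_flag(SAMPLE_STREAM))
```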
To familiarize yourself with Wireshark, refer to:
It's highly recommended that you pay a visit to
Wireshark doo dooo do (picoCTF):