Linux Forensics with Linux - CTF Walkthrough

Cyber5W released a mini Linux Forensics capture the flag (CTF) as part of the Magnet User Summit 2022 [https://lfmus22.cyber5w.net/]. It is open until the end of the year, and while there are no prizes, it is an excellent way to practice investigating Linux systems.

The scenario is an internal policy violation. Each system contains some suspicious user activity; however, the questions only loosely relate to the scenario.

Thank you to our Members and Patrons, but especially to our Investigators, TheRantingGeek, Roman, and Alexis Brignoni! Thank you so much!

Instead of processing the forensic images with a tool like Autopsy, we mount the images with ewfmount, mmls, and mount, which gives us direct access to the suspect data. Then we chroot into the suspect root directory to get a "native view" of the suspect system, which makes the investigation much easier.
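The mount sequence described above, as an added example that is not code from the walkthrough or from Cyber5W: the mmls-and-bc offset step is done as a shell function (with POSIX arithmetic in place of bc), and the ewfverify, ewfmount, mount and chroot steps are wrapped around it. The mmls output embedded below is constructed for the example, and the function and path names (partition_offset_bytes, mount_suspect_partition, /mnt/ewf) are assumptions.

```shell
#!/bin/sh
# Added example, not code from the walkthrough: the mmls -> bc step as a
# function, and the ewfverify -> ewfmount -> mount sequence around it.

# mmls output for a one-partition Linux disk. CONSTRUCTED for this example;
# it is not output from the CTF images.
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000999423   0000997376   Linux (0x83)'

# partition_offset_bytes <mmls output> <slot, e.g. 002>
# Reads the sector size from the "Units are in N-byte sectors" line and the
# Start column of the requested slot, and prints start * sector size (the
# number the video computes with bc; POSIX $(( )) arithmetic is used here).
partition_offset_bytes() {
    mmls_out=$1
    slot=$2
    sector_size=$(printf '%s\n' "$mmls_out" \
        | sed -n 's/^Units are in \([0-9]*\)-byte sectors$/\1/p')
    start=$(printf '%s\n' "$mmls_out" | awk -v s="$slot:" '$1 == s { print $3 }')
    [ -n "$sector_size" ] && [ -n "$start" ] || return 1
    # Drop the zero padding mmls prints, or the shell reads the number as octal.
    start=$(printf '%s' "$start" | sed 's/^0*//')
    echo $(( ${start:-0} * sector_size ))
}

# mount_suspect_partition <image.E01> <slot> <mount dir>
# The walkthrough's verify/mount sequence with the offset derived above.
# Needs root plus libewf (ewfverify, ewfmount) and The Sleuth Kit (mmls);
# the filesystem is mounted read-only so the evidence is not altered.
# Defined only; nothing in this file runs it.
mount_suspect_partition() {
    image=$1; slot=$2; mnt=$3
    ewfverify "$image" || return 1           # stored hashes must match
    mkdir -p /mnt/ewf "$mnt"
    ewfmount "$image" /mnt/ewf || return 1   # exposes the raw disk as /mnt/ewf/ewf1
    offset=$(partition_offset_bytes "$(mmls /mnt/ewf/ewf1)" "$slot") || return 1
    mount -o ro,loop,offset="$offset" /mnt/ewf/ewf1 "$mnt" || return 1
    echo "mounted slot $slot at $mnt (byte offset $offset); now: chroot $mnt /bin/bash"
}

# Slot 002 starts at sector 2048, so the offset is 2048 * 512 = 1048576.
partition_offset_bytes "$SAMPLE_MMLS" 002
```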

00:00 Cyber5W Linux Forensics CTF
00:15 CTF Case Scenario
00:44 How this walkthrough works
01:11 Download images and setup
02:40 Verify Expert Witness Format File E01 with ewfverify
06:05 Mount the suspect disk image with ewfmount and mount
08:16 Get disk partition offsets with mmls and bc
10:44 Mount the partition based on disk offset with mount
12:18 Access the suspect system directly with chroot
14:04 MATE Q1
15:54 MATE Q2
18:25 MATE Q3
19:56 MATE Q4
22:58 MATE Q5
23:43 MATE Q6
25:48 Switching to the Kubuntu image
28:36 KUBUNTU Q1
30:01 KUBUNTU Q2
32:19 KUBUNTU Q3
33:58 KUBUNTU Q4
37:43 KUBUNTU Q5
40:29 Clean up and conclusions
