Advent of Cyber 2023 — Day 8 Writeup with Answers by Karthikeyan Nagaraj | TryHackMe
2023-12-11 12:0:26 Author: infosecwriteups.com

TryHackMe — Disk Forensics [ Have a Holly, Jolly Byte ] — An employee finds a USB flash drive in the office parking lot. It contains dangerous malware. The team analyse the drive and try to recover a deleted file to perform further analysis

Karthikeyan Nagaraj

InfoSec Write-ups

The drama unfolds as the Best Festival Company and AntarctiCrafts merger wraps up! Tracy McGreedy, now a grumpy regional manager, secretly plans sabotage. His sidekick, Van Sprinkles, hesitantly kicks off a cyber attack — but guess what? Van Sprinkles is having second thoughts and helps McSkidy’s team bust McGreedy’s evil scheme!

Open FTK Imager and navigate to File > Add Evidence Item, select Physical Drive in the pop-up window, then choose our emulated USB drive "\\PHYSICALDRIVE2 - Microsoft Virtual Disk [1GB SCSI]" to proceed.

FTK Imager: User Interface (UI)

FTK Imager’s interface is intuitive and user-friendly. It displays an “x” icon next to deleted files and includes key UI components vital for its functionality. These components are:

  1. Evidence Tree pane: Displays a hierarchical view of the added evidence sources such as hard drives, flash drives, and forensic image files.
  2. File List pane: Displays a list of files and folders contained in the selected directory from the evidence tree pane.
  3. Viewer pane: Displays the content of selected files in either the evidence tree pane or the file list pane.

FTK Imager: Previewing Modes

FTK Imager presents three distinct modes for displaying file content, arranged sequentially from left to right, each represented by icons enclosed in yellow:

  1. Automatic mode: Selects the optimal preview method based on the file type. It utilises Internet Explorer (IE) for web-related files, displays text files in ASCII/Unicode, and opens unrecognised file types in their native applications or as hexadecimal code.
  2. Text mode: Allows file contents to be previewed as ASCII or Unicode text. This mode is useful for revealing hidden text and binary data in non-text files.
  3. Hex mode: Displays files in hexadecimal format, providing a detailed view of file data at the binary (or byte) level.

FTK Imager: Recovering Deleted Files and Folders

To view and recover deleted files, expand directories in the File List pane and Evidence Tree pane. Right-click and select Export Files on individual files marked with an "x" icon or on entire directories/devices for bulk recovery of files (whether deleted or not).

Prerequisites

  1. Start the TryHackMe VPN or the AttackBox.
  2. Start the machine.
  3. Connect to the remote machine using the credentials: use Remote Desktop Connection on Windows, or rdpclient on Linux.

1. What is the malware C2 server?

Open the deleted folder and click on the text file; you'll find the C2 server there.

Ans: mcgreedysecretc2.thm

2. What is the file inside the deleted zip archive?

Open the deleted zip file and you can see a program

Ans: JuicyTomaToy.exe

3. What flag is hidden in one of the deleted PNG files?

Click portrait.png → click Hex View → press Ctrl+F in the Hex pane and search for THM{

Ans: THM{byt3-L3vel_@n4Lys15}
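
The Hex-pane search shows that the flag is somewhere in the file's bytes, but not where in the PNG structure it sits. As an added example (not part of the original writeup), this Python script walks the chunks of a PNG and reports whether each `THM{...}` match lies inside a chunk or in data appended after IEND; `find_markers`, `png_chunk` and the sample bytes are constructed here for illustration.

```python
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
MARKER = re.compile(rb"THM\{[^}]{1,100}\}")

def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def find_markers(blob: bytes):
    """Return (offset, location, text) per match; location is the chunk type
    holding it, or 'trailing' for bytes after IEND / the last parseable chunk."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    regions, pos = [], len(PNG_SIG)
    while pos + 12 <= len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        ctype = blob[pos + 4:pos + 8]
        end = pos + 12 + length          # 4 length + 4 type + data + 4 CRC
        if end > len(blob):              # truncated chunk: stop parsing
            break
        regions.append((pos, end, ctype.decode("latin-1")))
        pos = end
        if ctype == b"IEND":
            break
    regions.append((pos, len(blob), "trailing"))
    hits = []
    for m in MARKER.finditer(blob):
        loc = next((name for s, e, name in regions if s <= m.start() < e), "unknown")
        hits.append((m.start(), loc, m.group().decode("latin-1")))
    return hits

# Constructed sample: 1x1 grayscale PNG with a tEXt chunk and appended bytes.
ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
SAMPLE = (PNG_SIG
          + png_chunk(b"IHDR", ihdr)
          + png_chunk(b"tEXt", b"Comment\x00THM{constructed_in_chunk}")
          + png_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
          + png_chunk(b"IEND", b"")
          + b"padding THM{constructed_after_iend}")

if __name__ == "__main__":
    for offset, where, text in find_markers(SAMPLE):
        print(f"0x{offset:06x}  {where:<8}  {text}")
```

To run it on a file exported from FTK Imager, pass the file's bytes to `find_markers` instead of `SAMPLE`.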

4. What is the SHA1 hash of the physical drive and forensic image?

Click on the Drive → File → Verify Drive/Image

Ans: 39f2dea6ffb43bf80d80f19d122076b3682773c2

Article source: https://infosecwriteups.com/advent-of-cyber-2023-day-8-writeup-with-answers-by-karthikeyan-nagaraj-tryhackme-03abbc82d724?source=rss----7b722bfd1b8d---4