Advent of Cyber 2023 — Day 8 Writeup with Answers by Karthikeyan Nagaraj | TryHackMe
2023-12-11 12:0:26
Author: infosecwriteups.com(查看原文)
阅读量:11
收藏
TryHackMe — Disk Forensics [ Have a Holly, Jolly Byte ] — An employee finds a USB flash drive in the office parking lot. It contains dangerous malware. The team analyse the drive and try to recover a deleted file to perform further analysis
The drama unfolds as the Best Festival Company and AntarctiCrafts merger wraps up! Tracy McGreedy, now a grumpy regional manager, secretly plans sabotage. His sidekick, Van Sprinkles, hesitantly kicks off a cyber attack — but guess what? Van Sprinkles is having second thoughts and helps McSkidy’s team bust McGreedy’s evil scheme!
Open FTK Imager and navigate to File > Add Evidence Item, select Physical Drive in the pop-up window, then choose our emulated USB drive "\\PHYSICALDRIVE2 - Microsoft Virtual Disk [1GB SCSI]" to proceed.
FTK Imager: User Interface (UI)
FTK Imager’s interface is intuitive and user-friendly. It displays an “x” icon next to deleted files and includes key UI components vital for its functionality. These components are:
Evidence Tree pane: Displays a hierarchical view of the added evidence sources such as hard drives, flash drives, and forensic image files.
File List pane: Displays a list of files and folders contained in the selected directory from the evidence tree pane.
Viewer pane: Displays the content of selected files in either the evidence tree pane or the file list pane.
FTK Imager: Previewing Modes
FTK Imager presents three distinct modes for displaying file content, arranged sequentially from left to right, each represented by icons enclosed in yellow:
Automatic mode: Selects the optimal preview method based on the file type. It utilises Internet Explorer (IE) for web-related files, displays text files in ASCII/Unicode, and opens unrecognised file types in their native applications or as hexadecimal code.
Text mode: Allows file contents to be previewed as ASCII or Unicode text. This mode is useful for revealing hidden text and binary data in non-text files.
Hex mode: Displays files in hexadecimal format, providing a detailed view of file data at the binary (or byte) level.
FTK Imager: Recovering Deleted Files and Folders
To view and recover deleted files, expand directories in the File List pane and Evidence Tree pane. Right-click and select Export Files on individual files marked with an "x" icon or on entire directories/devices for bulk recovery of files (whether deleted or not).
Pre-Requesites
Start the TryHackMe’s VPN or Attack box
Start the Machine
Connect to the Remote machine using the Credentials. In windows Remote Desktop Connection. Use rdpclient for Linux
1. What is the malware C2 server?
Open the deleted folder and click on the text file, you’ll find the c2 server
Ans: mcgreedysecretc2.thm
2. What is the file inside the deleted zip archive?
Open the deleted zip file and you can see a program
Ans: JuicyTomaToy.exe
3. What flag is hidden in one of the deleted PNG files?
Click the portrait.png --> Click the Hex View → Click Ctrl+F on the Hex pane and search THM{
Ans: THM{byt3-L3vel_@n4Lys15}
4. What is the SHA1 hash of the physical drive and forensic image?