Forensics
What is Forensics?
In general, computer science professionals refer to "Digital Forensics" simply as
"Forensics". Digital Forensics is the field in cybersecurity that gathers and interprets
evidence after an incident, which may be a crime, to determine how it happened. This not
only helps law enforcement establish whether someone is innocent or guilty, but also
shows how to improve the security of a system that was successfully attacked. Digital
Forensics focuses on gathering evidence from computer devices that hold information
electronically. It is a branch of Forensic Science, which also investigates crimes in which
no computer media is involved.
Right-click on the file link provided in the challenge description and select "Copy
Address" or "Copy Link." Then, return to your webshell and use the wget command to
download the file. Your command should look something like this:
$ wget https://jupiter.challenges.picoctf.org/static/495d43ee4a2b9f345a4307d053b4d88d/file
This command downloads the file to your current directory in the webshell.
$ file file
If everything works correctly, the output should tell you that the file is "ASCII text, with
very long lines." This means it's a plain text file, and you can view its contents using the
cat command.
$ cat file
The output may look like gibberish, but don’t worry—that’s expected. Since this
challenge is not about cryptography, we’re likely looking for something specific hidden
in the text.
The challenge hint suggests using grep, a powerful tool in Linux that searches for
patterns within files. You can read more about it by using the man (manual) command:
$ man grep
But for now, we'll just use it directly. grep is ideal for finding specific text within large
amounts of data. In this case, we're searching for "picoCTF," which is likely part of the
flag:
$ grep picoCTF file
This command searches for "picoCTF" in the file and prints the line containing it,
which should include the flag.
$ file files.zip
You should see something like "Zip archive data," which indicates it's a compressed file.
Unzip it using:
$ unzip files.zip
Once unzipped, you'll notice a new directory called files. This challenge requires
finding a file whose name relates to secret.txt. Instead of manually searching
through all the directories, you can use the find command:
$ cd files
$ find . -name secret.txt
The output should show you the exact path to the file, something like:
./adequate_books/more_books/.secret/deeper_secrets/deepest_secrets/secret.txt
$ cd adequate_books/more_books/.secret/deeper_secrets/deepest_secrets/
$ ls -al
9. Viewing the File Contents
$ cat uber-secret.txt
With these skills, you're ready to try more difficult challenges. One option is this
challenge: https://play.picoctf.org/practice/challenge/322. Follow similar steps and apply
your newfound knowledge to solve it!
2. Disk Analysis
Disk analysis is a key skill for a forensics analyst. In this section, we'll explore how to
analyse disk images, which are digital copies of disks, using Sleuthkit tools. These tools
help us investigate the structure and content of disks in detail.
$ nc saturn.picoctf.net 52279
Follow the instructions in the challenge to learn how to use nc and solve the problem.
3. Disk Analysis with Sleuthkit: A Walkthrough
$ wget https://artifacts.picoctf.net/c/331/disk.flag.img.gz
$ gunzip disk.flag.img.gz
Use the mmls tool to view the partition table of the disk image, which will help you find
the main partition:
$ mmls disk.flag.img
Look for the largest partition labelled "Linux (0x83)"—this is likely the main partition.
Note the "Start" value, which you'll use to examine the partition.
Now, use the fls tool to list the files in the main partition. You'll need to provide the
start offset (from mmls) to view the files; replace <start> below with the "Start" value
you noted:
$ fls -o <start> disk.flag.img
This command lists the directories and files in the root of the main partition. The output
should show standard Linux directories like home, usr, root, etc.
To look inside a specific directory, like /root, find its inode number from the fls
output and use it in the next fls command:
$ fls -o <start> disk.flag.img <root-inode>
You should see files like flag.txt and flag.uni.txt. To read the contents of
flag.uni.txt, find its inode number in that listing and pass it to the icat tool:
$ icat -o <start> disk.flag.img <flag.uni.txt-inode>
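To see what mmls is actually reading when it prints the "Start" value, here is an added example (not part of the picoCTF material or Sleuthkit) that parses the four primary entries of a DOS/MBR partition table from a constructed 512-byte sector, picks the largest Linux (0x83) partition, and reports the sector offset that fls and icat expect after -o. The sample MBR and its partition values are constructed for the demonstration.

```python
import struct

SECTOR_SIZE = 512  # mmls reports partition starts and lengths in 512-byte sectors

# Partition-type labels as mmls prints them (subset; constructed lookup table)
PART_TYPES = {0x83: "Linux (0x83)", 0x0C: "Win95 FAT32 (0x0C)", 0x82: "Linux Swap (0x82)"}

def build_test_mbr():
    """Constructed test data (not the challenge image): a small FAT32 partition
    followed by a bootable Linux (0x83) partition, with the 0x55AA signature."""
    mbr = bytearray(SECTOR_SIZE)
    # (status, type, LBA start, LBA length); CHS fields are filled with 0xFFFFFE
    entries = [(0x00, 0x0C, 2048, 8192), (0x80, 0x83, 10240, 195584)]
    for i, (status, ptype, start, length) in enumerate(entries):
        off = 446 + 16 * i
        mbr[off:off + 16] = struct.pack("<B3sB3sII", status, b"\xff\xff\xfe",
                                        ptype, b"\xff\xff\xfe", start, length)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

def parse_mbr(img):
    """Parse the four 16-byte primary partition entries at offset 446, as mmls does."""
    if len(img) < SECTOR_SIZE or img[510:512] != b"\x55\xaa":
        raise ValueError("not a DOS/MBR partition table (bad boot signature)")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        status, _, ptype, _, start, length = struct.unpack("<B3sB3sII", img[off:off + 16])
        if ptype == 0 or length == 0:
            continue  # unused slot
        parts.append({"slot": i, "type": ptype,
                      "desc": PART_TYPES.get(ptype, f"type 0x{ptype:02x}"),
                      "start": start, "end": start + length - 1,
                      "length": length, "bootable": status == 0x80})
    return parts

def main_linux_partition(parts):
    """Largest 0x83 partition; its 'start' is the sector offset to pass to fls/icat -o."""
    linux = [p for p in parts if p["type"] == 0x83]
    return max(linux, key=lambda p: p["length"]) if linux else None

if __name__ == "__main__":
    parts = parse_mbr(build_test_mbr())
    for p in parts:  # same columns mmls prints: Slot, Start, End, Length, Description
        print(f"{p['slot']:02d}: {p['start']:010d} {p['end']:010d} {p['length']:010d} {p['desc']}")
    main = main_linux_partition(parts)
    print(f"byte offset {main['start'] * SECTOR_SIZE}; use: fls -o {main['start']} disk.flag.img")
```

On the real image, read the first 512 bytes of disk.flag.img into parse_mbr and compare the result with the mmls output; GPT-partitioned disks have a protective MBR and need a different parser.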
4. Advanced Challenges
● https://play.picoctf.org/practice/challenge/137
● https://play.picoctf.org/practice/challenge/285
If you get stuck, look for write ups online by searching for "Writeup, [challenge name],
picoCTF."