Forensics

Digital Forensics is a branch of forensic science focused on gathering and analyzing electronic evidence after cybersecurity incidents. The document outlines basic techniques in forensics, including file searching, disk analysis, and using tools like grep and Sleuthkit for challenges on picoCTF. It provides step-by-step instructions for solving various challenges related to digital forensics.

Uploaded by

Harsh Jethwani

FORENSICS

What is Forensics?
In general, computer science professionals refer to "Digital Forensics" simply as
"Forensics". Digital Forensics is the field of cybersecurity that gathers and
interprets evidence after an incident, which may be a crime, in order to determine how it
happened. This not only helps law enforcement when establishing whether someone is
innocent or guilty, but also shows how to improve the security of a system that was
successfully attacked. Digital Forensics focuses on gathering evidence held on computer
devices that store information electronically. It is a branch of Forensic Science, which
can also investigate any type of crime, even when no computer media is involved.

Basic Techniques of Forensics

1) Searching Strings and Filenames

1. Connecting to the picoCTF Webshell

Start by visiting the picoCTF webshell at https://webshell.picoctf.org/. Once connected,
open the problem you're working on in a separate tab. Let's start with the challenge at
this link: https://play.picoctf.org/practice/challenge/85.

2. Downloading the Challenge File

Right-click on the file link provided in the challenge description and select "Copy
Address" or "Copy Link." Then, return to your webshell and use the wget command to
download the file. Your command should look something like this:

$ wget https://jupiter.challenges.picoctf.org/static/495d43ee4a2b9f345a4307d053b4d88d/file

This command downloads the file to your current directory in the webshell.

3. Identifying the File Type

Before doing anything with the file, it’s a good idea to check what type of file it is. You
can do this with the file command. The first word references the file program, and
the second word is the name of the file you just downloaded:

$ file file

If everything works correctly, the output should tell you that the file is "ASCII text, with
very long lines." This means it's a plain text file, and you can view its contents using the
cat command.

4. Viewing the File Contents

Use the cat command to display the contents of the file:

$ cat file

The output may look like gibberish, but don’t worry—that’s expected. Since this
challenge is not about cryptography, we’re likely looking for something specific hidden
in the text.

5. Searching the File for the Flag Using grep

The challenge hint suggests using grep, a powerful tool in Linux that searches for
patterns within files. You can read more about it by using the man (manual) command:

$ man grep

But for now, we’ll just use it directly. grep is ideal for finding specific text within large
amounts of data. In this case, we’re searching for "picoCTF," which is likely part of the
flag.

$ egrep 'picoCTF' file

This command searches for "picoCTF" in the file and prints out the line containing it,
which should include the flag.

6. Trying Another Challenge

Now, let's try another challenge. Go to https://play.picoctf.org/practice/challenge/320
and download the zip file using the same method as before:

$ wget [download link]

After downloading, check the file type:

$ file files.zip

You should see something like "Zip archive data," which indicates it's a compressed file.
Unzip it using:

$ unzip files.zip

7. Finding a Specific File Using find

Once unzipped, you’ll notice a new directory called files. A challenge can require
finding a file named something related to secret.txt. Instead of manually searching
through all directories, you can use the find command.

Navigate to the files directory:

$ cd files

Then, use the find command to locate secret.txt:

$ find . -name secret.txt

The output should show you the exact path to the file, something like:

./adequate_books/more_books/.secret/deeper_secrets/deepest_secrets/secret.txt

8. Navigating to the File

Now, use the cd command to navigate through the directories:

$ cd adequate_books/more_books/.secret/deeper_secrets/deepest_secrets/

Finally, list the contents of the directory:

$ ls -al

9. Viewing the File Contents

To see the contents of uber-secret.txt, use the cat command:

$ cat uber-secret.txt

This should reveal the flag for this challenge.

10. Tackling a More Difficult Challenge

With these skills, you're ready to try more difficult challenges. One option is this
challenge: https://play.picoctf.org/practice/challenge/322. Follow similar steps and apply
your newfound knowledge to solve it!
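The grep and find steps above, combined into two small shell functions as an added example (this is not code from the original page or from picoCTF). The sample directory tree and the flag `picoCTF{constructed_example_flag}` are constructed here; the hidden `.secret` directory mirrors the layout the walkthrough describes, and `extract_flag` prints only the flag rather than the whole very long line.

```shell
#!/bin/sh
# Added example, not from the original page: pull a picoCTF-style flag out of a
# large text file and locate a file buried inside hidden (dot-prefixed) directories.

# Print only the flag-shaped substring instead of the entire (very long) line.
# Assumed flag format: picoCTF{ ... } with no nested braces.
extract_flag() {
    grep -oE 'picoCTF\{[^}]*\}' "$1" | head -n 1
}

# Find a regular file by name anywhere under a directory. find descends into
# dot-directories such as ./.secret, which a plain `ls` would not show.
locate_file() {
    find "$1" -type f -name "$2" 2>/dev/null | head -n 1
}

# Build a constructed sample: one long line of noise with a flag in the middle,
# stored under a nested hidden directory like the challenge's files/ tree.
build_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/adequate_books/more_books/.secret/deeper_secrets"
    target="$root/adequate_books/more_books/.secret/deeper_secrets/secret.txt"
    {
        i=0; while [ $i -lt 200 ]; do printf 'x9Kq2m'; i=$((i+1)); done
        printf 'picoCTF{constructed_example_flag}'   # constructed flag value
        i=0; while [ $i -lt 200 ]; do printf 'Zz7wQ'; i=$((i+1)); done
        printf '\n'
    } > "$target"
    echo "$root"
}

# Usage: run this file with "demo" as its argument.
if [ "${1:-}" = "demo" ]; then
    sample=$(build_sample)
    path=$(locate_file "$sample" secret.txt)
    echo "found: $path"
    echo "flag:  $(extract_flag "$path")"
    rm -rf "$sample"
fi
```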

2) Disk Analysis

1. Introduction to Disk Analysis

Disk analysis is a key skill for a forensics analyst. In this section, we'll explore how to
analyse disk images, which are digital copies of disks, using Sleuthkit tools. These tools
help us investigate the structure and content of disks in detail.

2. First Challenge: Getting Started with Sleuthkit

Let's start with a simple challenge on picoCTF:
https://play.picoctf.org/practice/challenge/301. This challenge introduces netcat (or
nc), which allows you to connect to a server to check your answers. The command looks
like this:

$ nc saturn.picoctf.net 52279

Here’s what each part means:

● nc: The command to run Netcat.
● saturn.picoctf.net: The server you’re connecting to.
● 52279: The port number on the server (this might differ for you).

Follow the instructions in the challenge to learn how to use nc and solve the problem.

3. Disk Analysis with Sleuthkit: A Walkthrough

Next, let’s dive into a more detailed challenge:
https://play.picoctf.org/practice/challenge/300. This challenge will help you understand
how to analyse a disk image using Sleuthkit tools.

Step 1: Download and Decompress the Disk Image

First, download the disk image file and decompress it:

$ wget https://artifacts.picoctf.net/c/331/disk.flag.img.gz
$ gunzip disk.flag.img.gz

Step 2: Analyse the Disk with mmls

Use the mmls tool to view the partition table of the disk image, which will help you find
the main partition:

$ mmls disk.flag.img

Look for the largest partition labelled "Linux (0x83)"—this is likely the main partition.
Note the "Start" value, which you'll use to examine the partition.

Step 3: List Files with fls

Now, use the fls tool to list the files in the main partition. You’ll need to provide the
start offset in sectors (the "Start" value from mmls) to view the files:

$ fls -o 360448 disk.flag.img

This command lists the directories and files in the root of the main partition. The output
should show standard Linux directories like home, usr, root, etc.

Step 4: Explore Specific Directories

To look inside a specific directory, like /root, find its inode number from the fls
output and use it in the next fls command:

$ fls -o 360448 disk.flag.img 1995

This might show files and subdirectories within /root. For example, you might find a
file called .ash_history and a directory called my_folder.

Step 5: Find the Flag

To find the flag, explore the contents of my_folder:

$ fls -o 360448 disk.flag.img 3981

You should see files like flag.txt and flag.uni.txt. To read the contents of
flag.uni.txt, use the icat tool:

$ icat -o 360448 disk.flag.img 2371

This will display the flag.
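The mmls / fls / icat sequence above, scripted as an added example (not code from the original page or from Sleuthkit). The embedded mmls output is a constructed sample modelled on the layout the walkthrough describes; `main_linux_start` picks the largest "Linux (0x83)" partition from that table, and the two wrapper functions only run if the Sleuthkit binaries are installed.

```shell
#!/bin/sh
# Added example, not from the original page: choose the main Linux partition
# from mmls output and feed its sector offset to fls and icat.

# Constructed mmls output (sample values, not copied from the real disk image).
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000206847   0000204800   Linux (0x83)
003:  000:001   0000206848   0000360447   0000153600   Linux Swap / Solaris x86 (0x82)
004:  000:002   0000360448   0000819199   0000458752   Linux (0x83)'

# Read mmls output on stdin and print the Start sector of the largest
# "Linux (0x83)" partition. mmls reports sectors and fls/icat -o take sectors,
# so the value is passed through unchanged. Fails if no such partition exists.
main_linux_start() {
    awk '/Linux \(0x83\)/ { if ($5 + 0 > max) { max = $5 + 0; start = $3 + 0 } }
         END { if (max > 0) print start; else exit 1 }'
}

# Recursively list every file in the chosen partition (fls -r), so hidden
# paths like /root/my_folder/flag.uni.txt appear without walking inode by inode.
list_partition() {   # $1 = image, $2 = sector offset
    command -v fls >/dev/null || { echo "fls not installed" >&2; return 2; }
    fls -r -o "$2" "$1"
}

# Dump one file's contents by inode number, as in the icat step.
read_inode() {       # $1 = image, $2 = sector offset, $3 = inode
    command -v icat >/dev/null || { echo "icat not installed" >&2; return 2; }
    icat -o "$2" "$1" "$3"
}

# Usage: ./script demo disk.flag.img  (requires Sleuthkit on PATH).
if [ "${1:-}" = "demo" ]; then
    img=${2:-disk.flag.img}
    off=$(mmls "$img" | main_linux_start)
    echo "main partition starts at sector $off"
    list_partition "$img" "$off" | grep -i flag
fi
```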

4. Advanced Challenges

If you're ready to explore further, try these additional challenges:

● https://play.picoctf.org/practice/challenge/137
● https://play.picoctf.org/practice/challenge/285

If you get stuck, look for write-ups online by searching for "Writeup, [challenge name],
picoCTF."
