
YouTube

Linux Forensics with Linux - CTF Walkthrough

DFIRScience via YouTube

Overview

Dive into a comprehensive Linux forensics tutorial that walks you through a Capture The Flag (CTF) challenge focused on investigating internal policy violations. Learn how to mount and analyze forensic disk images with tools like ewfmount, mmls, and mount to gain direct access to the suspect's data. Explore how to verify Expert Witness Format (E01) image files, calculate the byte offset of a partition from its sector offset, and use chroot to run the suspect system's own utilities against its mounted filesystem. Follow along as the instructor tackles questions about both a MATE and a Kubuntu system, demonstrating practical forensic analysis skills applicable to real-world investigations. Gain hands-on experience in Linux forensics and enhance your ability to investigate suspicious user activity on Linux systems.

Syllabus

Cyber5W Linux Forensics CTF
CTF Case Scenario
How this walkthrough works
Download images and setup
Verify Expert Witness Format File E01 with ewfverify
Mount the suspect disk image with ewfmount and mount
Get disk partition offsets with mmls and bc
Mount the partition based on disk offset with mount
Access the suspect system directly with chroot
MATE Q1
MATE Q2
MATE Q3
MATE Q4
MATE Q5
MATE Q6
Switching to the Kubuntu image
KUBUNTU Q1
KUBUNTU Q2
KUBUNTU Q3
KUBUNTU Q4
KUBUNTU Q5
Clean up and conclusions
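The image-handling steps in the syllabus (verify the E01, expose it with ewfmount, read the partition table with mmls, turn the start sector into a byte offset, mount the partition read-only, chroot into it) form one procedure. The script below is an added example written for this page, not code from the video or from DFIRScience, showing that procedure as shell functions. The E01 file name `suspect.E01`, the mount points `/mnt/ewf` and `/mnt/suspect`, and the mmls partition table embedded in `MMLS_SAMPLE` are all assumptions or constructed data; the offset arithmetic runs against the sample so the script works without an image, while `mount_e01_partition` and `chroot_into_suspect` need root, libewf and The Sleuth Kit and are only invoked when you pass an image path on the command line.

```shell
#!/bin/sh
# Added example for the Class Central listing; not the video's own code.
# Workflow: ewfverify -> ewfmount -> mmls -> byte offset -> mount -o ro -> chroot.

# Constructed mmls output (the partition table is invented for this example),
# standing in for the output of `mmls /mnt/ewf/ewf1` on a real image.
MMLS_SAMPLE='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000999423   0000997376   Linux (0x83)
003:  000:001   0000999424   0004194303   0003194880   Linux Swap / Solaris x86 (0x82)'

# Sector size, parsed from the "Units are in N-byte sectors" header line.
mmls_sector_size() {
    sed -n 's/^Units are in \([0-9]*\)-byte sectors.*/\1/p'
}

# Start sector of the first partition whose Description column equals $1,
# e.g. "Linux (0x83)". Only numbered slot rows ("002:") are considered.
mmls_start_sector() {
    awk -v want="$1" '
        $1 ~ /^[0-9]+:$/ {
            desc = ""
            for (i = 6; i <= NF; i++) desc = desc (i > 6 ? " " : "") $i
            if (desc == want) { print $3 + 0; exit }
        }'
}

# Byte offset = start sector * sector size. The video does this with bc
# (echo "2048*512" | bc); POSIX shell arithmetic gives the same result.
partition_offset_bytes() {
    echo $(( $1 * $2 ))
}

# Verify the E01, expose it as a raw device file, and mount the Linux
# partition read-only at the computed offset. Requires root, libewf, sleuthkit.
# "noload" skips ext4 journal replay so the image is never written to;
# drop it for non-ext filesystems.
mount_e01_partition() {
    img=$1; ewf_mnt=${2:-/mnt/ewf}; part_mnt=${3:-/mnt/suspect}
    ewfverify "$img" || return 1
    mkdir -p "$ewf_mnt" "$part_mnt"
    ewfmount "$img" "$ewf_mnt" || return 1
    raw="$ewf_mnt/ewf1"                 # ewfmount exposes the image as ewf1
    table=$(mmls "$raw") || return 1
    ss=$(printf '%s\n' "$table" | mmls_sector_size)
    start=$(printf '%s\n' "$table" | mmls_start_sector "Linux (0x83)")
    off=$(partition_offset_bytes "$start" "$ss")
    mount -o ro,loop,noload,offset="$off" "$raw" "$part_mnt"
}

# Enter the mounted suspect filesystem. This executes the suspect's own
# binaries, so only do it inside a disposable analysis VM.
chroot_into_suspect() {
    chroot "${1:-/mnt/suspect}" /bin/bash
}

# Offline demonstration on the constructed table (no image or root needed).
ss=$(printf '%s\n' "$MMLS_SAMPLE" | mmls_sector_size)
start=$(printf '%s\n' "$MMLS_SAMPLE" | mmls_start_sector "Linux (0x83)")
echo "Linux partition starts at sector $start; byte offset $(partition_offset_bytes "$start" "$ss")"

# Real run: ./mount_suspect.sh suspect.E01
if [ -n "${1:-}" ]; then
    mount_e01_partition "$1" && chroot_into_suspect
fi
```

Unmount in the reverse order when finished (`umount /mnt/suspect`, then `umount /mnt/ewf`), and check that the mount was really read-only with `mount | grep /mnt/suspect` before relying on hashes of anything under it.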

Taught by

DFIRScience

