Overview
Dive into a comprehensive Linux forensics tutorial that walks you through a Capture The Flag (CTF) challenge focused on investigating internal policy violations. Learn how to mount and analyze forensic images using tools like ewfmount, mmls, and mount to gain direct access to suspect data. Explore techniques for verifying Expert Witness Format files, calculating disk partition offsets, and using chroot to view suspect data natively. Follow along as the instructor tackles questions related to both MATE and Kubuntu systems, demonstrating practical forensic analysis skills applicable to real-world scenarios. Gain hands-on experience in Linux forensics and enhance your ability to investigate suspicious user activities on Linux systems.
Syllabus
Cyber5W Linux Forensics CTF
CTF Case Scenario
How this walkthrough works
Download images and setup
Verify Expert Witness Format File E01 with ewfverify
Mount the suspect disk image with ewfmount and mount
Get disk partition offsets with mmls and bc
Mount the partition based on disk offset with mount
Access the suspect system directly with chroot
MATE Q1
MATE Q2
MATE Q3
MATE Q4
MATE Q5
MATE Q6
Switching to the Kubuntu image
KUBUNTU Q1
KUBUNTU Q2
KUBUNTU Q3
KUBUNTU Q4
KUBUNTU Q5
Clean up and conclusions
Taught by
DFIRScience