Linux Forensics with Linux - CTF Walkthrough

Video Description

Cyber5W released a mini Linux Forensics capture the flag (CTF) as part of the Magnet User Summit 2022. [https://lfmus22.cyber5w.net/] It is open until the end of the year. And while there are no prizes, it is an excellent way to practice investigating Linux systems. The scenario is an internal policy violation. Each system has some suspect user activities. However, the questions only somewhat related to the scenario. Thank you to our Members and Patrons, but especially to our Investigators, TheRantingGeek, Roman, and Alexis Brignoni! Thank you so much! Instead of processing the forensic images with a tool like Autopsy, we mount the images with ewfmount, mmls, and mount. This gives us direct access to the suspect data. Then we chroot into the suspect root directory to see a "native view" of the suspect data. This makes investigations much easier. 00:00 Cyber5W Linux Forensics CTF 00:15 CTF Case Scenario 00:44 How this walkthrough works 01:11 Download images and setup 02:40 Verify Expert Witness Format File E01 with ewfverify 06:05 Mount the suspect disk image with ewfmount and mount 08:16 Get disk partition offsets with mmls and bc 10:44 Mount the partition based on disk offset with mount 12:18 Access the suspect system directly with chroot 14:04 MATE Q1 15:54 MATE Q2 18:25 MATE Q3 19:56 MATE Q4 22:58 MATE Q5 23:43 MATE Q6 25:48 Switching to the Kubuntu image 28:36 KUBUNTU Q1 30:01 KUBUNTU Q2 32:19 KUBUNTU Q3 33:58 KUBUNTU Q4 37:43 KUBUNTU Q5 40:29 Clean up and conclusions 🚀 Full Digital Forensic Courses → https://learn.dfir.science Links: * Linux CTF: https://lfmus22.cyber5w.net/ * Tsurugi Linux (to follow exactly): https://tsurugi-linux.org/ Related books: * 🔥🔥Practical Linux Forensics (https://amzn.to/3MMCjqY) * Digital Forensics with Open Source Tools (https://amzn.to/388dE1e) 010001000100011001010011011000110110100101100101011011100110001101100101 Get more Digital Forensic Science 👍 Subscribe → https://bit.ly/2Ij9Ojc ❤️ YT Member → https://bit.ly/DFIRSciMember ❤️ Patreon → https://www.patreon.com/dfirscience 🕸️ Blog → https://DFIR.Science 🤖 Code → https://github.com/DFIRScience 🐦 Follow → https://www.twitter.com/DFIRScience 📰 DFIR Newsletter → https://bit.ly/DFIRNews 010100110111010101100010011100110110001101110010011010010110001001100101 Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. Please link back to the original video. If you want to use this video for commercial purposes, please contact us first. We would love to see what you are doing.