Tryhackme-Forensic Imaging-Writeup

Mohamed Ali
2 min read · Aug 1, 2024


Learn the basic concepts of forensic imaging.


Forensic Imaging Room

Task 1 Introduction

No Answer Needed

Task 2 Preparation

Q : What command can be used to list all block devices in Linux OS?

A : lsblk

Q : Which bash command displays all commands executed in a session?

A : history

Task 3 Creating a Forensic Image

No Answer Needed

Task 4 Integrity Checking

Q : What is the MD5 hash of the image “exercise.img” located in /home/analyst/?

A : 👇👇

user@tryhackme$ sudo md5sum exercise.img

Task 5 Other Types of Imaging

Q : Mount the image “exercise.img” located in the analyst home directory folder. What is the content of the file “flag.txt” located within exercise.img?

A : 👇👇

# Create a directory for mounting the image (root is needed under /mnt)
user@tryhackme$ sudo mkdir /mnt/thm

# Mount the image
user@tryhackme$ sudo mount -o loop /home/analyst/exercise.img /mnt/thm

# Read the content of flag.txt from the mounted image
user@tryhackme$ cat /mnt/thm/flag.txt

Task 6 Practical Exercise

Step 1: Create the Image

Assuming the loop device is /dev/loop0, the following command will create an image:

user@tryhackme$ sudo dc3dd if=/dev/loop0 of=thm2.img log=thm

Step 2: Calculate the MD5 Hash

Once the image is created, calculate its MD5 hash.

Q : Create an image of the attached 1gb loop device. What is the MD5 hash of the image?

A : 👇👇

user@tryhackme$ md5sum thm2.img
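
As an added example (not part of the original writeup or the TryHackMe room), the script below takes the Task 6 steps one further: it images a source, records its digests, and checks that the image still matches the source. It uses plain dd instead of dc3dd and a constructed scratch file in place of /dev/loop0; the function names and the SHA-256 digest alongside MD5 are assumptions of this example.

```shell
#!/bin/sh
# Added example: acquire an image, then prove it is bit-identical to the source.
# A constructed scratch file stands in for /dev/loop0 so no root is needed.

# Print "<md5> <sha256>" for a file or block device.
digests() {
    printf '%s %s\n' "$(md5sum < "$1" | cut -d' ' -f1)" \
                     "$(sha256sum < "$1" | cut -d' ' -f1)"
}

# Compare source and image digests; prints MATCH or MISMATCH.
verify_image() {
    if [ "$(digests "$1")" = "$(digests "$2")" ]; then
        echo MATCH
    else
        echo MISMATCH
    fi
}

# Image SRC to IMG, record the source digests beside it, make the image read-only.
acquire() {
    dd if="$1" of="$2" bs=1M 2>/dev/null || return 1
    digests "$1" > "$2.hashes"
    chmod a-w "$2"
}

demo() {
    work=$(mktemp -d) || return 1
    # Constructed sample "device": 2 MiB of zeros with a marker at offset 4096.
    dd if=/dev/zero of="$work/source.bin" bs=1M count=2 2>/dev/null
    printf 'constructed-sample' |
        dd of="$work/source.bin" bs=1 seek=4096 conv=notrunc 2>/dev/null
    acquire "$work/source.bin" "$work/copy.img"
    echo "after acquisition: $(verify_image "$work/source.bin" "$work/copy.img")"
    # Simulate one altered byte in the image; the digests must no longer agree.
    chmod u+w "$work/copy.img"
    printf 'X' | dd of="$work/copy.img" bs=1 seek=100 conv=notrunc 2>/dev/null
    echo "after alteration:  $(verify_image "$work/source.bin" "$work/copy.img")"
    rm -rf "$work"
}

demo
```

The `.hashes` file written next to the image holds the source digests taken at acquisition time, so the image can be re-checked later without access to the original device.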

Extract Flag

Q : Mount the image from the 1 GB loop device. What is the content of the file “flag.txt”?

A : 👇👇

user@tryhackme$ sudo mkdir /mnt/thm2
user@tryhackme$ sudo mount -o loop thm2.img /mnt/thm2
user@tryhackme$ cd /mnt/thm2
user@tryhackme$ ls -la
user@tryhackme$ cat flag.txt

Task 7 Conclusion

No Answer Needed
