Hello, cyber enthusiasts! How are you doing, guys?
TryHackMe has released the task for day 8 of the Advent of Cyber 2023, so here I am with its walkthrough.
Throughout this walkthrough, you will dive deep into the ocean of FTK Imager and learn how to analyse digital artefacts and evidence, recover deleted artefacts and evidence, and verify the integrity of a drive/image used as evidence.
Disk Forensics
Disk forensics, also known as digital forensics or computer forensics, is a branch of forensic science that involves the identification, preservation, analysis, and presentation of digital evidence stored on computer hard drives or other storage media.
The primary goal of disk forensics is to uncover and investigate digital evidence related to computer crimes, cybersecurity incidents, or other legal matters.
FTK Imager
FTK Imager, developed by AccessData, is a forensic imaging software widely used in the field of digital forensics and computer investigations.
FTK stands for Forensic Toolkit, and FTK Imager is one component of the larger Forensic Toolkit suite.
FTK Imager is specifically designed for creating forensic images of computer data, allowing investigators to capture and preserve the state of digital evidence.
Digital forensic professionals and law enforcement agencies commonly use FTK Imager as part of their investigative toolkit to collect, preserve, and analyze digital evidence in a forensically sound manner.
It plays a crucial role in the investigation of cybercrime, computer security incidents, and other legal matters involving digital evidence.
How do I install FTK Imager?
To install FTK Imager, first search for ‘FTK Imager Download’ in Google.
You will get a few links; click on this one: https://www.exterro.com/ftk-product-downloads/ftk-imager-version-4-7-1
When the website loads, scroll down to Product Download and click Download Now. It will then ask you to fill in some details; fill them in.
When the download finishes, you will have an AccessData-FTK-Imager.exe file (the name may vary in your case). Double-click on it.
You’ll see a User Account Control window. Click Yes.
Working With FTK Imager
After installation, you will see the graphical user interface of the tool. In the left corner you will see the File menu. Click on it, and then click on ‘Add Evidence Item…’.
Select the physical drive and click next.
Select your preferred physical drive and click Finish.
Now, you are all set up. It’s time to explore the GUI and its usage.
FTK Imager: User Interface (UI)
Its GUI is very user-friendly and intuitive. Deleted files have a little red “x” next to them, and the panes that do the actual work are laid out in an easy-to-use design.
- Evidence Tree pane: Displays a hierarchical view of the added evidence sources, such as hard drives, flash drives, and forensic image files.
- File List pane: Displays a list of files and folders contained in the selected directory from the evidence tree pane.
- Viewer pane: Displays the content of selected files in either the evidence tree pane or the file list pane.
Three icons (enclosed in a yellow box in the screenshot) represent the three distinct modes for displaying file content, arranged from left to right as follows.
- Automatic mode: Selects the optimal preview method based on the file type. It utilises Internet Explorer (IE) for web-related files, displays text files in ASCII/Unicode, and opens unrecognised file types in their native applications or as hexadecimal code.
- Text mode: Allows file contents to be previewed as ASCII or Unicode text. This mode is useful for revealing hidden text and binary data in non-text files.
- Hex mode: Displays files in hexadecimal format, providing a detailed view of file data at the binary (or byte) level.
Search for Specific text
You can use Ctrl + F to search for specific text in the Viewer pane: press Ctrl + F, type what you want to search for, and click ‘Find’.
If the text is present in the file, you will see it highlighted.
If it is not present, it will display “String not found”. Click OK.
FTK Imager: Recovering Deleted Files and Folders
You’ll see a red ‘x’ icon on deleted files and folders. To recover a file or folder, select it, right-click, and then click on ‘Export Files…’.
You’ll see the export results. Click OK.
It’ll ask you for the path to store the file; choose your path, and that’s it.
FTK Imager: Verifying Drive/Image Integrity
To verify a drive’s or image’s integrity, select that drive/image in the Evidence Tree pane.
Then open the File menu and click Verify Drive/Image.
It’ll calculate the drive/image’s MD5 hash and SHA1 hash.
You can then calculate the hash of the exported files with any hash calculator tool and compare the values to verify the files’ integrity.
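The same check done outside the GUI, as an added example that is not part of the room or of FTK Imager: the image is hashed in one streaming pass with MD5 and SHA1 together, compared against the digests recorded at acquisition, and a single flipped byte is shown to break both. The file name and sample bytes are constructed.

```python
import hashlib
import io
import os
import tempfile

CHUNK_SIZE = 1024 * 1024  # 1 MiB blocks, so a multi-GB image never has to fit in RAM


def digest_stream(stream, algorithms=("md5", "sha1")):
    """Feed one pass over `stream` into every requested hashlib digest at once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for block in iter(lambda: stream.read(CHUNK_SIZE), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=("md5", "sha1")):
    """Hash an in-memory buffer, e.g. a file just exported from the image."""
    return digest_stream(io.BytesIO(data), algorithms)


def hash_file(path, algorithms=("md5", "sha1")):
    """Hash a drive image or an exported file on disk."""
    with open(path, "rb") as fh:
        return digest_stream(fh, algorithms)


def verify_file(path, expected):
    """Compare each computed digest with the value recorded at acquisition (case-insensitive).
    Returns {algorithm: matched?}; any False means the evidence changed since it was hashed."""
    computed = hash_file(path, tuple(expected))
    return {name: computed[name] == expected[name].strip().lower() for name in expected}


def demo():
    """Constructed scenario: hash a tiny fake image, then flip one byte and re-verify."""
    image = b"\x00" * 512 + b"evidence-sector" + b"\xff" * 512  # stand-in for a raw disk image
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "suspect.001")  # hypothetical image file name
        with open(path, "wb") as fh:
            fh.write(image)
        recorded = hash_file(path)            # what the Verify Drive/Image dialog would report
        before = verify_file(path, recorded)  # {'md5': True, 'sha1': True}
        with open(path, "r+b") as fh:         # simulate a single modified byte
            fh.seek(600)
            fh.write(b"\x01")
        after = verify_file(path, recorded)   # {'md5': False, 'sha1': False}
    return before, after
```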
Now let’s move on to the challenges. You have been given a machine; start it and click on ‘Show Split View’.
Once the machine is fully booted, you will see that FTK Imager is already downloaded there, so we can proceed to the questions.
What is the malware C2 server?
Looking for the malware C2 server, I didn’t find any file named like that. I saw a deleted file, secretchat.txt.
I exported it.
Then I opened the file.
Reading its content, I got to know that the C2 malware is good to go at mcgreedysecretc2.thm.
What is the file inside the deleted zip archive?
While going through the secretchat.txt file, we learned that there is a JuicyTomaTOY_final.zip file inside which the malware is hidden.
Export the zip file.
Then try to extract it.
We see that it’s password-protected. We don’t know the password, but the archive listing shows that the file inside is JuicyTomaTOY.exe. That’s the answer to this question.
What flag is hidden in one of the deleted PNG files?
I see two deleted PNG files in the File List pane: ‘wallpaper.png’ and ‘portrait.png’.
Select the deleted ‘wallpaper.png’ file and click on Hex view.
Then press Ctrl + F and search for “THM{”.
String not found. Click OK.
Let’s move to the portrait.png deleted file. Follow the same steps, and you’ll find the flag.
Our final flag is THM{byt3-L3vel_@n4Lys15}.
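The byte-level check behind that Ctrl + F, as an added example (not code from the room or from FTK Imager): it confirms the PNG signature, carves out whatever sits after the IEND chunk where image viewers stop reading, lists printable strings the way Text mode would, and reports the offset of a THM{…} token in both ASCII and UTF-16LE so it can be cross-checked in Hex view. The sample PNG and its flag are constructed.

```python
import re

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Constructed sample (not the room's file): a minimal PNG skeleton with a flag
# appended after the IEND chunk, which is where a normal decoder stops reading.
SAMPLE_PNG = (
    PNG_SIGNATURE
    + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 13 + b"\x00\x00\x00\x00"  # IHDR chunk, CRC zeroed for brevity
    + b"\x00\x00\x00\x00IEND\xaeB`\x82"                            # empty IEND chunk with its real CRC
    + b"THM{constructed_example_flag}"                              # trailing bytes after end of image
)


def is_png(data):
    """True if the buffer starts with the 8-byte PNG signature."""
    return data[:8] == PNG_SIGNATURE


def trailing_after_iend(data):
    """Bytes stored past the IEND chunk's CRC; decoders ignore them, so they are worth reading."""
    idx = data.find(b"IEND")
    if idx == -1:
        return b""
    return data[idx + 4 + 4:]  # skip the 4-byte chunk type and its 4-byte CRC


def find_text(data, needle):
    """Offsets where `needle` appears as ASCII or as UTF-16LE (Text mode shows both encodings)."""
    hits = []
    for encoding in ("ascii", "utf-16-le"):
        pattern = re.escape(needle.encode(encoding))
        hits.extend((m.start(), encoding) for m in re.finditer(pattern, data))
    return sorted(hits)


def printable_strings(data, min_len=4):
    """Runs of printable ASCII of at least `min_len` bytes, like the `strings` utility."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def find_flags(data):
    """Every THM{...} token in the buffer with its byte offset, for the Hex view cross-check."""
    return [(m.start(), m.group().decode("ascii")) for m in re.finditer(rb"THM\{[^}\x00]{1,80}\}", data)]
```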
What is the SHA1 hash of the physical drive and forensic image?
I’ve already shown the steps to find the hashes of any drive/image: select that drive/image and navigate to File > Verify Drive/Image.
The computed SHA1 hash is 39f2dea6ffb43bf80d80f19d122076b3682773c2.
Submit all the answers, and you are done for the day.
That’s all for this walkthrough.
If you face any issues, feel free to connect with me on LinkedIn and ask your doubts. I’ll be happy to help.
Check out our YouTube channel, Ethical Empire.
If you’re preparing for the CEH Practical Exam, don’t forget to check out our playlist, ‘CEH Practical Exam Preparation’.
Until next time, stay curious, stay secure, and keep exploring the fascinating world of cyber security.