Forensic Imaging: TryHackMe Writeup
In Digital Forensics, imaging is the process of creating an exact, bit-by-bit copy of digital storage media. This process ensures that all the data, including deleted files, hidden files, and unallocated space, is captured. By generating a forensic image, we preserve the original data, allowing for a thorough examination.
The primary goal of this process is to create a verifiable and reliable copy that can be used in investigations and legal proceedings. This process is crucial for maintaining the integrity of digital evidence, ensuring that the original data remains untouched and admissible in legal matters.
Furthermore, the process plays a critical role in maintaining the chain of custody, a crucial aspect of legal proceedings. By documenting the handling and transfer of digital evidence, we can demonstrate that the data has been preserved correctly and has not been tampered with, providing a reliable and transparent method for examining it.
Task 1: Introduction
Learning Objectives:
1. Learn the basics of the forensic imaging process
2. Explore different environment settings for imaging
3. Learn how to create a raw image from an attached device
4. Perform an integrity check of an image
No answer needed.
Task 2: Preparation
#2.1 What command can be used to list all block devices in Linux OS?
Answer: lsblk
#2.2 Which bash command displays all commands executed in a session?
Answer: history
Task 3: Creating a Forensic Image
No answer needed.
Task 4: Integrity Checking
#4.1 What is the MD5 hash of the image “exercise.img” located in /home/analyst/?
Answer: 1f1da616156f73083521478c334841bb
Task 5: Other Types of Imaging
#5.1 Mount the image “exercise.img” located in the analyst home directory folder. What is the content of the file “flag.txt” located within exercise.img?
Answer: THM{mounttt-mounttt-me}
Task 6: Practical Exercise
In this task you apply what you learnt throughout the room, and it is quite easy. First select the correct disk, the one that is 1 GB in size, by running lsblk -a. We find loop44 with a size of 1 GB.
Then create a bit-by-bit copy of the disk with the Linux dd tool or with dc3dd, an enhanced version of the UNIX dd command.
Next compute the md5sum of the created .img file, then mount the image and read "flag.txt".
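The Task 6 procedure above (copy the loop device bit for bit, hash the image, mount it read-only), as an added shell example that is not part of the writeup. Only the device path /dev/loop44 comes from the room; the function names and the constructed 1 MiB stand-in file used so the script runs without a real disk or root are assumptions.

```shell
#!/bin/sh
# Added example: image a device with dd, then verify the copy by hash.
# SRC is assumed to be a block device such as /dev/loop44 (found with lsblk);
# the constructed 1 MiB file below stands in for it so this runs without root.
set -u

# MD5 of a file, digest only (md5sum prints "digest  filename").
md5_of() {
  md5sum "$1" | cut -d' ' -f1
}

# Bit-for-bit copy. conv=noerror,sync keeps reading past bad sectors and pads
# each unreadable block with zeros so later offsets stay aligned. bs must divide
# the device size evenly, otherwise sync pads the final block and the image hash
# will no longer match the source hash.
image_device() {
  src="$1"; img="$2"
  dd if="$src" of="$img" bs=64K conv=noerror,sync 2>/dev/null
}

# Hash source and image; succeed only if they agree. The digest is printed either
# way so it can be recorded for the chain of custody.
verify_image() {
  src_hash=$(md5_of "$1")
  img_hash=$(md5_of "$2")
  echo "$img_hash"
  [ "$src_hash" = "$img_hash" ]
}

# Mount the image read-only via a loop device so analysis cannot alter it.
# Needs root and a filesystem inside the image; not exercised by the test.
mount_image_ro() {
  mkdir -p "$2"
  mount -o ro,loop "$1" "$2"
}

# Constructed stand-in for the evidence device: 1 MiB of zeros with a sample
# string planted at byte offset 4096 (no filesystem, so it cannot be mounted).
make_sample_device() {
  dd if=/dev/zero of="$1" bs=64K count=16 2>/dev/null
  printf 'THM{constructed-sample}\n' | dd of="$1" bs=1 seek=4096 conv=notrunc 2>/dev/null
}
```

On the room's machine the same flow is `image_device /dev/loop44 disk.img`, `verify_image /dev/loop44 disk.img`, then `mount_image_ro disk.img /mnt/evidence` as root.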
#6.1 Create an image of the attached 1gb loop device. What is the MD5 hash of the image?
Answer: 1fab86e499934dda789c9c4aaf27101d
#6.2 Mount the image from the 1 GB loop device. What is the content of the file “flag.txt”?
Answer: THM{well-done-imaginggggggg}
Task 7: Conclusion
No answer needed.
In this room, we learned the basics of forensic imaging, defined the main concepts, and worked through practical scenarios in which we imaged devices, mounted the images, and checked their integrity with hashing algorithms.