Challenge Information
- Advent of Cyber Day 8
- THM link here
Explanation
This challenge focuses on how to use FTK Imager for basic disk forensics.
What is the malware C2 server
To find the C2 server, the first thing to do is to open the volume in FTK Imager and browse its file tree. After wandering around the volume, there is a secret.txt file that contains the information about the C2 server.
What is the file inside the deleted zip archive?
The file inside the deleted zip archive can be found in the same directory as secret.txt.
What flag is hidden in one of the deleted PNG files?
To start off, search the volume for the image files. After locating an image, switch to the hex view and use the Find feature to search for the flag using the flag format.
What is the SHA1 hash of the physical drive and forensic image?
To get the hash of the physical drive, right-click on the physical drive and click on verify file. The result will be the hash value of the physical drive, which is this question's answer.
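The two steps above (searching deleted PNG files for a flag-format string, and hashing the drive and its forensic image) can be reproduced in a few lines of Python on a raw dd-style image. The script below is an added example and is not part of the original writeup or of FTK Imager; the disk image, the PNG contents and the flag format `THM{...}` are constructed sample data, not the challenge files. Signature carving finds a PNG by its magic bytes and IEND trailer, which is why a file whose directory entry was deleted is still recoverable, and the chunked SHA1 shows the verification step: an image is only trustworthy when its hash equals the hash of the source drive.

```python
"""Carve PNG files out of a raw image, search them for a flag, and verify
the image hash against the source drive. Added example with constructed
data; not the challenge's files and not FTK Imager's own code."""
import hashlib
import re

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"          # PNG file signature
PNG_END = b"IEND\xaeB`\x82"               # IEND chunk type + its CRC
FLAG_RE = re.compile(rb"THM\{[^}]{1,64}\}")  # assumed flag format


def build_sample_image():
    """Construct a fake raw disk image: filesystem filler, one ordinary PNG,
    one 'deleted' PNG (no directory entry, bytes still on disk) that carries
    a flag in a text chunk, and more filler. Constructed sample data."""
    filler = bytes(range(256)) * 8
    png_header = PNG_MAGIC + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
    intact_png = png_header + PNG_END
    deleted_png = png_header + b"tEXtComment\x00THM{constructed_flag}" + PNG_END
    return filler + intact_png + filler + deleted_png + filler


def sha1_of_image(data, chunk_size=4096):
    """Hash in fixed-size chunks, the way a tool streams a multi-GB drive."""
    h = hashlib.sha1()
    for off in range(0, len(data), chunk_size):
        h.update(data[off:off + chunk_size])
    return h.hexdigest()


def verify_image(drive_bytes, image_bytes):
    """Verification as in the writeup: the image is good only when its hash
    equals the hash of the physical drive. Returns (match, drive_hash, image_hash)."""
    drive_hash = sha1_of_image(drive_bytes)
    image_hash = sha1_of_image(image_bytes)
    return drive_hash == image_hash, drive_hash, image_hash


def carve_pngs(data):
    """Return (offset, bytes) for every PNG signature..IEND span in the image.
    Works on deleted files too, because it never consults the directory."""
    results = []
    start = data.find(PNG_MAGIC)
    while start != -1:
        end = data.find(PNG_END, start)
        if end == -1:          # truncated file: no trailer after this header
            break
        end += len(PNG_END)
        results.append((start, data[start:end]))
        start = data.find(PNG_MAGIC, end)
    return results


def find_flags(data):
    """Run the flag-format search over each carved PNG, like the hex-view
    Find in FTK Imager but automated across every recovered file."""
    flags = []
    for off, png in carve_pngs(data):
        for m in FLAG_RE.finditer(png):
            flags.append((off + m.start(), m.group().decode()))
    return flags


if __name__ == "__main__":
    img = build_sample_image()
    ok, drive_hash, image_hash = verify_image(img, bytes(img))
    print("image matches drive:", ok, drive_hash)
    for off, flag in find_flags(img):
        print(f"flag at image offset 0x{off:x}: {flag}")
```

Against a real image, replace `build_sample_image()` with the bytes of the dd file (read it in chunks for large images). A single changed byte in the image makes `verify_image` return `False`, which is exactly what the drive/image hash comparison is meant to catch.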
Things I learned from the challenge
- Understanding the basics of FTK Imager and disk forensics