[CTF Series #12] Mini Linux Forensics — MUS22

Here is my write-up for the mini linux forensics challenge. In this challenge, each participant received 2 E01 files aka Encase image files, which are mate and kubuntu disk image. At first I was put the E01 image into FTKImager, but I found that it is not so convenient for me to perform investigation from there. So, I’m thinking of mounting the image in my Linux machine to make my life easier.

Therefore, after some google-fu and bash-fu, I managed to created a script to mount Linux partition from E01 image. \o/

Let’s begin our investigation.

MATE case

Q#1 What is the ID of the last boot?

There’s only 3 user-1000 journal file that we need to inspect.

Using the command below to last boot timeline for user-1000.

journalctl --file <user-1000.journal> -o verbose --no-pager -n 1

user-1000.journal contains the latest boot timeline. We can further investigate the metadata output and its _BOOT_ID can be found!

Q#2 How did the user install Google chrome on MATE?

Based on .bash_history , the installation is through apt command.

Q#3 What date and time did the user install it?

I thought that it always starts with the date time at line install, but after looking through the sequence of package install, the package installation will always starts with archive unpack first.

inside dpkg.log file.

Q#4 The name of a repository from which more than one extra application was installed from?

Answer is in .bash_history.

Q#5 What is the name of the desktop session?

We have to find the value of XDG_CURRENT_DESKTOP which can be find inside .xsession-errors.

Q#6 What was the name of the suspicious domain the user visited from MATE?

Inside folder /mnt/ewf_mount/home/user1/.mozilla/firefox/qkpl6zix.default-release, there is a file called places.sqlite which contains the browsing history of the current user. It can be open using sqlitebrowser.

Kubuntu case

Q#1 How did the user install Google chrome, date, time?

In .bash_history, Chrome is installed via dpkg

Q#2 How did the device go to sleep?

In auth.log.1, lid closed action is mentioned for before the PC suspend/sleep.

Q#3 How many privileged commands did the user run?

Look for sudo in auth.log and you can find 6 command runs with privileged user (root).

OR

In journal/ folder, look for any system* journal file and grep for USER=root

Q#4 What application was used to open the Top devices file?

When talks about application, we may look around things in .local folder.

Keyword Top devices can be found in .local/Kate

Q#5 What was the UUID of the main root volume?

It can be found in /etc/fstab.

Others

Here are the folder/file list which contains the answers for this challenge.

/var/log/dpkg.log*
/var/log/auth.log*
/home/user/.local/*
/home/user/.bash_history
/home/user/.xsession-error
/mnt/ewf_mount/home/user1/.mozilla/firefox/<rand_char>-release/etc/fstab

Scoreboard

References

--

--

--

Typical memes addict🐒 GitHub: https://github.com/ghoulgy 🍕Support my work: https://www.buymeacoffee.com/GhoulSec

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Day #16 with Workflows: Reading in and writing a JSON file to a storage bucket from a workflow

TotemFi’s Week in Review

Trip summary + productive day

What Does a Healthy and Compatible Relationship Look Like?

12 Things You Must Do to Land a Junior Web Developer Job

How to find Gender from a DataFrame of Names?

Server virtualization

Installing and Upgrading Ansible with *pip

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
GhouLSec

GhouLSec

Typical memes addict🐒 GitHub: https://github.com/ghoulgy 🍕Support my work: https://www.buymeacoffee.com/GhoulSec

More from Medium

picoCTF Write-up

Malware Sample Analysis 11–02–2022

TryHackMe Vulnuniversity Writeup

Attacktive Directory — THM