Here is my write-up for the mini Linux forensics challenge. In this challenge, each participant received 2 E01 files (EnCase image files), which are Kubuntu disk images. At first I loaded the E01 image into FTK Imager, but I found it not so convenient to perform the investigation from there, so I thought of mounting the image on my Linux machine to make my life easier.
Therefore, after some google-fu and bash-fu, I managed to create a script to mount a Linux partition from an E01 image. \o/
RandomCodes/LinuxE01_mount.sh at master · ghoulgy/RandomCodes
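The linked script itself is not reproduced on this page, so here is an added example (my own code, not the author's script) of the arithmetic such a mount needs. The usual chain is: ewfmount exposes the E01 as a raw file (assumed here to be /mnt/ewf/ewf1), mmls from The Sleuth Kit lists the partitions in sectors, and the start sector multiplied by the sector size becomes the offset= option for a read-only loop mount. The mmls output below is a constructed sample, and the mount point /mnt/ewf_mount is taken from the paths used later in the write-up.

```python
import re
import shlex

# Constructed mmls output for a GPT disk exposed through ewfmount
# (not taken from the challenge image).
SAMPLE_MMLS = """\
GUID Partition Table (EFI)
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Safety Table
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  Meta      0000000001   0000000001   0000000001   GPT Header
003:  Meta      0000000002   0000000033   0000000032   Partition Table
004:  000       0000002048   0000999423   0000997376   EFI system partition
005:  001       0000999424   0041940991   0040941568   Linux filesystem
"""

# Only rows whose Slot column is numeric are real partitions; "Meta" and
# "-------" rows describe partition-table structures and free space.
ROW_RE = re.compile(r"^\d{3}:\s+(\d{3})\s+(\d+)\s+(\d+)\s+(\d+)\s+(.*?)\s*$")
UNITS_RE = re.compile(r"Units are in (\d+)-byte sectors")


def parse_mmls(text):
    """Return (sector_size, [partition dicts]) parsed from mmls output."""
    m = UNITS_RE.search(text)
    if not m:
        raise ValueError("sector size line not found in mmls output")
    sector_size = int(m.group(1))
    parts = []
    for line in text.splitlines():
        r = ROW_RE.match(line)
        if r:
            parts.append({
                "slot": int(r.group(1)),
                "start": int(r.group(2)),
                "end": int(r.group(3)),
                "length": int(r.group(4)),
                "desc": r.group(5),
            })
    return sector_size, parts


def byte_offset(sector_size, start_sector):
    """mount(8) wants the partition start in bytes, mmls reports sectors."""
    return sector_size * start_sector


def plan_mount(mmls_text, raw_image, target="/mnt/ewf_mount", desc_filter="Linux"):
    """Build (but do not run) the commands that mount, read-only, the first
    partition whose mmls description contains desc_filter."""
    sector_size, parts = parse_mmls(mmls_text)
    for p in parts:
        if desc_filter in p["desc"]:
            off = byte_offset(sector_size, p["start"])
            # ro: never write to evidence; noload: do not replay the ext4
            # journal on mount, which would otherwise modify the image.
            opts = f"ro,loop,noload,offset={off}"
            return [
                f"mkdir -p {shlex.quote(target)}",
                f"mount -o {opts} {shlex.quote(raw_image)} {shlex.quote(target)}",
            ]
    raise LookupError(f"no partition whose description contains {desc_filter!r}")


if __name__ == "__main__":
    # Example run against the constructed sample; ewfmount would have been
    # invoked first as: ewfmount image.E01 /mnt/ewf
    for cmd in plan_mount(SAMPLE_MMLS, "/mnt/ewf/ewf1"):
        print(cmd)
```

The script only prints the commands so it can be reviewed before anything touches the evidence; the noload option matters because a plain ro mount of an ext4 volume with a dirty journal can still attempt journal recovery.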
Let’s begin our investigation.
Q#1 What is the ID of the last boot?
There are only 3 user-1000 journal files that we need to inspect.
Use the command below to get the last boot timeline from each of the journal files:
journalctl --file <user-1000.journal> -o verbose --no-pager -n 1
user-1000.journal contains the latest boot timeline. We can further investigate the metadata output, and its _BOOT_ID can be found!
Q#2 How did the user install Google Chrome on MATE?
From .bash_history, the installation is through
Q#3 What date and time did the user install it?
I thought that it always starts with the date and time at the install line, but after looking through the sequence of a package install, the package installation always starts with the archive unpack first.
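To show the sequence the paragraph describes, here is an added example (my code, not the author's) that walks a dpkg log and pairs each install line with the "startup archives unpack" line that began that run, so the reported install time is the unpack timestamp rather than the later install or configure line. The page does not name the file it reads; /var/log/dpkg.log and its "YYYY-MM-DD HH:MM:SS action args" line shape are assumed, and the log excerpt is constructed.

```python
import re
from datetime import datetime

# Constructed /var/log/dpkg.log excerpt (not from the challenge image).
# Two packages are installed in two separate dpkg runs.
SAMPLE_DPKG_LOG = """\
2020-11-10 21:13:50 startup archives unpack
2020-11-10 21:13:51 install libexample1:amd64 <none> 1.0-1
2020-11-10 21:13:51 status half-installed libexample1:amd64 1.0-1
2020-11-10 21:13:52 status unpacked libexample1:amd64 1.0-1
2020-11-10 21:13:52 startup packages configure
2020-11-10 21:13:52 configure libexample1:amd64 1.0-1 <none>
2020-11-10 21:13:53 status installed libexample1:amd64 1.0-1
2020-11-10 21:14:02 startup archives unpack
2020-11-10 21:14:03 install google-chrome-stable:amd64 <none> 1.2.3.4-1
2020-11-10 21:14:03 status half-installed google-chrome-stable:amd64 1.2.3.4-1
2020-11-10 21:14:05 status unpacked google-chrome-stable:amd64 1.2.3.4-1
2020-11-10 21:14:05 startup packages configure
2020-11-10 21:14:05 configure google-chrome-stable:amd64 1.2.3.4-1 <none>
2020-11-10 21:14:06 status installed google-chrome-stable:amd64 1.2.3.4-1
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) (.*)$")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def package_name(field):
    """'google-chrome-stable:amd64' -> 'google-chrome-stable'."""
    return field.split(":")[0]


def install_events(text):
    """One record per 'install' line: package, timestamp of the
    'startup archives unpack' that opened the run, the install line's own
    timestamp, and the 'status installed' timestamp that completed it."""
    events = []
    unpack_ts = None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, action, args = parse_ts(m.group(1)), m.group(2), m.group(3)
        if action == "startup" and args == "archives unpack":
            unpack_ts = ts                      # start of a new dpkg run
        elif action == "install":
            events.append({
                "package": package_name(args.split()[0]),
                "unpack": unpack_ts,
                "install": ts,
                "installed": None,
            })
        elif action == "status" and args.startswith("installed "):
            pkg = package_name(args.split()[1])
            # Close the most recent still-open record for this package.
            for e in reversed(events):
                if e["package"] == pkg and e["installed"] is None:
                    e["installed"] = ts
                    break
    return events


def install_start(text, package):
    """Timestamp at which the dpkg run that installed `package` began."""
    for e in install_events(text):
        if e["package"] == package:
            return e["unpack"]
    return None


if __name__ == "__main__":
    for e in install_events(SAMPLE_DPKG_LOG):
        print(f"{e['package']}: unpack {e['unpack']} -> installed {e['installed']}")
```

Keeping the unpack, install and installed timestamps side by side makes it obvious which one a question such as "when was it installed" is asking for, and the few seconds between them are exactly the discrepancy the paragraph describes.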
Q#4 The name of a repository from which more than one extra application was installed?
The answer is in
Q#5 What is the name of the desktop session?
We have to find the value of XDG_CURRENT_DESKTOP, which can be found inside
Q#6 What was the name of the suspicious domain the user visited from MATE?
In /mnt/ewf_mount/home/user1/.mozilla/firefox/qkpl6zix.default-release, there is a file called places.sqlite which contains the browsing history of the current user. It can be opened using
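As an added example (mine, not the author's), the following shows what the query against places.sqlite looks like in code: Firefox keeps URLs in moz_places and individual visits in moz_historyvisits, with timestamps in PRTime (microseconds since the Unix epoch). To keep it runnable offline, the block builds a reduced in-memory stand-in for the database with constructed rows; the real schema has many more columns, and the example domains are placeholders.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def prtime_to_utc(us):
    """PRTime is microseconds since the Unix epoch; avoid float rounding."""
    return EPOCH + timedelta(microseconds=us)


def build_sample_places():
    """Constructed, reduced stand-in for places.sqlite (not the challenge's
    database): only the columns the history query needs."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE moz_places (
            id INTEGER PRIMARY KEY, url TEXT, title TEXT,
            visit_count INTEGER, last_visit_date INTEGER);
        CREATE TABLE moz_historyvisits (
            id INTEGER PRIMARY KEY, from_visit INTEGER, place_id INTEGER,
            visit_date INTEGER, visit_type INTEGER);
    """)
    base = 1_605_000_000 * 1_000_000            # 2020-11-10 09:20:00 UTC
    places = [
        (1, "https://www.example.com/", "Example Domain", 2, base + 600_000_000),
        (2, "https://downloads.example.net/chrome.deb", "Download", 1, base + 120_000_000),
        (3, "http://update-check.example.org/login", "Sign in", 1, base + 300_000_000),
    ]
    visits = [                                  # (id, from_visit, place_id, visit_date, type)
        (1, 0, 1, base, 1),
        (2, 1, 2, base + 120_000_000, 1),
        (3, 0, 3, base + 300_000_000, 1),
        (4, 0, 1, base + 600_000_000, 1),
    ]
    con.executemany("INSERT INTO moz_places VALUES (?,?,?,?,?)", places)
    con.executemany("INSERT INTO moz_historyvisits VALUES (?,?,?,?,?)", visits)
    return con


def history(con):
    """Chronological list of (utc_time, hostname, url, title) per visit.
    Joining on the visits table gives every visit, not just the last one
    per URL that moz_places.last_visit_date would show."""
    rows = con.execute("""
        SELECT v.visit_date, p.url, p.title
        FROM moz_historyvisits v
        JOIN moz_places p ON p.id = v.place_id
        ORDER BY v.visit_date
    """).fetchall()
    return [(prtime_to_utc(ts), urlparse(url).hostname, url, title)
            for ts, url, title in rows]


def hosts_by_first_visit(con):
    """Map each hostname to the time it was first visited, for triage."""
    first = {}
    for when, host, _url, _title in history(con):
        first.setdefault(host, when)
    return first


if __name__ == "__main__":
    con = build_sample_places()
    for when, host, url, title in history(con):
        print(when.isoformat(), host, url, title)
```

On a real profile, open a copy rather than the original (and copy places.sqlite-wal alongside it if present, or the newest visits will be missing), e.g. sqlite3.connect("file:places.sqlite?mode=ro", uri=True); the same join can be typed straight into the sqlite3 shell or DB Browser for SQLite.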
Q#1 How did the user install Google Chrome, and on what date and time?
From .bash_history, Chrome is installed via
Q#2 How did the device go to sleep?
The lid-closed action is mentioned right before the PC suspends/sleeps.
Q#3 How many privileged commands did the user run?
Check auth.log, and you can find 6 commands run as the privileged user (root).
Or, in the journal/ folder, look for any system* journal file and grep for
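An added example (my code, not the author's) of counting those privileged commands from auth.log, written so that it does not overcount: sudo logs a COMMAND= line both for commands it ran and for ones it refused ("3 incorrect password attempts", "command not allowed"), and it also records the target account, which is not always root. The log excerpt is constructed; the hostname, user and commands are placeholders.

```python
import re
from collections import Counter

# Constructed auth.log excerpt (not from the challenge image). sudo's
# default log line: "<user> : [<failure reason> ;] TTY=.. ; PWD=.. ; USER=.. ; COMMAND=.."
SAMPLE_AUTH_LOG = """\
Nov 10 21:13:40 kubuntu sudo:    user1 : TTY=pts/0 ; PWD=/home/user1 ; USER=root ; COMMAND=/usr/bin/apt update
Nov 10 21:13:40 kubuntu sudo: pam_unix(sudo:session): session opened for user root by user1(uid=0)
Nov 10 21:13:55 kubuntu sudo: pam_unix(sudo:session): session closed for user root
Nov 10 21:14:01 kubuntu sudo:    user1 : TTY=pts/0 ; PWD=/home/user1/Downloads ; USER=root ; COMMAND=/usr/bin/dpkg -i google-chrome-stable_current_amd64.deb
Nov 10 21:15:12 kubuntu sudo:    user1 : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/user1 ; USER=root ; COMMAND=/usr/sbin/visudo
Nov 10 21:16:03 kubuntu sudo:    user1 : TTY=pts/0 ; PWD=/home/user1 ; USER=root ; COMMAND=/usr/bin/systemctl status ssh
Nov 10 21:17:30 kubuntu sudo:    user1 : TTY=pts/1 ; PWD=/home/user1 ; USER=www-data ; COMMAND=/usr/bin/id
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : (?P<rest>.*)$"
)


def sudo_commands(text):
    """Parse every sudo COMMAND= line into a dict; pam_unix session lines
    carry no command and are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or "COMMAND=" not in m.group("rest"):
            continue
        kv, failure = {}, None
        for field in m.group("rest").split(" ; "):
            if "=" in field:
                k, v = field.split("=", 1)
                kv[k] = v
            else:
                failure = field         # e.g. "3 incorrect password attempts"
        events.append({
            "ts": m.group("ts"),
            "user": m.group("user"),
            "target": kv.get("USER"),
            "tty": kv.get("TTY"),
            "command": kv.get("COMMAND"),
            "failure": failure,          # None means sudo actually ran it
        })
    return events


def count_privileged(text, target="root"):
    """Commands sudo really executed as `target`; refused attempts excluded."""
    return sum(1 for e in sudo_commands(text)
               if e["failure"] is None and e["target"] == target)


def count_refused(text):
    return sum(1 for e in sudo_commands(text) if e["failure"] is not None)


def commands_per_user(text):
    return Counter(e["user"] for e in sudo_commands(text) if e["failure"] is None)


if __name__ == "__main__":
    for e in sudo_commands(SAMPLE_AUTH_LOG):
        status = "REFUSED: " + e["failure"] if e["failure"] else "ran"
        print(f"{e['ts']} {e['user']} -> {e['target']}: {e['command']} [{status}]")
    print("privileged (root) runs:", count_privileged(SAMPLE_AUTH_LOG))
```

A plain grep for COMMAND= over this sample returns 5 lines, while the number of commands actually executed as root is 3; the difference is why the failure reason and the USER= field are kept in the parsed record. The same message text appears in the system journal's MESSAGE= field, so the parser can be fed journalctl output as well.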
Q#4 What application was used to open the Top devices file?
When it comes to applications, we may look around in
Top devices can be found in
Q#5 What was the UUID of the main root volume?
It can be found in
Here is the list of folders/files which contain the answers for this challenge.
Magnet Weekly CTF - Week 5 - Had-A-Loop Around the Block
How to Use journalctl to Read Linux System Logs