Intro to Sleuthkit for Forensics (PicoCTF #39 'sleuthkit-apprentice')

14,186

560 0

Published 2022-04-27

Help the channel grow with a Like, Comment, & Subscribe!
❤️ Support ➡ j-h.io/patreon ↔ j-h.io/paypal ↔ j-h.io/buymeacoffee
Check out the affiliates below for more free or discounted learning!
🖥️ Zero-Point Security ➡ Certified Red Team Operator j-h.io/crto
💻Zero-Point Security ➡ C2 Development with C# j-h.io/c2dev
👨🏻‍💻7aSecurity ➡ Hacking Courses & Pentesting j-h.io/7asecurity
📗Humble Bundle ➡ j-h.io/humblebundle
🐶Snyk ➡ j-h.io/snyk

🌎Follow me! ➡ j-h.io/discord ↔ j-h.io/twitter ↔ j-h.io/linkedin ↔ j-h.io/instagram ↔ j-h.io/tiktok

📧Contact me! (I may be very slow to respond or completely unable to)
🤝Sponsorship Inquiries ➡ j-h.io/sponsorship
🚩 CTF Hosting Requests ➡ j-h.io/ctf
🎤 Speaking Requests ➡ j-h.io/speaking
💥 Malware Submission ➡ j-h.io/malware
❓ Everything Else ➡ j-h.io/etc

All Comments (15)

@harsh2314 1 year ago

Your reactions were relatable... most of the time it needs a simple task for us to solve the problem but we can't just get it 😂
@yttos7358 1 year ago

For those who want to do it on the command line you can use `icat` to `cat` out the contents of a specific inode. The inode he displayed in during autopsy was 2371, you also need to tell it the offset `-o` of the filesystem partition you are looking for (use mmls again) and then feed that to `iconv` So this is what I used at the end of it `iconv <(icat -o 360448 disk.flag.img 2371)`
@lab-at-home 1 year ago

That is cool. When I solved this challenge I just extracted the filesystem with binwall and looked into the files, but this tool seems to be really cool
@lordspacecake5565 1 year ago

Awsome video, great tool to have.
@moustafakashen3610 1 year ago

LOVE YOUR CONTENT!
@bladesvlogs4965 1 year ago

Wow, that was impressive 👍
@shiv_sagar72 1 year ago

great video thnks man
@h3bb1 1 year ago

Hey John, thansk for the videos. They are both fun and super interesting. I wanted to ask you, do you have a video on what you are doing in the terminal at the end, when you echo out the flag and the finish command? Or is this maybe just basic terminal stuff?
@TigerWalts 1 year ago

Three hundred megabytes of hard drive capacity! What can that do for you? Three hundred file cabinets of storage capacity! That's right That's on one disk! You couldn't get close to that on a floppy disk
@rasraster 1 year ago

Am I missing something obvious? Couldn't he have just decoded the hex in that flag.uni.txt file, right off the bat?
@bhagyalakshmi1053 11 months ago

Codo automatically shell
@feverwilly 2 years ago

The WIndows version is better it was redone in Java in Windows.
@forheuristiclifeksh7836 28 days ago

5:00
@Lacsap3366 1 year ago

All I did in this challenge was to mount the root partition as a loop device by hand and just cat out the flag.uni.txt