Forensics — Recovering from the Snap
This CTF exercise involves recovering deleted files from a disk image file: animals.dd. Try mounting this image file on your Linux machine. You can do this easily in the GUI by right-clicking the image file and opening it with “Disk Image Mounter”:

You should then see the mount point appear on the left-hand side. Click on it and you should see the following files:

The hint for this question tells you that some files have been deleted. Could one of these deleted files contain the flag? Let’s find out using the free forensics tool TestDisk. I installed this on my Linux machine using the command line. Don’t forget the sudo before the rest of the command as you will most likely need root user privileges in order to complete the installation successfully. I (alex) am the root user below so when prompted, I type in the same password I use to log into my Linux machine and the installation should proceed as follows:

When the installation is complete, navigate to the folder in which the animals.dd image file is located. Then run the following command:
testdisk animals.dd
You should now see the following:

Keep pressing enter until you see the following screen:

Notice that the deleted files (i.e. those you could not see when you initially tried to mount the image file) show up here in red. The very last one is called theflag.jpg. This is the file that you want to extract and then open. Move down to that file with the arrow key and press “c” as instructed at the bottom of the screen “to copy the current file”. Choose the default option to copy into the same directory in which you have been working (in my case “Downloads”). You should then see the text “Copy done! 1 ok, 0 failed” appear above the list of files. Then check the directory.

The file has appeared and should be readable. Open it to capture the flag!
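An independent cross-check on the TestDisk result, added here as an example and not part of the original write-up: TestDisk lists deleted files from filesystem metadata, whereas this Python script uses a different technique, signature carving, scanning the raw bytes of an image for JPEG start and end markers. The function names and the sample image bytes are constructed for illustration; pass a real image path such as animals.dd as the first argument to scan it instead.

```python
import hashlib
import sys

SOI = b"\xff\xd8\xff"   # JPEG start-of-image marker plus first byte of the next marker
EOI = b"\xff\xd9"       # JPEG end-of-image marker


def carve_jpegs(data, max_size=20 * 1024 * 1024):
    """Return (offset, bytes) for each SOI..EOI span found in data.

    Naive on purpose: assumes the file is stored contiguously and ends at the
    first EOI after its SOI, so fragmented files or JPEGs with embedded
    thumbnails may come out truncated.
    """
    found = []
    pos = 0
    while True:
        start = data.find(SOI, pos)
        if start == -1:
            break
        end = data.find(EOI, start + len(SOI), start + max_size)
        if end == -1:
            pos = start + 1      # no terminator in range: treat as a false hit
            continue
        end += len(EOI)
        found.append((start, data[start:end]))
        pos = end
    return found


def build_sample_image():
    """Constructed stand-in for a raw image: two fake JPEGs between filler bytes."""
    jpeg_a = SOI + b"\xe0" + b"A" * 40 + EOI
    jpeg_b = SOI + b"\xe1" + b"B" * 100 + EOI
    image = b"\x00" * 512 + jpeg_a + b"\x00" * 300 + jpeg_b + b"\xf6" * 512
    return image, jpeg_a, jpeg_b


if __name__ == "__main__":
    if len(sys.argv) > 1:                     # e.g. python3 carve.py animals.dd
        with open(sys.argv[1], "rb") as fh:   # read-only: the image is never modified
            raw = fh.read()
    else:
        raw, _, _ = build_sample_image()
    for offset, blob in carve_jpegs(raw):
        digest = hashlib.sha256(blob).hexdigest()
        print(f"offset={offset} size={len(blob)} sha256={digest}")
```

Each reported span can be written out and its SHA-256 compared with the file TestDisk copied; a mismatch usually means the naive end-marker search stopped early rather than that the TestDisk copy is wrong.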