Learning How to Capture The Flag (CTF): Pitter, Patter, Platters (Forensics)

Cheryl Abram
8 min read · Aug 12, 2022

As you may be aware, I work as a cybersecurity consultant specializing in governance, risk and compliance. As is evident from the number of articles I publish, I love to write, research and share. I’m also interested in giving the most decision-enabling advice that I can to cybersecurity leaders.

For this reason, I take the time to learn and practice the technical side of cybersecurity. However, I do it much differently than others that I’ve witnessed.

My goal is NOT to capture the flag. My goal is to take time to wonder, ask questions, and learn.

Here is the “write-up” I did for a PICO CTF problem I quasi-completed last year. I do CTFs to determine how much I actually understand about various IT and cybersecurity concepts; this is why you’ll see a lot of content where I’m thinking through things, asking myself questions and sharing my steps toward a resolution to the problem.

Because I’m a professional questioner and an empath with a Curiosity IQ that’s in the stratosphere, I had to eventually ask for help to complete this CTF…so I could move on to the next one.

For each CTF I take structured notes where I document:

1. Any initial questions or observations I have about the problem before I begin seeking the resolution;

2. Sites, videos, and documents I used to research terms and ideas that I do not understand;

3. What I actually did, or did not do;

4. How I felt about what I was doing, and

5. Things I discovered on my way to discovering a resolution and finding the flag.

PICO CTF Challenge

Pitter, Patter, Platters (Forensics)

Forensics challenges can include file format analysis, steganography, memory dump analysis, or network packet capture analysis. Any challenge to examine and process a hidden piece of information out of static data files (as opposed to executable programs or remote servers) could be considered a Forensics challenge.

# Challenge Description

‘Suspicious’ is written all over this disk image. Download suspicious.dd.sda1. Relevant hints: It may help to analyze this image in multiple ways: as a blob, and as an actual mounted disk.

TOOLS I CAN USE FOR THIS CHALLENGE :- Autopsy, split, pdfinfo, pdfimages, pdfcrack, pdfdetach, Keepass, Magic Numbers, hexed.it, foremost, binwalk, Repair image online tool, photorec, TestDisk, pngcheck, pngcsum, Registry Dumper, Dnscat2, pefile, Wireshark, Network Miner, PCAPNG, tcpflow, PcapXray, qpdf, Audacity, sonic visualiser, ffmpeg, strings, file, grep, scalpel, bgrep, hexdump, xxd, base64, xplico framework, zsteg, gimp, Memory dump — volatility, ethscan, and many more.

MY INITIAL QUESTIONS/OBSERVATIONS

1. What is dd.sda1?

WHAT I RESEARCHED

1. API gateway pattern: Reduces the number of requests/roundtrips. For example, the API gateway enables clients to retrieve data from multiple services with a single round-trip. Fewer requests also mean less overhead and improve the user experience. An API gateway is essential for mobile applications.

2. dd.sda1 (KeepItTechie just made a video about this: “Disk Destroyer | How to use the DD Command in Linux”). DD is “data duplicator”; creates virtual file systems and backup ISOs; the superuser is the only one who can use the DD command; “if” is the file writing from and “of” is the file writing to.

WHAT I DID TO UNDERSTAND THIS CTF, DISCOVER A RESOLUTION & FIND THE FLAG

1. Tried to download the file. Didn’t work.

2. Inspected the link. Saw “api/challenges/87” under console.

3. “man dd” in linux while watching YouTube video again

4. Downloaded “suspicious.dd.sda1” into Kali Downloads; cat (sda1); got a bunch of gobbledygook

5. Created “Pico patter” file (nano) in downloads; I don’t see it…where the heck did it go?!!

6. Back to video; ran “lsblk” to see all disks and partitions in Kali

7. Should I move the .sda1 to the dev directory? Tried it but it did not work

8. Ran the “file” command to see what kind of file it is, hoping I can get more clarity about what to do next

9. I guess it’s a UUID? Is that a type of file? I don’t know what UUID means so I looked up the definition.

UUID is a unique identifier used in partitions to uniquely identify partitions in Linux operating systems. UUID is a property of the disk partition itself. … The UUID of a partition is required mainly for mounting the partitions correctly in a computer system where hundreds of hard drives are installed.

“needs journal recovery” just means that it hasn’t been unmounted cleanly.

A partition is a logical division on a hard disk drive (HDD). New partitions can also be created after the operating system has been installed by using available free space (i.e., space that has not yet been partitioned) or by erasing existing partitions to create free space.

UUID stands for Universally Unique IDentifiers. They are 128-bit identifiers standardized by RFC 4122 (though their use predates the RFC and they are sometimes referred to as GUIDs). No central registry is required to generate a UUID. An example: de7f5de9-bb0b-44ac-a018-e4651868d2ed.

Uhhhhh. The definition is fairly clear but I’m still not sure what to do next. I see that UUID has something to do with API.

Still not sure what to do but I am aware that the “mount” command has something to do with disks.

13. Created “Mount” file in Downloads then ran this command: nano suspicious.dd.sda1 Mount https://linuxhint.com/mount_partition_uuid_label_linux/


15. I see “lost+found…boot…tce…suspicious-file.txt”

I found the answer (I think) but I don’t know why “Autopsy” is used; continued research; found and saved “The Law Enforcement and Forensic Examiner’s Introduction to Linux” https://linuxleo.com/Docs/LinuxLeo_4.94.pdf

16. Ran the ls command

17. Ran gdisk scan and returned:

18. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!Before file systems on devices can be used they MUST be mounted…but when not mounted they can still be written to!!!!!!!!!!

19. Looked at permissions of file:

20. From Law Enforcement Document

Moved suspicious.dd.sda1 to etc/fsta

AUTOPSY DIRECTIONS

  • Went to GUI to cut and paste file location
  • Adjusted autopsy for fs type (raw)

THINGS I discovered and did (that I did not know before)

  1. Made directories as part of a strategy to find the resolution (mkdir)
  2. Moved files as well (mv)
  3. Used dd command to copy contents from one directory to another dd if=…
  4. I have to be “root” to use the dd command, so I used “sudo su” to become root
  5. UUID has to be mounted before it can be used in a file system
  6. Used CTRL+ (spacebar, n, t) to navigate in Nano

METHOD

  1. Read definition of “forensic” challenge and listed tools
  2. Read challenge and researched what I did not know in the description (what is “dd” and UUID)
  3. Inspected the challenge link and looked for familiar things (saw API so looked that up again)
  4. Remembered a YouTube video with DD command so looked at part of that which led me to suspect I had to do something to this link with the DD command
  5. Tried to download it on my computer but couldn’t so went to Kali and downloaded there; Kali put it in the Downloads folder
  6. Found websites, documents and videos about the mount, file, lsblk, fdisk, gdisk commands and tried all of them
  7. Felt I made progress when I opened the file in Nano and saw the “suspicious-file.txt” along with other words like “lost+found”, etc.
  8. Was unsure what to do after that so searched for the answer online.
  9. Found writeup that used Autopsy but did not know how they knew to use Autopsy so started to search again on my own
  10. Used law enforcement document and found interesting and useful commands (and used them) but I still was not able to see and understand what was in the dd file
  11. Used Autopsy but still did not see what’s in the file
  12. I think if I understood more about disk partitions (purpose, how they are made and used) I’d know enough to understand how to open it

I hated to do it, but I asked for help to find the flag.

RESOLUTION/FLAG

1. sudo autopsy

2. Ctrl-Shift-Click url: http://localhost:9999/autopsy (Keep this process running and use to exit)

3. Click New Case

4. Input Case Name > Click New Case

5. Click Ok

6. Add Host

7. Input Host Name > Add Host

8. Click Add Image

9. Add Image file

10. Add a new image

11. Input Location: /home/kali/Downloads/suspicious.dd.sda1 and click Partition (Symlink should already be clicked)

12. Click Calculate the hash value for this image and then click Add

13. Click ok

14. Click Analyze

15. Click File Analysis

16. Click 12 under Meta (next to UID and GID)

17. Click 2049 (Direct Blocks)

18. Return to the Linux Terminal > Input “rev” command and all content in number 23 below

19. Input }.8.3.4.6.0.c.a.e._.3.<._.|.L.m._.1.1.1.t.5._.3.b.{.F.T.C.o.c.i.p

20. FLAG: p.i.c.o.C.T.F.{.b.3._.5.t.1.1.1._.m.L.|._.<.3._.e.a.c.0.6.4.3.8.} (Remove the dots)

21. picoCTF{b3_5t111_mL|_
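The hint said to look at the image “as a blob” as well as mounted, and the resolution ended with `rev` on a dotted string pulled from block 2049. Here is an added example (mine, not the author’s or picoCTF’s) that does both on a constructed image: it reads the ext superblock the way `file` does (magic, UUID, volume name, the “needs journal recovery” flag), pulls a data block by number as Autopsy’s Direct Blocks view does, and undoes the reverse-and-dots encoding. The superblock offsets are from the ext4 on-disk layout; the image bytes, volume name and the flag text are constructed for the example.

```python
import struct
import uuid

# The ext2/3/4 superblock sits at byte 1024 of a partition image, so the
# "blob" view alone is enough to recover what `file` prints. Offsets follow
# the ext4 on-disk layout; the image built below is constructed, not the
# challenge file.
SB_OFFSET = 1024
EXT_MAGIC = 0xEF53
COMPAT_HAS_JOURNAL = 0x0004   # s_feature_compat bit
INCOMPAT_RECOVER = 0x0004     # s_feature_incompat bit: "needs journal recovery"

def parse_superblock(image: bytes) -> dict:
    """Return the fields `file` reports for an ext image; raise if no magic."""
    sb = image[SB_OFFSET:SB_OFFSET + 1024]
    if len(sb) < 1024:
        raise ValueError("image too small to hold a superblock")
    magic, state = struct.unpack_from("<HH", sb, 0x38)
    if magic != EXT_MAGIC:
        raise ValueError("not an ext2/3/4 filesystem (magic 0x%04x)" % magic)
    compat, incompat = struct.unpack_from("<II", sb, 0x5C)
    return {
        "block_size": 1024 << struct.unpack_from("<I", sb, 0x18)[0],
        "uuid": str(uuid.UUID(bytes=sb[0x68:0x78])),
        "volume_name": sb[0x78:0x88].split(b"\0", 1)[0].decode("ascii", "replace"),
        "has_journal": bool(compat & COMPAT_HAS_JOURNAL),
        "needs_recovery": bool(incompat & INCOMPAT_RECOVER),  # unclean unmount
        "clean": bool(state & 0x1),
    }

def read_block(image: bytes, block_no: int, block_size: int) -> bytes:
    """Pull one data block by number, as Autopsy's Direct Blocks view does."""
    return image[block_no * block_size:(block_no + 1) * block_size]

def undot_reversed(block: bytes) -> str:
    """What `rev` plus dot removal did in the write-up: trim padding, reverse."""
    text = block.rstrip(b"\0").decode("ascii", "replace")
    return text[::-1].replace(".", "")

def build_sample_image() -> bytes:
    """Constructed 4 MiB image: one superblock plus a dotted string in block 2049."""
    img = bytearray(4 * 1024 * 1024)
    struct.pack_into("<HH", img, SB_OFFSET + 0x38, EXT_MAGIC, 0)   # magic, not clean
    struct.pack_into("<I", img, SB_OFFSET + 0x18, 0)               # 1 KiB blocks
    struct.pack_into("<II", img, SB_OFFSET + 0x5C, COMPAT_HAS_JOURNAL, INCOMPAT_RECOVER)
    img[SB_OFFSET + 0x68:SB_OFFSET + 0x78] = uuid.UUID("de7f5de9-bb0b-44ac-a018-e4651868d2ed").bytes
    img[SB_OFFSET + 0x78:SB_OFFSET + 0x88] = b"suspicious".ljust(16, b"\0")
    payload = b"}.g.a.l.f.{.F.T.C.o.c.i.p"   # constructed stand-in, not the real flag
    img[2049 * 1024:2049 * 1024 + len(payload)] = payload
    return bytes(img)
```

On the real suspicious.dd.sda1 you would pass `open(path, "rb").read()` to `parse_superblock` and the block number Autopsy showed to `read_block`.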
