🐝
OSCP 2022 Materials
  • General
    • Whoami
    • Resources
    • Frequently Asked Questions
    • Shared Resource
  • Enumeration
    • Foreword
    • FTP
    • SMTP
    • DNS
    • Finger
    • HTTP/ HTTPS
      • Login Attacks
        • PHP Logins
      • XSS
      • LFI ( LFI -> RCE )
      • RFI ( RFI -> RCE )
      • CMS Exploitation
        • Wordpress
        • Magento
        • Bludit
        • Tomcat
        • Drupal
      • PHPMyAdmin
    • Kerberos
    • POP3
    • SMB
    • IMAP
    • SNMP
    • IRC
    • RSync
    • MSSQL
    • NFS
    • REDIS
    • Port Forwarding
  • Linux Post Exploitation
    • Post Exploit Checks
    • Pivoting ( ProxyChains )
  • Windows Post Exploitation
    • Post Exploit Checks
    • Active Directory ( Recon -> PE)
    • Notes
      • Powershell
      • Commands
  • Buffer Overflow
    • Hackthebox
    • TryHackMe
  • Mobile Pentesting
    • Android Pentesting
      • Lab TroubleShoot
      • Root Detection Bypass ( Manual )
      • Physical Device
  • MISC
    • Useful
    • Web
    • Linux
    • Application Specific
    • Programming Notes for Offensive Security
      • Python
    • Forensics
      • Disk Forensics
    • Inspection
    • Troubleshooting
      • Mouse Flickering
Powered by GitBook
On this page
  • Mounted Devices
  • Quick Wins
  • Forensic Way

Was this helpful?

  1. MISC
  2. Forensics

Disk Forensics

Disk Forensics includes where you are required to investigate the files which were deleted off the system.

Mounted Devices

  • The devices that were mounted to the devices can be identified with the commands

df -h
mount

Quick Wins

  • Every device blocks connected to the UNIX systems store its contents in binary format and everything connected is CATable / GREPable

  • Once the mounted device is identified we can cat / grep the device block

cat /dev/sdb
sudo xxd /dev/sdb  | grep -Ev '(0000 0000 0000 0000 0000 * | ffff ffff ffff ffff ffff *)'

Forensic Way

  • With the dcfldd 

dcfldd if=/dev/sdb of=/tmp/file.dd

root@raspberrypi:/home/pi# dcfldd if=/dev/sdb of=/tmp/test
256 blocks (8Mb) written.
320+0 records in
320+0 records out
root@raspberrypi:/home/pi# ls -lash /tmp/test
10M -rw-r--r-- 1 root root 10M Mar 13 10:34 /tmp/test

  • With this file transferred to the attacker machine we can run utilities like testdisk or photorec to investigate this dd file

PreviousForensicsNextInspection

Last updated 2 years ago

Was this helpful?