Rating: 4.0

NotFS

The description for this challenge is telling us, the investigators, that the file may contain or represent a file system, and that we need to analyse it and possibly reconstruct or repair it to extract the relevant information.

Okay, before diving into the challenge: we know the file has some issues we need to fix, as we always do.

Okay, after downloading the zip file we get a disk image, Chall.img:

DOS-style Master Boot Record (MBR) partitioning scheme

Let us start solving this now

1: Discovery: first we use mmls (from The Sleuth Kit) to display the partition layout of the volume system, i.e. the partition table.

mmls Chall.img

Allocated partition: the disk has one allocated partition (slot 002) formatted as NTFS or exFAT, covering sectors 39168 to 1063168.

Allocated partition: this section of the disk is in use and is formatted to store files.
NTFS/exFAT: the partition uses one of these file systems, which determines how files are organized and accessed (mmls only reads the MBR partition type byte, 0x07, which is shared by NTFS and exFAT, so it cannot tell them apart at this stage).
Sectors 39168 to 1063168: the range of the disk the partition occupies, 1024001 sectors of 512 bytes.

2: Mount:

dd if=Chall.img of=ch_1 bs=512 skip=0 count=1024001

We are copying a specific portion of the disk image to a new file.

The intention is to copy just the portion that holds the allocated NTFS partition, where the files are stored.

sudo mkdir -p /mnt/disk

Now let's mount the Partition to this dir

sudo mount ch_1 /mnt/disk

Error :)

But why?

The issue was related to loop devices and to how the image file was being mounted: a plain file can only be mounted through a loop device, and the dd copy above started at sector 0 (skip=0), so ch_1 begins with the MBR rather than the NTFS boot sector and mount finds no filesystem it recognises at its start.

One minute, what are loop devices?

In Unix-like operating systems, a loop device (vnd on BSD, lofi on Solaris) is a pseudo-device that makes a computer file accessible as a block device. Before use, a loop device must be connected to an existing file in the file system.

hmm

Now let's fix that, as we always do.

We can forget about ch_1, because that will not work. Why? Instead of carving the partition out, we mount the whole image and tell mount where the filesystem starts inside it.

Okay Let's start:

1: Understanding the process: mounting a disk image

When working with disk images it is crucial to mount them properly to access and analyse their contents. Here is a detailed explanation of the steps taken to mount the disk image file Chall.img:

Attempting to set up the loop device
sudo losetup /dev/loop1 /home/kali/Desktop/Chall.img

Purpose: this command associates the disk image file Chall.img with the loop device /dev/loop1. Loop devices allow you to mount files as if they were actual disks.

Checking current loop device associations
losetup -a

Purpose: lists every loop device together with the file backing it, so we can confirm that /dev/loop1 now points at Chall.img.

Mounting the disk image with an offset
sudo mount -o loop,offset=$((0x100000)) /dev/loop1 /mnt/disk

Purpose: this command mounts the disk image to a mount point (/mnt/disk) through the loop device /dev/loop1, with an offset specified. The offset=$((0x100000)) option skips the preliminary data (partition table and the unallocated sectors before the volume) and reaches the start of the actual filesystem. In general the offset must be the partition's start sector as reported by mmls multiplied by the sector size (512 bytes here); for forensic work, adding ro to the options keeps the volume read-only so nothing on the evidence changes.

Verifying the Mounted Filesystem
ls /mnt/disk
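To make the mmls-to-mount step mechanical, here is an added shell example (mine, not from the write-up). It parses a constructed mmls listing built from the figures quoted above, derives the partition's byte offset as start sector times sector size, shows the dd carve with the correct skip, and prints the read-only loop mount command; it only executes mount when DO_MOUNT=1 is set, since that needs root and a real image. Chall.img and /mnt/disk are simply the names used in the write-up.

```shell
#!/usr/bin/env bash
# Added example (not from the write-up): turn the mmls partition line into the
# numbers dd and mount need, so the copy and the mount start at the volume's
# first sector rather than at sector 0 of the image.
set -eu

# Constructed sample of mmls output, built from the figures quoted in the write-up.
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000039167   0000039168   Unallocated
002:  000:000   0000039168   0001063168   0001024001   NTFS / exFAT (0x07)'

# Sector size announced in the mmls header (falls back to 512 if absent).
mmls_sector_size() {            # reads mmls text on stdin
  local size
  size=$(awk -F'[ -]' '/Units are in/ { print $4; exit }')
  echo "${size:-512}"
}

# Start sector of the first partition whose Description matches a regex.
mmls_start_sector() {           # mmls_start_sector <regex>, mmls text on stdin
  awk -v re="$1" '$0 ~ re { print $3 + 0; exit }'
}

# Byte offset of a partition: start sector times sector size.
offset_bytes() {                # offset_bytes <start_sector> [sector_size]
  echo $(( $1 * ${2:-512} ))
}

# Carve the partition itself. The write-up's `dd ... skip=0 count=1024001`
# copies sectors 0..1024000, so the copy begins with the MBR instead of the
# NTFS boot sector and mount finds no filesystem; skip must be the start sector.
extract_partition() {           # extract_partition <image> <out> <start> <length> [sector_size]
  dd if="$1" of="$2" bs="${5:-512}" skip="$3" count="$4" 2>/dev/null
}

# Mount the whole image through a loop device, read-only, at the partition's
# byte offset. Only runs mount when DO_MOUNT=1 (needs root); otherwise it
# prints the command so it can be checked before touching the evidence.
mount_from_image() {            # mount_from_image <image> <start_sector> <mountpoint> [sector_size]
  local off
  off=$(offset_bytes "$2" "${4:-512}")
  if [ "${DO_MOUNT:-0}" = 1 ]; then
    mkdir -p "$3"
    mount -o ro,loop,offset="$off" "$1" "$3"
  else
    echo "sudo mount -o ro,loop,offset=$off $1 $3"
  fi
}

start=$(printf '%s\n' "$SAMPLE_MMLS" | mmls_start_sector 'NTFS')
unit=$(printf '%s\n' "$SAMPLE_MMLS" | mmls_sector_size)
echo "NTFS volume starts at sector $start; byte offset $(offset_bytes "$start" "$unit")"
echo "carve: dd if=Chall.img of=ch_1 bs=$unit skip=$start count=1024001"
mount_from_image Chall.img "$start" /mnt/disk "$unit"
```

Feed it real output with `mmls Chall.img | mmls_start_sector 'NTFS'`; the printed mount line is the one to run once the offset looks right.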

All the files have the .webp extension; only one file has the .png extension:

'DALL·E 2024-08-08 07.08.12 - A bustling scene at Black Hat MEA (Middle East & Africa) cybersecurity event. The image includes a large exhibition hall filled with booths from vario.png'

Analysing the file
mv /mnt/disk/DALL·E\ 2024-08-08\ 07.08.12\ -\ A\ bustling\ scene\ at\ Black\ Hat\ MEA\ (Middle\ East\ &\ Africa)\ cybersecurity\ event.\ The\ image\ includes\ a\ large\ exhibition\ hall\ filled\ with\ booths\ from\ vario.png /home/kali/Desktop

(Copying with cp would be the safer habit here: moving the file modifies the mounted volume, which is fine for a CTF but not for real evidence.)

Something wrong :)

Let's look at the header of the PNG file.

I used: https://hexed.it/

Now we know why it's not opening :)

Magic numbers :)

The file lacks the PNG magic number, the 8-byte signature every PNG starts with, so we need to add it back.

List of file signatures - Wikipedia: https://en.wikipedia.org/wiki/List_of_file_signatures

PNG signature: 89 50 4E 47 0D 0A 1A 0A

Add the magic numbers using https://hexed.it/

Export the file

open DALL·E\ 2024-08-08\ 07.08.12\ -\ A\ bustling\ scene\ at\ Black\ Hat\ MEA\ (Middle\ East\ &\ Africa)\ cybersecurity\ event.\ The\ image\ includes\ a\ large\ exhibition\ hall\ filled\ with\ booths\ from\ vario(1).png
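The same repair from the shell, as an added example that is not part of the original write-up: it inspects the first bytes, decides whether the PNG signature was overwritten in place or removed entirely (by where the IHDR chunk type lands), and writes a repaired copy, leaving the original alone. The sample file is a constructed signature-less IHDR chunk, not the challenge's image.

```shell
#!/usr/bin/env bash
# Added example (not from the write-up): check the first bytes of a PNG and
# restore the 8-byte signature 89 50 4E 47 0D 0A 1A 0A from the shell instead
# of editing it by hand in hexed.it. It handles the two ways the signature goes
# missing: overwritten in place (file length unchanged) or cut off entirely.
set -eu

PNG_SIG_HEX=89504e470d0a1a0a   # \x89 P N G \r \n \x1a \n
IHDR_HEX=49484452              # ASCII "IHDR": type of the first chunk, right after the signature

write_png_sig() { printf '\211PNG\r\n\032\n'; }

# Hex dump of <count> bytes at <offset> in <file>, no spaces.
bytes_hex() {                   # bytes_hex <file> <offset> <count>
  od -An -tx1 -j "$2" -N "$3" "$1" 2>/dev/null | tr -d ' \n'
}

# Decide what happened to the signature by where the IHDR chunk type sits:
# offset 12 in an intact layout (8-byte signature + 4-byte length), offset 4
# if the signature was removed.
png_header_state() {            # prints ok | corrupt | missing | unknown
  if   [ "$(bytes_hex "$1" 0 8)"  = "$PNG_SIG_HEX" ]; then echo ok
  elif [ "$(bytes_hex "$1" 12 4)" = "$IHDR_HEX" ];    then echo corrupt
  elif [ "$(bytes_hex "$1" 4 4)"  = "$IHDR_HEX" ];    then echo missing
  else echo unknown; fi
}

# Write a repaired copy to <out> (the original is left untouched) and report
# which repair was applied.
png_fix() {                     # png_fix <in> <out>
  local state
  state=$(png_header_state "$1")
  case $state in
    ok)      cp "$1" "$2" ;;
    corrupt) cp "$1" "$2"
             write_png_sig | dd of="$2" bs=1 conv=notrunc 2>/dev/null ;;
    missing) { write_png_sig; cat "$1"; } > "$2" ;;
    *)       echo "no PNG layout recognised in $1" >&2; return 1 ;;
  esac
  echo "$state"
}

# Constructed sample: the IHDR chunk of a 1x1 RGB image (length, type, data, CRC),
# i.e. a PNG with its signature stripped. Not the challenge's file.
ihdr_body() { printf '\000\000\000\015IHDR\000\000\000\001\000\000\000\001\010\002\000\000\000\220wS\336'; }

tmp=$(mktemp -d)
ihdr_body > "$tmp/stripped.png"
{ printf '\000\000\000\000\000\000\000\000'; ihdr_body; } > "$tmp/zeroed.png"
for f in stripped zeroed; do
  echo "$f.png: $(png_header_state "$tmp/$f.png") -> repaired with: $(png_fix "$tmp/$f.png" "$tmp/$f.fixed.png")"
  echo "  first 8 bytes now: $(bytes_hex "$tmp/$f.fixed.png" 0 8)"
done
rm -rf "$tmp"
```

On the challenge file, `png_header_state` tells you which case you have before anything is written, and `png_fix broken.png fixed.png` produces the file to open; the IHDR position check is what stops you from blindly prepending a signature to a file that already has eight (bad) bytes in front of it, which would shift every chunk by eight bytes.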

Thanks for reading.