Acquired Taste Lab

Hello,

I am kind of lost here and any tips on how to proceed will be appreciated. Just as a side note, I am not expecting a resolution, but to learn about my own “layer 8” actions.

So the questions in the lab are:

  1. Using the Kali Linux virtual machine, create an image of the drive /dev/nvme1n1 using dc3dd.

You will need the SHA1 hash value of the result to answer the related challenge question.

Hint: You will need somewhere to write the image. As one option you can mount nvme3n1p1 to /evidence_storage and use that as a repository for the image you create.

I used the command and it writes out the image and provides the SHA1, but the answer is not correct. If needed, I can provide the commands I used so we can check whether there is an issue.

  2. Using the Windows virtual machine, create a logical image of the directory D:\User_Home_Directories using FTK Imager.

I added the contents of the folder as evidence, created the image, and even re-imported the image, but when answering the question it says it's wrong.

Any pointers would really be appreciated.

Please add “Lab Name,” “Section Number,” and “Unanswered Question”.

Hello.

For your dc3dd command:

  • Make sure you’re answering with the last 4 digits only from the SHA1 that you receive as a result of the dc3dd command.
  • Triple-check that your if= references exactly /dev/nvme1n1 (as you noted), not nvme1n1p1 - it is easy to mistype that value, and also common to accidentally enter the partition (the one that ends in p1) rather than the drive. (If your SHA1 value ends in 066b, then you accidentally imaged the partition instead.)

If none of that works please post your command and we’ll take a look.

For using FTK Imager to create a logical image:

  • As with the other item, make sure you’re only entering the last 4 digits from the SHA1 as your answer.
  • Also make sure you’re using the SHA1 not the MD5, as the tool provides both in the output.
  • Note that you shouldn't need to re-import the image. The answer should be available in the pop-up that you receive when imaging is complete (unless you accidentally deselected the default option to verify the image upon completion).
  • And also make sure that when you go to add the folder as an evidence item, you add exactly that folder, not the folder inside of it.
  • And finally, when you get to the point where you're adding that folder to FTK, you may still have PHYSICALDRIVE2 loaded from the previous question. Double-check that you're creating a logical image of the folder, not repeating the creation of an image of PHYSICALDRIVE2.

If none of that helps, let us know.
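The checks in the answer above (whole disk vs. partition, SHA1 rather than another hash, last four hex digits as the answer), as an added shell example that is not part of the thread or of the lab. The dc3dd invocation is quoted only in a comment so the script runs offline; the device names, paths and the six-byte sample "image" are constructed for illustration, and the reported hash is simply the SHA1 of that sample.

```shell
#!/bin/sh
# Added example, not from the thread: sanity checks a practitioner runs around
# a dc3dd acquisition. The acquisition itself (not executed here) would be:
#
#   dc3dd if=/dev/nvme1n1 of=/evidence_storage/nvme1n1.dd hash=sha1 \
#         log=/evidence_storage/nvme1n1.log
#
# Everything below runs offline on constructed data.

# Classify a Linux block device path: "disk" for a whole NVMe drive
# (/dev/nvme1n1), "partition" for a partition on it (/dev/nvme1n1p1),
# "other" for anything else. Imaging the partition by mistake is the
# error the answer above warns about; the partition pattern is tested
# first because the disk pattern would also match it.
classify_device() {
  case "$1" in
    /dev/nvme[0-9]*n[0-9]*p[0-9]*) echo partition ;;
    /dev/nvme[0-9]*n[0-9]*)        echo disk ;;
    *)                             echo other ;;
  esac
}

# Print the last four hex digits of a hash, which is the form the lab's
# challenge question expects.
last4() {
  printf '%s' "$1" | tail -c 4
}

# Independent SHA1 of an image file, computed with sha1sum rather than
# trusting the imaging tool's own report.
sha1_of_file() {
  sha1sum "$1" | awk '{ print $1 }'
}

# Compare the hash the imaging tool reported against a fresh sha1sum of the
# image; succeeds (exit 0) only when both agree.
verify_image() {
  tool_hash=$1
  image=$2
  [ "$tool_hash" = "$(sha1_of_file "$image")" ]
}

# Stand-alone demonstration on a constructed "image" (the bytes "hello\n"),
# whose SHA1 is f572d396fae9206628714fb2ce00f72e94f2258f.
demo() {
  img=$(mktemp)
  printf 'hello\n' > "$img"
  reported=f572d396fae9206628714fb2ce00f72e94f2258f
  for dev in /dev/nvme1n1 /dev/nvme1n1p1 /dev/sda; do
    echo "$dev -> $(classify_device "$dev")"
  done
  if verify_image "$reported" "$img"; then
    echo "image verified; answer with the last four digits: $(last4 "$reported")"
  else
    echo "hash mismatch: re-check the if= device and re-image"
  fi
  rm -f "$img"
}

demo
```

Running the script prints the classification of each constructed device path, then either the four digits to submit or a mismatch notice. On a real acquisition you would pass the SHA1 from dc3dd's output (or its log) and the path of the image you wrote under /evidence_storage to `verify_image`.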