TryHackMe FAT32 Analysis | Examine the FAT32 filesystem from a forensic point of view
Examine the FAT32 filesystem from a forensic point of view

✅ Room Link: https://tryhackme.com/room/fat32analysis

✅ Resources used on the video: ✅
🏷️🏷️ FAT32 Structure Information - MBR, FAT32 Boot Sector: https://www.easeus.com/resource/fat32...
🏷️🏷️ FAT32 Boot Sector, Locating Files and Dirs: http://www.cs.fsu.edu/~cop4610t/lectu...

✅ Introduction ✅
⚡ A filesystem tracks how and where files are stored on an operating system. It provides a translation between the files’ locations on the OS and their locations on physical storage. A filesystem also tracks file-related changes and options, such as file deletion, file access, file size, and more.
⚡ Filesystems are an essential component in forensics. Threat actors often abuse them in attacks. For example, a threat actor could use the hidden space within the filesystem to hide files or mark malicious files as deleted. As we will discuss later, deleting a file does not necessarily mean it is deleted on the physical storage. A forensic analyst needs to know where to find forensic artifacts on filesystems.

✅ Learning Objectives ✅
🏷️ Explore the FAT32 filesystem structure
🏷️ Apply forensic analysis techniques to the FAT32 filesystem
🏷️ Apply data recovery techniques to the FAT32 filesystem
🏷️ Detect defense evasion techniques involving FAT32

[TIMESTAMP]
[00:01:26] Task 1: Introduction
[00:01:51] Task 2: Environment and Setup
[00:02:00] Task 3: FAT32: Relevancy in Cyber Security
[00:04:08] Task 4: FAT32 Structure: Reserved and FAT Areas
[00:40:44] Task 5: FAT32 Structure: Data Area
[01:01:36] Task 6: FAT32: Analysis Techniques and Tools
[01:02:50] Task 7: T1564.001 Hidden Files and Directories
[01:38:06] Task 8: T1070.006 Indicator Removal: Timestomp
[01:52:47] Task 9: T1070.004 File Deletion and T1070.009 Clear Persistence
[02:13:50] Task 10: Challenge

✅ Room Tasks ✅
⚡ Task 1: Introduction
⚡ Task 2: Environment and Setup
⚡ Task 3: FAT32: Relevancy in Cyber Security
What is the name of the attack that targeted the Iranian nuclear program?
What category of tactic is MITRE ATT&CK TA0005?
⚡ Task 4: FAT32 Structure: Reserved and FAT Areas
We have a hypothetical file B and its cluster chain starts at cluster F and ends at cluster 10. What would be the value of the FAT entry at cluster F? Provide the value as you would read it in the HxD editor (e.g. 00001111). Note: File B is not a file on the image.
Using the FAT32_structure.001 image, answer the following question: At which offset does the FAT2 table start (give the offset value without spaces)? Remember, FAT1 starts right after the Reserved Sectors and FAT2 starts right after FAT1.
⚡ Task 5: FAT32 Structure: Data Area
What is the filename of the file that starts at cluster 9?
What is the creation time of the file that starts at cluster 9? Please provide the hexadecimal value of the Creation time field.
⚡ Task 6: FAT32: Analysis Techniques and Tools
Which analysis technique can we use to look for hidden files and directories?
⚡ Task 7: T1564.001 Hidden Files and Directories
What is the short file name of the hidden file in the M@lL0v3 directory?
⚡ Task 8: T1070.006 Indicator Removal: Timestomp
What is the Accessed timestamp of the discovered suspicious file?
What is the flag found during the automated analysis?
⚡ Task 9: T1070.004 File Deletion and T1070.009 Clear Persistence
Which hexadecimal sequence identifies a deleted file?
What is the output of the deleted PowerShell script after executing it? Note: In real-life investigations, we will only execute a suspicious file in a sandboxed environment.
⚡ Task 10: Challenge
At which offset does the FAT1 table begin? Fill in the complete offset number XXXXXXXX.
What is the name of the hidden directory on the image? (Excluding the System Volume Information folder and the Recycle Bin).
What is the flag found in the hidden directory?
What is the size (bytes) of the archive file in the hidden directory?
What is the name of the deleted file that is present on the image?
What is the flag included in the deleted file?
What is the name of the file that has suspicious timestamp(s) (name.extension)?
What is the flag included in the file with suspicious timestamps?

These tutorials are for educational purposes and to encourage responsible and legal use of hacking knowledge.
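
The Task 4 reminder that FAT1 starts right after the reserved sectors and FAT2 right after FAT1, worked through as an added example (not part of the room or the video): it reads the BPB fields from a boot sector, computes the table offsets, and follows a cluster chain. The sample volume, its geometry and all function names are assumptions constructed for this illustration.

```python
import struct

BAD_CLUSTER = 0x0FFFFFF7  # entries at or above this are bad-cluster / end-of-chain marks

def parse_layout(boot: bytes) -> dict:
    """Derive byte offsets of FAT1, FAT2 and the data area from the BPB."""
    bps, spc, reserved, nfats = struct.unpack_from("<HBHB", boot, 11)
    (fat_sectors,) = struct.unpack_from("<I", boot, 36)  # BPB_FATSz32
    fat1 = reserved * bps                  # FAT1 follows the reserved sectors
    fat2 = fat1 + fat_sectors * bps        # FAT2 follows FAT1
    data = fat1 + nfats * fat_sectors * bps
    return {"bps": bps, "spc": spc, "fat1": fat1, "fat2": fat2, "data": data}

def cluster_offset(layout: dict, cluster: int) -> int:
    """Byte offset of a data cluster; cluster numbering starts at 2."""
    return layout["data"] + (cluster - 2) * layout["spc"] * layout["bps"]

def raw_entry(image: bytes, fat_off: int, cluster: int) -> str:
    """FAT entry bytes in on-disk (little-endian) order, as a hex editor shows them."""
    pos = fat_off + 4 * cluster
    return image[pos:pos + 4].hex().upper()

def cluster_chain(image: bytes, fat_off: int, start: int) -> list:
    """Follow a chain; stop at end-of-chain, free or bad entries, a loop, or image end."""
    chain, seen, cur = [], set(), start
    while (2 <= cur < BAD_CLUSTER and cur not in seen
           and fat_off + 4 * cur + 4 <= len(image)):
        chain.append(cur)
        seen.add(cur)
        (nxt,) = struct.unpack_from("<I", image, fat_off + 4 * cur)
        cur = nxt & 0x0FFFFFFF             # the top 4 bits of an entry are reserved
    return chain

def build_sample_image() -> bytes:
    """Constructed volume: 512-byte sectors, 32 reserved sectors, two 8-sector FATs."""
    img = bytearray(64 * 512)
    struct.pack_into("<HBHB", img, 11, 512, 1, 32, 2)
    struct.pack_into("<I", img, 36, 8)
    fat1, fat2 = 32 * 512, 32 * 512 + 8 * 512
    for cluster, nxt in {5: 6, 6: 9, 9: 0x0FFFFFFF}.items():  # constructed chain
        struct.pack_into("<I", img, fat1 + 4 * cluster, nxt)
        struct.pack_into("<I", img, fat2 + 4 * cluster, nxt)  # FAT2 mirrors FAT1
    return bytes(img)

if __name__ == "__main__":
    image = build_sample_image()
    lay = parse_layout(image[:512])
    print("FAT1 %08X  FAT2 %08X  data %08X" % (lay["fat1"], lay["fat2"], lay["data"]))
    print(cluster_chain(image, lay["fat1"], 5), raw_entry(image, lay["fat1"], 5))
```

On a real image, running `cluster_chain` against both FAT1 and FAT2 and comparing the results is a quick consistency check, since the two tables are expected to match.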