Use FTK Imager to track down and piece together McGreedy's deleted digital breadcrumbs, exposing his evil scheme. Learn how to perform the following with FTK Imager:
- Analyse digital artefacts and evidence.
- Recover deleted digital artefacts and evidence.
- Verify the integrity of a drive/image used as evidence.
After the Machine is up go ahead and open ftk imager.
open physical drive 2 by adding evidence inside ftk imager.
Questions:
What is the malware C2 server?
Answer
mcgreedysecretc2.thm
What is the file inside the deleted zip archive?
Answer
JuicyTomaTOY.exe
What flag is hidden in one of the deleted PNG files?
Answer
THM{byt3-L3vel_@n4Lys15}
What is the SHA1 hash of the physical drive and forensic image?
Answer
39f2dea6ffb43bf80d80f19d122076b3682773c2