After Karen started working for ‘TAAUSAI,’ she began to do some illegal activities inside the company. ‘TAAUSAI’ hired you to kick off an investigation on this case.

You acquired a disk image and found that Karen uses Linux OS on her machine. Analyze the disk image of Karen’s computer and answer the provided questions.

Download the challenge folder and use FTK imager to view the image of the system file.

What distribution of Linux is being used on this machine?

The distribution of the Linux system can be seen in the boot folder.

What is the MD5 hash of the apache access.log?

Locate the access.log and export the file as a hash to find the answer.

It is believed that a credential dumping tool was downloaded? What is the file name of the download?

Find the file in the downloads folder.

There was a super-secret file created. What is the absolute path?

View the bash history file to find the secret file that was createad.

What program used didyouthinkwedmakeiteasy.jpg during execution?

Check the bash history file to find the program used to run the image.

What is the third goal from the checklist Karen created?

How many times was apache run?

Since all the sizes are 0.

It is believed this machine was used to attack another. What file proves this?

There is an image of a windows machine in the foot folder.

Within the Documents file path, it is believed that Karen was taunting a fellow computer expert through a bash script. Who was Karen taunting?

A user su’d to root at 11:26 multiple times. Who was it?

Head to the auth.log file in /var/log and search for the time.

Based on the bash history, what is the current working directory?

Check the bash history file and look out for the last “cd” command.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Comments (



%d bloggers like this: