TryHackMe’s Advent of Cyber 2023 — Day 8 Writeup
Disk forensics: Have a Holly, Jolly Byte!
Task Objectives
Use FTK Imager to track down and piece together McGreedy’s deleted digital breadcrumbs, exposing his evil scheme. Learn how to perform the following with FTK Imager:
- Analyse digital artefacts and evidence.
- Recover deleted digital artefacts and evidence.
- Verify the integrity of a drive/image used as evidence.
Investigating the Malicious USB Flash Drive
In a real-world scenario, a forensic lab analyst starts the investigation by documenting the details of the suspect drive or forensic artifact, including, but not limited to, the vendor or manufacturer and the hardware ID. The analyst then mounts the drive through a write-blocking device. This prevents any inadvertent data tampering during the analysis and preserves the integrity and reliability of the investigation.