Alright, what's up everybody? My name is John Hammond. Welcome back to another YouTube video again. So, looking at the Kaizen CTF, this time checking out some more of the forensics challenges and looking at this Gone But Not Forgotten, the 200 point challenge, that wasn't too difficult in my eyes. But that's because I've seen that kind of challenge before, and I kind of knew the vantage point or the tactic, the technique that I should use to solve it. So I want to showcase it to you guys here.

The challenge prompt is: "as a new security specialist local police department, you're eager to make a name for yourself and as your chance high-party tech crime case files just been sent to you. Help us find the secret to crack the case." So we get a zip archive. We'll go ahead and download this. I'll create a new folder for it, gone but not forgotten, and we'll hop on over to it and take a look at what we actually have here. Unzip this disk image and, okay, we have a disk image image. You know, it looks like an actual hard drive image file. So it's a DOS/MBR boot sector. So, okay, it looks like a Windows kind of file partition.

We can go ahead and, if we wanted to, open this up. Oh, sorry, fail. Nautilus the current directory, and we can mount this. We can go ahead and say Disk Image Mounter, and it's mounted now, and there's nothing particularly here at first glance. But we can use Ctrl+H to see the hidden files, and now I can see this trash directory, and I can see files that were previously deleted, like, hmm, an article PDF file, cool car JPEG, message from boss in the video, favorite video game, secret hidden PDF file, secret hidden file PDF, and all of these except for message from my boss are all deleted, and that they have zero byte size. You can see down at the very bottom here.
They are zero bytes. So we have to recover these, I'm sure. So this was a challenge that I have seen before, because it's being able to recover some deleted files from this hard drive and this image file. And a tool that we ended up using last time was a cool tool called TestDisk. So I'll find that TestDisk Goblin on for complete. Okay, so I have the whole directory in my actual files for it. So let's copy that directory over here, and now I have TestDisk.

You can find this online, by the way. I should actually look it up: TestDisk image, and this is the one, TestDisk. So we want to be able to look at it here. TestDisk is a powerful free data recovery software, primarily designed to recover lost partitions and make non-booting disks bootable again, so it can find all files, like you can undelete files from FAT file systems. So let's take a look at it and start to use it. You can install and download it from that same web page. It has a download link here, and you can download, I think, specific versions. I think I ran the Linux one.

And once it's installed and set up, you can just ./testdisk_static and it'll open up and work with it. We do want to, however, pass in the arguments of the file that we're working with. So I'll pass in the disk image dot image file, and we select it. This is the one we want, we can proceed. It wants to know the partition type. Intel is fine for the time being. We want to... we have some options what we can do with it.
We can analyze it, do some advanced things, and Advanced is what we want to do. We can look at the partitions specifically, and we have options out on the bottom here to Boot, or Undelete, and check out some images and stuff like that. We want to be able to undelete these files, right, because we just saw them. They were deleted and we want to be able to recover them. So Undelete, and now we can see all that stuff that we already saw, and I'm very curious about the secret hidden file text. We can undelete it, and all the others if you really wanted to.

What we can do is we can hit c. Down at the bottom it explains the keys you can use: capital C to copy the selected file, or lowercase c to copy the current file. So we can copy these and put them wherever we want. It asks for what directory when I'm putting in. I'm finally using the dot to specify our current directory, and C again when the destination is correct. So we hit C and we get the screen text: copies done, one okay and zero failed. So now ideally we should be able to take a look in our directory, and we've got message from boss, secret hidden file, etc., etc. So if we cat out secret hidden file dot text, we get our flag, which is awesome here, that kaizen always delete your files completely.

So that's it. That's really all we had to do. It looks like I did extract just about some other things from in here, articles and cool car and JPEG and files like that. But you open it up with TestDisk, analyze, and like do some advanced operations on the image file, specify you want to undelete some files, and go ahead and proceed to copy them out, and TestDisk will recover them for you. So that's all we live doing. So that's really awesome, a cool tool to know, TestDisk, for working with those FAT and other image files that are like in this type and partition type.
So thanks for watching, guys. Hope you enjoyed it. And that's the flag we can submit and get an awesome 200 points and crank through the rest of the CTF. So I hope to see you guys in a later video.
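
Added example, not part of the video and not TestDisk's own code: why undelete works on the FAT file systems mentioned above. Deleting a file overwrites only the first byte of its 32-byte directory entry with 0xE5 and leaves the first cluster and size in place, which this Python code reads back; the sample directory, data bytes and helper names are constructed for illustration.

```python
import struct

ENTRY_SIZE = 32
DELETED_MARK = 0xE5   # first name byte is overwritten with this on delete

def make_entry(name, ext, cluster, size, deleted=False):
    """Build a constructed 32-byte FAT short (8.3) directory entry."""
    raw = bytearray(ENTRY_SIZE)
    raw[0:11] = (name.ljust(8) + ext.ljust(3)).encode("ascii")
    raw[11] = 0x20                                     # attribute: archive
    struct.pack_into("<H", raw, 20, cluster >> 16)     # first cluster, high word
    struct.pack_into("<H", raw, 26, cluster & 0xFFFF)  # first cluster, low word
    struct.pack_into("<I", raw, 28, size)              # file size in bytes
    if deleted:
        raw[0] = DELETED_MARK
    return bytes(raw)

def scan_directory(region):
    """Return (name, deleted, first_cluster, size) for each short entry."""
    found = []
    for off in range(0, len(region) - ENTRY_SIZE + 1, ENTRY_SIZE):
        e = region[off:off + ENTRY_SIZE]
        if e[0] == 0x00:          # 0x00 marks the end of the directory
            break
        if e[11] & 0x08:          # skip volume labels and long-name entries
            continue
        deleted = e[0] == DELETED_MARK
        first = "?" if deleted else chr(e[0])   # original first character is lost
        base = (first + e[1:8].decode("ascii")).rstrip()
        ext = e[8:11].decode("ascii").rstrip()
        hi, = struct.unpack_from("<H", e, 20)
        lo, = struct.unpack_from("<H", e, 26)
        size, = struct.unpack_from("<I", e, 28)
        found.append((f"{base}.{ext}" if ext else base, deleted, hi << 16 | lo, size))
    return found

def recover(data_region, cluster_size, first_cluster, size):
    """Read `size` bytes from first_cluster, assuming contiguous clusters
    (the FAT chain is cleared on delete, so contiguity is a guess)."""
    start = (first_cluster - 2) * cluster_size   # data clusters are numbered from 2
    return data_region[start:start + size]

# Constructed sample: one live file, one deleted file, 512-byte clusters.
CLUSTER = 512
SECRET = b"constructed sample content"
SAMPLE_DIR = (make_entry("MESSAGE", "TXT", 2, 10)
              + make_entry("SECRET", "TXT", 3, len(SECRET), deleted=True)
              + bytes(ENTRY_SIZE))
SAMPLE_DATA = bytes(CLUSTER) + SECRET.ljust(CLUSTER, b"\0")
```

Because the cluster chain is gone after deletion, recovery of a fragmented file or one whose clusters were reused returns wrong bytes, which is why recovered files should be checked against their expected format.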