RECOVERING FILES with Autopsy (PicoCTF 2022 #47 'operation-oni') 

If you want to understand the rwx permission set, it's better to interpret it as binary. Basically, we have 3 bits that each represent r, w, and x, respectively. so, let's say I want read & execute, this translates to r-x, which translates in binary to 101, which then in turn converts to 4+1=5 in base10 :)

Briefly talks about Chmod three digit codes "you can look up resources on how this exactly works" then proceeds to explain how it exactly works lol thank you John, I love when you do that!

"i need to look for keys" hovers over the key folder and moves on

one easy way to remember the file permissions is to know that read is 4, write is 2, and execute is 1 so r-x will be 4+1=5 and rw- will be 4+2=6

I used binwalk too. It was quick and easy using that than autopsy because of command line

Love this Format Mighty Friend! You can lead a horse to water but ya can't always git'em to drink.

I like the 'short' informative videos like these. Thanks

Really like the alternate solution / additional extra curricular activity that you mention as applicable....

Watching this on the TV cast with my father fingers crossed 🤞 it's not to over my or rather our head(s).

HOLY SHIT BRO YOU DONT EVEN KNOW HOW HELPFUL THIS WAS FOR ME HOMIE

Great video, love the content. Thank you!

Great content John! Keep it up!

thanks dude

Great great video John, but dude you are like sonic speed lol barely catching up , which made this vid a 40 minutes show. But the point is this is great . May God bless you brother

Nice one as allways!

I like using autopsy and we don't even do traditional forensics as my state requires you be a PI of all things to do that. But I do use it for data recovery and I even use a hardware write blocker. Probably seems like overkill but I never have to say that I may have changed something so if the end user wants to send it to Ontrack or some other place I can argue that we never changed anything.

I did it with commands icat and fls....it was a lot hectic though!

cant wait for htb cyber apocalypse videos.

Lol I just mounted the root partition as a loop device with losetup

uh, he saw for the first time a kernel source tree 🙊 binwalk FTW!

You are Epic

the audio seemed low at full volume was I able to hear anything as always great vid

Whats this GUI, I've used autopsy on windows and it wasnt a web app, had a much nicer GUI... Is it not available on Linux?

The SSH key wasn't a deleted file though

Couldn’t you just midair image; mount -t iso9660 -o loop disk.img image to mount the disk image and then use find to look for SSH keys and the like?

are you use linux for daily driver ??

Watching this file failing the htb CTF xD only 8 challenges done, but I'm alone ^^

1

👍

Hiiiii

Finnaly, I got your home address.

13:40 whats that finish command 🤔🤔 can anyone explain?

I love your content, but calling things a "gimmick" when they're far from it... that's... grating. :(