PTS2021

Forensics Low Level - Having fun with Linux onboard tools
2021-07-05, 16:50–17:25, Zoom room

In this presentation I will cover some curiosities I stumble over while working in forensics. One goal is to show that you can not always relay on tools and should be able to read the data on byte level to understand what's going wrong.


The presentation will consists out of 3 live demos. All the demos based on Linux standard tools like 'dd', 'hexedit' and alike.

  1. In Forensics a HW write-blocker is necessary. Just mounting the device in RO mode is not sufficient. I will connect a USB stick to my laptop and mount it RO. After this I will modify some data on the USB stick.

  2. I have a standard USB stick and simply modify some (3) bytes on it. The result, Linux will mount up to 250 partitions. Some tools either hang or simply display wrong information. You need to read the bytes of the partition table to understand whats going wrong.

  3. If you connect another USB stick to a Windows, file A, B and C have content X, Y and Z. If you connect the same USB stick to Linux, file A, B and C have content U, V, W. Analyzing and understanding the Master Boot Record will reveal the secret.

Since 2010, Michael has worked as an operator and analyst at CIRCL – Computer Incident Response Center Luxembourg where he is working on forensic examinations and incident response.