How to open .ELF .raw file?  

barburon
(@barburon)
New Member

Hi experts!

Does anyone know a software / method I can use to open and browse inside an .ELF .raw file?
The file is .raw but when I pass it to HxD the first four bits are .ELF
I tried FTK imager but no luck with that.

Thank you, and please do not forget - I am a noob )

Tal

Posted : 30/09/2019 2:39 pm
athulin
(@athulin)
Community Legend

Does anyone know a software / method I can use to open and browse inside an .ELF .raw file?
The file is .raw but when I pass it to HxD the first four bits are .ELF
I tried FTK imager but no luck with that.

What does file or similar tools say? (I'm assuming you're on a Linux system?) ELF executable? ELF shared object?

They're executable or object files, and some Unixes and many Linuxes use them, as do other platforms.

See https://en.wikipedia.org/wiki/Executable_and_Linkable_Format for more info.

Tools? Disassemblers would be my first guess. There's also elfutils and objdump. It's just a question how far into this particular jungle you want to go.

Posted : 30/09/2019 5:09 pm
barburon
(@barburon)
New Member

Hi!

This is a forensics-related assignment we got.

Basically what needs to be done is to recover a string / flag (CTF) hidden inside the .raw file we were given.
In a prior challenge I successfully recovered data from a .raw file using FTK Imager, but no success with this one.

I guess the fact that the file type is ELF is where the issue is.
My question is, how should I approach it?

I'll give those tools a chance - thank you!

Thank you again,

Tal

Posted : 02/10/2019 2:49 pm
jaclaz
(@jaclaz)
Community Legend

Hi!

This is a forensics-related assignment we got.

Basically what needs to be done is to recover a string / flag (CTF) hidden inside the .raw file we were given.
In a prior challenge I successfully recovered data from a .raw file using FTK Imager, but no success with this one.

I guess the fact that the file type is ELF is where the issue is.
My question is, how should I approach it?

I'll give those tools a chance - thank you!

Thank you again,

Tal

Yes, but with all due respect, if you actually attempted using FTK Imager on an ELF file you seem to have no mental definition/categorization of what an ELF file is (and how it is a completely different beast from a disk/volume image RAW file that you can access/open with FTK Imager).

The RAW file is a disk or volume image, i.e. a representation of a "container" of files (organized/accessed/addressed by a given filesystem).

An ELF file is an executable, there is no such thing as a non-raw ELF file and it is not intended as a "container".

If you want to retrieve a string from an executable you need an hex editor and/or a disassembler/dumper, but what is the actual assignment?

No one on the board will give you the solution, but if you actually detail the question you may receive some hints or confirmations that you are following the right procedure.

jaclaz

Posted : 02/10/2019 3:57 pm
barburon
(@barburon)
New Member

Thank you jaclaz,

As you already understand from my writing, I am new to the subject of digital forensics.
Your reply is much appreciated and educative - thank you for it.

As for a more detailed question - I'll try to sharpen it a bit. The assignment is to extract a "flag", which is probably a string inside a .txt file located in the .raw file.

Thank you again.

Posted : 02/10/2019 4:38 pm
jaclaz
(@jaclaz)
Community Legend

Thank you jaclaz,

As you already understand from my writing, I am new to the subject of digital forensics.
Your reply is much appreciated and educative - thank you for it.

As for a more detailed question - I'll try to sharpen it a bit. The assignment is to extract a "flag", which is probably a string inside a .txt file located in the .raw file.

Thank you again.

Good. )

Which is bad.

There is no such thing as a .txt file located in the .raw file.

There is actually no .raw file, there is an ELF file (which is an executable).

And there is not any .txt file inside any other file (unless the file is a container or archive, and the ELF being an executable is not a container, while it could be a self-extracting archive, a very narrow subset of ELF files rarely used).

In the case of self-extracting archive executables, technically the file is not really-really an executable, but rather an archive with a self-extracting stub prepended to it, see
https://blog.cykerway.com/posts/2018/08/30/create-self-extracting-archive-on-linux.html

But since the idea of a self-extracting archive is that the contents are uncompressed/copied upon execution, it would be too simple to just run the file on the appropriate OS to solve the assignment/challenge.

There may be a string of text somewhere inside an ELF file, of course, but let's try to define "a string of text" in this context (assuming that no encryption/transformation/rotation/etc. is used).
This could be a valid definition of "text string"
An arbitrary number of contiguous bytes limited to the values in the range assigned to printable ASCII characters.

If the codification is not ASCII but - say - UNICODE the definition might be slightly different
An arbitrary number of contiguous couples of bytes (technically a "word" but in this context it would confuse the ideas) limited to the values in the range assigned to printable UNICODE characters.

Anyway, for the moment let's stay in the more common ASCII range.

What is the ASCII range?
What is the ASCII range corresponding to printable characters?
How do you look at the byte values?
And how do you show them as the corresponding ASCII character (if any)?

jaclaz

Posted : 02/10/2019 6:46 pm
passcodeunlock
(@passcodeunlock)
Senior Member

Run this under linux, saving the output to a file, for example output.txt

strings yourfile > output.txt

I might think your flag will be there at some point, but you have to figure on your own )

Posted : 03/10/2019 11:08 am
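As an added example (not code from any poster in this thread, nor from the strings(1) tool itself), here is a small Python script that does what jaclaz's definition and passcodeunlock's `strings` suggestion describe: it checks the 4-byte ELF magic, reads the class/endianness/type fields from the ELF header so you can tell an executable from a shared object, and then scans the raw bytes for runs of printable ASCII (0x20 to 0x7E) and for runs of UTF-16LE printable characters, the two "text string" definitions given above. The input blob `SAMPLE` is constructed for the example and is not a real executable; the flag value and the offsets are likewise made up. The `find_flag` helper and the `flag{` prefix are assumptions for illustration, since the thread never states the flag format.

```python
import re
import struct

# Constructed sample blob: ELF magic, a plausible 64-bit little-endian
# e_ident/e_type/e_machine prefix, then binary noise with a few embedded
# strings.  It is NOT a real executable and will not run.
SAMPLE = (
    b"\x7fELF\x02\x01\x01\x00" + bytes(8)   # e_ident: magic, class=2, data=1
    + b"\x03\x00\x3e\x00"                   # e_type=3 (ET_DYN), e_machine=62
    + b"\x00\xff\x10Hi\x01"                 # "Hi" is too short to count
    + b"flag{constructed_example}\x00"      # constructed flag, ASCII
    + b"\x80\x81\x82"
    + "secret".encode("utf-16-le") + b"\x00\x00"   # UTF-16LE string
    + b"/lib64/ld-linux-x86-64.so.2\x00"    # typical interpreter path
)

ELF_MAGIC = b"\x7fELF"
ELF_TYPES = {1: "ET_REL (relocatable)", 2: "ET_EXEC (executable)",
             3: "ET_DYN (shared object / PIE)", 4: "ET_CORE (core dump)"}


def is_elf(data):
    """True when the first four bytes are the ELF magic 7F 45 4C 46."""
    return data[:4] == ELF_MAGIC


def describe_elf(data):
    """Return (bits, endianness, type name) from the ELF header fields."""
    if not is_elf(data) or len(data) < 18:
        raise ValueError("not an ELF file")
    bits = {1: 32, 2: 64}.get(data[4], "unknown")          # EI_CLASS
    endian = {1: "little", 2: "big"}.get(data[5], "unknown")  # EI_DATA
    fmt = "<H" if data[5] == 1 else ">H"
    (e_type,) = struct.unpack(fmt, data[16:18])
    return bits, endian, ELF_TYPES.get(e_type, "unknown (%d)" % e_type)


def ascii_strings(data, min_len=4):
    """Runs of >= min_len printable ASCII bytes, like strings(1) with -n."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(data)]


def utf16le_strings(data, min_len=4):
    """Runs of >= min_len printable ASCII code points encoded as UTF-16LE
    (each character is a printable byte followed by 0x00)."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [(m.start(), m.group().decode("utf-16-le")) for m in pattern.finditer(data)]


def find_flag(data, prefix="flag{"):
    """Return (offset, string) for the first extracted string containing
    the assumed prefix, or None.  The prefix is an assumption for the example."""
    for off, s in ascii_strings(data) + utf16le_strings(data):
        if prefix in s:
            return off, s
    return None


if __name__ == "__main__":
    print("ELF header:", describe_elf(SAMPLE))
    for off, s in ascii_strings(SAMPLE):
        print("ascii   0x%04x  %s" % (off, s))
    for off, s in utf16le_strings(SAMPLE):
        print("utf16le 0x%04x  %s" % (off, s))
    print("flag:", find_flag(SAMPLE))
```

To use it on a real file, replace `SAMPLE` with `open(path, "rb").read()`. Note that, exactly as jaclaz warns, this only finds text that is stored literally; a string that is built at runtime, XOR-ed, rotated or compressed inside the binary will not appear in either list, which is when a disassembler or a debugger becomes the next step.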