# Disk Images

*Downloads, downloads, downloads...* Some help for the (unfortunately rather uncommon) disk image challenges you might come across!

## Tools for Analysing Disk Images

* Autopsy (my personal recommendation)
* FTK Imager

## Autopsy

A wonderful and powerful tool for analysing disk images. When given a disk image, it runs ingest modules by default, such as `Exif Parser` and `Extension Mismatch Detector`, among many others. These can take a little while to run if you leave them all enabled, especially with larger images. Modules such as `Hash Lookup` can easily be left disabled for CTFs: it is usually used in actual forensic investigations, where a list of hashes of "known bad" files is compared to the files in the disk image. In a CTF, the disk image will usually contain files that you have to analyse and mess with yourself to get flags. A good example of this is RACTF2020's "Disk Forensics Fun", where a Linux Alpine image that contains files is given. I would recommend trying this challenge out for practice, as well as the other forensics challenges from RACTF2020.
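To show what a hash lookup amounts to, here is an added example (not Autopsy's code, and not from the original page) that walks a directory of files exported from an image and reports those whose digest is on a known-bad list. The function names, the use of SHA-256 and the sample files are assumptions made for the illustration.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large evidence files do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_lookup(root, known_bad):
    """Return (matches, unreadable) as sorted paths relative to root.

    known_bad is a set of lowercase hex SHA-256 digests (assumed format).
    """
    matches, unreadable = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks and special files exported from the image
            try:
                if sha256_file(path) in known_bad:
                    matches.append(os.path.relpath(path, root))
            except OSError:
                unreadable.append(os.path.relpath(path, root))
    return sorted(matches), sorted(unreadable)


def demo():
    """Constructed sample: two exported files, one of them on the hash list."""
    with tempfile.TemporaryDirectory() as root:
        home = os.path.join(root, "home", "user")
        os.makedirs(home)
        with open(os.path.join(home, "notes.txt"), "wb") as fh:
            fh.write(b"constructed challenge file\n")
        with open(os.path.join(home, "tool.bin"), "wb") as fh:
            fh.write(b"constructed known-bad sample\n")
        known_bad = {hashlib.sha256(b"constructed known-bad sample\n").hexdigest()}
        return hash_lookup(root, known_bad)


if __name__ == "__main__":
    print(demo())
```

A challenge author's custom files will not appear on any public known-bad list, which is why the lookup adds little in a CTF.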

