Forensic Mission 1

Learn to recover deleted files, analyze evidence, and see beyond the immediately obvious.
Forum rules
DO NOT POST ANSWERS OR SPOILERS! [IE: Mission Links, Mission File Names/Pages, Scripts, etc.]
Posting these will result in warnings/bans!

Re: Forensic Mission 1

Post by walterF on Thu Jun 12, 2014 2:48 pm

Defience wrote: This is about file recovery. Reading through all of the posts in this thread provides all you need to complete this mission. Look at what others have used (a hex editor won't cut it) and try that route. Good luck!

Ok thanks, my only problem was that I didn't want to have to give myself admin access. I did that and can now use more than just photorec. Thanks!

-- Fri Jun 13, 2014 9:19 am --

Ok, I finished it. You can actually do it with just a hex editor; you just need to know the file headers... and have a lot of patience. Thanks for all the tips and for a great challenge! I'm definitely looking forward to more. :)
"Men have called me mad; but the question is not yet settled, whether madness is or is not the loftiest intelligence"
-Edgar Allan Poe
walterF
New User
Posts: 4
Joined: Sat Jul 14, 2012 5:55 pm
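
Added example, not part of any post in this thread and not a solution to the mission: a minimal signature-based carver that does in code what the post above describes doing by hand in a hex editor, locating files in a raw image by their headers. The signature table, the `carve` and `build_sample_image` names, and the sample image are all constructed for illustration.

```python
"""Header/footer carving over a raw image (added example; sample data is constructed)."""

# kind -> (header magic, footer magic, or None when the format has no fixed trailer)
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
    "rar": (b"Rar!\x1a\x07\x00", None),  # RAR 4.x marker block
}


def carve(image: bytes, max_size: int = 10 * 1024 * 1024):
    """Return (kind, offset, data) per header hit, sorted by offset.

    data is None when there is no footer to search for, or none was found
    within max_size bytes (header-only hit: possibly truncated or overwritten).
    """
    hits = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            data = None
            if footer is not None:
                # First footer after the header wins. Files that embed an earlier
                # footer (JPEG thumbnails, incrementally updated PDFs) come out short.
                end = image.find(footer, pos + len(header), pos + max_size)
                if end != -1:
                    data = image[pos:end + len(footer)]
            hits.append((kind, pos, data))
            pos = image.find(header, pos + 1)
    return sorted(hits, key=lambda h: h[1])


def build_sample_image() -> bytes:
    """Constructed stand-in for unallocated space holding remnants of deleted files."""
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-constructed" + b"\xff\xd9"
    pdf = b"%PDF-1.4\nconstructed body\n%%EOF"
    rar = b"Rar!\x1a\x07\x00" + b"constructed"
    truncated_png = b"\x89PNG\r\n\x1a\n" + b"overwritten"  # header survives, footer gone
    gap = b"\x00"
    return (gap * 512 + jpeg + gap * 100 + pdf + gap * 50 + rar
            + gap * 64 + truncated_png + gap * 32)


if __name__ == "__main__":
    for kind, offset, data in carve(build_sample_image()):
        size = "header only" if data is None else f"{len(data)} bytes"
        print(f"{kind:4} @ 0x{offset:06x}  {size}")
```

Header-only hits are where a second pass with different carver settings, or manual inspection at that offset, is needed before trusting the result.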


Re: Forensic Mission 1

Post by Libra4 on Sun Jun 22, 2014 4:16 am

I've found this very useful tool for Windows: OSForensics
Thanks for your posts. Helped me a lot :D
Libra4
New User
Posts: 1
Joined: Mon Nov 17, 2008 3:31 pm


Re: Forensic Mission 1

Post by OS_13115 on Sat Jul 05, 2014 4:30 pm

RAR seems to be part of the solution. Also TrueCrypt:

Code:
Your new password is.rarPhP
OS_13115
New User
Posts: 12
Joined: Sat Jul 05, 2014 1:07 pm


Re: Forensic Mission 1

Post by MouseMatt on Sun Jul 06, 2014 11:16 am

I used Autopsy (Windows) to look at the image for the 1st mission. However, I found the email, but not the rar file that apparently was present?
MouseMatt
New User
Posts: 1
Joined: Sun Jul 06, 2014 11:13 am


Re: Forensic Mission 1

Post by cyberdrain on Sun Jul 06, 2014 2:25 pm

OS_13115 wrote: ... seems to be part of the solution. Also ...

This isn't entirely correct.
Free your mind / Think clearly
cyberdrain
Expert
Posts: 2160
Joined: Sun Nov 27, 2011 1:58 pm


Re: Forensic Mission 1

Post by limdis on Mon Jul 07, 2014 7:04 pm

OS_13115 wrote: Your new password is.rarPhP

What cyberdrain said. You're doing something wrong.

MouseMatt wrote: I used Autopsy (Windows) to look at the image for the 1st mission. However, I found the email, but not the rar file that apparently was present?

You are either getting a false flag or you are going to need to rerun your recovery. It's there, keep playing with it.
"The quieter you become, the more you are able to hear..."
"Drink all the booze, hack all the things."
limdis
Moderator
Posts: 1657
Joined: Mon Jun 28, 2010 5:45 pm


Re: Forensic Mission 1

Post by 0xFoo on Wed Jul 23, 2014 10:49 am

Hello everybody, I'd like to ask for a tip:

What do I have after carving the .dd?

- A bunch of random images
- 2 PDFs that are not related to the problem
- Many encrypted files (with UNKNOWN keys)
- A really interesting .rar/.zip file (dunno the password)

If it's necessary to find the password of the compressed file...could I get a hint? - please, something like "look at everything" is not going to help me...
Thx! :oops:
0xFoo
New User
Posts: 2
Joined: Tue Jul 15, 2014 10:03 pm


Re: Forensic Mission 1

Post by limdis on Wed Jul 23, 2014 12:47 pm

0xFoo wrote: - Many encrypted files (with UNKNOWN keys)

Something went wrong here. What tool are you using? Edit your options and try your carve again. When the results are accurate the remainder of the challenge becomes fairly apparent.
"The quieter you become, the more you are able to hear..."
"Drink all the booze, hack all the things."
limdis
Moderator
Posts: 1657
Joined: Mon Jun 28, 2010 5:45 pm


Re: Forensic Mission 1

Post by 0xFoo on Wed Jul 23, 2014 4:24 pm

limdis wrote:
0xFoo wrote: - Many encrypted files (with UNKNOWN keys)

Something went wrong here. What tool are you using? Edit your options and try your carve again. When the results are accurate the remainder of the challenge becomes fairly apparent.


By "many encrypted files" I mean ".pgp" files, a LOT of .pgp files. There is also a .wav file and a .fws file. So would it be useful to try to carve again?

Thanks!
0xFoo
New User
Posts: 2
Joined: Tue Jul 15, 2014 10:03 pm


Re: Forensic Mission 1

Post by cyberdrain on Wed Jul 23, 2014 6:53 pm

The right settings and the right files help. After doing another carve go through the files.
Free your mind / Think clearly
cyberdrain
Expert
Posts: 2160
Joined: Sun Nov 27, 2011 1:58 pm

