Forensic Mission 1

Learn to recover deleted files, analyze evidence, and see beyond the immediately obvious.
Forum rules
DO NOT POST ANSWERS OR SPOILERS! [IE: Mission Links, Mission File Names/Pages, Scripts, etc.]
Posting these will result in warnings/bans!

Re: Forensic Mission 1

Post by -Ninjex- on Thu Jul 24, 2014 10:04 am

0xFoo wrote:
limdis wrote:
0xFoo wrote:- Many encrypted files (with UNKNOWN keys)

Something went wrong here. What tool are you using? Edit your options and try your carve again. When the results are accurate the remainder of the challenge becomes fairly apparent.


By "many encrypted files" I mean ".pgp" files, a LOT of .pgp files. There is also a .wav file and a .fws file. So would it be useful to try to carve again?

Thanks!


If I recall, I only received one encrypted file from this challenge.
Try using a better recovery tool such as TestDisk
For those that know
K: 0x2CD8D4F9


Re: Forensic Mission 1

Post by cyberdrain on Thu Jul 24, 2014 7:16 pm

0xFoo wrote:By "many encrypted files" I mean ".pgp" files, a LOT of .pgp files.
-Ninjex- wrote:If I recall, I only received one encrypted file from this challenge.

0xFoo, Ninjex is right: PGP files are not encrypted files, they are usually PGP security key-files used to encrypt something with Pretty Good Privacy.
Free your mind / Think clearly


Re: Forensic Mission 1

Post by -Ninjex- on Fri Jul 25, 2014 7:40 am

cyberdrain wrote:0xFoo, Ninjex is right: PGP files are not encrypted files, they are usually PGP security key-files used to encrypt something with Pretty Good Privacy.


wat? I never said that... PGP is encryption
I only recall seeing 1 encrypted file from the disk image after I recovered the data <--


Re: Forensic Mission 1

Post by cyberdrain on Fri Jul 25, 2014 8:25 am

Sorry, let me rephrase that: "Ninjex was right about finding only one encrypted file, as I've found the same thing. In addition to that, those PGP files are not encrypted files." <-- was what I meant.
I've not seen PGP files that were encrypted files instead of keys only, but maybe you have. AFAIK PGP files are keys used for PGP encryption only.


Re: Forensic Mission 1

Post by -Ninjex- on Fri Jul 25, 2014 8:40 am

cyberdrain wrote:I've not seen PGP files that were encrypted files instead of keys only, but maybe you have.


You can encrypt a file with a key. And yes I have, because I have encrypted my own files using PGP and I am looking at a few right now.


Re: Forensic Mission 1

Post by cyberdrain on Fri Jul 25, 2014 9:09 am

-Ninjex- wrote:You can encrypt a file with a key. And yes I have, because I have encrypted my own files using PGP and I am looking at a few right now.

Could you do me a favor in the interest of gathering knowledge, delete one of the files, try to recover them using one of the tools you'd use and see if they show up as PGP? I'm interested to see if there's some indication (header obviously) that it's a PGP encrypted file so the carver can recognize it as such. I mean, I could encrypt a .txt file and name it .txt, but I'm pretty sure a carver won't find it as .txt then.


Re: Forensic Mission 1

Post by -Ninjex- on Fri Jul 25, 2014 10:16 am

secure.gpg

Image
Image

Now, let's keep this thread on topic. Anything further off topic should be taken to pm or IRC


Re: Forensic Mission 1

Post by cyberdrain on Fri Jul 25, 2014 10:22 am

Alright, but that's a gpg, not a pgp file.

Edit: looks like the same applies to both, disregard.
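On the question raised in the posts above, whether a carver can tell a PGP-encrypted file from a key file by its header, here is an added example (not code from any poster or from the mission) that classifies OpenPGP data by its first packet tag as defined in RFC 4880. The names `classify` and `parse_header` and the sample bytes are constructed for illustration, and the version checks cover RFC 4880 packet versions only.

```python
# Added example: classify OpenPGP data by its leading bytes (RFC 4880, sec. 4.2).
ARMOR = {  # ASCII-armor header lines name the content type directly
    b"-----BEGIN PGP MESSAGE-----": "message",
    b"-----BEGIN PGP PUBLIC KEY BLOCK-----": "key",
    b"-----BEGIN PGP PRIVATE KEY BLOCK-----": "key",
    b"-----BEGIN PGP SIGNATURE-----": "signature",
}
# Tags 1/3 are encrypted session keys, 9/18 encrypted data, 5/6 secret/public
# keys, 2 a signature: the packets that normally open a binary .pgp/.gpg file.
TAG_KIND = {1: "encrypted", 3: "encrypted", 9: "encrypted", 18: "encrypted",
            5: "key", 6: "key", 2: "signature"}
# Version byte each tag must carry as its first body octet under RFC 4880;
# checked to cut false positives, since the tag alone is a one-byte signature.
VERSIONS = {1: {3}, 3: {4}, 18: {1}, 5: {2, 3, 4}, 6: {2, 3, 4}, 2: {3, 4}}

def parse_header(data):
    """Return (tag, body_offset) for the first packet, or None."""
    if len(data) < 2 or not data[0] & 0x80:       # bit 7 is always set
        return None
    if data[0] & 0x40:                            # new format: tag in bits 5-0
        first = data[1]
        if first < 192 or 224 <= first < 255:     # one-octet or partial length
            return data[0] & 0x3F, 2
        return data[0] & 0x3F, 3 if first < 224 else 6
    length_octets = (1, 2, 4, 0)[data[0] & 0x03]  # old format: length type
    return (data[0] >> 2) & 0x0F, 1 + length_octets

def classify(data):
    """Return 'encrypted', 'key', 'signature', 'message' or 'unknown'."""
    text = data.lstrip()
    for marker, kind in ARMOR.items():
        if text.startswith(marker):
            return kind
    header = parse_header(data)
    if header is None:
        return "unknown"
    tag, offset = header
    versions = VERSIONS.get(tag)
    if versions and (len(data) <= offset or data[offset] not in versions):
        return "unknown"
    return TAG_KIND.get(tag, "unknown")

# Constructed sample headers (not taken from the mission image).
SAMPLES = {"pkesk": bytes.fromhex("85010c03") + bytes(8),
           "skesk": bytes.fromhex("8c0d04090302"),
           "pubkey": bytes.fromhex("99010d04") + bytes(8),
           "text": b"plain notes"}
```

A tag-9 packet carries no version byte, so that case rests on the single header octet, and a carver matching on it alone will report false positives.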


Re: Forensic Mission 1

Post by aeroxtk on Sat Aug 09, 2014 4:16 pm

I've been trying a couple of tools under both unix-like and windows OSes but none have worked for me so far. In the end, it turns out the folders are empty.
Isolation, in my world means opportunity. Reflection of that nature undoubtedly brings round to the fact that comprehension is a requisite of success and thence exculpates the notion associated with the above alluded quips.


Re: Forensic Mission 1

Post by -Ninjex- on Wed Aug 13, 2014 8:51 am

aeroxtk wrote:I've been trying a couple of tools under both unix-like and windows OSes but none have worked for me so far. In the end, it turns out the folders are empty.


One of the best forensic tools is TestDisk. I used it to complete this mission (I also used Scalpel to complete it, but the results were less stable than TestDisk). I would advise you to try it, as it's a very great recovery tool. If it doesn't work for you, try installing it again, and check the sums to make sure there isn't any interference with what's going on.

