Forensic Mission 3

Learn to recover deleted files, analyze evidence, and see beyond the immediately obvious.
Forum rules
DO NOT POST ANSWERS OR SPOILERS! [IE: Mission Links, Mission File Names/Pages, Scripts, etc.]
Posting these will result in warnings/bans!

Post by limdis on Sun May 22, 2016 1:30 pm

Requirements:
File carving and critical thinking.

The challenge has several steps so keep track of what you do. It is suggested that you make copies of the files you are working with just in case you mess up. Similarly to Forensic #1, there are false positives in place to distract you. Examine everything and see what sticks out. Remember your goal, you are looking for incriminating evidence! If you can find something that would warrant an arrest according to the mission description, you will find the password.
Good luck.

Do not post spoilers!
"The quieter you become, the more you are able to hear..."
"Drink all the booze, hack all the things."


Re: Forensic Mission 3

Post by RaThE_Waz_Here on Wed Jun 01, 2016 12:44 am

This was another fun challenge!
Looking forward to future updates! :mrgreen:


Re: Forensic Mission 3

Post by astronate15 on Sat Jul 16, 2016 8:47 am

I'm having a heck of a time with this. Any hints? I've tried running several file carving utilities on the contents, however I'm thinking that the file type that needs carved is in the siggies.txt file, but may not exist in most applications' default configuration lists. I've also spent hours trying to decipher the spreadsheet, but really can't decide if it's a red herring. I've been at it for a few weekends and the only thing I've been able to *--shhhhh, you're on the right track but I have to remove this part. ~limdis*


Re: Forensic Mission 3

Post by Euforia33 on Sat Jul 16, 2016 5:24 pm

You are in the right station with the siggies file but not the right track, look at the file again and think about what it's telling you, perhaps it's there for a reason..? Look elsewhere for something that does not look right, it's one of those obvious things that are simple enough to overlook but just a simple comparison of some of the files should allow you to see it ;)

Limdis: Great challenge mate, keep them coming! Remove any or all of this if you think it is of too much help.


Re: Forensic Mission 3

Post by astronate15 on Sun Jul 17, 2016 6:58 pm

I've spent so much time at this and I hate to ask any more questions without spoiling it for the others, but I think I'm going to give up for a bit. Feel free to blank out anything that gives it away, and sorry in advance.
================================================================================
I've been trying to match signatures (mostly at random) from the siggies file to each of the files. Scalpel is returning a lot of false positives and not getting me anywhere other than creating a ton of corrupt files. If the Excel sheet is of importance, it's too cryptic for me to understand at the moment. I'm pretty sure that this challenge doesn't require steganalysis since that's a different category of missions, so I've ruled those out. Any educational materials that can help me with this would be greatly appreciated, limdis.


Re: Forensic Mission 3

Post by MimoMarim on Sun Aug 07, 2016 1:34 pm

@limdis this was a really fun mission :)

@astronate15 definitely no steganalysis required - the first step here is critical thinking - good luck!


Re: Forensic Mission 3

Post by astronate15 on Tue Aug 16, 2016 9:44 am

I got this figured out. Very cool mission Limdis! Looking forward to more!


Re: Forensic Mission 3

Post by pitabit on Wed Nov 02, 2016 12:02 pm

I was really trying not to ask for help, but I tried almost everything I know, and probably that's the problem, I don't know enough. I think I found what you need to find among the files, but it's password protected. Should I try with some brute force software? Or am I missing something? I tried to find the password, but I'm not sure if this is also among the files.


Re: Forensic Mission 3

Post by choartex on Tue Nov 08, 2016 7:58 pm

I've been stuck on this mission for quite some time now...
Finished the other 2 without much trouble but I can't figure out what to do...
I'd like some help or to be pointed in the right direction.
So here is what I got and my theory:
The answer lies within the siggies.txt, this contains headers for the files, so I manually checked the files for their headers containing anything relating to mail-stuff.
I also checked their headers within a hex editor next to the siggies file to see if the files were indeed the right file types.
Now I also found it strange that the shh.jpg image has this abnormal size, there must be something up with that, but I can't open it in any other program without getting nonsense... The other files seem legit, somewhere has to be a bitcoin wallet tho, because there are obvious hints pointing towards it.

So if anyone could tell me how to tie these findings together or at least tell me what I should examine again or should look up online then I'd be extremely grateful because this is driving me insane :')

Thanks in advance!

-- Wed Nov 09, 2016 3:27 pm --

Alright, I managed to figure it out with a tip given by a classmate. I'll give the same tip, and my assumptions above were partly right.
A good thing to do is looking at how files are saved in hex, they have signatures and with that a header/footer. Figure that out for the files, look at the existing ones and compare.
You are trying to untangle a giant file into multiple files.
Good luck I suppose, if you need more help feel free to pm me, I won't give you the answer but I'll point you in the right direction, be sure to tell me what you already tried and found so that I do not spoil too much!

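The header/footer comparison choartex describes, as an added example that is not part of any post and not the mission's solution: a minimal signature carver run over a constructed blob. The table holds four widely documented magic numbers, and `SIGNATURES`, `carve`, `gaps` and `SAMPLE` are names chosen for this sketch.

```python
# Added example: header/footer carving over a constructed blob (not mission data).
# Signatures are the widely documented magic numbers for each format.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
    "gif": (b"GIF89a", b"\x00\x3b"),
}

def carve(data):
    """Return sorted (offset, kind, bytes) for each header that has a footer after it."""
    hits = []
    for kind, (header, footer) in SIGNATURES.items():
        start = data.find(header)
        while start != -1:
            end = data.find(footer, start + len(header))
            if end != -1:  # a header with no footer is treated as a false positive
                hits.append((start, kind, data[start:end + len(footer)]))
            start = data.find(header, start + 1)
    return sorted(hits)

def gaps(data, hits):
    """Return (start, end) byte ranges that no carved file accounts for."""
    out, cursor = [], 0
    for start, _kind, blob in hits:
        if start > cursor:
            out.append((cursor, start))
        cursor = max(cursor, start + len(blob))
    if cursor < len(data):
        out.append((cursor, len(data)))
    return out

# Constructed sample: a tiny fake JPEG, 8 padding bytes, then a fake PNG and PDF
# appended to it, the way extra files can sit behind a valid image header.
SAMPLE = (
    b"\xff\xd8\xff\xe0JFIF-constructed\xff\xd9"
    + b"\x00" * 8
    + b"\x89PNG\r\n\x1a\nconstructedIEND\xaeB`\x82"
    + b"%PDF-1.4\nconstructed\n%%EOF"
)

if __name__ == "__main__":
    found = carve(SAMPLE)
    for offset, kind, blob in found:
        print(f"{offset:#06x} {kind} {len(blob)} bytes")
    print("unexplained ranges:", gaps(SAMPLE, found))
```

Short footers such as `FF D9` can also occur inside a file's own content (an embedded thumbnail, for instance), so first-footer matching may cut a file short; that is one source of the corrupt output a carver produces.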

Re: Forensic Mission 3

Post by Zloy Obezyan on Tue Mar 21, 2017 5:18 am

Undoubtedly, there are many things in the file shh.jpg besides photos.
Now I am trying to extract hidden content from this file with various utilities installed in Kali Linux (forensic chapter).
Am I right or should I change my approach?
Yours faithfully, Zloy Obezyan

