Forensic Mission 1

Learn to recover deleted files, analyze evidence, and see beyond the immediately obvious.
Forum rules
DO NOT POST ANSWERS OR SPOILERS! [IE: Mission Links, Mission File Names/Pages, Scripts, etc.]
Posting these will result in warnings/bans!

Re: Forensic Mission 1

Post by cyberdrain on Wed May 07, 2014 5:12 pm

LordSyn wrote: Would I be better off trying to do this on my Kali box with the previously recommended tool?

Personally, I would go with Kali as you already have it up and running and it's partially designed for it. If you want to do it using the (I'd assume) hard way, it seems it's also possible to do it on Windows. Figuring out the differences and uses for specific tools is part of the fun. Good luck using either way!
Free your mind / Think clearly


Re: Forensic Mission 1

Post by LordSyn on Wed May 07, 2014 6:12 pm

cyberdrain wrote:Personally, I would go with Kali as you already have it up and running and it's partially designed for it. If you want to do it using the (I'd assume) hard way, it seems it's also possible to do it on Windows. Figuring out the differences and uses for specific tools is part of the fun. Good luck using either way!


I think I'll stick with the hard way; maybe I will learn something new before my next CTF next week. :) Thanks for the help.

Edit:

I ended up getting it in Windows. I found scalpel on GitHub and just compiled it for Windows... everything after that was a bit annoying but fun nonetheless.


Re: Forensic Mission 1

Post by Esqulax on Sun Jun 01, 2014 5:05 pm

Tools-wise - I used FTK Imager and 7zip. For Windows-only users, 7zip is a great tool to extract the original tar.gz file that was downloaded from HTS.

No carving or cracking required, just be REALLY nosy.


Argh! Stuck.

Post by m0atz on Fri Jun 06, 2014 3:16 pm

Ok, I've been using a multitude of tools (all on Linux). I've recovered the suspected file that I think contains the password (I got the red herring, but hey - it was worth a go!). I just can't figure out what to do next. I need the password for the file, argh, catch-22. I'm missing something simple, I know. I used Scalpel (with various flags) - do I need to update the conf? I used Autopsy and that was very interesting. The recovery of various files is pretty straightforward, it's just extracting the data. I've read the comments in other posts, like "look harder" etc., but how? I've opened the file in bless, I can't see anything obvious. A pointer would be useful before I resort to brute forcing the rar file. Which I guess will be pointless assuming the strength of the password probably used :-) Cheers.


Re: Forensic Mission 1

Post by cyberdrain on Fri Jun 06, 2014 6:17 pm

OK, I'll give you a hint on this one. To 'look harder' in this case doesn't mean keep doing what you did and hope it will work the next time. It means trying out different ideas, tools and files. It means looking through everything to make sure you didn't miss anything. It means editing config files to make sure you got everything you needed. It means questioning your set-up and making it better. And it certainly doesn't mean brute force the file. Hope that helps.
Free your mind / Think clearly


Re: Forensic Mission 1

Post by limdis on Fri Jun 06, 2014 7:01 pm

If done correctly, all the files can be recovered without being damaged. It sounds like you have gotten to that point. So I'd suggest what Esqulax said -
Esqulax wrote:...just be REALLY nosy.

Look at everything. Good luck.
"The quieter you become, the more you are able to hear..."
"Drink all the booze, hack all the things."


Re: Forensic Mission 1

Post by m0atz on Sat Jun 07, 2014 1:05 am

Thanks guys. I'm close I know it!


Re: Forensic Mission 1

Post by Defience on Sat Jun 07, 2014 4:07 pm

Make no assumptions. Don't get tunnel vision. Pay attention to everything.


Re: Forensic Mission 1

Post by walterF on Thu Jun 12, 2014 9:57 am

Ok, so forensics is something pretty new to me, however I'm quite comfortable with a hex editor (and Google :3). There haven't been ANY spoilers out there that I've found, thankfully; however, I have managed to get very near to the password. I found the document, however it seems to be empty (please let me know if I'm saying too much and I'll fix this). I made the mistake of trying to do this on a Mac. Are there any hints anyone could give me that might point me in the right direction? I've really enjoyed playing around with this and would love to figure it out.

thanks!
"Men have called me mad; but the question is not yet settled, whether madness is or is not the loftiest intelligence"
-Edgar Allan Poe


Re: Forensic Mission 1

Post by Defience on Thu Jun 12, 2014 2:04 pm

walterF wrote: Ok, so forensics is something pretty new to me, however I'm quite comfortable with a hex editor (and Google :3). There haven't been ANY spoilers out there that I've found, thankfully; however, I have managed to get very near to the password. I found the document, however it seems to be empty (please let me know if I'm saying too much and I'll fix this). I made the mistake of trying to do this on a Mac. Are there any hints anyone could give me that might point me in the right direction? I've really enjoyed playing around with this and would love to figure it out.

thanks!


This is about file recovery. Reading through all of the posts in this thread provides all you need to complete this mission. Look at what others have used (a hex editor won't cut it) and try that route. Good luck!

