Forensic Mission 1

Learn to recover deleted files, analyze evidence, and see beyond the immediately obvious.
Forum rules
DO NOT POST ANSWERS OR SPOILERS! [IE: Mission Links, Mission File Names/Pages, Scripts, etc.]
Posting these will result in warnings/bans!

Forensic Mission 1

Post by mShred on Mon Jan 06, 2014 10:39 am
([msg=78758]see Forensic Mission 1[/msg])

Requirements:
Knowledge of hard disk architecture, file carving utility.

Forensic data recovery is the goal of this mission. There are many different ways to extract the deleted data and you may need to try more than one method before you recover all the necessary files needed in order to complete the mission. You may discuss different tools and provide assistance on how to properly utilize them; but do not post specific 'how to' details on the challenge itself.



Want to see something specific or have ideas for new challenges? Post them here

Do not post spoilers!

For those about to rock.
mShred
Administrator
Posts: 1743
Joined: Tue Jun 22, 2010 4:22 pm


Re: Forensic Mission 1

Post by agorasecurity on Sun Jan 12, 2014 6:48 pm
([msg=78891]see Re: Forensic Mission 1[/msg])

I've liked this challenge.
I've used DFF and found some stuff on the file, anyhow I think I have to find some extra files and I haven't found them yet (but I think I have an idea of what the name and format of that file is, anyhow I'm not sure).
What tools have you used? What do you recommend?
agorasecurity
New User
Posts: 1
Joined: Sun Jan 12, 2014 6:45 pm


Re: Forensic Mission 1

Post by Goatboy on Sun Jan 12, 2014 7:10 pm
([msg=78892]see Re: Forensic Mission 1[/msg])

This can be done using open source command-line tools, which is how I prefer to do forensics. scalpel and foremost are nice for general file carving, and photorec is good for, go figure, photos.
Assume that everything I say is or could be a lie.
1UHQ15HqBRZFykqx7mKHpYroxanLjJcUk
Goatboy
Expert
Posts: 2823
Joined: Mon Jul 07, 2008 9:35 pm


Re: Forensic Mission 1

Post by limdis on Sun Jan 12, 2014 7:27 pm
([msg=78894]see Re: Forensic Mission 1[/msg])

I haven't used DFF before but I will check it out. Some tools used with a default setting will not keep corrupted files in the carving results, which can make or break a forensic recovery if you miss it later. Depending on what you are using you can change that. Keep at it agorasecurity!
"The quieter you become, the more you are able to hear..."
"Drink all the booze, hack all the things."
limdis
Moderator
Posts: 1395
Joined: Mon Jun 28, 2010 5:45 pm
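To make the carving idea from Goatboy's post and limdis's caveat concrete, here is a minimal signature-based carver added as an illustration; it is not code from this thread or from scalpel, foremost or any other tool named here. The magic-byte table and the sample "disk image" are constructed, and the keep_partial flag plays the role of the "keep corrupted files" setting limdis describes.

```python
# Constructed header/footer magic-byte table for two common file types.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(image: bytes, keep_partial: bool = False, max_size: int = 4 * 1024 * 1024):
    """Return (type, offset, data, complete) tuples carved from a raw image.

    For each header hit, look for the matching footer within max_size bytes.
    A header with no footer is a truncated/overwritten file: it is silently
    dropped unless keep_partial is True, which is exactly the default that can
    hide evidence from a carving run."""
    results = []
    for ftype, (header, footer) in SIGNATURES.items():
        start = image.find(header)
        while start != -1:
            window = image[start:start + max_size]
            end = window.find(footer, len(header))
            if end != -1:
                results.append((ftype, start, window[:end + len(footer)], True))
                next_pos = start + end + len(footer)
            else:
                if keep_partial:
                    # Keep the window up to max_size; the analyst decides later.
                    results.append((ftype, start, window, False))
                next_pos = start + len(header)
            start = image.find(header, next_pos)
    return sorted(results, key=lambda r: r[1])


def build_sample_image() -> bytes:
    """Constructed raw image: unallocated filler, an intact JPEG, an intact PNG,
    and a JPEG whose tail (including the footer) was overwritten."""
    filler = b"\x00" * 64
    good_jpg = b"\xff\xd8\xff\xe0" + b"J" * 40 + b"\xff\xd9"
    good_png = b"\x89PNG\r\n\x1a\n" + b"P" * 40 + b"IEND\xaeB`\x82"
    torn_jpg = b"\xff\xd8\xff\xe1" + b"T" * 30  # no footer: corrupted file
    return filler + good_jpg + filler + good_png + filler + torn_jpg + filler


if __name__ == "__main__":
    img = build_sample_image()
    for mode in (False, True):
        hits = carve(img, keep_partial=mode)
        print(f"keep_partial={mode}: {[(t, off, ok) for t, off, _, ok in hits]}")
```

Running it with both settings shows the third (torn) JPEG only appears when partial results are kept.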


Re: Forensic Mission 1

Post by Blakrover on Fri Jan 24, 2014 9:17 am
([msg=79083]see Re: Forensic Mission 1[/msg])

Just wanted to say thanks for this challenge, had a load of fun doing this!
Blakrover
New User
Posts: 1
Joined: Fri Jan 24, 2014 9:14 am


Re: Forensic Mission 1

Post by slaingod on Sun Jan 26, 2014 3:07 pm
([msg=79123]see Re: Forensic Mission 1[/msg])

I had a good bit of fun working this one. I had been testing the new Kali Linux distro release and actually had a harder time trying to do this using DFF and Scalpel. I found using free Windows apps worked much faster. I used OSFMount and Recuva. I think as "limdis" stated, I had some issues with DFF being able to recover or display some of the files. But I don't have much experience with DFF. So don't take that to heart, I may just need to RTFM.

It was fun, but it seemed like a data recovery mission. Not really a forensics mission. We were not looking for who tried to erase her drive. We only were recovering data for the end user.

I believe the techniques are very similar, definitely. So this is a very good mission for practicing forensics techniques. I would like to see missions that are related to the investigation of a wide variety of "computer crimes".

I think this might be fun to try to design missions for this.

-Slaingod

"If it's stupid and works, then it's not stupid."
slaingod
New User
Posts: 3
Joined: Sun Jan 26, 2014 2:37 pm
Location: United States


Re: Forensic Mission 1

Post by -Ninjex- on Sun Jan 26, 2014 8:00 pm
([msg=79139]see Re: Forensic Mission 1[/msg])

slaingod wrote:I had been testing the new Kali Linux distro release and actually had a harder time trying to do this using DFF and Scalpel.


I had no issues using scalpel to complete this challenge. So for all who read that tad bit, don't be discouraged to dive into it :D
If you're not willing to learn, no one can help you. If you're determined to learn, no one can stop you.⠠⠵
The absence of evidence is not evidence of absence.
I can explain it for you, but I can't understand it for you.
-Ninjex-
Addict
Posts: 1353
Joined: Sun Sep 02, 2012 8:02 pm


Re: Forensic Mission 1

Post by fashizzlepop on Sun Jan 26, 2014 10:36 pm
([msg=79143]see Re: Forensic Mission 1[/msg])

slaingod wrote:It was fun, but it seemed like a data recovery mission. Not really a forensics mission. We were not looking for who tried to erase her drive. We only were recovering data for the end user.


Definitely on our scope for further Forensic missions. :) Don't worry.
The glass is neither half-full nor half-empty; it's merely twice as big as it needs to be.
fashizzlepop
Developer
Posts: 2303
Joined: Sat May 24, 2008 1:20 pm


Re: Forensic Mission 1

Post by slaingod on Tue Jan 28, 2014 3:29 pm
([msg=79165]see Re: Forensic Mission 1[/msg])

-Ninjex- wrote:
slaingod wrote:I had been testing the new Kali Linux distro release and actually had a harder time trying to do this using DFF and Scalpel.


I had no issues using scalpel to complete this challenge. So for all who read that tad bit, don't be discouraged to dive into it :D



I actually went back and tried this with SIFT, that was put together by SANS Institute. I had no issues with DFF or Scalpel. The Kali Linux version was missing libraries for DFF. As for Scalpel, I removed and reinstalled it and had no more issues with it either.


-Slaingod

-- Tue Jan 28, 2014 3:33 pm --

fashizzlepop wrote:
slaingod wrote:It was fun, but it seemed like a data recovery mission. Not really a forensics mission. We were not looking for who tried to erase her drive. We only were recovering data for the end user.


Definitely on our scope for further Forensic missions. :) Don't worry.




I found on the SANS DFIR website <http://digital-forensics.sans.org/community/challenges>, they have a digital forensics challenge or "mission". Maybe this is something that can help for ideas for more forensics missions. Hope this can help!
slaingod
New User
Posts: 3
Joined: Sun Jan 26, 2014 2:37 pm
Location: United States


Re: Forensic Mission 1

Post by gsingh2011 on Tue Jan 28, 2014 5:54 pm
([msg=79167]see Re: Forensic Mission 1[/msg])

Is RAR cracking required? That's what I'm stuck on right now.
gsingh2011
New User
Posts: 11
Joined: Sun Mar 27, 2011 2:14 pm

