I thought I would share how I completed Forensics mission 1 using The Sleuth Kit. I hope this helps you work through the challenge and gives you some basic insight into forensics.
For more information on The Sleuth Kit, see http://www.sleuthkit.org/
TOOLS - SETUP
All you need is Kali Linux, which ships with The Sleuth Kit installed.
Once you have kali running, create the following directories:
CODE :
mkdir hts
cd hts
mkdir fs
cd fs
mkdir 1
cd 1
mkdir original_image
mkdir working_image
STEP 1 IMAGE VALIDATION
After downloading image.tar.gz to your Kali machine, copy it into the original_image directory you created in the setup section. The next step is to validate the download against the hash value provided, "md5checksum: 4e7af965caed9b8d29c40f549fdb7d28", to ensure the evidence (file) was not corrupted while downloading and copying.
Fortunately, there is a command for this called md5sum: run it against image.tar.gz and compare its output with the value above.
You should see that the md5 value matches the hash provided for the mission, confirming the download has not corrupted the file. However, it should be noted that the MD5 algorithm is vulnerable to hash collisions, meaning two different files can produce the same hash value; the sha256sum command can therefore be used to produce, not surprisingly, a SHA-256 hash value, and at the time of writing there are no known collisions for SHA-256. Run sha256sum against the same file and record the result alongside the md5 value.
When undertaking forensic investigations it is important not to work on the original evidence unless this is unavoidable. This ensures the original evidence is not corrupted or changed, allows the findings to be re-validated independently, and helps prove we did not tamper with the evidence. The hash values we created can be used to confirm the evidence has not been corrupted while we conduct the investigation and recover the files.
Make a copy of image.dd from the original_image directory to the working_image directory and navigate into working_image. Hash the copy with md5sum and sha256sum as above and compare the results with the values recorded for the original.
There should be no difference; therefore we can be confident the copied image.dd is identical to the original.
STEP 2 – FINDING FILES & RESTORING
The command from The Sleuth Kit that will help is "fls", which lists files and directories in an image; additional details can be found here: http://www.sleuthkit.org/sleuthkit/man/fls.html
Type the following:
CODE :
fls -rd image.dd > image.dd.deletedfile.txt
This performs a recursive search (-r) for deleted entries only (-d) and writes the list to image.dd.deletedfile.txt. Each entry in the list has the following parts:
r/r = regular file
-/d = directory
* = the entry has been deleted
64-144-2 = the meta address, also referred to as the inode number, which we will need to recover the file later
Voicemail 1.wav = the name of the file
STEP 3 RECOVERY.
Now that we have a list of files we can start to investigate their contents. Let's have a closer look at logins.txt by carving it out of the image with icat (the command is shown below) and viewing the result.
As you can see, we have successfully extracted a deleted file from image.dd. Using this approach we can extract any of the files listed from the image.dd file.
Additionally, it is important to check that the working image.dd has not been damaged while extracting files: re-run the hash commands and compare the output with the values recorded earlier.
Carve the file out of image.dd using the icat command, e.g.:
CODE :
icat image.dd xx-xx-xxxxx > thepassword.rar
Finally, we cannot trust that this is a rar file purely because of its extension. To validate that the file really is an archive we can use the file command, which identifies the file type from its contents rather than its name:
This is a basic check and confirms this is a RAR archive; moreover, a password-protected RAR file, ahhhhhhh!!! On my initial attempt at this mission I jumped straight into a dictionary and brute-force attack. However, this is not required to complete the mission: by using the above commands to inspect the files from image.dd you will be able to solve it, but I will leave that for you to discover.
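To tie the three steps together, here is an added example (my own code, not from the mission or The Sleuth Kit) that computes the md5/sha256 pair used to validate the evidence copy, extracts the meta addresses of deleted entries from saved fls -rd output so the matching icat commands can be built, and checks a carved file's leading bytes so its type is not trusted from the extension alone. The regex, the recovered/ output directory and the small signature table are assumptions; the sample fls lines in the test are constructed.

```python
import hashlib
import re

# Constructed regex for one line of `fls -rd` output: optional "+" depth markers
# added by -r, the type pair (r/r, d/d, -/d), "*" when the entry is deleted,
# the meta address (plain inode or NTFS-style 64-144-2), an optional
# "(realloc)" tag, a colon and whitespace, then the name.
FLS_LINE = re.compile(
    r"^\+*\s*(?P<type>[-a-z]/[-a-z])\s+(?P<deleted>\*\s+)?"
    r"(?P<meta>[\d-]+)(?:\([^)]*\))?:\s+(?P<name>.*)$"
)

# Leading bytes that identify a carved file regardless of its extension
# (small assumed table; the real `file` command knows far more).
MAGIC = {
    b"Rar!\x1a\x07\x01\x00": "RAR archive (v5)",
    b"Rar!\x1a\x07\x00": "RAR archive (v4)",
    b"PK\x03\x04": "ZIP archive",
    b"RIFF": "RIFF container (e.g. WAV)",
}


def evidence_hashes(path):
    """MD5 and SHA-256 of a file, read in chunks so large images fit in memory."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            md5.update(chunk)
            sha.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def verify_copy(original, working):
    """True only if both digests of the working copy match the original evidence."""
    return evidence_hashes(original) == evidence_hashes(working)


def deleted_entries(fls_text):
    """Return (meta_address, name) for every deleted entry in saved fls output."""
    found = []
    for line in fls_text.splitlines():
        m = FLS_LINE.match(line)
        if m and m.group("deleted"):
            found.append((m.group("meta"), m.group("name")))
    return found


def icat_commands(image, entries):
    """One icat command per deleted entry, writing each file under recovered/."""
    return [f"icat {image} {meta} > 'recovered/{name}'" for meta, name in entries]


def identify(data):
    """Name the file type from its leading bytes; 'unknown' if nothing matches."""
    for sig, desc in MAGIC.items():
        if data.startswith(sig):
            return desc
    return "unknown"
```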
STEP 5 SUMMARY
In this short tutorial, we covered:
Creating and validating md5 and sha256 hashes to ensure the evidence is not corrupted during the investigation. This is very useful if you go on to mount the image, as accessing the file system can change metadata if it is not mounted read-only.
Using the fls command to list deleted files within the image.dd file.
Using the icat command to carve out files of interest.
Using the file command to validate that the extracted files were of the expected type.
Good luck completing this mission.
HackThisSite is the collective work of the HackThisSite staff, licensed under a CC BY-NC license.
We ask that you inform us upon sharing or distributing.