Forensic Mission 3

[limdis]

Requirements:
File carving and critical thinking.

The challenge has several steps so keep track of what you do. It is suggested that you make copies of the files you are working with just in case you mess up. Similarly to Forensic #1, there are false positives in place to distract you. Examine everything and see what sticks out. Remember your goal, you are looking for incriminating evidence! If you can find something that would warrant an arrest according to the mission description, you will find the password.
Good luck.

Do not post spoilers!

[RaThE_Waz_Here]

This was another fun challenge!
Looking forward to future updates!

[astronate15]

I'm having a heck of a time with this. Any hints? I've tried running several file carving utilities on the contents, however I'm thinking that the file type that needs carved is in the siggies.txt file, but may not exist in most application's default configuration lists. I've also spent hours trying to decipher the spreadsheet, but really can't decide if it's a red herring. I've been at it for a few weekends and the only thing I've been able to *--shhhhh, you're on the right track but i have to remove this part. ~limdis*

[Euforia33]

You are in the right station with the siggies file but not the right track, look at the file again and think about what it's telling you, perhaps it's there for a reason..? Look elsewhere for something that does not look right, it's one of those obvious things that are simple enough to overlook but just a simple comparison of some of the files should allow you to see it

Limdis: Great challenge mate, keep them coming! Remove any or all of this if you think it is of too much help.

[astronate15]

I've spent so much time at this and I hate to ask any more questions without spoiling it for the others, but I think I'm going to give up for a bit. Feel free to blank out anything that gives it away, and sorry in advance.
================================================================================
I've been trying to match signatures (mostly at random) from the siggies file to each of the files. Scalpel is returning a lot of false positives and not getting me anywhere other than creating a ton of corrupt files. If the excel sheet is of importance, it's too cryptic for me to understand at the moment. I'm pretty sure that this challenge doesn't require steganalysis since that's a different category of missions, so I've ruled those out. Any educational materials that can help me with this would be greatly appreciated, limdis.

[MimoMarim]

@limdis this was a really fun mission

@astronate15 definitely no steganalysis required - the first step here is critical thinking - good luck!

[astronate15]

I got this figured out. Very cool mission Limdis! Looking forward to more!

[pitabit]

I was really trying not to ask for help, but I almost tried everything I know, and probably that's the problem, I don't know enough. I think I found what you need to find among the files, but it's password protected. Should I try with some brute force software? Or, do I missing something? I tried to find the password, but not sure if this is also among the files.

[choartex]

I've been stuck on this mission for quite some time now...
Finished the other 2 without much trouble but I can't figure out what to do...
I'd like some help or being pointed towards the right direction
So here is what I got and my theory:
the answer lies within the siggies.txt, this contains headers for the files, so I manually checked the files for their headers containing anything relating to mail-stuff
also checked their headers within a hexeditor next to the siggies file to see if the files where indeed the right file types.
Now I also found it strange that the shh.jpg image has this abnormal size, there must be something up with that, but I can't open it in any other program without getting nonsense... The other files seem legit, somewhere has to be a bitcoin wallet tho, because there is obvious hints pointing towards it.

So if anyone could tell me how to tie these finding together or at least tell me what I should examine again or should lok up online then I'd be extremely gratefull because this is driving me insane :')

Thanks in advance!

-- Wed Nov 09, 2016 3:27 pm --

Alright, I managed to figure it out by a tip given from a classmate. I'll give the same tip and partly my assumption above here where right.
A good thing to do is looking how files are saved in hex, they have signatures and with that a header/footer. figure that out for the files, look at the existing ones and compare.
You are trying to untangle a giant file into multiple files.
goodluck I suppose, if you need more help feel free to pm me, I won't give you the answer but I'll point you in the right direction, be sure to tell me what you already tried and found so that I do not spoil to much!

[Zloy Obezyan]

Undoubtedly , there are many things in the file shh.jpg , except photos.
Now I try to extract hidden content from this file by various utilities installed in the Kali Linux (forensic chapter).
Am I right or should I change my approach?