📘
CAS Cybersecurity
  • Start
  • Reconnaissance
    • Opensource Intelligence
  • Docker basics and Images
    • Damn Vulnerable Webapp
    • bWAPP
    • Juice Webshop
    • Webgoat
    • Metasploitable 2
    • Metasploitable 3
    • MISP Docker (old)
    • MISP Docker (new)
  • Scanning and Enumeration
    • Scanning with zenmap
    • Scanning with nmap
    • Scanning with msf auxiliary
  • Vulnerability Scanning and Analysis
    • OpenVAS
    • nmap vulnerability scan
    • MSF Auxiliary Modules
  • Exploitation
    • Metasploitable 2
    • Redis Server
    • Print Nightmare
    • Baron Samedit
    • Polkit
    • Heartbleed
  • Man in the Middle
    • ARP Cache poisoning
    • RDP MitM Exercise
  • Windows Hacking
    • Throwback Network
      • Entering the breach
      • Exploring the caverns
      • Webshells and you!
      • First Contact
    • WinAttack LAB
      • Module 01
      • Module 02
      • Module 03
      • Module 04
      • Module 05
      • Module 06
      • Module 07
      • Module 08
      • Module 09
      • Module 10
  • Web Application Security
    • Burp Proxy Introduction
    • DVWA
      • DVWA Exercises 1
      • DVWA Exercises 2
      • DVWA Exercises 3
      • DVWA Exercises 4
      • DVWA Exercises 5
      • DVWA Exercises 6
      • DVWA Exercises 7
      • DVWA Exercises 8
  • CTF and Crypto Exercises
    • Cyberchef Challenge
    • HTB Invite Challenge
    • BSides London 2019 Challenge
    • Ninja Sec Challenge
  • Threat Intelligence
    • MISP Exercise 1
    • MISP Exercise 2
    • MISP Exercise 3
    • MISP Exercise 4
    • MISP Exercise 5
    • MISP Exercise 6
    • MISP Exercise 7
    • MISP Exercise 8
    • Virus Total Graph Exercise
    • RFI Incoming!
  • Forensic Exercises
    • Disk Forensics
      • The Sleuth Kit Intro
      • Filecarving with Foremost
      • Filecarving with scalpel
      • Bulk extractor
      • Disk acquisition with dd
      • Disk acquisition with dcfldd
      • Disk acquisition with ewftools
      • Disk acquisition with FTK Imager
      • Mount disk image (raw)
      • Unknown USB Stick
      • USB Stick Filecarving
      • Autopsy Exercise
    • Windows Forensics
      • Bitunlocker
      • Alternate Datastreams
    • Memory Forensics
      • Volatility2 Basics (Linux)
      • Volatility2 Exercise 1
      • Volatility3 Exercise 1
      • Volatility3 Exercise 2
      • Volatility3 Exercise 3
    • Image Forensics
      • Unswirl Image
      • Manual Filecarving 1
      • Manual Filecarving 2
    • Browser Forensics
    • Mail Header Analysis
    • Timestomping Exercise
    • Network Forensics
      • Tshark Exercise
  • Malware Analysis
    • Ransomware
      • General Introduction
      • Ryuk
      • RansomEXX
      • REvil
      • BlackMatter
      • Hades
      • Egregor
      • DoppelPaymer
    • YARA
      • YARA Install
      • yarGen
      • YARA with Cyberchef
      • TCP dump analysis
      • Memory dump analysis
    • Dosfuscated Scripts
  • Android Malware
    • LAB Setup 1
    • LAB Setup 2
    • Android Manifest
    • Android Permissions
    • APP Tracing with Frida
    • AES Key decryption
    • RedAlert
    • BlackRoseLucy
    • Crackme RE Challenge
  • Forensic Readiness
    • Windows Event Logs
    • Windows Sysmon
    • Sysmon: Capture Clipboard
    • Sysmon: Process Injection
    • Ransomware Detection
      • Signature based
  • Live Response
    • Velociraptor P1
    • Velociraptor P2
    • Velociraptor P3
    • Windows Response LAB
      • Lateral Movement Detection
      • Detect persistence
      • Volatility Analysis
Powered by GitBook
On this page
  • 1. Introduction
  • 2. Analysis
  • 3. Retrieve the flag
  • 4. Mitigation and some thoughts

Was this helpful?

  1. Forensic Exercises
  2. Disk Forensics

Unknown USB Stick

PreviousMount disk image (raw)NextUSB Stick Filecarving

Last updated 3 years ago

Was this helpful?

1. Introduction

  • An unknown USB Stick was found at the desk of an employee of your company.

  • The employee and his coworkers found the USB Stick to be suspicious, since when the worker plugged it into his computer, nothing showed up.

  • Another analyst has already created an image of the found stick using dd and made it available to you:

Your Task:

  • Describe how you retrieved the flag.

  • Describe why nothing showed up on when the USB Stick was inserted by the employee.

  • Describe what has likely happened to the USB Stick.

  • Make a provable statement on whether the USB Stick is likely malicious or not.

  • Make a statement on how the employee who found the USB Stick should remediate the situation and how he should handle similar situations in the future.

  • State why or why not file carving is useful in this scenario.

BONUS: There is a really simple way in order to just retrieve the flag from the image. Can you describe it?

2. Analysis

unzip usbimage.zip

file usbdisk.dd

Try to mount the image file

mkdir analysis

mount -o loop,ro usbstick.dd /home/hacker/forensic/analysis

I couldn't mount the image file yet. It seems that tere is no partition on the image file.

Try to restore partition with testdisk:

testdisk usbstick.dd

Testdisk did discover a FAT32 partition! Write changes to image file:

mount -o loop,ro usbstick.dd /home/hacker/forensic/analysis

Get still an error. Let's try fdisk to get the start sector:

fdisk -l

Try to remount image file:

mount usbstick.dd analysis/ -o ro,offset=$((2048*512))

3. Retrieve the flag

cat ThisIsTheFile.txt

As an alternative we can also use the command strings:

strings usbstick.dd

4. Mitigation and some thoughts

Start an awareness campaign for your employees. Never trust an orphaned USB Stick even it’s a gift from santa claus!!!

I wasn't able to locate maliscious files on the image file! It rather look that the USB stick was erased with a quick format. There are a lot of 0000 0000 0000 sectors. (See image below)

hexeditor usbstick.dd

Filecarving with tools like , , or are always a good choice if the partition isn't readable anymore!

photorec
foremost
scalpel
bulk extractor
2MB
UsbStickImage.zip
archive