📘
CAS Cybersecurity
  • Start
  • Reconnaissance
    • Opensource Intelligence
  • Docker basics and Images
    • Damn Vulnerable Webapp
    • bWAPP
    • Juice Webshop
    • Webgoat
    • Metasploitable 2
    • Metasploitable 3
    • MISP Docker (old)
    • MISP Docker (new)
  • Scanning and Enumeration
    • Scanning with zenmap
    • Scanning with nmap
    • Scanning with msf auxiliary
  • Vulnerability Scanning and Analysis
    • OpenVAS
    • nmap vulnerability scan
    • MSF Auxiliary Modules
  • Exploitation
    • Metasploitable 2
    • Redis Server
    • Print Nightmare
    • Baron Samedit
    • Polkit
    • Heartbleed
  • Man in the Middle
    • ARP Cache poisoning
    • RDP MitM Exercise
  • Windows Hacking
    • Throwback Network
      • Entering the breach
      • Exploring the caverns
      • Webshells and you!
      • First Contact
    • WinAttack LAB
      • Module 01
      • Module 02
      • Module 03
      • Module 04
      • Module 05
      • Module 06
      • Module 07
      • Module 08
      • Module 09
      • Module 10
  • Web Application Security
    • Burp Proxy Introduction
    • DVWA
      • DVWA Exercises 1
      • DVWA Exercises 2
      • DVWA Exercises 3
      • DVWA Exercises 4
      • DVWA Exercises 5
      • DVWA Exercises 6
      • DVWA Exercises 7
      • DVWA Exercises 8
  • CTF and Crypto Exercises
    • Cyberchef Challenge
    • HTB Invite Challenge
    • BSides London 2019 Challenge
    • Ninja Sec Challenge
  • Threat Intelligence
    • MISP Exercise 1
    • MISP Exercise 2
    • MISP Exercise 3
    • MISP Exercise 4
    • MISP Exercise 5
    • MISP Exercise 6
    • MISP Exercise 7
    • MISP Exercise 8
    • Virus Total Graph Exercise
    • RFI Incoming!
  • Forensic Exercises
    • Disk Forensics
      • The Sleuth Kit Intro
      • Filecarving with Foremost
      • Filecarving with scalpel
      • Bulk extractor
      • Disk acquisition with dd
      • Disk acquisition with dcfldd
      • Disk acquisition with ewftools
      • Disk acquisition with FTK Imager
      • Mount disk image (raw)
      • Unknown USB Stick
      • USB Stick Filecarving
      • Autopsy Exercise
    • Windows Forensics
      • Bitunlocker
      • Alternate Datastreams
    • Memory Forensics
      • Volatility2 Basics (Linux)
      • Volatility2 Exercise 1
      • Volatility3 Exercise 1
      • Volatility3 Exercise 2
      • Volatility3 Exercise 3
    • Image Forensics
      • Unswirl Image
      • Manual Filecarving 1
      • Manual Filecarving 2
    • Browser Forensics
    • Mail Header Analysis
    • Timestomping Exercise
    • Network Forensics
      • Tshark Exercise
  • Malware Analysis
    • Ransomware
      • General Introduction
      • Ryuk
      • RansomEXX
      • REvil
      • BlackMatter
      • Hades
      • Egregor
      • DoppelPaymer
    • YARA
      • YARA Install
      • yarGen
      • YARA with Cyberchef
      • TCP dump analysis
      • Memory dump analysis
    • Dosfuscated Scripts
  • Android Malware
    • LAB Setup 1
    • LAB Setup 2
    • Android Manifest
    • Android Permissions
    • APP Tracing with Frida
    • AES Key decryption
    • RedAlert
    • BlackRoseLucy
    • Crackme RE Challenge
  • Forensic Readiness
    • Windows Event Logs
    • Windows Sysmon
    • Sysmon: Capture Clipboard
    • Sysmon: Process Injection
    • Ransomware Detection
      • Signature based
  • Live Response
    • Velociraptor P1
    • Velociraptor P2
    • Velociraptor P3
    • Windows Response LAB
      • Lateral Movement Detection
      • Detect persistence
      • Volatility Analysis
Powered by GitBook
On this page
  • 1. Introduction
  • 2. Analysis
  • 3. Filecarving with foremost
  • 4. Filecarving with bulk extractor
  • 5. Filecarving with Sleuthkit

Was this helpful?

  1. Forensic Exercises
  2. Disk Forensics

USB Stick Filecarving

PreviousUnknown USB StickNextAutopsy Exercise

Last updated 3 years ago

Was this helpful?

1. Introduction

Someone was able to hack one of your staff’s computer and is now blackmailing you. He has received an email containing a file called blackmail.docx. You have a reasonable suspicion that the hacker is one of the other employees and so you told the system administrator to confiscate the suspect’s USB stick. The system administrator confiscated the stick and created a dd image. Eventually he gave it to you for a forensic analysis.

  • Download USB dd Image from here:

  • Unzip USBStickCarving.zip

  • Use Linux Forensic Tools:

Your goal is:

  1. Analyze the image of the USB stick.

  2. Identify the Volume Serial Number of the image

  3. Search for a copy of blackmail.docx on the image.

  4. Is there anything else suspiscious?

2. Analysis

unzip USBStickCarving.zip

md5sum usb_stick.dd

fsstat usb_stick.dd

Volume S/N is: AE78E78878E74DA1

Let's try to mount the image:

mkdir /mnt/usb_stick

mount usb_stick.dd /mnt/usb_stick -o ro,loop,show_sys_files,streams_interface=windows

While browsing during the html, docs and Tools directory I can find suspiscious files:

  • burpsuite_free_windows-x64_v1_7_26.exe

  • sqlmap.py

  • owasp.txt

  • rsnake.txt

  • sql.txt

  • …

blackmail.docx wasn`t located yet.

3. Filecarving with foremost

foremost -t zip usb_stick.dd

Note: word files (*.docx) are ziped xml files, so you have to look for zip files

Let's habe a closer look to the output directory:

This is the default file hierarchy used in word / libreoffice files. The metadata is mainly to be found in docProps/core.xml while the word file’s content appears in word/document.xml

You can of course rename the 00215144.zip to 00215144.docx and open the file using Microsoft Word or LibreOffice:

mv 00215144.zip 00215144.docx

4. Filecarving with bulk extractor

bulk_extractor usb_stick.dd -o bulk_data

Inside the bulk_data directory I could find a lot of more files, but none of them showd me a document called blackmail.docx

The zip file direcory shows the xml files which belongs with high probability to a docx file!

5. Filecarving with Sleuthkit

tsk_recover usb_stick.dd sleuth_data

A file called blackmail.docx was restored, but the content is not what I've expected!

Hacking-Lab LiveCD
Logo
USBStickCarving.zipDropbox
Logo