# USB Stick Filecarving ![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2Fu0m1VSmaLaomAG4Z7oHJ%2Fmalicious-usb-mail-featured.jpg?alt=media\&token=acb62135-bd5f-4768-a680-6643ef79fb5a) ### 1. Introduction > Someone was able to hack one of your staff’s computer and is now blackmailing you. He has received an email containing a file called blackmail.docx. You have a reasonable suspicion that the hacker is one of the other employees and so you told the system administrator to confiscate the suspect’s USB stick. The system administrator confiscated the stick and created a dd image. Eventually he gave it to you for a forensic analysis. * Download USB dd Image from here: {% embed url="" %} * Unzip USBStickCarving.zip * Use Linux Forensic Tools: {% embed url="" %} Your goal is: 1. Analyze the image of the USB stick. 2. Identify the Volume Serial Number of the image 3. Search for a copy of blackmail.docx on the image. 4. Is there anything else suspiscious? ### 2. Analysis `unzip USBStickCarving.zip` `md5sum usb_stick.dd` `fsstat usb_stick.dd` ![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FC7RtH1LvwgweEUZxYtpz%2Ffsstat01.png?alt=media\&token=f94a2c91-a33b-453c-bd7a-ceb1582e003c) Volume S/N is: AE78E78878E74DA1 Let's try to mount the image: `mkdir /mnt/usb_stick` `mount usb_stick.dd /mnt/usb_stick -o ro,loop,show_sys_files,streams_interface=windows` ![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2F7UCnJcRAImtMrjkK5TA4%2Fanalysis01.png?alt=media\&token=d8bd8206-acbe-421a-bf71-5058da3d4f2e) While browsing during the `html`, `docs` and `Tools` directory I can find suspiscious files: * burpsuite\_free\_windows-x64\_v1\_7\_26.exe * sqlmap.py * owasp.txt * rsnake.txt * sql.txt * … blackmail.docx wasn\`t located yet. ### 3. Filecarving with foremost > foremost -t zip usb\_stick.dd Note: word files (\*.docx) are ziped xml files, so you have to look for zip files

Let's habe a closer look to the output directory:

This is the default file hierarchy used in word / libreoffice files. The metadata is mainly to be found in docProps/core.xml while the word file’s content appears in word/document.xml You can of course rename the 00215144.zip to 00215144.docx and open the file using Microsoft Word or LibreOffice: `mv 00215144.zip 00215144.docx` ![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FYvIL3N8pbtyBuwKnZARf%2Fdocx01.png?alt=media\&token=dbccdf13-c973-4799-9d62-aed030ce7674) ### 4. Filecarving with bulk extractor `bulk_extractor usb_stick.dd -o bulk_data`

Inside the bulk\_data directory I could find a lot of more files, but none of them showd me a document called `blackmail.docx` ![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2F1E8Lb2m1VUS4Eq7Kj6T7%2Fbulk_extract02.png?alt=media\&token=49b796ee-8391-441a-89d3-e13c18f11a3e) The zip file direcory shows the xml files which belongs with high probability to a docx file! ![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2F6JMci2K506J8ZNdgMsPI%2Fbulk_extract03.png?alt=media\&token=ddc1bc99-7f14-49eb-8c73-cc3d7698b751) ### 5. Filecarving with Sleuthkit `tsk_recover usb_stick.dd sleuth_data` ![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FslIAwZDahDbXugVBUtDw%2Fsleuth01.png?alt=media\&token=4eaf3d90-0050-4fac-8746-e1e52ddb0270) A file called blackmail.docx was restored, but the content is not what I've expected! ![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FImt7UbRnwv9aizjtkurD%2Fdocx02.png?alt=media\&token=4990cd9b-089e-473b-a466-36cc176793e6)