Just 4 meeting - Tiago Henriques - Computer Forensics Workshop

In this booklet you will be given the materials needed to participate in the computer
forensics workshop at the Just 4 Meeting event.

During this workshop you will learn the basic parts of a Computer Forensic
Investigation, and will then work on a set of exercises where you put into practice what
you learned.
In some parts you will have to try and think 'outside the box' to reach a solution;
this is a skill that cannot be taught, you either have it or you get it with years of
experience in the field.
The exercises will start at a basic level and increase to a more complex level. Also, and
very important: when you solve one exercise you will get an indication of how to
reach the next one.

Following is some information that you need to know before starting.

With this booklet you will also receive:

-A DD image of a Windows XP installation, captured from what we will call in
this scenario the 'Suspect machine'. The acquisition was done by booting the Suspect
machine from a DEFT Linux live CD, mounting the Windows XP partition read-only
and running:

    dd if=/dev/sda conv=noerror,sync bs=65000 | nc 192.168.1.45 1337

This makes dd create a bit-for-bit copy of the partition and stream it through netcat
to our 'Acquisition machine', where we run:

    nc -l 1337 | dd of=/home/tiago/evidence/suspect.dd

Depending on the size of the partition we are imaging this process can take from a few
minutes to a couple of hours, which is why we won't make you go through it and provide
you directly with the DD image.
So that we don't waste time copying the DD image into the Ubuntu image, I will
put the DD file inside the VirtualBox image straight away.
Another important point: this was an NTFS partition!

-A VirtualBox disk image: a simple Ubuntu Linux installation with some forensic
tools already installed. Everyone should have VirtualBox installed; in case you
don't, request it and I will provide you with the setup file for your operating system.
You should then import this image into VirtualBox and start the virtual machine. This
virtual machine will have all the tools needed to finish the exercises given in this
workshop.
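As an added example (not part of the original booklet), the following Python script plays the receiving side of the acquisition described above, the role of `nc -l 1337 | dd of=...`, and records a SHA-256 of the image as it is written. That is the hash Autopsy later asks for when the image is added to the case, and the value you would compare with a hash taken on the suspect side to prove the copy is faithful. It runs entirely on the loopback interface with a constructed byte string standing in for the disk; the 65000-byte block size comes from the booklet's dd command, while the loopback address, the OS-chosen port and the temporary output path are assumptions of this example.

```python
import hashlib
import socket
import tempfile
import threading

CHUNK = 65000   # same block size as the booklet's dd bs=65000; any size works here


def open_listener(host, port):
    """Bind the acquisition-side listener (what `nc -l 1337` does). port=0 lets the OS pick."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    return srv


def receive_image(srv, out_path):
    """Accept one connection and stream everything it sends into out_path, hashing as we go.
    Returns (bytes_written, sha256_hex). The hash covers exactly the bytes written to disk,
    so it can be recorded in the case notes at acquisition time."""
    conn, _peer = srv.accept()
    digest = hashlib.sha256()
    total = 0
    with srv, conn, open(out_path, "wb") as out:
        while True:
            chunk = conn.recv(CHUNK)
            if not chunk:          # sender closed the connection: end of image
                break
            out.write(chunk)
            digest.update(chunk)
            total += len(chunk)
    return total, digest.hexdigest()


def verify_image(path, expected_sha256):
    """Re-hash a stored image and compare with the value recorded at acquisition."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest() == expected_sha256


def simulate_acquisition(image_bytes, out_path=None):
    """Loopback demonstration: a client streams image_bytes to the receiver the way
    `dd if=/dev/sda ... | nc <acquisition-host> 1337` would. image_bytes is a constructed
    stand-in for the disk. Returns (out_path, bytes_written, sha256_hex)."""
    if out_path is None:
        out_path = tempfile.NamedTemporaryFile(suffix=".dd", delete=False).name
    srv = open_listener("127.0.0.1", 0)
    port = srv.getsockname()[1]
    result = []
    receiver = threading.Thread(target=lambda: result.append(receive_image(srv, out_path)))
    receiver.start()
    with socket.create_connection(("127.0.0.1", port)) as client:
        for off in range(0, len(image_bytes), CHUNK):
            client.sendall(image_bytes[off:off + CHUNK])   # one dd block per send
    receiver.join()
    written, sha = result[0]
    return out_path, written, sha


if __name__ == "__main__":
    fake_disk = bytes(range(256)) * 1024          # 256 KiB of constructed "disk" content
    path, n, sha = simulate_acquisition(fake_disk)
    print(f"wrote {n} bytes to {path}; sha256={sha}; verified={verify_image(path, sha)}")
```

The receiver hashes the stream rather than re-reading the file afterwards, so the recorded digest cannot be influenced by anything that touches the image file later; `verify_image` is the check to run before every analysis session on the copy.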


List of tools needed to solve the exercises (it is not mandatory to use these, feel free
to use others if you prefer):

Autopsy-sleuthkit
Bless Hex editor
Winrar - use command rar
Gedit
VLC
Totem music player
Wireshark
tcpdump
tcpxtract
chaosreader
In Exercise 1 we will simply start Autopsy, a web front end for Sleuthkit, and have a go
at some of its features. For those of you that don't know, Sleuthkit is a set of tools
that allows you to analyse volume and file system data.
As mentioned before, the .DD file will already be located inside the VirtualBox Ubuntu
image. So the first thing we have to do is open a command line and start autopsy.

root@thor:/home/balgan# autopsy

================================================================

                 Autopsy Forensic Browser
             http://www.sleuthkit.org/autopsy/
                     ver 2.21

================================================================
Evidence Locker: /var/lib/autopsy
Start Time: Mon Jun 21 13:13:24 2010
Remote Host: localhost
Local Port: 9999

Open an HTML browser on the remote host and paste this URL in it:

   http://localhost:9999/autopsy

Keep this process running and use <ctrl-c> to exit




We then follow the on-screen instructions and point our browser to
http://localhost:9999/autopsy
If we press 'New Case' we are then presented with a page that asks us for some
information.

Case Name - Suspect 1
Description - Simple one line description of what this case is about
Investigator Name - Tiago Henriques

Press 'New Case'

We are then presented with:
Then we add a Host to this case by pressing the 'Add Host' button.
We are then asked for the host information:




We will then be asked to add the 'Image' related to this host! So we then proceed to
point to the .DD file.

In Type we choose DISK.
We press 'Next'.

We can ignore the file hash in this case.

And ADD the image.




We can then explore all the different tools provided to us.
In this exercise we will focus on 'Analyze' and file system analysis.

When we press File System Analysis we are presented with a view of C:/.
In File Browsing we can preview a file. After we find an interesting file we can
export it and use the tools installed on our machine to analyze that file.
You can find the Exercise 1 folder located on C:/. Try getting the Word file located inside
that folder (the folder name should be pretty obvious :) ) onto your computer, open it with
a hex editor and locate Exercise 2.

Hex Editors

Every time you need to analyse the content of a file you will most likely use a hex editor!
Installed on your Analysis machine is a hex editor called Bless!
A hex editor is relatively simple to use: you can search for different strings, which can
help you locate important bits of information faster!


Magic Numbers

To finish this workshop you will be provided with a list of magic numbers. I can
guarantee that all the magic numbers you will need to finish this workshop are
in the following list:

     • JPEG image files begin with FF D8 and end with FF D9. JPEG/JFIF files contain
       the ASCII code for "JFIF" (4A 46 49 46) as a null terminated string. JPEG/Exif
       files contain the ASCII code for "Exif" (45 78 69 66) also as a null terminated
       string, followed by more metadata about the file.

     • Microsoft Office document files start with D0 CF 11 E0, which is visually
       suggestive of the word "DOCFILE0".

     • Wav file magic number - Hex: 52 49 46 46 xx xx xx xx 57 41 56 45 66 6D 74 20 ASCII:
       RIFF....WAVEfmt
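The following Python script is an added example, not part of the booklet, that puts the magic numbers above to work: it identifies a file by its leading bytes (what the `file` tool does) and carves an embedded JPEG out of a larger container, which is what Exercise 2 asks you to do by hand in the hex editor. The carver walks the JPEG marker structure rather than stopping at the first FF D9 it sees, because an Exif thumbnail inside the header carries its own FF D8 ... FF D9 and would cut a naive carve short; `naive_carve_jpeg` is included only to show that difference. The .DOC stand-in and the JPEG skeleton are constructed in the script and are not real files from the workshop; the 8-byte OLE signature extends the 4 bytes listed above.

```python
import struct

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # booklet lists the first 4 bytes; this is the full 8
JPEG_SOI = b"\xFF\xD8"
JPEG_EOI = b"\xFF\xD9"


def identify(data):
    """Classify a buffer by its leading bytes, using the booklet's magic numbers."""
    if data.startswith(OLE_MAGIC):
        return "ole-compound (DOC/XLS/PPT)"
    if data.startswith(JPEG_SOI):
        if data[6:10] == b"JFIF":        # APP0 payload starts 6 bytes in
            return "jpeg/jfif"
        if data[6:10] == b"Exif":        # APP1 payload starts 6 bytes in
            return "jpeg/exif"
        return "jpeg"
    if data.startswith(b"RIFF") and data[8:12] == b"WAVE":
        return "wav"
    return "unknown"


def naive_carve_jpeg(data, start):
    """Hex-editor style carve: from SOI to the first FF D9. Fails on files with thumbnails."""
    end = data.find(JPEG_EOI, start)
    return data[start:end + 2] if end >= 0 else b""


def carve_jpeg(data, start):
    """Carve a JPEG beginning at `start` by walking its marker segments.
    Length-prefixed segments (APPn, DQT, SOF, DHT, SOS header) are skipped whole, so an
    FF D9 inside an embedded thumbnail is never mistaken for the end of the file. After
    SOS the entropy-coded data is scanned, honouring byte stuffing (FF 00) and restart
    markers (FF D0..D7), until a real marker appears."""
    if data[start:start + 2] != JPEG_SOI:
        raise ValueError("no SOI at offset %d" % start)
    pos = start + 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xD9:
            return data[start:pos + 2]
        seglen = struct.unpack_from(">H", data, pos + 2)[0]
        pos += 2 + seglen
        if marker == 0xDA:                                   # SOS: scan data follows
            while pos + 1 < len(data):
                if data[pos] == 0xFF and data[pos + 1] not in (0x00, *range(0xD0, 0xD8)):
                    break
                pos += 1
            if data[pos:pos + 2] == JPEG_EOI:
                return data[start:pos + 2]
            # any other marker (DHT/SOS of a progressive file) is handled by the outer loop
    raise ValueError("truncated JPEG at offset %d" % start)


def find_jpegs(data):
    """Locate every JPEG embedded in `data` (e.g. a .DOC) and carve it. Returns [(offset, bytes)]."""
    found, pos = [], 0
    while (pos := data.find(JPEG_SOI + b"\xFF", pos)) >= 0:
        try:
            jpeg = carve_jpeg(data, pos)
        except ValueError:
            pos += 1            # not a carvable JPEG: keep scanning
            continue
        found.append((pos, jpeg))
        pos += len(jpeg)        # skip past it (and any thumbnail inside it)
    return found


def _segment(marker, payload):
    return b"\xFF" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


def sample_jpeg():
    """Constructed JPEG skeleton (not a decodable picture): JFIF APP0, an APP1 whose
    payload holds a thumbnail with its own SOI/EOI, a one-component SOS, scan data
    with FF 00 stuffing and an RST0 marker, then EOI. 55 bytes in total."""
    app0 = _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    app1 = _segment(0xE1, b"Exif\x00\x00" + b"\xFF\xD8\xFF\xD9")
    sos = _segment(0xDA, b"\x01\x01\x00\x00\x3F\x00")
    scan = b"\x12\x34\xFF\x00\x56\xFF\xD0\x78\x9A"
    return JPEG_SOI + app0 + app1 + sos + scan + JPEG_EOI


def sample_doc():
    """Constructed stand-in for the workshop's .DOC: OLE signature, filler, JPEG, filler."""
    return OLE_MAGIC + b"\x00" * 504 + sample_jpeg() + b"\x00" * 64


if __name__ == "__main__":
    doc = sample_doc()
    print("container:", identify(doc))
    for offset, jpeg in find_jpegs(doc):
        print(f"JPEG at offset {offset}: {len(jpeg)} bytes, type {identify(jpeg)}")
```

Searching for FF D8 FF rather than FF D8 alone cuts down false hits in random data, and carving by structure is what lets the script tell the outer JPEG from the thumbnail it contains; when you do the same job in Bless, the equivalent discipline is to read the segment lengths instead of trusting the first FF D9 you find.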



Winrar

To extract a file on the command line you can use the command 'unrar x <filename>'

Wireshark, tcpdump, tcpxtract

These are all network forensic tools that are only used when we are analysing
some sort of network capture file, such as a .PCAP file.

Wireshark is a network sniffer but can also work as a viewer for .PCAP files.
tcpdump can extract different sessions from a .PCAP file.
tcpxtract can be used to extract commonly known files such as .TXT, .JPG, .PNG etc. from
network captures (.PCAP files).
chaosreader can be used to analyse the sessions within a .PCAP file.
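To show what extracting sessions from a capture actually involves, here is an added Python example (not part of the booklet, and not how tcpdump, tcpxtract or chaosreader are implemented) that parses a classic pcap file, groups TCP payloads by flow and reassembles them in sequence order, dropping retransmitted segments and skipping non-IP frames. The capture it works on is constructed inside the script (an HTTP request split across two segments that were captured out of order, the reply, a retransmission and an ARP frame); the addresses, ports and the requested file name are made up.

```python
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def ip_to_bytes(s):
    return bytes(int(o) for o in s.split("."))


def bytes_to_ip(b):
    return ".".join(str(x) for x in b)


def build_pcap(packets):
    """Assemble a little-endian pcap buffer from (timestamp, frame) pairs."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in packets:
        sec, usec = divmod(int(ts * 1_000_000), 1_000_000)
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def build_tcp_frame(src_ip, sport, dst_ip, dport, seq, payload):
    """Ethernet + IPv4 + TCP frame. Checksums are left zero; the parser does not verify them."""
    eth = b"\x00" * 6 + b"\x00" * 5 + b"\x01" + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    return eth + ip + tcp


def iter_packets(pcap):
    """Yield (timestamp, frame) for every record in a pcap buffer, either byte order."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    link, = struct.unpack_from(endian + "I", pcap, 20)
    if link != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled in this example")
    off = 24
    while off + 16 <= len(pcap):
        sec, usec, caplen, _origlen = struct.unpack_from(endian + "IIII", pcap, off)
        off += 16
        yield sec + usec / 1e6, pcap[off:off + caplen]
        off += caplen


def extract_tcp_sessions(pcap):
    """Group TCP payloads by one-directional flow (src, sport, dst, dport) and
    reassemble each in sequence-number order. Retransmissions (same seq) are dropped,
    non-IPv4 and non-TCP frames are skipped. Returns {flow: payload_bytes}."""
    flows = defaultdict(dict)                    # flow -> {seq: payload}
    for _ts, frame in iter_packets(pcap):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4 over Ethernet
            continue
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6:                       # IP protocol field: 6 = TCP
            continue
        src, dst = bytes_to_ip(frame[26:30]), bytes_to_ip(frame[30:34])
        tcp = frame[14 + ihl:]
        sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
        doff = (tcp[12] >> 4) * 4                # TCP data offset in 32-bit words
        payload = tcp[doff:]
        if payload:
            flows[(src, sport, dst, dport)].setdefault(seq, payload)
    return {k: b"".join(v[s] for s in sorted(v)) for k, v in flows.items()}


def sample_capture():
    """Constructed capture: request split in two segments captured out of order,
    a retransmission of the first one, the reply, and an ARP frame to be skipped."""
    req = b"GET /report.doc HTTP/1.1\r\nHost: suspect.example\r\n\r\n"
    first, second = req[:20], req[20:]
    c2s = ("10.0.0.5", 40000, "10.0.0.9", 80)
    frames = [
        (1.0, build_tcp_frame(*c2s, seq=1000 + len(first), payload=second)),
        (1.1, build_tcp_frame(*c2s, seq=1000, payload=first)),
        (1.2, build_tcp_frame(*c2s, seq=1000, payload=first)),          # retransmission
        (1.3, build_tcp_frame("10.0.0.9", 80, "10.0.0.5", 40000, seq=5000,
                              payload=b"HTTP/1.1 200 OK\r\n")),
        (1.4, b"\xff" * 12 + b"\x08\x06" + b"\x00" * 28),              # ARP, skipped
    ]
    return build_pcap(frames)


if __name__ == "__main__":
    for flow, data in extract_tcp_sessions(sample_capture()).items():
        print("%s:%d -> %s:%d  %d bytes  %r" % (*flow, len(data), data[:40]))
```

Once a flow's payload is reassembled like this, file carving by magic number (the approach tcpxtract takes) can be applied to the stream rather than to individual packets, which is why the two steps are kept separate here.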


Misc...
All the rest of the standard Linux tools are also provided, such as cat, strings, file and
some others that can be used to finish these exercises faster and more reliably.



Exercise 2 -
Extract a JPEG out of .DOC file using Hex editor - this jpeg will be text indicating
location of files for exercise 3

Exercise 3 -
This JPEG has a bit more to it than it first appears. And it will help you to find Exercise 4!

Exercise 4 -
Oh oh, a Truecrypt image! Maybe that other file can help me, but what is it?

Exercise 5 -
What a weird file, inside it somehow there is the location of exercise 6.

Exercise 6 -
Somehow recover the file with the address where the meeting is gonna happen.

Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 

Booklet

1. Just 4 meeting - Tiago Henriques - Computer Forensics Workshop

In this booklet you will be given the materials needed to participate in the computer forensics workshop at the Just 4 Meeting event.

During this workshop you will have learned the basic parts of a computer forensic investigation, and will now work on a set of exercises where you will put into practice what you learned. In some parts you will have to try and think 'outside the box' to reach a solution; this is a skill that cannot be taught, and you either have it or get it with years of experience in the field. The exercises will start at a basic level and increase to a more complex level. Also, and very important: when you solve one exercise you will get an indication of how to reach the next one.

Following is some information that you need to know before starting.

With this booklet you will also receive:

- A DD image of a Windows XP installation which was captured from what we will call in this scenario a 'Suspect machine'. This acquisition was done by inserting a Live-CD of DEFT Linux into the Suspect machine, mounting the Windows XP partition as read-only and using the command dd if=/dev/sda conv=noerror,sync bs=65000 | nc 192.168.1.45 1337. This will make dd create a bit-image copy of the partition and send it through netcat to our 'Acquisition machine', where we will type nc -l 1337 | dd of=/home/tiago/evidence/suspect.dd. Depending on the size of the partition we are imaging, this process can take from a few minutes to a couple of hours, which is why we won't make you go through it and provide you directly with a DD image. So that we don't waste time copying the DD image into the Ubuntu image, I will put the DD file inside the VirtualBox image straight away. Another important point: this was an NTFS partition!

- A VirtualBox disk image; this is a simple Linux Ubuntu installation with some forensic tools previously installed into it. Everyone should have VirtualBox installed, and in case you don't, request it and I will provide you with the setup file for your operating system. You should then import this image into VirtualBox and start the virtual machine. This virtual machine will have all the tools needed to finish the exercises given in this workshop.

List of tools needed to solve the exercises (not mandatory to use these; feel free to use others if you prefer):
Autopsy-sleuthkit
Bless Hex editor
Winrar - use command rar
Gedit
VLC
Totem music player
Wireshark
tcpdump
tcpxtract
chaosreader

2. In exercise number 1 we will simply start Autopsy, which is a web front end for Sleuthkit, and have a go at some of the features it has. For those of you that don't know, Sleuthkit is a set of tools that allows you to analyse volume and file system data. As mentioned before, the .DD file will already be located inside the VirtualBox Ubuntu image. So the first thing we have to do is open a command line and start autopsy.

root@thor:/home/balgan# autopsy
================================================================
Autopsy Forensic Browser
http://www.sleuthkit.org/autopsy/
ver 2.21
================================================================
Evidence Locker: /var/lib/autopsy
Start Time: Mon Jun 21 13:13:24 2010
Remote Host: localhost
Local Port: 9999
Open an HTML browser on the remote host and paste this URL in it:
http://localhost:9999/autopsy
Keep this process running and use <ctrl-c> to exit

We then follow the on-screen instructions and point our browser to http://localhost:9999/autopsy

3. If we press 'New Case' we are then presented with a page that asks us for some information:
Case Name - Suspect 1
Description - Simple one line description of what this case is about
Investigator Name - Tiago Henriques
Press 'New Case'. We are then presented with:

4. Then we add a Host to this case by pressing the 'Add Host' button. We are then asked about the host information. We will then be asked to add the 'Image' related to this host, so we proceed to point to the .DD file, and in the Type we choose DISK.

5. We press 'Next'. We can ignore the file hash in this case, and add the image. We can then explore all the different tools provided to us. In this exercise we will focus on 'Analyze' and file system analysis. When we press file system analysis, we are presented with a view of C:/

6. In file browsing we can preview a file. After we find an interesting file we can export it and use the tools installed on our machine to analyse that file.

7. You can find the Exercise 1 folder located on C:/. Try getting the Word file located inside the folder onto your computer (the folder name should be pretty obvious :) ), open it with a hex editor and locate Exercise 2.

Hex Editors
Every time you need to analyse the content of a file you will most likely use a hex editor! Installed on your analysis machine is a hex editor called Bless!

8. A hex editor is relatively simple to use; you can search for different strings, and this can help you locate important bits of information faster!

Magic Numbers
To finish this workshop you will be provided with a list of magic numbers. I can guarantee you that to finish this workshop all the magic numbers you will need are located in the following list:
• JPEG image files begin with FF D8 and end with FF D9. JPEG/JFIF files contain the ASCII code for "JFIF" (4A 46 49 46) as a null-terminated string. JPEG/Exif files contain the ASCII code for "Exif" (45 78 69 66), also as a null-terminated string, followed by more metadata about the file.
• Microsoft Office document files start with D0 CF 11 E0, which is visually suggestive of the word "DOCFILE0".
• WAV file magic number - Hex: 52 49 46 46 xx xx xx xx 57 41 56 45 66 6D 74 20 ASCII: RIFF....WAVEfmt

Winrar
To extract a file on the command line you can use the command 'unrar <filename>'

Wireshark, tcpdump, tcpxtract

9. These are all network forensic tools that should only be used in case we are analysing some sort of network capture file, such as a .PCAP file. Wireshark is a network sniffer but can also work as a visualiser for .PCAP files. tcpdump can extract different sessions from a .PCAP file, and tcpxtract can be used to extract commonly known files such as .TXT, .JPG, .PNG etc. from network captures (.PCAP files). chaosreader can be used to analyse sessions within a .PCAP file.

Misc...
All the rest of the standard Linux tools are also provided, such as cat, strings, file, and some others that can be used to finish these exercises faster and more reliably.

Exercise 2 - Extract a JPEG out of the .DOC file using a hex editor; this JPEG will be text indicating the location of the files for exercise 3.
Exercise 3 - This JPEG has a bit more to it than it first appears, and it will help you to find Exercise 4!
Exercise 4 - Oh oh, a Truecrypt image! Maybe that other file can help me, but what is it?
Exercise 5 - What a weird file; inside it somehow there is the location of exercise 6.
Exercise 6 - Somehow recover the file with the address where the meeting is gonna happen.
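As an added example (not part of the booklet, and not one of the workshop's tools), here is the magic-number scan that Exercise 2 asks you to do by hand in Bless, written as a small Python carver: it classifies a blob by the signatures in the list above and pulls out any JPEG embedded in a container such as a .DOC. The sample .DOC bytes are constructed inline, not taken from the suspect image.

```python
import sys
from typing import List

# Signatures taken from the booklet's magic-number list.
OLE_MAGIC = bytes.fromhex("D0CF11E0")   # Microsoft Office (compound) document
JPEG_SOI = bytes.fromhex("FFD8FF")      # start of image, always followed by a marker byte
JPEG_EOI = bytes.fromhex("FFD9")        # end of image

def identify(data: bytes) -> str:
    """Classify a blob by the magic numbers listed in the booklet."""
    if data.startswith(OLE_MAGIC):
        return "ms-office"
    if data.startswith(JPEG_SOI):
        head = data[:32]
        if b"JFIF\x00" in head:
            return "jpeg/jfif"
        if b"Exif\x00" in head:
            return "jpeg/exif"
        return "jpeg"
    if data[:4] == b"RIFF" and data[8:16] == b"WAVEfmt ":
        return "wav"
    return "unknown"

def carve_jpegs(data: bytes) -> List[bytes]:
    """Return every FF D8 FF ... FF D9 span found inside a container file.

    Carving stops at the first FF D9 after a start marker; an Exif thumbnail
    carries its own FF D9, so such images come out truncated and need a
    proper JPEG parser rather than a plain marker scan.
    """
    found, pos = [], 0
    while (start := data.find(JPEG_SOI, pos)) != -1:
        end = data.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1:
            break
        found.append(data[start:end + len(JPEG_EOI)])
        pos = end + len(JPEG_EOI)
    return found

# Constructed sample: an OLE header, some filler, then a minimal JFIF image.
SAMPLE_JPEG = (JPEG_SOI + b"\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01"
               + b"\x00\x00" + b"\x11" * 6 + JPEG_EOI)
SAMPLE_DOC = OLE_MAGIC + b"\xa1\xb1\x1a\xe1" + b"\x00" * 24 + SAMPLE_JPEG + b"\x00" * 8

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DOC
    print("container:", identify(blob))
    for i, img in enumerate(carve_jpegs(blob)):
        open(f"carved_{i}.jpg", "wb").write(img)
        print(f"carved_{i}.jpg: {len(img)} bytes, {identify(img)}")
```

Run it against the exported Word file to get the carved image written beside it; the offsets it reports are the same FF D8 / FF D9 positions you would search for in Bless.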