Stand-alone computer forensics: a walkthrough of the Information Security Management and Evaluation competition task, with a worked example using Autopsy

Wuhu~  

In this issue we analyze the stand-alone forensics task from the National Vocational Skills Competition (Information Security Management and Evaluation event), and walk through an example question to share some ideas and problem-solving logic.

Table of contents

Topic
Preface analysis
  .E01 file
  The main difference between a DD image and an E01 image
  How to open and view the E01 file extension?
  Commonly used tool: Autopsy
Setting sail
  Evidence 1: Idea ①
  Evidence 2
  Evidence 4: Idea ② (vo12 folder, ps folder)
  Evidence 10: Idea ③
  Evidence 9
  Evidence 8: Idea ④, Idea ⑤
  Evidence 3: Idea ⑥
  Evidence 5
  Evidence 6
  Evidence 7: Idea ⑦
Epilogue


Topic

Task 4: computer stand-alone forensics (60 points)

Analyze the given forensic image file and search for the evidence keywords (the clue keywords are "evidence 1", "evidence 2", ..., "evidence 10", appearing both as text and inside images, case-insensitive). Extract and preserve the evidence files the task asks for, and fill in the relevant information in the required sample format; the evidence files must make up no less than 15% of the total number of files. Forensic information may be hidden in normal, deleted or damaged files, so you may need encoding conversion, encryption and decryption, steganography and data recovery techniques, and you also need to be familiar with commonly used file formats (such as office documents, archives, images, etc.).

Materials for this task: forensic image file

Submit the correct answers according to the competition environment and the task requirements on the on-site answer sheet.

Task 4: computer stand-alone forensics

Evidence number | Original file name (does not include path) | Hash of the original file in the image (MD5, case-insensitive)
evidence 1      |                                            |
evidence 2      |                                            |
evidence 3      |                                            |
evidence 4      |                                            |
evidence 5      |                                            |
evidence 6      |                                            |
evidence 7      |                                            |
evidence 8      |                                            |
evidence 9      |                                            |
evidence 10     |                                            |

Preface analysis

Let's look at the task.

Stand-alone forensics falls under the forensics category, and forensics and traceability are a mainstay of MISC, so solving stand-alone forensics tasks relies on the same thinking and logic as MISC.

Note that the answers to stand-alone forensics are in a fixed order and cannot be filled in arbitrarily. (Put another way: other tasks ask you to find a flag; stand-alone forensics asks you to find the correct files, put them in the correct order, and then obtain the MD5 of each file.)

The setter takes some image or text steganography, LSB low-bit image steganography, audio Morse code, pseudo-encrypted archives and the like, and plants them in a disk image: for example, pictures with hidden content, a Base32-encoded flag hidden in the hex of an Excel file, or hidden transparent characters.

We find the clues hidden in it by various means and obtain the correct files in the correct order.

.E01 file

An .E01 file belongs to the category of disk image files.

The main difference between a DD image and an E01 image

  • The E01 file extension represents the EnCase image file format used by EnCase software.
  • This file is used to store digital evidence, including volume images, disk images, memory and logical files. EnCase can split the acquired digital data into multiple E01 files of 640 MB each.
  • One of the most notable features of this format is that the extension changes for each new segment file created (E01, E02, E03, and so on).
  • Since EnCase was originally introduced under the name Expert Witness, E01 files are also commonly referred to as Expert Witness files.

How to open and view the E01 file extension?

An E01 file is a forensic disk image created by EnCase, a forensics software application. It holds an exact copy of the contents extracted from the target device's disk and can be mounted and read by EnCase or by another program that supports the .E01 format.

Commonly used tool: Autopsy

Next, let's go through one point in detail.

Without a tool, forensics is just staring at an image file and getting nowhere. The most commonly used tool for stand-alone forensics is Autopsy. Since many people are not familiar with this tool, here is a brief walkthrough of loading an image in Autopsy. Version 4.20 is used here.

This is the loading page.

After it opens, a window pops up automatically.

We choose the first option, New Case (the other two are to open the most recent case and to open an existing case).

Give the new case a name and select the directory to store it in. The remaining case details can be left as they are; click Finish.

The data source page loads. Select the first option, which generates a new host name based on the data source name.

Again choose the first option, Disk Image or VM File.

Here you enter the path to the image file. With that, the basic configuration is complete.

Continue to the next step, keeping the defaults there as well, and load. A progress window appears.

Loading completed.

Setting sail

Now we begin our problem-solving journey.

Evidence 1

Idea ①

I said earlier that stand-alone forensics belongs to MISC, so what do we do first? Search for strings, of course.

Start with a keyword search. What do we search for? The clue keyword from the task: "evidence". The search bar is in the upper right corner of the tool.

Search completed.

The retrieved files need to be checked one by one. The first file is found.

The file name and the MD5 value can both be read from the columns of the results table.

Evidence 2

The search directly turns up a second one.

For the rest, we will not follow the order of the task: we solve them in whatever order they come and write down whichever we find (this depends on personal logic).

Evidence 4

Next I go straight to the pictures. Open File Views and look at the Images category.

Idea ②

My approach starts from the file names of the pictures (look for any clues). Here we need to view the pictures' thumbnails. Going through all the pictures roughly, we find two pictures that are exactly the same; this picture appears in both the vo12 folder and the ps folder.

vo12 folder

ps folder

Then add in the name of this image: img_hight.jpg.

We suspect this image has been edited in Photoshop, and together with the name of the picture, we have good reason to suspect that its height has been altered.

Export the picture and modify the height directly in its raw bytes.

In the JPEG frame header: marker code FF C0, data length 00 11, precision 08, image height 02 27.

That's the fourth one found.
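To make the height edit concrete, here is an added example (my own code, not from the original post) that walks the JPEG segment chain to locate the SOF0 frame header and rewrite its two-byte height field; the sample bytes are constructed and carry the page's values (length 00 11, precision 08, height 02 27).

```python
import struct

SOI = b"\xff\xd8"
SOF_MARKERS = {0xC0, 0xC1, 0xC2}  # baseline, extended sequential, progressive DCT

def read_sof(data: bytes):
    """Walk the JPEG segment chain and return (marker_offset, precision, height, width)
    of the first SOF segment. Raises ValueError if no frame header is found."""
    if data[:2] != SOI:
        raise ValueError("not a JPEG: missing FF D8 start-of-image marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker byte at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:              # fill byte between segments, skip it
            pos += 1
            continue
        if marker in (0xD9, 0xDA):      # EOI or SOS: the frame header must precede scan data
            break
        if pos + 4 > len(data):
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker in SOF_MARKERS:
            # Segment layout: FF Cx | length(2) | precision(1) | height(2) | width(2) | ...
            precision = data[pos + 4]
            height, width = struct.unpack(">HH", data[pos + 5:pos + 9])
            return pos, precision, height, width
        pos += 2 + length               # skip marker (2) plus the length-counted payload
    raise ValueError("no SOF segment found before scan data")

def set_height(data: bytes, new_height: int) -> bytes:
    """Return a copy of the JPEG with only the SOF height field (2 bytes) overwritten."""
    pos, _, _, _ = read_sof(data)
    return data[:pos + 5] + struct.pack(">H", new_height) + data[pos + 7:]

# Constructed sample (not a file from the competition image): SOI, a JFIF APP0 segment, an SOF0
# segment with the page's values (length 00 11, precision 08, height 02 27), width 03 20, then EOI.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xff\xc0\x00\x11\x08\x02\x27\x03\x20\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01"
    + b"\xff\xd9"
)

if __name__ == "__main__":
    off, prec, h, w = read_sof(SAMPLE_JPEG)
    print(f"SOF0 at offset {off}: precision={prec} height={h} width={w}")
    print("height after patch:", read_sof(set_height(SAMPLE_JPEG, 0x0300))[2])
```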

Evidence 10

OK, what's next?

Idea ③

We check whether any image file has had its file extension changed. What does that mean? Briefly: a file was originally in PNG format, but its extension has been changed to .dll, .pdf, etc.

Someone will ask how we find a changed extension. In Autopsy, as long as the original image format itself is intact, the file is still displayed as a thumbnail (the thumbnails mentioned above). So we need to go all the way through the file view. I found two.

Check the information.

Evidence 9

Found another one in the file view: again an image file whose extension has been modified.

View the information.

Evidence 8

Idea ④

Next we look for something unusual. What counts as unusual? For instance, a file name that is no longer a single number or letter, or a common name like the following.

Looking through the zip files, we find one named desktop.zip. Does that file name make you curious, or seem familiar? And what does the red exclamation mark mean? (It may not be useful, but it draws our attention.)

The file name alone cannot yet settle it, but knowing what I saw, in the raw data we find a .txt file inside, and it is even named flag. Here we can be sure there is something wrong with this archive.

Export and analyze.

After downloading, I found that the archive requires a password.

Idea ⑤

Here we should keep one thought in mind. A stand-alone forensics task has many questions; if it is not a simple password, it is impossible for you to brute-force it, and if it were a normal password question there would be hints. So it is very likely either a weak password or pseudo-encryption (the archive's encryption flag is set without the data actually being encrypted).

After checking, we find it is pseudo-encryption. As for how to repair pseudo-encryption, I won't say more here; I use the repair function built into WinRAR.

Decompress, and we get clue 8. The answer here is the original source file; don't write flag.txt as the answer.

View the information.

Evidence 3

Idea ⑥

The ones above were found by looking at the surface. Next we go inside and look at the raw data.

In the Archives category (the collection of compressed files), we find an archive that is obviously a zip-format file, but when we look at its raw data (HEX) we see that the file header does not match. At this point we have good reason to suspect that this is one of the answers we're looking for, so we export it directly and modify it for analysis.

The zip file header is 50 4B 03 04.

After decompression there is only one ppt file, but this ppt file cannot be opened. At this point we have reason to suspect that it is not a normal ppt. From experience, we know that a ppt is essentially a container that can hold pictures, text, audio and so on, so we can decompress it as an archive: change the extension, fix the file header, and then decompress it directly.

We get several folders and look through them one by one. We find the clue picture in the media folder. Once the clue appears, that settles it.

Evidence 5

This is another file-header mismatch in the raw data, just like the previous one. We find a rar file, but the file header in its raw data is not 52 61 72 21.

Export and analyze: modify the file header, save, and unzip.

Inside is an exe file. We run it directly (of course, always make sure an unfamiliar program is safe before running it). Enter anything and the clue appears.

Check.

Evidence 6

There are three file-header problems in total; this time it's a picture.

The normal file header is FF D8 FF E0.

We get clue 6.

Check.
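As an added example covering the three file-header mismatches above (zip, rar and jpg), here is a small signature checker (my code, not the original post's) that compares a file's claimed extension with its leading bytes and restores a damaged header; the sample inputs are constructed, and pptx is treated as a zip container just as the walkthrough does.

```python
# Known magic numbers; the walkthrough quotes the first four bytes of each.
SIGNATURES = {
    "zip": b"\x50\x4b\x03\x04",                 # "PK\x03\x04", local file header
    "rar": b"\x52\x61\x72\x21",                 # "Rar!" (RAR 4.x continues with 1A 07 00)
    "jpg": b"\xff\xd8\xff",                     # SOI; JFIF files continue with E0
    "png": b"\x89\x50\x4e\x47\x0d\x0a\x1a\x0a",
}
# Extensions that are really one of the formats above (Office OOXML files are zip containers).
ALIASES = {"jpeg": "jpg", "pptx": "zip", "docx": "zip", "xlsx": "zip"}

def identify(data: bytes):
    """Return the format whose signature the data starts with, or None if none match."""
    for kind, magic in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None

def check(name: str, data: bytes) -> dict:
    """Compare what the extension claims with what the leading bytes say."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    claimed = ALIASES.get(ext, ext)
    actual = identify(data)
    return {"name": name, "claimed": claimed, "actual": actual,
            "mismatch": actual != claimed}

def restore_header(data: bytes, kind: str) -> bytes:
    """Overwrite the leading bytes with the expected signature for `kind`,
    which is what the walkthrough does by hand in the raw data."""
    magic = SIGNATURES[kind]
    return magic + data[len(magic):]

# Constructed samples (not files from the competition image).
PNG_AS_DLL = SIGNATURES["png"] + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 16   # PNG renamed to .dll
BROKEN_ZIP = b"\x00\x00\x00\x00" + b"\x14\x00\x00\x00\x08\x00"            # zip, header zeroed
BROKEN_RAR = b"\x52\x61\x72\x00" + b"\x1a\x07\x00\xcf\x90\x73"            # rar, 4th byte damaged

if __name__ == "__main__":
    for name, blob in [("image.dll", PNG_AS_DLL), ("a.zip", BROKEN_ZIP), ("b.rar", BROKEN_RAR)]:
        print(check(name, blob))
    print(check("a.zip", restore_header(BROKEN_ZIP, "zip")))
```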

Evidence 7

Idea ⑦

The last one is a bit more complicated because it is not easy to find.

Look at this zhdcujlm.rar and its viewable string text. There is an obvious hint in it: normally it should be 7.png, but it reads gnp.7.

This is obviously reversed: the entire raw data has been reversed.

# Read the original bytes and write them back in reverse order:
# once the whole file is reversed, the "gnp.7" string becomes "7.png".
with open('zhdcujlm.rar', 'rb') as f, open('flag.rar', 'wb') as g:
    g.write(f.read()[::-1])

This produces a picture, but the picture is also reversed.

After reversing it as well, we successfully get the clue.

Epilogue

All ten pieces of evidence have now been found.

At the end of the journey, someone asks how you found each one so accurately in a single step. Let me briefly push back: nobody can do it in one step (unless you already have the answers, in which case pretend I didn't say that).

We did not solve the questions in the order of the task. This article only provides an approach and some common ways of thinking about the questions. So the only way is to do more questions; as I said at the beginning, it uses MISC logic and thinking.

So, fellow Taoists, keep going!

Come on everyone ( •̀ ω •́ )y, looking forward to seeing you again


Origin blog.csdn.net/m0_68012373/article/details/131404298