USB Analysis for Class Assignment  

gurharman
(@gurharman)
New Member

I am working on a class assignment where we have a USB drive that we have to forensically analyze. FTK was one of the forensics tools that was mentioned to us; however, the free version will not analyze if there are more than 5,000 files.

I am in that situation right now. Is there other software that I can use in order to complete my assignment?

Thanks.

Posted : 01/05/2013 11:49 am
athulin
(@athulin)
Community Legend

Is there other software that I can use in order to complete my assignment?

I would have expected the assignment to be created to be doable with a tool that you had access to. That is, I'd start from your course and your course instructor.

There is free software, but if they will take you through your assignment, I can't say.

For one list, try the 'Tools' entry on ForensicWiki, particularly the 'Open Source' subentry. Autopsy may be a starting point, as may the SANS SIFT Kit (which is not listed there, but is easily found through most web search engines).

Posted : 01/05/2013 12:57 pm
gurharman
(@gurharman)
New Member

Is there other software that I can use in order to complete my assignment?

I would have expected the assignment to be created to be doable with a tool that you had access to. That is, I'd start from your course and your course instructor.

There is free software, but if they will take you through your assignment, I can't say.

For one list, try the 'Tools' entry on ForensicWiki, particularly the 'Open Source' subentry. Autopsy may be a starting point, as may the SANS SIFT Kit (which is not listed there, but is easily found through most web search engines).

The school lab computers have a license for FTK. Just that they are in a VM which passes the USB files in at USB 1.0 speeds. I am trying to find something that I can use to do this analysis on my custom PC at home.

Posted : 01/05/2013 1:33 pm
manuld
(@manuld)
New Member

It might be helpful if you explain what you are trying to achieve?

Posted : 01/05/2013 4:37 pm
keydet89
(@keydet89)
Community Legend

I am working on a class assignment where we have a USB drive that we have to forensically analyze.

Can you describe what you mean by this? Recover deleted files? A USB drive does not normally have a valid operating system on it…though it can…so, what is it that you're trying to achieve?

Posted : 01/05/2013 5:24 pm
jhup
(@jhup)
Community Legend

Also, what school & class is it for?

Posted : 01/05/2013 10:08 pm
jaclaz
(@jaclaz)
Community Legend

FTK was one of the forensics tools that was mentioned to us;

What are the names of the other tools?

jaclaz

Posted : 02/05/2013 12:01 am
TuckerHST
(@tuckerhst)
Active Member

FTK was one of the forensics tools that was mentioned to us; however, the free version will not analyze if there are more than 5,000 files.

As others have stated, it's difficult to give good advice if we don't know what the assignment is. Nevertheless, the following observation may be helpful. When I assigned my class to download and use FTK Imager (and even embedded the link), some students misunderstood and attempted to install and use the full FTK product. You may want to check with your instructor what was meant by FTK.

Posted : 02/05/2013 12:24 am
twjolson
(@twjolson)
Active Member

I am working on a class assignment where we have a USB drive that we have to forensically analyze. FTK was one of the forensics tools that was mentioned to us; however, the free version will not analyze if there are more than 5,000 files.

I am in that situation right now. Is there other software that I can use in order to complete my assignment?

Thanks.

Why not use this opportunity to learn how to research and discover tools, rather than being spoon fed a list of programs for conducting examinations?

The CF community is a great resource, but it is not an answer machine either. Sometimes you have to go it alone.

By not giving you a list of programs to use (or even previously in the course), that may be the teacher's intention.

Then again, maybe the teacher assumes you will do the assignment at school, where they have the FTK licenses, and not at home.

Posted : 02/05/2013 1:24 am
gurharman
(@gurharman)
New Member

The USB was meant to be a bootable drive. In this case, the USB I am analyzing was a Windows drive.

I used Autopsy and found alternate text in a file on the Desktop referring to encrypted files being stored.

I also found an e-mail history with 5 or 6 image files attached to the message. I pulled out "Key is SHA1 Five Character Hash" and then a reference to a "WHITE RABBIT."

There is also a mention of a program which I discovered to be Invisible Secrets. It seems like those image files will lead me to the keyphrase I need to unlock whatever is being hidden inside Invisible Secrets.

I am not sure how to proceed from where I currently stand though. Any advice on the next steps?

Posted : 02/05/2013 6:08 am
keydet89
(@keydet89)
Community Legend

The USB was meant to be a bootable drive. In this case, the USB I am analyzing was a Windows drive.

Ah, okay…very helpful to know.

I used Autopsy and found alternate text in a file on the Desktop referring to encrypted files being stored.

"Alternate text"? Can you elaborate on what you mean by that…are you perhaps referring to an alternate data stream?

I also found an e-mail history with 5 or 6 image files attached to the message. I pulled out "Key is SHA1 Five Character Hash" and then a reference to a "WHITE RABBIT."

Ok.

There is also a mention of a program which I discovered to be Invisible Secrets. It seems like those image files will lead me to the keyphrase I need to unlock whatever is being hidden inside Invisible Secrets.

I am not sure how to proceed from where I currently stand though. Any advice on the next steps?

It would be helpful if you could share your goals…this is something that hasn't been mentioned yet in this thread.

Posted : 02/05/2013 7:04 am
gurharman
(@gurharman)
New Member

A document on the desktop which appears to be just a food recipe. Autopsy lists the text document and then relists it with "secret". It has mentions of sending/receiving encrypted files.

Goals of the assignment

Basically one group made a bootable drive and then passed it to another group. They have "reason to believe that trade secrets have been taken." The group wants us to examine the flash drive and see if any secrets are hidden on it.

It is basically a lab to explore and understand computer forensics.

Posted : 02/05/2013 7:17 am
jaclaz
(@jaclaz)
Community Legend

Goals of the assignment

Basically one group made a bootable drive and then passed it to another group. They have "reason to believe that trade secrets have been taken." The group wants us to examine the flash drive and see if any secrets are hidden on it.

It is basically a lab to explore and understand computer forensics.

Hmmm.
I mean it's not the "usual" assignment (or hacking/crypto competition) with an image (or whatever) prepared by the teacher (or staff organizing the competition), i.e. along a set of "rules", do I get it right?

Now, if I were the "other group", I would have used twisted (say) a CRC32 hash XORed alternately with a two bytes string and (still say) used Truecrypt, while "planting" hints such as "Key is SHA1 Five Character Hash", "WHITE RABBIT" and "Invisible Secrets".

Maybe it's not the case, but the above quoted text sounds just "too good to be true" to me 😯 .

jaclaz

Posted : 03/05/2013 12:15 am
gurharman
(@gurharman)
New Member

As it is the first exposure to any forensics tools, the drives weren't supposed to be too complex to gather information off of.

The other group did have a hidden partition on the drive which was the decoy.

I got the point of White Rabbit as one of the attachments was a White_Rabbit.jpg. Ran an online hash tool on that file to get the first five characters of the SHA1 hash, which I confirmed is the Invisible Secrets password.

So the other 4 files on that e-mail are the files that I need to unhide using Invisible Secrets to obtain the hidden information.

Those files have been deleted off of the drive so I need a tool that would allow me to recover those files. I did download them off of the e-mail the same way I got the White_Rabbit.jpg but they don't work with Invisible Secrets. It keeps on claiming that they are not .jpg or that the password is wrong.

Posted : 03/05/2013 1:29 am
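As an added example (not from the thread or from any tool named in it), a short Python script covering the two steps in the post above: deriving the five-character SHA-1 key from a file's bytes, and checking whether a recovered JPEG still has an intact marker chain, header and trailer, which is the first thing to rule out when a tool reports a carved file "is not a .jpg". The sample bytes are constructed, not a real image.

```python
import hashlib

# Constructed sample: a minimal JPEG-shaped byte string (not a real picture) so the
# block runs offline: SOI, one APP0 segment, one SOS segment, fake scan data, EOI.
SAMPLE_JPEG = (
    b"\xff\xd8"                                                           # SOI marker
    + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"     # APP0, length 16
    + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"                         # SOS, length 8
    + b"\x12\x34\x56"                                                     # fake entropy-coded data
    + b"\xff\xd9"                                                         # EOI marker
)

def sha1_prefix_key(data: bytes, length: int = 5) -> str:
    """First `length` hex characters of SHA-1(data): the "SHA1 Five Character Hash" scheme."""
    return hashlib.sha1(data).hexdigest()[:length]

def inspect_jpeg(data: bytes) -> dict:
    """Walk the marker segments up to SOS and report header, chain and trailer state."""
    report = {"soi": data[:2] == b"\xff\xd8", "eoi": data.endswith(b"\xff\xd9"),
              "segments": [], "reached_sos": False, "error": None}
    if not report["soi"]:
        report["error"] = "no SOI marker: not a JPEG, or the header was not recovered"
        return report
    pos = 2
    while pos + 4 <= len(data) and not report["reached_sos"]:
        if data[pos] != 0xFF:
            report["error"] = f"expected a marker at offset {pos}"
            break
        marker = data[pos + 1]
        if marker == 0xFF or marker == 0x01 or 0xD0 <= marker <= 0xD7:
            pos += 1 if marker == 0xFF else 2   # fill byte, TEM, RSTn: no length field
            continue
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        if length < 2 or pos + 2 + length > len(data):
            report["error"] = f"segment FF{marker:02X} at offset {pos} runs past end of data"
            break
        report["segments"].append((f"FF{marker:02X}", length))
        if marker == 0xDA:                      # SOS: entropy-coded data follows, stop walking
            report["reached_sos"] = True
        pos += 2 + length
    if report["error"] is None and not report["reached_sos"]:
        report["error"] = "no SOS segment: file truncated before image data"
    return report

def plausible_jpeg(data: bytes) -> bool:
    # A carved file missing its SOI, SOS or EOI will be rejected by any JPEG consumer.
    r = inspect_jpeg(data)
    return r["error"] is None and r["reached_sos"] and r["eoi"]
```

Run `inspect_jpeg` over each recovered attachment before trying a password against it; a file with a missing EOI or a segment running past end of data was carved short and needs re-carving, not a different key.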
jaclaz
(@jaclaz)
Community Legend

Those files have been deleted off of the drive so I need a tool that would allow me to recover those files.

Try either (or both) of Photorec
http://www.cgsecurity.org/wiki/PhotoRec
and DMDE
http://dmde.com/

jaclaz

Posted : 03/05/2013 2:06 pm