USB Analysis for Class Assignment

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

The USB was meant to be a bootable drive. In this case, the USB I am analyzing was a Windows drive.

Ah, okay…very helpful to know.

I used Autopsy and found alternate text in a file on the Desktop referring to encrypted files being stored.

"Alternate text"? Can you elaborate on what you mean by that…are you perhaps referring to an alternate data stream?

I also found an e-mail history with 5 or 6 image files attached to the message. I pulled out "Key is SHA1 Five Character Hash" and then a reference to a "WHITE RABBIT."

Ok.

There is also a mention of a program which I discovered to be Invisible Secrets. It seems like those image files will lead me to the keyphrase I need to unlock whatever is being hidden inside Invisible Secrets.

I am not sure how to proceed from where I currently stand though. Any advice on the next steps?

It would be helpful if you could share your goals…this is something that hasn't been mentioned yet in this thread.


   
(@gurharman)
Active Member
Joined: 12 years ago
Posts: 6
Topic starter  

Document on the desktop which appears to be just a food recipe. Autopsy lists the text document and then relists it with "secret". It has mentions of sending/receiving encrypted files.

Goals of the assignment

Basically one group made a bootable drive and then passed it to another group. They have "reason to believe that trade secrets have been taken." The group wants us to examine the flash drive and see if any secrets are hidden on it.

It is basically a lab to explore and understand computer forensics.


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

Goals of the assignment

Basically one group made a bootable drive and then passed it to another group. They have "reason to believe that trade secrets have been taken." The group wants us to examine the flash drive and see if any secrets are hidden on it.

It is basically a lab to explore and understand computer forensics.

Hmmm.
I mean it's not the "usual" assignment (or hacking/crypto competition) with an image (or whatever) prepared by the teacher (or staff organizing the competition), i.e. along a set of "rules", do I get it right?

Now, if I were the "other group", I would have used twisted (say) a CRC32 hash XORed alternately with a two-byte string and (still say) used Truecrypt, while "planting" hints such as "Key is SHA1 Five Character Hash", "WHITE RABBIT" and "Invisible Secrets".

Maybe it's not the case, but the above quoted text sounds just "too good to be true" to me 😯 .

jaclaz


   
(@gurharman)
Active Member
Joined: 12 years ago
Posts: 6
Topic starter  

As it is the first exposure to any forensics tools, the drives weren't supposed to be too complex to gather information off of.

The other group did have a hidden partition on the drive which was the decoy.

I got the point of White Rabbit as one of the attachments was a White_Rabbit.jpg. Ran an online hash tool on that file to get the first five of the SHA1 hash, which I confirmed is the Invisible Secrets password.

So the other 4 files on that e-mail are the files that I need to unhide using Invisible Secrets to obtain the hidden information.

Those files have been deleted off of the drive so I need a tool that would allow me to recover those files. I did download them off of the e-mail the same way I got the White_Rabbit.jpg but they don't work with Invisible Secrets. It keeps on claiming that they are not .jpg or that the password is wrong.


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

Those files have been deleted off of the drive so I need a tool that would allow me to recover those files.

Try either (or both) of PhotoRec
http://www.cgsecurity.org/wiki/PhotoRec
and DMDE
http://dmde.com/

jaclaz


   
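The steps discussed in this thread can be checked locally, which keeps evidence files off third-party hash sites. The following is an added example, not code from any poster: it computes the SHA-1 prefix and triages attachments pulled from the e-mail or carved from the drive before they go to a stego tool. The function names, the base64 hypothesis (an attachment saved still MIME-encoded) and the sample bytes are assumptions constructed for illustration.

```python
import base64
import binascii
import hashlib

SOI = b"\xff\xd8\xff"   # JPEG start-of-image marker plus first segment byte
EOI = b"\xff\xd9"       # JPEG end-of-image marker


def sha1_prefix(data: bytes, n: int = 5) -> str:
    """First n hex characters of the SHA-1 digest (lowercase; a tool may expect upper)."""
    return hashlib.sha1(data).hexdigest()[:n]


def triage_jpeg(data: bytes) -> dict:
    """Classify an extracted or carved file: encoding, JPEG framing, trailing data."""
    report = {"encoding": "raw", "is_jpeg": False, "has_eoi": False,
              "trailing_bytes": 0, "sha1": None}
    if not data.startswith(SOI):
        # Assumption: the attachment may have been saved still base64-encoded.
        try:
            decoded = base64.b64decode(b"".join(data.split()), validate=True)
        except (binascii.Error, ValueError):
            decoded = b""
        if decoded.startswith(SOI):
            data, report["encoding"] = decoded, "base64"
    report["sha1"] = hashlib.sha1(data).hexdigest()
    if data.startswith(SOI):
        report["is_jpeg"] = True
        end = data.rfind(EOI)   # last EOI; a missing one suggests a truncated carve
        if end != -1:
            report["has_eoi"] = True
            report["trailing_bytes"] = len(data) - (end + len(EOI))
    return report


# Constructed sample bytes (marker-framed filler, not a real image).
SAMPLE = SOI + b"\xe0\x00\x10JFIF\x00" + b"\x11" * 32 + EOI
SAMPLE_B64 = base64.encodebytes(SAMPLE)   # as it would sit in a MIME body
SAMPLE_TRUNC = SAMPLE[:-10]               # carved file cut short, no EOI

if __name__ == "__main__":
    for name, blob in [("raw", SAMPLE), ("b64", SAMPLE_B64), ("trunc", SAMPLE_TRUNC)]:
        r = triage_jpeg(blob)
        print(name, r["encoding"], r["is_jpeg"], r["has_eoi"], r["sha1"][:5])
```

A file reported as `base64`, as not a JPEG, or as missing its end marker is not byte-identical to the original carrier, which is one reason a stego tool would reject it or the password.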