Image Forensics 101
A few days back I came across a site with a capture-the-flag (CTF) challenge that I really liked. The challenge was first released five years ago, but up to now it has only about 1500 solves and a pass rate of roughly 6%.
The storyline is simple, as seen below:
We require your services once again. An employee from our company had recently been identified as a known criminal named Brett Thwaits. He is considered to have stolen missile launch codes from the US navy, which unfortunately were handed to us for a brief period of time. As of now, we are accused of the theft and unless we do something about it, we’re gonna end up in some serious trouble. Before Brett left, he formatted the thumbdrive which used to store the launch codes. Fortunately, our system had made a backup image of the drive. See if you can recover the fourth launch code. Good luck! Download backup
We are presented with an image of about 25MB that we are supposed to download and run some forensics on. Without further ado, let's begin.
First we need to download the image to our box; that shouldn't be a problem since it's not that big.
After saving the file to my box I ran the file command against it, and as seen below it is an ext4 filesystem image.
The next logical thing to do is to list the files the image contains. My first thought was to use MATE Disk Image Mounter, but that didn't work: the image mounted, but the partition showed no files. That is exactly what a quick format leaves behind: the directory entries and inode metadata are gone, while the data blocks usually survive until something overwrites them. So I switched to a different tool, foremost, a forensic program that recovers lost files based on their headers, footers and internal data structures rather than on filesystem metadata. Foremost can work on image files, such as those generated by dd, Safeback, Encase, etc., or directly on a drive. The headers and footers can be specified in a configuration file, or you can use command line switches to select built-in file types. These built-in types look at the data structures of a given file format, allowing for more reliable and faster recovery.
To extract data from the image I used the command
foremost forensics1.img
I didn't restrict the file types (the -t switch) since I wanted it to carve every file type it possibly could.
After it finished, it had created a directory called output. Nice, let's take a look at it.
As seen above it was able to extract dll, gif, jpg, pdf, png and rar files.
Taking a closer look at the audit file (output/audit.txt) we find that it carved 95 files. Sweet.
Now we have to go through the files one at a time.
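To show what foremost is doing under the hood, here is an added example of my own (not part of the original challenge, and not foremost's code) that carves files out of a raw image purely by header and footer signatures, ignoring whatever filesystem metadata is or isn't there, and then drops byte-identical copies by md5 the way the md5sum check on the two rar files does later. The signature table, the sample image and the file payloads are constructed for the example; the payloads are not valid images, only their magic bytes matter.

```python
import hashlib
import os

# (header, footer, max carve size) per type, in the spirit of foremost's
# built-in signatures. Constructed for this example; the real tool knows many
# more types and parses internal structure instead of only matching footers.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 4 << 20),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 4 << 20),
}

# Constructed sample "disk image": two copies of a PNG and one JPEG dropped
# into filler bytes with no filesystem metadata at all, which is what a
# formatted partition looks like to a carver. The payloads are placeholders,
# not valid images; only the header/footer bytes matter here.
PNG_SAMPLE = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x01" * 17
              + b"\x00\x00\x00\x00IEND\xaeB`\x82")
JPG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x01" * 24 + b"\xff\xd9"
FILLER = b"\x00\x11\x22\x33" * 64          # no 0xff bytes, so no false JPEG hits


def build_sample_image():
    return FILLER + PNG_SAMPLE + FILLER + JPG_SAMPLE + FILLER + PNG_SAMPLE + FILLER


def carve(image, signatures=SIGNATURES):
    """Return [(type, offset, bytes)] for every header found in the raw image.
    Each hit is cut at the first footer after it, or at max_size when no
    footer turns up, which is how carvers cope with truncated files."""
    found = []
    for ftype, (header, footer, max_size) in signatures.items():
        pos = 0
        while (start := image.find(header, pos)) != -1:
            limit = min(len(image), start + max_size)
            end = image.find(footer, start + len(header), limit)
            end = limit if end == -1 else end + len(footer)
            found.append((ftype, start, image[start:end]))
            pos = end
    return sorted(found, key=lambda hit: hit[1])


def dedupe(carved):
    """Keep one copy of byte-identical files: the md5sum comparison from the
    walkthrough done in code. Returns the survivors in offset order."""
    seen = {}
    for hit in carved:
        seen.setdefault(hashlib.md5(hit[2]).hexdigest(), hit)
    return sorted(seen.values(), key=lambda hit: hit[1])


def write_output(carved, outdir="output"):
    """Lay files out as output/<type>/<offset>.<type>, foremost-style."""
    for ftype, offset, data in carved:
        os.makedirs(os.path.join(outdir, ftype), exist_ok=True)
        with open(os.path.join(outdir, ftype, f"{offset:08d}.{ftype}"), "wb") as f:
            f.write(data)


if __name__ == "__main__":
    hits = carve(build_sample_image())
    for ftype, offset, data in hits:
        digest = hashlib.md5(data).hexdigest()
        print(f"{ftype} at offset {offset}, {len(data)} bytes, md5 {digest}")
    print(f"{len(hits)} carved, {len(dedupe(hits))} unique")
```

Run against a real image with `carve(open("forensics1.img", "rb").read())`; the point to notice is that the carver never reads a superblock or a directory, so a format that only wiped metadata changes nothing for it.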
The dlls weren't that interesting.
The gif directory didn't have anything interesting either,
and neither did the jpg directory.
And so on, until I reached the rar directory.
I found two rar files
Running md5sum on both files shows they are identical, so there is no need to analyze both.
When I tried to extract the archive I found it was password protected, as seen below.
I figured that if something is password protected it might contain sensitive information, and since I didn't know the password for the archive I decided to brute-force it with John the Ripper.
First I needed to produce the hash that John the Ripper will crack, using rar2john, a helper that reads the archive's encryption header (salt and password-check data) and writes it in a hash format John understands and can crack.
I saved the hash to a file called codes.hash and started cracking
After a while the hash was cracked and the password was 123. Lame, right?
Now we can extract the archive
After extracting the archive we get a .wav file.
I opened the file with VLC media player; it contained phone dial pad (DTMF) tones.
Sorry but i can’t upload the .wav file
So I searched online for a way to decode dial tones, came across the site below and uploaded the wav file.
After I clicked on Find DTMF Tones it decoded the tones, as seen below.
I saved the digits to a text file called codes.txt and tried submitting them to the site, but it didn't work.
I decided to go back to the beginning, because maybe I was not seeing the whole picture or was going down a rabbit hole.
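The online DTMF site does the same thing a few lines of signal processing can do offline. The following is an added example of mine, not the page's tool or code: it synthesises a constructed dial-tone sequence, decodes it with the Goertzel algorithm (one power estimate per DTMF frequency per frame) and collapses runs of identical frames into digits. read_wav is included so the same decoder can be pointed at a real 16-bit PCM .wav; the 205-sample frame, the minimum run length and the power threshold are my assumptions, and the threshold in particular is tuned to the +/-1.0 float scale used here, so lower it for a quiet recording.

```python
import math
import struct
import wave

DTMF_LOW = (697, 770, 852, 941)        # keypad row frequencies (Hz)
DTMF_HIGH = (1209, 1336, 1477, 1633)   # keypad column frequencies (Hz)
KEYPAD = ("123A", "456B", "789C", "*0#D")
RATE = 8000


def digit_freqs(digit):
    """Map a keypad symbol to its (low, high) tone pair."""
    for row, keys in enumerate(KEYPAD):
        col = keys.find(digit)
        if col != -1:
            return DTMF_LOW[row], DTMF_HIGH[col]
    raise ValueError(f"not a DTMF symbol: {digit!r}")


def synth(digits, rate=RATE, tone_ms=100, gap_ms=50):
    """Constructed test signal: each digit as a two-tone burst, then silence."""
    out = []
    for d in digits:
        lo, hi = digit_freqs(d)
        out += [0.5 * math.sin(2 * math.pi * lo * n / rate)
                + 0.5 * math.sin(2 * math.pi * hi * n / rate)
                for n in range(rate * tone_ms // 1000)]
        out += [0.0] * (rate * gap_ms // 1000)
    return out


def goertzel(frame, freq, rate):
    """Power at one frequency in a frame (cheaper than an FFT for 8 bins)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / rate)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def decode(samples, rate=RATE, frame_len=205, min_power=300.0, min_frames=2):
    """Classify each frame as a digit or silence, then emit one digit per run
    of identical frames. min_frames drops one-frame glitches at tone edges;
    min_power (assumed) separates silence from tone on the +/-1.0 scale."""
    digits, run_digit, run_len = [], None, 0
    for start in range(0, len(samples) - frame_len + 1, frame_len):
        frame = samples[start:start + frame_len]
        low = [goertzel(frame, f, rate) for f in DTMF_LOW]
        high = [goertzel(frame, f, rate) for f in DTMF_HIGH]
        if max(low) < min_power or max(high) < min_power:
            digit = None                                   # silence / gap
        else:
            digit = KEYPAD[low.index(max(low))][high.index(max(high))]
        if digit == run_digit:
            run_len += 1
            continue
        if run_digit is not None and run_len >= min_frames:
            digits.append(run_digit)
        run_digit, run_len = digit, 1
    if run_digit is not None and run_len >= min_frames:
        digits.append(run_digit)
    return "".join(digits)


def read_wav(path):
    """Load a 16-bit PCM WAV as floats in [-1, 1); stereo keeps the left channel."""
    with wave.open(path, "rb") as w:
        if w.getsampwidth() != 2:
            raise ValueError("expected 16-bit PCM")
        channels = w.getnchannels()
        raw = w.readframes(w.getnframes())
        ints = struct.unpack("<%dh" % (len(raw) // 2), raw)
        return [s / 32768.0 for s in ints[::channels]], w.getframerate()


if __name__ == "__main__":
    print(decode(synth("0112#")))   # prints 0112#
```

For the recovered file the call is `samples, rate = read_wav("recovered.wav"); print(decode(samples, rate))` (file name assumed). The silence gap between bursts is what separates two identical consecutive digits; a recording with no gaps would need a tone-change detector instead of the run collapse used here.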
I decided to extract the image again, but this time with binwalk. Binwalk is a tool for searching a given binary image for embedded files and executable code. Specifically, it is designed for identifying files and code embedded inside firmware images. Binwalk uses the libmagic library, so it is compatible with magic signatures created for the Unix file utility.
Binwalk was able to extract the Linux EXT filesystem, as seen below.
I ran strings on the extracted filesystem and saved the output to a text file called strings (keeping only strings of at least 4 characters, which is the default minimum).
I opened the text file with pluma, a text editor that supports most standard editor features and extends that basic functionality with features not usually found in simple text editors. Pluma is a graphical application that supports editing multiple text files in one window (known as tabs or MDI).
On opening the file we get some really useful information: at line 12 there is a string called launchcodes.
I then searched for the digits decoded from the wav file, and at line 108832 found a string that looked like our decoded text.
So I tried adding a hyphen after every 4 characters to see if that format would be accepted.
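The strings-then-search step in code, as an added example of mine (not from the page): a minimal strings implementation that reports byte offsets like `strings -t d`, a search for the decoded digit sequence inside those strings, and the hyphen-every-4-characters formatting. The sample image bytes and the digit string are constructed; the page does not say how long the real code is, and the digits here are not the challenge's.

```python
import re

# Constructed stand-in for the raw ext4 image: some non-printable filesystem
# bytes, a too-short fragment, and two printable strings of the kind the
# walkthrough found with strings. The digits are made up for the example.
SAMPLE_IMAGE = (
    b"\x00" * 16 + b"launchcodes\x00" + b"\x7f\x01\x02" * 8
    + b"ab\x00" + b"FIRST 1111222233334444\x00" + b"\x00" * 9
    + b"fourth code 1234567890123456\x00" + b"\xff" * 12
)


def strings(data, min_len=4):
    """Yield (offset, text) for every run of printable ASCII (0x20..0x7e)
    at least min_len bytes long, the way `strings -n 4 -t d` reports them."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    for m in pattern.finditer(data):
        yield m.start(), m.group().decode("ascii")


def find_code(data, digits, min_len=4):
    """Search every string in the image for the DTMF-decoded digit sequence.
    Returns (offset, containing string) for the first hit, or None."""
    for offset, text in strings(data, min_len):
        if digits in text:
            return offset, text
    return None


def hyphenate(digits, group=4):
    """Insert a hyphen after every `group` characters: 12345678 -> 1234-5678."""
    return "-".join(digits[i:i + group] for i in range(0, len(digits), group))


if __name__ == "__main__":
    for offset, text in strings(SAMPLE_IMAGE):
        print(f"{offset:8d} {text}")
    hit = find_code(SAMPLE_IMAGE, "1234567890123456")
    if hit:
        print("found at", hit[0], "->", hyphenate("1234567890123456"))
```

Searching the raw image directly, as above, also catches a match that sits in an unallocated block no tool carved, which is the same reason the strings pass succeeded where going through foremost's output file by file did not.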
And on submitting it I got it correct. Voila, we have the codes, and we have completed a challenge rated insane. That's it for now, guys; till next time, take care.
If you liked the walkthrough you can clap for me down below.