In your Kali VM terminal
git clone https://github.com/Jupithor/ITU.git
You should look through the scripts to verify what they do. Next, make them executable:
chmod +x gettools.sh downloadevidence.sh
Run the scripts
./downloadevidence.sh
./gettools.sh
You should also have some application for viewing CSV files.
I am using Tablecruncher (https://tablecruncher.com/), but any application will do.
Please do: ask for generic help, e.g. "make a function that will do x", "make a find command that will sort for x"...
Please don't: copy-paste output/code from the terminal/evidence directly into the AI
Verify that your downloads were successful:
md5sum 001Evidence.001
Make sure it matches the checksum from the 001Evidence.001.txt
cat 001Evidence.001.txt | grep md5
parted 001Evidence.001 p
Mount the image with the following options:
ro (read only),
show_sys_files (system files),
streams_interface=windows (alternate data streams)
$type is the filesystem type that you got from the previous parted command.
sudo mkdir -p /mnt/case/001Evidence
sudo mount -t $type -o ro,show_sys_files,streams_interface=windows 001Evidence.001 /mnt/case/001Evidence
Now the evidence is mounted at /mnt/case/001Evidence
Look for files with metadata that "sticks out", or maybe you can deduce that some files are missing?
Below are some commands that might be useful, try to use multiple of them.
List files:
ls -lah
Find files based on size.
Replace $size with your actual value (braces keep the shell from reading "$sizec" as one variable name).
The "c" after the size is for bytes.
find . -type f -size "${size}c"
Check out "man find" on how to do logical negation.
To count the number of files named $name.
Remember wildcards (*) before and after if you are searching for something that contains $name.
find . -type f -iname "*$name*" | wc -l
To look for files that are not of a certain type, where $string is the type.
file * | grep -v $string
Use mftecmd to analyze the $MFT. $MFT is the path to the MFT in your mounted evidence.
mftecmd -f $MFT --csv ~/analyzedmft
Open the output with your favorite csv viewer.
Tablecruncher ~/analyzedmft/<date>MFTE_output.csv
Use fls and icat to extract the deleted file
(check man fls for the flag to show only deleted files).
fls 001Evidence.001
This will show you the inode for the file. It is the digits right before the filename.
Output example:
      inode nr. here
           |
           v
- r/r 12-345-6: $filename
Use the inode with icat to extract the deleted file.
icat 001Evidence.001 12-345-6 > $recoveredfile
WARNING: DO NOT TRY TO RUN/EXECUTE THE FILES
After recovering the deleted files, we can use file to see what the files are
file $recoveredfile
To decompile a dotnet application we can use tools like ilspy
(not the exe file, but the dll)
ANOTHER WARNING: DO NOT RUN/EXECUTE THE FILES(!!!)
ilspycmd $recoveredfile
Focus on these functions:
EncryptFile
SaveObfuscatedKeyToFileStream
Swipswap
Try to identify the information necessary to decrypt the AES ciphertext:
Ciphertext: the file we recovered ending in .enc
IV: the IV is written to the file as well; it is usually prefixed (meaning the first 16 bytes are the IV)
Mode: CBC
Padding: PKCS7
Key: obfuscated and written to an alternate data stream of the file
You can find alternate data streams by looking at the MFT output
(try sorting on the column "IsADS").
Recover the stream the same way you would recover a deleted file: fls -> find inode -> icat > file
Note you can recover the ADS itself right away
Use all the components to recover the encrypted file.
Feel free to use AI to generate a generic AES decryption function and just paste your values.
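As an added example (not part of the lab material), here is a small shell decryptor for the layout described above: first 16 bytes are the IV, the rest is AES-CBC ciphertext with PKCS7 padding. It assumes you have already de-obfuscated the key and hold it as hex; the lab's own Swipswap routine is not reproduced, and the sample .enc it builds is constructed locally so the script can be run offline.

```shell
#!/bin/sh
# Added example, not part of the lab: decrypt IV(16 bytes) || AES-CBC ciphertext
# with PKCS7 padding using openssl. The key is assumed already de-obfuscated (hex).

# Choose the openssl cipher name from the key length (hex chars / 2 = bytes).
cipher_for_key() {
    case $(( ${#1} / 2 )) in
        16) echo aes-128-cbc ;;
        24) echo aes-192-cbc ;;
        32) echo aes-256-cbc ;;
        *)  echo "unsupported key length: $(( ${#1} / 2 )) bytes" >&2; return 1 ;;
    esac
}

# decrypt_enc <file.enc> <key_hex> <outfile>
decrypt_enc() {
    enc="$1"; keyhex="$2"; out="$3"
    cipher=$(cipher_for_key "$keyhex") || return 1
    # The IV is the first 16 bytes; openssl wants it hex-encoded.
    iv=$(head -c 16 "$enc" | od -An -tx1 | tr -d ' \n')
    # Bytes 17.. are the ciphertext; openssl strips the PKCS7 padding itself.
    tail -c +17 "$enc" | openssl enc -d -"$cipher" -K "$keyhex" -iv "$iv" -out "$out"
}

# Constructed sample (not real evidence): build a .enc file in the same
# IV || ciphertext layout so the decryptor can be exercised. Prints the key hex.
make_sample() {
    dir="$1"
    key="00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
    printf 'constructed sample plaintext\n' > "$dir/plain.txt"
    openssl rand 16 > "$dir/iv.bin"
    ivhex=$(od -An -tx1 "$dir/iv.bin" | tr -d ' \n')
    openssl enc -aes-256-cbc -K "$key" -iv "$ivhex" -in "$dir/plain.txt" -out "$dir/ct.bin"
    cat "$dir/iv.bin" "$dir/ct.bin" > "$dir/sample.enc"
    echo "$key"
}

# Usage: ./decrypt_enc.sh recovered.enc <key_hex> recovered.txt
if [ "$#" -eq 3 ]; then
    decrypt_enc "$1" "$2" "$3"
fi
```

If openssl reports "bad decrypt", the key bytes are still obfuscated or the IV offset is wrong; the padding check fails before any plaintext is written.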
Try to answer these questions
- What was the original filename of the encrypted file?
- What does it mean that the modified timestamp is BEFORE the created timestamp?
- How would you delete something without any chance of recovery?