diff --git a/Pruefungsleistung/KeePassXC_unlock_Pass.png b/Pruefungsleistung/KeePassXC_unlock_Pass.png
new file mode 100644
index 0000000..b2670ff
Binary files /dev/null and b/Pruefungsleistung/KeePassXC_unlock_Pass.png differ
diff --git a/Pruefungsleistung/Verlauf-Hausarbeit.md b/Pruefungsleistung/Verlauf-Hausarbeit.md
new file mode 100644
index 0000000..a45b8f4
--- /dev/null
+++ b/Pruefungsleistung/Verlauf-Hausarbeit.md
@@ -0,0 +1,200 @@ +Findings: + +firefox history von dem user "belle": + + +```sql +┌──(root㉿kali)-[/mnt/…/common/.mozilla/firefox/e9cqlzsn.default] +└─# cp places.sqlite ~/belle_places.sqlite +cd ~ +sqlite3 belle_places.sqlite "SELECT url, title, datetime(visit_date/1000000,'unixepoch') FROM moz_places JOIN moz_historyvisits ON moz_places.id = moz_historyvisits.place_id ORDER BY visit_date DESC LIMIT 50;" + +https://i.pinimg.com/236x/41/80/fa/4180fa703a970335721fe445385e7627.jpg|4180fa703a970335721fe445385e7627.jpg|2022-07-04 17:18:46 +https://www.google.com/imgres?imgurl=http%3A%2F%2Fwww.theoccidentalobserver.net%2Fwp-content%2Fuploads%2F2013%2F03%2Fpassport.jpg&imgrefurl=https%3A%2F%2Fwww.tanelorn.net%2Findex.php%3Ftopic%3D89563.0&tbnid=aVoZMmKwJEc3nM&vet=12ahUKEwjmxI7K3t_4AhW6X_EDHdnKCQ0QMygPegUIARDIAg..i&docid=RoDgtxExKImejM&w=485&h=325&q=fake%20reisepass&client=ubuntu&ved=2ahUKEwjmxI7K3t_4AhW6X_EDHdnKCQ0QMygPegUIARDIAg#imgrc=aVoZMmKwJEc3nM&imgdii=Wq-UfCzaU1CwWM|fake reisepass - Google Suche|2022-07-04 17:18:40 +https://i.pinimg.com/originals/b6/26/5d/b6265df99e65d5023e821832d53413d7.jpg|b6265df99e65d5023e821832d53413d7.jpg|2022-07-04 17:18:21 +http://www.theoccidentalobserver.net/wp-content/uploads/2013/03/passport.jpg|passport.jpg|2022-07-04 17:18:13 +https://www.google.com/imgres?imgurl=https%3A%2F%2Fi.pinimg.com%2Foriginals%2Fb6%2F26%2F5d%2Fb6265df99e65d5023e821832d53413d7.jpg&imgrefurl=https%3A%2F%2Fwww.pinterest.de%2Fpin%2F665758757412891737%2F&tbnid=2AqgmgjQ-5-K3M&vet=12ahUKEwjmxI7K3t_4AhW6X_EDHdnKCQ0QMygKegUIARC-Ag..i&docid=i8kd5nZiMlnTFM&w=1600&h=903&q=fake%20reisepass&client=ubuntu&ved=2ahUKEwjmxI7K3t_4AhW6X_EDHdnKCQ0QMygKegUIARC-Ag|fake reisepass - Google Suche|2022-07-04 17:17:57 
+https://www.google.com/imgres?imgurl=http%3A%2F%2Fwww.theoccidentalobserver.net%2Fwp-content%2Fuploads%2F2013%2F03%2Fpassport.jpg&imgrefurl=https%3A%2F%2Fwww.tanelorn.net%2Findex.php%3Ftopic%3D89563.0&tbnid=aVoZMmKwJEc3nM&vet=12ahUKEwjmxI7K3t_4AhW6X_EDHdnKCQ0QMygPegUIARDIAg..i&docid=RoDgtxExKImejM&w=485&h=325&q=fake%20reisepass&client=ubuntu&ved=2ahUKEwjmxI7K3t_4AhW6X_EDHdnKCQ0QMygPegUIARDIAg|fake reisepass - Google Suche|2022-07-04 17:17:53 +https://www.google.com/search?q=fake+reisepass&client=ubuntu&hs=fKo&channel=fs&source=lnms&tbm=isch&sa=X&ved=2ahUKEwjUp4PJ3t_4AhUD76QKHe1WAGgQ_AUoAXoECAIQAw&biw=950&bih=656&dpr=1|fake reisepass – Google Suche|2022-07-04 17:17:31 +https://www.google.com/search?channel=fs&client=ubuntu&q=fake+reisepass+|fake reisepass - Google Suche|2022-07-04 17:17:29 +https://www.capacitymedia.com/article/29otc9t6wy04gbplov3ls/news/welcome-to-bruce-leegate-as-dos-santoss-lawyers-say-passport-was-faked|Welcome to Bruce Leegate, as Dos Santos’s lawyers say passport was faked | Capacity Media|2022-07-04 17:16:55 +https://www.google.com/url?sa=i&url=https%3A%2F%2Fwww.capacitymedia.com%2Farticle%2F29otc9t6wy04gbplov3ls%2Fnews%2Fwelcome-to-bruce-leegate-as-dos-santoss-lawyers-say-passport-was-faked&psig=AOvVaw1gkKsQD4pej9OiJznqp3qE&ust=1657041380579000&source=images&cd=vfe&ved=2ahUKEwjY75qo3t_4AhUL66QKHfX3CSIQjRx6BAgAEAs||2022-07-04 17:16:55 +https://www.pinterest.de/pin/1063764374453701873/|Pin auf buy real passport|2022-07-04 17:16:39 +https://www.google.com/url?sa=i&url=https%3A%2F%2Fwww.pinterest.de%2Fpin%2F1063764374453701873%2F&psig=AOvVaw1Kyf5mseWxUn9QUrS7dCGR&ust=1657041395616000&source=images&cd=vfe&ved=0CAoQjhxqFwoTCJCPirDe3_gCFQAAAAAdAAAAABAD||2022-07-04 17:16:39 +https://www.pinterest.de/pin/1063764374453701873/|Pin auf buy real passport|2022-07-04 17:16:37 
+https://www.google.com/url?sa=i&url=https%3A%2F%2Fwww.pinterest.de%2Fpin%2F1063764374453701873%2F&psig=AOvVaw1Kyf5mseWxUn9QUrS7dCGR&ust=1657041395616000&source=images&cd=vfe&ved=0CAoQjhxqFwoTCJCPirDe3_gCFQAAAAAdAAAAABAD||2022-07-04 17:16:37 +https://www.google.com/search?q=fake+passport+germany&tbm=isch&client=ubuntu&hs=xdT&hl=de&sa=X&ved=2ahUKEwi_oZKj3t_4AhUV0oUKHU9dAdUQrNwCKAB6BQgBEN8B&biw=950&bih=656#imgrc=p4tx4Yn-KOB2dM|fake passport germany – Google Suche|2022-07-04 17:16:37 +https://www.google.com/search?q=fake+passport+germany&tbm=isch&client=ubuntu&hs=xdT&hl=de&sa=X&ved=2ahUKEwi_oZKj3t_4AhUV0oUKHU9dAdUQrNwCKAB6BQgBEN8B&biw=950&bih=656|fake passport germany – Google Suche|2022-07-04 17:16:35 +https://www.google.com/imgres?imgurl=https%3A%2F%2Fassets.euromoneydigital.com%2Fdims4%2Fdefault%2F52dde24%2F2147483647%2Fstrip%2Ftrue%2Fcrop%2F691x389%2B0%2B0%2Fresize%2F840x473!%2Fquality%2F90%2F%3Furl%3Dhttp%253A%252F%252Feuromoney-brightspot.s3.amazonaws.com%252F3b%252F3b%252Fc65211fc4d1b26967322e6d686f2%252Fserveimage&imgrefurl=https%3A%2F%2Fwww.capacitymedia.com%2Farticle%2F29otc9t6wy04gbplov3ls%2Fnews%2Fwelcome-to-bruce-leegate-as-dos-santoss-lawyers-say-passport-was-faked&tbnid=kiFDAG2HJ1Wa8M&vet=12ahUKEwi_oZKj3t_4AhUV0oUKHU9dAdUQMygLegUIARDDAQ..i&docid=eDNGXz2EPJg-cM&w=840&h=473&q=how%20to%20fake%20passport&client=ubuntu&ved=2ahUKEwi_oZKj3t_4AhUV0oUKHU9dAdUQMygLegUIARDDAQ|how to fake passport - Google Suche|2022-07-04 17:16:20 +https://www.google.com/search?q=how+to+fake+passport&client=ubuntu&hs=xdT&channel=fs&source=lnms&tbm=isch&sa=X&ved=2ahUKEwjY_OSf3t_4AhX4wQIHHZdtCNcQ_AUoAXoECAEQAw&biw=950&bih=656|how to fake passport – Google Suche|2022-07-04 17:16:10 +https://www.google.com/search?channel=fs&client=ubuntu&q=howto+fake+passport|howto fake passport - Google Suche|2022-07-04 17:16:03 +https://www.mozilla.org/de/privacy/firefox/|Firefox Datenschutzhinweis — Mozilla|2022-07-04 17:15:42 +https://www.mozilla.org/privacy/firefox/||2022-07-04 17:15:42 + +``` + 
+ +In Ordner Downloads bei Belle war eine passport.jpg. war nicht öffenbar, da magicbytes zerstört, kopiert, magic bytes repariert, siehe bild aus der gruppe + +``` +┌──(root㉿kali)-[~] +└─# file /mnt/forensik/home/belle/Downloads/passport.jpg +exiftool /mnt/forensik/home/belle/Downloads/passport.jpg + +/mnt/forensik/home/belle/Downloads/passport.jpg: data +ExifTool Version Number : 13.25 +File Name : passport.jpg +Directory : /mnt/forensik/home/belle/Downloads +File Size : 53 kB +File Modification Date/Time : 2022:07:04 19:19:25+02:00 +File Access Date/Time : 2022:07:04 19:19:10+02:00 +File Inode Change Date/Time : 2022:07:04 19:19:25+02:00 +File Permissions : -rw-rw-r-- +Error : File format error + + +┌──(root㉿kali)-[~] +└─# xxd /mnt/forensik/home/belle/Downloads/passport.jpg | head -n 10 + +00000000: 0000 ffe0 0010 4a46 4946 0001 0101 0048 ......JFIF.....H + + +``` + + +bash history von pc user: +``` +┌──(root㉿kali)-[/mnt/forensik/home/pc] +└─# cat .bash_history +exit +sudo gedit /etc/ssh/ssh_config +sudo gedit /etc/ssh/ + +sudo gedit /etc/ssh/ssh_config +ssh pc@localhost +sudo service ssh +sudo apt-get install openssh-server +sudo apt-get install openssh-client +gedit /etc/ssh/sshd_config +sudo gedit /etc/ssh/sshd_config +service ssh restart +ssh pc@localhost +ping googl.de +ip +ip a +exit +lsblk +fdisk -l vda +sudo fdisk -l vda +sudo fdisk -l /dev/vda +ip a +sudo usermod aG sudo pc +sudo usermod -aG sudo pc +ip a +exit +sudo parted + +``` + +Downloadsordner von belle hatte Pass.kdbx datei: + +``` +┌──(root㉿kali)-[/mnt/forensik] +└─# keepassxc /mnt/forensik/home/belle/Dokumente/Pass.kdbx + +``` +mit passwort: Eip7uoKo +(Passwörter gecracked von Markus) +findet man Passwort für Veracrypt: forgeMaster + +(siehe Gruppe) + +Mit dem Passwort kann man den verschlüsselten Windows Ordner öffnen: + + +``` +┌──(kali㉿kali)-[/mnt/windows/business] +└─$ sudo mkdir -p /mnt/tmp_business +sudo veracrypt --text --pim=0 --hash=sha512 --protect-hidden=no --mount 
/mnt/windows/business/business /mnt/tmp_business + +Enter password for /mnt/windows/business/business: forgeMaster +Enter keyfile [none]: + +``` + + +``` +┌──(kali㉿kali)-[/mnt/windows/business] +└─$ ls -lah /mnt/tmp_business + +total 10K +drwx------ 3 kali kali 1.0K Jan 1 1970 . +drwxr-xr-x 9 root root 4.0K Jul 19 16:48 .. +drwx------ 4 kali kali 5.0K Jul 4 2022 paesse + +┌──(kali㉿kali)-[/mnt/windows/business] +└─$ ls -lah /mnt/tmp_business/paesse + +total 273K +drwx------ 4 kali kali 5.0K Jul 4 2022 . +drwx------ 3 kali kali 1.0K Jan 1 1970 .. +-rwx------ 1 kali kali 1004 Nov 30 2018 back_to_samples.gif +-rwx------ 1 kali kali 11K Nov 30 2018 b-contacts.jpg +-rwx------ 1 kali kali 11K Nov 30 2018 b-news.jpg +-rwx------ 1 kali kali 27K Nov 30 2018 b-samples.jpg +-rwx------ 1 kali kali 1.2K Nov 30 2018 button_email.gif +drwx------ 2 kali kali 2.0K Jul 4 2022 Cover +-rwx------ 1 kali kali 43 Nov 30 2018 emty.gif +-rwx------ 1 kali kali 484 Nov 30 2018 flash_r1_c2e.gif +-rwx------ 1 kali kali 518 Nov 30 2018 flash_r1_c3e.gif +-rwx------ 1 kali kali 508 Nov 30 2018 flash_r1_c6e.gif +-rwx------ 1 kali kali 2.2K Nov 30 2018 head_r1_c1.jpg +-rwx------ 1 kali kali 12K Nov 30 2018 head_r1_c2.jpg +-rwx------ 1 kali kali 1.9K Nov 30 2018 head_r2_c1.gif +-rwx------ 1 kali kali 2.4K Nov 30 2018 index.html +-rwx------ 1 kali kali 29K Nov 30 2018 index.php.CB66877E.html +-rwx------ 1 kali kali 12K Jul 4 2022 index.shtml +drwx------ 2 kali kali 1.0K Jul 4 2022 inside +-rwx------ 1 kali kali 15K Nov 30 2018 main.jpg +-rwx------ 1 kali kali 365 Nov 30 2018 menu_r1_c1e.gif +-rwx------ 1 kali kali 391 Nov 30 2018 menu_r1_c2e.gif +-rwx------ 1 kali kali 460 Nov 30 2018 menu_r1_c3e.gif +-rwx------ 1 kali kali 492 Nov 30 2018 menu_r1_c4e.gif +-rwx------ 1 kali kali 1.1K Nov 30 2018 menu_r1_c5e.gif +-rwx------ 1 kali kali 1.1K Nov 30 2018 menu_r1_c6e.gif +-rwx------ 1 kali kali 483 Nov 30 2018 menu_r1_c7e.gif +-rwx------ 1 kali kali 802 Nov 30 2018 menu_rfid.gif +-rwx------ 1 kali kali 
388 Nov 30 2018 m-maine.gif +-rwx------ 1 kali kali 9.1K Nov 30 2018 novelty_fake_id_contacts.shtml +-rwx------ 1 kali kali 19K Nov 30 2018 novelty_fake_id_pricing.shtml +-rwx------ 1 kali kali 14K Nov 30 2018 novelty_fake_id_samples.shtml +-rwx------ 1 kali kali 20K Nov 30 2018 parashut.gif +-rwx------ 1 kali kali 1.9K Nov 30 2018 pricing.GIF +-rwx------ 1 kali kali 3.3K Nov 30 2018 privacy.gif +-rwx------ 1 kali kali 1.9K Nov 30 2018 tab2_r1_c13e.gif +-rwx------ 1 kali kali 1.9K Nov 30 2018 tab2_r1_c14e.gif +-rwx------ 1 kali kali 2.0K Nov 30 2018 tab2_r1_c16e.gif +-rwx------ 1 kali kali 2.0K Nov 30 2018 tab2_r1_c1e.gif +-rwx------ 1 kali kali 1.2K Nov 30 2018 tab2_r4_c2e.gif +-rwx------ 1 kali kali 255 Nov 30 2018 tab_r1_c1.gif +-rwx------ 1 kali kali 252 Nov 30 2018 tab_r1_c4.gif +-rwx------ 1 kali kali 93 Nov 30 2018 tab_r2_c1.gif +-rwx------ 1 kali kali 88 Nov 30 2018 tab_r2_c4.gif +-rwx------ 1 kali kali 62 Nov 30 2018 tab_r3_c1.gif +-rwx------ 1 kali kali 62 Nov 30 2018 tab_r3_c2.gif +-rwx------ 1 kali kali 61 Nov 30 2018 tab_r3_c4.gif +-rwx------ 1 kali kali 136 Nov 30 2018 tab_r4_c1.gif +-rwx------ 1 kali kali 128 Nov 30 2018 tab_r4_c2.gif +-rwx------ 1 kali kali 138 Nov 30 2018 tab_r4_c4.gif +-rwx------ 1 kali kali 116 Nov 30 2018 tab_r5_c1.gif +-rwx------ 1 kali kali 241 Nov 30 2018 tab_r5_c2.gif +-rwx------ 1 kali kali 114 Nov 30 2018 tab_r5_c4.gif +-rwx------ 1 kali kali 1.9K Nov 30 2018 terms.gif +-rwx------ 1 kali kali 20K Nov 30 2018 terms.shtml +-rwx------ 1 kali kali 3.4K Nov 30 2018 Ukpassport-cover.jpg +-rwx------ 1 kali kali 2.9K Nov 30 2018 'UK passport.shtml' + +``` + + +auf den .shtml dateien findet man die website von dem vermutlichen täter \ No newline at end of file diff --git a/Pruefungsleistung/windowsLog_report.md b/Pruefungsleistung/windowsLog_report.md new file mode 100644 index 0000000..f25e47c --- /dev/null +++ b/Pruefungsleistung/windowsLog_report.md 
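Review bot: The timeline in this file mixes two time bases without saying so: the sqlite query in the first code block renders `visit_date` with `datetime(visit_date/1000000,'unixepoch')`, which prints UTC (e.g. `2022-07-04 17:18:46`), while the exiftool output a few lines later reports local time with an explicit offset (`2022:07:04 19:19:25+02:00`). A reader correlating the passport.jpg download with the browsing session has to know these refer to the same moment, so a line such as `Browser history times are UTC (sqlite 'unixepoch'); file system times are local (+02:00).` next to the query output would remove the ambiguity. Separately, the veracrypt mount step recorded here (`--text --pim=0 --hash=sha512 --protect-hidden=no --mount`) carries no read-only option, unlike the `mount -o ro` steps in the accompanying report; adding `--mount-options=ro` would keep the container handling consistent with the read-only approach, and noting a SHA256 of the `business` file taken before mounting would let the step be verified later.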
@@ -0,0 +1,759 @@ +# [++] Forensic report of case: windowsLog + +## [++] Description +Analyse der Windows partition + + +## [++] Timeline of Commands and Comments + +### [+] Timestamp: `2025-07-19T08-42-13-560508+00-00` +#### [+] Comment from analyst: Markus Winklhofer + +#### [+] Content: +Image bereits als Loopdevice angelegt und jetzt wird anschließend gemounted und die Windoespartition forensisch analysiert + +--- + +### [+] Command: `sudo fdisk -l` +- Timestamp: `2025-07-19T08-43-00-004975+00-00` +- GPG-signature: [+] Valid +- SHA256: `43a7e40ef8949b90c8e89dafdd962bb263e8f6556d2a1c80c3f689bf1fb968c1` + +#### Output: +```Shell +[STDOUT] +Disk /dev/vda: 40 GiB, 42949672960 bytes, 83886080 sectors +Units: sectors of 1 * 512 = 512 bytes +Sector size (logical/physical): 512 bytes / 512 bytes +I/O size (minimum/optimal): 512 bytes / 512 bytes +Disklabel type: gpt +Disk identifier: C00980BD-CD97-44C9-A883-C367CE8873C7 + +Device Start End Sectors Size Type +/dev/vda1 2048 34815 32768 16M Linux filesystem +/dev/vda2 34816 2035711 2000896 977M EFI System +/dev/vda3 2035712 79546367 77510656 37G Linux filesystem +/dev/vda4 79546368 83884031 4337664 2.1G Linux swap + + +Disk /dev/nbd0: 33 GiB, 35433480192 bytes, 69206016 sectors +Units: sectors of 1 * 512 = 512 bytes +Sector size (logical/physical): 512 bytes / 512 bytes +I/O size (minimum/optimal): 512 bytes / 131072 bytes +Disklabel type: gpt +``` + +#### Context: +### [+] Legal Context for `sudo fdisk -l` + +**Analyst:** Markus Winklhofer +**Timestamp:** 2025-07-20T11:57:41.175563+00:00 + +**[!] Note:** This command was executed with administrative rights (`sudo`). +`fdisk` is an interactive command-line tool to create, delete, and manage partitions on storage devices. + + +Lists partition tables of all recognized devices. 
+ +--- + +### [+] Command: `sudo mmls /dev/nbd0` +- Timestamp: `2025-07-19T08-43-21-603461+00-00` +- GPG-signature: [+] Valid +- SHA256: `1e7e7d7d86604a62aceffd32db9f4f6f897f22c84de9f2367b46bf6fa4d9b77b` + +#### Output: +```Shell +[STDOUT] +GUID Partition Table (EFI) +Offset Sector: 0 +Units are in 512-byte sectors + + Slot Start End Length Description +000: Meta 0000000000 0000000000 0000000001 Safety Table +001: ------- 0000000000 0000002047 0000002048 Unallocated +002: Meta 0000000001 0000000001 0000000001 GPT Header +003: Meta 0000000002 0000000033 0000000032 Partition Table +004: 000 0000002048 0000004095 0000002048 +005: 001 0000004096 0001054719 0001050624 EFI System Partition +006: 002 0001054720 0046135295 0045080576 +007: ------- 0046135296 0046874623 0000739328 Unallocated +008: 003 0046874624 0068360191 0021485568 FAT +009: ------- 0068360192 0069206015 0000845824 Unallocated + +[STDERR] +``` + +#### Context: +### [+] Legal Context for `sudo mmls /dev/nbd0` + +**Analyst:** Markus Winklhofer +**Timestamp:** 2025-07-20T11:57:41.187798+00:00 + +**[!] Note:** This command was executed with administrative rights (`sudo`). +`mmls` analyzes the partition layout of a disk image without modifying it. It shows partitions, offsets, and sizes — a typical forensic step before mounting. + +--- + +### [+] Command: `sudo mount -o ro /dev/nbd0p4 ~/mnt/windows` +- Timestamp: `2025-07-19T08-45-08-725153+00-00` +- GPG-signature: [+] Valid +- SHA256: `aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f` + +#### Output: +```Shell +[STDOUT] + +[STDERR] +``` + +#### Context: +### [+] Legal Context for `sudo mount -o ro /dev/nbd0p4 ~/mnt/windows` + +**Analyst:** Markus Winklhofer +**Timestamp:** 2025-07-20T11:57:41.225568+00:00 + +**[!] Note:** This command was executed with administrative rights (`sudo`). +`mount` is used to attach a filesystem to the directory tree. In forensic contexts, it must be used cautiously, as mounting can alter timestamps or content. 
+ + +The `-o` option sets mount parameters — e.g., to enable read-only mode or suppress timestamp changes. + + +`ro` stands for "read-only". It ensures that the mounted filesystem is not modified. This is critical in digital forensics. + +--- + +### [+] Command: `file ~/mnt/windows/business/business ` +- Timestamp: `2025-07-19T08-47-12-169525+00-00` +- GPG-signature: [+] Valid +- SHA256: `ddde4a678fd1627868e4b7f7be63273df4698f55d6b06069fd92eb5bcf6531db` + +#### Output: +```Shell +[STDOUT] +/home/forick/mnt/windows/business/business: data + +[STDERR] +``` + +#### Context: +### [+] Legal Context for `file ~/mnt/windows/business/business` + +**Analyst:** Markus Winklhofer +**Timestamp:** 2025-07-20T11:57:41.239020+00:00 + +`file` identifies file types by examining magic numbers and headers. Useful for verifying or correcting file extensions and detecting anomalies. + +--- + +### [+] Command: `xxd business | head` +- Timestamp: `2025-07-19T08-49-20-139817+00-00` +- GPG-signature: [+] Valid +- SHA256: `d637733a8611dd3a59413fcfccbba0bf9570452f943569608795395f5db9a147` + +#### Output: +```Shell +[STDOUT] +00000000: 6eb4 2189 ffa2 36d4 bddc 7b86 9304 48ae n.!...6...{...H. +00000010: 6efd a848 cdf3 24bc da26 be81 bfd7 9e17 n..H..$..&...... +00000020: 66c6 9f07 d791 1071 7bfd a3a9 4dcd 86af f......q{...M... +00000030: 083a 3b06 ae59 ac64 e294 1f54 6fef 2654 .:;..Y.d...To.&T +00000040: 47cd bcd8 dd96 7fd5 7713 94ca 3860 8081 G.......w...8`.. +00000050: 663a 5711 ad69 2ea2 7b40 5969 bc7f ceb6 f:W..i..{@Yi.... +00000060: 20ca 92d8 6cc4 b540 7799 44a2 c91b e4bc ...l..@w.D..... +00000070: 3d9c 2e45 db8b 6ce8 d2b8 de2a f403 2edc =..E..l....*.... +00000080: 3d61 7ac4 f06d a7d5 828e e896 7138 cd98 =az..m......q8.. +00000090: a4b6 79f3 e518 3c18 e0ff b983 c2f1 1ab2 ..y...<......... 
+ +[STDERR] +``` + +#### Context: +### [+] Legal Context for `xxd business | head` + +**Analyst:** Markus Winklhofer +**Timestamp:** 2025-07-20T11:57:41.249584+00:00 + +The `xxd` command creates a hexadecimal dump of a given file. This is useful for inspecting raw data structures or headers. + +--- + +### [+] Command: `sudo mount -o ro /dev/nbd0p3 ~/mnt/linux` +- Timestamp: `2025-07-19T08-52-36-712619+00-00` +- GPG-signature: [+] Valid +- SHA256: `aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f` + +#### Output: +```Shell +[STDOUT] + +[STDERR] +``` + +#### Context: +### [+] Legal Context for `sudo mount -o ro /dev/nbd0p3 ~/mnt/linux` + +**Analyst:** Markus Winklhofer +**Timestamp:** 2025-07-20T11:57:41.296805+00:00 + +**[!] Note:** This command was executed with administrative rights (`sudo`). +`mount` is used to attach a filesystem to the directory tree. In forensic contexts, it must be used cautiously, as mounting can alter timestamps or content. + + +The `-o` option sets mount parameters — e.g., to enable read-only mode or suppress timestamp changes. + + +`ro` stands for "read-only". It ensures that the mounted filesystem is not modified. This is critical in digital forensics. + +--- + +### [+] Timestamp: `2025-07-19T08-53-48-208768+00-00` +#### [+] Comment from analyst: Markus Winklhofer + +#### [+] Content: +Unter Windows Partition derzeit keine Ergebnisse, desshalb wurde Linux Partition gemounted und anschließend analysiert. 
+ +--- + +### [+] Command: `sudo cat shadow` +- Timestamp: `2025-07-19T09-17-43-927272+00-00` +- GPG-signature: [+] Valid +- SHA256: `c1f678376e214937833b8b20a631606fdf86a427045f287709f812916ae0f524` + +#### Output: +```Shell +[STDOUT] +root:!:19175:0:99999:7::: +daemon:*:19101:0:99999:7::: +bin:*:19101:0:99999:7::: +sys:*:19101:0:99999:7::: +sync:*:19101:0:99999:7::: +games:*:19101:0:99999:7::: +man:*:19101:0:99999:7::: +lp:*:19101:0:99999:7::: +mail:*:19101:0:99999:7::: +news:*:19101:0:99999:7::: +uucp:*:19101:0:99999:7::: +proxy:*:19101:0:99999:7::: +www-data:*:19101:0:99999:7::: +backup:*:19101:0:99999:7::: +list:*:19101:0:99999:7::: +irc:*:19101:0:99999:7::: +gnats:*:19101:0:99999:7::: +nobody:*:19101:0:99999:7::: +systemd-network:*:19101:0:99999:7::: +... (truncated, showing first 20 and last 10 lines) +pulse:*:19101:0:99999:7::: +gnome-initial-setup:*:19101:0:99999:7::: +hplip:*:19101:0:99999:7::: +gdm:*:19101:0:99999:7::: +pc:$y$j9T$graH6StsN64vZy4TX6DLO1$jFAPKwPTtCP25YeK6fiAIcbse.xZb3XaFXnIuwfaej4:19175:0:99999:7::: +sshd:*:19175:0:99999:7::: +belle:$6$mysalt$YapdgZlg0yR2OqcmMqMSk7rtEfLo2l0Yh/T4o8s1qilhHZUxHspG7n0nx2kzplXK9bBt1b7xx0/lExTeVDVDw0:19177:0:99999:7::: +kiara:$6$mysalt$O3uB2Z2bsrQzEWnKMGiud28mGyGERuQKillaz.0EktBTWK4YfHTCFOiUhUSWGBjgwL5wd1VHMnjVcDBGgFu7r0:19177:0:99999:7::: + +[STDERR] +``` + +#### Context: +### [+] Legal Context for `sudo cat shadow` + +**Analyst:** Markus Winklhofer +**Timestamp:** 2025-07-20T11:57:41.309219+00:00 + +**[!] Note:** This command was executed with administrative rights (`sudo`). +`cat` concatenates and displays the content of files. It is commonly used to view file contents or combine multiple files. + +--- + +### [+] Timestamp: `2025-07-19T09-19-32-944437+00-00` +#### [+] Comment from analyst: Markus Winklhofer + +#### [+] Content: +Es sind die drei User zu sehen im Shadow-File. Inklusive hash des passworts, verwendetem Salt und gehashtem Wert, sowie Zeitstempel. Anschließend werden diese Hashes gesichert. 
+ +--- + +> [!Info] Note +> Andere Passwörter hab ich schon mit hashcat und der wordList.txt geknackt. +> + +--- +### [+] Command: `sudo grep '^pc:' shadow > ~/evidence/linux-passHashes/hashes.txt` +- Timestamp: `2025-07-19T09-33-23-227939+00-00` +- GPG-signature: [+] Valid +- SHA256: `aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f` + +#### Output: +```Shell +[STDOUT] + +[STDERR] +``` + +#### Context: +### [+] Legal Context for `sudo grep '^pc:' shadow > ~/evidence/linux-passHashes/hashes.txt` + +**Analyst:** Markus Winklhofer +**Timestamp:** 2025-07-20T11:57:41.337992+00:00 + +**[!] Note:** This command was executed with administrative rights (`sudo`). +`grep` searches for patterns in text files. In forensics, it helps extract relevant entries from logs, configs, or dumps. + +--- + +### [+] Command: `cut -d: -f2 ~/evidence/linux-passHashes/hashes.txt > ~/evidence/linux-passHashes/hashes_hashcat.txt` +- Timestamp: `2025-07-19T09-41-50-673936+00-00` +- GPG-signature: [+] Valid +- SHA256: `aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f` + +#### Output: +```Shell +[STDOUT] + +[STDERR] +``` + +#### Context: +### [+] Legal Context for `cut -d: -f2 ~/evidence/linux-passHashes/hashes.txt > ~/evidence/linux-passHashes/hashes_hashcat.txt` + +**Analyst:** Markus Winklhofer +**Timestamp:** 2025-07-20T11:57:41.362354+00:00 + +`cut` removes sections from each line of files. It is commonly used to extract specific columns or fields. + + +Specifies the delimiter character. + + +Specifies the fields to extract. 
+ +--- + +### [+] Timestamp: `2025-07-19T14-35-17-836177+00-00` +#### [+] Comment from analyst: Markus Winklhofer + +#### [+] Content: +Passwörter von User belle und kiara wurden geknackt und lauten: ohQuep1A (kiara) und Eip7uoKo (belle) + +--- + +### [+] Timestamp: `2025-07-19T14-46-11-098224+00-00` +#### [+] Comment from analyst: Markus Winklhofer + +#### [+] Content: +Anschließend wird versucht die Datei auf der Windowspartition mit den erhaltenen Passwörtern zu öffnen. + +--- + +### [+] Timestamp: `2025-07-19T15-09-38-776505+00-00` +#### [+] Comment from analyst: Markus Winklhofer + +#### [+] Content: +Passwort von User pc wird anschließend geknackt. + +--- + +### [+] Timestamp: `2025-07-19T15-28-09-158744+00-00` +#### [+] Comment from analyst: Markus Winklhofer + +#### [+] Content: +Okay Passwort von User pc muss jetzt doch mit John geknackt werden weil Hashcat mich verlassen hat. R.I.P hashcat + +--- + +### [+] Timestamp: `2025-07-19T16-08-43-581807+00-00` +#### [+] Comment from analyst: Markus Winklhofer + +#### [+] Content: +Alle mit john durchzuprobieren würde zu lange dauern. unshadowed Datei wird manuell bereinigt. + +--- + +### [+] Timestamp: `2025-07-19T16-22-52-786709+00-00` +#### [+] Comment from analyst: Markus Winklhofer + +#### [+] Content: +User pc hash lässt sich nicht decrypten. Was bekannt ist: höchst wahrscheinlich yescrypt + +--- + +### [+] Timestamp: `2025-07-19T16-23-12-195637+00-00` +#### [+] Comment from analyst: Markus Winklhofer + +#### [+] Content: +Dann schauen wir doch nochmal auf das business file im Windows + +--- + +### [+] Timestamp: `2025-07-19T19-05-53-643688+00-00` +#### [+] Comment from analyst: Markus Winklhofer + +#### [+] Content: +Business Datei unter Windowspartition wurde mit veracrypt gemounted. Jetzt haben wir einen Ordner namens paesse, welcher .jpeg, .gif und .html Dateien enthält. Wir haben ihn Kameraden. 
+ +--- + +### [+] Command: `cp -r paesse ~/evidence/paesse_secured` +- Timestamp: `2025-07-19T19-08-38-532451+00-00` +- GPG-signature: [+] Valid +- SHA256: `aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f` + +#### Output: +```Shell +[STDOUT] + +[STDERR] +``` + +#### Context: +### [+] Legal Context for `cp -r paesse ~/evidence/paesse_secured` + +**Analyst:** Markus Winklhofer +**Timestamp:** 2025-07-20T11:57:41.463529+00:00 + +`cp` copies files and directories. + + +Copies directories recursively. + +--- + +### [+] Command: `cat paesse_hashes.txt` +- Timestamp: `2025-07-19T19-15-35-249409+00-00` +- GPG-signature: [+] Valid +- SHA256: `e021c5fb88dbb683e55d00991fcf65e2ecb038e615375b6f8aa95091aa3d5cbc` + +#### Output: +```Shell +[STDOUT] +2337d9209ebc59826b7c6839b62a073bfb4c6084ae7ca7b33091adf5b51124f0 paesse/b-contacts.jpg +56c54308a51a73f1fde781a923a7d5e33c992d54e5698c7a1a5f62df5faf96d6 paesse/b-news.jpg +699d7fbef975e4f75d8755a7cc9bb7c4e0d50e6aac35c676cfb84590cab4cab1 paesse/b-samples.jpg +4ce769d6291abad8e9e57911adbc7e263645c0cd5b2ad81fbfc5dd5339137883 paesse/back_to_samples.gif +88c50adcbd68e9b06317b0f10e4cd118bccb5ee9c6b7d15b2053c7475a0f4b7c paesse/button_email.gif +b1442e85b03bdcaf66dc58c7abb98745dd2687d86350be9a298a1d9382ac849b paesse/emty.gif +1f3e68eef4da22b8c1991813a58cc2ca931e3a313db4dbb49dd5c64d34231021 paesse/flash_r1_c2e.gif +76eb565cb3290c6542c27d16b075de244bfb055eaba9ed744d6095e3d8163d95 paesse/flash_r1_c3e.gif +0cb5cb828aaa48c5b6ecaaff62812b74376143e8375af99969992d2d7c772290 paesse/flash_r1_c6e.gif +908bc1335ed5d3eb60eff3787cf33162d48e1ced5c116702719673722fc433cb paesse/head_r1_c1.jpg +edb7a8c927edbfe365fb0015892c4893f5ccedf217e4d61a94f6fa947daef9ae paesse/head_r1_c2.jpg +6985dfc8eb8836a79084decd3a7df6efbe70af108ea3942b897e16f5865b79bb paesse/head_r2_c1.gif +7a9847daf2ce9f8e612e8daea71c52dbcd2649b83685d9eeeb87e4c4f64b18f0 paesse/index.html +d3178da777620b3045cd390842a317c5fb5fb7f7baf49e14f2b85e54a98ecee9 paesse/index.php.CB66877E.html 
+c670355f7938549fa50faa7d80c764e64e9e67ec1e64309f2a68b0a6a5196635 paesse/index.shtml +e2704c3f9480d96bc8c70c30b2db3cec6ad73d9f8729ec9ada335eab7fb4534a paesse/m-maine.gif +983e88c639a4a60b8abd68188aabeb16cc1ffd36745ca2bdce29819c0bc3a912 paesse/main.jpg +a7d820cf32d4be1a04515f0334abae05cc6ceb385844a6ef57d4c6f9af73c75e paesse/menu_r1_c1e.gif +a1e852623a899f3e3be745d2819a650d666f5985cfbfae6d27785fce187a54ac paesse/menu_r1_c2e.gif +... (truncated, showing first 20 and last 10 lines) +2fa9099d8949fc6a6a4a6992ccd1c303ee201d4d7b12aab39c5d7c0c68265a66 paesse/Cover/Canada passport.jpg +cb41bb8bb1a969cdd498900574483d966fe3debd2e51996e4a4384a0d3461efc paesse/Cover/Finland passport.jpg +8c692f01c66852ab217b60bd36417b6603a8bf2fbba61163b914deb842dc7233 paesse/Cover/France passport.jpg +1dfb1a35d4a6efe8d6172014078eac070885c195a5c58b95ff47f435d9da22d0 paesse/Cover/German passport.jpg +a9723e7b99ffc8a8a36e1fd20346721286e681c9fd533d291b732acbfea10cb2 paesse/Cover/Netherlands passport.jpg +f51dda5ad02e23445ea503911324920c3776bb271c741eb6165fc2006e5fc130 paesse/Cover/UK license small.jpg +2963750629e0b3560c2a7ef52c4ffd82183395f551f43bf6548490a10acf0456 paesse/Cover/UK passport.jpg +a41f223bdb68803e763969808dcde3fcf14e10c97dd23b7314e083f21edc1b2d paesse/inside/pp-uk-open-big.jpg + +[STDERR] +``` + +#### Context: +### [+] Legal Context for `cat paesse_hashes.txt` + +**Analyst:** Markus Winklhofer +**Timestamp:** 2025-07-20T11:57:41.498045+00:00 + +`cat` concatenates and displays the content of files. It is commonly used to view file contents or combine multiple files. + +--- + +### [+] Timestamp: `2025-07-19T19-44-42-593534+00-00` +#### [+] Comment from analyst: Markus Winklhofer + +#### [+] Content: +Forenische Analyse der index.html, konnten viele Hinweise auf den verkauf von gefälschten Pässen gefunden werden. Die Seite beinhaltet mehrere Reiter, darunter auch 'Terms and Conditions', eine Preisliste, eine Enail Adresse (documents.service@safe-mail.net) und weitere Hinweise. 
Die genauen Hinweise werden anschließend aufgelistet + +--- + +### [+] Timestamp: `2025-07-19T19-45-33-350345+00-00` +#### [+] Comment from analyst: Markus Winklhofer + +#### [+] Content: +Passwort für Business File: forgeMaster + +--- + +### [+] Timestamp: `2025-07-19T19-50-48-645917+00-00` +#### [+] Comment from analyst: Markus Winklhofer + +#### [+] Content: +Anschließend wird nach Chatverläufen und Emailverkehr, sowie Browserverläufen gesucht + +--- + +### [+] Command: `sudo ls -la belle` +- Timestamp: `2025-07-19T19-56-41-335702+00-00` +- GPG-signature: [+] Valid +- SHA256: `82baa87dfd52f9eaf1f17cb2016d112f83c1ae0428e1737c67b2869d02c0c997` + +#### Output: +```Shell +[STDOUT] +total 76 +drwxr-x--- 16 1001 1001 4096 Jul 4 2022 . +drwxr-xr-x 5 root root 4096 Jul 4 2022 .. +-rw-r--r-- 1 1001 1001 220 Jan 6 2022 .bash_logout +-rw-r--r-- 1 1001 1001 3771 Jan 6 2022 .bashrc +drwxr-xr-x 2 1001 1001 4096 Jul 4 2022 Bilder +drwx------ 13 1001 1001 4096 Jul 4 2022 .cache +drwx------ 14 1001 1001 4096 Jul 4 2022 .config +drwxr-xr-x 2 1001 1001 4096 Jul 4 2022 Dokumente +drwxr-xr-x 2 1001 1001 4096 Jul 4 2022 Downloads +drwx------ 2 1001 1001 4096 Jul 4 2022 .gnupg +drwx------ 3 1001 1001 4096 Jul 4 2022 .local +drwxr-xr-x 2 1001 1001 4096 Jul 4 2022 Musik +drwxr-xr-x 2 1001 1001 4096 Jul 4 2022 Öffentlich +-rw-r--r-- 1 1001 1001 807 Jan 6 2022 .profile +drwxr-xr-x 2 1001 1001 4096 Jul 4 2022 Schreibtisch +drwx------ 4 1001 1001 4096 Jul 4 2022 snap +drwx------ 2 1001 1001 4096 Jul 4 2022 .ssh +-rw-r--r-- 1 1001 1001 0 Jul 4 2022 .sudo_as_admin_successful +``` + +#### Context: +### [+] Legal Context for `sudo ls -la belle` + +**Analyst:** Markus Winklhofer +**Timestamp:** 2025-07-20T11:57:41.509216+00:00 + +**[!] Note:** This command was executed with administrative rights (`sudo`). +`ls` lists files in a directory. It is used to gain an overview and does not modify data. 
+ +--- + +### [+] Timestamp: `2025-07-19T19-57-33-244846+00-00` +#### [+] Comment from analyst: Markus Winklhofer + +#### [+] Content: +Zuerst durchsuchen wir den User belle (Der Command davor gehört dazu) + +--- + +### [+] Command: `sudo ls -la belle/Bilder` +- Timestamp: `2025-07-19T19-58-19-142111+00-00` +- GPG-signature: [+] Valid +- SHA256: `b916127be77302898d8d5d0a74789e0da96e597c8cc36239ba3555fdeadde089` + +#### Output: +```Shell +[STDOUT] +total 8 +drwxr-xr-x 2 1001 1001 4096 Jul 4 2022 . +drwxr-x--- 16 1001 1001 4096 Jul 4 2022 .. + +[STDERR] +``` + +#### Context: +### [+] Legal Context for `sudo ls -la belle/Bilder` + +**Analyst:** Markus Winklhofer +**Timestamp:** 2025-07-20T11:57:41.520846+00:00 + +**[!] Note:** This command was executed with administrative rights (`sudo`). +`ls` lists files in a directory. It is used to gain an overview and does not modify data. + +--- + +### [+] Command: `sudo ls -la belle/.config` +- Timestamp: `2025-07-19T20-08-05-109640+00-00` +- GPG-signature: [+] Valid +- SHA256: `78eaefb4186c21188354ab750c8082743330d3871e8c0bebbc7cec9b647b686d` + +#### Output: +```Shell +[STDOUT] +total 72 +drwx------ 14 1001 1001 4096 Jul 4 2022 . +drwxr-x--- 16 1001 1001 4096 Jul 4 2022 .. 
+drwx------ 2 1001 1001 4096 Jul 4 2022 dconf +drwx------ 3 1001 1001 4096 Jul 4 2022 evolution +-rw-rw-r-- 1 1001 1001 3 Jul 4 2022 gnome-initial-setup-done +drwx------ 3 1001 1001 4096 Jul 4 2022 gnome-session +drwxr-xr-x 2 1001 1001 4096 Jul 4 2022 goa-1.0 +-rw-rw-r-- 1 1001 1001 0 Jul 4 2022 .gsd-keyboard.settings-ported +drwx------ 2 1001 1001 4096 Jul 4 2022 gtk-3.0 +drwx------ 2 1001 1001 4096 Jul 4 2022 gtk-4.0 +drwx------ 3 1001 1001 4096 Jul 4 2022 ibus +drwxrwxr-x 2 1001 1001 4096 Jul 4 2022 keepassxc +drwxr-xr-x 2 1001 1001 4096 Jul 4 2022 nautilus +drwx------ 2 1001 1001 4096 Jul 4 2022 pulse +-rw-rw-r-- 1 1001 1001 106 Jul 4 2022 QtProject.conf +drwx------ 2 1001 1001 4096 Jul 4 2022 update-notifier +-rw------- 1 1001 1001 640 Jul 4 2022 user-dirs.dirs +-rw-rw-r-- 1 1001 1001 5 Jul 4 2022 user-dirs.locale +``` + +#### Context: +### [+] Legal Context for `sudo ls -la belle/.config` + +**Analyst:** Markus Winklhofer +**Timestamp:** 2025-07-20T11:57:41.529524+00:00 + +**[!] Note:** This command was executed with administrative rights (`sudo`). +`ls` lists files in a directory. It is used to gain an overview and does not modify data. + +--- + +### [+] Command: `sudo ls -la belle/.cache` +- Timestamp: `2025-07-19T20-08-50-883916+00-00` +- GPG-signature: [+] Valid +- SHA256: `39e23eb4173556a2dce5e3b0562a4b8ab6b340e77f077cb5e2798ec8b0d76711` + +#### Output: +```Shell +[STDOUT] +total 64 +drwx------ 13 1001 1001 4096 Jul 4 2022 . +drwxr-x--- 16 1001 1001 4096 Jul 4 2022 .. 
+-rw-r--r-- 1 1001 1001 12288 Jul 4 2022 event-sound-cache.tdb.6746c953637546dc9d96c167a444559c.x86_64-pc-linux-gnu
+drwx------ 8 1001 1001 4096 Jul 4 2022 evolution
+drwx------ 3 1001 1001 4096 Jul 4 2022 gnome-desktop-thumbnailer
+drwxrwxr-x 2 1001 1001 4096 Jul 4 2022 gstreamer-1.0
+drwxrwxr-x 3 1001 1001 4096 Jul 4 2022 ibus
+drwxrwxr-x 2 1001 1001 4096 Jul 4 2022 ibus-table
+drwxrwxr-x 2 1001 1001 4096 Jul 4 2022 keepassxc
+drwxr-xr-x 97 1001 1001 4096 Jul 4 2022 mesa_shader_cache
+drwx------ 4 1001 1001 4096 Jul 4 2022 thumbnails
+drwx------ 3 1001 1001 4096 Jul 4 2022 tracker3
+drwx------ 2 1001 1001 4096 Jul 4 2022 ubuntu-report
+drwxrwxr-x 2 1001 1001 4096 Jul 4 2022 update-manager-core
+
+[STDERR]
+```
+
+#### Context:
+### [+] Legal Context for `sudo ls -la belle/.cache`
+
+**Analyst:** Markus Winklhofer
+**Timestamp:** 2025-07-20T11:57:41.538887+00:00
+
+**[!] Note:** This command was executed with administrative rights (`sudo`).
+`ls` lists files in a directory. It is used to gain an overview and does not modify data.
+
+---
+
+### [+] Command: `sudo ls -la belle/Dokumente/Pass.kdbx`
+- Timestamp: `2025-07-19T20-14-23-496084+00-00`
+- GPG-signature: [+] Valid
+- SHA256: `d20f70753042c1eb64f27c65792dc833b48f36a22a98a20cbe318741a6cbe9a4`
+
+#### Output:
+```Shell
+[STDOUT]
+-rw------- 1 1001 1001 1605 Jul 4 2022 belle/Dokumente/Pass.kdbx
+
+[STDERR]
+```
+
+#### Context:
+### [+] Legal Context for `sudo ls -la belle/Dokumente/Pass.kdbx`
+
+**Analyst:** Markus Winklhofer
+**Timestamp:** 2025-07-20T11:57:41.547486+00:00
+
+**[!] Note:** This command was executed with administrative rights (`sudo`).
+`ls` lists files in a directory. It is used to gain an overview and does not modify data.
+
+---
+
+### [+] Timestamp: `2025-07-19T20-15-03-978366+00-00`
+#### [+] Comment from analyst: Markus Winklhofer
+
+#### [+] Content:
+Passwortmanager schon von Eric gemacht: Passwort für Windows partition.
+ +--- + +### [+] Command: `sudo cat belle/.ssh/id_rsa` +- Timestamp: `2025-07-19T21-05-04-042237+00-00` +- GPG-signature: [+] Valid +- SHA256: `f36e6f459dcb473e51ffafbbf7c84eb014d20b209b6aec5137be2b2fc8a8d910` + +#### Output: +```Shell +[STDOUT] +-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn +NhAAAAAwEAAQAAAYEA8HvHvFjaySYQbujRPF/FXnBnq5eUy4UgdcVu2XgZXnqQ14Y/SREG +BLPabOxqz11fS8k/xLdU30JLypH0+vUccrcN51k6ZfM5aKszqYvTXgenGc0S8zCGGPC4mt +cMs2AzSQglx11fjAOh51DyDcE+nSFV7q11LMDufGgklY7Z0Y/EpTjAlkXJKwgIUPLewSV5 +KKcmr3Sj6JhPXZrVcHwbrIIS5f88TLzL7L+bNrLE4EGVmAAsOwSSeNZ0F51uDXuhmnIwxw +UMBd4XAhQtSt8OruwoeQcrPO0heUyxCFi19OvOCF+kNp7JhkO2AD+GnanrH79sc2RV8+nN +miLJvAOW1bk4yvl784fxvzR6l6q+x3hYy57QqZG6sOhTxJYslQ5A33UiSL6boZ5UrS4zS6 +xVgrF7eEy4ZTgh3CaHUc6sK1GqoBqDas+pBKl4ZnygWxWhAxoExfy7p9iqMc27+YkYfAfC +LpyKIU7iSV+2D2/QKW+idRohT/HEhyjSPCcLu5KDAAAFqNUGXfjVBl34AAAAB3NzaC1yc2 +EAAAGBAPB7x7xY2skmEG7o0TxfxV5wZ6uXlMuFIHXFbtl4GV56kNeGP0kRBgSz2mzsas9d +X0vJP8S3VN9CS8qR9Pr1HHK3DedZOmXzOWirM6mL014HpxnNEvMwhhjwuJrXDLNgM0kIJc +ddX4wDoedQ8g3BPp0hVe6tdSzA7nxoJJWO2dGPxKU4wJZFySsICFDy3sEleSinJq90o+iY +T12a1XB8G6yCEuX/PEy8y+y/mzayxOBBlZgALDsEknjWdBedbg17oZpyMMcFDAXeFwIULU +rfDq7sKHkHKzztIXlMsQhYtfTrzghfpDaeyYZDtgA/hp2p6x+/bHNkVfPpzZoiybwDltW5 +OMr5e/OH8b80epeqvsd4WMue0KmRurDoU8SWLJUOQN91Iki+m6GeVK0uM0usVYKxe3hMuG +U4Idwmh1HOrCtRqqAag2rPqQSpeGZ8oFsVoQMaBMX8u6fYqjHNu/mJGHwHwi6ciiFO4klf +tg9v0ClvonUaIU/xxIco0jwnC7uSgwAAAAMBAAEAAAGAMkMUtHN3ytnXTm7/qFg19q6UpG +MKmNzqs2K/79jvqHUCh+FJodpagSocCW8CRfP0gnD+EH3m0cDX+W83HiqTtxA2ajeWgo9q +... 
(truncated, showing first 20 and last 10 lines) +J1i1XmO49o/FP0mze51sFnPG7OtWpKOXR7m3pha8akpnNZ7IcnF/xZfVxiykVGmmSRn+eT +J9i53CQTukHQSNG12zlYZhXhfXigFjDQAAAMEA9UCGcYR1KkIrx1zlITQAvJfYPIWPEfgz +6iEvErwXZ9wjyVovoi6tT+lWHa/Hz2Larj4uUgXAuqL0ZkNwj4WBNuQOcbzkyMW9oJ8EOb +8wl6AppLW0FqxMhmu2UWl9eGeGEr/DsEnIYfTPu+L8aIGmdLjn6Iefu8QYab/YSvVNEkMW +cMJ4yBQhhgpyhFtSO3mxSSZ9sXX16PTuIz0ZZR5EXp5B54RSMlCWSvNv59f4XK0oZ6GdmM +rcY97g+jJdO6fPAAAAMWFuc2libGUtZ2VuZXJhdGVkIG9uIHBjLVN0YW5kYXJkLVBDLVEz +NS1JQ0g5LTIwMDkB +-----END OPENSSH PRIVATE KEY----- + +[STDERR] +``` + +#### Context: +### [+] Legal Context for `sudo cat belle/.ssh/id_rsa` + +**Analyst:** Markus Winklhofer +**Timestamp:** 2025-07-20T11:57:41.555969+00:00 + +**[!] Note:** This command was executed with administrative rights (`sudo`). +`cat` concatenates and displays the content of files. It is commonly used to view file contents or combine multiple files. + +--- + +### [+] Command: `sudo cat belle/.ssh/id_rsa.pub` +- Timestamp: `2025-07-19T21-06-59-071476+00-00` +- GPG-signature: [+] Valid +- SHA256: `10e017969f0c7635be44d0a4f8d5ec505414e228883f7a8109b807633c9d19f7` + +#### Output: +```Shell +[STDOUT] +ssh-rsa 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 ansible-generated on pc-Standard-PC-Q35-ICH9-2009 + +[STDERR] +``` + +#### Context: +### [+] Legal Context for `sudo cat belle/.ssh/id_rsa.pub` + +**Analyst:** Markus Winklhofer +**Timestamp:** 2025-07-20T11:57:41.564473+00:00 + +**[!] Note:** This command was executed with administrative rights (`sudo`). +`cat` concatenates and displays the content of files. It is commonly used to view file contents or combine multiple files. + +--- + + +## [+] GPG-Overview +Each `.log`-file was digitally signed with GPG where applicable. +The signature status is documented per command.