current stance

main
Ahzek 2025-07-20 21:34:43 +02:00
parent d271296314
commit 0ca9fb7d59
3 changed files with 959 additions and 0 deletions

Binary file not shown.


@ -0,0 +1,200 @@
Findings:
firefox history von dem user "belle":
```sql
┌──(root㉿kali)-[/mnt/…/common/.mozilla/firefox/e9cqlzsn.default]
└─# cp places.sqlite ~/belle_places.sqlite
cd ~
sqlite3 belle_places.sqlite "SELECT url, title, datetime(visit_date/1000000,'unixepoch') FROM moz_places JOIN moz_historyvisits ON moz_places.id = moz_historyvisits.place_id ORDER BY visit_date DESC LIMIT 50;"
https://i.pinimg.com/236x/41/80/fa/4180fa703a970335721fe445385e7627.jpg|4180fa703a970335721fe445385e7627.jpg|2022-07-04 17:18:46
https://www.google.com/imgres?imgurl=http%3A%2F%2Fwww.theoccidentalobserver.net%2Fwp-content%2Fuploads%2F2013%2F03%2Fpassport.jpg&imgrefurl=https%3A%2F%2Fwww.tanelorn.net%2Findex.php%3Ftopic%3D89563.0&tbnid=aVoZMmKwJEc3nM&vet=12ahUKEwjmxI7K3t_4AhW6X_EDHdnKCQ0QMygPegUIARDIAg..i&docid=RoDgtxExKImejM&w=485&h=325&q=fake%20reisepass&client=ubuntu&ved=2ahUKEwjmxI7K3t_4AhW6X_EDHdnKCQ0QMygPegUIARDIAg#imgrc=aVoZMmKwJEc3nM&imgdii=Wq-UfCzaU1CwWM|fake reisepass - Google Suche|2022-07-04 17:18:40
https://i.pinimg.com/originals/b6/26/5d/b6265df99e65d5023e821832d53413d7.jpg|b6265df99e65d5023e821832d53413d7.jpg|2022-07-04 17:18:21
http://www.theoccidentalobserver.net/wp-content/uploads/2013/03/passport.jpg|passport.jpg|2022-07-04 17:18:13
https://www.google.com/imgres?imgurl=https%3A%2F%2Fi.pinimg.com%2Foriginals%2Fb6%2F26%2F5d%2Fb6265df99e65d5023e821832d53413d7.jpg&imgrefurl=https%3A%2F%2Fwww.pinterest.de%2Fpin%2F665758757412891737%2F&tbnid=2AqgmgjQ-5-K3M&vet=12ahUKEwjmxI7K3t_4AhW6X_EDHdnKCQ0QMygKegUIARC-Ag..i&docid=i8kd5nZiMlnTFM&w=1600&h=903&q=fake%20reisepass&client=ubuntu&ved=2ahUKEwjmxI7K3t_4AhW6X_EDHdnKCQ0QMygKegUIARC-Ag|fake reisepass - Google Suche|2022-07-04 17:17:57
https://www.google.com/imgres?imgurl=http%3A%2F%2Fwww.theoccidentalobserver.net%2Fwp-content%2Fuploads%2F2013%2F03%2Fpassport.jpg&imgrefurl=https%3A%2F%2Fwww.tanelorn.net%2Findex.php%3Ftopic%3D89563.0&tbnid=aVoZMmKwJEc3nM&vet=12ahUKEwjmxI7K3t_4AhW6X_EDHdnKCQ0QMygPegUIARDIAg..i&docid=RoDgtxExKImejM&w=485&h=325&q=fake%20reisepass&client=ubuntu&ved=2ahUKEwjmxI7K3t_4AhW6X_EDHdnKCQ0QMygPegUIARDIAg|fake reisepass - Google Suche|2022-07-04 17:17:53
https://www.google.com/search?q=fake+reisepass&client=ubuntu&hs=fKo&channel=fs&source=lnms&tbm=isch&sa=X&ved=2ahUKEwjUp4PJ3t_4AhUD76QKHe1WAGgQ_AUoAXoECAIQAw&biw=950&bih=656&dpr=1|fake reisepass Google Suche|2022-07-04 17:17:31
https://www.google.com/search?channel=fs&client=ubuntu&q=fake+reisepass+|fake reisepass - Google Suche|2022-07-04 17:17:29
https://www.capacitymedia.com/article/29otc9t6wy04gbplov3ls/news/welcome-to-bruce-leegate-as-dos-santoss-lawyers-say-passport-was-faked|Welcome to Bruce Leegate, as Dos Santoss lawyers say passport was faked | Capacity Media|2022-07-04 17:16:55
https://www.google.com/url?sa=i&url=https%3A%2F%2Fwww.capacitymedia.com%2Farticle%2F29otc9t6wy04gbplov3ls%2Fnews%2Fwelcome-to-bruce-leegate-as-dos-santoss-lawyers-say-passport-was-faked&psig=AOvVaw1gkKsQD4pej9OiJznqp3qE&ust=1657041380579000&source=images&cd=vfe&ved=2ahUKEwjY75qo3t_4AhUL66QKHfX3CSIQjRx6BAgAEAs||2022-07-04 17:16:55
https://www.pinterest.de/pin/1063764374453701873/|Pin auf buy real passport|2022-07-04 17:16:39
https://www.google.com/url?sa=i&url=https%3A%2F%2Fwww.pinterest.de%2Fpin%2F1063764374453701873%2F&psig=AOvVaw1Kyf5mseWxUn9QUrS7dCGR&ust=1657041395616000&source=images&cd=vfe&ved=0CAoQjhxqFwoTCJCPirDe3_gCFQAAAAAdAAAAABAD||2022-07-04 17:16:39
https://www.pinterest.de/pin/1063764374453701873/|Pin auf buy real passport|2022-07-04 17:16:37
https://www.google.com/url?sa=i&url=https%3A%2F%2Fwww.pinterest.de%2Fpin%2F1063764374453701873%2F&psig=AOvVaw1Kyf5mseWxUn9QUrS7dCGR&ust=1657041395616000&source=images&cd=vfe&ved=0CAoQjhxqFwoTCJCPirDe3_gCFQAAAAAdAAAAABAD||2022-07-04 17:16:37
https://www.google.com/search?q=fake+passport+germany&tbm=isch&client=ubuntu&hs=xdT&hl=de&sa=X&ved=2ahUKEwi_oZKj3t_4AhUV0oUKHU9dAdUQrNwCKAB6BQgBEN8B&biw=950&bih=656#imgrc=p4tx4Yn-KOB2dM|fake passport germany Google Suche|2022-07-04 17:16:37
https://www.google.com/search?q=fake+passport+germany&tbm=isch&client=ubuntu&hs=xdT&hl=de&sa=X&ved=2ahUKEwi_oZKj3t_4AhUV0oUKHU9dAdUQrNwCKAB6BQgBEN8B&biw=950&bih=656|fake passport germany Google Suche|2022-07-04 17:16:35
https://www.google.com/imgres?imgurl=https%3A%2F%2Fassets.euromoneydigital.com%2Fdims4%2Fdefault%2F52dde24%2F2147483647%2Fstrip%2Ftrue%2Fcrop%2F691x389%2B0%2B0%2Fresize%2F840x473!%2Fquality%2F90%2F%3Furl%3Dhttp%253A%252F%252Feuromoney-brightspot.s3.amazonaws.com%252F3b%252F3b%252Fc65211fc4d1b26967322e6d686f2%252Fserveimage&imgrefurl=https%3A%2F%2Fwww.capacitymedia.com%2Farticle%2F29otc9t6wy04gbplov3ls%2Fnews%2Fwelcome-to-bruce-leegate-as-dos-santoss-lawyers-say-passport-was-faked&tbnid=kiFDAG2HJ1Wa8M&vet=12ahUKEwi_oZKj3t_4AhUV0oUKHU9dAdUQMygLegUIARDDAQ..i&docid=eDNGXz2EPJg-cM&w=840&h=473&q=how%20to%20fake%20passport&client=ubuntu&ved=2ahUKEwi_oZKj3t_4AhUV0oUKHU9dAdUQMygLegUIARDDAQ|how to fake passport - Google Suche|2022-07-04 17:16:20
https://www.google.com/search?q=how+to+fake+passport&client=ubuntu&hs=xdT&channel=fs&source=lnms&tbm=isch&sa=X&ved=2ahUKEwjY_OSf3t_4AhX4wQIHHZdtCNcQ_AUoAXoECAEQAw&biw=950&bih=656|how to fake passport Google Suche|2022-07-04 17:16:10
https://www.google.com/search?channel=fs&client=ubuntu&q=howto+fake+passport|howto fake passport - Google Suche|2022-07-04 17:16:03
https://www.mozilla.org/de/privacy/firefox/|Firefox Datenschutzhinweis — Mozilla|2022-07-04 17:15:42
https://www.mozilla.org/privacy/firefox/||2022-07-04 17:15:42
```
In Ordner Downloads bei Belle war eine passport.jpg. war nicht öffenbar, da magicbytes zerstört, kopiert, magic bytes repariert, siehe bild aus der gruppe
```
┌──(root㉿kali)-[~]
└─# file /mnt/forensik/home/belle/Downloads/passport.jpg
exiftool /mnt/forensik/home/belle/Downloads/passport.jpg
/mnt/forensik/home/belle/Downloads/passport.jpg: data
ExifTool Version Number : 13.25
File Name : passport.jpg
Directory : /mnt/forensik/home/belle/Downloads
File Size : 53 kB
File Modification Date/Time : 2022:07:04 19:19:25+02:00
File Access Date/Time : 2022:07:04 19:19:10+02:00
File Inode Change Date/Time : 2022:07:04 19:19:25+02:00
File Permissions : -rw-rw-r--
Error : File format error
┌──(root㉿kali)-[~]
└─# xxd /mnt/forensik/home/belle/Downloads/passport.jpg | head -n 10
00000000: 0000 ffe0 0010 4a46 4946 0001 0101 0048 ......JFIF.....H
```
bash history von pc user:
```
┌──(root㉿kali)-[/mnt/forensik/home/pc]
└─# cat .bash_history
exit
sudo gedit /etc/ssh/ssh_config
sudo gedit /etc/ssh/
sudo gedit /etc/ssh/ssh_config
ssh pc@localhost
sudo service ssh
sudo apt-get install openssh-server
sudo apt-get install openssh-client
gedit /etc/ssh/sshd_config
sudo gedit /etc/ssh/sshd_config
service ssh restart
ssh pc@localhost
ping googl.de
ip
ip a
exit
lsblk
fdisk -l vda
sudo fdisk -l vda
sudo fdisk -l /dev/vda
ip a
sudo usermod aG sudo pc
sudo usermod -aG sudo pc
ip a
exit
sudo parted
```
Downloadsordner von belle hatte Pass.kdbx datei:
```
┌──(root㉿kali)-[/mnt/forensik]
└─# keepassxc /mnt/forensik/home/belle/Dokumente/Pass.kdbx
```
mit passwort: Eip7uoKo
(Passwörter gecracked von Markus)
findet man Passwort für Veracrypt: forgeMaster
(siehe Gruppe)
Mit dem Passwort kann man den verschlüsselten Windows Ordner öffnen:
```
┌──(kali㉿kali)-[/mnt/windows/business]
└─$ sudo mkdir -p /mnt/tmp_business
sudo veracrypt --text --pim=0 --hash=sha512 --protect-hidden=no --mount /mnt/windows/business/business /mnt/tmp_business
Enter password for /mnt/windows/business/business: forgeMaster
Enter keyfile [none]:
```
```
┌──(kali㉿kali)-[/mnt/windows/business]
└─$ ls -lah /mnt/tmp_business
total 10K
drwx------ 3 kali kali 1.0K Jan 1 1970 .
drwxr-xr-x 9 root root 4.0K Jul 19 16:48 ..
drwx------ 4 kali kali 5.0K Jul 4 2022 paesse
┌──(kali㉿kali)-[/mnt/windows/business]
└─$ ls -lah /mnt/tmp_business/paesse
total 273K
drwx------ 4 kali kali 5.0K Jul 4 2022 .
drwx------ 3 kali kali 1.0K Jan 1 1970 ..
-rwx------ 1 kali kali 1004 Nov 30 2018 back_to_samples.gif
-rwx------ 1 kali kali 11K Nov 30 2018 b-contacts.jpg
-rwx------ 1 kali kali 11K Nov 30 2018 b-news.jpg
-rwx------ 1 kali kali 27K Nov 30 2018 b-samples.jpg
-rwx------ 1 kali kali 1.2K Nov 30 2018 button_email.gif
drwx------ 2 kali kali 2.0K Jul 4 2022 Cover
-rwx------ 1 kali kali 43 Nov 30 2018 emty.gif
-rwx------ 1 kali kali 484 Nov 30 2018 flash_r1_c2e.gif
-rwx------ 1 kali kali 518 Nov 30 2018 flash_r1_c3e.gif
-rwx------ 1 kali kali 508 Nov 30 2018 flash_r1_c6e.gif
-rwx------ 1 kali kali 2.2K Nov 30 2018 head_r1_c1.jpg
-rwx------ 1 kali kali 12K Nov 30 2018 head_r1_c2.jpg
-rwx------ 1 kali kali 1.9K Nov 30 2018 head_r2_c1.gif
-rwx------ 1 kali kali 2.4K Nov 30 2018 index.html
-rwx------ 1 kali kali 29K Nov 30 2018 index.php.CB66877E.html
-rwx------ 1 kali kali 12K Jul 4 2022 index.shtml
drwx------ 2 kali kali 1.0K Jul 4 2022 inside
-rwx------ 1 kali kali 15K Nov 30 2018 main.jpg
-rwx------ 1 kali kali 365 Nov 30 2018 menu_r1_c1e.gif
-rwx------ 1 kali kali 391 Nov 30 2018 menu_r1_c2e.gif
-rwx------ 1 kali kali 460 Nov 30 2018 menu_r1_c3e.gif
-rwx------ 1 kali kali 492 Nov 30 2018 menu_r1_c4e.gif
-rwx------ 1 kali kali 1.1K Nov 30 2018 menu_r1_c5e.gif
-rwx------ 1 kali kali 1.1K Nov 30 2018 menu_r1_c6e.gif
-rwx------ 1 kali kali 483 Nov 30 2018 menu_r1_c7e.gif
-rwx------ 1 kali kali 802 Nov 30 2018 menu_rfid.gif
-rwx------ 1 kali kali 388 Nov 30 2018 m-maine.gif
-rwx------ 1 kali kali 9.1K Nov 30 2018 novelty_fake_id_contacts.shtml
-rwx------ 1 kali kali 19K Nov 30 2018 novelty_fake_id_pricing.shtml
-rwx------ 1 kali kali 14K Nov 30 2018 novelty_fake_id_samples.shtml
-rwx------ 1 kali kali 20K Nov 30 2018 parashut.gif
-rwx------ 1 kali kali 1.9K Nov 30 2018 pricing.GIF
-rwx------ 1 kali kali 3.3K Nov 30 2018 privacy.gif
-rwx------ 1 kali kali 1.9K Nov 30 2018 tab2_r1_c13e.gif
-rwx------ 1 kali kali 1.9K Nov 30 2018 tab2_r1_c14e.gif
-rwx------ 1 kali kali 2.0K Nov 30 2018 tab2_r1_c16e.gif
-rwx------ 1 kali kali 2.0K Nov 30 2018 tab2_r1_c1e.gif
-rwx------ 1 kali kali 1.2K Nov 30 2018 tab2_r4_c2e.gif
-rwx------ 1 kali kali 255 Nov 30 2018 tab_r1_c1.gif
-rwx------ 1 kali kali 252 Nov 30 2018 tab_r1_c4.gif
-rwx------ 1 kali kali 93 Nov 30 2018 tab_r2_c1.gif
-rwx------ 1 kali kali 88 Nov 30 2018 tab_r2_c4.gif
-rwx------ 1 kali kali 62 Nov 30 2018 tab_r3_c1.gif
-rwx------ 1 kali kali 62 Nov 30 2018 tab_r3_c2.gif
-rwx------ 1 kali kali 61 Nov 30 2018 tab_r3_c4.gif
-rwx------ 1 kali kali 136 Nov 30 2018 tab_r4_c1.gif
-rwx------ 1 kali kali 128 Nov 30 2018 tab_r4_c2.gif
-rwx------ 1 kali kali 138 Nov 30 2018 tab_r4_c4.gif
-rwx------ 1 kali kali 116 Nov 30 2018 tab_r5_c1.gif
-rwx------ 1 kali kali 241 Nov 30 2018 tab_r5_c2.gif
-rwx------ 1 kali kali 114 Nov 30 2018 tab_r5_c4.gif
-rwx------ 1 kali kali 1.9K Nov 30 2018 terms.gif
-rwx------ 1 kali kali 20K Nov 30 2018 terms.shtml
-rwx------ 1 kali kali 3.4K Nov 30 2018 Ukpassport-cover.jpg
-rwx------ 1 kali kali 2.9K Nov 30 2018 'UK passport.shtml'
```
auf den .shtml dateien findet man die website von dem vermutlichen täter
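Review bot: the location of Pass.kdbx is recorded inconsistently: the sentence introducing the keepassxc call says the file was in belle's Downloads folder, but the command opens `/mnt/forensik/home/belle/Dokumente/Pass.kdbx`, and the report in this same commit lists it under `belle/Dokumente/`, so the sentence should say Dokumente. The repair of passport.jpg is documented only as "siehe bild aus der gruppe"; the xxd output shows the first two bytes as `0000` where a JFIF file carries the SOI marker `ffd8`, so the notes should state which bytes were written back, that the edit was made on a copy rather than on the mounted evidence, and the SHA-256 of the original and of the repaired copy, otherwise the repaired image cannot be tied back to the evidence. Minor: the first fence is tagged `sql` although it holds a shell session with a single sqlite3 invocation, while the other fences in this file are untagged; drop the tag or use `bash` consistently.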

@ -0,0 +1,759 @@
# [++] Forensic report of case: windowsLog
## [++] Description
Analyse der Windows partition
## [++] Timeline of Commands and Comments
### [+] Timestamp: `2025-07-19T08-42-13-560508+00-00`
#### [+] Comment from analyst: Markus Winklhofer
#### [+] Content:
Image bereits als Loopdevice angelegt und jetzt wird anschließend gemounted und die Windoespartition forensisch analysiert
---
### [+] Command: `sudo fdisk -l`
- Timestamp: `2025-07-19T08-43-00-004975+00-00`
- GPG-signature: [+] Valid
- SHA256: `43a7e40ef8949b90c8e89dafdd962bb263e8f6556d2a1c80c3f689bf1fb968c1`
#### Output:
```Shell
[STDOUT]
Disk /dev/vda: 40 GiB, 42949672960 bytes, 83886080 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: C00980BD-CD97-44C9-A883-C367CE8873C7
Device Start End Sectors Size Type
/dev/vda1 2048 34815 32768 16M Linux filesystem
/dev/vda2 34816 2035711 2000896 977M EFI System
/dev/vda3 2035712 79546367 77510656 37G Linux filesystem
/dev/vda4 79546368 83884031 4337664 2.1G Linux swap
Disk /dev/nbd0: 33 GiB, 35433480192 bytes, 69206016 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 131072 bytes
Disklabel type: gpt
```
#### Context:
### [+] Legal Context for `sudo fdisk -l`
**Analyst:** Markus Winklhofer
**Timestamp:** 2025-07-20T11:57:41.175563+00:00
**[!] Note:** This command was executed with administrative rights (`sudo`).
`fdisk` is an interactive command-line tool to create, delete, and manage partitions on storage devices.
Lists partition tables of all recognized devices.
---
### [+] Command: `sudo mmls /dev/nbd0`
- Timestamp: `2025-07-19T08-43-21-603461+00-00`
- GPG-signature: [+] Valid
- SHA256: `1e7e7d7d86604a62aceffd32db9f4f6f897f22c84de9f2367b46bf6fa4d9b77b`
#### Output:
```Shell
[STDOUT]
GUID Partition Table (EFI)
Offset Sector: 0
Units are in 512-byte sectors
Slot Start End Length Description
000: Meta 0000000000 0000000000 0000000001 Safety Table
001: ------- 0000000000 0000002047 0000002048 Unallocated
002: Meta 0000000001 0000000001 0000000001 GPT Header
003: Meta 0000000002 0000000033 0000000032 Partition Table
004: 000 0000002048 0000004095 0000002048
005: 001 0000004096 0001054719 0001050624 EFI System Partition
006: 002 0001054720 0046135295 0045080576
007: ------- 0046135296 0046874623 0000739328 Unallocated
008: 003 0046874624 0068360191 0021485568 FAT
009: ------- 0068360192 0069206015 0000845824 Unallocated
[STDERR]
```
#### Context:
### [+] Legal Context for `sudo mmls /dev/nbd0`
**Analyst:** Markus Winklhofer
**Timestamp:** 2025-07-20T11:57:41.187798+00:00
**[!] Note:** This command was executed with administrative rights (`sudo`).
`mmls` analyzes the partition layout of a disk image without modifying it. It shows partitions, offsets, and sizes — a typical forensic step before mounting.
---
### [+] Command: `sudo mount -o ro /dev/nbd0p4 ~/mnt/windows`
- Timestamp: `2025-07-19T08-45-08-725153+00-00`
- GPG-signature: [+] Valid
- SHA256: `aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f`
#### Output:
```Shell
[STDOUT]
[STDERR]
```
#### Context:
### [+] Legal Context for `sudo mount -o ro /dev/nbd0p4 ~/mnt/windows`
**Analyst:** Markus Winklhofer
**Timestamp:** 2025-07-20T11:57:41.225568+00:00
**[!] Note:** This command was executed with administrative rights (`sudo`).
`mount` is used to attach a filesystem to the directory tree. In forensic contexts, it must be used cautiously, as mounting can alter timestamps or content.
The `-o` option sets mount parameters — e.g., to enable read-only mode or suppress timestamp changes.
`ro` stands for "read-only". It ensures that the mounted filesystem is not modified. This is critical in digital forensics.
---
### [+] Command: `file ~/mnt/windows/business/business `
- Timestamp: `2025-07-19T08-47-12-169525+00-00`
- GPG-signature: [+] Valid
- SHA256: `ddde4a678fd1627868e4b7f7be63273df4698f55d6b06069fd92eb5bcf6531db`
#### Output:
```Shell
[STDOUT]
/home/forick/mnt/windows/business/business: data
[STDERR]
```
#### Context:
### [+] Legal Context for `file ~/mnt/windows/business/business`
**Analyst:** Markus Winklhofer
**Timestamp:** 2025-07-20T11:57:41.239020+00:00
`file` identifies file types by examining magic numbers and headers. Useful for verifying or correcting file extensions and detecting anomalies.
---
### [+] Command: `xxd business | head`
- Timestamp: `2025-07-19T08-49-20-139817+00-00`
- GPG-signature: [+] Valid
- SHA256: `d637733a8611dd3a59413fcfccbba0bf9570452f943569608795395f5db9a147`
#### Output:
```Shell
[STDOUT]
00000000: 6eb4 2189 ffa2 36d4 bddc 7b86 9304 48ae n.!...6...{...H.
00000010: 6efd a848 cdf3 24bc da26 be81 bfd7 9e17 n..H..$..&......
00000020: 66c6 9f07 d791 1071 7bfd a3a9 4dcd 86af f......q{...M...
00000030: 083a 3b06 ae59 ac64 e294 1f54 6fef 2654 .:;..Y.d...To.&T
00000040: 47cd bcd8 dd96 7fd5 7713 94ca 3860 8081 G.......w...8`..
00000050: 663a 5711 ad69 2ea2 7b40 5969 bc7f ceb6 f:W..i..{@Yi....
00000060: 20ca 92d8 6cc4 b540 7799 44a2 c91b e4bc ...l..@w.D.....
00000070: 3d9c 2e45 db8b 6ce8 d2b8 de2a f403 2edc =..E..l....*....
00000080: 3d61 7ac4 f06d a7d5 828e e896 7138 cd98 =az..m......q8..
00000090: a4b6 79f3 e518 3c18 e0ff b983 c2f1 1ab2 ..y...<.........
[STDERR]
```
#### Context:
### [+] Legal Context for `xxd business | head`
**Analyst:** Markus Winklhofer
**Timestamp:** 2025-07-20T11:57:41.249584+00:00
The `xxd` command creates a hexadecimal dump of a given file. This is useful for inspecting raw data structures or headers.
---
### [+] Command: `sudo mount -o ro /dev/nbd0p3 ~/mnt/linux`
- Timestamp: `2025-07-19T08-52-36-712619+00-00`
- GPG-signature: [+] Valid
- SHA256: `aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f`
#### Output:
```Shell
[STDOUT]
[STDERR]
```
#### Context:
### [+] Legal Context for `sudo mount -o ro /dev/nbd0p3 ~/mnt/linux`
**Analyst:** Markus Winklhofer
**Timestamp:** 2025-07-20T11:57:41.296805+00:00
**[!] Note:** This command was executed with administrative rights (`sudo`).
`mount` is used to attach a filesystem to the directory tree. In forensic contexts, it must be used cautiously, as mounting can alter timestamps or content.
The `-o` option sets mount parameters — e.g., to enable read-only mode or suppress timestamp changes.
`ro` stands for "read-only". It ensures that the mounted filesystem is not modified. This is critical in digital forensics.
---
### [+] Timestamp: `2025-07-19T08-53-48-208768+00-00`
#### [+] Comment from analyst: Markus Winklhofer
#### [+] Content:
Unter Windows Partition derzeit keine Ergebnisse, desshalb wurde Linux Partition gemounted und anschließend analysiert.
---
### [+] Command: `sudo cat shadow`
- Timestamp: `2025-07-19T09-17-43-927272+00-00`
- GPG-signature: [+] Valid
- SHA256: `c1f678376e214937833b8b20a631606fdf86a427045f287709f812916ae0f524`
#### Output:
```Shell
[STDOUT]
root:!:19175:0:99999:7:::
daemon:*:19101:0:99999:7:::
bin:*:19101:0:99999:7:::
sys:*:19101:0:99999:7:::
sync:*:19101:0:99999:7:::
games:*:19101:0:99999:7:::
man:*:19101:0:99999:7:::
lp:*:19101:0:99999:7:::
mail:*:19101:0:99999:7:::
news:*:19101:0:99999:7:::
uucp:*:19101:0:99999:7:::
proxy:*:19101:0:99999:7:::
www-data:*:19101:0:99999:7:::
backup:*:19101:0:99999:7:::
list:*:19101:0:99999:7:::
irc:*:19101:0:99999:7:::
gnats:*:19101:0:99999:7:::
nobody:*:19101:0:99999:7:::
systemd-network:*:19101:0:99999:7:::
... (truncated, showing first 20 and last 10 lines)
pulse:*:19101:0:99999:7:::
gnome-initial-setup:*:19101:0:99999:7:::
hplip:*:19101:0:99999:7:::
gdm:*:19101:0:99999:7:::
pc:$y$j9T$graH6StsN64vZy4TX6DLO1$jFAPKwPTtCP25YeK6fiAIcbse.xZb3XaFXnIuwfaej4:19175:0:99999:7:::
sshd:*:19175:0:99999:7:::
belle:$6$mysalt$YapdgZlg0yR2OqcmMqMSk7rtEfLo2l0Yh/T4o8s1qilhHZUxHspG7n0nx2kzplXK9bBt1b7xx0/lExTeVDVDw0:19177:0:99999:7:::
kiara:$6$mysalt$O3uB2Z2bsrQzEWnKMGiud28mGyGERuQKillaz.0EktBTWK4YfHTCFOiUhUSWGBjgwL5wd1VHMnjVcDBGgFu7r0:19177:0:99999:7:::
[STDERR]
```
#### Context:
### [+] Legal Context for `sudo cat shadow`
**Analyst:** Markus Winklhofer
**Timestamp:** 2025-07-20T11:57:41.309219+00:00
**[!] Note:** This command was executed with administrative rights (`sudo`).
`cat` concatenates and displays the content of files. It is commonly used to view file contents or combine multiple files.
---
### [+] Timestamp: `2025-07-19T09-19-32-944437+00-00`
#### [+] Comment from analyst: Markus Winklhofer
#### [+] Content:
Es sind die drei User zu sehen im Shadow-File. Inklusive hash des passworts, verwendetem Salt und gehashtem Wert, sowie Zeitstempel. Anschließend werden diese Hashes gesichert.
---
> [!Info] Note
> Andere Passwörter hab ich schon mit hashcat und der wordList.txt geknackt.
>
---
### [+] Command: `sudo grep '^pc:' shadow > ~/evidence/linux-passHashes/hashes.txt`
- Timestamp: `2025-07-19T09-33-23-227939+00-00`
- GPG-signature: [+] Valid
- SHA256: `aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f`
#### Output:
```Shell
[STDOUT]
[STDERR]
```
#### Context:
### [+] Legal Context for `sudo grep '^pc:' shadow > ~/evidence/linux-passHashes/hashes.txt`
**Analyst:** Markus Winklhofer
**Timestamp:** 2025-07-20T11:57:41.337992+00:00
**[!] Note:** This command was executed with administrative rights (`sudo`).
`grep` searches for patterns in text files. In forensics, it helps extract relevant entries from logs, configs, or dumps.
---
### [+] Command: `cut -d: -f2 ~/evidence/linux-passHashes/hashes.txt > ~/evidence/linux-passHashes/hashes_hashcat.txt`
- Timestamp: `2025-07-19T09-41-50-673936+00-00`
- GPG-signature: [+] Valid
- SHA256: `aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f`
#### Output:
```Shell
[STDOUT]
[STDERR]
```
#### Context:
### [+] Legal Context for `cut -d: -f2 ~/evidence/linux-passHashes/hashes.txt > ~/evidence/linux-passHashes/hashes_hashcat.txt`
**Analyst:** Markus Winklhofer
**Timestamp:** 2025-07-20T11:57:41.362354+00:00
`cut` removes sections from each line of files. It is commonly used to extract specific columns or fields.
Specifies the delimiter character.
Specifies the fields to extract.
---
### [+] Timestamp: `2025-07-19T14-35-17-836177+00-00`
#### [+] Comment from analyst: Markus Winklhofer
#### [+] Content:
Passwörter von User belle und kiara wurden geknackt und lauten: ohQuep1A (kiara) und Eip7uoKo (belle)
---
### [+] Timestamp: `2025-07-19T14-46-11-098224+00-00`
#### [+] Comment from analyst: Markus Winklhofer
#### [+] Content:
Anschließend wird versucht die Datei auf der Windowspartition mit den erhaltenen Passwörtern zu öffnen.
---
### [+] Timestamp: `2025-07-19T15-09-38-776505+00-00`
#### [+] Comment from analyst: Markus Winklhofer
#### [+] Content:
Passwort von User pc wird anschließend geknackt.
---
### [+] Timestamp: `2025-07-19T15-28-09-158744+00-00`
#### [+] Comment from analyst: Markus Winklhofer
#### [+] Content:
Okay Passwort von User pc muss jetzt doch mit John geknackt werden weil Hashcat mich verlassen hat. R.I.P hashcat
---
### [+] Timestamp: `2025-07-19T16-08-43-581807+00-00`
#### [+] Comment from analyst: Markus Winklhofer
#### [+] Content:
Alle mit john durchzuprobieren würde zu lange dauern. unshadowed Datei wird manuell bereinigt.
---
### [+] Timestamp: `2025-07-19T16-22-52-786709+00-00`
#### [+] Comment from analyst: Markus Winklhofer
#### [+] Content:
User pc hash lässt sich nicht decrypten. Was bekannt ist: höchst wahrscheinlich yescrypt
---
### [+] Timestamp: `2025-07-19T16-23-12-195637+00-00`
#### [+] Comment from analyst: Markus Winklhofer
#### [+] Content:
Dann schauen wir doch nochmal auf das business file im Windows
---
### [+] Timestamp: `2025-07-19T19-05-53-643688+00-00`
#### [+] Comment from analyst: Markus Winklhofer
#### [+] Content:
Business Datei unter Windowspartition wurde mit veracrypt gemounted. Jetzt haben wir einen Ordner namens paesse, welcher .jpeg, .gif und .html Dateien enthält. Wir haben ihn Kameraden.
---
### [+] Command: `cp -r paesse ~/evidence/paesse_secured`
- Timestamp: `2025-07-19T19-08-38-532451+00-00`
- GPG-signature: [+] Valid
- SHA256: `aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f`
#### Output:
```Shell
[STDOUT]
[STDERR]
```
#### Context:
### [+] Legal Context for `cp -r paesse ~/evidence/paesse_secured`
**Analyst:** Markus Winklhofer
**Timestamp:** 2025-07-20T11:57:41.463529+00:00
`cp` copies files and directories.
Copies directories recursively.
---
### [+] Command: `cat paesse_hashes.txt`
- Timestamp: `2025-07-19T19-15-35-249409+00-00`
- GPG-signature: [+] Valid
- SHA256: `e021c5fb88dbb683e55d00991fcf65e2ecb038e615375b6f8aa95091aa3d5cbc`
#### Output:
```Shell
[STDOUT]
2337d9209ebc59826b7c6839b62a073bfb4c6084ae7ca7b33091adf5b51124f0 paesse/b-contacts.jpg
56c54308a51a73f1fde781a923a7d5e33c992d54e5698c7a1a5f62df5faf96d6 paesse/b-news.jpg
699d7fbef975e4f75d8755a7cc9bb7c4e0d50e6aac35c676cfb84590cab4cab1 paesse/b-samples.jpg
4ce769d6291abad8e9e57911adbc7e263645c0cd5b2ad81fbfc5dd5339137883 paesse/back_to_samples.gif
88c50adcbd68e9b06317b0f10e4cd118bccb5ee9c6b7d15b2053c7475a0f4b7c paesse/button_email.gif
b1442e85b03bdcaf66dc58c7abb98745dd2687d86350be9a298a1d9382ac849b paesse/emty.gif
1f3e68eef4da22b8c1991813a58cc2ca931e3a313db4dbb49dd5c64d34231021 paesse/flash_r1_c2e.gif
76eb565cb3290c6542c27d16b075de244bfb055eaba9ed744d6095e3d8163d95 paesse/flash_r1_c3e.gif
0cb5cb828aaa48c5b6ecaaff62812b74376143e8375af99969992d2d7c772290 paesse/flash_r1_c6e.gif
908bc1335ed5d3eb60eff3787cf33162d48e1ced5c116702719673722fc433cb paesse/head_r1_c1.jpg
edb7a8c927edbfe365fb0015892c4893f5ccedf217e4d61a94f6fa947daef9ae paesse/head_r1_c2.jpg
6985dfc8eb8836a79084decd3a7df6efbe70af108ea3942b897e16f5865b79bb paesse/head_r2_c1.gif
7a9847daf2ce9f8e612e8daea71c52dbcd2649b83685d9eeeb87e4c4f64b18f0 paesse/index.html
d3178da777620b3045cd390842a317c5fb5fb7f7baf49e14f2b85e54a98ecee9 paesse/index.php.CB66877E.html
c670355f7938549fa50faa7d80c764e64e9e67ec1e64309f2a68b0a6a5196635 paesse/index.shtml
e2704c3f9480d96bc8c70c30b2db3cec6ad73d9f8729ec9ada335eab7fb4534a paesse/m-maine.gif
983e88c639a4a60b8abd68188aabeb16cc1ffd36745ca2bdce29819c0bc3a912 paesse/main.jpg
a7d820cf32d4be1a04515f0334abae05cc6ceb385844a6ef57d4c6f9af73c75e paesse/menu_r1_c1e.gif
a1e852623a899f3e3be745d2819a650d666f5985cfbfae6d27785fce187a54ac paesse/menu_r1_c2e.gif
... (truncated, showing first 20 and last 10 lines)
2fa9099d8949fc6a6a4a6992ccd1c303ee201d4d7b12aab39c5d7c0c68265a66 paesse/Cover/Canada passport.jpg
cb41bb8bb1a969cdd498900574483d966fe3debd2e51996e4a4384a0d3461efc paesse/Cover/Finland passport.jpg
8c692f01c66852ab217b60bd36417b6603a8bf2fbba61163b914deb842dc7233 paesse/Cover/France passport.jpg
1dfb1a35d4a6efe8d6172014078eac070885c195a5c58b95ff47f435d9da22d0 paesse/Cover/German passport.jpg
a9723e7b99ffc8a8a36e1fd20346721286e681c9fd533d291b732acbfea10cb2 paesse/Cover/Netherlands passport.jpg
f51dda5ad02e23445ea503911324920c3776bb271c741eb6165fc2006e5fc130 paesse/Cover/UK license small.jpg
2963750629e0b3560c2a7ef52c4ffd82183395f551f43bf6548490a10acf0456 paesse/Cover/UK passport.jpg
a41f223bdb68803e763969808dcde3fcf14e10c97dd23b7314e083f21edc1b2d paesse/inside/pp-uk-open-big.jpg
[STDERR]
```
#### Context:
### [+] Legal Context for `cat paesse_hashes.txt`
**Analyst:** Markus Winklhofer
**Timestamp:** 2025-07-20T11:57:41.498045+00:00
`cat` concatenates and displays the content of files. It is commonly used to view file contents or combine multiple files.
---
### [+] Timestamp: `2025-07-19T19-44-42-593534+00-00`
#### [+] Comment from analyst: Markus Winklhofer
#### [+] Content:
Forenische Analyse der index.html, konnten viele Hinweise auf den verkauf von gefälschten Pässen gefunden werden. Die Seite beinhaltet mehrere Reiter, darunter auch 'Terms and Conditions', eine Preisliste, eine Enail Adresse (documents.service@safe-mail.net) und weitere Hinweise. Die genauen Hinweise werden anschließend aufgelistet
---
### [+] Timestamp: `2025-07-19T19-45-33-350345+00-00`
#### [+] Comment from analyst: Markus Winklhofer
#### [+] Content:
Passwort für Business File: forgeMaster
---
### [+] Timestamp: `2025-07-19T19-50-48-645917+00-00`
#### [+] Comment from analyst: Markus Winklhofer
#### [+] Content:
Anschließend wird nach Chatverläufen und Emailverkehr, sowie Browserverläufen gesucht
---
### [+] Command: `sudo ls -la belle`
- Timestamp: `2025-07-19T19-56-41-335702+00-00`
- GPG-signature: [+] Valid
- SHA256: `82baa87dfd52f9eaf1f17cb2016d112f83c1ae0428e1737c67b2869d02c0c997`
#### Output:
```Shell
[STDOUT]
total 76
drwxr-x--- 16 1001 1001 4096 Jul 4 2022 .
drwxr-xr-x 5 root root 4096 Jul 4 2022 ..
-rw-r--r-- 1 1001 1001 220 Jan 6 2022 .bash_logout
-rw-r--r-- 1 1001 1001 3771 Jan 6 2022 .bashrc
drwxr-xr-x 2 1001 1001 4096 Jul 4 2022 Bilder
drwx------ 13 1001 1001 4096 Jul 4 2022 .cache
drwx------ 14 1001 1001 4096 Jul 4 2022 .config
drwxr-xr-x 2 1001 1001 4096 Jul 4 2022 Dokumente
drwxr-xr-x 2 1001 1001 4096 Jul 4 2022 Downloads
drwx------ 2 1001 1001 4096 Jul 4 2022 .gnupg
drwx------ 3 1001 1001 4096 Jul 4 2022 .local
drwxr-xr-x 2 1001 1001 4096 Jul 4 2022 Musik
drwxr-xr-x 2 1001 1001 4096 Jul 4 2022 Öffentlich
-rw-r--r-- 1 1001 1001 807 Jan 6 2022 .profile
drwxr-xr-x 2 1001 1001 4096 Jul 4 2022 Schreibtisch
drwx------ 4 1001 1001 4096 Jul 4 2022 snap
drwx------ 2 1001 1001 4096 Jul 4 2022 .ssh
-rw-r--r-- 1 1001 1001 0 Jul 4 2022 .sudo_as_admin_successful
```
#### Context:
### [+] Legal Context for `sudo ls -la belle`
**Analyst:** Markus Winklhofer
**Timestamp:** 2025-07-20T11:57:41.509216+00:00
**[!] Note:** This command was executed with administrative rights (`sudo`).
`ls` lists files in a directory. It is used to gain an overview and does not modify data.
---
### [+] Timestamp: `2025-07-19T19-57-33-244846+00-00`
#### [+] Comment from analyst: Markus Winklhofer
#### [+] Content:
Zuerst durchsuchen wir den User belle (Der Command davor gehört dazu)
---
### [+] Command: `sudo ls -la belle/Bilder`
- Timestamp: `2025-07-19T19-58-19-142111+00-00`
- GPG-signature: [+] Valid
- SHA256: `b916127be77302898d8d5d0a74789e0da96e597c8cc36239ba3555fdeadde089`
#### Output:
```Shell
[STDOUT]
total 8
drwxr-xr-x 2 1001 1001 4096 Jul 4 2022 .
drwxr-x--- 16 1001 1001 4096 Jul 4 2022 ..
[STDERR]
```
#### Context:
### [+] Legal Context for `sudo ls -la belle/Bilder`
**Analyst:** Markus Winklhofer
**Timestamp:** 2025-07-20T11:57:41.520846+00:00
**[!] Note:** This command was executed with administrative rights (`sudo`).
`ls` lists files in a directory. It is used to gain an overview and does not modify data.
---
### [+] Command: `sudo ls -la belle/.config`
- Timestamp: `2025-07-19T20-08-05-109640+00-00`
- GPG-signature: [+] Valid
- SHA256: `78eaefb4186c21188354ab750c8082743330d3871e8c0bebbc7cec9b647b686d`
#### Output:
```Shell
[STDOUT]
total 72
drwx------ 14 1001 1001 4096 Jul 4 2022 .
drwxr-x--- 16 1001 1001 4096 Jul 4 2022 ..
drwx------ 2 1001 1001 4096 Jul 4 2022 dconf
drwx------ 3 1001 1001 4096 Jul 4 2022 evolution
-rw-rw-r-- 1 1001 1001 3 Jul 4 2022 gnome-initial-setup-done
drwx------ 3 1001 1001 4096 Jul 4 2022 gnome-session
drwxr-xr-x 2 1001 1001 4096 Jul 4 2022 goa-1.0
-rw-rw-r-- 1 1001 1001 0 Jul 4 2022 .gsd-keyboard.settings-ported
drwx------ 2 1001 1001 4096 Jul 4 2022 gtk-3.0
drwx------ 2 1001 1001 4096 Jul 4 2022 gtk-4.0
drwx------ 3 1001 1001 4096 Jul 4 2022 ibus
drwxrwxr-x 2 1001 1001 4096 Jul 4 2022 keepassxc
drwxr-xr-x 2 1001 1001 4096 Jul 4 2022 nautilus
drwx------ 2 1001 1001 4096 Jul 4 2022 pulse
-rw-rw-r-- 1 1001 1001 106 Jul 4 2022 QtProject.conf
drwx------ 2 1001 1001 4096 Jul 4 2022 update-notifier
-rw------- 1 1001 1001 640 Jul 4 2022 user-dirs.dirs
-rw-rw-r-- 1 1001 1001 5 Jul 4 2022 user-dirs.locale
```
#### Context:
### [+] Legal Context for `sudo ls -la belle/.config`
**Analyst:** Markus Winklhofer
**Timestamp:** 2025-07-20T11:57:41.529524+00:00
**[!] Note:** This command was executed with administrative rights (`sudo`).
`ls` lists files in a directory. It is used to gain an overview and does not modify data.
---
### [+] Command: `sudo ls -la belle/.cache`
- Timestamp: `2025-07-19T20-08-50-883916+00-00`
- GPG-signature: [+] Valid
- SHA256: `39e23eb4173556a2dce5e3b0562a4b8ab6b340e77f077cb5e2798ec8b0d76711`
#### Output:
```Shell
[STDOUT]
total 64
drwx------ 13 1001 1001 4096 Jul 4 2022 .
drwxr-x--- 16 1001 1001 4096 Jul 4 2022 ..
-rw-r--r-- 1 1001 1001 12288 Jul 4 2022 event-sound-cache.tdb.6746c953637546dc9d96c167a444559c.x86_64-pc-linux-gnu
drwx------ 8 1001 1001 4096 Jul 4 2022 evolution
drwx------ 3 1001 1001 4096 Jul 4 2022 gnome-desktop-thumbnailer
drwxrwxr-x 2 1001 1001 4096 Jul 4 2022 gstreamer-1.0
drwxrwxr-x 3 1001 1001 4096 Jul 4 2022 ibus
drwxrwxr-x 2 1001 1001 4096 Jul 4 2022 ibus-table
drwxrwxr-x 2 1001 1001 4096 Jul 4 2022 keepassxc
drwxr-xr-x 97 1001 1001 4096 Jul 4 2022 mesa_shader_cache
drwx------ 4 1001 1001 4096 Jul 4 2022 thumbnails
drwx------ 3 1001 1001 4096 Jul 4 2022 tracker3
drwx------ 2 1001 1001 4096 Jul 4 2022 ubuntu-report
drwxrwxr-x 2 1001 1001 4096 Jul 4 2022 update-manager-core
[STDERR]
```
#### Context:
### [+] Legal Context for `sudo ls -la belle/.cache`
**Analyst:** Markus Winklhofer
**Timestamp:** 2025-07-20T11:57:41.538887+00:00
**[!] Note:** This command was executed with administrative rights (`sudo`).
`ls` lists files in a directory. It is used to gain an overview and does not modify data.
---
### [+] Command: `sudo ls -la belle/Dokumente/Pass.kdbx`
- Timestamp: `2025-07-19T20-14-23-496084+00-00`
- GPG-signature: [+] Valid
- SHA256: `d20f70753042c1eb64f27c65792dc833b48f36a22a98a20cbe318741a6cbe9a4`
#### Output:
```Shell
[STDOUT]
-rw------- 1 1001 1001 1605 Jul 4 2022 belle/Dokumente/Pass.kdbx
[STDERR]
```
#### Context:
### [+] Legal Context for `sudo ls -la belle/Dokumente/Pass.kdbx`
**Analyst:** Markus Winklhofer
**Timestamp:** 2025-07-20T11:57:41.547486+00:00
**[!] Note:** This command was executed with administrative rights (`sudo`).
`ls` lists files in a directory. It is used to gain an overview and does not modify data.
---
### [+] Timestamp: `2025-07-19T20-15-03-978366+00-00`
#### [+] Comment from analyst: Markus Winklhofer
#### [+] Content:
Passwortmanager schon von Eric gemacht: Passwort für Windows partition.
---
### [+] Command: `sudo cat belle/.ssh/id_rsa`
- Timestamp: `2025-07-19T21-05-04-042237+00-00`
- GPG-signature: [+] Valid
- SHA256: `f36e6f459dcb473e51ffafbbf7c84eb014d20b209b6aec5137be2b2fc8a8d910`
#### Output:
```Shell
[STDOUT]
-----BEGIN OPENSSH PRIVATE KEY-----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... (truncated, showing first 20 and last 10 lines)
J1i1XmO49o/FP0mze51sFnPG7OtWpKOXR7m3pha8akpnNZ7IcnF/xZfVxiykVGmmSRn+eT
J9i53CQTukHQSNG12zlYZhXhfXigFjDQAAAMEA9UCGcYR1KkIrx1zlITQAvJfYPIWPEfgz
6iEvErwXZ9wjyVovoi6tT+lWHa/Hz2Larj4uUgXAuqL0ZkNwj4WBNuQOcbzkyMW9oJ8EOb
8wl6AppLW0FqxMhmu2UWl9eGeGEr/DsEnIYfTPu+L8aIGmdLjn6Iefu8QYab/YSvVNEkMW
cMJ4yBQhhgpyhFtSO3mxSSZ9sXX16PTuIz0ZZR5EXp5B54RSMlCWSvNv59f4XK0oZ6GdmM
rcY97g+jJdO6fPAAAAMWFuc2libGUtZ2VuZXJhdGVkIG9uIHBjLVN0YW5kYXJkLVBDLVEz
NS1JQ0g5LTIwMDkB
-----END OPENSSH PRIVATE KEY-----
[STDERR]
```
#### Context:
### [+] Legal Context for `sudo cat belle/.ssh/id_rsa`
**Analyst:** Markus Winklhofer
**Timestamp:** 2025-07-20T11:57:41.555969+00:00
**[!] Note:** This command was executed with administrative rights (`sudo`).
`cat` concatenates and displays the content of files. It is commonly used to view file contents or combine multiple files.
---
### [+] Command: `sudo cat belle/.ssh/id_rsa.pub`
- Timestamp: `2025-07-19T21-06-59-071476+00-00`
- GPG-signature: [+] Valid
- SHA256: `10e017969f0c7635be44d0a4f8d5ec505414e228883f7a8109b807633c9d19f7`
#### Output:
```Shell
[STDOUT]
ssh-rsa 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 ansible-generated on pc-Standard-PC-Q35-ICH9-2009
[STDERR]
```
#### Context:
### [+] Legal Context for `sudo cat belle/.ssh/id_rsa.pub`
**Analyst:** Markus Winklhofer
**Timestamp:** 2025-07-20T11:57:41.564473+00:00
**[!] Note:** This command was executed with administrative rights (`sudo`).
`cat` concatenates and displays the content of files. It is commonly used to view file contents or combine multiple files.
---
## [+] GPG-Overview
Each `.log`-file was digitally signed with GPG where applicable.
The signature status is documented per command.
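Review bot: the output block of the `sudo cat belle/.ssh/id_rsa` entry reproduces the private key itself; a private key does not belong in a report that is circulated for review, and the rendering has already mangled the bytes. Record the file's SHA-256 and the key fingerprint (`ssh-keygen -lf`), keep the key file in the evidence store, and treat the `id_rsa.pub` entry the same way, where the comment `ansible-generated on pc-Standard-PC-Q35-ICH9-2009` is the finding worth keeping. The analyst comment at 19:05 states that the business file was mounted with veracrypt, yet unlike every other action there is no command entry with timestamp, signature and hash for that step; the Findings file in this commit has the exact invocation (`veracrypt --text --pim=0 --hash=sha512 --protect-hidden=no --mount ...`), and the `--hash` and PIM values are what an independent analyst needs to reproduce the mount, so log it here too. The identical SHA-256 `aec4dbda...` on both mount entries and on the grep, cut and cp entries shows that the hash covers only the captured output, which is empty for all five, so it says nothing about which command was run; the signed log should include the command line. Smaller points: the `pc` entry `pc:$y$j9T$...` carries the crypt identifier `$y$`, which is yescrypt by definition, so the comment "höchst wahrscheinlich yescrypt" can be stated as fact; belle and kiara both use the literal salt `mysalt`, worth recording as an indication that the accounts were provisioned by a script rather than set interactively; and `paesse_hashes.txt` is displayed without the command that produced it, so the hashing command (sha256sum, presumably) should be logged before the cat.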