From d2712963142d086c58d0da24d4f15fb7f20c67a8 Mon Sep 17 00:00:00 2001 From: Ahzek Date: Mon, 14 Jul 2025 20:42:26 +0200 Subject: [PATCH] Gutachten weitergefuehrt, betraechtliche Dateimengen gesichert --- Pruefungsleistung/abschlussbericht.md | 507 +++++++++++++- Pruefungsleistung/dif_gutachten_report.md | 801 ++++++++++++++++++++++ Pruefungsleistung/gutachten_report_01.md | 399 +++++++++++ 3 files changed, 1701 insertions(+), 6 deletions(-) create mode 100644 Pruefungsleistung/dif_gutachten_report.md create mode 100644 Pruefungsleistung/gutachten_report_01.md diff --git a/Pruefungsleistung/abschlussbericht.md b/Pruefungsleistung/abschlussbericht.md index 4ecc9a2..0fa9d84 100644 --- a/Pruefungsleistung/abschlussbericht.md +++ b/Pruefungsleistung/abschlussbericht.md @@ -8,17 +8,22 @@ Bearbeitende Forensiker: - Niklas Heringer # Datenübergabe -Die Daten des Falls wurden uns via einem **Write Blocker**. +Die Daten des Falls wurden uns via einem **Write Blocker** übergeben, zu sehen im folgenden Bild: ![Image](IMG_4509.png) -+++ gescheite Bildbeschreibungen -Zur Sicherung des digitalen Beweismittels wurde zunächst das Tool `CRUWBlocker_.exe` ausgeführt, um den Write Blocker ordnungsgemäß zu initialisieren -Dies dient der Gewährleistung der Integrität der vorliegenden Daten gemäß forensischer Standards. - +Die technischen Daten des Write Blockers: ![Image](IMG_4513.png) + +Die technischen Daten des Netzteils des Write Blockers: ![Image](IMG_4514.png) +Zur Sicherung des digitalen Beweismittels wurde zunächst das Tool `CRUWBlocker_.exe` ausgeführt, um den Write Blocker ordnungsgemäß zu initialisieren. + +> Die Verwendung des Write Blockers dient der Gewährleistung der Integrität der vorliegenden Daten gemäß forensischer Standards. + +Übertragungsaufbau: ![Image](IMG_4506.png) +Technische Daten der Ursprungsfestplatte: ![Image](IMG_4510.png) Nach erfolgreichem Anschluss des Datenträgers wurden die Systeminformationen des Datenträgers erhoben: 
@@ -96,4 +101,494 @@ Algorithm Hash --------- ---- ---- MD5 BE61A64B8AAD45ABBC0B4C266B688EB2 C:\Users\herin\Documents\DIF PL\ForImage2.img ``` -+++ gescheite Command-Erklärungen \ No newline at end of file ++++ gescheite Command-Erklärungen + + +## Fallbearbeitung - Initialisierung +Team 13 verwendet in dieser Bearbeitung den eigens angefertigten [Forensic Log Tracker](https://github.com/mev0lent/forensic-log-tracker) - dieser dient der Automatisierung von Hashing, Autor-Signaturen sowie dem Protokollieren sämtlicher Aktionen. + +```bash +flt new-case gutachten --description "Forensisches Gutachten im Fall Tilo Barkholz" + [+] New case created: /home/kali/forensic-log-tracker/logs/gutachten +[+] Logs for case 'gutachten' will be stored in: /home/kali/forensic-log-tracker/logs/gutachten +``` + +```bash +md5sum ForImage2.img +be61a64b8aad45abbc0b4c266b688eb2 ForImage2.img +``` + +Die Übertragung auf die Bearbeitungs-VM erfolgte reibungslos. + + +--- + +## Fallbearbeitung - Bearbeitungslog + + +# [++] Forensic report of case: dif_gutachten + +## [++] Description +Forensisches Gutachten im Fall Tilo Barkholz + + +## [++] Timeline of Commands and Comments + +### [+] Command: `file ForImage2.img` +- Timestamp: `2025-07-14T18-03-17-505557+02-00` +- GPG-signature: [+] Valid +- SHA256: `7bf5d482601016dfe39f3de29aad7f83b3a0f59d3177828e1f1823817b1778d8` + +#### Output: +```Shell +[STDOUT] +ForImage2.img: QEMU QCOW Image (v3), 35433480192 bytes (v3), 35433480192 bytes + +[STDERR] +``` + +#### Context: +### [+] Legal Context for `file ForImage2.img` + +**Analyst:** Niklas Heringer +**Timestamp:** 2025-07-14T18:21:56.035483+02:00 + +`file` identifies file types by examining magic numbers and headers. Useful for verifying or correcting file extensions and detecting anomalies. + +--- + +### [+] Timestamp: `2025-07-14T18-05-10-852941+02-00` +#### [+] Comment from analyst: Niklas Heringer + +#### [+] Content: +Der file-Befehl wurde verwendet, um das Format des Abbilds zu bestimmen. 
Dabei wurde erkannt, dass es sich um ein QCOW2-Image handelt, ein haeufig genutztes Format fuer virtuelle Maschinen unter QEMU/KVM + +--- + +### [+] Timestamp: `2025-07-14T18-06-02-925862+02-00` +#### [+] Comment from analyst: Niklas Heringer + +#### [+] Content: +Wir werden nun Partitionen im Image identifizieren, um sie zu extrahiern & zu analysieren + +--- + +### [+] Command: `sudo modprobe nbd max_part=8` +- Timestamp: `2025-07-14T18-06-22-301370+02-00` +- GPG-signature: [+] Valid +- SHA256: `aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f` + +#### Output: +```Shell +[STDOUT] + +[STDERR] +``` + +#### Context: +### [+] Legal Context for `sudo modprobe nbd max_part=8` + +**Analyst:** Niklas Heringer +**Timestamp:** 2025-07-14T18:21:56.051974+02:00 + +**[!] Note:** This command was executed with administrative rights (`sudo`). +[x] No specific explanation found. + +--- + +### [+] Command: `sudo: qemu-nbd: command not found` +- Timestamp: `2025-07-14T18-06-51-644697+02-00` +- GPG-signature: [+] Valid +- SHA256: `7bd21e679c39eb29ea0eebe56f0a54110538c4bdb094fbbd9d7b9e8d7c2a7ed4` + +#### Output: +```Shell +[!] Command failed: +sudo: qemu-nbd: command not found +``` + +#### Context: +### [+] Legal Context for `sudo: qemu-nbd: command not found` + +**Analyst:** Niklas Heringer +**Timestamp:** 2025-07-14T18:21:56.068456+02:00 + +[x] No specific explanation found. + +--- + +### [+] Command: `qemu-nbd: unrecognized option '--conect=/dev/nbd0'` +- Timestamp: `2025-07-14T18-07-49-932393+02-00` +- GPG-signature: [+] Valid +- SHA256: `23ec6e05fb897e4b0ad2d77613416100a2fcd3f300135a2e5677364b4b115d74` + +#### Output: +```Shell +[!] Command failed: +qemu-nbd: unrecognized option '--conect=/dev/nbd0' +qemu-nbd: Try `qemu-nbd --help' for more information. 
+``` + +#### Context: +### [+] Legal Context for `qemu-nbd: unrecognized option '--conect=/dev/nbd0'` + +**Analyst:** Niklas Heringer +**Timestamp:** 2025-07-14T18:21:56.085776+02:00 + +[x] No specific explanation found. + +--- + +### [+] Command: `sudo qemu-nbd --connect=/dev/nbd0 ForImage2.img` +- Timestamp: `2025-07-14T18-08-00-970730+02-00` +- GPG-signature: [+] Valid +- SHA256: `aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f` + +#### Output: +```Shell +[STDOUT] + +[STDERR] +``` + +#### Context: +### [+] Legal Context for `sudo qemu-nbd --connect=/dev/nbd0 ForImage2.img` + +**Analyst:** Niklas Heringer +**Timestamp:** 2025-07-14T18:21:56.102182+02:00 + +**[!] Note:** This command was executed with administrative rights (`sudo`). +[x] No specific explanation found. + +--- + +### [+] Command: `sudo fdisk -l /dev/nbd0` +- Timestamp: `2025-07-14T18-08-17-811009+02-00` +- GPG-signature: [+] Valid +- SHA256: `4a2bcce842d23a7b6e392a9e547e0942145cdd7450910980c116667d81b5078a` + +#### Output: +```Shell +[STDOUT] +Disk /dev/nbd0: 33 GiB, 35433480192 bytes, 69206016 sectors +Units: sectors of 1 * 512 = 512 bytes +Sector size (logical/physical): 512 bytes / 512 bytes +I/O size (minimum/optimal): 512 bytes / 131072 bytes +Disklabel type: gpt +Disk identifier: 7AB35F56-8FB0-407B-AC62-FD7C3E10AB6A + +Device Start End Sectors Size Type +/dev/nbd0p1 2048 4095 2048 1M BIOS boot +/dev/nbd0p2 4096 1054719 1050624 513M EFI System +/dev/nbd0p3 1054720 46135295 45080576 21.5G Linux filesystem +/dev/nbd0p4 46874624 68360191 21485568 10.2G Microsoft basic data + +[STDERR] +``` + +#### Context: +### [+] Legal Context for `sudo fdisk -l /dev/nbd0` + +**Analyst:** Niklas Heringer +**Timestamp:** 2025-07-14T18:21:56.119311+02:00 + +**[!] Note:** This command was executed with administrative rights (`sudo`). +`fdisk` is an interactive command-line tool to create, delete, and manage partitions on storage devices. + + +Lists partition tables of all recognized devices. 
+ +--- + +### [+] Timestamp: `2025-07-14T18-09-46-180536+02-00` +#### [+] Comment from analyst: Niklas Heringer + +#### [+] Content: +Das QCOW2-Image wurde mit qemu-nbd als Blockgerät bereitgestellt, um anschließend mit fdisk die Partitionstabelle und Dateisystemtypen zu identifizieren – ein essenzieller Schritt zur Strukturaufklärung und Vorbereitung weiterer Analysen. + +--- + +### [+] Timestamp: `2025-07-14T18-10-39-291304+02-00` +#### [+] Comment from analyst: Niklas Heringer + +#### [+] Content: +Hierbei haben wir vier Partitionen entdeckt, die wir nun naeher untersuchen werden + +--- + +### [+] Command: `sudo mmls /dev/nbd0` +- Timestamp: `2025-07-14T18-10-44-804259+02-00` +- GPG-signature: [+] Valid +- SHA256: `1e7e7d7d86604a62aceffd32db9f4f6f897f22c84de9f2367b46bf6fa4d9b77b` + +#### Output: +```Shell +[STDOUT] +GUID Partition Table (EFI) +Offset Sector: 0 +Units are in 512-byte sectors + + Slot Start End Length Description +000: Meta 0000000000 0000000000 0000000001 Safety Table +001: ------- 0000000000 0000002047 0000002048 Unallocated +002: Meta 0000000001 0000000001 0000000001 GPT Header +003: Meta 0000000002 0000000033 0000000032 Partition Table +004: 000 0000002048 0000004095 0000002048 +005: 001 0000004096 0001054719 0001050624 EFI System Partition +006: 002 0001054720 0046135295 0045080576 +007: ------- 0046135296 0046874623 0000739328 Unallocated +008: 003 0046874624 0068360191 0021485568 FAT +009: ------- 0068360192 0069206015 0000845824 Unallocated + +[STDERR] +``` + +#### Context: +### [+] Legal Context for `sudo mmls /dev/nbd0` + +**Analyst:** Niklas Heringer +**Timestamp:** 2025-07-14T18:21:56.136172+02:00 + +**[!] Note:** This command was executed with administrative rights (`sudo`). +`mmls` analyzes the partition layout of a disk image without modifying it. It shows partitions, offsets, and sizes — a typical forensic step before mounting. 
+ +--- + +### [+] Timestamp: `2025-07-14T18-11-51-739620+02-00` +#### [+] Comment from analyst: Niklas Heringer + +#### [+] Content: +Die Analyse mit mmls dient der genauen Bestimmung der Partitionsstruktur und der Start-Offsets, was erforderlich ist, um gezielt Dateien zu extrahieren und das Dateisystem forensisch korrekt zu analysieren. + +--- + +### [+] Timestamp: `2025-07-14T18-13-42-016732+02-00` +#### [+] Comment from analyst: Niklas Heringer + +#### [+] Content: +Die mmls-Ausgabe zeigt vier Partitionen. Drei davon sind relevant für die Analyse – die BIOS-Boot-Partition (nur 1 MB) enthält keine Nutzdaten und wird daher übersprungen. + +--- + +### [+] Timestamp: `2025-07-14T18-13-51-840180+02-00` +#### [+] Comment from analyst: Niklas Heringer + +#### [+] Content: +Die Partitionen 005 (EFI), 006 (Linux-Dateisystem) und 008 (Microsoft-Dateisystem) werden einzeln gemountet und analysiert, um strukturierte und nachvollziehbare Ergebnisse zu erhalten. + +--- + +### [+] Timestamp: `2025-07-14T18-13-59-612800+02-00` +#### [+] Comment from analyst: Niklas Heringer + +#### [+] Content: +Eine sequentielle Analyse aller nutzbaren Partitionen erlaubt eine saubere Trennung der Datenquellen und kann forensisch besser dokumentiert werden. + +--- + +### [+] Command: `sudo mkdir -p /mnt/efi /mnt/linuxfs /mnt/windows` +- Timestamp: `2025-07-14T18-16-06-814084+02-00` +- GPG-signature: [+] Valid +- SHA256: `aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f` + +#### Output: +```Shell +[STDOUT] + +[STDERR] +``` + +#### Context: +### [+] Legal Context for `sudo mkdir -p /mnt/efi /mnt/linuxfs /mnt/windows` + +**Analyst:** Niklas Heringer +**Timestamp:** 2025-07-14T18:21:56.154189+02:00 + +**[!] Note:** This command was executed with administrative rights (`sudo`). +`mkdir` creates a directory. In forensic workflows, it is often used to prepare target folders for mounts or exported data. + + +The `-p` option ensures that parent directories are created as needed. 
It also avoids errors if the target directory already exists. + +--- + +### [+] Timestamp: `2025-07-14T18-16-14-867728+02-00` +#### [+] Comment from analyst: Niklas Heringer + +#### [+] Content: +Drei dedizierte Mount-Verzeichnisse wurden erstellt, um die Partitionen getrennt voneinander und nachvollziehbar analysieren zu können. + +--- + +### [+] Command: `sudo mount -o ro /dev/nbd0p3 /mnt/linuxfs` +- Timestamp: `2025-07-14T18-18-28-516252+02-00` +- GPG-signature: [+] Valid +- SHA256: `aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f` + +#### Output: +```Shell +[STDOUT] + +[STDERR] +``` + +#### Context: +### [+] Legal Context for `sudo mount -o ro /dev/nbd0p3 /mnt/linuxfs` + +**Analyst:** Niklas Heringer +**Timestamp:** 2025-07-14T18:21:56.171151+02:00 + +**[!] Note:** This command was executed with administrative rights (`sudo`). +`mount` is used to attach a filesystem to the directory tree. In forensic contexts, it must be used cautiously, as mounting can alter timestamps or content. + + +The `-o` option sets mount parameters — e.g., to enable read-only mode or suppress timestamp changes. + + +`ro` stands for "read-only". It ensures that the mounted filesystem is not modified. This is critical in digital forensics. + +--- + +### [+] Timestamp: `2025-07-14T18-18-36-250749+02-00` +#### [+] Comment from analyst: Niklas Heringer + +#### [+] Content: +Das Linux-Dateisystem wurde readonly in /mnt/linuxfs eingebunden, um die Hauptdatenstruktur des Betriebssystems forensisch zu untersuchen. + +--- + +### [+] Command: `sudo mount -o ro /dev/nbd0p4 /mnt/windows` +- Timestamp: `2025-07-14T18-18-44-352022+02-00` +- GPG-signature: [+] Valid +- SHA256: `aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f` + +#### Output: +```Shell +[STDOUT] + +[STDERR] +``` + +#### Context: +### [+] Legal Context for `sudo mount -o ro /dev/nbd0p4 /mnt/windows` + +**Analyst:** Niklas Heringer +**Timestamp:** 2025-07-14T18:21:56.188116+02:00 + +**[!] 
Note:** This command was executed with administrative rights (`sudo`). +`mount` is used to attach a filesystem to the directory tree. In forensic contexts, it must be used cautiously, as mounting can alter timestamps or content. + + +The `-o` option sets mount parameters — e.g., to enable read-only mode or suppress timestamp changes. + + +`ro` stands for "read-only". It ensures that the mounted filesystem is not modified. This is critical in digital forensics. + +--- + +### [+] Timestamp: `2025-07-14T18-18-48-788722+02-00` +#### [+] Comment from analyst: Niklas Heringer + +#### [+] Content: +Die als 'Microsoft Basic Data' gekennzeichnete Partition wurde readonly in /mnt/windows eingebunden, vermutlich zur Analyse von Benutzerdaten oder Überresten eines Dual-Boot-Systems. + +--- + +### [+] Command: `qemu-nbd: Failed to blk_new_open 'ForImage2.img': Failed to get "write" lock` +- Timestamp: `2025-07-14T18-20-16-782579+02-00` +- GPG-signature: [+] Valid +- SHA256: `927576f78ad2da1d55b32d2e32af8a13ec8a59dcde4168fcfbea80ab6c3161be` + +#### Output: +```Shell +[!] Command failed: +qemu-nbd: Failed to blk_new_open 'ForImage2.img': Failed to get "write" lock +Is another process using the image [ForImage2.img]? +``` + +#### Context: +### [+] Legal Context for `qemu-nbd: Failed to blk_new_open 'ForImage2.img': Failed to get "write" lock` + +**Analyst:** Niklas Heringer +**Timestamp:** 2025-07-14T18:21:56.204455+02:00 + +[x] No specific explanation found. + +--- + + +## [+] GPG-Overview +Each `.log`-file was digitally signed with GPG where applicable. +The signature status is documented per command. + + +--- + +### Wichtige Abfolge nach Neustart der Forensischen Untersuchungsstation + +Nach einem Neustart der virtuellen Maschine muss die Verbindung zum QCOW-Image erneut hergestellt werden, da die `qemu-nbd`-Verbindung und die Mountpunkte nicht persistent sind. Die folgenden Schritte sind erforderlich: + +**1. 
NBD-Modul erneut laden** +Bindet das Netzwerk-Block-Device-Modul mit ausreichend Partitionseinträgen ein: + +```bash +sudo modprobe nbd max_part=8 +``` + +**2. Image erneut mit NBD verbinden** +Stellt die Verbindung zwischen dem QCOW-Image und dem NBD-Gerät her: + +```bash +sudo qemu-nbd --connect=/dev/nbd0 ForImage2.img +``` + +**3. Partitionen erneut mounten (readonly)** +Mountet die relevanten Partitionen wieder in die vorgesehenen Verzeichnisse: + +```bash +sudo mount -o ro /dev/nbd0p2 /mnt/efi +sudo mount -o ro /dev/nbd0p3 /mnt/linuxfs +sudo mount -o ro /dev/nbd0p4 /mnt/windows +``` + +Diese Schritte müssen nach jedem VM-Neustart durchgeführt werden, um erneut forensischen Zugriff auf die Dateisysteme zu erhalten. + +--- + + + + + + + + + + + + + + + + + + + + + + + + + +--- + +## Ergebnis: Feststellung von Dateien zum Ermittlungsverfahren wegen Verkauf gefälschter Pässe + +--- + +## Ergebnis: Nachweis der Nutzung/ Verbreitung + +--- + +## Ergebnis Extrahierung der elektronischen Kommunikation (E-Mail, Chat) + +--- \ No newline at end of file diff --git a/Pruefungsleistung/dif_gutachten_report.md b/Pruefungsleistung/dif_gutachten_report.md new file mode 100644 index 0000000..6cc2778 --- /dev/null +++ b/Pruefungsleistung/dif_gutachten_report.md 
@@ -0,0 +1,801 @@ +# [++] Forensic report of case: dif_gutachten + +## [++] Description +Forensisches Gutachten im Fall Tilo Barkholz + + +## [++] Timeline of Commands and Comments + +### [+] Command: `file ForImage2.img` +- Timestamp: `2025-07-14T18-03-17-505557+02-00` +- GPG-signature: [+] Valid +- SHA256: `7bf5d482601016dfe39f3de29aad7f83b3a0f59d3177828e1f1823817b1778d8` + +#### Output: +```Shell +[STDOUT] +ForImage2.img: QEMU QCOW Image (v3), 35433480192 bytes (v3), 35433480192 bytes + +[STDERR] +``` + +#### Context: +### [+] Legal Context for `file ForImage2.img` + +**Analyst:** Niklas Heringer +**Timestamp:** 2025-07-14T20:40:59.760772+02:00 + +`file` identifies file types by examining magic numbers and headers. Useful for verifying or correcting file extensions and detecting anomalies. + +--- + +### [+] Timestamp: `2025-07-14T18-05-10-852941+02-00` +#### [+] Comment from analyst: Niklas Heringer + +#### [+] Content: +Der file-Befehl wurde verwendet, um das Format des Abbilds zu bestimmen. Dabei wurde erkannt, dass es sich um ein QCOW2-Image handelt, ein haeufig genutztes Format fuer virtuelle Maschinen unter QEMU/KVM + +--- + +### [+] Timestamp: `2025-07-14T18-06-02-925862+02-00` +#### [+] Comment from analyst: Niklas Heringer + +#### [+] Content: +Wir werden nun Partitionen im Image identifizieren, um sie zu extrahiern & zu analysieren + +--- + +### [+] Command: `sudo modprobe nbd max_part=8` +- Timestamp: `2025-07-14T18-06-22-301370+02-00` +- GPG-signature: [+] Valid +- SHA256: `aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f` + +#### Output: +```Shell +[STDOUT] + +[STDERR] +``` + +#### Context: +### [+] Legal Context for `sudo modprobe nbd max_part=8` + +**Analyst:** Niklas Heringer +**Timestamp:** 2025-07-14T20:40:59.839755+02:00 + +**[!] Note:** This command was executed with administrative rights (`sudo`). +[x] No specific explanation found. 
+ +--- + +### [+] Command: `sudo: qemu-nbd: command not found` +- Timestamp: `2025-07-14T18-06-51-644697+02-00` +- GPG-signature: [+] Valid +- SHA256: `7bd21e679c39eb29ea0eebe56f0a54110538c4bdb094fbbd9d7b9e8d7c2a7ed4` + +#### Output: +```Shell +[!] Command failed: +sudo: qemu-nbd: command not found +``` + +#### Context: +### [+] Legal Context for `sudo: qemu-nbd: command not found` + +**Analyst:** Niklas Heringer +**Timestamp:** 2025-07-14T20:40:59.860730+02:00 + +[x] No specific explanation found. + +--- + +### [+] Command: `qemu-nbd: unrecognized option '--conect=/dev/nbd0'` +- Timestamp: `2025-07-14T18-07-49-932393+02-00` +- GPG-signature: [+] Valid +- SHA256: `23ec6e05fb897e4b0ad2d77613416100a2fcd3f300135a2e5677364b4b115d74` + +#### Output: +```Shell +[!] Command failed: +qemu-nbd: unrecognized option '--conect=/dev/nbd0' +qemu-nbd: Try `qemu-nbd --help' for more information. +``` + +#### Context: +### [+] Legal Context for `qemu-nbd: unrecognized option '--conect=/dev/nbd0'` + +**Analyst:** Niklas Heringer +**Timestamp:** 2025-07-14T20:40:59.889332+02:00 + +[x] No specific explanation found. + +--- + +### [+] Command: `sudo qemu-nbd --connect=/dev/nbd0 ForImage2.img` +- Timestamp: `2025-07-14T18-08-00-970730+02-00` +- GPG-signature: [+] Valid +- SHA256: `aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f` + +#### Output: +```Shell +[STDOUT] + +[STDERR] +``` + +#### Context: +### [+] Legal Context for `sudo qemu-nbd --connect=/dev/nbd0 ForImage2.img` + +**Analyst:** Niklas Heringer +**Timestamp:** 2025-07-14T20:40:59.907323+02:00 + +**[!] Note:** This command was executed with administrative rights (`sudo`). +[x] No specific explanation found. 
+ +--- + +### [+] Command: `sudo fdisk -l /dev/nbd0` +- Timestamp: `2025-07-14T18-08-17-811009+02-00` +- GPG-signature: [+] Valid +- SHA256: `4a2bcce842d23a7b6e392a9e547e0942145cdd7450910980c116667d81b5078a` + +#### Output: +```Shell +[STDOUT] +Disk /dev/nbd0: 33 GiB, 35433480192 bytes, 69206016 sectors +Units: sectors of 1 * 512 = 512 bytes +Sector size (logical/physical): 512 bytes / 512 bytes +I/O size (minimum/optimal): 512 bytes / 131072 bytes +Disklabel type: gpt +Disk identifier: 7AB35F56-8FB0-407B-AC62-FD7C3E10AB6A + +Device Start End Sectors Size Type +/dev/nbd0p1 2048 4095 2048 1M BIOS boot +/dev/nbd0p2 4096 1054719 1050624 513M EFI System +/dev/nbd0p3 1054720 46135295 45080576 21.5G Linux filesystem +/dev/nbd0p4 46874624 68360191 21485568 10.2G Microsoft basic data + +[STDERR] +``` + +#### Context: +### [+] Legal Context for `sudo fdisk -l /dev/nbd0` + +**Analyst:** Niklas Heringer +**Timestamp:** 2025-07-14T20:40:59.937090+02:00 + +**[!] Note:** This command was executed with administrative rights (`sudo`). +`fdisk` is an interactive command-line tool to create, delete, and manage partitions on storage devices. + + +Lists partition tables of all recognized devices. + +--- + +### [+] Timestamp: `2025-07-14T18-09-46-180536+02-00` +#### [+] Comment from analyst: Niklas Heringer + +#### [+] Content: +Das QCOW2-Image wurde mit qemu-nbd als Blockgerät bereitgestellt, um anschließend mit fdisk die Partitionstabelle und Dateisystemtypen zu identifizieren – ein essenzieller Schritt zur Strukturaufklärung und Vorbereitung weiterer Analysen. 
+ +--- + +### [+] Timestamp: `2025-07-14T18-10-39-291304+02-00` +#### [+] Comment from analyst: Niklas Heringer + +#### [+] Content: +Hierbei haben wir vier Partitionen entdeckt, die wir nun naeher untersuchen werden + +--- + +### [+] Command: `sudo mmls /dev/nbd0` +- Timestamp: `2025-07-14T18-10-44-804259+02-00` +- GPG-signature: [+] Valid +- SHA256: `1e7e7d7d86604a62aceffd32db9f4f6f897f22c84de9f2367b46bf6fa4d9b77b` + +#### Output: +```Shell +[STDOUT] +GUID Partition Table (EFI) +Offset Sector: 0 +Units are in 512-byte sectors + + Slot Start End Length Description +000: Meta 0000000000 0000000000 0000000001 Safety Table +001: ------- 0000000000 0000002047 0000002048 Unallocated +002: Meta 0000000001 0000000001 0000000001 GPT Header +003: Meta 0000000002 0000000033 0000000032 Partition Table +004: 000 0000002048 0000004095 0000002048 +005: 001 0000004096 0001054719 0001050624 EFI System Partition +006: 002 0001054720 0046135295 0045080576 +007: ------- 0046135296 0046874623 0000739328 Unallocated +008: 003 0046874624 0068360191 0021485568 FAT +009: ------- 0068360192 0069206015 0000845824 Unallocated + +[STDERR] +``` + +#### Context: +### [+] Legal Context for `sudo mmls /dev/nbd0` + +**Analyst:** Niklas Heringer +**Timestamp:** 2025-07-14T20:40:59.975491+02:00 + +**[!] Note:** This command was executed with administrative rights (`sudo`). +`mmls` analyzes the partition layout of a disk image without modifying it. It shows partitions, offsets, and sizes — a typical forensic step before mounting. + +--- + +### [+] Timestamp: `2025-07-14T18-11-51-739620+02-00` +#### [+] Comment from analyst: Niklas Heringer + +#### [+] Content: +Die Analyse mit mmls dient der genauen Bestimmung der Partitionsstruktur und der Start-Offsets, was erforderlich ist, um gezielt Dateien zu extrahieren und das Dateisystem forensisch korrekt zu analysieren. 
+ +--- + +### [+] Timestamp: `2025-07-14T18-13-42-016732+02-00` +#### [+] Comment from analyst: Niklas Heringer + +#### [+] Content: +Die mmls-Ausgabe zeigt vier Partitionen. Drei davon sind relevant für die Analyse – die BIOS-Boot-Partition (nur 1 MB) enthält keine Nutzdaten und wird daher übersprungen. + +--- + +### [+] Timestamp: `2025-07-14T18-13-51-840180+02-00` +#### [+] Comment from analyst: Niklas Heringer + +#### [+] Content: +Die Partitionen 005 (EFI), 006 (Linux-Dateisystem) und 008 (Microsoft-Dateisystem) werden einzeln gemountet und analysiert, um strukturierte und nachvollziehbare Ergebnisse zu erhalten. + +--- + +### [+] Timestamp: `2025-07-14T18-13-59-612800+02-00` +#### [+] Comment from analyst: Niklas Heringer + +#### [+] Content: +Eine sequentielle Analyse aller nutzbaren Partitionen erlaubt eine saubere Trennung der Datenquellen und kann forensisch besser dokumentiert werden. + +--- + +### [+] Command: `sudo mkdir -p /mnt/efi /mnt/linuxfs /mnt/windows` +- Timestamp: `2025-07-14T18-16-06-814084+02-00` +- GPG-signature: [+] Valid +- SHA256: `aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f` + +#### Output: +```Shell +[STDOUT] + +[STDERR] +``` + +#### Context: +### [+] Legal Context for `sudo mkdir -p /mnt/efi /mnt/linuxfs /mnt/windows` + +**Analyst:** Niklas Heringer +**Timestamp:** 2025-07-14T20:40:59.996144+02:00 + +**[!] Note:** This command was executed with administrative rights (`sudo`). +`mkdir` creates a directory. In forensic workflows, it is often used to prepare target folders for mounts or exported data. + + +The `-p` option ensures that parent directories are created as needed. It also avoids errors if the target directory already exists. + +--- + +### [+] Timestamp: `2025-07-14T18-16-14-867728+02-00` +#### [+] Comment from analyst: Niklas Heringer + +#### [+] Content: +Drei dedizierte Mount-Verzeichnisse wurden erstellt, um die Partitionen getrennt voneinander und nachvollziehbar analysieren zu können. 
+ +--- + +### [+] Command: `sudo mount -o ro /dev/nbd0p3 /mnt/linuxfs` +- Timestamp: `2025-07-14T18-18-28-516252+02-00` +- GPG-signature: [+] Valid +- SHA256: `aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f` + +#### Output: +```Shell +[STDOUT] + +[STDERR] +``` + +#### Context: +### [+] Legal Context for `sudo mount -o ro /dev/nbd0p3 /mnt/linuxfs` + +**Analyst:** Niklas Heringer +**Timestamp:** 2025-07-14T20:41:00.016107+02:00 + +**[!] Note:** This command was executed with administrative rights (`sudo`). +`mount` is used to attach a filesystem to the directory tree. In forensic contexts, it must be used cautiously, as mounting can alter timestamps or content. + + +The `-o` option sets mount parameters — e.g., to enable read-only mode or suppress timestamp changes. + + +`ro` stands for "read-only". It ensures that the mounted filesystem is not modified. This is critical in digital forensics. + +--- + +### [+] Timestamp: `2025-07-14T18-18-36-250749+02-00` +#### [+] Comment from analyst: Niklas Heringer + +#### [+] Content: +Das Linux-Dateisystem wurde readonly in /mnt/linuxfs eingebunden, um die Hauptdatenstruktur des Betriebssystems forensisch zu untersuchen. + +--- + +### [+] Command: `sudo mount -o ro /dev/nbd0p4 /mnt/windows` +- Timestamp: `2025-07-14T18-18-44-352022+02-00` +- GPG-signature: [+] Valid +- SHA256: `aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f` + +#### Output: +```Shell +[STDOUT] + +[STDERR] +``` + +#### Context: +### [+] Legal Context for `sudo mount -o ro /dev/nbd0p4 /mnt/windows` + +**Analyst:** Niklas Heringer +**Timestamp:** 2025-07-14T20:41:00.034851+02:00 + +**[!] Note:** This command was executed with administrative rights (`sudo`). +`mount` is used to attach a filesystem to the directory tree. In forensic contexts, it must be used cautiously, as mounting can alter timestamps or content. + + +The `-o` option sets mount parameters — e.g., to enable read-only mode or suppress timestamp changes. 
+ + +`ro` stands for "read-only". It ensures that the mounted filesystem is not modified. This is critical in digital forensics. + +--- + +### [+] Timestamp: `2025-07-14T18-18-48-788722+02-00` +#### [+] Comment from analyst: Niklas Heringer + +#### [+] Content: +Die als 'Microsoft Basic Data' gekennzeichnete Partition wurde readonly in /mnt/windows eingebunden, vermutlich zur Analyse von Benutzerdaten oder Überresten eines Dual-Boot-Systems. + +--- + +### [+] Command: `qemu-nbd: Failed to blk_new_open 'ForImage2.img': Failed to get "write" lock` +- Timestamp: `2025-07-14T18-20-16-782579+02-00` +- GPG-signature: [+] Valid +- SHA256: `927576f78ad2da1d55b32d2e32af8a13ec8a59dcde4168fcfbea80ab6c3161be` + +#### Output: +```Shell +[!] Command failed: +qemu-nbd: Failed to blk_new_open 'ForImage2.img': Failed to get "write" lock +Is another process using the image [ForImage2.img]? +``` + +#### Context: +### [+] Legal Context for `qemu-nbd: Failed to blk_new_open 'ForImage2.img': Failed to get "write" lock` + +**Analyst:** Niklas Heringer +**Timestamp:** 2025-07-14T20:41:00.052907+02:00 + +[x] No specific explanation found. + +--- + +### [+] Command: `mount | grep /mnt` +- Timestamp: `2025-07-14T18-26-37-707012+02-00` +- GPG-signature: [+] Valid +- SHA256: `064de49535ebcda317b47383a76e27d37389b0e7b710cfa86f0437592927437a` + +#### Output: +```Shell +[STDOUT] +/dev/nbd0p3 on /mnt/linuxfs type ext4 (ro,relatime) +/dev/nbd0p4 on /mnt/windows type vfat (ro,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro) + +[STDERR] +``` + +#### Context: +### [+] Legal Context for `mount | grep /mnt` + +**Analyst:** Niklas Heringer +**Timestamp:** 2025-07-14T20:41:00.071170+02:00 + +`mount` is used to attach a filesystem to the directory tree. In forensic contexts, it must be used cautiously, as mounting can alter timestamps or content. 
+ +--- + +### [+] Command: `mount | grep /mnt` +- Timestamp: `2025-07-14T18-27-36-979838+02-00` +- GPG-signature: [+] Valid +- SHA256: `064de49535ebcda317b47383a76e27d37389b0e7b710cfa86f0437592927437a` + +#### Output: +```Shell +[STDOUT] +/dev/nbd0p3 on /mnt/linuxfs type ext4 (ro,relatime) +/dev/nbd0p4 on /mnt/windows type vfat (ro,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro) + +[STDERR] +``` + +#### Context: +### [+] Legal Context for `mount | grep /mnt` + +**Analyst:** Niklas Heringer +**Timestamp:** 2025-07-14T20:41:00.089190+02:00 + +`mount` is used to attach a filesystem to the directory tree. In forensic contexts, it must be used cautiously, as mounting can alter timestamps or content. + +--- + +### [+] Command: `sudo mount -o ro /dev/nbd0p2 /mnt/efi` +- Timestamp: `2025-07-14T18-28-47-827648+02-00` +- GPG-signature: [+] Valid +- SHA256: `aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f` + +#### Output: +```Shell +[STDOUT] + +[STDERR] +``` + +#### Context: +### [+] Legal Context for `sudo mount -o ro /dev/nbd0p2 /mnt/efi` + +**Analyst:** Niklas Heringer +**Timestamp:** 2025-07-14T20:41:00.107459+02:00 + +**[!] Note:** This command was executed with administrative rights (`sudo`). +`mount` is used to attach a filesystem to the directory tree. In forensic contexts, it must be used cautiously, as mounting can alter timestamps or content. + + +The `-o` option sets mount parameters — e.g., to enable read-only mode or suppress timestamp changes. + + +`ro` stands for "read-only". It ensures that the mounted filesystem is not modified. This is critical in digital forensics. 
+ +--- + +### [+] Command: `mount | grep /mnt` +- Timestamp: `2025-07-14T18-28-49-632890+02-00` +- GPG-signature: [+] Valid +- SHA256: `5701af33c9936d5a4213bdc9ce95b07383533c58de3746fdb6cb08961ebc76d9` + +#### Output: +```Shell +[STDOUT] +/dev/nbd0p3 on /mnt/linuxfs type ext4 (ro,relatime) +/dev/nbd0p4 on /mnt/windows type vfat (ro,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro) +/dev/nbd0p2 on /mnt/efi type vfat (ro,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro) + +[STDERR] +``` + +#### Context: +### [+] Legal Context for `mount | grep /mnt` + +**Analyst:** Niklas Heringer +**Timestamp:** 2025-07-14T20:41:00.125685+02:00 + +`mount` is used to attach a filesystem to the directory tree. In forensic contexts, it must be used cautiously, as mounting can alter timestamps or content. + +--- + +### [+] Timestamp: `2025-07-14T18-29-46-776359+02-00` +#### [+] Comment from analyst: Niklas Heringer + +#### [+] Content: +Nun sind alle drei Partitionen von Interesse korrekt eingebunden und die Arbeit kann beginnen + +--- + +### [+] Command: `mount | grep /mnt` +- Timestamp: `2025-07-14T20-08-59-917952+02-00` +- GPG-signature: [+] Valid +- SHA256: `5701af33c9936d5a4213bdc9ce95b07383533c58de3746fdb6cb08961ebc76d9` + +#### Output: +```Shell +[STDOUT] +/dev/nbd0p3 on /mnt/linuxfs type ext4 (ro,relatime) +/dev/nbd0p4 on /mnt/windows type vfat (ro,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro) +/dev/nbd0p2 on /mnt/efi type vfat (ro,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro) + +[STDERR] +``` + +#### Context: +### [+] Legal Context for `mount | grep /mnt` + +**Analyst:** Niklas Heringer +**Timestamp:** 2025-07-14T20:41:00.144446+02:00 + +`mount` is used to attach a filesystem to the directory tree. 
In forensic contexts, it must be used cautiously, as mounting can alter timestamps or content. + +--- + +### [+] Timestamp: `2025-07-14T20-13-50-520875+02-00` +#### [+] Comment from analyst: Niklas Heringer + +#### [+] Content: +Wir beginnen mit /mnt/linuxfs. Die Analyse der Linux-Systempartition dient der Erfassung benutzerspezifischer und systemweiter Artefakte, welche Rückschlüsse auf Nutzung, Konfiguration und potenziell sicherheitsrelevante Aktivitäten ermöglichen. + +--- + +### [+] Command: `ls -la /mnt/linuxfs/home` +- Timestamp: `2025-07-14T20-13-56-887462+02-00` +- GPG-signature: [+] Valid +- SHA256: `f6768291b43b3d15242a63a188af4eef9bb76d1d7b0c857ca045103d57b8f2ad` + +#### Output: +```Shell +[STDOUT] +total 20 +drwxr-xr-x 5 root root 4096 Jul 4 2022 . +drwxr-xr-x 20 root root 4096 Jul 2 2022 .. +drwxr-x--- 16 1001 1001 4096 Jul 4 2022 belle +drwxr-x--- 3 1002 1002 4096 Jul 4 2022 kiara +drwxr-x--- 18 kali kali 4096 Jul 4 2022 pc + +[STDERR] +``` + +#### Context: +### [+] Legal Context for `ls -la /mnt/linuxfs/home` + +**Analyst:** Niklas Heringer +**Timestamp:** 2025-07-14T20:41:00.163176+02:00 + +`ls` lists files in a directory. It is used to gain an overview and does not modify data. + +--- + +### [+] Timestamp: `2025-07-14T20-14-29-073825+02-00` +#### [+] Comment from analyst: Niklas Heringer + +#### [+] Content: +Wir verzeichnen drei User-Accounts, pc, belle und kiara. + +--- + +### [+] Timestamp: `2025-07-14T20-15-13-781491+02-00` +#### [+] Comment from analyst: Niklas Heringer + +#### [+] Content: +Bevor wir zu diesen im Einzelnen kommen, ueberpruefen wir systemweite Konfigurationen und Logs + +--- + +### [+] Command: `ls -la /mnt/linuxfs/var/log` +- Timestamp: `2025-07-14T20-17-03-043108+02-00` +- GPG-signature: [+] Valid +- SHA256: `957a55a20047fe1e5639161fe828af67ba54211b33fcdb9974be18261331cacb` + +#### Output: +```Shell +[STDOUT] +total 5336 +drwxrwxr-x 13 root pulse 4096 Jul 4 2022 . +drwxr-xr-x 14 root root 4096 Apr 19 2022 .. 
+-rw-r--r-- 1 root root 21410 Jul 2 2022 alternatives.log +-rw-r----- 1 root adm 0 Jul 4 2022 apport.log +-rw-r----- 1 root adm 2369 Jul 2 2022 apport.log.1 +drwxr-xr-x 2 root root 4096 Jul 4 2022 apt +-rw-r----- 1 tcpdump adm 80955 Jul 4 2022 auth.log +-rw------- 1 root root 34617 Jul 4 2022 boot.log +-rw------- 1 root root 33348 Jul 4 2022 boot.log.1 +-rw-r--r-- 1 root root 108494 Apr 19 2022 bootstrap.log +-rw-rw---- 1 root utmp 0 Apr 19 2022 btmp +drwxr-xr-x 2 root root 4096 Jul 4 2022 cups +drwxr-xr-x 2 root root 4096 Apr 18 2022 dist-upgrade +-rw-r----- 1 root adm 68118 Jul 4 2022 dmesg +-rw-r----- 1 root adm 69151 Jul 4 2022 dmesg.0 +-rw-r----- 1 root adm 16776 Jul 4 2022 dmesg.1.gz +-rw-r----- 1 root adm 17536 Jul 4 2022 dmesg.2.gz +-rw-r----- 1 root adm 17273 Jul 4 2022 dmesg.3.gz +... (truncated, showing first 20 and last 10 lines) +drwxr-xr-x 2 root root 4096 Mar 22 2022 openvpn +drwx------ 2 root root 4096 Apr 19 2022 private +drwx------ 2 Debian-snmp root 4096 Jan 8 2022 speech-dispatcher +-rw-r----- 1 tcpdump adm 2865079 Jul 4 2022 syslog +-rw-r--r-- 1 root root 0 Apr 19 2022 ubuntu-advantage.log +-rw-r--r-- 1 root root 631 Jul 4 2022 ubuntu-advantage-timer.log +drwxr-x--- 2 root adm 4096 Jul 3 2022 unattended-upgrades +-rw-rw-r-- 1 root utmp 31872 Jul 4 2022 wtmp + +[STDERR] +``` + +#### Context: +### [+] Legal Context for `ls -la /mnt/linuxfs/var/log` + +**Analyst:** Niklas Heringer +**Timestamp:** 2025-07-14T20:41:00.182010+02:00 + +`ls` lists files in a directory. It is used to gain an overview and does not modify data. + +--- + +### [+] Command: `ls -la /mnt/linuxfs/etc` +- Timestamp: `2025-07-14T20-18-24-994518+02-00` +- GPG-signature: [+] Valid +- SHA256: `55c42303907eb58bc29c73525cdde2ef75ba9aa595050b19496e142c3743a22f` + +#### Output: +```Shell +[STDOUT] +total 1120 +drwxr-xr-x 128 root root 12288 Jul 4 2022 . +drwxr-xr-x 20 root root 4096 Jul 2 2022 .. 
+drwxr-xr-x 3 root root 4096 Apr 19 2022 acpi +-rw-r--r-- 1 root root 3028 Apr 19 2022 adduser.conf +drwxr-xr-x 3 root root 4096 Apr 19 2022 alsa +drwxr-xr-x 2 root root 4096 Jul 3 2022 alternatives +-rw-r--r-- 1 root root 335 Mar 23 2022 anacrontab +-rw-r--r-- 1 root root 433 Mar 23 2022 apg.conf +drwxr-xr-x 5 root root 4096 Apr 19 2022 apm +drwxr-xr-x 3 root root 4096 Apr 19 2022 apparmor +drwxr-xr-x 8 root root 4096 Jul 3 2022 apparmor.d +drwxr-xr-x 3 root root 4096 Jul 3 2022 apport +-rw-r--r-- 1 root root 769 Feb 22 2022 appstream.conf +drwxr-xr-x 8 root root 4096 Jul 2 2022 apt +drwxr-xr-x 3 root root 4096 Apr 19 2022 avahi +-rw-r--r-- 1 root root 2319 Jan 6 2022 bash.bashrc +-rw-r--r-- 1 root root 45 Nov 11 2021 bash_completion +drwxr-xr-x 2 root root 4096 Jul 3 2022 bash_completion.d +... (truncated, showing first 20 and last 10 lines) +drwxr-xr-x 5 root root 4096 Apr 19 2022 vulkan +-rw-r--r-- 1 root root 4942 Jan 24 2022 wgetrc +drwxr-xr-x 2 root root 4096 Apr 19 2022 wpa_supplicant +drwxr-xr-x 12 root root 4096 Apr 19 2022 X11 +-rw-r--r-- 1 root root 681 Mar 23 2022 xattr.conf +drwxr-xr-x 6 root root 4096 Apr 19 2022 xdg +drwxr-xr-x 2 root root 4096 Apr 19 2022 xml +-rw-r--r-- 1 root root 460 Dec 8 2021 zsh_command_not_found + +[STDERR] +``` + +#### Context: +### [+] Legal Context for `ls -la /mnt/linuxfs/etc` + +**Analyst:** Niklas Heringer +**Timestamp:** 2025-07-14T20:41:00.200282+02:00 + +`ls` lists files in a directory. It is used to gain an overview and does not modify data. 
+ +--- + +### [+] Timestamp: `2025-07-14T20-19-31-817078+02-00` +#### [+] Comment from analyst: Niklas Heringer + +#### [+] Content: +Applikationen, die ins Auge fallen: speech-dispatcher, security + +--- + +### [+] Timestamp: `2025-07-14T20-20-29-497721+02-00` +#### [+] Comment from analyst: Niklas Heringer + +#### [+] Content: +Beginnen wir nun mit dem User-Account 'belle' + +--- + +### [+] Timestamp: `2025-07-14T20-24-57-659634+02-00` +#### [+] Comment from analyst: Niklas Heringer + +#### [+] Content: +Zur beweissicheren Sicherung der Nutzerverzeichnisse wurden die Home-Verzeichnisse der identifizierten Accounts (belle, kiara, pc) aus der gemounteten Partition /mnt/linuxfs mittels tar archiviert. Die Sicherung erfolgte im Read-Only-Modus zur Wahrung der Integrität. + +--- + +### [+] Command: `tar (child): /home/kali/Documents/dif_auswertung/belle_home.tar.gz: Cannot open: No such file or directory` +- Timestamp: `2025-07-14T20-25-28-820189+02-00` +- GPG-signature: [+] Valid +- SHA256: `e186e24efe2970d43583e5551223221c7a714bfab92e4721092ac3f97af4d19d` + +#### Output: +```Shell +[!] Command failed: +tar (child): /home/kali/Documents/dif_auswertung/belle_home.tar.gz: Cannot open: No such file or directory +tar (child): Error is not recoverable: exiting now +tar: /home/kali/Documents/dif_auswertung/belle_home.tar.gz: Cannot write: Broken pipe +tar: Child returned status 2 +tar: Error is not recoverable: exiting now +``` + +#### Context: +### [+] Legal Context for `tar (child): /home/kali/Documents/dif_auswertung/belle_home.tar.gz: Cannot open: No such file or directory` + +**Analyst:** Niklas Heringer +**Timestamp:** 2025-07-14T20:41:00.220927+02:00 + +`tar` is used to create and extract archive files. In forensics, it’s useful for packaging or reviewing archived evidence sets. 
+ +--- + +### [+] Command: `sudo mkdir -p ~/Documents/auswertung/` +- Timestamp: `2025-07-14T20-30-04-249825+02-00` +- GPG-signature: [+] Valid +- SHA256: `aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f` + +#### Output: +```Shell +[STDOUT] + +[STDERR] +``` + +#### Context: +### [+] Legal Context for `sudo mkdir -p ~/Documents/auswertung/` + +**Analyst:** Niklas Heringer +**Timestamp:** 2025-07-14T20:41:00.238957+02:00 + +**[!] Note:** This command was executed with administrative rights (`sudo`). +`mkdir` creates a directory. In forensic workflows, it is often used to prepare target folders for mounts or exported data. + + +The `-p` option ensures that parent directories are created as needed. It also avoids errors if the target directory already exists. + +--- + +### [+] Command: `Error opening image file (raw_open: file "/dev/nbd0p3" - Permission denied)` +- Timestamp: `2025-07-14T20-30-36-090820+02-00` +- GPG-signature: [+] Valid +- SHA256: `cc9dda0ce603430217d5dc755d2c2e3486fd1ea9dbf2bc073eb00f383b03a3f8` + +#### Output: +```Shell +[!] Command failed: +Error opening image file (raw_open: file "/dev/nbd0p3" - Permission denied) +``` + +#### Context: +### [+] Legal Context for `Error opening image file (raw_open: file "/dev/nbd0p3" - Permission denied)` + +**Analyst:** Niklas Heringer +**Timestamp:** 2025-07-14T20:41:00.257451+02:00 + +This does not appear to be a valid command. It may be the result of a misinterpreted log line or a failed execution attempt. 
+ +--- + +### [+] Command: `sudo tsk_recover -a /dev/nbd0p3 ~/Documents/auswertung/linuxfs_recover` +- Timestamp: `2025-07-14T20-30-46-797786+02-00` +- GPG-signature: [+] Valid +- SHA256: `215260492c038b4f3647587ef8a654cb227f0fa6748911259c0dcc83c3e40b1a` + +#### Output: +```Shell +[STDOUT] +Files Recovered: 161794 + +[STDERR] +``` + +#### Context: +### [+] Legal Context for `sudo tsk_recover -a /dev/nbd0p3 ~/Documents/auswertung/linuxfs_recover` + +**Analyst:** Niklas Heringer +**Timestamp:** 2025-07-14T20:41:00.274845+02:00 + +**[!] Note:** This command was executed with administrative rights (`sudo`). +[x] No specific explanation found. + +--- + + +## [+] GPG-Overview +Each `.log`-file was digitally signed with GPG where applicable. +The signature status is documented per command. diff --git a/Pruefungsleistung/gutachten_report_01.md b/Pruefungsleistung/gutachten_report_01.md new file mode 100644 index 0000000..8793791 --- /dev/null +++ b/Pruefungsleistung/gutachten_report_01.md 
@@ -0,0 +1,399 @@ +# [++] Forensic report of case: gutachten + +## [++] Description +Forensisches Gutachten im Fall Tilo Barkholz + + +## [++] Timeline of Commands and Comments + +### [+] Command: `` +- Timestamp: `2025-07-14T12-40-04-233389+02-00` +- GPG-signature: [+] Valid +- SHA256: `fd919e45a98f1ae9c0947eed0f758c5cc388ed705627f6eb2e150686d70814bc` + +#### Output: +```Shell +[!] Command failed: +``` + +#### Context: +[x] Skipped: command was empty or malformed. + +--- + +### [+] Timestamp: `2025-07-14T12-41-43-682585+02-00` +#### [+] Comment from analyst: Niklas Heringer + +#### [+] Content: +Dass der vorige mmls-Befehl keinen Output zeigt kann daran liegen, dass das vorliegende Image a) keine Partitionstabelle enthaelt, b) korrumpiert ist oder c) das Format nicht unterstuetzt wird - einer der ersteren beiden Faelle ist am wahrscheinlichsten + +--- + +### [+] Command: `file ForImage2.img` +- Timestamp: `2025-07-14T12-42-00-750002+02-00` +- GPG-signature: [+] Valid +- SHA256: `e5574e10aa2e91ce0457096afc0c31af8f3e21c5db3b95cc96154bf564d84f7d` + +#### Output: +```Shell +[STDOUT] +ForImage2.img: data + +[STDERR] +``` + +#### Context: +### [+] Legal Context for `file ForImage2.img` + +**Analyst:** Niklas Heringer +**Timestamp:** 2025-07-14T13:33:27.735730+02:00 + +`file` identifies file types by examining magic numbers and headers. Useful for verifying or correcting file extensions and detecting anomalies. 
+ +--- + +### [+] Command: `hexdump -C Forimage2.img | head` +- Timestamp: `2025-07-14T12-42-23-145012+02-00` +- GPG-signature: [+] Valid +- SHA256: `ac6841b50ac32ef32fe82a77a7455cdb3a5441c04f828d72f7ffea3ca6f733de` + +#### Output: +```Shell +[STDOUT] + +[STDERR] +hexdump: Forimage2.img: No such file or directory +hexdump: all input file arguments failed +``` + +#### Context: +### [+] Legal Context for `hexdump -C Forimage2.img | head` + +**Analyst:** Niklas Heringer +**Timestamp:** 2025-07-14T13:33:27.761024+02:00 + +`hexdump` displays file content in hexadecimal and ASCII. Useful for examining file headers, signatures, and patterns. + +--- + +### [+] Command: `hexdump -C ForImage2.img | head` +- Timestamp: `2025-07-14T12-42-31-319015+02-00` +- GPG-signature: [+] Valid +- SHA256: `cb81adfdf9b749fd17c4f7fef893c144865f8c787bebe45b8e98a91aab896474` + +#### Output: +```Shell +[STDOUT] +00000000 28 cb 32 eb 6a b7 b0 8e 3c 00 00 00 00 c0 08 70 |(.2.j...<......p| +00000010 93 5d 39 63 4c c6 71 cc eb fe 05 20 f2 97 2a f2 |.]9cL.q.... ..*.| +00000020 91 52 2a 22 b7 29 14 6a e4 01 00 00 00 00 46 24 |.R*".).j......F$| +00000030 5a 8c 59 57 23 2f 39 e7 d2 ed ee 8a c5 45 20 f2 |Z.YW#/9......E .| +00000040 a3 0b 16 89 88 38 e7 91 b5 56 ba e5 27 01 00 00 |.....8...V..'...| +00000050 00 00 c0 48 5c 9e 71 c6 18 b7 d6 4a ad b5 f4 b7 |...H\.q....J....| +00000060 13 b2 f2 10 f9 4b e9 58 ee c7 12 11 33 c6 48 c6 |.....K.X....3.H.| +00000070 98 8f 10 d1 b1 00 00 00 00 00 46 80 10 82 a2 28 |..........F....(| +00000080 62 49 92 50 96 65 44 44 9a 30 d9 15 22 3f 22 99 |bI.P.eDD.0.."?".| +00000090 a7 34 4d 59 96 65 d6 6d 0a 05 89 07 00 00 00 00 |.4MY.e.m........| + +[STDERR] +``` + +#### Context: +### [+] Legal Context for `hexdump -C ForImage2.img | head` + +**Analyst:** Niklas Heringer +**Timestamp:** 2025-07-14T13:33:27.786303+02:00 + +`hexdump` displays file content in hexadecimal and ASCII. Useful for examining file headers, signatures, and patterns. 
+ +--- + +### [+] Timestamp: `2025-07-14T12-43-00-357585+02-00` +#### [+] Comment from analyst: Niklas Heringer + +#### [+] Content: +Die Festplatte ist somit schonmal nicht leer + +--- + +### [+] Command: `Possible encryption detected (High entropy (7.78))` +- Timestamp: `2025-07-14T12-43-27-753682+02-00` +- GPG-signature: [+] Valid +- SHA256: `7cf027cc2dd683a3860ce27d3fcd52f6b47597c2f8a4ef714949b9e53d0effcc` + +#### Output: +```Shell +[!] Command failed: +Possible encryption detected (High entropy (7.78)) +``` + +#### Context: +### [+] Legal Context for `Possible encryption detected (High entropy (7.78))` + +**Analyst:** Niklas Heringer +**Timestamp:** 2025-07-14T13:33:27.810925+02:00 + +[x] No specific explanation found. + +--- + +### [+] Timestamp: `2025-07-14T12-47-33-066391+02-00` +#### [+] Comment from analyst: Niklas Heringer + +#### [+] Content: +Die Festplatte ist verschluesselt - auf ihrer Rueckseite war ein kurzes Passwort zu finden, womoeglich die Passphrase, doch zuvor ueberpruefen wir nun, ob der Verschluesslungstyp ermittelbar ist + +--- + +### [+] Timestamp: `2025-07-14T12-55-11-062938+02-00` +#### [+] Comment from analyst: Niklas Heringer + +#### [+] Content: +fsstat vermutliche Verschluesselung, mmls erkennt keine Partition, hexdump zeigt kein erkennbares Filesystem - bevor wir mounten, muessen wir entschluesseln + +--- + +### [+] Command: `mkdir: cannot create directory ‘/mnt/crypt’: Permission denied` +- Timestamp: `2025-07-14T13-04-39-432095+02-00` +- GPG-signature: [+] Valid +- SHA256: `5eed114f808f358973b99c9c298586336d608a7d7716c47484861730577f9d82` + +#### Output: +```Shell +[!] Command failed: +mkdir: cannot create directory ‘/mnt/crypt’: Permission denied +``` + +#### Context: +### [+] Legal Context for `mkdir: cannot create directory ‘/mnt/crypt’: Permission denied` + +**Analyst:** Niklas Heringer +**Timestamp:** 2025-07-14T13:33:27.836004+02:00 + +[x] No specific explanation found. 
+ +--- + +### [+] Command: `sudo mkdir -p /mnt/crypt` +- Timestamp: `2025-07-14T13-04-46-220116+02-00` +- GPG-signature: [+] Valid +- SHA256: `aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f` + +#### Output: +```Shell +[STDOUT] + +[STDERR] +``` + +#### Context: +### [+] Legal Context for `sudo mkdir -p /mnt/crypt` + +**Analyst:** Niklas Heringer +**Timestamp:** 2025-07-14T13:33:27.861090+02:00 + +**[!] Note:** This command was executed with administrative rights (`sudo`). +`mkdir` creates a directory. In forensic workflows, it is often used to prepare target folders for mounts or exported data. + + +The `-p` option ensures that parent directories are created as needed. It also avoids errors if the target directory already exists. + +--- + +### [+] Command: `` +- Timestamp: `2025-07-14T13-05-08-024574+02-00` +- GPG-signature: [+] Valid +- SHA256: `fd919e45a98f1ae9c0947eed0f758c5cc388ed705627f6eb2e150686d70814bc` + +#### Output: +```Shell +[!] Command failed: +``` + +#### Context: +[x] Skipped: command was empty or malformed. + +--- + +### [+] Command: `Error: Operation failed due to one or more of the following:` +- Timestamp: `2025-07-14T13-07-02-580209+02-00` +- GPG-signature: [+] Valid +- SHA256: `9350ce5c321f06ca5ca9e7abae3402fe8d9d6d8ea4704f55b8d3bf2c652ed876` + +#### Output: +```Shell +[!] Command failed: +Error: Operation failed due to one or more of the following: + - Incorrect password. + - Incorrect Volume PIM number. + - Incorrect PRF (hash). + - Not a valid volume. + - Volume uses an old algorithm that has been removed. + - TrueCrypt format volumes are no longer supported. +``` + +#### Context: +### [+] Legal Context for `Error: Operation failed due to one or more of the following:` + +**Analyst:** Niklas Heringer +**Timestamp:** 2025-07-14T13:33:27.895483+02:00 + +[x] No specific explanation found. 
+ +--- + +### [+] Command: `sudo losetup --show -f ForImage2.img` +- Timestamp: `2025-07-14T13-08-09-130846+02-00` +- GPG-signature: [+] Valid +- SHA256: `06e8e0c85abc1ce20202e0043228bd03c02f0b4065d4b70a98f97488dc4a2f38` + +#### Output: +```Shell +[STDOUT] +/dev/loop0 + +[STDERR] +``` + +#### Context: +### [+] Legal Context for `sudo losetup --show -f ForImage2.img` + +**Analyst:** Niklas Heringer +**Timestamp:** 2025-07-14T13:33:27.950809+02:00 + +**[!] Note:** This command was executed with administrative rights (`sudo`). +`losetup` sets up a loop device to treat a file (like a disk image) as a block device. This is needed to work with partitions inside forensic disk images. + + +Outputs the created loop device — useful for automation and scripting. + +--- + +### [+] Command: `Device /dev/loop0 is not a valid LUKS device.` +- Timestamp: `2025-07-14T13-08-33-250979+02-00` +- GPG-signature: [+] Valid +- SHA256: `19de76617d7416f38df3b577ad24e9b08b499d34b330ec80e4cf1d5ddc70416f` + +#### Output: +```Shell +[!] Command failed: +Device /dev/loop0 is not a valid LUKS device. +``` + +#### Context: +### [+] Legal Context for `Device /dev/loop0 is not a valid LUKS device.` + +**Analyst:** Niklas Heringer +**Timestamp:** 2025-07-14T13:33:27.976530+02:00 + +[x] No specific explanation found. + +--- + +### [+] Timestamp: `2025-07-14T13-09-13-718013+02-00` +#### [+] Comment from analyst: Niklas Heringer + +#### [+] Content: +Wir wissen also: kein VeraCrypt, kein LUKS, nun tgesten wir BitLocker + +--- + +### [+] Command: `sudo mkdir -p /mnt/dislocker` +- Timestamp: `2025-07-14T13-09-29-295457+02-00` +- GPG-signature: [+] Valid +- SHA256: `aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f` + +#### Output: +```Shell +[STDOUT] + +[STDERR] +``` + +#### Context: +### [+] Legal Context for `sudo mkdir -p /mnt/dislocker` + +**Analyst:** Niklas Heringer +**Timestamp:** 2025-07-14T13:33:28.001769+02:00 + +**[!] 
Note:** This command was executed with administrative rights (`sudo`). +`mkdir` creates a directory. In forensic workflows, it is often used to prepare target folders for mounts or exported data. + + +The `-p` option ensures that parent directories are created as needed. It also avoids errors if the target directory already exists. + +--- + +### [+] Command: `` +- Timestamp: `2025-07-14T13-12-40-283904+02-00` +- GPG-signature: [+] Valid +- SHA256: `fd919e45a98f1ae9c0947eed0f758c5cc388ed705627f6eb2e150686d70814bc` + +#### Output: +```Shell +[!] Command failed: +``` + +#### Context: +[x] Skipped: command was empty or malformed. + +--- + +### [+] Command: `ls /mnt/dislocker` +- Timestamp: `2025-07-14T13-12-56-961960+02-00` +- GPG-signature: [+] Valid +- SHA256: `aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f` + +#### Output: +```Shell +[STDOUT] + +[STDERR] +``` + +#### Context: +### [+] Legal Context for `ls /mnt/dislocker` + +**Analyst:** Niklas Heringer +**Timestamp:** 2025-07-14T13:33:28.036568+02:00 + +`ls` lists files in a directory. It is used to gain an overview and does not modify data. + +--- + +### [+] Timestamp: `2025-07-14T13-14-26-335058+02-00` +#### [+] Comment from analyst: Niklas Heringer + +#### [+] Content: +BitLocker scheint es auch nicht zu sein + +--- + +### [+] Command: `sudo file -s /dev/loop0` +- Timestamp: `2025-07-14T13-31-07-259372+02-00` +- GPG-signature: [+] Valid +- SHA256: `e5b945a88f260856d6462f69c02d317d93ff08c94e0f6536cf3e14141d11c92d` + +#### Output: +```Shell +[STDOUT] +/dev/loop0: data + +[STDERR] +``` + +#### Context: +### [+] Legal Context for `sudo file -s /dev/loop0` + +**Analyst:** Niklas Heringer +**Timestamp:** 2025-07-14T13:33:28.061908+02:00 + +**[!] Note:** This command was executed with administrative rights (`sudo`). +`file` identifies file types by examining magic numbers and headers. Useful for verifying or correcting file extensions and detecting anomalies. 
+ +--- + + +## [+] GPG-Overview +Each `.log`-file was digitally signed with GPG where applicable. +The signature status is documented per command.
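Review bot: In the abschlussbericht hunk (the `dif_gutachten` log), the per-entry SHA256 evidently covers only the captured output, not the command line or timestamp: `sudo mount -o ro /dev/nbd0p2 /mnt/efi` and `sudo mkdir -p ~/Documents/auswertung/` carry the identical hash `aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f`, and the two `mount | grep /mnt` runs at `18-28-49` and `20-08-59` share `5701af33c9936d5a4213bdc9ce95b07383533c58de3746fdb6cb08961ebc76d9`, so the hash does not bind a command to its entry; hash (or sign) command + timestamp + output together. Two entries record stderr text as the command (`tar (child): /home/kali/Documents/dif_auswertung/belle_home.tar.gz: Cannot open: No such file or directory` and `Error opening image file (raw_open: file "/dev/nbd0p3" - Permission denied)`), the context generator then reports "This does not appear to be a valid command", and the analyst comment at `20-24-57` states the home directories were archived with tar although the only tar entry is that failure and no successful run follows (note the target path `dif_auswertung` also differs from the later `mkdir -p ~/Documents/auswertung/`); either add the successful invocation or amend the comment. The ext4 partition on `/dev/nbd0p3` is mounted with `(ro,relatime)` only; for evidence mounts add `noload` (e.g. `-o ro,noload`) because a plain read-only ext4 mount can still replay a dirty journal and write to the device. Finally, `sudo tsk_recover -a /dev/nbd0p3 ...` has "[x] No specific explanation found"; document that `-a` limits recovery to allocated files (no unallocated/deleted content), otherwise "Files Recovered: 161794" reads as a complete extraction.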
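Review bot: In the `gutachten_report_01.md` hunk the logger loses the command line whenever a run fails: three entries carry an empty command (`### [+] Command: ``` with the constant hash `fd919e45a98f1ae9c0947eed0f758c5cc388ed705627f6eb2e150686d70814bc`), including the `mmls` run the comment at `12-41-43` refers to, and the first stderr line is stored as the command for `Possible encryption detected (High entropy (7.78))`, `Device /dev/loop0 is not a valid LUKS device.` and the VeraCrypt `Error: Operation failed due to one or more of the following:` block, so the tools, options and devices actually tried are not in the record; capture the command string before execution and independently of exit status. The conclusion at `12-47-33` ("Die Festplatte ist verschluesselt") rests on `file` reporting `data` and an entropy of 7.78, which is consistent with encryption but also with compressed or random-filled data, so state it as a hypothesis until the container type is identified. The step that bridges this report (opaque `data` on `/dev/loop0`; VeraCrypt, LUKS and BitLocker ruled out) and the other hunk, where partitions of `/dev/nbd0` are mounted as ext4/vfat, is not in the visible hunks; add the entry that resolved this, together with a hash of the image at that point, so the two reports can be shown to describe the same evidence.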