Expert report continued, considerable amounts of files secured

main
Ahzek 2025-07-14 20:42:26 +02:00
parent 7f4590c407
commit d271296314
3 changed files with 1701 additions and 6 deletions


@ -8,17 +8,22 @@ Bearbeitende Forensiker:
- Niklas Heringer
# Datenübergabe
Die Daten des Falls wurden uns via einem **Write Blocker**.
Die Daten des Falls wurden uns via einem **Write Blocker** übergeben, zu sehen im folgenden Bild:
![Image](IMG_4509.png)
+++ gescheite Bildbeschreibungen
Zur Sicherung des digitalen Beweismittels wurde zunächst das Tool `CRUWBlocker_.exe` ausgeführt, um den Write Blocker ordnungsgemäß zu initialisieren
Dies dient der Gewährleistung der Integrität der vorliegenden Daten gemäß forensischer Standards.
Die technischen Daten des Write Blockers:
![Image](IMG_4513.png)
Die technischen Daten des Netzteils des Write Blockers:
![Image](IMG_4514.png)
Zur Sicherung des digitalen Beweismittels wurde zunächst das Tool `CRUWBlocker_.exe` ausgeführt, um den Write Blocker ordnungsgemäß zu initialisieren.
> Die Verwendung des Write Blockers dient der Gewährleistung der Integrität der vorliegenden Daten gemäß forensischer Standards.
Übertragungsaufbau:
![Image](IMG_4506.png)
Technische Daten der Ursprungsfestplatte:
![Image](IMG_4510.png)
Nach erfolgreichem Anschluss des Datenträgers wurden die Systeminformationen des Datenträgers erhoben:
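Review bot: The Datenübergabe section in this hunk still carries editing residue that should not reach the final report: the placeholder `+++ gescheite Bildbeschreibungen`, the truncated line `Die Daten des Falls wurden uns via einem **Write Blocker**.` directly above its completed version, and two copies of the sentence `Zur Sicherung des digitalen Beweismittels wurde zunächst das Tool `CRUWBlocker_.exe` ausgeführt, um den Write Blocker ordnungsgemäß zu initialisieren` (one without a final period before the IMG_4513 block, one with it after IMG_4514). Keep one copy of each and replace the placeholder with real captions for IMG_4509, IMG_4513, IMG_4514, IMG_4506 and IMG_4510. Grammar: `via einem` should be `über einen` (or `mittels eines`). As a documentation point, the integrity statement in the blockquote would carry more weight if the section also recorded what `CRUWBlocker_.exe` reported about the bridge's write-protect status, rather than relying on photographs of the hardware and its power supply alone.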
@ -97,3 +102,493 @@ Algorithm Hash
MD5 BE61A64B8AAD45ABBC0B4C266B688EB2 C:\Users\herin\Documents\DIF PL\ForImage2.img
```
+++ gescheite Command-Erklärungen
## Fallbearbeitung - Initialisierung
Team 13 verwendet in dieser Bearbeitung den eigens angefertigten [Forensic Log Tracker](https://github.com/mev0lent/forensic-log-tracker) - dieser dient der Automatisierung von Hashing, Autor-Signaturen sowie dem Protokollieren sämtlicher Aktionen.
```bash
flt new-case gutachten --description "Forensisches Gutachten im Fall Tilo Barkholz"
[+] New case created: /home/kali/forensic-log-tracker/logs/gutachten
[+] Logs for case 'gutachten' will be stored in: /home/kali/forensic-log-tracker/logs/gutachten
```
```bash
md5sum ForImage2.img
be61a64b8aad45abbc0b4c266b688eb2 ForImage2.img
```
Die Übertragung auf die Bearbeitungs-VM erfolgte reibungslos.
---
## Fallbearbeitung - Bearbeitungslog
# [++] Forensic report of case: dif_gutachten
## [++] Description
Forensisches Gutachten im Fall Tilo Barkholz
## [++] Timeline of Commands and Comments
### [+] Command: `file ForImage2.img`
- Timestamp: `2025-07-14T18-03-17-505557+02-00`
- GPG-signature: [+] Valid
- SHA256: `7bf5d482601016dfe39f3de29aad7f83b3a0f59d3177828e1f1823817b1778d8`
#### Output:
```Shell
[STDOUT]
ForImage2.img: QEMU QCOW Image (v3), 35433480192 bytes (v3), 35433480192 bytes
[STDERR]
```
#### Context:
### [+] Legal Context for `file ForImage2.img`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T18:21:56.035483+02:00
`file` identifies file types by examining magic numbers and headers. Useful for verifying or correcting file extensions and detecting anomalies.
---
### [+] Timestamp: `2025-07-14T18-05-10-852941+02-00`
#### [+] Comment from analyst: Niklas Heringer
#### [+] Content:
Der file-Befehl wurde verwendet, um das Format des Abbilds zu bestimmen. Dabei wurde erkannt, dass es sich um ein QCOW2-Image handelt, ein haeufig genutztes Format fuer virtuelle Maschinen unter QEMU/KVM
---
### [+] Timestamp: `2025-07-14T18-06-02-925862+02-00`
#### [+] Comment from analyst: Niklas Heringer
#### [+] Content:
Wir werden nun Partitionen im Image identifizieren, um sie zu extrahiern & zu analysieren
---
### [+] Command: `sudo modprobe nbd max_part=8`
- Timestamp: `2025-07-14T18-06-22-301370+02-00`
- GPG-signature: [+] Valid
- SHA256: `aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f`
#### Output:
```Shell
[STDOUT]
[STDERR]
```
#### Context:
### [+] Legal Context for `sudo modprobe nbd max_part=8`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T18:21:56.051974+02:00
**[!] Note:** This command was executed with administrative rights (`sudo`).
[x] No specific explanation found.
---
### [+] Command: `sudo: qemu-nbd: command not found`
- Timestamp: `2025-07-14T18-06-51-644697+02-00`
- GPG-signature: [+] Valid
- SHA256: `7bd21e679c39eb29ea0eebe56f0a54110538c4bdb094fbbd9d7b9e8d7c2a7ed4`
#### Output:
```Shell
[!] Command failed:
sudo: qemu-nbd: command not found
```
#### Context:
### [+] Legal Context for `sudo: qemu-nbd: command not found`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T18:21:56.068456+02:00
[x] No specific explanation found.
---
### [+] Command: `qemu-nbd: unrecognized option '--conect=/dev/nbd0'`
- Timestamp: `2025-07-14T18-07-49-932393+02-00`
- GPG-signature: [+] Valid
- SHA256: `23ec6e05fb897e4b0ad2d77613416100a2fcd3f300135a2e5677364b4b115d74`
#### Output:
```Shell
[!] Command failed:
qemu-nbd: unrecognized option '--conect=/dev/nbd0'
qemu-nbd: Try `qemu-nbd --help' for more information.
```
#### Context:
### [+] Legal Context for `qemu-nbd: unrecognized option '--conect=/dev/nbd0'`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T18:21:56.085776+02:00
[x] No specific explanation found.
---
### [+] Command: `sudo qemu-nbd --connect=/dev/nbd0 ForImage2.img`
- Timestamp: `2025-07-14T18-08-00-970730+02-00`
- GPG-signature: [+] Valid
- SHA256: `aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f`
#### Output:
```Shell
[STDOUT]
[STDERR]
```
#### Context:
### [+] Legal Context for `sudo qemu-nbd --connect=/dev/nbd0 ForImage2.img`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T18:21:56.102182+02:00
**[!] Note:** This command was executed with administrative rights (`sudo`).
[x] No specific explanation found.
---
### [+] Command: `sudo fdisk -l /dev/nbd0`
- Timestamp: `2025-07-14T18-08-17-811009+02-00`
- GPG-signature: [+] Valid
- SHA256: `4a2bcce842d23a7b6e392a9e547e0942145cdd7450910980c116667d81b5078a`
#### Output:
```Shell
[STDOUT]
Disk /dev/nbd0: 33 GiB, 35433480192 bytes, 69206016 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 131072 bytes
Disklabel type: gpt
Disk identifier: 7AB35F56-8FB0-407B-AC62-FD7C3E10AB6A
Device Start End Sectors Size Type
/dev/nbd0p1 2048 4095 2048 1M BIOS boot
/dev/nbd0p2 4096 1054719 1050624 513M EFI System
/dev/nbd0p3 1054720 46135295 45080576 21.5G Linux filesystem
/dev/nbd0p4 46874624 68360191 21485568 10.2G Microsoft basic data
[STDERR]
```
#### Context:
### [+] Legal Context for `sudo fdisk -l /dev/nbd0`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T18:21:56.119311+02:00
**[!] Note:** This command was executed with administrative rights (`sudo`).
`fdisk` is an interactive command-line tool to create, delete, and manage partitions on storage devices.
Lists partition tables of all recognized devices.
---
### [+] Timestamp: `2025-07-14T18-09-46-180536+02-00`
#### [+] Comment from analyst: Niklas Heringer
#### [+] Content:
Das QCOW2-Image wurde mit qemu-nbd als Blockgerät bereitgestellt, um anschließend mit fdisk die Partitionstabelle und Dateisystemtypen zu identifizieren ein essenzieller Schritt zur Strukturaufklärung und Vorbereitung weiterer Analysen.
---
### [+] Timestamp: `2025-07-14T18-10-39-291304+02-00`
#### [+] Comment from analyst: Niklas Heringer
#### [+] Content:
Hierbei haben wir vier Partitionen entdeckt, die wir nun naeher untersuchen werden
---
### [+] Command: `sudo mmls /dev/nbd0`
- Timestamp: `2025-07-14T18-10-44-804259+02-00`
- GPG-signature: [+] Valid
- SHA256: `1e7e7d7d86604a62aceffd32db9f4f6f897f22c84de9f2367b46bf6fa4d9b77b`
#### Output:
```Shell
[STDOUT]
GUID Partition Table (EFI)
Offset Sector: 0
Units are in 512-byte sectors
Slot Start End Length Description
000: Meta 0000000000 0000000000 0000000001 Safety Table
001: ------- 0000000000 0000002047 0000002048 Unallocated
002: Meta 0000000001 0000000001 0000000001 GPT Header
003: Meta 0000000002 0000000033 0000000032 Partition Table
004: 000 0000002048 0000004095 0000002048
005: 001 0000004096 0001054719 0001050624 EFI System Partition
006: 002 0001054720 0046135295 0045080576
007: ------- 0046135296 0046874623 0000739328 Unallocated
008: 003 0046874624 0068360191 0021485568 FAT
009: ------- 0068360192 0069206015 0000845824 Unallocated
[STDERR]
```
#### Context:
### [+] Legal Context for `sudo mmls /dev/nbd0`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T18:21:56.136172+02:00
**[!] Note:** This command was executed with administrative rights (`sudo`).
`mmls` analyzes the partition layout of a disk image without modifying it. It shows partitions, offsets, and sizes — a typical forensic step before mounting.
---
### [+] Timestamp: `2025-07-14T18-11-51-739620+02-00`
#### [+] Comment from analyst: Niklas Heringer
#### [+] Content:
Die Analyse mit mmls dient der genauen Bestimmung der Partitionsstruktur und der Start-Offsets, was erforderlich ist, um gezielt Dateien zu extrahieren und das Dateisystem forensisch korrekt zu analysieren.
---
### [+] Timestamp: `2025-07-14T18-13-42-016732+02-00`
#### [+] Comment from analyst: Niklas Heringer
#### [+] Content:
Die mmls-Ausgabe zeigt vier Partitionen. Drei davon sind relevant für die Analyse die BIOS-Boot-Partition (nur 1MB) enthält keine Nutzdaten und wird daher übersprungen.
---
### [+] Timestamp: `2025-07-14T18-13-51-840180+02-00`
#### [+] Comment from analyst: Niklas Heringer
#### [+] Content:
Die Partitionen 005 (EFI), 006 (Linux-Dateisystem) und 008 (Microsoft-Dateisystem) werden einzeln gemountet und analysiert, um strukturierte und nachvollziehbare Ergebnisse zu erhalten.
---
### [+] Timestamp: `2025-07-14T18-13-59-612800+02-00`
#### [+] Comment from analyst: Niklas Heringer
#### [+] Content:
Eine sequentielle Analyse aller nutzbaren Partitionen erlaubt eine saubere Trennung der Datenquellen und kann forensisch besser dokumentiert werden.
---
### [+] Command: `sudo mkdir -p /mnt/efi /mnt/linuxfs /mnt/windows`
- Timestamp: `2025-07-14T18-16-06-814084+02-00`
- GPG-signature: [+] Valid
- SHA256: `aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f`
#### Output:
```Shell
[STDOUT]
[STDERR]
```
#### Context:
### [+] Legal Context for `sudo mkdir -p /mnt/efi /mnt/linuxfs /mnt/windows`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T18:21:56.154189+02:00
**[!] Note:** This command was executed with administrative rights (`sudo`).
`mkdir` creates a directory. In forensic workflows, it is often used to prepare target folders for mounts or exported data.
The `-p` option ensures that parent directories are created as needed. It also avoids errors if the target directory already exists.
---
### [+] Timestamp: `2025-07-14T18-16-14-867728+02-00`
#### [+] Comment from analyst: Niklas Heringer
#### [+] Content:
Drei dedizierte Mount-Verzeichnisse wurden erstellt, um die Partitionen getrennt voneinander und nachvollziehbar analysieren zu können.
---
### [+] Command: `sudo mount -o ro /dev/nbd0p3 /mnt/linuxfs`
- Timestamp: `2025-07-14T18-18-28-516252+02-00`
- GPG-signature: [+] Valid
- SHA256: `aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f`
#### Output:
```Shell
[STDOUT]
[STDERR]
```
#### Context:
### [+] Legal Context for `sudo mount -o ro /dev/nbd0p3 /mnt/linuxfs`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T18:21:56.171151+02:00
**[!] Note:** This command was executed with administrative rights (`sudo`).
`mount` is used to attach a filesystem to the directory tree. In forensic contexts, it must be used cautiously, as mounting can alter timestamps or content.
The `-o` option sets mount parameters — e.g., to enable read-only mode or suppress timestamp changes.
`ro` stands for "read-only". It ensures that the mounted filesystem is not modified. This is critical in digital forensics.
---
### [+] Timestamp: `2025-07-14T18-18-36-250749+02-00`
#### [+] Comment from analyst: Niklas Heringer
#### [+] Content:
Das Linux-Dateisystem wurde readonly in /mnt/linuxfs eingebunden, um die Hauptdatenstruktur des Betriebssystems forensisch zu untersuchen.
---
### [+] Command: `sudo mount -o ro /dev/nbd0p4 /mnt/windows`
- Timestamp: `2025-07-14T18-18-44-352022+02-00`
- GPG-signature: [+] Valid
- SHA256: `aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f`
#### Output:
```Shell
[STDOUT]
[STDERR]
```
#### Context:
### [+] Legal Context for `sudo mount -o ro /dev/nbd0p4 /mnt/windows`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T18:21:56.188116+02:00
**[!] Note:** This command was executed with administrative rights (`sudo`).
`mount` is used to attach a filesystem to the directory tree. In forensic contexts, it must be used cautiously, as mounting can alter timestamps or content.
The `-o` option sets mount parameters — e.g., to enable read-only mode or suppress timestamp changes.
`ro` stands for "read-only". It ensures that the mounted filesystem is not modified. This is critical in digital forensics.
---
### [+] Timestamp: `2025-07-14T18-18-48-788722+02-00`
#### [+] Comment from analyst: Niklas Heringer
#### [+] Content:
Die als 'Microsoft Basic Data' gekennzeichnete Partition wurde readonly in /mnt/windows eingebunden, vermutlich zur Analyse von Benutzerdaten oder Überresten eines Dual-Boot-Systems.
---
### [+] Command: `qemu-nbd: Failed to blk_new_open 'ForImage2.img': Failed to get "write" lock`
- Timestamp: `2025-07-14T18-20-16-782579+02-00`
- GPG-signature: [+] Valid
- SHA256: `927576f78ad2da1d55b32d2e32af8a13ec8a59dcde4168fcfbea80ab6c3161be`
#### Output:
```Shell
[!] Command failed:
qemu-nbd: Failed to blk_new_open 'ForImage2.img': Failed to get "write" lock
Is another process using the image [ForImage2.img]?
```
#### Context:
### [+] Legal Context for `qemu-nbd: Failed to blk_new_open 'ForImage2.img': Failed to get "write" lock`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T18:21:56.204455+02:00
[x] No specific explanation found.
---
## [+] GPG-Overview
Each `.log`-file was digitally signed with GPG where applicable.
The signature status is documented per command.
---
### Wichtige Abfolge nach Neustart der Forensischen Untersuchungsstation
Nach einem Neustart der virtuellen Maschine muss die Verbindung zum QCOW-Image erneut hergestellt werden, da die `qemu-nbd`-Verbindung und die Mountpunkte nicht persistent sind. Die folgenden Schritte sind erforderlich:
**1. NBD-Modul erneut laden**
Bindet das Netzwerk-Block-Device-Modul mit ausreichend Partitionseinträgen ein:
```bash
sudo modprobe nbd max_part=8
```
**2. Image erneut mit NBD verbinden**
Stellt die Verbindung zwischen dem QCOW-Image und dem NBD-Gerät her:
```bash
sudo qemu-nbd --connect=/dev/nbd0 ForImage2.img
```
**3. Partitionen erneut mounten (readonly)**
Mountet die relevanten Partitionen wieder in die vorgesehenen Verzeichnisse:
```bash
sudo mount -o ro /dev/nbd0p2 /mnt/efi
sudo mount -o ro /dev/nbd0p3 /mnt/linuxfs
sudo mount -o ro /dev/nbd0p4 /mnt/windows
```
Diese Schritte müssen nach jedem VM-Neustart durchgeführt werden, um erneut forensischen Zugriff auf die Dateisysteme zu erhalten.
---
---
## Ergebnis: Feststellung von Dateien zum Ermittlungsverfahren wegen Verkauf gefälschter Pässe
---
## Ergebnis: Nachweis der Nutzung/ Verbreitung
---
## Ergebnis Extrahierung der elektronischen Kommunikation (E-Mail, Chat)
---
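Review bot: The three failed invocations in the embedded log are recorded with their error text as the command, for example `### [+] Command: `sudo: qemu-nbd: command not found``, so the command lines actually typed (including the `--conect` typo) are not preserved anywhere; the tracker should store the command separately from its result, or an analyst comment should state what was run. The last of those errors, `Failed to get "write" lock`, also shows that `sudo qemu-nbd --connect=/dev/nbd0 ForImage2.img` opens the image read-write at the block-device level while only the mounts are `ro`; use `sudo qemu-nbd --read-only --connect=/dev/nbd0 ForImage2.img` here and in the restart procedure under "Wichtige Abfolge nach Neustart", mount the ext4 partition with `-o ro,noload` so a read-only mount cannot replay the journal, and re-hash `ForImage2.img` at the end of the session against the MD5 `be61a64b8aad45abbc0b4c266b688eb2` recorded at the start to demonstrate that nothing changed. The identical SHA256 `aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f` on the `modprobe`, `qemu-nbd`, `mkdir` and both `mount` entries indicates the hash covers only the (empty) output, so it does not bind a command to its result; if it is meant to authenticate a log entry it should cover command, timestamp and output together. Two smaller points: the placeholder `+++ gescheite Command-Erklärungen` is still in the file, and the "Fallbearbeitung - Bearbeitungslog" section pastes a snapshot of the tracker report that the second file in this commit already regenerates with newer Legal-Context timestamps (20:40 versus 18:21), so link to the generated file or rebuild this section at report build time instead of keeping two diverging copies.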


@ -0,0 +1,801 @@
# [++] Forensic report of case: dif_gutachten
## [++] Description
Forensisches Gutachten im Fall Tilo Barkholz
## [++] Timeline of Commands and Comments
### [+] Command: `file ForImage2.img`
- Timestamp: `2025-07-14T18-03-17-505557+02-00`
- GPG-signature: [+] Valid
- SHA256: `7bf5d482601016dfe39f3de29aad7f83b3a0f59d3177828e1f1823817b1778d8`
#### Output:
```Shell
[STDOUT]
ForImage2.img: QEMU QCOW Image (v3), 35433480192 bytes (v3), 35433480192 bytes
[STDERR]
```
#### Context:
### [+] Legal Context for `file ForImage2.img`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T20:40:59.760772+02:00
`file` identifies file types by examining magic numbers and headers. Useful for verifying or correcting file extensions and detecting anomalies.
---
### [+] Timestamp: `2025-07-14T18-05-10-852941+02-00`
#### [+] Comment from analyst: Niklas Heringer
#### [+] Content:
Der file-Befehl wurde verwendet, um das Format des Abbilds zu bestimmen. Dabei wurde erkannt, dass es sich um ein QCOW2-Image handelt, ein haeufig genutztes Format fuer virtuelle Maschinen unter QEMU/KVM
---
### [+] Timestamp: `2025-07-14T18-06-02-925862+02-00`
#### [+] Comment from analyst: Niklas Heringer
#### [+] Content:
Wir werden nun Partitionen im Image identifizieren, um sie zu extrahiern & zu analysieren
---
### [+] Command: `sudo modprobe nbd max_part=8`
- Timestamp: `2025-07-14T18-06-22-301370+02-00`
- GPG-signature: [+] Valid
- SHA256: `aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f`
#### Output:
```Shell
[STDOUT]
[STDERR]
```
#### Context:
### [+] Legal Context for `sudo modprobe nbd max_part=8`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T20:40:59.839755+02:00
**[!] Note:** This command was executed with administrative rights (`sudo`).
[x] No specific explanation found.
---
### [+] Command: `sudo: qemu-nbd: command not found`
- Timestamp: `2025-07-14T18-06-51-644697+02-00`
- GPG-signature: [+] Valid
- SHA256: `7bd21e679c39eb29ea0eebe56f0a54110538c4bdb094fbbd9d7b9e8d7c2a7ed4`
#### Output:
```Shell
[!] Command failed:
sudo: qemu-nbd: command not found
```
#### Context:
### [+] Legal Context for `sudo: qemu-nbd: command not found`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T20:40:59.860730+02:00
[x] No specific explanation found.
---
### [+] Command: `qemu-nbd: unrecognized option '--conect=/dev/nbd0'`
- Timestamp: `2025-07-14T18-07-49-932393+02-00`
- GPG-signature: [+] Valid
- SHA256: `23ec6e05fb897e4b0ad2d77613416100a2fcd3f300135a2e5677364b4b115d74`
#### Output:
```Shell
[!] Command failed:
qemu-nbd: unrecognized option '--conect=/dev/nbd0'
qemu-nbd: Try `qemu-nbd --help' for more information.
```
#### Context:
### [+] Legal Context for `qemu-nbd: unrecognized option '--conect=/dev/nbd0'`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T20:40:59.889332+02:00
[x] No specific explanation found.
---
### [+] Command: `sudo qemu-nbd --connect=/dev/nbd0 ForImage2.img`
- Timestamp: `2025-07-14T18-08-00-970730+02-00`
- GPG-signature: [+] Valid
- SHA256: `aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f`
#### Output:
```Shell
[STDOUT]
[STDERR]
```
#### Context:
### [+] Legal Context for `sudo qemu-nbd --connect=/dev/nbd0 ForImage2.img`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T20:40:59.907323+02:00
**[!] Note:** This command was executed with administrative rights (`sudo`).
[x] No specific explanation found.
---
### [+] Command: `sudo fdisk -l /dev/nbd0`
- Timestamp: `2025-07-14T18-08-17-811009+02-00`
- GPG-signature: [+] Valid
- SHA256: `4a2bcce842d23a7b6e392a9e547e0942145cdd7450910980c116667d81b5078a`
#### Output:
```Shell
[STDOUT]
Disk /dev/nbd0: 33 GiB, 35433480192 bytes, 69206016 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 131072 bytes
Disklabel type: gpt
Disk identifier: 7AB35F56-8FB0-407B-AC62-FD7C3E10AB6A
Device Start End Sectors Size Type
/dev/nbd0p1 2048 4095 2048 1M BIOS boot
/dev/nbd0p2 4096 1054719 1050624 513M EFI System
/dev/nbd0p3 1054720 46135295 45080576 21.5G Linux filesystem
/dev/nbd0p4 46874624 68360191 21485568 10.2G Microsoft basic data
[STDERR]
```
#### Context:
### [+] Legal Context for `sudo fdisk -l /dev/nbd0`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T20:40:59.937090+02:00
**[!] Note:** This command was executed with administrative rights (`sudo`).
`fdisk` is an interactive command-line tool to create, delete, and manage partitions on storage devices.
Lists partition tables of all recognized devices.
---
### [+] Timestamp: `2025-07-14T18-09-46-180536+02-00`
#### [+] Comment from analyst: Niklas Heringer
#### [+] Content:
Das QCOW2-Image wurde mit qemu-nbd als Blockgerät bereitgestellt, um anschließend mit fdisk die Partitionstabelle und Dateisystemtypen zu identifizieren ein essenzieller Schritt zur Strukturaufklärung und Vorbereitung weiterer Analysen.
---
### [+] Timestamp: `2025-07-14T18-10-39-291304+02-00`
#### [+] Comment from analyst: Niklas Heringer
#### [+] Content:
Hierbei haben wir vier Partitionen entdeckt, die wir nun naeher untersuchen werden
---
### [+] Command: `sudo mmls /dev/nbd0`
- Timestamp: `2025-07-14T18-10-44-804259+02-00`
- GPG-signature: [+] Valid
- SHA256: `1e7e7d7d86604a62aceffd32db9f4f6f897f22c84de9f2367b46bf6fa4d9b77b`
#### Output:
```Shell
[STDOUT]
GUID Partition Table (EFI)
Offset Sector: 0
Units are in 512-byte sectors
Slot Start End Length Description
000: Meta 0000000000 0000000000 0000000001 Safety Table
001: ------- 0000000000 0000002047 0000002048 Unallocated
002: Meta 0000000001 0000000001 0000000001 GPT Header
003: Meta 0000000002 0000000033 0000000032 Partition Table
004: 000 0000002048 0000004095 0000002048
005: 001 0000004096 0001054719 0001050624 EFI System Partition
006: 002 0001054720 0046135295 0045080576
007: ------- 0046135296 0046874623 0000739328 Unallocated
008: 003 0046874624 0068360191 0021485568 FAT
009: ------- 0068360192 0069206015 0000845824 Unallocated
[STDERR]
```
#### Context:
### [+] Legal Context for `sudo mmls /dev/nbd0`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T20:40:59.975491+02:00
**[!] Note:** This command was executed with administrative rights (`sudo`).
`mmls` analyzes the partition layout of a disk image without modifying it. It shows partitions, offsets, and sizes — a typical forensic step before mounting.
---
### [+] Timestamp: `2025-07-14T18-11-51-739620+02-00`
#### [+] Comment from analyst: Niklas Heringer
#### [+] Content:
Die Analyse mit mmls dient der genauen Bestimmung der Partitionsstruktur und der Start-Offsets, was erforderlich ist, um gezielt Dateien zu extrahieren und das Dateisystem forensisch korrekt zu analysieren.
---
### [+] Timestamp: `2025-07-14T18-13-42-016732+02-00`
#### [+] Comment from analyst: Niklas Heringer
#### [+] Content:
Die mmls-Ausgabe zeigt vier Partitionen. Drei davon sind relevant für die Analyse die BIOS-Boot-Partition (nur 1MB) enthält keine Nutzdaten und wird daher übersprungen.
---
### [+] Timestamp: `2025-07-14T18-13-51-840180+02-00`
#### [+] Comment from analyst: Niklas Heringer
#### [+] Content:
Die Partitionen 005 (EFI), 006 (Linux-Dateisystem) und 008 (Microsoft-Dateisystem) werden einzeln gemountet und analysiert, um strukturierte und nachvollziehbare Ergebnisse zu erhalten.
---
### [+] Timestamp: `2025-07-14T18-13-59-612800+02-00`
#### [+] Comment from analyst: Niklas Heringer
#### [+] Content:
Eine sequentielle Analyse aller nutzbaren Partitionen erlaubt eine saubere Trennung der Datenquellen und kann forensisch besser dokumentiert werden.
---
### [+] Command: `sudo mkdir -p /mnt/efi /mnt/linuxfs /mnt/windows`
- Timestamp: `2025-07-14T18-16-06-814084+02-00`
- GPG-signature: [+] Valid
- SHA256: `aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f`
#### Output:
```Shell
[STDOUT]
[STDERR]
```
#### Context:
### [+] Legal Context for `sudo mkdir -p /mnt/efi /mnt/linuxfs /mnt/windows`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T20:40:59.996144+02:00
**[!] Note:** This command was executed with administrative rights (`sudo`).
`mkdir` creates a directory. In forensic workflows, it is often used to prepare target folders for mounts or exported data.
The `-p` option ensures that parent directories are created as needed. It also avoids errors if the target directory already exists.
---
### [+] Timestamp: `2025-07-14T18-16-14-867728+02-00`
#### [+] Comment from analyst: Niklas Heringer
#### [+] Content:
Drei dedizierte Mount-Verzeichnisse wurden erstellt, um die Partitionen getrennt voneinander und nachvollziehbar analysieren zu können.
---
### [+] Command: `sudo mount -o ro /dev/nbd0p3 /mnt/linuxfs`
- Timestamp: `2025-07-14T18-18-28-516252+02-00`
- GPG-signature: [+] Valid
- SHA256: `aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f`
#### Output:
```Shell
[STDOUT]
[STDERR]
```
#### Context:
### [+] Legal Context for `sudo mount -o ro /dev/nbd0p3 /mnt/linuxfs`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T20:41:00.016107+02:00
**[!] Note:** This command was executed with administrative rights (`sudo`).
`mount` is used to attach a filesystem to the directory tree. In forensic contexts, it must be used cautiously, as mounting can alter timestamps or content.
The `-o` option sets mount parameters — e.g., to enable read-only mode or suppress timestamp changes.
`ro` stands for "read-only". It ensures that the mounted filesystem is not modified. This is critical in digital forensics.
---
### [+] Timestamp: `2025-07-14T18-18-36-250749+02-00`
#### [+] Comment from analyst: Niklas Heringer
#### [+] Content:
Das Linux-Dateisystem wurde readonly in /mnt/linuxfs eingebunden, um die Hauptdatenstruktur des Betriebssystems forensisch zu untersuchen.
---
### [+] Command: `sudo mount -o ro /dev/nbd0p4 /mnt/windows`
- Timestamp: `2025-07-14T18-18-44-352022+02-00`
- GPG-signature: [+] Valid
- SHA256: `aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f`
#### Output:
```Shell
[STDOUT]
[STDERR]
```
#### Context:
### [+] Legal Context for `sudo mount -o ro /dev/nbd0p4 /mnt/windows`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T20:41:00.034851+02:00
**[!] Note:** This command was executed with administrative rights (`sudo`).
`mount` is used to attach a filesystem to the directory tree. In forensic contexts, it must be used cautiously, as mounting can alter timestamps or content.
The `-o` option sets mount parameters — e.g., to enable read-only mode or suppress timestamp changes.
`ro` stands for "read-only". It ensures that the mounted filesystem is not modified. This is critical in digital forensics.
---
### [+] Timestamp: `2025-07-14T18-18-48-788722+02-00`
#### [+] Comment from analyst: Niklas Heringer
#### [+] Content:
Die als 'Microsoft Basic Data' gekennzeichnete Partition wurde readonly in /mnt/windows eingebunden, vermutlich zur Analyse von Benutzerdaten oder Überresten eines Dual-Boot-Systems.
---
### [+] Command: `qemu-nbd: Failed to blk_new_open 'ForImage2.img': Failed to get "write" lock`
- Timestamp: `2025-07-14T18-20-16-782579+02-00`
- GPG-signature: [+] Valid
- SHA256: `927576f78ad2da1d55b32d2e32af8a13ec8a59dcde4168fcfbea80ab6c3161be`
#### Output:
```Shell
[!] Command failed:
qemu-nbd: Failed to blk_new_open 'ForImage2.img': Failed to get "write" lock
Is another process using the image [ForImage2.img]?
```
#### Context:
### [+] Legal Context for `qemu-nbd: Failed to blk_new_open 'ForImage2.img': Failed to get "write" lock`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T20:41:00.052907+02:00
[x] No specific explanation found.
---
### [+] Command: `mount | grep /mnt`
- Timestamp: `2025-07-14T18-26-37-707012+02-00`
- GPG-signature: [+] Valid
- SHA256: `064de49535ebcda317b47383a76e27d37389b0e7b710cfa86f0437592927437a`
#### Output:
```Shell
[STDOUT]
/dev/nbd0p3 on /mnt/linuxfs type ext4 (ro,relatime)
/dev/nbd0p4 on /mnt/windows type vfat (ro,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro)
[STDERR]
```
#### Context:
### [+] Legal Context for `mount | grep /mnt`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T20:41:00.071170+02:00
`mount` is used to attach a filesystem to the directory tree. In forensic contexts, it must be used cautiously, as mounting can alter timestamps or content.
---
### [+] Command: `mount | grep /mnt`
- Timestamp: `2025-07-14T18-27-36-979838+02-00`
- GPG-signature: [+] Valid
- SHA256: `064de49535ebcda317b47383a76e27d37389b0e7b710cfa86f0437592927437a`
#### Output:
```Shell
[STDOUT]
/dev/nbd0p3 on /mnt/linuxfs type ext4 (ro,relatime)
/dev/nbd0p4 on /mnt/windows type vfat (ro,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro)
[STDERR]
```
#### Context:
### [+] Legal Context for `mount | grep /mnt`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T20:41:00.089190+02:00
`mount` is used to attach a filesystem to the directory tree. In forensic contexts, it must be used cautiously, as mounting can alter timestamps or content.
---
### [+] Command: `sudo mount -o ro /dev/nbd0p2 /mnt/efi`
- Timestamp: `2025-07-14T18-28-47-827648+02-00`
- GPG-signature: [+] Valid
- SHA256: `aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f`
#### Output:
```Shell
[STDOUT]
[STDERR]
```
#### Context:
### [+] Legal Context for `sudo mount -o ro /dev/nbd0p2 /mnt/efi`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T20:41:00.107459+02:00
**[!] Note:** This command was executed with administrative rights (`sudo`).
`mount` is used to attach a filesystem to the directory tree. In forensic contexts, it must be used cautiously, as mounting can alter timestamps or content.
The `-o` option sets mount parameters — e.g., to enable read-only mode or suppress timestamp changes.
`ro` stands for "read-only". It ensures that the mounted filesystem is not modified. This is critical in digital forensics.
---
### [+] Command: `mount | grep /mnt`
- Timestamp: `2025-07-14T18-28-49-632890+02-00`
- GPG-signature: [+] Valid
- SHA256: `5701af33c9936d5a4213bdc9ce95b07383533c58de3746fdb6cb08961ebc76d9`
#### Output:
```Shell
[STDOUT]
/dev/nbd0p3 on /mnt/linuxfs type ext4 (ro,relatime)
/dev/nbd0p4 on /mnt/windows type vfat (ro,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro)
/dev/nbd0p2 on /mnt/efi type vfat (ro,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro)
[STDERR]
```
#### Context:
### [+] Legal Context for `mount | grep /mnt`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T20:41:00.125685+02:00
`mount` is used to attach a filesystem to the directory tree. In forensic contexts, it must be used cautiously, as mounting can alter timestamps or content.
---
### [+] Timestamp: `2025-07-14T18-29-46-776359+02-00`
#### [+] Comment from analyst: Niklas Heringer
#### [+] Content:
Nun sind alle drei Partitionen von Interesse korrekt eingebunden und die Arbeit kann beginnen
---
### [+] Command: `mount | grep /mnt`
- Timestamp: `2025-07-14T20-08-59-917952+02-00`
- GPG-signature: [+] Valid
- SHA256: `5701af33c9936d5a4213bdc9ce95b07383533c58de3746fdb6cb08961ebc76d9`
#### Output:
```Shell
[STDOUT]
/dev/nbd0p3 on /mnt/linuxfs type ext4 (ro,relatime)
/dev/nbd0p4 on /mnt/windows type vfat (ro,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro)
/dev/nbd0p2 on /mnt/efi type vfat (ro,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro)
[STDERR]
```
#### Context:
### [+] Legal Context for `mount | grep /mnt`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T20:41:00.144446+02:00
`mount` is used to attach a filesystem to the directory tree. In forensic contexts, it must be used cautiously, as mounting can alter timestamps or content.
---
### [+] Timestamp: `2025-07-14T20-13-50-520875+02-00`
#### [+] Comment from analyst: Niklas Heringer
#### [+] Content:
Wir beginnen mit /mnt/linuxfs. Die Analyse der Linux-Systempartition dient der Erfassung benutzerspezifischer und systemweiter Artefakte, welche Rückschlüsse auf Nutzung, Konfiguration und potenziell sicherheitsrelevante Aktivitäten ermöglichen.
---
### [+] Command: `ls -la /mnt/linuxfs/home`
- Timestamp: `2025-07-14T20-13-56-887462+02-00`
- GPG-signature: [+] Valid
- SHA256: `f6768291b43b3d15242a63a188af4eef9bb76d1d7b0c857ca045103d57b8f2ad`
#### Output:
```Shell
[STDOUT]
total 20
drwxr-xr-x 5 root root 4096 Jul 4 2022 .
drwxr-xr-x 20 root root 4096 Jul 2 2022 ..
drwxr-x--- 16 1001 1001 4096 Jul 4 2022 belle
drwxr-x--- 3 1002 1002 4096 Jul 4 2022 kiara
drwxr-x--- 18 kali kali 4096 Jul 4 2022 pc
[STDERR]
```
#### Context:
### [+] Legal Context for `ls -la /mnt/linuxfs/home`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T20:41:00.163176+02:00
`ls` lists files in a directory. It is used to gain an overview and does not modify data.
---
### [+] Timestamp: `2025-07-14T20-14-29-073825+02-00`
#### [+] Comment from analyst: Niklas Heringer
#### [+] Content:
Wir verzeichnen drei User-Accounts, pc, belle und kiara.
---
### [+] Timestamp: `2025-07-14T20-15-13-781491+02-00`
#### [+] Comment from analyst: Niklas Heringer
#### [+] Content:
Bevor wir zu diesen im Einzelnen kommen, ueberpruefen wir systemweite Konfigurationen und Logs
---
### [+] Command: `ls -la /mnt/linuxfs/var/log`
- Timestamp: `2025-07-14T20-17-03-043108+02-00`
- GPG-signature: [+] Valid
- SHA256: `957a55a20047fe1e5639161fe828af67ba54211b33fcdb9974be18261331cacb`
#### Output:
```Shell
[STDOUT]
total 5336
drwxrwxr-x 13 root pulse 4096 Jul 4 2022 .
drwxr-xr-x 14 root root 4096 Apr 19 2022 ..
-rw-r--r-- 1 root root 21410 Jul 2 2022 alternatives.log
-rw-r----- 1 root adm 0 Jul 4 2022 apport.log
-rw-r----- 1 root adm 2369 Jul 2 2022 apport.log.1
drwxr-xr-x 2 root root 4096 Jul 4 2022 apt
-rw-r----- 1 tcpdump adm 80955 Jul 4 2022 auth.log
-rw------- 1 root root 34617 Jul 4 2022 boot.log
-rw------- 1 root root 33348 Jul 4 2022 boot.log.1
-rw-r--r-- 1 root root 108494 Apr 19 2022 bootstrap.log
-rw-rw---- 1 root utmp 0 Apr 19 2022 btmp
drwxr-xr-x 2 root root 4096 Jul 4 2022 cups
drwxr-xr-x 2 root root 4096 Apr 18 2022 dist-upgrade
-rw-r----- 1 root adm 68118 Jul 4 2022 dmesg
-rw-r----- 1 root adm 69151 Jul 4 2022 dmesg.0
-rw-r----- 1 root adm 16776 Jul 4 2022 dmesg.1.gz
-rw-r----- 1 root adm 17536 Jul 4 2022 dmesg.2.gz
-rw-r----- 1 root adm 17273 Jul 4 2022 dmesg.3.gz
... (truncated, showing first 20 and last 10 lines)
drwxr-xr-x 2 root root 4096 Mar 22 2022 openvpn
drwx------ 2 root root 4096 Apr 19 2022 private
drwx------ 2 Debian-snmp root 4096 Jan 8 2022 speech-dispatcher
-rw-r----- 1 tcpdump adm 2865079 Jul 4 2022 syslog
-rw-r--r-- 1 root root 0 Apr 19 2022 ubuntu-advantage.log
-rw-r--r-- 1 root root 631 Jul 4 2022 ubuntu-advantage-timer.log
drwxr-x--- 2 root adm 4096 Jul 3 2022 unattended-upgrades
-rw-rw-r-- 1 root utmp 31872 Jul 4 2022 wtmp
[STDERR]
```
#### Context:
### [+] Legal Context for `ls -la /mnt/linuxfs/var/log`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T20:41:00.182010+02:00
`ls` lists files in a directory. It is used to gain an overview and does not modify data.
---
### [+] Command: `ls -la /mnt/linuxfs/etc`
- Timestamp: `2025-07-14T20-18-24-994518+02-00`
- GPG-signature: [+] Valid
- SHA256: `55c42303907eb58bc29c73525cdde2ef75ba9aa595050b19496e142c3743a22f`
#### Output:
```Shell
[STDOUT]
total 1120
drwxr-xr-x 128 root root 12288 Jul 4 2022 .
drwxr-xr-x 20 root root 4096 Jul 2 2022 ..
drwxr-xr-x 3 root root 4096 Apr 19 2022 acpi
-rw-r--r-- 1 root root 3028 Apr 19 2022 adduser.conf
drwxr-xr-x 3 root root 4096 Apr 19 2022 alsa
drwxr-xr-x 2 root root 4096 Jul 3 2022 alternatives
-rw-r--r-- 1 root root 335 Mar 23 2022 anacrontab
-rw-r--r-- 1 root root 433 Mar 23 2022 apg.conf
drwxr-xr-x 5 root root 4096 Apr 19 2022 apm
drwxr-xr-x 3 root root 4096 Apr 19 2022 apparmor
drwxr-xr-x 8 root root 4096 Jul 3 2022 apparmor.d
drwxr-xr-x 3 root root 4096 Jul 3 2022 apport
-rw-r--r-- 1 root root 769 Feb 22 2022 appstream.conf
drwxr-xr-x 8 root root 4096 Jul 2 2022 apt
drwxr-xr-x 3 root root 4096 Apr 19 2022 avahi
-rw-r--r-- 1 root root 2319 Jan 6 2022 bash.bashrc
-rw-r--r-- 1 root root 45 Nov 11 2021 bash_completion
drwxr-xr-x 2 root root 4096 Jul 3 2022 bash_completion.d
... (truncated, showing first 20 and last 10 lines)
drwxr-xr-x 5 root root 4096 Apr 19 2022 vulkan
-rw-r--r-- 1 root root 4942 Jan 24 2022 wgetrc
drwxr-xr-x 2 root root 4096 Apr 19 2022 wpa_supplicant
drwxr-xr-x 12 root root 4096 Apr 19 2022 X11
-rw-r--r-- 1 root root 681 Mar 23 2022 xattr.conf
drwxr-xr-x 6 root root 4096 Apr 19 2022 xdg
drwxr-xr-x 2 root root 4096 Apr 19 2022 xml
-rw-r--r-- 1 root root 460 Dec 8 2021 zsh_command_not_found
[STDERR]
```
#### Context:
### [+] Legal Context for `ls -la /mnt/linuxfs/etc`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T20:41:00.200282+02:00
`ls` lists files in a directory. It is used to gain an overview and does not modify data.
---
### [+] Timestamp: `2025-07-14T20-19-31-817078+02-00`
#### [+] Comment from analyst: Niklas Heringer
#### [+] Content:
Applikationen, die ins Auge fallen: speech-dispatcher, security
---
### [+] Timestamp: `2025-07-14T20-20-29-497721+02-00`
#### [+] Comment from analyst: Niklas Heringer
#### [+] Content:
Beginnen wir nun mit dem User-Account 'belle'
---
### [+] Timestamp: `2025-07-14T20-24-57-659634+02-00`
#### [+] Comment from analyst: Niklas Heringer
#### [+] Content:
Zur beweissicheren Sicherung der Nutzerverzeichnisse wurden die Home-Verzeichnisse der identifizierten Accounts (belle, kiara, pc) aus der gemounteten Partition /mnt/linuxfs mittels tar archiviert. Die Sicherung erfolgte im Read-Only-Modus zur Wahrung der Integrität.
---
### [+] Command: `tar (child): /home/kali/Documents/dif_auswertung/belle_home.tar.gz: Cannot open: No such file or directory`
- Timestamp: `2025-07-14T20-25-28-820189+02-00`
- GPG-signature: [+] Valid
- SHA256: `e186e24efe2970d43583e5551223221c7a714bfab92e4721092ac3f97af4d19d`
#### Output:
```Shell
[!] Command failed:
tar (child): /home/kali/Documents/dif_auswertung/belle_home.tar.gz: Cannot open: No such file or directory
tar (child): Error is not recoverable: exiting now
tar: /home/kali/Documents/dif_auswertung/belle_home.tar.gz: Cannot write: Broken pipe
tar: Child returned status 2
tar: Error is not recoverable: exiting now
```
#### Context:
### [+] Legal Context for `tar (child): /home/kali/Documents/dif_auswertung/belle_home.tar.gz: Cannot open: No such file or directory`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T20:41:00.220927+02:00
`tar` is used to create and extract archive files. In forensics, its useful for packaging or reviewing archived evidence sets.
---
### [+] Command: `sudo mkdir -p ~/Documents/auswertung/`
- Timestamp: `2025-07-14T20-30-04-249825+02-00`
- GPG-signature: [+] Valid
- SHA256: `aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f`
#### Output:
```Shell
[STDOUT]
[STDERR]
```
#### Context:
### [+] Legal Context for `sudo mkdir -p ~/Documents/auswertung/`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T20:41:00.238957+02:00
**[!] Note:** This command was executed with administrative rights (`sudo`).
`mkdir` creates a directory. In forensic workflows, it is often used to prepare target folders for mounts or exported data.
The `-p` option ensures that parent directories are created as needed. It also avoids errors if the target directory already exists.
---
### [+] Command: `Error opening image file (raw_open: file "/dev/nbd0p3" - Permission denied)`
- Timestamp: `2025-07-14T20-30-36-090820+02-00`
- GPG-signature: [+] Valid
- SHA256: `cc9dda0ce603430217d5dc755d2c2e3486fd1ea9dbf2bc073eb00f383b03a3f8`
#### Output:
```Shell
[!] Command failed:
Error opening image file (raw_open: file "/dev/nbd0p3" - Permission denied)
```
#### Context:
### [+] Legal Context for `Error opening image file (raw_open: file "/dev/nbd0p3" - Permission denied)`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T20:41:00.257451+02:00
This does not appear to be a valid command. It may be the result of a misinterpreted log line or a failed execution attempt.
---
### [+] Command: `sudo tsk_recover -a /dev/nbd0p3 ~/Documents/auswertung/linuxfs_recover`
- Timestamp: `2025-07-14T20-30-46-797786+02-00`
- GPG-signature: [+] Valid
- SHA256: `215260492c038b4f3647587ef8a654cb227f0fa6748911259c0dcc83c3e40b1a`
#### Output:
```Shell
[STDOUT]
Files Recovered: 161794
[STDERR]
```
#### Context:
### [+] Legal Context for `sudo tsk_recover -a /dev/nbd0p3 ~/Documents/auswertung/linuxfs_recover`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T20:41:00.274845+02:00
**[!] Note:** This command was executed with administrative rights (`sudo`).
[x] No specific explanation found.
---
## [+] GPG-Overview
Each `.log`-file was digitally signed with GPG where applicable.
The signature status is documented per command.
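Review bot: The comment stating that the home directories of belle, kiara and pc were archived with tar in read-only mode is not supported by anything in this hunk. The only tar entry is headed by its own error text (`tar (child): /home/kali/Documents/dif_auswertung/belle_home.tar.gz: Cannot open: No such file or directory`), the command line that produced it was not captured, the target path `~/Documents/dif_auswertung/` was never created (the mkdir that follows creates the differently named `~/Documents/auswertung/`), and no successful tar run follows. The export that actually succeeded is `sudo tsk_recover -a /dev/nbd0p3 ~/Documents/auswertung/linuxfs_recover` with 161794 files recovered; the comment should be corrected to say so, and a hash listing of the exported tree should be recorded so the export can be tied back to the image. Two further points on that entry: its context reads `[x] No specific explanation found.`, so the tool's explanation table needs an entry for tsk_recover (Sleuth Kit file export), and `-a` exports allocated files only, so if deleted content was meant to be included, `-e` is the required flag. The preceding entry headed "Error opening image file (raw_open ... Permission denied)" is evidently the same command run without sudo, again with stderr captured in place of the command. Finally, the comment "Applikationen, die ins Auge fallen: speech-dispatcher, security" cannot be checked against the report, because both directory listings are truncated to the first 20 and last 10 lines and `security` appears in neither; include the full listing or reference the untruncated log file.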

View File

@ -0,0 +1,399 @@
# [++] Forensic report of case: gutachten
## [++] Description
Forensisches Gutachten im Fall Tilo Barkholz
## [++] Timeline of Commands and Comments
### [+] Command: ``
- Timestamp: `2025-07-14T12-40-04-233389+02-00`
- GPG-signature: [+] Valid
- SHA256: `fd919e45a98f1ae9c0947eed0f758c5cc388ed705627f6eb2e150686d70814bc`
#### Output:
```Shell
[!] Command failed:
```
#### Context:
[x] Skipped: command was empty or malformed.
---
### [+] Timestamp: `2025-07-14T12-41-43-682585+02-00`
#### [+] Comment from analyst: Niklas Heringer
#### [+] Content:
Dass der vorige mmls-Befehl keinen Output zeigt kann daran liegen, dass das vorliegende Image a) keine Partitionstabelle enthaelt, b) korrumpiert ist oder c) das Format nicht unterstuetzt wird - einer der ersteren beiden Faelle ist am wahrscheinlichsten
---
### [+] Command: `file ForImage2.img`
- Timestamp: `2025-07-14T12-42-00-750002+02-00`
- GPG-signature: [+] Valid
- SHA256: `e5574e10aa2e91ce0457096afc0c31af8f3e21c5db3b95cc96154bf564d84f7d`
#### Output:
```Shell
[STDOUT]
ForImage2.img: data
[STDERR]
```
#### Context:
### [+] Legal Context for `file ForImage2.img`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T13:33:27.735730+02:00
`file` identifies file types by examining magic numbers and headers. Useful for verifying or correcting file extensions and detecting anomalies.
---
### [+] Command: `hexdump -C Forimage2.img | head`
- Timestamp: `2025-07-14T12-42-23-145012+02-00`
- GPG-signature: [+] Valid
- SHA256: `ac6841b50ac32ef32fe82a77a7455cdb3a5441c04f828d72f7ffea3ca6f733de`
#### Output:
```Shell
[STDOUT]
[STDERR]
hexdump: Forimage2.img: No such file or directory
hexdump: all input file arguments failed
```
#### Context:
### [+] Legal Context for `hexdump -C Forimage2.img | head`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T13:33:27.761024+02:00
`hexdump` displays file content in hexadecimal and ASCII. Useful for examining file headers, signatures, and patterns.
---
### [+] Command: `hexdump -C ForImage2.img | head`
- Timestamp: `2025-07-14T12-42-31-319015+02-00`
- GPG-signature: [+] Valid
- SHA256: `cb81adfdf9b749fd17c4f7fef893c144865f8c787bebe45b8e98a91aab896474`
#### Output:
```Shell
[STDOUT]
00000000 28 cb 32 eb 6a b7 b0 8e 3c 00 00 00 00 c0 08 70 |(.2.j...<......p|
00000010 93 5d 39 63 4c c6 71 cc eb fe 05 20 f2 97 2a f2 |.]9cL.q.... ..*.|
00000020 91 52 2a 22 b7 29 14 6a e4 01 00 00 00 00 46 24 |.R*".).j......F$|
00000030 5a 8c 59 57 23 2f 39 e7 d2 ed ee 8a c5 45 20 f2 |Z.YW#/9......E .|
00000040 a3 0b 16 89 88 38 e7 91 b5 56 ba e5 27 01 00 00 |.....8...V..'...|
00000050 00 00 c0 48 5c 9e 71 c6 18 b7 d6 4a ad b5 f4 b7 |...H\.q....J....|
00000060 13 b2 f2 10 f9 4b e9 58 ee c7 12 11 33 c6 48 c6 |.....K.X....3.H.|
00000070 98 8f 10 d1 b1 00 00 00 00 00 46 80 10 82 a2 28 |..........F....(|
00000080 62 49 92 50 96 65 44 44 9a 30 d9 15 22 3f 22 99 |bI.P.eDD.0.."?".|
00000090 a7 34 4d 59 96 65 d6 6d 0a 05 89 07 00 00 00 00 |.4MY.e.m........|
[STDERR]
```
#### Context:
### [+] Legal Context for `hexdump -C ForImage2.img | head`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T13:33:27.786303+02:00
`hexdump` displays file content in hexadecimal and ASCII. Useful for examining file headers, signatures, and patterns.
---
### [+] Timestamp: `2025-07-14T12-43-00-357585+02-00`
#### [+] Comment from analyst: Niklas Heringer
#### [+] Content:
Die Festplatte ist somit schonmal nicht leer
---
### [+] Command: `Possible encryption detected (High entropy (7.78))`
- Timestamp: `2025-07-14T12-43-27-753682+02-00`
- GPG-signature: [+] Valid
- SHA256: `7cf027cc2dd683a3860ce27d3fcd52f6b47597c2f8a4ef714949b9e53d0effcc`
#### Output:
```Shell
[!] Command failed:
Possible encryption detected (High entropy (7.78))
```
#### Context:
### [+] Legal Context for `Possible encryption detected (High entropy (7.78))`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T13:33:27.810925+02:00
[x] No specific explanation found.
---
### [+] Timestamp: `2025-07-14T12-47-33-066391+02-00`
#### [+] Comment from analyst: Niklas Heringer
#### [+] Content:
Die Festplatte ist verschluesselt - auf ihrer Rueckseite war ein kurzes Passwort zu finden, womoeglich die Passphrase, doch zuvor ueberpruefen wir nun, ob der Verschluesslungstyp ermittelbar ist
---
### [+] Timestamp: `2025-07-14T12-55-11-062938+02-00`
#### [+] Comment from analyst: Niklas Heringer
#### [+] Content:
fsstat vermutliche Verschluesselung, mmls erkennt keine Partition, hexdump zeigt kein erkennbares Filesystem - bevor wir mounten, muessen wir entschluesseln
---
### [+] Command: `mkdir: cannot create directory /mnt/crypt: Permission denied`
- Timestamp: `2025-07-14T13-04-39-432095+02-00`
- GPG-signature: [+] Valid
- SHA256: `5eed114f808f358973b99c9c298586336d608a7d7716c47484861730577f9d82`
#### Output:
```Shell
[!] Command failed:
mkdir: cannot create directory /mnt/crypt: Permission denied
```
#### Context:
### [+] Legal Context for `mkdir: cannot create directory /mnt/crypt: Permission denied`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T13:33:27.836004+02:00
[x] No specific explanation found.
---
### [+] Command: `sudo mkdir -p /mnt/crypt`
- Timestamp: `2025-07-14T13-04-46-220116+02-00`
- GPG-signature: [+] Valid
- SHA256: `aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f`
#### Output:
```Shell
[STDOUT]
[STDERR]
```
#### Context:
### [+] Legal Context for `sudo mkdir -p /mnt/crypt`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T13:33:27.861090+02:00
**[!] Note:** This command was executed with administrative rights (`sudo`).
`mkdir` creates a directory. In forensic workflows, it is often used to prepare target folders for mounts or exported data.
The `-p` option ensures that parent directories are created as needed. It also avoids errors if the target directory already exists.
---
### [+] Command: ``
- Timestamp: `2025-07-14T13-05-08-024574+02-00`
- GPG-signature: [+] Valid
- SHA256: `fd919e45a98f1ae9c0947eed0f758c5cc388ed705627f6eb2e150686d70814bc`
#### Output:
```Shell
[!] Command failed:
```
#### Context:
[x] Skipped: command was empty or malformed.
---
### [+] Command: `Error: Operation failed due to one or more of the following:`
- Timestamp: `2025-07-14T13-07-02-580209+02-00`
- GPG-signature: [+] Valid
- SHA256: `9350ce5c321f06ca5ca9e7abae3402fe8d9d6d8ea4704f55b8d3bf2c652ed876`
#### Output:
```Shell
[!] Command failed:
Error: Operation failed due to one or more of the following:
- Incorrect password.
- Incorrect Volume PIM number.
- Incorrect PRF (hash).
- Not a valid volume.
- Volume uses an old algorithm that has been removed.
- TrueCrypt format volumes are no longer supported.
```
#### Context:
### [+] Legal Context for `Error: Operation failed due to one or more of the following:`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T13:33:27.895483+02:00
[x] No specific explanation found.
---
### [+] Command: `sudo losetup --show -f ForImage2.img`
- Timestamp: `2025-07-14T13-08-09-130846+02-00`
- GPG-signature: [+] Valid
- SHA256: `06e8e0c85abc1ce20202e0043228bd03c02f0b4065d4b70a98f97488dc4a2f38`
#### Output:
```Shell
[STDOUT]
/dev/loop0
[STDERR]
```
#### Context:
### [+] Legal Context for `sudo losetup --show -f ForImage2.img`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T13:33:27.950809+02:00
**[!] Note:** This command was executed with administrative rights (`sudo`).
`losetup` sets up a loop device to treat a file (like a disk image) as a block device. This is needed to work with partitions inside forensic disk images.
Outputs the created loop device — useful for automation and scripting.
---
### [+] Command: `Device /dev/loop0 is not a valid LUKS device.`
- Timestamp: `2025-07-14T13-08-33-250979+02-00`
- GPG-signature: [+] Valid
- SHA256: `19de76617d7416f38df3b577ad24e9b08b499d34b330ec80e4cf1d5ddc70416f`
#### Output:
```Shell
[!] Command failed:
Device /dev/loop0 is not a valid LUKS device.
```
#### Context:
### [+] Legal Context for `Device /dev/loop0 is not a valid LUKS device.`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T13:33:27.976530+02:00
[x] No specific explanation found.
---
### [+] Timestamp: `2025-07-14T13-09-13-718013+02-00`
#### [+] Comment from analyst: Niklas Heringer
#### [+] Content:
Wir wissen also: kein VeraCrypt, kein LUKS, nun tgesten wir BitLocker
---
### [+] Command: `sudo mkdir -p /mnt/dislocker`
- Timestamp: `2025-07-14T13-09-29-295457+02-00`
- GPG-signature: [+] Valid
- SHA256: `aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f`
#### Output:
```Shell
[STDOUT]
[STDERR]
```
#### Context:
### [+] Legal Context for `sudo mkdir -p /mnt/dislocker`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T13:33:28.001769+02:00
**[!] Note:** This command was executed with administrative rights (`sudo`).
`mkdir` creates a directory. In forensic workflows, it is often used to prepare target folders for mounts or exported data.
The `-p` option ensures that parent directories are created as needed. It also avoids errors if the target directory already exists.
---
### [+] Command: ``
- Timestamp: `2025-07-14T13-12-40-283904+02-00`
- GPG-signature: [+] Valid
- SHA256: `fd919e45a98f1ae9c0947eed0f758c5cc388ed705627f6eb2e150686d70814bc`
#### Output:
```Shell
[!] Command failed:
```
#### Context:
[x] Skipped: command was empty or malformed.
---
### [+] Command: `ls /mnt/dislocker`
- Timestamp: `2025-07-14T13-12-56-961960+02-00`
- GPG-signature: [+] Valid
- SHA256: `aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f`
#### Output:
```Shell
[STDOUT]
[STDERR]
```
#### Context:
### [+] Legal Context for `ls /mnt/dislocker`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T13:33:28.036568+02:00
`ls` lists files in a directory. It is used to gain an overview and does not modify data.
---
### [+] Timestamp: `2025-07-14T13-14-26-335058+02-00`
#### [+] Comment from analyst: Niklas Heringer
#### [+] Content:
BitLocker scheint es auch nicht zu sein
---
### [+] Command: `sudo file -s /dev/loop0`
- Timestamp: `2025-07-14T13-31-07-259372+02-00`
- GPG-signature: [+] Valid
- SHA256: `e5b945a88f260856d6462f69c02d317d93ff08c94e0f6536cf3e14141d11c92d`
#### Output:
```Shell
[STDOUT]
/dev/loop0: data
[STDERR]
```
#### Context:
### [+] Legal Context for `sudo file -s /dev/loop0`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T13:33:28.061908+02:00
**[!] Note:** This command was executed with administrative rights (`sudo`).
`file` identifies file types by examining magic numbers and headers. Useful for verifying or correcting file extensions and detecting anomalies.
---
## [+] GPG-Overview
Each `.log`-file was digitally signed with GPG where applicable.
The signature status is documented per command.
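Review bot: The conclusion in the comment "Wir wissen also: kein VeraCrypt, kein LUKS" is not supported by the recorded output. The VeraCrypt error captured as a command name (`Error: Operation failed due to one or more of the following:`) itself lists an incorrect password, PIM or PRF as causes next to "Not a valid volume", and a VeraCrypt container carries no plaintext header, which is exactly what `ForImage2.img: data` and an entropy of 7.78 look like; one failed attempt therefore rules nothing out, and the report needs the exact parameters of each attempt (device, password source, PIM and PRF settings) before the hypothesis can be closed. The same applies to the LUKS and BitLocker checks. Compounding this, none of the decryption commands were actually recorded: three entries have an empty command field with the context `[x] Skipped: command was empty or malformed.`, and the others carry the first line of stderr in place of the command, so the cryptsetup, veracrypt and dislocker invocations exist only as inference from their error text. Two smaller points: `sudo losetup --show -f ForImage2.img` attaches the image read/write; `losetup -r` keeps the loop device read-only, and the image should be re-hashed after the session and compared with its acquisition hash. And the SHA256 values do not bind the entries they sit on: `aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f` appears on `sudo mkdir -p /mnt/crypt`, `sudo mkdir -p /mnt/dislocker` and `ls /mnt/dislocker` (and on the mkdir entry in the previous file), and the three empty commands share one hash as well, which shows the digest covers only the (empty) output and not the command or timestamp.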