Findings: Firefox history of the user "belle":

```sql
┌──(root㉿kali)-[/mnt/…/common/.mozilla/firefox/e9cqlzsn.default]
└─# cp places.sqlite ~/belle_places.sqlite
cd ~
sqlite3 belle_places.sqlite "SELECT url, title, datetime(visit_date/1000000,'unixepoch') FROM moz_places JOIN moz_historyvisits ON moz_places.id = moz_historyvisits.place_id ORDER BY visit_date DESC LIMIT 50;"
https://i.pinimg.com/236x/41/80/fa/4180fa703a970335721fe445385e7627.jpg|4180fa703a970335721fe445385e7627.jpg|2022-07-04 17:18:46
https://www.google.com/imgres?imgurl=http%3A%2F%2Fwww.theoccidentalobserver.net%2Fwp-content%2Fuploads%2F2013%2F03%2Fpassport.jpg&imgrefurl=https%3A%2F%2Fwww.tanelorn.net%2Findex.php%3Ftopic%3D89563.0&tbnid=aVoZMmKwJEc3nM&vet=12ahUKEwjmxI7K3t_4AhW6X_EDHdnKCQ0QMygPegUIARDIAg..i&docid=RoDgtxExKImejM&w=485&h=325&q=fake%20reisepass&client=ubuntu&ved=2ahUKEwjmxI7K3t_4AhW6X_EDHdnKCQ0QMygPegUIARDIAg#imgrc=aVoZMmKwJEc3nM&imgdii=Wq-UfCzaU1CwWM|fake reisepass - Google Suche|2022-07-04 17:18:40
https://i.pinimg.com/originals/b6/26/5d/b6265df99e65d5023e821832d53413d7.jpg|b6265df99e65d5023e821832d53413d7.jpg|2022-07-04 17:18:21
http://www.theoccidentalobserver.net/wp-content/uploads/2013/03/passport.jpg|passport.jpg|2022-07-04 17:18:13
https://www.google.com/imgres?imgurl=https%3A%2F%2Fi.pinimg.com%2Foriginals%2Fb6%2F26%2F5d%2Fb6265df99e65d5023e821832d53413d7.jpg&imgrefurl=https%3A%2F%2Fwww.pinterest.de%2Fpin%2F665758757412891737%2F&tbnid=2AqgmgjQ-5-K3M&vet=12ahUKEwjmxI7K3t_4AhW6X_EDHdnKCQ0QMygKegUIARC-Ag..i&docid=i8kd5nZiMlnTFM&w=1600&h=903&q=fake%20reisepass&client=ubuntu&ved=2ahUKEwjmxI7K3t_4AhW6X_EDHdnKCQ0QMygKegUIARC-Ag|fake reisepass - Google Suche|2022-07-04 17:17:57
https://www.google.com/imgres?imgurl=http%3A%2F%2Fwww.theoccidentalobserver.net%2Fwp-content%2Fuploads%2F2013%2F03%2Fpassport.jpg&imgrefurl=https%3A%2F%2Fwww.tanelorn.net%2Findex.php%3Ftopic%3D89563.0&tbnid=aVoZMmKwJEc3nM&vet=12ahUKEwjmxI7K3t_4AhW6X_EDHdnKCQ0QMygPegUIARDIAg..i&docid=RoDgtxExKImejM&w=485&h=325&q=fake%20reisepass&client=ubuntu&ved=2ahUKEwjmxI7K3t_4AhW6X_EDHdnKCQ0QMygPegUIARDIAg|fake reisepass - Google Suche|2022-07-04 17:17:53
https://www.google.com/search?q=fake+reisepass&client=ubuntu&hs=fKo&channel=fs&source=lnms&tbm=isch&sa=X&ved=2ahUKEwjUp4PJ3t_4AhUD76QKHe1WAGgQ_AUoAXoECAIQAw&biw=950&bih=656&dpr=1|fake reisepass – Google Suche|2022-07-04 17:17:31
https://www.google.com/search?channel=fs&client=ubuntu&q=fake+reisepass+|fake reisepass - Google Suche|2022-07-04 17:17:29
https://www.capacitymedia.com/article/29otc9t6wy04gbplov3ls/news/welcome-to-bruce-leegate-as-dos-santoss-lawyers-say-passport-was-faked|Welcome to Bruce Leegate, as Dos Santos’s lawyers say passport was faked | Capacity Media|2022-07-04 17:16:55
https://www.google.com/url?sa=i&url=https%3A%2F%2Fwww.capacitymedia.com%2Farticle%2F29otc9t6wy04gbplov3ls%2Fnews%2Fwelcome-to-bruce-leegate-as-dos-santoss-lawyers-say-passport-was-faked&psig=AOvVaw1gkKsQD4pej9OiJznqp3qE&ust=1657041380579000&source=images&cd=vfe&ved=2ahUKEwjY75qo3t_4AhUL66QKHfX3CSIQjRx6BAgAEAs||2022-07-04 17:16:55
https://www.pinterest.de/pin/1063764374453701873/|Pin auf buy real passport|2022-07-04 17:16:39
https://www.google.com/url?sa=i&url=https%3A%2F%2Fwww.pinterest.de%2Fpin%2F1063764374453701873%2F&psig=AOvVaw1Kyf5mseWxUn9QUrS7dCGR&ust=1657041395616000&source=images&cd=vfe&ved=0CAoQjhxqFwoTCJCPirDe3_gCFQAAAAAdAAAAABAD||2022-07-04 17:16:39
https://www.pinterest.de/pin/1063764374453701873/|Pin auf buy real passport|2022-07-04 17:16:37
https://www.google.com/url?sa=i&url=https%3A%2F%2Fwww.pinterest.de%2Fpin%2F1063764374453701873%2F&psig=AOvVaw1Kyf5mseWxUn9QUrS7dCGR&ust=1657041395616000&source=images&cd=vfe&ved=0CAoQjhxqFwoTCJCPirDe3_gCFQAAAAAdAAAAABAD||2022-07-04 17:16:37
https://www.google.com/search?q=fake+passport+germany&tbm=isch&client=ubuntu&hs=xdT&hl=de&sa=X&ved=2ahUKEwi_oZKj3t_4AhUV0oUKHU9dAdUQrNwCKAB6BQgBEN8B&biw=950&bih=656#imgrc=p4tx4Yn-KOB2dM|fake passport germany – Google Suche|2022-07-04 17:16:37
https://www.google.com/search?q=fake+passport+germany&tbm=isch&client=ubuntu&hs=xdT&hl=de&sa=X&ved=2ahUKEwi_oZKj3t_4AhUV0oUKHU9dAdUQrNwCKAB6BQgBEN8B&biw=950&bih=656|fake passport germany – Google Suche|2022-07-04 17:16:35
https://www.google.com/imgres?imgurl=https%3A%2F%2Fassets.euromoneydigital.com%2Fdims4%2Fdefault%2F52dde24%2F2147483647%2Fstrip%2Ftrue%2Fcrop%2F691x389%2B0%2B0%2Fresize%2F840x473!%2Fquality%2F90%2F%3Furl%3Dhttp%253A%252F%252Feuromoney-brightspot.s3.amazonaws.com%252F3b%252F3b%252Fc65211fc4d1b26967322e6d686f2%252Fserveimage&imgrefurl=https%3A%2F%2Fwww.capacitymedia.com%2Farticle%2F29otc9t6wy04gbplov3ls%2Fnews%2Fwelcome-to-bruce-leegate-as-dos-santoss-lawyers-say-passport-was-faked&tbnid=kiFDAG2HJ1Wa8M&vet=12ahUKEwi_oZKj3t_4AhUV0oUKHU9dAdUQMygLegUIARDDAQ..i&docid=eDNGXz2EPJg-cM&w=840&h=473&q=how%20to%20fake%20passport&client=ubuntu&ved=2ahUKEwi_oZKj3t_4AhUV0oUKHU9dAdUQMygLegUIARDDAQ|how to fake passport - Google Suche|2022-07-04 17:16:20
https://www.google.com/search?q=how+to+fake+passport&client=ubuntu&hs=xdT&channel=fs&source=lnms&tbm=isch&sa=X&ved=2ahUKEwjY_OSf3t_4AhX4wQIHHZdtCNcQ_AUoAXoECAEQAw&biw=950&bih=656|how to fake passport – Google Suche|2022-07-04 17:16:10
https://www.google.com/search?channel=fs&client=ubuntu&q=howto+fake+passport|howto fake passport - Google Suche|2022-07-04 17:16:03
https://www.mozilla.org/de/privacy/firefox/|Firefox Datenschutzhinweis — Mozilla|2022-07-04 17:15:42
https://www.mozilla.org/privacy/firefox/||2022-07-04 17:15:42
```

Belle's Downloads folder contained a passport.jpg. It could not be opened because its magic bytes had been destroyed. The file was copied and the magic bytes repaired; see the image from the group.

```
┌──(root㉿kali)-[~]
└─# file /mnt/forensik/home/belle/Downloads/passport.jpg
exiftool /mnt/forensik/home/belle/Downloads/passport.jpg
/mnt/forensik/home/belle/Downloads/passport.jpg: data
ExifTool Version Number         : 13.25
File Name                       : passport.jpg
Directory                       : /mnt/forensik/home/belle/Downloads
File Size                       : 53 kB
File Modification Date/Time     : 2022:07:04 19:19:25+02:00
File Access Date/Time           : 2022:07:04 19:19:10+02:00
File Inode Change Date/Time     : 2022:07:04 19:19:25+02:00
File Permissions                : -rw-rw-r--
Error                           : File format error

┌──(root㉿kali)-[~]
└─# xxd /mnt/forensik/home/belle/Downloads/passport.jpg | head -n 10
00000000: 0000 ffe0 0010 4a46 4946 0001 0101 0048  ......JFIF.....H
```

Bash history of the user pc:

```
┌──(root㉿kali)-[/mnt/forensik/home/pc]
└─# cat .bash_history
exit
sudo gedit /etc/ssh/ssh_config
sudo gedit /etc/ssh/
sudo gedit /etc/ssh/ssh_config
ssh pc@localhost
sudo service ssh
sudo apt-get install openssh-server
sudo apt-get install openssh-client
gedit /etc/ssh/sshd_config
sudo gedit /etc/ssh/sshd_config
service ssh restart
ssh pc@localhost
ping googl.de
ip
ip a
exit
lsblk
fdisk -l vda
sudo fdisk -l vda
sudo fdisk -l /dev/vda
ip a
sudo usermod aG sudo pc
sudo usermod -aG sudo pc
ip a
exit
sudo parted
```

Belle's Downloads folder had a Pass.kdbx file:

```
┌──(root㉿kali)-[/mnt/forensik]
└─# keepassxc /mnt/forensik/home/belle/Dokumente/Pass.kdbx
```

With the password Eip7uoKo (passwords cracked by Markus), one finds the password for VeraCrypt: forgeMaster (see group).

With that password the encrypted Windows folder can be opened:

```
┌──(kali㉿kali)-[/mnt/windows/business]
└─$ sudo mkdir -p /mnt/tmp_business
sudo veracrypt --text --pim=0 --hash=sha512 --protect-hidden=no --mount /mnt/windows/business/business /mnt/tmp_business
Enter password for /mnt/windows/business/business: forgeMaster
Enter keyfile [none]:
```

```
┌──(kali㉿kali)-[/mnt/windows/business]
└─$ ls -lah /mnt/tmp_business
total 10K
drwx------ 3 kali kali 1.0K Jan  1  1970 .
drwxr-xr-x 9 root root 4.0K Jul 19 16:48 ..
drwx------ 4 kali kali 5.0K Jul  4  2022 paesse

┌──(kali㉿kali)-[/mnt/windows/business]
└─$ ls -lah /mnt/tmp_business/paesse
total 273K
drwx------ 4 kali kali 5.0K Jul  4  2022 .
drwx------ 3 kali kali 1.0K Jan  1  1970 ..
-rwx------ 1 kali kali 1004 Nov 30  2018 back_to_samples.gif
-rwx------ 1 kali kali  11K Nov 30  2018 b-contacts.jpg
-rwx------ 1 kali kali  11K Nov 30  2018 b-news.jpg
-rwx------ 1 kali kali  27K Nov 30  2018 b-samples.jpg
-rwx------ 1 kali kali 1.2K Nov 30  2018 button_email.gif
drwx------ 2 kali kali 2.0K Jul  4  2022 Cover
-rwx------ 1 kali kali   43 Nov 30  2018 emty.gif
-rwx------ 1 kali kali  484 Nov 30  2018 flash_r1_c2e.gif
-rwx------ 1 kali kali  518 Nov 30  2018 flash_r1_c3e.gif
-rwx------ 1 kali kali  508 Nov 30  2018 flash_r1_c6e.gif
-rwx------ 1 kali kali 2.2K Nov 30  2018 head_r1_c1.jpg
-rwx------ 1 kali kali  12K Nov 30  2018 head_r1_c2.jpg
-rwx------ 1 kali kali 1.9K Nov 30  2018 head_r2_c1.gif
-rwx------ 1 kali kali 2.4K Nov 30  2018 index.html
-rwx------ 1 kali kali  29K Nov 30  2018 index.php.CB66877E.html
-rwx------ 1 kali kali  12K Jul  4  2022 index.shtml
drwx------ 2 kali kali 1.0K Jul  4  2022 inside
-rwx------ 1 kali kali  15K Nov 30  2018 main.jpg
-rwx------ 1 kali kali  365 Nov 30  2018 menu_r1_c1e.gif
-rwx------ 1 kali kali  391 Nov 30  2018 menu_r1_c2e.gif
-rwx------ 1 kali kali  460 Nov 30  2018 menu_r1_c3e.gif
-rwx------ 1 kali kali  492 Nov 30  2018 menu_r1_c4e.gif
-rwx------ 1 kali kali 1.1K Nov 30  2018 menu_r1_c5e.gif
-rwx------ 1 kali kali 1.1K Nov 30  2018 menu_r1_c6e.gif
-rwx------ 1 kali kali  483 Nov 30  2018 menu_r1_c7e.gif
-rwx------ 1 kali kali  802 Nov 30  2018 menu_rfid.gif
-rwx------ 1 kali kali  388 Nov 30  2018 m-maine.gif
-rwx------ 1 kali kali 9.1K Nov 30  2018 novelty_fake_id_contacts.shtml
-rwx------ 1 kali kali  19K Nov 30  2018 novelty_fake_id_pricing.shtml
-rwx------ 1 kali kali  14K Nov 30  2018 novelty_fake_id_samples.shtml
-rwx------ 1 kali kali  20K Nov 30  2018 parashut.gif
-rwx------ 1 kali kali 1.9K Nov 30  2018 pricing.GIF
-rwx------ 1 kali kali 3.3K Nov 30  2018 privacy.gif
-rwx------ 1 kali kali 1.9K Nov 30  2018 tab2_r1_c13e.gif
-rwx------ 1 kali kali 1.9K Nov 30  2018 tab2_r1_c14e.gif
-rwx------ 1 kali kali 2.0K Nov 30  2018 tab2_r1_c16e.gif
-rwx------ 1 kali kali 2.0K Nov 30  2018 tab2_r1_c1e.gif
-rwx------ 1 kali kali 1.2K Nov 30  2018 tab2_r4_c2e.gif
-rwx------ 1 kali kali  255 Nov 30  2018 tab_r1_c1.gif
-rwx------ 1 kali kali  252 Nov 30  2018 tab_r1_c4.gif
-rwx------ 1 kali kali   93 Nov 30  2018 tab_r2_c1.gif
-rwx------ 1 kali kali   88 Nov 30  2018 tab_r2_c4.gif
-rwx------ 1 kali kali   62 Nov 30  2018 tab_r3_c1.gif
-rwx------ 1 kali kali   62 Nov 30  2018 tab_r3_c2.gif
-rwx------ 1 kali kali   61 Nov 30  2018 tab_r3_c4.gif
-rwx------ 1 kali kali  136 Nov 30  2018 tab_r4_c1.gif
-rwx------ 1 kali kali  128 Nov 30  2018 tab_r4_c2.gif
-rwx------ 1 kali kali  138 Nov 30  2018 tab_r4_c4.gif
-rwx------ 1 kali kali  116 Nov 30  2018 tab_r5_c1.gif
-rwx------ 1 kali kali  241 Nov 30  2018 tab_r5_c2.gif
-rwx------ 1 kali kali  114 Nov 30  2018 tab_r5_c4.gif
-rwx------ 1 kali kali 1.9K Nov 30  2018 terms.gif
-rwx------ 1 kali kali  20K Nov 30  2018 terms.shtml
-rwx------ 1 kali kali 3.4K Nov 30  2018 Ukpassport-cover.jpg
-rwx------ 1 kali kali 2.9K Nov 30  2018 'UK passport.shtml'
```

The .shtml files contain the website of the presumed perpetrator.
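
The magic-byte repair of passport.jpg noted above, as an added example that is not part of the original notes: the xxd output shows `0000` where a JPEG starts with `ffd8`, while the JFIF APP0 segment at offset 2 is intact, so the damage can be confirmed and fixed on a working copy. The function names, the output paths and the tail of the sample bytes are assumptions for illustration.

```python
import hashlib
from pathlib import Path

SOI = b"\xff\xd8"        # JPEG Start Of Image marker, the file's "magic bytes"
APP0 = b"\xff\xe0"       # APP0 marker that directly follows SOI in a JFIF file

# First 16 bytes are the xxd line from the notes; the tail (rest of APP0 plus
# an EOI marker) is constructed so the sample is a complete, minimal input.
SAMPLE = bytes.fromhex("0000ffe000104a464946000101010048" "00480000" "ffd9")


def diagnose(data: bytes) -> str:
    """Return 'ok', 'soi-overwritten' or 'unknown' for a suspected JPEG."""
    if data[:2] == SOI:
        return "ok"
    # Intact APP0 at offset 2: marker, big-endian length >= 16, "JFIF\0".
    if (len(data) >= 11 and data[2:4] == APP0
            and int.from_bytes(data[4:6], "big") >= 16
            and data[6:11] == b"JFIF\x00"):
        return "soi-overwritten"
    return "unknown"


def repair(data: bytes) -> bytes:
    """Return a repaired copy of the bytes; only offsets 0-1 may change."""
    state = diagnose(data)
    if state == "ok":
        return data
    if state != "soi-overwritten":
        raise ValueError("damage does not match the overwritten-SOI pattern")
    return SOI + data[2:]


def repair_file(evidence: str, working_copy: str) -> dict:
    """Read the evidence file, write the repaired bytes to a separate path,
    and return both SHA-256 digests for the examination notes."""
    original = Path(evidence).read_bytes()
    fixed = repair(original)
    Path(working_copy).write_bytes(fixed)
    return {
        "evidence_sha256": hashlib.sha256(original).hexdigest(),
        "copy_sha256": hashlib.sha256(fixed).hexdigest(),
        "changed_offsets": [i for i in range(2) if original[i] != fixed[i]],
    }
```

Recording both digests documents that the file on the mounted image was only read and that the working copy differs from it in exactly the two header bytes.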