# [++] Forensic report of case: gutachten

## [++] Description

Forensic report in the case of Tilo Barkholz

## [++] Timeline of Commands and Comments

### [+] Command: ``

- Timestamp: `2025-07-14T12-40-04-233389+02-00`
- GPG-signature: [+] Valid
- SHA256: `fd919e45a98f1ae9c0947eed0f758c5cc388ed705627f6eb2e150686d70814bc`

#### Output:

```Shell
[!] Command failed:
```

#### Context:

[x] Skipped: command was empty or malformed.

---

### [+] Timestamp: `2025-07-14T12-41-43-682585+02-00`

#### [+] Comment from analyst: Niklas Heringer

#### [+] Content:

The fact that the previous mmls command shows no output may be because the image at hand a) contains no partition table, b) is corrupted, or c) its format is not supported; one of the first two cases is the most likely.

---

### [+] Command: `file ForImage2.img`

- Timestamp: `2025-07-14T12-42-00-750002+02-00`
- GPG-signature: [+] Valid
- SHA256: `e5574e10aa2e91ce0457096afc0c31af8f3e21c5db3b95cc96154bf564d84f7d`

#### Output:

```Shell
[STDOUT]
ForImage2.img: data
[STDERR]
```

#### Context:

### [+] Legal Context for `file ForImage2.img`

**Analyst:** Niklas Heringer

**Timestamp:** 2025-07-14T13:33:27.735730+02:00

`file` identifies file types by examining magic numbers and headers. Useful for verifying or correcting file extensions and detecting anomalies.

---

### [+] Command: `hexdump -C Forimage2.img | head`

- Timestamp: `2025-07-14T12-42-23-145012+02-00`
- GPG-signature: [+] Valid
- SHA256: `ac6841b50ac32ef32fe82a77a7455cdb3a5441c04f828d72f7ffea3ca6f733de`

#### Output:

```Shell
[STDOUT]
[STDERR]
hexdump: Forimage2.img: No such file or directory
hexdump: all input file arguments failed
```

#### Context:

### [+] Legal Context for `hexdump -C Forimage2.img | head`

**Analyst:** Niklas Heringer

**Timestamp:** 2025-07-14T13:33:27.761024+02:00

`hexdump` displays file content in hexadecimal and ASCII. Useful for examining file headers, signatures, and patterns.
---

### [+] Command: `hexdump -C ForImage2.img | head`

- Timestamp: `2025-07-14T12-42-31-319015+02-00`
- GPG-signature: [+] Valid
- SHA256: `cb81adfdf9b749fd17c4f7fef893c144865f8c787bebe45b8e98a91aab896474`

#### Output:

```Shell
[STDOUT]
00000000  28 cb 32 eb 6a b7 b0 8e  3c 00 00 00 00 c0 08 70  |(.2.j...<......p|
00000010  93 5d 39 63 4c c6 71 cc  eb fe 05 20 f2 97 2a f2  |.]9cL.q.... ..*.|
00000020  91 52 2a 22 b7 29 14 6a  e4 01 00 00 00 00 46 24  |.R*".).j......F$|
00000030  5a 8c 59 57 23 2f 39 e7  d2 ed ee 8a c5 45 20 f2  |Z.YW#/9......E .|
00000040  a3 0b 16 89 88 38 e7 91  b5 56 ba e5 27 01 00 00  |.....8...V..'...|
00000050  00 00 c0 48 5c 9e 71 c6  18 b7 d6 4a ad b5 f4 b7  |...H\.q....J....|
00000060  13 b2 f2 10 f9 4b e9 58  ee c7 12 11 33 c6 48 c6  |.....K.X....3.H.|
00000070  98 8f 10 d1 b1 00 00 00  00 00 46 80 10 82 a2 28  |..........F....(|
00000080  62 49 92 50 96 65 44 44  9a 30 d9 15 22 3f 22 99  |bI.P.eDD.0.."?".|
00000090  a7 34 4d 59 96 65 d6 6d  0a 05 89 07 00 00 00 00  |.4MY.e.m........|
[STDERR]
```

#### Context:

### [+] Legal Context for `hexdump -C ForImage2.img | head`

**Analyst:** Niklas Heringer

**Timestamp:** 2025-07-14T13:33:27.786303+02:00

`hexdump` displays file content in hexadecimal and ASCII. Useful for examining file headers, signatures, and patterns.

---

### [+] Timestamp: `2025-07-14T12-43-00-357585+02-00`

#### [+] Comment from analyst: Niklas Heringer

#### [+] Content:

So the disk is at least not empty.

---

### [+] Command: `Possible encryption detected (High entropy (7.78))`

- Timestamp: `2025-07-14T12-43-27-753682+02-00`
- GPG-signature: [+] Valid
- SHA256: `7cf027cc2dd683a3860ce27d3fcd52f6b47597c2f8a4ef714949b9e53d0effcc`

#### Output:

```Shell
[!] Command failed: Possible encryption detected (High entropy (7.78))
```

#### Context:

### [+] Legal Context for `Possible encryption detected (High entropy (7.78))`

**Analyst:** Niklas Heringer

**Timestamp:** 2025-07-14T13:33:27.810925+02:00

[x] No specific explanation found.
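The two signals the analyst combines in this timeline, a byte-entropy estimate (the report shows 7.78 bits per byte) and a search for known container headers before trying LUKS, VeraCrypt and BitLocker by hand, as an added Python example that is not part of this report or its logging tool. The signature offsets are assumed from public format documentation and the 7.5 threshold is a working assumption, not a value from the report:

```python
import math
from collections import Counter

# Assumed working threshold: raw regions above this are treated as
# compressed or encrypted. The 7.78 reported above is well beyond it.
ENTROPY_THRESHOLD = 7.5

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())

def identify_container(header: bytes) -> str:
    """Check the first sector for well-known on-disk magic values.

    Offsets are assumed from public format docs (not from this report):
    LUKS magic at 0, BitLocker and NTFS OEM IDs at 3, boot signature at 510.
    VeraCrypt/TrueCrypt volumes carry no plaintext magic at all.
    """
    if header[0:6] == b"LUKS\xba\xbe":
        return "LUKS"
    if header[3:11] == b"-FVE-FS-":
        return "BitLocker"
    if header[3:11] == b"NTFS    ":
        return "NTFS"
    if header[510:512] == b"\x55\xaa":
        return "MBR/boot sector"
    return "unknown"

def triage(data: bytes) -> dict:
    """Entropy plus header check; 'unknown' with high entropy is the picture
    a VeraCrypt volume or raw ciphertext gives, and what this image showed."""
    ent = shannon_entropy(data[:1 << 20])   # first 1 MiB is enough for triage
    kind = identify_container(data[:512])
    if kind == "unknown" and ent >= ENTROPY_THRESHOLD:
        verdict = "no known header; likely encrypted (e.g. VeraCrypt) or random"
    elif kind == "unknown":
        verdict = "no known header; low entropy, inspect further"
    else:
        verdict = f"{kind} header present"
    return {"entropy": round(ent, 2), "container": kind, "verdict": verdict}

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:     # e.g. ForImage2.img
        print(triage(fh.read(1 << 20)))
```

Run it against the image before attempting any decryption; a known header short-circuits the trial-and-error the timeline above went through.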
---

### [+] Timestamp: `2025-07-14T12-47-33-066391+02-00`

#### [+] Comment from analyst: Niklas Heringer

#### [+] Content:

The disk is encrypted; a short password was found on its back, possibly the passphrase, but first we now check whether the encryption type can be determined.

---

### [+] Timestamp: `2025-07-14T12-55-11-062938+02-00`

#### [+] Comment from analyst: Niklas Heringer

#### [+] Content:

fsstat: presumably encryption; mmls detects no partition; hexdump shows no recognizable filesystem. Before we mount, we must decrypt.

---

### [+] Command: `mkdir: cannot create directory ‘/mnt/crypt’: Permission denied`

- Timestamp: `2025-07-14T13-04-39-432095+02-00`
- GPG-signature: [+] Valid
- SHA256: `5eed114f808f358973b99c9c298586336d608a7d7716c47484861730577f9d82`

#### Output:

```Shell
[!] Command failed: mkdir: cannot create directory ‘/mnt/crypt’: Permission denied
```

#### Context:

### [+] Legal Context for `mkdir: cannot create directory ‘/mnt/crypt’: Permission denied`

**Analyst:** Niklas Heringer

**Timestamp:** 2025-07-14T13:33:27.836004+02:00

[x] No specific explanation found.

---

### [+] Command: `sudo mkdir -p /mnt/crypt`

- Timestamp: `2025-07-14T13-04-46-220116+02-00`
- GPG-signature: [+] Valid
- SHA256: `aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f`

#### Output:

```Shell
[STDOUT]
[STDERR]
```

#### Context:

### [+] Legal Context for `sudo mkdir -p /mnt/crypt`

**Analyst:** Niklas Heringer

**Timestamp:** 2025-07-14T13:33:27.861090+02:00

**[!] Note:** This command was executed with administrative rights (`sudo`).

`mkdir` creates a directory. In forensic workflows, it is often used to prepare target folders for mounts or exported data. The `-p` option ensures that parent directories are created as needed. It also avoids errors if the target directory already exists.
---

### [+] Command: ``

- Timestamp: `2025-07-14T13-05-08-024574+02-00`
- GPG-signature: [+] Valid
- SHA256: `fd919e45a98f1ae9c0947eed0f758c5cc388ed705627f6eb2e150686d70814bc`

#### Output:

```Shell
[!] Command failed:
```

#### Context:

[x] Skipped: command was empty or malformed.

---

### [+] Command: `Error: Operation failed due to one or more of the following:`

- Timestamp: `2025-07-14T13-07-02-580209+02-00`
- GPG-signature: [+] Valid
- SHA256: `9350ce5c321f06ca5ca9e7abae3402fe8d9d6d8ea4704f55b8d3bf2c652ed876`

#### Output:

```Shell
[!] Command failed: Error: Operation failed due to one or more of the following:
- Incorrect password.
- Incorrect Volume PIM number.
- Incorrect PRF (hash).
- Not a valid volume.
- Volume uses an old algorithm that has been removed.
- TrueCrypt format volumes are no longer supported.
```

#### Context:

### [+] Legal Context for `Error: Operation failed due to one or more of the following:`

**Analyst:** Niklas Heringer

**Timestamp:** 2025-07-14T13:33:27.895483+02:00

[x] No specific explanation found.

---

### [+] Command: `sudo losetup --show -f ForImage2.img`

- Timestamp: `2025-07-14T13-08-09-130846+02-00`
- GPG-signature: [+] Valid
- SHA256: `06e8e0c85abc1ce20202e0043228bd03c02f0b4065d4b70a98f97488dc4a2f38`

#### Output:

```Shell
[STDOUT]
/dev/loop0
[STDERR]
```

#### Context:

### [+] Legal Context for `sudo losetup --show -f ForImage2.img`

**Analyst:** Niklas Heringer

**Timestamp:** 2025-07-14T13:33:27.950809+02:00

**[!] Note:** This command was executed with administrative rights (`sudo`).

`losetup` sets up a loop device to treat a file (like a disk image) as a block device. This is needed to work with partitions inside forensic disk images. `--show` prints the created loop device, which is useful for automation and scripting.
---

### [+] Command: `Device /dev/loop0 is not a valid LUKS device.`

- Timestamp: `2025-07-14T13-08-33-250979+02-00`
- GPG-signature: [+] Valid
- SHA256: `19de76617d7416f38df3b577ad24e9b08b499d34b330ec80e4cf1d5ddc70416f`

#### Output:

```Shell
[!] Command failed: Device /dev/loop0 is not a valid LUKS device.
```

#### Context:

### [+] Legal Context for `Device /dev/loop0 is not a valid LUKS device.`

**Analyst:** Niklas Heringer

**Timestamp:** 2025-07-14T13:33:27.976530+02:00

[x] No specific explanation found.

---

### [+] Timestamp: `2025-07-14T13-09-13-718013+02-00`

#### [+] Comment from analyst: Niklas Heringer

#### [+] Content:

So we know: no VeraCrypt, no LUKS; now we test BitLocker.

---

### [+] Command: `sudo mkdir -p /mnt/dislocker`

- Timestamp: `2025-07-14T13-09-29-295457+02-00`
- GPG-signature: [+] Valid
- SHA256: `aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f`

#### Output:

```Shell
[STDOUT]
[STDERR]
```

#### Context:

### [+] Legal Context for `sudo mkdir -p /mnt/dislocker`

**Analyst:** Niklas Heringer

**Timestamp:** 2025-07-14T13:33:28.001769+02:00

**[!] Note:** This command was executed with administrative rights (`sudo`).

`mkdir` creates a directory. In forensic workflows, it is often used to prepare target folders for mounts or exported data. The `-p` option ensures that parent directories are created as needed. It also avoids errors if the target directory already exists.

---

### [+] Command: ``

- Timestamp: `2025-07-14T13-12-40-283904+02-00`
- GPG-signature: [+] Valid
- SHA256: `fd919e45a98f1ae9c0947eed0f758c5cc388ed705627f6eb2e150686d70814bc`

#### Output:

```Shell
[!] Command failed:
```

#### Context:

[x] Skipped: command was empty or malformed.
---

### [+] Command: `ls /mnt/dislocker`

- Timestamp: `2025-07-14T13-12-56-961960+02-00`
- GPG-signature: [+] Valid
- SHA256: `aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f`

#### Output:

```Shell
[STDOUT]
[STDERR]
```

#### Context:

### [+] Legal Context for `ls /mnt/dislocker`

**Analyst:** Niklas Heringer

**Timestamp:** 2025-07-14T13:33:28.036568+02:00

`ls` lists files in a directory. It is used to gain an overview and does not modify data.

---

### [+] Timestamp: `2025-07-14T13-14-26-335058+02-00`

#### [+] Comment from analyst: Niklas Heringer

#### [+] Content:

It does not seem to be BitLocker either.

---

### [+] Command: `sudo file -s /dev/loop0`

- Timestamp: `2025-07-14T13-31-07-259372+02-00`
- GPG-signature: [+] Valid
- SHA256: `e5b945a88f260856d6462f69c02d317d93ff08c94e0f6536cf3e14141d11c92d`

#### Output:

```Shell
[STDOUT]
/dev/loop0: data
[STDERR]
```

#### Context:

### [+] Legal Context for `sudo file -s /dev/loop0`

**Analyst:** Niklas Heringer

**Timestamp:** 2025-07-14T13:33:28.061908+02:00

**[!] Note:** This command was executed with administrative rights (`sudo`).

`file` identifies file types by examining magic numbers and headers. The `-s` option makes it read block or character special files (such as the loop device here) instead of just reporting them as device nodes. Useful for verifying or correcting file extensions and detecting anomalies.

---

## [+] GPG-Overview

Each `.log` file was digitally signed with GPG where applicable. The signature status is documented per command.