# [++] Forensic report of case: windowsLog

## [++] Description

Analysis of the Windows partition

## [++] Timeline of Commands and Comments

### [+] Timestamp: `2025-07-19T08-42-13-560508+00-00`

#### [+] Comment from analyst: Markus Winklhofer

#### [+] Content:

The image has already been set up as a loop device; it will now be mounted and the Windows partition analysed forensically.

---

### [+] Command: `sudo fdisk -l`

- Timestamp: `2025-07-19T08-43-00-004975+00-00`
- GPG-signature: [+] Valid
- SHA256: `43a7e40ef8949b90c8e89dafdd962bb263e8f6556d2a1c80c3f689bf1fb968c1`

#### Output:

```Shell
[STDOUT]
Disk /dev/vda: 40 GiB, 42949672960 bytes, 83886080 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: C00980BD-CD97-44C9-A883-C367CE8873C7

Device        Start      End  Sectors  Size Type
/dev/vda1      2048    34815    32768   16M Linux filesystem
/dev/vda2     34816  2035711  2000896  977M EFI System
/dev/vda3   2035712 79546367 77510656   37G Linux filesystem
/dev/vda4  79546368 83884031  4337664  2.1G Linux swap


Disk /dev/nbd0: 33 GiB, 35433480192 bytes, 69206016 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 131072 bytes
Disklabel type: gpt
```

#### Context:

### [+] Legal Context for `sudo fdisk -l`

**Analyst:** Markus Winklhofer

**Timestamp:** 2025-07-20T11:57:41.175563+00:00

**[!] Note:** This command was executed with administrative rights (`sudo`).

`fdisk` is an interactive command-line tool to create, delete, and manage partitions on storage devices. `-l` lists the partition tables of all recognized devices without entering interactive mode.
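As an added example (this is not code from the report or from fdisk/The Sleuth Kit), the Python below turns a partition listing into byte offsets, which is what a read-only loop mount of the raw image (`mount -o ro,offset=...,sizelimit=...`) or a Sleuth Kit tool's `-o` sector option needs. It goes slightly beyond the `fdisk -l` output above and also reads the `mmls` listing recorded in the next command, since both formats appear in this report. The inputs are the report's own listings embedded as constants; the rule that GPT index `000` becomes `nbd0p1`, `001` becomes `nbd0p2` and so on is the kernel's numbering of a mapped image and is assumed here rather than printed by either tool.

```python
# Added example: byte offsets from `fdisk -l` and `mmls` partition listings.
# Not the report's own code; inputs are the listings printed in the report.
import re

FDISK_OUTPUT = """\
Disk /dev/vda: 40 GiB, 42949672960 bytes, 83886080 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: C00980BD-CD97-44C9-A883-C367CE8873C7

Device        Start      End  Sectors  Size Type
/dev/vda1      2048    34815    32768   16M Linux filesystem
/dev/vda2     34816  2035711  2000896  977M EFI System
/dev/vda3   2035712 79546367 77510656   37G Linux filesystem
/dev/vda4  79546368 83884031  4337664  2.1G Linux swap
"""

MMLS_OUTPUT = """\
GUID Partition Table (EFI)
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Safety Table
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  Meta      0000000001   0000000001   0000000001   GPT Header
003:  Meta      0000000002   0000000033   0000000032   Partition Table
004:  000       0000002048   0000004095   0000002048
005:  001       0000004096   0001054719   0001050624   EFI System Partition
006:  002       0001054720   0046135295   0045080576
007:  -------   0046135296   0046874623   0000739328   Unallocated
008:  003       0046874624   0068360191   0021485568   FAT
009:  -------   0068360192   0069206015   0000845824   Unallocated
"""

# fdisk row: device, optional boot marker, start, end, sectors, size, type
FDISK_ROW = re.compile(r"^(/dev/\S+)\s+(\*\s+)?(\d+)\s+(\d+)\s+(\d+)\s+\S+\s+(.*)$")
# mmls row: only numbered slots (allocated partitions); Meta and ------- are skipped
MMLS_ROW = re.compile(r"^\d{3}:\s+(\d{3})\s+(\d+)\s+(\d+)\s+(\d+)\s*(.*)$")


def sector_size(text):
    """Unit size. fdisk prints 'Units: sectors of 1 * 512 = 512 bytes',
    mmls prints 'Units are in 512-byte sectors'."""
    m = (re.search(r"Units: sectors of \d+ \* \d+ = (\d+) bytes", text)
         or re.search(r"Units are in (\d+)-byte sectors", text))
    if not m:
        raise ValueError("no unit line found in listing")
    return int(m.group(1))


def partitions(text, device_prefix="nbd0p"):
    """Parse either listing into dicts carrying sector and byte offsets.
    For mmls rows the device name is derived as <device_prefix><index+1>
    (assumed kernel numbering: index 003 in the report is nbd0p4)."""
    unit = sector_size(text)
    out = []
    for line in text.splitlines():
        m = FDISK_ROW.match(line)
        if m:
            name = m.group(1)
            start, end, n = int(m.group(3)), int(m.group(4)), int(m.group(5))
            desc = m.group(6)
        else:
            m = MMLS_ROW.match(line)
            if not m:
                continue
            name = f"{device_prefix}{int(m.group(1)) + 1}"
            start, end, n = int(m.group(2)), int(m.group(3)), int(m.group(4))
            desc = m.group(5)
        if n != end - start + 1:          # sanity check on the listing itself
            raise ValueError(f"inconsistent row: {line!r}")
        out.append({"device": name, "start_sector": start, "sectors": n,
                    "byte_offset": start * unit, "byte_length": n * unit,
                    "description": desc.strip()})
    return out


def loop_mount_options(part):
    """Options for a read-only loop mount of the raw image file limited to this partition."""
    return f"ro,offset={part['byte_offset']},sizelimit={part['byte_length']}"


if __name__ == "__main__":
    for listing in (FDISK_OUTPUT, MMLS_OUTPUT):
        for p in partitions(listing):
            print(f"{p['device']:10} start={p['start_sector']:>9} "
                  f"offset={p['byte_offset']:>14}  {p['description']!r}")
            print("    mount -o", loop_mount_options(p), "image.raw /mnt/point")
```

The `offset=` and `sizelimit=` options are mount's loop-device options; restricting the loop device to the partition's length keeps a misread superblock from touching neighbouring data, and the sector arithmetic is the same one a Sleuth Kit `-o` value uses, just in sectors rather than bytes.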
---

### [+] Command: `sudo mmls /dev/nbd0`

- Timestamp: `2025-07-19T08-43-21-603461+00-00`
- GPG-signature: [+] Valid
- SHA256: `1e7e7d7d86604a62aceffd32db9f4f6f897f22c84de9f2367b46bf6fa4d9b77b`

#### Output:

```Shell
[STDOUT]
GUID Partition Table (EFI)
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Safety Table
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  Meta      0000000001   0000000001   0000000001   GPT Header
003:  Meta      0000000002   0000000033   0000000032   Partition Table
004:  000       0000002048   0000004095   0000002048
005:  001       0000004096   0001054719   0001050624   EFI System Partition
006:  002       0001054720   0046135295   0045080576
007:  -------   0046135296   0046874623   0000739328   Unallocated
008:  003       0046874624   0068360191   0021485568   FAT
009:  -------   0068360192   0069206015   0000845824   Unallocated
[STDERR]
```

#### Context:

### [+] Legal Context for `sudo mmls /dev/nbd0`

**Analyst:** Markus Winklhofer

**Timestamp:** 2025-07-20T11:57:41.187798+00:00

**[!] Note:** This command was executed with administrative rights (`sudo`).

`mmls` analyzes the partition layout of a disk image without modifying it. It shows partitions, offsets, and sizes — a typical forensic step before mounting.

---

### [+] Command: `sudo mount -o ro /dev/nbd0p4 ~/mnt/windows`

- Timestamp: `2025-07-19T08-45-08-725153+00-00`
- GPG-signature: [+] Valid
- SHA256: `aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f`

#### Output:

```Shell
[STDOUT]
[STDERR]
```

#### Context:

### [+] Legal Context for `sudo mount -o ro /dev/nbd0p4 ~/mnt/windows`

**Analyst:** Markus Winklhofer

**Timestamp:** 2025-07-20T11:57:41.225568+00:00

**[!] Note:** This command was executed with administrative rights (`sudo`).

`mount` is used to attach a filesystem to the directory tree. In forensic contexts, it must be used cautiously, as mounting can alter timestamps or content. Note that `ro` alone does not rule out every write: a journaling filesystem such as ext4 may still replay its journal on a read-only mount unless `noload` is also given, which is why a write blocker on the image or block device itself is the safer practice.
The `-o` option sets mount parameters — e.g., to enable read-only mode or suppress timestamp changes. `ro` stands for "read-only". It ensures that the mounted filesystem is not modified. This is critical in digital forensics.

---

### [+] Command: `file ~/mnt/windows/business/business`

- Timestamp: `2025-07-19T08-47-12-169525+00-00`
- GPG-signature: [+] Valid
- SHA256: `ddde4a678fd1627868e4b7f7be63273df4698f55d6b06069fd92eb5bcf6531db`

#### Output:

```Shell
[STDOUT]
/home/forick/mnt/windows/business/business: data
[STDERR]
```

#### Context:

### [+] Legal Context for `file ~/mnt/windows/business/business`

**Analyst:** Markus Winklhofer

**Timestamp:** 2025-07-20T11:57:41.239020+00:00

`file` identifies file types by examining magic numbers and headers. Useful for verifying or correcting file extensions and detecting anomalies. A result of `data` means no known signature matched; together with the structureless hex dump that follows, this is consistent with an encrypted container, which is what the file later turns out to be when it is mounted with VeraCrypt.

---

### [+] Command: `xxd business | head`

- Timestamp: `2025-07-19T08-49-20-139817+00-00`
- GPG-signature: [+] Valid
- SHA256: `d637733a8611dd3a59413fcfccbba0bf9570452f943569608795395f5db9a147`

#### Output:

```Shell
[STDOUT]
00000000: 6eb4 2189 ffa2 36d4 bddc 7b86 9304 48ae  n.!...6...{...H.
00000010: 6efd a848 cdf3 24bc da26 be81 bfd7 9e17  n..H..$..&......
00000020: 66c6 9f07 d791 1071 7bfd a3a9 4dcd 86af  f......q{...M...
00000030: 083a 3b06 ae59 ac64 e294 1f54 6fef 2654  .:;..Y.d...To.&T
00000040: 47cd bcd8 dd96 7fd5 7713 94ca 3860 8081  G.......w...8`..
00000050: 663a 5711 ad69 2ea2 7b40 5969 bc7f ceb6  f:W..i..{@Yi....
00000060: 20ca 92d8 6cc4 b540 7799 44a2 c91b e4bc   ...l..@w.D.....
00000070: 3d9c 2e45 db8b 6ce8 d2b8 de2a f403 2edc  =..E..l....*....
00000080: 3d61 7ac4 f06d a7d5 828e e896 7138 cd98  =az..m......q8..
00000090: a4b6 79f3 e518 3c18 e0ff b983 c2f1 1ab2  ..y...<.........
[STDERR]
```

#### Context:

### [+] Legal Context for `xxd business | head`

**Analyst:** Markus Winklhofer

**Timestamp:** 2025-07-20T11:57:41.249584+00:00

The `xxd` command creates a hexadecimal dump of a given file.
This is useful for inspecting raw data structures or headers.

---

### [+] Command: `sudo mount -o ro /dev/nbd0p3 ~/mnt/linux`

- Timestamp: `2025-07-19T08-52-36-712619+00-00`
- GPG-signature: [+] Valid
- SHA256: `aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f`

#### Output:

```Shell
[STDOUT]
[STDERR]
```

#### Context:

### [+] Legal Context for `sudo mount -o ro /dev/nbd0p3 ~/mnt/linux`

**Analyst:** Markus Winklhofer

**Timestamp:** 2025-07-20T11:57:41.296805+00:00

**[!] Note:** This command was executed with administrative rights (`sudo`).

`mount` is used to attach a filesystem to the directory tree. In forensic contexts, it must be used cautiously, as mounting can alter timestamps or content. The `-o` option sets mount parameters — e.g., to enable read-only mode or suppress timestamp changes. `ro` stands for "read-only". It ensures that the mounted filesystem is not modified. This is critical in digital forensics.

---

### [+] Timestamp: `2025-07-19T08-53-48-208768+00-00`

#### [+] Comment from analyst: Markus Winklhofer

#### [+] Content:

No results on the Windows partition so far, therefore the Linux partition was mounted and then analysed.

---

### [+] Command: `sudo cat shadow`

- Timestamp: `2025-07-19T09-17-43-927272+00-00`
- GPG-signature: [+] Valid
- SHA256: `c1f678376e214937833b8b20a631606fdf86a427045f287709f812916ae0f524`

#### Output:

```Shell
[STDOUT]
root:!:19175:0:99999:7:::
daemon:*:19101:0:99999:7:::
bin:*:19101:0:99999:7:::
sys:*:19101:0:99999:7:::
sync:*:19101:0:99999:7:::
games:*:19101:0:99999:7:::
man:*:19101:0:99999:7:::
lp:*:19101:0:99999:7:::
mail:*:19101:0:99999:7:::
news:*:19101:0:99999:7:::
uucp:*:19101:0:99999:7:::
proxy:*:19101:0:99999:7:::
www-data:*:19101:0:99999:7:::
backup:*:19101:0:99999:7:::
list:*:19101:0:99999:7:::
irc:*:19101:0:99999:7:::
gnats:*:19101:0:99999:7:::
nobody:*:19101:0:99999:7:::
systemd-network:*:19101:0:99999:7:::
...
(truncated, showing first 20 and last 10 lines)
pulse:*:19101:0:99999:7:::
gnome-initial-setup:*:19101:0:99999:7:::
hplip:*:19101:0:99999:7:::
gdm:*:19101:0:99999:7:::
pc:$y$j9T$graH6StsN64vZy4TX6DLO1$jFAPKwPTtCP25YeK6fiAIcbse.xZb3XaFXnIuwfaej4:19175:0:99999:7:::
sshd:*:19175:0:99999:7:::
belle:$6$mysalt$YapdgZlg0yR2OqcmMqMSk7rtEfLo2l0Yh/T4o8s1qilhHZUxHspG7n0nx2kzplXK9bBt1b7xx0/lExTeVDVDw0:19177:0:99999:7:::
kiara:$6$mysalt$O3uB2Z2bsrQzEWnKMGiud28mGyGERuQKillaz.0EktBTWK4YfHTCFOiUhUSWGBjgwL5wd1VHMnjVcDBGgFu7r0:19177:0:99999:7:::
[STDERR]
```

#### Context:

### [+] Legal Context for `sudo cat shadow`

**Analyst:** Markus Winklhofer

**Timestamp:** 2025-07-20T11:57:41.309219+00:00

**[!] Note:** This command was executed with administrative rights (`sudo`).

`cat` concatenates and displays the content of files. It is commonly used to view file contents or combine multiple files.

---

### [+] Timestamp: `2025-07-19T09-19-32-944437+00-00`

#### [+] Comment from analyst: Markus Winklhofer

#### [+] Content:

The three users can be seen in the shadow file, including the password hash, the salt used and the hashed value, as well as timestamps. These hashes are secured next.

---

> [!Info] Note
> I have already cracked the other passwords with hashcat and the wordList.txt.

---

### [+] Command: `sudo grep '^pc:' shadow > ~/evidence/linux-passHashes/hashes.txt`

- Timestamp: `2025-07-19T09-33-23-227939+00-00`
- GPG-signature: [+] Valid
- SHA256: `aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f`

#### Output:

```Shell
[STDOUT]
[STDERR]
```

#### Context:

### [+] Legal Context for `sudo grep '^pc:' shadow > ~/evidence/linux-passHashes/hashes.txt`

**Analyst:** Markus Winklhofer

**Timestamp:** 2025-07-20T11:57:41.337992+00:00

**[!] Note:** This command was executed with administrative rights (`sudo`).

`grep` searches for patterns in text files. In forensics, it helps extract relevant entries from logs, configs, or dumps.
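The analyst's comment above describes the pieces of a shadow entry (hash scheme, salt, hash value, date fields). As an added example that is not part of the report, the Python below splits shadow lines into those fields, tells locked accounts from accounts that carry a real hash, and names the hash scheme from its crypt(3) prefix, which is how the `$6$` (sha512crypt) entries of belle and kiara and the `$y$` (yescrypt) entry of pc are distinguished without any cracking. The sample input is the report's own `sudo cat shadow` output for root, pc, sshd, belle and kiara; the prefix table covers the schemes libxcrypt documents.

```python
# Added example: inventory of /etc/shadow entries (scheme, salt, dates).
# Not the report's own code; sample lines are the ones shown in the report.
from datetime import date, timedelta

SHADOW_LINES = """\
root:!:19175:0:99999:7:::
pc:$y$j9T$graH6StsN64vZy4TX6DLO1$jFAPKwPTtCP25YeK6fiAIcbse.xZb3XaFXnIuwfaej4:19175:0:99999:7:::
sshd:*:19175:0:99999:7:::
belle:$6$mysalt$YapdgZlg0yR2OqcmMqMSk7rtEfLo2l0Yh/T4o8s1qilhHZUxHspG7n0nx2kzplXK9bBt1b7xx0/lExTeVDVDw0:19177:0:99999:7:::
kiara:$6$mysalt$O3uB2Z2bsrQzEWnKMGiud28mGyGERuQKillaz.0EktBTWK4YfHTCFOiUhUSWGBjgwL5wd1VHMnjVcDBGgFu7r0:19177:0:99999:7:::
"""

# crypt(3) / libxcrypt hash prefixes and the scheme they denote
SCHEMES = {
    "$1$": "md5crypt", "$2b$": "bcrypt", "$2y$": "bcrypt", "$5$": "sha256crypt",
    "$6$": "sha512crypt", "$7$": "scrypt", "$y$": "yescrypt", "$gy$": "gost-yescrypt",
}

EPOCH = date(1970, 1, 1)


def hash_scheme(field):
    """Classify the second shadow field ('!' / '*' / empty = no usable password)."""
    if field in ("", "!", "!!", "*"):
        return "locked/no-password"
    if field.startswith("!"):              # '!' + hash: account locked by passwd -l
        return "locked (" + hash_scheme(field[1:]) + ")"
    for prefix, name in SCHEMES.items():
        if field.startswith(prefix):
            return name
    return "unknown"


def parse_shadow(text):
    """One dict per entry. 'salt' is the scheme prefix plus salt/parameters,
    i.e. everything before the final '$'; 'last_change' converts the
    days-since-epoch field (third field) into a calendar date."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split(":")
        if len(f) != 9:
            raise ValueError(f"malformed shadow line: {line!r}")
        pwd = f[1]
        salt = pwd.rsplit("$", 1)[0] if pwd.startswith("$") and pwd.count("$") >= 3 else None
        entries.append({
            "user": f[0],
            "scheme": hash_scheme(pwd),
            "salt": salt,
            "last_change": EPOCH + timedelta(days=int(f[2])) if f[2] else None,
            "max_days": int(f[4]) if f[4] else None,
        })
    return entries


def accounts_with_password_hash(text):
    """Users whose entry carries a real hash (the ones worth securing as evidence)."""
    return [e["user"] for e in parse_shadow(text)
            if not e["scheme"].startswith("locked")]


if __name__ == "__main__":
    for e in parse_shadow(SHADOW_LINES):
        print(f"{e['user']:8} {e['scheme']:20} salt={e['salt']!s:32} "
              f"last_change={e['last_change']}")
```

The last-change dates this yields (2022-07-02 for pc and root, 2022-07-04 for belle and kiara) line up with the `Jul 4 2022` timestamps on belle's home directory later in the report, which is a cheap cross-check that the shadow file belongs to the same installation.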
---

### [+] Command: `cut -d: -f2 ~/evidence/linux-passHashes/hashes.txt > ~/evidence/linux-passHashes/hashes_hashcat.txt`

- Timestamp: `2025-07-19T09-41-50-673936+00-00`
- GPG-signature: [+] Valid
- SHA256: `aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f`

#### Output:

```Shell
[STDOUT]
[STDERR]
```

#### Context:

### [+] Legal Context for `cut -d: -f2 ~/evidence/linux-passHashes/hashes.txt > ~/evidence/linux-passHashes/hashes_hashcat.txt`

**Analyst:** Markus Winklhofer

**Timestamp:** 2025-07-20T11:57:41.362354+00:00

`cut` removes sections from each line of files. It is commonly used to extract specific columns or fields. `-d` specifies the delimiter character. `-f` specifies the fields to extract.

---

### [+] Timestamp: `2025-07-19T14-35-17-836177+00-00`

#### [+] Comment from analyst: Markus Winklhofer

#### [+] Content:

The passwords of users belle and kiara were cracked and are: ohQuep1A (kiara) and Eip7uoKo (belle)

---

### [+] Timestamp: `2025-07-19T14-46-11-098224+00-00`

#### [+] Comment from analyst: Markus Winklhofer

#### [+] Content:

Next, an attempt is made to open the file on the Windows partition with the passwords obtained.

---

### [+] Timestamp: `2025-07-19T15-09-38-776505+00-00`

#### [+] Comment from analyst: Markus Winklhofer

#### [+] Content:

The password of user pc is cracked next.

---

### [+] Timestamp: `2025-07-19T15-28-09-158744+00-00`

#### [+] Comment from analyst: Markus Winklhofer

#### [+] Content:

Okay, the password of user pc now has to be cracked with John after all, because hashcat has abandoned me. R.I.P hashcat

---

### [+] Timestamp: `2025-07-19T16-08-43-581807+00-00`

#### [+] Comment from analyst: Markus Winklhofer

#### [+] Content:

Trying all of them with john would take too long. The unshadowed file is cleaned up manually.

---

### [+] Timestamp: `2025-07-19T16-22-52-786709+00-00`

#### [+] Comment from analyst: Markus Winklhofer

#### [+] Content:

The hash of user pc cannot be decrypted.
What is known: most likely yescrypt

---

### [+] Timestamp: `2025-07-19T16-23-12-195637+00-00`

#### [+] Comment from analyst: Markus Winklhofer

#### [+] Content:

Then let's take another look at the business file on Windows

---

### [+] Timestamp: `2025-07-19T19-05-53-643688+00-00`

#### [+] Comment from analyst: Markus Winklhofer

#### [+] Content:

The business file on the Windows partition was mounted with VeraCrypt. Now we have a folder named paesse, which contains .jpeg, .gif and .html files. We've got him, comrades.

---

### [+] Command: `cp -r paesse ~/evidence/paesse_secured`

- Timestamp: `2025-07-19T19-08-38-532451+00-00`
- GPG-signature: [+] Valid
- SHA256: `aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f`

#### Output:

```Shell
[STDOUT]
[STDERR]
```

#### Context:

### [+] Legal Context for `cp -r paesse ~/evidence/paesse_secured`

**Analyst:** Markus Winklhofer

**Timestamp:** 2025-07-20T11:57:41.463529+00:00

`cp` copies files and directories. `-r` copies directories recursively.
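Securing a copy of evidence, as done with `cp -r` above, is normally paired with a hash manifest like the `paesse_hashes.txt` listed in the next command, so that the copy can be shown later to match what was collected. As an added example (not the report's or sha256sum's code), the Python below builds a manifest in sha256sum's `hash  path` layout and verifies a directory tree against it, reporting modified, missing and unexpected files separately. The sample tree is constructed in a temporary directory; the file names are placeholders chosen to resemble the report's and carry no real content.

```python
# Added example: build and verify a sha256sum-style manifest for secured evidence.
# Not the report's own code; the sample tree below is constructed for the demo.
import hashlib
import tempfile
from pathlib import Path

HEX = set("0123456789abcdefABCDEF")


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Manifest lines 'hex  relative/path' for every regular file under root, sorted."""
    root = Path(root)
    files = sorted(p for p in root.rglob("*") if p.is_file())
    return [f"{sha256_file(p)}  {p.relative_to(root).as_posix()}" for p in files]


def parse_manifest(lines):
    """Parse sha256sum-style lines into {path: digest}. Accepts the usual
    two-space separator as well as a single space and the ' *' binary marker."""
    entries = {}
    for line in lines:
        if not line.strip():
            continue
        digest, _, rest = line.partition(" ")
        name = rest.lstrip(" ")
        if name.startswith("*"):
            name = name[1:]
        if len(digest) != 64 or not set(digest) <= HEX or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[name] = digest.lower()
    return entries


def verify_manifest(root, lines):
    """Compare the files under root with the manifest.
    Returns (ok, modified, missing, extra), each a sorted list of relative paths."""
    root = Path(root)
    expected = parse_manifest(lines)
    present = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    ok, modified = [], []
    for name, digest in expected.items():
        path = root / name
        if not path.is_file():
            continue                      # reported under 'missing' below
        (ok if sha256_file(path) == digest else modified).append(name)
    missing = sorted(set(expected) - present)
    extra = sorted(present - set(expected))
    return sorted(ok), sorted(modified), missing, extra


def demo():
    """Constructed scenario: hash a small tree, then alter one file and add another."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp) / "paesse"
        (d / "Cover").mkdir(parents=True)
        (d / "index.html").write_bytes(b"<html>constructed sample</html>")
        (d / "Cover" / "sample.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed bytes")
        manifest = build_manifest(d)
        (d / "index.html").write_bytes(b"<html>modified after hashing</html>")
        (d / "extra.txt").write_bytes(b"not in the manifest")
        return verify_manifest(d, manifest)


if __name__ == "__main__":
    ok, modified, missing, extra = demo()
    print("ok:", ok, "modified:", modified, "missing:", missing, "extra:", extra)
```

A verification that distinguishes "modified" from "missing" and "extra" matters in practice: `sha256sum -c` reports a changed file and an absent file differently too, but it says nothing about files that appeared after the manifest was written, and those are exactly what a contaminated evidence copy looks like.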
---

### [+] Command: `cat paesse_hashes.txt`

- Timestamp: `2025-07-19T19-15-35-249409+00-00`
- GPG-signature: [+] Valid
- SHA256: `e021c5fb88dbb683e55d00991fcf65e2ecb038e615375b6f8aa95091aa3d5cbc`

#### Output:

```Shell
[STDOUT]
2337d9209ebc59826b7c6839b62a073bfb4c6084ae7ca7b33091adf5b51124f0  paesse/b-contacts.jpg
56c54308a51a73f1fde781a923a7d5e33c992d54e5698c7a1a5f62df5faf96d6  paesse/b-news.jpg
699d7fbef975e4f75d8755a7cc9bb7c4e0d50e6aac35c676cfb84590cab4cab1  paesse/b-samples.jpg
4ce769d6291abad8e9e57911adbc7e263645c0cd5b2ad81fbfc5dd5339137883  paesse/back_to_samples.gif
88c50adcbd68e9b06317b0f10e4cd118bccb5ee9c6b7d15b2053c7475a0f4b7c  paesse/button_email.gif
b1442e85b03bdcaf66dc58c7abb98745dd2687d86350be9a298a1d9382ac849b  paesse/emty.gif
1f3e68eef4da22b8c1991813a58cc2ca931e3a313db4dbb49dd5c64d34231021  paesse/flash_r1_c2e.gif
76eb565cb3290c6542c27d16b075de244bfb055eaba9ed744d6095e3d8163d95  paesse/flash_r1_c3e.gif
0cb5cb828aaa48c5b6ecaaff62812b74376143e8375af99969992d2d7c772290  paesse/flash_r1_c6e.gif
908bc1335ed5d3eb60eff3787cf33162d48e1ced5c116702719673722fc433cb  paesse/head_r1_c1.jpg
edb7a8c927edbfe365fb0015892c4893f5ccedf217e4d61a94f6fa947daef9ae  paesse/head_r1_c2.jpg
6985dfc8eb8836a79084decd3a7df6efbe70af108ea3942b897e16f5865b79bb  paesse/head_r2_c1.gif
7a9847daf2ce9f8e612e8daea71c52dbcd2649b83685d9eeeb87e4c4f64b18f0  paesse/index.html
d3178da777620b3045cd390842a317c5fb5fb7f7baf49e14f2b85e54a98ecee9  paesse/index.php.CB66877E.html
c670355f7938549fa50faa7d80c764e64e9e67ec1e64309f2a68b0a6a5196635  paesse/index.shtml
e2704c3f9480d96bc8c70c30b2db3cec6ad73d9f8729ec9ada335eab7fb4534a  paesse/m-maine.gif
983e88c639a4a60b8abd68188aabeb16cc1ffd36745ca2bdce29819c0bc3a912  paesse/main.jpg
a7d820cf32d4be1a04515f0334abae05cc6ceb385844a6ef57d4c6f9af73c75e  paesse/menu_r1_c1e.gif
a1e852623a899f3e3be745d2819a650d666f5985cfbfae6d27785fce187a54ac  paesse/menu_r1_c2e.gif
...
(truncated, showing first 20 and last 10 lines)
2fa9099d8949fc6a6a4a6992ccd1c303ee201d4d7b12aab39c5d7c0c68265a66  paesse/Cover/Canada passport.jpg
cb41bb8bb1a969cdd498900574483d966fe3debd2e51996e4a4384a0d3461efc  paesse/Cover/Finland passport.jpg
8c692f01c66852ab217b60bd36417b6603a8bf2fbba61163b914deb842dc7233  paesse/Cover/France passport.jpg
1dfb1a35d4a6efe8d6172014078eac070885c195a5c58b95ff47f435d9da22d0  paesse/Cover/German passport.jpg
a9723e7b99ffc8a8a36e1fd20346721286e681c9fd533d291b732acbfea10cb2  paesse/Cover/Netherlands passport.jpg
f51dda5ad02e23445ea503911324920c3776bb271c741eb6165fc2006e5fc130  paesse/Cover/UK license small.jpg
2963750629e0b3560c2a7ef52c4ffd82183395f551f43bf6548490a10acf0456  paesse/Cover/UK passport.jpg
a41f223bdb68803e763969808dcde3fcf14e10c97dd23b7314e083f21edc1b2d  paesse/inside/pp-uk-open-big.jpg
[STDERR]
```

#### Context:

### [+] Legal Context for `cat paesse_hashes.txt`

**Analyst:** Markus Winklhofer

**Timestamp:** 2025-07-20T11:57:41.498045+00:00

`cat` concatenates and displays the content of files. It is commonly used to view file contents or combine multiple files.

---

### [+] Timestamp: `2025-07-19T19-44-42-593534+00-00`

#### [+] Comment from analyst: Markus Winklhofer

#### [+] Content:

Forensic analysis of index.html: many indications of the sale of forged passports could be found. The page contains several tabs, including 'Terms and Conditions', a price list, an email address (documents.service@safe-mail.net) and further clues. The exact clues will be listed subsequently.

---

### [+] Timestamp: `2025-07-19T19-45-33-350345+00-00`

#### [+] Comment from analyst: Markus Winklhofer

#### [+] Content:

Password for the business file: forgeMaster

---

### [+] Timestamp: `2025-07-19T19-50-48-645917+00-00`

#### [+] Comment from analyst: Markus Winklhofer

#### [+] Content:

Next, chat histories and email traffic, as well as browser histories, are searched for.

---

### [+] Command: `sudo ls -la belle`

- Timestamp: `2025-07-19T19-56-41-335702+00-00`
- GPG-signature: [+] Valid
- SHA256: `82baa87dfd52f9eaf1f17cb2016d112f83c1ae0428e1737c67b2869d02c0c997`

#### Output:

```Shell
[STDOUT]
total 76
drwxr-x--- 16 1001 1001 4096 Jul  4  2022 .
drwxr-xr-x  5 root root 4096 Jul  4  2022 ..
-rw-r--r--  1 1001 1001  220 Jan  6  2022 .bash_logout
-rw-r--r--  1 1001 1001 3771 Jan  6  2022 .bashrc
drwxr-xr-x  2 1001 1001 4096 Jul  4  2022 Bilder
drwx------ 13 1001 1001 4096 Jul  4  2022 .cache
drwx------ 14 1001 1001 4096 Jul  4  2022 .config
drwxr-xr-x  2 1001 1001 4096 Jul  4  2022 Dokumente
drwxr-xr-x  2 1001 1001 4096 Jul  4  2022 Downloads
drwx------  2 1001 1001 4096 Jul  4  2022 .gnupg
drwx------  3 1001 1001 4096 Jul  4  2022 .local
drwxr-xr-x  2 1001 1001 4096 Jul  4  2022 Musik
drwxr-xr-x  2 1001 1001 4096 Jul  4  2022 Öffentlich
-rw-r--r--  1 1001 1001  807 Jan  6  2022 .profile
drwxr-xr-x  2 1001 1001 4096 Jul  4  2022 Schreibtisch
drwx------  4 1001 1001 4096 Jul  4  2022 snap
drwx------  2 1001 1001 4096 Jul  4  2022 .ssh
-rw-r--r--  1 1001 1001    0 Jul  4  2022 .sudo_as_admin_successful
```

#### Context:

### [+] Legal Context for `sudo ls -la belle`

**Analyst:** Markus Winklhofer

**Timestamp:** 2025-07-20T11:57:41.509216+00:00

**[!] Note:** This command was executed with administrative rights (`sudo`).

`ls` lists files in a directory. It is used to gain an overview and does not modify data.
---

### [+] Timestamp: `2025-07-19T19-57-33-244846+00-00`

#### [+] Comment from analyst: Markus Winklhofer

#### [+] Content:

First we search the user belle (the preceding command belongs to this)

---

### [+] Command: `sudo ls -la belle/Bilder`

- Timestamp: `2025-07-19T19-58-19-142111+00-00`
- GPG-signature: [+] Valid
- SHA256: `b916127be77302898d8d5d0a74789e0da96e597c8cc36239ba3555fdeadde089`

#### Output:

```Shell
[STDOUT]
total 8
drwxr-xr-x  2 1001 1001 4096 Jul  4  2022 .
drwxr-x--- 16 1001 1001 4096 Jul  4  2022 ..
[STDERR]
```

#### Context:

### [+] Legal Context for `sudo ls -la belle/Bilder`

**Analyst:** Markus Winklhofer

**Timestamp:** 2025-07-20T11:57:41.520846+00:00

**[!] Note:** This command was executed with administrative rights (`sudo`).

`ls` lists files in a directory. It is used to gain an overview and does not modify data.

---

### [+] Command: `sudo ls -la belle/.config`

- Timestamp: `2025-07-19T20-08-05-109640+00-00`
- GPG-signature: [+] Valid
- SHA256: `78eaefb4186c21188354ab750c8082743330d3871e8c0bebbc7cec9b647b686d`

#### Output:

```Shell
[STDOUT]
total 72
drwx------ 14 1001 1001 4096 Jul  4  2022 .
drwxr-x--- 16 1001 1001 4096 Jul  4  2022 ..
drwx------  2 1001 1001 4096 Jul  4  2022 dconf
drwx------  3 1001 1001 4096 Jul  4  2022 evolution
-rw-rw-r--  1 1001 1001    3 Jul  4  2022 gnome-initial-setup-done
drwx------  3 1001 1001 4096 Jul  4  2022 gnome-session
drwxr-xr-x  2 1001 1001 4096 Jul  4  2022 goa-1.0
-rw-rw-r--  1 1001 1001    0 Jul  4  2022 .gsd-keyboard.settings-ported
drwx------  2 1001 1001 4096 Jul  4  2022 gtk-3.0
drwx------  2 1001 1001 4096 Jul  4  2022 gtk-4.0
drwx------  3 1001 1001 4096 Jul  4  2022 ibus
drwxrwxr-x  2 1001 1001 4096 Jul  4  2022 keepassxc
drwxr-xr-x  2 1001 1001 4096 Jul  4  2022 nautilus
drwx------  2 1001 1001 4096 Jul  4  2022 pulse
-rw-rw-r--  1 1001 1001  106 Jul  4  2022 QtProject.conf
drwx------  2 1001 1001 4096 Jul  4  2022 update-notifier
-rw-------  1 1001 1001  640 Jul  4  2022 user-dirs.dirs
-rw-rw-r--  1 1001 1001    5 Jul  4  2022 user-dirs.locale
```

#### Context:

### [+] Legal Context for `sudo ls -la belle/.config`

**Analyst:** Markus Winklhofer

**Timestamp:** 2025-07-20T11:57:41.529524+00:00

**[!] Note:** This command was executed with administrative rights (`sudo`).

`ls` lists files in a directory. It is used to gain an overview and does not modify data.

---

### [+] Command: `sudo ls -la belle/.cache`

- Timestamp: `2025-07-19T20-08-50-883916+00-00`
- GPG-signature: [+] Valid
- SHA256: `39e23eb4173556a2dce5e3b0562a4b8ab6b340e77f077cb5e2798ec8b0d76711`

#### Output:

```Shell
[STDOUT]
total 64
drwx------ 13 1001 1001  4096 Jul  4  2022 .
drwxr-x--- 16 1001 1001  4096 Jul  4  2022 ..
-rw-r--r--  1 1001 1001 12288 Jul  4  2022 event-sound-cache.tdb.6746c953637546dc9d96c167a444559c.x86_64-pc-linux-gnu
drwx------  8 1001 1001  4096 Jul  4  2022 evolution
drwx------  3 1001 1001  4096 Jul  4  2022 gnome-desktop-thumbnailer
drwxrwxr-x  2 1001 1001  4096 Jul  4  2022 gstreamer-1.0
drwxrwxr-x  3 1001 1001  4096 Jul  4  2022 ibus
drwxrwxr-x  2 1001 1001  4096 Jul  4  2022 ibus-table
drwxrwxr-x  2 1001 1001  4096 Jul  4  2022 keepassxc
drwxr-xr-x 97 1001 1001  4096 Jul  4  2022 mesa_shader_cache
drwx------  4 1001 1001  4096 Jul  4  2022 thumbnails
drwx------  3 1001 1001  4096 Jul  4  2022 tracker3
drwx------  2 1001 1001  4096 Jul  4  2022 ubuntu-report
drwxrwxr-x  2 1001 1001  4096 Jul  4  2022 update-manager-core
[STDERR]
```

#### Context:

### [+] Legal Context for `sudo ls -la belle/.cache`

**Analyst:** Markus Winklhofer

**Timestamp:** 2025-07-20T11:57:41.538887+00:00

**[!] Note:** This command was executed with administrative rights (`sudo`).

`ls` lists files in a directory. It is used to gain an overview and does not modify data.

---

### [+] Command: `sudo ls -la belle/Dokumente/Pass.kdbx`

- Timestamp: `2025-07-19T20-14-23-496084+00-00`
- GPG-signature: [+] Valid
- SHA256: `d20f70753042c1eb64f27c65792dc833b48f36a22a98a20cbe318741a6cbe9a4`

#### Output:

```Shell
[STDOUT]
-rw------- 1 1001 1001 1605 Jul  4  2022 belle/Dokumente/Pass.kdbx
[STDERR]
```

#### Context:

### [+] Legal Context for `sudo ls -la belle/Dokumente/Pass.kdbx`

**Analyst:** Markus Winklhofer

**Timestamp:** 2025-07-20T11:57:41.547486+00:00

**[!] Note:** This command was executed with administrative rights (`sudo`).

`ls` lists files in a directory. It is used to gain an overview and does not modify data.

---

### [+] Timestamp: `2025-07-19T20-15-03-978366+00-00`

#### [+] Comment from analyst: Markus Winklhofer

#### [+] Content:

Password manager already done by Eric: password for the Windows partition.
---

### [+] Command: `sudo cat belle/.ssh/id_rsa`

- Timestamp: `2025-07-19T21-05-04-042237+00-00`
- GPG-signature: [+] Valid
- SHA256: `f36e6f459dcb473e51ffafbbf7c84eb014d20b209b6aec5137be2b2fc8a8d910`

#### Output:

```Shell
[STDOUT]
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEA8HvHvFjaySYQbujRPF/FXnBnq5eUy4UgdcVu2XgZXnqQ14Y/SREG
BLPabOxqz11fS8k/xLdU30JLypH0+vUccrcN51k6ZfM5aKszqYvTXgenGc0S8zCGGPC4mt
cMs2AzSQglx11fjAOh51DyDcE+nSFV7q11LMDufGgklY7Z0Y/EpTjAlkXJKwgIUPLewSV5
KKcmr3Sj6JhPXZrVcHwbrIIS5f88TLzL7L+bNrLE4EGVmAAsOwSSeNZ0F51uDXuhmnIwxw
UMBd4XAhQtSt8OruwoeQcrPO0heUyxCFi19OvOCF+kNp7JhkO2AD+GnanrH79sc2RV8+nN
miLJvAOW1bk4yvl784fxvzR6l6q+x3hYy57QqZG6sOhTxJYslQ5A33UiSL6boZ5UrS4zS6
xVgrF7eEy4ZTgh3CaHUc6sK1GqoBqDas+pBKl4ZnygWxWhAxoExfy7p9iqMc27+YkYfAfC
LpyKIU7iSV+2D2/QKW+idRohT/HEhyjSPCcLu5KDAAAFqNUGXfjVBl34AAAAB3NzaC1yc2
EAAAGBAPB7x7xY2skmEG7o0TxfxV5wZ6uXlMuFIHXFbtl4GV56kNeGP0kRBgSz2mzsas9d
X0vJP8S3VN9CS8qR9Pr1HHK3DedZOmXzOWirM6mL014HpxnNEvMwhhjwuJrXDLNgM0kIJc
ddX4wDoedQ8g3BPp0hVe6tdSzA7nxoJJWO2dGPxKU4wJZFySsICFDy3sEleSinJq90o+iY
T12a1XB8G6yCEuX/PEy8y+y/mzayxOBBlZgALDsEknjWdBedbg17oZpyMMcFDAXeFwIULU
rfDq7sKHkHKzztIXlMsQhYtfTrzghfpDaeyYZDtgA/hp2p6x+/bHNkVfPpzZoiybwDltW5
OMr5e/OH8b80epeqvsd4WMue0KmRurDoU8SWLJUOQN91Iki+m6GeVK0uM0usVYKxe3hMuG
U4Idwmh1HOrCtRqqAag2rPqQSpeGZ8oFsVoQMaBMX8u6fYqjHNu/mJGHwHwi6ciiFO4klf
tg9v0ClvonUaIU/xxIco0jwnC7uSgwAAAAMBAAEAAAGAMkMUtHN3ytnXTm7/qFg19q6UpG
MKmNzqs2K/79jvqHUCh+FJodpagSocCW8CRfP0gnD+EH3m0cDX+W83HiqTtxA2ajeWgo9q
...
(truncated, showing first 20 and last 10 lines)
J1i1XmO49o/FP0mze51sFnPG7OtWpKOXR7m3pha8akpnNZ7IcnF/xZfVxiykVGmmSRn+eT
J9i53CQTukHQSNG12zlYZhXhfXigFjDQAAAMEA9UCGcYR1KkIrx1zlITQAvJfYPIWPEfgz
6iEvErwXZ9wjyVovoi6tT+lWHa/Hz2Larj4uUgXAuqL0ZkNwj4WBNuQOcbzkyMW9oJ8EOb
8wl6AppLW0FqxMhmu2UWl9eGeGEr/DsEnIYfTPu+L8aIGmdLjn6Iefu8QYab/YSvVNEkMW
cMJ4yBQhhgpyhFtSO3mxSSZ9sXX16PTuIz0ZZR5EXp5B54RSMlCWSvNv59f4XK0oZ6GdmM
rcY97g+jJdO6fPAAAAMWFuc2libGUtZ2VuZXJhdGVkIG9uIHBjLVN0YW5kYXJkLVBDLVEz
NS1JQ0g5LTIwMDkB
-----END OPENSSH PRIVATE KEY-----
[STDERR]
```

#### Context:

### [+] Legal Context for `sudo cat belle/.ssh/id_rsa`

**Analyst:** Markus Winklhofer

**Timestamp:** 2025-07-20T11:57:41.555969+00:00

**[!] Note:** This command was executed with administrative rights (`sudo`).

`cat` concatenates and displays the content of files. It is commonly used to view file contents or combine multiple files.

---

### [+] Command: `sudo cat belle/.ssh/id_rsa.pub`

- Timestamp: `2025-07-19T21-06-59-071476+00-00`
- GPG-signature: [+] Valid
- SHA256: `10e017969f0c7635be44d0a4f8d5ec505414e228883f7a8109b807633c9d19f7`

#### Output:

```Shell
[STDOUT]
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDwe8e8WNrJJhBu6NE8X8VecGerl5TLhSB1xW7ZeBleepDXhj9JEQYEs9ps7GrPXV9LyT/Et1TfQkvKkfT69Rxytw3nWTpl8zloqzOpi9NeB6cZzRLzMIYY8Lia1wyzYDNJCCXHXV+MA6HnUPINwT6dIVXurXUswO58aCSVjtnRj8SlOMCWRckrCAhQ8t7BJXkopyavdKPomE9dmtVwfBusghLl/zxMvMvsv5s2ssTgQZWYACw7BJJ41nQXnW4Ne6GacjDHBQwF3hcCFC1K3w6u7Ch5Bys87SF5TLEIWLX0684IX6Q2nsmGQ7YAP4adqesfv2xzZFXz6c2aIsm8A5bVuTjK+Xvzh/G/NHqXqr7HeFjLntCpkbqw6FPEliyVDkDfdSJIvpuhnlStLjNLrFWCsXt4TLhlOCHcJodRzqwrUaqgGoNqz6kEqXhmfKBbFaEDGgTF/Lun2Koxzbv5iRh8B8IunIohTuJJX7YPb9Apb6J1GiFP8cSHKNI8Jwu7koM= ansible-generated on pc-Standard-PC-Q35-ICH9-2009
[STDERR]
```

#### Context:

### [+] Legal Context for `sudo cat belle/.ssh/id_rsa.pub`

**Analyst:** Markus Winklhofer

**Timestamp:** 2025-07-20T11:57:41.564473+00:00

**[!] Note:** This command was executed with administrative rights (`sudo`).

`cat` concatenates and displays the content of files. It is commonly used to view file contents or combine multiple files.

---

## [+] GPG-Overview

Each `.log` file was digitally signed with GPG where applicable. The signature status is documented per command.