DIF_Team_13/Pruefungsleistung/Verlauf-Hausarbeit.md


Findings:
Firefox history of the user "belle":
```
┌──(root㉿kali)-[/mnt/…/common/.mozilla/firefox/e9cqlzsn.default]
└─# cp places.sqlite ~/belle_places.sqlite
cd ~
sqlite3 belle_places.sqlite "SELECT url, title, datetime(visit_date/1000000,'unixepoch') FROM moz_places JOIN moz_historyvisits ON moz_places.id = moz_historyvisits.place_id ORDER BY visit_date DESC LIMIT 50;"
https://i.pinimg.com/236x/41/80/fa/4180fa703a970335721fe445385e7627.jpg|4180fa703a970335721fe445385e7627.jpg|2022-07-04 17:18:46
https://www.google.com/imgres?imgurl=http%3A%2F%2Fwww.theoccidentalobserver.net%2Fwp-content%2Fuploads%2F2013%2F03%2Fpassport.jpg&imgrefurl=https%3A%2F%2Fwww.tanelorn.net%2Findex.php%3Ftopic%3D89563.0&tbnid=aVoZMmKwJEc3nM&vet=12ahUKEwjmxI7K3t_4AhW6X_EDHdnKCQ0QMygPegUIARDIAg..i&docid=RoDgtxExKImejM&w=485&h=325&q=fake%20reisepass&client=ubuntu&ved=2ahUKEwjmxI7K3t_4AhW6X_EDHdnKCQ0QMygPegUIARDIAg#imgrc=aVoZMmKwJEc3nM&imgdii=Wq-UfCzaU1CwWM|fake reisepass - Google Suche|2022-07-04 17:18:40
https://i.pinimg.com/originals/b6/26/5d/b6265df99e65d5023e821832d53413d7.jpg|b6265df99e65d5023e821832d53413d7.jpg|2022-07-04 17:18:21
http://www.theoccidentalobserver.net/wp-content/uploads/2013/03/passport.jpg|passport.jpg|2022-07-04 17:18:13
https://www.google.com/imgres?imgurl=https%3A%2F%2Fi.pinimg.com%2Foriginals%2Fb6%2F26%2F5d%2Fb6265df99e65d5023e821832d53413d7.jpg&imgrefurl=https%3A%2F%2Fwww.pinterest.de%2Fpin%2F665758757412891737%2F&tbnid=2AqgmgjQ-5-K3M&vet=12ahUKEwjmxI7K3t_4AhW6X_EDHdnKCQ0QMygKegUIARC-Ag..i&docid=i8kd5nZiMlnTFM&w=1600&h=903&q=fake%20reisepass&client=ubuntu&ved=2ahUKEwjmxI7K3t_4AhW6X_EDHdnKCQ0QMygKegUIARC-Ag|fake reisepass - Google Suche|2022-07-04 17:17:57
https://www.google.com/imgres?imgurl=http%3A%2F%2Fwww.theoccidentalobserver.net%2Fwp-content%2Fuploads%2F2013%2F03%2Fpassport.jpg&imgrefurl=https%3A%2F%2Fwww.tanelorn.net%2Findex.php%3Ftopic%3D89563.0&tbnid=aVoZMmKwJEc3nM&vet=12ahUKEwjmxI7K3t_4AhW6X_EDHdnKCQ0QMygPegUIARDIAg..i&docid=RoDgtxExKImejM&w=485&h=325&q=fake%20reisepass&client=ubuntu&ved=2ahUKEwjmxI7K3t_4AhW6X_EDHdnKCQ0QMygPegUIARDIAg|fake reisepass - Google Suche|2022-07-04 17:17:53
https://www.google.com/search?q=fake+reisepass&client=ubuntu&hs=fKo&channel=fs&source=lnms&tbm=isch&sa=X&ved=2ahUKEwjUp4PJ3t_4AhUD76QKHe1WAGgQ_AUoAXoECAIQAw&biw=950&bih=656&dpr=1|fake reisepass Google Suche|2022-07-04 17:17:31
https://www.google.com/search?channel=fs&client=ubuntu&q=fake+reisepass+|fake reisepass - Google Suche|2022-07-04 17:17:29
https://www.capacitymedia.com/article/29otc9t6wy04gbplov3ls/news/welcome-to-bruce-leegate-as-dos-santoss-lawyers-say-passport-was-faked|Welcome to Bruce Leegate, as Dos Santoss lawyers say passport was faked | Capacity Media|2022-07-04 17:16:55
https://www.google.com/url?sa=i&url=https%3A%2F%2Fwww.capacitymedia.com%2Farticle%2F29otc9t6wy04gbplov3ls%2Fnews%2Fwelcome-to-bruce-leegate-as-dos-santoss-lawyers-say-passport-was-faked&psig=AOvVaw1gkKsQD4pej9OiJznqp3qE&ust=1657041380579000&source=images&cd=vfe&ved=2ahUKEwjY75qo3t_4AhUL66QKHfX3CSIQjRx6BAgAEAs||2022-07-04 17:16:55
https://www.pinterest.de/pin/1063764374453701873/|Pin auf buy real passport|2022-07-04 17:16:39
https://www.google.com/url?sa=i&url=https%3A%2F%2Fwww.pinterest.de%2Fpin%2F1063764374453701873%2F&psig=AOvVaw1Kyf5mseWxUn9QUrS7dCGR&ust=1657041395616000&source=images&cd=vfe&ved=0CAoQjhxqFwoTCJCPirDe3_gCFQAAAAAdAAAAABAD||2022-07-04 17:16:39
https://www.pinterest.de/pin/1063764374453701873/|Pin auf buy real passport|2022-07-04 17:16:37
https://www.google.com/url?sa=i&url=https%3A%2F%2Fwww.pinterest.de%2Fpin%2F1063764374453701873%2F&psig=AOvVaw1Kyf5mseWxUn9QUrS7dCGR&ust=1657041395616000&source=images&cd=vfe&ved=0CAoQjhxqFwoTCJCPirDe3_gCFQAAAAAdAAAAABAD||2022-07-04 17:16:37
https://www.google.com/search?q=fake+passport+germany&tbm=isch&client=ubuntu&hs=xdT&hl=de&sa=X&ved=2ahUKEwi_oZKj3t_4AhUV0oUKHU9dAdUQrNwCKAB6BQgBEN8B&biw=950&bih=656#imgrc=p4tx4Yn-KOB2dM|fake passport germany Google Suche|2022-07-04 17:16:37
https://www.google.com/search?q=fake+passport+germany&tbm=isch&client=ubuntu&hs=xdT&hl=de&sa=X&ved=2ahUKEwi_oZKj3t_4AhUV0oUKHU9dAdUQrNwCKAB6BQgBEN8B&biw=950&bih=656|fake passport germany Google Suche|2022-07-04 17:16:35
https://www.google.com/imgres?imgurl=https%3A%2F%2Fassets.euromoneydigital.com%2Fdims4%2Fdefault%2F52dde24%2F2147483647%2Fstrip%2Ftrue%2Fcrop%2F691x389%2B0%2B0%2Fresize%2F840x473!%2Fquality%2F90%2F%3Furl%3Dhttp%253A%252F%252Feuromoney-brightspot.s3.amazonaws.com%252F3b%252F3b%252Fc65211fc4d1b26967322e6d686f2%252Fserveimage&imgrefurl=https%3A%2F%2Fwww.capacitymedia.com%2Farticle%2F29otc9t6wy04gbplov3ls%2Fnews%2Fwelcome-to-bruce-leegate-as-dos-santoss-lawyers-say-passport-was-faked&tbnid=kiFDAG2HJ1Wa8M&vet=12ahUKEwi_oZKj3t_4AhUV0oUKHU9dAdUQMygLegUIARDDAQ..i&docid=eDNGXz2EPJg-cM&w=840&h=473&q=how%20to%20fake%20passport&client=ubuntu&ved=2ahUKEwi_oZKj3t_4AhUV0oUKHU9dAdUQMygLegUIARDDAQ|how to fake passport - Google Suche|2022-07-04 17:16:20
https://www.google.com/search?q=how+to+fake+passport&client=ubuntu&hs=xdT&channel=fs&source=lnms&tbm=isch&sa=X&ved=2ahUKEwjY_OSf3t_4AhX4wQIHHZdtCNcQ_AUoAXoECAEQAw&biw=950&bih=656|how to fake passport Google Suche|2022-07-04 17:16:10
https://www.google.com/search?channel=fs&client=ubuntu&q=howto+fake+passport|howto fake passport - Google Suche|2022-07-04 17:16:03
https://www.mozilla.org/de/privacy/firefox/|Firefox Datenschutzhinweis — Mozilla|2022-07-04 17:15:42
https://www.mozilla.org/privacy/firefox/||2022-07-04 17:15:42
```
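The same timeline extraction as the sqlite3 one-liner above, written out in Python as an added example (not part of the original write-up). It assumes only the two tables and columns used in that query, builds a constructed stand-in for places.sqlite with three visits copied from the output above, copies it the way the write-up does with `cp` (including any `-wal`/`-shm` sidecars, which a live Firefox profile may have), and converts `visit_date` from PRTime (microseconds since the Unix epoch, hence the `/1000000` in the original query) to UTC.

```python
import shutil
import sqlite3
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Same JOIN as the sqlite3 one-liner in the write-up, newest visit first.
HISTORY_SQL = """
SELECT p.url, p.title, v.visit_date
FROM moz_places AS p
JOIN moz_historyvisits AS v ON p.id = v.place_id
ORDER BY v.visit_date DESC
LIMIT ?
"""


def copy_evidence_db(src: Path, dst: Path) -> Path:
    """Work on a copy, as the write-up does with cp. Firefox may still hold
    the original open, and a WAL-mode database needs its -wal/-shm sidecars
    next to the copy or the most recent visits are silently missing."""
    shutil.copy2(src, dst)
    for suffix in ("-wal", "-shm"):
        sidecar = src.with_name(src.name + suffix)
        if sidecar.exists():
            shutil.copy2(sidecar, dst.with_name(dst.name + suffix))
    return dst


def prtime_to_utc(prtime_us: int) -> str:
    """Firefox stores visit_date as PRTime, microseconds since the Unix epoch,
    which is why the original query divides by 1000000."""
    ts = datetime.fromtimestamp(prtime_us / 1_000_000, tz=timezone.utc)
    return ts.strftime("%Y-%m-%d %H:%M:%S")


def history_timeline(db_path: Path, limit: int = 50) -> list:
    """Return (url, title, utc_timestamp) tuples, newest first. The database
    is opened read-only so even the working copy is never modified."""
    con = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
    try:
        rows = con.execute(HISTORY_SQL, (limit,)).fetchall()
    finally:
        con.close()
    # NULL titles become an empty field, exactly like the sqlite3 output.
    return [(url, title or "", prtime_to_utc(ts)) for url, title, ts in rows]


def build_sample_db(path: Path) -> Path:
    """Constructed stand-in for places.sqlite: minimal schema plus three
    visits taken from the timeline in the write-up."""
    def prtime(y, mo, d, h, mi, s):
        return int(datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc).timestamp()) * 1_000_000

    con = sqlite3.connect(path)
    con.executescript(
        "CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT);"
        "CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, "
        "place_id INTEGER, visit_date INTEGER);"
    )
    con.executemany("INSERT INTO moz_places VALUES (?, ?, ?)", [
        (1, "https://www.mozilla.org/privacy/firefox/", None),
        (2, "https://www.google.com/search?channel=fs&client=ubuntu&q=howto+fake+passport",
         "howto fake passport - Google Suche"),
        (3, "https://www.capacitymedia.com/article/29otc9t6wy04gbplov3ls/news/"
            "welcome-to-bruce-leegate-as-dos-santoss-lawyers-say-passport-was-faked",
         "Welcome to Bruce Leegate, as Dos Santoss lawyers say passport was faked | Capacity Media"),
    ])
    con.executemany("INSERT INTO moz_historyvisits VALUES (?, ?, ?)", [
        (1, 1, prtime(2022, 7, 4, 17, 15, 42)),
        (2, 2, prtime(2022, 7, 4, 17, 16, 3)),
        (3, 3, prtime(2022, 7, 4, 17, 16, 55)),
    ])
    con.commit()
    con.close()
    return path


def demo() -> list:
    """Build the sample DB, copy it like evidence, return the timeline."""
    with tempfile.TemporaryDirectory() as tmp:
        original = build_sample_db(Path(tmp) / "places.sqlite")
        working = copy_evidence_db(original, Path(tmp) / "belle_places.sqlite")
        return history_timeline(working)


if __name__ == "__main__":
    for url, title, when in demo():
        print(f"{url}|{title}|{when}")
```

The timestamps come out in UTC; the file system times in the exiftool output further down are shown in +02:00, so the two minutes' worth of browsing at 17:16 UTC is the same event as the 19:19 download in local time.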
Belle's Downloads folder contained a passport.jpg. It could not be opened because the magic bytes had been destroyed; we copied it and repaired the magic bytes, see the picture from the group.
```
┌──(root㉿kali)-[~]
└─# file /mnt/forensik/home/belle/Downloads/passport.jpg
exiftool /mnt/forensik/home/belle/Downloads/passport.jpg
/mnt/forensik/home/belle/Downloads/passport.jpg: data
ExifTool Version Number : 13.25
File Name : passport.jpg
Directory : /mnt/forensik/home/belle/Downloads
File Size : 53 kB
File Modification Date/Time : 2022:07:04 19:19:25+02:00
File Access Date/Time : 2022:07:04 19:19:10+02:00
File Inode Change Date/Time : 2022:07:04 19:19:25+02:00
File Permissions : -rw-rw-r--
Error : File format error
┌──(root㉿kali)-[~]
└─# xxd /mnt/forensik/home/belle/Downloads/passport.jpg | head -n 10
00000000: 0000 ffe0 0010 4a46 4946 0001 0101 0048 ......JFIF.....H
```
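The repair described above, as an added example (not from the original write-up). A JFIF file starts with the SOI marker `FF D8`, then the APP0 marker `FF E0`, the length `00 10` and the ASCII tag `JFIF`; in the xxd output the first two bytes are `00 00`, so only the SOI marker was clobbered and the rest of the header is intact. The sample bytes are constructed from that xxd line, the repair is only attempted when the header matches this exact damage pattern, and the original file is left untouched with both hashes returned for the report.

```python
import hashlib
import tempfile
from pathlib import Path

SOI = b"\xff\xd8"    # JPEG start-of-image marker
APP0 = b"\xff\xe0"   # JFIF application segment marker

# Constructed from the xxd line in the write-up: the first 16 bytes of the
# evidence file, with the SOI marker overwritten by 00 00.
DAMAGED_SAMPLE = bytes.fromhex("0000ffe000104a464946000101010048")


def diagnose_jpeg(data: bytes) -> str:
    """'ok' for an intact JPEG (SOI followed by a marker), 'soi-damaged' when
    only the first two bytes are wrong but the JFIF APP0 segment after them
    is intact, 'unknown' for anything else (refused rather than guessed)."""
    if data[:3] == SOI + b"\xff":
        return "ok"
    if data[2:4] == APP0 and data[6:10] == b"JFIF":
        return "soi-damaged"
    return "unknown"


def repair_soi(data: bytes) -> bytes:
    """Return a copy with FF D8 restored; the input bytes are never modified."""
    state = diagnose_jpeg(data)
    if state == "ok":
        return data
    if state != "soi-damaged":
        raise ValueError(f"cannot repair header, diagnosis is {state!r}")
    return SOI + data[2:]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def repair_file(src: Path, dst: Path) -> dict:
    """Write a repaired copy to dst, leave src untouched and return the hashes
    of both so the modification is documented in the report."""
    original = src.read_bytes()
    repaired = repair_soi(original)
    dst.write_bytes(repaired)
    return {
        "diagnosis": diagnose_jpeg(original),
        "original_sha256": sha256_hex(original),
        "repaired_sha256": sha256_hex(repaired),
        "repaired_ok": diagnose_jpeg(repaired) == "ok",
    }


def demo() -> dict:
    """Run the repair on the constructed sample inside a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "passport.jpg"
        src.write_bytes(DAMAGED_SAMPLE)
        return repair_file(src, Path(tmp) / "passport_repaired.jpg")


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

After the repair, `file` reports the copy as JPEG image data again; keeping the untouched original and both hashes is what makes the edited copy defensible as evidence.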
Bash history of the user "pc":
```
┌──(root㉿kali)-[/mnt/forensik/home/pc]
└─# cat .bash_history
exit
sudo gedit /etc/ssh/ssh_config
sudo gedit /etc/ssh/
sudo gedit /etc/ssh/ssh_config
ssh pc@localhost
sudo service ssh
sudo apt-get install openssh-server
sudo apt-get install openssh-client
gedit /etc/ssh/sshd_config
sudo gedit /etc/ssh/sshd_config
service ssh restart
ssh pc@localhost
ping googl.de
ip
ip a
exit
lsblk
fdisk -l vda
sudo fdisk -l vda
sudo fdisk -l /dev/vda
ip a
sudo usermod aG sudo pc
sudo usermod -aG sudo pc
ip a
exit
sudo parted
```
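A small triage pass over that history, as an added example (not part of the original write-up). The rules are our own and only cover what appears in the listing above: the SSH server being installed and its sshd_config edited, the service being started, the user `pc` being added to the sudo group, and raw disk tooling (lsblk, fdisk, parted) being run. The sample history is a constructed copy of the listing; note that `.bash_history` carries no timestamps unless HISTTIMEFORMAT was set, so the order of lines is the only sequence information available.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed copy of the .bash_history shown above.
SAMPLE_HISTORY = """\
exit
sudo gedit /etc/ssh/ssh_config
sudo gedit /etc/ssh/
sudo gedit /etc/ssh/ssh_config
ssh pc@localhost
sudo service ssh
sudo apt-get install openssh-server
sudo apt-get install openssh-client
gedit /etc/ssh/sshd_config
sudo gedit /etc/ssh/sshd_config
service ssh restart
ssh pc@localhost
ping googl.de
ip
ip a
exit
lsblk
fdisk -l vda
sudo fdisk -l vda
sudo fdisk -l /dev/vda
ip a
sudo usermod aG sudo pc
sudo usermod -aG sudo pc
ip a
exit
sudo parted
"""

PRIVILEGED_GROUPS = {"sudo", "wheel", "admin", "root"}

# Our own triage rules; they cover only what appears in this history.
RULES = [
    ("sudo-group-grant", re.compile(r"\busermod\b.*\s-aG\s+(?P<group>\S+)\s+(?P<user>\S+)")),
    ("sshd-config-edit", re.compile(r"\b(gedit|nano|vim?)\s+/etc/ssh/sshd_config\b")),
    ("ssh-server-install", re.compile(r"\bapt(-get)?\s+install\b.*\bopenssh-server\b")),
    ("ssh-service", re.compile(r"\b(service|systemctl)\s+(ssh|sshd)\b")),
    ("disk-tooling", re.compile(r"\b(lsblk|fdisk|parted)\b")),
]


@dataclass
class Finding:
    line_no: int
    command: str
    category: str
    severity: str
    detail: str


def triage(history: str) -> list:
    """Match every history line against every rule; a line can yield more
    than one finding. The malformed attempt 'usermod aG sudo pc' (no dash,
    fails with a usage error) deliberately does not match the grant rule;
    only the corrected command on the next line does."""
    findings = []
    for no, line in enumerate(history.splitlines(), start=1):
        for category, pattern in RULES:
            m = pattern.search(line)
            if not m:
                continue
            severity, detail = "medium", line.strip()
            if category == "sudo-group-grant":
                user, group = m.group("user"), m.group("group")
                detail = f"user {user} added to group {group}"
                severity = "high" if group in PRIVILEGED_GROUPS else "medium"
            findings.append(Finding(no, line, category, severity, detail))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per category."""
    return dict(Counter(f.category for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_HISTORY):
        print(f"{f.line_no:3d} [{f.severity}] {f.category}: {f.detail}")
    print(summarize(triage(SAMPLE_HISTORY)))
```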
Belle's Downloads folder contained a Pass.kdbx file:
```
┌──(root㉿kali)-[/mnt/forensik]
└─# keepassxc /mnt/forensik/home/belle/Dokumente/Pass.kdbx
```
With the password Eip7uoKo (passwords cracked by Markus) one finds the VeraCrypt password: forgeMaster (see the group).
With this password the encrypted Windows folder can be opened:
```
┌──(kali㉿kali)-[/mnt/windows/business]
└─$ sudo mkdir -p /mnt/tmp_business
sudo veracrypt --text --pim=0 --hash=sha512 --protect-hidden=no --mount /mnt/windows/business/business /mnt/tmp_business
Enter password for /mnt/windows/business/business: forgeMaster
Enter keyfile [none]:
```
```
┌──(kali㉿kali)-[/mnt/windows/business]
└─$ ls -lah /mnt/tmp_business
total 10K
drwx------ 3 kali kali 1.0K Jan 1 1970 .
drwxr-xr-x 9 root root 4.0K Jul 19 16:48 ..
drwx------ 4 kali kali 5.0K Jul 4 2022 paesse
┌──(kali㉿kali)-[/mnt/windows/business]
└─$ ls -lah /mnt/tmp_business/paesse
total 273K
drwx------ 4 kali kali 5.0K Jul 4 2022 .
drwx------ 3 kali kali 1.0K Jan 1 1970 ..
-rwx------ 1 kali kali 1004 Nov 30 2018 back_to_samples.gif
-rwx------ 1 kali kali 11K Nov 30 2018 b-contacts.jpg
-rwx------ 1 kali kali 11K Nov 30 2018 b-news.jpg
-rwx------ 1 kali kali 27K Nov 30 2018 b-samples.jpg
-rwx------ 1 kali kali 1.2K Nov 30 2018 button_email.gif
drwx------ 2 kali kali 2.0K Jul 4 2022 Cover
-rwx------ 1 kali kali 43 Nov 30 2018 emty.gif
-rwx------ 1 kali kali 484 Nov 30 2018 flash_r1_c2e.gif
-rwx------ 1 kali kali 518 Nov 30 2018 flash_r1_c3e.gif
-rwx------ 1 kali kali 508 Nov 30 2018 flash_r1_c6e.gif
-rwx------ 1 kali kali 2.2K Nov 30 2018 head_r1_c1.jpg
-rwx------ 1 kali kali 12K Nov 30 2018 head_r1_c2.jpg
-rwx------ 1 kali kali 1.9K Nov 30 2018 head_r2_c1.gif
-rwx------ 1 kali kali 2.4K Nov 30 2018 index.html
-rwx------ 1 kali kali 29K Nov 30 2018 index.php.CB66877E.html
-rwx------ 1 kali kali 12K Jul 4 2022 index.shtml
drwx------ 2 kali kali 1.0K Jul 4 2022 inside
-rwx------ 1 kali kali 15K Nov 30 2018 main.jpg
-rwx------ 1 kali kali 365 Nov 30 2018 menu_r1_c1e.gif
-rwx------ 1 kali kali 391 Nov 30 2018 menu_r1_c2e.gif
-rwx------ 1 kali kali 460 Nov 30 2018 menu_r1_c3e.gif
-rwx------ 1 kali kali 492 Nov 30 2018 menu_r1_c4e.gif
-rwx------ 1 kali kali 1.1K Nov 30 2018 menu_r1_c5e.gif
-rwx------ 1 kali kali 1.1K Nov 30 2018 menu_r1_c6e.gif
-rwx------ 1 kali kali 483 Nov 30 2018 menu_r1_c7e.gif
-rwx------ 1 kali kali 802 Nov 30 2018 menu_rfid.gif
-rwx------ 1 kali kali 388 Nov 30 2018 m-maine.gif
-rwx------ 1 kali kali 9.1K Nov 30 2018 novelty_fake_id_contacts.shtml
-rwx------ 1 kali kali 19K Nov 30 2018 novelty_fake_id_pricing.shtml
-rwx------ 1 kali kali 14K Nov 30 2018 novelty_fake_id_samples.shtml
-rwx------ 1 kali kali 20K Nov 30 2018 parashut.gif
-rwx------ 1 kali kali 1.9K Nov 30 2018 pricing.GIF
-rwx------ 1 kali kali 3.3K Nov 30 2018 privacy.gif
-rwx------ 1 kali kali 1.9K Nov 30 2018 tab2_r1_c13e.gif
-rwx------ 1 kali kali 1.9K Nov 30 2018 tab2_r1_c14e.gif
-rwx------ 1 kali kali 2.0K Nov 30 2018 tab2_r1_c16e.gif
-rwx------ 1 kali kali 2.0K Nov 30 2018 tab2_r1_c1e.gif
-rwx------ 1 kali kali 1.2K Nov 30 2018 tab2_r4_c2e.gif
-rwx------ 1 kali kali 255 Nov 30 2018 tab_r1_c1.gif
-rwx------ 1 kali kali 252 Nov 30 2018 tab_r1_c4.gif
-rwx------ 1 kali kali 93 Nov 30 2018 tab_r2_c1.gif
-rwx------ 1 kali kali 88 Nov 30 2018 tab_r2_c4.gif
-rwx------ 1 kali kali 62 Nov 30 2018 tab_r3_c1.gif
-rwx------ 1 kali kali 62 Nov 30 2018 tab_r3_c2.gif
-rwx------ 1 kali kali 61 Nov 30 2018 tab_r3_c4.gif
-rwx------ 1 kali kali 136 Nov 30 2018 tab_r4_c1.gif
-rwx------ 1 kali kali 128 Nov 30 2018 tab_r4_c2.gif
-rwx------ 1 kali kali 138 Nov 30 2018 tab_r4_c4.gif
-rwx------ 1 kali kali 116 Nov 30 2018 tab_r5_c1.gif
-rwx------ 1 kali kali 241 Nov 30 2018 tab_r5_c2.gif
-rwx------ 1 kali kali 114 Nov 30 2018 tab_r5_c4.gif
-rwx------ 1 kali kali 1.9K Nov 30 2018 terms.gif
-rwx------ 1 kali kali 20K Nov 30 2018 terms.shtml
-rwx------ 1 kali kali 3.4K Nov 30 2018 Ukpassport-cover.jpg
-rwx------ 1 kali kali 2.9K Nov 30 2018 'UK passport.shtml'
```
In the .shtml files one finds the website of the presumed perpetrator.