DIF_Team_13/Pruefungsleistung/dif_gutachten_report.md

# [++] Forensic report of case: dif_gutachten
## [++] Description
Forensic expert report in the case of Tilo Barkholz
## [++] Timeline of Commands and Comments
### [+] Command: `file ForImage2.img`
- Timestamp: `2025-07-14T18-03-17-505557+02-00`
- GPG-signature: [+] Valid
- SHA256: `7bf5d482601016dfe39f3de29aad7f83b3a0f59d3177828e1f1823817b1778d8`
#### Output:
```Shell
[STDOUT]
ForImage2.img: QEMU QCOW Image (v3), 35433480192 bytes (v3), 35433480192 bytes
[STDERR]
```
#### Context:
### [+] Legal Context for `file ForImage2.img`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T20:40:59.760772+02:00
`file` identifies file types by examining magic numbers and headers. Useful for verifying or correcting file extensions and detecting anomalies.
---
### [+] Timestamp: `2025-07-14T18-05-10-852941+02-00`
#### [+] Comment from analyst: Niklas Heringer
#### [+] Content:
The file command was used to determine the format of the image. It was identified as a QCOW2 image, a commonly used format for virtual machines under QEMU/KVM.
---
### [+] Timestamp: `2025-07-14T18-06-02-925862+02-00`
#### [+] Comment from analyst: Niklas Heringer
#### [+] Content:
We will now identify partitions in the image in order to extract and analyze them.
---
### [+] Command: `sudo modprobe nbd max_part=8`
- Timestamp: `2025-07-14T18-06-22-301370+02-00`
- GPG-signature: [+] Valid
- SHA256: `aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f`
#### Output:
```Shell
[STDOUT]
[STDERR]
```
#### Context:
### [+] Legal Context for `sudo modprobe nbd max_part=8`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T20:40:59.839755+02:00
**[!] Note:** This command was executed with administrative rights (`sudo`).
[x] No specific explanation found.
---
### [+] Command: `sudo: qemu-nbd: command not found`
- Timestamp: `2025-07-14T18-06-51-644697+02-00`
- GPG-signature: [+] Valid
- SHA256: `7bd21e679c39eb29ea0eebe56f0a54110538c4bdb094fbbd9d7b9e8d7c2a7ed4`
#### Output:
```Shell
[!] Command failed:
sudo: qemu-nbd: command not found
```
#### Context:
### [+] Legal Context for `sudo: qemu-nbd: command not found`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T20:40:59.860730+02:00
[x] No specific explanation found.
---
### [+] Command: `qemu-nbd: unrecognized option '--conect=/dev/nbd0'`
- Timestamp: `2025-07-14T18-07-49-932393+02-00`
- GPG-signature: [+] Valid
- SHA256: `23ec6e05fb897e4b0ad2d77613416100a2fcd3f300135a2e5677364b4b115d74`
#### Output:
```Shell
[!] Command failed:
qemu-nbd: unrecognized option '--conect=/dev/nbd0'
qemu-nbd: Try `qemu-nbd --help' for more information.
```
#### Context:
### [+] Legal Context for `qemu-nbd: unrecognized option '--conect=/dev/nbd0'`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T20:40:59.889332+02:00
[x] No specific explanation found.
---
### [+] Command: `sudo qemu-nbd --connect=/dev/nbd0 ForImage2.img`
- Timestamp: `2025-07-14T18-08-00-970730+02-00`
- GPG-signature: [+] Valid
- SHA256: `aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f`
#### Output:
```Shell
[STDOUT]
[STDERR]
```
#### Context:
### [+] Legal Context for `sudo qemu-nbd --connect=/dev/nbd0 ForImage2.img`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T20:40:59.907323+02:00
**[!] Note:** This command was executed with administrative rights (`sudo`).
[x] No specific explanation found.
---
### [+] Command: `sudo fdisk -l /dev/nbd0`
- Timestamp: `2025-07-14T18-08-17-811009+02-00`
- GPG-signature: [+] Valid
- SHA256: `4a2bcce842d23a7b6e392a9e547e0942145cdd7450910980c116667d81b5078a`
#### Output:
```Shell
[STDOUT]
Disk /dev/nbd0: 33 GiB, 35433480192 bytes, 69206016 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 131072 bytes
Disklabel type: gpt
Disk identifier: 7AB35F56-8FB0-407B-AC62-FD7C3E10AB6A
Device Start End Sectors Size Type
/dev/nbd0p1 2048 4095 2048 1M BIOS boot
/dev/nbd0p2 4096 1054719 1050624 513M EFI System
/dev/nbd0p3 1054720 46135295 45080576 21.5G Linux filesystem
/dev/nbd0p4 46874624 68360191 21485568 10.2G Microsoft basic data
[STDERR]
```
#### Context:
### [+] Legal Context for `sudo fdisk -l /dev/nbd0`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T20:40:59.937090+02:00
**[!] Note:** This command was executed with administrative rights (`sudo`).
`fdisk` is an interactive command-line tool to create, delete, and manage partitions on storage devices.
The `-l` option lists the partition tables of the given devices (or of all recognized devices if none is given) without entering interactive mode.
---
### [+] Timestamp: `2025-07-14T18-09-46-180536+02-00`
#### [+] Comment from analyst: Niklas Heringer
#### [+] Content:
The QCOW2 image was attached as a block device with qemu-nbd in order to then identify the partition table and filesystem types with fdisk, an essential step for clarifying the structure and preparing further analyses.
---
### [+] Timestamp: `2025-07-14T18-10-39-291304+02-00`
#### [+] Comment from analyst: Niklas Heringer
#### [+] Content:
In doing so, we discovered four partitions, which we will now examine more closely.
---
### [+] Command: `sudo mmls /dev/nbd0`
- Timestamp: `2025-07-14T18-10-44-804259+02-00`
- GPG-signature: [+] Valid
- SHA256: `1e7e7d7d86604a62aceffd32db9f4f6f897f22c84de9f2367b46bf6fa4d9b77b`
#### Output:
```Shell
[STDOUT]
GUID Partition Table (EFI)
Offset Sector: 0
Units are in 512-byte sectors
Slot Start End Length Description
000: Meta 0000000000 0000000000 0000000001 Safety Table
001: ------- 0000000000 0000002047 0000002048 Unallocated
002: Meta 0000000001 0000000001 0000000001 GPT Header
003: Meta 0000000002 0000000033 0000000032 Partition Table
004: 000 0000002048 0000004095 0000002048
005: 001 0000004096 0001054719 0001050624 EFI System Partition
006: 002 0001054720 0046135295 0045080576
007: ------- 0046135296 0046874623 0000739328 Unallocated
008: 003 0046874624 0068360191 0021485568 FAT
009: ------- 0068360192 0069206015 0000845824 Unallocated
[STDERR]
```
#### Context:
### [+] Legal Context for `sudo mmls /dev/nbd0`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T20:40:59.975491+02:00
**[!] Note:** This command was executed with administrative rights (`sudo`).
`mmls` analyzes the partition layout of a disk image without modifying it. It shows partitions, offsets, and sizes — a typical forensic step before mounting.
---
### [+] Timestamp: `2025-07-14T18-11-51-739620+02-00`
#### [+] Comment from analyst: Niklas Heringer
#### [+] Content:
The analysis with mmls serves to determine the partition structure and the start offsets precisely, which is required in order to extract files in a targeted manner and to analyze the filesystem in a forensically correct way.
---
### [+] Timestamp: `2025-07-14T18-13-42-016732+02-00`
#### [+] Comment from analyst: Niklas Heringer
#### [+] Content:
The mmls output shows four partitions. Three of them are relevant for the analysis; the BIOS boot partition (only 1 MB) contains no payload data and is therefore skipped.
---
### [+] Timestamp: `2025-07-14T18-13-51-840180+02-00`
#### [+] Comment from analyst: Niklas Heringer
#### [+] Content:
Partitions 005 (EFI), 006 (Linux filesystem) and 008 (Microsoft filesystem) are mounted and analyzed individually in order to obtain structured and traceable results.
---
### [+] Timestamp: `2025-07-14T18-13-59-612800+02-00`
#### [+] Comment from analyst: Niklas Heringer
#### [+] Content:
A sequential analysis of all usable partitions allows a clean separation of the data sources and can be documented better from a forensic standpoint.
---
### [+] Command: `sudo mkdir -p /mnt/efi /mnt/linuxfs /mnt/windows`
- Timestamp: `2025-07-14T18-16-06-814084+02-00`
- GPG-signature: [+] Valid
- SHA256: `aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f`
#### Output:
```Shell
[STDOUT]
[STDERR]
```
#### Context:
### [+] Legal Context for `sudo mkdir -p /mnt/efi /mnt/linuxfs /mnt/windows`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T20:40:59.996144+02:00
**[!] Note:** This command was executed with administrative rights (`sudo`).
`mkdir` creates a directory. In forensic workflows, it is often used to prepare target folders for mounts or exported data.
The `-p` option ensures that parent directories are created as needed. It also avoids errors if the target directory already exists.
---
### [+] Timestamp: `2025-07-14T18-16-14-867728+02-00`
#### [+] Comment from analyst: Niklas Heringer
#### [+] Content:
Three dedicated mount directories were created so that the partitions can be analyzed separately from one another and in a traceable manner.
---
### [+] Command: `sudo mount -o ro /dev/nbd0p3 /mnt/linuxfs`
- Timestamp: `2025-07-14T18-18-28-516252+02-00`
- GPG-signature: [+] Valid
- SHA256: `aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f`
#### Output:
```Shell
[STDOUT]
[STDERR]
```
#### Context:
### [+] Legal Context for `sudo mount -o ro /dev/nbd0p3 /mnt/linuxfs`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T20:41:00.016107+02:00
**[!] Note:** This command was executed with administrative rights (`sudo`).
`mount` is used to attach a filesystem to the directory tree. In forensic contexts, it must be used cautiously, as mounting can alter timestamps or content.
The `-o` option sets mount parameters — e.g., to enable read-only mode or suppress timestamp changes.
`ro` stands for "read-only". It ensures that the mounted filesystem is not modified. This is critical in digital forensics.
---
### [+] Timestamp: `2025-07-14T18-18-36-250749+02-00`
#### [+] Comment from analyst: Niklas Heringer
#### [+] Content:
The Linux filesystem was mounted read-only at /mnt/linuxfs in order to forensically examine the main data structure of the operating system.
---
### [+] Command: `sudo mount -o ro /dev/nbd0p4 /mnt/windows`
- Timestamp: `2025-07-14T18-18-44-352022+02-00`
- GPG-signature: [+] Valid
- SHA256: `aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f`
#### Output:
```Shell
[STDOUT]
[STDERR]
```
#### Context:
### [+] Legal Context for `sudo mount -o ro /dev/nbd0p4 /mnt/windows`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T20:41:00.034851+02:00
**[!] Note:** This command was executed with administrative rights (`sudo`).
`mount` is used to attach a filesystem to the directory tree. In forensic contexts, it must be used cautiously, as mounting can alter timestamps or content.
The `-o` option sets mount parameters — e.g., to enable read-only mode or suppress timestamp changes.
`ro` stands for "read-only". It ensures that the mounted filesystem is not modified. This is critical in digital forensics.
---
### [+] Timestamp: `2025-07-14T18-18-48-788722+02-00`
#### [+] Comment from analyst: Niklas Heringer
#### [+] Content:
The partition labeled 'Microsoft Basic Data' was mounted read-only at /mnt/windows, presumably for the analysis of user data or remnants of a dual-boot system.
---
### [+] Command: `qemu-nbd: Failed to blk_new_open 'ForImage2.img': Failed to get "write" lock`
- Timestamp: `2025-07-14T18-20-16-782579+02-00`
- GPG-signature: [+] Valid
- SHA256: `927576f78ad2da1d55b32d2e32af8a13ec8a59dcde4168fcfbea80ab6c3161be`
#### Output:
```Shell
[!] Command failed:
qemu-nbd: Failed to blk_new_open 'ForImage2.img': Failed to get "write" lock
Is another process using the image [ForImage2.img]?
```
#### Context:
### [+] Legal Context for `qemu-nbd: Failed to blk_new_open 'ForImage2.img': Failed to get "write" lock`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T20:41:00.052907+02:00
[x] No specific explanation found.
---
### [+] Command: `mount | grep /mnt`
- Timestamp: `2025-07-14T18-26-37-707012+02-00`
- GPG-signature: [+] Valid
- SHA256: `064de49535ebcda317b47383a76e27d37389b0e7b710cfa86f0437592927437a`
#### Output:
```Shell
[STDOUT]
/dev/nbd0p3 on /mnt/linuxfs type ext4 (ro,relatime)
/dev/nbd0p4 on /mnt/windows type vfat (ro,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro)
[STDERR]
```
#### Context:
### [+] Legal Context for `mount | grep /mnt`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T20:41:00.071170+02:00
`mount` is used to attach a filesystem to the directory tree. In forensic contexts, it must be used cautiously, as mounting can alter timestamps or content.
---
### [+] Command: `mount | grep /mnt`
- Timestamp: `2025-07-14T18-27-36-979838+02-00`
- GPG-signature: [+] Valid
- SHA256: `064de49535ebcda317b47383a76e27d37389b0e7b710cfa86f0437592927437a`
#### Output:
```Shell
[STDOUT]
/dev/nbd0p3 on /mnt/linuxfs type ext4 (ro,relatime)
/dev/nbd0p4 on /mnt/windows type vfat (ro,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro)
[STDERR]
```
#### Context:
### [+] Legal Context for `mount | grep /mnt`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T20:41:00.089190+02:00
`mount` is used to attach a filesystem to the directory tree. In forensic contexts, it must be used cautiously, as mounting can alter timestamps or content.
---
### [+] Command: `sudo mount -o ro /dev/nbd0p2 /mnt/efi`
- Timestamp: `2025-07-14T18-28-47-827648+02-00`
- GPG-signature: [+] Valid
- SHA256: `aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f`
#### Output:
```Shell
[STDOUT]
[STDERR]
```
#### Context:
### [+] Legal Context for `sudo mount -o ro /dev/nbd0p2 /mnt/efi`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T20:41:00.107459+02:00
**[!] Note:** This command was executed with administrative rights (`sudo`).
`mount` is used to attach a filesystem to the directory tree. In forensic contexts, it must be used cautiously, as mounting can alter timestamps or content.
The `-o` option sets mount parameters — e.g., to enable read-only mode or suppress timestamp changes.
`ro` stands for "read-only". It ensures that the mounted filesystem is not modified. This is critical in digital forensics.
---
### [+] Command: `mount | grep /mnt`
- Timestamp: `2025-07-14T18-28-49-632890+02-00`
- GPG-signature: [+] Valid
- SHA256: `5701af33c9936d5a4213bdc9ce95b07383533c58de3746fdb6cb08961ebc76d9`
#### Output:
```Shell
[STDOUT]
/dev/nbd0p3 on /mnt/linuxfs type ext4 (ro,relatime)
/dev/nbd0p4 on /mnt/windows type vfat (ro,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro)
/dev/nbd0p2 on /mnt/efi type vfat (ro,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro)
[STDERR]
```
#### Context:
### [+] Legal Context for `mount | grep /mnt`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T20:41:00.125685+02:00
`mount` is used to attach a filesystem to the directory tree. In forensic contexts, it must be used cautiously, as mounting can alter timestamps or content.
---
### [+] Timestamp: `2025-07-14T18-29-46-776359+02-00`
#### [+] Comment from analyst: Niklas Heringer
#### [+] Content:
All three partitions of interest are now correctly mounted and the work can begin.
---
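An added example, not from the analyst's log or from the reporting tool, covering two steps above: turning the start sectors in the mmls table into the byte offset that `mount -o offset=` expects and the sector offset that Sleuth Kit tools take with `-o`, and checking a `mount` listing for the `ro` flag before analysis starts. It assumes 512-byte sectors (as mmls reports for this image) and a hypothetical raw copy ForImage2.raw of the QCOW2 image (e.g. from `qemu-img convert -O raw`); the sample tables are constructed from this case's output, and the script only prints mount commands rather than executing them.

```shell
#!/bin/sh
# Added example; not part of the analyst's log or of the reporting tool.
# Derives partition offsets from an mmls table for read-only access and
# checks `mount` output for the ro flag. Assumes 512-byte sectors (as mmls
# reports here) and a raw image ForImage2.raw (hypothetical name).

# Constructed sample: the four partition slots of this case's mmls table.
MMLS_SAMPLE='004: 000 0000002048 0000004095 0000002048
005: 001 0000004096 0001054719 0001050624 EFI System Partition
006: 002 0001054720 0046135295 0045080576
008: 003 0046874624 0068360191 0021485568 FAT'

# Constructed sample of `mount | grep /mnt`; the second line is deliberately rw.
MOUNT_SAMPLE='/dev/nbd0p3 on /mnt/linuxfs type ext4 (ro,relatime)
/dev/nbd0p4 on /mnt/windows type vfat (rw,relatime,errors=remount-ro)'

# start_sector TABLE SLOT -> start sector of slot SLOT (e.g. 006), 1 if absent
start_sector() {
    printf '%s\n' "$1" | awk -v slot="$2:" \
        '$1 == slot { printf "%d\n", $3; found = 1 } END { exit !found }'
}

# byte_offset TABLE SLOT -> byte offset for `mount -o offset=N`
byte_offset() {
    s=$(start_sector "$1" "$2") || return 1
    echo $((s * 512))
}

# ro_mount_cmd TABLE SLOT FSTYPE IMAGE MOUNTPOINT -> prints the mount command.
# ext4 also gets noload: a plain ro mount still replays the journal if the
# device is writable, which changes the evidence; noload skips the replay.
ro_mount_cmd() {
    off=$(byte_offset "$1" "$2") || return 1
    opts="ro,loop,offset=$off"
    if [ "$3" = ext4 ]; then opts="$opts,noload"; fi
    printf 'mount -t %s -o %s %s %s\n' "$3" "$opts" "$4" "$5"
}

# tsk_cmd TABLE SLOT TOOL IMAGE -> Sleuth Kit call with the sector offset
# (fls, icat and tsk_recover take -o <sectors> to address a partition
# inside a whole-disk image, so no mount is needed at all).
tsk_cmd() {
    s=$(start_sector "$1" "$2") || return 1
    printf '%s -o %d %s\n' "$3" "$s" "$4"
}

# mount_is_ro LINE -> 0 if the option list in parentheses contains ro.
# Matching ",ro," avoids a false hit on "errors=remount-ro".
mount_is_ro() {
    opts=$(printf '%s\n' "$1" | sed -n 's/.*(\(.*\))$/\1/p')
    case ",$opts," in *,ro,*) return 0 ;; *) return 1 ;; esac
}

# verify_all_ro LINES -> reports every mount that is not ro, returns 1 if any
verify_all_ro() {
    bad=0
    printf '%s\n' "$1" | while IFS= read -r line; do
        mount_is_ro "$line" || { echo "NOT read-only: $line"; exit 1; }
    done || bad=1
    return $bad
}

# demo: print the commands this case would use and check the sample listing
demo() {
    ro_mount_cmd "$MMLS_SAMPLE" 006 ext4 ForImage2.raw /mnt/linuxfs
    ro_mount_cmd "$MMLS_SAMPLE" 008 vfat ForImage2.raw /mnt/windows
    tsk_cmd "$MMLS_SAMPLE" 006 tsk_recover ForImage2.raw
    verify_all_ro "$MOUNT_SAMPLE"
}

if [ "${1:-}" = demo ]; then demo; fi
```

When the QCOW2 image is attached with qemu-nbd as in the log, the `-r`/`--read-only` option of qemu-nbd keeps the block device itself read-only, so no mount option or journal replay can write to the evidence.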
### [+] Command: `mount | grep /mnt`
- Timestamp: `2025-07-14T20-08-59-917952+02-00`
- GPG-signature: [+] Valid
- SHA256: `5701af33c9936d5a4213bdc9ce95b07383533c58de3746fdb6cb08961ebc76d9`
#### Output:
```Shell
[STDOUT]
/dev/nbd0p3 on /mnt/linuxfs type ext4 (ro,relatime)
/dev/nbd0p4 on /mnt/windows type vfat (ro,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro)
/dev/nbd0p2 on /mnt/efi type vfat (ro,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro)
[STDERR]
```
#### Context:
### [+] Legal Context for `mount | grep /mnt`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T20:41:00.144446+02:00
`mount` is used to attach a filesystem to the directory tree. In forensic contexts, it must be used cautiously, as mounting can alter timestamps or content.
---
### [+] Timestamp: `2025-07-14T20-13-50-520875+02-00`
#### [+] Comment from analyst: Niklas Heringer
#### [+] Content:
We begin with /mnt/linuxfs. The analysis of the Linux system partition serves to capture user-specific and system-wide artifacts that allow conclusions about usage, configuration and potentially security-relevant activities.
---
### [+] Command: `ls -la /mnt/linuxfs/home`
- Timestamp: `2025-07-14T20-13-56-887462+02-00`
- GPG-signature: [+] Valid
- SHA256: `f6768291b43b3d15242a63a188af4eef9bb76d1d7b0c857ca045103d57b8f2ad`
#### Output:
```Shell
[STDOUT]
total 20
drwxr-xr-x 5 root root 4096 Jul 4 2022 .
drwxr-xr-x 20 root root 4096 Jul 2 2022 ..
drwxr-x--- 16 1001 1001 4096 Jul 4 2022 belle
drwxr-x--- 3 1002 1002 4096 Jul 4 2022 kiara
drwxr-x--- 18 kali kali 4096 Jul 4 2022 pc
[STDERR]
```
#### Context:
### [+] Legal Context for `ls -la /mnt/linuxfs/home`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T20:41:00.163176+02:00
`ls` lists files in a directory. It is used to gain an overview and does not modify data.
---
### [+] Timestamp: `2025-07-14T20-14-29-073825+02-00`
#### [+] Comment from analyst: Niklas Heringer
#### [+] Content:
We note three user accounts: pc, belle and kiara.
---
### [+] Timestamp: `2025-07-14T20-15-13-781491+02-00`
#### [+] Comment from analyst: Niklas Heringer
#### [+] Content:
Before we come to these individually, we check system-wide configurations and logs.
---
### [+] Command: `ls -la /mnt/linuxfs/var/log`
- Timestamp: `2025-07-14T20-17-03-043108+02-00`
- GPG-signature: [+] Valid
- SHA256: `957a55a20047fe1e5639161fe828af67ba54211b33fcdb9974be18261331cacb`
#### Output:
```Shell
[STDOUT]
total 5336
drwxrwxr-x 13 root pulse 4096 Jul 4 2022 .
drwxr-xr-x 14 root root 4096 Apr 19 2022 ..
-rw-r--r-- 1 root root 21410 Jul 2 2022 alternatives.log
-rw-r----- 1 root adm 0 Jul 4 2022 apport.log
-rw-r----- 1 root adm 2369 Jul 2 2022 apport.log.1
drwxr-xr-x 2 root root 4096 Jul 4 2022 apt
-rw-r----- 1 tcpdump adm 80955 Jul 4 2022 auth.log
-rw------- 1 root root 34617 Jul 4 2022 boot.log
-rw------- 1 root root 33348 Jul 4 2022 boot.log.1
-rw-r--r-- 1 root root 108494 Apr 19 2022 bootstrap.log
-rw-rw---- 1 root utmp 0 Apr 19 2022 btmp
drwxr-xr-x 2 root root 4096 Jul 4 2022 cups
drwxr-xr-x 2 root root 4096 Apr 18 2022 dist-upgrade
-rw-r----- 1 root adm 68118 Jul 4 2022 dmesg
-rw-r----- 1 root adm 69151 Jul 4 2022 dmesg.0
-rw-r----- 1 root adm 16776 Jul 4 2022 dmesg.1.gz
-rw-r----- 1 root adm 17536 Jul 4 2022 dmesg.2.gz
-rw-r----- 1 root adm 17273 Jul 4 2022 dmesg.3.gz
... (truncated, showing first 20 and last 10 lines)
drwxr-xr-x 2 root root 4096 Mar 22 2022 openvpn
drwx------ 2 root root 4096 Apr 19 2022 private
drwx------ 2 Debian-snmp root 4096 Jan 8 2022 speech-dispatcher
-rw-r----- 1 tcpdump adm 2865079 Jul 4 2022 syslog
-rw-r--r-- 1 root root 0 Apr 19 2022 ubuntu-advantage.log
-rw-r--r-- 1 root root 631 Jul 4 2022 ubuntu-advantage-timer.log
drwxr-x--- 2 root adm 4096 Jul 3 2022 unattended-upgrades
-rw-rw-r-- 1 root utmp 31872 Jul 4 2022 wtmp
[STDERR]
```
#### Context:
### [+] Legal Context for `ls -la /mnt/linuxfs/var/log`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T20:41:00.182010+02:00
`ls` lists files in a directory. It is used to gain an overview and does not modify data.
---
### [+] Command: `ls -la /mnt/linuxfs/etc`
- Timestamp: `2025-07-14T20-18-24-994518+02-00`
- GPG-signature: [+] Valid
- SHA256: `55c42303907eb58bc29c73525cdde2ef75ba9aa595050b19496e142c3743a22f`
#### Output:
```Shell
[STDOUT]
total 1120
drwxr-xr-x 128 root root 12288 Jul 4 2022 .
drwxr-xr-x 20 root root 4096 Jul 2 2022 ..
drwxr-xr-x 3 root root 4096 Apr 19 2022 acpi
-rw-r--r-- 1 root root 3028 Apr 19 2022 adduser.conf
drwxr-xr-x 3 root root 4096 Apr 19 2022 alsa
drwxr-xr-x 2 root root 4096 Jul 3 2022 alternatives
-rw-r--r-- 1 root root 335 Mar 23 2022 anacrontab
-rw-r--r-- 1 root root 433 Mar 23 2022 apg.conf
drwxr-xr-x 5 root root 4096 Apr 19 2022 apm
drwxr-xr-x 3 root root 4096 Apr 19 2022 apparmor
drwxr-xr-x 8 root root 4096 Jul 3 2022 apparmor.d
drwxr-xr-x 3 root root 4096 Jul 3 2022 apport
-rw-r--r-- 1 root root 769 Feb 22 2022 appstream.conf
drwxr-xr-x 8 root root 4096 Jul 2 2022 apt
drwxr-xr-x 3 root root 4096 Apr 19 2022 avahi
-rw-r--r-- 1 root root 2319 Jan 6 2022 bash.bashrc
-rw-r--r-- 1 root root 45 Nov 11 2021 bash_completion
drwxr-xr-x 2 root root 4096 Jul 3 2022 bash_completion.d
... (truncated, showing first 20 and last 10 lines)
drwxr-xr-x 5 root root 4096 Apr 19 2022 vulkan
-rw-r--r-- 1 root root 4942 Jan 24 2022 wgetrc
drwxr-xr-x 2 root root 4096 Apr 19 2022 wpa_supplicant
drwxr-xr-x 12 root root 4096 Apr 19 2022 X11
-rw-r--r-- 1 root root 681 Mar 23 2022 xattr.conf
drwxr-xr-x 6 root root 4096 Apr 19 2022 xdg
drwxr-xr-x 2 root root 4096 Apr 19 2022 xml
-rw-r--r-- 1 root root 460 Dec 8 2021 zsh_command_not_found
[STDERR]
```
#### Context:
### [+] Legal Context for `ls -la /mnt/linuxfs/etc`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T20:41:00.200282+02:00
`ls` lists files in a directory. It is used to gain an overview and does not modify data.
---
### [+] Timestamp: `2025-07-14T20-19-31-817078+02-00`
#### [+] Comment from analyst: Niklas Heringer
#### [+] Content:
Applications that catch the eye: speech-dispatcher, security
---
### [+] Timestamp: `2025-07-14T20-20-29-497721+02-00`
#### [+] Comment from analyst: Niklas Heringer
#### [+] Content:
Let us now begin with the user account 'belle'.
---
### [+] Timestamp: `2025-07-14T20-24-57-659634+02-00`
#### [+] Comment from analyst: Niklas Heringer
#### [+] Content:
To preserve the user directories as evidence, the home directories of the identified accounts (belle, kiara, pc) were archived from the mounted partition /mnt/linuxfs using tar. The backup was carried out in read-only mode to preserve integrity.
---
### [+] Command: `tar (child): /home/kali/Documents/dif_auswertung/belle_home.tar.gz: Cannot open: No such file or directory`
- Timestamp: `2025-07-14T20-25-28-820189+02-00`
- GPG-signature: [+] Valid
- SHA256: `e186e24efe2970d43583e5551223221c7a714bfab92e4721092ac3f97af4d19d`
#### Output:
```Shell
[!] Command failed:
tar (child): /home/kali/Documents/dif_auswertung/belle_home.tar.gz: Cannot open: No such file or directory
tar (child): Error is not recoverable: exiting now
tar: /home/kali/Documents/dif_auswertung/belle_home.tar.gz: Cannot write: Broken pipe
tar: Child returned status 2
tar: Error is not recoverable: exiting now
```
#### Context:
### [+] Legal Context for `tar (child): /home/kali/Documents/dif_auswertung/belle_home.tar.gz: Cannot open: No such file or directory`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T20:41:00.220927+02:00
`tar` is used to create and extract archive files. In forensics, it's useful for packaging or reviewing archived evidence sets.
---
### [+] Command: `sudo mkdir -p ~/Documents/auswertung/`
- Timestamp: `2025-07-14T20-30-04-249825+02-00`
- GPG-signature: [+] Valid
- SHA256: `aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f`
#### Output:
```Shell
[STDOUT]
[STDERR]
```
#### Context:
### [+] Legal Context for `sudo mkdir -p ~/Documents/auswertung/`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T20:41:00.238957+02:00
**[!] Note:** This command was executed with administrative rights (`sudo`).
`mkdir` creates a directory. In forensic workflows, it is often used to prepare target folders for mounts or exported data.
The `-p` option ensures that parent directories are created as needed. It also avoids errors if the target directory already exists.
---
### [+] Command: `Error opening image file (raw_open: file "/dev/nbd0p3" - Permission denied)`
- Timestamp: `2025-07-14T20-30-36-090820+02-00`
- GPG-signature: [+] Valid
- SHA256: `cc9dda0ce603430217d5dc755d2c2e3486fd1ea9dbf2bc073eb00f383b03a3f8`
#### Output:
```Shell
[!] Command failed:
Error opening image file (raw_open: file "/dev/nbd0p3" - Permission denied)
```
#### Context:
### [+] Legal Context for `Error opening image file (raw_open: file "/dev/nbd0p3" - Permission denied)`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T20:41:00.257451+02:00
This does not appear to be a valid command. It may be the result of a misinterpreted log line or a failed execution attempt.
---
### [+] Command: `sudo tsk_recover -a /dev/nbd0p3 ~/Documents/auswertung/linuxfs_recover`
- Timestamp: `2025-07-14T20-30-46-797786+02-00`
- GPG-signature: [+] Valid
- SHA256: `215260492c038b4f3647587ef8a654cb227f0fa6748911259c0dcc83c3e40b1a`
#### Output:
```Shell
[STDOUT]
Files Recovered: 161794
[STDERR]
```
#### Context:
### [+] Legal Context for `sudo tsk_recover -a /dev/nbd0p3 ~/Documents/auswertung/linuxfs_recover`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T20:41:00.274845+02:00
**[!] Note:** This command was executed with administrative rights (`sudo`).
[x] No specific explanation found.
---
## [+] GPG-Overview
Each `.log`-file was digitally signed with GPG where applicable.
The signature status is documented per command.