DIF_Team_13/Pruefungsleistung/gutachten_report_01.md

# [++] Forensic report of case: gutachten
## [++] Description
Forensic expert report in the case of Tilo Barkholz
## [++] Timeline of Commands and Comments
### [+] Command: ``
- Timestamp: `2025-07-14T12-40-04-233389+02-00`
- GPG-signature: [+] Valid
- SHA256: `fd919e45a98f1ae9c0947eed0f758c5cc388ed705627f6eb2e150686d70814bc`
#### Output:
```Shell
[!] Command failed:
```
#### Context:
[x] Skipped: command was empty or malformed.
---
### [+] Timestamp: `2025-07-14T12-41-43-682585+02-00`
#### [+] Comment from analyst: Niklas Heringer
#### [+] Content:
The fact that the previous mmls command shows no output may be because the image at hand a) contains no partition table, b) is corrupted, or c) its format is not supported; one of the first two cases is the most likely.
---
### [+] Command: `file ForImage2.img`
- Timestamp: `2025-07-14T12-42-00-750002+02-00`
- GPG-signature: [+] Valid
- SHA256: `e5574e10aa2e91ce0457096afc0c31af8f3e21c5db3b95cc96154bf564d84f7d`
#### Output:
```Shell
[STDOUT]
ForImage2.img: data
[STDERR]
```
#### Context:
### [+] Legal Context for `file ForImage2.img`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T13:33:27.735730+02:00
`file` identifies file types by examining magic numbers and headers. Useful for verifying or correcting file extensions and detecting anomalies.
---
### [+] Command: `hexdump -C Forimage2.img | head`
- Timestamp: `2025-07-14T12-42-23-145012+02-00`
- GPG-signature: [+] Valid
- SHA256: `ac6841b50ac32ef32fe82a77a7455cdb3a5441c04f828d72f7ffea3ca6f733de`
#### Output:
```Shell
[STDOUT]
[STDERR]
hexdump: Forimage2.img: No such file or directory
hexdump: all input file arguments failed
```
#### Context:
### [+] Legal Context for `hexdump -C Forimage2.img | head`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T13:33:27.761024+02:00
`hexdump` displays file content in hexadecimal and ASCII. Useful for examining file headers, signatures, and patterns.
---
### [+] Command: `hexdump -C ForImage2.img | head`
- Timestamp: `2025-07-14T12-42-31-319015+02-00`
- GPG-signature: [+] Valid
- SHA256: `cb81adfdf9b749fd17c4f7fef893c144865f8c787bebe45b8e98a91aab896474`
#### Output:
```Shell
[STDOUT]
00000000 28 cb 32 eb 6a b7 b0 8e 3c 00 00 00 00 c0 08 70 |(.2.j...<......p|
00000010 93 5d 39 63 4c c6 71 cc eb fe 05 20 f2 97 2a f2 |.]9cL.q.... ..*.|
00000020 91 52 2a 22 b7 29 14 6a e4 01 00 00 00 00 46 24 |.R*".).j......F$|
00000030 5a 8c 59 57 23 2f 39 e7 d2 ed ee 8a c5 45 20 f2 |Z.YW#/9......E .|
00000040 a3 0b 16 89 88 38 e7 91 b5 56 ba e5 27 01 00 00 |.....8...V..'...|
00000050 00 00 c0 48 5c 9e 71 c6 18 b7 d6 4a ad b5 f4 b7 |...H\.q....J....|
00000060 13 b2 f2 10 f9 4b e9 58 ee c7 12 11 33 c6 48 c6 |.....K.X....3.H.|
00000070 98 8f 10 d1 b1 00 00 00 00 00 46 80 10 82 a2 28 |..........F....(|
00000080 62 49 92 50 96 65 44 44 9a 30 d9 15 22 3f 22 99 |bI.P.eDD.0.."?".|
00000090 a7 34 4d 59 96 65 d6 6d 0a 05 89 07 00 00 00 00 |.4MY.e.m........|
[STDERR]
```
#### Context:
### [+] Legal Context for `hexdump -C ForImage2.img | head`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T13:33:27.786303+02:00
`hexdump` displays file content in hexadecimal and ASCII. Useful for examining file headers, signatures, and patterns.
---
### [+] Timestamp: `2025-07-14T12-43-00-357585+02-00`
#### [+] Comment from analyst: Niklas Heringer
#### [+] Content:
So the disk is at least not empty.
---
### [+] Command: `Possible encryption detected (High entropy (7.78))`
- Timestamp: `2025-07-14T12-43-27-753682+02-00`
- GPG-signature: [+] Valid
- SHA256: `7cf027cc2dd683a3860ce27d3fcd52f6b47597c2f8a4ef714949b9e53d0effcc`
#### Output:
```Shell
[!] Command failed:
Possible encryption detected (High entropy (7.78))
```
#### Context:
### [+] Legal Context for `Possible encryption detected (High entropy (7.78))`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T13:33:27.810925+02:00
[x] No specific explanation found.
---
### [+] Timestamp: `2025-07-14T12-47-33-066391+02-00`
#### [+] Comment from analyst: Niklas Heringer
#### [+] Content:
The disk is encrypted; a short password was found on its back, possibly the passphrase, but before that we now check whether the encryption type can be determined.
---
### [+] Timestamp: `2025-07-14T12-55-11-062938+02-00`
#### [+] Comment from analyst: Niklas Heringer
#### [+] Content:
fsstat suspects encryption, mmls detects no partition, hexdump shows no recognizable filesystem; before we mount, we must decrypt.
---
### [+] Command: `mkdir: cannot create directory /mnt/crypt: Permission denied`
- Timestamp: `2025-07-14T13-04-39-432095+02-00`
- GPG-signature: [+] Valid
- SHA256: `5eed114f808f358973b99c9c298586336d608a7d7716c47484861730577f9d82`
#### Output:
```Shell
[!] Command failed:
mkdir: cannot create directory /mnt/crypt: Permission denied
```
#### Context:
### [+] Legal Context for `mkdir: cannot create directory /mnt/crypt: Permission denied`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T13:33:27.836004+02:00
[x] No specific explanation found.
---
### [+] Command: `sudo mkdir -p /mnt/crypt`
- Timestamp: `2025-07-14T13-04-46-220116+02-00`
- GPG-signature: [+] Valid
- SHA256: `aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f`
#### Output:
```Shell
[STDOUT]
[STDERR]
```
#### Context:
### [+] Legal Context for `sudo mkdir -p /mnt/crypt`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T13:33:27.861090+02:00
**[!] Note:** This command was executed with administrative rights (`sudo`).
`mkdir` creates a directory. In forensic workflows, it is often used to prepare target folders for mounts or exported data.
The `-p` option ensures that parent directories are created as needed. It also avoids errors if the target directory already exists.
---
### [+] Command: ``
- Timestamp: `2025-07-14T13-05-08-024574+02-00`
- GPG-signature: [+] Valid
- SHA256: `fd919e45a98f1ae9c0947eed0f758c5cc388ed705627f6eb2e150686d70814bc`
#### Output:
```Shell
[!] Command failed:
```
#### Context:
[x] Skipped: command was empty or malformed.
---
### [+] Command: `Error: Operation failed due to one or more of the following:`
- Timestamp: `2025-07-14T13-07-02-580209+02-00`
- GPG-signature: [+] Valid
- SHA256: `9350ce5c321f06ca5ca9e7abae3402fe8d9d6d8ea4704f55b8d3bf2c652ed876`
#### Output:
```Shell
[!] Command failed:
Error: Operation failed due to one or more of the following:
- Incorrect password.
- Incorrect Volume PIM number.
- Incorrect PRF (hash).
- Not a valid volume.
- Volume uses an old algorithm that has been removed.
- TrueCrypt format volumes are no longer supported.
```
#### Context:
### [+] Legal Context for `Error: Operation failed due to one or more of the following:`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T13:33:27.895483+02:00
[x] No specific explanation found.
---
### [+] Command: `sudo losetup --show -f ForImage2.img`
- Timestamp: `2025-07-14T13-08-09-130846+02-00`
- GPG-signature: [+] Valid
- SHA256: `06e8e0c85abc1ce20202e0043228bd03c02f0b4065d4b70a98f97488dc4a2f38`
#### Output:
```Shell
[STDOUT]
/dev/loop0
[STDERR]
```
#### Context:
### [+] Legal Context for `sudo losetup --show -f ForImage2.img`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T13:33:27.950809+02:00
**[!] Note:** This command was executed with administrative rights (`sudo`).
`losetup` sets up a loop device to treat a file (like a disk image) as a block device. This is needed to work with partitions inside forensic disk images.
Outputs the created loop device — useful for automation and scripting.
---
### [+] Command: `Device /dev/loop0 is not a valid LUKS device.`
- Timestamp: `2025-07-14T13-08-33-250979+02-00`
- GPG-signature: [+] Valid
- SHA256: `19de76617d7416f38df3b577ad24e9b08b499d34b330ec80e4cf1d5ddc70416f`
#### Output:
```Shell
[!] Command failed:
Device /dev/loop0 is not a valid LUKS device.
```
#### Context:
### [+] Legal Context for `Device /dev/loop0 is not a valid LUKS device.`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T13:33:27.976530+02:00
[x] No specific explanation found.
---
### [+] Timestamp: `2025-07-14T13-09-13-718013+02-00`
#### [+] Comment from analyst: Niklas Heringer
#### [+] Content:
So we know: no VeraCrypt, no LUKS; now we test BitLocker.
---
### [+] Command: `sudo mkdir -p /mnt/dislocker`
- Timestamp: `2025-07-14T13-09-29-295457+02-00`
- GPG-signature: [+] Valid
- SHA256: `aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f`
#### Output:
```Shell
[STDOUT]
[STDERR]
```
#### Context:
### [+] Legal Context for `sudo mkdir -p /mnt/dislocker`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T13:33:28.001769+02:00
**[!] Note:** This command was executed with administrative rights (`sudo`).
`mkdir` creates a directory. In forensic workflows, it is often used to prepare target folders for mounts or exported data.
The `-p` option ensures that parent directories are created as needed. It also avoids errors if the target directory already exists.
---
### [+] Command: ``
- Timestamp: `2025-07-14T13-12-40-283904+02-00`
- GPG-signature: [+] Valid
- SHA256: `fd919e45a98f1ae9c0947eed0f758c5cc388ed705627f6eb2e150686d70814bc`
#### Output:
```Shell
[!] Command failed:
```
#### Context:
[x] Skipped: command was empty or malformed.
---
### [+] Command: `ls /mnt/dislocker`
- Timestamp: `2025-07-14T13-12-56-961960+02-00`
- GPG-signature: [+] Valid
- SHA256: `aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f`
#### Output:
```Shell
[STDOUT]
[STDERR]
```
#### Context:
### [+] Legal Context for `ls /mnt/dislocker`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T13:33:28.036568+02:00
`ls` lists files in a directory. It is used to gain an overview and does not modify data.
---
### [+] Timestamp: `2025-07-14T13-14-26-335058+02-00`
#### [+] Comment from analyst: Niklas Heringer
#### [+] Content:
It does not appear to be BitLocker either.
---
### [+] Command: `sudo file -s /dev/loop0`
- Timestamp: `2025-07-14T13-31-07-259372+02-00`
- GPG-signature: [+] Valid
- SHA256: `e5b945a88f260856d6462f69c02d317d93ff08c94e0f6536cf3e14141d11c92d`
#### Output:
```Shell
[STDOUT]
/dev/loop0: data
[STDERR]
```
#### Context:
### [+] Legal Context for `sudo file -s /dev/loop0`
**Analyst:** Niklas Heringer
**Timestamp:** 2025-07-14T13:33:28.061908+02:00
**[!] Note:** This command was executed with administrative rights (`sudo`).
`file` identifies file types by examining magic numbers and headers. Useful for verifying or correcting file extensions and detecting anomalies.
---
## [+] GPG-Overview
Each `.log`-file was digitally signed with GPG where applicable.
The signature status is documented per command.