Findings:
Firefox history of the user "belle":
┌──(root㉿kali)-[/mnt/…/common/.mozilla/firefox/e9cqlzsn.default]
└─# cp places.sqlite ~/belle_places.sqlite
cd ~
sqlite3 belle_places.sqlite "SELECT url, title, datetime(visit_date/1000000,'unixepoch') FROM moz_places JOIN moz_historyvisits ON moz_places.id = moz_historyvisits.place_id ORDER BY visit_date DESC LIMIT 50;"
https://i.pinimg.com/236x/41/80/fa/4180fa703a970335721fe445385e7627.jpg|4180fa703a970335721fe445385e7627.jpg|2022-07-04 17:18:46
https://www.google.com/imgres?imgurl=http%3A%2F%2Fwww.theoccidentalobserver.net%2Fwp-content%2Fuploads%2F2013%2F03%2Fpassport.jpg&imgrefurl=https%3A%2F%2Fwww.tanelorn.net%2Findex.php%3Ftopic%3D89563.0&tbnid=aVoZMmKwJEc3nM&vet=12ahUKEwjmxI7K3t_4AhW6X_EDHdnKCQ0QMygPegUIARDIAg..i&docid=RoDgtxExKImejM&w=485&h=325&q=fake%20reisepass&client=ubuntu&ved=2ahUKEwjmxI7K3t_4AhW6X_EDHdnKCQ0QMygPegUIARDIAg#imgrc=aVoZMmKwJEc3nM&imgdii=Wq-UfCzaU1CwWM|fake reisepass - Google Suche|2022-07-04 17:18:40
https://i.pinimg.com/originals/b6/26/5d/b6265df99e65d5023e821832d53413d7.jpg|b6265df99e65d5023e821832d53413d7.jpg|2022-07-04 17:18:21
http://www.theoccidentalobserver.net/wp-content/uploads/2013/03/passport.jpg|passport.jpg|2022-07-04 17:18:13
https://www.google.com/imgres?imgurl=https%3A%2F%2Fi.pinimg.com%2Foriginals%2Fb6%2F26%2F5d%2Fb6265df99e65d5023e821832d53413d7.jpg&imgrefurl=https%3A%2F%2Fwww.pinterest.de%2Fpin%2F665758757412891737%2F&tbnid=2AqgmgjQ-5-K3M&vet=12ahUKEwjmxI7K3t_4AhW6X_EDHdnKCQ0QMygKegUIARC-Ag..i&docid=i8kd5nZiMlnTFM&w=1600&h=903&q=fake%20reisepass&client=ubuntu&ved=2ahUKEwjmxI7K3t_4AhW6X_EDHdnKCQ0QMygKegUIARC-Ag|fake reisepass - Google Suche|2022-07-04 17:17:57
https://www.google.com/imgres?imgurl=http%3A%2F%2Fwww.theoccidentalobserver.net%2Fwp-content%2Fuploads%2F2013%2F03%2Fpassport.jpg&imgrefurl=https%3A%2F%2Fwww.tanelorn.net%2Findex.php%3Ftopic%3D89563.0&tbnid=aVoZMmKwJEc3nM&vet=12ahUKEwjmxI7K3t_4AhW6X_EDHdnKCQ0QMygPegUIARDIAg..i&docid=RoDgtxExKImejM&w=485&h=325&q=fake%20reisepass&client=ubuntu&ved=2ahUKEwjmxI7K3t_4AhW6X_EDHdnKCQ0QMygPegUIARDIAg|fake reisepass - Google Suche|2022-07-04 17:17:53
https://www.google.com/search?q=fake+reisepass&client=ubuntu&hs=fKo&channel=fs&source=lnms&tbm=isch&sa=X&ved=2ahUKEwjUp4PJ3t_4AhUD76QKHe1WAGgQ_AUoAXoECAIQAw&biw=950&bih=656&dpr=1|fake reisepass – Google Suche|2022-07-04 17:17:31
https://www.google.com/search?channel=fs&client=ubuntu&q=fake+reisepass+|fake reisepass - Google Suche|2022-07-04 17:17:29
https://www.capacitymedia.com/article/29otc9t6wy04gbplov3ls/news/welcome-to-bruce-leegate-as-dos-santoss-lawyers-say-passport-was-faked|Welcome to Bruce Leegate, as Dos Santos’s lawyers say passport was faked | Capacity Media|2022-07-04 17:16:55
https://www.google.com/url?sa=i&url=https%3A%2F%2Fwww.capacitymedia.com%2Farticle%2F29otc9t6wy04gbplov3ls%2Fnews%2Fwelcome-to-bruce-leegate-as-dos-santoss-lawyers-say-passport-was-faked&psig=AOvVaw1gkKsQD4pej9OiJznqp3qE&ust=1657041380579000&source=images&cd=vfe&ved=2ahUKEwjY75qo3t_4AhUL66QKHfX3CSIQjRx6BAgAEAs||2022-07-04 17:16:55
https://www.pinterest.de/pin/1063764374453701873/|Pin auf buy real passport|2022-07-04 17:16:39
https://www.google.com/url?sa=i&url=https%3A%2F%2Fwww.pinterest.de%2Fpin%2F1063764374453701873%2F&psig=AOvVaw1Kyf5mseWxUn9QUrS7dCGR&ust=1657041395616000&source=images&cd=vfe&ved=0CAoQjhxqFwoTCJCPirDe3_gCFQAAAAAdAAAAABAD||2022-07-04 17:16:39
https://www.pinterest.de/pin/1063764374453701873/|Pin auf buy real passport|2022-07-04 17:16:37
https://www.google.com/url?sa=i&url=https%3A%2F%2Fwww.pinterest.de%2Fpin%2F1063764374453701873%2F&psig=AOvVaw1Kyf5mseWxUn9QUrS7dCGR&ust=1657041395616000&source=images&cd=vfe&ved=0CAoQjhxqFwoTCJCPirDe3_gCFQAAAAAdAAAAABAD||2022-07-04 17:16:37
https://www.google.com/search?q=fake+passport+germany&tbm=isch&client=ubuntu&hs=xdT&hl=de&sa=X&ved=2ahUKEwi_oZKj3t_4AhUV0oUKHU9dAdUQrNwCKAB6BQgBEN8B&biw=950&bih=656#imgrc=p4tx4Yn-KOB2dM|fake passport germany – Google Suche|2022-07-04 17:16:37
https://www.google.com/search?q=fake+passport+germany&tbm=isch&client=ubuntu&hs=xdT&hl=de&sa=X&ved=2ahUKEwi_oZKj3t_4AhUV0oUKHU9dAdUQrNwCKAB6BQgBEN8B&biw=950&bih=656|fake passport germany – Google Suche|2022-07-04 17:16:35
https://www.google.com/imgres?imgurl=https%3A%2F%2Fassets.euromoneydigital.com%2Fdims4%2Fdefault%2F52dde24%2F2147483647%2Fstrip%2Ftrue%2Fcrop%2F691x389%2B0%2B0%2Fresize%2F840x473!%2Fquality%2F90%2F%3Furl%3Dhttp%253A%252F%252Feuromoney-brightspot.s3.amazonaws.com%252F3b%252F3b%252Fc65211fc4d1b26967322e6d686f2%252Fserveimage&imgrefurl=https%3A%2F%2Fwww.capacitymedia.com%2Farticle%2F29otc9t6wy04gbplov3ls%2Fnews%2Fwelcome-to-bruce-leegate-as-dos-santoss-lawyers-say-passport-was-faked&tbnid=kiFDAG2HJ1Wa8M&vet=12ahUKEwi_oZKj3t_4AhUV0oUKHU9dAdUQMygLegUIARDDAQ..i&docid=eDNGXz2EPJg-cM&w=840&h=473&q=how%20to%20fake%20passport&client=ubuntu&ved=2ahUKEwi_oZKj3t_4AhUV0oUKHU9dAdUQMygLegUIARDDAQ|how to fake passport - Google Suche|2022-07-04 17:16:20
https://www.google.com/search?q=how+to+fake+passport&client=ubuntu&hs=xdT&channel=fs&source=lnms&tbm=isch&sa=X&ved=2ahUKEwjY_OSf3t_4AhX4wQIHHZdtCNcQ_AUoAXoECAEQAw&biw=950&bih=656|how to fake passport – Google Suche|2022-07-04 17:16:10
https://www.google.com/search?channel=fs&client=ubuntu&q=howto+fake+passport|howto fake passport - Google Suche|2022-07-04 17:16:03
https://www.mozilla.org/de/privacy/firefox/|Firefox Datenschutzhinweis — Mozilla|2022-07-04 17:15:42
https://www.mozilla.org/privacy/firefox/||2022-07-04 17:15:42
In Belle's Downloads folder there was a passport.jpg. It could not be opened because the magic bytes were destroyed; copied it, repaired the magic bytes, see the picture from the group.
┌──(root㉿kali)-[~]
└─# file /mnt/forensik/home/belle/Downloads/passport.jpg
exiftool /mnt/forensik/home/belle/Downloads/passport.jpg
/mnt/forensik/home/belle/Downloads/passport.jpg: data
ExifTool Version Number : 13.25
File Name : passport.jpg
Directory : /mnt/forensik/home/belle/Downloads
File Size : 53 kB
File Modification Date/Time : 2022:07:04 19:19:25+02:00
File Access Date/Time : 2022:07:04 19:19:10+02:00
File Inode Change Date/Time : 2022:07:04 19:19:25+02:00
File Permissions : -rw-rw-r--
Error : File format error
┌──(root㉿kali)-[~]
└─# xxd /mnt/forensik/home/belle/Downloads/passport.jpg | head -n 10
00000000: 0000 ffe0 0010 4a46 4946 0001 0101 0048 ......JFIF.....H
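The xxd output shows the damage exactly: the two-byte JPEG SOI marker (`ff d8`) has been overwritten with `00 00`, while the APP0 marker, its length field and the `JFIF` identifier that follow are intact. The script below is an added example (not part of the original notes) that diagnoses that pattern and restores the marker on a copy, never on the evidence file; the header bytes it works on are constructed from the dump above.

```python
import struct
from pathlib import Path

JPEG_SOI = b"\xff\xd8"      # Start Of Image marker that opens every JPEG
APP0_MARKER = b"\xff\xe0"   # APP0 segment, carries the JFIF header
JFIF_ID = b"JFIF\x00"       # identifier at offset 6 of a JFIF file

# Constructed from the xxd line above: first 16 bytes of passport.jpg,
# SOI zeroed out, everything after it an ordinary JFIF header.
DAMAGED_HEADER = bytes.fromhex("0000ffe000104a464946000101010048")


def diagnose(data: bytes) -> dict:
    """Classify the first bytes of a suspected JPEG without modifying them."""
    app0_len = struct.unpack(">H", data[4:6])[0] if len(data) >= 6 else 0
    return {
        "soi_ok": data[:2] == JPEG_SOI,
        "app0_ok": data[2:4] == APP0_MARKER and app0_len >= 16,  # JFIF APP0 is 16 bytes
        "jfif_ok": data[6:11] == JFIF_ID,
    }


def is_repairable(data: bytes) -> bool:
    """True if the file is either a valid JPEG already or a JFIF whose only
    visible damage is the overwritten SOI marker."""
    d = diagnose(data)
    return d["soi_ok"] or (d["app0_ok"] and d["jfif_ok"])


def repair_soi(data: bytes) -> bytes:
    """Return a copy with the SOI marker restored; refuse anything that does not
    look like the simple two-byte overwrite the surrounding structure implies."""
    if diagnose(data)["soi_ok"]:
        return data                          # nothing to repair
    if not is_repairable(data):
        raise ValueError("no APP0/JFIF structure: not a plain SOI overwrite")
    return JPEG_SOI + data[2:]


def repair_copy(src: Path, dst: Path) -> dict:
    """Forensic workflow: read the evidence read-only, write the repaired bytes
    to a separate path, and report the diagnosis of the result."""
    fixed = repair_soi(src.read_bytes())
    dst.write_bytes(fixed)
    return diagnose(fixed)
```

Run `repair_copy` against a working copy of the mounted image, then confirm with `file` and `exiftool` that the result is recognised as JPEG before relying on it.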
bash history of the user pc:
┌──(root㉿kali)-[/mnt/forensik/home/pc]
└─# cat .bash_history
exit
sudo gedit /etc/ssh/ssh_config
sudo gedit /etc/ssh/
sudo gedit /etc/ssh/ssh_config
ssh pc@localhost
sudo service ssh
sudo apt-get install openssh-server
sudo apt-get install openssh-client
gedit /etc/ssh/sshd_config
sudo gedit /etc/ssh/sshd_config
service ssh restart
ssh pc@localhost
ping googl.de
ip
ip a
exit
lsblk
fdisk -l vda
sudo fdisk -l vda
sudo fdisk -l /dev/vda
ip a
sudo usermod aG sudo pc
sudo usermod -aG sudo pc
ip a
exit
sudo parted
Belle's Downloads folder had a Pass.kdbx file:
┌──(root㉿kali)-[/mnt/forensik]
└─# keepassxc /mnt/forensik/home/belle/Dokumente/Pass.kdbx
with password: Eip7uoKo (passwords cracked by Markus) you find the password for VeraCrypt: forgeMaster
(see group)
With that password the encrypted Windows folder can be opened:
┌──(kali㉿kali)-[/mnt/windows/business]
└─$ sudo mkdir -p /mnt/tmp_business
sudo veracrypt --text --pim=0 --hash=sha512 --protect-hidden=no --mount /mnt/windows/business/business /mnt/tmp_business
Enter password for /mnt/windows/business/business: forgeMaster
Enter keyfile [none]:
┌──(kali㉿kali)-[/mnt/windows/business]
└─$ ls -lah /mnt/tmp_business
total 10K
drwx------ 3 kali kali 1.0K Jan 1 1970 .
drwxr-xr-x 9 root root 4.0K Jul 19 16:48 ..
drwx------ 4 kali kali 5.0K Jul 4 2022 paesse
┌──(kali㉿kali)-[/mnt/windows/business]
└─$ ls -lah /mnt/tmp_business/paesse
total 273K
drwx------ 4 kali kali 5.0K Jul 4 2022 .
drwx------ 3 kali kali 1.0K Jan 1 1970 ..
-rwx------ 1 kali kali 1004 Nov 30 2018 back_to_samples.gif
-rwx------ 1 kali kali 11K Nov 30 2018 b-contacts.jpg
-rwx------ 1 kali kali 11K Nov 30 2018 b-news.jpg
-rwx------ 1 kali kali 27K Nov 30 2018 b-samples.jpg
-rwx------ 1 kali kali 1.2K Nov 30 2018 button_email.gif
drwx------ 2 kali kali 2.0K Jul 4 2022 Cover
-rwx------ 1 kali kali 43 Nov 30 2018 emty.gif
-rwx------ 1 kali kali 484 Nov 30 2018 flash_r1_c2e.gif
-rwx------ 1 kali kali 518 Nov 30 2018 flash_r1_c3e.gif
-rwx------ 1 kali kali 508 Nov 30 2018 flash_r1_c6e.gif
-rwx------ 1 kali kali 2.2K Nov 30 2018 head_r1_c1.jpg
-rwx------ 1 kali kali 12K Nov 30 2018 head_r1_c2.jpg
-rwx------ 1 kali kali 1.9K Nov 30 2018 head_r2_c1.gif
-rwx------ 1 kali kali 2.4K Nov 30 2018 index.html
-rwx------ 1 kali kali 29K Nov 30 2018 index.php.CB66877E.html
-rwx------ 1 kali kali 12K Jul 4 2022 index.shtml
drwx------ 2 kali kali 1.0K Jul 4 2022 inside
-rwx------ 1 kali kali 15K Nov 30 2018 main.jpg
-rwx------ 1 kali kali 365 Nov 30 2018 menu_r1_c1e.gif
-rwx------ 1 kali kali 391 Nov 30 2018 menu_r1_c2e.gif
-rwx------ 1 kali kali 460 Nov 30 2018 menu_r1_c3e.gif
-rwx------ 1 kali kali 492 Nov 30 2018 menu_r1_c4e.gif
-rwx------ 1 kali kali 1.1K Nov 30 2018 menu_r1_c5e.gif
-rwx------ 1 kali kali 1.1K Nov 30 2018 menu_r1_c6e.gif
-rwx------ 1 kali kali 483 Nov 30 2018 menu_r1_c7e.gif
-rwx------ 1 kali kali 802 Nov 30 2018 menu_rfid.gif
-rwx------ 1 kali kali 388 Nov 30 2018 m-maine.gif
-rwx------ 1 kali kali 9.1K Nov 30 2018 novelty_fake_id_contacts.shtml
-rwx------ 1 kali kali 19K Nov 30 2018 novelty_fake_id_pricing.shtml
-rwx------ 1 kali kali 14K Nov 30 2018 novelty_fake_id_samples.shtml
-rwx------ 1 kali kali 20K Nov 30 2018 parashut.gif
-rwx------ 1 kali kali 1.9K Nov 30 2018 pricing.GIF
-rwx------ 1 kali kali 3.3K Nov 30 2018 privacy.gif
-rwx------ 1 kali kali 1.9K Nov 30 2018 tab2_r1_c13e.gif
-rwx------ 1 kali kali 1.9K Nov 30 2018 tab2_r1_c14e.gif
-rwx------ 1 kali kali 2.0K Nov 30 2018 tab2_r1_c16e.gif
-rwx------ 1 kali kali 2.0K Nov 30 2018 tab2_r1_c1e.gif
-rwx------ 1 kali kali 1.2K Nov 30 2018 tab2_r4_c2e.gif
-rwx------ 1 kali kali 255 Nov 30 2018 tab_r1_c1.gif
-rwx------ 1 kali kali 252 Nov 30 2018 tab_r1_c4.gif
-rwx------ 1 kali kali 93 Nov 30 2018 tab_r2_c1.gif
-rwx------ 1 kali kali 88 Nov 30 2018 tab_r2_c4.gif
-rwx------ 1 kali kali 62 Nov 30 2018 tab_r3_c1.gif
-rwx------ 1 kali kali 62 Nov 30 2018 tab_r3_c2.gif
-rwx------ 1 kali kali 61 Nov 30 2018 tab_r3_c4.gif
-rwx------ 1 kali kali 136 Nov 30 2018 tab_r4_c1.gif
-rwx------ 1 kali kali 128 Nov 30 2018 tab_r4_c2.gif
-rwx------ 1 kali kali 138 Nov 30 2018 tab_r4_c4.gif
-rwx------ 1 kali kali 116 Nov 30 2018 tab_r5_c1.gif
-rwx------ 1 kali kali 241 Nov 30 2018 tab_r5_c2.gif
-rwx------ 1 kali kali 114 Nov 30 2018 tab_r5_c4.gif
-rwx------ 1 kali kali 1.9K Nov 30 2018 terms.gif
-rwx------ 1 kali kali 20K Nov 30 2018 terms.shtml
-rwx------ 1 kali kali 3.4K Nov 30 2018 Ukpassport-cover.jpg
-rwx------ 1 kali kali 2.9K Nov 30 2018 'UK passport.shtml'
in the .shtml files you find the website of the suspected perpetrator