
Exercise 4 - 2

Team: 13
Authors: 3009728 | 3026182 | 3019335 | 3008816
Date created: 09.05.2025

Non-technical summary

A summary of the investigation and its most important findings, written for a lay audience.

In this task we examined the digital image of a USB stick, which we were to search for its contents and, presumably, a mobile phone PIN. We found several pictures, but none of them showed any connection to the PIN, and we were not able to recover the PIN itself.


Technical report

1. Overview of the analysed data

Data source          | Type       | Data type | Size  | Hash (SHA256)
---------------------|------------|-----------|-------|-----------------------------------------------------------------
~/Downloads/vUSB.img | Disk image | Image     | 3.1GB | 2c9c0f5117cdc3e8f3b9156bb5eef7d9563f46b4e0e4e51123711d828c89e8a2
Bild1.jpg            | Picture    | .jpg      |       | d2cc34b1613360da8fe39bd9f95e0749f0d48acc9396d37139b5624ab7655363
Bild2.jpeg           | Picture    | .jpeg     |       | 01b8a6d33ba74fec3a5e04fdd3d52f9738bd97d9d3c97c043955e1bd6bc39a92
Blue.png             | Picture    | .png      |       | efc4cbf142fdfe55d5695fe02240cd1f0782e086ce5490f1b65e398c3279b375

2. Chronological analysis log

Every terminal entry with its command, timestamp, GPG signature, hash value, output, context and (where available) legal explanation.

[++] Timeline of Commands and Comments

[+] Timestamp: 2025-05-09T06-48-10-588708+00-00

[+] Comment from analyst: Niklas Heringer

[+] Content:

Task 2.1: Use the file vUSB.zip and extract it (e.g. with 7zip)


[+] Command: 7z x /home/kali/Downloads/vUSB.zip -o/home/kali/Documents/analysis-station/Uebung_04

  • Timestamp: 2025-05-09T06-50-15-117272+00-00
  • GPG-signature: [+] Valid
  • SHA256: e11182132e7dbcf323278e3f318b991e0ebf352fb3d67d9b28cdb34a48872f1e

Output:

[STDOUT]

7-Zip 24.09 (x64) : Copyright (c) 1999-2024 Igor Pavlov : 2024-11-29
 64-bit locale=en_US.UTF-8 Threads:32 OPEN_MAX:1024, ASM

Scanning the drive for archives:
1 file, 5484894 bytes (5357 KiB)

Extracting archive: /home/kali/Downloads/vUSB.zip
--
Path = /home/kali/Downloads/vUSB.zip
Type = zip
Physical Size = 5484894

Everything is Ok

Size:       3221225472
Compressed: 5484894

[STDERR]

Context:

Analyst: Niklas Heringer Timestamp: 2025-05-09T06:50:24.148849+00:00

[x] No specific explanation found.


[+] Command: mkdir -p /home/kali/Documents/analysis-station/Uebung_04/mnt

  • Timestamp: 2025-05-09T06-50-30-811874+00-00
  • GPG-signature: [+] Valid
  • SHA256: aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f

Output:

[STDOUT]

[STDERR]

Context:

Analyst: Niklas Heringer Timestamp: 2025-05-09T06:50:30.823656+00:00

mkdir creates a directory. In forensic workflows, it is often used to prepare target folders for mounts or exported data.

The -p option ensures that parent directories are created as needed. It also avoids errors if the target directory already exists.


[+] Command: xxd /home/kali/Documents/analysis-station/Uebung_04/vUSB.img | head -n 20

  • Timestamp: 2025-05-09T06-51-12-136535+00-00
  • GPG-signature: [+] Valid
  • SHA256: dda431d77053a843ac735281786200d0a3a7dc4565bc9d2384bef7ecef5ac89e

Output:

[STDOUT]
00000000: eb58 906d 6b66 732e 6661 7400 0208 2000  .X.mkfs.fat... .
00000010: 0200 0000 00f8 0000 3f00 ff00 0000 0000  ........?.......
00000020: 0000 6000 f817 0000 0000 0000 0200 0000  ..`.............
00000030: 0100 0600 0000 0000 0000 0000 0000 0000  ................
00000040: 8000 29ae c100 374e 4f20 4e41 4d45 2020  ..)...7NO NAME  
00000050: 2020 4641 5433 3220 2020 0e1f be77 7cac    FAT32   ...w|.
00000060: 22c0 740b 56b4 0ebb 0700 cd10 5eeb f032  ".t.V.......^..2
00000070: e4cd 16cd 19eb fe54 6869 7320 6973 206e  .......This is n
00000080: 6f74 2061 2062 6f6f 7461 626c 6520 6469  ot a bootable di
00000090: 736b 2e20 2050 6c65 6173 6520 696e 7365  sk.  Please inse
000000a0: 7274 2061 2062 6f6f 7461 626c 6520 666c  rt a bootable fl
000000b0: 6f70 7079 2061 6e64 0d0a 7072 6573 7320  oppy and..press 
000000c0: 616e 7920 6b65 7920 746f 2074 7279 2061  any key to try a
000000d0: 6761 696e 202e 2e2e 200d 0a00 0000 0000  gain ... .......
000000e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000f0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000100: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000110: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000120: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000130: 0000 0000 0000 0000 0000 0000 0000 0000  ................

[STDERR]

Context:

Analyst: Niklas Heringer Timestamp: 2025-05-09T06:51:12.146934+00:00

[x] No specific explanation found.
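As an added example (not part of the report or its tooling), the following Python decodes the FAT32 boot sector that the xxd output above shows at offset 0 of vUSB.img and checks it for internal consistency, including whether the sector count it declares matches the 3221225472-byte image reported later by dd and dc3dd. The 96 bytes are transcribed from that hexdump; the field names and the list of checks are our own.

```python
"""Decode and sanity-check the FAT32 boot sector shown by xxd for vUSB.img.
Added example, not part of the report's tooling; the 96 bytes below are
transcribed from the report's hexdump (offsets 0x00-0x5f)."""
import struct

# Offsets 0x00-0x5f of vUSB.img as printed by `xxd vUSB.img | head -n 20`.
BOOT_SECTOR_HEAD = bytes.fromhex(
    "eb58906d6b66732e6661740002082000"   # jmp, OEM "mkfs.fat", 512 B/sector, 8 sectors/cluster, 32 reserved
    "0200000000f800003f00ff0000000000"   # 2 FATs, media 0xf8, 63 sectors/track, 255 heads
    "00006000f81700000000000002000000"   # 6291456 total sectors, FAT size 6136 sectors, root cluster 2
    "01000600000000000000000000000000"   # FSInfo sector 1, backup boot sector 6
    "800029aec100374e4f204e414d452020"   # drive 0x80, ext. signature 0x29, volume ID, label "NO NAME"
    "202046415433322020200e1fbe777cac"   # "FAT32   ", then the first bytes of boot code
)

# FAT32 BIOS Parameter Block: 90 little-endian bytes from offset 0.
BPB_FORMAT = "<3s8sHBHBHHBHHHIIIHHIHH12sBBBI11s8s"
BPB_FIELDS = (
    "jmp", "oem_name", "bytes_per_sector", "sectors_per_cluster",
    "reserved_sectors", "num_fats", "root_entries", "total_sectors_16",
    "media", "fat_size_16", "sectors_per_track", "heads", "hidden_sectors",
    "total_sectors_32", "fat_size_32", "ext_flags", "fs_version",
    "root_cluster", "fsinfo_sector", "backup_boot_sector", "_reserved",
    "drive_number", "_reserved1", "boot_signature", "volume_id",
    "volume_label", "fs_type",
)

IMAGE_SIZE = 3221225472  # bytes of /dev/loop1 as reported by dd and dc3dd


def parse_fat32_bpb(data: bytes) -> dict:
    """Unpack the BPB into a dict; text fields are decoded and right-stripped."""
    size = struct.calcsize(BPB_FORMAT)
    if len(data) < size:
        raise ValueError(f"need {size} bytes of boot sector, got {len(data)}")
    bpb = dict(zip(BPB_FIELDS, struct.unpack(BPB_FORMAT, data[:size])))
    for key in ("oem_name", "volume_label", "fs_type"):
        bpb[key] = bpb[key].decode("ascii", "replace").rstrip()
    return bpb


def cluster_count(bpb: dict) -> int:
    """Data clusters: sectors left after the reserved area and the FATs."""
    system = bpb["reserved_sectors"] + bpb["num_fats"] * bpb["fat_size_32"]
    return (bpb["total_sectors_32"] - system) // bpb["sectors_per_cluster"]


def check_fat32_bpb(bpb: dict, image_size: int = IMAGE_SIZE) -> list:
    """Return the inconsistencies found; an empty list means the BPB is plausible."""
    problems = []
    if bpb["jmp"][0] not in (0xEB, 0xE9):
        problems.append("byte 0 is not a jump opcode")
    bps = bpb["bytes_per_sector"]
    if bps not in (512, 1024, 2048, 4096):
        problems.append(f"implausible sector size {bps}")
    spc = bpb["sectors_per_cluster"]
    if spc == 0 or spc & (spc - 1):
        problems.append(f"sectors per cluster {spc} is not a power of two")
    if bpb["num_fats"] == 0 or bpb["reserved_sectors"] == 0:
        problems.append("FAT count and reserved sector count must be non-zero")
    if bpb["total_sectors_16"] or bpb["fat_size_16"] or bpb["root_entries"]:
        problems.append("FAT12/16-only fields must be zero on FAT32")
    if bpb["boot_signature"] != 0x29 or bpb["fs_type"] != "FAT32":
        problems.append("extended boot record does not announce FAT32")
    declared = bpb["total_sectors_32"] * bps
    if declared != image_size:
        problems.append(f"BPB describes {declared} bytes, image has {image_size}")
    if problems:
        return problems  # the cluster arithmetic below assumes sane geometry
    clusters = cluster_count(bpb)
    if clusters < 65525:
        problems.append(f"{clusters} clusters is FAT16 territory, not FAT32")
    if (clusters + 2) * 4 > bpb["fat_size_32"] * bps:
        problems.append("each FAT is too small for one 4-byte entry per cluster")
    return problems


if __name__ == "__main__":
    bpb = parse_fat32_bpb(BOOT_SECTOR_HEAD)
    print(f"{bpb['fs_type']} volume {bpb['volume_id']:08x} '{bpb['volume_label']}': "
          f"{bpb['total_sectors_32']} x {bpb['bytes_per_sector']} B, "
          f"{cluster_count(bpb)} clusters")
    print("problems:", check_fat32_bpb(bpb) or "none")
```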


[+] Timestamp: 2025-05-09T06-51-41-886735+00-00

[+] Comment from analyst: Niklas Heringer

[+] Content:

Does not appear damaged and everything is in order. Task finished.


[+] Timestamp: 2025-05-09T06-52-31-932154+00-00

[+] Comment from analyst: Niklas Heringer

[+] Content:

Task 2.2 is being started.


[+] Command: sudo losetup --find --show /home/kali/Documents/analysis-station/Uebung_04/vUSB.img

  • Timestamp: 2025-05-09T06-59-28-055316+00-00
  • GPG-signature: [+] Valid
  • SHA256: 7a14c39a9aeb23bd6c1fc88585770ac22b4dc1c9866b9ec193e8139edcdaaba5

Output:

[STDOUT]
/dev/loop1

[STDERR]

Context:

Analyst: Niklas Heringer Timestamp: 2025-05-09T06:59:31.596821+00:00

[x] No specific explanation found.


[+] Timestamp: 2025-05-09T07-04-57-689819+00-00

[+] Comment from analyst: Niklas Heringer

[+] Content:

Task 2.2: Backups are now to be created with three tools: dd, dc3dd, dcfldd


[+] Command: lsblk /dev/loop1

  • Timestamp: 2025-05-09T07-05-14-970891+00-00
  • GPG-signature: [+] Valid
  • SHA256: 8747b45e208ba4c685e955d88b42a408e5db35dc8615d8df33f7de2a9f05f017

Output:

[STDOUT]
NAME  MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
loop1   7:1    0   3G  0 loop 

[STDERR]

Context:

Analyst: Niklas Heringer Timestamp: 2025-05-09T07:05:14.981961+00:00

[x] No specific explanation found.


[+] Command: xxd /dev/loop1 | head -n 20

  • Timestamp: 2025-05-09T07-05-37-507814+00-00
  • GPG-signature: [+] Valid
  • SHA256: 5966732467316f16861af4b32af89947d5678807c341a60bf6e55acf00a7b5f5

Output:

[STDOUT]

[STDERR]
xxd: /dev/loop1: Permission denied

Context:

Analyst: Niklas Heringer Timestamp: 2025-05-09T07:05:37.517842+00:00

[x] No specific explanation found.


[+] Command: sudo xxd /dev/loop1 | head -n 20

  • Timestamp: 2025-05-09T07-05-44-461670+00-00
  • GPG-signature: [+] Valid
  • SHA256: dda431d77053a843ac735281786200d0a3a7dc4565bc9d2384bef7ecef5ac89e

Output:

[STDOUT]
00000000: eb58 906d 6b66 732e 6661 7400 0208 2000  .X.mkfs.fat... .
00000010: 0200 0000 00f8 0000 3f00 ff00 0000 0000  ........?.......
00000020: 0000 6000 f817 0000 0000 0000 0200 0000  ..`.............
00000030: 0100 0600 0000 0000 0000 0000 0000 0000  ................
00000040: 8000 29ae c100 374e 4f20 4e41 4d45 2020  ..)...7NO NAME  
00000050: 2020 4641 5433 3220 2020 0e1f be77 7cac    FAT32   ...w|.
00000060: 22c0 740b 56b4 0ebb 0700 cd10 5eeb f032  ".t.V.......^..2
00000070: e4cd 16cd 19eb fe54 6869 7320 6973 206e  .......This is n
00000080: 6f74 2061 2062 6f6f 7461 626c 6520 6469  ot a bootable di
00000090: 736b 2e20 2050 6c65 6173 6520 696e 7365  sk.  Please inse
000000a0: 7274 2061 2062 6f6f 7461 626c 6520 666c  rt a bootable fl
000000b0: 6f70 7079 2061 6e64 0d0a 7072 6573 7320  oppy and..press 
000000c0: 616e 7920 6b65 7920 746f 2074 7279 2061  any key to try a
000000d0: 6761 696e 202e 2e2e 200d 0a00 0000 0000  gain ... .......
000000e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000f0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000100: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000110: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000120: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000130: 0000 0000 0000 0000 0000 0000 0000 0000  ................

[STDERR]

Context:

Analyst: Niklas Heringer Timestamp: 2025-05-09T07:05:44.488574+00:00

[x] No specific explanation found.


[+] Command: sudo dd if=/dev/loop1 of=/home/kali/Documents/analysis-station/Uebung_04/usb_dd.img status=progress

  • Timestamp: 2025-05-09T07-07-01-946380+00-00
  • GPG-signature: [+] Valid
  • SHA256: 8d6621d3df568cde9986badb67542b72d458ffafd95dc1bd1e584fc02bd1efe8

Output:

[STDOUT]

[STDERR]

165536256 bytes (166 MB, 158 MiB) copied, 1 s, 166 MB/s
341011968 bytes (341 MB, 325 MiB) copied, 2 s, 171 MB/s
516391424 bytes (516 MB, 492 MiB) copied, 3 s, 172 MB/s
689598464 bytes (690 MB, 658 MiB) copied, 4 s, 172 MB/s
868729344 bytes (869 MB, 828 MiB) copied, 5 s, 174 MB/s
1046550016 bytes (1.0 GB, 998 MiB) copied, 6 s, 174 MB/s
1214092800 bytes (1.2 GB, 1.1 GiB) copied, 7 s, 173 MB/s
1395514880 bytes (1.4 GB, 1.3 GiB) copied, 8 s, 174 MB/s
1565343744 bytes (1.6 GB, 1.5 GiB) copied, 9 s, 174 MB/s
1744128512 bytes (1.7 GB, 1.6 GiB) copied, 10 s, 174 MB/s
1919242240 bytes (1.9 GB, 1.8 GiB) copied, 11 s, 174 MB/s
2095894528 bytes (2.1 GB, 2.0 GiB) copied, 12 s, 175 MB/s
2275668480 bytes (2.3 GB, 2.1 GiB) copied, 13 s, 175 MB/s
2448216064 bytes (2.4 GB, 2.3 GiB) copied, 14 s, 175 MB/s
2624709120 bytes (2.6 GB, 2.4 GiB) copied, 15 s, 175 MB/s
2798371328 bytes (2.8 GB, 2.6 GiB) copied, 16 s, 175 MB/s
2970781184 bytes (3.0 GB, 2.8 GiB) copied, 17 s, 175 MB/s
3151798784 bytes (3.2 GB, 2.9 GiB) copied, 18 s, 175 MB/s
6291456+0 records in
6291456+0 records out
3221225472 bytes (3.2 GB, 3.0 GiB) copied, 18.5111 s, 174 MB/s

Context:

Analyst: Niklas Heringer Timestamp: 2025-05-09T07:07:20.489457+00:00

[x] No specific explanation found.


[+] Command: sudo xxd /home/kali/Documents/analysis-station/Uebung_u4/usb_dd.img | head -n 20

  • Timestamp: 2025-05-09T07-07-59-269675+00-00
  • GPG-signature: [+] Valid
  • SHA256: c915b705c72f6c41ea9a2edce649ea3a7038bbb6ad35c7a7617f603a861ce35e

Output:

[STDOUT]

[STDERR]
xxd: /home/kali/Documents/analysis-station/Uebung_u4/usb_dd.img: No such file or directory

Context:

Analyst: Niklas Heringer Timestamp: 2025-05-09T07:07:59.304707+00:00

[x] No specific explanation found.


[+] Command: sudo xxd /home/kali/Documents/analysis-station/Uebung_04/usb_dd.img | head -n 20

  • Timestamp: 2025-05-09T07-08-14-777981+00-00
  • GPG-signature: [+] Valid
  • SHA256: dda431d77053a843ac735281786200d0a3a7dc4565bc9d2384bef7ecef5ac89e

Output:

[STDOUT]
00000000: eb58 906d 6b66 732e 6661 7400 0208 2000  .X.mkfs.fat... .
00000010: 0200 0000 00f8 0000 3f00 ff00 0000 0000  ........?.......
00000020: 0000 6000 f817 0000 0000 0000 0200 0000  ..`.............
00000030: 0100 0600 0000 0000 0000 0000 0000 0000  ................
00000040: 8000 29ae c100 374e 4f20 4e41 4d45 2020  ..)...7NO NAME  
00000050: 2020 4641 5433 3220 2020 0e1f be77 7cac    FAT32   ...w|.
00000060: 22c0 740b 56b4 0ebb 0700 cd10 5eeb f032  ".t.V.......^..2
00000070: e4cd 16cd 19eb fe54 6869 7320 6973 206e  .......This is n
00000080: 6f74 2061 2062 6f6f 7461 626c 6520 6469  ot a bootable di
00000090: 736b 2e20 2050 6c65 6173 6520 696e 7365  sk.  Please inse
000000a0: 7274 2061 2062 6f6f 7461 626c 6520 666c  rt a bootable fl
000000b0: 6f70 7079 2061 6e64 0d0a 7072 6573 7320  oppy and..press 
000000c0: 616e 7920 6b65 7920 746f 2074 7279 2061  any key to try a
000000d0: 6761 696e 202e 2e2e 200d 0a00 0000 0000  gain ... .......
000000e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000f0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000100: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000110: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000120: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000130: 0000 0000 0000 0000 0000 0000 0000 0000  ................

[STDERR]

Context:

Analyst: Niklas Heringer Timestamp: 2025-05-09T07:08:14.806240+00:00

[x] No specific explanation found.


[+] Command: sudo dc3dd if=/dev/loop1 of=/home/kali/Documents/analysis-station/Uebung_04/usb_dc3dd.img hash=sha256 hlog=/home/kali/Documents/analysis-station/Uebung_04/usb_dc3dd.hash

  • Timestamp: 2025-05-09T07-11-38-528356+00-00
  • GPG-signature: [+] Valid
  • SHA256: 1123e734545cfe4e6d8bce1dc80749d9de1a30dba2b7e1ca6ec9c99517ea3628

Output:

[STDOUT]

[STDERR]

dc3dd 7.3.1 started at 2025-05-09 03:11:38 -0400
compiled options:
command line dc3dd if=/dev/loop1 of=/home/kali/Documents/analysis-station/Uebung_04/usb_dc3dd.img hash=sha256 hlog=/home/kali/Documents/analysis-station/Uebung_04/usb_dc3dd.hash
device size: 6291456 sectors (probed),    3,221,225,472 bytes
sector size: 512 bytes (probed)
    18415616 bytes ( 18 M ) copied (  1% ),    0 s, 171 M/s 
    41975808 bytes ( 40 M ) copied (  1% ),    0 s, 197 M/s 
    67993600 bytes ( 65 M ) copied (  2% ),    0 s, 214 M/s 
    91521024 bytes ( 87 M ) copied (  3% ),    0 s, 216 M/s 
   115179520 bytes ( 110 M ) copied (  4% ),    1 s, 218 M/s 
   138215424 bytes ( 132 M ) copied (  4% ),    1 s, 218 M/s 
   163020800 bytes ( 155 M ) copied (  5% ),    1 s, 220 M/s 
   187367424 bytes ( 179 M ) copied (  6% ),    1 s, 222 M/s 
   211746816 bytes ( 202 M ) copied (  7% ),    1 s, 223 M/s 
   235929600 bytes ( 225 M ) copied (  7% ),    1 s, 224 M/s 
   260210688 bytes ( 248 M ) copied (  8% ),    1 s, 224 M/s 
   284000256 bytes ( 271 M ) copied (  9% ),    1 s, 224 M/s 
   305004544 bytes ( 291 M ) copied (  9% ),    1 s, 223 M/s 
   329613312 bytes ( 314 M ) copied ( 10% ),    1 s, 223 M/s 
   354451456 bytes ( 338 M ) copied ( 11% ),    2 s, 224 M/s 
   376569856 bytes ( 359 M ) copied ( 12% ),    2 s, 223 M/s 
   402685952 bytes ( 384 M ) copied ( 13% ),    2 s, 225 M/s 
   426508288 bytes ( 407 M ) copied ( 13% ),    2 s, 225 M/s 
   450134016 bytes ( 429 M ) copied ( 14% ),    2 s, 225 M/s 
   473038848 bytes ( 451 M ) copied ( 15% ),    2 s, 224 M/s 
   498794496 bytes ( 476 M ) copied ( 15% ),    2 s, 225 M/s 
   523894784 bytes ( 500 M ) copied ( 16% ),    2 s, 226 M/s 
   542081024 bytes ( 517 M ) copied ( 17% ),    2 s, 224 M/s 
   569016320 bytes ( 543 M ) copied ( 18% ),    2 s, 225 M/s 
   596836352 bytes ( 569 M ) copied ( 19% ),    3 s, 227 M/s 
   624721920 bytes ( 596 M ) copied ( 19% ),    3 s, 228 M/s 
   652443648 bytes ( 622 M ) copied ( 20% ),    3 s, 229 M/s 
   675774464 bytes ( 644 M ) copied ( 21% ),    3 s, 229 M/s 
   698155008 bytes ( 666 M ) copied ( 22% ),    3 s, 228 M/s 
   717357056 bytes ( 684 M ) copied ( 22% ),    3 s, 227 M/s 
   738295808 bytes ( 704 M ) copied ( 23% ),    3 s, 226 M/s 
   759660544 bytes ( 724 M ) copied ( 24% ),    3 s, 225 M/s 
   785088512 bytes ( 749 M ) copied ( 24% ),    3 s, 226 M/s 
   809500672 bytes ( 772 M ) copied ( 25% ),    3 s, 226 M/s 
   834994176 bytes ( 796 M ) copied ( 26% ),    4 s, 226 M/s 
   860815360 bytes ( 821 M ) copied ( 27% ),    4 s, 227 M/s 
   884801536 bytes ( 844 M ) copied ( 27% ),    4 s, 227 M/s 
   907345920 bytes ( 865 M ) copied ( 28% ),    4 s, 227 M/s 
   925728768 bytes ( 883 M ) copied ( 29% ),    4 s, 225 M/s 
   950468608 bytes ( 906 M ) copied ( 30% ),    4 s, 225 M/s 
   978518016 bytes ( 933 M ) copied ( 30% ),    4 s, 226 M/s 
  1006174208 bytes ( 960 M ) copied ( 31% ),    4 s, 227 M/s 
  1034223616 bytes ( 986 M ) copied ( 32% ),    4 s, 228 M/s 
  1062371328 bytes ( 1013 M ) copied ( 33% ),    4 s, 229 M/s 
  1090453504 bytes ( 1 G ) copied ( 34% ),    5 s, 230 M/s 
  1116405760 bytes ( 1 G ) copied ( 35% ),    5 s, 230 M/s 
  1143341056 bytes ( 1.1 G ) copied ( 35% ),    5 s, 231 M/s 
  1168408576 bytes ( 1.1 G ) copied ( 36% ),    5 s, 231 M/s 
  1180303360 bytes ( 1.1 G ) copied ( 37% ),    5 s, 228 M/s 
  1195081728 bytes ( 1.1 G ) copied ( 37% ),    5 s, 227 M/s 
  1220739072 bytes ( 1.1 G ) copied ( 38% ),    5 s, 227 M/s 
  1248067584 bytes ( 1.2 G ) copied ( 39% ),    5 s, 227 M/s 
  1274937344 bytes ( 1.2 G ) copied ( 40% ),    5 s, 228 M/s 
  1301872640 bytes ( 1.2 G ) copied ( 40% ),    5 s, 228 M/s 
  1326907392 bytes ( 1.2 G ) copied ( 41% ),    6 s, 229 M/s 
  1349844992 bytes ( 1.3 G ) copied ( 42% ),    6 s, 228 M/s 
  1374388224 bytes ( 1.3 G ) copied ( 43% ),    6 s, 228 M/s 
  1396637696 bytes ( 1.3 G ) copied ( 43% ),    6 s, 228 M/s 
  1420328960 bytes ( 1.3 G ) copied ( 44% ),    6 s, 228 M/s 
  1443758080 bytes ( 1.3 G ) copied ( 45% ),    6 s, 228 M/s 
  1468891136 bytes ( 1.4 G ) copied ( 46% ),    6 s, 228 M/s 
  1493794816 bytes ( 1.4 G ) copied ( 46% ),    6 s, 228 M/s 
  1514012672 bytes ( 1.4 G ) copied ( 47% ),    6 s, 228 M/s 
  1542815744 bytes ( 1.4 G ) copied ( 48% ),    6 s, 228 M/s 
  1570963456 bytes ( 1.5 G ) copied ( 49% ),    7 s, 229 M/s 
  1597440000 bytes ( 1.5 G ) copied ( 50% ),    7 s, 229 M/s 
  1623031808 bytes ( 1.5 G ) copied ( 50% ),    7 s, 230 M/s 
  1650294784 bytes ( 1.5 G ) copied ( 51% ),    7 s, 230 M/s 
  1678901248 bytes ( 1.6 G ) copied ( 52% ),    7 s, 231 M/s 
  1701642240 bytes ( 1.6 G ) copied ( 53% ),    7 s, 230 M/s 
  1728675840 bytes ( 1.6 G ) copied ( 54% ),    7 s, 231 M/s 
  1755676672 bytes ( 1.6 G ) copied ( 55% ),    7 s, 231 M/s 
  1774682112 bytes ( 1.7 G ) copied ( 55% ),    7 s, 230 M/s 
  1796997120 bytes ( 1.7 G ) copied ( 56% ),    7 s, 230 M/s 
  1824063488 bytes ( 1.7 G ) copied ( 57% ),    8 s, 230 M/s 
  1850998784 bytes ( 1.7 G ) copied ( 57% ),    8 s, 231 M/s 
  1873870848 bytes ( 1.7 G ) copied ( 58% ),    8 s, 231 M/s 
  1898971136 bytes ( 1.8 G ) copied ( 59% ),    8 s, 231 M/s 
  1922400256 bytes ( 1.8 G ) copied ( 60% ),    8 s, 231 M/s 
  1949007872 bytes ( 1.8 G ) copied ( 61% ),    8 s, 231 M/s 
  1973420032 bytes ( 1.8 G ) copied ( 61% ),    8 s, 231 M/s 
  1996881920 bytes ( 1.9 G ) copied ( 62% ),    8 s, 231 M/s 
  2020081664 bytes ( 1.9 G ) copied ( 63% ),    8 s, 231 M/s 
  2046689280 bytes ( 1.9 G ) copied ( 64% ),    8 s, 231 M/s 
  2075197440 bytes ( 1.9 G ) copied ( 64% ),    9 s, 231 M/s 
  2099740672 bytes ( 2 G ) copied ( 65% ),    9 s, 231 M/s 
  2123202560 bytes ( 2 G ) copied ( 66% ),    9 s, 231 M/s 
  2151612416 bytes ( 2 G ) copied ( 67% ),    9 s, 232 M/s 
  2177564672 bytes ( 2 G ) copied ( 68% ),    9 s, 232 M/s 
  2201550848 bytes ( 2.1 G ) copied ( 68% ),    9 s, 232 M/s 
  2225733632 bytes ( 2.1 G ) copied ( 69% ),    9 s, 232 M/s 
  2253160448 bytes ( 2.1 G ) copied ( 70% ),    9 s, 232 M/s 
  2277441536 bytes ( 2.1 G ) copied ( 71% ),    9 s, 232 M/s 
  2301394944 bytes ( 2.1 G ) copied ( 71% ),    9 s, 232 M/s 
  2325676032 bytes ( 2.2 G ) copied ( 72% ),   10 s, 232 M/s 
  2353692672 bytes ( 2.2 G ) copied ( 73% ),   10 s, 232 M/s 
  2380103680 bytes ( 2.2 G ) copied ( 74% ),   10 s, 233 M/s 
  2404122624 bytes ( 2.2 G ) copied ( 75% ),   10 s, 233 M/s 
  2431352832 bytes ( 2.3 G ) copied ( 75% ),   10 s, 233 M/s 
  2458714112 bytes ( 2.3 G ) copied ( 76% ),   10 s, 233 M/s 
  2482601984 bytes ( 2.3 G ) copied ( 77% ),   10 s, 233 M/s 
  2505801728 bytes ( 2.3 G ) copied ( 78% ),   10 s, 233 M/s 
  2530017280 bytes ( 2.4 G ) copied ( 79% ),   10 s, 233 M/s 
  2555740160 bytes ( 2.4 G ) copied ( 79% ),   10 s, 233 M/s 
  2579562496 bytes ( 2.4 G ) copied ( 80% ),   11 s, 233 M/s 
  2601058304 bytes ( 2.4 G ) copied ( 81% ),   11 s, 233 M/s 
  2615279616 bytes ( 2.4 G ) copied ( 81% ),   11 s, 232 M/s 
  2626224128 bytes ( 2.4 G ) copied ( 82% ),   11 s, 231 M/s 
  2638184448 bytes ( 2.5 G ) copied ( 82% ),   11 s, 229 M/s 
  2653487104 bytes ( 2.5 G ) copied ( 82% ),   11 s, 229 M/s 
  2672590848 bytes ( 2.5 G ) copied ( 83% ),   11 s, 228 M/s 
  2693464064 bytes ( 2.5 G ) copied ( 84% ),   11 s, 228 M/s 
  2718859264 bytes ( 2.5 G ) copied ( 84% ),   11 s, 228 M/s 
  2744418304 bytes ( 2.6 G ) copied ( 85% ),   11 s, 228 M/s 
  2761523200 bytes ( 2.6 G ) copied ( 86% ),   12 s, 228 M/s 
  2780364800 bytes ( 2.6 G ) copied ( 86% ),   12 s, 227 M/s 
  2804744192 bytes ( 2.6 G ) copied ( 87% ),   12 s, 227 M/s 
  2827288576 bytes ( 2.6 G ) copied ( 88% ),   12 s, 227 M/s 
  2849767424 bytes ( 2.7 G ) copied ( 88% ),   12 s, 227 M/s 
  2871230464 bytes ( 2.7 G ) copied ( 89% ),   12 s, 227 M/s 
  2893414400 bytes ( 2.7 G ) copied ( 90% ),   12 s, 227 M/s 
  2914254848 bytes ( 2.7 G ) copied ( 90% ),   12 s, 227 M/s 
  2938601472 bytes ( 2.7 G ) copied ( 91% ),   12 s, 227 M/s 
  2964586496 bytes ( 2.8 G ) copied ( 92% ),   12 s, 227 M/s 
  2988081152 bytes ( 2.8 G ) copied ( 93% ),   13 s, 227 M/s 
  3012001792 bytes ( 2.8 G ) copied ( 94% ),   13 s, 227 M/s 
  3038380032 bytes ( 2.8 G ) copied ( 94% ),   13 s, 227 M/s 
  3063382016 bytes ( 2.9 G ) copied ( 95% ),   13 s, 227 M/s 
  3088187392 bytes ( 2.9 G ) copied ( 96% ),   13 s, 227 M/s 
  3113910272 bytes ( 2.9 G ) copied ( 97% ),   13 s, 227 M/s 
  3137437696 bytes ( 2.9 G ) copied ( 97% ),   13 s, 227 M/s 
  3160145920 bytes ( 2.9 G ) copied ( 98% ),   13 s, 227 M/s 
  3184328704 bytes ( 3 G ) copied ( 99% ),   13 s, 227 M/s 
  3208577024 bytes ( 3 G ) copied ( 100% ),   13 s, 227 M/s 
  3221225472 bytes ( 3 G ) copied ( 100% ),   14 s, 226 M/s 
  3221225472 bytes ( 3 G ) copied ( 100% ),   14 s, 226 M/s 

input results for device `/dev/loop1':
   6291456 sectors in
   0 bad sectors replaced by zeros
   2c9c0f5117cdc3e8f3b9156bb5eef7d9563f46b4e0e4e51123711d828c89e8a2 (sha256)

output results for file `/home/kali/Documents/analysis-station/Uebung_04/usb_dc3dd.img':
   6291456 sectors out

dc3dd completed at 2025-05-09 03:11:52 -0400

Context:

Analyst: Niklas Heringer Timestamp: 2025-05-09T07:11:52.137822+00:00

[x] No specific explanation found.


[+] Command: sudo xxd /home/kali/Documents/analysis-station/Uebung_04/usb_dc3dd.img | head -n 20

  • Timestamp: 2025-05-09T07-13-09-028006+00-00
  • GPG-signature: [+] Valid
  • SHA256: dda431d77053a843ac735281786200d0a3a7dc4565bc9d2384bef7ecef5ac89e

Output:

[STDOUT]
00000000: eb58 906d 6b66 732e 6661 7400 0208 2000  .X.mkfs.fat... .
00000010: 0200 0000 00f8 0000 3f00 ff00 0000 0000  ........?.......
00000020: 0000 6000 f817 0000 0000 0000 0200 0000  ..`.............
00000030: 0100 0600 0000 0000 0000 0000 0000 0000  ................
00000040: 8000 29ae c100 374e 4f20 4e41 4d45 2020  ..)...7NO NAME  
00000050: 2020 4641 5433 3220 2020 0e1f be77 7cac    FAT32   ...w|.
00000060: 22c0 740b 56b4 0ebb 0700 cd10 5eeb f032  ".t.V.......^..2
00000070: e4cd 16cd 19eb fe54 6869 7320 6973 206e  .......This is n
00000080: 6f74 2061 2062 6f6f 7461 626c 6520 6469  ot a bootable di
00000090: 736b 2e20 2050 6c65 6173 6520 696e 7365  sk.  Please inse
000000a0: 7274 2061 2062 6f6f 7461 626c 6520 666c  rt a bootable fl
000000b0: 6f70 7079 2061 6e64 0d0a 7072 6573 7320  oppy and..press 
000000c0: 616e 7920 6b65 7920 746f 2074 7279 2061  any key to try a
000000d0: 6761 696e 202e 2e2e 200d 0a00 0000 0000  gain ... .......
000000e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000f0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000100: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000110: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000120: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000130: 0000 0000 0000 0000 0000 0000 0000 0000  ................

[STDERR]

Context:

Analyst: Niklas Heringer Timestamp: 2025-05-09T07:13:09.054618+00:00

[x] No specific explanation found.


[+] Command: sudo dcfldd if=/dev/loop1 of=/home/kali/Documents/analysis-station/Uebung_04/usb_dcfldd.img hash=sha256 hashlog=usb_dcfldd.hash status=off errlog=usb_dcfldd.log

  • Timestamp: 2025-05-09T07-15-58-157193+00-00
  • GPG-signature: [+] Valid
  • SHA256: 2f673332b624a1e8b049e9b0bdfe9c4782f98aa598588a983b1cca12a0433c64

Output:

[STDOUT]

[STDERR]
98304+0 records in
98304+0 records out

Context:

Analyst: Niklas Heringer Timestamp: 2025-05-09T07:16:16.724835+00:00

[x] No specific explanation found.


[+] Command: sudo xxd /home/kali/Documents/analysis-station/Uebung_04/usb_dcfldd.img | head -n 20

  • Timestamp: 2025-05-09T07-17-24-431943+00-00
  • GPG-signature: [+] Valid
  • SHA256: dda431d77053a843ac735281786200d0a3a7dc4565bc9d2384bef7ecef5ac89e

Output:

[STDOUT]
00000000: eb58 906d 6b66 732e 6661 7400 0208 2000  .X.mkfs.fat... .
00000010: 0200 0000 00f8 0000 3f00 ff00 0000 0000  ........?.......
00000020: 0000 6000 f817 0000 0000 0000 0200 0000  ..`.............
00000030: 0100 0600 0000 0000 0000 0000 0000 0000  ................
00000040: 8000 29ae c100 374e 4f20 4e41 4d45 2020  ..)...7NO NAME  
00000050: 2020 4641 5433 3220 2020 0e1f be77 7cac    FAT32   ...w|.
00000060: 22c0 740b 56b4 0ebb 0700 cd10 5eeb f032  ".t.V.......^..2
00000070: e4cd 16cd 19eb fe54 6869 7320 6973 206e  .......This is n
00000080: 6f74 2061 2062 6f6f 7461 626c 6520 6469  ot a bootable di
00000090: 736b 2e20 2050 6c65 6173 6520 696e 7365  sk.  Please inse
000000a0: 7274 2061 2062 6f6f 7461 626c 6520 666c  rt a bootable fl
000000b0: 6f70 7079 2061 6e64 0d0a 7072 6573 7320  oppy and..press 
000000c0: 616e 7920 6b65 7920 746f 2074 7279 2061  any key to try a
000000d0: 6761 696e 202e 2e2e 200d 0a00 0000 0000  gain ... .......
000000e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000f0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000100: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000110: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000120: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000130: 0000 0000 0000 0000 0000 0000 0000 0000  ................

[STDERR]

Context:

Analyst: Niklas Heringer Timestamp: 2025-05-09T07:17:24.460514+00:00

[x] No specific explanation found.


[+] Timestamp: 2025-05-09T07-18-03-201283+00-00

[+] Comment from analyst: Niklas Heringer

[+] Content:

Task 2.2 finished.


[+] Timestamp: 2025-05-09T07-18-26-494801+00-00

[+] Comment from analyst: Niklas Heringer

[+] Content:

Task 2.4 started; 2.3 is being written up by hand


[+] Command: Error opening image file (raw_open: file "/dev/loop1" - Permission denied)

  • Timestamp: 2025-05-09T07-19-45-852848+00-00
  • GPG-signature: [+] Valid
  • SHA256: b0546c981e99537e5a6a3fe7bc230ca5fb3dcec663695329cce6d0c6eeac7709

Output:

[!] Command failed:
Error opening image file (raw_open: file "/dev/loop1" - Permission denied)

Context:

Analyst: Niklas Heringer Timestamp: 2025-05-09T07:19:45.891807+00:00

[x] No specific explanation found.


[+] Command: sudo fsstat /dev/loop1

  • Timestamp: 2025-05-09T07-19-52-695798+00-00
  • GPG-signature: [+] Valid
  • SHA256: 377bc3ffe4760f092973bb1a77d97c33b11307bb392768fdcc6dd1a63fe91332

Output:

[STDOUT]
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: FAT32

OEM Name: mkfs.fat
Volume ID: 0x3700c1ae
Volume Label (Boot Sector): NO NAME    
Volume Label (Root Directory):
File System Type Label: FAT32   
Next Free Sector (FS Info): 16920
Free Sector Count (FS Info): 6274528

Sectors before file system: 0

File System Layout (in sectors)
Total Range: 0 - 6291455
* Reserved: 0 - 31
** Boot Sector: 0
** FS Info Sector: 1
** Backup Boot Sector: 6
* FAT 0: 32 - 6167
* FAT 1: 6168 - 12303
* Data Area: 12304 - 6291455
** Cluster Area: 12304 - 6291455
*** Root Directory: 12304 - 12311

METADATA INFORMATION
--------------------------------------------
Range: 2 - 100466438
Root Directory: 2

CONTENT INFORMATION
--------------------------------------------
Sector Size: 512
Cluster Size: 4096
Total Cluster Range: 2 - 784895

FAT CONTENTS (in sectors)
--------------------------------------------
12304-12311 (8) -> EOF
12312-12695 (384) -> EOF
12696-16895 (4200) -> EOF
16896-16927 (32) -> EOF

[STDERR]

Context:

Analyst: Niklas Heringer Timestamp: 2025-05-09T07:19:52.802013+00:00

[x] No specific explanation found.
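As an added cross-check for this report (example code written here, not output of xxd, fsstat or any other tool used above), the following Python decodes the FAT32 boot sector bytes from the xxd dump and recomputes the layout that fsstat printed: reserved area 0-31, FAT 0 at 32-6167, FAT 1 at 6168-12303, data area from 12304, clusters 2-784895. The start clusters 3, 51 and 576 used in the demo are an assumption: they follow if the three files were written contiguously in the order fls lists them, which the FAT CONTENTS run lengths (384, 4200 and 32 sectors) agree with.

```python
"""Parse the FAT32 boot sector shown by xxd above and derive the file system
layout that fsstat reported. Added example; field offsets follow the
Microsoft FAT specification (BPB / BS_ fields), not any tool on this page."""
import math
import struct
from dataclasses import dataclass

# First 96 bytes of usb_dc3dd.img, transcribed from the xxd output above.
BOOT_SECTOR = bytes.fromhex(
    "eb58906d6b66732e6661740002082000"
    "0200000000f800003f00ff0000000000"
    "00006000f81700000000000002000000"
    "01000600000000000000000000000000"
    "800029aec100374e4f204e414d452020"
    "202046415433322020200e1fbe777cac"
)

# Little-endian layout of the first 90 bytes: jump, OEM name, BPB, FAT32 extension.
_BPB = struct.Struct("<3s8sHBHBHHBHHHIIIHHIHH12sBBBI11s8s")


@dataclass
class Fat32Params:
    oem_name: str
    bytes_per_sector: int
    sectors_per_cluster: int
    reserved_sectors: int
    num_fats: int
    total_sectors: int
    sectors_per_fat: int
    root_cluster: int
    fsinfo_sector: int
    backup_boot_sector: int
    volume_id: int
    volume_label: str
    fs_type_label: str


def parse_fat32_boot_sector(sector: bytes) -> Fat32Params:
    """Decode the BPB; reject anything that is not a plausible FAT32 volume."""
    if len(sector) < _BPB.size:
        raise ValueError(f"need at least {_BPB.size} bytes of boot sector")
    (_jmp, oem, bps, spc, rsvd, nfats, root_entries, tot16, _media, spf16,
     _spt, _heads, _hidden, tot32, spf32, _flags, _ver, root_cluster,
     fsinfo, backup, _rsvd, _drive, _rsvd1, boot_sig, vol_id,
     label, fs_type) = _BPB.unpack_from(sector)
    # FAT32 is identified by zeroed FAT12/16 fields and a non-zero 32-bit
    # FAT size; the "FAT32   " string at offset 82 is informational only.
    if root_entries or tot16 or spf16 or not spf32 or not tot32:
        raise ValueError("not a FAT32 BPB")
    if bps not in (512, 1024, 2048, 4096) or spc & (spc - 1) or nfats == 0:
        raise ValueError("implausible geometry")
    if boot_sig != 0x29:
        raise ValueError("extended boot signature 0x29 missing")
    return Fat32Params(
        oem.decode("ascii", "replace").rstrip(), bps, spc, rsvd, nfats,
        tot32, spf32, root_cluster, fsinfo, backup, vol_id,
        label.decode("ascii", "replace").rstrip(),
        fs_type.decode("ascii", "replace").rstrip(),
    )


def layout(p: Fat32Params) -> dict:
    """Inclusive sector ranges, in the form fsstat prints them."""
    fats, start = [], p.reserved_sectors
    for _ in range(p.num_fats):
        fats.append((start, start + p.sectors_per_fat - 1))
        start += p.sectors_per_fat
    cluster_count = (p.total_sectors - start) // p.sectors_per_cluster
    return {
        "reserved": (0, p.reserved_sectors - 1),
        "fats": fats,
        "data": (start, p.total_sectors - 1),
        "clusters": (2, cluster_count + 1),  # cluster numbering starts at 2
    }


def cluster_run(p: Fat32Params, first_cluster: int, size_bytes: int):
    """Sector range a contiguous file occupies, as in fsstat's FAT CONTENTS."""
    data_start = layout(p)["data"][0]
    cluster_bytes = p.bytes_per_sector * p.sectors_per_cluster
    n_clusters = max(1, math.ceil(size_bytes / cluster_bytes))
    first = data_start + (first_cluster - 2) * p.sectors_per_cluster
    return first, first + n_clusters * p.sectors_per_cluster - 1


if __name__ == "__main__":
    params = parse_fat32_boot_sector(BOOT_SECTOR)
    print(params)
    print(layout(params))
    # Root directory (cluster 2) and the three files, assuming they were
    # written contiguously in the order fls lists them (an assumption).
    for cluster, size in ((2, 0), (3, 192827), (51, 2148214), (576, 15540)):
        print(cluster, cluster_run(params, cluster, size))
```

The parser deliberately decides "FAT32" from the zeroed FAT12/16 fields and the non-zero 32-bit FAT size rather than from the "FAT32   " label, because the label is free text that a formatter may set to anything.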


[+] Timestamp: 2025-05-09T07-20-25-017861+00-00

[+] Comment from analyst: Niklas Heringer

[+] Content:

So this is FAT32


[+] Timestamp: 2025-05-09T07-21-02-367502+00-00

[+] Comment from analyst: Niklas Heringer

[+] Content:

Now on to task 2.5, in which we are to work with special parameters


[+] Command: sudo dcfldd if=/dev/loop1 of=/home/kali/Documents/analysis-station/Uebung_04/usb_dcfldd_with_extras.img hash=sha1 hashwindow=1M hashlog=/home/kali/Documents/analysis-station/Uebung_04/usb_dcfldd_with_extras.hash status=on | head -n 20

  • Timestamp: 2025-05-09T07-25-25-239093+00-00
  • GPG-signature: [+] Valid
  • SHA256: 1374dd6d0390e65da9cf0fa2f36c796c948bb1784f9dd33b35ab5650db6f27f4

Output:

[STDOUT]

[STDERR]

256 blocks (8Mb) written.
512 blocks (16Mb) written.
768 blocks (24Mb) written.
1024 blocks (32Mb) written.
1280 blocks (40Mb) written.
1536 blocks (48Mb) written.
1792 blocks (56Mb) written.
2048 blocks (64Mb) written.
2304 blocks (72Mb) written.
2560 blocks (80Mb) written.
2816 blocks (88Mb) written.
3072 blocks (96Mb) written.
3328 blocks (104Mb) written.
3584 blocks (112Mb) written.
3840 blocks (120Mb) written.
4096 blocks (128Mb) written.
4352 blocks (136Mb) written.
4608 blocks (144Mb) written.
4864 blocks (152Mb) written.
5120 blocks (160Mb) written.
5376 blocks (168Mb) written.
5632 blocks (176Mb) written.
5888 blocks (184Mb) written.
6144 blocks (192Mb) written.
6400 blocks (200Mb) written.
6656 blocks (208Mb) written.
6912 blocks (216Mb) written.
7168 blocks (224Mb) written.
7424 blocks (232Mb) written.
7680 blocks (240Mb) written.
7936 blocks (248Mb) written.
8192 blocks (256Mb) written.
8448 blocks (264Mb) written.
8704 blocks (272Mb) written.
8960 blocks (280Mb) written.
9216 blocks (288Mb) written.
9472 blocks (296Mb) written.
9728 blocks (304Mb) written.
9984 blocks (312Mb) written.
10240 blocks (320Mb) written.
10496 blocks (328Mb) written.
10752 blocks (336Mb) written.
11008 blocks (344Mb) written.
11264 blocks (352Mb) written.
11520 blocks (360Mb) written.
11776 blocks (368Mb) written.
12032 blocks (376Mb) written.
12288 blocks (384Mb) written.
12544 blocks (392Mb) written.
12800 blocks (400Mb) written.
13056 blocks (408Mb) written.
13312 blocks (416Mb) written.
13568 blocks (424Mb) written.
13824 blocks (432Mb) written.
14080 blocks (440Mb) written.
14336 blocks (448Mb) written.
14592 blocks (456Mb) written.
14848 blocks (464Mb) written.
15104 blocks (472Mb) written.
15360 blocks (480Mb) written.
15616 blocks (488Mb) written.
15872 blocks (496Mb) written.
16128 blocks (504Mb) written.
16384 blocks (512Mb) written.
16640 blocks (520Mb) written.
16896 blocks (528Mb) written.
17152 blocks (536Mb) written.
17408 blocks (544Mb) written.
17664 blocks (552Mb) written.
17920 blocks (560Mb) written.
18176 blocks (568Mb) written.
18432 blocks (576Mb) written.
18688 blocks (584Mb) written.
18944 blocks (592Mb) written.
19200 blocks (600Mb) written.
19456 blocks (608Mb) written.
19712 blocks (616Mb) written.
19968 blocks (624Mb) written.
20224 blocks (632Mb) written.
20480 blocks (640Mb) written.
20736 blocks (648Mb) written.
20992 blocks (656Mb) written.
21248 blocks (664Mb) written.
21504 blocks (672Mb) written.
21760 blocks (680Mb) written.
22016 blocks (688Mb) written.
22272 blocks (696Mb) written.
22528 blocks (704Mb) written.
22784 blocks (712Mb) written.
23040 blocks (720Mb) written.
23296 blocks (728Mb) written.
23552 blocks (736Mb) written.
23808 blocks (744Mb) written.
24064 blocks (752Mb) written.
24320 blocks (760Mb) written.
24576 blocks (768Mb) written.
24832 blocks (776Mb) written.
25088 blocks (784Mb) written.
25344 blocks (792Mb) written.
25600 blocks (800Mb) written.
25856 blocks (808Mb) written.
26112 blocks (816Mb) written.
26368 blocks (824Mb) written.
26624 blocks (832Mb) written.
26880 blocks (840Mb) written.
27136 blocks (848Mb) written.
27392 blocks (856Mb) written.
27648 blocks (864Mb) written.
27904 blocks (872Mb) written.
28160 blocks (880Mb) written.
28416 blocks (888Mb) written.
28672 blocks (896Mb) written.
28928 blocks (904Mb) written.
29184 blocks (912Mb) written.
29440 blocks (920Mb) written.
29696 blocks (928Mb) written.
29952 blocks (936Mb) written.
30208 blocks (944Mb) written.
30464 blocks (952Mb) written.
30720 blocks (960Mb) written.
30976 blocks (968Mb) written.
31232 blocks (976Mb) written.
31488 blocks (984Mb) written.
31744 blocks (992Mb) written.
32000 blocks (1000Mb) written.
32256 blocks (1008Mb) written.
32512 blocks (1016Mb) written.
32768 blocks (1024Mb) written.
33024 blocks (1032Mb) written.
33280 blocks (1040Mb) written.
33536 blocks (1048Mb) written.
33792 blocks (1056Mb) written.
34048 blocks (1064Mb) written.
34304 blocks (1072Mb) written.
34560 blocks (1080Mb) written.
34816 blocks (1088Mb) written.
35072 blocks (1096Mb) written.
35328 blocks (1104Mb) written.
35584 blocks (1112Mb) written.
35840 blocks (1120Mb) written.
36096 blocks (1128Mb) written.
36352 blocks (1136Mb) written.
36608 blocks (1144Mb) written.
36864 blocks (1152Mb) written.
37120 blocks (1160Mb) written.
37376 blocks (1168Mb) written.
37632 blocks (1176Mb) written.
37888 blocks (1184Mb) written.
38144 blocks (1192Mb) written.
38400 blocks (1200Mb) written.
38656 blocks (1208Mb) written.
38912 blocks (1216Mb) written.
39168 blocks (1224Mb) written.
39424 blocks (1232Mb) written.
39680 blocks (1240Mb) written.
39936 blocks (1248Mb) written.
40192 blocks (1256Mb) written.
40448 blocks (1264Mb) written.
40704 blocks (1272Mb) written.
40960 blocks (1280Mb) written.
41216 blocks (1288Mb) written.
41472 blocks (1296Mb) written.
41728 blocks (1304Mb) written.
41984 blocks (1312Mb) written.
42240 blocks (1320Mb) written.
42496 blocks (1328Mb) written.
42752 blocks (1336Mb) written.
43008 blocks (1344Mb) written.
43264 blocks (1352Mb) written.
43520 blocks (1360Mb) written.
43776 blocks (1368Mb) written.
44032 blocks (1376Mb) written.
44288 blocks (1384Mb) written.
44544 blocks (1392Mb) written.
44800 blocks (1400Mb) written.
45056 blocks (1408Mb) written.
45312 blocks (1416Mb) written.
45568 blocks (1424Mb) written.
45824 blocks (1432Mb) written.
46080 blocks (1440Mb) written.
46336 blocks (1448Mb) written.
46592 blocks (1456Mb) written.
46848 blocks (1464Mb) written.
47104 blocks (1472Mb) written.
47360 blocks (1480Mb) written.
47616 blocks (1488Mb) written.
47872 blocks (1496Mb) written.
48128 blocks (1504Mb) written.
48384 blocks (1512Mb) written.
48640 blocks (1520Mb) written.
48896 blocks (1528Mb) written.
49152 blocks (1536Mb) written.
49408 blocks (1544Mb) written.
49664 blocks (1552Mb) written.
49920 blocks (1560Mb) written.
50176 blocks (1568Mb) written.
50432 blocks (1576Mb) written.
50688 blocks (1584Mb) written.
50944 blocks (1592Mb) written.
51200 blocks (1600Mb) written.
51456 blocks (1608Mb) written.
51712 blocks (1616Mb) written.
51968 blocks (1624Mb) written.
52224 blocks (1632Mb) written.
52480 blocks (1640Mb) written.
52736 blocks (1648Mb) written.
52992 blocks (1656Mb) written.
53248 blocks (1664Mb) written.
53504 blocks (1672Mb) written.
53760 blocks (1680Mb) written.
54016 blocks (1688Mb) written.
54272 blocks (1696Mb) written.
54528 blocks (1704Mb) written.
54784 blocks (1712Mb) written.
55040 blocks (1720Mb) written.
55296 blocks (1728Mb) written.
55552 blocks (1736Mb) written.
55808 blocks (1744Mb) written.
56064 blocks (1752Mb) written.
56320 blocks (1760Mb) written.
56576 blocks (1768Mb) written.
56832 blocks (1776Mb) written.
57088 blocks (1784Mb) written.
57344 blocks (1792Mb) written.
57600 blocks (1800Mb) written.
57856 blocks (1808Mb) written.
58112 blocks (1816Mb) written.
58368 blocks (1824Mb) written.
58624 blocks (1832Mb) written.
58880 blocks (1840Mb) written.
59136 blocks (1848Mb) written.
59392 blocks (1856Mb) written.
59648 blocks (1864Mb) written.
59904 blocks (1872Mb) written.
60160 blocks (1880Mb) written.
60416 blocks (1888Mb) written.
60672 blocks (1896Mb) written.
60928 blocks (1904Mb) written.
61184 blocks (1912Mb) written.
61440 blocks (1920Mb) written.
61696 blocks (1928Mb) written.
61952 blocks (1936Mb) written.
62208 blocks (1944Mb) written.
62464 blocks (1952Mb) written.
62720 blocks (1960Mb) written.
62976 blocks (1968Mb) written.
63232 blocks (1976Mb) written.
63488 blocks (1984Mb) written.
63744 blocks (1992Mb) written.
64000 blocks (2000Mb) written.
64256 blocks (2008Mb) written.
64512 blocks (2016Mb) written.
64768 blocks (2024Mb) written.
65024 blocks (2032Mb) written.
65280 blocks (2040Mb) written.
65536 blocks (2048Mb) written.
65792 blocks (2056Mb) written.
66048 blocks (2064Mb) written.
66304 blocks (2072Mb) written.
66560 blocks (2080Mb) written.
66816 blocks (2088Mb) written.
67072 blocks (2096Mb) written.
67328 blocks (2104Mb) written.
67584 blocks (2112Mb) written.
67840 blocks (2120Mb) written.
68096 blocks (2128Mb) written.
68352 blocks (2136Mb) written.
68608 blocks (2144Mb) written.
68864 blocks (2152Mb) written.
69120 blocks (2160Mb) written.
69376 blocks (2168Mb) written.
69632 blocks (2176Mb) written.
69888 blocks (2184Mb) written.
70144 blocks (2192Mb) written.
70400 blocks (2200Mb) written.
70656 blocks (2208Mb) written.
70912 blocks (2216Mb) written.
71168 blocks (2224Mb) written.
71424 blocks (2232Mb) written.
71680 blocks (2240Mb) written.
71936 blocks (2248Mb) written.
72192 blocks (2256Mb) written.
72448 blocks (2264Mb) written.
72704 blocks (2272Mb) written.
72960 blocks (2280Mb) written.
73216 blocks (2288Mb) written.
73472 blocks (2296Mb) written.
73728 blocks (2304Mb) written.
73984 blocks (2312Mb) written.
74240 blocks (2320Mb) written.
74496 blocks (2328Mb) written.
74752 blocks (2336Mb) written.
75008 blocks (2344Mb) written.
75264 blocks (2352Mb) written.
75520 blocks (2360Mb) written.
75776 blocks (2368Mb) written.
76032 blocks (2376Mb) written.
76288 blocks (2384Mb) written.
76544 blocks (2392Mb) written.
76800 blocks (2400Mb) written.
77056 blocks (2408Mb) written.
77312 blocks (2416Mb) written.
77568 blocks (2424Mb) written.
77824 blocks (2432Mb) written.
78080 blocks (2440Mb) written.
78336 blocks (2448Mb) written.
78592 blocks (2456Mb) written.
78848 blocks (2464Mb) written.
79104 blocks (2472Mb) written.
79360 blocks (2480Mb) written.
79616 blocks (2488Mb) written.
79872 blocks (2496Mb) written.
80128 blocks (2504Mb) written.
80384 blocks (2512Mb) written.
80640 blocks (2520Mb) written.
80896 blocks (2528Mb) written.
81152 blocks (2536Mb) written.
81408 blocks (2544Mb) written.
81664 blocks (2552Mb) written.
81920 blocks (2560Mb) written.
82176 blocks (2568Mb) written.
82432 blocks (2576Mb) written.
82688 blocks (2584Mb) written.
82944 blocks (2592Mb) written.
83200 blocks (2600Mb) written.
83456 blocks (2608Mb) written.
83712 blocks (2616Mb) written.
83968 blocks (2624Mb) written.
84224 blocks (2632Mb) written.
84480 blocks (2640Mb) written.
84736 blocks (2648Mb) written.
84992 blocks (2656Mb) written.
85248 blocks (2664Mb) written.
85504 blocks (2672Mb) written.
85760 blocks (2680Mb) written.
86016 blocks (2688Mb) written.
86272 blocks (2696Mb) written.
86528 blocks (2704Mb) written.
86784 blocks (2712Mb) written.
87040 blocks (2720Mb) written.
87296 blocks (2728Mb) written.
87552 blocks (2736Mb) written.
87808 blocks (2744Mb) written.
88064 blocks (2752Mb) written.
88320 blocks (2760Mb) written.
88576 blocks (2768Mb) written.
88832 blocks (2776Mb) written.
89088 blocks (2784Mb) written.
89344 blocks (2792Mb) written.
89600 blocks (2800Mb) written.
89856 blocks (2808Mb) written.
90112 blocks (2816Mb) written.
90368 blocks (2824Mb) written.
90624 blocks (2832Mb) written.
90880 blocks (2840Mb) written.
91136 blocks (2848Mb) written.
91392 blocks (2856Mb) written.
91648 blocks (2864Mb) written.
91904 blocks (2872Mb) written.
92160 blocks (2880Mb) written.
92416 blocks (2888Mb) written.
92672 blocks (2896Mb) written.
92928 blocks (2904Mb) written.
93184 blocks (2912Mb) written.
93440 blocks (2920Mb) written.
93696 blocks (2928Mb) written.
93952 blocks (2936Mb) written.
94208 blocks (2944Mb) written.
94464 blocks (2952Mb) written.
94720 blocks (2960Mb) written.
94976 blocks (2968Mb) written.
95232 blocks (2976Mb) written.
95488 blocks (2984Mb) written.
95744 blocks (2992Mb) written.
96000 blocks (3000Mb) written.
96256 blocks (3008Mb) written.
96512 blocks (3016Mb) written.
96768 blocks (3024Mb) written.
97024 blocks (3032Mb) written.
97280 blocks (3040Mb) written.
97536 blocks (3048Mb) written.
97792 blocks (3056Mb) written.
98048 blocks (3064Mb) written.
98304 blocks (3072Mb) written.
98304+0 records in
98304+0 records out

Context:

Analyst: Niklas Heringer Timestamp: 2025-05-09T07:25:54.424666+00:00

[x] No specific explanation found.
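The hashwindow=1M parameter in the dcfldd call above asks for one digest per 1 MiB window in addition to the digest of the whole image. The following Python is an added example written for this report (not dcfldd's own code) that shows what that buys: with only a total hash, two copies of an image are known to differ, with the window list the differing byte range can be pinpointed. The sample "image" is constructed, and the "start - end: digest" / "Total (sha1):" log layout is an assumption modelled on dcfldd's hashlog, not copied from the usb_dcfldd_with_extras.hash file produced above.

```python
"""Piecewise hashing as dcfldd does with hash=sha1 hashwindow=1M: one digest
per window plus a digest of the whole stream. Added example; the log layout
is an assumption modelled on dcfldd's hashlog, not copied from it."""
import hashlib

WINDOW = 1024 * 1024  # hashwindow=1M from the command above


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def piecewise_hashes(data: bytes, window: int = WINDOW, algo: str = "sha1"):
    """Return ([(start, end_exclusive, digest), ...], total_digest).

    The total is fed incrementally, so the whole image never has to be
    hashed twice; the last window may be shorter than `window`.
    """
    if window <= 0:
        raise ValueError("window must be positive")
    windows, total = [], hashlib.new(algo)
    for start in range(0, len(data), window):
        chunk = data[start:start + window]
        windows.append((start, start + len(chunk), hashlib.new(algo, chunk).hexdigest()))
        total.update(chunk)
    return windows, total.hexdigest()


def format_hashlog(windows, total_digest: str, algo: str = "sha1") -> str:
    lines = [f"{s} - {e}: {d}" for s, e, d in windows]
    lines.append(f"Total ({algo}): {total_digest}")
    return "\n".join(lines)


def differing_windows(windows_a, windows_b):
    """Byte ranges whose window digests disagree between two logs of one image.

    A single total hash only says *that* two copies differ; the window list
    says *where*, which is what makes a re-acquisition of one range possible.
    """
    if [w[:2] for w in windows_a] != [w[:2] for w in windows_b]:
        raise ValueError("window boundaries differ; logs are not comparable")
    return [(sa, ea) for (sa, ea, da), (_sb, _eb, db) in zip(windows_a, windows_b)
            if da != db]


# Constructed stand-in for an image: 3 MiB + 4096 bytes of repeating content.
IMAGE = bytes(range(256)) * (3 * 4096 + 16)


def corrupt_copy(data: bytes, offset: int) -> bytes:
    """Copy of `data` with one bit flipped at `offset` (simulates a bad sector)."""
    buf = bytearray(data)
    buf[offset] ^= 0x01
    return bytes(buf)


if __name__ == "__main__":
    good, good_total = piecewise_hashes(IMAGE)
    print(format_hashlog(good, good_total))
    bad, _ = piecewise_hashes(corrupt_copy(IMAGE, 2 * WINDOW + 17))
    print("windows that differ:", differing_windows(good, bad))
```

Running the demo prints four window lines (the last one 4096 bytes long) plus the total, and reports that only the third window, bytes 2097152 to 3145728, differs between the clean and the corrupted copy.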


[+] Timestamp: 2025-05-09T07-26-30-741366+00-00

[+] Comment from analyst: Niklas Heringer

[+] Content:

On to task 2.6


[+] Timestamp: 2025-05-09T07-34-19-247795+00-00

[+] Comment from analyst: Niklas Heringer

[+] Content:

We will now first list the file contents with fls


[+] Command: sudo fls -r -m / /dev/loop1

  • Timestamp: 2025-05-09T07-35-04-342626+00-00
  • GPG-signature: [+] Valid
  • SHA256: 6450c6a6b404c0b2b9be24ce2d37798162b9de4c921eb38727ccb12deabf1a56

Output:

[STDOUT]
0|/Bild1.jpg|4|r/rrwxrwxrwx|0|0|192827|1652068800|1652124148|0|1652124149
0|/Bild2.jpeg|6|r/rrwxrwxrwx|0|0|2148214|1652068800|1652124160|0|1652124161
0|/Blue.png|8|r/rrwxrwxrwx|0|0|15540|1652068800|1652125932|0|1652125933
0|/$MBR|100466435|v/v---------|0|0|512|0|0|0|0
0|/$FAT1|100466436|v/v---------|0|0|3141632|0|0|0|0
0|/$FAT2|100466437|v/v---------|0|0|3141632|0|0|0|0
0|/$OrphanFiles|100466438|V/V---------|0|0|0|0|0|0|0

[STDERR]

Context:

Analyst: Niklas Heringer Timestamp: 2025-05-09T07:35:08.857575+00:00

[x] No specific explanation found.


[+] Command: Invalid metadata address (fatxxfs_inode_lookup: 192827 is not an inode)

  • Timestamp: 2025-05-09T07-38-10-193453+00-00
  • GPG-signature: [+] Valid
  • SHA256: 7b36f3a2e00ddafa7c0ff65c621f6122baffcaac0e736d3ade5b12267d2b0be5

Output:

[!] Command failed:
Invalid metadata address (fatxxfs_inode_lookup: 192827 is not an inode)

Context:

Analyst: Niklas Heringer Timestamp: 2025-05-09T07:38:10.263484+00:00

[x] No specific explanation found.
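Example code added for this report (not from the analysis station or The Sleuth Kit) that parses the fls -m body-file lines above and builds a mactime-style timeline from them. It also makes the column order explicit: in the body format the third field is the metadata address (4 for Bild1.jpg), while 192827 in the seventh field is the file size, which is the value the failed icat call above rejected with "192827 is not an inode". Timestamps are rendered in UTC; the fls -l listing further down prints the same values in EDT.

```python
"""Parse the body-file (fls -m) lines above and build a mactime-style
timeline. Added example: the column order is the TSK 3.x body format
(MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime); the sample
lines are copied from the fls output above."""
from dataclasses import dataclass
from datetime import datetime, timezone

BODYFILE = """\
0|/Bild1.jpg|4|r/rrwxrwxrwx|0|0|192827|1652068800|1652124148|0|1652124149
0|/Bild2.jpeg|6|r/rrwxrwxrwx|0|0|2148214|1652068800|1652124160|0|1652124161
0|/Blue.png|8|r/rrwxrwxrwx|0|0|15540|1652068800|1652125932|0|1652125933
0|/$MBR|100466435|v/v---------|0|0|512|0|0|0|0
0|/$FAT1|100466436|v/v---------|0|0|3141632|0|0|0|0
0|/$FAT2|100466437|v/v---------|0|0|3141632|0|0|0|0
0|/$OrphanFiles|100466438|V/V---------|0|0|0|0|0|0|0
"""


@dataclass
class BodyRecord:
    md5: str
    name: str
    inode: int       # the metadata address icat expects (field 3, not the size)
    mode: str
    uid: int
    gid: int
    size: int
    atime: int
    mtime: int
    ctime: int
    crtime: int

    @property
    def is_virtual(self) -> bool:
        # TSK's $MBR, $FAT1, $FAT2 and $OrphanFiles carry type v/V, not r or d.
        return self.mode[0] in "vV"


def parse_bodyfile(text: str) -> list:
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) != 11:
            raise ValueError(f"line {lineno}: expected 11 fields, got {len(fields)}")
        md5, name, inode, mode, uid, gid, size, at, mt, ct, crt = fields
        records.append(BodyRecord(md5, name, int(inode), mode, int(uid), int(gid),
                                  int(size), int(at), int(mt), int(ct), int(crt)))
    return records


def to_utc(epoch: int) -> str:
    """Render an epoch as UTC; 0 means 'not recorded' (FAT keeps no ctime)."""
    if epoch == 0:
        return "0000-00-00 00:00:00"
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def inode_for(records, name: str) -> int:
    """Look up the metadata address to pass to icat for a path from fls -m."""
    for r in records:
        if r.name == name:
            return r.inode
    raise KeyError(name)


def build_timeline(records) -> list:
    """(epoch, 'macb' flags, name) sorted by time, like mactime's output.

    Events that share a timestamp on one file are merged into one row; zero
    timestamps are skipped, which is why the virtual $MBR/$FAT entries vanish.
    """
    rows = []
    for r in records:
        stamps = {}
        for pos, ts in enumerate((r.mtime, r.atime, r.ctime, r.crtime)):
            if ts:
                stamps.setdefault(ts, ["."] * 4)[pos] = "macb"[pos]
        rows.extend((ts, "".join(flags), r.name) for ts, flags in stamps.items())
    return sorted(rows)


if __name__ == "__main__":
    recs = parse_bodyfile(BODYFILE)
    print("icat address for /Bild1.jpg:", inode_for(recs, "/Bild1.jpg"))
    for ts, flags, name in build_timeline(recs):
        print(to_utc(ts), flags, name)
```

Two FAT properties show up directly in the output: all three files share the access timestamp 1652068800 (2022-05-09 04:00:00 UTC, midnight EDT) because FAT stores the access date without a time of day, and every ctime is 0 because FAT has no change-time field at all.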


[+] Timestamp: 2025-05-09T07-39-18-001829+00-00

[+] Comment from analyst: Niklas Heringer

[+] Content:

Correction: we will now use the -l flag to get the correct inodes from fls


[+] Command: sudo fls -o 0 -f fat -l /dev/loop1

  • Timestamp: 2025-05-09T07-39-42-150112+00-00
  • GPG-signature: [+] Valid
  • SHA256: 217b465c426599228c3b679340e8d577acbc010137f84498d4188360a80f65be

Output:

[STDOUT]
r/r 4:	Bild1.jpg	2022-05-09 15:22:28 (EDT)	2022-05-09 00:00:00 (EDT)	0000-00-00 00:00:00 (UTC)	2022-05-09 15:22:29 (EDT)	192827	0	0
r/r 6:	Bild2.jpeg	2022-05-09 15:22:40 (EDT)	2022-05-09 00:00:00 (EDT)	0000-00-00 00:00:00 (UTC)	2022-05-09 15:22:41 (EDT)	2148214	0	0
r/r 8:	Blue.png	2022-05-09 15:52:12 (EDT)	2022-05-09 00:00:00 (EDT)	0000-00-00 00:00:00 (UTC)	2022-05-09 15:52:13 (EDT)	15540	0	0
v/v 100466435:	$MBR	0000-00-00 00:00:00 (UTC)	0000-00-00 00:00:00 (UTC)	0000-00-00 00:00:00 (UTC)	0000-00-00 00:00:00 (UTC)	512	0	0
v/v 100466436:	$FAT1	0000-00-00 00:00:00 (UTC)	0000-00-00 00:00:00 (UTC)	0000-00-00 00:00:00 (UTC)	0000-00-00 00:00:00 (UTC)	3141632	0	0
v/v 100466437:	$FAT2	0000-00-00 00:00:00 (UTC)	0000-00-00 00:00:00 (UTC)	0000-00-00 00:00:00 (UTC)	0000-00-00 00:00:00 (UTC)	3141632	0	0
V/V 100466438:	$OrphanFiles	0000-00-00 00:00:00 (UTC)	0000-00-00 00:00:00 (UTC)	0000-00-00 00:00:00 (UTC)	0000-00-00 00:00:00 (UTC)	0	0	0

[STDERR]

Context:

Analyst: Niklas Heringer Timestamp: 2025-05-09T07:39:42.188633+00:00

[x] No specific explanation found.


[+] Timestamp: 2025-05-09T07-40-34-472272+00-00

[+] Comment from analyst: Niklas Heringer

[+] Content:

Now we can extract the files found with icat


[+] Command: sudo icat /dev/loop1 4 > /home/kali/Documents/analysis-station/Uebung_04/Bild1.jpg

  • Timestamp: 2025-05-09T07-40-41-860969+00-00
  • GPG-signature: [+] Valid
  • SHA256: aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f

Output:

[STDOUT]

[STDERR]

Context:

Analyst: Niklas Heringer Timestamp: 2025-05-09T07:40:41.915848+00:00

[x] No specific explanation found.


[+] Command: sudo icat /dev/loop1 6 > /home/kali/Documents/analysis-station/Uebung_04/Bild2.jpeg

  • Timestamp: 2025-05-09T07-40-57-935742+00-00
  • GPG-signature: [+] Valid
  • SHA256: aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f

Output:

[STDOUT]

[STDERR]

Context:

Analyst: Niklas Heringer Timestamp: 2025-05-09T07:40:57.991781+00:00

[x] No specific explanation found.


[+] Command: sudo icat /dev/loop1 8 > /home/kali/Documents/analysis-station/Uebung_04/Blue.png

  • Timestamp: 2025-05-09T07-41-14-892023+00-00
  • GPG-signature: [+] Valid
  • SHA256: aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f

Output:

[STDOUT]

[STDERR]

Context:

Analyst: Niklas Heringer Timestamp: 2025-05-09T07:41:14.943345+00:00

[x] No specific explanation found.


[+] Timestamp: 2025-05-09T07-41-34-889472+00-00

[+] Comment from analyst: Niklas Heringer

[+] Content:

Now we compute the hashes as a check


[+] Command: sha256sum /home/kali/Documents/analysis-station/Uebung_04/Bild1.jpg > /home/kali/Documents/analysis-station/Uebung_04/Bild1.hash

  • Timestamp: 2025-05-09T07-42-06-112318+00-00
  • GPG-signature: [+] Valid
  • SHA256: aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f

Output:

[STDOUT]

[STDERR]

Context:

Analyst: Niklas Heringer Timestamp: 2025-05-09T07:42:06.128482+00:00

[x] No specific explanation found.


[+] Command: sha256sum: /home/kali/Documents/analysis-station/Uebung_04/Bild2.jpg: No such file or directory

  • Timestamp: 2025-05-09T07-42-27-257676+00-00
  • GPG-signature: [+] Valid
  • SHA256: f2df0d991d210ebde33c1eba9038bc0c61a2fc70964881812fe8a3bbe2746ebb

Output:

[!] Command failed:
sha256sum: /home/kali/Documents/analysis-station/Uebung_04/Bild2.jpg: No such file or directory

Context:

Analyst: Niklas Heringer Timestamp: 2025-05-09T07:42:27.270390+00:00

[x] No specific explanation found.


[+] Command: sha256sum /home/kali/Documents/analysis-station/Uebung_04/Bild2.jpeg > /home/kali/Documents/analysis-station/Uebung_04/Bild2.hash

  • Timestamp: 2025-05-09T07-42-52-845786+00-00
  • GPG-signature: [+] Valid
  • SHA256: aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f

Output:

[STDOUT]

[STDERR]

Context:

Analyst: Niklas Heringer Timestamp: 2025-05-09T07:42:52.863339+00:00

[x] No specific explanation found.


[+] Command: sha256sum /home/kali/Documents/analysis-station/Uebung_04/Blue.png > /home/kali/Documents/analysis-station/Uebung_04/Blue.hash

  • Timestamp: 2025-05-09T07-43-19-290292+00-00
  • GPG-signature: [+] Valid
  • SHA256: aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f

Output:

[STDOUT]

[STDERR]

Context:

Analyst: Niklas Heringer Timestamp: 2025-05-09T07:43:19.303093+00:00

[x] No specific explanation found.


[+] Timestamp: 2025-05-09T07-44-13-453381+00-00

[+] Comment from analyst: Niklas Heringer

[+] Content:

So far we have found three images, two of an eagle or falcon and one blue image


[+] Timestamp: 2025-05-09T07-47-53-499583+00-00

[+] Comment from analyst: Niklas Heringer

[+] Content:

We also found indications of orphaned files; we will investigate that, since we have not found the PIN yet.


[+] Command: sudo fls -r -o 0 -f fat /dev/loop1 100466438

  • Timestamp: 2025-05-09T07-48-03-381375+00-00
  • GPG-signature: [+] Valid
  • SHA256: aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f

Output:

[STDOUT]

[STDERR]

Context:

Analyst: Niklas Heringer Timestamp: 2025-05-09T07:48:08.005654+00:00

[x] No specific explanation found.


[+] Command: sudo losetup -d /dev/loop0

  • Timestamp: 2025-05-09T07-56-25-044550+00-00
  • GPG-signature: [+] Valid
  • SHA256: aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f

Output:

[STDOUT]

[STDERR]

Context:

Analyst: Niklas Heringer Timestamp: 2025-05-09T07:56:27.046275+00:00

[x] No specific explanation found.


[+] Command: sudo losetup -d /dev/loop1

  • Timestamp: 2025-05-09T07-56-32-230410+00-00
  • GPG-signature: [+] Valid
  • SHA256: aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f

Output:

[STDOUT]

[STDERR]

Context:

Analyst: Niklas Heringer Timestamp: 2025-05-09T07:56:32.256258+00:00

[x] No specific explanation found.

[+] GPG-Overview

Each .log file was digitally signed with GPG where applicable. The signature status is documented per command.


3. Results

The USB stick contained three image files: two show an eagle, and the third shows nothing but the strong blue of the Hochschule Mannheim logo. We could not find anything relating to the phone PIN.


4. Sources Used

[1] [2] [3]