[++] Forensic report of case: gutachten
[++] Description
Forensic expert report in the case of Tilo Barkholz
[++] Timeline of Commands and Comments
[+] Command: ``
- Timestamp:
2025-07-14T12-40-04-233389+02-00 - GPG-signature: [+] Valid
- SHA256:
fd919e45a98f1ae9c0947eed0f758c5cc388ed705627f6eb2e150686d70814bc
Output:
[!] Command failed:
Context:
[x] Skipped: command was empty or malformed.
[+] Timestamp: 2025-07-14T12-41-43-682585+02-00
[+] Comment from analyst: Niklas Heringer
[+] Content:
That the previous mmls command shows no output may be because the image at hand a) contains no partition table, b) is corrupted, or c) is in a format that is not supported; one of the first two cases is the most likely.
[+] Command: file ForImage2.img
- Timestamp:
2025-07-14T12-42-00-750002+02-00 - GPG-signature: [+] Valid
- SHA256:
e5574e10aa2e91ce0457096afc0c31af8f3e21c5db3b95cc96154bf564d84f7d
Output:
[STDOUT]
ForImage2.img: data
[STDERR]
Context:
[+] Legal Context for file ForImage2.img
Analyst: Niklas Heringer Timestamp: 2025-07-14T13:33:27.735730+02:00
file identifies file types by examining magic numbers and headers. Useful for verifying or correcting file extensions and detecting anomalies.
[+] Command: hexdump -C Forimage2.img | head
- Timestamp:
2025-07-14T12-42-23-145012+02-00 - GPG-signature: [+] Valid
- SHA256:
ac6841b50ac32ef32fe82a77a7455cdb3a5441c04f828d72f7ffea3ca6f733de
Output:
[STDOUT]
[STDERR]
hexdump: Forimage2.img: No such file or directory
hexdump: all input file arguments failed
Context:
[+] Legal Context for hexdump -C Forimage2.img | head
Analyst: Niklas Heringer Timestamp: 2025-07-14T13:33:27.761024+02:00
hexdump displays file content in hexadecimal and ASCII. Useful for examining file headers, signatures, and patterns.
[+] Command: hexdump -C ForImage2.img | head
- Timestamp:
2025-07-14T12-42-31-319015+02-00 - GPG-signature: [+] Valid
- SHA256:
cb81adfdf9b749fd17c4f7fef893c144865f8c787bebe45b8e98a91aab896474
Output:
[STDOUT]
00000000 28 cb 32 eb 6a b7 b0 8e 3c 00 00 00 00 c0 08 70 |(.2.j...<......p|
00000010 93 5d 39 63 4c c6 71 cc eb fe 05 20 f2 97 2a f2 |.]9cL.q.... ..*.|
00000020 91 52 2a 22 b7 29 14 6a e4 01 00 00 00 00 46 24 |.R*".).j......F$|
00000030 5a 8c 59 57 23 2f 39 e7 d2 ed ee 8a c5 45 20 f2 |Z.YW#/9......E .|
00000040 a3 0b 16 89 88 38 e7 91 b5 56 ba e5 27 01 00 00 |.....8...V..'...|
00000050 00 00 c0 48 5c 9e 71 c6 18 b7 d6 4a ad b5 f4 b7 |...H\.q....J....|
00000060 13 b2 f2 10 f9 4b e9 58 ee c7 12 11 33 c6 48 c6 |.....K.X....3.H.|
00000070 98 8f 10 d1 b1 00 00 00 00 00 46 80 10 82 a2 28 |..........F....(|
00000080 62 49 92 50 96 65 44 44 9a 30 d9 15 22 3f 22 99 |bI.P.eDD.0.."?".|
00000090 a7 34 4d 59 96 65 d6 6d 0a 05 89 07 00 00 00 00 |.4MY.e.m........|
[STDERR]
Context:
[+] Legal Context for hexdump -C ForImage2.img | head
Analyst: Niklas Heringer Timestamp: 2025-07-14T13:33:27.786303+02:00
hexdump displays file content in hexadecimal and ASCII. Useful for examining file headers, signatures, and patterns.
[+] Timestamp: 2025-07-14T12-43-00-357585+02-00
[+] Comment from analyst: Niklas Heringer
[+] Content:
So the disk is at least not empty.
[+] Command: Possible encryption detected (High entropy (7.78))
- Timestamp:
2025-07-14T12-43-27-753682+02-00 - GPG-signature: [+] Valid
- SHA256:
7cf027cc2dd683a3860ce27d3fcd52f6b47597c2f8a4ef714949b9e53d0effcc
Output:
[!] Command failed:
Possible encryption detected (High entropy (7.78))
Context:
[+] Legal Context for Possible encryption detected (High entropy (7.78))
Analyst: Niklas Heringer Timestamp: 2025-07-14T13:33:27.810925+02:00
[x] No specific explanation found.
[+] Timestamp: 2025-07-14T12-47-33-066391+02-00
[+] Comment from analyst: Niklas Heringer
[+] Content:
The disk is encrypted. A short password was found on its back, possibly the passphrase, but first we now check whether the encryption type can be determined.
[+] Timestamp: 2025-07-14T12-55-11-062938+02-00
[+] Comment from analyst: Niklas Heringer
[+] Content:
fsstat suspects encryption, mmls detects no partition, hexdump shows no recognizable file system; before we mount, we must decrypt.
[+] Command: mkdir: cannot create directory ‘/mnt/crypt’: Permission denied
- Timestamp:
2025-07-14T13-04-39-432095+02-00 - GPG-signature: [+] Valid
- SHA256:
5eed114f808f358973b99c9c298586336d608a7d7716c47484861730577f9d82
Output:
[!] Command failed:
mkdir: cannot create directory ‘/mnt/crypt’: Permission denied
Context:
[+] Legal Context for mkdir: cannot create directory ‘/mnt/crypt’: Permission denied
Analyst: Niklas Heringer Timestamp: 2025-07-14T13:33:27.836004+02:00
[x] No specific explanation found.
[+] Command: sudo mkdir -p /mnt/crypt
- Timestamp:
2025-07-14T13-04-46-220116+02-00 - GPG-signature: [+] Valid
- SHA256:
aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f
Output:
[STDOUT]
[STDERR]
Context:
[+] Legal Context for sudo mkdir -p /mnt/crypt
Analyst: Niklas Heringer Timestamp: 2025-07-14T13:33:27.861090+02:00
[!] Note: This command was executed with administrative rights (sudo).
mkdir creates a directory. In forensic workflows, it is often used to prepare target folders for mounts or exported data.
The -p option ensures that parent directories are created as needed. It also avoids errors if the target directory already exists.
[+] Command: ``
- Timestamp:
2025-07-14T13-05-08-024574+02-00 - GPG-signature: [+] Valid
- SHA256:
fd919e45a98f1ae9c0947eed0f758c5cc388ed705627f6eb2e150686d70814bc
Output:
[!] Command failed:
Context:
[x] Skipped: command was empty or malformed.
[+] Command: Error: Operation failed due to one or more of the following:
- Timestamp:
2025-07-14T13-07-02-580209+02-00 - GPG-signature: [+] Valid
- SHA256:
9350ce5c321f06ca5ca9e7abae3402fe8d9d6d8ea4704f55b8d3bf2c652ed876
Output:
[!] Command failed:
Error: Operation failed due to one or more of the following:
- Incorrect password.
- Incorrect Volume PIM number.
- Incorrect PRF (hash).
- Not a valid volume.
- Volume uses an old algorithm that has been removed.
- TrueCrypt format volumes are no longer supported.
Context:
[+] Legal Context for Error: Operation failed due to one or more of the following:
Analyst: Niklas Heringer Timestamp: 2025-07-14T13:33:27.895483+02:00
[x] No specific explanation found.
[+] Command: sudo losetup --show -f ForImage2.img
- Timestamp:
2025-07-14T13-08-09-130846+02-00 - GPG-signature: [+] Valid
- SHA256:
06e8e0c85abc1ce20202e0043228bd03c02f0b4065d4b70a98f97488dc4a2f38
Output:
[STDOUT]
/dev/loop0
[STDERR]
Context:
[+] Legal Context for sudo losetup --show -f ForImage2.img
Analyst: Niklas Heringer Timestamp: 2025-07-14T13:33:27.950809+02:00
[!] Note: This command was executed with administrative rights (sudo).
losetup sets up a loop device to treat a file (like a disk image) as a block device. This lets partition, file-system and decryption tools that expect a block device operate on a forensic disk image.
Outputs the created loop device — useful for automation and scripting.
[+] Command: Device /dev/loop0 is not a valid LUKS device.
- Timestamp:
2025-07-14T13-08-33-250979+02-00 - GPG-signature: [+] Valid
- SHA256:
19de76617d7416f38df3b577ad24e9b08b499d34b330ec80e4cf1d5ddc70416f
Output:
[!] Command failed:
Device /dev/loop0 is not a valid LUKS device.
Context:
[+] Legal Context for Device /dev/loop0 is not a valid LUKS device.
Analyst: Niklas Heringer Timestamp: 2025-07-14T13:33:27.976530+02:00
[x] No specific explanation found.
[+] Timestamp: 2025-07-14T13-09-13-718013+02-00
[+] Comment from analyst: Niklas Heringer
[+] Content:
So we know: not VeraCrypt, not LUKS; now we test BitLocker.
[+] Command: sudo mkdir -p /mnt/dislocker
- Timestamp:
2025-07-14T13-09-29-295457+02-00 - GPG-signature: [+] Valid
- SHA256:
aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f
Output:
[STDOUT]
[STDERR]
Context:
[+] Legal Context for sudo mkdir -p /mnt/dislocker
Analyst: Niklas Heringer Timestamp: 2025-07-14T13:33:28.001769+02:00
[!] Note: This command was executed with administrative rights (sudo).
mkdir creates a directory. In forensic workflows, it is often used to prepare target folders for mounts or exported data.
The -p option ensures that parent directories are created as needed. It also avoids errors if the target directory already exists.
[+] Command: ``
- Timestamp:
2025-07-14T13-12-40-283904+02-00 - GPG-signature: [+] Valid
- SHA256:
fd919e45a98f1ae9c0947eed0f758c5cc388ed705627f6eb2e150686d70814bc
Output:
[!] Command failed:
Context:
[x] Skipped: command was empty or malformed.
[+] Command: ls /mnt/dislocker
- Timestamp:
2025-07-14T13-12-56-961960+02-00 - GPG-signature: [+] Valid
- SHA256:
aec4dbdae6db78716bf86b6c6d3a9f3327d00c39a9d0715fb7ff7b953c1c499f
Output:
[STDOUT]
[STDERR]
Context:
[+] Legal Context for ls /mnt/dislocker
Analyst: Niklas Heringer Timestamp: 2025-07-14T13:33:28.036568+02:00
ls lists files in a directory. It is used to gain an overview and does not modify data.
[+] Timestamp: 2025-07-14T13-14-26-335058+02-00
[+] Comment from analyst: Niklas Heringer
[+] Content:
It does not appear to be BitLocker either.
[+] Command: sudo file -s /dev/loop0
- Timestamp:
2025-07-14T13-31-07-259372+02-00 - GPG-signature: [+] Valid
- SHA256:
e5b945a88f260856d6462f69c02d317d93ff08c94e0f6536cf3e14141d11c92d
Output:
[STDOUT]
/dev/loop0: data
[STDERR]
Context:
[+] Legal Context for sudo file -s /dev/loop0
Analyst: Niklas Heringer Timestamp: 2025-07-14T13:33:28.061908+02:00
[!] Note: This command was executed with administrative rights (sudo).
file identifies file types by examining magic numbers and headers. Useful for verifying or correcting file extensions and detecting anomalies.
[+] GPG-Overview
Each .log file was digitally signed with GPG where applicable.
The signature status is documented per command.
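[++] Added example: signature check and chunked entropy for an unknown image
The following Python script is an added illustration and is not part of the report or of the logging tool that produced it. It reproduces the reasoning recorded in the timeline (mmls: no partition table; file: "data"; hexdump: no recognizable header; entropy 7.78 bits per byte) as code: first look for cleartext magic values that an unencrypted volume, a LUKS header or a BitLocker volume would expose, then measure Shannon entropy per chunk. The 160 sample bytes are exactly those printed in the hexdump entry above; the signature table, the 4096-byte chunk size, the 7.5-bit threshold and the seeded random block standing in for ciphertext are assumptions made for this example.

```python
"""Triage of an unknown disk image: cleartext-signature check followed by
chunked Shannon entropy. Added example; not code from the report."""
import math
import random
from collections import Counter

# Cleartext magics that an unencrypted volume, or an encryption format with a
# cleartext header, would expose (documented offsets). VeraCrypt is deliberately
# absent: its header is itself encrypted and shows no magic, which is why the
# timeline could only try it with a passphrase.
SIGNATURES = [
    ("LUKS header", 0, b"LUKS\xba\xbe"),
    ("BitLocker volume", 3, b"-FVE-FS-"),
    ("NTFS volume", 3, b"NTFS    "),
    ("boot-sector signature (MBR/VBR)", 510, b"\x55\xaa"),
]

# First 160 bytes of ForImage2.img as printed by the hexdump entry in the timeline.
SAMPLE_HEADER = bytes.fromhex(
    "28cb32eb6ab7b08e3c00000000c00870"
    "935d39634cc671ccebfe0520f2972af2"
    "91522a22b729146ae401000000004624"
    "5a8c5957232f39e7d2edee8ac54520f2"
    "a30b16898838e791b556bae527010000"
    "0000c0485c9e71c618b7d64aadb5f4b7"
    "13b2f210f94be958eec7121133c648c6"
    "988f10d1b1000000000046801082a228"
    "62499250966544449a30d915223f2299"
    "a7344d599665d66d0a05890700000000"
)

# Constructed stand-in for 64 KiB of ciphertext (seeded, so the run is reproducible).
RANDOM_BLOCK = random.Random(2025).randbytes(65536)


def find_signature(data: bytes):
    """First matching (name, offset) from SIGNATURES, or None; short data matches nothing."""
    for name, offset, magic in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return name, offset
    return None


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return max(0.0, -sum(c / n * math.log2(c / n) for c in Counter(data).values()))


def chunk_entropies(data: bytes, chunk_size: int = 4096) -> list:
    """Entropy per chunk; per-chunk values expose mixed images that one whole-file figure hides."""
    return [shannon_entropy(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size)]


def triage(data: bytes, chunk_size: int = 4096, threshold: float = 7.5) -> dict:
    """Signature first, entropy second. The 7.5-bit threshold is an assumption, not a standard."""
    sig = find_signature(data)
    chunks = chunk_entropies(data, chunk_size)
    high = sum(1 for e in chunks if e >= threshold)
    result = {
        "signature": sig,
        "entropy": round(shannon_entropy(data), 3),
        "chunks": len(chunks),
        "high_entropy_chunks": high,
    }
    if sig:
        result["verdict"] = f"cleartext structure found: {sig[0]} at offset {sig[1]}"
    elif len(data) < chunk_size:
        # log2(n) bits is the ceiling for n distinct bytes: 160 bytes can never reach 7.5 bits,
        # so a hexdump excerpt alone supports no entropy verdict.
        ceiling = math.log2(len(data)) if data else 0.0
        result["verdict"] = f"too little data for an entropy verdict (ceiling {ceiling:.2f} bits)"
    elif high == len(chunks):
        result["verdict"] = "uniformly high entropy: encrypted or compressed data, no cleartext header"
    elif high:
        result["verdict"] = f"mixed content: {high} of {len(chunks)} chunks are high-entropy"
    else:
        result["verdict"] = "low entropy: plaintext, sparse or structured data"
    return result


if __name__ == "__main__":
    for label, blob in [("hexdump excerpt", SAMPLE_HEADER),
                        ("ciphertext stand-in", RANDOM_BLOCK),
                        ("half ciphertext, half zeros", RANDOM_BLOCK[:16384] + b"\x00" * 16384)]:
        print(label, triage(blob))
```

Two caveats the verdict strings encode: high entropy does not distinguish encryption from compression (a compressed archive scores just as high), and a whole-image figure such as 7.78 bits says nothing about where the entropy sits; purely random data approaches 8.0 bits over megabyte-sized input, so per-chunk values are what separate a fully encrypted volume from an image with mixed content.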