June 14, 2017
WannaCrack! A Mix of Digital Forensics + Python Cracking
~$ whoami

I am Aslam Admani, and this is an interactive article that's most beneficial if you can practically follow along.

~$ Setting_The_Scene

You are a digital forensic analyst. Your boss has given you a USB flash drive which was recovered from a suspect's home. He is suspected of fraud involving credit card scams.

Inside the USB are the following files (which you must set up yourself):
- Let's download an image and rename it: BlvckAr7.jpg.
- This is a basic image; within it we'll place a secret file, i.e. use steganography, which we'll come to a little later.
- Right click the image, then select "save as" or "save image as" to save this file to your computer.
- A zip file, which appears to be password protected... We'll come to this later.
- Kali Linux OS (on any environment)
- If you do not have a Kali box, there are plenty of tutorials out there which go through a step-by-step process to install and configure it properly. NOTE: it would not be worth installing and configuring a Kali machine SPECIFICALLY for this article. However, I would suggest it if you're interested in hacking and forensics in general. I'll leave links towards the end of this article for tutorials and guides on the installation process.
- A USB flash drive (to set the scene, this isn't a necessity though)
- sudo apt-get upgrade (if your machine requires upgrading)
- sudo apt-get install steghide
- steghide embed -cf BlvckAr7.jpg -ef S3CR37Z.txt (S3CR37Z.txt is the text file holding the secret contents you want to hide inside the image; create it first)
- Next, it will ask you for a password. For this, we will use qwerty123 (Of course this is significantly insecure, however, the criminal assumes nobody would know that the file is hidden inside of the image).
- Once we have completed this successfully we can delete S3CR37Z.txt
- Type in rm S3CR37Z.txt (to remove the text file with the secret contents).
- zip -e cats.zip BlvckAr7.jpg
- Again, it will ask you for a password, which we will set as scarface23 (this password is more secure than the last, but is it really strong?)
- mkdir Secure_Store
- cd Secure_Store; mkdir image logical physical analysis
- image will contain the bit-by-bit copied image
- physical will contain the contents of the USB
- and analysis will have our analysis of the USB, i.e. our findings.
- df -hl (this will list the drives within your machine)
- Look for the flash drive in the output. If you have difficulty finding it, unplug it, run the same command again and compare the two results.
- umount /media/root/Name_of_USB
- now type the df command again to see if it has been removed from the list.
- dd if=/dev/sdb1 of=~/Desktop/Secure_Store/image/USB_image.dd
- Where it says /dev/sdb1 in this example, you may need to change it depending on the output of your df -hl command.
- ***NOTE BE VERY CAUTIOUS***
- md5sum /dev/sdb1
- md5sum ~/Desktop/Secure_Store/image/USB_image.dd
- if these provide the exact same result, we're good to go!
- It may be best to note these down, or store them in a text file, for the final report (We won't be going over the report as part of this article)
- mount ~/Desktop/Secure_Store/image/USB_image.dd ~/Desktop/Secure_Store/physical
- python zipCracker.py
- exiftool BlvckAr7.jpg
- if this command doesn't work, use sudo apt-get install exiftool to install it.
- steghide extract -sf BlvckAr7.jpg
- it's asking us for a passphrase, what do we do here!
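The `python zipCracker.py` step above assumes a script the article does not reproduce. The following is an added example, not the author's zipCracker.py: a dictionary attack against a ZipCrypto-protected member using only Python's standard `zipfile`, which already performs the two checks a cracker relies on (the 12-byte header's check byte, then the CRC-32 of the decrypted data). Because `zipfile` can read but not write encrypted archives, the block also carries a small constructed ZipCrypto encryptor and a one-member zip writer so it runs offline; the sample data, the base word list and the suffix pattern are constructed here, and `scarface23` is the password the article assigns to cats.zip.

```python
"""Dictionary attack on a ZipCrypto-protected archive (added example, not the
article's zipCracker.py). The encryptor and zip writer exist only so the demo
is self-contained; sample data and word list are constructed."""
import io
import os
import struct
import zipfile
import zlib


# CRC-32 table (reflected polynomial 0xEDB88320) used by the ZipCrypto key update.
def _gen_crc(crc):
    for _ in range(8):
        crc = (crc >> 1) ^ 0xEDB88320 if crc & 1 else crc >> 1
    return crc


_CRC_TABLE = [_gen_crc(i) for i in range(256)]


class ZipCryptoEncryptor:
    """Traditional PKWARE ('ZipCrypto') stream cipher, encryption direction."""

    def __init__(self, password: bytes):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self._update(b)

    def _update(self, b):
        self.k0 = _CRC_TABLE[(self.k0 ^ b) & 0xFF] ^ (self.k0 >> 8)
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _CRC_TABLE[(self.k2 ^ (self.k1 >> 24)) & 0xFF] ^ (self.k2 >> 8)

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for c in data:
            k = self.k2 | 2
            out.append(c ^ (((k * (k ^ 1)) >> 8) & 0xFF))  # keystream byte
            self._update(c)                                 # keys advance on the plaintext byte
        return bytes(out)


def make_encrypted_zip(name: str, data: bytes, password: bytes) -> bytes:
    """Build a one-member, stored, ZipCrypto-encrypted archive in memory."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    # 12-byte encryption header: 11 random bytes, then the CRC's high byte.
    # That single byte is all a reader can verify before decrypting the member,
    # so a wrong password is rejected immediately ~255 times in 256 and caught
    # by the CRC-32 check in the remaining case.
    header = os.urandom(11) + bytes([(crc >> 24) & 0xFF])
    body = ZipCryptoEncryptor(password).encrypt(header + data)
    fname = name.encode("ascii")
    flags, method = 0x0001, zipfile.ZIP_STORED          # bit 0 = encrypted
    mtime, mdate = 0, ((2017 - 1980) << 9) | (6 << 5) | 14  # DOS date for 2017-06-14
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, mtime, mdate,
                        crc, len(body), len(data), len(fname), 0) + fname
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method, mtime,
                          mdate, crc, len(body), len(data), len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central),
                       len(local) + len(body), 0)
    return local + body + central + eocd


def try_password(zf: zipfile.ZipFile, info: zipfile.ZipInfo, pwd: bytes):
    """Return the member's plaintext if pwd is right, else None.
    zipfile raises RuntimeError on a failed check byte and BadZipFile on a CRC
    mismatch; zlib.error covers a deflated member fed garbage."""
    try:
        with zf.open(info, pwd=pwd) as f:
            return f.read()
    except (RuntimeError, zipfile.BadZipFile, zlib.error):
        return None


def decrypt_member(zip_bytes: bytes, pwd: bytes):
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return try_password(zf, zf.infolist()[0], pwd)


def candidate_passwords(base_words):
    """Constructed word list: each base word bare, then with a 0-99 suffix,
    the pattern 'scarface23' follows."""
    for w in base_words:
        yield w
        for n in range(100):
            yield f"{w}{n}"


def crack_zip(zip_bytes: bytes, candidates):
    """Try each candidate against the first member; return the first that opens it."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        info = zf.infolist()[0]
        for pw in candidates:
            if try_password(zf, info, pw.encode()) is not None:
                return pw
    return None


# Constructed stand-in for the picture the article zips into cats.zip.
SAMPLE_DATA = b"constructed stand-in for the bytes of BlvckAr7.jpg"
BASE_WORDS = ["password", "qwerty", "letmein", "scarface"]

if __name__ == "__main__":
    archive = make_encrypted_zip("BlvckAr7.jpg", SAMPLE_DATA, b"scarface23")
    print("recovered password:", crack_zip(archive, candidate_passwords(BASE_WORDS)))
```

The point for the report is the one the article hints at: a dictionary word with a two-digit suffix is a few hundred guesses per base word, and ZipCrypto gives the attacker a cheap per-guess check byte, so the protection on cats.zip rests entirely on the password not being guessable.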