Prof. Price Lab 2 - Rhino Hunt!
Class: CYBR-405
Notes:
Questions
Q1
Do the reported hash values match the evidence?
Options:
- True
- False
Overall explanation:
- Instruction of the professor
Q2
How many files were visible (not deleted) on the USB thumb drive image?
Options:
- 0
- 2
- 7
- 9
Overall explanation:
- Open the Lab2 folder and mount the RHINOUSB.dd image to see its contents. To mount an image, right click on it, select "Open With", and choose "Disk Image Mounter".

Q3
How many image (picture) files did you recover from the file carve process?
Options:
- 0
- 100
- 9
- 12
Overall explanation:
- To recover deleted files, we will use a program named Photorec. To launch the program, open a terminal window on the Desktop, type photorec, hit enter, and type your Kali password when prompted.
- Use the arrow down button to select the 259 MB partition and hit enter to proceed.
- Select the FAT16 partition and hit enter to search.
- Select "Other" for filesystem type and hit enter to proceed.
- Select "Free" and hit enter to proceed.
- Hit Shift and C (capital C) to select the default storage location for the search results. The default location should be where you opened the terminal window; for example, if the terminal window was opened from the Desktop, the results are saved on the Desktop.
- After the search, Photorec will indicate if it was able to recover any files and where those recovered files were stored. Hit "Q" twice to quit the program.
- Note that we got 132 files saved in ...
- Open the recup_dir.1 folder to see the recovered files. (Note: to delete recup_dir.1, open a terminal window, type sudo chmod 777 recup_dir.1, and hit enter.)
- There are 9 image files (jpg or gif).
- The pictures and the .doc file are the only files recovered of evidentiary significance for this lab.
- Review the evidence you have processed so far to determine if you can answer any of the questions. When done, unmount the image; you should not need it anymore.
- To unmount the image, right click on the image icon and select "Unmount Volume".
Q4
How many recovered files from the USB image were rhino pictures?
Options:
- 0
- 4
- 7
- 10
Overall explanation:
- Run the following command to open the .jpg files and inspect them:
feh *.jpg
- This will show the first image first, and if you click on the window it will change to the next image.
- In total there are 7 .jpg files, so at the top of the window it will say feh [1 of 7].
- Cycle through them to see which ones are rhinos. I found only 2 .jpgs that had pictures of rhinos.
- Run the following command to open the .gif files and inspect them:
feh *.gif
- Same process as for the .jpg files.
- Both of the .gif files had rhino pictures!
- In total this gives us 4 rhino pictures.
Q5
Were any files recovered from the network captures?
Options:
- True
- False
Overall explanation:
- The next step is to process the 3 network traces (rhino.log, rhino2.log, rhino3.log). To do that, you will use a tool in Kali named Wireshark. Navigate to where the network trace files are stored. Right click on the first one you want to open and select "Open With", which will open a drop-down menu to the right. Next select "Open With Other Application" and go through the list until you find Wireshark, select it and then hit Open.
- Once the capture is opened in Wireshark, select File at the top again, then select Export Objects and start with FTP-DATA to export the data transferred over the File Transfer Protocol.
- Wireshark searches the capture for transferred objects and provides an easy method to export them. Hit the Save All button and select the output location.
- Answer: yes, we were able to recover some files from the network capture.
Q6
Who gave the accused a telnet/ftp account?
Options:
- Jeremy
- Mary
- Frederick
- Boudreaux
Overall explanation:
- In Wireshark select File at the top again, select Export Objects again, but this time you will select HTTP (HyperText Transfer Protocol).
- Hit Save to export a single file, Save All to export everything, or Close if there is nothing you want to export.
- Once having done that for the three .log files and having them in the current directory, we can run a quick search for each of the user options to check which one is mentioned in any of the files.
Go to the Evidence directory and list all files:
┌──(kali㉿kali)-[~/Desktop/ProfPriceLabs/Lab2/Evidence]
└─$ ll
total 257132
drwxrwxr-x 2 root root 4096 Feb 27 13:13 ftp_capture
drwxrwxr-x 2 kali kali 12288 Feb 27 00:12 http_capture1
drwxrwxr-x 2 kali kali 4096 Feb 27 16:02 http_capture2
drwxrwxr-x 2 kali kali 4096 Feb 27 16:09 http_capture3
-rw-r--r-- 1 kali kali 41118 Feb 26 21:47 photorec.se2
drwxr-xr-x 2 root root 4096 Feb 26 21:56 recup_dir.1
drwxr-xr-x 2 root root 4096 Feb 26 21:47 recup_dir.2
-rw-r--r-- 1 kali kali 292604 Sep 15 12:04 rhino2.log
-rw-r--r-- 1 kali kali 226094 Sep 15 12:04 rhino3.log
-rw-r--r-- 1 kali kali 3187907 Sep 15 12:04 rhino.log
-rw-r--r-- 1 kali kali 259506176 Sep 15 12:04 RHINOUSB.dd
Use grep to search globally among all the files in the current directory:
┌──(kali㉿kali)-[~/Desktop/ProfPriceLabs/Lab2/Evidence]
└─$ grep -R -i "jeremy" .
grep: ./RHINOUSB.dd: binary file matches
grep: ./recup_dir.1/f0335017_She_died_in_February_at_the_age_of_74.doc: binary file matches
┌──(kali㉿kali)-[~/Desktop/ProfPriceLabs/Lab2/Evidence]
└─$ grep -R -i "mary" .
┌──(kali㉿kali)-[~/Desktop/ProfPriceLabs/Lab2/Evidence]
└─$ grep -R -i "frederick" .
┌──(kali㉿kali)-[~/Desktop/ProfPriceLabs/Lab2/Evidence]
└─$ grep -R -i "boudreaux" .
- Note how jeremy is the only search that returned matches within the directory.
- This means:
  - The string "jeremy" exists somewhere in the evidence.
  - The other names do not.
- Why it says "binary file matches":
  - It means the name appears inside a binary file (like the disk image RHINOUSB.dd or a recovered document), not a plain text file, so grep reports the match without printing the matching line.
  - That's completely normal in forensic investigations.
Using strings on the USB disk image:
┌──(kali㉿kali)-[~/Desktop/ProfPriceLabs/Lab2/Evidence]
└─$ strings RHINOUSB.dd | grep -i jeremy
- The strings command is a Unix/Linux utility used to find and print human-readable character sequences (strings) embedded within binary files.
- It is most commonly used to peek inside executable programs, object files, or core dumps to find things like error messages, library dependencies, or configuration paths without needing to run the file.
- In this case, to make sure that Jeremy is our correct answer, I went ahead and printed a few lines around where the word Jeremy made an appearance.
Output:
m gonna reformat my USB key after this entry, but try not to destroy the good stuff. I need to change the password on the gnome account that Jeremy gave me. I can probably just do that at Radio Shack.
- "I need to change the password on the gnome account that Jeremy gave me."
- That sentence directly answers the question.
- The answer is Jeremy.
Just to check the second appearance of the word Jeremy, I will also run strings on the recovered file:
┌──(kali㉿kali)-[~/Desktop/ProfPriceLabs/Lab2/Evidence]
└─$ strings recup_dir.1/f0335017_She_died_in_February_at_the_age_of_74.doc | grep -i jeremy
m gonna reformat my USB key after this entry, but try not to destroy the good stuff. I need to change the password on the gnome account that Jeremy gave me. I can probably just do that at Radio Shack.
- Exactly the same output!
- This makes sense because we recovered this deleted file from the USB image.
Q7
What’s the password for the account?
Options:
- gumbo123
- password123
- rhino123
- gnome123
Overall explanation:
- While in a Wireshark session (on rhino.log), select Tools and then select Credentials to find the username and password strings.
- Click on the blue hyperlinked number in the Packet No. column to see the related PASS (password) request highlighted in the capture, or click on the blue hyperlinked name in the Username column to see the USER request.
- We got the password: gnome123
Q8
Do the network traces contain Rhino pictures?
Options:
- True
- False
Overall explanation:
- Yes, when recovering files from the FTP objects there were certainly some rhino pictures.
Q9
Where is the hard drive that used to be in the computer?
Options:
- Radio Shack
- Unknown
- Mississippi River
- Tatooine
Overall explanation:
- Let's apply the same technique we used for the name of the account giver.
- I will use grep to search among all the files in the Evidence directory:
┌──(kali㉿kali)-[~/Desktop/ProfPriceLabs/Lab2/Evidence]
└─$ grep -R -i "Radio Shack" .
grep: ./RHINOUSB.dd: binary file matches
grep: ./recup_dir.1/f0335017_She_died_in_February_at_the_age_of_74.doc: binary file matches
┌──(kali㉿kali)-[~/Desktop/ProfPriceLabs/Lab2/Evidence]
└─$ grep -R -i "Mississippi" .
grep: ./RHINOUSB.dd: binary file matches
grep: ./recup_dir.1/f0335017_She_died_in_February_at_the_age_of_74.doc: binary file matches
┌──(kali㉿kali)-[~/Desktop/ProfPriceLabs/Lab2/Evidence]
└─$ grep -R -i "Tatooine" .
- From this output, we can already discard the "Tatooine" and the "Unknown" options.
Now I will use strings to show the content around these appearances.
┌──(kali㉿kali)-[~/Desktop/ProfPriceLabs/Lab2/Evidence]
└─$ strings RHINOUSB.dd | grep -i -C 10 "Radio Shack"
Output:
Feeling certain there was a curse upon my head, I gave up, returned home, and took a shower.
Do you have to be a gold member to put in background pics??
A little background: When I was 14, I had eye surgery to correct a birth defect. When I called them the other day to find out when they were open, I got someone very, very stern. And they sent a snotty fool down from Buffalo to run the store. However, after a while of dealing with her crap, management decided they wanted some more room in the store to put...whatever. What
s the point.
Most of the rides we wanted to take were sold out, but we got to ride on a tall ship from 3-5, which is exactly what we wanted. I found this site that is full of surveys through some people who are now obsessed with the site.
Rhino pictures illegal? Makes me sick. I
the photos
hehehehe. Apparently, if there are less than 10 photos, it
s no big deal.
OK. Things are getting a little weird. I zapped the hard drive and then threw it into the Mississippi River. I
m gonna reformat my USB key after this entry, but try not to destroy the good stuff. I need to change the password on the gnome account that Jeremy gave me. I can probably just do that at Radio Shack.
┌──(kali㉿kali)-[~/Desktop/ProfPriceLabs/Lab2/Evidence]
└─$ strings RHINOUSB.dd | grep -i -C 10 "Mississippi"
Output:
I still have to tell my Tom & Jerry story... probably tomorrow if I have time.
Feeling certain there was a curse upon my head, I gave up, returned home, and took a shower.
Do you have to be a gold member to put in background pics??
A little background: When I was 14, I had eye surgery to correct a birth defect. When I called them the other day to find out when they were open, I got someone very, very stern. And they sent a snotty fool down from Buffalo to run the store. However, after a while of dealing with her crap, management decided they wanted some more room in the store to put...whatever. What
s the point.
Most of the rides we wanted to take were sold out, but we got to ride on a tall ship from 3-5, which is exactly what we wanted. I found this site that is full of surveys through some people who are now obsessed with the site.
Rhino pictures illegal? Makes me sick. I
the photos
hehehehe. Apparently, if there are less than 10 photos, it
s no big deal.
OK. Things are getting a little weird. I zapped the hard drive and then threw it into the Mississippi River. I
m gonna reformat my USB key after this entry, but try not to destroy the good stuff. I need to change the password on the gnome account that Jeremy gave me. I can probably just do that at Radio Shack.
- Both commands return exactly the same paragraph.
- Reading it, I found "I zapped the hard drive and then threw it into the Mississippi River"
- This sentence gives the answer!
- The hard drive is in the Mississippi River.
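The search technique used in Q6 and in the hard drive question above (grep -R to see which candidate answer appears anywhere, then strings to read the surrounding text) wrapped into reusable shell functions, as an added example that is not part of the original lab notes. It runs against a small constructed stand-in for RHINOUSB.dd (diary fragments modelled on the recovered paragraph, padded with NUL bytes), not the real evidence; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the lab notes): which candidate answers occur in
# binary evidence, and the readable text around each hit.

# Constructed sample "image": diary lines surrounded by NUL bytes, standing
# in for RHINOUSB.dd. Usage: make_sample_image OUTFILE
make_sample_image() {
    {
        head -c 64 /dev/zero
        printf 'I zapped the hard drive and then threw it into the Mississippi River.\n'
        head -c 32 /dev/zero
        printf 'I need to change the password on the gnome account that Jeremy gave me.\n'
        printf 'I can probably just do that at Radio Shack.\n'
        head -c 64 /dev/zero
    } > "$1"
}

# What strings(1) does: keep runs of 4+ printable bytes from stdin. Uses
# strings when installed, otherwise a tr-based fallback, so it runs anywhere.
printable_runs() {
    if command -v strings >/dev/null 2>&1; then
        strings
    else
        LC_ALL=C tr -c '[:print:]' '\n' | grep -E '.{4,}'
    fi
}

# Print, one per line, the candidates found (case-insensitively) in any file
# under DIR. Same idea as the page's grep -R -i loop over the options, but it
# reports which names matched instead of just "binary file matches".
# Usage: matching_candidates DIR NAME...
matching_candidates() {
    dir="$1"; shift
    for name in "$@"; do
        if find "$dir" -type f -exec cat {} + | printable_runs | grep -qi -- "$name"; then
            printf '%s\n' "$name"
        fi
    done
}

# Readable text around each hit, equivalent to: strings FILE | grep -i -C N KEYWORD
# Usage: context_for FILE KEYWORD [N]   (N defaults to 2 lines of context)
context_for() {
    printable_runs < "$1" | grep -i -C "${3:-2}" -- "$2"
}

# Stand-alone demo on the constructed data:
#   tmp=$(mktemp -d); make_sample_image "$tmp/sample.dd"
#   matching_candidates "$tmp" jeremy mary frederick boudreaux   # prints: jeremy
#   context_for "$tmp/sample.dd" mississippi 1
```

On the real Evidence directory, matching_candidates . jeremy mary frederick boudreaux reproduces the four grep runs in one call, and context_for RHINOUSB.dd "Radio Shack" 10 is the strings command shown above.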
Q10
What happened to the USB key?
Options:
- nothing
- wiped
- neutralized
- reformatted
Overall explanation:
- From the recovered paragraph we know the USB key was later reformatted.