Exercise – Filecarving USB Stick
1. Introduction
Someone was able to hack one of your staff’s computer and is now blackmailing you. He has received an email containing a file called blackmail.docx. You have a reasonable suspicion that the hacker is one of the other employees and so you told the system administrator to confiscate the suspect’s USB stick. The system administrator confiscated the stick and created a dd image. Eventually he gave it to you for a forensic analysis.
- Download USB dd Image (get it from RESOURCES)
- Unzip USBStickCarving.zip
- Linux Forensic Tools (e.g. https://livecd.hacking-lab.com)
Your goal is:
- Analyze the image of the USB stick.
- Identify the Volume Serial Number of the image
- Search for a copy of blackmail.docx on the image.
- Is there anything else suspiscious?
2. Answer and Solution
Extract dd image
Analyze disk image
fsstat usb_stick.dd
Volume Serial Number is: AE78E78878E74DA1
─ ~/Desktop/Exercises/10 - Forensics/File Carving ✔
╰─ fsstat usb_stick.dd
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: NTFS
Volume Serial Number: AE78E78878E74DA1
OEM Name: NTFS
Volume Name: USB Drive
Version: Windows XP
METADATA INFORMATION
--------------------------------------------
First Cluster of MFT: 43690
First Cluster of MFT Mirror: 2
Size of MFT Entries: 1024 bytes
Size of Index Records: 4096 bytes
Range: 0 - 768
Root Directory: 5
CONTENT INFORMATION
--------------------------------------------
Sector Size: 512
Cluster Size: 4096
Total Cluster Range: 0 - 131070
Total Sector Range: 0 - 1048574
$AttrDef Attribute Values:
$STANDARD_INFORMATION (16) Size: 48-72 Flags: Resident
$ATTRIBUTE_LIST (32) Size: No Limit Flags: Non-resident
$FILE_NAME (48) Size: 68-578 Flags: Resident,Index
$OBJECT_ID (64) Size: 0-256 Flags: Resident
$SECURITY_DESCRIPTOR (80) Size: No Limit Flags: Non-resident
$VOLUME_NAME (96) Size: 2-256 Flags: Resident
$VOLUME_INFORMATION (112) Size: 12-12 Flags: Resident
$DATA (128) Size: No Limit Flags:
$INDEX_ROOT (144) Size: No Limit Flags: Resident
$INDEX_ALLOCATION (160) Size: No Limit Flags: Non-resident
$BITMAP (176) Size: No Limit Flags: Non-resident
$REPARSE_POINT (192) Size: 0-16384 Flags: Non-resident
$EA_INFORMATION (208) Size: 8-8 Flags: Resident
$EA (224) Size: 0-65536 Flags:
$LOGGED_UTILITY_STREAM (256) Size: 0-65536 Flags: Non-resident
Mounting dd image:
mount usb_stick.dd /mnt/usb_image2 -o ro,loop,show_sys_files,streams_interface=windows
Suspiscious files:
While browsing during the html, docs and Tools directory I can find suspiscious files:
- burpsuite_free_windows-x64_v1_7_26.exe
- sqlmap.py
- owasp.txt
- rsnake.txt
- sql.txt
- …
blackmail.docx wasn`t located yet.
Carving files with foremost
foremost -t zip usb_stick.dd
Note: word files (*.docx) are ziped xml files, so you have to look for zip files
In the output directory of foremost we can find a subfolder with zip files:
unzip 00215144.zip
Archive: 00215144.zip
inflating: _rels/.rels
inflating: docProps/core.xml
inflating: docProps/app.xml
inflating: docProps/custom.xml
inflating: word/_rels/document.xml.rels
inflating: word/document.xml
inflating: word/styles.xml
inflating: word/fontTable.xml
inflating: word/settings.xml
inflating: word/theme/theme1.xml
inflating: [Content_Types].xml
This is the default file hierarchy used in word / libreoffice files. The metadata is mainly to be found in docProps/core.xml while the word file’s content appears in word/document.xml
You can of course rename the 00215144.zip to 00215144.docx and open the file using Microsoft Word or LibreOffice
Another filecarving tool we can use is bulkextractor:
bulk_extractor usb_stick.dd -o bulk_data
Inside the bulk_data directory I could find a lot of more files, but none of them showd me a document called blackmail.docx
The last tool we use for our analysis is called the sleuth kit
tsk_recover usb_stick.dd sleuth_data
The Sleuth Kit was able to find and restore the file blackmail.docx