$ mmls disk.dd
$ mmcat disk.dd 01 | strings
$ mmcat disk.dd 03 | strings
Partition 02 starts at sector 0000002048 and is described as Linux (0x83).
Let's extract the allocated partition so that we can work on it without having to type the offset all the time. WARNING: this takes a long time.
$ dd if=disk.dd of=body.dd bs=512 skip=2048 count=6834176
if - the input file
of - the output file
bs - the input and output block size
skip - the number of sectors to skip
count - the number of sectors to copy
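The skip and count values above are read straight off the mmls table (start sector and length of the Linux row), and the same start sector is what later goes to -o for fls and icat. As an added example that is not part of the original write-up, the helper below parses mmls output and derives those dd arguments. The mmls text is a constructed sample whose Linux row carries the page's numbers; the function names are my own.

```python
import re

# Constructed sample of `mmls disk.dd` output (not captured from the page's image).
# The Linux row uses the start/length that the write-up's dd line relies on.
SAMPLE_MMLS = """\
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0006836223   0006834176   Linux (0x83)
003:  -------   0006836224   0006838271   0000002048   Unallocated
"""

# One partition row: index, slot, start, end, length, free-text description.
ROW_RE = re.compile(r"^(\d+):\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.*\S)\s*$")


def parse_mmls(text):
    """Return one dict per partition row found in mmls text output."""
    sector_size = 512
    m = re.search(r"Units are in (\d+)-byte sectors", text)
    if m:
        sector_size = int(m.group(1))
    parts = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # headers and blank lines
        idx, slot, start, end, length, desc = m.groups()
        parts.append({
            "index": int(idx), "slot": slot, "start": int(start),
            "end": int(end), "length": int(length),
            "description": desc, "sector_size": sector_size,
        })
    return parts


def dd_args_for(parts, index):
    """Derive dd's bs/skip/count for partition `index`, plus the -o offset
    that fls/icat/istat need to address the same partition inside disk.dd."""
    for p in parts:
        if p["index"] != index:
            continue
        # Sanity check: end - start + 1 must equal the reported length.
        if p["end"] - p["start"] + 1 != p["length"]:
            raise ValueError("inconsistent start/end/length in mmls row %d" % index)
        return {"bs": p["sector_size"], "skip": p["start"],
                "count": p["length"], "offset": p["start"]}
    raise KeyError("no partition with index %d" % index)


def dd_command(image, output, args):
    """Render the dd line exactly as it would be typed."""
    return "dd if=%s of=%s bs=%d skip=%d count=%d" % (
        image, output, args["bs"], args["skip"], args["count"])


if __name__ == "__main__":
    a = dd_args_for(parse_mmls(SAMPLE_MMLS), 2)
    print(dd_command("disk.dd", "body.dd", a))
    print("use -o %d with fls/icat/istat" % a["offset"])
```

The consistency check matters more than it looks: a hand-typed count that is off by one silently drops the last sector of the file system, and nothing downstream will complain until a file at the end of the partition fails to extract.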
WARNING: I can't get this to work. First download the NSRL database:
$ wget http://www.nsrl.nist.gov/voting/20140608/NSRLFile.txt
If you are on OS X Mavericks or later and don't have wget, you can download the file using:
$ curl "http://www.nsrl.nist.gov/voting/20140608/NSRLFile.txt" -o "NSRLFile.txt"
Then index the database for MD5 (see -n nsrl_db in man sorter and man hfind):
$ hfind -i nsrl-md5 NSRLFile.txt
First let's start the search from the home directory, so we need to find the meta addr of this directory:
$ fls disk.dd -o 2048
We get the line 585: home, meaning that the meta addr we want is 585. Let's look at the different users' home directories:
$ fls -o 2048 disk.dd 585
d/d 4610: void
We see that the only user is void. Let's see what he has in his home directory /home/void/:
$ fls -o 2048 disk.dd 4610
...
d/d 38225: .hacking
...
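The three fls calls above are one procedure: list a directory by meta address, pick the entry you want, and use its meta address for the next call. As an added example that is not from the original write-up, the following code automates that walk. The fls listings are constructed to mirror the page's output (root is assumed to be ext's inode 2); the deleted notes.txt entry is made up to show how fls marks unallocated names with a *, and the tsk_fls helper that shells out to the real tool is my own assumption about how you would plug it in.

```python
import re
import subprocess

# One fls line: "<name-type>/<meta-type> [* ]<meta>[(realloc)]:<tab><name>"
# The optional "* " marks a deleted (unallocated) entry.
FLS_LINE_RE = re.compile(
    r"^(\S+/\S+)\s+(\*\s+)?(\d+(?:-\d+-\d+)?)(?:\(realloc\))?:\s+(.*)$")

# Constructed listings keyed by meta address, imitating `fls -o 2048 disk.dd META`.
# Root inode 2 is assumed (ext file systems); 585/4610/38225/38611 follow the page.
FAKE_LISTINGS = {
    "2": "d/d 11:\tlost+found\nd/d 12:\tetc\nd/d 585:\thome\n",
    "585": "d/d 4610:\tvoid\n",
    "4610": "r/r 4611:\t.bashrc\nd/d 38225:\t.hacking\nr/r * 4620:\tnotes.txt\n",
    "38225": "r/r 38611:\tD4_06_this_is_weird.pdf\n",
}


def fake_fls(meta):
    """Stand-in for running fls; returns the constructed listing for `meta`."""
    return FAKE_LISTINGS.get(str(meta), "")


def tsk_fls(image, offset):
    """Return a list_dir function that runs the real fls (assumed on PATH),
    using the same argument order as the write-up: fls -o OFFSET IMAGE META."""
    def list_dir(meta):
        cmd = ["fls", "-o", str(offset), image, str(meta)]
        return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return list_dir


def parse_fls(text):
    """Turn fls output into dicts: name, meta (as string), is_dir, deleted."""
    entries = []
    for line in text.splitlines():
        m = FLS_LINE_RE.match(line)
        if not m:
            continue
        types, deleted, meta, name = m.groups()
        entries.append({
            "name": name,
            "meta": meta,
            "is_dir": types.split("/")[1] == "d",  # meta type is the second letter
            "deleted": deleted is not None,
        })
    return entries


def resolve_path(list_dir, root_meta, path, include_deleted=False):
    """Walk `path` (e.g. "home/void/.hacking") with one fls call per component
    and return the meta address of the last component, or None if not found.
    Deleted entries are skipped unless include_deleted is set."""
    comps = [c for c in path.split("/") if c]
    meta = str(root_meta)
    for i, comp in enumerate(comps):
        found = None
        for e in parse_fls(list_dir(meta)):
            if e["name"] == comp and (include_deleted or not e["deleted"]):
                found = e
                break
        if found is None:
            return None
        if i < len(comps) - 1 and not found["is_dir"]:
            return None  # cannot descend into a regular file
        meta = found["meta"]
    return meta


if __name__ == "__main__":
    print(resolve_path(fake_fls, 2, "home/void/.hacking"))  # 38225 in the constructed data
```

Meta addresses are kept as strings so the same code works for NTFS images, where fls prints them as 128-1 style triples.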
Whoa! Let's search for files in this directory with an extension mismatch.
$ mkdir sorter_output
$ sorter -e -n NSRLFile.txt -o 2048 -d sorter_output disk.dd 38225 2> /dev/null
-e - look for files with an extension mismatch
-n NSRLFile.txt - ignore known software
-o 2048 - the disk partition offset we learned from mmls
-d sorter_output - the directory to store the generated report
disk.dd 38225 - search in this disk image at the meta address representing .hacking
OK, so now if we look in sorter_output/mismatch.txt we find the inode for the file:
D4_06_this_is_weird.pdf
empty (Zip archive data, at least v2.0 to extract) (Ext: pdf)
Image: disk.dd Inode: 38611
MD5: a495b7b6b126c09db019bd2c84908f97
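Two things happen inside that sorter run: files whose MD5 appears in the NSRL index (the hfind step earlier) are dropped as known software, and the survivors are typed by content and compared against their extension. As an added example covering both the hfind/NSRL section and the sorter section, and not code from the write-up or from The Sleuth Kit, here is a small re-implementation of that triage. The magic-byte table, the NSRL snippet (with placeholder hashes) and the file contents are all constructed; the only real detail is the NSRL column layout, of which the MD5 column is looked up by name.

```python
import csv
import hashlib
import io

# Constructed subset of content signatures; a real sorter run uses the file(1)
# magic database. Each entry: leading bytes, label, extensions that legitimately carry it.
SIGNATURES = [
    (b"%PDF-", "PDF document", {"pdf"}),
    (b"PK\x03\x04", "Zip archive data", {"zip", "jar", "docx", "xlsx", "pptx", "odt"}),
    (b"\x89PNG\r\n\x1a\n", "PNG image data", {"png"}),
    (b"\xff\xd8\xff", "JPEG image data", {"jpg", "jpeg"}),
    (b"\x7fELF", "ELF executable", {"", "so", "o"}),
]

# Constructed NSRL RDS excerpt: real files use the same header, the hashes here are placeholders.
SAMPLE_NSRL = (
    '"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"\n'
    '"0000000000000000000000000000000000000001","0123456789ABCDEF0123456789ABCDEF","00000001","notepad.exe","1024","1","1",""\n'
    '"0000000000000000000000000000000000000002","FEDCBA9876543210FEDCBA9876543210","00000002","libc.so","2048","2","2",""\n'
)


def load_nsrl_md5(text):
    """Collect the MD5 column of an NSRL file into a lowercase set (what hfind indexes)."""
    reader = csv.DictReader(io.StringIO(text))
    return {row["MD5"].lower() for row in reader}


def identify(data):
    """Return (label, allowed extensions) for the first matching signature, or (None, None)."""
    for magic, label, exts in SIGNATURES:
        if data.startswith(magic):
            return label, exts
    return None, None


def extension_of(name):
    """Lowercased extension; dotfiles such as .bashrc count as having none."""
    base = name.rsplit("/", 1)[-1]
    stem, dot, ext = base.rpartition(".")
    return ext.lower() if stem and dot else ""


def triage(files, known_md5, image="disk.dd"):
    """Mimic `sorter -e -n`: skip known hashes, flag content/extension mismatches.
    `files` is a list of (name, meta_addr, data) tuples."""
    report = []
    for name, meta, data in files:
        md5 = hashlib.md5(data).hexdigest()
        if md5 in known_md5:
            continue  # known software, as with -n NSRLFile.txt
        label, exts = identify(data)
        if label is None:
            continue  # untyped content: nothing to compare the extension with
        ext = extension_of(name)
        if ext not in exts:
            report.append({"name": name, "inode": meta, "type": label,
                           "ext": ext, "md5": md5, "image": image})
    return report


def format_mismatch(e):
    """Render an entry in the spirit of sorter's mismatch.txt."""
    return "%s\n%s (Ext: %s)\nImage: %s Inode: %s\nMD5: %s" % (
        e["name"], e["type"], e["ext"], e["image"], e["inode"], e["md5"])


# Constructed file contents standing in for icat output.
ZIP_BYTES = b"PK\x03\x04\x14\x00" + b"\x00" * 24 + b"secret.txt"
PDF_BYTES = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n"
# The PDF's hash plays the role of an NSRL hit so the run shows the -n filter working.
KNOWN_MD5 = {hashlib.md5(PDF_BYTES).hexdigest()}
FILES = [
    ("D4_06_this_is_weird.pdf", "38611", ZIP_BYTES),  # the page's finding: zip named .pdf
    ("manual.pdf", "38612", PDF_BYTES),               # genuine PDF, and "known"
    ("notes.zip", "38613", ZIP_BYTES),                # zip correctly named
    (".bashrc", "4611", b"export PATH=/usr/local/bin:$PATH\n"),
]

if __name__ == "__main__":
    for entry in triage(FILES, KNOWN_MD5):
        print(format_mismatch(entry))
```

Only the first few bytes decide the type here, which is the same weakness sorter inherits from file(1): a file that begins with a valid header but carries something else behind it is not caught by this pass, so the mismatch report is a starting point for manual review rather than a verdict.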
Let's look at the metadata for this file, such as timestamps and permissions:
$ istat -o 2048 disk.dd 38611
We can also use the knowledge of the inode to extract the contents of the file with icat:
$ icat -o 2048 disk.dd 38611 > file.zip
And to extract the data, we can simply do the following:
$ unzip file.zip -d file
Oops! We require a password. Luckily we found one with mmcat disk.dd 02.
$ diskutil list
Make sure you are using a write blocker at this point.
$ sudo dd if=/dev/disk1 of=copy.img conv=notrunc
This will take some time, as it makes a bit-by-bit copy of the flash drive.
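The write blocker keeps the source from changing; what proves the copy is faithful is hashing the source device and the image and comparing the digests, which is the step a later analyst will ask for. As an added example that is not part of the original notes, the code below does that verification in fixed-size blocks so a large device never has to fit in memory. The demo builds a constructed "device" file, one good copy and one copy with a single flipped byte; the paths /dev/disk1 and copy.img in the usage comment are the page's, everything else is assumed.

```python
import hashlib
import os
import tempfile

BLOCK = 1024 * 1024  # hash in 1 MiB reads so raw devices and multi-GB images stream


def hash_file(path, algo="sha256"):
    """Stream a file (or a device node such as /dev/disk1) through a hash."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_acquisition(source, image, algo="sha256"):
    """Hash source and image and report whether they are bit-for-bit identical.
    Usage after imaging: verify_acquisition("/dev/disk1", "copy.img")."""
    src = hash_file(source, algo)
    img = hash_file(image, algo)
    return {
        "algorithm": algo,
        "source": src,
        "image": img,
        "match": src == img,
        "source_size": os.path.getsize(source),
        "image_size": os.path.getsize(image),
    }


def verification_record(result):
    """One-line record suitable for the case notes."""
    return "%s source=%s image=%s match=%s" % (
        result["algorithm"], result["source"], result["image"], result["match"])


def demo():
    """Constructed stand-in for a device and two images: a faithful copy and one
    with a single flipped byte. Returns (good_match, bad_match)."""
    data = bytes(range(256)) * 4096  # 1 MiB of constructed device content
    d = tempfile.mkdtemp()
    src, good, bad = (os.path.join(d, n) for n in ("device.bin", "good.img", "bad.img"))
    with open(src, "wb") as f:
        f.write(data)
    with open(good, "wb") as f:
        f.write(data)
    corrupt = bytearray(data)
    corrupt[12345] ^= 0x01  # silent single-bit error that a size check would miss
    with open(bad, "wb") as f:
        f.write(bytes(corrupt))
    return verify_acquisition(src, good)["match"], verify_acquisition(src, bad)["match"]


if __name__ == "__main__":
    print(demo())  # (True, False) for the constructed files
```

Hash the source once before imaging as well: if the before and after digests of /dev/disk1 differ, something wrote to the device during acquisition and the write blocker did not do its job.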
- New case
- Enter case name
- Open case
- Add host