Forensic
Bitlocker 1
In this challenge, we are given a disk.raw image that contains a partition of a Windows machine that has been encrypted with BitLocker. We can use the tool bitlocker2john to extract a crackable hash of the password used to encrypt that partition, and then use john to crack it:
Using fdisk we can see that a unit (sector) is 512 bytes and that the partition starts at the 128th one, i.e. at byte offset 128 * 512 = 65536.
This allows us to decrypt the partition at the correct location. We can use dislocker to recover the decrypted partition:
Now we can mount the partition in one of our folders and recover the flag:
Note that we needed to copy the partition to another folder because it was only accessible read-only. We could probably have changed the permissions of the file instead, but this is easier :)
Bitlocker 2
In this challenge, we are given two files: a BitLocker-encrypted partition and a memory dump of a Windows machine. I used volatility2docker for this challenge because Volatility2 sometimes has some issues. Using docker images is great because you don't have to install all the dependencies needed by the tool.
I found this GitHub repository that explains how to recover the content of a BitLocker-encrypted partition from a memory dump of the machine. First we need to add the BitLocker script to the Volatility2 plugins list:
Now we can analyse the image, and we find it to be a Windows 10 machine:
Now we need to recover the Full Volume Encryption Key (FVEK). The FVEK is the cryptographic key that full disk encryption (FDE) systems use to encrypt and decrypt the entire contents of a storage volume. It is the primary encryption key for the whole volume and is typically generated randomly when the volume is encrypted. It protects the confidentiality of the data stored on the disk: without it, the data is unreadable. This is what makes it essential wherever entire disk volumes need to be protected.
We use the newly added plugin bitlocker to export the FVEK:
Because we had a volume mounted into the docker container, the files are directly available on our machine. We use fdisk to check the size of the units:
We run the dislocker tool as in the previous exercise, but this time we specify the FVEK file we want to use, the disk image and the folder to mount. Then we copy the decrypted partition to another folder and mount it in a last folder, where we can now read the flag:
Some interesting reading on the subject on LinkedIn
Keypass
KeePass is a password manager used to store credentials. If the master password that is used to encrypt all the credentials is weak, then we can gain access to all the credentials stored in the KeePass file. We use keepass2john to recover the hash of the password protecting the file, then we use john to crack it:
Now we can install KeePassXC on our computer and load the bob.kdbx file in it. We are asked for a password and we enter spongebob. We get the following result:
As you can see, we get the flag from the KeePass file.
The flag may not be shown directly: you may have to click on the eye icon to reveal the value, which is masked by several dots by default.
Connaissez-vous la forensique 1
Here, we are tasked with recovering the password of the Firefox session, and we are given several folders. I found the tool firepwd, which recovers all the passwords saved in Firefox when we point it at a profile. We just have to run the following command:
python firepwd/firepwd.py -d Roaming/Mozilla/Firefox/Profiles/aiaj08g4.default-release
And now we have, at the bottom of the terminal output, the password for bob's Amazon account:
Connaissez vous le Forensic
In this challenge, we need to recover the content of the Notepad application. I did a simple search on the internet and found the following blog. It gives us all the commands we need to run to retrieve the content of our application.
I used the docker image of Volatility3. In version 3, we don't need to specify the profile of the memory image we have. This allows me to directly recover the list of all the processes and the PID of Notepad (4100):
Note the use of > to store the result of the command. It is good practice to save the output of the commands we run to a file when using Volatility, because they can take a long time to run if we have to repeat them without saved results.
Now we can dump the memory of this process:
This gives us a file called pid.4100.dmp, and we can use the strings and grep commands to recover the flag:
Note the use of -e l in the strings command. If you don't tell strings to look for 16-bit little-endian characters, you won't get any result, because Notepad stores its text in this format (UTF-16LE).
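To show why the -e l option matters, here is an added example (not part of the original writeup) that builds a small constructed "process dump" and emulates both the default behaviour of strings (runs of printable ASCII bytes) and strings -e l (runs of 16-bit little-endian characters). The dump contents, the flag value and the helper names are constructed for the demonstration.

```python
import re

# Constructed sample "process dump": some binary noise, one plain ASCII string,
# and a text buffer stored the way Notepad keeps it in memory (UTF-16LE).
# This is not a real memory dump.
SAMPLE_DUMP = (
    b"\x00\x10MZ\x90\x00"                                  # binary noise
    + b"This is an ASCII string in the dump\x00"
    + b"\x00" * 8
    + "FLAG{notepad_stores_utf16}".encode("utf-16-le")     # Notepad-style text
    + b"\xff\xfe\x00\x00"
)

MIN_LEN = 4  # same default minimum length as GNU strings


def ascii_strings(data, min_len=MIN_LEN):
    """Emulates plain `strings`: runs of at least min_len printable ASCII bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def utf16le_strings(data, min_len=MIN_LEN):
    """Emulates `strings -e l`: runs of at least min_len printable characters
    encoded as 16-bit little-endian (each ASCII byte followed by a NUL byte)."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, data)]


def grep(lines, needle):
    """Emulates `grep needle` over the output of one of the finders above."""
    return [line for line in lines if needle in line]


if __name__ == "__main__":
    # The UTF-16LE text is invisible to the ASCII scan: every character is
    # separated by a NUL byte, so no run reaches the minimum length.
    print("strings | grep FLAG      ->", grep(ascii_strings(SAMPLE_DUMP), "FLAG"))
    print("strings -e l | grep FLAG ->", grep(utf16le_strings(SAMPLE_DUMP), "FLAG"))
```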