Monday, June 4, 2012

Defcon 20 QUALS - Forensics 400


Execute photorec on the memory dump:
$ photorec for400/memory.dmp
Scan for Intel/Whole Disk/Other

During the recovery, notice some gpg files recovered:
$ find . -name "*.gpg"
./recup_dir.5/f1459128.gpg

$ file ./recup_dir.5/f1459128.gpg
./recup_dir.5/f1459128.gpg: PGP key security ring

This seems very good!

Great, now let's look for PGP messages. Running `strings memory.dmp` also shows some mentions of Enigmail.

Now, let's check for files containing some GPG strings:
$ grep -r -l 'BEGIN PGP MESSAGE'  . | xargs grep -l 'END PGP MESSAGE'
./recup_dir.5/f1627504.exe
./recup_dir.5/f1528640.ttf
./recup_dir.5/f1461456.f
./recup_dir.5/f1664432.sqlite
./recup_dir.3/f0847704.ttf
./recup_dir.3/f0858088.sqlite
./recup_dir.3/f0852424.png
./recup_dir.2/f0541352.ttf
./recup_dir.2/f0683024.dll
./recup_dir.2/f0546488.edb
./recup_dir.2/f0375528.dll
./recup_dir.2/f0359888.exe
./recup_dir.2/f0476136.dll
./recup_dir.2/f0385016.f
./recup_dir.2/f0357184.png
./recup_dir.7/f1933464.gz
./recup_dir.4/f1076424.sqlite
./recup_dir.4/f1409480.txt
./recup_dir.4/f1406184.f
./recup_dir.4/f1108112.dll
./recup_dir.4/f1339936.gz
./recup_dir.6/f1740144.txt
./recup_dir.6/f1829160.txt
./recup_dir.6/f1737600.html
./recup_dir.1/f0342920.ttf
./recup_dir.1/f0018928.dll
./recup_dir.1/f0230408.txt
./recup_dir.1/f0037424_body-bg.jpg.gz
./recup_dir.1/f0064464.gz
./recup_dir.1/f0286832.png

Let's take a look at them:
$ grep -r -l 'BEGIN PGP MESSAGE' . | xargs grep -l 'END PGP MESSAGE' | xargs grep -A10 'BEGIN PGP MESSAGE' | less

Notice the files:
- ./recup_dir.5/f1461456.f
- ./recup_dir.2/f0385016.f

They both contain the message:

-----BEGIN PGP MESSAGE-----
Charset: ISO-8859-1
-----END PGP MESSAGE-----


Save the message as data1.gpg, for example, and let gpg try every secret key from the recovered keyring:
$ gpg --no-default-keyring --try-all-secrets --secret-keyring ./recup_dir.5/f1459128.gpg data1.gpg && echo data1
gpg: anonymous recipient; trying secret key FB9C695E ...
gpg: anonymous recipient; trying secret key D7A51CC5 ...
gpg: oops: public key not found for preference check
gpg: okay, we are the anonymous recipient.
gpg: encrypted with RSA key, ID EC1B51DB
gpg: encrypted with RSA key, ID D7A51CC5
the key is: as it turns out, Phil Zimmermann also likes sheep.

Self-explanatory.
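The grep-and-xargs triage above (find carved files holding both armor markers, pull the message out, drop it in a .gpg file for gpg to try) can be automated over the whole recup_dir.* tree. This is an added Python example, not part of the original write-up: the directory layout and the sample message are constructed, and it deduplicates identical messages by SHA-1 (the two .f files above held the same one) so gpg only has to be run once per distinct message.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# One complete ASCII-armored PGP message: armor headers, blank line, base64
# body, optional "=XXXX" CRC-24 line, END marker. Works on raw carved bytes.
ARMOR_RE = re.compile(
    rb"-----BEGIN PGP MESSAGE-----\r?\n"
    rb"(?:[A-Za-z-]+: [^\r\n]*\r?\n)*\r?\n"      # e.g. "Charset: ISO-8859-1"
    rb"(?:[A-Za-z0-9+/=]+\r?\n)+"                # base64 body lines (+ CRC)
    rb"-----END PGP MESSAGE-----"
)

def extract_armored_messages(data: bytes) -> list[bytes]:
    """Return every complete armored message in a buffer; truncated blocks
    (BEGIN without a matching END) are ignored, like the grep pipeline."""
    return [m.group(0) for m in ARMOR_RE.finditer(data)]

def carve_messages(root: Path, out_dir: Path) -> dict[str, list[str]]:
    """Walk photorec's recup_dir.* tree, write each distinct message once as
    <out_dir>/<sha1>.gpg, and report which carved files contained it."""
    out_dir.mkdir(parents=True, exist_ok=True)
    seen: dict[str, list[str]] = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        for msg in extract_armored_messages(path.read_bytes()):
            digest = hashlib.sha1(msg).hexdigest()
            if digest not in seen:
                (out_dir / f"{digest}.gpg").write_bytes(msg + b"\n")
            seen.setdefault(digest, []).append(path.name)
    return seen

# Constructed sample (not from the challenge dump): a fake armored message.
SAMPLE_MSG = (b"-----BEGIN PGP MESSAGE-----\nCharset: ISO-8859-1\n\n"
              b"hQEMA0xWxQ5sYWtlAQf/ZmFrZSBib2R5IGZvciB0aGUgZXhhbXBsZQ==\n"
              b"=abcd\n-----END PGP MESSAGE-----")

def demo() -> tuple[dict[str, list[str]], dict[str, bytes]]:
    """Build a tiny fake recup_dir tree, carve it, return (index, outputs)."""
    junk = b"\x00\x7fELF\xff" * 8
    with tempfile.TemporaryDirectory() as d:
        root, out = Path(d) / "carved", Path(d) / "out"
        (root / "recup_dir.1").mkdir(parents=True)
        (root / "recup_dir.2").mkdir(parents=True)
        # same message in two carved files, plus one truncated copy to skip
        (root / "recup_dir.1" / "f0000001.f").write_bytes(junk + SAMPLE_MSG + junk)
        (root / "recup_dir.2" / "f0000002.dll").write_bytes(SAMPLE_MSG + junk)
        (root / "recup_dir.2" / "f0000003.txt").write_bytes(SAMPLE_MSG[:60] + junk)
        index = carve_messages(root, out)
        return index, {f.name: f.read_bytes() for f in out.glob("*.gpg")}

if __name__ == "__main__":
    for digest, names in demo()[0].items():
        print(f"{digest}.gpg found in {names}")
    # then, per file: gpg --no-default-keyring --try-all-secrets \
    #     --secret-keyring ./recup_dir.5/f1459128.gpg out/<sha1>.gpg
```

Point `carve_messages` at the photorec output directory and feed each written .gpg file to the gpg command above with the recovered secret keyring.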
