Tuesday, December 2, 2014
Kaizen - Forensics #1 (find hidden partition on USB drive image)
Here's the text of the Forensics #1 challenge:
Joey wanted to send some pictures to Phreak on a USB drive. Before sending the drive, Joey deleted his Gzip'd backup of his etc folder that was stored on the drive. Show Joey that he should be more careful when deleting data by recovering Joey's dsa private key file from the imaged copy of the usb drive.
After mounting the image and seeing nothing but picture files, I turned to testdisk, a free and open-source data recovery tool.
Running testdisk usbbackup.img brings up the media selection screen:
From here we hit enter to select the usbbackup.img disk, and we're asked to select the partition table type.
Following testdisk's hint of "None" (a bare filesystem with no partition table), I hit enter and am asked to select the partition:
Hitting enter again, we're asked if we want to rebuild the boot sector:
Hitting enter again, testdisk shows the extrapolated boot sector next to the current one, and we can choose "List" to browse the filesystem using the extrapolated boot sector.
After selecting "List", we're shown a list of all files and directories, deleted ones included (testdisk highlights deleted entries in red, and "c" copies the selected entry out of the image). Fortunately, etc.tar.gz is present!
Extracting the archive gives us the backed-up etc directory, and under etc/ssh/ are the recovered SSH host keys. This works because deleting a file normally only removes its directory entry; the data blocks stay on the drive until something overwrites them.
In ssh_host_dsa_key, we see the following:
-----BEGIN DSA PRIVATE KEY-----
49BbkYI The Flag is: 8555199cf63b179586e603c5b237bc90 UwIVAMaE
-----END DSA PRIVATE KEY-----
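As an added example (my own code, not part of the original write-up and not how testdisk works internally), here is the same recovery done without relying on filesystem metadata at all: carve every gzip stream out of a raw image by its magic bytes, let the decompressor's end-of-stream and CRC checks reject false positives and truncated streams, and look inside each carved tarball for the wanted path. It generalizes the post's single case to any deleted .tar.gz on any image. The "image" and the key inside it are constructed placeholders built inline so the script runs offline; the path etc/ssh/ssh_host_dsa_key is taken from the post, everything else is assumed.

```python
import io
import tarfile
import zlib

# Three-byte gzip member header: ID1=0x1f, ID2=0x8b, CM=8 (deflate).
GZIP_MAGIC = b"\x1f\x8b\x08"


def build_sample_image():
    """Construct a toy drive image (constructed test data, not the challenge image).

    The 'deleted' etc.tar.gz has lost its directory entry, but its data
    blocks are still sitting between two runs of filler bytes.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        files = {
            "etc/hostname": b"joeys-laptop\n",
            "etc/ssh/ssh_host_dsa_key": (
                b"-----BEGIN DSA PRIVATE KEY-----\n"
                b"(constructed placeholder, not a real key)\n"
                b"-----END DSA PRIVATE KEY-----\n"
            ),
        }
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = 0o600
            tar.addfile(info, io.BytesIO(data))
    tgz = buf.getvalue()
    # Filler that can never contain GZIP_MAGIC, so the archive is the only hit.
    filler = bytes(range(256)) * 16
    return filler + tgz + filler


def carve_gzip_streams(image):
    """Yield (offset, decompressed_bytes, compressed_length) for each valid gzip member.

    Candidates are found by magic; each is validated by actually inflating it.
    zlib verifies the CRC32/ISIZE trailer, so corrupt hits raise zlib.error, and
    a stream whose tail was overwritten never reaches eof and is skipped.
    """
    pos = 0
    while True:
        off = image.find(GZIP_MAGIC, pos)
        if off < 0:
            return
        d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # gzip wrapper only
        try:
            out = d.decompress(image[off:])
        except zlib.error:
            pos = off + 1
            continue
        if not d.eof:  # truncated: blocks reused or image cut short
            pos = off + 1
            continue
        clen = len(image) - off - len(d.unused_data)
        yield off, out, clen
        pos = off + clen  # resume after this stream, not inside it


def recover_file(image, wanted="etc/ssh/ssh_host_dsa_key"):
    """Return (offset, contents) of `wanted` from the first carved tarball holding it."""
    for off, data, _clen in carve_gzip_streams(image):
        try:
            with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tar:
                member = tar.getmember(wanted)
                return off, tar.extractfile(member).read()
        except (tarfile.TarError, KeyError):
            continue  # not a tar, or the tar lacks the file
    return None


if __name__ == "__main__":
    image = build_sample_image()
    hit = recover_file(image)
    if hit:
        print(f"carved archive at offset {hit[0]}:\n{hit[1].decode()}")
```

For a real multi-gigabyte image, open it with mmap instead of reading it into memory; the scan loop is the same. The carver finds data that testdisk's directory listing would also show, but it keeps working when the FAT directory entries themselves have been overwritten. The lesson for Joey is the same either way: rm only unlinks, so a backup that must not leak should be shredded or the stick should have been encrypted from the start.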