Need help with my Assignment!

28 Posts
4 Users
0 Likes
6,142 Views
(@nephalem)
Posts: 14
Active Member
Topic starter
 

Hi, I would like to ask if there's any expert out there who can help me out with this assignment that I can't seem to decrypt.

I was given a disk image and asked to decrypt it to see what's inside. Once I open the folder there are 2 files, ad1 and ad2, and I was given a few pieces of software to work with, like OSForensics, ProDiscover and WinHex. I was told that I need to decrypt and combine the 2 files in order to get the original disk image file.

here are the screenshots of the files
https://imgur.com/a/Zj9d8

Anyone can help me with it?

 
Posted : 15/01/2018 5:18 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Most probably a lot of people would be able to help you with that; the point is more about whether they will.

From a merely ethical standpoint, doing (or helping you do) your homework would be a little like being accomplices in "cheating".

Now if you have specific questions or doubts, that is another thing.

What have you done till now?
In which way was what you actually did different from what you expected to happen?

What I would do first thing would be to open the file(s) with WinHex (or another hex editor) to see if there is any recognizable pattern in the file, possibly hinting at which kind of encryption (if any[1]) has been used, if there is any recognizable header leading to a known file format, etc.

jaclaz

[1] The assignment task doesn't mention encryption

 
Posted : 15/01/2018 9:33 am
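The header inspection jaclaz suggests, scripted instead of done by eye in WinHex, as an added example that is not part of the thread or of any poster's reply: it matches the first bytes of a file against a small table of signatures and measures the byte entropy. A recognisable header at a fixed offset means structure, not encryption; a high-entropy blob with no header is what encrypted or compressed data looks like. The MBR, FAT32, NTFS and E01 magics are standard; the `ADSEGMENTEDFILE` string is my understanding of the AccessData AD1 segment header and is an assumption, not something the thread states. The three sample headers are constructed.

```python
"""Added example: sniff a file header for known signatures and byte entropy."""
import math
import random
from collections import Counter

# (offset, magic, description). The AD1 magic is an assumption about the
# AccessData segment header; the others are the usual on-disk signatures.
SIGNATURES = [
    (0, b"ADSEGMENTEDFILE", "AccessData AD1 segment (FTK Imager logical image)"),
    (0, b"EVF\x09\x0d\x0a\xff\x00", "Expert Witness (E01) image segment"),
    (0, b"\x33\xc0\xfa", "x86 boot code (xor ax,ax / cli): typical MBR"),
    (0, b"\xeb\x58\x90", "FAT32 volume boot record"),
    (3, b"NTFS    ", "NTFS volume boot record"),
    (510, b"\x55\xaa", "0x55AA boot signature at offset 510"),
]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, close to 8.0 for random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def identify(header: bytes, entropy_threshold: float = 7.5) -> dict:
    """Classify the first bytes of a file: known structure, random-looking, or unknown."""
    matches = [desc for off, magic, desc in SIGNATURES
               if header[off:off + len(magic)] == magic]
    ent = shannon_entropy(header)
    if matches:
        verdict = "recognised structure, not encrypted"
    elif ent >= entropy_threshold:
        verdict = "high entropy and no known header: encrypted or compressed"
    else:
        verdict = "unknown format, low entropy (look for text, padding or a custom header)"
    return {"matches": matches, "entropy": round(ent, 2), "verdict": verdict}


def sniff_file(path: str, size: int = 4096) -> dict:
    """Run identify() on the first `size` bytes of a real file."""
    with open(path, "rb") as f:
        return identify(f.read(size))


# Constructed samples standing in for the first 4 KiB of three files.
AD1_SAMPLE = b"ADSEGMENTEDFILE\x00" + b"\x00" * (4096 - 16)

_fat = bytearray(4096)
_fat[0:3] = b"\xeb\x58\x90"        # jmp short + nop, as in a FAT32 VBR
_fat[3:11] = b"MSDOS5.0"           # OEM name
_fat[510:512] = b"\x55\xaa"        # boot signature
FAT32_SAMPLE = bytes(_fat)

# Seeded pseudo-random bytes stand in for ciphertext (deterministic, offline).
RANDOM_SAMPLE = random.Random(7).randbytes(4096)

if __name__ == "__main__":
    for name, blob in [("ad1", AD1_SAMPLE), ("fat32", FAT32_SAMPLE), ("random", RANDOM_SAMPLE)]:
        print(name, identify(blob))
```

Point the `sniff_file` helper at the real `.ad1` and `.ad2` and compare: a file that opens in FTK Imager will show structure, while the segment that "does not open" may simply have no image header of its own rather than being encrypted.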
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 

Two questions: are you a student?
What are you studying?
Politics, medicine or something related to IT (forensics)?

 
Posted : 15/01/2018 11:57 am
(@nephalem)
Posts: 14
Active Member
Topic starter
 

Hi, thanks for the reply. I haven't really started, as I really have no idea how to do it. Decrypting these 2 files is probably less than 5% of the total work I am supposed to do.
But I just need help on solving and opening up these 2 files and I will be able to do the rest myself; the rest of the assignment is basically just opening up the files, doing case studies, collecting evidence and writing a report of 3000 words with it.
But I already have an issue opening these 2 files, so technically I can't really do anything right now.

 
Posted : 17/01/2018 4:45 pm
(@nephalem)
Posts: 14
Active Member
Topic starter
 

Yes, I am a student, currently majoring in computer forensics.

 
Posted : 17/01/2018 4:46 pm
(@mrmacca)
Posts: 20
Eminent Member
 

What happens when you open the AD1 file within FTK Imager?

File > Add Evidence > Image File > Select AD1

 
Posted : 18/01/2018 11:59 am
(@nephalem)
Posts: 14
Active Member
Topic starter
 

https://imgur.com/a/tc3PI
Hi, this is what happened when I used it in FTK Imager. I'm not sure what to do next.

 
Posted : 18/01/2018 12:22 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

https://imgur.com/a/tc3PI
Hi, this is what happened when I used it in FTK Imager. I'm not sure what to do next.

So, the file opened normally (there is no encryption), i.e. you can see the files inside the filesystem.

Now what is the problem?

What happens when you select "boot.ini" in the upper part of that view?

Does the bottom part suddenly look *like* this?
[boot loader]
Timeout=20
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

If yes, good :), you have just viewed the contents of a human readable (plain text) file.

Now, what do you have in your hands?
Two files:
jo-2009-11-19.ad1
jo-2009-11-19.ad2

How could they have been generated?

Maybe - just maybe - they were created by FTK Imager (since at least the .ad1 file opens just fine with it).

Now, how could FTK Imager have been used?

Try this test with a small device, let's say a 4 GB USB stick.
File->Add Evidence Item
Choose a Physical Drive, then select the corresponding device (let's say \\.\PhysicalDrive3).
The item will be added to the tree on the left.
Now, expand it.
Try selecting \\.\PhysicalDrive3 and right-click on it; among the choices you will see "Export Disk Image".
Now select the first child of \\.\PhysicalDrive3; this can be either an item named "Partition n" or the name/drive letter of the volume on the USB stick.
If the item is "Partition n", when you right-click you still have "Export Disk Image".
If the item is the volume, when you right-click you will have INSTEAD "Export Logical Image AD1".
Choose that; you will be prompted to add a destination. Click on Add, and you will be prompted to input a case number, etc.; just type some values in the fields and go forward.
You are now prompted for a folder (on your local hard disk) to store the image and for a name to be given to the image.
Choose a suitable folder and filename (without extension).
If you look just below it there is a default setting "Image Fragment size (MB)" set to 1500.
Press Finish.
In a few minutes the image will have been created.
If you go with Explorer to the folder you chose as destination, you will find a file
<name>.ad1 with size 1.572.864.000 bytes
and one or more files with increasing numbers in the extension, like
<name>.ad2
<name>.ad3

Now you can remove the USB stick/PhysicalDrive from the FTK Imager evidence tree and add the <name>.ad1 file to it.
Its contents will be very similar to those of the USB stick/PhysicalDrive seen before.
Now, remove the <name>.ad1 file from the evidence tree and add the <name>.ad2 file.

What has changed?

Now what can we learn from this experiment?

jaclaz

 
Posted : 18/01/2018 6:02 pm
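The lesson of jaclaz's experiment, as an added example that is not from the thread or from any poster: a logical image split at the default 1500 MB fragment size is one image stored as `name.ad1`, `name.ad2`, ... and the viewer opens `name.ad1` and follows on through the rest, so all pieces must sit in one folder with gap-free numbering. The script below checks a directory listing for exactly that before you try to open anything. The rule that every segment but the last is filled to the fragment size is my generalisation of the 1.572.864.000-byte observation above, not something FTK Imager's documentation is quoted as saying here; the file names follow the thread but the sizes are constructed.

```python
"""Added example: sanity-check an FTK Imager segment set (name.ad1, name.ad2, ...)."""
import os
import re

SEGMENT_RE = re.compile(r"^(?P<base>.+)\.ad(?P<num>\d+)$", re.IGNORECASE)
DEFAULT_FRAGMENT_BYTES = 1500 * 1024 * 1024  # 1,572,864,000: the default seen above


def find_segments(filenames, first_segment):
    """Map segment number -> filename for every file sharing first_segment's base name."""
    m = SEGMENT_RE.match(first_segment)
    if not m or int(m.group("num")) != 1:
        raise ValueError(f"{first_segment!r} is not a .ad1 first segment")
    base = m.group("base").lower()
    segments = {}
    for name in filenames:
        mm = SEGMENT_RE.match(name)
        if mm and mm.group("base").lower() == base:
            segments[int(mm.group("num"))] = name
    return segments


def check_segment_set(sizes, first_segment, fragment_bytes=DEFAULT_FRAGMENT_BYTES):
    """sizes: {filename: size_in_bytes} for one directory.
    Returns the ordered segment list, the total size and the problems found."""
    segments = find_segments(sizes, first_segment)
    numbers = sorted(segments)
    problems = []
    if 1 not in segments:
        problems.append(f"first segment {first_segment} is not in the listing")
    if numbers and numbers != list(range(1, len(numbers) + 1)):
        missing = sorted(set(range(1, numbers[-1] + 1)) - set(numbers))
        problems.append(f"segment numbering has gaps, missing: {missing}")
    # Assumption: every segment except the last is filled to the fragment size.
    for n in numbers[:-1]:
        if sizes[segments[n]] != fragment_bytes:
            problems.append(f"{segments[n]} is {sizes[segments[n]]} bytes, expected {fragment_bytes}")
    if numbers and sizes[segments[numbers[-1]]] > fragment_bytes:
        problems.append(f"last segment {segments[numbers[-1]]} exceeds the fragment size")
    ordered = [segments[n] for n in numbers]
    return {"segments": ordered,
            "total_bytes": sum(sizes[f] for f in ordered),
            "problems": problems}


def check_directory(path, first_segment, fragment_bytes=DEFAULT_FRAGMENT_BYTES):
    """The same check run against a real folder on disk."""
    sizes = {f: os.path.getsize(os.path.join(path, f)) for f in os.listdir(path)}
    return check_segment_set(sizes, first_segment, fragment_bytes)


# Constructed listings: names modelled on the thread, sizes invented.
GOOD_SET = {
    "jo-2009-11-19.ad1": 1_572_864_000,
    "jo-2009-11-19.ad2": 734_003_200,
    "notes.txt": 1_024,
    "other-case.ad1": 1_572_864_000,   # different base name, ignored
}
BROKEN_SET = {
    "jo-2009-11-19.ad1": 1_572_864_000,
    "jo-2009-11-19.ad3": 734_003_200,  # .ad2 was never copied over
}

if __name__ == "__main__":
    print(check_segment_set(GOOD_SET, "jo-2009-11-19.ad1"))
    print(check_segment_set(BROKEN_SET, "jo-2009-11-19.ad1"))
```

Run `check_directory(r"C:\evidence", "jo-2009-11-19.ad1")` against the real folder; an empty `problems` list means the set is complete and you only ever add the `.ad1` to the evidence tree, never the `.ad2` on its own.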
(@nephalem)
Posts: 14
Active Member
Topic starter
 

Thanks!

For the first part, yes, the boot.ini looks exactly like what you showed.

For the second part, I plugged in a thumb drive of mine and it only shows Partition 1; there doesn't seem to be a child under Partition 1 after I expand it, just a FAT32 file. When I right-click it I can only find "Export Disk Image"; there's no "Export Logical Drive AD1".

Please take a look at the screenshot and advise me. Thanks for the guides.
https://imgur.com/a/erseH

I have also generated a download link for the AD files, hope you are able to download it and guide me along.
http://dropmefiles.com/y1ywM

 
Posted : 19/01/2018 4:42 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

For the second part, I plugged in a thumb drive of mine and it only shows Partition 1; there doesn't seem to be a child under Partition 1 after I expand it, just a FAT32 file. When I right-click it I can only find "Export Disk Image"; there's no "Export Logical Drive AD1".

Naah, the screenshot you posted was made at a time when "Partition 1" was selected.
As you can see in the "pop-up" window, the image source is set to "Partition 1 [3827MB]".

If you select and right-click "\\.\Physicaldrive1", you will have "Export Disk Image", the top right pane will be empty and the bottom right entry will be a hex view (usually beginning with 33 C0 FA …).

If you select "Partition 1" and right-click you will have "Export Disk Image" as well, the top right pane will be empty and the bottom right one will be a hex view starting with EB 58 90 … (as in your screenshot).

But if you select "NEPHALEM (FAT32)" and right-click you will have "Export Logical Image (AD1)".

When you select "NEPHALEM (FAT32)" on the left, in the top right pane you will have
[root]
[unallocated space]
FAT1
FAT2
file system slack
reserved sector
VBR

And the bottom pane will be a hex view, most probably starting with 4E 45 50 48 41 4C 45 4D (aka "NEPHALEM", that is the label of that stick volume).

The \\.\PhysicalDrive is the actual "disk" (the whole thing).
Partition 1 is the partition that is "inside" the disk.
NEPHALEM [FAT32] is the volume (or file system inside the partition).

You will need to become familiar with the concepts of disks (or physical drives), partitions (primary and extended), (logical) volumes, and file systems.

The concepts are not difficult; the issue is that there is a lot of confusion in the terminology used: the word "drive" is often used instead of disk (drive), and what gets a drive letter in Windows is actually the volume, which may (or may not) be the same as the partition.

I cannot say if it helps or confuses you, but this is how my "mental map" of a disk-like device is made:
http://reboot.pro/topic/13676-the-boot-process-a-step-by-step-approach-to-booting/?p=123056

jaclaz

 
Posted : 19/01/2018 1:32 pm
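The disk -> partition -> volume hierarchy jaclaz describes, walked in code as an added example that is not from the thread or from any poster: parse the MBR at sector 0 (boot code, partition table at offset 0x1BE, 0x55AA signature), follow the partition's LBA start to its FAT32 volume boot record (EB 58 90, BIOS parameter block, volume label), and compute where FAT1 and FAT2 sit, which is what FTK Imager lists under the volume. The image is constructed to match the hex bytes quoted above and the NEPHALEM label; the partition offset (LBA 2048), the 3827 MB size, the OEM name and the FAT geometry are my choices, not values read from the poster's stick.

```python
"""Added example: disk -> partition -> volume on a constructed MBR + FAT32 image."""
import struct

SECTOR = 512
FAT32_TYPES = {0x0B, 0x0C}  # partition type bytes: FAT32 (CHS) and FAT32 (LBA)


def parse_mbr(sector: bytes) -> dict:
    """Disk level: boot code and the four 16-byte partition entries at 0x1BE."""
    if len(sector) < SECTOR or sector[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature: not an MBR")
    partitions = []
    for i in range(4):
        e = sector[0x1BE + 16 * i: 0x1BE + 16 * (i + 1)]
        status, ptype = e[0], e[4]
        lba_start, sectors = struct.unpack_from("<II", e, 8)
        if ptype == 0 or sectors == 0:
            continue  # empty slot
        partitions.append({"index": i + 1, "type": ptype, "bootable": status == 0x80,
                           "lba_start": lba_start, "sectors": sectors,
                           "size_mb": sectors * SECTOR // (1024 * 1024)})
    return {"boot_code_prefix": sector[:3].hex(), "partitions": partitions}


def parse_fat32_vbr(sector: bytes) -> dict:
    """Volume level: BIOS parameter block fields of a FAT32 boot sector."""
    if sector[510:512] != b"\x55\xaa" or sector[0] not in (0xEB, 0xE9):
        raise ValueError("not a boot sector")
    bytes_per_sector, = struct.unpack_from("<H", sector, 11)
    reserved, = struct.unpack_from("<H", sector, 14)
    total_sectors, fat_sectors = struct.unpack_from("<II", sector, 32)  # offsets 32, 36
    root_cluster, = struct.unpack_from("<I", sector, 44)
    return {
        "jump": sector[:3].hex(),
        "oem": sector[3:11].decode("ascii", "replace").rstrip(),
        "bytes_per_sector": bytes_per_sector, "sectors_per_cluster": sector[13],
        "reserved_sectors": reserved, "fats": sector[16],
        "total_sectors": total_sectors, "fat_sectors": fat_sectors,
        "root_cluster": root_cluster,
        "label": sector[71:82].decode("ascii", "replace").rstrip(),
        "fs_type": sector[82:90].decode("ascii", "replace").rstrip(),
    }


def walk_image(image: bytes) -> dict:
    """Follow disk -> partition -> volume and locate FAT1/FAT2 for each FAT32 volume."""
    mbr = parse_mbr(image[:SECTOR])
    volumes = []
    for p in mbr["partitions"]:
        if p["type"] not in FAT32_TYPES:
            continue
        off = p["lba_start"] * SECTOR
        vbr = parse_fat32_vbr(image[off:off + SECTOR])
        fat1 = off + vbr["reserved_sectors"] * vbr["bytes_per_sector"]
        fat2 = fat1 + vbr["fat_sectors"] * vbr["bytes_per_sector"]
        volumes.append({"partition": p["index"], "vbr_offset": off,
                        "fat1_offset": fat1, "fat2_offset": fat2, "vbr": vbr})
    return {"disk": mbr, "volumes": volumes}


def build_sample_image() -> bytes:
    """Constructed image: one bootable FAT32 (LBA) partition at LBA 2048, 3827 MB.
    Only sectors up to the VBR are materialised, so the blob is about 1 MiB."""
    mbr = bytearray(SECTOR)
    mbr[0:3] = b"\x33\xc0\xfa"  # xor ax,ax ; cli: the bytes a disk view starts with
    mbr[0x1BE:0x1BE + 16] = struct.pack("<B3sB3sII", 0x80, b"\x00" * 3, 0x0C,
                                        b"\x00" * 3, 2048, 7_837_696)
    mbr[510:512] = b"\x55\xaa"
    vbr = bytearray(SECTOR)
    vbr[0:3] = b"\xeb\x58\x90"                       # the bytes a partition view starts with
    vbr[3:11] = b"MSDOS5.0"                           # OEM name (assumed)
    struct.pack_into("<H", vbr, 11, 512)             # bytes per sector
    vbr[13] = 8                                       # sectors per cluster
    struct.pack_into("<H", vbr, 14, 32)              # reserved sectors before FAT1
    vbr[16] = 2                                       # number of FATs
    struct.pack_into("<II", vbr, 32, 7_837_696, 7_648)  # total sectors, sectors per FAT
    struct.pack_into("<I", vbr, 44, 2)               # root directory cluster
    vbr[71:82] = b"NEPHALEM   "                       # volume label, as in the thread
    vbr[82:90] = b"FAT32   "
    vbr[510:512] = b"\x55\xaa"
    image = bytearray(SECTOR * 2049)
    image[:SECTOR] = mbr
    image[2048 * SECTOR:2049 * SECTOR] = vbr
    return bytes(image)


if __name__ == "__main__":
    print(walk_image(build_sample_image()))
```

Feed `walk_image` the first few MiB of a raw (dd-style) disk image instead of the constructed one and the three levels map directly onto FTK Imager's tree: `boot_code_prefix` is what the \\.\PhysicalDrive node shows, `vbr_offset` is where "Partition 1" begins, and `label` is the volume node that offers "Export Logical Image (AD1)".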
Page 1 / 3