Walkthrough For Rhino Hunt Part-I

Rabbiyatabassum
4 min read · Jun 10, 2023


Getting into a digital forensics investigation!

Scenario:

The city of New Orleans passed a law in 2004 making possession of nine or more unique rhinoceros images a serious crime. The network administrator at the University of New Orleans recently alerted police when his instance of RHINOVORE flagged illegal rhino traffic. Evidence in the case includes a computer and USB key seized from one of the University’s labs. Unfortunately, the computer had no hard drive. The USB key was imaged and a copy of the dd image is on the CD-ROM you’ve been given. In addition to the USB key drive image, three network traces are also available — these were provided by the network administrator and involved the machine with the missing hard drive. The suspect is the primary user of this machine, who has been pursuing his Ph.D. at the University since 1972.

Reference link to download the image: https://cfreds.nist.gov/all/NIST/RhinoHunt

Task:

The task is to recover at least nine rhino pictures from the available evidence and include them in a brief report. In your report, provide answers to as many of the following questions as possible:

• Who gave the accused a telnet/ftp account?

• What’s the username/password for the account?

• What relevant file transfers appear in the network traces?

• What happened to the hard drive in the computer? Where is it now?

• What happened to the USB key?

• What is recoverable from the dd image of the USB key?

• Is there any evidence that connects the USB key and the network traces? If so, what?

Let's begin with the question: What’s the username/password for the account?

For this we analyze the network logs. I am using Wireshark: open the downloaded network capture in Wireshark and start analyzing:

Rhino.log opened into Wireshark

Apply a display filter to show only the FTP control and FTP data packets:

ftp or ftp-data

ftp or ftp-data filter applied

Because FTP does not encrypt either its control or its data connection, the username and password are visible in clear text in the capture once the above filter is applied.

username and password for FTP

Answer: The username is: gnome

The password is: gnome123

Now let's move to the next question: What relevant file transfers appear in the network traces?

As we can see in the captured traffic, the client requests rhino1.jpg and rhino3.jpg, and a contraband.zip file is transferred over the network. We will recover these files from the network capture. First, we recover the rhino1.jpg image:

request for rhino1.jpg

We follow the TCP stream (Follow > TCP Stream), which selects all the packets belonging to the current stream.

We select the Raw format, since it keeps the transferred bytes exactly as they were sent, so the saved output is the original file and can be opened or converted as needed.

Now click the Save as button to save the image:

saving rhino1.jpg

Now move to the directory where you saved the image and open it:

recovered Rhino Image

We recovered one rhino image successfully; there are 8 more images to recover. We follow the same steps to recover rhino3.jpg as we did for rhino1.jpg.

Now we also recover the zip file shared over the network, in the same way as we recovered rhino1.jpg and rhino3.jpg.

contraband.zip file
TCP stream of contraband.zip file
saving contraband.zip file
contraband.zip saved to the desktop

Let's extract the contraband.zip file to see what it contains.

password-protected zip file

Ahh! The zip file is password protected.
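As an added example (not part of the original walkthrough), the same analysis done programmatically: reassemble TCP payloads per stream the way Follow TCP Stream does, read USER/PASS and RETR names from the clear-text FTP control channel, and classify each recovered data stream by its magic bytes, including the zip header flag that explains the password prompt. The segments, addresses and file bytes are constructed; a real run would feed payloads parsed from rhino.log.

```python
import struct
from collections import defaultdict
# Constructed sample TCP payloads standing in for the segments a pcap parser would
# yield: (src, sport, dst, dport, payload) in capture order. Addresses are made up.
SAMPLE_SEGMENTS = [
    ("10.0.0.5", 40001, "10.0.0.9", 21, b"USER gnome\r\nPASS gnome123\r\n"),
    ("10.0.0.5", 40001, "10.0.0.9", 21, b"RETR rhino1.jpg\r\nRETR contraband.zip\r\n"),
    ("10.0.0.9", 20, "10.0.0.5", 40002, b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("10.0.0.9", 20, "10.0.0.5", 40002, b"\x00\x01" + b"\x00" * 8 + b"\xff\xd9"),
    ("10.0.0.9", 20, "10.0.0.5", 40003, b"PK\x03\x04\x14\x00\x01\x00" + b"\x00" * 22),
]

def reassemble(segments):
    """Concatenate payloads per 4-tuple, one direction each, like Follow TCP Stream."""
    streams = defaultdict(bytearray)
    for src, sport, dst, dport, payload in segments:
        streams[(src, sport, dst, dport)] += payload
    return {key: bytes(data) for key, data in streams.items()}

def parse_ftp_control(data):
    """Pull USER/PASS and RETR file names out of the clear-text control channel."""
    info = {"user": None, "pass": None, "retrieved": []}
    for line in data.decode("latin-1").splitlines():
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "RETR":
            info["retrieved"].append(arg)
        elif verb in ("USER", "PASS"):
            info[verb.lower()] = arg
    return info

def identify(data):
    """Classify a data-channel stream by magic bytes; flag password-protected zips."""
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if data.startswith(b"PK\x03\x04"):
        # bit 0 of the local header's general purpose flag marks an encrypted entry
        return "zip (password-protected)" if struct.unpack_from("<H", data, 6)[0] & 1 else "zip"
    return "unknown"

def analyze(segments):
    """Credentials from the control channel plus the type of every data stream."""
    result = {"credentials": None, "files": []}
    for (_, _, _, dport), data in reassemble(segments).items():
        if dport == 21:
            result["credentials"] = parse_ftp_control(data)
        else:
            result["files"].append(identify(data))
    return result
```

Port 21 identifies the control channel here; in passive mode the data connections land on arbitrary ports, which is why the data streams are classified by content rather than by port.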

We will continue hunting the remaining rhino images in Part-II (https://medium.com/@rabbiyatabassum/walkthrough-for-rhino-hunt-part-ii-ec7977f17941) and Part-III. Follow the rest of the hunt in the Walkthrough For Rhino Hunt Part-II.
