Walkthrough For Rhino Hunt Part-II

Rabbiyatabassum
4 min readJul 19, 2023


Getting into a digital forensics investigation!

In the previous post, Walkthrough For Rhino Hunt Part-I (https://medium.com/@rabbiyatabassum/walkthrough-for-rhino-hunt-part-i-2b03bd90a6f6), we answered a few of the case study's questions.

In Part-I we saw that the zip file recovered from the log file is password protected. Today we will break that password, recover the image inside, and then hunt the remaining images to answer a few more questions.

So let's begin!

The first thing you need in order to break the password is to get the downloaded zip file onto your Kali machine (if you downloaded it on Kali in the first place, nothing needs to be moved). Then navigate to the directory where you saved the zip file using the cd command. In my case, I saved it to my Desktop.

contrapand.zip file in the desktop directory on kali linux.

The next step is to use fcrackzip, a fast password cracker for zip archives. It recovers the password of a zip file encrypted with the traditional PKWARE scheme (ZipCrypto) either by brute force or with a dictionary (word list). It does not handle AES-encrypted archives (the WinZip/7-Zip AES option); for those, extract the hash with zip2john and feed it to John the Ripper or hashcat instead.

We will use the help flag "-h" to see the available options.

fcrackzip help menu

To crack the password of the zip file, the following command is used:

fcrackzip -v -D -u -p /usr/share/wordlists/rockyou.txt contrapand.zip

  1. The -v flag enables verbose output, so detailed information is displayed during the cracking process.
  2. The -D flag selects dictionary mode: fcrackzip reads candidate passwords, one per line, from a word list file instead of generating them.
  3. The -u flag tells fcrackzip to verify each candidate by actually decompressing the first file with unzip. Without it, fcrackzip only compares the one-byte check value at the end of the 12-byte encryption header, which a wrong password passes by chance about one time in 256, so a long word list produces a trail of false positives that you would otherwise have to try by hand.
  4. The -p flag means different things depending on the mode: in brute-force mode it sets the initial password, and in dictionary mode (-D) it names the word list file. Here -p /usr/share/wordlists/rockyou.txt tells fcrackzip where to read the candidates from.
  5. /usr/share/wordlists/rockyou.txt is the rockyou word list that ships with Kali. On a fresh install it is compressed as rockyou.txt.gz, so run "sudo gunzip /usr/share/wordlists/rockyou.txt.gz" once before using it; if the file lives somewhere else on your system, "locate rockyou.txt" will find it.
Using fcrackzip to crack the password

We can see that the password has been cracked: the password for the zip file is "monkey". We will use this password to open the zip file and view its contents on our Windows machine.
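For readers who want to see what the command above is actually doing, here is an added example (it is not the author's procedure and not fcrackzip's code). It reproduces the attack in Python so it can be run offline without fcrackzip, unzip or the rockyou file: it builds a small ZipCrypto-encrypted archive in memory, cracks it with a dictionary attack the way "fcrackzip -D -p <wordlist>" does, and then shows why "-u" matters by finding a wrong password that passes the 12-byte header check but fails when the whole entry is decrypted and its CRC-32 verified. The password "monkey" is the one recovered in the case; the entry name rhino.jpg, the image bytes and the short rockyou-style word list are constructed stand-ins.

```python
"""Dictionary attack on a ZipCrypto ("traditional PKWARE") encrypted zip entry."""
import io
import struct
import zipfile
import zlib

# ZipCrypto key schedule from the PKWARE APPNOTE ("Traditional PKWARE Encryption").
# Only the encrypting side is written here, to build the sample archive; decryption
# is left to the standard library so the checks below behave like real tools do.
_CRCTABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRCTABLE.append(_c)

def _crc32_byte(crc, b):
    return (crc >> 8) ^ _CRCTABLE[(crc ^ b) & 0xFF]

class ZipCryptoStream:
    def __init__(self, password):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self._update(b)

    def _update(self, b):
        self.k0 = _crc32_byte(self.k0, b)
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _crc32_byte(self.k2, self.k1 >> 24)

    def encrypt(self, data):
        out = bytearray()
        for p in data:
            t = (self.k2 | 2) & 0xFFFF
            out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(p)  # the key schedule advances on the plaintext byte
        return bytes(out)

def build_encrypted_zip(name, data, password):
    """One stored (method 0) entry with general-purpose flag bit 0 (encrypted) set."""
    crc = zlib.crc32(data)
    # 12-byte encryption header: 11 filler bytes (random in real archives, fixed
    # here for reproducibility) followed by the high byte of the CRC as check value.
    header = bytes(range(11)) + bytes([(crc >> 24) & 0xFF])
    body = ZipCryptoStream(password).encrypt(header + data)
    mtime, mdate = 12 << 11, ((2023 - 1980) << 9) | (7 << 5) | 19
    local = struct.pack("<4sHHHHHLLLHH", b"PK\x03\x04", 20, 1, 0, mtime, mdate,
                        crc, len(body), len(data), len(name), 0) + name + body
    central = struct.pack("<4sHHHHHHLLLHHHHHLL", b"PK\x01\x02", 20, 20, 1, 0, mtime, mdate,
                          crc, len(body), len(data), len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<4sHHHHLLH", b"PK\x05\x06", 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd

def header_check_passes(zip_bytes, pwd):
    """fcrackzip without -u: decrypt the 12-byte header and compare one check byte."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            zf.open(zf.namelist()[0], pwd=pwd).close()  # RuntimeError on a check-byte mismatch
        return True
    except RuntimeError:
        return False

def decrypt_entry(zip_bytes, pwd):
    """What -u adds: decrypt the whole entry so the CRC-32 is verified as well.
    Returns the plaintext, or None for a wrong password or a header-check false positive."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return zf.read(zf.namelist()[0], pwd=pwd)
    except (RuntimeError, zipfile.BadZipFile):
        return None

def dictionary_attack(zip_bytes, candidates, verify=True):
    """Try candidates in order; return (password or None, candidates that passed the header check)."""
    header_hits = []
    for cand in candidates:
        pwd = cand.encode("latin-1")  # rockyou.txt is not clean UTF-8; latin-1 never fails
        if header_check_passes(zip_bytes, pwd):
            header_hits.append(cand)
            if not verify or decrypt_entry(zip_bytes, pwd) is not None:
                return cand, header_hits
    return None, header_hits

def find_header_false_positive(zip_bytes, real_password, limit=5000):
    """Generate wrong guesses until one slips past the header-only check (about 256 tries expected)."""
    for i in range(limit):
        guess = f"wrong{i}"
        if guess != real_password and header_check_passes(zip_bytes, guess.encode()):
            return guess
    return None

# Constructed inputs: a stand-in for the rhino JPEG and a few rockyou-style candidates.
SAMPLE_IMAGE = b"\xff\xd8\xff\xe0" + b"stand-in for the rhino jpeg " * 4 + b"\xff\xd9"
WORDLIST = ["123456", "password", "iloveyou", "princess", "monkey", "dragon"]

if __name__ == "__main__":
    archive = build_encrypted_zip(b"rhino.jpg", SAMPLE_IMAGE, b"monkey")
    print("cracked:", dictionary_attack(archive, WORDLIST))
    fp = find_header_false_positive(archive, "monkey")
    print("header check passes:", fp, "| full decrypt works:", fp is not None and decrypt_entry(archive, fp.encode()) is not None)
```

To run the same logic against a real archive and word list, read the zip into bytes and feed dictionary_attack a generator over the file opened with encoding "latin-1"; the verify=True path is the equivalent of fcrackzip's -u and is what keeps the false positives out of your notes.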

Extracting the zip file with the recovered password.

The zip file contains an image of a rhino.

rhino image

We have now recovered 3 rhino pictures and 6 remain, so we will examine the rhino2 and rhino3 log files in Wireshark and then analyze the USB dd image in Autopsy for the remaining evidence.

Open the rhino2.log file in Wireshark for analysis.

rhino2.log file in Wireshark
packets captured

When analyzing the network traffic in rhino2.log we can see another file transfer over HTTP, this time of a file named rhino4.jpg. A display filter such as http.request.uri contains "rhino" narrows the capture down to the relevant requests.

rhino4.jpg packets

We will recover the file to our system by clicking File > Export Objects > HTTP, which lists every object that was transferred over HTTP in the capture.

Exporting HTTP objects

We can see the different HTTP objects. Two of them are rhino files: rhino4.jpg and a GIF, rhino5.gif. We will recover both.

HTTP object list

Click on each file and save it.
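For readers who want to see what Export Objects does under the hood, here is an added example (it is not part of the original post and not Wireshark's code). It carves HTTP response bodies out of the two directions of a reassembled TCP stream, names each object after the request URI the way Wireshark does, and adds the check an examiner wants before calling a carved file "rhino4.jpg": the file signature (magic bytes) must agree with the Content-Type the server sent, since both the name and the type are under the server's control. The conversation below is constructed: the host address 10.0.0.5, the banner.jpg entry (a GIF mislabelled as JPEG) and the image bytes are stand-ins, and only the names rhino4.jpg and rhino5.gif come from the case.

```python
"""Carve HTTP objects out of one reassembled TCP conversation and check their signatures."""
from urllib.parse import urlsplit

MAGIC = {  # file signatures for the formats that appear in the case
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}

def parse_http_messages(stream):
    """Split one direction of a stream into (start_line, headers, body) tuples.

    Bodies are framed by Content-Length only; a chunked body is refused rather
    than silently carved wrong. Header names are lower-cased for lookup."""
    messages, pos = [], 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end < 0:
            raise ValueError("stream ends inside a header block")
        lines = stream[pos:end].decode("iso-8859-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            key, _, value = line.partition(":")
            headers[key.strip().lower()] = value.strip()
        if "chunked" in headers.get("transfer-encoding", "").lower():
            raise ValueError("chunked transfer coding not handled in this example")
        length = int(headers.get("content-length", "0"))
        body = stream[end + 4:end + 4 + length]
        if len(body) != length:
            raise ValueError("truncated body: stream ended before Content-Length was reached")
        messages.append((lines[0], headers, body))
        pos = end + 4 + length
    return messages

def signature_matches(content_type, body):
    """True/False when the type's signature is known, None when it is not."""
    sigs = MAGIC.get(content_type)
    if sigs is None:
        return None
    return any(body.startswith(s) for s in sigs)

def export_objects(client_stream, server_stream):
    """Pair requests with responses in order (HTTP/1.1 returns responses in request order)."""
    requests = parse_http_messages(client_stream)
    responses = parse_http_messages(server_stream)
    objects = []
    for (request_line, _, _), (status_line, headers, body) in zip(requests, responses):
        method, target, _ = request_line.split(" ", 2)
        filename = urlsplit(target).path.rsplit("/", 1)[-1] or "index.html"
        content_type = headers.get("content-type", "").split(";")[0].strip().lower()
        objects.append({
            "method": method,
            "filename": filename,
            "status": int(status_line.split(" ")[1]),
            "content_type": content_type,
            "size": len(body),
            "magic_ok": signature_matches(content_type, body),
            "body": body,
        })
    return objects

# Constructed conversation (not the case capture): minimal JPEG- and GIF-shaped
# bodies, plus banner.jpg, which is served as image/jpeg but is really a GIF.
JPEG_BODY = b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"\xff\xd9"
GIF_BODY = b"GIF89a\x01\x00\x01\x00" + b"\x00" * 8 + b";"

def _request(path):
    return f"GET {path} HTTP/1.1\r\nHost: 10.0.0.5\r\n\r\n".encode()

def _response(content_type, body):
    return (f"HTTP/1.1 200 OK\r\nContent-Type: {content_type}\r\n"
            f"Content-Length: {len(body)}\r\n\r\n").encode() + body

CLIENT_STREAM = _request("/rhino4.jpg") + _request("/rhino5.gif") + _request("/banner.jpg") + _request("/")
SERVER_STREAM = (_response("image/jpeg", JPEG_BODY) + _response("image/gif", GIF_BODY)
                 + _response("image/jpeg", GIF_BODY) + _response("text/html", b"<html></html>"))

if __name__ == "__main__":
    for obj in export_objects(CLIENT_STREAM, SERVER_STREAM):
        print(f"{obj['filename']:<12} {obj['content_type']:<12} {obj['size']:>4} B  magic_ok={obj['magic_ok']}")
```

To use it on the real capture, take the raw bytes of each direction from Follow > TCP Stream (Show data as Raw) or from tshark -z follow,tcp,raw,<stream number>, and pass them as client_stream and server_stream. A magic_ok of False is the signal to look harder at that object rather than trust its name.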

rhino4.jpg
rhino5.gif

Open the folder where you saved the files and you will see the images. In my case, I saved both on my Desktop.

rhino4.jpg and rhino5.gif files.

Now open the files to verify their contents. On Kali, running the file command on each one confirms that the bytes really are a JPEG and a GIF, rather than trusting the extensions alone.

rhino4.jpg
rhino5.gif

Woohoo! We have now recovered 5 of the 9 rhino images.

In Part-III, we will analyze the USB key and answer the remaining questions.

The link to Part-I is given at the start.

If you like reading the Rhino case study, give me a follow.
