TG:HACK 2019 Forensics Write-Up

25/700++!!
another milestone for the team ❤
mount -o ro store.bin /mnt/<mount_point>
dns && dns.flags.response == 0

“Well, we can export all these packet data to .csv using Wireshark!”

tshark -Y "dns && dns.flags.response == 0" -T fields -e "dns.qry.name" -r superb-owlput.pcap | cut -d '.' -f1

tshark -Y "dns && dns.flags.response == 0" -T fields -e "dns.qry.name" -r superb-owlput.pcap | cut -d '.' -f1 | tr -d '\n' | xxd -r -p > owl.jpg
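The same reassembly in Python, as an added example (not the write-up's own code): take only DNS queries, keep the first label of each query name, concatenate the hex and decode it. The query names, the domain exfil.example and the byte values below are constructed for the demo and are not the real superb-owlput.pcap data. Filtering on dns.flags.response == 0 matters because every response echoes the question name, so without it each chunk would be emitted twice; the extra domain filter is something the one-liner above does not do, and the sample shows why an unrelated lookup in the capture would break it.

```python
import binascii

# Constructed sample of what the tshark pipeline prints before `tr`/`xxd`:
# one DNS query name per line, first label = one hex chunk of the exfiltrated file.
# The chunks spell a small JPEG-like byte sequence (FF D8 FF E0 .. "JFIF" .. FF D9),
# not the real owl.jpg. One unrelated lookup is mixed in on purpose.
SAMPLE_QNAMES = """\
ffd8ffe000104a46.exfil.example
4946000101000048.exfil.example
www.example.org
0048000000ffd9.exfil.example
"""


def first_label(qname):
    """Return the leftmost DNS label, i.e. what `cut -d '.' -f1` keeps."""
    return qname.split(".", 1)[0]


def reassemble(qnames_text, domain=None):
    """Concatenate the first labels of the query names and hex-decode the result.

    `domain` restricts the input to names under the exfiltration domain. The
    shell pipeline above has no such filter, so any unrelated query in the
    capture (here www.example.org) would make `xxd -r -p` produce garbage.
    """
    chunks = []
    for line in qnames_text.splitlines():
        qname = line.strip()
        if not qname:
            continue
        if domain is not None and not qname.endswith("." + domain):
            continue
        chunks.append(first_label(qname))
    return binascii.unhexlify("".join(chunks))


def is_jpeg(data):
    """Sanity check on the output: JPEG starts with FF D8 FF and ends with FF D9."""
    return data[:3] == b"\xff\xd8\xff" and data[-2:] == b"\xff\xd9"


if __name__ == "__main__":
    out = reassemble(SAMPLE_QNAMES, domain="exfil.example")
    print(len(out), "bytes reassembled, looks like JPEG:", is_jpeg(out))
```

Two caveats for real captures: retransmitted queries show up as duplicate names and would duplicate a chunk (compare consecutive lines before decoding), and if the sender numbers its chunks in a second label, sort on that label rather than trusting capture order.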
UPX
4b582e26646c6a7c77407e406d7a6c706a6d7c7a796a73407d76717e6d6662
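Decoding the hex string above, as an added worked example rather than code from the write-up. Two things are assumed here because the page does not state them: that the string is the flag XORed with a single key byte, and that TG:HACK 2019 flags begin with TG19{, which serves as the crib. With a crib, every crib position must yield the same key byte, so the key falls out directly; printable_keys is the fallback when no prefix is known.

```python
import string

# The hex string from the write-up above, copied as-is from the page.
CIPHERTEXT_HEX = "4b582e26646c6a7c77407e406d7a6c706a6d7c7a796a73407d76717e6d6662"

# Assumed flag prefix (TG:HACK 2019 style). The page does not state the format,
# so treat this crib as an assumption; change it if the event used another one.
CRIB = b"TG19{"

PRINTABLE = set(string.printable.encode())


def xor_single(data, key):
    """XOR every byte with one key byte (same operation encrypts and decrypts)."""
    return bytes(b ^ key for b in data)


def keys_from_crib(data, crib):
    """Key implied by a known plaintext at offset 0.

    For a single-byte key, data[i] ^ crib[i] must be identical for every crib
    position. Returns that key, or None if the positions disagree (wrong crib
    or not a single-byte XOR).
    """
    candidates = {c ^ p for c, p in zip(data, crib)}
    return candidates.pop() if len(candidates) == 1 else None


def printable_keys(data):
    """No-crib fallback: every key whose plaintext is entirely printable ASCII."""
    return [k for k in range(256) if all(b in PRINTABLE for b in xor_single(data, k))]


def recover(data, crib=CRIB):
    """Return (key, plaintext) using the crib, or (None, None) if it does not fit."""
    key = keys_from_crib(data, crib)
    if key is None:
        return None, None
    return key, xor_single(data, key)


if __name__ == "__main__":
    data = bytes.fromhex(CIPHERTEXT_HEX)
    key, plaintext = recover(data)
    print("key: %#04x" % key if key is not None else "crib does not fit")
    print(plaintext)
    print("printable candidates without crib:", [hex(k) for k in printable_keys(data)])
```

Run it and the crib check passes on every position, so the single-byte XOR assumption holds for this string; the printable-only search returns more candidates, which is why a crib (even just the flag prefix) is the first thing to try.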
b1,rgb,lsb,xy,prime .. text: "297980:SnVzdCBsZWFybmVkIGFib3V0IHRoaXMgbmV3IHRlcm0gY2FsbGVkIHN0ZXJlb2xpdGhvZ3JhcGh5Li4gUHJldHR5IGNvb2wgY29uY2VwdCF0EQAAAACAPzIxjaTKyVMl5Xu6J74fq0L6fhrBJnG5J3qwqkLVIhnBYFG+J74fq0K2wyPBAAAAAIA/MjGNpMrJUyUMQMEn2JiqQjVCLMGpzrEnTmKpQvYoCsFDbMEnTmKpQjTpL8EAAAAAg"
Just learned about this new term called stereolithography.. Pretty cool concept!<some gibberish here>
zsteg -E b1,rgb,lsb,xy,prime office.png > extracted
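An added example (not the author's code) for making sense of the zsteg output above: the extracted text has the shape "length:base64", and the decoded bytes start with exactly 80 characters of text followed by a little-endian uint32, which is the layout of a binary STL (stereolithography) file: 80-byte header, triangle count, then 50 bytes per triangle. That the payload is an STL file is my inference from the header layout and the word stereolithography in the note; the page does not say so. The listing on the page is cut off, so the script only uses the first 112 base64 characters (84 decoded bytes), enough for the header and the count, and then checks that the declared length matches the base64 size of a complete STL with that many triangles. build_stl produces a constructed sample so the parser can be exercised on a whole file.

```python
import base64
import struct

# First 112 characters of the base64 text in the zsteg output above, copied from the
# page. The page's listing is truncated, so only the part covering the first 84 decoded
# bytes is used here: enough for the STL header and the triangle count.
PAGE_PREFIX = (
    "SnVzdCBsZWFybmVkIGFib3V0IHRoaXMgbmV3IHRlcm0gY2FsbGVkIHN0ZXJlb2xp"
    "dGhvZ3JhcGh5Li4gUHJldHR5IGNvb2wgY29uY2VwdCF0EQAA"
)
PAGE_DECLARED_LEN = 297980   # the "297980:" prefix on the same zsteg line

STL_HEADER_LEN = 80
STL_TRIANGLE_LEN = 50        # 12 float32 (normal + 3 vertices) + uint16 attribute


def split_payload(extracted):
    """Split a 'length:base64' payload into (declared length, base64 text)."""
    length, sep, b64 = extracted.partition(":")
    if not sep:
        raise ValueError("no length prefix")
    return int(length), "".join(b64.split())


def decode_b64_prefix(b64):
    """Decode base64, dropping an incomplete trailing group (truncated listing)."""
    b64 = b64[: len(b64) - len(b64) % 4]
    return base64.b64decode(b64)


def parse_stl_header(blob):
    """Binary STL: 80-byte header, uint32 LE triangle count, 50 bytes per triangle."""
    if len(blob) < STL_HEADER_LEN + 4:
        raise ValueError("need at least 84 bytes for an STL header")
    header = blob[:STL_HEADER_LEN].rstrip(b"\x00")
    (count,) = struct.unpack_from("<I", blob, STL_HEADER_LEN)
    return header, count


def stl_size(count):
    """Size in bytes of a complete binary STL with `count` triangles."""
    return STL_HEADER_LEN + 4 + STL_TRIANGLE_LEN * count


def b64_len(nbytes):
    """Length of the (padded) base64 encoding of nbytes."""
    return 4 * ((nbytes + 2) // 3)


def inspect(extracted):
    """Return (declared_len, header, triangle_count, declared_len_is_consistent)."""
    declared, b64 = split_payload(extracted)
    header, count = parse_stl_header(decode_b64_prefix(b64))
    return declared, header, count, b64_len(stl_size(count)) == declared


def build_stl(header_text, triangles):
    """Constructed minimal binary STL (sample data, not the challenge file).

    `triangles` is a list of (normal, v1, v2, v3), each a 3-tuple of floats.
    """
    header = header_text.encode().ljust(STL_HEADER_LEN, b"\x00")[:STL_HEADER_LEN]
    body = struct.pack("<I", len(triangles))
    for normal, v1, v2, v3 in triangles:
        body += struct.pack("<12f", *normal, *v1, *v2, *v3) + struct.pack("<H", 0)
    return header + body


if __name__ == "__main__":
    declared, header, count, ok = inspect("%d:%s" % (PAGE_DECLARED_LEN, PAGE_PREFIX))
    print(header.decode())
    print("triangles: %d, declared length consistent with a full STL: %s" % (count, ok))
```

The consistency check is the useful part: the triangle count read from the page's own bytes gives a file size whose base64 encoding is exactly 297980 characters, the number in front of the colon. With the full extracted file, decode everything after the colon, write it out with a .stl extension and open it in any model viewer.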

Conclusion
