F 201: Rhino Hunt with Autopsy - archie-archana/cyber-forencis GitHub Wiki
Scenario
The city of New Orleans passed a law in 2004 making possession of nine or more unique rhinoceros images a serious crime. The network administrator at the University of New Orleans recently alerted police when his instance of RHINOVORE flagged illegal rhino traffic. Evidence in the case includes a computer and USB key seized from one of the University’s labs. Unfortunately, the computer had no hard drive. The USB key was imaged and a copy of the dd image is the case1.zip file you’ve been given. In addition to the USB key drive image, three network traces are also available—these were provided by the network administrator and involve the machine with the missing hard drive. The suspect is the primary user of this machine, who has been pursuing his Ph.D. at the University since 1972.
Verifying the Hash Value
F 201.1: SHA1
The SHA1 hash of the image file is checked against the published value to ensure the file was not tampered with during the network transfer.
F 201.2: Mother and Child
Find the image of a mother rhinoceros and her child. That's the flag.
After the extraction, all the data is available for forensic analysis. In this task the image of the mother rhino and her child was to be displayed; after navigating through the files and images folders, the picture was extracted.
F 201.3: Hard Drive
Find the location of the missing hard drive
In the deleted files folder, after sorting the files by MIME type, the first file was a Word document; after reading through that file, the location of the hard drive was found to be mentioned as "Mississippi river".
F 201.4: Email Address (10 pts extra)
There are two files containing an email address at MIT. Only one of the files has a real filename. (A filename beginning with "Unalloc" is a fake filename generated by Autopsy for files recovered from unallocated clusters.)
In the recovered files there were two files containing the keyword MIT; the first one, "f0103512.jpg", is the flag name and the second one is a dummy file created by Autopsy.
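The two checks this write-up relies on, verifying the SHA1 of the dd image (F 201.1) and separating a real recovered filename from Autopsy's generated "Unalloc" names when hunting for the MIT address (F 201.4), as an added Python example that is not part of the original wiki page. The `mit.edu` domain, the file names other than "f0103512.jpg", and the file contents are constructed assumptions, not the real case1 data.

```python
import hashlib
import re
import tempfile
from pathlib import Path
# The page only says "an email address at MIT"; mit.edu is the assumed domain.
MIT_EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@(?:[A-Za-z0-9-]+\.)*mit\.edu", re.IGNORECASE)

def sha1_of_file(path, chunk_size=1 << 20):
    """Stream the file in chunks so a large dd image need not fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_image_hash(path, expected_sha1):
    """True when the computed SHA1 equals the digest supplied with the evidence."""
    return sha1_of_file(path) == expected_sha1.strip().lower()

def is_autopsy_unalloc_name(name):
    """Autopsy names files carved from unallocated clusters 'Unalloc...'; those are not real filenames."""
    return name.startswith("Unalloc")

def find_mit_email_hits(root):
    """(filename, has_real_filename, address) for each file under root that contains an MIT address."""
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            m = MIT_EMAIL_RE.search(p.read_bytes())
            if m:
                hits.append((p.name, not is_autopsy_unalloc_name(p.name), m.group(0).decode("ascii", "replace")))
    return hits

def run_constructed_case():
    """Constructed stand-in data (not the real case1 contents): a tiny 'image' plus three recovered files."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "case1.dd").write_bytes(b"abc")  # SHA1 of b"abc" is a well-known test vector
        hash_ok = verify_image_hash(root / "case1.dd", "a9993e364706816aba3e25717850c26c9cd0d89d")
        (root / "f0103512.jpg").write_bytes(b"\xff\xd8\xff\xe0 ... contact: someone@mit.edu ...")
        (root / "Unalloc_1_2_3").write_bytes(b"fragment someone@mit.edu from unallocated clusters")
        (root / "f0103513.jpg").write_bytes(b"\xff\xd8\xff\xe0 no address here")
        return hash_ok, find_mit_email_hits(root)

if __name__ == "__main__":
    ok, hits = run_constructed_case()
    print("image hash verified:", ok)
    for name, real, addr in hits:
        print(f"{name:16} real_filename={real} address={addr}")
```

Point `find_mit_email_hits` at the directory Autopsy exported the recovered files to; only hits whose second field is True carry a real filename.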