Now that we have the encrypted file, a natural thing to look for is the password. Raw.out: GPG symmetrically encrypted data (AES256 cipher) This file turns out to be GPG encrypted data. We can dump this data (File > Export packet bytes). Filtering just by size nets us one of these packets. These packets will be rather large and have the URB_BULK in/out flags set. Let’s try to find any files that have been transferred in/out of the flash drive. Other notable devices include a gaming mouse (device 9, bus id 2), a keyboard (device 5, bus id 2), and a tablet (device 4, bus id 2). So, device 2 (with bus id 1) is a flash drive. First thing is first, let’s figure out which devices were connected to the machine. Loading the file in Wireshark, we can clearly see that it is a USB packet capture. Can you help us figure out which country he’s fleeing to? Reconnaissance He’s too smart to email his plans to himself, but I’m certain he took them with him somehow. Luckily, he forgot that we had planted a packet sniffer on his laptop, and we were able to retrieve the following capture when we raided his apartment.
He’s on the run as we speak, but we’re not sure where he’s headed. Our once-venerable president has committed the unspeakable crime of dine-and-dashing the pizza during our own club meetings.
0 kommentar(er)
