Stolenidentity

We found a really old USB stick in a wallet belonging to somebody we know is involved in cloning and forging passports and selling them for a tidy profit.

I've had a look at it myself but can't see anything specifically incriminating, although there are a couple of photos of the covers of foreign passports stored - but this doesn't really tell us much beyond what we already know.

The forensics guys have made an 'image' of the drive but they haven't got around to looking at this yet as they are stacked with higher priority cases. I've attached that for you.

Can you tell me the full name on anyone's passport you find on this drive image? We'll need to know so that we can alert them to check their credit history for anything suspicious and perform some checks on the usage activity related to the passport to see whether it's already been cloned before and has been used nefariously.

Note: You have 10 attempts for this, avoid guessing at random!

Expected flag format: fullNameOfPassportHolder

The relevant image file can be found in the assets folder. Since this is a raw disk image, we'll need to use a tool to extract the files from it. First I tried kpartx:

  1. sudo apt install kpartx

  2. sudo kpartx -av seized_usb_drive.dd

    This gives us the following error:

    device-mapper: reload ioctl on loop24p4  failed: Invalid argument
    create/reload failed on loop24p4
    

    This did attempt to mount TYLER'S USB to the filesystem, but it failed.

So next I tried just mounting directly:

  1. mkdir mydd

  2. sudo mount -t vfat -o ro seized_usb_drive.dd mydd

    This also failed, with the following error:

    mount: ../mydd: wrong fs type, bad option, bad superblock on /dev/loop4, missing codepage or helper program, or other error.
    

Then I tried sleuthkit:

  1. sudo apt install sleuthkit

  2. fsstat seized_usb_drive.dd

    FILE SYSTEM INFORMATION
    --------------------------------------------
    File System Type: NTFS
    Volume Serial Number: 80E6258FE625868E
    OEM Name: NTFS
    Volume Name: TYLER'S USB
    Version: Windows XP
    
    METADATA INFORMATION
    --------------------------------------------
    First Cluster of MFT: 5376
    First Cluster of MFT Mirror: 2
    Size of MFT Entries: 1024 bytes
    Size of Index Records: 4096 bytes
    Range: 0 - 256
    Root Directory: 5
    
    CONTENT INFORMATION
    --------------------------------------------
    Sector Size: 512
    Cluster Size: 4096
    Total Cluster Range: 0 - 16126
    Total Sector Range: 0 - 129022
    
    $AttrDef Attribute Values:
    $STANDARD_INFORMATION (16)   Size: 48-72   Flags: Resident
    $ATTRIBUTE_LIST (32)   Size: No Limit   Flags: Non-resident
    $FILE_NAME (48)   Size: 68-578   Flags: Resident,Index
    $OBJECT_ID (64)   Size: 0-256   Flags: Resident
    $SECURITY_DESCRIPTOR (80)   Size: No Limit   Flags: Non-resident
    $VOLUME_NAME (96)   Size: 2-256   Flags: Resident
    $VOLUME_INFORMATION (112)   Size: 12-12   Flags: Resident
    $DATA (128)   Size: No Limit   Flags:
    $INDEX_ROOT (144)   Size: No Limit   Flags: Resident
    $INDEX_ALLOCATION (160)   Size: No Limit   Flags: Non-resident
    $BITMAP (176)   Size: No Limit   Flags: Non-resident
    $REPARSE_POINT (192)   Size: 0-16384   Flags: Non-resident
    $EA_INFORMATION (208)   Size: 8-8   Flags: Resident
    $EA (224)   Size: 0-65536   Flags:
    $LOGGED_UTILITY_STREAM (256)   Size: 0-65536   Flags: Non-resident
    

    So now we know that it's from Windows XP.

  3. sudo mount -o loop,ro,show_sys_files,streams_interface=windows seized_usb_drive.dd ./mydd

    This gave me "Operation not permitted."
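To see where fsstat gets its FILE SYSTEM and CONTENT INFORMATION from, here is an added Python example (not part of the original writeup, and not sleuthkit code) that decodes the NTFS boot sector of a raw image into the same values fsstat printed above. It also shows why the earlier mount -t vfat attempt could not claim the image: the signature strings in the first sector identify it as NTFS, not FAT. The sample boot sector is constructed from the quoted fsstat values; it is not bytes from the real seized_usb_drive.dd.

```python
import struct
import sys

NTFS_OEM_ID = b"NTFS    "

def identify_filesystem(sector: bytes) -> str:
    """Classify a boot sector by its on-disk signature strings."""
    if sector[0x03:0x0B] == NTFS_OEM_ID:
        return "NTFS"
    if sector[0x52:0x57] == b"FAT32":
        return "FAT32"
    if sector[0x36:0x39] == b"FAT":
        return "FAT12/16"
    return "unknown"

def parse_ntfs_boot_sector(sector: bytes) -> dict:
    """Decode the NTFS BIOS Parameter Block into the values fsstat reports."""
    if len(sector) < 512 or identify_filesystem(sector) != "NTFS":
        raise ValueError("not an NTFS boot sector")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sector, 0x0B)
    total_sectors, mft_cluster, mftmirr_cluster = struct.unpack_from("<QQQ", sector, 0x28)
    # Signed bytes: negative n means a record of 2**(-n) bytes, positive n means n clusters.
    mft_rec, idx_rec = struct.unpack_from("<bxxxb", sector, 0x40)
    (serial,) = struct.unpack_from("<Q", sector, 0x48)
    cluster_size = bytes_per_sector * sectors_per_cluster
    rec_size = lambda n: 2 ** (-n) if n < 0 else n * cluster_size
    return {
        "sector_size": bytes_per_sector, "cluster_size": cluster_size,
        "total_sectors": total_sectors, "last_cluster": total_sectors // sectors_per_cluster - 1,
        "mft_cluster": mft_cluster, "mftmirr_cluster": mftmirr_cluster,
        "mft_entry_size": rec_size(mft_rec), "index_record_size": rec_size(idx_rec),
        "volume_serial": f"{serial:016X}",
    }

def build_sample_boot_sector() -> bytes:
    """Constructed sector carrying the values fsstat printed above (not the real image's bytes)."""
    bs = bytearray(512)
    bs[0x03:0x0B] = NTFS_OEM_ID
    struct.pack_into("<HB", bs, 0x0B, 512, 8)             # 512-byte sectors, 8 per cluster = 4096
    struct.pack_into("<QQQ", bs, 0x28, 129023, 5376, 2)   # sectors 0-129022, MFT at 5376, mirror at 2
    struct.pack_into("<bxxxb", bs, 0x40, -10, 1)          # 2**10 = 1024-byte MFT entries, 1-cluster index records
    struct.pack_into("<Q", bs, 0x48, 0x80E6258FE625868E)  # volume serial
    return bytes(bs)

if __name__ == "__main__":
    sector = open(sys.argv[1], "rb").read(512) if len(sys.argv) > 1 else build_sample_boot_sector()
    print(identify_filesystem(sector))
    for k, v in parse_ntfs_boot_sector(sector).items():
        print(f"{k}: {v}")
```

Run with the image path as the first argument to read the real first sector; with no argument it decodes the constructed sample.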


Tags

  1. cyber crime (Private)
  2. 600 points (Private)