Stolenidentity
We found a really old USB stick in a wallet belonging to somebody we know is involved in cloning and forging passports and selling them for a tidy profit.
I've had a look at it myself but can't see anything specifically incriminating, although there are a couple of photos of the covers of foreign passports stored - but this doesn't really tell us much beyond what we already know.
The forensics guys have made an 'image' of the drive but they haven't got around to looking at this yet as they are stacked with higher priority cases. I've attached that for you.
Can you tell me the full name on anyone's passport you find on this drive image? We'll need to know so that we can alert them to check their credit history for anything suspicious and perform some checks on the usage activity related to the passport to see whether its already been cloned before and has been used nefariously.
Note: You have 10 attempts for this, avoid guessing at random!
Expected flag format: fullNameOfPassportHolder
The relevant image file can be found in the assets folder. Since this is a raw disk image, we'll need to use a tool to extract the files from it. First I tried kpartx:
- sudo apt install kpartx
- sudo kpartx -av seized_usb_drive.dd
This gives us the following error:
device-mapper: reload ioctl on loop24p4 failed: Invalid argument create/reload failed on loop24p4
This did attempt to mount TYLER'S USB to the filesystem, but it failed.
So next I tried just mounting directly:
- mkdir mydd
- sudo mount -t vfat -o ro seized_usb_drive.dd mydd
This also failed, with the following error:
mount: ../mydd: wrong fs type, bad option, bad superblock on /dev/loop4, missing codepage or helper program, or other error.
Then I tried sleuthkit:
- sudo apt install sleuthkit
- fsstat seized_usb_drive.dd
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: NTFS
Volume Serial Number: 80E6258FE625868E
OEM Name: NTFS
Volume Name: TYLER'S USB
Version: Windows XP

METADATA INFORMATION
--------------------------------------------
First Cluster of MFT: 5376
First Cluster of MFT Mirror: 2
Size of MFT Entries: 1024 bytes
Size of Index Records: 4096 bytes
Range: 0 - 256
Root Directory: 5

CONTENT INFORMATION
--------------------------------------------
Sector Size: 512
Cluster Size: 4096
Total Cluster Range: 0 - 16126
Total Sector Range: 0 - 129022

$AttrDef Attribute Values:
$STANDARD_INFORMATION (16)   Size: 48-72   Flags: Resident
$ATTRIBUTE_LIST (32)   Size: No Limit   Flags: Non-resident
$FILE_NAME (48)   Size: 68-578   Flags: Resident,Index
$OBJECT_ID (64)   Size: 0-256   Flags: Resident
$SECURITY_DESCRIPTOR (80)   Size: No Limit   Flags: Non-resident
$VOLUME_NAME (96)   Size: 2-256   Flags: Resident
$VOLUME_INFORMATION (112)   Size: 12-12   Flags: Resident
$DATA (128)   Size: No Limit   Flags:
$INDEX_ROOT (144)   Size: No Limit   Flags: Resident
$INDEX_ALLOCATION (160)   Size: No Limit   Flags: Non-resident
$BITMAP (176)   Size: No Limit   Flags: Non-resident
$REPARSE_POINT (192)   Size: 0-16384   Flags: Non-resident
$EA_INFORMATION (208)   Size: 8-8   Flags: Resident
$EA (224)   Size: 0-65536   Flags:
$LOGGED_UTILITY_STREAM (256)   Size: 0-65536   Flags: Non-resident
So now we know the volume is NTFS (fsstat reports its on-disk version as Windows XP) rather than FAT, which is why the vfat mount failed. The image also starts directly with the NTFS boot sector rather than a partition table, so there is nothing for kpartx to map.
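The same facts fsstat printed can be read straight out of the first 512 bytes of the image. The script below is an added example, not part of the write-up: it tells a bare NTFS or FAT volume apart from an MBR-partitioned disk, and decodes the NTFS BIOS Parameter Block into the sector size, cluster size, MFT location and volume serial. The sample sector it builds is constructed from the fsstat values shown above, not copied from the seized image.

```python
import struct

NTFS_OEM = b"NTFS    "  # OEM ID at offset 3 of an NTFS boot sector

def identify_image(sector0: bytes) -> str:
    """Classify the first 512 bytes of a raw image: a bare NTFS or FAT volume
    (no partition table, so kpartx has nothing to map), an MBR disk, or other."""
    if sector0[3:11] == NTFS_OEM:
        return "ntfs"
    if sector0[0x36:0x39] == b"FAT" or sector0[0x52:0x55] == b"FAT":
        return "fat"
    if sector0[510:512] == b"\x55\xAA" and any(
        sector0[0x1BE + 16 * i + 4] != 0 for i in range(4)  # partition type byte
    ):
        return "mbr"
    return "unknown"

def parse_ntfs_boot_sector(sector0: bytes) -> dict:
    """Decode the BIOS Parameter Block fields that fsstat prints for NTFS."""
    if sector0[3:11] != NTFS_OEM:
        raise ValueError("not an NTFS boot sector")
    bps, spc = struct.unpack_from("<HB", sector0, 0x0B)
    total, mft, mftmirr = struct.unpack_from("<QQQ", sector0, 0x28)
    rec_code, idx_code = struct.unpack_from("<b3xb", sector0, 0x40)
    serial = struct.unpack_from("<Q", sector0, 0x48)[0]
    cluster = bps * spc
    # A negative code means 2**|code| bytes; a positive one counts clusters.
    size = lambda code: 2 ** -code if code < 0 else code * cluster
    return {
        "sector_size": bps, "cluster_size": cluster, "total_sectors": total,
        "mft_cluster": mft, "mft_mirror_cluster": mftmirr,
        "mft_record_size": size(rec_code), "index_record_size": size(idx_code),
        "volume_serial": f"{serial:016X}",
        "mft_byte_offset": mft * cluster,  # where to seek to read the $MFT
    }

def constructed_sample_sector() -> bytes:
    """Constructed boot sector carrying the fsstat values above (not real image bytes)."""
    s = bytearray(512)
    s[0:3], s[3:11], s[0x15] = b"\xEB\x52\x90", NTFS_OEM, 0xF8
    struct.pack_into("<HB", s, 0x0B, 512, 8)           # 512-byte sectors, 8 per cluster
    struct.pack_into("<QQQ", s, 0x28, 129023, 5376, 2)  # total sectors, $MFT, $MFTMirr
    struct.pack_into("<b3xb", s, 0x40, -10, 1)          # 1024-byte MFT entries, 1-cluster index records
    struct.pack_into("<Q", s, 0x48, 0x80E6258FE625868E)
    s[510:512] = b"\x55\xAA"
    return bytes(s)

if __name__ == "__main__":
    head = constructed_sample_sector()  # or open("seized_usb_drive.dd", "rb").read(512)
    print(identify_image(head), parse_ntfs_boot_sector(head))
```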
Mounting it as NTFS with:
- sudo mount -o loop,ro,show_sys_files,streams_interface=windows seized_usb_drive.dd ./mydd
gave me "Operation not permitted."