From 66efd717750fb57a6399b970d7ba19e0e4d93fa0 Mon Sep 17 00:00:00 2001 From: Lee Ka Shing Date: Wed, 16 Oct 2019 15:25:19 +0800 Subject: [PATCH 01/12] removed files --- 0x1_Forensics_Warmup_1/solution.md | 1 - 0x2_Forensics_Warmup_2/solution.md | 2 -- 0x3_Reading_Between_The_Eyes/solution.md | 1 - 0x4_Recovering_From_The_Snap/solution.md | 1 - 0x5_Admin_Panel/solution.md | 1 - 0x6_Hex_Editor/solution.md | 1 - 0x7_Truly_An_Artist/solution.md | 1 - 0x8_Now_You_Dont/solution.md | 1 - 0x9_Ext_Super_Magic/solution.py | 5 ----- 0xA_Whats_My_Name/solution.md | 1 - 0xC_Load_Some_Bits/solution.py | 25 ------------------------ 11 files changed, 40 deletions(-) delete mode 100644 0x1_Forensics_Warmup_1/solution.md delete mode 100644 0x2_Forensics_Warmup_2/solution.md delete mode 100644 0x3_Reading_Between_The_Eyes/solution.md delete mode 100644 0x4_Recovering_From_The_Snap/solution.md delete mode 100644 0x5_Admin_Panel/solution.md delete mode 100644 0x6_Hex_Editor/solution.md delete mode 100644 0x7_Truly_An_Artist/solution.md delete mode 100644 0x8_Now_You_Dont/solution.md delete mode 100644 0x9_Ext_Super_Magic/solution.py delete mode 100644 0xA_Whats_My_Name/solution.md delete mode 100644 0xC_Load_Some_Bits/solution.py diff --git a/0x1_Forensics_Warmup_1/solution.md b/0x1_Forensics_Warmup_1/solution.md deleted file mode 100644 index 2f5c768..0000000 --- a/0x1_Forensics_Warmup_1/solution.md +++ /dev/null @@ -1 +0,0 @@ -Use the utility unzip to unpack the archive diff --git a/0x2_Forensics_Warmup_2/solution.md b/0x2_Forensics_Warmup_2/solution.md deleted file mode 100644 index 8c30c0f..0000000 --- a/0x2_Forensics_Warmup_2/solution.md +++ /dev/null @@ -1,2 +0,0 @@ -Use file to check what kind of file is this -Change the file extension and open again diff --git a/0x3_Reading_Between_The_Eyes/solution.md b/0x3_Reading_Between_The_Eyes/solution.md deleted file mode 100644 index b9c9ae6..0000000 --- a/0x3_Reading_Between_The_Eyes/solution.md +++ /dev/null 
@@ -1 +0,0 @@ -Use an online decoder, [this](http://stylesuxx.github.io/steganography/) is the one we used diff --git a/0x4_Recovering_From_The_Snap/solution.md b/0x4_Recovering_From_The_Snap/solution.md deleted file mode 100644 index 1e374f7..0000000 --- a/0x4_Recovering_From_The_Snap/solution.md +++ /dev/null @@ -1 +0,0 @@ -Use a tool such as foremost or binwalk to extract the missing binaries. diff --git a/0x5_Admin_Panel/solution.md b/0x5_Admin_Panel/solution.md deleted file mode 100644 index 5bd7129..0000000 --- a/0x5_Admin_Panel/solution.md +++ /dev/null @@ -1 +0,0 @@ -Use wireshark to analyze and find the flag diff --git a/0x6_Hex_Editor/solution.md b/0x6_Hex_Editor/solution.md deleted file mode 100644 index 0094cfb..0000000 --- a/0x6_Hex_Editor/solution.md +++ /dev/null @@ -1 +0,0 @@ -Use a hex editor such as xxd diff --git a/0x7_Truly_An_Artist/solution.md b/0x7_Truly_An_Artist/solution.md deleted file mode 100644 index 987d159..0000000 --- a/0x7_Truly_An_Artist/solution.md +++ /dev/null @@ -1 +0,0 @@ -Use a tool such as exiftool to view the metadata diff --git a/0x8_Now_You_Dont/solution.md b/0x8_Now_You_Dont/solution.md deleted file mode 100644 index ca44c08..0000000 --- a/0x8_Now_You_Dont/solution.md +++ /dev/null @@ -1 +0,0 @@ -Use gimp/photoshop to change the color diff --git a/0x9_Ext_Super_Magic/solution.py b/0x9_Ext_Super_Magic/solution.py deleted file mode 100644 index 017f410..0000000 --- a/0x9_Ext_Super_Magic/solution.py +++ /dev/null @@ -1,5 +0,0 @@ -import sys - -with open(sys.argv[1], 'rb') as f: - f.seek(0x438) - f.write('\x53\xE3') diff --git a/0xA_Whats_My_Name/solution.md b/0xA_Whats_My_Name/solution.md deleted file mode 100644 index 0fc7341..0000000 --- a/0xA_Whats_My_Name/solution.md +++ /dev/null @@ -1 +0,0 @@ -Use wireshark to find DNS packets diff --git a/0xC_Load_Some_Bits/solution.py b/0xC_Load_Some_Bits/solution.py deleted file mode 100644 index 4b67fc2..0000000 --- a/0xC_Load_Some_Bits/solution.py +++ /dev/null 
@@ -1,25 +0,0 @@ -import sys - -with open(sys.argv[1], 'rb') as f: - data = f.read() - -for n in range(8): - data_offset = data[n:] - - # get all least significant bits - lsbs = [] - for d in data_offset: - lsbs.append(d & 1) - - # group lsbs in groups of 8 - chars = [lsbs[i:i+8] for i in range(0, len(lsbs), 8)] - - - # join chars and print it - flag = [''.join([str(a) for a in c]) for c in chars] - flag = [chr(int(f, 2)) for f in flag] - flag = ''.join(flag) - - if 'picoCTF' in flag: - print(flag) - break From a5969597897ff7ee730ab898fc81d08abb97887d Mon Sep 17 00:00:00 2001 From: Lee Ka Shing Date: Sun, 20 Oct 2019 01:02:08 +0800 Subject: [PATCH 02/12] Added prerequisite for VT-x and how to check --- README.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/README.md b/README.md index 3b4d87e..890ee74 100644 --- a/README.md +++ b/README.md 
@@ -6,5 +6,22 @@ We all can agree that computer science is such a big and overwhelming field that ## Where are these challenges taken from? They are taken from the [2018 picoCTF](https://2018game.picoctf.com). I highly suggest you to try the challenges even if you are not interested in computer security as I have personally learned a lot from these challenges, not just in digital forensics but also in fields such as general computing skills, web security and binary exploitation. +## Pre-requisites +For this workshop, we will be using [VirtualBox](https://www.virtualbox.org/) to run a guest [Kali Linux](https://www.kali.org/) virtual machine. However, VirtualBox requires a technology called VT-x for intel machines, or AMD-V for AMD machines. To check if your computer is compatible, refer below. + +### Windows +1. Refer to this [link](https://www.shaileshjha.com/how-to-find-out-if-intel-vt-x-or-amd-v-virtualization-technology-is-supported-in-windows-10-windows-8-windows-vista-or-windows-7-machine/) + +### MacOS +1. Open a terminal +2. Type in the command `sysctl -a | grep machdep.cpu.features | grep VMX` +3. If the output looks something like this, you can use VirtualBox: +``` +machdep.cpu.features: FPU VME DE PSE TSC MSR PAE MCE CX8 APIC SEP MTRR PGE MCA CMOV PAT PSE36 CLFSH DS ACPI MMX FXSR SSE SSE2 SS HTT TM PBE SSE3 PCLMULQDQ DTES64 MON DSCPL VMX SMX EST TM2 SSSE3 FMA CX16 TPR PDCM SSE4.1 SSE4.2 x2APIC MOVBE POPCNT AES PCID XSAVE OSXSAVE SEGLIM64 TSCTMR AVX1.0 RDRAND F16C +``` + +### Linux +If you are already using a linux distribution, you can just use your current machine for this workshop. + ## Installation From 241fc49b470345484758f3647d86485f71e88acc Mon Sep 17 00:00:00 2001 From: Lee Ka Shing Date: Sun, 20 Oct 2019 01:04:36 +0800 Subject: [PATCH 03/12] Added details to prerequisite --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 890ee74..a4f0d73 100644 --- a/README.md +++ b/README.md 
@@ -11,14 +11,16 @@ For this workshop, we will be using [VirtualBox](https://www.virtualbox.org/) to ### Windows 1. Refer to this [link](https://www.shaileshjha.com/how-to-find-out-if-intel-vt-x-or-amd-v-virtualization-technology-is-supported-in-windows-10-windows-8-windows-vista-or-windows-7-machine/) +2. Note: VT-x or AMD-V may be disabled in the bios, check your CPU model online to see if it is VT-x enabled. If so, enable it in the bios. ### MacOS 1. Open a terminal -2. Type in the command `sysctl -a | grep machdep.cpu.features | grep VMX` +2. Type in this command: `sysctl -a | grep machdep.cpu.features | grep VMX` 3. If the output looks something like this, you can use VirtualBox: ``` machdep.cpu.features: FPU VME DE PSE TSC MSR PAE MCE CX8 APIC SEP MTRR PGE MCA CMOV PAT PSE36 CLFSH DS ACPI MMX FXSR SSE SSE2 SS HTT TM PBE SSE3 PCLMULQDQ DTES64 MON DSCPL VMX SMX EST TM2 SSSE3 FMA CX16 TPR PDCM SSE4.1 SSE4.2 x2APIC MOVBE POPCNT AES PCID XSAVE OSXSAVE SEGLIM64 TSCTMR AVX1.0 RDRAND F16C ``` +4. If it is empty, you do not have VT-x enabled on your machine ### Linux If you are already using a linux distribution, you can just use your current machine for this workshop. From 374892a8fdb82486fc10d6fd9e5cb4589d4243c2 Mon Sep 17 00:00:00 2001 From: Lee Ka Shing Date: Sun, 20 Oct 2019 01:05:18 +0800 Subject: [PATCH 04/12] fixed typo --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index a4f0d73..b447a2d 100644 --- a/README.md +++ b/README.md 
@@ -20,7 +20,7 @@ For this workshop, we will be using [VirtualBox](https://www.virtualbox.org/) to ``` machdep.cpu.features: FPU VME DE PSE TSC MSR PAE MCE CX8 APIC SEP MTRR PGE MCA CMOV PAT PSE36 CLFSH DS ACPI MMX FXSR SSE SSE2 SS HTT TM PBE SSE3 PCLMULQDQ DTES64 MON DSCPL VMX SMX EST TM2 SSSE3 FMA CX16 TPR PDCM SSE4.1 SSE4.2 x2APIC MOVBE POPCNT AES PCID XSAVE OSXSAVE SEGLIM64 TSCTMR AVX1.0 RDRAND F16C ``` -4. If it is empty, you do not have VT-x enabled on your machine +4. If it is empty, your machine does not support VT-x ### Linux If you are already using a linux distribution, you can just use your current machine for this workshop. From 12a72e887186a0bad426217d851d4b3183a43cbe Mon Sep 17 00:00:00 2001 From: Choo Wei Ken Date: Sun, 20 Oct 2019 14:26:53 +0800 Subject: [PATCH 05/12] Updated README --- README.md | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/README.md b/README.md index b447a2d..5645b26 100644 --- a/README.md +++ b/README.md 
@@ -27,3 +27,38 @@ If you are already using a linux distribution, you can just use your current mac ## Installation +### Windows + +First, you will have to install VirtualBox. You can download it [here](https://download.virtualbox.org/virtualbox/6.0.14/VirtualBox-6.0.14-133895-Win.exe). + + +Once you have VirtualBox installed, you can proceed to download [Kali Linux](https://www.offensive-security.com/kali-linux-vm-vmware-virtualbox-image-download/)(recommended) or [Kali Linux Light](https://www.kali.org/downloads/). + +### Kali Linux +Make sure __choose__ from the **VirtualBox Images section** instead of VMware or Hyper-V. + +After you have finish downloading, proceed to open VirtualBox. + +![image](https://user-images.githubusercontent.com/30463224/67142852-f1aad900-f297-11e9-8a20-e7fcfca89fdc.png) + +Once you see the main menu, you can go ahead and import the appliance we just downloaded, by clicking on the import button. + +![image](https://user-images.githubusercontent.com/30463224/67142949-ec9a5980-f298-11e9-8de2-2a5b0f5f6af4.png) + +And once you have located the file you've downloaded previously, click on **next** and then **import**. Then after successfully importing, you should see the device ready to be started at the main menu. + +![image](https://user-images.githubusercontent.com/30463224/67143074-05efd580-f29a-11e9-89b4-c0701c846324.png) + + +### Kali Linux Light +After you have finish downloading, proceed to open VirtualBox. + +![image](https://user-images.githubusercontent.com/30463224/67142852-f1aad900-f297-11e9-8a20-e7fcfca89fdc.png) + +Once you are at the main menu, click on new and name your device as Kali Linux. + +![image](https://user-images.githubusercontent.com/30463224/67143348-2e2d0380-f29d-11e9-9a07-aca914e3ea80.png) + +Continue with the installer interface with the default values, and you should see your machine ready to be started in the main menu. + + From ca55fa0e2428923b1fdddea7166ca7b6e4faecc0 Mon Sep 17 00:00:00 2001 
From: Choo Wei Ken Date: Sun, 20 Oct 2019 14:34:52 +0800 Subject: [PATCH 06/12] Updated README --- README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/README.md b/README.md index 5645b26..3ec6135 100644 --- a/README.md +++ b/README.md @@ -27,9 +27,8 @@ If you are already using a linux distribution, you can just use your current mac ## Installation -### Windows -First, you will have to install VirtualBox. You can download it [here](https://download.virtualbox.org/virtualbox/6.0.14/VirtualBox-6.0.14-133895-Win.exe). +First, you will have to install VirtualBox. You can download it [here](https://www.virtualbox.org/wiki/Downloads). Once you have VirtualBox installed, you can proceed to download [Kali Linux](https://www.offensive-security.com/kali-linux-vm-vmware-virtualbox-image-download/)(recommended) or [Kali Linux Light](https://www.kali.org/downloads/). From e7735bc20c9cae2800963cae351e268092c56c9c Mon Sep 17 00:00:00 2001 From: Choo Wei Ken Date: Sun, 20 Oct 2019 14:38:21 +0800 Subject: [PATCH 07/12] Modified README --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 3ec6135..3ff4f31 100644 --- a/README.md +++ b/README.md @@ -34,7 +34,9 @@ First, you will have to install VirtualBox. You can download it [here](https://w Once you have VirtualBox installed, you can proceed to download [Kali Linux](https://www.offensive-security.com/kali-linux-vm-vmware-virtualbox-image-download/)(recommended) or [Kali Linux Light](https://www.kali.org/downloads/). ### Kali Linux -Make sure __choose__ from the **VirtualBox Images section** instead of VMware or Hyper-V. +Make sure to __choose__ from the **VirtualBox Images section** instead of VMware or Hyper-V. + +![image](https://user-images.githubusercontent.com/30463224/67155720-f24e7880-f346-11e9-903d-1fd64737bf33.png) After you have finish downloading, proceed to open VirtualBox. 
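Review bot: on PATCH 01/12, the hunk deleting 0x1_Forensics_Warmup_1/solution.md (and the ten deletions that follow it) is not explained anywhere; the commit message "removed files" should say whether the solutions are being hidden until after the workshop or moved to another branch, so a later maintainer knows whether to restore them and from where.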
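Review bot: on PATCH 01/12, the deleted 0x9_Ext_Super_Magic/solution.py was already broken before it was removed: it opens the image with mode `'rb'` and then calls `f.write(...)`, which fails on a read-only handle (and on Python 3 a `str` cannot be written to a binary file), and `'\x53\xE3'` is not the ext superblock magic, which is 0xEF53 and is stored little-endian as the two bytes 53 EF at offset 0x438. If a solution is ever restored, it should read `with open(sys.argv[1], 'r+b') as f:` and `f.write(b'\x53\xEF')`.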
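Review bot: on PATCH 01/12, the deleted 0xC_Load_Some_Bits/solution.py only runs under Python 3: iterating `data` from a binary read yields ints there, whereas under Python 2 `d & 1` on a one-character `str` raises TypeError. A restored copy should carry a `#!/usr/bin/env python3` line, and the `if 'picoCTF' in flag` check should be followed by an explicit message when none of the eight byte offsets matches, instead of exiting silently.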
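Review bot: on PATCH 02/12, the Pre-requisites hunk gives Windows users only an external link and Linux users no check at all. A built-in Windows check is `systeminfo`, which lists "Virtualization Enabled In Firmware: Yes" under Hyper-V Requirements (or Task Manager > Performance > CPU, which shows "Virtualization: Enabled"); on Linux, `grep -Ec 'vmx|svm' /proc/cpuinfo` printing a non-zero count covers both Intel and AMD. The macOS command can also be shortened to `sysctl machdep.cpu.features | grep VMX` rather than dumping every key with `-a`. Minor: "Pre-requisites" is normally one word, "Prerequisites".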
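Review bot: on PATCH 03/12, the added Windows line "2. Note: VT-x or AMD-V may be disabled in the bios..." is a caveat, not a step, so it should sit under the list as a note rather than as item 2, with BIOS in capitals. It is also worth adding that on Windows an enabled Hyper-V can keep VirtualBox from using VT-x even when it is switched on in firmware. The added macOS step 4 says "you do not have VT-x enabled", but the `grep VMX` check in step 2 tests whether the CPU supports VMX, not whether it is enabled, so the wording should talk about support.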
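Review bot: on PATCH 04/12, changing "you do not have VT-x enabled on your machine" to "your machine does not support VT-x" is a correction of meaning, not a typo; the commit message "fixed typo" should describe it as such so the history stays searchable.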
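Review bot: on PATCH 05/12, the Installation hunk never asks attendees to verify what they download before importing it. Both the Offensive Security VirtualBox images and the Kali ISOs are published with SHA256 sums, so add a step such as `sha256sum <downloaded file>` (or `certutil -hashfile <downloaded file> SHA256` on Windows) and compare the result with the value on the download page before clicking import. Smaller points in the same hunk: the "### Windows" heading is followed by a Windows installer link but every step after it applies to all host OSes; "Make sure __choose__" is missing "to"; "After you have finish downloading" should be "finished" in both sections; and the Kali Linux Light steps skip attaching the ISO to the new VM before "Continue with the installer interface".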
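Review bot: on PATCH 06/12, replacing the pinned 6.0.14 Windows installer URL with the generic downloads page and dropping the "### Windows" heading is the right fix, but the commit message "Updated README" does not say so. Since the version is no longer pinned by the link, state the VirtualBox version the Kali image was tested with so attendees on older installs know what to upgrade to.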
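Review bot: on PATCH 07/12, the fix adds the missing "to", but the next context line, "After you have finish downloading", still needs "finished", and the new screenshot's alt text is just "image"; describe what it shows (the VirtualBox Images section of the download page) so the README remains usable when images do not load.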
From 11399cd3015aba92806d3293d5f0c69673b7b8ca Mon Sep 17 00:00:00 2001 From: Lee Ka Shing Date: Sun, 20 Oct 2019 17:35:07 +0800 Subject: [PATCH 08/12] fixed context --- README.md | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 3ff4f31..afde63c 100644 --- a/README.md +++ b/README.md @@ -20,18 +20,15 @@ For this workshop, we will be using [VirtualBox](https://www.virtualbox.org/) to ``` machdep.cpu.features: FPU VME DE PSE TSC MSR PAE MCE CX8 APIC SEP MTRR PGE MCA CMOV PAT PSE36 CLFSH DS ACPI MMX FXSR SSE SSE2 SS HTT TM PBE SSE3 PCLMULQDQ DTES64 MON DSCPL VMX SMX EST TM2 SSSE3 FMA CX16 TPR PDCM SSE4.1 SSE4.2 x2APIC MOVBE POPCNT AES PCID XSAVE OSXSAVE SEGLIM64 TSCTMR AVX1.0 RDRAND F16C ``` -4. If it is empty, your machine does not support VT-x +4. If the output is empty, your machine does not support VT-x ### Linux If you are already using a linux distribution, you can just use your current machine for this workshop. ## Installation - - First, you will have to install VirtualBox. You can download it [here](https://www.virtualbox.org/wiki/Downloads). - -Once you have VirtualBox installed, you can proceed to download [Kali Linux](https://www.offensive-security.com/kali-linux-vm-vmware-virtualbox-image-download/)(recommended) or [Kali Linux Light](https://www.kali.org/downloads/). +Once you have VirtualBox installed, you can proceed to download [Kali Linux](https://www.offensive-security.com/kali-linux-vm-vmware-virtualbox-image-download/)(recommended) or [Kali Linux Light](https://www.kali.org/downloads/). ### Kali Linux Make sure to __choose__ from the **VirtualBox Images section** instead of VMware or Hyper-V. 
@@ -61,5 +58,3 @@ Once you are at the main menu, click on new and name your device as Kali Linux. ![image](https://user-images.githubusercontent.com/30463224/67143348-2e2d0380-f29d-11e9-9a07-aca914e3ea80.png) Continue with the installer interface with the default values, and you should see your machine ready to be started in the main menu. - - From 6d4e733c5b1a22f20a6b609fc6b055c20827ab6e Mon Sep 17 00:00:00 2001 From: Lee Ka Shing Date: Sun, 20 Oct 2019 23:37:51 +0800 Subject: [PATCH 09/12] updated installation details --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index afde63c..9c17569 100644 --- a/README.md +++ b/README.md @@ -28,7 +28,7 @@ If you are already using a linux distribution, you can just use your current mac ## Installation First, you will have to install VirtualBox. You can download it [here](https://www.virtualbox.org/wiki/Downloads). -Once you have VirtualBox installed, you can proceed to download [Kali Linux](https://www.offensive-security.com/kali-linux-vm-vmware-virtualbox-image-download/)(recommended) or [Kali Linux Light](https://www.kali.org/downloads/). +Once you have VirtualBox installed, you can proceed to download the pre-made VirtualBox image for [Kali Linux](https://www.offensive-security.com/kali-linux-vm-vmware-virtualbox-image-download/) (recommended) or manually install [Kali Linux Light](https://www.kali.org/downloads/). ### Kali Linux Make sure to __choose__ from the **VirtualBox Images section** instead of VMware or Hyper-V. From 726f58795a8a038bcad75bbd1a84e016c548f21f Mon Sep 17 00:00:00 2001 From: Lee Ka Shing Date: Sun, 20 Oct 2019 23:49:16 +0800 Subject: [PATCH 10/12] fixed typo --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 9c17569..ea95d32 100644 --- a/README.md +++ b/README.md 
@@ -1,7 +1,7 @@ # Forensics workshop by CSS 24th October 2019 ## Purpose of this workshop -We all can agree that computer science is such a big and overwhelming field that it can sometimes be hard to find a field that you like to pursue your career with. The goal of this workshop is to expose students to something new that they usually do no come across during their years studying in Nottingham. This workshop aims to get your feet wet with some basic digital forensics and linux skills. +We all can agree that computer science is such a big and overwhelming field that it can sometimes be hard to find a field that you like to pursue your career in. The goal of this workshop is to expose students to something new that they usually would not come across during their years studying in Nottingham. This workshop aims to get your feet wet with some basic digital forensics and linux skills. ## Where are these challenges taken from? They are taken from the [2018 picoCTF](https://2018game.picoctf.com). I highly suggest you to try the challenges even if you are not interested in computer security as I have personally learned a lot from these challenges, not just in digital forensics but also in fields such as general computing skills, web security and binary exploitation. From 687336be494ee0867a50747cf23f15a6827fb062 Mon Sep 17 00:00:00 2001 From: Lee Ka Shing Date: Mon, 21 Oct 2019 00:39:05 +0800 Subject: [PATCH 11/12] fixed date --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index ea95d32..76f7290 100644 --- a/README.md +++ b/README.md 
@@ -1,4 +1,4 @@ -# Forensics workshop by CSS 24th October 2019 +# Forensics workshop by CSS 25th October 2019 ## Purpose of this workshop We all can agree that computer science is such a big and overwhelming field that it can sometimes be hard to find a field that you like to pursue your career in. The goal of this workshop is to expose students to something new that they usually would not come across during their years studying in Nottingham. This workshop aims to get your feet wet with some basic digital forensics and linux skills. From f8b6a6f2f688f198b76be055e1466a02c05f1bb9 Mon Sep 17 00:00:00 2001 From: Lee Ka Shing Date: Mon, 21 Oct 2019 01:46:53 +0800 Subject: [PATCH 12/12] fixed date again --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 76f7290..ddf9454 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# Forensics workshop by CSS 25th October 2019 +# Forensics workshop by CSS 23rd October 2019 ## Purpose of this workshop We all can agree that computer science is such a big and overwhelming field that it can sometimes be hard to find a field that you like to pursue your career in. The goal of this workshop is to expose students to something new that they usually would not come across during their years studying in Nottingham. This workshop aims to get your feet wet with some basic digital forensics and linux skills.
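Review bot: on PATCH 08/12, the first hunk both rewords macOS step 4 ("If the output is empty...") and strips stray blank lines under "## Installation", but the commit message "fixed context" says neither; name the two changes. The second hunk only drops trailing blank lines at the end of the file, which is fine as long as the final newline is kept.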
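Review bot: on PATCH 09/12, the sentence now distinguishes the pre-made VirtualBox image from a manual install of Kali Linux Light, which is clearer, but the Light link still points at the generic downloads page rather than the ISO; link the ISO directly and, since that path uses an ISO rather than an .ova, make sure the Kali Linux Light section tells readers to attach it as the VM's optical drive.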
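Review bot: on PATCH 10/12, the two grammar fixes are correct; the unchanged context line "I highly suggest you to try the challenges" still reads better as "I highly suggest you try the challenges", and is worth folding into the same typo pass.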
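Review bot: on PATCH 11/12 and PATCH 12/12, the title date moves from 24th to 25th and then to 23rd October in two consecutive commits; squash the two before merging so the history does not record a wrong date, and confirm the date against the event listing in the commit message.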