Digital Forensics

Digital forensics is a branch of forensic science involving recovering evidence from digital devices for investigations. There are four main types of digital forensics used in cybersecurity: computer forensics, network forensics, memory forensics, and mobile forensics. Having strong digital forensics capabilities benefits organizations by supporting incident response, enabling legal prosecution, acting as a security deterrent, and allowing closer employee monitoring. Several security roles like SOC analysts, malware analysts, and incident responders utilize digital forensics skills and tools.

Uploaded by Alan Lim

 

“Digital forensics is a branch of forensic science encompassing the recovery and investigation
of material found in digital devices, often in relation to computer crime.” So, Forensics is the
technical process of recovering or collecting evidence that will be used in an investigation. In
regards to Security Operations, this discipline is often associated with monitoring of employees
to maintain a high-security posture, aiding with incident response to reveal details of how a
compromise occurred and any post-actions (known as DFIR), as well as other tasks which
require a ‘deep-dive’ into technical aspects.
 
 
 

Types of Digital Forensics


 
When looking at the different types of Digital Forensics, we have 4 that would likely be used in a
cybersecurity operations environment:

- Computer Forensics – Identifying, collecting, and preserving evidence taken from desktops, laptops, and other computer systems and storage media for the purpose of aiding investigations or legal proceedings.
- Network Forensics – The monitoring, collection, and analysis of network activities such as visited websites and connected IPs, usually associated with incident response and intrusion detection.
- Memory Forensics – The process of recovering evidence from the RAM of a running system (also known as live acquisition or live response).
- Mobile Forensics – The process of recovering evidence from mobile phones, SIM cards, PDAs, tablets, and other mobile devices.
 
 
 

Benefits of Digital Forensics


 
Having a good Digital Forensics capability can provide a number of benefits for an organisation.
Whilst it does require specialist staff (or training) and equipment, these costs can ultimately
provide a great benefit by reducing the impact and likelihood of cyber attacks. Below are some
reasons why it is useful.
 
Supporting Incident Response Capabilities
 
Having a better incident response capability can be achieved by having additional team members
with strong technical backgrounds and skills that can help when responding to escalated security
events. When dealing with an incident, it is important to correctly gather and preserve evidence
so it can be used for analysis, intelligence sharing, and potentially prosecution. Digital Forensics
analysts can be a great asset when it comes to analysing malicious activities, from a malware
infection to an insider threat, using their deep technical knowledge, analysis techniques, and
monitoring capabilities.
 
Legal Prosecution
 
In a future lesson we’ll cover the Chain of Custody, a procedure that must be followed for
digital evidence to be admissible in court. If this evidence is not kept secure, accounted for, and
unmodified at all times, it will not be valid and will hold no weight in court. Forensics experts will be
familiar with how to collect and handle evidence appropriately, keeping it secure.
 
A Security Deterrent
 
Think about it this way: if you were going to attack two similar organisations, but you knew one
of them had a capable Digital Forensics team or capability, which would you attack? The one
without, right? If you know that there’s the potential for you to be caught and prosecuted, you’re
less likely to conduct such activities. Having a strong security team may deter less-sophisticated
actors from conducting attacks in the first place.
 
Monitoring Employees
 
Sometimes employees need to be monitored closely due to suspicious or malicious behaviour.
This could include inappropriate internet browsing on work systems, breaches of an Acceptable
Use Policy, downloading malicious or inappropriate files, or any other scenario that requires
intervention from the security team. Forensics Analysts will likely be trained to monitor for
insider threats, and covertly collect evidence which can be used by the Human Resources
department as justification for firing an employee, or handing over to law enforcement if the
user’s activity breaks any laws.
 

This lesson will cover different security roles that can include work involving digital forensics skills
or tools.
 
 

Tier 1 SOC Analyst


T1 Analysts will conduct initial investigations, mainly first-line incident response, and collect
evidence that will be added to an investigation case. This evidence is then used as justification for
taking defensive measures, such as blocking an IP, domain, or email sender.
 

Tier 2/3 SOC Analyst


T2/T3 Analysts will handle escalated investigations that require more technical expertise, or access
to additional tools or sensors. As these investigations are escalated, the evidence is likely to be
retrieved and stored under more strict conditions.
 

Malware Analyst
Within the security operations domain, Digital Forensics can also be used as a term to refer to the
process of malware analysis. Taking a sample of malware and using different techniques to
discover what its purpose is, and how to detect it in the future by gathering IOCs.
 
Digital Forensics Analyst
Digital Forensics Analysts will work on high-profile investigations, escalated cases, employee
monitoring, working with the Security Incident Response Team (SIRT), and other tasks that require
trusted and highly-technical individuals.
 

Insider Threat Analyst


Security professionals that focus on detecting and monitoring insider threats will utilize their
extensive digital forensics skills to ensure that no stone is left unturned and that any and all
evidence against an individual is collected in the appropriate manner.
 

Threat Hunter
Threat Hunters are expert technical defenders that have a deep understanding of both offensive
and defensive practices. To be able to hunt effectively, these individuals need to truly understand
how computers and networks work, and also understand key artifacts that can be found and used
as evidence of an intrusion.
 

Incident Responder
Incident responders are top-tier security analysts that typically possess skills across incident response,
security operations, and digital forensics. This allows them to conduct in-depth investigations into
how a system was compromised, or what activity was taken on a device. This may sometimes include work
that is closely aligned with a Forensic Examiner, such as retrieving data from physical media such
as laptops and phones, and using specialist tools to process and analyse the data to find indicators
of malicious activity.

Security professionals whose work involves digital forensics have an incredible range of
tools at their disposal. This lesson is designed to give you a brief introduction to some
of the most popular and well-known tools, but remember, there are a lot more out
there!
 
 
 

Evidence Collection
 
 

KAPE
KAPE can be deployed locally or on remote systems to quickly gather key data. This
allows analysts to begin investigating while the lengthy process of taking a disk image
is being conducted. KAPE can retrieve artifacts relating to browser usage, program
execution, the filesystem, logs, and much more.
 

FTK Imager
FTK Imager (FTKi) is a tool that allows us to create hard drive images and also memory
images, which can then be analysed in other programs. We can also import disk images
into FTKi, allowing us to navigate through the file system as if we were on a live
device!
 

EnCase
EnCase is a suite of tools that has a wide range of functionality for digital forensics and
e-Discovery. EnCase can be used to take forensic images of computers, mobile phones,
and internet-of-things devices, which can then be analyzed to collect digital evidence.
 

Cellebrite
Cellebrite is a suite of tools designed primarily for mobile forensics, which allows easy
acquisition of data from a mobile device so it can be processed in the tools covered in
the section below.
 
 
 

Evidence Analysis
 
 

Autopsy
Autopsy is a Windows and Linux tool that, when provided with a disk image file, allows
the user to perform deep forensic analysis of the device. Ingest modules can be run to
quickly retrieve key information, such as recently used programs, deleted files, emails,
visited websites, and much more.
 

Volatility
Volatility is a Python-based memory forensics framework that enables the analysis of
memory dumps or memory images. With a wide range of commands, we can use this tool
to understand what processes were running on a system, its network connections,
programs in use, and much more. If malware is identified running in memory,
we can extract it and conduct further analysis.
 
 
While this is just a brief introduction into a handful of tools, we hope it helps you to
understand how different tools can be applied to different situations!
 
It can be very challenging to get hands-on digital forensics experience without actually
working in the industry. Thankfully there are a number of places where you can learn
real-world forensics! Below we will talk about two of our platforms, and provide some
quality reading material links so you can continue researching the world of forensics!
 
 
 

Blue Team Level 1


 
Our junior-level security operations certification has an entire domain dedicated to
digital forensics. This covers everything from the fundamentals of computer systems to
conducting investigations on Windows and Linux systems, and performing memory
and hard drive forensics.
BTL1 is the cheapest practical blue team certification in the world, and includes 4
months of training, 120 hours of labs, and a practical exam with a free re-sit voucher if
you fail.
Find more information here, including the syllabus, lab list, and
more: https://securityblue.team/why-btl1/
 
 
 
 

Blue Team Labs Online


 
Our other platform, BTLO, is designed for existing security professionals to test their
skills in realistic scenarios. As of October 2022 we have 22 unique digital forensics labs
covering everything from cryptocurrency to the recycling bin, investigating insider
threats to helping law enforcement. To gain access to these labs, and 80+ more, it
costs just £15/$20 a month, with unlimited lab time!
We also have 7 completely FREE challenges related to digital forensics. Register for
free today! https://blueteamlabs.online
 
This section of the course will cover what evidence is. With an ever-increasing number
of devices, including mobile devices, IoT, games consoles, personal servers, micro-computers,
and many more, any of these devices has the potential to be used in an
illegal or unintended manner. But what is digital evidence? It’s information or data
that is related to an investigation, which is stored on, transmitted, or received by an
electronic device. During the first stage of the digital forensics process, identification,
we are looking to identify evidence, where it is stored, and what format it is in. To
make it easy, we’ll split the origin of evidence into three categories: network,
computers, and mobiles.

Evidence via Computers

 
Most of the time, evidence will be files and other data on electronic storage media,
such as hard drives in desktops, laptops, and mobile devices. We could be looking at
an individual who was found to have a folder of inappropriate images on his work
laptop. This folder and all of its contents are evidence and need to be preserved so that
they can be used for disciplinary action within the company, or used for prosecution
depending on the nature of the images. Other types of evidence found on standalone
computers can include saved emails or saved chat logs, images, text files, videos, audio
files, and more. There are certain places on a computer where data can be hidden from
immediate view, and this is a popular tactic for criminals or individuals engaged in
illegal activities. Files and data can be hidden in slack space on hard drives, and hidden
inside legitimate files using steganography. Learn more about computer forensic
tools here.

Evidence via Network


 
When moving away from physical storage and looking at networking, there are a
number of evidence types we can collect and use. Browser history is a big one: by
working as a record book of what sites the user has visited, it lets us
understand what resources have been accessed online, and when. This is beneficial
when dealing with events where an employee may be breaching the company’s
Acceptable Use Policy by inappropriately browsing the internet during work hours (too
much time on social media, gaming, inappropriate or pornographic sites, illegal sites,
working on a personal business whilst at work). We don’t need to rely on the browser
either – network devices such as a web proxy or router will also hold information
about requested sites online, as everything will likely go through these systems. In
recent years, social media posts have been used as digital evidence in court, provided
there is a reasonable belief that they were posted by the intended account owner. This
can also extend to other sites where posts can be made, such as forums and blogs.
Instant messaging conversations can also be used as evidence, such as Facebook’s
Messenger, WhatsApp, and other chat-based applications. Learn more about network
forensics and tools here.

Evidence via Mobiles

 
How often do you use your phone? It’s likely you use it every day. We all do. The wealth
of information on our phones can be very useful to investigators. Evidence such as call
history (incoming/outgoing/number/duration), text messages, contacts, web history,
images, videos, apps, GPS location, notes, and much more can be retrieved if
appropriate. Deleted files can be restored, old app data can be retrieved, and much
more, using specialist mobile forensics tools. Find out more about mobile forensics and
tools here.
 
Chain of Custody is the “logical sequence of gathering evidence, whether it be physical or
electronic in legal cases” [1]. If this process is not followed properly, the evidence collected
may be rendered inadmissible in court, so legal prosecution can’t take place. Forcing prosecutors
to take such a professional and cautious approach to evidence collection and storage ensures that
evidence is accurate and hasn’t been tampered with, so justice can be achieved.
So how can Digital Forensics Analysts ensure that the Chain of Custody is followed? There are a
number of best practices that are used.

- It is important to have a record of who collected a piece of evidence, and who has been responsible for it since it was collected. This means if anything happens to it, the person assigned can be held accountable. Below is an example of a form that would be found with physical evidence, such as a laptop or mobile phone.

- If an Analyst is conducting a forensic investigation on a hard-drive image, they should NOT be working on the original copy of the evidence. The original disk image should be hashed (the mathematical calculation which results in a unique text string specific to that exact file) and then a full bit copy should be taken, ensuring that absolutely everything is included in the copied image. This new file should then be hashed, and if it is an exact copy, the file hashes will be the same. The Analyst should then work on the copy, so the original evidence is not modified, making it inadmissible in court.

- When copying evidence to a forensic disk (a high capacity hard drive used only for forensic investigations or incident response), the storage media should be completely sanitized, to ensure that there is no data already on it, as this could contaminate the evidence.
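To make the hashing and bit-copy steps above concrete, here is an added Python example (written for this page, not part of the course material): it hashes a constructed stand-in for a disk image, takes a byte-for-byte copy, confirms the two hashes match, records each handling step in a simple custody log, and then shows how a single stray byte written to the working copy breaks the chain. The evidence ID, analyst names and image content are made up for the demonstration.

```python
import datetime
import hashlib
import os
import shutil
import tempfile
from typing import Dict, List

CHUNK_SIZE = 1024 * 1024  # hash and copy in 1 MiB chunks so a large image never sits in memory


def hash_file(path: str, algorithm: str = "sha256") -> str:
    """Return the hex digest of a file, read in chunks."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def bit_copy(src: str, dst: str) -> None:
    """Byte-for-byte copy of src to dst, flushed to disk before returning."""
    with open(src, "rb") as s, open(dst, "wb") as d:
        shutil.copyfileobj(s, d, CHUNK_SIZE)
        d.flush()
        os.fsync(d.fileno())
    if os.path.getsize(src) != os.path.getsize(dst):
        raise IOError("copy is not the same size as the original")


def verify_copy(original: str, copy: str) -> Dict[str, object]:
    """Hash both files and report whether they are identical."""
    h_orig, h_copy = hash_file(original), hash_file(copy)
    return {"original_sha256": h_orig, "copy_sha256": h_copy, "identical": h_orig == h_copy}


def custody_entry(log: List[Dict[str, str]], evidence_id: str, handler: str,
                  action: str, path: str) -> Dict[str, str]:
    """Append a custody record: who did what to the evidence, when, and its hash at that moment."""
    entry = {
        "evidence_id": evidence_id,
        "handler": handler,
        "action": action,
        "timestamp": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "sha256": hash_file(path),
    }
    log.append(entry)
    return entry


def chain_intact(log: List[Dict[str, str]]) -> bool:
    """True only if every recorded hash equals the first one, i.e. nobody altered the evidence."""
    return len(log) > 0 and all(e["sha256"] == log[0]["sha256"] for e in log)


def demo() -> Dict[str, object]:
    """Constructed scenario: a small 'disk image', its working copy, and a custody log."""
    workdir = tempfile.mkdtemp()
    original = os.path.join(workdir, "EVID-0001_original.img")  # hypothetical evidence ID
    working = os.path.join(workdir, "EVID-0001_working.img")
    with open(original, "wb") as fh:  # constructed image content, not a real disk
        fh.write(b"BTL1-DEMO" * 4096)

    log: List[Dict[str, str]] = []
    custody_entry(log, "EVID-0001", "analyst.a (hypothetical)", "acquired original", original)
    bit_copy(original, working)
    custody_entry(log, "EVID-0001", "analyst.a (hypothetical)", "verified working copy", working)
    before = verify_copy(original, working)

    # Someone writes a single extra byte to the working copy; the hashes now diverge
    # and the custody log makes the break visible.
    with open(working, "ab") as fh:
        fh.write(b"\x00")
    custody_entry(log, "EVID-0001", "analyst.b (hypothetical)", "analysis session", working)
    after = verify_copy(original, working)

    return {"before": before, "after": after, "chain_intact": chain_intact(log), "log": log}


if __name__ == "__main__":
    result = demo()
    print("copy verified:", result["before"]["identical"])
    print("after modification:", result["after"]["identical"], "| chain intact:", result["chain_intact"])
```

Run it with no arguments; the custody log it builds is the electronic equivalent of the paper form mentioned above, with the hash standing in for the signature that proves nothing changed between hand-overs.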

 

 Materials
[1] https://www.linealservices.com/what-is-the-chain-of-custody-in-digital-forensics/

Digital Evidence Quiz


 
To help get you familiar with digital evidence, we have created a short quiz consisting of 5
questions. Good luck!
 
 

Knowledge Review
In this section we will cover how files can have their extensions altered to hide their
contents, and how to identify files that have been altered, so we can restore them back
to their intended extension. This is a low-level tactic that can be used to hide files in
plain sight. In the Course Challenge, make sure to look for any files that may have an
incorrect extension, and be hiding their true content!
In our test environment, we have 2 files; babyyoda.jpeg  and babyyoda2.zip.
 
 
If we try to extract files from the ZIP, nothing will happen. So let’s try to
unzip babyyoda2.zip from the command line. Now it gives us an error stating
that this file may not be a ZIP archive. We can use a handy tool called file, which tells
us the true file type by looking at the file’s header structure. By running file
babyyoda2.zip we learn that this file should actually be a .jpeg!

 
To restore this file to its intended format, we can simply rename the file in the GUI by
right-clicking on it and selecting Rename, or using the command mv babyyoda2.zip
babyyoda2.jpeg to move the original file to the same location, but change the name
to babyyoda2.jpeg. We can now see that the filename is pink, along with the
first .jpeg file. In the GUI we can see the second file now has a thumbnail of its true
content.
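As an added illustration of what file does when it reads the header (example code written for this page, not a tool from the course), the Python below identifies a file type from its leading bytes, compares it with the extension the file claims, and suggests the corrected name that the mv command above produces. The babyyoda.jpeg and babyyoda2.zip files it creates are constructed stand-ins holding only a JPEG header, not the real images from the lab.

```python
import os
import tempfile
from typing import Dict, List, Optional, Tuple

# Leading-byte signatures, the same idea `file` relies on (a handful of entries here;
# the real `file` command consults a much larger magic database).
SIGNATURES: List[Tuple[bytes, str]] = [
    (b"\xFF\xD8\xFF", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"PK\x03\x04", "zip"),
    (b"%PDF-", "pdf"),
]

# Extensions that legitimately carry each signature (Office documents and JARs are ZIPs).
ACCEPTED_EXTENSIONS: Dict[str, set] = {
    "jpeg": {"jpeg", "jpg"},
    "png": {"png"},
    "gif": {"gif"},
    "zip": {"zip", "docx", "xlsx", "pptx", "jar", "apk"},
    "pdf": {"pdf"},
}


def identify(header: bytes) -> Optional[str]:
    """Return the type implied by the first bytes of a file, or None if unknown."""
    for magic, kind in SIGNATURES:
        if header.startswith(magic):
            return kind
    return None


def suggested_name(path: str, kind: str) -> str:
    """The name the file would have under its true type (what the mv in the text achieves)."""
    return os.path.splitext(path)[0] + "." + kind


def check_extension(path: str) -> Dict[str, object]:
    """Compare the extension a file claims with the type its header reveals."""
    with open(path, "rb") as fh:
        header = fh.read(16)
    actual = identify(header)
    claimed = os.path.splitext(path)[1].lstrip(".").lower()
    mismatch = actual is not None and claimed not in ACCEPTED_EXTENSIONS[actual]
    return {
        "path": path,
        "claimed": claimed,
        "actual": actual,
        "mismatch": mismatch,
        "suggested": suggested_name(path, actual) if mismatch else path,
    }


def scan_directory(directory: str) -> List[Dict[str, object]]:
    """Check every regular file in a directory, sorted by name."""
    results = []
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        if os.path.isfile(full):
            results.append(check_extension(full))
    return results


def build_demo_dir() -> str:
    """Constructed test environment: two files with a JPEG header (one renamed to .zip) and a real ZIP header."""
    workdir = tempfile.mkdtemp()
    jpeg_header = b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 32  # header only, not a full picture
    for name in ("babyyoda.jpeg", "babyyoda2.zip"):
        with open(os.path.join(workdir, name), "wb") as fh:
            fh.write(jpeg_header)
    with open(os.path.join(workdir, "real.zip"), "wb") as fh:
        fh.write(b"PK\x03\x04" + b"\x00" * 26)  # ZIP local-file-header signature only
    return workdir


if __name__ == "__main__":
    for entry in scan_directory(build_demo_dir()):
        flag = "MISMATCH" if entry["mismatch"] else "ok"
        print(f"{os.path.basename(entry['path'])}: claims {entry['claimed']!r}, header says {entry['actual']!r} [{flag}]")
```

A file whose header matches none of the table is reported as unknown rather than as a mismatch, which is the safe default: an analyst should look at it, not rename it on a guess.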

 
You will have a chance to use these commands for yourself with our Linux CLI
Activity & Quiz at the end of this course section!
 
Now that you know how to move around directories using the terminal, let’s cover
how to read files using three commands; strings, cat, head. In the Course Challenge,
make sure to look for any files that contain hidden messages! (This will be covered
more in-depth during the Steganography section)
We’re currently in a folder on our Desktop called DesktopFolder. Inside we have a .txt
file called TextFile.txt. We can read the contents of this text file using the
command strings which will print any human-readable strings to the terminal.
 

 
We can achieve something similar by using the command cat, which is short for
concatenate. This prints out the entire contents of a file, not just the human-
readable text that strings extracts from the file. In the screenshot below, we can see
that cat has found an additional line of content! This is because that line does not
contain a run of human-readable characters, which is why it was not picked up when we used the first
command.
 
Another command we can use is head, which will output the first part of a file to our
terminal, which by default will be 10 lines. Using this command on our new text
file TextFile2.txt  we can see the first 10 lines!

 
These commands can be used on other files, not just text files. They can be used to
uncover hidden string messages in files such as images and audio files, but this will be
covered in the Steganography section of this course.
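Here is an added Python example (not from the course) that reproduces the behaviour of strings, cat and head on a constructed stand-in for TextFile.txt, so you can see exactly why cat shows a line that strings does not: strings only reports runs of at least four printable characters, while cat prints every byte. TextFile2.txt is modelled as a constructed 12-line file to show head's default of 10 lines.

```python
from typing import List

# Constructed stand-in for TextFile.txt as it would sit on disk. The second line is made
# of non-printable bytes, so strings skips it while cat still writes it to the terminal;
# the last line is shorter than strings' default minimum run length of 4.
SAMPLE_FILE = (
    b"Notes for the course challenge\n"
    b"\x01\x02\x03\x04\x05\x06\x07\n"
    b"hidden message: the meeting is at noon\n"
    b"ok\n"
)

# Constructed stand-in for TextFile2.txt: twelve numbered lines.
TWELVE_LINES = b"".join(b"line %d\n" % i for i in range(1, 13))

# Printable ASCII (space through '~') plus tab, the set GNU strings treats as printable.
PRINTABLE_ASCII = set(range(0x20, 0x7F)) | {0x09}


def strings(data: bytes, min_len: int = 4) -> List[str]:
    """strings: every run of at least min_len printable characters."""
    found, run = [], bytearray()
    for byte in data + b"\x00":  # sentinel so a trailing run is flushed
        if byte in PRINTABLE_ASCII:
            run.append(byte)
        else:
            if len(run) >= min_len:
                found.append(run.decode("ascii"))
            run.clear()
    return found


def cat(data: bytes) -> List[bytes]:
    """cat: every line exactly as stored, printable or not."""
    return data.splitlines()


def head(data: bytes, lines: int = 10) -> List[bytes]:
    """head: only the first `lines` lines (default 10)."""
    return cat(data)[:lines]


def lines_strings_misses(data: bytes) -> List[bytes]:
    """Lines cat shows but strings does not: they contain no printable run of 4+ characters."""
    return [line for line in cat(data) if not strings(line)]


if __name__ == "__main__":
    print("strings ->", strings(SAMPLE_FILE))
    print("cat     ->", cat(SAMPLE_FILE))
    print("missed  ->", lines_strings_misses(SAMPLE_FILE))
    print("head    ->", head(TWELVE_LINES))
```

The same functions work on any bytes, so pointing strings at an image or audio file finds exactly the kind of embedded text the Steganography section talks about.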
Welcome to the section on Steghide, a tool for hiding and retrieving data via
steganography. In preparation for the Course Challenge, make sure you understand
how to extract embedded files, in case you find evidence of a steganography file
during your investigation!
Log into your Kali VM, and type steghide. If nothing comes up, you don’t have the tool
installed, so you’ll need to run the command sudo apt-get install steghide. When
prompted, type ‘y’ and wait for the tool to download and install.
 

 
Before we jump into how to use the tool, let’s cover what it can and can’t do. When
using Steghide, we will always have a cover document, and our secret document.
Below are the file types we can use (note that Cover Documents can only be images or
audio files due to their file structure).
 
In this example, we’re going to be using our cover document laptop.jpg and our
secret document, a ZIP archive named secret.zip which contains a text file
called 1.txt.

Let’s start off by zipping the /secret/ directory that contains 1.txt. In the terminal,
type the command zip -r secret.zip secret. This command will compress everything
inside secret and output it to a file named secret.zip.
 
Now we have our cover file and secret file, let’s use Steghide to hide secret.zip inside
of laptop.jpg. Here’s an explanation of the command we’re using, steghide embed -cf
laptop.jpg -ef secret.zip.

- steghide – Selects the tool we want to use
- embed – Selects the mode we want to use (embedding files)
- -cf laptop.jpg – Selects the cover file (the file we want to hide data inside)
- -ef secret.zip – Selects the file we want to embed (the file we want to hide)

When prompted for a passphrase, you may enter any password you like. The same passphrase will be
required to extract the data later, protecting its confidentiality so that only the intended
recipient can access it.
 
 
In this example, we’ve overwritten laptop.jpg to become laptop.jpg with an embedded
file. If we want to create a new ‘stego’ file, we can use the -sf flag to output it to a new
file. In the below screenshot we’ve used -sf laptop2.jpg to output to a new file.

 
Now that you know how to embed files, you need to know how to extract data from
steganography files. We know that laptop2.jpg is a stego file containing an
embedded file, and we know the passphrase is ‘password’. We can use the following
command to retrieve the hidden file: steghide extract -sf laptop2.jpg. When prompted for
the passphrase, we enter it, and the tool will extract secret.zip and place it in the
current directory.

- steghide – Selects the tool we want to use
- extract – Selects the mode we want to use (extracting files)
- -sf laptop2.jpg – Selects the steganography file for extraction (combination of cover file and hidden data)
 
 
You will have a chance to use these commands for yourself with our
Steganography Activity & Quiz at the end of this course section!
 

 
This topic will cover how to password-protect a ZIP file in Kali Linux. This isn’t a secure method of
protecting information, but you will need to know how to do it in order to fully understand and
complete the ZIP cracking section of this course.
Firstly, make sure you have the ZIP tool installed, and fully up-to-date. You can use the
command sudo apt-get install zip.
 

 
In the first example we will compress a text file named text.txt into a password-protected ZIP file
named Protected.zip, with the password password123. The command I’m using is zip --encrypt
Protected.zip text.txt.

- zip – Selects the tool we want to use
- --encrypt – Selects the function of the tool we want to use. ‘Encrypt’ will encrypt our ZIP archive and require a password to decrypt the contents.
- Protected.zip – The name of the output ZIP file.
- text.txt – The file we want to compress.
 

 
Now when we try to unzip the ZIP archive, it’ll ask us for the password. If we enter it in correctly, it
will extract the compressed file(s).

 
As you’ll see in the next section, these passwords can easily be attacked, allowing us to
access the protected contents.
 

Brute-Force Attacks
This section will cover how to launch brute-force attacks against a password-protected ZIP, and
discuss the pros and cons of using this attack type compared to dictionary-based attacks.
What are the PROS of using a brute-force attack?
The obvious pro of using this method is that you will ALWAYS get the password. Because you are
trying every possible combination, you will eventually crack the password and gain access, but this
comes with a major downside.
If you have information such as the length of the password, you will cut down the number of
possibilities dramatically. This can be applied to other attacks such as cracking account credentials
– if you know the password policy or requirements, you can reduce the number of possibilities
significantly.
What are the CONS of using a brute-force attack?
This attack method takes time. A lot of time. If you started with AAAAA, the next guess would be
AAAAB then AAAAC. It’s going to take a very long time to get the right password, and each
additional character is going to add a lot more possibilities.
Want to know how long it would take to crack your password? Enter it
at https://howsecureismypassword.net  (or enter any string you want!)
 
Let’s try our own brute-force attack. To do this we’re going to need the tool fcrackzip. You can
check if you have the tool installed by running fcrackzip; if not, you can install it using sudo apt-get
install fcrackzip.

 
The command in the screenshot below might look scary at first, but we’ll talk you through exactly
what is happening. In this example, our target ZIP is BruteForceAttack.zip with a password
of a1bc.

- fcrackzip – Selecting the tool we want to use.
- -b – Selecting the option for a brute-force attack.
- BruteForceAttack.zip – The file we want to brute-force.
- -u – This makes sure fcrackzip actually tries to unzip the file; without this we won’t actually get the right password.
- -c – This is where we pick the characters we want to use in our brute-force attack. In this example we’re using ‘a’, which represents lowercase letters, and ‘1’, which represents numbers 0-9.
- -l – This is where we state the length of the password we want to crack. If we know the password is between 4 and 6 characters, we would use "-l 4-6".
 
 
After a few seconds we can see that fcrackzip has identified the correct password a1b2  and we’re
now able to successfully extract the contents of the password-protected ZIP file!
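To put numbers on the pros and cons above, here is an added Python example (not part of the course) that models the size of a brute-force search in terms of fcrackzip’s -c character classes and -l length range: it shows why a known length or a small character set cuts the work dramatically, and why each extra character multiplies it by the charset size. The class sizes for ‘a’, ‘A’ and ‘1’ come from the fcrackzip man page; the guess rate passed to worst_case_seconds is a hypothetical input, not a measurement of fcrackzip.

```python
from typing import Dict, List, Tuple

# fcrackzip -c character classes: 'a' lowercase a-z, 'A' uppercase A-Z, '1' digits 0-9.
# The tool accepts further classes and literal characters; they are left out of this model.
CLASS_SIZES: Dict[str, int] = {"a": 26, "A": 26, "1": 10}


def charset_size(classes: str) -> int:
    """Number of distinct characters a -c string such as 'a1' allows in each position."""
    unknown = [c for c in classes if c not in CLASS_SIZES]
    if unknown:
        raise ValueError(f"unsupported class(es): {unknown}")
    return sum(CLASS_SIZES[c] for c in set(classes))


def keyspace(classes: str, min_len: int, max_len: int) -> int:
    """Total candidates a brute-force run must be prepared to try for lengths min_len..max_len."""
    if min_len < 1 or max_len < min_len:
        raise ValueError("length range must satisfy 1 <= min_len <= max_len")
    n = charset_size(classes)
    return sum(n ** length for length in range(min_len, max_len + 1))


def growth_table(classes: str, max_len: int) -> List[Tuple[int, int]]:
    """(length, candidates) pairs: each extra character multiplies the work by the charset size."""
    n = charset_size(classes)
    return [(length, n ** length) for length in range(1, max_len + 1)]


def worst_case_seconds(classes: str, min_len: int, max_len: int, guesses_per_second: float) -> float:
    """Upper bound on run time at an assumed guess rate (hypothetical, supplied by the caller)."""
    return keyspace(classes, min_len, max_len) / guesses_per_second


def savings_from_length_hint(classes: str, known_len: int, max_len_without_hint: int) -> float:
    """How many times smaller the search becomes when the exact length is known."""
    return keyspace(classes, 1, max_len_without_hint) / keyspace(classes, known_len, known_len)


if __name__ == "__main__":
    # The page's example: lowercase + digits ("-c a1"), password length 4.
    print("-c a1 -l 4   :", keyspace("a1", 4, 4), "candidates")
    print("-c a1 -l 4-6 :", keyspace("a1", 4, 6), "candidates")
    for length, count in growth_table("a1", 8):
        print(f"  length {length}: {count:>16,}")
    # Hypothetical rate of one million guesses per second, for illustration only.
    print("worst case at 1e6 guesses/s, -l 4-6:", worst_case_seconds("a1", 4, 6, 1e6), "seconds")
```

From a defender’s side the same arithmetic is the argument for length and character-set requirements in a password policy: every extra position multiplies an attacker’s worst case by the charset size, and anything an attacker can learn about the policy (a fixed length, digits only) divides it back down.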

Here’s a cheat sheet with all of the potential options that can be used with
fcrackzip: http://manpages.ubuntu.com/manpages/trusty/man1/fcrackzip.1.html
At the end of this section you’ll get a chance to perform your own brute-force
attack using password-protected ZIPs provided by us.
 
This section will cover how to launch dictionary (also known as password list) attacks
against a password-protected ZIP, and discuss the pros and cons of using this attack
type compared to brute-force attacks. Dictionary attacks use wordlists, which are
collections of thousands of passwords, each on their own separate line in a text
document. These are fed into tools, which will attempt to use each password one after
the other, until it receives the correct password, or runs out of entries to try.
What are the PROS of using a dictionary attack?
This attack method can be really quick. At the end of the day, you’re trying to find a
password that a human has set, and humans are usually predictable. By trying known
passwords, you’re more likely to find the password than if you were cracking it using
brute-force due to the nature of the entries you are trying.
What are the CONS of using a dictionary attack?
If the password you’re looking for isn’t in the wordlist you’re using, then you won’t get
into the file. You could leave your computer running for 3 days trying different wordlists,
but if the password isn’t in any of them, you will never gain access.
If you have the Offensive Security Kali image for your VM, you should already have the
popular rockyou.txt wordlist installed. Find it using locate rockyou.txt and give it a read!
If the file ends in .gz, you can extract the text file using gunzip rockyou.txt.gz if your
terminal is in the same directory, or gunzip /usr/share/wordlists/rockyou.txt.gz from any
other location.
 
Now let’s get on to how to conduct a dictionary attack against a password-protected ZIP file!
We’ll be using fcrackzip again, so we will open a terminal in the same location as our
target ZIP. In this example, our target ZIP is DictionaryAttack.zip with the
password ummwhateva. Put together from the options explained below, the command we’ll
be using is fcrackzip -D -u -p /usr/share/wordlists/rockyou.txt DictionaryAttack.zip.
 fcrackzip – Selecting the tool we want to use.
 -D – Selecting the option for a dictionary attack.
 -u – Makes fcrackzip actually try to unzip the file with each candidate password, so that
false positives from its quick header check are rejected instead of being reported.
 -p – In dictionary mode this names the file that supplies the passwords, one per line (in
brute-force mode the same option sets the starting password instead).
 /usr/share/wordlists/rockyou.txt – The location of our wordlist, required to
perform a dictionary attack.
 DictionaryAttack.zip – The file we want to crack.
 
After a few seconds, fcrackzip tells us that it has found the correct password, and we
can now successfully extract the contents of the file.
 
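As an added example (not code from the course or from fcrackzip itself), the following Python reproduces what the brute-force and dictionary commands above do under the hood, so that the role of -u becomes visible. It implements the traditional PKWARE "ZipCrypto" cipher that fcrackzip attacks, generates the candidate space that -b -c 'a1' -l min-max walks through, runs a wordlist the way -D -p does, and shows the one-byte header check that produces false positives when -u is omitted. Assumptions: the ZIP container is left out and only a stored (uncompressed) encrypted entry is modelled; the header bytes, the flag text, the decoy wordlist and the 3-character brute-force password a1b (shortened from the page's a1b2 so the pure-Python run takes seconds) are all constructed here; the dictionary password ummwhateva is the one the page uses.

```python
# Added example (not the course's code): the traditional PKWARE "ZipCrypto" cipher that
# fcrackzip attacks, plus the candidate checks behind -b/-c/-l, -D/-p and -u. Only an
# encrypted *stored* entry is modelled, not the ZIP container; sample data is constructed.
import itertools
import string
import zlib

def _crc_table():                      # CRC-32 table, polynomial 0xEDB88320
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table

CRC_TABLE = _crc_table()

def _crc32_update(crc, byte):
    return CRC_TABLE[(crc ^ byte) & 0xFF] ^ (crc >> 8)

class ZipCrypto:
    """APPNOTE.TXT section 6.1: three 32-bit keys, advanced by every plaintext byte."""

    def __init__(self, password: bytes):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self._update(b)

    def _update(self, plain_byte):
        self.k0 = _crc32_update(self.k0, plain_byte)
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _crc32_update(self.k2, self.k1 >> 24)

    def _stream_byte(self):
        t = (self.k2 | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for c in data:
            out.append(c ^ self._stream_byte())
            self._update(c)            # keys advance on the plaintext byte
        return bytes(out)

    def decrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for c in data:
            p = c ^ self._stream_byte()
            out.append(p)
            self._update(p)
        return bytes(out)

def encrypt_entry(password: bytes, plaintext: bytes, salt: bytes):
    """12-byte header (last byte = high byte of the CRC) then the data. Returns (ct, crc)."""
    crc = zlib.crc32(plaintext) & 0xFFFFFFFF
    return ZipCrypto(password).encrypt(salt[:11] + bytes([crc >> 24]) + plaintext), crc

def quick_check(password: bytes, ciphertext: bytes, crc: int) -> bool:
    """fcrackzip's default test: decrypt only the header and compare one check byte.
    A wrong password passes roughly 1 time in 256, which is where false positives come from."""
    return ZipCrypto(password).decrypt(ciphertext[:12])[11] == crc >> 24

def full_check(password: bytes, ciphertext: bytes, crc: int) -> bool:
    """What -u adds: decrypt the whole entry and verify its CRC-32."""
    return zlib.crc32(ZipCrypto(password).decrypt(ciphertext)[12:]) & 0xFFFFFFFF == crc

def brute_force_candidates(charset: str, min_len: int, max_len: int):
    """-b -c <charset> -l min-max: every string of each length, shortest first."""
    for n in range(min_len, max_len + 1):
        for combo in itertools.product(charset, repeat=n):
            yield "".join(combo).encode()

def crack(candidates, ciphertext: bytes, crc: int, use_unzip: bool = True):
    """Returns (password or None, number of quick-check hits); use_unzip=False is fcrackzip without -u."""
    hits = 0
    for cand in candidates:
        if not quick_check(cand, ciphertext, crc):
            continue
        hits += 1
        if not use_unzip or full_check(cand, ciphertext, crc):
            return cand, hits
    return None, hits

# Constructed sample data (assumptions, not files from the course)
CHARSET_A1 = string.ascii_lowercase + string.digits       # what fcrackzip -c 'a1' expands to
SALT = bytes(range(1, 12))                                # stand-in for 11 random header bytes
FLAG = b"FLAG{constructed-sample-flag}\n"
BRUTE_CT, BRUTE_CRC = encrypt_entry(b"a1b", FLAG, SALT)   # 3 chars keeps pure Python quick
DICT_CT, DICT_CRC = encrypt_entry(b"ummwhateva", FLAG, SALT)
WORDLIST = [b"w%d" % i for i in range(5000)] + [b"ummwhateva"]   # decoys first, real password last

if __name__ == "__main__":
    print("brute-force, -l 1-3:", crack(brute_force_candidates(CHARSET_A1, 1, 3), BRUTE_CT, BRUTE_CRC))
    print("dictionary without -u:", crack(WORDLIST, DICT_CT, DICT_CRC, use_unzip=False))
    print("dictionary with -u:", crack(WORDLIST, DICT_CT, DICT_CRC))
```

Run it directly to see the three results. With 5,000 decoys ahead of ummwhateva you should expect roughly 20 of them to pass the quick check, so the run without use_unzip will almost certainly stop at a decoy, while the verified run returns the real password and reports how many false positives it had to discard on the way. Real archives are normally deflated, so the stored CRC is over the decompressed data; that is why fcrackzip's -u hands each candidate to unzip rather than recomputing a checksum itself.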
Here’s a cheat sheet with all of the potential options that can be used with
fcrackzip: http://manpages.ubuntu.com/manpages/trusty/man1/fcrackzip.1.html
At the end of this section you’ll get a chance to perform your own dictionary
attack using password-protected ZIPs provided by us.
 To help get you familiar with fcrackzip, we have created a short quiz consisting of 4
questions. In this activity, you’ll be cracking the passwords of two ZIP files. One using a
brute-force attack, and one using a dictionary attack.
 BruteForceAttack.zip – You are to brute-force this ZIP file using fcrackzip. Once you have
the password, extract the text file FLAG1.txt and enter the text string as your answer for
the quiz. For this file, you have been informed that the password is 6 characters long, and
contains only lowercase letters and numbers, so restrict the search to that space with
-c 'a1' -l 6-6 (36^6, about 2.2 billion candidates) rather than trying shorter lengths first.
(Time to crack approx 5 mins 30 secs)
 DictionaryAttack.zip – You are to run a dictionary attack against this ZIP file using fcrackzip
and the rockyou.txt wordlist. Once you have the password, extract the text file FLAG2.txt and
enter the text string as your answer for the quiz. (Time to crack approx 3 mins)
If your attempts are taking significantly longer than the stated approximate times,
reconsider the command you are using, and make sure you’re following the brief above.
(The above times are based on a 2017 MacBook Pro.)

Some useful commands include the following:

Remember you can view the manual page for tools by using “man <command>” to get
useful information!
 ls -a (Allows us to identify files hidden using filenames beginning with “.” in the current
directory)
 cat/head/strings (Allow us to potentially find hidden text strings in image and audio files,
or read text files from the CLI)
 fcrackzip (Allows us to crack password protected .zip files)
 steghide (Allows us to retrieve files hidden in image and audio files)
 file (Allows us to see what the true file-type of the file is, even if the extension has been
changed to trick us)

Starting Point
 
You have been told that the most recent file on the hard-drive was an email file with
an attachment in the “Saved Emails” directory. It is suggested you start there. Below
are some tips for your investigation:
 Always keep an eye out for hidden files that start with a ‘.’ – use ‘ls -a’ in a terminal to view
these files!
 Look at the directories and files both in the Kali Linux GUI, and Command-Line!
 This challenge is based on a narrative. You will be gently guided to find some pieces of
evidence, but remember to look in all folders, and check all files, especially ones that look
strange!
 If you need to bypass a password-protected .zip use fcrackzip with the rockyou.txt word
list.
 If you get stuck, ask people in the forensics module chatroom on our Discord server! Work
together, learn together.
 
Reading Material
 