Boston Key Party: Heath Street write-up

Problem intro:

During my time at KGB I learned how to hide all the stuff from alpha-dog. But damn it, I somehow lost some of the most important files… : 100

They provide what appears to be an ext3 file system image. Just for grins and because it's easy, I ran “foremost” (a file carving tool) to see what it would find. It only found one file, a zip file. And that is encrypted and we don’t know the password. So that got me thinking that I would need to examine the file system for clues about the password.

I also ran “strings” on the disk just to see what would pop up, and it turns out there were a ton, and they mostly seemed to be notes about various spy agency goings-on.

Nothing jumped out as a password, so I started mining the strings from the image to try to guess the zip file password.  Of course, the password could be something that you’d have to read and figure out, or it could be something that isn’t an ASCII string, or it could be encoded in some way… so I gave up on that in favor of doing some more forensics work.

I decided to use a forensics suite called “dff” to do the work. I really like dff. In the course of examining the file system, there were obviously hundreds of files named “secret123”, “secret124” and so on. Many contained short text strings (found above), some were empty, some were deleted. I resigned myself to reading them, when I noticed a file named “.secretXXX” (I forget the actual name). Two things were interesting about this. The first is that its name starts with a period: in the Unix world that’s a signal that the file should be “invisible” by default. This is often used to hide things (though it’s trivial to find them). The other item of interest is that “dff” identified the file type as “KGB Archiver”. I thought “wtf?! how could dff know about a file type that appears to have been made up for this scenario?” It wasn’t, of course: turns out this is an actual file compression program.

Downloaded it, installed it in a Windows VM, ran it on the file – the key was right there.

The encrypted zip file was a red herring…
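The two lessons of this solve (enumerate dotfiles rather than only the carved artifact, and identify files by content rather than by name) can be scripted. The following is an added example, not part of the original write-up or of dff: it walks a mounted image tree, flags hidden files, and classifies them with a tiny magic table, over a constructed sample tree. The `KGB_arch` signature is my recollection of libmagic's rule for KGB Archiver files, not something from the challenge; verify it against your own file(1) database.

```python
import os
import tempfile
from pathlib import Path

# Minimal magic table: (offset, signature bytes, description).
# Zip and gzip entries are standard. The KGB Archiver entry is an
# assumption taken from libmagic's archive rules as I recall them.
MAGIC = [
    (0, b"PK\x03\x04", "Zip archive"),
    (0, b"\x1f\x8b", "gzip compressed data"),
    (0, b"KGB_arch", "KGB Archiver file"),
]

def identify(path: Path) -> str:
    """Classify a file from its leading bytes; 'empty' or 'data' otherwise."""
    with open(path, "rb") as fh:
        head = fh.read(64)
    if not head:
        return "empty"
    for offset, sig, desc in MAGIC:
        if head[offset:offset + len(sig)] == sig:
            return desc
    return "data"

def triage(root: Path) -> list[dict]:
    """Walk a mounted image tree; report every file, flagging dotfiles."""
    report = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            report.append({
                "path": str(p.relative_to(root)),
                "hidden": name.startswith("."),
                "type": identify(p),
            })
    # Hidden files with a recognised container type sort to the top.
    report.sort(key=lambda r: (not r["hidden"], r["type"] == "data", r["path"]))
    return report

def build_sample_tree() -> Path:
    """Constructed stand-in for the challenge image (not the real one):
    a few secretNNN notes, an empty file, a zip, and one hidden KGB archive."""
    root = Path(tempfile.mkdtemp())
    for i in range(123, 126):
        (root / f"secret{i}").write_text(f"note {i}: dead drop moved\n")
    (root / "secret126").write_bytes(b"")
    (root / "archive.zip").write_bytes(b"PK\x03\x04" + b"\x00" * 26)
    (root / ".secret999").write_bytes(b"KGB_arch -9\x00" + b"\x00" * 20)
    return root

if __name__ == "__main__":
    for row in triage(build_sample_tree()):
        print(f"{'H' if row['hidden'] else ' '} {row['type']:<22} {row['path']}")
```

Run against a real image, point `triage` at the mount point (or an extracted copy) and read the top of the report first.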
