Illegal Image Possession Case Study

Test Folder

echo (create a text file from a string)

cat (verify the content of the text file)

xxd (view the file in hex)

shred (overwrite the file so its content cannot be recovered)

tail (get the trailing hex values of the file)

DD images

shot.jpg (download the image file)

head (to get the initial bytes of the file)

wget (download the dd image of the USB captured through the university)

unzip (to get access to the data)

openssl dgst -md5 (to verify the MD5 hash values of the log files and the image)

rhino2.log

rhino3.log

RHINOUSB.dd

Disk Partitions

fdisk (show the allocated partitions)

fls (list the files and directories in the file system)

losetup (to attach the partition as a loop device so it can be mounted)

fsstat (file system details)

tree (directory and file hierarchy)

tail (last lines of a file)

icat (to copy a file's content by inode)

cat (to display or copy file contents)

istat (display the inode details of a file)

grep (for searching text/strings)

head (first lines of a file)

egrep (extended pattern search)

rhino.log

Tools

photorec (to recover deleted photos from the disk image)

choose RHINOUSB.dd as the media

select the file system type and start searching

save recovered files to the current folder

recup_dir.1 (directory holding the recovered files)

display *.jpg / *.gif (view the recovered files one by one to find the rhino images)

exiftool *.jpg (to view the metadata of all recovered images)

stegdetect *.jpg (to detect which steganography tool was used to hide data in the images)

stegbreak (to recover the hidden data by brute-forcing the passphrase)

rules.ini (configuration file describing the operations to perform)

rockyou.txt (wordlist used to guess the passphrase protecting the hidden files)

jphs_05.zip (JPHS package, to extract the hidden images)

wine (to run Windows software on a Linux system)

jpseek.exe (Windows tool to extract the hidden messages from the images)

git (to clone the script repository)

toolkit.git (repository containing all the tools)

stego-toolkit (collection of steganography tools for hiding and extracting data in images)

jphide.sh (script to set execute permission on jphide and run it)

/usr/bin/jphide (binary placed in the system path for later use)

wireshark (GUI based tool to capture and investigate network traffic)

examine the log file

follow the TCP stream to find the packet carrying the image's hex data and save it as a jpg file

xxd (get the initial and ending hex values of the log file to verify the image)

display the recovered images rhino1.jpg and rhino3.jpg

unzip contraband.zip (archive holding the hidden data from the USB)

fcrackzip (to crack the password-protected zip file)

contraband.zip (crack its password using the rockyou.txt wordlist)

display rhino2.jpg

examine the rhino2.log file

whois (query the databases that store the registered users of an Internet resource)

bless (hex editor, where the hex values of a log file can be edited)
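Added example, not from the original notes: the hash and header/trailer checks done above with openssl dgst -md5 and head/tail/xxd, as a small script run on constructed sample files. It uses od instead of xxd so it runs on any POSIX system; file names and contents are constructed, not the case files.

```shell
#!/bin/sh
# Added example: verify that a recovered file carries JPEG start/end markers
# and record its MD5, mirroring the head/tail/xxd and openssl dgst -md5 steps
# in the notes. od (POSIX) stands in for xxd; samples below are constructed.

# First N bytes of a file as lowercase hex, no spaces.
hex_head() { head -c "$2" "$1" | od -An -tx1 | tr -d ' \n'; }
# Last N bytes of a file as lowercase hex, no spaces.
hex_tail() { tail -c "$2" "$1" | od -An -tx1 | tr -d ' \n'; }

# Return 0 if the file starts with the JPEG SOI marker FF D8 FF
# and ends with the EOI marker FF D9; otherwise return 1.
is_jpeg() {
  case "$(hex_head "$1" 3)" in ffd8ff) ;; *) return 1 ;; esac
  [ "$(hex_tail "$1" 2)" = "ffd9" ]
}

# MD5 of a file via openssl dgst -md5 as in the notes, md5sum as fallback.
file_md5() {
  if command -v openssl >/dev/null 2>&1; then
    openssl dgst -md5 "$1" | sed 's/.*= //'
  else
    md5sum "$1" | cut -d' ' -f1
  fi
}

# Constructed samples: a minimal JPEG-like byte string and a truncated copy
# (an incomplete carve, as photorec or a cut TCP stream might leave behind).
tmp=$(mktemp -d)
printf '\377\330\377\340JFIF\377\331' > "$tmp/good.jpg"
printf '\377\330\377\340JFIF' > "$tmp/truncated.jpg"   # EOI marker missing

if is_jpeg "$tmp/good.jpg"; then
  echo "good.jpg: JPEG markers ok, md5 $(file_md5 "$tmp/good.jpg")"
fi
if ! is_jpeg "$tmp/truncated.jpg"; then
  echo "truncated.jpg: EOI marker missing, likely an incomplete carve"
fi
```

Record the MD5 of each carved file before opening it in any other tool, so later comparisons (as with rhino2.log and rhino3.log) are against the original bytes.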