Basic File Analysis

This question covers basic file manipulation. To begin this question use the first button to set up a small file and directory tree in /home/caine. The resulting tree looks like:

/
+--- home
     |
     +--- caine
          |
          +--- theanalysis
          |    +--- file1
          |    +--- file2
          |    +--- file3
          |    +--- file4
          |    +--- file5
          |
          +--- tree (plus directories and subdirectories)
          |
          +--- suspect
               +--- data1

You only have to press the button to create this tree. You do not create this structure yourself. It is completely automatic. If you lose this structure or accidentally delete it then you can press the button again to restore the struture.

Using the "file" command, evaluate the file signature of theanalysis/file1.
What is file1? data ASCII text ELF 32-bit executable ELF 64-bit executable JPEG GIF

User the "file" command, evaluate the file signature of theanalysis/file4.
What is file4? data ASCII text ELF 32-bit executable ELF 64-bit executable JPEG GIF

Use the md5sum command to calculate the md5 hash of file3.
What is the md5 hash of file3? 9369bbf580daf4c52288f951dd547b37 693f40a4d6a497d422372ce4bfd2bbc2 f319a7af4b8889b21159c68606f3b139 79054025255fb1a26e4bc422aef54eb4 dbe0018c2e65da9d3b48f0e5a76d06b9 12cbbf1f2f88dc3b0b289cd368761b7e f319a7af4b8889b21159c68606f3b139 bde0018c2e65da9d3b48f0e5a76d06b9 f19abf1f2f88dc3b0b289cd368761b7e

If another file has the same md5 hash, what does this mean?
Meaning of two files with same hash? File content must be identical File content are probably identical File permissions are probably identical File lengths are different File content are probably different

Use the md5sum command to calculate the md5 hash of file4.
What is the md5 hash of file4? 9369bbf580daf4c52288f951dd547b37 693f40a4d6a497d422372ce4bfd2bbc2 f319a7af4b8889b21159c68606f3b139 79054025255fb1a26e4bc422aef54eb4 dbe0018c2e65da9d3b48f0e5a76d06b9 12cbbf1f2f88dc3b0b289cd368761b7e f319a7af4b8889b21159c68606f3b139 bde0018c2e65da9d3b48f0e5a76d06b9 f19abf1f2f88dc3b0b289cd368761b7e

Use the cmp command to verify that file3 and file4 are identical.
Output of cmp command Command not found file3 file4 similar: ... file3 file4 identical: ... file3 file4 differ: ... file3 file4 inconclusive analysis: ... file3 file4 hash collision detected: ... file3 file4 permission denied: ...

Check file3 and file4 using a 512 bit sha hash.
512 bit hash of file3 a34473cf767c6108a5751a20971f1fdfba97690a 4283dd2d70af1ad3c2d5fdc917330bf502035658 9272889ad0f7372047229d19ca58b93c539002f21f6e3da1697514406fe9b3cb20fcf546b9005ebadc16691a71658af848e35abad58422d5ae4650c21d7ad749 77e921be6902b03a34e6e56aa80f611bb5aec86850f83a5260959ff33012dfc6bb554141fe8641c09ffdd44955ea0af232e9883b91eae6db26a87782640e0a95 06f1d4b4962a1dcca3bcfdfe2d369c800190ca107ad138ced00ae1a20b17032f833226652ef413884e8483eb14cc8b665a98438885fc93de341ae47c447972e7
512 bit hash of file4 a34473cf767c6108a5751a20971f1fdfba97690a 4283dd2d70af1ad3c2d5fdc917330bf502035658 9272889ad0f7372047229d19ca58b93c539002f21f6e3da1697514406fe9b3cb20fcf546b9005ebadc16691a71658af848e35abad58422d5ae4650c21d7ad749 77e921be6902b03a34e6e56aa80f611bb5aec86850f83a5260959ff33012dfc6bb554141fe8641c09ffdd44955ea0af232e9883b91eae6db26a87782640e0a95 06f1d4b4962a1dcca3bcfdfe2d369c800190ca107ad138ced00ae1a20b17032f833226652ef413884e8483eb14cc8b665a98438885fc93de341ae47c447972e7
So this means? File content must be identical File content are almost certainly identical File permissions are probably identical File lengths are different File content are probably different File content are definitely different

A USB stick was found containing a number of illegal images. Also on the stick was a file, which has been copied to theanalysis/file6. An automated program has identified Jim Smith as being associated with this USB stick, as the file suspect/data1 has been identified as being identical to theanalysis/file6. Evaluate this position...
What is the md5 hash of file6? 9369bbf580daf4c52288f951dd547b37 693f40a4d6a497d422372ce4bfd2bbc2 f319a7af4b8889b21159c68606f3b139 79054025255fb1a26e4bc422aef54eb4 dbe0018c2e65da9d3b48f0e5a76d06b9 12cbbf1f2f88dc3b0b289cd368761b7e d41d8cd98f00b204e9800998ecf8427e bde0018c2e65da9d3b48f0e5a76d06b9 f19abf1f2f88dc3b0b289cd368761b7e
What is the md5 hash of data1? 9369bbf580daf4c52288f951dd547b37 693f40a4d6a497d422372ce4bfd2bbc2 f319a7af4b8889b21159c68606f3b139 79054025255fb1a26e4bc422aef54eb4 dbe0018c2e65da9d3b48f0e5a76d06b9 12cbbf1f2f88dc3b0b289cd368761b7e d41d8cd98f00b204e9800998ecf8427e bde0018c2e65da9d3b48f0e5a76d06b9 f19abf1f2f88dc3b0b289cd368761b7e
512 bit hash of file6 a34473cf767c6108a5751a20971f1fdfba97690a 4283dd2d70af1ad3c2d5fdc917330bf502035658 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e 9272889ad0f7372047229d19ca58b93c539002f21f6e3da1697514406fe9b3cb20fcf546b9005ebadc16691a71658af848e35abad58422d5ae4650c21d7ad749 77e921be6902b03a34e6e56aa80f611bb5aec86850f83a5260959ff33012dfc6bb554141fe8641c09ffdd44955ea0af232e9883b91eae6db26a87782640e0a95 06f1d4b4962a1dcca3bcfdfe2d369c800190ca107ad138ced00ae1a20b17032f833226652ef413884e8483eb14cc8b665a98438885fc93de341ae47c447972e7
512 bit hash of data1 a34473cf767c6108a5751a20971f1fdfba97690a 4283dd2d70af1ad3c2d5fdc917330bf502035658 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e 9272889ad0f7372047229d19ca58b93c539002f21f6e3da1697514406fe9b3cb20fcf546b9005ebadc16691a71658af848e35abad58422d5ae4650c21d7ad749 77e921be6902b03a34e6e56aa80f611bb5aec86850f83a5260959ff33012dfc6bb554141fe8641c09ffdd44955ea0af232e9883b91eae6db26a87782640e0a95 06f1d4b4962a1dcca3bcfdfe2d369c800190ca107ad138ced00ae1a20b17032f833226652ef413884e8483eb14cc8b665a98438885fc93de341ae47c447972e7
Conclusion Jim Smith definitely owns the USB stick Jim Smith probably owns the USB stick Jim Smith definitely used the USB stick Jim Smith probably used the USB stick This evidence is faulty as hashes mean nothing Having the same hashes means he is innocent This proves nothing as the files are empty This proves nothing as cmp prints nothing He is innocent as the md5 and sha hashes are different The files are too large to be properly analysed

Hint: For the conclusions do an "ls -l" on the files...

Use the find command to locate all files which start with an "a" and end in a ".conf" which exist somewhere in /usr/share. Save this list to a file '/home/caine/alist'. Make sure that the first parameter of find is "/usr/share". Run the command as user "caine" and do not worry about any permission error messages.

Use the find command to locate all FILES in /usr/share which have the permissions "rwxr-xr-x". Save this list to /home/caine/blist. Make sure that the first parameter of find is "/usr/share". Run the command as user "caine" and ignore any permission error messages.

Use the find command to locate all directories in /usr/share which have the permissions "rwxr-xr-x". Pipe this list to wc and count the number of directories.
Number of directories:

Again using the find command find out how many files in /usr/share are in group caine.
Number of files:

Make a directory called /home/caine/thecopy. Write a find command which copies all the files into /home/caine/thecopy which are owned by caine in /usr/share, and which are smaller than 10240 bytes, and which have a filename starting with "a".

Using the find command run md5sum on all files in /usr/share which have a filename with the string "output" in it. Save this output to a file /home/caine/clist. Make sure that the first parameter of find is "/usr/share".

Use nano to create a file /home/caine/edit1. Cut and paste the following text into edit1 and save the file. Remember you cannot easily cut and paste to a vnc terminal, so use telnet or ssh. Do not insert additional lines (even blank lines) or extra space characters.

asdaslkalsdklnnnne lazy dog quick frog
6f2d9937604b8422abc7493a7ff0c884 /etc/host.conf
This is an exercise!
Up, down,
left, right,
build your terminal's
muscles bit by bit

In all the editor questions you must WRITE the file in order to pass the question.

Delete the word "an" from line 3, plus one of the spaces. The line left should read "This is exercise!".

Add " and byte by byte" to the end of the line "muscles bit by bit".

Append to the end of the file a new line which reads:

123456789 123456789

Using mark (^^ i.e. CTRL and ^) mark the whole of the first line of the file and then cut (^K) that line out. Move that line and paste it back in (^U) so that the line is now line 2 in the file.