File Searching and Management


Basic File Analysis

Objectives

In this session you will be covering the basics of file content searching and manipulation, including basic editing and regular expressions.

Question 1: Signatures

This question covers basic file manipulation. To begin this question use the first button to set up a small file and directory tree in /home/caine. The resulting tree looks like:

/
+--- home
     |
     +--- caine
          |
          +--- theanalysis
          |    +--- file1
          |    +--- file2
          |    +--- file3
          |    +--- file4
          |    +--- file5
          |
          +--- tree (plus directories and subdirectories)
          |
          +--- suspect
               +--- data1

You only have to press the button to create this tree. You do not create this structure yourself. It is completely automatic. If you lose this structure or accidentally delete it then you can press the button again to restore the structure.

Using the "file" command, evaluate the file signature of theanalysis/file1.
What is file1?

Use the "file" command to evaluate the file signature of theanalysis/file4.
What is file4?

Use the md5sum command to calculate the md5 hash of file3.
What is the md5 hash of file3?

If another file has the same md5 hash, what does this mean?
Meaning of two files with same hash?

Use the md5sum command to calculate the md5 hash of file4.
What is the md5 hash of file4?

Use the cmp command to verify that file3 and file4 are identical.
Output of cmp command

Check file3 and file4 using a 512 bit sha hash.
512 bit hash of file3
512 bit hash of file4
So this means?

A USB stick was found containing a number of illegal images. Also on the stick was a file, which has been copied to theanalysis/file6. An automated program has identified Jim Smith as being associated with this USB stick, as the file suspect/data1 has been identified as being identical to theanalysis/file6. Evaluate this position...
What is the md5 hash of file6?
What is the md5 hash of data1?
512 bit hash of file6
512 bit hash of data1
Conclusion

Hint: For the conclusions do an "ls -l" on the files...

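The hash-and-compare sequence of this question, as an added example that is not part of the original exercise: it works on constructed temporary files (the contents of file3, file4, file6 and data1 are assumed here, not taken from the lab tree) and shows why a matching hash needs the size check the hint points at, since two empty files always hash the same.

```shell
# Added example: compare two files the way Question 1 asks and show why a
# matching hash needs context. Uses a constructed temp dir; md5sum, sha512sum
# and cmp are the coreutils/diffutils commands the exercise names.
set -e
workdir=$(mktemp -d)
printf 'quick frog\n' > "$workdir/file3"
cp "$workdir/file3" "$workdir/file4"      # a genuine copy of file3
: > "$workdir/file6"                      # constructed: zero-length file
: > "$workdir/data1"                      # constructed: another empty file

# Return 0 when both files are byte-identical: md5 agrees, sha512 agrees,
# and cmp (a byte-by-byte comparison, no hashing involved) agrees too.
same_content() {
    m1=$(md5sum "$1" | cut -d' ' -f1); m2=$(md5sum "$2" | cut -d' ' -f1)
    s1=$(sha512sum "$1" | cut -d' ' -f1); s2=$(sha512sum "$2" | cut -d' ' -f1)
    [ "$m1" = "$m2" ] && [ "$s1" = "$s2" ] && cmp -s "$1" "$2"
}

# Size in bytes, the detail the "ls -l" hint points at.
file_size() { wc -c < "$1" | tr -d ' '; }

# Report for a pair: identical or not, with a caveat when the match carries
# no evidential weight because both files are empty.
evidence_note() {
    if same_content "$1" "$2"; then
        if [ "$(file_size "$1")" -eq 0 ]; then
            echo "identical but empty: any empty file hashes the same"
        else
            echo "identical, $(file_size "$1") bytes"
        fi
    else
        echo "different"
    fi
}

evidence_note "$workdir/file3" "$workdir/file4"
evidence_note "$workdir/file6" "$workdir/data1"
md5sum "$workdir/file6"   # d41d8cd98f00b204e9800998ecf8427e, the md5 of any empty file
```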

Question 2: FIND command

Use the find command to locate all files which start with an "a" and end in a ".conf" which exist somewhere in /usr/share. Save this list to a file '/home/caine/alist'. Make sure that the first parameter of find is "/usr/share". Run the command as user "caine" and do not worry about any permission error messages.

Use the find command to locate all FILES in /usr/share which have the permissions "rwxr-xr-x". Save this list to /home/caine/blist. Make sure that the first parameter of find is "/usr/share". Run the command as user "caine" and ignore any permission error messages.

Use the find command to locate all directories in /usr/share which have the permissions "rwxr-xr-x". Pipe this list to wc and count the number of directories.
Number of directories:

Again using the find command, find out how many files in /usr/share are in group caine.
Number of files:

Make a directory called /home/caine/thecopy. Write a find command which copies into /home/caine/thecopy all the files in /usr/share which are owned by caine, are smaller than 10240 bytes, and have a filename starting with "a".

Using the find command run md5sum on all files in /usr/share which have a filename with the string "output" in it. Save this output to a file /home/caine/clist. Make sure that the first parameter of find is "/usr/share".

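The find predicates this question relies on (name patterns, exact permission match, group, size, -exec), as an added example that is not part of the original exercise: it runs over a small constructed tree instead of /usr/share so it works offline, uses the caller's own group in place of "caine", and assumes GNU findutils and coreutils.

```shell
# Added example: the find predicates from Question 2 on a constructed tree.
set -e
root=$(mktemp -d)        # stands in for /usr/share
dest=$(mktemp -d)        # stands in for /home/caine/thecopy
mkdir -p "$root/etc/a" "$root/etc/b"
printf 'x\n' > "$root/etc/a/apache.conf"
printf 'y\n' > "$root/etc/b/alsa.conf"
printf 'z\n' > "$root/etc/b/zsh.conf"
printf '#!/bin/sh\n' > "$root/etc/a/ascript"
chmod 644 "$root"/etc/*/*.conf
chmod 755 "$root/etc/a/ascript"                 # rwxr-xr-x, the mode the exercise asks for
chmod 755 "$root/etc" "$root/etc/a" "$root/etc/b"

count() { wc -l | tr -d ' '; }                  # count lines on stdin

# Files named a*.conf anywhere below $root; 2>/dev/null hides the permission
# errors the exercise tells you to ignore.
a_conf_files() { find "$root" -type f -name 'a*.conf' 2>/dev/null | count; }

# -perm 755 is an EXACT match; -perm -755 would also accept 775 or 777.
exact_755_files() { find "$root" -type f -perm 755 2>/dev/null | count; }
exact_755_dirs()  { find "$root" -type d -perm 755 2>/dev/null | count; }

# Files in the caller's own (numeric) group; the exercise uses group "caine".
own_group_files() { find "$root" -type f -group "$(id -g)" 2>/dev/null | count; }

# Copy files under 10240 bytes (c = bytes, leading - = less than) whose names
# start with "a" into $1, then report how many landed there.
copy_small_a_files() {
    find "$root" -type f -name 'a*' -size -10240c -exec cp {} "$1" \; 2>/dev/null
    ls "$1" | count
}

# Run md5sum on every file whose name contains "conf", one hash line per file.
hash_conf_files() { find "$root" -type f -name '*conf*' -exec md5sum {} \; 2>/dev/null | count; }

a_conf_files; exact_755_files; exact_755_dirs; own_group_files
copy_small_a_files "$dest"; hash_conf_files
```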

Question 3: GREP and regexp

Using a combination of grep, regular expressions, and wc via a pipe, count how many words in the /usr/share/dict/words dictionary start with "anti" and end with an "n".
Number of words:

Using grep and regular expressions, create a file /home/caine/aword which contains all the words which start with "tele" from /usr/share/dict/words, and which are exactly 7 characters long.

How many words have the string "ra" in them twice in /usr/share/dict/words?
Number of words:

How many words in /usr/share/dict/words contain "ice" followed by an "s" or a "d" (i.e. "ices" or "iced")? Use square brackets to form a set in your regular expression.
Number of words:

Use grep on /usr/share/dict/words to find the words that contain each of the vowels in alphabetical order (i.e. first an A, then an E, and so on). How many such words are there? You may include words with extra vowels, such as "adventitious". A vowel is one of A, E, I, O, U.
Number of words:

The word "interlinking" contains the same two characters ("in") three times. The word "priestessess" also contains the same two characters repeated three times ("es").

How many words can you find which contain any two characters repeated three times, like the examples "interlinking" and "priestessess"? Use /usr/share/dict/words as your list of possible words and grep to find the answer.
Number of words:

Note. Do a case sensitive match, so do not use "-i".

Challenge Question: This is a tricky question. Just give it 10 minutes before moving onto the next question!

How many words are 5 character palindromes? A palindrome is a word spelled the same way forward and backwards, such as "sagas". Use /usr/share/dict/words. Hint: Use multiple groups and backreferences.
Number of words:

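The regular-expression building blocks Question 3 uses (anchors, dot and star, character sets, groups and backreferences), as an added example that is not part of the original exercise: it runs on a small constructed word list rather than /usr/share/dict/words, assumes GNU grep's basic regex syntax, and stops at a 3-letter palindrome so the 5-letter challenge is left to you.

```shell
# Added example: the grep/regex techniques from Question 3 on a constructed
# word list (one word per line, like /usr/share/dict/words).
set -e
words=$(mktemp)
printf '%s\n' antiphon antimony anticipation telecom telegram telephone \
    aerial iced ices icing facetious adventitious interlinking \
    priestessess paraphrase eye sagas dad noon > "$words"

count() { grep -c "$1" "$words"; }            # lines matching a basic regex

# Anchors: ^ pins the start of the line, $ the end.
anti_n()       { count '^anti.*n$'; }         # starts "anti", ends "n"
tele_7()       { count '^tele...$'; }         # "tele" plus exactly 3 more chars
ra_twice()     { count 'ra.*ra'; }            # "ra", anything, "ra" again
ice_sd()       { count 'ice[sd]'; }           # set: "ices" or "iced"
vowels_order() { count 'a.*e.*i.*o.*u'; }     # a, later e, later i, ... (extras allowed)

# Groups and backreferences: \(..\) captures any two characters and \1 demands
# that same pair again; asking for it twice more gives "interlinking" and
# "priestessess" but not "adventitious", where "ti" appears only twice.
pair_thrice()  { count '\(..\).*\1.*\1'; }

# The same mechanism for a 3-letter palindrome: the last char must equal the
# first. The 5-letter version in the challenge needs two groups and two \N refs.
palindrome_3() { count '^\(.\).\1$'; }

anti_n; tele_7; ra_twice; ice_sd; vowels_order; pair_thrice; palindrome_3
```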

Question 4: Nano Editing

Use nano to create a file /home/caine/edit1. Cut and paste the following text into edit1 and save the file. Remember you cannot easily cut and paste to a vnc terminal, so use telnet or ssh. Do not insert additional lines (even blank lines) or extra space characters.

asdaslkalsdklnnnne lazy dog quick frog
6f2d9937604b8422abc7493a7ff0c884 /etc/host.conf
This is an exercise!
Up, down,
left, right,
build your terminal's
muscles bit by bit

In all the editor questions you must WRITE the file in order to pass the question.

Delete the word "an" from line 3, plus one of the spaces. The line left should read "This is exercise!".

Add " and byte by byte" to the end of the line "muscles bit by bit".

Append to the end of the file a new line which reads:

123456789 123456789

Using mark (^^, i.e. CTRL and ^), mark the whole of the first line of the file and then cut (^K) that line out. Move down and paste the line back in (^U) so that it is now line 2 in the file.

Now cut out the long hex word on line 1 (beginning 6f2 and ending 884), leaving this first line with a leading space. Then put this hex number at the end of the last line (after 6789), making sure to put a space between the 6789 and the 6f2. Save the file.

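The whole edit sequence of this question, applied non-interactively with sed as an added example that is not part of the original exercise: it builds the expected end state in a temporary file (assumed to stand in for /home/caine/edit1) so you can compare your own nano result against it with cmp or diff. Assumes GNU sed.

```shell
# Added example: the nano edits of Question 4 done with sed, step by step.
set -e
work=$(mktemp -d)
f="$work/edit1"                      # constructed stand-in for /home/caine/edit1
cat > "$f" <<'EOF'
asdaslkalsdklnnnne lazy dog quick frog
6f2d9937604b8422abc7493a7ff0c884 /etc/host.conf
This is an exercise!
Up, down,
left, right,
build your terminal's
muscles bit by bit
EOF

# Apply one sed program to the file in place (no sed -i, so it is portable).
edit() { sed "$1" "$f" > "$f.tmp" && mv "$f.tmp" "$f"; }

edit '3s/an //'                                     # line 3: drop "an" and one space
edit '/^muscles bit by bit$/s/$/ and byte by byte/' # extend the "muscles" line
edit '$a\
123456789 123456789'                                # append a new last line
edit '1{h;d;};2{G;}'                                # hold line 1, re-emit it after line 2
hex=$(sed -n '1s/^\([0-9a-f]*\) .*/\1/p' "$f")     # the hex word now on line 1
edit "1s/^$hex//"                                   # cut it out, leaving the leading space
edit "\$s/\$/ $hex/"                                # a space plus the hex at the end of the last line

# Return 0 when the given file matches the expected end state of the exercise.
check_edit1() {
    printf '%s\n' ' /etc/host.conf' 'asdaslkalsdklnnnne lazy dog quick frog' \
        'This is exercise!' 'Up, down,' 'left, right,' "build your terminal's" \
        'muscles bit by bit and byte by byte' \
        '123456789 123456789 6f2d9937604b8422abc7493a7ff0c884' | cmp -s - "$1"
}
check_edit1 "$f" && echo "edit1 matches the expected result"
```

Run check_edit1 against your own file (for example `check_edit1 /home/caine/edit1`) to confirm the nano edits produced the same eight lines.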

Copyright @ 2004-2014 Gordon Russell. All rights reserved.