Apr 21st, 2015
#Heath Street
Heath Street was a 100 point forensics challenge. The steps required to get the key were extremely simple, and what ultimately caused us to spend time on the challenge was a "red herring" encrypted zip file that seems to have nothing to do with the key. The provided file was an ext4 file system image.


I mounted the image to a mount point (in my case /mnt/tmp/) via the command

mount -o loop secretArchive /mnt/tmp/

Listing the contents of the image showed 1985 files named secret1 to secret1985. Catting some of the files revealed that each file contained a couple of sentences of snippets from multiple 1900s texts.
Thinking there might be something useful in one of the text files, I concatenated all of the files into one text file by using

cat * > secrets.txt

Browsing through the concatenated file with less, I noticed one segment was a bunch of unrecognizable text. I grepped a phrase from the text directly below the chunk of text

grep -r "The Nazis had acquired"

which pointed to file secret1338, meaning the problematic chunk was secret1337 (aka the red herring). Checking the file header of secret1337 showed that the file was a zip archive; however, when I tried to unzip it, there was a password prompt.
I tried a few things to unzip this, such as taking some key words from the texts that this challenge was based on and trying them as passwords. I also tried using a command-line utility called fcrackzip and formatted the concatenated text file to be fed into fcrackzip as potential passwords for the zip file, with no luck.
Eventually I decided that the password was likely somewhere else on the image. Thinking that the image might contain some data that was previously deleted, I downloaded a file recovery utility (extundelete) to look through deleted data.
I downloaded a fresh image to ensure I hadn't written over anything useful when catting the files together, and ran extundelete on it via the command

extundelete secretArchive --restore-all

This revealed more ASCII files, this time named secret5000 to secret5366, also ASCII text. Thinking there might be one that was not a text file, similar to the previous situation, I ran

file secret*

which showed that all 367 were ASCII text. I catted them together into a text file, which just resulted in more excerpts from 1900s texts. Looking for a different angle, I checked for hidden files via ls -a, which revealed a hidden file called .secret.31337. Running

file .secret.31337

showed that this file was a kgb file, which is a form of data compression. I downloaded a kgb decompressor (kgb) and used it to decompress the file, resulting in a new file .secret, which contained the key in plaintext.
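The triage above (cat everything, spot an odd chunk, grep a neighbouring phrase to find the file, run `file`, notice a hidden dotfile) can be done in one pass over the mounted image instead of by eye. The script below is an added example written for this page, not part of the original writeup: it walks a directory, classifies each file as ASCII text, zip or other binary by content, reports which zips actually have the encryption bit set in their headers (the same check `unzip` performs before asking for a password), lists dotfiles that a plain `ls` hides, and builds the deduplicated word list that the author fed to fcrackzip. The sample tree it builds (`secret1`, `secret2`, `secret1337`, `.secret.31337`) is constructed here so the code runs offline; the `make_encrypted_looking_zip` fixture only flips the encryption flag bits, since `zipfile` cannot write real encryption. File names and contents are stand-ins, not data from the challenge. When doing this against a real evidence image, mount it `-o ro,loop` first so the triage itself cannot alter anything that a later `extundelete` pass might need.

```python
import io
import re
import string
import tempfile
import zipfile
from pathlib import Path

ZIP_MAGIC = b"PK\x03\x04"
PRINTABLE = set(string.printable.encode("ascii"))


def classify(data: bytes) -> str:
    """Rough stand-in for `file`: zip archive, ASCII text, or unknown binary."""
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data and all(b in PRINTABLE for b in data):
        return "ascii text"
    return "binary"


def zip_is_encrypted(data: bytes) -> bool:
    """Bit 0 of the general-purpose flag field marks an entry as encrypted;
    zipfile exposes it as ZipInfo.flag_bits (read from the central directory)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(info.flag_bits & 0x1 for info in zf.infolist())


def triage(root) -> dict:
    """Walk a mounted image and report what is worth looking at first:
    files that are not plain text, zips that need a password, and dotfiles."""
    root = Path(root)
    report = {"non_text": [], "encrypted_zips": [], "hidden": []}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = str(path.relative_to(root))
        if path.name.startswith("."):
            report["hidden"].append(rel)
        data = path.read_bytes()
        kind = classify(data)
        if kind != "ascii text":
            report["non_text"].append((rel, kind))
        if kind == "zip" and zip_is_encrypted(data):
            report["encrypted_zips"].append(rel)
    return report


def candidate_passwords(text: str, min_len: int = 4) -> list:
    """Unique words from the recovered texts, one per line is what fcrackzip -D -p expects."""
    return sorted(set(re.findall(r"[A-Za-z']{%d,}" % min_len, text)))


def make_encrypted_looking_zip(payload: bytes = b"not really secret") -> bytes:
    """Constructed fixture: a stored zip with the encryption flag set in both the local
    file header (offset 6) and the central directory header (offset 8), so readers
    treat it as password-protected. Payload is kept free of 'PK' so the index() hits
    are the real header signatures."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("key.txt", payload)
    data = bytearray(buf.getvalue())
    lfh = data.index(b"PK\x03\x04")
    data[lfh + 6] |= 0x1
    cdh = data.index(b"PK\x01\x02")
    data[cdh + 8] |= 0x1
    return bytes(data)


def build_sample_image(root) -> None:
    """Constructed sample tree mirroring the shapes seen in the writeup (names and text are stand-ins)."""
    root = Path(root)
    (root / "secret1").write_text("It was the best of times, it was the worst of times.\n")
    (root / "secret2").write_text("The village had acquired a second mill by then.\n")
    (root / "secret1337").write_bytes(make_encrypted_looking_zip())
    (root / ".secret.31337").write_bytes(bytes(range(256)))  # opaque blob, no real archive magic


def demo() -> dict:
    """Build the constructed tree in a temp dir and triage it."""
    root = tempfile.mkdtemp(prefix="heath-")
    build_sample_image(root)
    return triage(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With a real image the call is just `triage("/mnt/tmp")`; the `encrypted_zips` list is where the red herring surfaces immediately, and `hidden` is where `.secret.31337` would have shown up without needing `ls -a`.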