What Can You Discover from a USB Stick Found in the Grass?

  • Thread starter Thread starter Borek
  • Start date Start date
  • Tags Tags
    Usb
Join the discussion
Ask a follow-up here, or get your own question answered by working scientists, mathematicians and engineers — people, not an autocomplete.
Real named experts · corrections over time · the nuance an AI answer skips
5 replies · 2K views
Messages
29,208
Reaction score
4,632
Some of the older forum regulars can remember my strange questions asked over two years ago about ways of stopping NTPD, freshmen may remember my questions about ways of expressing some things in English. As strange as it may sound all these questions were related to the same project. I got to the point where I can share the details.



So, what it is about? It is a forensic challenge - you are given a USB stick and you have to find out who the owner was and reconstruct their story. It requires some reading, some thinking, some common logic and some computer skills. A bit nerdy, but designed to be in range of a reasonably savvy computer user, no need for PhD in hacking.

I had plenty of fun designing whole thing and working around some of the unexpected obstacles. The idea was to make the stick look like if it was used for many years to transfer random files between computers. When the files are added, copied, removed, it all leaves invisible traces in the FAT and the directory structure - and to be convincing the stick needs to have all these traces intact. For example: files can have up to three dates - creation, last modification, last use. All these have to reflect the story and look convincing, and it is not trivial to do so, as OS tries to use real time and tries to get this real time from the net using NTP, so I had to ether somehow block the clock and NTPD, or use a computer that was isolated form the outside world. And that's only a simple example of problems I had to solve, I learned more about some intricacies of different OS-es and structures of different types of files than ever before. Actually I am not 100% sure I haven't missed something, although so far nobody told me about any inconsistencies.

If I had plenty of fun making it, judging from the reaction to the Polish version people have plenty of fun looking for answers.

Fell free to add the add the TUSFitG to your Steam wishlist if you have one, after all that's why I am posting about it :wink: Yes, Greg knows.
 
Reply
  • Like
Likes   Reactions: hutchphd, DennisN, Drakkith and 1 other person
on Phys.org
Pythagorean said:
mfw picking up random USB drives: do you want stuxnet? that's how you get stuxnet.

And with USB Killer you just fry the motherboard.
 
phinds said:
Just so you know, if you are running under Windows you can write a simple program to change any of the 3 dates to whatever you want.

Yes, that's how I did another part of the project, but scripting the copying part was much easier to implement under Linux, and Linux basically supports only two of these dates.