Stark State College · Cyber & Digital Forensics

The USB Drop — Cyber Analyst Challenge

A USB drive was found in the parking lot.

You've been asked to investigate. Five short challenges, each one teaches a real skill cyber analysts use every day. No experience needed. Hints are always available.

Real-world rule: Never plug a mystery USB into a real computer. Drives have been used to deliver malware in the wild. This investigation is a simulation, so you're safe.
Stage 1 of 5

Web Recon — What's Underneath the Page?

What you're learning: Web pages carry hidden information all the time — HTML comments left by developers, white-on-white text, code that never made it to production. Real analysts use curl to download a page raw, then grep to filter for words like "password," "admin," or "backup."

Your job: Download the recovered web page with curl, then filter the output with grep to find the credential the developer left behind. Type each suggested command (or click Insert) and press Enter.

Tasks — run each in the terminal below
1
curl -s http://anonyhost.local/index.html

Download the page source. -s silences curl's progress bar so you only see the response body.

2
curl -s http://anonyhost.local/index.html | grep -iE "pass|admin|cred"

Pipe the page through grep to filter for credential-related words. -i is case-insensitive; -E enables extended regex (the | means "or").

analyst@ssc:~$

What credentials did the developer leave in an HTML comment? (format: user / password)

You used curl and grep to pull a credential out of an HTML comment — admin / r3dD0g!42.
This is the same workflow real analysts and bug bounty hunters use to find secrets developers accidentally commit to public sites.
Stage 2 of 5

Password Cracking — Why Weak Passwords Fall Fast

What you're learning: Modern attackers don't "guess" passwords one at a time. They run wordlists of millions of leaked passwords against captured hashes at billions of attempts per second. Short or common passwords fall in seconds. The math behind why is what you'll explore here.
Password Strength Tester

Type any password to see how long a brute-force attacker would take to guess it. Try a few. Notice what changes the time most: length, character variety, or whether the password is on a known wordlist.

Strength
Estimated time to crack:
Crack a Real Hash with John the Ripper

A captured hash from the suspect's system is in hashes.txt. Use John the Ripper with the rockyou.txt wordlist (a real list of 14 million leaked passwords) to crack it.

Tasks — run each in the terminal below
1
cat hashes.txt

Peek at the captured hash. This is what the attacker has — not the original password.

2
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt

Run John against the rockyou.txt wordlist. John will hash each candidate and compare it to the captured hash until one matches.

3
john --show hashes.txt

Show the cracked password in cleartext. After cracking, John saves results in a "pot file"; --show reads them back.

analyst@ssc:~$
You explored what makes passwords weak vs strong, then cracked a real-style hash with John the Ripper using rockyou.txt.
Two takeaways: (1) password length and entropy matter exponentially; (2) any password on a wordlist falls instantly, no matter how long.
Stage 3 of 5

File Recovery — Deleted Isn't Gone

What you're learning: When a file is "deleted," the operating system usually just marks the space available; the bytes stay on disk until something overwrites them. Forensic file carvers like foremost and scalpel scan raw disk images for known file headers (the "magic bytes") and reconstruct files even after the filesystem says they're gone.

Your job: The USB image (usb.img) looks empty when mounted, but it isn't. Carve out the deleted files with foremost, then read the recovered notes for your next lead.

Tasks — run each in the terminal below
1
ls /mnt/usb_image/

Confirm what the mounted filesystem reports. Looks empty, right?

2
foremost -t all -i usb.img -o ./recovered/

Carve the raw image. -t all looks for every supported file type, -i is the input image, -o is the output folder.

3
cat ./recovered/txt/network_notes.txt

Read the carved-out note. The other recovered files are decoys.

analyst@ssc:~$
You ran foremost against the disk image, recovered the carved files, and pulled the network notes that point at the next lead.
Real-world: Autopsy, FTK, and the open-source scalpel all do this in production. File carving is a daily part of digital forensics work.
Stage 4 of 5

Network Scanning — Find the Weak Door

What you're learning: Before attacking or defending, you have to map the territory. nmap sends a probe to every IP in a range and reports which ports are open and what software is listening. Defenders run it weekly to find services that shouldn't be running. Attackers run it as their first move on a target.

Your job: The recovered note pointed at subnet 10.10.10.0/24. Run a service scan, identify the vulnerable host, then run a deeper scan on that host to confirm.

Tasks — run each in the terminal below
1
nmap -sV 10.10.10.0/24

Service-version scan across all 256 IPs in the subnet. -sV tells nmap to identify what software is running on each open port.

2
nmap -A 10.10.10.30

Aggressive scan focused on the suspect host. -A turns on OS detection, version detection, script scanning, and traceroute.

analyst@ssc:~$

Which IP is running an unencrypted, plain-text-authentication service? (format: 10.10.10.X)

10.10.10.30 is running Telnet on port 23. Telnet authenticates in plain text — anyone on the network path can read the username and password.
SSH (port 22) and HTTPS (port 443) encrypt traffic; Telnet (port 23) and HTTP (port 80) do not. "Is it encrypted" is the first question a defender asks of any open service.
Stage 5 of 5

Steganography — Data Inside Data

What you're learning: Steganography is the art of hiding messages inside other files so they look ordinary. Spies, malware authors, and forensic analysts all study the same techniques from different angles. exiftool exposes metadata embedded in image headers, and steghide extracts data hidden in the pixel-level least-significant bits.

Your job: A vacation photo (vacation_2025.jpg) was pulled off the vulnerable Telnet host. Inspect its metadata, then extract any hidden payload.

Tasks — run each in the terminal below
1
file vacation_2025.jpg

Confirm the file type by reading its magic bytes. Don't trust extensions; trust the header.

2
exiftool vacation_2025.jpg

Read every metadata field. Watch for non-standard tags or oddly-sized comment fields — that's where data often hides in plain sight.

3
steghide extract -sf vacation_2025.jpg -p "<passphrase>"

Extract the hidden payload. -sf is the source file, -p takes the passphrase. Steghide hides data in JPEG pixel coefficients in a way that is invisible to the eye, and protects the payload with a passphrase. You found the passphrase in the recovered note from Stage 3 — use it here.

4
cat secret.txt

Read the extracted file.

analyst@ssc:~$
You inspected the image with exiftool, extracted the hidden payload with steghide, and recovered the secret message.
Real-world: steghide, zsteg, stegseek, and exiftool are standard tools in CTFs, malware analysis, and counter-intelligence work.

Case Solved

In about 20 minutes, you just did five things that real cyber professionals do every day.

You found data hidden in a webpage
Web reconnaissance. Penetration testers and bug bounty hunters do this on every engagement.
You cracked a weak password
Password security analysis. Red teams test it. Blue teams build defenses against it.
You recovered deleted files
Digital forensics. The core of how investigators reconstruct what happened on a device.
You scanned a network and identified a vulnerable host
Vulnerability assessment. The first move on both sides of the security fence.
You extracted a message hidden inside an image
Steganalysis. Used in counter-intelligence, malware analysis, and CTF competitions.

If any of that felt fun, you'd probably enjoy the rest of cybersecurity. Talk to your instructor about the program at Stark State.