The USB Stick Found in the Grass

Mar 28, 2021


A forensic challenge — find out who the owner of the USB stick was and reconstruct their story.

So this blog is a little bit different. Instead of doing a CTF walkthrough, I’m going to be doing a game walkthrough. This is something I found on Steam while I was in my Digital Forensics class and wanted some more practice.

HERE is a link to the game if you are interested in more information.

Basically, the point is to discover why some mysterious person was hanging out at a bridge. The only clue left behind is a USB stick that was dropped in the grass.

After the short intro, the USB stick will create a new drive on your computer, where you will be able to investigate it with tools you already have:

There is a folder with a few pictures, so I might try some steganography techniques on them a little later.

There are three zip files that are password protected.

And also a large word document that contains diary entries, which is 25 pages long! As I read through the diary, I will be looking for possible passwords.

Before that though, it’s also worth a shot to try and crack the passwords with John the Ripper. The first zip file was easy to crack, the password is just 12345:

Here is what was in that file:

The .jpg was just this:

After trying John again on the others and coming up empty handed. I remembered an even easier tool to use called fcrackzip:

I got the same results here in much less time, just one of the passwords.

I am now going to read through the diary and see what I can find. I might be able to create a custom wordlist for fcrackzip, since they are obviously not in rockyou.

As I go through, I will post some parts that I think are relevant.

Here I came across a passage that mentions a website, so that may offer up some clues if I can find it:

It also looks like this mysterious person is now confirmed as a female, since apparently “girls” pay a certain amount of rent.

Here is a passage that describes how she is noticing someone following her:

She is also a runner. You see her placing her distances in her diary on the days she runs, and mentioning it constantly. I am hoping this is not a situation where she is attacked while running.

This passage talks about two women who are renting her flat with her, Beta and Aga, and how she snapped a picture of them one day (it’s one of the pics found on the USB stick).

This next part also stood out. She apparently used to work at some “agency” (she seems unemployed now except for her freelance photography), and there was some crazy guy who used to work there:

Apparently he is involved in something called Falun Dafa

I didn’t read too in-depth about it, but according to the Wikipedia Page, it’s a religious movement. Apparently practitioners were persecuted, tortured, and allegedly even had their organs harvested by the Chinese government (?!).

Next we find out that Beta has actually run away from the apartment.

Earlier, I found out that Beta is concerned about a man who is visiting Aga (Aga claims he is her cousin). Apparently, he has attempted to sexually assault Beta.

During all of this, there are also numerous mentions of a mystery concerning her grandfather. Apparently he used to go on a lot of business trips, and sent correspondence from all of them, except when he went to Libya.

At this point, our mystery woman is thinking that he may have actually been imprisoned in Libya.

Later on, it seems that she is going to be meeting Beta at the spot in question, by the canal and the bridge:

The bridge seems to be located here, on the northern end of Warsaw.

At the agreed upon time, Beta never even showed:

Then the next day, May 18th, she sees that creepy guy again:

The next day, she finds out that there was actually no trip to Libya, and the mystery surrounding her grandfather seems to deepen:

And also, Beta apparently did turn up at her mother’s house, but her shirt was not ruined as it had been earlier. The diary author shrugs it off as, “That’s so Beta!”, but it doesn’t add up.

Next she discusses that Arek came to visit Aga again, and they start talking about passwords:

This could possibly help me crack the other two passwords.

Next, she gets a weird email from Beta:

I am becoming more convinced that something happened to Beta and someone is impersonating her, likely Arek and Aga.

Moving on, she eventually talks to her Uncle and finds out some more details concerning her Grandpa:

BUT, it seems like this could have all been a lie?

Again, she sees the weird guy:

Soon after, she gets to talk to Jola again and receives some clarifying info about her Grandad. Turns out he took the fall for her father on that night. I wonder if maybe someone is out trying to get revenge for the murder?

Among other revelations, she finds out that her Grandad used to cheat on her Grandmother with several young women, and she starts to have a different view of Arek:

The next day, someone is trying to break into her house:

Then, there seems to be more credence to the theory that Arek is actually related to her:

The very last passage involves Aga asking her to go pick something up:

So now I’m wondering if Aga purposely asked her to go somewhere that she would have to cross the bridge and be ambushed? Perhaps her and Arek are upset that she is asking questions about his origin and family?

Anyways, that’s the end of the diary. I tried to summarize the 25 pages as best as I could through the screenshots, but it’s probably better to read the whole thing yourself if you buy the game.

Something cool I did find though, is that there are random letters in bold through-out the diary, which spell out “DIG DEEPER”.

Also, while I was reading, I started a brute force attack on the second zip file, but I won’t hold my breath on that.

After this, I decided to open up the Local Disk in autopsy and snoop around, to see if I could find any deleted files, among other things.

One file I found talks about moving to Bangkok.

I also found out her name is Martyna Mirowska. Interestingly, there is someone with that name living in Warsaw who works at an infertility clinic, but I think that is just a coincidence:

But I did not find much else here besides a bunch of songs and movies, most things in Polish.

I started thinking about the password again. From the part of the diary that goes into the conversation with Arek, I know she uses phrases as passwords; things she knows by heart related to important events, like, “Dad’s birthday is, Grandpa died when he was XX, Aga is from Kwasówka, and Beta is from X.”

I tried a few of these:




And about a million other variations of all of her examples. She does actually say that she likes Aga’s way better, so perhaps she has changed her method for passwords to only use the first letters?

“Aga’s system is even better because this way the password contains both upper- and lowercase letters, digits and punctuation marks (with no spaces).”

This is actually where I got stuck for quite some time; it took me weeks to finally find this, which is literally exactly what she wrote in her diary. You just have to go through and fill in the values for X based on clues from what you read.

‘Dad’s birthday is, Grandpa died when he was XX, Aga is from Kwasówka, and Beta is from X.’


Here, if you look at the capitalized letters, they spell out PASSWORD, just like with DIG DEEPER earlier.

In the diary, she mentions a bird craps on her house numbers, so it is either house 39 or 93:

If you check out the picture of Mrs. Meow with exiftool, which was apparently taken near her house, there are some GPS coordinates:

52 deg 19' 38.00" N, 21 deg 5' 17.00" E

I converted these with THIS tool, into this:

52.32722°, 21.08806°

This brought me to the correct area geographically (Warsaw), but didn’t seem to help much, since the backyard it lands on is 159 and I don’t see any houses numbered with a 3 and 9 in that general vicinity.

Moving on to the rest of the password though, if you take the same formula as File3 (and yes, this also took me a VERY long time to figure out), using the first capitol letter of every entry in the diary, you will spell out this:


So I tried this:


And it worked!

After this, I started examining all the photos again, this time VERY carefully. I used various steganography techniques and also just simply adjusting brightness/color. Eventually I came to this one. It is seemingly a random photo of a field:

But after I zoomed in much closer, I got a little jump when I spotted THIS:

That is Beta’s hand!

So I suppose we know what happened to poor Beta. I am assuming Arek/Aga killed her.

I never got closure with Martyna though. I am thinking she skipped town after Mrs. Meow died, because that was apparently the only thing keeping her there in Warsaw. She was discontent with her life there.

The thing about this game is that there doesn’t seem to be anything measurable to let you know if you have finished, which is why I think the quote from File3 was included.

I think finding the hand was probably the end, but you could have easily done that within 5 minutes of opening the initial files if you started examining the pictures first.

Overall, this was a fun way to spend my time. I enjoy mystery games, and it did help me practice my forensic skills. It was also very unique. I have never played anything like it.

If anyone has any recommendations for more games like this, please let me know!

Happy Hacking! ❤