Metadata Investigation: The Secret of the Mona Lisa

Metadata Investigation: The Secret of the Mona Lisa

In this lab, you will investigate a possible intrusion in a Linux system. The only initial clue is an image of the Mona Lisa that seems harmless... but everything changes when you discover it hides suspicious metadata.

In this lab you will learn:

• Containment and cleanup of unauthorized processes
• Collection and reconstruction of forensic evidence

🌱 How to start this lab

👉 This challenge is solved inside a preconfigured Linux virtual machine.

1. Download the virtual machine from this link:

1https://storage.googleapis.com/cybersecurity-machines/metadata-investigation-lab.ova

1. Import the machine into VirtualBox.

2. Log in as the user artlover:4geeks-lab.
   The system includes essential tools such as:

   • exiftool
   • bash, grep, ps, crontab

Your mission

The system you are auditing contains an image called monalisa.jpg. Something about it doesn't add up—it was modified, and inspecting its metadata reveals suspicious information.

If you manage to completely disable the attacker's infrastructure, you will gain access to the full flag for the challenge.

Validation

If you have cleaned the machine of malicious behaviors, switch to the intruder user and run the following verification command:

1validate-challenge-finished

This command will validate if you have deleted the malicious process and will give you the second part of what you are looking for.

Only if you complete each phase of the analysis will the system reveal the whole truth.

Are you ready to look beyond the mirror?

Good luck, Analyst!