
Metadata Investigation: The Secret of the Mona Lisa

Difficulty

  • intermediate

Average duration

1 hrs

Technologies

  • linux
  • cybersecurity
  • blue-team
  • digital forensics
  • metadata-analysis


Metadata Investigation: The Secret of the Mona Lisa

In this lab, you will investigate a possible intrusion on a Linux system. The only initial clue is an image of the Mona Lisa that seems harmless... but everything changes when you discover it hides suspicious metadata.

In this lab you will learn:

  • Metadata analysis with tools like exiftool
  • Identifying suspicious users on the system
  • Recognizing persistent tasks (cron jobs and malicious scripts)
  • Containing and cleaning up unauthorized processes
  • Collecting and reconstructing forensic evidence

🌱 How to Start This Lab

👉 This challenge is solved inside a preconfigured Linux virtual machine.

  1. Download the virtual machine from this link:
     https://storage.googleapis.com/cybersecurity-machines/metadata-investigation-lab.ova

  2. Import the machine into VirtualBox.

  3. Log in as the user artlover:4geeks-lab.
    The system includes essential tools such as:

    • exiftool
    • bash, grep, ps, crontab
    • Preconfigured files with clues and malicious scripts

📄 Instructions

The system you are auditing contains an image called monalisa.jpg. Something about it doesn't add up: it was modified in the future, and inspecting its metadata reveals suspicious paths and the name of a user who shouldn't exist.

If you manage to completely disable the attacker's infrastructure, you will gain access to the full challenge flag.

Your tasks are:

  1. Analyze the metadata of the monalisa.jpg image located in artlover's home directory.
    Look for fields like Comment, Note, or anomalous dates.

  2. Follow the clues to the files that may contain suspicious credentials.

  3. Access the attacker's user account with the credentials you find.

  4. Check their home directory. There you will find a fragment of the flag.

  5. Find the malicious cron jobs that are currently running.

  6. Remove the cron job and stop the persistent task.

  7. If you have eliminated the malicious behavior, switch to the intruder user and run the verification command:

     validate-challenge-finished

This command checks whether you have removed the malicious process and, if so, gives you the second part of the flag.
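The checks behind tasks 1 and 5 (the JPEG "Comment" field that exiftool reports, a modification time ahead of the clock, and crontab entries pointing at odd locations) can be scripted. The following is an added example written for this page, not code shipped with the lab: every sample (the tiny JPEG, the crontab excerpt, the temp files) is constructed, and the "suspicious path" pattern is a heuristic, not a rule the lab states.

```python
# Added triage helpers for the metadata and cron steps; all sample data is constructed.
import os
import re
import tempfile
import time

COM, SOS = 0xFFFE, 0xFFDA  # JPEG comment segment marker / start-of-scan marker

def jpeg_comments(data: bytes) -> list:
    """Text of every COM segment in the JPEG header; exiftool labels these 'Comment'."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    found, pos = [], 2
    while pos + 4 <= len(data):
        marker = int.from_bytes(data[pos:pos + 2], "big")
        if marker == SOS:  # entropy-coded image data follows; the header is over
            break
        length = int.from_bytes(data[pos + 2:pos + 4], "big")  # length counts itself
        if marker == COM:
            found.append(data[pos + 4:pos + 2 + length].decode("latin-1"))
        pos += 2 + length
    return found

def future_mtime(paths, now=None) -> list:
    """Paths whose modification time is ahead of the clock (cf. find -newermt now)."""
    now = time.time() if now is None else now
    return [p for p in paths if os.stat(p).st_mtime > now]

def demo_future_mtime() -> list:
    """Create two empty files, push one mtime a day ahead, return what gets flagged."""
    d = tempfile.mkdtemp()
    normal, odd = os.path.join(d, "normal.jpg"), os.path.join(d, "monalisa.jpg")
    for p in (normal, odd):
        open(p, "wb").close()
    os.utime(odd, (time.time() + 86400,) * 2)  # constructed 'modified in the future'
    return [os.path.basename(p) for p in future_mtime([normal, odd])]

# Heuristic: commands living in world-writable or hidden directories deserve a look.
SUSPICIOUS_PATH = re.compile(r"/tmp/|/dev/shm/|/\.[^/\s]+/")

def flag_cron(text: str) -> list:
    """Crontab lines (5 schedule fields + command) whose command hits SUSPICIOUS_PATH."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 5)
            if len(parts) == 6 and SUSPICIOUS_PATH.search(parts[5]):
                hits.append(line)
    return hits

_NOTE = b"see /home/.ghost/notes"  # constructed comment, not the lab's real clue
SAMPLE_JPEG = b"\xff\xd8\xff\xfe" + (len(_NOTE) + 2).to_bytes(2, "big") + _NOTE + b"\xff\xda\x00\x02"
SAMPLE_CRON = "# m h dom mon dow command\n0 3 * * * /usr/bin/apt update\n*/5 * * * * /bin/bash /tmp/.x/beacon.sh\n"
```

On the VM itself, `exiftool monalisa.jpg`, `find ~ -newermt now` and `crontab -l` for each login user give the same three answers without any scripting.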

This lab is designed to help you think like a real forensic analyst who follows clues, tracks malicious actions, and contains an ongoing incident.

Only if you complete each phase of the analysis will the system reveal the whole truth.

Are you ready to look beyond the mirror?

Good luck, Analyst!
