
Digital Forensics Case B4DM755


Task 1: Introduction


Task 2: Case B4DM755: Details of the Crime

What is your official role?

Answer: forensics lab analyst

What role was assigned to you for this specific scenario?

Answer: dfir first responder

What do you have to gather?

Answer: digital artefacts and evidence

What document is needed before performing any legal search?

Answer: search warrant


Task 3: Practical Application of the Digital Forensics Process

Before imaging drives, what must we check them for?

Answer: drive encryption

What should be done to ensure and maintain the integrity of original files in the Chain of Custody?

Answer: hash and copy

What must be done before sending obtained artefacts to the Forensics Laboratory?

Answer: Bag, Seal, and Tag the obtained artefacts


Task 4: Case B4DM755: At the Scene of Crime

What is the only possible artefact found in the suspect's residence?

Answer: flash drive

Based on the scenario and the previous task, what should be done with that acquired suspect artefact?

Answer: taking an image

What is the crucial aspect of the Chain of Custody that ensures individual accountability and guarantees a transparent and untainted transfer of artefacts and evidence?

Answer: ensure proper documentation


Task 5: Introduction to FTK Imager

FTK Imager

FTK Imager is a forensics tool that allows forensic specialists to acquire computer data and perform analysis without affecting the original evidence, preserving its authenticity, integrity, and validity for presentation during a trial in a court of law.

NOTE: In a real-world scenario, a Forensics Lab Analyst will use a write-blocking device to mount the suspect drive / forensic artefact to prevent accidental tampering.

Write-Blocking Device with the obtained flash drive plugged in

FTK Imager - User Interface (UI)

FTK Imager includes vital UI components that are crucial to its functionality. The ones used in this room are the Evidence Tree Pane (a hierarchical view of the added evidence sources), the File List Pane (the files and folders under the selected node) and the Viewer Pane (the content of the selected file).

Working with FTK Imager

OBJECTIVES: Verify encryption, obtain a forensic disk image, and analyse the recovered artefact.

IMPORTANT: The VM contains an emulated flash drive, "\\PHYSICALDRIVE2 - Microsoft Virtual Disk [1GB SCSI]", to replicate the scenario where a physical drive, connected to a write blocker, is attached to an actual machine for forensic analysis. The steps performed in this activity are practically the same as in real-world situations. The write-protected flash drive is automatically attached to the VM upon startup.

STEP 1: Detecting EFS Encryption with FTK Imager

IMPORTANT: The drive's file system must be NTFS to utilise EFS encryption. EFS encryption is not compatible with FAT32 or exFAT file systems.

A Forensics Lab Analyst can perform the following steps to detect the presence of EFS encryption on a physical drive:

  1. Open FTK Imager and navigate to File > Add Evidence Item

    Adding an evidence item using FTK Imager

  2. Choose Physical Drive on the Select Source window, then click Next.

    Selecting a physical drive as an evidence source

  3. Choose Microsoft Virtual Disk (our virtual flash drive) on the Select Drive window, then click Finish.

    Choosing the forensic artefact from the scenario as the evidence source

  4. Navigate to File > Detect EFS Encryption to scan the drive for the presence of encryption.

    Detecting EFS Encryption with FTK Imager on the forensic artefact

  5. A message box will indicate whether or not EFS encryption is present on the attached drive.

    Result of Detecting EFS Encryption on the forensic artefact

Answer the questions below

What device will prevent tampering when acquiring a forensic disk image?

Answer: write-blocking device

What is the UI element of FTK Imager which displays a hierarchical view of the added evidence sources?

Answer: Evidence tree pane

Is the attached flash drive encrypted? (Y/N)

Answer: n

What is the UI element of FTK Imager which displays a list of files and folders?

Answer: file list pane


Task 6: Using FTK Imager to Acquire Digital Artefacts and Evidence

STEP 2: Creating a Forensic Disk Image with FTK Imager

A Forensics Lab Analyst can perform the following steps to create a forensic disk image from a physical drive:

  1. Open FTK Imager and navigate to File > Create Disk Image

    Creating a forensic disk image with FTK Imager

  2. Choose Physical Drive on the Select Source window, then click Next.

    Selecting a physical drive as an evidence source

  3. Choose Microsoft Virtual Disk (our virtual flash drive) on the Select Drive window, then click Finish.

    Choosing the forensic artefact from the scenario as the evidence source for forensic disk imaging

  4. Ensure you check "Verify images after they are created" and "Create directory listings of all files in the image after they are created" on the Create Image window. Press Add to open the Select Image Type window, choose Raw (dd), then click Next.

    Enabling settings to verify the hash and create a directory list of the forensic disk image

  5. Enter case details in the Evidence Item Information window, then click Next.

    Entering case details in FTK Imager for the forensic disk image

  6. Enter the Image Destination Folder and Image Filename, then click Finish.

    Setting the destination folder to save the forensic disk image

  7. Press Start to begin creating the forensic disk image.

    Starting the creation of a forensic disk image

    Creating a Forensic Disk Image with FTK Imager

  8. Because "Verify images after they are created" was checked, FTK Imager hashes both the physical drive and the finished forensic disk image once imaging completes, then compares the two digests to confirm they match.

    Validating that the hash of the physical drive and the forensic disk image matches
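What the "Verify images after they are created" option does, and the "hash and copy" rule from Task 3, written out as an added Python example (this is not FTK Imager's code and not part of the room): the source is read block by block and hashed while it is copied to a raw image, the finished image is re-read and hashed, and the two digest pairs are compared. The block size, the file names and the sample "drive" (a constructed file standing in for a write-blocked device) are assumptions; `verify_image` is the same check a lab analyst would repeat when the image is received, before any analysis.

```python
"""Acquire a raw (dd-style) image of a source and verify it by hash.

Added example, not FTK Imager code. Mirrors the tool's verification step:
hash the source while copying, re-hash the written image, compare.
"""
import hashlib
import os
import tempfile

BLOCK_SIZE = 1024 * 1024  # 1 MiB reads; an assumption, any size works


def hash_file(path):
    """Return (md5, sha1) hex digests of a file, read in blocks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK_SIZE), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def acquire_and_verify(source, image):
    """Copy every byte of `source` to `image`, hashing as we go, then
    re-hash the written image and report whether the digests match.
    The returned dict is what goes into the chain-of-custody record."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    copied = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(BLOCK_SIZE), b""):
            md5.update(chunk)
            sha1.update(chunk)
            dst.write(chunk)
            copied += len(chunk)
    src_md5, src_sha1 = md5.hexdigest(), sha1.hexdigest()
    img_md5, img_sha1 = hash_file(image)
    return {
        "image": image,
        "bytes": copied,
        "source_md5": src_md5, "source_sha1": src_sha1,
        "image_md5": img_md5, "image_sha1": img_sha1,
        "verified": (src_md5, src_sha1) == (img_md5, img_sha1),
    }


def verify_image(image, expected_sha1):
    """Re-verification at the lab: does the image still match the SHA1
    recorded at acquisition time?"""
    return hash_file(image)[1] == expected_sha1.lower()


def demo():
    """Constructed 'drive' (1.6 MB) so the copy loop runs more than once."""
    tmp = tempfile.mkdtemp()
    drive = os.path.join(tmp, "PHYSICALDRIVE2.bin")  # stand-in for the device
    with open(drive, "wb") as f:
        f.write(b"B4DM755 " * 200_000)  # constructed content, not real evidence
    return acquire_and_verify(drive, os.path.join(tmp, "evidence.001"))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real acquisition the source would be the write-blocked device node (for example `\\.\PHYSICALDRIVE2` on Windows or `/dev/sdb` on Linux, opened read-only with administrative rights); everything else stays the same, and the SHA1 reported here is the value to record on the evidence tag.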

Note: You can go ahead and answer Question 1 and 2, then come back and follow along with the Step 3 section.

STEP 3: Mounting a Forensic Disk Image and Extracting Artefacts

A Forensics Lab Analyst can perform the following steps to mount a forensic disk image and extract artefacts using FTK Imager:

  1. Open FTK Imager and navigate to File > Add Evidence Item

    Adding an evidence item using FTK Imager

  2. Choose Image File on the Select Source window, then click Next.

    Selecting an image file as an evidence source

  3. Set Evidence Source to the path of the forensic disk image that we created previously and click Finish.

    Choosing the captured forensic disk image as the evidence source

  4. The Evidence Tree Pane will be populated, and artefacts will be visible on the File List Pane. The Viewer Pane will display the contents of selected elements for analysis.

    IMPORTANT: During forensic analysis with FTK Imager, always work from the forensic disk image that was created, never from the original drive. It is equally important to look for signs of deleted files (those marked with an x symbol in the File List Pane), corrupted files (e.g., 0 file size) and obfuscation (e.g., a file whose extension contradicts its header bytes).

    FTK Imager UI when an evidence source has been mounted

  5. To recover all deleted files, right-click on the target directory or file and press Export Files to save the artefacts.

    Recovering deleted files by exporting them

Prompt upon successful export of files

Navigating to the recovered files using Windows Explorer
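The checks the note above asks you to do by eye (zero-size files and an extension that contradicts the file header, the trick behind the "hideout" file in Task 7) as an added Python example run over an exported directory. This is not FTK Imager or ExifTool code and not part of the room; the signature table is an assumed subset of well-known magic numbers, and the sample export directory is constructed in `demo()` so the script runs offline. It includes a "hideout.pdf" whose bytes are a JPEG, as in the scenario.

```python
"""Triage exported files for header/extension mismatches and zero-size files.

Added example, not part of the room or of FTK Imager/ExifTool.
"""
import os
import tempfile

# Leading bytes -> canonical extension. Assumed subset of well-known magic numbers.
SIGNATURES = [
    (b"\xff\xd8\xff", ".jpg"),
    (b"%PDF-", ".pdf"),
    (b"\x89PNG\r\n\x1a\n", ".png"),
    (b"PK\x03\x04", ".zip"),
    (b"GIF87a", ".gif"),
    (b"GIF89a", ".gif"),
]
# Extensions that legitimately share a header (Office files are ZIP containers).
ALIASES = {".jpeg": ".jpg", ".docx": ".zip", ".xlsx": ".zip", ".pptx": ".zip"}


def sniff(path):
    """Return the extension implied by the file header, or None if unknown."""
    with open(path, "rb") as f:
        head = f.read(16)
    for magic, ext in SIGNATURES:
        if head.startswith(magic):
            return ext
    return None


def triage(directory):
    """Walk `directory`; return {name: finding} for every file that is
    zero-sized or whose header contradicts its visible extension."""
    findings = {}
    for root, _, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            if os.path.getsize(path) == 0:
                findings[name] = "corrupted: 0 bytes"
                continue
            visible = os.path.splitext(name)[1].lower()
            visible = ALIASES.get(visible, visible)
            actual = sniff(path)
            if actual is not None and actual != visible:
                findings[name] = f"mismatch: named {visible or '(none)'}, header says {actual}"
    return findings


def demo():
    """Constructed sample export: an honest JPEG, a JPEG renamed to .pdf,
    an empty file and a genuine PDF header."""
    tmp = tempfile.mkdtemp()
    samples = {
        "warehouse.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
        "hideout.pdf": b"\xff\xd8\xff\xe1" + b"\x00" * 32,  # JPEG wearing a .pdf name
        "notes.txt": b"",  # zero-size, reported as corrupted
        "contract.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    }
    for name, data in samples.items():
        with open(os.path.join(tmp, name), "wb") as f:
            f.write(data)
    return triage(tmp)


if __name__ == "__main__":
    for name, finding in sorted(demo().items()):
        print(f"{name}: {finding}")
```

A header check is a first pass, not proof: a file can carry a valid JPEG header and still hold something appended after the image data, so anything flagged here still gets opened in the Viewer Pane's hex view and run through ExifTool, as Task 7 does.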

What is the UI element of FTK Imager which displays the content of selected files?

Answer: viewer pane

What is the SHA1 hash of the physical drive and forensic image?

Answer: d82f393a67c6fc87a023b50c785a7247ab1ac395

Including hidden files, how many files are currently stored on the flash drive?

Answer: 8

How many files were deleted in total?

Answer: 6

How many recovered files are corrupted (e.g., 0 file size)?

Answer: 3


Task 7: Case B4DM755: At the Forensics Laboratory

Aside from FTK Imager, what is the directory name of the other tool located in the tools directory under Desktop?

Answer: exiftool-12.47

What is the visible extension of the "hideout" file?

Answer: .pdf

View the metadata of the "hideout" file. What is its actual extension?

Answer: .jpg


A phone was used to photograph the "hideout". What is the phone's model?

Answer: ONEPLUS A6013

A phone was used to photograph the "warehouse". What is the phone's model?

Answer: mi 9 lite

Are there any indications that the suspect is involved in other illegal activity? (Y/N)

Answer: N


Who was the point of contact of Mr William S. McClean in 2022?

Answer: Karl Renato Abelardo

A meetup occurred in 2022. What are the GPS coordinates during that time?

Answer: 14°26'25.7"N 120°59'00.8"E

What is the password to extract the contents of pandorasbox.zip?

Answer: DarkVault$Pandora=DONOTOPEN!K1ngCr1ms0n!

From which company did the source code in the pandorasbox directory originate?

Answer: SwiftSpend Financial

In one of the documents that the suspect has yet to sign, who was listed as the beneficiary?

Answer: Mr. Giovanni Vittorio DeVentura

What is the hidden flag?

Answer: THM{sCr0LL_sCr0LL_cL1cK_cL1cK_4TT3NT10N_2_D3T41L5_15_CRUC14L!!}


Task 8: Post-Analysis of Evidence to Court Proceedings

If there is reasonable suspicion that the suspect possesses and distributes these materials, the law enforcement agency handling the case must follow these 4 Phases of Investigation. Additionally, the DFIR First Responder must observe the following steps before, during, and after acquiring digital artefacts and evidence:

Pre-search

  1. Send a request to preserve the data and logs of the suspect to social media networks (subscriber's information, traffic, and content data).

  2. Send a request to preserve the data and logs of the suspect to ISPs (subscriber's information, traffic, and content data).

  3. Obtain a warrant for search, seizure, and examination of the suspect's computer data for violation of domestic and international laws.

  4. Perform an inspection of the suspect's social media accounts and public profiles.

Search

  1. By a warrant issued by a court of law, obtain the data requested from social media networks and ISPs.

  2. Perform search, seizure, and examination of the suspect's computer data.

In which phase is a warrant obtained for search, seizure, and examination of the suspect's computer data due to violations of domestic and international laws?

Answer: pre-search

In which phase is a forensic analysis performed on the acquired digital evidence requested from various sources?

Answer: post-search

Which phase involves presenting forensic artefacts and evidence with proper documentation in a court of law?

Answer: post-search

thanks for reading!!