📘
CAS Cybersecurity
  • Start
  • Reconnaissance
    • Opensource Intelligence
  • Docker basics and Images
    • Damn Vulnerable Webapp
    • bWAPP
    • Juice Webshop
    • Webgoat
    • Metasploitable 2
    • Metasploitable 3
    • MISP Docker (old)
    • MISP Docker (new)
  • Scanning and Enumeration
    • Scanning with zenmap
    • Scanning with nmap
    • Scanning with msf auxiliary
  • Vulnerability Scanning and Analysis
    • OpenVAS
    • nmap vulnerability scan
    • MSF Auxiliary Modules
  • Exploitation
    • Metasploitable 2
    • Redis Server
    • Print Nightmare
    • Baron Samedit
    • Polkit
    • Heartbleed
  • Man in the Middle
    • ARP Cache poisoning
    • RDP MitM Exercise
  • Windows Hacking
    • Throwback Network
      • Entering the breach
      • Exploring the caverns
      • Webshells and you!
      • First Contact
    • WinAttack LAB
      • Module 01
      • Module 02
      • Module 03
      • Module 04
      • Module 05
      • Module 06
      • Module 07
      • Module 08
      • Module 09
      • Module 10
  • Web Application Security
    • Burp Proxy Introduction
    • DVWA
      • DVWA Exercises 1
      • DVWA Exercises 2
      • DVWA Exercises 3
      • DVWA Exercises 4
      • DVWA Exercises 5
      • DVWA Exercises 6
      • DVWA Exercises 7
      • DVWA Exercises 8
  • CTF and Crypto Exercises
    • Cyberchef Challenge
    • HTB Invite Challenge
    • BSides London 2019 Challenge
    • Ninja Sec Challenge
  • Threat Intelligence
    • MISP Exercise 1
    • MISP Exercise 2
    • MISP Exercise 3
    • MISP Exercise 4
    • MISP Exercise 5
    • MISP Exercise 6
    • MISP Exercise 7
    • MISP Exercise 8
    • Virus Total Graph Exercise
    • RFI Incoming!
  • Forensic Exercises
    • Disk Forensics
      • The Sleuth Kit Intro
      • Filecarving with Foremost
      • Filecarving with scalpel
      • Bulk extractor
      • Disk acquisition with dd
      • Disk acquisition with dcfldd
      • Disk acquisition with ewftools
      • Disk acquisition with FTK Imager
      • Mount disk image (raw)
      • Unknown USB Stick
      • USB Stick Filecarving
      • Autopsy Exercise
    • Windows Forensics
      • Bitunlocker
      • Alternate Datastreams
    • Memory Forensics
      • Volatility2 Basics (Linux)
      • Volatility2 Exercise 1
      • Volatility3 Exercise 1
      • Volatility3 Exercise 2
      • Volatility3 Exercise 3
    • Image Forensics
      • Unswirl Image
      • Manual Filecarving 1
      • Manual Filecarving 2
    • Browser Forensics
    • Mail Header Analysis
    • Timestomping Exercise
    • Network Forensics
      • Tshark Exercise
  • Malware Analysis
    • Ransomware
      • General Introduction
      • Ryuk
      • RansomEXX
      • REvil
      • BlackMatter
      • Hades
      • Egregor
      • DoppelPaymer
    • YARA
      • YARA Install
      • yarGen
      • YARA with Cyberchef
      • TCP dump analysis
      • Memory dump analysis
    • Dosfuscated Scripts
  • Android Malware
    • LAB Setup 1
    • LAB Setup 2
    • Android Manifest
    • Android Permissions
    • APP Tracing with Frida
    • AES Key decryption
    • RedAlert
    • BlackRoseLucy
    • Crackme RE Challenge
  • Forensic Readiness
    • Windows Event Logs
    • Windows Sysmon
    • Sysmon: Capture Clipboard
    • Sysmon: Process Injection
    • Ransomware Detection
      • Signature based
  • Live Response
    • Velociraptor P1
    • Velociraptor P2
    • Velociraptor P3
    • Windows Response LAB
      • Lateral Movement Detection
      • Detect persistence
      • Volatility Analysis
Powered by GitBook
On this page
  • 1. Introduction
  • 2. Analysis Workstation
  • 3. Timeline explorer
  • 4. Analysis USB Stick

Was this helpful?

  1. Forensic Exercises
  2. Disk Forensics

Autopsy Exercise

PreviousUSB Stick FilecarvingNextWindows Forensics

Last updated 3 years ago

Was this helpful?

1. Introduction

Jens Vogel works for a technology company as a research manager in a highly sensitive laboratory work area. During the routine security check at the exit of the company area, the security staff discovers that Mr. Vogel is carrying a private a private USB flash drive in his briefcase. In a conversation with his managers, Mr. Vogel. becomes entangled in contradictions. There is therefore a suspicion that he has tried to steal internal company information or that he has at least been careless with confidential data.

In this scenario, find inculpatory and exculpatory circumstantial evidence in connection with attempted or even completed data theft. For this purpose, we provide you with data carrier images of the workstation PC and the discovered USB stick.

2. Analysis Workstation

Start autopsy, create a new case and load the first image file

Select disk image or VM file

Select data source (Worksation image)

Load all modules (Will be more time consuming)

On the left side we can see a lot of interessting artifacts:

The email artifacts are very interessting. We can see that Jens Vogel had a e-mail conversation with a spy

If we follow the conversation we can see that Jens Vogel did share files over GDrive with spy

He was also instructed to copy even more data. Jens wants to stop it. Spy gave Jens Vogel a warning that he should be careful, because USB Devices can be easyli detected

Jens Vogel tries and got caught!

Let's check another interessting artifact:

I could identify two USB Sticks:

Let's check the Downloads folder:

We can see that Jens Vogel did download gdrive and icloud sync software

Search history reveals that Jens Vogel was searching for anti forensics and how to delete data

Autopsy has a artifact collector for web searches:

Recent documents reveals also interessting informations:

Here we can see that he was working on several files named with secret fom network, local and removable media paths. We also could find a resignation letter.

We can also see this with the shellbags artifact:

Notice: We can see alot of interessting filenames that contains the wording secret

3. Timeline explorer

Autopsy brings a module timelineexplorer. From here I'll set a filter with the keyword secret

Let's check details:

4. Analysis USB Stick

There are a lot of pictures which are probably classified as secret:

More pictures:

Some files are tagged with [secret project]