F 221: Examining a Windows Disk Image (25 pts extra)

What You Need

A Windows machine with Autopsy installed.
You need about 30 GB available space on your Windows machine.

Downloading the Evidence Files

On your Windows machine, in a Web browser, go to:

https://cfreds.nist.gov/all/NIST/DataLeakageCase

Download the first three files, as shown below, with filenames ending in ".001", ".002", and ".003".

The files total approximately 5 GB in size, so the download may be slow.

This information may help to verify your downloads:
cfreds_2015_data_leakage_pc.7z.001 Size: 2,147,483,648 bytes MD5: c327db25292296ab10c2670b94ef28b5 cfreds_2015_data_leakage_pc.7z.002 Size: 2,147,483,648 bytes MD5: 8a5185144c7d38c111d5505e3018ba73 cfreds_2015_data_leakage_pc.7z.003 Size: 1,132,827,932 bytes MD5: e155d374d77643a9ff44a664d628bf87

Installing 7-Zip

On your Windows machine, in a Web browser, go to:

https://7-zip.org

Download and install 7-Zip.

Unzipping the Evidence File

Right-click the cfreds_2015_data_leakage_pc.7z.001 file and click "Show more options", 7-Zip, "Extract here".

When the extraction is done, you'll have a file named cfreds_2015_data_leakage_pc.dd that is approximately 21 GB in size.

F 221.1: Verifying the Hash (5 pts)
Open a PowerShell window and execute the commands, shown below.
cd Downloads Get-FileHash -Algorithm MD5 cfreds_2015_data_leakage_pc.dd
Verify that the MD5 value matches the value shown below. If it does not, re-download the evidence file.
Right-click the cfreds_2015_data_leakage_pc.dd file and click "Show more options", 7-Zip, "CRC SHA", CRC32.
The flag is covered by a green rectangle in the image below.

Analyzing the Evidence with Autopsy

Launch Autopsy.

Creating a New Case

From the Autopsy menu bar, click the "New Case" button.

Enter a Case Name of F221.

Click the Next button.

Click the Finish button.

Importing the Evidence Image

In the Add Data Source, at step 1. Select Host, click the Next button.

At step 2. Select Data Source Type, click "Disk Image or VM File", as shown below.

Click the Next button.

At step 3. Select Data Source, click the Browse button. Navigate to the cfreds_2015_data_leakage_pc.dd. Click it and click the Open button.

Change the Time Zone to "(GMT-5:00) America/Toronto". as shown below.

Click the Next button.

At step 4. Configure Ingest, clear all the check marks except "Recent Activity", as shown below.

Click the Next button.

It takes a minute or so to prepare the data.

At step 5. Add Data Source, click the Finish button.

The progess of the processing is shown at the bottom right. In the image below, the processing is 18% done.

Wait until the processing is done.

Data Artifacts

In the left pane of Autopsy, there are many interesting items, starting with "Installed Programs", as shown below.

Use the Artifacts to find the answers to the questions below.

F 221.2: Most Recently Installed Program (5 pts)
What is the name of the most recently installed program?
The flag is covered by a green rectangle in the image below.

F 221.3: Most Recent Document (5 pts)
What is the name of the most recently accessed document?
The flag is covered by a green rectangle in the image below.

F 221.4: 59 Times (5 pts)
What program was run 59 times, as recorded in the Prefetch folder? (Autopsy calls this "Run Programs") What is the name of the most recently accessed document?
The flag is covered by a green rectangle in the image below.

F 221.5: Search (5 pts)
What suspicious web search was performed, covered by a green rectangle in the image below?

Reference

Windows Registry analysis using Autopsy - CAINE - 08

Posted: 9-29-22
Image for flag 221.4 updated 10-28-22
Title changed and video added 3-20-23
Hashcalc replaced with 7-Zip and PowerShell 2-20-24
Hash of first file added 4-23-24