F 221: Examining a Windows Disk Image (25 pts extra)

What You Need

Downloading the Evidence Files

On your Windows machine, in a Web browser, go to:
https://cfreds.nist.gov/all/NIST/DataLeakageCase
Download the first three files, as shown below, with filenames ending in ".001", ".002", and ".003".

The files total approximately 5 GB in size, so the download may be slow.

Installing 7-Zip

On your Windows machine, in a Web browser, go to:
https://7-zip.org
Download and install 7-Zip.

Unzipping the Evidence File

Right-click the cfreds_2015_data_leakage_pc.7z.001 file and click 7-Zip, "Extract here".

When the extraction is done, you'll have a file named cfreds_2015_data_leakage_pc.dd that is approximately 21 GB in size.

F 221.1: Verifying the Hash (5 pts)

If you don't have HashCalc installed, get it here:
https://www.slavasoft.com/hashcalc/
Run HashCalc on the cfreds_2015_data_leakage_pc.dd file. This will take several minutes. Verify that the hashes match the image below.

The flag is covered by a green rectangle in the image below.

Analyzing the Evidence with Autopsy

Launch Autopsy.

Creating a New Case

From the Autopsy menu bar, click the "New Case" button.

Enter a Case Name of F221.

Click the Next button.

Click the Finish button.

Importing the Evidence Image

In the Add Data Source, at step 1. Select Host, click the Next button.

At step 2. Select Data Source Type, click "Disk Image or VM File", as shown below.

Click the Next button.

At step 3. Select Data Source, click the Browse button. Navigate to the cfreds_2015_data_leakage_pc.dd. Click it and click the Open button.

Change the Time Zone to "(GMT-5:00) America/Toronto", as shown below.

Click the Next button.

At step 4. Configure Ingest, clear all the check marks except "Recent Activity", as shown below.

Click the Next button.

It takes a minute or so to prepare the data.

At step 5. Add Data Source, click the Finish button.

The progress of the processing is shown at the bottom right. In the image below, the processing is 18% done.

Wait until the processing is done.

Data Artifacts

In the left pane of Autopsy, there are many interesting items, starting with "Installed Programs", as shown below.

Use the Artifacts to find the answers to the questions below.

F 221.2: Most Recently Installed Program (5 pts)

What is the name of the most recently installed program?

The flag is covered by a green rectangle in the image below.

F 221.3: Most Recent Document (5 pts)

What is the name of the most recently accessed document?

The flag is covered by a green rectangle in the image below.

F 221.4: 59 Times (5 pts)

What program was run 59 times, as recorded in the Prefetch folder? (Autopsy calls this "Run Programs".)

The flag is covered by a green rectangle in the image below.
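To cross-check the "Run Programs" count Autopsy reports, you can export the Prefetch folder (C:\Windows\Prefetch) from the image and read the run counter out of each .pf file directly. The parser below is an added example, not part of this lab or of Autopsy; it relies on the publicly documented header layout for prefetch format versions 17, 23, 26 and 30, and the sample file it parses is constructed in code rather than taken from the case image.

```python
import struct
from pathlib import Path
from datetime import datetime, timedelta, timezone

# Offsets (run count, last-run FILETIME) per prefetch format version:
# 17 = XP/2003, 23 = Vista/7, 26 = Windows 8.1, 30 = Windows 10 (first variant).
# Windows 10 files are usually MAM-compressed and must be decompressed first.
LAYOUT = {17: (0x90, 0x78), 23: (0x98, 0x80), 26: (0xD0, 0x80), 30: (0xD0, 0x80)}

def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to UTC datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_prefetch(data):
    """Return executable name, run count and last run time from a raw .pf file."""
    if data[:3] == b"MAM":
        raise ValueError("MAM-compressed prefetch file; decompress before parsing")
    version, signature = struct.unpack_from("<I4s", data, 0)
    if signature != b"SCCA" or version not in LAYOUT:
        raise ValueError("not a supported prefetch file")
    run_off, time_off = LAYOUT[version]
    # Executable name: 60 bytes of UTF-16LE at 0x10, NUL-terminated.
    name = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    run_count = struct.unpack_from("<I", data, run_off)[0]
    last_run = struct.unpack_from("<Q", data, time_off)[0]
    return {"executable": name, "version": version, "run_count": run_count,
            "last_run": filetime_to_datetime(last_run)}

def rank_prefetch_dir(directory):
    """Parse every *.pf in an exported Prefetch folder, most-run first."""
    results = []
    for pf in Path(directory).glob("*.pf"):
        try:
            results.append(parse_prefetch(pf.read_bytes()))
        except ValueError:
            continue  # skip compressed or malformed files rather than abort the scan
    return sorted(results, key=lambda r: r["run_count"], reverse=True)

def build_sample(name, version, run_count, last_run_ft):
    """Constructed test input: a minimal header with only the fields parsed above."""
    run_off, time_off = LAYOUT[version]
    buf = bytearray(0x54 + 224)  # header plus the largest file-information block
    struct.pack_into("<I4sII", buf, 0, version, b"SCCA", 0x11, len(buf))
    encoded = name.encode("utf-16-le")
    buf[0x10:0x10 + len(encoded)] = encoded
    struct.pack_into("<Q", buf, time_off, last_run_ft)
    struct.pack_into("<I", buf, run_off, run_count)
    return bytes(buf)
```

Running rank_prefetch_dir on the exported folder lists each executable with its run count, so the entry at 59 should match the program Autopsy shows under "Run Programs".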

F 221.5: Search (5 pts)

What suspicious web search was performed, covered by a green rectangle in the image below?

Reference

Windows Registry analysis using Autopsy - CAINE - 08

Posted: 9-29-22
Image for flag 221.4 updated 10-28-22
Title changed and video added 3-20-23