Monday, September 16, 2013

Daily Blog #85: Sunday Funday 9/15/13 Winner!

Hello Reader,
       This was an interesting experiment of a challenge. We left a lot of things to find in this image, and tomorrow I'll do a walkthrough of the artifacts. Today, though, it's time to announce our anonymous winner!

The Challenge:
 An employee has left your company for a competitor. You have been given an image of his system and are being asked to determine the following:
1. What devices were attached to his system
2. Was data transferred from this system?
3. What data was likely transferred and when?
4. How many different ways was data transferred from the system?
 
The winning answer, from Anonymous:

1. What devices were attached to his system
  1. USB Device with S/N: 0707335DB6A54359
  2. Patriot Memory USB Device with S/N: 079805001BB401AC
  3. Generic- Compact Flash USB Device with S/N: 058F63626476
  4. Generic- MS/MS-Pro USB Device with S/N: 058F63626476
  5. Generic- SD/MMC USB Device with S/N: 058F63626476
  6. Generic- SM/xD-Picture USB Device with S/N: 058F63626476
  7. VBTM Store 'n' Go USB Device with S/N: 0AC1F7605250196A
2. Was data transferred from this system?
 
  • Most likely, yes.
3. What data was likely transferred and when?
 
  • The file "Acme 2013 Budget.rtf" was likely transferred to the E:\ drive at approximately 00:53:48 UTC on 08/31/2013.
    • This is supported by the existence of a LNK file referencing access to E:\Acme 2013 Budget.rtf.  The embedded FILETIME object referencing the creation date of the LNK file target is 08/31/2013 00:53:48 UTC, indicating that Acme 2013 Budget.rtf was created on the E:\ drive at that time.
    • Access to this file on the E:\ drive is further corroborated through jump list entries and records in index.dat databases.
  • The file "Acme.zip" was likely burned to an optical disc at approximately 22:22:42 UTC on 09/03/2013.
    • This is supported by a reference to "Acme.zip" in the \Users\Suspect\AppData\Local\Microsoft\Windows\Burn\Burn directory, which was identified by analysis of the USN journal.  Specifically, the creation and subsequent deletion of Acme.zip in the directory with MFT record number 15992, which corresponds to the Burn directory, was identified in records 11674688 and 11674848, respectively, of the USN journal.
       
    • Acme.zip appears to have contained "Information for Patent.rtf" and "Prototype.bmp".
4. How many different ways was data transferred from the system?
 
  • Two: via USB device and burning to optical disc.
Based on event log analysis, the USB device connected to the machine at the time "Acme 2013 Budget.rtf" was created on the E:\ drive was the VBTM Store 'n' Go USB Device with S/N: 0AC1F7605250196A.  

Event log analysis further supports that "Acme.zip" was burned to an optical disc and indicates that the disc burning process may have taken place around 22:27:59 UTC (so the approximation of 22:22:42 UTC is still accurate).  
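
As an added illustration of the two artifacts the answer leans on (this is my own example code, not part of the winning answer or the challenge materials), the following Python script walks a $UsnJrnl:$J buffer as a sequence of USN_RECORD_V2 structures, keeps the create/delete records whose parent file reference resolves to a chosen MFT record number, converts their FILETIME stamps to UTC, and reads the target CreationTime out of a .lnk ShellLinkHeader. The journal and link bytes are constructed inline to mirror the answer's timeline: MFT record 15992 and the timestamps are taken from the answer, while the file reference numbers, sequence numbers and sizes are hypothetical.

```python
# Added example (not code from the blog post or the winning answer): walk a
# $UsnJrnl:$J buffer as USN_RECORD_V2 structures, list create/delete activity for
# files under one parent MFT record, and read the target CreationTime from a
# Shell Link (.lnk) header.  All sample bytes below are constructed, not carved.
import struct
from datetime import datetime, timedelta, timezone

USN_REASON_FILE_CREATE = 0x00000100   # reason bits as defined in winioctl.h
USN_REASON_FILE_DELETE = 0x00000200
USN_REASON_CLOSE = 0x80000000
USN_V2_FMT = "<IHHQQqqIIIIHH"         # fixed 60-byte part of USN_RECORD_V2
USN_V2_LEN = struct.calcsize(USN_V2_FMT)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ft):
    """FILETIME (100-ns ticks since 1601-01-01) -> timezone-aware UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def utc_to_filetime(dt):  # inverse; only used to build the constructed samples
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def mft_record_number(file_ref):  # low 48 bits = record number, high 16 = sequence
    return file_ref & 0xFFFFFFFFFFFF

def parse_usn_v2(buf):
    """Walk buf sequentially; one dict per USN_RECORD_V2, zero fill skipped."""
    recs, off = [], 0
    while off + USN_V2_LEN <= len(buf):
        (rec_len, major, _minor, fref, pref, usn, ts, reason, _src, _sid,
         _attrs, name_len, name_off) = struct.unpack_from(USN_V2_FMT, buf, off)
        if rec_len == 0:                  # sparse/zeroed gap between journal pages
            off += 8
            continue
        if major == 2 and off + name_off + name_len <= len(buf):
            name = buf[off + name_off:off + name_off + name_len].decode("utf-16-le")
            recs.append({"usn": usn, "file_ref": fref, "parent_ref": pref,
                         "timestamp": ts, "reason": reason, "name": name})
        off += rec_len                    # RecordLength includes the 8-byte padding
    return recs

def events_for_parent(buf, parent_mft):
    """(usn, kind, name, utc_time, closed) for create/delete records of files in directory
    parent_mft.  Reason bits accumulate until the record carrying USN_REASON_CLOSE."""
    out = []
    for r in parse_usn_v2(buf):
        if mft_record_number(r["parent_ref"]) != parent_mft:
            continue
        if r["reason"] & USN_REASON_FILE_CREATE:
            kind = "create"
        elif r["reason"] & USN_REASON_FILE_DELETE:
            kind = "delete"
        else:
            continue
        out.append((r["usn"], kind, r["name"], filetime_to_utc(r["timestamp"]),
                    bool(r["reason"] & USN_REASON_CLOSE)))
    return out

def lnk_target_times(data):
    """(CreationTime, AccessTime, WriteTime) of the link *target* from a ShellLinkHeader
    (MS-SHLLINK 2.1); these are not the .lnk file's own MFT timestamps."""
    header_size, clsid = struct.unpack_from("<I16s", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a ShellLinkHeader")
    return tuple(filetime_to_utc(t) for t in struct.unpack_from("<qqq", data, 0x1C))

# --- constructed sample data; file references and sizes are hypothetical -------
def build_usn_v2(fref, pref, usn, ts, reason, name):
    nb = name.encode("utf-16-le")
    rec_len = (USN_V2_LEN + len(nb) + 7) & ~7
    hdr = struct.pack(USN_V2_FMT, rec_len, 2, 0, fref, pref, usn, ts, reason,
                      0, 0, 0x20, len(nb), USN_V2_LEN)
    return hdr + nb + b"\x00" * (rec_len - USN_V2_LEN - len(nb))

def build_journal(entries):
    """entries: (fref, pref, ts, reason, name) tuples, None = 64 zero bytes.
    Usn is set to the record's byte offset, as it is in a real $J."""
    out = bytearray()
    for e in entries:
        if e is None:
            out += b"\x00" * 64
        else:
            fref, pref, ts, reason, name = e
            out += build_usn_v2(fref, pref, len(out), ts, reason, name)
    return bytes(out)

BURN_DIR_MFT = 15992                  # the Burn directory's record number in the answer
BURN_REF, ZIP_REF = (7 << 48) | BURN_DIR_MFT, (3 << 48) | 40213
T0 = utc_to_filetime(datetime(2013, 9, 3, 22, 22, 42, tzinfo=timezone.utc))
SAMPLE_J = build_journal([
    (ZIP_REF, BURN_REF, T0, USN_REASON_FILE_CREATE, "Acme.zip"),
    (ZIP_REF, BURN_REF, T0, USN_REASON_FILE_CREATE | USN_REASON_CLOSE, "Acme.zip"),
    ((2 << 48) | 777, (5 << 48) | 99, T0 + 10_000_000, USN_REASON_FILE_CREATE | USN_REASON_CLOSE, "unrelated.txt"),
    None,
    (ZIP_REF, BURN_REF, T0 + 317 * 10_000_000, USN_REASON_FILE_DELETE | USN_REASON_CLOSE, "Acme.zip"),  # 22:27:59
])
LNK_T = utc_to_filetime(datetime(2013, 8, 31, 0, 53, 48, tzinfo=timezone.utc))
SAMPLE_LNK = struct.pack("<I16sIIqqqIIIHHII", 0x4C, LNK_CLSID, 0, 0x20,
                         LNK_T, LNK_T + 720 * 10_000_000, LNK_T, 4096, 0, 1, 0, 0, 0, 0)
```

Calling `events_for_parent(SAMPLE_J, BURN_DIR_MFT)` returns the open and close records for the creation of Acme.zip at 22:22:42 UTC and the close record for its deletion 317 seconds later, while the unrelated file in another directory is filtered out; `lnk_target_times(SAMPLE_LNK)[0]` returns the target's CreationTime of 00:53:48 UTC. Two points carry over to real data: the Usn value the answer cites is the record's byte offset within $J, which is why the builder keeps Usn equal to offset, and $J is a sparse stream whose leading zero region can be gigabytes long, so a production parser should seek past it rather than stepping 8 bytes at a time as this example does.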
 

Conclusion
This was a fun challenge for us to make. Tomorrow I will be putting up the full solution; the image corresponds to chapter 13 of the new book. I'll be linking the image and the solution document on the new book site, www.leardfir.com, and we will be making videos showing how to find all these artifacts on our YouTube channel in the near future!
 
So now is when I am looking for your feedback: do we need more time for these forensic-image-based challenges? What do you need to succeed? Please comment below.