Take advantage of the SANS DFIR Posters under Resources (Week Fifteen) for locations of different artifacts in Windows.
Scenario: On December 16th, 2022 you were contracted to perform a forensic analysis for Dewey, Cheatum, and Howe, LLP. The CEO of Kidco, William L. Howard has been compromised by an unknown individual. He believes it began sometime around November 19th, 2021. Mr. Howard is concerned that company information has been stolen off of his computer. He recalls receiving an email with an attachment that would not open prior to the 19th, but he’s not sure on the exact date.
Kidco had another security incident in 2020, but that was handled by another firm. As part of the company’s security improvements from that incident, they started testing an open source program called Velociraptor to monitor their workstations and servers. However the software has not been fully implemented yet and was unavailable for this current incident.
A third party forensic firm, Grouppunch, was brought in to image the hard drive of Mr. Howard’s computer. A copy of that image has been provided for your investigation.
Along with the EWF files in your Case Evidence folder is a text file (verification_hashes.txt) that contains the SHA256 hashes for the individual files. This is NOT the hash for the acquisition of the entire hard drive image, that is contained in the 2022FALL340-440.E01.txt file.
Remember when you drag and drop the first E01 image file into EnCase, it will automatically load the other EWF/E0* files in the directory.
You are being tasked with examining the evidence, and providing a forensic report on your findings based on the following questions:
1) What is the Disk Signature?
2) Parse out the Master Boot Record and provide the following data for the valid partitions:
a. Partition Type
b. Starting sector
c. Partition Size
3) Find out the following information about the machine:
a. Computer Name
b. Time Zone of Computer
c. Last Shutdown Time
4) When did the unknown individual get access to Mr. Howard’s laptop?
5) How did the unknown individual get access to Mr. Howard’s laptop?
6) Is there any evidence the unknown individual placed malware on Mr Howard’s laptop?
7) Was any information potentially stolen off of Mr. Howard’s laptop?
A third party forensic firm, Grouppunch, was brought in to image the hard drive of Mr. Howard’s computer. A copy of that image has been provided for your investigation.
Along with the EWF files in your Case Evidence folder is a text file (verification_hashes.txt) that contains the SHA256 hashes for the individual files. This is NOT the hash for the acquisition of the entire hard drive image, that is contained in the 2022FALL340-440.E01.txt file.
Remember when you drag and drop the first E01 image file into EnCase, it will automatically load the other EWF/E0* files in the directory.
You are being tasked with examining the evidence, and providing a forensic report on your findings based on the following questions:
1) What is the Disk Signature?
2) Parse out the Master Boot Record and provide the following data for the valid partitions:
a. Partition Type
b. Starting sector
c. Partition Size
3) Find out the following information about the machine:
a. Computer Name
b. Time Zone of Computer
c. Last Shutdown Time
4) When did the unknown individual get access to Mr. Howard’s laptop?
5) How did the unknown individual get access to Mr. Howard’s laptop?
6) Is there any evidence the unknown individual placed malware on Mr Howard’s laptop?
7) Was any information potentially stolen off of Mr. Howard’s laptop?
8) Is there any possible indication that Mr. Howard was in on the scheme?
9) Is there any evidence that the unknown individual accessed any other systems on the network?
10) Put a timeline together that shows the activity of the unknown individual on Mr. Howard’s machine.