
Digital Forensics Case #B4DM755 - TryHackMe (Walkthrough)

Welcome!



Introduction


This is a brief walkthrough of the "Digital Forensics Case #B4DM755" room presented by TryHackMe.com. This is intended for users who are stuck and may need a little help or a hint. Please don't copy/paste my answers ;).


Before starting this room, TryHackMe recommends you complete two pre-requisite rooms. Walkthroughs for those rooms can be found here:


Task 1 - Intro


Key take-aways from this section:


  • This room will simulate a crime scenario in which we are authorized to conduct a search.

  • This room uses a fictitious narrative with made up characters and situations.

  • This room features two prerequisite rooms: Intro to Digital Forensics and Introduction to Cryptography.


Question for Task 1:


  1. I’m ready to investigate the case.


Answer: No answer needed.


Task 2 - Details of the Crime


Key take-aways from this section:


  • You are a Forensics Lab Analyst, and you have been assigned as the Digital Forensics and Incident Response (DFIR) First Responder for this case.

  • A trusted informant contacted your supervisor about William S. McClean from Case B4DM755.

  • You will be required to acquire and analyze digital artefacts and evidence.


Questions for Task 2:


  1. What is your official role?


The scenario information provided has the correct answers for all 4 of the questions in this task. See the screenshot below:



Answer: Forensics Lab Analyst


  2. What role was assigned to you for this specific scenario?


Answer: DFIR First Responder


  3. What do you have to gather?


Answer: Digital Artefacts and Evidence (Hint! Spell it the British English way :) )


  4. What document is needed before performing any legal search?


Answer: Search Warrant


Task 3 - Practical Applications of the Process


Key take-aways from this section:


  • Common first steps in forensic acquisitions include checking the disk for encryption, and taking images of the RAM and drive(s).

  • It is important to maintain the Chain of Custody, to ensure evidence is kept transparent and untainted.

  • This includes, but is not limited to, ensuring proper documentation, hashing and copying, and bagging, sealing and tagging the evidence.


Questions for Task 3:


  1. Before imaging drives, what must we check them for?


In the scenario information, THM lists 3 things we should do during forensic acquisition. One of those three recommends checking the drive for something.



Answer: Drive Encryption


  2. What should be done to ensure and maintain the integrity of original files in the Chain of Custody?


The scenario information also lists 3 important tips for establishing the Chain of Custody. One of those tips involves verifying the integrity of the original files.



Answer: Hash and Copy


  3. What must be done before sending obtained artefacts to the Forensics Laboratory?


The same section also provides us with guidance of what to do with the artefacts. Please see the above screenshot.


Answer: Bag, Seal, and Tag the obtained artefacts


Task 4 - At the Scene of the Crime


Key take-aways from this section:


  • As police arrived on the scene, everyone was gone. Steps to eradicate data had been taken.

  • Police find a flash drive with the initials WSM.

  • You prepare the flash drive according to Chain of Custody, and prepare it for further analysis.


Questions for Task 4:


  1. What is the only possible artefact found in the suspect's residence?


Reading the scenario instructions, we can see that a possible artefact was found under the suspect’s desk bearing the suspect’s initials.



Answer: Flash Drive


  2. Based on the scenario and the previous task, what should be done with that acquired suspect artefact?


For this answer, we must return to Task 3. Revisiting the section about establishing a Proper Chain of Custody, we can find our answer:



Answer: Taking an Image


  3. What is the crucial aspect of the Chain of Custody that ensures individual accountability and guarantees a transparent and untainted transfer of artefacts and evidence?


Once again, we return to Task 3 for this answer. Under the Chain of Custody section, one of the suggestions fits the theme of “individual accountability”. See the screenshot above.


Answer: Ensure Proper Documentation


Task 5 - Introduction to FTK Imager


Key take-aways from this section:


  • FTK Imager is a forensics tool that allows for the acquisition and analysis of data without affecting the original evidence.

  • The FTK Imager comes with a graphical user interface (GUI), which has multiple useful components used in the task.

  • FTK Imager also has the option to detect EFS Encryption, which we learned the importance of in Task 3.


Questions for Task 5:


  1. Start the attached VM, work on the subsequent tasks, and experiment with FTK Imager through a case example.


Answer: No Answer Needed (woo whoo!!)


Although no answer is required, the rest of this room requires technical use of FTK Imager. It is helpful to familiarize yourself with FTK Imager’s GUI and become comfortable with the tool.


  2. What device will prevent tampering when acquiring a forensic disk image?


We find this answer in the introduction to FTK Imager. After explaining the purpose of the tool, THM tells us that a real-world user would use this device to prevent accidental tampering. Please see the screenshot below.


Answer: Write-Blocking Device


  3. What is the UI element of FTK Imager which displays a hierarchical view of the added evidence sources?


While introducing us to the User Interface, THM explains 3 different view panes in FTK Imager. One of them displays evidence.



Answer: Evidence Pane


  4. Is the attached flash drive encrypted?


For this question, we will use the “Detect EFS Encryption” option in FTK Imager. To do that, we must first follow the room's step-by-step instructions for adding the flash drive as an evidence item. Afterwards, in the “File” menu, we will see the option to detect encryption. Note that this check only looks for Windows EFS-encrypted files on the volume; it will not tell you whether the drive is protected by full-disk encryption such as BitLocker or VeraCrypt, so in a real acquisition you would also check for those.





Once selected, FTK Imager will show us the results.


Answer: N


  5. What is the UI element of FTK Imager which displays a list of files and folders?


For this question, we go back to the overview of FTK Imager’s UI. Of the three view panes, one of them lists the files and folders inside the item selected in the Evidence Tree. Please see the screenshot under question 3.


Answer: File List Pane


Task 6 - Using FTK Imager for Digital Forensics


Key take-aways from this section:


  • This task has an easy, step-by-step guide to use FTK Imager to create a new Disk Image.

  • Once the image is created, you are able to mount the image to FTK Imager and extract files from it.

  • Files and artefacts from the mounted image can be browsed in the Evidence Tree pane and extracted from there.


Questions for Task 6:


  1. What is the UI element of FTK Imager which displays the content of selected files?


For this question, we go back to the overview of FTK Imager’s UI. Of the three view panes, one of them shows the contents of whichever file is currently selected in the File List pane. Please see the screenshot under Task 5 question 3.


Answer: Viewer Pane


  2. What is the SHA1 hash of the physical drive and forensic image?


To find the hash, we must follow THM’s step-by-step instructions for creating a disk image of the drive. Pay special attention to the “Verify images after they are created” option. If it is checked, FTK Imager will hash both the source drive and the finished image and show the MD5 and SHA1 values side by side once the image has been created; the two SHA1 values must be identical, which is what proves the image is a bit-for-bit copy:




Answer: d82f393a67c6fc87a023b50c785a7247ab1ac395


  3. Including hidden files, how many files are currently stored on the flash drive?


The key word of this question is “currently”. An easy way to check this is to open the original flash drive in the file explorer (with hidden files shown) and count the files, or read the item count in the status bar at the bottom of the window.



Answer: 8


  4. How many files were deleted in total?


To see every file the image knows about (including deleted and corrupted ones), we can use FTK Imager to extract them. The files are stored in the [root] directory, so right-clicking [root] lets us select “Extract Files…”. After saving them to the desktop, we can see this:




We see 14 files and 1 folder. Knowing that 8 files are currently stored on the drive, the remaining 6 must be deleted files that FTK Imager recovered from the file system's leftover directory entries.


Answer: 6


  5. How many recovered files are corrupted?


To determine which files are corrupted, we look for a file size of 0 KB. Staying in the [root] folder of extracted files, we can count the files that have a size of 0. A zero-byte recovered file means the directory entry for the deleted file still existed, but the clusters that held its data had already been reused or overwritten, so nothing could be carved back out.



Answer: 3


Task 7 - At the Forensics Labs


Key take-aways from this section:


  • After artefacts and evidence have been acquired, it is necessary to authenticate them.

  • This is possible by creating a hash of the forensic disk image and comparing it to the hash of the physical drive.

  • It is also necessary to document all analysis methods to ensure admissibility in court.
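The authentication step described above, as an added Python example (this is not code from the room or from FTK Imager): it hashes the source device and the forensic image in a single pass, then checks that the image matches the source and that both match the SHA1 value written on the chain-of-custody form. The "drive" contents below are a constructed byte string; the function names are this example's own.

```python
import hashlib
import io

CHUNK = 1 << 20  # 1 MiB reads keep memory flat on multi-GB images


def _as_stream(obj):
    """Accept either a file-like object or raw bytes (bytes are used for the demo)."""
    return io.BytesIO(obj) if isinstance(obj, (bytes, bytearray)) else obj


def hash_stream(source) -> dict:
    """Compute MD5 and SHA1 in one pass; the evidence is read only once."""
    stream = _as_stream(source)
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        md5.update(chunk)
        sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify_acquisition(source, image, recorded_sha1: str) -> dict:
    """Compare the source device, the forensic image and the hash on the
    custody form. All three must agree before any analysis starts."""
    src, img = hash_stream(source), hash_stream(image)
    recorded = recorded_sha1.strip().lower()  # forms are often typed in upper case
    return {
        "source": src,
        "image": img,
        "image_matches_source": src == img,
        "image_matches_record": img["sha1"] == recorded,
        "verified": src == img and img["sha1"] == recorded,
    }


if __name__ == "__main__":
    # Constructed stand-in for a small drive: 1 MiB of a repeating byte pattern.
    drive = bytes(range(256)) * 4096
    form_value = hash_stream(drive)["sha1"].upper()  # what the analyst wrote down
    print(verify_acquisition(drive, drive, form_value)["verified"])        # True
    tampered = drive[:-1] + b"\x00"                                        # one byte changed
    print(verify_acquisition(drive, tampered, form_value)["verified"])     # False
```

Because a single flipped byte in a multi-gigabyte image changes every hex digit of the digest, a mismatch tells you the copy is unusable but not where it differs; keep the original image sealed and re-acquire rather than "fixing" the copy.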


Questions for Task 7:


  1. Aside from FTK Imager, what is the directory name of the other tool located in the tools directory under Desktop?


When we open the Tools folder on the desktop, there are 2 folders inside. The answer is looking for the full folder/directory name.



Answer: exiftool-12.47


The room does not explain what exiftool is, and may expect you to already be familiar with the tool. If you are not, it is worth looking up, as you will be expected to use it for the rest of the task. Exiftool is a free and open-source tool created by Phil Harvey. It can be used to read, write, and manipulate the metadata of many file types, and it identifies a file's real type from its contents rather than from its extension. In this task, we will only be reading metadata.


  2. What is the visible extension of the “hideout” file?


It is simple to find the visible extension of our file. In the [root] directory of extracted files, we can see the extension mentioned under both “name” and “type”.




Answer: .pdf


  3. View the metadata of the "hideout" file. What is its actual extension?


Exiftool frequently crashed while I attempted Task 7. I did some troubleshooting on the AttackBox, and checked with members of the THM Discord. After restarting the target machine and AttackBox twice, I was able to complete the task with no issues.


To quickly read the metadata, we can drag and drop the file onto exiftool.exe. This runs exiftool against the file and opens a console window with the metadata output. The two fields to compare are “File Type Extension” (what the content really is) and the extension in “File Name” (what the suspect wanted us to see).




Here, we can see that the file name and the file type extension don’t match!


Answer: .jpg


  1. A phone was used to photograph the "hideout". What is the phone's model?


To find this, we must continue reading the same metadata output. EXIF data in a photo can hold a scary amount of information, including the phone’s “Camera Model Name” and even the camera orientation and exposure program, which is why you should check for it before publishing any photo of your own. See the screenshot above.


Answer: ONEPLUS A6013


  1. A phone was used to photograph the "warehouse". What is the phone's model?


We must answer this question using the same methodology as questions 3 & 4. We will find the “warehouse.pdf” file in the [root] directory. After drag/dropping it into exiftool, the metadata will be displayed on our screen. Once again, we’re looking for the “camera model name”.



Answer: Mi 9 Lite


  6. Are there any indications that the suspect is involved in other illegal activity? (Y/N)


Now that we have practiced using exiftool to analyze metadata, it’s time to explore! If we read the hint given to us by THM, we know that one of these files may be a zip archive in disguise. My methodology was to start at the top of the file list and view the metadata of each file in turn. Thanks to exiftool, this only took a couple of seconds per file.




Wow! This .xlsx file was secretly a .zip the whole time. A genuine .xlsx is itself a ZIP container, so the extension is a plausible disguise; exiftool reports plain “ZIP” here because the archive lacks the internal structure of a real spreadsheet. To unpack it, we right-click the file and rename it to .zip.


Unpacking this .zip file will eventually lead us to another .zip titled “pandorasbox”, with a note as well. Upon reading, we see some shady accounting and some red flag key words!



Answer: Y
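Questions 3, 4 and 6 above all come down to two checks that exiftool does for us: identify a file by its leading bytes rather than its name, and pull the camera model out of a JPEG's EXIF block. As an added Python example (this is not code from the room, from TryHackMe, or from exiftool), the script below does both, and it also handles the trap in question 6: an .xlsx is a ZIP container, so a bare "PK" signature cannot tell a spreadsheet from a plain archive, and the script looks for the `[Content_Types].xml` entry that a real Office file must contain. All sample inputs (a minimal JPEG carrying only an EXIF Model tag, and two small ZIP archives) are constructed inside the script; the model strings and file names are placeholders, not evidence from the room.

```python
import io
import struct
import zipfile

# Leading-byte signatures for the file types seen in this room
# (standard signatures; the short labels are this example's own).
SIGNATURES = (
    (b"\xff\xd8\xff", "jpg"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
)


def sniff_type(data: bytes) -> str:
    """Identify a file by its content, ignoring the name it was given."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            if kind == "zip":
                # .xlsx/.docx are ZIPs too; OOXML requires [Content_Types].xml,
                # a plain archive that merely wears the extension has none.
                try:
                    with zipfile.ZipFile(io.BytesIO(data)) as zf:
                        if "[Content_Types].xml" in zf.namelist():
                            return "ooxml"
                except zipfile.BadZipFile:
                    pass
            return kind
    return "unknown"


def extension_mismatch(filename: str, data: bytes):
    """Return (claimed, actual) when the visible extension lies, else None."""
    claimed = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = sniff_type(data)
    if actual == "ooxml" and claimed in ("xlsx", "docx", "pptx"):
        return None
    if claimed == actual or (claimed == "jpeg" and actual == "jpg"):
        return None
    return claimed, actual


def _model_from_tiff(tiff: bytes):
    """Walk IFD0 of an EXIF TIFF block and return the Model (0x0110) string."""
    endian = ">" if tiff[:2] == b"MM" else "<"
    ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
    count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
    for i in range(count):
        entry = tiff[ifd0 + 2 + 12 * i:ifd0 + 14 + 12 * i]
        tag, typ, n, value = struct.unpack(endian + "HHI4s", entry)
        if tag == 0x0110 and typ == 2:  # Model, ASCII
            if n <= 4:                   # short values are stored inline
                raw = value[:n]
            else:                        # otherwise the field is an offset
                off = struct.unpack(endian + "I", value)[0]
                raw = tiff[off:off + n]
            return raw.rstrip(b"\x00").decode("ascii", "replace")
    return None


def exif_model(data: bytes):
    """Return the camera model from a JPEG's APP1/EXIF segment, or None."""
    if not data.startswith(b"\xff\xd8"):
        return None
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0x01, 0xD8, 0xD9) or 0xD0 <= marker <= 0xD7:
            pos += 2                     # stand-alone markers carry no length
            continue
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        seg = data[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and seg.startswith(b"Exif\x00\x00"):
            return _model_from_tiff(seg[6:])
        if marker == 0xDA:               # start of scan: no more metadata
            break
        pos += 2 + seg_len
    return None


def build_sample_jpeg(model: str) -> bytes:
    """Construct a minimal JPEG whose EXIF block holds only a Model tag."""
    name = model.encode("ascii") + b"\x00"
    tiff = b"II*\x00" + struct.pack("<I", 8)               # little-endian, IFD0 at 8
    tiff += struct.pack("<H", 1)                             # one entry
    tiff += struct.pack("<HHII", 0x0110, 2, len(name), 26)   # Model -> offset 26
    tiff += struct.pack("<I", 0) + name                      # no next IFD, then data
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def build_sample_zip(entries: dict) -> bytes:
    """Construct an in-memory ZIP from {name: text} (test input only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    photo = build_sample_jpeg("EXAMPLE PHONE")                       # placeholder model
    print(extension_mismatch("hideout.pdf", photo), exif_model(photo))
    fake = build_sample_zip({"notes.txt": "ledger"})
    real = build_sample_zip({"[Content_Types].xml": "<Types/>", "xl/workbook.xml": "<w/>"})
    print(extension_mismatch("accounts.xlsx", fake), extension_mismatch("accounts.xlsx", real))
```

The EXIF walk stops at the start-of-scan marker, so a large photo is not read past its headers; a file that claims to be a PDF but starts with `FF D8 FF` is flagged before any of the image data is touched.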


  7. Who was the point of contact of Mr William S. McClean in 2022?


The notes.txt file we just read includes 3 years of business records for William S. McClean. Looking at the 2022 listing will show us our answer.



Answer: Karl Renato Abelardo


  8. A meetup occurred in 2022. What are the GPS coordinates during that time?


We are going to find the answer for this in the same location. See the screenshot above.


Answer: 14°26'25.7"N 120°59'00.8"E


  9. What is the password to extract the contents of pandorasbox.zip?


Pandorasbox is password protected - what a smart hacker! However, we can find the password pretty easily, as it is stored in plaintext at the bottom of the note - not so smart.



Answer: DarkVault$Pandora=DONOTOPEN!K1ngCr1ms0n!


  10. From which company did the source code in the pandorasbox directory originate?


This question can be tricky. After we open pandorasbox.zip, we are greeted with several directories. Exploring these directories reveals numerous python scripts, denoted by their “.py” file extension. Perhaps the author of the script left some type of note?


The AttackBox is unable to open the “.py” extension in the user interface, so we need to go to the command line. I chose to use Windows PowerShell for this task, where `cat` is an alias for the `Get-Content` cmdlet and prints a text file to the console. Once we navigate to the pandorasbox folder, we can type “cat main.py” to investigate the first script.



The hash (#) symbol in Python starts a comment, text that is ignored when the script runs. If we read through these comments, we’ll see some useful information.


Answer: Swiftspend Financial


  11. In one of the documents that the suspect has yet to sign, who was listed as the beneficiary?


Opening pandorasbox also gives us access to a handful of Word documents. Give these a good read, as they tell a fairly juicy story!

Eventually, one of the documents (the one that requires signatures) will reveal “the Principal Beneficiary” of the transfer.




Answer: Mr. Giovanni Vittorio DeVentura


  12. What is the hidden flag?


We have investigated most of the folders and files at this point, except the one telling us not to open it. So... of course we are going to open it, and we’ll open it using the password we copied from “notes.txt”!



Answer: THM{sCr0LL_sCr0LL_cL1cK_cL1cK_4TT3NT10N_2_D3T41L5_15_CRUC14L!!}


Task 8 - Post Analysis to Court Proceedings


Key take-aways from this section:


  • During the pre-search phase of investigation, you may make requests to preserve a suspect’s data and obtain search warrants.

  • During the search and post-search stages, you may obtain artefacts, perform analysis, and maintain the chain of custody.

  • Artefacts must be presented with the appropriate documentation during trial proceedings.


Questions for Task 8:


  1. In which phase is a warrant obtained for search, seizure, and examination of the suspect's computer data due to violations of domestic and international laws?


We have compiled our artefacts and evidence, and created our forensic images. In this task, we will review the steps we need to prepare for court. Using the scenario information given, we can find our answer. See the screenshot below.



Answer: Pre-Search


  2. In which phase is a forensic analysis performed on the acquired digital evidence requested from various sources?


Forensic Analysis can only be performed after the artefacts have been acquired in the search. If we use the scenario information, we’ll see the appropriate section. See the screenshot below:



Answer: Post-Search


  3. Which phase involves presenting forensic artefacts and evidence with proper documentation in a court of law?


The forensic artefacts can only be used in court after the analysis has been completed. If we check the scenario information, and the screenshot under question 2, we’ll see our answer.


Answer: Trial


-TW


