Autopsy, Windows Image and yet no results... :(

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.

banderas20
Member
 

Autopsy, Windows Image and yet no results... :(

Post Posted: Apr 24, 19 09:39

Hello,


I'm new to forensics and I'm performing some tests with Autopsy and a Windows dump image.
It's a challenge. I am supposed to find relevant info. That's what I have found so far:

- $Logfile, $MFT and orphaned files.
- 2 JPG images.
- 2 txt files with the same name. One of them deleted and the other undeleted. Both with a size of 0 bytes and empty.
- A MS Word document password protected.

I have analyzed all the metadata, and the hex content of every file, but I can't find a clue. I have also dug into the images to see if there is any message hidden in them.

I think that maybe the text that once existed in the txts might help, but I am not able to recover it.

The data HAS to be somewhere, as it's a challenge. But I am lost. Can you point me somewhere or shed some light on this?

Many thanks in advance!  
 
  

BDME
Newbie
 

Re: Autopsy, Windows Image and yet no results... :(

Post Posted: Apr 24, 19 18:48

Is it an open challenge? I can't really point you in any direction without knowing what I'm looking for. If it's an open challenge I can see if I can find anything interesting then give you some clues.

Cheers  
 
  

banderas20
Member
 

Re: Autopsy, Windows Image and yet no results... :(

Post Posted: Apr 24, 19 21:39

- BDME
Is it an open challenge? I can't really point you in any direction without knowing what I'm looking for. If it's an open challenge I can see if I can find anything interesting then give you some clues.

Cheers


By challenge I mean it's an exercise proposed by my teacher. I am supposed to find a location and a specific item hidden somewhere in the info analyzed.

Thanks!  
 
  

BDME
Newbie
 

Re: Autopsy, Windows Image and yet no results... :(

Post Posted: Apr 25, 19 17:40

Alright, well I can try to help, if you wanted to upload the image to Google Drive I'd look at it.

Do the images have EXIF data? If they are from the same coordinates maybe that was the location. If not there may be stego involved.

Do a search of the txt document name in unallocated space. So if the file's name is "The big purple elephant" try "purple" or "elephant".

Finally, see if any of the orphaned files point to stego or encryption software.

Let me know if this helps.  
 
  

banderas20
Member
 

Re: Autopsy, Windows Image and yet no results... :(

Post Posted: Apr 25, 19 22:33

Hello.

First of all, thanks for your help.

The JPG files have no EXIF data apart from uuid.
I have loaded the Unallocated Space, but although it's big in size, it appears to be empty and full of zeroes. Also, I don't know how to search within the unallocated file in Autopsy.

The orphaned files only contain 3 lines of base64 code, which don't point to any software.

I can upload the files to drive and share it with you. PM me and we can share accounts.

Thanks for your help!  
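
Added example, not part of either post above: a Python sketch of the keyword search over unallocated space suggested in the thread, which also counts non-zero bytes to check whether a region really is all zeroes. It assumes the unallocated space or image is available as a raw file; the function names and the sample data are constructed for illustration.

```python
import io

def keyword_patterns(word):
    """Byte patterns for one keyword in common casings, as UTF-8 and UTF-16LE."""
    casings = {word, word.lower(), word.upper(), word.capitalize()}
    # NTFS stores file names as UTF-16LE, so an ASCII-only search misses them.
    return {c.encode(enc) for c in casings for enc in ("utf-8", "utf-16-le")}

def scan(stream, words, chunk=1 << 20):
    """Return (hits, nonzero): sorted (offset, pattern) hits and count of non-zero bytes."""
    pats = set().union(*(keyword_patterns(w) for w in words))
    overlap = max(len(p) for p in pats) - 1   # carry-over so boundary hits are kept
    hits, nonzero, tail, base = set(), 0, b"", 0
    while True:
        block = stream.read(chunk)
        if not block:
            break
        nonzero += len(block) - block.count(0)  # how empty is the region really?
        buf = tail + block
        start = base - len(tail)                # file offset of buf[0]
        for p in pats:
            i = buf.find(p)
            while i != -1:
                hits.add((start + i, p))        # set removes hits seen twice in the tail
                i = buf.find(p, i + 1)
        tail = buf[-overlap:] if overlap else b""
        base += len(block)
    return sorted(hits), nonzero

def demo():
    # Constructed sample data: zero-filled space holding one UTF-16LE file name
    # (placed so "purple" straddles the 4096-byte read boundary) and one ASCII string.
    name = "The big purple elephant.txt".encode("utf-16-le")
    blob = bytes(4074) + name + bytes(2000) + b"ELEPHANT" + bytes(100)
    return scan(io.BytesIO(blob), ["purple", "elephant"], chunk=4096)

if __name__ == "__main__":
    hits, nonzero = demo()
    print(f"non-zero bytes: {nonzero}")
    for offset, pat in hits:
        print(f"0x{offset:08x}  {pat!r}")
```

For a real file, pass a handle opened in binary mode to `scan` in place of the `io.BytesIO` object; the reported offsets are byte positions within that file.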
 
  

BDME
Newbie
 

Re: Autopsy, Windows Image and yet no results... :(

Post Posted: Apr 26, 19 17:02

My message I sent is appearing in my outbox and not in my sent box. I don't mind posting my email I use for this website. It's BDMExaminer @ gmail.com  
 
  

banderas20
Member
 

Re: Autopsy, Windows Image and yet no results... :(

Post Posted: Apr 28, 19 13:01

- BDME
My message I sent is appearing in my outbox and not in my sent box. I don't mind posting my email I use for this website. It's BDMExaminer @ gmail.com


Thank you so much. I'll send you the files right away.

Best regards and thanks!  
 
