
Autopsy, Windows Image and yet no results... 🙁

12 Posts
3 Users
0 Likes
2,426 Views
(@banderas20)
Posts: 29
Eminent Member
Topic starter
 

Hello,

I'm new to forensics and I'm performing some tests with Autopsy and a Windows dump image.
It's a challenge. I am supposed to find relevant info. That's what I have found so far:

- $Logfile, $MFT and orphaned files.
- 2 JPG images.
- 2 txt files with the same name. One of them deleted and the other undeleted. Both with a size of 0 bytes and empty.
- A password-protected MS Word document.

I have analyzed all the metadata, and the hex content of every file, but I can't find a clue. I have also dug into the images to see if there is any message hidden in them.

I think that maybe the text that once existed in the txts might help, but I am not able to recover it.

The data HAS to be somewhere, as it's a challenge. But I am lost. Can you point me somewhere or shed some light on this?

Many thanks in advance!

 
Posted : 24/04/2019 9:39 am
 BDME
(@bdme)
Posts: 10
Active Member
 

Is it an open challenge? I can't really point you in any direction without knowing what I'm looking for. If it's an open challenge I can see if I can find anything interesting then give you some clues.

Cheers

 
Posted : 24/04/2019 6:48 pm
(@banderas20)
Posts: 29
Eminent Member
Topic starter
 

> Is it an open challenge? I can't really point you in any direction without knowing what I'm looking for. If it's an open challenge I can see if I can find anything interesting then give you some clues.
>
> Cheers

By challenge I mean it's an exercise proposed by my teacher. I am supposed to find a location and a specific item hidden somewhere in the info analyzed.

Thanks!

 
Posted : 24/04/2019 9:39 pm
 BDME
(@bdme)
Posts: 10
Active Member
 

Alright, well I can try to help. If you wanted to upload the image to Google Drive, I'd look at it.

Do the images have EXIF data? If they are from the same coordinates, maybe that was the location. If not, there may be stego involved.

Do a search of the txt document name in unallocated space. So if the file's name is "The big purple elephant", try "purple" or "elephant".

Finally, see if any of the orphaned files point to stego or encryption software.

Let me know if this helps.

 
Posted : 25/04/2019 5:40 pm
(@banderas20)
Posts: 29
Eminent Member
Topic starter
 

Hello.

First of all, thanks for your help.

The JPG files have no EXIF data apart from uuid.
I have loaded the Unallocated Space, but although it's big in size, it appears to be empty and full of zeroes. Also, I don't know how to search within the unallocated file in Autopsy.

The orphaned files only contain 3 lines of base64 code, which don't point to any software.

I can upload the files to Drive and share them with you. PM me and we can share accounts.

Thanks for your help!

 
Posted : 25/04/2019 10:33 pm
 BDME
(@bdme)
Posts: 10
Active Member
 

The message I sent is appearing in my outbox and not in my sent box. I don't mind posting the email I use for this website. It's BDMExaminer@gmail.com

 
Posted : 26/04/2019 5:02 pm
(@banderas20)
Posts: 29
Eminent Member
Topic starter
 

> The message I sent is appearing in my outbox and not in my sent box. I don't mind posting the email I use for this website. It's BDMExaminer@gmail.com

Thank you so much. I'll send you the files right away.

Best regards and thanks!

 
Posted : 28/04/2019 1:01 pm
watcher
(@watcher)
Posts: 125
Estimable Member
 

> …I'm new to forensics … I have also dug into the images to see if there is any message hidden in them. …

I of course don't know what you have so this is pure speculation.

The combination of new or beginner and some images leads me to wonder about old school steganography. Simple as it is, it's still used a lot because it works.

Concatenating an additional file onto the end of a JPG results in a JPG that still works and looks perfectly normal. However the extra file is beyond the end mark of the JPG.

Is the JPG unrealistically large? If it's a small extra file you may not notice.

Look at the end of the JPG with a hex editor.

Again, this is a blind guess,

Good Luck!

 
Posted : 02/05/2019 3:01 pm
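
The check watcher describes (data appended past the JPG end mark) can be automated. The following is an added example, not part of any post in this thread: it walks the JPEG marker structure to find the real EOI instead of searching for the first `FF D9`, which an embedded EXIF thumbnail would trigger early. The function names and the sample bytes are constructed for illustration.

```python
# Added example: walk JPEG markers to locate the real EOI and any appended bytes.
STANDALONE = {0x01, 0xD8} | set(range(0xD0, 0xD8))  # TEM, SOI, RST0-7: no length field

def jpeg_end_offset(data: bytes) -> int:
    """Return the offset just past the EOI marker that closes the main image."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        while pos < len(data) and data[pos] == 0xFF:  # skip 0xFF fill bytes
            pos += 1
        if pos >= len(data):
            break
        marker = data[pos]
        pos += 1
        if marker == 0xD9:  # EOI
            return pos
        if marker in STANDALONE:
            continue
        seg_len = int.from_bytes(data[pos:pos + 2], "big")
        if seg_len < 2:
            raise ValueError(f"bad segment length at offset {pos}")
        pos += seg_len  # skips the payload, including any embedded EXIF thumbnail
        if marker == 0xDA:  # SOS: entropy-coded scan data runs to the next real marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                # FF 00 is a stuffed byte and FF D0..D7 are restart markers: keep scanning
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("truncated JPEG: no EOI marker found")

def trailing_data(data: bytes) -> tuple[int, bytes]:
    """Return (end-of-image offset, bytes that follow the image)."""
    end = jpeg_end_offset(data)
    return end, data[end:]

def seg(marker: int, payload: bytes) -> bytes:
    """Build one length-prefixed segment (used only for the constructed sample)."""
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload

# Constructed sample: structurally valid marker stream, not a decodable picture.
APPENDED = b"PK\x03\x04constructed-appended-file"
SAMPLE = (b"\xff\xd8" + seg(0xE1, b"Exif\x00\x00" + b"\xff\xd8thumb\xff\xd9")
          + seg(0xDA, b"\x00") + b"\x12\xff\x00\x34\xff\xd0\x56"
          + b"\xff\xd9" + APPENDED)

if __name__ == "__main__":
    end, extra = trailing_data(SAMPLE)
    print(f"image ends at offset {end}; {len(extra)} trailing bytes: {extra[:16]!r}")
```

Some cameras and phones legitimately write data after EOI, so a non-empty trailer is a lead to examine rather than proof of hidden content.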
(@banderas20)
Posts: 29
Eminent Member
Topic starter
 

Hello.

I can't seem to find anything at the end of the files. Besides, their size is normal.

Thanks!

 
Posted : 03/05/2019 11:03 am
watcher
(@watcher)
Posts: 125
Estimable Member
 

Please let us know what the answer was when you find out. 8)

 
Posted : 04/05/2019 9:56 pm