Autopsy, Windows Image and yet no results... 🙁  

banderas20
(@banderas20)
Junior Member

Hello,

I'm new to forensics and I'm performing some tests with Autopsy and a Windows dump image.
It's a challenge. I am supposed to find relevant info. That's what I have found so far:

- $Logfile, $MFT and orphaned files.
- 2 JPG images.
- 2 txt files with the same name. One of them deleted and the other undeleted. Both with a size of 0 bytes and empty.
- A password-protected MS Word document.

I have analyzed all the metadata and the hex content of every file, but I can't find a clue. I have also dug into the images to see if there is any message hidden in them.

I think that maybe the text that once existed in the txts might help, but I am not able to recover it.

The data HAS to be somewhere, as it's a challenge. But I am lost. Can you point me somewhere or shed some light on this?

Many thanks in advance!

Posted : 24/04/2019 10:39 am
BDME
(@bdme)
New Member

Is it an open challenge? I can't really point you in any direction without knowing what I'm looking for. If it's an open challenge I can see if I can find anything interesting, then give you some clues.

Cheers

Posted : 24/04/2019 7:48 pm
banderas20
(@banderas20)
Junior Member

Is it an open challenge? I can't really point you in any direction without knowing what I'm looking for. If it's an open challenge I can see if I can find anything interesting, then give you some clues.

Cheers

By challenge I mean it's an exercise proposed by my teacher. I am supposed to find a location and a specific item hidden somewhere in the info analyzed.

Thanks!

Posted : 24/04/2019 10:39 pm
BDME
(@bdme)
New Member

Alright, well I can try to help. If you wanted to upload the image to Google Drive, I'd look at it.

Do the images have EXIF data? If they are from the same coordinates, maybe that was the location. If not, there may be stego involved.

Do a search of the txt document name in unallocated space. So if the file's name is "The big purple elephant", try "purple" or "elephant".

Finally, see if any of the orphaned files point to stego or encryption software.

Let me know if this helps.

Posted : 25/04/2019 6:40 pm
banderas20
(@banderas20)
Junior Member

Hello.

First of all, thanks for your help.

The JPG files have no EXIF data apart from a UUID.
I have loaded the Unallocated Space, but although it's big in size, it appears to be empty and full of zeroes. Also, I don't know how to search within the unallocated file in Autopsy.

The orphaned files only contain 3 lines of base64 code, which don't point to any software.

I can upload the files to Drive and share them with you. PM me and we can share accounts.

Thanks for your help!

Posted : 25/04/2019 11:33 pm
BDME
(@bdme)
New Member

My message I sent is appearing in my outbox and not in my sent box. I don't mind posting my email I use for this website. It's [email protected]

Posted : 26/04/2019 6:02 pm
banderas20
(@banderas20)
Junior Member

My message I sent is appearing in my outbox and not in my sent box. I don't mind posting my email I use for this website. It's [email protected]

Thank you so much. I'll send you the files right away.

Best regards and thanks!

Posted : 28/04/2019 2:01 pm
watcher
(@watcher)
Member

…I'm new to forensics … I have also dug into the images to see if there is any message hidden in them. …

I of course don't know what you have so this is pure speculation.

The combination of new or beginner and some images leads me to wonder about old school steganography. Simple as it is, it's still used a lot because it works.

Concatenating an additional file onto the end of a JPG results in a JPG that still works and looks perfectly normal. However, the extra file is beyond the end mark of the JPG.

Is the JPG unrealistically large? If it's a small extra file you may not notice.

Look at the end of the JPG with a hex editor.

Again, this is a blind guess.

Good Luck!

Posted : 02/05/2019 4:01 pm
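The "look past the end mark" check watcher describes, as an added Python example that is not part of this thread or of Autopsy: it walks the JPEG marker segments to the real EOI (FF D9), skipping stuffed bytes and restart markers inside the scan data, and returns whatever bytes follow it. The sample input is constructed for the demo and is not a decodable picture.

```python
import struct


def jpeg_trailing_data(data: bytes) -> tuple[int, bytes]:
    """Return (end_of_image_offset, bytes_after_EOI) for a JPEG byte string.

    Walks the marker segments from SOI (FF D8). Inside scan data it skips
    stuffed FF 00 bytes and RSTn markers, so a thumbnail's own EOI inside an
    APP segment is not mistaken for the real end of the image. Viewers stop
    at EOI, so anything after it is where a concatenated file would sit.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                        # EOI: the image ends here
            return pos + 2, data[pos + 2:]
        if marker == 0xFF:                        # padding byte before a marker
            pos += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # standalone markers, no length
            pos += 2
            continue
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len                        # jump over this segment's payload
        if marker == 0xDA:                        # SOS: skip the entropy-coded scan
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break                         # real marker: EOI, or next segment in progressive files
                pos += 1
    raise ValueError("no EOI marker found: the file is truncated")


def build_sample() -> bytes:
    """Constructed test input: SOI, a JFIF APP0 segment, a one-component SOS
    header, scan bytes containing a stuffed FF 00 and an RST0 marker, EOI,
    and then an appended text file that an image viewer would never show."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78\x9a"
    appended = b"constructed payload: hidden note appended after EOI\n"
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9" + appended


if __name__ == "__main__":
    end, tail = jpeg_trailing_data(build_sample())
    print(f"image ends at offset {end}; {len(tail)} trailing byte(s): {tail!r}")
```

On a real file, read it with `open(path, "rb").read()` and compare the returned offset with the file size; a non-empty tail is what a hex editor would show after FF D9.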
banderas20
(@banderas20)
Junior Member

Hello.

I can't seem to find anything at the end of the files. Besides, their size is normal.

Thanks!

Posted : 03/05/2019 12:03 pm
watcher
(@watcher)
Member

Please let us know what the answer was when you find out. 8)

Posted : 04/05/2019 10:56 pm
banderas20
(@banderas20)
Junior Member

Well, the JPG image didn't contain anything at all. I think it was a manoeuvre to distract (as far as I know).

Regarding the other files, I think the issue had to do with some assembler code/trojan embedded into some executable files, according to the alarm given by many antiviruses.

Nothing very clear, as you can see.

Many thanks!

Posted : 02/07/2019 5:16 am
watcher
(@watcher)
Member

… I think the issue had to do with some assembler code/trojan embedded into some executable files, …

Interesting, but your original posting made no mention of executable files?

Posted : 02/07/2019 5:09 pm