I am currently taking a computer forensics class where we make an evidence disk and then provide it to another group to retrieve any information on there.
We have a 16 GB USB that we will be using as a bootable USB holding a Unix distro.
Obviously, we can encrypt the files or make them hidden but that doesn't really provide a challenge to the group that has to retrieve the information, as the class requirement is that any encryption password be placed somewhere on the drive as well.
What are the best ways to make a challenging evidence disk?
I heard that we could have some incriminating evidence (maybe Socials) but have those in binary or hex to make it harder as people would not be able to search for social formats alone.
I also heard that we could have the file replace a very unusual unix binary to make it harder to find. If this is true, what exactly is the process of doing this?
Any other ways to create a challenging evidence disk?
What level is the class at, and what software would they be using?
Get multiple partitions on a USB (unusual): make the first one bootable and NTFS, the second one HFS+, and then hide it. Create complex fragmentation in both partitions. Create decoy $MFTs and other partial NTFS structures.
Write the data in plaintext, but in EBCDIC.
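The two encoding ideas raised in this thread (the question's hex-encoded Socials, the answer's EBCDIC plaintext) both rely on the same weakness: an ASCII-only pattern search, such as a regex for `ddd-dd-dddd` over the raw image, never sees the digits. The following script is an added example, not code from either poster. It hides constructed, fake SSN-shaped strings in a small in-memory "image" using both tricks, shows that a naive ASCII scan finds nothing, and then shows the counter-technique a retrieving group would need: re-scanning the same bytes under each candidate encoding. EBCDIC is taken to mean code page 037 (Python's `cp037`), an assumption since the answer does not name a variant; the filler bytes and sample values are constructed.

```python
import re

# Constructed, fake SSN-shaped sample evidence (not real data).
SAMPLES = ["SSN: 123-45-6789", "account 987-65-4321"]

# Pattern a naive investigator would grep the raw image with.
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")

# Runs of hex digits long enough to be worth decoding (8 hex chars = 4 bytes).
HEX_RUN_RE = re.compile(rb"[0-9a-fA-F]{8,}")


def hide_ebcdic(text: str) -> bytes:
    """Store text as EBCDIC plaintext (assumed variant: code page 037)."""
    return text.encode("cp037")


def hide_hex(text: str) -> bytes:
    """Store text as its ASCII hex spelling, e.g. 'A' -> b'41'."""
    return text.encode("ascii").hex().encode("ascii")


def build_image() -> bytes:
    """Constructed stand-in for the evidence disk: zero filler around hidden data."""
    filler = b"\x00" * 32
    return filler + hide_ebcdic(SAMPLES[0]) + filler + hide_hex(SAMPLES[1]) + filler


def naive_search(blob: bytes) -> list[str]:
    """ASCII-only SSN search: what a plain regex/grep over the image sees."""
    return [m.group().decode() for m in SSN_RE.finditer(blob)]


def scan(blob: bytes) -> list[tuple[str, str]]:
    """Encoding-aware search. Returns (encoding, match) pairs."""
    hits = []
    # 1. Raw ASCII view.
    for m in SSN_RE.finditer(blob):
        hits.append(("ascii", m.group().decode()))
    # 2. EBCDIC view: transcode the whole blob cp037 -> ASCII; every byte is
    #    defined in cp037, bytes with no ASCII equivalent become '?'.
    ebcdic_view = blob.decode("cp037").encode("ascii", errors="replace")
    for m in SSN_RE.finditer(ebcdic_view):
        hits.append(("ebcdic", m.group().decode()))
    # 3. Hex view: decode each run of hex digits and search the decoded bytes.
    for run in HEX_RUN_RE.finditer(blob):
        digits = run.group()
        if len(digits) % 2:          # drop a trailing odd nibble
            digits = digits[:-1]
        decoded = bytes.fromhex(digits.decode("ascii"))
        for m in SSN_RE.finditer(decoded):
            hits.append(("hex", m.group().decode()))
    return hits


if __name__ == "__main__":
    image = build_image()
    print("naive:", naive_search(image))   # nothing: digits never appear as ASCII
    print("aware:", scan(image))           # both values recovered
```

On a real image the same idea is applied with a carving tool that supports alternate encodings, or by transcoding the partition dump with `iconv -f EBCDIC-US -t ASCII` before grepping; the point for the exercise is that an encoding only buys obscurity until the other team adds one more view to their scan.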