Finish report
BIN  findings/IMG_20160823_130922.jpg  (Normal file, after: 2.2 MiB)
BIN  findings/_RECoVERY_+wdbic.png     (Normal file, after: 84 KiB)
BIN  findings/e-mail1.PNG              (Normal file, after: 46 KiB)
BIN  findings/e-mail2.PNG              (Normal file, after: 2.6 KiB)
BIN  findings/e-mail3.PNG              (Normal file, after: 3.2 KiB)
BIN  findings/e-mail4.PNG              (Normal file, after: 12 KiB)
BIN  findings/e-mail5.PNG              (Normal file, after: 17 KiB)

143  report.tex
@ -30,4 +30,147 @@
\begin{document}
\maketitle

\section{Findings}

The forensic analysis has been conducted on Windows 10 with the program
\emph{Autopsy} in version 4.19.2.

\subsection{Image}

The seized computer image\footnote{sha1sum:
B4C3AE80F840BB612F982BA5081872B8A6A19E83} is running \emph{Windows 7
Professional} with \emph{Service Pack 1} installed. The computer's name is
\emph{Hyrule} and is owned by the user \emph{Peter}. Peter's Security
Identifier (SID) is S-1-5-21-3032217210-630098460-752710606-1001.

\subsection{E-Mail Conversation}

Peter was in contact with Iris over E-Mail. They went on a date, but decided to
keep their relationship hidden from coworkers. Before a second date could
happen, Iris asked Peter if he would send her a copy of Sabrina's new concept
art of a main character. With pressure from Iris and the promise of a second
date, Peter proceeded to send an image\footnote{sha1sum:
98296EF2B0A297A323EA36CA7E5C31399D412D91} (figure~\ref{fig:drawing}) of
Sabrina's initial drawing to Iris. The conversation over E-Mail is documented
in figures~\ref{fig:e-mail1} to~\ref{fig:e-mail4}.

\subsection{Other Persons}

Other persons that are in involved are: Anna (director of Indiga), John
(co-director of Indiga) and Sabrina (designer).

\subsection{Additional Information}

Peter's online search history include searches for how to hide images on a
computer. In one of his personal folders there is an encrypted \emph{truecrypt}
container\footnote{sha1sum: 7F6048D6293EF22F94D31847CEBBCE116D000D5C}. Multiple
files on the system have an additional \texttt{.mp3} extension to their file
names. These files have been encrypted by malware. The malware has placed a
request for ransom\footnote{sha1sum: 8BDAF44B3454C4DE35B13F66AB04F8092DCAFBE5}
(figure~\ref{fig:malware}) in Peter's personal folder.

\section{Analysis}

Peter's conversation with Iris confirms Anna's and John's suspicions that Peter
leaked the concept art of the main character. From the conversation it is
evident that Peter was reluctant to do so and was swayed by Iris' apparent
interest in him. It is very likely that Iris was only interested in Peter,
because she knew that he would be an easy target to get the concept art. After
Peter realized that he is a suspect (the last E-Mail to Iris suggests this), he
tried to hide his tracks by searching for ways to hide the image he leaked.

\subsection{Truecrypt Container}

Peter stored four files in an encrypted truecrypt container with the file name
\texttt{personal.tc}. The password to open the container with \emph{Veracrypt
v1.24-Update7} (the successor to the deprecated \emph{Truecrypt}) can be
cracked with \texttt{hashcat} in a matter of seconds: \texttt{sec1}. The four
files stored in the container include two Excel tables
(\texttt{contacts.xlsx}\footnote{sha1sum:
0434109BBC3BC12E86E338B0EF2B9099E9110955},
\texttt{passwords.xlsx}\footnote{sha1sum:
3EB6909C3EFE4F13C7283B47CB41E1F63FB1ADAA}), one image of Iris
(\texttt{iris.jpg}\footnote{sha1sum: B234337053D01A7A60388CBF866096683604ED43})
and a file called \texttt{workinfo.docx}\footnote{sha1sum:
549429BE9608D0A04D47E4A9D69C99CE19EAABB4}. The last file is very likely also
stolen information from Sabrina, because it says \emph{DO NOT SHOW ANYONE} and
mentions that it is a working copy for Peter and Iris. The contents further
specify key characters in the upcoming game and a note that Peter and Iris will
receive the drawings as soon as they are finished and to be integrated into the
game to avoid data theft.

\subsection{Malware}

The image from figure~\ref{fig:malware} has been placed in Peter's personal
folder under the file name \texttt{\_RECoVERY\_+wdbic.png}. Additionally, the
same content is placed into a \texttt{.txt} file as well as an \texttt{.html}
file. It asks for a ransom to be paid in Bitcoin and then promises to decrypt
the encrypted files. Peter's E-Mail to the company's support desk indicate that
there are multiple encrypted \texttt{.mp3} files stored on his computer. The
message placed by the ransomware is indicative of a malware called
\texttt{Teslacrypt}. This type of malware has been prominent on computers of
gamers, specifically. Teslacrypt has been studied extensively by multiple
security research firms and Kaspersky provides a tool called
\texttt{tesladecrypt.exe}\footnote{sha1sum:
0B465C610F2F9E5D87F8C44261CB147D620C5D9A} to decrypt the \texttt{.mp3} files.
The decrypted files do not provide additional information that is not already
present in other files.

\section{Appendix}

This section contains the most relevant information found on the computer
image.

\begin{figure}
\centering
\includegraphics[width=1\textwidth]{findings/IMG_20160823_130922.jpg}
\caption{Sabrina's main character concept.}
\label{fig:drawing}
\end{figure}

\begin{figure}
\centering
\includegraphics{findings/e-mail1.PNG}
\caption{Peter's conversation with Iris over E-Mail.}
\label{fig:e-mail1}
\end{figure}

\begin{figure}
\centering
\includegraphics{findings/e-mail2.PNG}
\caption{Peter's conversation with Iris over E-Mail. This message contains
the image from figure~\ref{fig:drawing}.}
\label{fig:e-mail2}
\end{figure}

\begin{figure}
\centering
\includegraphics{findings/e-mail3.PNG}
\caption{Peter's conversation with Iris over E-Mail.}
\label{fig:e-mail3}
\end{figure}

\begin{figure}
\centering
\includegraphics{findings/e-mail4.PNG}
\caption{Indiga's director and co-director are suspecting Peter.}
\label{fig:e-mail4}
\end{figure}

\begin{figure}
\centering
\includegraphics{findings/e-mail5.PNG}
\caption{Peter needs help with his computer, because multiple files have
been encrypted by malware.}
\label{fig:e-mail5}
\end{figure}

\begin{figure}
\centering
\includegraphics[width=1\textwidth]{findings/_RECoVERY_+wdbic.png}
\caption{Ransom request in file named \texttt{\_RECoVERY\_+wdbic.png} from
\emph{Teslacrypt} malware.}
\label{fig:malware}
\end{figure}

\end{document}
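Review bot: figure \ref{fig:e-mail5} is defined in the appendix but never cited; the Malware subsection relies on it ("Peter's E-Mail to the company's support desk indicate that there are multiple encrypted \texttt{.mp3} files") and should reference it with figure~\ref{fig:e-mail5}, and the sentence "The conversation over E-Mail is documented in figures~\ref{fig:e-mail1} to~\ref{fig:e-mail4}" sweeps in fig:e-mail4, whose caption is the directors' suspicion rather than the Peter/Iris exchange, so that range should end at fig:e-mail3 and fig:e-mail4 be cited from the Analysis section where the suspicion is discussed. Two results are also not reproducible by a second examiner as written: "cracked with \texttt{hashcat} in a matter of seconds: \texttt{sec1}" records the recovered password but not the hashcat mode or the wordlist/mask used against the \texttt{personal.tc} header, and "indicative of a malware called \texttt{Teslacrypt}" names neither the indicators that were matched (the \texttt{.mp3} extension and the \texttt{\_RECoVERY\_+wdbic} note names) nor the vendor analysis and download source for \texttt{tesladecrypt.exe} beyond the word "Kaspersky"; both should be documented with citations so the attribution and the password recovery can be verified against the listed sha1sums. Minor: "are in involved" -> "are involved", "search history include" -> "includes", "Peter's E-Mail ... indicate" -> "indicates", and the product names are set inconsistently (\emph{truecrypt}, \emph{Truecrypt}, \texttt{Teslacrypt}, \emph{Teslacrypt}); pick one form each.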