\documentclass[a4paper,12pt]{article}
\usepackage{geometry}
\usepackage[english]{babel}
\usepackage{microtype}
\usepackage{hyperref}
\usepackage{listings}
\usepackage{graphicx}

\lstdefinestyle{mystyle}{
  basicstyle=\ttfamily\footnotesize,
  breakatwhitespace=false,
  breaklines=true,
  captionpos=b,
  keepspaces=true,
  showspaces=false,
  showstringspaces=false,
  showtabs=false,
  tabsize=2
}
\lstset{style=mystyle}
\setlength{\parindent}{0pt}

\title{File System Report}
\author{Tobias Eidelpes 01527193}
\date{\today}

\begin{document}
\maketitle

\section{Findings}

The forensic analysis was conducted on Windows 10 with \emph{Autopsy} version 4.19.2.

\subsection{Image}

The seized computer image\footnote{sha1sum: B4C3AE80F840BB612F982BA5081872B8A6A19E83} runs \emph{Windows 7 Professional} with \emph{Service Pack 1} installed. The computer is named \emph{Hyrule} and is owned by the user \emph{Peter}. Peter's Security Identifier (SID) is S-1-5-21-3032217210-630098460-752710606-1001.

\subsection{E-Mail Conversation}

Peter was in contact with Iris over E-Mail. They went on a date, but decided to keep their relationship hidden from coworkers. Before a second date could happen, Iris asked Peter whether he would send her a copy of Sabrina's new concept art of a main character. Under pressure from Iris and with the promise of a second date, Peter sent an image\footnote{sha1sum: 98296EF2B0A297A323EA36CA7E5C31399D412D91} (figure~\ref{fig:drawing}) of Sabrina's initial drawing to Iris. The E-Mail conversation is documented in figures~\ref{fig:e-mail1} to~\ref{fig:e-mail4}.

\subsection{Other Persons}

Other persons involved are Anna (director of Indiga), John (co-director of Indiga) and Sabrina (designer).

\subsection{Additional Information}

Peter's online search history includes searches for how to hide images on a computer.
In one of his personal folders there is an encrypted \emph{TrueCrypt} container\footnote{sha1sum: 7F6048D6293EF22F94D31847CEBBCE116D000D5C}. Multiple files on the system carry an additional \texttt{.mp3} extension appended to their original file names. These files have been encrypted by malware, which also placed a ransom note\footnote{sha1sum: 8BDAF44B3454C4DE35B13F66AB04F8092DCAFBE5} (figure~\ref{fig:malware}) in Peter's personal folder.

\section{Analysis}

Peter's conversation with Iris confirms Anna's and John's suspicion that Peter leaked the concept art of the main character. The conversation shows that Peter was reluctant to do so and was swayed by Iris' apparent interest in him. It is very likely that Iris was only interested in Peter because she knew he would be an easy target from whom to obtain the concept art. After Peter realized that he was a suspect (his last E-Mail to Iris suggests this), he tried to cover his tracks by searching for ways to hide the image he had leaked.

\subsection{TrueCrypt Container}

Peter stored four files in an encrypted TrueCrypt container named \texttt{personal.tc}. The container can be opened with \emph{VeraCrypt} 1.24-Update7 (the maintained successor of the discontinued \emph{TrueCrypt}); its password, \texttt{sec1}, can be recovered with \texttt{hashcat} in a matter of seconds. The four files stored in the container are two Excel workbooks (\texttt{contacts.xlsx}\footnote{sha1sum: 0434109BBC3BC12E86E338B0EF2B9099E9110955}, \texttt{passwords.xlsx}\footnote{sha1sum: 3EB6909C3EFE4F13C7283B47CB41E1F63FB1ADAA}), an image of Iris (\texttt{iris.jpg}\footnote{sha1sum: B234337053D01A7A60388CBF866096683604ED43}) and a document called \texttt{workinfo.docx}\footnote{sha1sum: 549429BE9608D0A04D47E4A9D69C99CE19EAABB4}. The last file is very likely also information stolen from Sabrina, because it is marked \emph{DO NOT SHOW ANYONE} and describes itself as a working copy for Peter and Iris.
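The password-recovery step above, as an added worked example that is not part of the original report or of the examined image: hashcat does not open the container itself, it takes the first 512 bytes (the salted, encrypted TrueCrypt volume header) as its ``hash'' and tries to decrypt that header with every candidate password. Because the header does not record which PBKDF2 hash function was used, each of the three standard TrueCrypt modes has to be tried. The file names \texttt{personal.tc.header} and \texttt{wordlist.txt}, the mask \texttt{?l?l?l?d} and the helper function names are assumptions made for this example.

```python
"""Prepare a TrueCrypt container for offline password recovery with hashcat.

Added example, not part of the report: hashcat takes the raw 512-byte volume
header as its "hash" (the same bytes `dd bs=512 count=1` would copy) and tries
each candidate password against it.  Container and word list paths are assumed.
"""
import os
import shutil
import subprocess

HEADER_SIZE = 512  # TrueCrypt volume header: 64-byte salt + encrypted header fields
HIDDEN_VOLUME_OFFSET = 65536  # a hidden volume's header lives at this offset instead

# hashcat modes for standard (single-cipher, non-boot) TrueCrypt volumes.
# Cascaded ciphers need the "1024 bit"/"1536 bit" variants (6212/6213, 6222/6223,
# 6232/6233); the header itself does not tell you which hash was used.
TRUECRYPT_MODES = {
    6211: "TrueCrypt RIPEMD160 + XTS 512 bit",
    6221: "TrueCrypt SHA512 + XTS 512 bit",
    6231: "TrueCrypt Whirlpool + XTS 512 bit",
}


def extract_header(container_bytes, offset=0):
    """Return the 512-byte volume header found at `offset` in the container image."""
    header = container_bytes[offset:offset + HEADER_SIZE]
    if len(header) != HEADER_SIZE:
        raise ValueError("container too small for a TrueCrypt header at offset %d" % offset)
    return header


def write_header(container_path, header_path, offset=0):
    """Read the container from disk and write only its header to `header_path`."""
    with open(container_path, "rb") as src:
        src.seek(offset)
        header = extract_header(src.read(HEADER_SIZE))
    with open(header_path, "wb") as dst:
        dst.write(header)
    return header_path


def hashcat_commands(header_path, wordlist, mask=None):
    """Build one hashcat command line per TrueCrypt mode, in ascending mode order.

    With a word list this is a dictionary attack (-a 0); with a mask such as
    '?l?l?l?d' (three lowercase letters and a digit) it is a brute-force attack
    (-a 3) over that keyspace.
    """
    commands = []
    for mode in sorted(TRUECRYPT_MODES):
        cmd = ["hashcat", "-m", str(mode)]
        if mask:
            cmd += ["-a", "3", header_path, mask]
        else:
            cmd += ["-a", "0", header_path, wordlist]
        commands.append(cmd)
    return commands


def crack(header_path, wordlist, mask=None):
    """Try each mode in turn; return the first command that hashcat reports as cracked.

    hashcat exits 0 when the password was found (see `hashcat --show` / its potfile)
    and 1 when the keyspace was exhausted.  Returns None if hashcat is not installed
    or no mode yields a hit.
    """
    if shutil.which("hashcat") is None:
        return None
    for cmd in hashcat_commands(header_path, wordlist, mask):
        if subprocess.run(cmd, check=False).returncode == 0:
            return cmd
    return None


if __name__ == "__main__":
    # Assumed paths: the container exported from the image and a local word list.
    container, header, wordlist = "personal.tc", "personal.tc.header", "wordlist.txt"
    if os.path.exists(container):
        write_header(container, header)
        print("result:", crack(header, wordlist, mask="?l?l?l?d"))
    else:
        for cmd in hashcat_commands(header, wordlist, mask="?l?l?l?d"):
            print(" ".join(cmd))
```

The header file, not the whole container, is what goes to hashcat; for a hidden volume the same extraction is done at \texttt{HIDDEN\_VOLUME\_OFFSET}. The mask \texttt{?l?l?l?d} covers passwords shaped like the recovered \texttt{sec1}, which is why a mask attack finishes in seconds here; against a longer password a word list plus rules is the realistic first attempt.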
The contents further specify key characters in the upcoming game and note that Peter and Iris will receive the drawings as soon as they are finished and ready to be integrated into the game, in order to avoid data theft.

\subsection{Malware}

The image in figure~\ref{fig:malware} was placed in Peter's personal folder under the file name \texttt{\_RECoVERY\_+wdbic.png}. The same content was also dropped as a \texttt{.txt} and an \texttt{.html} file. It demands a ransom payable in Bitcoin and promises to decrypt the encrypted files once it is paid. Peter's E-Mail to the company's support desk (figure~\ref{fig:e-mail5}) indicates that multiple encrypted \texttt{.mp3} files are stored on his computer. The ransom note and the appended extension are characteristic of the \emph{TeslaCrypt} family, which is known for specifically targeting gamers' computers. TeslaCrypt has been studied extensively by several security research firms, and Kaspersky provides a tool called \texttt{tesladecrypt.exe}\footnote{sha1sum: 0B465C610F2F9E5D87F8C44261CB147D620C5D9A} that decrypts the \texttt{.mp3} files. The decrypted files contain no additional information beyond what is already present in other files.

\section{Appendix}

This section contains the most relevant information found on the computer image.

\begin{figure}
  \centering
  \includegraphics[width=\textwidth]{findings/IMG_20160823_130922.jpg}
  \caption{Sabrina's main character concept.}
  \label{fig:drawing}
\end{figure}

\begin{figure}
  \centering
  \includegraphics{findings/e-mail1.PNG}
  \caption{Peter's conversation with Iris over E-Mail.}
  \label{fig:e-mail1}
\end{figure}

\begin{figure}
  \centering
  \includegraphics{findings/e-mail2.PNG}
  \caption{Peter's conversation with Iris over E-Mail.
This message contains the image from figure~\ref{fig:drawing}.}
  \label{fig:e-mail2}
\end{figure}

\begin{figure}
  \centering
  \includegraphics{findings/e-mail3.PNG}
  \caption{Peter's conversation with Iris over E-Mail.}
  \label{fig:e-mail3}
\end{figure}

\begin{figure}
  \centering
  \includegraphics{findings/e-mail4.PNG}
  \caption{Indiga's director and co-director suspect Peter.}
  \label{fig:e-mail4}
\end{figure}

\begin{figure}
  \centering
  \includegraphics{findings/e-mail5.PNG}
  \caption{Peter asks the support desk for help because multiple files on his computer have been encrypted by malware.}
  \label{fig:e-mail5}
\end{figure}

\begin{figure}
  \centering
  \includegraphics[width=\textwidth]{findings/_RECoVERY_+wdbic.png}
  \caption{Ransom note \texttt{\_RECoVERY\_+wdbic.png} dropped by the \emph{TeslaCrypt} malware.}
  \label{fig:malware}
\end{figure}

\end{document}