\documentclass[a4paper,12pt]{article}

\usepackage{geometry}
\usepackage[english]{babel}
\usepackage{microtype}
\usepackage{hyperref}
\usepackage{listings}
\usepackage{graphicx}

\lstdefinestyle{mystyle}{
  basicstyle=\ttfamily\footnotesize,
  breakatwhitespace=false,
  breaklines=true,
  captionpos=b,
  keepspaces=true,
  showspaces=false,
  showstringspaces=false,
  showtabs=false,
  tabsize=2
}

\lstset{style=mystyle}

\setlength{\parindent}{0pt}

\title{File System Report}
\author{Tobias Eidelpes 01527193}
\date{\today}

\begin{document}

\maketitle

\section{Findings}

The forensic analysis was conducted on Windows 10 with the program
\emph{Autopsy} in version 4.19.2.

\subsection{Image}

The seized computer image\footnote{sha1sum:
B4C3AE80F840BB612F982BA5081872B8A6A19E83} is running \emph{Windows 7
Professional} with \emph{Service Pack 1} installed. The computer is named
\emph{Hyrule} and is owned by the user \emph{Peter}. Peter's Security
Identifier (SID) is S-1-5-21-3032217210-630098460-752710606-1001.

\subsection{E-Mail Conversation}

Peter was in contact with Iris over E-Mail. They went on a date, but decided to
keep their relationship hidden from coworkers. Before a second date could
happen, Iris asked Peter if he would send her a copy of Sabrina's new concept
art of a main character. Under pressure from Iris and with the promise of a
second date, Peter proceeded to send an image\footnote{sha1sum:
98296EF2B0A297A323EA36CA7E5C31399D412D91} (figure~\ref{fig:drawing}) of
Sabrina's initial drawing to Iris. The conversation over E-Mail is documented
in figures~\ref{fig:e-mail1} to~\ref{fig:e-mail4}.

\subsection{Other Persons}

Other persons involved are: Anna (director of Indiga), John (co-director of
Indiga) and Sabrina (designer).

\subsection{Additional Information}

Peter's online search history includes searches for how to hide images on a
computer. One of his personal folders contains an encrypted \emph{truecrypt}
container\footnote{sha1sum: 7F6048D6293EF22F94D31847CEBBCE116D000D5C}. Multiple
files on the system carry an additional \texttt{.mp3} extension appended to
their file names; these files have been encrypted by malware. The malware has
placed a request for ransom\footnote{sha1sum:
8BDAF44B3454C4DE35B13F66AB04F8092DCAFBE5} (figure~\ref{fig:malware}) in
Peter's personal folder.

\section{Analysis}

Peter's conversation with Iris confirms Anna's and John's suspicion that Peter
leaked the concept art of the main character. From the conversation it is
evident that Peter was reluctant to do so and was swayed by Iris' apparent
interest in him. It is very likely that Iris was only interested in Peter
because she knew that he would be an easy target for obtaining the concept
art. After Peter realized that he was a suspect (the last E-Mail to Iris
suggests this), he tried to cover his tracks by searching for ways to hide the
image he leaked.

\subsection{Truecrypt Container}

Peter stored four files in an encrypted truecrypt container with the file name
\texttt{personal.tc}. The password needed to open the container with
\emph{Veracrypt v1.24-Update7} (the successor to the deprecated
\emph{Truecrypt}) can be cracked with \texttt{hashcat} in a matter of seconds;
it is \texttt{sec1}. The four files stored in the container are two Excel
tables (\texttt{contacts.xlsx}\footnote{sha1sum:
0434109BBC3BC12E86E338B0EF2B9099E9110955},
\texttt{passwords.xlsx}\footnote{sha1sum:
3EB6909C3EFE4F13C7283B47CB41E1F63FB1ADAA}), one image of Iris
(\texttt{iris.jpg}\footnote{sha1sum: B234337053D01A7A60388CBF866096683604ED43})
and a file called \texttt{workinfo.docx}\footnote{sha1sum:
549429BE9608D0A04D47E4A9D69C99CE19EAABB4}. The last file is very likely also
information stolen from Sabrina, because it says \emph{DO NOT SHOW ANYONE} and
mentions that it is a working copy for Peter and Iris. Its contents further
specify key characters in the upcoming game and include a note that Peter and
Iris will receive the drawings as soon as they are finished and are to be
integrated into the game, in order to avoid data theft.

\subsection{Malware}

The image from figure~\ref{fig:malware} has been placed in Peter's personal
folder under the file name \texttt{\_RECoVERY\_+wdbic.png}. Additionally, the
same content is placed into a \texttt{.txt} file as well as an \texttt{.html}
file. It asks for a ransom to be paid in Bitcoin and promises to decrypt the
encrypted files afterwards. Peter's E-Mail to the company's support desk
indicates that there are multiple encrypted \texttt{.mp3} files stored on his
computer. The message placed by the ransomware is indicative of a malware
family called \texttt{Teslacrypt}. This type of malware has been prominent
specifically on computers of gamers. Teslacrypt has been studied extensively
by multiple security research firms, and Kaspersky provides a tool called
\texttt{tesladecrypt.exe}\footnote{sha1sum:
0B465C610F2F9E5D87F8C44261CB147D620C5D9A} to decrypt the \texttt{.mp3} files.
The decrypted files do not provide additional information that is not already
present in other files.

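As an added triage example (not part of the original report and not an Autopsy feature), the following Python script walks an evidence directory, flags ransom notes named \texttt{\_RECoVERY\_+<id>} in the three formats described above together with files that carry the appended \texttt{.mp3} extension, and records a sha1sum for each flagged file so the hashes can be cited as in the footnotes. The sample folder it builds is constructed for the demonstration and all file contents are placeholders.

```python
import hashlib
import os
import re
import tempfile

# Ransom note pattern: _RECoVERY_+<id>.png / .txt / .html (the three formats found)
RANSOM_NOTE = re.compile(r"^_RECoVERY_\+[a-z0-9]+\.(png|txt|html)$", re.IGNORECASE)
# Encrypted files keep their original name and gain a second extension, e.g. notes.docx.mp3
DOUBLE_EXT = re.compile(r"^.+\.[A-Za-z0-9]{1,5}\.mp3$")

def sha1sum(path, chunk=1 << 20):
    """Upper-case hex SHA-1 of a file, read in chunks (same form as the report's footnotes)."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest().upper()

def triage(root):
    """Return {'notes': [...], 'encrypted': [...]} as sorted (relative path, sha1) tuples."""
    found = {"notes": [], "encrypted": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if RANSOM_NOTE.match(name):
                found["notes"].append((rel, sha1sum(full)))
            elif DOUBLE_EXT.match(name):  # a genuine song.mp3 has one extension and is skipped
                found["encrypted"].append((rel, sha1sum(full)))
    for key in found:
        found[key].sort()
    return found

def build_sample_tree():
    """Constructed stand-in for Peter's personal folder; every file body is a placeholder."""
    root = tempfile.mkdtemp()
    sample = {
        "_RECoVERY_+wdbic.png": b"ransom note placeholder (png)",
        "_RECoVERY_+wdbic.txt": b"ransom note placeholder (txt)",
        "_RECoVERY_+wdbic.html": b"ransom note placeholder (html)",
        "concept.jpg.mp3": b"encrypted payload placeholder",
        "notes.docx.mp3": b"encrypted payload placeholder",
        "song.mp3": b"real audio file, untouched",
    }
    for name, data in sample.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root
```

Calling \texttt{triage(build\_sample\_tree())} reports the three ransom notes and the two double-extension files with their hashes and leaves the genuine \texttt{song.mp3} unflagged.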
\section{Appendix}

This section contains the most relevant information found on the computer
image.

\begin{figure}
  \centering
  \includegraphics[width=1\textwidth]{findings/IMG_20160823_130922.jpg}
  \caption{Sabrina's main character concept.}
  \label{fig:drawing}
\end{figure}

\begin{figure}
  \centering
  \includegraphics{findings/e-mail1.PNG}
  \caption{Peter's conversation with Iris over E-Mail.}
  \label{fig:e-mail1}
\end{figure}

\begin{figure}
  \centering
  \includegraphics{findings/e-mail2.PNG}
  \caption{Peter's conversation with Iris over E-Mail. This message contains
    the image from figure~\ref{fig:drawing}.}
  \label{fig:e-mail2}
\end{figure}

\begin{figure}
  \centering
  \includegraphics{findings/e-mail3.PNG}
  \caption{Peter's conversation with Iris over E-Mail.}
  \label{fig:e-mail3}
\end{figure}

\begin{figure}
  \centering
  \includegraphics{findings/e-mail4.PNG}
  \caption{Indiga's director and co-director are suspecting Peter.}
  \label{fig:e-mail4}
\end{figure}

\begin{figure}
  \centering
  \includegraphics{findings/e-mail5.PNG}
  \caption{Peter needs help with his computer, because multiple files have
    been encrypted by malware.}
  \label{fig:e-mail5}
\end{figure}

\begin{figure}
  \centering
  \includegraphics[width=1\textwidth]{findings/_RECoVERY_+wdbic.png}
  \caption{Ransom request in the file named \texttt{\_RECoVERY\_+wdbic.png}
    from the \emph{Teslacrypt} malware.}
  \label{fig:malware}
\end{figure}

\end{document}