
Scenario –
In a race against time, can you investigate a laptop seized by law enforcement to identify whether a bomb threat is real or a hoax? MITRE ATT&CK T1573 for reference.
NYC Police received information that a gang of attackers has entered the city and is planning to detonate an explosive device. Law enforcement has begun investigating all leads to determine whether this is true or a hoax.
Persons of interest were taken into custody, and one additional suspect named 'Zerry' was detained while officers raided his house. During the search they found one laptop, collected the digital evidence, and sent it to the NYC digital forensics division.
Police believe Zerry is directly associated with the gang and are analyzing his device to uncover any information about the potential attack.
Disclaimer: The story, all names, characters, and incidents portrayed in this challenge are fictitious and any relevance to real-world events is completely coincidental.

Notes:
zerry = 3993 NTUSER.DAT
Zerry user SID = S-1-5-21-2616737018-1440891975-2409143913-1001
TeamViewer seems to be the online messenger they are referring to
[ ] 1- Verify the disk image. Submit SectorCount and MD5 (7 points): 25,165,824, 5c4e94315039f890e839d6992aeb6c58. An interesting one: I gave the wrong answer because I thought sector size and sector count were the same thing. I found the answer by going to Investigation Files → Disk Image → Zerry.E01, where there was a text document that looked like the properties of the forensic disk image file format.
[ ] 2- What is the decryption key of the online messenger app used by Zerry? (7 points): c2a0e8d6f0853449cfcf4b75176c277535b3677de1bb59186b32f0dc6ed69998. After googling "where do I find the decryption key of Signal on a PC" I found the answer inside the file /Users/ZerryD????/AppData/Roaming/Signal/config.json.
[ ] 3- What is the registered phone number and profile name of Zerry in the messenger application used? (7 points): 13026482364, ZerryThe??. Inside Signal/sql/db.sqlite, which is the main Signal database, we found the answers in the conversations table. Note: in the Raw Key option in DB Browser for SQLite you have to type 0x and then paste the obtained key.
[ ] 4- What is the email id found in the chat? (7 points): eekurk@baybabes.com, found in the messages table of the same SQLite database.
[ ] 5- What is the filename (including extension) that is received as an attachment via email? (7 points): ⏳📅.png. In Recent Documents there is a suspicious file whose path shows it should be located in Zerry's Downloads folder, but it seems he removed it. Fortunately, we are still able to get the name from the LNK file that was created.
[ ] 6- What is the date and time of the planned attack? (7 points): 01-02-2021 09:00 AM. In this question I just followed the hint from the investigation itself. Notes: since the file we are looking for was most likely removed using the Eraser software, we rely on the thumbcache, a database used by Windows that stores thumbnail images of files and folders, located at ..Users/<username>/AppData/Local/Microsoft/Windows/Explorer.
[ ] 7- What is the GPS location of the blast? The format is the same as found in the evidence. [Hint: Encode(XX Degrees, XX Minutes, XX Seconds)] (8 points): 40 degrees 45 minutes 28.6776 seconds N, 73 degrees 59 minutes 7.944 seconds W. We followed the hint and learned where to find the Tor Browser history, which told us the cipher the attacker used to obfuscate the answer.
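The LNK trick behind question 5 (recovering the name of a file that was wiped from Downloads) works because a Shell Link stores the target's full path, size and MAC times at the moment the link was created. The parser below is an added example, not part of the original writeup or the challenge files: it follows the MS-SHLLINK layout (header, optional IDList, LinkInfo with the Unicode path offsets Windows writes for non-ANSI names, then the StringData fields) and runs against a LNK constructed in the script itself; the path, size, timestamp and drive serial in the sample are assumptions, not values from the Zerry image.

```python
"""Parse a Windows Shell Link (.lnk) per MS-SHLLINK to recover the target
path, size and MAC times of a file that no longer exists on disk.
The LNK bytes below are constructed here, not taken from the Zerry image."""
import ntpath
import struct
from datetime import datetime, timedelta, timezone

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
# LinkFlags (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x1, 0x2, 0x4, 0x8
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC; 0 means 'not set'."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def _cstr(data, off, unicode):
    """Null-terminated string at off: UTF-16LE (scanned in 2-byte steps) or cp1252."""
    if unicode:
        end = off
        while end + 1 < len(data) and data[end:end + 2] != b"\x00\x00":
            end += 2
        return data[off:end].decode("utf-16-le")
    return data[off:data.index(b"\x00", off)].decode("cp1252")


def parse_lnk(data):
    """Return target path, StringData fields and header metadata of a .lnk."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, attrs, ctime, atime, wtime, size = struct.unpack_from("<IIQQQI", data, 20)
    pos = 76
    if flags & HAS_LINK_TARGET_ID_LIST:            # skip the IDList; the paths are enough here
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    target = None
    if flags & HAS_LINK_INFO:
        (info_size, hdr_size, info_flags, _vol_off, base_off,
         _net_off, suffix_off) = struct.unpack_from("<7I", data, pos)
        if info_flags & 0x1:                       # VolumeIDAndLocalBasePath
            if hdr_size >= 0x24:                   # Unicode offsets present (needed for emoji names)
                ubase_off, usuffix_off = struct.unpack_from("<II", data, pos + 28)
                target = _cstr(data, pos + ubase_off, True) + _cstr(data, pos + usuffix_off, True)
            else:
                target = _cstr(data, pos + base_off, False) + _cstr(data, pos + suffix_off, False)
        pos += info_size
    result = {"target_path": target, "file_size": size, "file_attributes": attrs,
              "creation_time": filetime_to_dt(ctime), "access_time": filetime_to_dt(atime),
              "write_time": filetime_to_dt(wtime)}
    for bit, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                     (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                     (HAS_ICON_LOCATION, "icon_location")):
        if flags & bit:                            # StringData blocks appear in this fixed order
            count = struct.unpack_from("<H", data, pos)[0]
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos + 2:pos + 2 + count * width]
            result[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + count * width
    result["target_name"] = ntpath.basename(target or result.get("relative_path") or "")
    return result


def build_lnk(target, relative_path, working_dir, size, mtime):
    """Constructed sample LNK with a Unicode LinkInfo, as Windows writes for non-ANSI names."""
    def ustr(s):                                   # StringData: CountCharacters in UTF-16 units
        enc = s.encode("utf-16-le")
        return struct.pack("<H", len(enc) // 2) + enc
    ansi_base = target.encode("cp1252", errors="replace") + b"\x00"  # emoji best-fit to '?'
    uni_base = target.encode("utf-16-le") + b"\x00\x00"
    volume_id = struct.pack("<IIII", 17, 3, 0x1234ABCD, 16) + b"\x00"  # DRIVE_FIXED, assumed serial
    hdr = 0x24
    base_off = hdr + len(volume_id)
    suffix_off = base_off + len(ansi_base)         # empty ANSI CommonPathSuffix
    ubase_off = suffix_off + 1
    usuffix_off = ubase_off + len(uni_base)        # empty Unicode CommonPathSuffix
    body = volume_id + ansi_base + b"\x00" + uni_base + b"\x00\x00"
    info = struct.pack("<9I", hdr + len(body), hdr, 1, hdr, base_off, 0,
                       suffix_off, ubase_off, usuffix_off) + body
    flags = HAS_LINK_INFO | HAS_RELATIVE_PATH | HAS_WORKING_DIR | IS_UNICODE
    ft = dt_to_filetime(mtime)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         ft, ft, ft, size, 0, 1, 0, 0, 0, 0)
    return header + info + ustr(relative_path) + ustr(working_dir)


# Constructed evidence stand-in: a link to a download that has since been wiped.
SAMPLE_LNK = build_lnk("C:\\Users\\Zerry\\Downloads\\⏳📅.png", ".\\⏳📅.png",
                       "C:\\Users\\Zerry\\Downloads", 4096,
                       datetime(2021, 1, 29, 14, 30, tzinfo=timezone.utc))

if __name__ == "__main__":
    for key, value in parse_lnk(SAMPLE_LNK).items():
        print(f"{key:16} {value}")
```

Two details matter when doing this on real evidence: the ANSI LocalBasePath is only a best-fit copy (non-Latin characters come out as '?'), so the Unicode offsets must be used when LinkInfoHeaderSize is 0x24 or larger, and the header timestamps describe the target file as it was when the link was written, which is why they survive the target's deletion.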