
Sticky Situation (Retired Investigation)

Scenario –

A highly confidential document has been stolen from the President’s laptop and has been sold on the Dark Web. The Secret Service thinks someone with physical access to the laptop was able to retrieve the important document, and they suspect the likely method was ATT&CK ID T1052.001. Can you help the Secret Service to figure out how this happened?

1- What is the computer name? (5 points)

MSEDGEWIN10

See Autopsy → Operating System Information.

2- When was the OS installed? (5 points)

19/03/2019

Be careful with the dates you put in: I went to File Metadata and got the created date wrong from it. Then I went to the Results part and obtained the date from there, and it was correct.

3- What is the Timezone of the computer? (5 points)

GMT

We have to be careful not to provide the time zone of the host (analysis) machine instead of that of the investigated machine. We obtained the info from Autopsy ModuleOutput → Recent Activity → SYSTEM HIVE full.

4- What is the serial number of the first USB mass storage device connected? (5 points)

001CC0EC33B0BD10D70C00DE&0

Obtained from the same place as the last question.

5- What is the vendor name of the first USB mass storage device? (5 points)

Kingston

6- When was the first USB mass storage device connected for the first time? (system local time) (5 points)

2020/12/01 09:40:16

Looking at the same SYSTEM HIVE full file from question 1, then USBSTOR, and then the time given there.
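Questions 4 to 6 all come from the USBSTOR key of the SYSTEM hive: the device instance ID carries the vendor and serial number, and the first-install timestamp is a Windows FILETIME stored in UTC that has to be shifted by the machine's own time-zone bias (not the analyst's) to get "system local time". The following added example (not part of the original write-up or of Autopsy) shows both steps with the standard library only. The serial number and vendor are the ones from the write-up; the product name, revision, FILETIME value and the non-zero bias are constructed for illustration, and `parse_usbstor_instance`, `filetime_to_utc` and `utc_to_system_local` are hypothetical helper names.

```python
"""Added example: parse a USBSTOR device instance ID and convert a registry
FILETIME (UTC) to the investigated machine's local time via ActiveTimeBias."""
import re
import struct
from datetime import datetime, timedelta, timezone

# USBSTOR instance IDs for disks look like:
#   Disk&Ven_<vendor>&Prod_<product>&Rev_<revision>\<serial>&<instance>
# The "&<instance>" suffix is part of the value Autopsy/regripper report as the serial.
USBSTOR_RE = re.compile(
    r"^Disk&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>[^\\]*)"
    r"\\(?P<serial>[^&]+)&(?P<instance>\d+)$"
)

# Ticks (100 ns) between 1601-01-01 (FILETIME epoch) and 1970-01-01 (Unix epoch).
EPOCH_DIFF_100NS = 116444736000000000


def parse_usbstor_instance(instance_id: str) -> dict:
    """Split a USBSTOR instance ID into vendor, product, revision and serial."""
    m = USBSTOR_RE.match(instance_id)
    if not m:
        raise ValueError(f"not a USBSTOR disk instance ID: {instance_id!r}")
    d = m.groupdict()
    d["full_serial"] = f"{d['serial']}&{d['instance']}"
    return d


def filetime_to_utc(filetime: int) -> datetime:
    """FILETIME = 100-ns ticks since 1601-01-01 00:00 UTC -> aware UTC datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)


def utc_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_utc, for round-trip checks."""
    unix_seconds = int(dt.astimezone(timezone.utc).timestamp())
    return unix_seconds * 10_000_000 + EPOCH_DIFF_100NS


def filetime_bytes_to_utc(raw: bytes) -> datetime:
    """Registry binary values store FILETIME as 8 little-endian bytes."""
    (ft,) = struct.unpack("<Q", raw)
    return filetime_to_utc(ft)


def dword_to_signed(value: int) -> int:
    """ActiveTimeBias is a signed REG_DWORD; west of UTC is positive."""
    return value - (1 << 32) if value & 0x80000000 else value


def utc_to_system_local(utc: datetime, active_time_bias_minutes: int) -> datetime:
    """Windows defines UTC = local + bias, so local = UTC - bias.
    A GMT machine (as in this case) has bias 0 and the value is unchanged."""
    return utc - timedelta(minutes=active_time_bias_minutes)


if __name__ == "__main__":
    # Constructed instance ID: product "DataTraveler_3.0" and revision "PMAP" are placeholders.
    dev = parse_usbstor_instance(
        r"Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\001CC0EC33B0BD10D70C00DE&0"
    )
    print("vendor:", dev["vendor"], "serial:", dev["full_serial"])

    # Constructed FILETIME for 2020-12-01 09:40:16 UTC.
    first_install = filetime_to_utc(132512892160000000)
    print("first install (UTC):", first_install)
    print("system local (GMT, bias 0):", utc_to_system_local(first_install, 0))
    # Hypothetical bias of 300 minutes (UTC-5) to show why the host's zone must not be used.
    print("if the machine were UTC-5:", utc_to_system_local(first_install, dword_to_signed(300)))
```

Run it as-is to see the GMT case from the write-up; to apply it to a real hive, read the `0064` (first install) property of the device's `Properties` subkey and the `ActiveTimeBias` value from `ControlSet00x\Control\TimeZoneInformation`, and feed the raw bytes to `filetime_bytes_to_utc` and `dword_to_signed`.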

7- What is the Volume Label of the unique USB mass storage device? (5 points)

Darth Vader

Found in the SOFTWARE HIVE, using the serial number of the previously mentioned USB as a search string; there I found the drive name.

8- Find the user that used the USB Device. What is the user’s SID? (5 points)

S-1-5-21-321011808-3761883066-353627080-1004

From Recent Documents, using the time frame 12-1 to 12-11 based on the USB usage, a search for “Darth Vader” shows that the PM user handled the USB device. Then, using the SAM hive file for the user PM, I obtained the SID, or alternatively from Operating System User Account in Autopsy.
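To confirm a SID found in the SAM against the account seen in Recent Documents, it helps to know that the SAM stores each local account under `SAM\Domains\Account\Users\<RID as 8 hex digits>`, and that the RID is the last component of the SID. The following added example (not from the write-up or Autopsy) parses a SID, derives that subkey name and flags whether the SID is a normal local user; the SID is the one from the answer above, and `parse_sid`, `sam_user_key_name` and `is_local_machine_user` are hypothetical helper names.

```python
"""Added example: decompose a Windows SID and derive the SAM Users subkey name."""
import re

SID_RE = re.compile(r"^S-(?P<rev>\d+)-(?P<auth>\d+)(?P<subs>(?:-\d+)+)$")

# RIDs with a fixed meaning on every Windows machine.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest"}


def parse_sid(sid: str) -> dict:
    """Split 'S-<rev>-<authority>-<sub1>-...-<rid>' into its parts."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"malformed SID: {sid!r}")
    subs = [int(x) for x in m.group("subs").split("-")[1:]]
    # The machine/domain SID is everything except the final RID.
    domain = None
    if len(subs) > 1:
        domain = "S-%s-%s-%s" % (m.group("rev"), m.group("auth"),
                                 "-".join(str(s) for s in subs[:-1]))
    return {
        "revision": int(m.group("rev")),
        "identifier_authority": int(m.group("auth")),
        "sub_authorities": subs,
        "domain_sid": domain,
        "rid": subs[-1],
    }


def sam_user_key_name(sid: str) -> str:
    """SAM\\Domains\\Account\\Users\\<RID> uses the RID as 8 upper-case hex digits."""
    return f"{parse_sid(sid)['rid']:08X}"


def is_local_machine_user(sid: str) -> bool:
    """True for accounts created on the machine (NT authority, S-1-5-21-..., RID >= 1000)."""
    p = parse_sid(sid)
    return (p["identifier_authority"] == 5
            and p["sub_authorities"][:1] == [21]
            and p["rid"] >= 1000)


def describe_rid(sid: str) -> str:
    """Name well-known RIDs; everything else is a user-created account."""
    rid = parse_sid(sid)["rid"]
    return WELL_KNOWN_RIDS.get(rid, "user-created account")


if __name__ == "__main__":
    sid = "S-1-5-21-321011808-3761883066-353627080-1004"
    print("domain SID:", parse_sid(sid)["domain_sid"])
    print("SAM Users subkey:", sam_user_key_name(sid))   # 000003EC
    print("local user:", is_local_machine_user(sid), "-", describe_rid(sid))
```

The subkey name is what you would look for under `Users` in the SAM hive to read the account's `V` record (user name, etc.) and `F` record (last logon, logon count); matching `000003EC` to the PM account is the cross-check for this answer.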

9- What is the last drive letter assigned to the USB device? (5 points)

E

From the previous answer.

10- What is the filename of the document stolen? (5 points)

finance.txt

Obtained by looking at the Recent Documents.