Friday, January 12, 2024

THM - Digital Forensics Case B4DM755

TryHackMe | Digital Forensics Case B4DM755

Room Objectives

Learn about the following to build up the confidence of future Forensics Lab Analysts, DFIR First Responders, and Digital Forensics Investigators:

  • Ensure proper Chain of Custody procedures for transport to the Forensics Laboratory.
  • Use FTK Imager to acquire a forensic disk image and preserve digital artefacts and evidence.
  • Analyse forensic artefacts received at the Forensics Laboratory for presentation during a trial in a court of law.

Case B4DM755 - Details

Answering the first few sections is all pretty simple and the answers are in the content. 


As a Forensics Lab Analyst, you analyse the artefacts from crime scenes. Occasionally, the law enforcement agency you work for receives "intelligence reports" about different cases, and today is one such day. A trusted informant, who has connections to an international crime syndicate, contacted your supervisor about William S. McClean from Case #B4DM755.

The informant provided information about the whereabouts of the suspect, who is currently at large, in Metro Manila, Philippines, and about a transaction that will happen today with a local gang member. They also knew the exact location of the meetup and that the suspect would have incriminating materials at the time.

The law enforcement agency prepared for the operation by obtaining proper search authority and assigning a DFIR (Digital Forensics & Incident Response) First Responder (i.e., you) to ensure the appropriate acquisition of digital artefacts and evidence for examination at the Forensics Lab, and eventually for use in litigation. The court issued a search warrant on the same day, allowing law enforcement officers to investigate the suspect and his place of residence based on the informant's tip.

FTK Imager

FTK Imager is a forensics tool that allows forensic specialists to acquire computer data and perform analysis without affecting the original evidence, preserving its authenticity, integrity, and validity for presentation during a trial in a court of law.

On the VM, load up FTK Imager. The "Evidence" is an emulated flash drive located at \\PHYSICALDRIVE2 - Microsoft Virtual Disk [1GB SCSI].

The following steps will add the Evidence:

File > Add Evidence Item

Choose Physical Drive

Select the correct drive; in this case it is Microsoft Virtual Disk [1GB SCSI].

Next, check for encryption:

File > Detect EFS Encryption

In this scenario there is no encryption present. 

As we learnt in the previous task, we have to create an image of the drive. We should never perform forensics on the original, as this will tamper with the evidence.

File > Create Disk Image

Select Physical Drive as the source

Select the correct source; again, in this example it is Microsoft Virtual Disk [1GB SCSI].

The task mirrors real-world operations, so we have to ensure the options "Verify images after they are created" and "Create directory listing of all files in the image after they are created" are ticked. Under Image Destination(s), click Add and set the Destination Image Type to Raw (dd). Finally, fill out the Evidence Item Information and set the Image Destination. Click Start.

Ensure the hashes match and there are no bad blocks listed.
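The same hash check can be repeated independently of FTK Imager whenever the image changes hands. The script below is an added example, not part of the room or of FTK Imager. The file name evidence.001 and the image contents are constructed, and the recorded hashes are assumed to be the MD5 and SHA1 values noted at acquisition.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 1024 * 1024  # read in 1 MiB blocks so a large image never sits in memory


def hash_image(path):
    """Return the MD5 and SHA1 of a file, computed in a single read pass."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1()}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for digest in digests.values():
                digest.update(block)
    return {name: d.hexdigest() for name, d in digests.items()}


def verify_image(path, recorded):
    """Return the algorithms whose recorded hash no longer matches the file."""
    computed = hash_image(path)
    return [alg for alg, want in recorded.items()
            if not hmac.compare_digest(computed[alg], want.strip().lower())]


def demo():
    """Hash a constructed stand-in image, then show that one changed byte is caught."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "evidence.001")  # constructed file name
        with open(image, "wb") as fh:
            fh.write(b"\x00" * 4096 + b"constructed sample sector data")
        recorded = hash_image(image)  # stands in for the values noted at acquisition
        clean = verify_image(image, recorded)
        with open(image, "r+b") as fh:  # simulate a single altered byte
            fh.seek(100)
            fh.write(b"\x01")
        tampered = verify_image(image, recorded)
    return clean, tampered


if __name__ == "__main__":
    print(demo())
```

An empty list means both digests still match the recorded values; any algorithm named in the result means the copy can no longer be shown to be identical to what was acquired.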

The following can now be answered:

What is the UI element of FTK Imager which displays the content of selected files?

What is the SHA1 hash of the physical drive and forensic image?

We now want to add the copy as our Evidence to investigate. This is a little different to before.

File > Add Evidence Item

Choose Image File

Browse to the location the image was saved to and select it.

We can now remove the original drive from the Evidence Tree:

Right-click and choose Remove Evidence Item

We want to analyse and inspect the contents of the drive. Be sure to look for deleted items, corrupted files, and any obfuscation. Deleted files can be identified by the red cross through the file type icon.

To recover these deleted files, we want to Export Files. Right-click on the target directory and click Export Files; this will save the artefacts.

We can now answer the final questions of this task:

Including hidden files, how many files are currently stored on the flash drive?

How many files were deleted in total?

How many recovered files are corrupted (e.g., 0 file size)?

Task 7

Aside from FTK Imager, what is the directory name of the other tool located in the tools directory under Desktop?

Navigate to the desktop and look inside the Tools folder. 

What is the visible extension of the "hideout" file?

This can be found within FTK Imager or the exported files, the file is named

View the metadata of the "hideout" file. What is its actual extension?

We can use the tool exiftool.exe. Run it directly or from the command line: exiftool.exe "C:\Users\analyst\Desktop\artefacts\[root]\hideout.pdf". Be sure to set the path to where you exported the files.

This will reveal what the file really is. 

A phone was used to photograph the "hideout". What is the phone's model?

This can be found in the metadata under Camera Model Name 

A phone was used to photograph the "warehouse". What is the phone's model?

Same process using exiftool, again found under the Camera Model Name

Are there any indications that the suspect is involved in other illegal activity? (Y/N)

Use exiftool to check all the files. One is not what it says it is and is actually a .zip; extract it.
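Checking every exported file by hand is slow, so the comparison of file content against file name can be scripted. The script below is an added example, not part of the room. It walks an export folder, flags zero-byte files, and flags files whose leading bytes disagree with their extension. The sample file names and contents are constructed, and the signature list covers only a few common formats.

```python
import os
import tempfile

# Leading-byte signatures (well-known magic numbers) mapped to a usual extension.
SIGNATURES = [(b"%PDF-", "pdf"), (b"\xff\xd8\xff", "jpg"),
              (b"\x89PNG\r\n\x1a\n", "png"), (b"PK\x03\x04", "zip")]
ZIP_BASED = {"zip", "docx", "xlsx", "pptx"}  # formats that are ZIP containers
ALIASES = {"jpeg": "jpg"}


def sniff(path):
    """Return the type implied by the file's first bytes, or None if unknown."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    return next((kind for magic, kind in SIGNATURES if head.startswith(magic)), None)


def triage(root):
    """Walk an export folder; return {relative path: finding} for odd files."""
    findings = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lstrip(".").lower()
            ext = ALIASES.get(ext, ext)
            if os.path.getsize(path) == 0:
                findings[rel] = "empty"  # recovered, but no content survived
                continue
            kind = sniff(path)
            if kind is None or kind == ext or (kind == "zip" and ext in ZIP_BASED):
                continue  # unknown, matching, or a legitimate ZIP-based Office file
            findings[rel] = f"{ext or 'none'} -> {kind}"
    return findings


def demo():
    samples = {  # constructed sample files, not the room's evidence
        "photo.pdf": b"\xff\xd8\xff\xe0" + b"\x00" * 32,   # JPEG bytes named .pdf
        "song.mp3": b"PK\x03\x04" + b"\x00" * 32,          # ZIP bytes named .mp3
        "report.docx": b"PK\x03\x04" + b"\x00" * 32,       # genuine ZIP container
        "notes.txt": b"plain text, no signature",
        "docs/recovered.png": b"",                         # zero-byte file
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in samples.items():
            full = os.path.join(tmp, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        return triage(tmp)
```

Anything the script flags still needs confirming with exiftool, since a signature match only covers the first few bytes of the file.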

Who was the point of contact of Mr William S. McClean in 2022?

Check in the newly discovered .zip, there is a notes.txt file

A meetup occurred in 2022. What are the GPS coordinates during that time?

Can also be found in notes.txt

What is the password to extract the contents of

Have a guess... lol yup, notes.txt


From which company did the source code in the pandorasbox directory originate?

Look in the HFT_Algorithm directory, where we see some Python scripts. These scripts include a header; open them with Notepad.

In one of the documents that the suspect has yet to sign, who was listed as the beneficiary?

Analyse the Word docs; the victim can be found in UTCL242231.

What is the hidden flag?

The file named DONOTOPEN looks like it should definitely be opened... change it to a .txt

Task 8 can be answered from the content. 

