Rhino Hunt With Autopsy

This document describes a forensic investigation using Autopsy to analyze evidence from a case involving illegal possession of rhinoceros images. The evidence includes a disk image of a USB key and network traces. Key details discovered include the image of a mother rhinoceros and her child, confirmation of the missing hard drive, and an email address in one of the recovered files.

Uploaded by

Ahmad Saadeh

Rhino Hunt with Autopsy

What You Need for This Project:

• A Windows machine with Autopsy installed

Purpose:

• To practice basic forensic techniques:
  o Reading a scenario
  o Verifying a hash value
  o Extracting files from a disk image with Autopsy

Scenario:

• The city of New Orleans passed a law in 2004 making possession of nine or more unique
rhinoceros images a serious crime. The network administrator at the University of New
Orleans recently alerted police when his instance of RHINOVORE flagged illegal rhino
traffic. Evidence in the case includes a computer and a USB key seized from one of the
University's labs. Unfortunately, the computer had no hard drive. The USB key was imaged,
and a copy of the dd image is the case1.zip file you've been given.

• In addition to the USB key drive image, three network traces are also available; these were
provided by the network administrator and involve the machine with the missing hard drive.
The suspect is the primary user of this machine, who has been pursuing his Ph.D. at the
University since 1972.

Downloading the Evidence File and Autopsy:


• On your Windows machine, download these files:
1. Autopsy 4.21.0 from https://www.autopsy.com/download/
2. case1.zip (3.4 MB)


Verifying Hash Values for the case1 File


• A PowerShell window, also known as the PowerShell console or PowerShell command prompt,
is an interface in Microsoft Windows where you can execute PowerShell commands and
scripts. Use it to compute the hash of the downloaded evidence file and compare it with the
published value before extracting anything.
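The hash check described above, written out as an added PowerShell example (this is not code from the original lab report). The expected hash values are placeholders to be replaced with the values published for the challenge, and the file paths assume the downloads were saved to the Downloads folder and case1.zip was extracted in place.

```powershell
# Added example: verify evidence files before analysis so that any later
# finding can be tied to a known, unmodified image.
# Expected hashes are PLACEHOLDERS; take the real values from the challenge page.
$Evidence = @{
    "$env:USERPROFILE\Downloads\case1.zip"         = "<EXPECTED_HASH_FOR_case1.zip>"
    "$env:USERPROFILE\Downloads\case1\RHINOUSB.dd" = "<EXPECTED_HASH_FOR_RHINOUSB.dd>"
}

# Use the algorithm the challenge publishes its checksums in (MD5 or SHA256);
# Get-FileHash defaults to SHA256 when -Algorithm is omitted.
$Algorithm = "MD5"

$results = foreach ($path in $Evidence.Keys) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "Missing file: $path"
        continue
    }
    $actual   = (Get-FileHash -LiteralPath $path -Algorithm $Algorithm).Hash
    $expected = $Evidence[$path]
    # -eq on strings is case-insensitive in PowerShell, so hex case does not matter.
    [pscustomobject]@{
        File     = Split-Path -Leaf $path
        Expected = $expected
        Actual   = $actual
        Match    = ($actual -eq $expected)
    }
}

$results | Format-Table -AutoSize

# Stop here if anything does not match; a mismatched image must not be analyzed
# as evidence until the discrepancy is explained.
if ($results | Where-Object { -not $_.Match }) {
    Write-Error "Hash mismatch detected; do not proceed with the unverified file(s)."
}
```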
Unzipping the Evidence File
• Right-click the case1.zip file and click "Extract All...". Click the Extract button.
• You see four files, as shown below.

Creating an Autopsy Case


Autopsy is the premier open-source forensics platform; it is fast, easy to use, and capable of
analyzing all types of mobile devices and digital media.

• Launch Autopsy. In the Welcome box, click "New Case".


• Make these selections:
o Case Name: Name your case F201
o Base Directory: Select your Documents folder and click Next.
o Assign it a case number of F201 and click Finish.
o In the "1. Select Host" page, click Next.
o In the "2. Select Data Source Type" page, accept the default of "Disk Image or VM
File" and click Next.
o In the "3. Select Data Source" page, click Browse, navigate to the RHINOUSB.dd
file, and double-click it. Then click Next.
o In the "4. Configure Ingest" page, click the "Select All" button and click Next.
o In the "5. Add Data Source" page, click Finish.

When the data file is imported and processed, in the left pane of Autopsy, expand the containers to
see the Images and "Deleted Files", as shown below.

Find the image of a mother rhinoceros and her child. That's the flag. (If you are using an automated
CTF scoreboard, enter the filename of the image as the flag.)

Examining Deleted Files


In the left pane, select All. The deleted files appear in the right pane, as shown below.

Sorting by File Type


In the top right pane, scroll to the right. Click "MIME Type", outlined in red in the image below, to
sort the files, and put the "application/msword" file at the top.

Hard Drive (5 pts)

Find the location of the missing hard drive. That's the flag.

There is no hard drive; we analyzed a disk image of a USB key.


Email Address (10 pts extra)

There are two files containing an email address at MIT. Only one of the files has a real filename. (A
filename beginning with "Unalloc" is a fake filename generated by Autopsy for files recovered from
unallocated clusters.)

The flag is the real filename, which does not begin with "Unalloc".

philg@mit.edu
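A way to locate the two files and separate the real filename from the Autopsy-generated one, as an added PowerShell example that is not part of the original report. It assumes the recovered files were exported from Autopsy into the folder named below (the export path is an assumption); the files are read as raw bytes so the Word document is searched as well as plain text.

```powershell
# Added example: find recovered files that contain an MIT e-mail address and
# mark which names are carved ("Unalloc...") versus real filenames.
# The export folder is an ASSUMPTION; point it at wherever Autopsy exported to.
$ExportDir = "$env:USERPROFILE\Documents\F201\Export"
$Pattern   = '[A-Za-z0-9._%+-]+@mit\.edu'

$hits = Get-ChildItem -LiteralPath $ExportDir -File -Recurse | ForEach-Object {
    # Decode as ASCII so .doc and other binary containers are scanned too;
    # 8-bit text inside them survives this decoding, non-text bytes do not match.
    $bytes = [System.IO.File]::ReadAllBytes($_.FullName)
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
    $found = [regex]::Matches($text, $Pattern) |
             ForEach-Object { $_.Value.ToLowerInvariant() } |
             Sort-Object -Unique
    if ($found) {
        [pscustomobject]@{
            File      = $_.Name
            # Autopsy names content recovered from unallocated clusters "Unalloc...";
            # those are not real filenames and cannot be the flag.
            RealName  = -not ($_.Name -like 'Unalloc*')
            Addresses = ($found -join ', ')
        }
    }
}

# Real filenames first, so the flag candidate is at the top of the list.
$hits | Sort-Object -Property @{Expression = 'RealName'; Descending = $true}, File |
        Format-Table -AutoSize
```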

Conclusion:

In this forensic exercise using Autopsy, we investigated a case involving illegal possession of
rhinoceros images at the University of New Orleans. We analyzed a disk image of a USB key and
network traces associated with the suspect's machine. The flag, indicating the image of a mother
rhinoceros and her child, was identified within the evidence files. Additionally, we confirmed the
absence of a hard drive in the system, which served as another flag. Moreover, an email address
associated with MIT was discovered within recovered files, providing an extra challenge. Through this
exercise, we practiced basic forensic techniques such as verifying hash values, extracting files from a
disk image, and examining deleted files to gather evidence and solve the case.

The end
