Assignment 3

Page history last edited by Patrick 1 week, 2 days ago

Background

On the evening of Wednesday, April 1st, 2015, Playtronics (located in Daytona Beach, FL) discovered a breach that had occurred on one of their secure workstations. This particular workstation was only connected to the internal network and was not able to reach outside networks; attached devices such as USB flash drives were allowed to be read from, but not written to.

It was discovered that on Tuesday, March 31st, 2015, an unauthorized program was installed on one of the secure workstations. This program facilitated a remote copy of 12 files from the secure workstation to an unsecured workstation in the building; according to logs, the 12 files were then moved to a USB flash drive attached to the unsecured workstation.

Interviews with Playtronics employees were conducted the morning of April 2nd, where it was discovered that the only employee who could not be reached for questioning was Steven Holt. When Mr. Holt could not be reached, officers spoke briefly with Mr. Holt’s sister before traveling to Holt’s residence. As the officers approached Holt’s residence, Mr. Holt was seen leaving the residence by car. On his way out of the neighborhood, Mr. Holt ignored posted stop signs and speed limits, prompting officers to follow him to his final destination, a local landfill.

Mr. Holt was seen entering the premises with a desktop computer, but leaving empty-handed. Upon leaving the landfill, Holt was detained for questioning and the computer was retrieved. Mr. Holt was found to be in possession of $10,000 cash, and a USB flash drive was found inside the vehicle. Bank records later showed a $50,000 incoming transfer on the morning of April 2nd, all of which was withdrawn; phone records showed one outgoing call the morning of April 2nd to 386-555-4183.

The USB drive found in Mr. Holt’s vehicle contained a password-protected zip file and what appears to be 12 files containing computer code. Playtronics has confirmed this flash drive was attached to the unsecured workstation on March 31st and has supplied a list of MD5 hashes for 5 of the 12 copied files:

a51e7cbbb10dec39439276f4e22182cc
bb364e40bb05a9eeb2f0df60eaca5201
60fa191d9839d8a8f2cb75f4cc11f715
b6645500a55ee925e94e3125c6968adb
2c74fb1843905f85c931f161cb2c38b9
69e5909b1a6921131ea08ed172c3dc66


Deliverables:

  1. A Document/PDF report (Note: there is a Part 1 and a Part 2) that answers the questions below, in order, in a detailed manner.
    1. What's detailed? What information did you find, how did you find it, and where did you find it? After reading the answer, I should be able to verify your results by following your process.
  2. An exported FTK report which includes any evidence/files you referenced to answer the below questions.

Important For Your Grade:

I do not want just the answer for questions relating to a process in FTK. If you do not provide all the information, the answer will not be given points.

Important When Correlating

You'll notice all of the Creation Dates of the files in the image are after the Modified and Accessed dates. This would normally be a huge red flag; however, this image was also made to work with the demo version of FTK, which has a 5,000-file limit. In order to provide an image which originally contained a fully functioning operating system but is now under 5,000 files, the original image had to be changed, resulting in the Creation Date changes.

For the purpose of this assignment, use the Modified Date to mean both the creation and modified time.


Part 1: Questions

 

1. What is the MD5 hash of your disk image?

 

2. How many physical sectors are there in the disk image?

 

3. What is the cluster size of the file system?

Note that I said "file system" here. Make sure you are not looking at the MBR/VBR entries when checking, as those will show a different cluster size.
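Questions 2 and 3 ask for numbers that FTK reads off the disk for you; it helps to know where they come from so you can verify what FTK shows. The script below is an added example (it is not part of the assignment and not FTK's code) that parses a raw image by hand: it counts 512-byte sectors, reads the MBR partition table to find the first volume, and reads the BIOS Parameter Block from that volume's boot sector, which is where bytes-per-sector and sectors-per-cluster are defined for the file system itself, as opposed to whatever properties FTK lists for the MBR/VBR entries in its tree. The image it parses is a small one it constructs itself; the 512-byte sector size and the single NTFS partition at LBA 63 are assumptions for that sample, not facts about the assignment image.

```python
import struct

SECTOR_SIZE = 512  # assumed for the sample; confirm against the real image


def sector_count(image_size_bytes, sector_size=SECTOR_SIZE):
    """Physical sector count of an image is its byte size in sector units."""
    if image_size_bytes % sector_size:
        raise ValueError("image size is not a whole number of sectors")
    return image_size_bytes // sector_size


def parse_mbr(mbr):
    """Return (partition_type, first_lba, sector_count) for each used MBR entry.

    The partition table starts at offset 446 and holds four 16-byte entries;
    byte 4 is the type, bytes 8..11 the starting LBA, bytes 12..15 the length.
    """
    if len(mbr) < 512 or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature: this is not an MBR")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i:446 + 16 * (i + 1)]
        ptype = entry[4]
        first_lba, count = struct.unpack_from("<II", entry, 8)
        if ptype != 0:
            parts.append((ptype, first_lba, count))
    return parts


def parse_bpb(vbr):
    """Read the BIOS Parameter Block fields common to FAT and NTFS boot records.

    Offset 11 (2 bytes) is bytes per sector, offset 13 (1 byte) is sectors per
    cluster; the file system's cluster size is their product.
    """
    bytes_per_sector = struct.unpack_from("<H", vbr, 11)[0]
    sectors_per_cluster = vbr[13]
    return {
        "oem": vbr[3:11],
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "cluster_size": bytes_per_sector * sectors_per_cluster,
    }


def file_system_geometry(image):
    """Walk MBR -> first partition -> volume boot sector and return its BPB."""
    parts = parse_mbr(image[:512])
    if not parts:
        raise ValueError("MBR has no partitions")
    _, first_lba, _ = parts[0]
    vbr_offset = first_lba * SECTOR_SIZE
    return parse_bpb(image[vbr_offset:vbr_offset + SECTOR_SIZE])


def build_sample_image():
    """Constructed sample: 1 MiB image, one NTFS partition at LBA 63, 4 KiB clusters."""
    total_sectors = 2048
    mbr = bytearray(512)
    # entry 0: bootable flag, CHS start (ignored), type 0x07 (NTFS), CHS end, LBA, length
    struct.pack_into("<B3sB3sII", mbr, 446, 0x80, b"\0\0\0", 0x07, b"\0\0\0",
                     63, total_sectors - 63)
    mbr[510:512] = b"\x55\xaa"
    vbr = bytearray(512)
    vbr[0:3] = b"\xeb\x52\x90"            # jump instruction
    vbr[3:11] = b"NTFS    "               # OEM ID
    struct.pack_into("<H", vbr, 11, 512)  # bytes per sector
    vbr[13] = 8                           # sectors per cluster -> 4096-byte clusters
    vbr[510:512] = b"\x55\xaa"
    image = bytearray(total_sectors * SECTOR_SIZE)
    image[0:512] = mbr
    image[63 * 512:64 * 512] = vbr
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    print("sectors:", sector_count(len(img)))
    print("partitions:", parse_mbr(img[:512]))
    print("file system:", file_system_geometry(img))
    # Byte 13 of the MBR is not a BPB field at all, which is the point of the
    # note above: the cluster size belongs to the file system, not the MBR.
    print("MBR byte 13 (not a cluster size):", img[13])
```

On the real image, replace `build_sample_image()` with the bytes read from the `.dd` file; if the image has a single partition whose boot sector the parser reports with an `oem` of `NTFS    ` or a FAT label, the `cluster_size` it returns is the figure question 3 is after.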

 

4. In the image, there are references to communications with four people. What are their names, email addresses, and inferred relationship to the suspect (i.e., family, co-worker, etc.)?

 

Hint: Emails may not always appear as “pretty” messages in the Email tab. You can also use the raw data view of the DBX files. Once you know the names, you can begin searching through email, inside the DBX files and/or use the Live Search function to make your task easier.

 

5. Is there reference to any files which have recently been sent to the Recycle Bin? What are their original name(s), original location, and removal date?
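Question 5 is answered from the Recycle Bin's own bookkeeping rather than from the deleted file alone. On Windows XP-era systems (which the DBX mailboxes and IE index.dat mentioned on this page suggest, although the assignment does not say which Windows version the image holds) each user's Recycler folder keeps an INFO2 index whose records store the original path, the drive, the deletion time and the index used in the renamed Dc<N> file. The parser below is an added example, not part of the assignment or of FTK; it builds its own one-record INFO2 sample, and the path, timestamp and size in that sample are invented.

```python
import struct
from datetime import datetime, timedelta, timezone

INFO2_HEADER_LEN = 20    # version, two reserved dwords, record size, total size
INFO2_RECORD_LEN = 800   # XP/2003 record size; the parser re-reads it from the header
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here only to build the sample."""
    delta = dt - _FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_info2(data):
    """Parse INFO2 records. Offsets within each 800-byte record:
         0: original path, ANSI, NUL padded (260 bytes)
       260: record index  (uint32)  -> the N in the on-disk name Dc<N>.<ext>
       264: drive number  (uint32)  -> 0 = A:, 1 = B:, 2 = C: ...
       268: deletion time (FILETIME, uint64)
       276: physical size (uint32)
       280: original path, UTF-16LE (520 bytes)
    """
    _version, _, _, record_len, _ = struct.unpack_from("<5I", data, 0)
    records = []
    off = INFO2_HEADER_LEN
    while off + record_len <= len(data):
        rec = data[off:off + record_len]
        off += record_len
        ansi = rec[:260].split(b"\x00", 1)[0].decode("cp1252", "replace")
        index, drive, ft, size = struct.unpack_from("<IIQI", rec, 260)
        uni = rec[280:280 + 520].decode("utf-16-le", "replace").split("\x00", 1)[0]
        original = uni or ansi
        if not original:
            continue  # unused slot
        base = original.rsplit("\\", 1)[-1]
        ext = ("." + base.rsplit(".", 1)[1]) if "." in base else ""
        records.append({
            "original_path": original,
            # A NUL first byte in the ANSI path with the Unicode path still
            # present is the usual sign the entry was restored or the bin was
            # emptied, so treat such records as stale rather than current.
            "still_in_bin": bool(ansi),
            "recycled_name": f"D{chr(ord('a') + drive)}{index}{ext}",
            "deleted_utc": filetime_to_datetime(ft).strftime("%Y-%m-%d %H:%M:%S"),
            "size": size,
        })
    return records


def build_sample_info2():
    """Constructed one-record INFO2 file; the path and timestamp are invented."""
    header = struct.pack("<5I", 5, 0, 0, INFO2_RECORD_LEN, INFO2_RECORD_LEN)
    path = r"C:\Documents and Settings\holt\My Documents\design.c"
    rec = bytearray(INFO2_RECORD_LEN)
    rec[:len(path)] = path.encode("cp1252")
    deleted = datetime(2015, 4, 1, 20, 15, 0, tzinfo=timezone.utc)
    struct.pack_into("<IIQI", rec, 260, 1, 2, datetime_to_filetime(deleted), 4096)
    uni = path.encode("utf-16-le")
    rec[280:280 + len(uni)] = uni
    return header + bytes(rec)


if __name__ == "__main__":
    for r in parse_info2(build_sample_info2()):
        print(r)
```

The deletion time comes out in UTC; the image's own time zone setting decides what local "removal date" you report, so note both. On a real image, export the INFO2 file from FTK and pass its bytes to `parse_info2`; the `recycled_name` tells you which Dc<N> file in the same folder holds the content.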

 

6. There is an encrypted archived file in the image. What is its name, when did it appear on the system, and how did it get on the system? Once you know the name, you can use the Live Search to make your task a bit easier.

 

7. What is the password of the zip file (from question 6 above)?

 

The sender gives you a clue, but I’ll be nicer: two words and nine letters total entered all lowercase and with no spaces.

Hint: The sender mentions the password is a side project of theirs. Google for their name; are they part of another (fictitious) company? You'll get a lot of hits for this fictitious character and the show they're on, but the company you're looking for should be on the first page of results.

 

8. Describe the contents of the zip file. Specifically, what is the name of the program? This will require you to look through the files in a text viewer.

 

9. There were three files which were emailed as attachments to/from the system. What are their names, and who were they sent to/from? You already have one from the above question – two to go!

 

Having trouble? Email attachments are often encoded using base64; this may be a good starting search term.

 

10. Playtronics provided a list of hashes corresponding to files which were copied off of their secure workstation. Do any of your recovered files match any of the below hashes? (Hint: At least one will match. Find it!)

a51e7cbbb10dec39439276f4e22182cc
bb364e40bb05a9eeb2f0df60eaca5201
60fa191d9839d8a8f2cb75f4cc11f715
b6645500a55ee925e94e3125c6968adb
2c74fb1843905f85c931f161cb2c38b9
69e5909b1a6921131ea08ed172c3dc66

There are over 3,000 files in this image, so where should you begin? Were any files brought onto or sent from the system? Alternatively, you can sort Total File Items by hash value and compare them to the list above: click on the 'MD5' column to sort by MD5 for a visual comparison.
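Questions 9 and 10 meet in the same place: an attachment that was sent as base64 inside a DBX file does not appear in FTK's file list as its own file, so its MD5 never shows up in the sorted MD5 column until you decode it. The script below is an added example (not part of the assignment or FTK) that carves base64 attachments out of raw mailbox bytes, decodes them, hashes the result and checks it against the six Playtronics hashes copied from the text above; it also includes a chunked file hasher for question 1. The mailbox fragment it scans is constructed here, and the names, addresses and file content in it are made up, so it matches none of the real hashes.

```python
import base64
import hashlib
import re

# Hash list supplied by Playtronics (copied from the assignment text).
PLAYTRONICS_HASHES = {
    "a51e7cbbb10dec39439276f4e22182cc",
    "bb364e40bb05a9eeb2f0df60eaca5201",
    "60fa191d9839d8a8f2cb75f4cc11f715",
    "b6645500a55ee925e94e3125c6968adb",
    "2c74fb1843905f85c931f161cb2c38b9",
    "69e5909b1a6921131ea08ed172c3dc66",
}

# A MIME attachment as it sits in raw mail data: a header line carrying
# filename="...", any further header lines, a blank line, then base64 text
# (lines of up to 76 alphabet characters, '=' padded at the very end).
ATTACHMENT_RE = re.compile(
    rb'filename="(?P<name>[^"\r\n]+)"[^\r\n]*\r?\n'
    rb'(?:[^\r\n]*\r?\n)*?'
    rb'\r?\n'
    rb'(?P<body>(?:[A-Za-z0-9+/]{2,76}={0,2}\r?\n)+)'
)


def carve_base64_attachments(raw):
    """Find filename="..." parts followed by a base64 body and decode them.

    This is a carving heuristic for raw DBX/mailbox bytes, not a full MIME
    parser, so it still works when the surrounding message is damaged.
    """
    found = []
    for m in ATTACHMENT_RE.finditer(raw):
        try:
            data = base64.b64decode(m.group("body"))  # CR/LF are skipped by default
        except ValueError:
            continue  # bad length or padding: not really base64, keep carving
        found.append({
            "name": m.group("name").decode("latin-1"),
            "size": len(data),
            "md5": hashlib.md5(data).hexdigest(),
            "data": data,
        })
    return found


def match_known_hashes(attachments, known=PLAYTRONICS_HASHES):
    """Names of carved attachments whose MD5 is on the Playtronics list."""
    return [a["name"] for a in attachments if a["md5"] in known]


def md5_file(path, chunk_size=1 << 20):
    """MD5 of a large file such as the .dd image, read in 1 MiB chunks (question 1)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


# Constructed sample: a few bytes of DBX slack around a multipart message with
# one base64 attachment. Addresses, file name and content are invented.
SAMPLE_ATTACHMENT_CONTENT = b"int main(void) { return 0; }\n"
SAMPLE_DBX_FRAGMENT = (
    b"\x00\x00\x7f\x10 leftover bytes before the message \x00\x00"
    b"From: sender@example.com\r\n"
    b"To: suspect@example.com\r\n"
    b"Subject: the file you asked for\r\n"
    b"Content-Type: multipart/mixed; boundary=\"xyz\"\r\n"
    b"\r\n"
    b"--xyz\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"see attached\r\n"
    b"--xyz\r\n"
    b"Content-Type: application/octet-stream; name=\"design.c\"\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"Content-Disposition: attachment; filename=\"design.c\"\r\n"
    b"\r\n"
    + base64.encodebytes(SAMPLE_ATTACHMENT_CONTENT).replace(b"\n", b"\r\n")
    + b"--xyz--\r\n"
)


if __name__ == "__main__":
    attachments = carve_base64_attachments(SAMPLE_DBX_FRAGMENT)
    for a in attachments:
        print(a["name"], a["size"], a["md5"])
    print("matches:", match_known_hashes(attachments))
```

Run it over a DBX file exported from FTK by reading the file's bytes into `carve_base64_attachments`; a name in the `matches` list is a file that left the secure workstation and later travelled by email, which is exactly the chain questions 9 through 11 ask you to document. Whatever the carver finds, confirm it in FTK (the raw view of the DBX file and the Email tab) so the report can cite the evidence item.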

 

11. Regarding any files found from the above question, is there any evidence to suggest the file(s) was sent to anyone else (hint, hint) and if so, how, when, and to whom?

 

12. Regarding the file from Question 11, were there any attempts to remove the file from the system? Explain.

 

13. The suspect was apprehended at, and the computer recovered from, a local landfill – are there any references to this location in the web browsing?

 

Between versions 4 to 9, Internet Explorer stored the browsing history in an index.dat file for each user account; this file may be of use.

 

14. The suspect was found with $10,000 in cash, but the suspect received a $50,000 wire transfer the same morning which was immediately withdrawn. Investigators are still trying to determine what happened to the missing $40,000 and they think some clues may reside on the suspect’s computer. After canvassing areas near the suspect’s residence and work, witnesses placed Mr. Holt leaving a local park the morning of April 2nd at 1000 Orange Ave; however, no one saw what Mr. Holt was doing at the park.

 

Find (search for) any reference to the location 1000 Orange Ave specifically in email and web history. Describe what you found.

 

15. According to what you found in Question 14, who is it implied that the suspect met with and for what purpose? This will likely require a new, expanded search for the person’s name to view other correspondence between them and the suspect.

Part 2: Story Time

 

I like to think of digital forensics as "tell me the story of this device". When I made this, I built a narrative and the evidence you found along the way tells that story. The questions are mostly laid out in such a way for you to follow that path and while some may seem to re-ask a question, it's to get you to think of the same piece of information in a different way. Does a specific file exist on the image? Yes. Where's that file? The Recycle Bin. The meaning of that file has now changed from simply residing on the file system to someone actively trying to remove it.

 

Mr. Holt was a busy person over a couple of days. In a couple of paragraphs, give me your interpretation, as a forensic examiner, of the story this evidence tells. There are some files on the system which are not part of the questions that can give another piece to the puzzle, as well as events/conversations which can be inferred but do not directly take place on the disk image.

Hints:

Live searches are very handy and will allow you to search for words, phrases, etc., through all files accessible by FTK. You can further adjust your scope by searching for ASCII characters, case sensitive, etc. Stuck? Need a starting place? Try the Live Search on some key terms from the question. Found a file? Great! Go to that file and look/search for what else could be in there.

Assignment files:

On Falcon Online

  • Forensic image (172MB compressed zip file)

  • 9e5fbe947e51eff2775b9cb4aa27433f  4860.Assignment.3.dd
  • 2eb125eef9d29c472a1828b9546b6aa9  4860.Assignment.3.zip

 
