BTLO Pro Lab - Sticky Situation

Items of value attract sticky fingers


Author: Danny Child Published on: May 22, 2021

Preface, Takeaways

In Sticky Situation, a highly confidential document has been stolen from the Prime Minister's laptop and sold on the Dark Web. Using Autopsy and other available digital forensic tools, determine which document was taken and identify the USB drive used by the malicious actor.

Physical security is just as important as technical security. A network may be well secured, but physical access to a device introduces new attack vectors that must be accounted for. Ensuring that data is encrypted at rest, that access is granted only after a successful logon, and that additional authentication factors such as a security key are required makes the malicious actor's work much more difficult.

Questions and Answers (Coming Soon)

What is the computer name?

When was the OS installed?

What is the Timezone of the computer?

What is the serial number of the first USB mass storage device connected?

What is the vendor name of the first USB mass storage device?

When was the first USB mass storage device connected for the first time? (system local time)

What is the Volume Label of the unique USB mass storage device?

Find the user that used the USB Device. What is the user’s SID?

What is the last drive letter assigned to the USB device?

What is the filename of the document stolen?