Saturday 19 November 2011 Practice Investigation (Pt 3 - Final)


Welcome to the M57 entry where I present what I learnt during this investigation. Due to its ongoing use, I have removed my results/analysis section. I have also removed any comments mentioning any tools/strategies.

Learning Outcomes:

I spent several days on this - the briefing PDF mentions spending "until lunch" using EnCase (LOL!).
This investigation took a lot longer than I estimated - part of it was learning about/setting up the tools, part of it was discovering Windows places of interest (eg Registry artefacts), part of it was the snoopy factor ("What has this user been up to?") and part of it was just repeating commands so I could document the results more comprehensively. I am still not 100% sure that someone from the company was NOT involved with the bogus email but I can't seem to find anything to support it.

In the future, I should pay more attention to documenting my progress as I investigate. I was using a old fashioned notebook and pen - maybe I should be using a text file / word document? It would certainly make capturing the command lines / paths much easier.
By learning on the fly/diving in and not having a set process to follow, I don't think I was maximising my efficiency either. Still, I guess you have to walk before you run etc.
Also, all details from the client brief should be confirmed/verified before starting - I spent quite some time searching for a .xlsx file as stated in the PDF brief only to find it was a .xls file.

'Nother practice scenario which might interest y'all (see, I can speak like a Southerner too!) is:
In this scenario, possessing more than 9 Rhino pictures has been declared illegal in New Orleans (those dirty Rhinos!). You've been tasked to find as much evidence as you can from 3 tcpdumps and a 256 Mb USB key dd image. This is good for gaining experience using the WireShark network analyser (also included on SANS SIFT) and "foremost". And they have kindly supplied the answers too!