https://cyberdefenders.org/labs/66

Introduction

John Doe was accused of doing illegal activities. A disk image of his laptop was taken. Your task is to analyze the image and understand what happened under the hood.

Tools

Preparation

For this challenge I'll use FireEye's FLARE VM, available here: https://github.com/fireeye/flare-vm

It doesn't include all of the tools listed above by default (FTK Imager, for example), so I installed those manually.

The file provided is a .zip containing two files: the image (DiskDrigger.ad1) and a text file.

FTK Imager can open the .ad1 file, but Autopsy cannot (nor can any of the other tools listed above). The reason is that AD1 is FTK's own logical-image format: it is a container holding the files and folders selected at acquisition time, not a sector-by-sector copy of the disk, so there is no raw or E01 equivalent to convert it into. FTK Imager does have an export function, however, so I opened the .ad1 in FTK Imager and used Export Files to write its contents out to a directory. That directory can then be added to Autopsy as a Logical Files data source (and to most of the other tools above), which allows for analysis. Two caveats follow from this. Because the evidence was a logical image to begin with, there is no unallocated space to carve deleted files from, so expect to work from the live files and their artifacts only. And once the files sit loose on the analysis machine they are no longer covered by the integrity hashes FTK Imager keeps for the container, so hash the export before touching it. FTK Imager itself only allows viewing the files in the image, similar to a file explorer.
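A check I'd add at exactly this point, as an example written for this writeup (it is not part of the lab, of FTK Imager or of Autopsy): once the AD1 contents are exported as loose files they are just files on disk, so hash the export immediately and keep the manifest beside it. The script below builds a SHA-256 manifest of an export directory and re-verifies it later, reporting changed, missing and added files. The directory layout and file contents in demo() are constructed for the example; on a real case, point build_manifest at the directory FTK Imager exported into.

```python
"""Integrity manifest for a directory of files exported from an AD1 image.

Added example for this writeup; not part of the lab, FTK Imager or Autopsy.
"""
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so large exported files never sit in memory whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file (path relative to root, POSIX separators) to its size and SHA-256.

    Forward slashes keep a manifest made on a Windows analysis VM valid on Linux.
    """
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        manifest[rel] = {"size": path.stat().st_size, "sha256": sha256_file(path)}
    return manifest


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Re-hash root and report what differs from the stored manifest."""
    current = build_manifest(root)
    return {
        "changed": sorted(p for p in manifest
                          if p in current and current[p]["sha256"] != manifest[p]["sha256"]),
        "missing": sorted(p for p in manifest if p not in current),
        "added": sorted(p for p in current if p not in manifest),
    }


def save_manifest(manifest: dict, out_file: Path) -> None:
    out_file.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(in_file: Path) -> dict:
    return json.loads(in_file.read_text())


def demo() -> dict:
    """Constructed export tree: a few files standing in for the real DiskDrigger export."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "DiskDrigger_export"
        user = root / "Users" / "John Doe"
        docs = user / "Documents"
        docs.mkdir(parents=True)
        (docs / "notes.txt").write_bytes(b"meeting at 9\n")          # constructed content
        (user / "NTUSER.DAT").write_bytes(b"regf" + b"\x00" * 28)  # constructed stand-in hive

        baseline = build_manifest(root)
        manifest_file = Path(tmp) / "DiskDrigger_export.sha256.json"
        save_manifest(baseline, manifest_file)  # keep this next to the export
        clean = verify_manifest(root, load_manifest(manifest_file))

        # Simulate what a careless analysis session does to loose evidence files:
        (docs / "notes.txt").write_bytes(b"meeting at 10\n")  # edited in place
        (user / "NTUSER.DAT").unlink()                         # deleted
        (user / "Thumbs.db").write_bytes(b"x")                 # created by a viewer
        tampered = verify_manifest(root, load_manifest(manifest_file))

    return {"baseline": baseline, "clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run build_manifest as soon as FTK Imager finishes exporting, save the manifest alongside the export, and run verify_manifest before handing the case to anyone else or writing up findings. Hashes computed later by an analysis tool's ingest only describe the files as that tool first saw them; the manifest is what lets you show nothing changed between export and import.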

Questions