DFIR Scenario #1 Lone Wolf

Introduction

This fictional digital investigation scenario examines the disk image and memory of a person’s laptop that was seized. The suspect in question is believed to be planning a mass shooting attack. Our role as the forensic investigator is to find evidence that either supports or disproves this allegation.


Acquisition

The forensic examiner present during the search and seizure found the laptop powered on and unlocked, which allowed him to dump the machine's memory. The laptop was then forensically imaged using FTK Imager and sent to the lab for further investigation. Below is the output log from FTK Imager.

FTK Imager Output Log given by the examiner who performed the acquisition

Investigation

After the evidence files made it to my office and the chain-of-custody was signed, I started my analysis using Autopsy. Autopsy is an open-source digital forensics suite similar to FTK and EnCase. The first thing I wanted to do was look at the hash of the disk image to validate its integrity. Autopsy automatically hashes every file as it goes through its analysis, including the main data source, in our case the disk image. We know from the FTK Imager log file that the MD5 sum of the image is 7af48fa65519e84246b1729e5b68f140, and if we take a look at Autopsy, we can see it is a match.

Hash verification
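The same integrity check, done by hand rather than through Autopsy: parse the digests out of an FTK Imager acquisition log and compare them with digests recomputed over the image. This is an added example, not code from the post; the log text is a constructed stand-in modelled on FTK Imager's .txt log (the real one is only shown as a screenshot above), and the "image" is a constructed byte string whose MD5/SHA1 are the well-known digests of "abc".

```python
import hashlib
import re
from typing import Dict

# Constructed stand-in for the FTK Imager acquisition log. The digests are those
# of the constructed image bytes below, so the check comes out clean.
FTK_LOG = """\
Created By AccessData(R) FTK(R) Imager 3.1.1.8

[Computed Hashes]
 MD5 checksum:    900150983cd24fb0d6963f7d28e17f72
 SHA1 checksum:   a9993e364706816aba3e25717850c26c9cd0d89d

[Verification Results]
 MD5 checksum:    900150983cd24fb0d6963f7d28e17f72 : verified
 SHA1 checksum:   a9993e364706816aba3e25717850c26c9cd0d89d : verified
"""
IMAGE_BYTES = b"abc"  # constructed stand-in for the raw image contents

HASH_LINE = re.compile(r"^\s*(MD5|SHA1) checksum:\s*([0-9a-fA-F]+)", re.MULTILINE)

def parse_ftk_hashes(log_text: str) -> Dict[str, str]:
    """Return {'md5': ..., 'sha1': ...}; the first occurrence of each algorithm
    (the [Computed Hashes] block) wins over the later verification lines."""
    found: Dict[str, str] = {}
    for algo, digest in HASH_LINE.findall(log_text):
        found.setdefault(algo.lower(), digest.lower())
    return found

def hash_image(data: bytes, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Hash incrementally so a multi-GB image never has to fit in memory."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    view = memoryview(data)
    for off in range(0, len(view), chunk_size):
        md5.update(view[off:off + chunk_size])
        sha1.update(view[off:off + chunk_size])
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}

def verify_image(data: bytes, log_text: str) -> Dict[str, bool]:
    """True per algorithm when the recomputed digest matches the acquisition log."""
    actual = hash_image(data)
    return {algo: actual[algo] == digest
            for algo, digest in parse_ftk_hashes(log_text).items()}

if __name__ == "__main__":
    print(verify_image(IMAGE_BYTES, FTK_LOG))            # {'md5': True, 'sha1': True}
    print(verify_image(IMAGE_BYTES + b"\x00", FTK_LOG))  # both False: image altered
```

For a real acquisition, read the image segment(s) from disk in chunks and feed them to the same two hash objects; a single changed byte anywhere flips both results to False.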

After verifying the disk image integrity, I began my investigation on the user's Desktop. The Desktop is usually where you can learn a great deal about a person, and it was here that many files of interest were found.

  • The Cloudy Manifesto.docx
    • MD5: 14c07920ddc81fbd489e61d60e5c9f28
    • Location: C:\Users\jcloudy\Desktop\
    • Times:
      • Modified: 2018-04-01 21:35:27 EDT
      • Accessed: 2018-04-01 21:35:27 EDT
      • Created: 2018-04-01 21:35:27 EDT
      • Changed: 2018-04-01 21:35:39 EDT
  • Planning.docx
    • MD5: 4ef414e469b7830faa2db429fe1321ee
    • Location: C:\Users\jcloudy\Desktop\
    • Times:
      • Modified: 2018-04-04 01:30:41 EDT
      • Accessed: 2018-04-04 01:30:41 EDT
      • Created: 2018-03-29 22:16:48 EDT
      • Changed: 2018-04-04 01:30:49 EDT
  • Operation 2nd Hand Smoke.pptx
    • MD5: b301fbf4104fb64b566b076c12a5d113
    • Location: C:\Users\jcloudy\Desktop\
    • Times: 
      • Modified: 2018-04-04 01:11:27 EDT
      • Accessed: 2018-04-04 01:11:27 EDT
      • Created: 2018-04-04 00:56:19 EDT
      • Changed: 2018-04-04 01:11:53 EDT
  • Cloudy thoughts (4apr).docx
    • MD5: f8c2bc733c109a88405dfd13b47d0690
    • Location: C:\Users\jcloudy\Desktop\
    • Times: 
      • Modified: 2018-04-04 22:39:30 EDT
      • Accessed: 2018-04-04 22:39:30 EDT
      • Created: 2018-04-04 22:39:29 EDT
      • Changed: 2018-04-04 22:39:41 EDT
  • AIRPORT INFORMATION.docx
    • MD5: 297eec248647f33f887d72328ab56f3c
    • Location: C:\Users\jcloudy\Desktop\
    • Times:
      • Modified: 2018-04-04 00:59:32 EDT
      • Accessed: 2018-04-04 00:59:32 EDT
      • Created: 2018-03-29 22:29:57 EDT
      • Changed: 2018-04-04 00:59:40 EDT
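
The MACB timestamps listed above are more useful laid out as one timeline than file by file. The added example below (not code from the post) flattens them into chronological events and clusters those events into working sessions, which shows at a glance that the planning, slide deck and airport documents were all worked on in one sitting in the early hours of 4 April. The one-hour session gap is an assumption chosen for illustration.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Timestamps copied from the Autopsy listing above (local time, EDT).
# M = Modified, A = Accessed, C = Changed (MFT record), B = Born/Created.
DESKTOP_FILES: Dict[str, Dict[str, str]] = {
    "The Cloudy Manifesto.docx": {"M": "2018-04-01 21:35:27", "A": "2018-04-01 21:35:27",
                                  "C": "2018-04-01 21:35:39", "B": "2018-04-01 21:35:27"},
    "Planning.docx": {"M": "2018-04-04 01:30:41", "A": "2018-04-04 01:30:41",
                      "C": "2018-04-04 01:30:49", "B": "2018-03-29 22:16:48"},
    "Operation 2nd Hand Smoke.pptx": {"M": "2018-04-04 01:11:27", "A": "2018-04-04 01:11:27",
                                      "C": "2018-04-04 01:11:53", "B": "2018-04-04 00:56:19"},
    "Cloudy thoughts (4apr).docx": {"M": "2018-04-04 22:39:30", "A": "2018-04-04 22:39:30",
                                    "C": "2018-04-04 22:39:41", "B": "2018-04-04 22:39:29"},
    "AIRPORT INFORMATION.docx": {"M": "2018-04-04 00:59:32", "A": "2018-04-04 00:59:32",
                                 "C": "2018-04-04 00:59:40", "B": "2018-03-29 22:29:57"},
}

Event = Tuple[datetime, str, str]  # (timestamp, MACB flag, filename)

def macb_timeline(files: Dict[str, Dict[str, str]]) -> List[Event]:
    """Flatten every MACB timestamp into one chronologically sorted event list."""
    events: List[Event] = []
    for name, stamps in files.items():
        for flag, stamp in stamps.items():
            events.append((datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), flag, name))
    return sorted(events)

def sessions(events: List[Event], gap: timedelta = timedelta(hours=1)) -> List[List[Event]]:
    """Cluster sorted events into working sessions: a new session starts whenever
    the gap to the previous event exceeds `gap` (assumed one hour here)."""
    groups: List[List[Event]] = []
    for ev in events:
        if groups and ev[0] - groups[-1][-1][0] <= gap:
            groups[-1].append(ev)
        else:
            groups.append([ev])
    return groups

if __name__ == "__main__":
    for group in sessions(macb_timeline(DESKTOP_FILES)):
        start, end = group[0][0], group[-1][0]
        touched = sorted({name for _, _, name in group})
        print(f"{start} -> {end}: {', '.join(touched)}")
```

Before correlating these with the cloud sync logs or memory capture, convert them to UTC; Autopsy displays local time, while most service logs record UTC.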

The Cloudy Manifesto

This document portrays the suspect's views on gun control and gun-free zones. According to this document, he intends to prove that gun-free zones solve nothing and are in fact more dangerous. Below is a snippet from the document.

Something must be done to show that gun-free zones do not work and will never work. So I intend to break the law. Because that’s what the criminals will do. No matter your laws, when they decide to act, they will. Drugs have always been illegal, but that doesn’t stop people from getting drugs. Speeding is illegal, but people still drive fast. Fraud is illegal, but greed is a strong motivator. So I will be the lone wolf that helps demonstrate to the American Public that laws and signs won’t work. Only the ability to protect yourself will work. The Second Amendment was not “poorly written” it was drafted by the same men who drafted the rest of the Constitution. And no one is complaining about the protections and freedom it gives you. Especially the 1st amendment which allows you to spew your crazy gun-control thoughts.

You will soon see when the blood has been shed and the defenseless bodies stacked high. I will do what I must. No matter who is hurt, the collateral damage will be worth it.

 I will be the change. I will be the revolutionary. I will be the history maker. I will fight. I will be the Lone Wolf.


Planning

This document contains the suspect's plan for executing the attack. This includes items needed, determining the target, escape, and performing a press release afterwards.

Contents of Planning.docx

Operation 2nd Hand Smoke

This PowerPoint document (screenshots below) appears to be the attack plan. It includes screenshots of the target, the escape route, plane ticket information, and the hotel the suspect was planning to stay at after escaping. From the following slides we can conclude that the suspect was planning to carry out his attack on the Town Hall For Our Lives event at 21030 Whitfield Place on April 7th. The suspect appears to have planned to enter through the Library entrance, carry out his attack, and take a direct route to the airport to fly first to South Korea and then to Indonesia.

Target
Possible entrance the suspect was planning on using
Possible entrance and exit routes that the suspect mapped
Escape route to the airport
Possible escape flights the suspect was planning to take
Possible hotel where the suspect planned to stay

Cloudy Thoughts

This document contains more evidence that the suspect was intent on following through with this attack no matter what the outcome.

Contents of “Cloudy Thoughts (4apr).docx”

Airport Information

This document shows the suspect’s purchased plane ticket along with the airport that he was planning to escape from including a screenshot the suspect took of his Desktop.

Contents of “AIRPORT INFORMATION.docx” showing suspect’s flight booking

Cloud Artifacts

In the suspect's planning document, he wrote that he was planning to upload many documents to multiple different cloud applications for redundancy and that he would use these for a press release after escaping. Below are some of the artifacts I managed to find for each of the installed cloud applications. The screenshots include the filename and path of each artifact as well as its contents.


Box Sync

Contains synced files to Box
Folder that gets synced
Contents of the synced folder

Dropbox

Dropbox syncing folder

Google Drive

Google Drive sync folder

OneDrive

OneDrive sync folder

Amazon S3

Shows the folders/files currently queued to sync to S3
File showing the From->To syncing. This job syncs the suspect’s desktop into a “cloudy-thoughts/Desktop” container on S3
Contents of the currently queued file
Sync log 3/27/18
Sync log 4/4/18
Sync log 4/5/18

Memory Analysis

I was performing basic memory forensics, looking for things like clipboard contents, when I ran across the following while analyzing the open windows from memory. It looks to be a keylogger. This was either installed by the subject to make sure no one was snooping around, or installed by the brother, who then alerted the authorities based on the keystrokes recorded.

Snippet of open windows analysis output.
Command used:
volatility.exe -f memdump.mem windows --profile=Win10x64_17134

I extracted the executable using Volatility and did some quick analysis on it; it appears to be an executable called Actual Keylogger. This is a paid piece of software available from http://www.actualkeylogger.com/


Conclusion

There were many documents on the suspect's Desktop related to the planning of a mass shooting at 21030 Whitfield Place in Sterling, Virginia on April 7th. The suspect was planning to enter through the Library and escape to Dulles airport, from where he would travel to Indonesia and release his information to the press.

The evidence files used can be found on Digital Corpora and you can perform your own analysis. I didn’t touch on many other pieces of evidence such as web history, searches, attached devices or registry. I felt like this post was long enough as it was, especially considering the fact that this was just a sample scenario focusing on cloud artifacts.
