Narcos-1 C:/ Image Analysis Using Autopsy Forensic Toolkit
Introduction:
This is
Narcos-1 C:/ Image Analysis Using Autopsy Forensic Toolkit
Introduction:
This is a basic introduction to using Autopsy to examine the contents of a criminal suspect’s
computer. While this is not a real criminal case, but a training tool, there are examples of
paraphernalia and other nefarious dealings throughout the disk image. The situation is that there is
a gang smuggling crystal methamphetamine between Australia and New Zealand. As the new intern
at a computer forensics lab, you have been tasked with finding out some basic information about the
suspect, and the data on their computer’s C: drive.
Assignment:
Before beginning you must download (3) items from here:
https://1drv.ms/u/s!AhucZmhY8LVWgrtSJrsadgbSDK9u-A…
• Narcos_1.aut
• autopsy.db
• Narcos-1.zip
o Unzip this file (30GB)
o Open the “Image” folder within this file
o Drag both Narcos_1.aut and autopsy.db into the “Image” folder
Load the Narcos-1 image into Autopsy and examine the contents. Do this by running Autopsy and
clicking on “Open Case”. If you point the Autopsy software at the “Image” folder in the Narcos-1 folder
that you just unzipped, you should now see the Narcos_1.aut file. Double click on it and the case will
load.
After reviewing the case files, you will answer the questions below. There is a multiple choice test
that has been posted in this lesson where you will answer the questions (1-15) below.
1. What operating system is running on the disk?
Question 1 options:
A)
Unix
B)
macOS
C)
Ubuntu
D)
Windows
2. What was the encryption software used on the encrypted files?
A)
PGP
B)
TrueCrypt
C)
Credent
D)
XTS-AES
3. What method of obfuscation was used to hide files?
A)
ROT13
B)
Base64
C)
XOR
D)
Steganography
4. When was the obfuscation software downloaded?
A)
2019-01-20 19:32:16 EST
B)
2019-01-19 19:16:32 PST
C)
2020-01-19 19:16:32 EST
D)
2019-01-19 19:16:32 EST
5. What is the name of the gang that you discovered for Narcos-1?
A)
Hells Angels MC
B)
Sons of Anarchy
C)
Mongrel Mob fatherland
D)
Head Hunters
6. What application was used to delete files?
A)
BitRaser
B)
File Shredder
C)
iObit Unlocker
D)
CCleaner
7. Where can you find the flight information for the owner of the computer?
A)
Vol_vol7/Users/Steve/Desktop/Secrets/
B)
Vol_vol7/Users/Steve/Pictures/Week04/
C)
Vol_vol7/Users/Steve/Documents/Misc/
D)
Vol_vol7/Users/Steve/Downloads
8. Where would you find the most information about the owner’s personal interests?
A)
Cache
B)
Web history
C)
Desktop
D)
Downloads folder
9. How do you find deleted content in Autopsy?
A)
Deleted files under Views
B)
Recycling bin
C)
You cannot find deleted content with Autopsy
D)
Web history
10. What is the difference between Recycling bin files and deleted files?
A)
Recycling bin files are not deleted files
B)
You require special software to view deleted files
C)
There is no difference
D)
Deleted files cannot be recovered
11. How do you verify the integrity of a file on the machine image compared to the original file on
a suspect’s computer?
A)
Verify using the MD5 hash
B)
Verify if it was encrypted or not
C)
You cannot verify the integrity of a file
D)
Verify the file name
12. What email service was used?
A)
Gmail
B)
Proton Mail
C)
Hotmail
D)
Yahoo!
13. What is the name of the user on the computer?
A)
Brandon
B)
Owen
C)
Mark
D)
Steve
14. What kind of storage file maintains a history of Web searches?
A)
Tmp
B)
.db
C)
Web browser link file
D)
Web cache files
15. How many image/picture files can be found in the computer?
A)
44,467
B)
258
C)
1314
D)
313,000