The plans to a secret weapon were found on a USB Key in a parking lot outside a military installation that uses only default installations of Windows 7. During initial examination of the files on the USB key, the investigator had some questions that they were hoping that you might be able to answer. The investigator provided a screen capture of the files and the modified, accessed, and created times of the files on the USB Key. Using only the screen capture as evidence, please answer the following questions.
HINT: Default installations of Windows 7 will have the last access time disabled.
This challenge was written by Rob Lee of the SANS Digital Forensics Team.
On the morning of July 13th at 0900 hours, a young woman was reported missing. The victim's roommate notified law enforcement, stating the victim had gone out to dinner with friends the previous night and had not returned by the following morning. The victim's friends told law enforcement that she had left dinner shortly before midnight. The victim's cellphone was later recovered from a park near where the victim's car was parked. Law enforcement officials have retrieved an image they believe is of the suspect vehicle. Law enforcement is requesting your assistance in answering specific questions.
The examiner, relying on your knowledge and skills, has provided you with an exact copy of the selected image collected from the mobile device. They have asked whether you can determine, with reasonable forensic certainty, any details from the picture collected from the mobile device. In addition, the law enforcement officer who submitted the case has several questions he wants answered for his report and to increase their general knowledge.
This challenge was written by Mike Murr of the SANS Digital Forensics Team.
The Department of Defense Cyber Crime Center (DC3) has received a case on a possible espionage suspect from a federal law enforcement officer. The suspect, exiting a secured facility, was asked to halt and took off running in a parking lot, where he was stopped. Returning to the building with the suspect, following the same path he ran, three USB flash drives were found in the grass at the base of a light post. After the suspect’s seized laptop was imaged, its hard drive is reviewed by a DCFL computer forensic examiner. The examiner is providing a set of 30 files from the laptop that have been selected as being similar to the files noted on the USB flash drives. The files recovered from the laptop are stored in a single directory named 'Files_From_Hard_Drive'. The examiner is also providing the files found on the three USB flash drives in separate directories named 'Files_From_USB1' (4 files), 'Files_From_USB2' (13 files), and 'Files_From_USB3' (4 files).
The Department of Defense Cyber Crime Center (DC3) has received a request for a digital forensics exam from a Defense Criminal Investigative Organization. After the SUBJECT of the investigation's seized laptop was imaged, its hard drive is reviewed by a DCFL (Defense Computer Forensics Lab) computer forensic examiner. The examiner identifies a set of 13 files that have been marked as suspicious in a single directory.
Public access to the original Web Vulnerability Assessment Security Treasure Hunt.
If you are with a specific group or state then please refer back to your specific organization's quiz.
Contact us at firstname.lastname@example.org if you have any questions.
Please do not ask for assistance with the questions on the quiz.
NROTC Scholarship. For more information about applying, e-mail email@example.com or visit www.uscyberchallenge.org
This is the question engine for the Security Treasure Hunt.