Continued from Magnet AXIOM Process post
https://www.datadigitally.com/2019/05/processing-image.html
This post looks at the processed image from the NIST data leakage case, part of the Computer Forensics Reference Data Sets (CFReDS) project, found at:
https://www.cfreds.nist.gov/data_leakage_case/data-leakage-case.html
Opening Magnet AXIOM Examine and selecting the recently processed case.
Magnet AXIOM Examine home page.
Drop-down for the different tabs in the home menu.
Artifacts tab, tree pane view, within AXIOM Examine.
File system tree pane view, showing two partitions: System Reserved and C.
Questions
- What are the hash values (MD5 & SHA-1) of all images?

| Image segment | SHA-1 |
| --- | --- |
| cfreds_2015_data_leakage_pc.E01 | 72432916933F5A309A8C456B40C9601D1F8D2A4F |
| cfreds_2015_data_leakage_pc.E02 | 0CAF4261ED8432A8B3BAA019B1B28FDF96F79130 |
| cfreds_2015_data_leakage_pc.E03 | BE836C891736C4C0C2253C6803399BF0F2A599BA |
| cfreds_2015_data_leakage_pc.E04 | 9159BFFD56097495F73FBBF967B75EB288B1E3DE |
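Verifying that the segment hashes still match the acquisition record is the first thing to do before trusting any artifact pulled from the image. The script below is an added example, not code from the original post or from Magnet: it hashes each file in streaming chunks (so multi-gigabyte E01 segments never have to fit in memory), infers the algorithm from the recorded hash length, and reports every mismatch. The demo files and the deliberately wrong MD5 in `demo()` are constructed for the example; the real segment names and SHA-1 values from the table above would go in the `expected` mapping.

```python
"""Compute MD5 and SHA-1 for evidence image segments and compare them with the
values recorded at acquisition. Added example; the file names and hashes in
demo() are constructed for the demonstration, not taken from the case images."""
import hashlib
import os
import tempfile


def hash_file(path, chunk_size=1 << 20):
    """Return {'md5': ..., 'sha1': ...} for a file, reading it in 1 MiB chunks."""
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify_images(expected):
    """expected maps a file path to the hash recorded in the acquisition log.
    The algorithm is inferred from the hex length (32 = MD5, 40 = SHA-1).
    Returns a list of (path, algorithm, expected, actual) for every mismatch
    or missing file; an empty list means every segment verified."""
    problems = []
    for path, recorded in expected.items():
        recorded = recorded.lower()
        algo = {32: "md5", 40: "sha1"}.get(len(recorded))
        if algo is None:
            problems.append((path, "unknown", recorded, None))
            continue
        if not os.path.isfile(path):
            problems.append((path, algo, recorded, None))
            continue
        actual = hash_file(path)[algo]
        if actual != recorded:
            problems.append((path, algo, recorded, actual))
    return problems


def demo():
    """Constructed demo: two tiny 'segments' in a temp dir, one with the
    correct recorded SHA-1 and one with a deliberately wrong MD5."""
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "sample.E01")
        bad = os.path.join(tmp, "sample.E02")
        for path in (good, bad):
            with open(path, "wb") as fh:
                fh.write(b"abc")
        expected = {
            good: "a9993e364706816aba3e25717850c26c9cd0d89d",  # SHA-1("abc")
            bad: "00000000000000000000000000000000",           # wrong on purpose
        }
        return verify_images(expected)


if __name__ == "__main__":
    for problem in demo():
        print("MISMATCH:", problem)
```

Only the hashes that the acquisition actually recorded can be checked; where a log lists SHA-1 alone, as in the table above, the MD5 column stays unverified rather than being filled in from the image itself.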
- Identify the partition information of the PC image.
- Explain the installed OS information in detail (OS name, install date, registered owner…).
In the Artifacts tab, drilling down to Operating System Information.
OS information: Windows 7 Ultimate, install date 3/22/2015, registered owner "informant".
- What is the timezone setting?
Eastern Standard Time, gathered from the registry.
- Who was the last person to logon to the PC?
HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\LastLoggedOnUser
Registry key for the last logged-on user.
- What application was last installed?
Eraser has the most recent created date in the Installed Programs artifact.
- Identify web related history
Web-related items include artifacts from the Chrome History file and the Edge/IE WebCache file.
- When was the last recorded shutdown date/time?
HKLM\SYSTEM\ControlSet###\Control\Windows (value: ShutdownTime)
Path to the registry key value, highlighting the hex.
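The ShutdownTime value is stored as a REG_BINARY Windows FILETIME: eight little-endian bytes counting 100-nanosecond ticks since 1601-01-01 UTC, which is why the screenshot shows raw hex rather than a date. The following is an added example, not code from the original post or from Magnet, that decodes those bytes (and encodes them back, for building test vectors); the byte strings used are constructed values, not bytes from the case image.

```python
"""Decode a raw ShutdownTime registry value (Windows FILETIME) into a UTC
timestamp. Added example; test bytes are constructed, not from the case image."""
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(raw):
    """raw: the 8 little-endian bytes exactly as stored in the REG_BINARY value."""
    if len(raw) != 8:
        raise ValueError("FILETIME must be exactly 8 bytes")
    (ticks,) = struct.unpack("<Q", raw)
    # timedelta resolves to microseconds, so drop the sub-microsecond digit.
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Inverse conversion; useful for constructing known-answer test vectors."""
    delta = dt.astimezone(timezone.utc) - _FILETIME_EPOCH
    ticks = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    return struct.pack("<Q", ticks)


def shutdown_time_iso(raw):
    """Human-readable form of the decoded value, always reported in UTC."""
    return filetime_to_datetime(raw).strftime("%Y-%m-%d %H:%M:%S UTC")


if __name__ == "__main__":
    # Constructed vector: the FILETIME for the Unix epoch, 1970-01-01 00:00:00 UTC.
    unix_epoch_ft = b"\x00\x80\x3e\xd5\xde\xb1\x9d\x01"
    print(shutdown_time_iso(unix_epoch_ft))
```

Two details matter when reading this value from a hive: the `ControlSet###` to use is the one named by the `Current` value under `HKLM\SYSTEM\Select`, and the decoded time is UTC, so the Eastern Standard Time setting found earlier has to be applied before comparing it with local-time artifacts.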
- What are some artifacts of recent execution?
Jump Lists sorted by most recent Last Access time.
Link files showing activity on a D: drive, a share drive, and cloud drive services.
In NTUSER.DAT under "Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\Folder", decoded to Unicode.
Shellbags indicating access to a C: drive, a D: drive, and a share drive.
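The "decoded to Unicode" step for RecentDocs is worth seeing in code: each numbered value under a RecentDocs subkey begins with the document name as a null-terminated UTF-16LE string (a shell item naming the .lnk follows it), and the MRUListEx value is a list of little-endian DWORD indices, most recent first, terminated by 0xFFFFFFFF. The block below is an added example, not code from the original post or from Magnet; it assumes the values have already been read out of NTUSER.DAT into a dict keyed by value name, and the sample entries are constructed for the demonstration.

```python
"""Decode NTUSER.DAT RecentDocs entries: MRUListEx ordering plus the UTF-16LE
name at the start of each numbered value. Added example; all sample bytes
are constructed for the demo and do not come from the case image."""
import struct


def parse_mrulistex(raw):
    """MRUListEx: little-endian DWORD indices, most recent first, ending in
    0xFFFFFFFF. Returns the indices in that order."""
    order = []
    for offset in range(0, len(raw) - 3, 4):
        (idx,) = struct.unpack_from("<I", raw, offset)
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order


def parse_recentdocs_name(raw):
    """Return the leading null-terminated UTF-16LE document name. The scan
    steps two bytes at a time so a 0x00 byte inside a code unit is not
    mistaken for the terminator."""
    for offset in range(0, len(raw) - 1, 2):
        if raw[offset:offset + 2] == b"\x00\x00":
            return raw[:offset].decode("utf-16-le")
    return raw.decode("utf-16-le", errors="replace")


def ordered_recent_docs(values):
    """values: registry values under one RecentDocs subkey, keyed by value
    name ('MRUListEx', '0', '1', ...). Returns document names most-recent
    first, skipping any index that has no matching value."""
    names = []
    for idx in parse_mrulistex(values["MRUListEx"]):
        raw = values.get(str(idx))
        if raw is not None:
            names.append(parse_recentdocs_name(raw))
    return names


def _entry(name):
    # Constructed: name, null terminator, then a stand-in for the link shell item.
    return name.encode("utf-16-le") + b"\x00\x00" + b"<shell item omitted>"


# Constructed sample of a RecentDocs\Folder-style subkey: entry 2 is newest.
SAMPLE_FOLDER_KEY = {
    "MRUListEx": struct.pack("<IIII", 2, 0, 1, 0xFFFFFFFF),
    "0": _entry("Quarterly Report.docx"),
    "1": _entry("customer_list.xlsx"),
    "2": _entry("design_plan.pdf"),
}

if __name__ == "__main__":
    for name in ordered_recent_docs(SAMPLE_FOLDER_KEY):
        print(name)
```

MRUListEx gives order only; the time an entry was added has to come from the subkey's last-write timestamp, which the tree-pane view exposes alongside the decoded names.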
- What was written on the recent sticky note?
"\Users\informant\AppData\Roaming\Microsoft\Sticky Notes\StickyNotes.snt"
Tomorrow ... Everything will be OK
NIST has kindly posted the solutions for the case; they can be found at
https://www.cfreds.nist.gov/data_leakage_case/leakage-answers.pdf
It covers in greater detail the data leakage involving the USB images, which I did not include, as well as the email artifacts and a burnt CD.
I commend and thank NIST for making this, and I found it to be a fun resource.
--Bryan