Sunday, January 3, 2010

Forensic Practical Exercise #3

So I figured many of you may be on vacation and would like a little puzzle to work on during your free time ;)

Scenario:
Your company has been contacted by a very wealthy and prominent business. They have one simple request. They would like you to do some data recovery and recover one simple file. The President of the company explains that he has a USB flash device that contained one simple file and that when he gave it to the company accountant (who uses a Mac), the drive suddenly became unreadable. The President advises you that the file contains the account number of a very important bank account and that he needs that 18-digit account number. Nothing else matters to him.

The file is *very* important and he is willing to pay you whatever fee you demand if you are able to recover the file exactly as it was.

Your mission, if you choose to accept it, is to recover the file and be able to tell the President (me) the account number (via email, please don't spoil it and post it in the comments, send to lance(at)forensickb.com).

Extra Credit:
Can you hypothesize as to what happened to make the file "disappear"?
Can you articulate the status of the drive and what, if anything, is different from a typical flash disk?
Provide the MD5 of the recovered file.

I will provide an exact explanation of what was done to the device and file to those who submit answers so you can compare it with what you see. 

There is no encryption or hidden elements to this problem. This is a classic puzzle. For this scenario, I will be the "President" who lost the data and has contacted you. Feel free to "interview me" and ask any further information that you feel necessary, via the comment section (so everyone can benefit).

Good Luck!

Download Here (7.5MB)

18 comments:

Anonymous Monday, 04 January, 2010  

El Presidente
Does the file reside on your primary computer or another device that may have been backed up?

Didn't think so...

What type of file contained the data?
What was the name of the file? If you're not sure exactly, provide a guess as to what it may have been.
What other data was in the file? Did the account number reference a specific customer/entities name, etc.?
Does the accountant recall receiving any errors or onscreen messages when plugging in the device?

Lance Mueller Monday, 04 January, 2010  

Hmm, good questions...

No backup, that's why I am willing to pay you an exorbitant amount of money to recover it ;)

The name of the file was hd.jpg

No other data other than a picture and the account number. No reference to a client name (it's my offshore account in Belize).

Yes, he did state there was some type of error screen, but he could not access the drive and does not remember what it said, although he said it had some type of red warning symbol.

Lance Mueller Tuesday, 05 January, 2010  

I received an email asking similar follow-up questions, which I have posted below, along with my answers.

> How many partitions were on USB drive before it became unreadable?

What do you mean by partitions? I don't know what that is ;) I would just plug it in and it would show up in "My Computer".

> What type of file used to be on the USB drive before it was inaccessible?
> (picture, document, etc)

It was a picture file

> When the accountant placed the USB drive in the Mac system did he get any
> message on the screen such as “initialize, ignore or eject”? Does the
> president know if the accountant pressed the initialize button?

He did have problems with it and does remember a message popping up with an error, but he cannot remember what it said; it did have a red symbol on it.

Anonymous Wednesday, 06 January, 2010  

Well, I don't want to give away anything, but I just wanted to say thank you for posting this even though it is doing my head in! I've found some bits but am certainly nowhere near solving it.

Thanks again - I'm looking forward to reading the answer!

du212 Wednesday, 06 January, 2010  

Mr President,

When you plugged this USB into your computer, in order to access the file, did you first have to enter any password?

What type of computer did you use to access this thumbdrive? (Windows Vista, Windows 7, Windows XP?)

Do you recall the name of the manufacturer of the Thumbdrive ? The name is typically emblazoned on the thumbdrive itself...for example "SanDisk"?

Mr. President Thursday, 07 January, 2010  

In response to the questions directly above:

No, there was no password set or any type of encryption used.

I use a laptop and a desktop, both of which use Windows XP SP3.

The thumbdrive is fairly generic; I bought it at Best Buy. It says "Transcend JF v30 / 4GB" on the outside. It is primarily black with a green edge where the cap goes on.

Cd-MaN Thursday, 07 January, 2010  

One note: if you don't have EnCase, you can convert the image into a RAW image using the Sleuth Kit:

img_cat -v -i ewf Forensic_Practical_3.E01 > dd.raw

Just know that the resulting file will be ~4G, since it is the image of a 4G stick.

Regards.

Anonymous Thursday, 07 January, 2010  

Mr President,
When the accountant received the message on his/her computer, did s/he recall clicking any buttons on the screen? Or did s/he just remove the USB device and return it to you?

Thank you.

Anonymous Thursday, 07 January, 2010  

Okay so there's that jpeg header.....er
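Once the E01 has been converted to a raw image (Cd-MaN's img_cat step above) the remaining work is finding the JPEG the President describes and hashing it for the extra-credit MD5. The following is an added example, not code from the post or from any commenter: a small Python carver that scans a raw image for JPEG start-of-image markers and, rather than cutting at the first FFD9 it sees, walks the marker segments by their length fields. That matters because an EXIF thumbnail inside the APP1 segment carries its own FFD8/FFD9, and the first-FFD9 shortcut returns a truncated file with the wrong hash. The sample image, the stray marker bytes and the file name `dd.raw` are constructed for the demonstration; nothing here is taken from the challenge image.

```python
"""Carve complete JPEG files out of a raw (dd) disk image and MD5 them.

Added example, not from the post or its comments. The sample image below
is constructed in memory; point it at a real raw image with:
    python carve_jpegs.py dd.raw
"""
import hashlib
import mmap
import struct
import sys
from typing import List, Optional, Tuple

SOI = b"\xff\xd8\xff"  # start-of-image followed by the first marker byte


def _u16(buf, pos: int) -> int:
    """Big-endian 16-bit segment length stored at buf[pos:pos+2]."""
    return struct.unpack(">H", buf[pos:pos + 2])[0]


def jpeg_length(buf, start: int) -> Optional[int]:
    """Length of the JPEG beginning at buf[start], or None if it is not a
    structurally complete file. Header segments (APPn, DQT, DHT, SOF, ...)
    are skipped by their length fields, so a thumbnail embedded in APP1 is
    never mistaken for the end of the outer image. After SOS the entropy
    coded data is scanned for EOI, ignoring stuffed FF00 bytes and RSTn."""
    n = len(buf)
    pos = start + 2  # step over FFD8
    while True:  # marker segments before the first scan
        if pos + 4 > n or buf[pos] != 0xFF:
            return None
        marker = buf[pos + 1]
        if marker == 0xFF:  # fill byte
            pos += 1
            continue
        if marker == 0xD9:  # EOI with no scan data: degenerate but complete
            return pos + 2 - start
        if 0xD0 <= marker <= 0xD7 or marker == 0x01:  # standalone markers
            pos += 2
            continue
        seg_len = _u16(buf, pos + 2)
        if seg_len < 2:
            return None
        pos += 2 + seg_len
        if marker == 0xDA:  # SOS: entropy-coded data follows its header
            break
    while pos + 1 < n:  # entropy-coded data, possibly several scans
        if buf[pos] != 0xFF:
            pos += 1
            continue
        nxt = buf[pos + 1]
        if nxt == 0xD9:
            return pos + 2 - start
        if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:  # stuffed byte or restart marker
            pos += 2
        elif nxt == 0xFF:
            pos += 1
        else:  # DHT/SOS etc. between the scans of a progressive JPEG
            if pos + 4 > n:
                return None
            seg_len = _u16(buf, pos + 2)
            if seg_len < 2:
                return None
            pos += 2 + seg_len
    return None


def naive_length(buf, start: int) -> Optional[int]:
    """The common shortcut: cut at the first FFD9 after the SOI. It truncates
    any JPEG carrying an embedded thumbnail, whose own EOI comes first."""
    end = buf.find(b"\xff\xd9", start)
    return None if end == -1 else end + 2 - start


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def carve_jpegs(image, min_size: int = 256) -> List[Tuple[int, bytes, str]]:
    """Return (offset, data, md5) for every complete JPEG in the image.
    SOI byte patterns inside random data fail structural parsing and are skipped."""
    found = []
    pos = image.find(SOI)
    while pos != -1:
        length = jpeg_length(image, pos)
        if length is not None and length >= min_size:
            data = bytes(image[pos:pos + length])
            found.append((pos, data, md5_hex(data)))
            pos = image.find(SOI, pos + length)  # skip the inner thumbnail SOI
        else:
            pos = image.find(SOI, pos + 1)
    return found


def build_sample_jpeg() -> bytes:
    """Constructed JPEG-shaped bytes: APP1 holding an embedded thumbnail (its
    own FFD8/FFD9), one SOS header, scan data with a stuffed FF00 and an RST0
    marker, then EOI. Structurally valid for the carver, not a real picture."""
    thumb = b"\xff\xd8\xff\xd9"
    app1_payload = b"Exif\x00\x00" + thumb
    app1 = b"\xff\xe1" + struct.pack(">H", len(app1_payload) + 2) + app1_payload
    sos_payload = b"\x01\x01\x00\x00\x3f\x00"
    sos = b"\xff\xda" + struct.pack(">H", len(sos_payload) + 2) + sos_payload
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78" * 64
    return b"\xff\xd8" + app1 + sos + scan + b"\xff\xd9"


def build_sample_image() -> bytes:
    """Constructed raw image: zero fill, a stray FFD8FF that is not a JPEG at
    offset 1024, the sample JPEG at offset 4096, then 0xFF slack."""
    stray = b"\xff\xd8\xff\x00\x00\x00"
    padding = b"\x00" * (4096 - 1024 - len(stray))
    return b"\x00" * 1024 + stray + padding + build_sample_jpeg() + b"\xff" * 1024


if __name__ == "__main__":
    if len(sys.argv) > 1:  # memory-map a real image so a 4 GB file is fine
        with open(sys.argv[1], "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
            hits = carve_jpegs(mm)
    else:
        hits = carve_jpegs(build_sample_image())
    for off, data, digest in hits:
        print(f"offset {off:#x}  size {len(data)}  md5 {digest}")
```

On the constructed image the structural walk returns the full 540-byte file, while `naive_length` stops after 16 bytes at the thumbnail's EOI; hashing that truncated carve would never match the original file's MD5. The carver also recognises the picture only as bytes, so it does not care whether the partition table or file system around it was rewritten, which is exactly the situation the scenario describes.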

Mr. President Thursday, 07 January, 2010  

cdtdelta,

The accountant had the flash drive for several minutes, and although I didn't watch everything he did, he stated he could not read the drive and tried several things. I am not sure what he clicked but when he returned it to me he explained that he tried several times and could not read anything from the drive.

pekom Tuesday, 12 July, 2011  

Hi, I have a MacBook Pro and I tried using SPADA for the image but it gave an error 16, someone assist.

Chinese Kid Tuesday, 11 October, 2011  

I just downloaded. I'll see if it works for me! I'm excited to try it out!

Unknown Saturday, 03 June, 2017  

The download link says page cannot be found.

Lance Mueller Saturday, 03 June, 2017  

http://www.forensickb.com/2017/02/enscripts-currently-offline-being-moved.html

Computer Forensics, Malware Analysis & Digital Investigations