
Digital Forensic Challenge - Sara Cyber Puzzle

easy 10 tasks 1 hour
A Digital Forensic Investigation into Threats and Deception
Help Sara uncover who's behind the threats she's received. Dive into encrypted files, mysterious messages, and a damaged laptop. Can you solve the puzzle?

What's the story

25 Points

Overview

What's the story,

Sara was extremely excited about her friend Fatima's upcoming birthday. However, just hours before the celebration was set to begin, Sara accidentally broke her laptop screen. She needed to fix it urgently since she had an online exam the next day. As a result, she couldn't attend the birthday party. A few days later, Sara received a threatening message from an unknown sender.

Using your digital forensics skills, help Sara find out who's behind the threats. Investigate and solve the tasks ahead.




First, before you start the investigation:

Make sure to start the Windows machine on the right screen. It contains all the files and tools you need to start the investigation:

1- saraCase.E01: Sara's machine image

2- Autopsy 4.21.0: A comprehensive digital forensics platform designed to help you analyze hard drives and smartphones. Dive deep into system files, recover deleted data, and uncover hidden digital evidence to aid your investigations.

3- Sonic Visualiser: A tool for viewing and analyzing the contents of audio files.

Firefox users: to enable copy/paste into the browser-based machine, type about:config in the URL field, search for asyncClipboard, then set all listed items to true.

 

[Disconnect any VPN for fast Internet Connection]

Let's start the investigation,

Did you start the machine? It may take up to 5 minutes to start.

 

Scenario Credits

Special thanks to Bayan Al Shahi for creating this engaging scenario

 

To begin analyzing this case, first launch the Autopsy program. Next, click on "Open Recent Case" and select the case you want to open (Sara-case).

Click Complete once you finish the task.

MD5 Hash Acquisition

25 Points

What is the MD5 hash acquisition of the case?

Full Match Answer:

Operating System Identification

25 Points

What operating system is the Sara case running?

Answer Format: XXXXXXXXX XXXXXXX XX XXXXXXX XXXX X

Full Match Answer:

System Shutdown Time

25 Points

When was Sara's computer last correctly shut down?

Answer Format: YYYY/MM/DD-HH:MM:SS, e.g. 2023/10/05-18:25:30

Full Match Answer:

Victim Identification

25 Points

Who was the victim?

Full Match Answer:

Tracing the Blackmailer's Identity

25 Points

By analyzing the emails, who do you think is the blackmailer?

Choose One Answer:

Credit Card Evidence

25 Points

The credit card was a piece of evidence that showed the name of the blackmailer and his account number.

Could you provide the credit card number in the same format?

Answer Format: 0000 0000 0000 0000

Full Match Answer: