Digital Forensics Challenge 2021 Writeup (201 — Shredder Test)

Williams Kosasi
Aug 30, 2021

This is the writeup I submitted for problem 201 of the Digital Forensics Challenge 2021 held by the Korea Institute of Information Security & Cryptology (KIISC). My team name is trying2learn, and the score I got for this problem is 60 out of 200. This writeup was posted here after the deadline of this problem to keep the competition fair.

Instructions

Description

Analyze the given USB Image and answer the questions.

Questions

1. By analyzing the traces of the use of wiping (shredder) programs, identify which programs were used. Hint: some of the following listed tools were used (default setting, freeware/demo license). (150 points)

2. List the files deleted by the user in order of deletion time. Describe all artifacts that indicate the deletion time. (50 points)

File Given

Test_shredder.zip

Tool Used

Autopsy is the tool that will be used to answer this problem.

Answer

Usually, every wiping (shredder) program creates a new file after it has finished wiping, at least with its default settings. The new file is something like a log or temp file. So the existence of such a file can be used as an artifact to prove that a certain wiping (shredder) program was used.

Autopsy is the tool that will help us answer these questions, because it lets us view all files stored on the USB image, including files that have been deleted. So we will check whether there is any log/temp file that was created after a wiping (shredder) program was used to wipe.

First, we will look at all folders and files stored on the given USB image file (test_shredder.E01), as shown in Figure 1.

Figure 1. Folders and subfolders on USB Image file given.

Vol1 does not store any artifact, because all files that were written to the USB were stored on vol2. We can see that vol1 only stores one file, and that file is not related to any wiping (shredder) program, as shown in Figure 2.

Figure 2. File stored on vol1.

On the contrary, vol2 stores a lot of files in its folders and subfolders. There is a folder named ~BCWipe.tmp, as we can see in Figure 1. The existence of this folder shows us that the bcwipe program was used, because it is the folder created after bcwipe is used to wipe. Furthermore, the folder $OrphanFiles also stores a subfolder named BCW-DIR-NODES. This subfolder also supports the statement that the bcwipe program was used. Besides that, another tool was used as well. As shown in Figure 1, we can see that there is a folder named $Unalloc. This folder stores some unallocated-space files, as shown in Figure 3.

Figure 3. File stored on $Unalloc folder

The existence of the fourth file from the top, named Unalloc_148_40398848_1114210304, shows us that the wipefile program was used, because the content of the file indicates that wipefile was used to wipe, as shown in Figure 4.

Figure 4. Indexed Text of a file named Unalloc_148_40398848_1114210304.

After analyzing the USB, we can say that the other tools listed in question number one were not used, because there is no other file or folder besides ~BCWipe.tmp, BCW-DIR-NODES, and Unalloc_148_40398848_1114210304 related to wiping (shredder) programs stored on the USB. So, we can conclude that only two of the 26 listed wiping (shredder) programs were used. The programs were bcwipe and wipefile.

First Question Solved

Next, we can use the same tool (Autopsy) to solve the second problem, because Autopsy provides information about all files that have been deleted, as shown in Figure 5.

Figure 5. Deleted files on USB Image

We just need to click on the ‘All’ type to list all deleted files, as shown in Figure 6. One of the [current folder] entries is related to BCW-DIR-NODES and the other [current folder] entry is related to ~BCWipe.tmp.

Figure 6. List of all deleted files.

After that, we need to find out the deletion time of each file. To do that, we can open the file metadata and look for the $FILE_NAME Attribute Values, as shown in Figure 7. The MFT Modified value indicates the deletion time of the file. So, this artifact will be used to help us identify the deletion time of each file.

Figure 7. BCW-DIR-NODES File Metadata

After looking at the file metadata of each deleted file, we can list all deleted files in order of deletion time. One of the [parent folder] entries, with a size of 0, is not found because it does not contain anything; there is not even any file metadata. One of the [current folder] entries is just the same as BCW-DIR-NODES and the other [current folder] entry is just the same as ~BCWipe.tmp. So, we will assume that there are 13 deleted files instead of 16. Furthermore, the files dir1, dir2, dir3, dir4, and both dir5 were deleted together with BCW-DIR-NODES, because all of them are in the folder $OrphanFiles (BCW-DIR-NODES is the parent of dir1, dir2, dir3, dir4, and both dir5, and the BCW-DIR-NODES folder was deleted while it still stored those child files, as stated). Therefore, the deletion time of dir1, dir2, dir3, dir4, and both dir5 will be the same as that of BCW-DIR-NODES.
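To make the timestamp reasoning above concrete, here is an added Python example (it is not part of the original writeup and not Autopsy code) that parses the resident body of an NTFS $FILE_NAME attribute, reads its MFT Modified FILETIME, lets orphaned children inherit the deletion time of their deleted parent folder, and sorts the result ascending. The entry numbers, file names and times are constructed for the example, not values taken from the challenge image.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME: 100-ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt: datetime) -> int:
    td = dt - EPOCH_1601  # integer arithmetic, so no float rounding
    return (td.days * 86400 + td.seconds) * 10_000_000 + td.microseconds * 10

# $FILE_NAME (type 0x30) resident content: parent ref(8) created(8) modified(8)
# MFT-modified(8) accessed(8) alloc size(8) real size(8) flags(4) reparse(4)
# name length(1) namespace(1), followed by the UTF-16LE name.
FN_HEADER = "<QQQQQQQIIBB"  # 66 bytes

def parse_file_name_attr(body: bytes) -> dict:
    (parent_ref, _created, _modified, mft_modified, _accessed, _alloc, _real,
     _flags, _reparse, name_len, _ns) = struct.unpack_from(FN_HEADER, body)
    name = body[66:66 + 2 * name_len].decode("utf-16-le")
    # low 48 bits of the parent reference are the parent's MFT entry number
    return {"name": name, "parent_mft": parent_ref & 0xFFFFFFFFFFFF,
            "deleted": filetime_to_datetime(mft_modified)}

def build_file_name_attr(name: str, parent_mft: int, mft_modified: datetime) -> bytes:
    """Build a constructed $FILE_NAME body for the sample (other fields zeroed)."""
    return struct.pack(FN_HEADER, parent_mft, 0, 0, datetime_to_filetime(mft_modified),
                       0, 0, 0, 0, 0, len(name), 3) + name.encode("utf-16-le")

def order_by_deletion(entries: dict) -> list:
    """entries: MFT entry number -> $FILE_NAME body of a deleted file.
    A child whose parent folder is itself among the deleted entries went down
    with that folder, so it takes the parent's MFT Modified time."""
    parsed = {num: parse_file_name_attr(b) for num, b in entries.items()}
    rows = []
    for rec in parsed.values():
        parent = parsed.get(rec["parent_mft"])
        when = parent["deleted"] if parent else rec["deleted"]
        rows.append((rec["name"], when.isoformat()))
    return sorted(rows, key=lambda r: (r[1], r[0]))

SAMPLE = {  # constructed entries; entry 5 stands for the root directory
    70: build_file_name_attr("BCW-DIR-NODES", 5, datetime(2021, 6, 1, 10, 0, tzinfo=timezone.utc)),
    71: build_file_name_attr("dir1", 70, datetime(2021, 5, 30, 9, 0, tzinfo=timezone.utc)),
    72: build_file_name_attr("dir2", 70, datetime(2021, 5, 30, 9, 5, tzinfo=timezone.utc)),
    80: build_file_name_attr("~BCWipe.tmp", 5, datetime(2021, 6, 1, 9, 30, tzinfo=timezone.utc)),
    90: build_file_name_attr("report.docx", 5, datetime(2021, 6, 2, 8, 0, tzinfo=timezone.utc)),
}
```

Running `order_by_deletion(SAMPLE)` lists ~BCWipe.tmp first, then BCW-DIR-NODES with dir1 and dir2 at the same inherited time, then report.docx.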

Below is the list of the files deleted by the user in order of deletion time (ascending):

Table 1. List of the files deleted by the user in order of deletion time (ascending)

Second Problem Solved

Summary:

  1. There were two wiping (shredder) programs used to wipe which were bcwipe and wipefile.
  2. Below is the list of the files deleted by the user in order of deletion time (ascending):

As I have stated before, I only got 60 out of 200 for this question. This means that something was wrong with my writeup; there might be a wrong method or a wrong artifact used to answer this question. So, feel free to leave any comments and correct me if something is wrong or missing.
