Hunting Hackers Using Autopsy on a macOS Image

Oct 3, 2023

Join us as we forensically investigate this interesting scenario that often leads to rabbit holes, red herrings, canards and wild goose chases.

Introduction

In this scenario, we've received an image of a USB thumb drive (orig_128mb_image.dd) confiscated from the hacker's backpack. It was literally sewn into the lining of the backpack, which makes it even more interesting. The primary investigators did not want to plug it into any of their field laptops (they learned from the last time - another story, another time), and kicked it back here to our basement team for further analysis.

After our team imaged the 128MB USB thumb drive (do they even make those anymore?), hashed it for exhibitable evidence, and assigned it to a case, they get to play with it and see if there's anything actually on there. This is where we load it into Autopsy [1], running in a Windows 11 VM under Parallels on macOS Sonoma, and see what we see.
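
The acquisition hash is what later proves the exhibit loaded into the case is the same bytes that came off the drive. As an added example (not code from the article or from Autopsy), the script below streams a dd image once through MD5, SHA-1 and SHA-256, writes the digests with size and timestamp into a small JSON manifest, and re-verifies the image against that manifest; the case id and the image it builds are constructed placeholders.

```python
import hashlib
import json
import os
from datetime import datetime, timezone

ALGOS = ("md5", "sha1", "sha256")
CHUNK = 1024 * 1024  # 1 MiB reads, so a large image never has to fit in memory


def hash_image(path: str) -> dict:
    """Stream the image once and return {algorithm: hex digest}."""
    hashers = {name: hashlib.new(name) for name in ALGOS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def write_manifest(image_path: str, manifest_path: str, case_id: str) -> dict:
    """Record acquisition hashes, size and UTC time for the case file."""
    record = {
        "case_id": case_id,
        "image": os.path.basename(image_path),
        "size_bytes": os.path.getsize(image_path),
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "hashes": hash_image(image_path),
    }
    with open(manifest_path, "w") as fh:
        json.dump(record, fh, indent=2)
    return record


def verify_image(image_path: str, manifest_path: str) -> list:
    """Re-hash the image; return the algorithms whose digest no longer matches."""
    with open(manifest_path) as fh:
        expected = json.load(fh)["hashes"]
    actual = hash_image(image_path)
    return [name for name in ALGOS if expected.get(name) != actual[name]]


if __name__ == "__main__":
    import tempfile
    # Constructed stand-in for orig_128mb_image.dd so the script runs offline
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "orig_128mb_image.dd")
    with open(image, "wb") as fh:
        fh.write(os.urandom(2 * CHUNK + 17))  # deliberately not a whole number of chunks
    manifest = image + ".manifest.json"
    print(json.dumps(write_manifest(image, manifest, "CASE-PLACEHOLDER"), indent=2))
    print("mismatches:", verify_image(image, manifest))  # prints: mismatches: []
```

Run the verify step again after the Autopsy session (and after any copy to another workstation); a non-empty list means the exhibit is no longer the one that was hashed at acquisition.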

We'll continue down below under the Demonstration section, so feel free to skip ahead and check it out.

Meanwhile, we'll discuss digital data in its most modern form. Nowadays, it's very common to keep data in the cloud (aka other people's computers that you or someone else rent), and that's what most people do in the most nonchalant fashion, assuming, or not even caring, whether the data is being encrypted or scrutinized by entities, live, AI or otherwise.

Data is also kept on phones, flash drives, SD cards, DVDs,....

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023