AF-0 · DFB-D1 · Disk
Clean Start
No anti-forensics. Basic recovery, timeline and user attribution. Measures baseline recall.
Scenario
An NTFS disk image. An employee deleted several files before leaving. Recover the deleted document, identify the last user and the deletion time. Note: one of the files has genuinely been overwritten.
Anti-forensics techniques
- None (AF-0)
Provided artifacts
- NTFS disk image (E01 + raw dd)
Sample questions
- What is the deleted document's name and SHA-256?
- When and by which user was the file deleted?
- Which file is permanently unrecoverable?
Soundness trap
A tool claiming to recover the overwritten file is heavily penalized; 'permanently lost' is the correct answer.
Scoring
Recall-weighted + 1 soundness trap.
Artifact coming soon. The downloadable artifact for this case is generated by our instrumented-VM pipeline and released with the F0 pilot.