AF-3DFB-D4 · Disk
The Hidden Room
Hidden VeraCrypt volume + USN journal wipe + a RAM image stored on disk (holds the key). Cross-artifact.
Scenario
There is a hidden VeraCrypt volume on disk; the passphrase is not stored in a file but lives in a memory dump saved on the disk. First extract the RAM image, then recover the key from memory, mount the volume and retrieve its contents. The USN journal is wiped. A text file holds a plausible but wrong 'password'.
Anti-forensics techniques
- Hidden VeraCrypt volume (deniability)
- USN Journal ($J) wipe
- RAM-in-image (memory dump on disk)
- Key recovery from memory
Provided artifacts
- Disk image (E01) containing a RAM dump file
Sample questions
- How was the hidden volume's passphrase recovered from memory, and what is it?
- What are the names and hashes of the files inside the volume?
- The USN journal is wiped; which other artifact proves the deletion?
Soundness trap
Presenting the fake password from the text file as the 'solution' is a failure; it does not open the volume.
Scoring
Cross-artifact chain + key recovery + fake-password resistance.
Artifact coming soon. The downloadable artifact for this case is generated by our instrumented-VM pipeline and released with the F0 pilot.