AF-4DFB-D5 · Disk
The Ghost Operator
Boss case: a threat actor's machine. Nested image, fileless traces in pagefile/hiberfil, secure-delete, multiple false trails, split key. Attribution + TTP.
Scenario
The machine under examination belongs to a hacker; it contains active concealment and heavy noise. There is a nested disk image, fileless malware remnants in pagefile and hiberfil, secure-deleted offensive tooling, multiple misleading trails, and an encrypted container whose key is split between the pagefile and a stego image. Determine the actor, the targets, the TTPs used (MITRE ATT&CK), and which trails are deliberately false.
Anti-forensics techniques
- Nested image (image-in-image)
- Fileless traces (pagefile.sys / hiberfil.sys)
- Secure-delete + timestomp + log clearing
- Split key (pagefile + stego)
- Multiple planted false trails (red herrings)
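The split-key technique above, worked through as an added example from the analyst's side; this is not code from the case or its artifact pipeline. It assumes things the page does not state: that the pagefile fragment sits behind a carvable marker (here the made-up `KF1=` tag), that the stego image carries a 2-byte length followed by the fragment in the LSB plane of its raw RGB samples, that the two fragments combine by XOR, and that the container's header decrypts to a known magic under a hash-counter stand-in cipher. The evidence (pagefile blob, cover image, container header) is constructed inline. The point it demonstrates is the soundness-trap discipline: the pagefile yields more than one plausible fragment, and only the candidate that actually opens the container is reported.

```python
import hashlib
import re

# Assumed carving pattern for the pagefile fragment; the real case's marker is not known here.
FRAG_PATTERN = re.compile(rb"KF1=([0-9a-f]{32})")
MAGIC = b"VAULT1\x00\x00"          # constructed plaintext header the right key must reveal
IMG_WIDTH, IMG_HEIGHT = 64, 8      # constructed 24-bit RGB cover image (raw samples, no file format)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def filler(label: str, length: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for real memory and pixel noise."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(f"{label}:{counter}".encode()).digest()
        counter += 1
    return out[:length]


def carve_fragments(blob: bytes) -> list:
    """Return every hex fragment behind the marker; decoys are carved too, validation decides."""
    return [bytes.fromhex(m.decode()) for m in FRAG_PATTERN.findall(blob)]


def lsb_embed(samples: bytearray, payload: bytes) -> bytearray:
    """Write a 2-byte big-endian length then the payload into the LSB of successive samples."""
    data = len(payload).to_bytes(2, "big") + payload
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    out = bytearray(samples)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit
    return out


def lsb_extract(samples: bytes) -> bytes:
    """Read the length-prefixed payload back out of the LSB plane."""
    def read_bytes(start_bit: int, count: int) -> bytes:
        acc = bytearray()
        for b in range(count):
            val = 0
            for i in range(8):
                val = (val << 1) | (samples[start_bit + b * 8 + i] & 1)
            acc.append(val)
        return bytes(acc)
    length = int.from_bytes(read_bytes(0, 2), "big")
    return read_bytes(16, length)


def toy_keystream(key: bytes, length: int) -> bytes:
    """Hash-counter keystream: a stand-in for whatever cipher the real container uses."""
    return filler("ks:" + key.hex(), length)


def validate_key(key: bytes, header_ct: bytes) -> bool:
    """A candidate key counts only if the container header decrypts to the expected magic."""
    return xor_bytes(header_ct, toy_keystream(key, len(header_ct))).startswith(MAGIC)


def reassemble_key(pagefile: bytes, image: bytes, header_ct: bytes):
    """Combine each carved pagefile fragment with the stego fragment; keep the one that validates."""
    stego_frag = lsb_extract(image)
    for frag in carve_fragments(pagefile):
        candidate = xor_bytes(frag, stego_frag)
        if validate_key(candidate, header_ct):
            return candidate
    return None


# --- Constructed evidence (not from the case) ---
TRUE_FRAG = bytes.fromhex("00112233445566778899aabbccddeeff")
DECOY_FRAG = bytes.fromhex("deadbeefdeadbeefdeadbeefdeadbeef")   # planted false trail
STEGO_FRAG = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
KEY = xor_bytes(TRUE_FRAG, STEGO_FRAG)

PAGEFILE = (filler("pf0", 4096) + b"KF1=" + DECOY_FRAG.hex().encode()
            + filler("pf1", 4096) + b"KF1=" + TRUE_FRAG.hex().encode()
            + filler("pf2", 4096))
STEGO_IMAGE = bytes(lsb_embed(bytearray(filler("img", IMG_WIDTH * IMG_HEIGHT * 3)), STEGO_FRAG))
CONTAINER_HEADER = xor_bytes(MAGIC + filler("hdr", 24), toy_keystream(KEY, 32))

if __name__ == "__main__":
    print("carved fragments:", [f.hex() for f in carve_fragments(PAGEFILE)])
    print("stego fragment  :", lsb_extract(STEGO_IMAGE).hex())
    print("validated key   :", reassemble_key(PAGEFILE, STEGO_IMAGE, CONTAINER_HEADER).hex())
```

Running it carves two fragments from the pagefile, one of them the decoy; only the combination that decrypts the header to the magic is returned, which is the cross-validation the scoring rewards. On the real artifact the marker, the LSB layout and the container cipher all have to be established from the evidence first; the structure of the check stays the same.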
Provided artifacts
- Disk image (E01) + pagefile.sys + hiberfil.sys + nested image
Sample questions
- What are the actor's identity/infrastructure traces and the target list?
- Map the TTPs used to MITRE ATT&CK.
- From which two sources was the encrypted container's key reassembled?
- Which trails are deliberately false (red herrings)?
Soundness trap
Multiple false trails exist; reporting a wrong target/actor as real is heavily penalized. Triage and cross-validation are essential.
Scoring
Attribution + TTP + key reassembly + multi-false-trail resistance (highest weight).
Artifact coming soon. The downloadable artifact for this case is generated by our instrumented-VM pipeline and released with the F0 pilot.