The Suspect's Machine Is a Hacker's
Downloadable flagship case image (8 MiB). The suspect is a threat actor: the image is full of noisy logs, offensive tool traces and deliberately misleading trails. The real evidence is encrypted; its key leaked into the swapfile (a cross-artifact dependency). Investigation questions: who, what, how, which tool, which anti-forensics technique. Do not fall for the planted false trails.
Scenario
A threat actor's seized machine. The bash history holds hundreds of commands, multiple identities, a VPN/Tor chain and red-herring traffic; traces of offensive tooling (credential dumping, network scanning, SQL injection) and anti-forensics commands (timestamp forgery, log destruction) are visible. The real operation is hidden: the C2 configuration is SHA256-CTR encrypted, and its key fell into the swapfile region (cross-artifact: first carve the key from swap, then decrypt the config). The decrypted config gives the real C2 server and the exfiltration target. The disk also holds a deliberately planted fake C2 and fake victim list (honeypot/misdirection). Skills tested: extracting the real operation from the haystack; reaching the encrypted evidence; not reporting the planted false trail as real (soundness). Questions are MITRE ATT&CK oriented: the credential-dumping tool used and the anti-forensics technique.
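The cross-artifact step (key from swap, then config decryption) as an added worked example; this is not the challenge's own tooling or image layout. Everything here is an assumption chosen for the demonstration: the region offsets, the hypothetical `c2key=` marker preceding the leaked key, the 16-byte nonce plus 4-byte length prefix in front of the ciphertext, and the SHA256-CTR construction itself (keystream block i = SHA256(key || nonce || i as an 8-byte big-endian counter)). The sample image, including the plaintext decoy config, is constructed inline.

```python
"""Cross-artifact recovery: carve a leaked key from a swap region, then decrypt a
SHA256-CTR config. Added example; layout, marker and CTR construction are assumed."""
import hashlib

# Assumed image layout (constructed for this example, not the case image's real layout).
SWAP_OFFSET = 0x1000
SWAP_SIZE = 0x1000
CONFIG_OFFSET = 0x3000
CONFIG_SIZE = 0x400
KEY_MARKER = b"c2key="   # hypothetical marker the swapped-out process left before the key
KEY_LEN = 32
NONCE_LEN = 16


def sha256_ctr_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Keystream block i = SHA256(key || nonce || i as 8-byte big-endian counter).
    This is the assumed SHA256-CTR construction; the real challenge may differ."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def sha256_ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR mode is symmetric: XOR with the keystream both encrypts and decrypts."""
    keystream = sha256_ctr_keystream(key, nonce, len(data))
    return bytes(a ^ b for a, b in zip(data, keystream))


def carve_key_from_swap(swap: bytes) -> bytes:
    """Locate the marker in the swap dump and return the KEY_LEN bytes after it."""
    idx = swap.find(KEY_MARKER)
    if idx < 0:
        raise ValueError("key marker not present in swap region")
    start = idx + len(KEY_MARKER)
    key = swap[start:start + KEY_LEN]
    if len(key) != KEY_LEN:
        raise ValueError("key truncated at end of swap region")
    return key


def parse_config(text: str) -> dict:
    """key=value lines; comments and anything else are ignored."""
    cfg = {}
    for line in text.splitlines():
        if "=" in line and not line.startswith("#"):
            k, v = line.split("=", 1)
            cfg[k.strip()] = v.strip()
    return cfg


def recover_config(image: bytes) -> dict:
    """Cross-artifact step: swap -> key, then encrypted blob -> decrypted settings.
    Blob layout (assumed): nonce (16) || ciphertext length (4, big-endian) || ciphertext."""
    swap = image[SWAP_OFFSET:SWAP_OFFSET + SWAP_SIZE]
    key = carve_key_from_swap(swap)
    blob = image[CONFIG_OFFSET:CONFIG_OFFSET + CONFIG_SIZE]
    nonce = blob[:NONCE_LEN]
    ct_len = int.from_bytes(blob[NONCE_LEN:NONCE_LEN + 4], "big")
    ciphertext = blob[NONCE_LEN + 4:NONCE_LEN + 4 + ct_len]
    plaintext = sha256_ctr_crypt(key, nonce, ciphertext)
    return parse_config(plaintext.decode("utf-8", errors="replace"))


def build_sample_image() -> bytes:
    """Constructed 16 KiB image: a plaintext decoy config (the planted false trail),
    a swap page holding the key amid junk, and the real config encrypted under that
    key. Sample data only; addresses are documentation-range values."""
    image = bytearray(0x4000)
    decoy = b"# planted decoy\nc2_server=203.0.113.5\nexfil_target=decoy.example\n"
    image[0x200:0x200 + len(decoy)] = decoy
    key = hashlib.sha256(b"constructed-sample-key").digest()
    swap_page = b"\xAA" * 600 + KEY_MARKER + key + b"\x55" * 300
    image[SWAP_OFFSET:SWAP_OFFSET + len(swap_page)] = swap_page
    nonce = b"\x11" * NONCE_LEN
    real = b"c2_server=198.51.100.7\nexfil_target=drop.example.net\n"
    blob = nonce + len(real).to_bytes(4, "big") + sha256_ctr_crypt(key, nonce, real)
    image[CONFIG_OFFSET:CONFIG_OFFSET + len(blob)] = blob
    return bytes(image)


if __name__ == "__main__":
    sample = build_sample_image()
    print("decrypted config:", recover_config(sample))
```

The decoy config is readable with `strings` alone, which is exactly why it is the wrong answer: the reported C2 and exfiltration target must come from the blob that could only be opened with the key carved from swap.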
Anti-forensics techniques
- Log noise + multiple identities + Tor/VPN (haystack)
- Planted false trail (honeypot C2 + fake victim list)
- Encrypted evidence + cross-artifact (key in swap)
- Anti-forensics: timestomp + log destruction (shred)
Provided artifacts
- Raw disk image (8 MiB; bash history + swap + encrypted config + planted decoy)
Sample questions
- q1: What is the real C2 server address? (from the encrypted config)
- q2: What is the actual exfiltration target?
- q3: Which credential-dumping tool was used? (MITRE T1003)
- q4: Which anti-forensics technique was used?
- trap1: Do NOT report the planted fake C2 / fake victim list as real.
Soundness trap
Scoring
Cross-artifact investigation accuracy (C2+exfil+TTP) + planted-trail decoy resistance (soundness).