2019 Narcos

Simplified Scenario

Due to intelligence provided by the Australian government, two passengers were intercepted by Customs upon arriving at Wellington, New Zealand from Brisbane. The intelligence provided stated that Jane Esteban and John Fredricksen may be involved in illegal activity.

The suspects were searched by a customs officer. John Fredricksen’s baggage consisted of clothing, toiletries and a Windows laptop. Jane Esteban’s baggage also consisted of clothing, toiletries and a small Windows laptop.

Upon further search of the lining of John Fredricksen’s suitcase, one kilogram of Methamphetamine was located. Both suspects were taken into separate interview rooms where they were interrogated. John Fredricksen refused to answer any questions.

Jane Esteban stated that all she knew was that she had to deliver the suitcase to the Eastbourne library, but if all else failed then they were to deliver it to 666 Rewera Avenue, Petone, as told by John Fredricksen.

Customs and police subsequently raided that address. There was nobody present at the address. Customs did, however, find drugs, guns and a desktop computer in the living room of the suspect’s house.

You are a Customs forensics investigator. Customs officers have delivered a forensic image and memory dump of the suspect’s desktop computer to you. Your task is to determine the relationship between John Fredricksen and the suspect, their future intentions and any other supporting evidence that pertains to the case.

Complex Scenario

Due to intelligence provided by the Australian government, two passengers were intercepted by Customs upon arriving in Wellington, New Zealand from Brisbane. The intelligence stated that Jane Esteban and John Fredricksen may be involved in illegal activity.

The suspects were each searched by a customs officer. John Fredricksen’s baggage consisted of clothing, toiletries and a Windows laptop. Jane Esteban’s baggage also consisted of clothing, toiletries and a small Windows laptop.

Upon further search of the lining of the suitcase, one kilogram of Methamphetamine was located. Both suspects were taken into separate interview rooms where they were interrogated. John Fredricksen refused to answer any questions. 

Jane Esteban stated that all she knew was that she had to deliver the suitcase to the “Eastbourne library”, but if all else failed then they were to deliver it to 666 Rewera Avenue, Petone, as told by John.

Customs and police subsequently raided that address. There was nobody present at the address. Customs did, however, find drugs, guns and a desktop computer in the living room of the suspect’s house.

You are a Customs forensics investigator. Customs officers have delivered images and memory dumps of the 2 laptops and 1 desktop computer to you. Your task is to carry out a forensic examination of John Fredricksen’s, Jane Esteban’s and the unknown suspect’s laptops and desktop computer to further understand their motives, goals and objectives. It should be noted that all three devices contain different Windows 10 builds, so the resulting artefacts may not be located in the same place, or may not be present at all.

Personas:

John Fredricksen

John has been communicating with Steve Kowhai (NZ dealer) via what he believes is a secure and private chat room (Discord) to discuss his new consignment. Their chat contains information on where they are going and what he wants John Fredricksen to deliver. Furthermore, Steve shares some documents via (email, cloud, etc) that will assist with his job.

John Fredricksen now has enough information to concoct his plan of smuggling the 1kg of methamphetamine into New Zealand, but he needs to find some cover that can take the heat off himself if any surprises were to happen. John identifies Jane Esteban, a regular user of his business’s product (meth), and thinks she will make a great mule for smuggling the drugs.

Jane Esteban

Jane is an undercover Australian Federal Police (AFP) officer tasked with gathering evidence about a drug ring involving John Fredricksen and his associate Steve Kowhai in New Zealand.

Jane will be using the following persona while working undercover. She has a terrible addiction and has been visiting John to feed her addiction, which has led to a transactional friendship with him as a result. John approaches Jane soon after his discussion with Steve to try and convince her to assist with his job.

Steve Kowhai

Steve is a big-player drug distributor/dealer in the lower North Island of New Zealand and is wanting to find some quality product to expand his growing empire even more. Steve has contacted a source (John) in the US to smuggle in a taster of the product he plans to buy in larger quantities later. Steve has provided John with information about New Zealand and points on how best to smuggle the product into Wellington without raising any alarms at customs. Steve knows a thing or two about digital forensics and decided to use steganography to hide the document within a picture.
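The scenario does not say which steganography technique Steve used, so an examiner has to triage the recovered pictures for several possibilities. The following is an added example (not part of the scenario materials) of one such triage check: it walks the PNG chunk list or the JPEG marker segments to find where the image data genuinely ends and flags any bytes that follow, identifying common document signatures. The sample images are constructed inline and the `EMBEDDED_MAGIC` table is an assumption of this example.

```python
import struct
import zlib

# Signatures worth flagging if found after an image's end marker (assumed list).
EMBEDDED_MAGIC = {
    b"PK\x03\x04": "zip/ooxml",
    b"%PDF": "pdf",
    b"\xd0\xcf\x11\xe0": "ole2 (legacy office)",
}

def png_end_offset(data: bytes):
    """Walk PNG chunks (length, type, data, CRC) and return the offset just past IEND."""
    pos = 8  # skip the 8-byte PNG signature
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC
        if ctype == b"IEND":
            return pos
    return None

def jpeg_end_offset(data: bytes):
    """Walk JPEG marker segments up to SOS, then locate the real EOI (FFD9).
    Searching for FFD9 from the start would stop early on an EXIF thumbnail."""
    pos = 2  # skip SOI
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xDA:  # SOS: entropy-coded data follows, terminated by FFD9
            eoi = data.find(b"\xff\xd9", pos + 2)
            return None if eoi < 0 else eoi + 2
        if marker == 0xD8 or 0xD0 <= marker <= 0xD7:  # standalone markers, no length
            pos += 2
            continue
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
    return None

def trailing_payload(data: bytes):
    """Return (kind, offset, payload) if bytes follow the image end marker, else None."""
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        end = png_end_offset(data)
    elif data.startswith(b"\xff\xd8"):
        end = jpeg_end_offset(data)
    else:
        return None
    if end is None or end >= len(data):
        return None
    tail = data[end:]
    kind = next((k for m, k in EMBEDDED_MAGIC.items() if tail.startswith(m)), "unknown")
    return kind, end, tail

def _png_chunk(ctype, body):  # helper to build constructed sample PNGs with valid CRCs
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

# Constructed samples: a 1x1 PNG and a JPEG whose EXIF segment carries its own FFD9.
SAMPLE_PNG = (b"\x89PNG\r\n\x1a\n" + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + _png_chunk(b"IEND", b""))
_app1 = b"Exif\x00\x00" + b"\xff\xd8\xff\xd9"
SAMPLE_JPEG = (b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(_app1) + 2) + _app1
               + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00" + b"\x12\x34" + b"\xff\xd9")
SAMPLE_PNG_WITH_PDF = SAMPLE_PNG + b"%PDF-1.4 constructed payload"
SAMPLE_JPEG_WITH_ZIP = SAMPLE_JPEG + b"PK\x03\x04constructed payload"
```

Appended payloads are only the simplest case; pixel-level (LSB) embedding leaves the image structure intact and needs statistical or tool-based analysis instead.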

The root directory for this scenario is here.

The evidence for this scenario includes:

Steve Kowhai drive image: here

Jane Esteban drive image: here

John Fredricksen drive image: here

Steve Kowhai memory image: here

Jane Esteban memory image: here

John Fredricksen memory image: here

As a reminder, this scenario is imaginary, and as such, should only be used for teaching purposes. Any likeness to any real life person or persons is purely coincidental.

The teacher guides are encrypted with the same passphrase that is used to encrypt all of the digitalcorpora.org teacher’s guides. If you do not have it, you can request it using the website’s contact form.

Note: Windows Defender may flag the encrypted Narcos scenario teacher’s guide as Trojan:Win32/Spursint.F!cl, but if you are reading this, you probably know that those are typically false positives.

Solving the Case

The memory dumps can be analyzed with Volatility 2.6.1, Volatility 3 and MemProcFS.

With Volatility 2.6.1:

With Volatility 3: