This repository contains a forensic analysis report on the malware discovered on a hard drive seized from a suspected Rebel malware writer. The investigation aimed to uncover the malware’s purpose, the messages it might send, and any additional artifacts valuable to the Imperial Forces.
The Imperial Forces conducted this investigation after obtaining an image of a hard drive from a suspected Rebel malware writer. The analysis focused on understanding the nature of the malware, decoding any hidden messages, and uncovering additional clues that might aid future investigations.
The goals of this forensic analysis were to:
- Identify the final version of the malware and assess its function.
- Decode any message within the final malware version.
- Uncover other artifacts or items of intelligence that could assist the Imperial Forces.
- Document and overcome any investigative challenges encountered.
The forensic investigation followed a structured approach:
- Data Extraction: Analyzed files, executables, and network traces on the hard drive image.
- Malware Analysis: Inspected suspicious executables and decoded potential messages within network traffic.
- Artifact Collection: Located relevant items that provided insight into the Rebel’s activities.
- Documentation: Compiled findings, notable artifacts, and solutions to challenges faced during the analysis.
- Malware Executables: Two suspicious executables, `obiwan.exe` and `obiwan2.exe`, were identified. Both made network connections, with `obiwan2.exe` containing encoded messages that revealed the password `r2d2`.
- Encrypted Message: Using `r2d2` as the decryption key, an encrypted VeraCrypt volume was unlocked, revealing Death Star plans and messages linked to defeating Darth Vader.
- Interesting Artifacts: Additional files, such as `obiwan.py` and `places.sqlite`, were found, likely contributing to the malware's operation or containing relevant intelligence.
- Message Decoding: Recognising and decoding the base64-encoded strings within `obiwan2.exe` required familiarity with common encoding and decoding techniques.
- Connecting Artifacts: Identifying the connection between the `not-the-droids-youre-looking-for.mp3` file and the VeraCrypt volume posed an initial challenge, resolved after further analysis.
- Autopsy: For comprehensive file analysis.
- Wireshark: To analyze network traffic.
- VeraCrypt: For decryption of the encrypted volume.
- Base64 Decoder: For decoding encoded messages.
This analysis confirmed that the Rebel malware writer’s final version of the malware contained messages linked to strategic Rebel plans. By enhancing monitoring, encryption, and access controls, the Imperial Forces can better prevent similar security breaches.
For more details, please refer to the full investigation report in this repository.