As a Forensics Lab Analyst, you analyse the artefacts from crime scenes. Occasionally, the law enforcement agency you work for receives “intelligence reports” about different cases, and today is one such day. A trusted informant, who has connections to an international crime syndicate, contacted your supervisor about William S. McClean from Case #B4DM755.
The informant provided information about the whereabouts of the suspect, who is currently at large, in Metro Manila, Philippines, and about a transaction that will happen today with a local gang member. They also knew the exact location of the meetup and that the suspect would have incriminating materials at the time.
The law enforcement agency prepared for the operation by obtaining proper search authority and assigning a DFIR (Digital Forensics & Incident Response) First Responder (i.e., you) to ensure the appropriate acquisition of digital artefacts and evidence for examination at the Forensics Lab, and eventually for use in litigation. The court issued a search warrant on the same day, allowing law enforcement officers to investigate the suspect and his place of residence based on the informant’s tip.
1) What is the visible extension of the “hideout” file?

2) View the metadata of the “hideout” file. What is its actual extension?
$targetDir = 'C:\Users\analyst\Desktop\artefacts\[root]\'

Get-ChildItem -LiteralPath $targetDir -File -Recurse | ForEach-Object {
    # Run ExifTool, redirect errors to $null
    $rawOutput = C:\tools\exiftool-12.47\exiftool.exe -s3 -FileTypeExtension $_.FullName 2>$null

    # Only proceed if ExifTool actually returned a value
    if ($rawOutput) {
        # By wrapping $rawOutput in double quotes, we safely force it into a string
        $trueExt = "$rawOutput".Trim().ToLower()
        $currentExt = $_.Extension.TrimStart('.').ToLower()

        # Check for a mismatch
        if ($trueExt -ne $currentExt) {
            [PSCustomObject]@{
                FileName   = $_.Name
                CurrentExt = $currentExt
                TrueExt    = $trueExt
                FullPath   = $_.FullName
            }
        }
    }
} | Format-Table -AutoSize

3) A phone was used to photograph the “hideout”. What is the phone’s model?

4) A phone was used to photograph the “warehouse”. What is the phone’s model?

5) Who was the point of contact of Mr William S. McClean in 2022?

6) A meetup occurred in 2022. What are the GPS coordinates during that time?
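
Questions 3, 4 and 6 all come down to reading EXIF tags (camera model, capture time, GPS position) from the acquired files. The following is an added example, not part of the original walkthrough: it reuses the ExifTool path and artefact directory from the script above and assumes the relevant images carry standard EXIF tags.

```powershell
$exifTool  = 'C:\tools\exiftool-12.47\exiftool.exe'
$targetDir = 'C:\Users\analyst\Desktop\artefacts\[root]\'

Get-ChildItem -LiteralPath $targetDir -File -Recurse | ForEach-Object {
    # -json : structured output that ConvertFrom-Json can parse
    # -n    : numeric values, so GPS comes back as signed decimal degrees
    $json = & $exifTool -json -n -Make -Model -DateTimeOriginal `
                        -GPSLatitude -GPSLongitude $_.FullName 2>$null

    # ExifTool prints nothing for files it cannot read
    if (-not $json) { return }

    # ExifTool emits one JSON array per invocation; join the lines before parsing
    $meta = ($json -join "`n") | ConvertFrom-Json

    foreach ($m in $meta) {
        # Skip files that carry neither device nor location metadata
        if (-not ($m.Model -or $m.GPSLatitude)) { continue }

        [PSCustomObject]@{
            FileName  = $_.Name
            Make      = $m.Make
            Model     = $m.Model
            Taken     = $m.DateTimeOriginal
            Latitude  = $m.GPSLatitude
            Longitude = $m.GPSLongitude
        }
    }
} | Sort-Object Taken | Format-Table -AutoSize
```

Sorting by capture time makes it easy to pick out the entries from 2022; files whose visible extension is wrong (question 2) are still parsed, because ExifTool identifies the type from the file content rather than the name.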

7) What is the password to extract the contents of pandorasbox.zip?
