DC3 2009


DC3 2009 Challenge

Team NSSAL

University of New Orleans

Report Summary

The 2009 DC3 Challenge (“The Challenge”) consisted of a hard drive image (“The Image”) and three supporting documents: a witness affidavit, a search warrant, and an analysis request (“The Documents”). The background information in The Documents painted a picture of a planned crime preempted by a tip-off from a suspect’s girlfriend. The search warrant identifies The Image as coming from Blane Stallman’s computer and requests an analysis of the image to locate evidence of the following crimes:

  • 26 USC Sec. 5812 (possession of automatic weapons),

  • 10 USC Chapter 161 – Property Records And Report Of Theft Or Loss Of Certain Property (Weapons)

  • 42 U.S.C. 3713 Computer Crime Enforcement Act

  • 40 USC Sec. 5104. Unlawful activities

  • 10 USC Sec. 881. Art. 81. Conspiracy

  • And all and any other offenses as may be discovered, including but not limited to any relevant Internet activity and/or communications the subject may have conducted prior to 20 February 2009.

Evidence Discrepancies & Notes

The documentation notes there were also five USB thumb drives seized as part of the search warrant, but this data was not provided to us.

In this report, the image file’s partitions are referred to by drive letter: partition 1 is C, partition 2 is D, and partition 3 is E. C and D are FAT partitions and E is NTFS, as shown in the following table:

Offset Sector: 0

Units are in 512-byte sectors

Drive   Slot    Start        End          Length       Description
C:      00:00   0000000063   0000433754   0000433692   DOS FAT16 (0x06)
D:      01:00   0000433818   0003534299   0003100482   Win95 FAT32 (0x0B)
E:      02:00   0003534363   0020000924   0016466562   NTFS (0x07)
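
The following Python is an added example, not part of Team NSSAL's report. It parses the three partition rows above, checks each Length against Start and End, converts start sectors to byte offsets, and lists the sector ranges that no partition covers; the function and field names are assumptions of this example.

```python
import re

SECTOR_SIZE = 512  # the table states "Units are in 512-byte sectors"

# Partition rows copied from the table above (drive letters are the report's labels).
LAYOUT = """\
C:  00:00   0000000063   0000433754   0000433692   DOS FAT16 (0x06)
D:  01:00   0000433818   0003534299   0003100482   Win95 FAT32 (0x0B)
E:  02:00   0003534363   0020000924   0016466562   NTFS (0x07)
"""

ROW = re.compile(r"^(\w):\s+(\d\d:\d\d)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+?)\s*$")

def parse_layout(text):
    """Return partitions sorted by start sector, rejecting inconsistent rows."""
    parts = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # skip headers and blank lines
        label, slot, desc = m.group(1), m.group(2), m.group(6)
        start, end, length = (int(m.group(i)) for i in (3, 4, 5))
        if end - start + 1 != length:
            raise ValueError(f"{label}: Length does not match Start/End")
        parts.append({"label": label, "slot": slot, "desc": desc,
                      "start": start, "end": end, "length": length,
                      # byte offset, for tools that address a partition by bytes
                      "byte_offset": start * SECTOR_SIZE,
                      "byte_size": length * SECTOR_SIZE})
    return sorted(parts, key=lambda p: p["start"])

def unallocated_gaps(parts, first_sector=0):
    """Sector ranges (inclusive) before and between partitions.
    The first range includes sector 0, which holds the partition table.
    The image's total size is not in the table, so no trailing gap is reported."""
    gaps, cursor = [], first_sector
    for p in parts:
        if p["start"] < cursor:
            raise ValueError(f"{p['label']}: overlaps the previous partition")
        if p["start"] > cursor:
            gaps.append((cursor, p["start"] - 1))
        cursor = p["end"] + 1
    return gaps

if __name__ == "__main__":
    partitions = parse_layout(LAYOUT)
    for p in partitions:
        print(f"{p['label']}: {p['desc']:<20} byte offset {p['byte_offset']}")
    for first, last in unallocated_gaps(partitions):
        print(f"unallocated: sectors {first}-{last} ({last - first + 1} sectors)")
```
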
