Ransomware on image but cannot find in original computer

I have found the following text on a computer I am using Autopsy to perform a forensics examination upon:

we have received your payment and will now proceed to decrypt your files.if you fail to comply within 36h, the ransom will be raised. you have been warned.wfmmp8@sigaint.orge:\projects\brc\brc\obj\x86\release\brc.pdbbrc.exesupportscam:html/techbrolo.bx

The text is showing up in Autopsy but I cannot find the text on the original computer the image was taken from. How can I find the file with this text on the original computer?

Can you give some more details on how/where you found the text in Autopsy? It’s possible that you’re looking at a deleted file - does it have a red ‘x’ on it like the “deleted” folder in this screenshot? https://sleuthkit.org/autopsy/docs/user-docs/4.0/result-viewer-example-1.PNG
Or are you running keyword search and perhaps found the text in unallocated space?

Thank you for responding to my post. I found the file via a keyword search. There is not a red x on the file. In Autopsy the file location only shows img_F://$CarvedFiles/f0570724.

My goal is to find the file on the original laptop.

Ah that explains it. The $CarvedFiles folder is created by PhotoRec (Autopsy User Documentation: PhotoRec Carver Module) - it looks through unallocated space to find things that look like files and makes entries for them under $CarvedFiles. The name “f0570724” is also created by PhotoRec. The data you’re looking at is most likely from a file that was deleted, so you’re not going to be able to find it in the original image.

I appreciate you explaining this very much. The image I am working with is from a computer that continues to set off alerts for searching the dark web. I wanted to find the location of that file so I could determine the software that is searching the dark web. Any idea how I can find how this computer is reaching out to the dark web?

I’m assuming there was nothing suspicious under Program Run or other artifacts generated by Recent Activity? (Autopsy User Documentation: Recent Activity Module). Autopsy isn’t really designed to find malware though. You’ll probably want an incident response tool to try to figure out what’s going on.

You could try Cyber Triage - it has a free trial. https://www.cybertriage.com/

Nothing suspicious under Program Run and the Web Cache does not show any .onion domain searches during the periods of the alerts.
I am not sure how to access the recent activity as the options dialog on my screen is quite different from the one in the tutorial.

If you have Program Run and Web Cache artifacts then you ran Recent Activity. I don’t think Autopsy is going to help.

Is there any way to find the original path for the file “f0570724”?

It’s unlikely. If the directory entry for the file still existed, it probably would have shown up as a deleted file or an orphan file.
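The two replies above make one point that is worth seeing concretely: a keyword hit inside $CarvedFiles is a hit at a byte offset in unallocated space, and the path you want lives in filesystem metadata (a directory entry) that no longer points at that space. The script below is an added example, written for this thread rather than taken from the original posts or from Autopsy/PhotoRec. It builds a constructed in-memory toy volume (512-byte sectors, 8 sectors per cluster, a one-byte-per-cluster allocation bitmap and a line-per-file toy directory, none of which is real NTFS), runs a keyword search the way Autopsy's keyword search walks an image, maps each hit to its sector and cluster, and reports whether the cluster is still allocated and whether any directory entry names it. The file names, offsets and note text are constructed sample data.

```python
"""Map a keyword hit in a disk image to a cluster and check for a directory entry.

Added illustration for the thread above, not Autopsy or PhotoRec code. The
on-disk layout here is a constructed toy, not NTFS: cluster 0 holds a bitmap
(one byte per cluster, 1 = allocated), cluster 1 holds a directory of
"name|first_cluster|A-or-D" lines (A = active, D = deleted but entry kept).
"""

SECTOR = 512
SECTORS_PER_CLUSTER = 8
CLUSTER = SECTOR * SECTORS_PER_CLUSTER      # 4096 bytes, a common cluster size
N_CLUSTERS = 64
BITMAP_CLUSTER = 0
DIRECTORY_CLUSTER = 1

# Constructed sample contents; the note fragment mirrors the one in the thread.
RANSOM_NOTE = b"we have received your payment and will now proceed to decrypt your files."
README = b"quarterly report draft, nothing to see here"
OLD_INVOICE = b"invoice 2019-03: we have received your payment, thank you"


def build_volume() -> bytearray:
    """Return a toy volume with one live file, one deleted file whose directory
    entry survived, and one deleted file whose entry was overwritten (carve-only)."""
    vol = bytearray(N_CLUSTERS * CLUSTER)
    bitmap = bytearray(N_CLUSTERS)
    entries = []

    def place(name: str, cluster: int, data: bytes, state: str) -> None:
        vol[cluster * CLUSTER: cluster * CLUSTER + len(data)] = data
        if state == "A":
            bitmap[cluster] = 1                 # live file keeps its cluster allocated
        if state in ("A", "D"):                 # "X": entry gone, only the data remains
            entries.append(f"{name}|{cluster}|{state}".encode())

    bitmap[BITMAP_CLUSTER] = bitmap[DIRECTORY_CLUSTER] = 1
    place("README.txt", 5, README, "A")          # live file
    place("invoice.txt", 9, OLD_INVOICE, "D")    # deleted, directory entry still present
    place("brc_note.txt", 17, RANSOM_NOTE, "X")  # deleted, entry overwritten: name is lost

    vol[BITMAP_CLUSTER * CLUSTER: BITMAP_CLUSTER * CLUSTER + N_CLUSTERS] = bitmap
    blob = b"\n".join(entries)
    vol[DIRECTORY_CLUSTER * CLUSTER: DIRECTORY_CLUSTER * CLUSTER + len(blob)] = blob
    return vol


def keyword_search(vol: bytes, needle: bytes) -> list:
    """Every byte offset at which `needle` occurs anywhere in the image."""
    hits, pos = [], vol.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = vol.find(needle, pos + 1)
    return hits


def read_directory(vol: bytes) -> dict:
    """cluster -> (name, state) for every surviving directory entry."""
    start = DIRECTORY_CLUSTER * CLUSTER
    blob = bytes(vol[start:start + CLUSTER]).rstrip(b"\x00")
    out = {}
    for line in blob.split(b"\n"):
        if line:
            name, cluster, state = line.decode().split("|")
            out[int(cluster)] = (name, state)
    return out


def classify_hit(vol: bytes, offset: int) -> dict:
    """Translate a keyword-hit offset into sector/cluster and say what metadata,
    if any, still points at it. Only the third verdict is what a carver gives you."""
    cluster = offset // CLUSTER
    allocated = vol[BITMAP_CLUSTER * CLUSTER + cluster] == 1
    entry = read_directory(vol).get(cluster)
    if allocated and entry:
        verdict = "live file"
    elif entry and entry[1] == "D":
        verdict = "deleted file, name recoverable from its directory entry"
    else:
        verdict = "unallocated, no directory entry points here: carve-only, path unrecoverable"
    return {"offset": offset, "sector": offset // SECTOR, "cluster": cluster,
            "allocated": allocated, "name": entry[0] if entry else None,
            "verdict": verdict}


if __name__ == "__main__":
    volume = build_volume()
    for off in keyword_search(volume, b"we have received your payment"):
        print(classify_hit(volume, off))
```

On a real image the same reasoning is done with The Sleuth Kit rather than a toy bitmap: take the physical offset Autopsy reports for the carved file, convert it to a data unit, then `blkstat <image> <unit>` tells you whether that unit is allocated and `ifind -d <unit> <image>` tells you whether any metadata entry still references it. When `ifind` finds nothing, you are in the third case above and the original path is gone with the directory entry.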

I have realized great success with THOR Lite - Nextron Systems

After updating using the utility program, I run the search with the following options: --intense --allreasons --processintegrity

This will produce many false positives, but if you have an ongoing compromise of your system, this is one of the best single-command options for finding it.