06-15-2025, 08:41 AM
(A Journey into Digital Forensics Through Deception, Destruction, and Discovery)
⸻
Chapter 1: The Midnight Call
11:47 PM – I received a call from an old client, this time not for a routine review or training, but for a serious incident.
“We lost all the R&D data for our new product line. It seems someone intentionally erased the hard drive and the backup. The director is furious. Can you come right away?”
I nodded, grabbed my specialized bag: the forensic hard drive, the Autopsy license dongle, write blocker, flashlight, and a packet of instant coffee.
⸻
Chapter 2: Cold Air-Conditioned Room, Hot Hard Drives
When I arrived, the room was dark and cold, and the server drive smelled faintly of ozone.
The suspect hard drive – number 12 – was placed separately in an anti-static box.
“I found it wiped yesterday around 3am. But no one was on duty. The camera logs are missing.”
I used a write blocker to connect the drive to the forensic machine.
The data had been “zeroed out” – meaning entire sectors had been overwritten with byte 00.
But luckily: not the entire drive, just a major portion. I decided to use PhotoRec and then bulk_extractor to start scanning each sector.
⸻
Chapter 3: Blood in the Log
After almost 2 hours of extracting data from the remaining part, I recovered some hidden logs: SRUM (System Resource Usage Monitor), which few people know keeps a record of the machine's activity for a long time.
Including:
• Specific command line launch time: cipher /w:C:\
• Executor: account "qa-dev1"
• From there, I traced the entire command line chain: a USB drive plugged in 2 minutes earlier, the D: drive mounted.
I started to see the scenario more clearly:
• A person with elevated privileges
• Accessing the R&D system
• Using the encryption script to quickly overwrite the data and then removing the USB
⸻
Chapter 4: Ghost in the VPN
Starting from the qa-dev1 account, I analyzed the VPN logs. There was a connection from an IP address in Central Europe, which did not match this employee's location.
I asked to check qa-dev1's workstation. The employee was... on a 3-day vacation to Da Lat.
Analyzing his memory dump, I found:
• Remote access tool (AnyDesk) running in the background
• Small executable file called update_vpn_svc.exe - a lightweight RAT backdoor
And more: the keepalive.log file recorded a strange IP address – matching the VPN IP address mentioned above.
It seems that someone used the QA account, combined with a long-installed Trojan - to attack the company itself.
⸻
Chapter 5: The Man in the Shadows
I analyzed the timeline in more depth. In the last 6 weeks, the update_vpn_svc.exe software was installed after QA borrowed a USB from an external partner to "copy the test library".
The USB - the silent killer - is back once again.
⸻
Chapter 6: The Last Wall
I had to run Plaso to reconstruct the detailed timeline: every login, USB insertion, script execution. After almost 12 hours, I built the big picture:
1. Backdoor secretly installed 6 weeks ago via USB.
2. The attacker patiently observed via AnyDesk.
3. Waited until the QA employee was on vacation, then attacked via VPN.
4. Accessed R&D server, downloaded data via SMB.
5. Finally: used encryption to destroy the drive and hide the traces.
⸻
⚖️ Final Chapter: Justice and Reform
The company reported to the investigation agency. We extracted all the IOCs, wrote a 50+ page report of findings, including:
• Forensic images of hard drive 12
• IOCs: IP, file hash, backdoor, deletion script
• Detailed timeline
• Key vulnerabilities: no USB monitoring, no 2FA enabled for VPN, no regular checks for remote-access tools
⸻
✅ Message from hard drive 12
“The bad guys don’t have to be good. They just have to be patient.
And if you don’t look at the usage logs, they’ll disappear like water – until it’s too late.”
⸻
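As an added illustration (not part of the original post), a small Python correlation over a constructed mini-timeline of the kind Plaso produces, flagging the pattern the story describes in Chapters 3, 4 and 6: a VPN login from an unexpected country by an account on leave, and a wipe command shortly after a USB mount. The timestamps, account names, country codes and HR leave data are all assumptions.

```python
"""Correlate a reduced super-timeline to flag the "on leave + VPN + wipe" pattern.

All events below are constructed; they only mimic the fields a Plaso
timeline would carry (timestamp, source, user, description).
"""
from datetime import datetime, timedelta

# Constructed sample timeline (made-up values, not data from the case)
EVENTS = [
    {"ts": "2025-06-13 02:58:10", "source": "VPN", "user": "qa-dev1",
     "desc": "vpn connect", "geo": "HU"},
    {"ts": "2025-06-13 03:01:15", "source": "USB", "user": "qa-dev1",
     "desc": "usb mass storage mounted as D:", "geo": None},
    {"ts": "2025-06-13 03:03:20", "source": "SRUM", "user": "qa-dev1",
     "desc": "cipher /w:C:\\", "geo": None},
    {"ts": "2025-06-13 09:15:00", "source": "VPN", "user": "dev2",
     "desc": "vpn connect", "geo": "VN"},
]

# Assumed HR/context data: accounts on leave and each user's usual country
ON_LEAVE = {"qa-dev1"}
HOME_GEO = {"qa-dev1": "VN", "dev2": "VN"}
# Command fragments treated as destructive; the page's own example is cipher /w
WIPE_MARKERS = ("cipher /w",)


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def find_suspicious(events, window=timedelta(minutes=10)):
    """Return alert strings for geo-anomalous VPN logins and wipe commands
    that follow a USB mount by the same user within `window`."""
    alerts = []
    ev = sorted(events, key=lambda e: parse(e["ts"]))
    for i, e in enumerate(ev):
        if e["source"] == "VPN" and e["geo"] != HOME_GEO.get(e["user"]):
            reason = "unexpected country"
            if e["user"] in ON_LEAVE:
                reason += ", account on leave"
            alerts.append(f'{e["ts"]} VPN {e["user"]} from {e["geo"]}: {reason}')
        if e["source"] == "SRUM" and any(m in e["desc"].lower() for m in WIPE_MARKERS):
            t = parse(e["ts"])
            recent_usb = [u for u in ev[:i] if u["source"] == "USB"
                          and u["user"] == e["user"] and t - parse(u["ts"]) <= window]
            tag = "after USB mount" if recent_usb else "no recent USB"
            alerts.append(f'{e["ts"]} wipe command by {e["user"]} ({tag}): {e["desc"]}')
    return alerts


if __name__ == "__main__":
    for line in find_suspicious(EVENTS):
        print(line)
```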