
Cracking the Rebel Malware: A Full DFIR Deep-Dive

Author: Arbaaz Jamadar · 4 mins

The Objective

I was given a forensic hard drive image allegedly belonging to a “Rebel malware writer.” The goal was clear: figure out what their newest malware does, capture any outbound messages it sends, and pull out every useful piece of intelligence hiding on that drive.


Tools Used

  • Autopsy: disk image analysis and artifact extraction
  • 7-Zip: extracting the hard drive image from the archive
  • Wireshark: capturing and analyzing live network traffic
  • Sysinternals (TCPView, Process Monitor): real-time process and network monitoring
  • VeraCrypt: decrypting the hidden encrypted volume

Phase 1 - Verifying Integrity

Before touching anything, I verified the MD5 hash of the provided zip file against the expected checksum. The two matched, confirming that the image had been neither tampered with nor corrupted in transfer. This is a non-negotiable first step in any forensic workflow: every later finding rests on the evidence being what it claims to be.


Phase 2 - Disk Image Analysis with Autopsy

After extracting the image with 7-Zip, I loaded it into Autopsy as a new case with a Disk Image data source and ran a full ingest scan across all modules.

What Stood Out

Three shortcut files immediately caught my attention in the Recent Documents section:

  • final-form.lnk
  • obiwan.lnk
  • obiwan2.lnk

Each .lnk file is a Windows shortcut pointer. Tracing them back revealed they linked to three Python scripts: obiwan.py, obiwan2.py, and final-form.py.

Deleted Files

Two of the three Python source files had been deliberately wiped — obiwan2.py and final-form.py both showed a Path ID of -1, confirming deletion. Only obiwan.py survived with an intact Path ID of 3011.

Executed Programs

The Run Programs section flagged two compiled executables, final-form.exe and obiwan2.exe, each with a .pf (prefetch) artifact proving it had actually been run on the machine.

File Locations

  • Python source files: Documents and Settings/Administrator/My Documents/code/
  • Compiled executables: Documents and Settings/Administrator/My Documents/code/dist/

I was able to extract obiwan.exe and obiwan2.exe from the dist/ directory for further analysis.


Phase 3 - Hunting for Hidden Encryption

Two artifacts in Autopsy’s Analysis Results section raised flags:

  1. VeraCrypt Setup - Found under Encryption Programs > veracrypt.exe. This suggested something on the drive had been encrypted. I extracted and installed it on my forensic machine.

  2. A suspicious .mp3 file - Under Encryption Suspected, a file named not-the-droids-youre-looking-for.mp3 stood out immediately. Every other file in the same directory was a playable MP3; this one was not. Crucially, it carried no Zone.Identifier (mark-of-the-web) stream, meaning it was never downloaded from the internet but created locally by the user. This was clearly a disguised encrypted container.
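The "looks like an MP3 but is not" judgement above can be automated. The following is an added example (not part of the original write-up) that checks whether a file carries a real MP3 signature (ID3v2 tag or MPEG frame sync) and measures byte entropy, since a VeraCrypt container has no header and is indistinguishable from random data. The sample bytes are constructed stand-ins, not data from the original image.

```python
import math
import random
from collections import Counter

# Constructed samples: a minimal ID3v2-tagged MP3 header, and seeded random
# bytes standing in for a headerless encrypted container. Neither is from the
# original drive image.
SAMPLE_MP3 = b"ID3\x03\x00\x00\x00\x00\x00\x21" + b"TIT2" + b"\x00" * 500
SAMPLE_CONTAINER = random.Random(42).randbytes(4096)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_mp3(data: bytes) -> bool:
    """True if the data starts with an ID3v2 tag or an MPEG audio frame sync."""
    if data[:3] == b"ID3":
        return True
    # MPEG frame header begins with 11 set sync bits: 0xFF then top 3 bits of next byte.
    return len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0


def classify(data: bytes, ext: str) -> str:
    """Label a file by content rather than by its extension."""
    head = data[:4096]
    if ext.lower() == ".mp3" and looks_like_mp3(head):
        return "audio"
    # Headerless plus near-maximal entropy is the fingerprint of an encrypted volume.
    if not looks_like_mp3(head) and shannon_entropy(head) > 7.9:
        return "suspected-encrypted-container"
    return "unknown"


if __name__ == "__main__":
    print("real mp3:", classify(SAMPLE_MP3, ".mp3"))
    print("disguised container:", classify(SAMPLE_CONTAINER, ".mp3"))
```

On a mounted image you would run classify() over every file whose extension claims a media type; the entropy threshold is a heuristic, so treat hits as leads to confirm, not verdicts.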


Phase 4 - Running the Malware Under Wireshark

With Wireshark listening, I executed each binary and monitored all outbound traffic.

obiwan.exe - Traffic Capture

The executable made HTTP requests to:

  • https://www.umd.edu/help-me-obiwan-kenobi/
  • https://www.umd.edu/youre-my-only-hope/

Star Wars references - playful, but not the payload. These appeared to be decoy or beacon requests.

obiwan2.exe - The Real Payload

This binary was far more interesting. Its requests hit:

  • www.umd.edu/this-is-not-even-my-final-form
  • www.umd.edu/All-your-base64-are-belong-to-us
  • www.umd.edu/cjJkMiBpcyB0aGUga2V5

The second URL was the breadcrumb: “All your base64 are belong to us”, a direct hint that the third URL contained Base64-encoded data.

Decoding the Key

Running cjJkMiBpcyB0aGUga2V5 through a Base64 decoder gave:

r2d2 is the key

The decryption key was r2d2.
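Spotting that one path segment by eye worked here, but the same check can be run over every captured URL. This added example (not from the original write-up) pulls each path segment out of a list of request URLs, keeps only those that are valid Base64 decoding to printable ASCII, and returns the decoded text. The URL list is constructed from the ones quoted above plus one ordinary URL as a negative case; it is not a real capture.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed request list mirroring the URLs seen in the obiwan2.exe capture,
# plus a benign URL as a negative case. Not an actual pcap.
CAPTURED_URLS = [
    "http://www.umd.edu/this-is-not-even-my-final-form",
    "http://www.umd.edu/All-your-base64-are-belong-to-us",
    "http://www.umd.edu/cjJkMiBpcyB0aGUga2V5",
    "http://www.umd.edu/about/index.html",
]

# Standard Base64 alphabet with optional padding; hyphens and dots fail this.
_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def decode_if_base64(segment: str) -> Optional[str]:
    """Return decoded text if `segment` is Base64 that yields printable ASCII, else None."""
    if len(segment) < 8 or len(segment) % 4 != 0 or not _B64_RE.match(segment):
        return None
    try:
        raw = base64.b64decode(segment, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Short alphanumeric words often decode to garbage bytes; require readable output.
    return text if text.isprintable() else None


def find_encoded_segments(urls: List[str]) -> List[Tuple[str, str, str]]:
    """Scan every path segment of every URL; return (url, segment, decoded) hits."""
    hits = []
    for url in urls:
        for seg in urlsplit(url).path.split("/"):
            decoded = decode_if_base64(seg)
            if decoded is not None:
                hits.append((url, seg, decoded))
    return hits


if __name__ == "__main__":
    for url, seg, decoded in find_encoded_segments(CAPTURED_URLS):
        print(f"{url}\n  segment {seg!r} decodes to {decoded!r}")
```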


Phase 5 - Decrypting the Hidden Volume

Armed with the key, I used VeraCrypt to mount not-the-droids-youre-looking-for.mp3 as an encrypted volume. After selecting the file as the volume and entering the password r2d2, it decrypted successfully, revealing three files inside, including a folder containing the data the malware had been referencing all along.


Phase 6 - Running final-form.exe

With the decrypted volume mounted, I executed final-form.exe under Wireshark. It sent requests to:

  • /We-have-the-blue-prints-to-the-Death-Star
  • /We-will-defeat-Darth-Vader

These weren’t random strings. The mounted volume contained a folder with the blueprints of the Death Star, the very data the malware was designed to exfiltrate.


Summary of Findings

  • Malware binaries: obiwan.exe, obiwan2.exe, final-form.exe
  • Exfiltration method: HTTP requests to external URLs carrying encoded intelligence
  • Hidden key: r2d2, Base64-encoded inside obiwan2.exe’s network traffic
  • Encrypted container: not-the-droids-youre-looking-for.mp3 (VeraCrypt volume disguised as audio)
  • Stolen data: Death Star blueprints stored inside the decrypted volume
  • Deleted evidence: obiwan2.py and final-form.py were wiped to cover tracks

Key Takeaways

Encryption doesn’t mean invisibility. The malware author used VeraCrypt to hide the payload, but the decryption key was leaked through the malware’s own network traffic — a critical operational security failure.

File extensions lie. The encrypted volume was disguised as an .mp3 file. Always validate files by their actual content, not their extension.

Network traffic is gold. Running the executables under Wireshark was what cracked the case open. The Base64-encoded URL in obiwan2.exe’s traffic was the single biggest intelligence breakthrough in this investigation.

Deleted files leave traces. Even though the source files were wiped, Autopsy’s artifact analysis (prefetch logs, shortcut files, and path metadata) exposed exactly what had been deleted and when.


This project was a fantastic end-to-end exercise in digital forensics: from image verification and disk analysis, through live malware execution and traffic capture, all the way to cryptographic decryption and data recovery. If you have questions or want to discuss the methodology, feel free to reach out.
