Bottom Line Up Front (BLUF):

TheDarkOverlord uses Windows (unknown if it is a VM), artifacts indicate files were exfiltrated from the victim in a way that maintained original timestamps, and file artifacts suggest the contents are authentic.

Background:

If you work in cybersecurity and haven’t heard of TheDarkOverlord (TDO) yet, you might actually be living under a rock. While I have not spent much time analyzing previous TDO hacks, there is a clear track record of successful hacks. TDO grabbed my attention today when I saw they had released a VeraCrypt container of documents. I just blogged about VeraCrypt the other day.

TDO released a torrent for a zip file containing five containers (“Layer_#.container”) and a preview container (“Preview_Documents.container”). The zip file warrants further analysis (I think there are some oddities to it), but this post is focused on VeraCrypt.

Accessing and Imaging the Volume

On Twitter – a place full of many confused people – there was confusion as to how to access the contents of the container. To do this you must use VeraCrypt. Launch the application, click on “Select File”, and select the “Preview_Documents.container”. Then you will click “Mount”, and you will see a password prompt as well as several options.

The password to the container – as released by TDO – is

*CZ4=I{YZ456zGecgg9/cCz|zNP5bZ,nCvJqDZKrq@v?O5V$FezCNs26CD;e:%N^

If you simply want to open up the container and look at the contents, that is all you need. If you’d like to do some forensics on it, though, then I recommend the following (keeping in mind I am using a Linux host):

At the same menu, select Options, check “Mount volume as read-only”, and check “Do not mount” at the bottom. “Do not mount” attaches the decrypted volume as a block device without mounting its file system, and read-only keeps us from tampering with the contents of the volume.

Once mounted, you can use lsblk to identify where the VeraCrypt volume is mounted (for me: /dev/dm-1). At this point you have the volume mounted as a decrypted read-only container. This means we can use forensics tools just as if it were a regular thumb drive or SD card connected to the system. I suggest using dd to create an image of the decrypted container:

sudo dd if=/dev/dm-1 of=decrypted.preview.container status=progress


I also recommend hashing the file and the device with md5sum, sha1sum, and sha256sum to ensure your copy worked appropriately. Here are the hashes I had:

md5: 3f9f348561fd7681477fb01eb6a9bf6e
sha1: f6e1aee283baa4d4fb278c7c1797fa5c1ca1d3b6
sha256: 2c11ae5e0c812468980fe0fb3add8801eb10799af69eb6c2e5206def292131c7

Now the fun can begin!

Analysis

There are a lot of different tools that can be used, but I’m going to keep it simple and use the command line SleuthKit tools. Maybe I’ll use TimeSketch with Skadi if more container passwords are released.

NOTE: Full output from some of these tools can be sizeable, so I trimmed output as needed.

I like to use fsstat to get the lay of the land before diving into a device:

>fsstat decrypted.preview.container 
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: FAT16

OEM Name: MSDOS5.0
Volume ID: 0xea72980e
Volume Label (Boot Sector): NO NAME    
Volume Label (Root Directory):
File System Type Label: FAT16   

Sectors before file system: 0

File System Layout (in sectors)
Total Range: 0 - 19967
* Reserved: 0 - 1
** Boot Sector: 0
* FAT 0: 2 - 40
* FAT 1: 41 - 79
* Data Area: 80 - 19967
** Root Directory: 80 - 111
** Cluster Area: 112 - 19967

Nothing terribly interesting stands out – we see the file system is FAT16, but that is regular behavior from VeraCrypt when creating a FAT volume of this size (~10MB).

Next we feed the output of “fls” into “mactime” to build a timeline:

>fls -r -p -m / decrypted.preview.container | mactime -d -z utc >> decrypted.preview.container.mactime

Date,Size,Type,Mode,UID,GID,Meta,File Name
Xxx Xxx 00 0000 00:00:00,1024,..c.,d/dr-xr-xr-x,0,0,3,"/$RECYCLE.BIN"
Xxx Xxx 00 0000 00:00:00,129,..c.,r/rr-xr-xr-x,0,0,517,"/$RECYCLE.BIN/desktop.ini"
Xxx Xxx 00 0000 00:00:00,433664,..c.,r/rrwxrwxrwx,0,0,581,"/Preview_Documents/00010873.DOC"
Xxx Xxx 00 0000 00:00:00,588800,..c.,r/rrwxrwxrwx,0,0,582,"/Preview_Documents/00014645.PPT"
Xxx Xxx 00 0000 00:00:00,768512,..c.,r/rrwxrwxrwx,0,0,583,"/Preview_Documents/00017494.DOC"
Xxx Xxx 00 0000 00:00:00,46592,..c.,r/rrwxrwxrwx,0,0,584,"/Preview_Documents/00036132.DOC"
Xxx Xxx 00 0000 00:00:00,196433,..c.,r/rrwxrwxrwx,0,0,585,"/Preview_Documents/00036309.pdf"
Xxx Xxx 00 0000 00:00:00,188944,..c.,r/rrwxrwxrwx,0,0,586,"/Preview_Documents/00036315.TIF"
Xxx Xxx 00 0000 00:00:00,171757,..c.,r/rrwxrwxrwx,0,0,587,"/Preview_Documents/00036319.tif"
Xxx Xxx 00 0000 00:00:00,246644,..c.,r/rrwxrwxrwx,0,0,588,"/Preview_Documents/00036754.tif"
Xxx Xxx 00 0000 00:00:00,631506,..c.,r/rrwxrwxrwx,0,0,589,"/Preview_Documents/00036826.pdf"
Xxx Xxx 00 0000 00:00:00,146838,..c.,r/rrwxrwxrwx,0,0,590,"/Preview_Documents/00036859.tif"
Xxx Xxx 00 0000 00:00:00,310265,..c.,r/rrwxrwxrwx,0,0,591,"/Preview_Documents/00037655.pdf"
Xxx Xxx 00 0000 00:00:00,67584,..c.,r/rrwxrwxrwx,0,0,592,"/Preview_Documents/00051250.DOC"
Xxx Xxx 00 0000 00:00:00,82944,..c.,r/rrwxrwxrwx,0,0,593,"/Preview_Documents/00052249.DOC"
Xxx Xxx 00 0000 00:00:00,54784,..c.,r/rrwxrwxrwx,0,0,594,"/Preview_Documents/00081012.DOC"
Xxx Xxx 00 0000 00:00:00,80838,..c.,r/rrwxrwxrwx,0,0,595,"/Preview_Documents/00081025.pdf"
Xxx Xxx 00 0000 00:00:00,35840,..c.,r/rrwxrwxrwx,0,0,596,"/Preview_Documents/00081026.DOC"
Xxx Xxx 00 0000 00:00:00,69632,..c.,r/rrwxrwxrwx,0,0,597,"/Preview_Documents/00135791.MSG"
Xxx Xxx 00 0000 00:00:00,240128,..c.,r/rrwxrwxrwx,0,0,598,"/Preview_Documents/00135796.MSG"
Xxx Xxx 00 0000 00:00:00,602624,..c.,r/rrwxrwxrwx,0,0,599,"/Preview_Documents/00135811.MSG"
Xxx Xxx 00 0000 00:00:00,1024,..c.,d/drwxrwxrwx,0,0,6,"/Preview_Documents"
Xxx Xxx 00 0000 00:00:00,541696,..c.,r/rrwxrwxrwx,0,0,600,"/Preview_Documents/00135820.MSG"
Xxx Xxx 00 0000 00:00:00,648192,..c.,r/rrwxrwxrwx,0,0,601,"/Preview_Documents/00135836.MSG"
Xxx Xxx 00 0000 00:00:00,64512,..c.,r/rrwxrwxrwx,0,0,602,"/Preview_Documents/00135847.MSG"
Xxx Xxx 00 0000 00:00:00,1138544,..c.,r/rrwxrwxrwx,0,0,603,"/Preview_Documents/00261011.PDF"
Xxx Xxx 00 0000 00:00:00,89333,..c.,r/rrwxrwxrwx,0,0,604,"/Preview_Documents/00261094.PDF"
Xxx Xxx 00 0000 00:00:00,72704,..c.,r/rrwxrwxrwx,0,0,605,"/Preview_Documents/00261114.DOC"
Xxx Xxx 00 0000 00:00:00,309599,..c.,r/rrwxrwxrwx,0,0,606,"/Preview_Documents/00261486.PDF"
Xxx Xxx 00 0000 00:00:00,72298,..c.,r/rrwxrwxrwx,0,0,607,"/Preview_Documents/00273276.pdf"
Xxx Xxx 00 0000 00:00:00,103424,..c.,r/rrwxrwxrwx,0,0,608,"/Preview_Documents/00275455.DOC"
Xxx Xxx 00 0000 00:00:00,512153,..c.,r/rrwxrwxrwx,0,0,609,"/Preview_Documents/00276120.PDF"
Tue Oct 30 2001 17:13:32,433664,m...,r/rrwxrwxrwx,0,0,581,"/Preview_Documents/00010873.DOC"
Thu Nov 01 2001 21:23:56,768512,m...,r/rrwxrwxrwx,0,0,583,"/Preview_Documents/00017494.DOC"
Mon Nov 05 2001 20:39:16,588800,m...,r/rrwxrwxrwx,0,0,582,"/Preview_Documents/00014645.PPT"
Thu Jan 16 2003 19:26:28,46592,m...,r/rrwxrwxrwx,0,0,584,"/Preview_Documents/00036132.DOC"
Sat Jan 18 2003 01:57:44,196433,m...,r/rrwxrwxrwx,0,0,585,"/Preview_Documents/00036309.pdf"
Sat Jan 18 2003 03:59:50,188944,m...,r/rrwxrwxrwx,0,0,586,"/Preview_Documents/00036315.TIF"
Mon Jan 20 2003 19:29:16,171757,m...,r/rrwxrwxrwx,0,0,587,"/Preview_Documents/00036319.tif"
Fri Jan 24 2003 22:27:46,246644,m...,r/rrwxrwxrwx,0,0,588,"/Preview_Documents/00036754.tif"
Tue Jan 28 2003 01:13:32,631506,m...,r/rrwxrwxrwx,0,0,589,"/Preview_Documents/00036826.pdf"
Tue Jan 28 2003 19:39:28,146838,m...,r/rrwxrwxrwx,0,0,590,"/Preview_Documents/00036859.tif"
Wed Feb 12 2003 04:13:40,310265,m...,r/rrwxrwxrwx,0,0,591,"/Preview_Documents/00037655.pdf"
Fri Dec 05 2003 04:17:10,82944,m...,r/rrwxrwxrwx,0,0,593,"/Preview_Documents/00052249.DOC"
Thu Jun 10 2004 20:09:38,67584,m...,r/rrwxrwxrwx,0,0,592,"/Preview_Documents/00051250.DOC"
Sat Aug 27 2005 01:04:30,80838,m...,r/rrwxrwxrwx,0,0,595,"/Preview_Documents/00081025.pdf"
Sat Aug 27 2005 01:11:42,54784,m...,r/rrwxrwxrwx,0,0,594,"/Preview_Documents/00081012.DOC"
Sat Aug 27 2005 02:20:04,35840,m...,r/rrwxrwxrwx,0,0,596,"/Preview_Documents/00081026.DOC"
Tue Feb 20 2007 20:52:20,69632,m...,r/rrwxrwxrwx,0,0,597,"/Preview_Documents/00135791.MSG"
Wed Feb 21 2007 21:06:54,240128,m...,r/rrwxrwxrwx,0,0,598,"/Preview_Documents/00135796.MSG"
Wed Feb 28 2007 03:29:16,602624,m...,r/rrwxrwxrwx,0,0,599,"/Preview_Documents/00135811.MSG"
Thu Mar 01 2007 19:53:16,541696,m...,r/rrwxrwxrwx,0,0,600,"/Preview_Documents/00135820.MSG"
Mon Mar 05 2007 23:40:06,648192,m...,r/rrwxrwxrwx,0,0,601,"/Preview_Documents/00135836.MSG"
Wed Mar 07 2007 00:46:16,64512,m...,r/rrwxrwxrwx,0,0,602,"/Preview_Documents/00135847.MSG"
Fri May 21 2010 01:50:10,1138544,m...,r/rrwxrwxrwx,0,0,603,"/Preview_Documents/00261011.PDF"
Fri May 21 2010 21:06:12,89333,m...,r/rrwxrwxrwx,0,0,604,"/Preview_Documents/00261094.PDF"
Sat May 22 2010 00:51:26,72704,m...,r/rrwxrwxrwx,0,0,605,"/Preview_Documents/00261114.DOC"
Wed May 26 2010 01:44:36,309599,m...,r/rrwxrwxrwx,0,0,606,"/Preview_Documents/00261486.PDF"
Wed Aug 18 2010 21:16:06,72298,m...,r/rrwxrwxrwx,0,0,607,"/Preview_Documents/00273276.pdf"
Tue Aug 31 2010 18:28:10,103424,m...,r/rrwxrwxrwx,0,0,608,"/Preview_Documents/00275455.DOC"
Tue Sep 07 2010 19:48:50,512153,m...,r/rrwxrwxrwx,0,0,609,"/Preview_Documents/00276120.PDF"
Sun Dec 30 2018 05:00:00,1024,.a..,d/dr-xr-xr-x,0,0,3,"/$RECYCLE.BIN"
Sun Dec 30 2018 05:00:00,129,.a..,r/rr-xr-xr-x,0,0,517,"/$RECYCLE.BIN/desktop.ini"
Sun Dec 30 2018 05:00:00,433664,.a..,r/rrwxrwxrwx,0,0,581,"/Preview_Documents/00010873.DOC"
Sun Dec 30 2018 05:00:00,588800,.a..,r/rrwxrwxrwx,0,0,582,"/Preview_Documents/00014645.PPT"
Sun Dec 30 2018 05:00:00,768512,.a..,r/rrwxrwxrwx,0,0,583,"/Preview_Documents/00017494.DOC"
Sun Dec 30 2018 05:00:00,46592,.a..,r/rrwxrwxrwx,0,0,584,"/Preview_Documents/00036132.DOC"
Sun Dec 30 2018 05:00:00,196433,.a..,r/rrwxrwxrwx,0,0,585,"/Preview_Documents/00036309.pdf"
Sun Dec 30 2018 05:00:00,188944,.a..,r/rrwxrwxrwx,0,0,586,"/Preview_Documents/00036315.TIF"
Sun Dec 30 2018 05:00:00,171757,.a..,r/rrwxrwxrwx,0,0,587,"/Preview_Documents/00036319.tif"
Sun Dec 30 2018 05:00:00,246644,.a..,r/rrwxrwxrwx,0,0,588,"/Preview_Documents/00036754.tif"
Sun Dec 30 2018 05:00:00,631506,.a..,r/rrwxrwxrwx,0,0,589,"/Preview_Documents/00036826.pdf"
Sun Dec 30 2018 05:00:00,146838,.a..,r/rrwxrwxrwx,0,0,590,"/Preview_Documents/00036859.tif"
Sun Dec 30 2018 05:00:00,310265,.a..,r/rrwxrwxrwx,0,0,591,"/Preview_Documents/00037655.pdf"
Sun Dec 30 2018 05:00:00,67584,.a..,r/rrwxrwxrwx,0,0,592,"/Preview_Documents/00051250.DOC"
Sun Dec 30 2018 05:00:00,82944,.a..,r/rrwxrwxrwx,0,0,593,"/Preview_Documents/00052249.DOC"
Sun Dec 30 2018 05:00:00,54784,.a..,r/rrwxrwxrwx,0,0,594,"/Preview_Documents/00081012.DOC"
Sun Dec 30 2018 05:00:00,80838,.a..,r/rrwxrwxrwx,0,0,595,"/Preview_Documents/00081025.pdf"
Sun Dec 30 2018 05:00:00,35840,.a..,r/rrwxrwxrwx,0,0,596,"/Preview_Documents/00081026.DOC"
Sun Dec 30 2018 05:00:00,69632,.a..,r/rrwxrwxrwx,0,0,597,"/Preview_Documents/00135791.MSG"
Sun Dec 30 2018 05:00:00,240128,.a..,r/rrwxrwxrwx,0,0,598,"/Preview_Documents/00135796.MSG"
Sun Dec 30 2018 05:00:00,602624,.a..,r/rrwxrwxrwx,0,0,599,"/Preview_Documents/00135811.MSG"
Sun Dec 30 2018 05:00:00,1024,.a..,d/drwxrwxrwx,0,0,6,"/Preview_Documents"
Sun Dec 30 2018 05:00:00,541696,.a..,r/rrwxrwxrwx,0,0,600,"/Preview_Documents/00135820.MSG"
Sun Dec 30 2018 05:00:00,648192,.a..,r/rrwxrwxrwx,0,0,601,"/Preview_Documents/00135836.MSG"
Sun Dec 30 2018 05:00:00,64512,.a..,r/rrwxrwxrwx,0,0,602,"/Preview_Documents/00135847.MSG"
Sun Dec 30 2018 05:00:00,1138544,.a..,r/rrwxrwxrwx,0,0,603,"/Preview_Documents/00261011.PDF"
Sun Dec 30 2018 05:00:00,89333,.a..,r/rrwxrwxrwx,0,0,604,"/Preview_Documents/00261094.PDF"
Sun Dec 30 2018 05:00:00,72704,.a..,r/rrwxrwxrwx,0,0,605,"/Preview_Documents/00261114.DOC"
Sun Dec 30 2018 05:00:00,309599,.a..,r/rrwxrwxrwx,0,0,606,"/Preview_Documents/00261486.PDF"
Sun Dec 30 2018 05:00:00,72298,.a..,r/rrwxrwxrwx,0,0,607,"/Preview_Documents/00273276.pdf"
Sun Dec 30 2018 05:00:00,103424,.a..,r/rrwxrwxrwx,0,0,608,"/Preview_Documents/00275455.DOC"
Sun Dec 30 2018 05:00:00,512153,.a..,r/rrwxrwxrwx,0,0,609,"/Preview_Documents/00276120.PDF"
Sun Dec 30 2018 22:44:20,1024,m...,d/drwxrwxrwx,0,0,6,"/Preview_Documents"
Sun Dec 30 2018 22:47:57,1024,...b,d/dr-xr-xr-x,0,0,3,"/$RECYCLE.BIN"
Sun Dec 30 2018 22:47:57,129,...b,r/rr-xr-xr-x,0,0,517,"/$RECYCLE.BIN/desktop.ini"
Sun Dec 30 2018 22:47:58,1024,m...,d/dr-xr-xr-x,0,0,3,"/$RECYCLE.BIN"
Sun Dec 30 2018 22:47:58,129,m...,r/rr-xr-xr-x,0,0,517,"/$RECYCLE.BIN/desktop.ini"
Sun Dec 30 2018 22:48:07,433664,...b,r/rrwxrwxrwx,0,0,581,"/Preview_Documents/00010873.DOC"
Sun Dec 30 2018 22:48:07,588800,...b,r/rrwxrwxrwx,0,0,582,"/Preview_Documents/00014645.PPT"
Sun Dec 30 2018 22:48:07,768512,...b,r/rrwxrwxrwx,0,0,583,"/Preview_Documents/00017494.DOC"
Sun Dec 30 2018 22:48:07,46592,...b,r/rrwxrwxrwx,0,0,584,"/Preview_Documents/00036132.DOC"
Sun Dec 30 2018 22:48:07,196433,...b,r/rrwxrwxrwx,0,0,585,"/Preview_Documents/00036309.pdf"
Sun Dec 30 2018 22:48:07,188944,...b,r/rrwxrwxrwx,0,0,586,"/Preview_Documents/00036315.TIF"
Sun Dec 30 2018 22:48:07,171757,...b,r/rrwxrwxrwx,0,0,587,"/Preview_Documents/00036319.tif"
Sun Dec 30 2018 22:48:07,246644,...b,r/rrwxrwxrwx,0,0,588,"/Preview_Documents/00036754.tif"
Sun Dec 30 2018 22:48:07,631506,...b,r/rrwxrwxrwx,0,0,589,"/Preview_Documents/00036826.pdf"
Sun Dec 30 2018 22:48:07,146838,...b,r/rrwxrwxrwx,0,0,590,"/Preview_Documents/00036859.tif"
Sun Dec 30 2018 22:48:07,310265,...b,r/rrwxrwxrwx,0,0,591,"/Preview_Documents/00037655.pdf"
Sun Dec 30 2018 22:48:07,67584,...b,r/rrwxrwxrwx,0,0,592,"/Preview_Documents/00051250.DOC"
Sun Dec 30 2018 22:48:07,82944,...b,r/rrwxrwxrwx,0,0,593,"/Preview_Documents/00052249.DOC"
Sun Dec 30 2018 22:48:07,54784,...b,r/rrwxrwxrwx,0,0,594,"/Preview_Documents/00081012.DOC"
Sun Dec 30 2018 22:48:07,80838,...b,r/rrwxrwxrwx,0,0,595,"/Preview_Documents/00081025.pdf"
Sun Dec 30 2018 22:48:07,35840,...b,r/rrwxrwxrwx,0,0,596,"/Preview_Documents/00081026.DOC"
Sun Dec 30 2018 22:48:07,69632,...b,r/rrwxrwxrwx,0,0,597,"/Preview_Documents/00135791.MSG"
Sun Dec 30 2018 22:48:07,240128,...b,r/rrwxrwxrwx,0,0,598,"/Preview_Documents/00135796.MSG"
Sun Dec 30 2018 22:48:07,602624,...b,r/rrwxrwxrwx,0,0,599,"/Preview_Documents/00135811.MSG"
Sun Dec 30 2018 22:48:07,1024,...b,d/drwxrwxrwx,0,0,6,"/Preview_Documents"
Sun Dec 30 2018 22:48:07,541696,...b,r/rrwxrwxrwx,0,0,600,"/Preview_Documents/00135820.MSG"
Sun Dec 30 2018 22:48:07,648192,...b,r/rrwxrwxrwx,0,0,601,"/Preview_Documents/00135836.MSG"
Sun Dec 30 2018 22:48:07,64512,...b,r/rrwxrwxrwx,0,0,602,"/Preview_Documents/00135847.MSG"
Sun Dec 30 2018 22:48:07,1138544,...b,r/rrwxrwxrwx,0,0,603,"/Preview_Documents/00261011.PDF"
Sun Dec 30 2018 22:48:07,89333,...b,r/rrwxrwxrwx,0,0,604,"/Preview_Documents/00261094.PDF"
Sun Dec 30 2018 22:48:07,72704,...b,r/rrwxrwxrwx,0,0,605,"/Preview_Documents/00261114.DOC"
Sun Dec 30 2018 22:48:07,309599,...b,r/rrwxrwxrwx,0,0,606,"/Preview_Documents/00261486.PDF"
Sun Dec 30 2018 22:48:07,72298,...b,r/rrwxrwxrwx,0,0,607,"/Preview_Documents/00273276.pdf"
Sun Dec 30 2018 22:48:07,103424,...b,r/rrwxrwxrwx,0,0,608,"/Preview_Documents/00275455.DOC"
Sun Dec 30 2018 22:48:07,512153,...b,r/rrwxrwxrwx,0,0,609,"/Preview_Documents/00276120.PDF"

(Note: alternatively, you can simply run “tsk_gettimes decrypted.preview.container | mactime -d -z utc” for similar output.)

You’ll see that the “c” times don’t have a real timestamp – this is because FAT doesn’t have “change times” (if this were an NTFS filesystem, the “c” times would indicate the “change” times for MFT records).

So what can we learn from this? A few things.

  1. TheDarkOverlord uses a Windows PC. This means TDO isn’t creating these volumes using something like TAILS. I can’t tell at this point if it is a Virtual Machine, but the existence of “$Recycle.Bin” and “desktop.ini” is a clear indicator of Windows usage. (Please note that the Recycle Bin is created on a device connected to Windows even if no files are deleted.)
  2. The file system timestamps of the original documents have been maintained. We can see this by using exiftool to compare the file system timestamps (from the timeline above) with the internal Microsoft Office file timestamps (from the exiftool output below).
ExifTool Version Number         : 11.11
File Name                       : 00010873.DOC
Directory                       : .
File Size                       : 424 kB
File Modification Date/Time     : 2019:01:04 12:03:55-05:00
File Access Date/Time           : 2019:01:04 12:03:44-05:00
File Inode Change Date/Time     : 2019:01:04 12:03:55-05:00
File Type                       : DOC
File Type Extension             : doc
MIME Type                       : application/msword
Identification                  : Word 8.0
Language Code                   : English (US)
Doc Flags                       : Has picture, 1Table, ExtChar
System                          : Windows
Word 97                         : No
Template                        : normal.dot
Software                        : Microsoft Word 8.0
Create Date                     : 2001:10:25 20:06:00
Modify Date                     : 2001:10:30 18:13:00

(Please note: I did not maintain filesystem timestamps when I extracted this file from the container. Also, I trimmed the exiftool output to only the relevant data points.)

Microsoft Office files typically have two kinds of timestamps: file system timestamps (timestamps maintained by the file system on which the file resides), and internal timestamps (maintained inside of the files themselves).

In the exiftool output above, the file system timestamps start with “File” (“File Modification Date/Time”) and the internal timestamps do not (“Create Date”, “Modify Date”).

To maintain file system timestamps, files must remain in a compatible device. In other words, these files have always been in a volume or container of some sort – something that either has a file system (such as a hard drive or thumb drive) or preserves file system timestamps (such as zip files). For example, emailing individual files would strip all of the file system timestamps because the files would be outside of a container, while emailing a zip file would maintain them. This suggests TheDarkOverlord exfiltrated these files inside a container of some sort, such as a zip file.

  3. Notice the line “Identification: Word 8.0” in the exiftool output? That version is associated with Office 97 (reference: https://en.wikipedia.org/wiki/Microsoft_Word#Release_history ). This suggests the files are authentically from the late 2001 time frame. Please note I have not examined the versions associated with all files.
  4. The volume is 84% used. The 911_Archive VeraCrypt volume held 5 containers (named Layer_#.container) and a Preview_Documents.container. Applying the 84% usage figure to the other containers, the file content breaks down to:
    Layer_1.container: 63MB of documents
    Layer_2.container: 2.856GB of documents
    Layer_3.container: 4.032GB of documents
    Layer_4.container: 1.176GB of documents
    Layer_5.container: 252MB of documents
  5. What is found is just as important as what *isn’t* found. fls did not reveal any deleted files. Using blkls to collect the unallocated space only revealed gobbledygook (a byproduct of being inside a VeraCrypt volume). There is no evidence files were ever deleted or removed from this volume. The volume was created, the files were copied into it, and then the volume was closed. Heck, the volume label wasn’t even edited.
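As an added example (not the author's code), the script below folds a mactime timeline like the one above back into one MACB record per file and checks the reasoning from points 2 and 5 mechanically: a modification time older than the birth time means the copy preserved the source file's mtime, the birth times cluster into a single copy session, FAT yields no change time, and the Office-internal “Modify Date” from exiftool agrees with the file system mtime once time-zone slack is allowed. The sample rows are constructed from the page's own output; the CSV column names are taken from the mactime header shown above.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a few rows copied from the page's "fls | mactime -d -z utc" timeline.
MACTIME_CSV = """\
Date,Size,Type,Mode,UID,GID,Meta,File Name
Xxx Xxx 00 0000 00:00:00,433664,..c.,r/rrwxrwxrwx,0,0,581,"/Preview_Documents/00010873.DOC"
Tue Oct 30 2001 17:13:32,433664,m...,r/rrwxrwxrwx,0,0,581,"/Preview_Documents/00010873.DOC"
Sun Dec 30 2018 05:00:00,433664,.a..,r/rrwxrwxrwx,0,0,581,"/Preview_Documents/00010873.DOC"
Sun Dec 30 2018 22:48:07,433664,...b,r/rrwxrwxrwx,0,0,581,"/Preview_Documents/00010873.DOC"
Fri May 21 2010 01:50:10,1138544,m...,r/rrwxrwxrwx,0,0,603,"/Preview_Documents/00261011.PDF"
Sun Dec 30 2018 22:48:07,1138544,...b,r/rrwxrwxrwx,0,0,603,"/Preview_Documents/00261011.PDF"
Sun Dec 30 2018 22:47:57,129,...b,r/rr-xr-xr-x,0,0,517,"/$RECYCLE.BIN/desktop.ini"
Sun Dec 30 2018 22:47:58,129,m...,r/rr-xr-xr-x,0,0,517,"/$RECYCLE.BIN/desktop.ini"
"""
# Constructed: the document-internal timestamp exiftool printed for 00010873.DOC.
EXIFTOOL_TEXT = "Modify Date                     : 2001:10:30 18:13:00\n"

def parse_ts(text):
    """mactime prints 'Xxx Xxx 00 0000 00:00:00' for a time the file system lacks."""
    if text.startswith("Xxx"):
        return None
    return datetime.strptime(text, "%a %b %d %Y %H:%M:%S")

def parse_mactime(csv_text):
    """Fold the one-row-per-timestamp timeline back into one record per file."""
    files = defaultdict(dict)
    for row in csv.DictReader(io.StringIO(csv_text)):
        rec = files[row["File Name"]]
        # Type is a 4-char MACB mask such as 'm...' or 'ma.b'; '.' means not set.
        for flag in row["Type"]:
            if flag != ".":
                rec[flag] = parse_ts(row["Date"])
    return dict(files)

def preserved_mtime_files(files):
    """A file cannot be modified before it was created on this volume, so
    m < b means the copy carried the source file's modification time along."""
    return sorted(p for p, r in files.items()
                  if r.get("m") and r.get("b") and r["m"] < r["b"])

def copy_sessions(files, window=timedelta(minutes=5)):
    """Cluster birth times; one tight cluster is one bulk copy into the volume."""
    sessions = []
    for b in sorted(r["b"] for r in files.values() if r.get("b")):
        if sessions and b - sessions[-1][-1] <= window:
            sessions[-1].append(b)
        else:
            sessions.append([b])
    return [(s[0], s[-1], len(s)) for s in sessions]

def internal_modify_date(exiftool_text):
    """Pull the Office-internal 'Modify Date' (not a 'File ...' file system field)."""
    for line in exiftool_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "Modify Date":
            return datetime.strptime(value.strip(), "%Y:%m:%d %H:%M:%S")

def timestamps_agree(fs_mtime, doc_mtime, slack=timedelta(hours=24)):
    """FAT and Office times carry no zone info, so allow a day of slack, not equality."""
    return abs(fs_mtime - doc_mtime) <= slack
```

Run against the full .mactime file, a single birth-time cluster with every document's mtime predating it reproduces the page's "copied in once, nothing touched afterwards" picture.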

Conclusion

So what does all of this mean?

TheDarkOverlord is a professional, as you might have gathered from his track record. There was very little “noise” in the volume – files weren’t shuffled around and reorganized. There are no glaring artifacts that scream out TDO’s true identity.

I am surprised that Windows was used. I expected TAILS or another Linux flavor. There are a lot of privacy implications from using Windows – even in a VM.

File metadata suggests the files are authentic. It would be a huge amount of work to create these files out of nothingness, using outdated Office products (or modifying metadata to show that), and then match these timestamps to file system timestamps. It isn’t impossible, but I would classify it as “extremely extremely unlikely”.

And, lastly – if and when more VeraCrypt volumes are decrypted, we will learn more about TDO’s tactics and techniques.