A Note From Joe: Hey everyone, I just want to take a moment and point out that my blog is not intended to only focus on TheDarkOverlord (TDO) and their shenanigans. It just so happens TDO’s activity is an interesting and timely topic for me to examine. I have other, non-TDO posts in the works!
Bottom Line Up Front (BLUF):
Layer2 contains many hidden files, tucked away in emails as attachments (.WDN, .WDM) and in the thumbs.db file. Carving these files grows the total container content to over 10,000 files.
Much to my surprise, TheDarkOverlord released the password to their Layer 2 VeraCrypt container earlier this morning (January 9th, 2019). I am surprised because their Bitcoin wallet is hovering around 3.3btc – which is around $13,000, a far cry from the $50k stated in their “Crypto-Cash for Crypto-Cache” post. I wonder how this will affect their funding structure in the future? Since they are not receiving the funds they demanded – from the victim or from the public – will TDO simply begin releasing content every few days?
This VeraCrypt file – “Layer_2.container” – is the third of six for which TDO has released keys.
- Preview_Documents.container (10MB)
- Layer_1.container (75MB)
- Layer_2.container (3.4GB) <—As of 9 January 2019, we are here
- Layer_3.container (4.8GB)
- Layer_4.container (1.4GB)
- Layer_5.container (300MB)
With this in mind, today I will be looking at Layer_2.container.
An Autopsy of Thumbs(.db)
Tucked inside of Layer2 is a thumbs.db file. As you might suspect, this file is created by Windows to cache thumbnails of files. The cool part? The thumbnails remain after the files are long gone.
Looking at the modified time we can see that this Thumbs.db is from 2011 – meaning it was likely made long before TheDarkOverlord came along. Analysis of the content of the Thumbs.db could reveal details about where/how TheDarkOverlord acquired the cache. So if we wanted to extract files from Thumbs.db, how would we do it?
Mark McKinnon made some nifty Autopsy plugins, including a thumbs.db processing module. Going to “Tools”->”Python Plugins” in Autopsy shows a Windows folder; copying + pasting modules into this directory will integrate them into Autopsy. Check out the documentation if you need more detail.
Then we can go to our Data Sources, right click, select “Run Ingest Modules” and select “Thumbs.db Parser Module”. After clicking finish the parser will run.
This module will place extracted thumbnails in the ModuleOutput directory (underneath the directory where you are storing your Autopsy case).
So I know what you’re thinking – are there files here that aren’t in the three containers we have seen so far? Well, that would ruin all the fun, wouldn’t it?
WDN/WDM Email Carving – A Quick & Dirty Approach
Also in this cache are a slew of .WDN and .WDM files. These are some sort of Worldox e-mail format. Well, let’s say you are someone that is just itching to have a look at the content but you don’t know how to read these files. I recommend a simple foremost command to extract the content:
cat *.WDN|foremost -o <outputdir> - This command carved over 1,000 .htm files
cat *.WDM|foremost -o <outputdir> - This command carved over 2,000 JPGs and 1,100 PDFs
This simple command will run all WDN/WDM files in the directory through foremost, a file carver. It is not the prettiest command (you won’t know which content is carved from which parent file), but it is a quick way to run foremost against a long list of files.
In this post I wanted to share some methods for extracting out new details from the data. Folks seem to be inundated with content, but I often find the most interesting content is a bit deeper than surface level. Enjoy!