2012 National Gallery DC Attack (Digital Corpora)

The 2012 National Gallery DC scenario spans approximately 10 days and encompasses two distinct yet intertwined story arcs. The scenario is centered around an employee at the National Gallery DC Art Gallery. Criminal plans for both theft and defacement are discussed amongst actors during the scenario, and evidence may remain across the digital devices they used. The scenario is terminated upon suspicious activity being reported to law enforcement at which point certain devices are seized and network traffic logs are requested. The scenario materials can be used as both teaching material and for forensics research. Like the 2009-M57-Patents scenario, images were taken at the end of every day of the scenario. The materials include disk images of hard drives and both logical and physical images of mobile devices. Network captures were performed using the SSLstrip tool, allowing for capture files to be available with and without encrypted SSL traffic. Alex, a wealthy businessman with Krasnovian ties contacts Carry, a Krasnovian supporter in the US. Alex is seeking to embarrass America and damage public relations by defacing Foreign Art, belonging to Majavia and currently on display in the National Gallery during the month of July. Alex knows Carry through her Krasnovian parents, who also have strong anti-American sentiment. Alex contacts Carry through her father and recruits her to assist with his cause. He is sending some “tourists”, Krasnovian militants, to Washington, DC to do the deed. Carry is to develop the plan to get them into the museum with the tools they need to damage the artwork. Tracy works as a supervisor at the National Gallery and is an acquaintance of Carry. Carry contacts Tracy and starts communicating small data as a back and forth under the auspices that Carry wants to organize a Flash mob at the gallery and needs a little help. Carry will give money to Tracy for this help. Items transferred are suspicious in nature but not outright illegal. Tracy’s money troubles help her overlook the suspicious nature of the requests. Subsequently, Tracy has been having an ongoing dialog with her brother about stealing specific items (Stamps) from the National Gallery. Tracy will have correspondence on her work computer, personal phone, and home computer relating to her conspiracy to have some valuable items stolen. Carry is technically savvy in that she knows about steganography tools and encryption. She hides many of her correspondence in steg files and encrypted files. She purchases a tablet computer and sets it up to use her catsumtwelve email account dealings with Alex, setting up the the flash mob, Carry is interested in security, schedules, events, and locations where art will be displayed. Unfortunately for everyone involved, Joe, Tracy’s ex-husband, installed a key logger onto her computer prior to the divorce to monitor Terry, discovers the conspiracy to commit theft and turns her into the police. This reveals the contact between Tracy and Carry leading to Carry’s Tablet and phone being seized as well revealing the separate defacing plot.