<a href="https://csilinux.com" target="_blank"><img src="https://downloads.csilinux.com/images/CSI-Back.jpg" width="100%"></a>
CSI Linux is a focused Linux distribution for digital forensics and was developed as an open source 'theme park' for the cyber security industry.<br><br>
It has tons of capabilities for investigations, analysis and response! CSI Linux is available in a Virtual Machine Appliance, so you can isolate your evidence to minimize cross-contamination. It is also available in a Bootable Triage disk image (restore to an external/internal SSD/HDD/USB drive) and a pre-built workstation that you can use as a daily driver. Here is what is contained in CSI Linux:<br><br>
<strong>Online Investigations (OSINT, SOCMINT, Recon, Dark Web)</strong><br>
<ul>
<li>Advanced Web Scraping Tools: Specialized utilities for harvesting information from websites and social media platforms, essential for Open Source Intelligence (OSINT) and Social Media Intelligence (SOCMINT).</li>
<li>Domain Reconnaissance Utilities: Features that allow investigators to perform thorough analyses of domain names, DNS records, and associated IP addresses.</li>
<li>Dark Web Explorers: Dedicated search engines and crawling tools to navigate Tor, I2P, and Lokinet safely, facilitating dark web investigations.</li>
<li>Automated Report Generation: The platform may offer the capability to automatically compile gathered information into comprehensive reports for easier analysis and presentation.</li>
</ul>
<strong>Computer Forensics</strong><br>
<ul>
<li>File System Analysis: Advanced tools for analyzing various types of file systems, including NTFS, FAT, HFS+, and EXT4.</li>
<li>Data Carving Utilities: For retrieving deleted or hidden data from storage devices.</li>
<li>Timeline Analysis: Tools that compile events into a timeline, making it easier to understand actions taken on a system before, during, and after an incident.</li>
<li>Steganography Detection: Utilities for detecting hidden data in image and audio files, a common technique used to conceal malicious activities or sensitive data.</li>
</ul>
<strong>Incident Response</strong><br>
<ul>
<li>Incident Dashboard: A centralized dashboard that can aggregate various logs and metrics in real-time for monitoring and quick response.</li>
<li>Forensic Imaging: Tools to make bit-by-bit copies of compromised systems for in-depth analysis without affecting the original evidence.</li>
</ul>
<strong>Threat Hunting</strong><br>
<ul>
<li>Network Traffic Analysis: Deep packet inspection tools to analyze network traffic for malicious activities.</li>
<li>Threat Intelligence Feeds: Integration with various threat intelligence feeds for up-to-date information on new kinds of attacks and vulnerabilities.</li>
</ul>
<strong>Malware Analysis</strong><br>
<ul>
<li>Sandbox Environments: A secure environment for detonating and studying malware to understand its behavior, characteristics, and impact.</li>
<li>Static and Dynamic Analysis Tools: Utilities for both static code analysis and dynamic runtime analysis of malware.</li>
<li>Decompilers and Debuggers: Tools for reversing malware code, making it easier to understand its functionality and origin.</li>
</ul>
<strong>Documentation and Legal Compliance</strong><br>
<ul>
<li>Document Templates: Ready-to-use templates for legal and procedural documents such as Chain of Custody forms, Missing Persons reports, Non-Disclosure Agreements (NDAs), Network Authorization forms, Preservation Letters, and Mutual Legal Assistance Treaties (MLAT).</li>
</ul>
You can download CSI Linux at: <a href="https://csilinux.com" target="_blank">CSILinux.com</a>
<<return>>
<a href="https://csilinux.com" target=_blank><img src="https://downloads.csilinux.com/images/CSI-Back.jpg" width=100%></a>
CSI Linux: Digital Forensics Evolved
CSI Linux stands at the pinnacle of digital forensics platforms. Crafted with precision and designed for both novices and professionals, it offers a robust environment where evidence preservation and deep forensic analysis converge. The platform encapsulates the entirety of the investigative process, providing users with cutting-edge tools and utilities. CSI Linux doesn't just represent a platform; it's the evolution of computer forensics in the digital age.
Echothis Labs: The Nexus of Knowledge
Beyond just tools and platforms, the journey into digital forensics demands comprehensive education and hands-on experience. Enter the Echothis Labs, a beacon for those who seek to elevate their skills and knowledge in the realm of online investigations.
Founded under the aegis of CSI Linux, Echothis Labs offers meticulously curated courses that delve deep into the intricacies of digital forensics. Students learn not just the techniques but the ethics, the strategies, and the critical thought required in real-world investigations.
More than just a training environment, the Echothis Labs is a crucible where knowledge meets practice. Through rigorous training modules, practical exercises, and expert guidance, the Echothis Labs shapes the next generation of forensic investigators. And for those who desire to showcase their mastery, the Echothis Labs offers select certifications, revered badges of expertise in the forensic community.
Acknowledgements
Special thanks to every developer, instructor, and student who is a part of CSI Linux and Echothis Labs. Your collective efforts and commitment have made this journey possible. Together, we not only uncover the truths hidden in the digital realm but also uphold justice in our increasingly connected world.
<<return>>
// On the first passage render, hide the Save and Load menu items
$(document).one(":passagerender", function() {
  // Hide the Save button
  $("#menu-item-save").hide();
  // Hide the Load button
  $("#menu-item-load").hide();
});
<a href="https://echothislabs.com" target=_blank>Echothis Labs and CSI Linux</a><a href="https://csilinux.com" target=_blank><img src="https://echothislabs.com/pluginfile.php/1/local_edwiserpagebuilder/media/809096009/echothislabs-001v2-upscale.png" width=200></a>
<<set $creditson to 1>>
<<set $csilinux to 0>>
<<set $chain=0>>
<<set $evidence=0>>
<<set $chat=0>>
<<set $email=0>>
<<set $phone=0>>
<<set $geo=0>>
<<set $ans1 = "">>
<<set $ans2 = "">>
<<set $ans3 = "">>
<<set $return = "">>
<<if $creditson>>
<<link "Credits" "Credits">><</link>><br>
<</if>>
<<if $csilinux>>
<<link "CSI Linux" "CSI Linux">><</link>><br>
<</if>>
<a href="https://downloads.csilinux.com/files/Operation-NightWing_The-Trade-at-Hollow-Pine.pdf" target="_blank">Download the Lab Guide</a><br>
<a href="https://digitalcorpora.s3.amazonaws.com/corpora/scenarios/2019-owl/owl.zip" target="_blank">Evidence Files</a><br>
<a href="https://downloads.csilinux.com/files/Owlfile-Case-Data.7z" target="_blank">Pre-Indexed Case</a><br>
<<link "Related Courses" "Courses">><</link>><br>
<div style="position:sticky; top:0; z-index:999; background:#000; padding:10px;">
<video src="http://downloads.csilinux.com/files/simulations/video/Nightwing-parts-1.mp4" controls style="width:100%; max-height:360px;"></video>
</div>
<b>Prologue</b>
As the city exhales the last remnants of daylight, the streets twist and morph under the weight of neon reflections, a kaleidoscope of filth and fluorescence. The skyline hums with artificial life, but the true pulse of Aviary City is found in its darkest corners, where the light doesn’t reach and the desperate come to feast on the rot. Tonight, that rot takes the shape of an unseen transaction, a thing spoken about only in whispers, where the currency isn’t just money but silence, secrecy, and something far more delicate: living creatures with wings of gold and eyes that see too much.
At the very edge of the First Ward, tucked between a shuttered pawn shop and a nightclub that never truly closes, The Owls Roost looms like a decayed beast, its mouth forever open, swallowing the damned and the reckless whole. The music seeps from its guts, a relentless thrum of bass-heavy Techno Trance that rattles through bones and brick, pulsing like a dying heartbeat. Inside, the air is thick with sweat, expensive cologne, and something else, something raw and almost metallic, like the scent of fear lingering too long on the skin. This is a place where hands shake under the cover of dim back rooms, where secrets pass like folded bills, and where, if you know who to ask, you can buy things that should never be for sale.
Somewhere in this web of sin and circuitry, Sarah McAvoy waits. She is not the apex predator here, no, she is something smaller, something nervous, a rodent skittering along the edges of a much larger game. She is a buyer, not a seller, and that distinction is important. She does not capture. She does not smuggle. She does not stain her hands with the real work. But she wants what they have, what they steal, what they mutilate, what they strip from the wild and chain to the cold walls of their trade. She wants an owl.
The seller? No one knows, not yet. The Owl Trafficking Syndicate (OTS) operates in layers, like a carcass picked clean by a hundred unseen beaks, each one taking its turn, each one nameless and disposable. They do not advertise. They do not trust. The only certainty is that someone, somewhere, has agreed to make the sale. McAvoy has been careful, except for one person, no direct messages, no phone calls, only encrypted whispers passed through Owlscape, the augmented reality game that, to the untrained eye, is just another digital escape for those who can’t handle the real world. For insiders, it's a black-market network masked by pixels and quests, where reality blurs and real deals hide beneath layers of code.
For months, the Owl Protection Organization (OPO) has been watching, tracking, and waiting. They have followed the fragments of chatter scattered across dark web forums, decrypted strings of text that vanish seconds after they appear. They know an exchange is coming. They know McAvoy will be there. And they know, if they can just pull the right thread, just trace the right transaction, they might finally unravel the whole damn thing.
[[Proceed to Briefing|Briefing]]
<div style="position:sticky; top:0; z-index:999; background:#000; padding:10px;">
<video src="http://downloads.csilinux.com/files/simulations/video/Nightwing-parts-2.mp4" controls style="width:100%; max-height:360px;"></video>
</div>
<b>Briefing by Chief of Police Rowan Hargrave</b>
Location: ACPD Headquarters, Briefing Room – 0800 Hours
Chief of Police Rowan Hargrave steps to the front of the dimly lit briefing room, his expression as sharp as the talons of a great horned owl. His presence alone commands the attention of every officer and forensic analyst in the room.
“Good morning, everyone. Let’s get right to it. The Owl Trafficking Syndicate (OTS) has been tightening its grip on this city for too long. Every trade they make isn’t just a transaction, it’s a life stolen, a creature ripped from the wild and condemned to a cage. Their operations stretch beyond Aviary City, but today, we’ve taken a step toward tearing a hole in their network.
Early this morning, a warrant was executed against Sarah McAvoy. She was taken into custody without incident, and her Nexus 5 Android smartphone and Windows 10 PC were seized. Lab technicians have already imaged both devices, preserving the data for forensic analysis. Now, it’s up to us to dig through the evidence.
McAvoy is not a smuggler, not a trafficker, she’s the buyer. But don’t mistake that for innocence. She’s been in this game long enough to know how it works. She knew where to go, how to pay, and how to cover her tracks. That makes her dangerous. But more importantly, it makes her a direct link to the seller. If we can trace her communications, follow the money, and decrypt her messages, we can uncover who’s supplying her, and stop them before the next sale is made.
We have reason to believe McAvoy initially connected with the seller through the augmented reality game ‘Owlscape’, which serves as a covert communication hub for traffickers and buyers. While the game masks hidden transactions under the guise of ordinary player interactions, our analysis confirms that McAvoy and the seller transitioned their conversation to personal devices after making initial contact. The bulk of their communication, including transaction details and logistics, was found on McAvoy’s Nexus 5 smartphone. If we can identify these messages, find the meeting location, and trace the seller’s identity, we may not just confirm McAvoy’s last purchase, we might intercept the next deal before it happens. Time is against us, and if this seller is still active, we need to move fast.
Your job is clear: go through the data, reconstruct her movements, and uncover the seller. We need browser histories, chat logs, cryptocurrency transactions, location metadata, anything that connects her to a supplier.
Detective Peregrine, you’ll be leading the investigation. Work closely with our forensic examiner. McAvoy has tried to hide her tracks, make sure she failed. This is more than one arrest. This is our chance to take the fight to the people running this operation. McAvoy is off the board, but the seller is still out there. Find them.
Let’s bring them down… Dismissed.”
[[Accept the Mission|Objective]]
<div style="position:sticky; top:0; z-index:999; background:#000; padding:10px;">
<video src="http://downloads.csilinux.com/files/simulations/video/Nightwing-parts-3.mp4" controls style="width:100%; max-height:360px;"></video>
</div>
<b>Objective</b>
The room hums with quiet tension as the briefing concludes, the weight of the operation settling over you like a dense fog. Detective Leila Peregrine gives a curt nod, her sharp gaze already calculating the next move. Across the table, a digital forensics kit waits, sterile, cold, filled with the tools that will carve through the layers of deception like a scalpel through rotting flesh. The weight of the case sits heavy, not just in the air but in the knowledge that this is it, the moment where whispers become evidence, where ghosts take form in the circuitry of machines.
You are the forensic examiner assigned to Operation NightWing: The Trade at Hollow Pine. The evidence before you is more than just a collection of files and data fragments, it is the tangled remains of a hidden transaction, a silent conspiracy written in ones and zeroes, buried beneath encryption and deception. The suspect, Sarah McAvoy, was meticulous, careful enough to leave no fingerprints on the crime itself, but no one operates in the digital world without leaving a shadow behind. Your job is to find hers.
Two devices, a Nexus 5 Android smartphone and a Windows 10 HP laptop, have been seized following McAvoy’s apprehension. These are the keys to the door she’s tried to keep locked. Within them, scattered among browser caches, chat logs, emails, and metadata, lies the truth. Truth isn’t just about finding what’s there, it’s also about knowing what’s missing. Deleted files. Corrupted timestamps. Disguised metadata. McAvoy has tried to cover her tracks, but no one erases everything. The remnants will betray her, and it’s up to you to make them speak.
Detective Peregrine tells you that your investigation must establish the following:
<ul>
<li><strong>Who is the seller?</strong> Somewhere in McAvoy’s communications, behind firewalls of obfuscation, is the identity of the one supplying the owls.</li>
<li><strong>Where and when was the transaction set to take place?</strong> If the deal is still in motion, you may not just be reconstructing the past, you may be racing against time.</li>
<li><strong>What was the agreed-upon price?</strong> Was this about money, or is there another currency at play?</li>
<li><strong>How was the exchange confirmed?</strong> Cryptocurrency transactions? Coded messages? The breadcrumbs are there, scattered in dark-web transactions, private forums, and the hidden corridors of Owlscape.</li>
<li><strong>Identify and document any content related to owls.</strong> Images, videos, smuggler manifestos, anything that connects McAvoy to the trade.</li>
</ul>
This is more than an investigation. This is a dismantling. Each recovered artifact is another nail in the coffin of the Owl Trafficking Syndicate (OTS), another crack in the foundation of their network. They think they’re untouchable, wrapped in layers of anonymity and digital sleight of hand, but they’ve made one fatal error: they left a trail, and you are the one who will follow it to the end.
You are given the Chain of Custody for the evidence files along with links to grab the forensic images. Time is against you. McAvoy is only the buyer, her hands never touch the cages, never hear the screams. But the seller? The seller is still out there. And if you don’t find them fast enough, another rare owl will vanish into the void, another life sold in the dark.
[[Begin Examination|Examination]]
<<set $csilinux = 1>>
<div style="position:sticky; top:0; z-index:999; background:#000; padding:10px;">
<video src="http://downloads.csilinux.com/files/simulations/video/Nightwing-parts-4.mp4" controls style="width:100%; max-height:360px;"></video>
</div>
<b>Evidence Breakdown</b>
As you start the forensic examination, both buyer and seller remain hidden behind layers of digital anonymity—encrypted channels, aliases, dark-web platforms. Yet every interaction, search query, and exchanged file leaves forensic breadcrumbs. It’s up to you to decide where to focus first.
Choose your next step:
* [[View Chain of Custody|ChainOfCustody]]
* [[Review Evidence Breakdown|EvidenceBreakdown]]
* [[Chat Metadata|ChatMetadata]]
* [[Email Headers|EmailHeaders]]
* [[Phone Number Correlation|PhoneCorrelation]]
* [[Geo-Location Data|GeoLocation]]
<<if $chain and $evidence>>
<<link "Proceed to the Evidence Examination" "TheExam">><</link>>
<</if>>
<<set $chain to $chain + 1>>
<object
data="https://downloads.csilinux.com/files/simulations/Operation%20NightWing%20-%20The%20Trade%20at%20Hollow%20Pine%20-%20CoC.pdf"
type="application/pdf"
width="100%"
height="800px"
>
<div>
Your browser doesn’t support embedded PDFs.
<a href="https://downloads.csilinux.com/files/simulations/Operation%20NightWing%20-%20The%20Trade%20at%20Hollow%20Pine%20-%20CoC.pdf">
Download the PDF
</a>.
</div>
</object>
Before you even lay a finger on that hard drive, USB stick, or mysterious data packet, pump the brakes and reach for the Chain of Custody document. This isn’t just paperwork, it’s your investigation’s DNA, the unbroken link that proves every byte of evidence in your hands is the same byte that left the scene.
<ol>
<li><h3>Verify Every Detail:</h3> Cross-check the make, model, serial numbers, timestamps, and packaging notes against what’s recorded on the form. A single mismatch, say a wrong date or a missing seal number, can let defense attorneys tear your case apart like so much old parchment. By confirming that each entry matches reality, you’re ensuring no one can claim evidence was swapped, tampered with, or “magically” appeared after the fact.
</li>
<li><h3>Own Your Moment: </h3>When you write your name, badge number, and timestamp in your section, you’re not just filling in blanks, you’re raising your hand and swearing under procedural oath that you accept responsibility for everything beneath your watch. From the instant you sign it, that item is your ward: any damage, loss, or gap in documentation becomes your problem to explain.
</li>
<li><h3>Build an Unbroken Chain: </h3>Think of the Chain of Custody like a baton in a relay race. Each time evidence changes hands, collector to courier, courier to lab technician, lab technician to analyst, the transfer must be documented, sealed, and witnessed. A well-maintained chain shows exactly when evidence moved, who touched it, and under what conditions, creating a clear audit trail that stands up in court.
</li>
<li><h3>Why It Matters: </h3>Judges and juries love tangible, untampered proof. The Chain of Custody is your ticket to admissibility. Skip or skimp on it, and you risk having critical evidence thrown out, and with it, the entire case could collapse. In the harsh light of cross-examination, that form will be your shield, demonstrating that every digital artifact you present is legitimate, intact, and forensically sound.
</li>
<li><h3>Best Practices:</h3><ul>
<li><strong>Seal Integrity:</strong> Always use tamper-evident bags or tamper-proof tape, and note seal numbers on the form.</li>
<li><strong>Detailed Descriptions:</strong> Describe the evidence in enough detail that nobody’s left guessing which device you mean.</li>
<li><strong>Witness Signatures:</strong> Whenever possible, have a second pair of eyes sign off on transfers.</li>
<li><strong>Digital Logs:</strong> If your lab uses an electronic chain-of-custody system, back it up with a printed copy.</li>
</ul>
</li>
</ol>By treating the Chain of Custody as the cornerstone of your digital forensics workflow, you transform a simple form into a fortress of credibility. So next time you’re handed that sealed hard drive, don’t rush, verify, document, and own your link in the chain. Your case, and the truth it carries, depend on it.
[[Back to Examination|Examination]]
<<set $evidence to $evidence + 1>>
<b>Evidence Breakdown</b>
📱 Nexus 5: This forensic image captures web searches, chat logs, images, and location data related to the owl trade. Investigators must analyze the device to uncover buyer and seller communications, illicit media, and any attempts to obscure evidence.
Key Digital Clues:
<ul>
<li><strong>Web History</strong>: Find browser evidence related to owls</li>
<li><strong>Communications</strong>: Identify buyer/seller metadata</li>
<li><strong>Images</strong>: Locate owl photos; check tampered metadata</li>
<li><strong>Owl Data</strong>: Discover documents or manifestos</li>
<li><strong>Locations</strong>: Pinpoint agreed meeting spots</li>
</ul>
💻 Windows 10 PC: The PC image contains finalized communications, transaction confirmations, and supporting documents. Analysts should focus on emails, chat records, file metadata, and browser history to tie McAvoy to the illegal purchase.
Key Digital Clues:
<ul>
<li><strong>Web History</strong>: Browser evidence of owls</li>
<li><strong>Communications</strong>: Emails and chats connecting parties</li>
<li><strong>Images</strong>: Owl-related files; metadata integrity</li>
<li><strong>Owl Data</strong>: Smuggler manifestos and attachments</li>
<li><strong>Locations</strong>: Metadata revealing exchanges</li>
</ul>
[[Back to Examination|Examination]]
<<set $chat to $chat + 1>>
<strong>Chat evidence provides critical visibility into suspects' communications, network relationships, and coded exchanges, making it invaluable for establishing timelines and uncovering hidden connections.</strong>
<strong>Disclaimer:</strong> The following checklist outlines common chat evidence to search for, but you may not find every piece of expected data in every investigation.
<b>Chat Metadata Analysis</b>
<ul>
<li>Examine timestamps in Musical.ly and Pidgin chat logs to determine conversation chronology.</li>
<li>Identify recurring aliases across platforms to reveal patterns.</li>
<li>Correlate chat app usernames with known suspects.</li>
<li>Search for key discussion topics: "owl," "trade," "drop-off locations," and payment details to surface relevant conversations.</li>
<li>Review media attachments and shared links within chats to uncover hidden files or coded messages.</li>
<li>Analyze exported chat log metadata for signs of tampering or timestamp manipulation.</li>
<li>Map participant networks by examining group chat membership, forwarded messages, and invite links.</li>
<li>Cross-reference chat exchanges with email, SMS, and AR game logs for timeline consistency.</li>
</ul>
[[Back|Examination]]
<<set $email to $email + 1>>
<strong>Email evidence provides critical insights into communication flows, sender authenticity, and metadata, making it a cornerstone in digital forensic investigations.</strong>
<strong>Disclaimer:</strong> The following checklist outlines common email evidence to search for, but you may not find every piece of expected data in every investigation.
<b>Email Header Forensics</b>
<ul>
<li>Extract IP traces and originating servers from Gmail headers to identify the true source of messages.</li>
<li>Compare timestamps with chat logs and other artifacts to build a consistent timeline across communications.</li>
<li>Analyze reply-to, from, and forwarding fields to uncover hidden aliases and intermediary addresses.</li>
<li>Inspect DKIM, SPF, and DMARC results within headers to detect spoofing or unauthorized senders.</li>
<li>Review header routing paths (Received: fields) to trace message hops across mail servers and networks.</li>
<li>Examine Message-ID structures for signs of tampering or reuse across multiple emails.</li>
<li>Correlate subject lines and thread IDs to group related messages and reconstruct conversation threads.</li>
<li>Parse X-Headers (custom or proprietary) for application-specific metadata or logging identifiers.</li>
</ul>
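One way to work through the header checklist above on a single message, as an added example that is not part of the CSI Linux lab material. The header block is constructed, and the function name and finding labels are illustrative assumptions.

```python
import email
import re
from datetime import timezone
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample (not case data): reserved example domains, documentation IPs.
SAMPLE_HEADERS = """\
Received: by mx.recipient.example with SMTP id a1; Tue, 05 Mar 2019 14:02:11 +0000
Received: from relay.sender.example (relay.sender.example [198.51.100.7])
 by mx.recipient.example with ESMTPS id b2; Tue, 05 Mar 2019 14:02:09 +0000
Received: from [192.0.2.44] (unknown [192.0.2.44])
 by relay.sender.example with ESMTPSA id c3; Tue, 05 Mar 2019 09:01:58 -0500
Authentication-Results: mx.recipient.example;
 spf=pass smtp.mailfrom=sender.example;
 dkim=fail header.d=sender.example;
 dmarc=fail header.from=sender.example
From: "Trader" <trader@sender.example>
Reply-To: other@alias.example
Message-ID: <abc123@sender.example>
Date: Tue, 05 Mar 2019 09:01:55 -0500
Subject: photos

body
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)


def _unfold(value):
    """Collapse folded header whitespace into single spaces."""
    return " ".join(value.split())


def _domain(addr_header):
    """Lower-cased domain of the address in a From/Reply-To style header."""
    return parseaddr(addr_header or "")[1].rpartition("@")[2].lower()


def _to_utc(stamp):
    """Parse an RFC 5322 date; return an aware UTC datetime, or None if unusable."""
    try:
        dt = parsedate_to_datetime(stamp.strip())
    except (TypeError, ValueError):
        return None
    return dt.astimezone(timezone.utc) if dt.tzinfo else None


def analyze(raw):
    """Return hops (oldest first), candidate origin IP, auth results and findings."""
    msg = email.message_from_string(raw)

    # Each server prepends its Received line, so the header order is newest first.
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        info, _, stamp = _unfold(value).rpartition(";")
        ip = IP_RE.search(info)
        hops.append({"ip": ip.group(1) if ip else None,
                     "when": _to_utc(stamp), "raw": info.strip()})

    findings = []
    # A hop stamped earlier than the previous one: clock skew or an inserted header.
    for prev, cur in zip(hops, hops[1:]):
        if prev["when"] and cur["when"] and cur["when"] < prev["when"]:
            findings.append("received-out-of-order")
            break

    # First verdict per mechanism as recorded by the receiving server.
    auth = {}
    for value in msg.get_all("Authentication-Results", []):
        for mech, result in AUTH_RE.findall(_unfold(value)):
            auth.setdefault(mech.lower(), result.lower())
    for mech in ("spf", "dkim", "dmarc"):
        if auth.get(mech) not in (None, "pass"):
            findings.append(f"{mech}={auth[mech]}")

    from_dom = _domain(msg.get("From"))
    reply_dom = _domain(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to-domain-differs:{reply_dom}")

    # Message-ID domain is normally the sender's domain or a subdomain of it.
    mid = (msg.get("Message-ID") or "").strip().strip("<>")
    mid_dom = mid.rpartition("@")[2].lower()
    if mid_dom and mid_dom != from_dom and not mid_dom.endswith("." + from_dom):
        findings.append(f"message-id-domain-differs:{mid_dom}")

    # The oldest hops are written on the sender's side and can be forged:
    # treat this IP as a lead to confirm with provider records, not as proof.
    origin = next((h["ip"] for h in hops if h["ip"]), None)
    return {"hops": hops, "origin_ip": origin, "auth": auth, "findings": findings}


if __name__ == "__main__":
    result = analyze(SAMPLE_HEADERS)
    for hop in result["hops"]:
        print(hop["when"], hop["ip"], hop["raw"])
    print(result["origin_ip"], result["auth"], result["findings"])
```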
[[Back|Examination]]
<<set $phone to $phone + 1>>
<strong>Phone evidence provides crucial context for real-time communications and location-based intelligence, making SMS and call logs vital in forensic investigations.</strong>
<strong>Disclaimer:</strong> The following checklist outlines common phone evidence to search for, but you may not find every piece of expected data in every investigation.
<b>Phone Number Correlation</b>
<ul>
<li>Identify SMS recipients confirming exchange details, such as keywords or references to the owl trade.</li>
<li>Cross-reference phone numbers with call logs, OSINT directories, and SIM registration data to link numbers to suspects.</li>
<li>Recover deleted SMS and call records using forensic tools (e.g., Cellebrite, UFED) to uncover hidden communications.</li>
<li>Analyze SMS timestamps and message content for conversation threads and transaction coordination.</li>
<li>Map call frequency and duration to detect unusual patterns or covert planning calls.</li>
<li>Correlate cell tower data with GPS metadata to verify suspect locations during key events.</li>
<li>Examine messaging app metadata (WhatsApp, Signal) for encrypted headers and contact status changes.</li>
<li>Integrate phone data with chat and email timelines to build a comprehensive event chronology.</li>
</ul>
[[Back|Examination]]
<<set $geo to $geo + 1>>
<strong>Geo-location evidence can tie suspects to specific locations, validate alibis, and reconstruct movement patterns, making it invaluable in investigations.</strong>
<strong>Disclaimer:</strong> The following checklist outlines common geo-location evidence to search for, but you may not find every piece of expected data in every investigation.
<b>Geo-Location Data Review</b>
<ul>
<li>Extract Google Maps history and timeline data to map buyer movements and potential meeting spots.</li>
<li>Analyze GPS EXIF metadata in images and videos for precise coordinates of rendezvous locations.</li>
<li>Check Wi‑Fi SSID logs and cell tower connection records to confirm device presence at exchange sites.</li>
<li>Review AR game (Owlscape) geotags and in-game location caches for hidden drop-off hints.</li>
<li>Correlate geo-fence alerts and geolocation-based app logs to triangulate suspect positions.</li>
<li>Examine operating system location services logs (Windows Location API, Android Location History).</li>
<li>Cross-reference device GPS data with third-party telemetry (e.g., ride-share pickups or delivery apps).</li>
<li>Validate time-synced location data against communication timestamps for timeline accuracy.</li>
</ul>
[[Back|Examination]]
<div style="position:sticky; top:0; z-index:999; background:#000; padding:10px;">
<video src="http://downloads.csilinux.com/files/simulations/video/Nightwing-parts-5.mp4" controls style="width:100%; max-height:360px;"></video>
</div>
<b>The Examination: Unmasking the Buyer and Seller</b>
As you start the forensic examination, both the buyer and seller remain hidden behind layers of digital anonymity, using encrypted communication channels, aliases, and dark web platforms to obscure their identities. But no matter how carefully they operate, every interaction, search query, message, and exchanged file leaves behind forensic breadcrumbs, traces waiting to be uncovered.
It’s up to you, the forensic examiner, to meticulously analyze and cross-reference digital evidence from McAvoy’s Nexus 5 smartphone and Windows 10 PC. By extracting and correlating data, chat logs, metadata, financial transactions, and location history, you will begin to unmask the seller and reveal the full extent of this operation.
<strong>Key areas of focus include:</strong>
<ul>
<li>✅ <strong>Chat Metadata</strong> (Timestamps, Usernames, Alias Tracking)
<ul>
<li>Examining timestamps in Musical.ly and Pidgin chat logs to determine when key conversations took place.</li>
<li>Identifying usernames and aliases that may appear across multiple platforms, revealing behavioral patterns.</li>
<li>Checking for duplicate or similar aliases in other communication apps, potentially linking accounts to real-world identities.</li>
</ul>
</li>
<li>✅ <strong>Email Headers</strong> (IP Traces, Alias Analysis, Digital Fingerprinting)
<ul>
<li>Extracting header data from Gmail correspondence between the buyer and seller to uncover originating IP addresses.</li>
<li>Comparing email timestamps to chat logs for timeline consistency.</li>
<li>Analyzing reply-to fields, forwarding addresses, and email clients used to detect patterns that could expose real names or locations.</li>
</ul>
</li>
<li>✅ <strong>Phone Number Correlation</strong> (SMS and Contact List Analysis)
<ul>
<li>Identifying the recipient of the buyer’s SMS message confirming the exchange details.</li>
<li>Cross-referencing phone numbers with call logs, contact lists, and possible OSINT sources to establish potential matches.</li>
<li>Recovering deleted SMS or call records that may indicate prior communication with the seller.</li>
</ul>
</li>
<li>✅ <strong>Geo-Location Data</strong> (Maps History, GPS Metadata, Device Logs)
<ul>
<li>Extracting Google Maps location history to pinpoint the agreed-upon meeting location.</li>
<li>Analyzing GPS coordinates in image metadata, which may reveal where photos of the owl were taken or sent from.</li>
<li>Checking Wi-Fi and cell tower logs for signals that place the buyer or seller at a specific location during the trade.</li>
</ul>
</li>
</ul>
By methodically examining the digital evidence, you will reconstruct a timeline of events, uncover hidden connections, and compile the concrete proof needed to push the investigation forward. Once your analysis reveals enough critical evidence, law enforcement can move to secure subpoenas or warrants to obtain real-world identifiers, registered IP addresses, mobile carrier records, and financial transactions, ultimately leading to the seller’s identification, arrest, and prosecution. Every data fragment you recover is a step closer to shutting this operation down for good.
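The timeline reconstruction described above depends on putting every source on one clock first. The sketch below is an added example, not part of the lab material: the records are constructed, the chat export shape (device-local time with no offset) and the function names are assumptions, and the SMS values use Android-style epoch milliseconds.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed records (not case data).
# chat:  assumed export with device-local time and no UTC offset
# email: RFC 5322 Date header values
# sms:   epoch milliseconds
CHAT = [
    ("2019-03-05 09:05:10", "buyer_alias", "still on for tonight?"),
    ("2019-03-05 09:06:02", "seller_alias", "yes. details by mail"),
]
EMAIL = [("Tue, 05 Mar 2019 14:09:30 +0000", "seller@example.org", "Re: details")]
SMS = [(1551795000000, "+15550100", "confirmed")]


def build_timeline(chat_utc_offset_hours):
    """Merge all sources into one list of (utc_time, source, actor, text), sorted.

    chat_utc_offset_hours is the examiner's finding for the device time zone;
    it must come from the device's own settings, not from a guess.
    """
    chat_tz = timezone(timedelta(hours=chat_utc_offset_hours))
    events = []
    for stamp, who, text in CHAT:
        local = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=chat_tz)
        events.append((local.astimezone(timezone.utc), "chat", who, text))
    for stamp, who, text in EMAIL:
        when = parsedate_to_datetime(stamp).astimezone(timezone.utc)
        events.append((when, "email", who, text))
    for millis, who, text in SMS:
        when = datetime.fromtimestamp(millis / 1000, tz=timezone.utc)
        events.append((when, "sms", who, text))
    return sorted(events, key=lambda e: e[0])


def cross_source_links(timeline, window=timedelta(minutes=5)):
    """Adjacent events from different sources that fall within `window`.

    These hand-offs (chat to email, email to SMS) are the points where one
    conversation moves between channels and are worth documenting together.
    """
    links = []
    for prev, cur in zip(timeline, timeline[1:]):
        gap = cur[0] - prev[0]
        if prev[1] != cur[1] and gap <= window:
            links.append((prev[1], cur[1], gap))
    return links


if __name__ == "__main__":
    # Correct offset (UTC-5 assumed for the constructed data) versus treating
    # the naive chat times as UTC, which silently breaks the chat-to-email link.
    for offset in (-5, 0):
        timeline = build_timeline(offset)
        print(f"chat offset {offset:+d}h")
        for when, source, who, text in timeline:
            print("  ", when.isoformat(), source, who, text)
        print("   links:", cross_source_links(timeline))
```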
* [[Start filling in your Examination Results|ExaminationResults]]
<img src="https://downloads.csilinux.com/images/document_review_001.png" width=100%>
<strong>Complete the following forensic challenges to proceed to the next level:</strong>
<strong>Challenge 1:</strong> What two popular ecommerce sites were used to search for purchasing owls? Enter both site names below:<br>
<<textbox "$ans1" "Enter site names">>
<strong>Challenge 2:</strong> What communications tool was used to communicate with the Owl Trader? Enter the tool name below:<br>
<<textbox "$ans2" "Enter the chat tool">>
<strong>Challenge 3:</strong> What email client was used to send pictures of owls? Enter the email client below:<br>
<<textbox "$ans3" "Enter the email client">>
<<button "Submit Answers">>
<<set $ans1 to $ans1.toLowerCase()>><<set $ans2 to $ans2.toLowerCase()>><<set $ans3 to $ans3.toLowerCase()>><<set _correct to ($ans1.includes("amazon") && $ans1.includes("etsy") && $ans2 === "pidgin" && $ans3 === "gmail")>>
<<if _correct>>
<<goto "ExaminationResults2">>
<<else>>
<<goto "ExaminationResultsFail">>
<</if>>
<</button>><img src="https://downloads.csilinux.com/images/document_review_001.png" width=100%>
<strong>Complete the following forensic challenges to proceed to the next level:</strong>
<strong>Challenge 1:</strong> What is Owl Trader's email address?<br>
<<textbox "$ans1" "Enter email">>
<strong>Challenge 2:</strong> What is Sarah McAvoy's email address?<br>
<<textbox "$ans2" "Enter email">>
<strong>Challenge 3:</strong> What phone number is associated with the Nexus phone?<br>
<<textbox "$ans3" "Enter numbers only">>
<<button "Submit Answers">>
<<set $ans1 to $ans1.toLowerCase()>><<set $ans2 to $ans2.toLowerCase()>><<set $ans3 to $ans3.toLowerCase()>><<set _correct to ($ans1.includes("layster82@gmail.com") && $ans2 === "mcavoyS87@gmail.com".toLowerCase() && $ans3 === "13046388446")>>
<<if _correct>>
<<goto "ExaminationResults3">>
<<else>>
<<goto "ExaminationResultsFail">>
<</if>>
<</button>><img src="https://downloads.csilinux.com/images/legal_issues_001.png" width=100%><strong style="color:red;">One or more answers are incorrect. Please try again.</strong>
Your digital dossier hit a snag: one or more answers didn’t align with the forensic record. Each mistake is a learning point; no operative nails it on the first pass. Dive back into the case files:
<<return>><img src="https://downloads.csilinux.com/images/document_review_001.png" width=100%>
<strong>Complete the following forensic challenges to proceed to the next level:</strong>
<strong>Challenge 1:</strong> What website was used that focuses on trading birds?<br>
<<textbox "$ans1" "Enter domain name">>
<strong>Challenge 2:</strong> What movie franchise was searched for that contains owls?<br>
<<textbox "$ans2" "Enter movie franchise name">>
<strong>Challenge 3:</strong> What main operating system is associated with the Nexus phone?<br>
<<textbox "$ans3" "Enter phone OS">>
<<button "Submit Answers">>
<<set $ans1 to $ans1.toLowerCase()>><<set $ans2 to $ans2.toLowerCase()>><<set $ans3 to $ans3.toLowerCase()>><<set _correct to ($ans1.includes("birdtrader.com") && $ans2 === "harry potter" && $ans3 === "android")>>
<<if _correct>>
<<goto "TheReport">>
<<else>>
<<goto "ExaminationResultsFail">>
<</if>>
<</button>><img src="https://downloads.csilinux.com/images/document_review_001.png" width=100%>
<b>Finalize Your Dossier</b>
Step into the command center with your evidence dossier blazing bright on your screen. Each log entry, timestamp, and geolocation pin you’ve unearthed tells the story that will topple the Owl Trafficking Syndicate.<br><br>
<strong>Report Requirements:</strong>
<ul>
<li>Case Summary: Clear overview of objectives, findings, and key events.</li>
<li>Evidence Collation: Embed annotated screenshots of chat logs, email headers, and location maps.</li>
<li>Timeline Visualization: Chronological list of actions with precise timestamps.</li>
<li>Indicators of Compromise: Bullet-point list of aliases, IP addresses, and codewords.</li>
</ul>
<strong>Submission Steps:</strong>
<ul>
<li>Save the document as <code>NightWing_Report_[YourName].pdf</code> or <code>.docx</code>.</li>
<li>Package all supporting files into a .zip archive named <code>NightWing_Evidence_[YourName].zip</code>.</li>
<li>Email your package to <a href="mailto:support@csilinux.com">support@csilinux.com</a> with the subject <code>[NightWing CTF] Final Report</code>.</li>
</ul>
<strong>Remember:</strong> Your analysis turns data fragments into decisive action. This report is your final strike against the syndicate. Make every detail count.
The investigation moves forward based on your comprehensive analysis.<video controls src="https://csilinux.com/videos/CSILinuxAcademyContentIntro.mp4" width=100% autoplay muted></video>
<center><h2>
<<type 60ms>>\
Operation NightWing: The Trade at Hollow Pine
\<</type>>
</h2>
<!--***The timer does not need to be used; it is only here as an example of how it could be used.-->
<<set $timerMsg to "">>
<<set $timedPassage to "Intro">>
<<set $seconds to 8>>
<<include "app_Timer">>\
</center><span id="countdown"></span>
<<silently>>
<<repeat 1s>>
<<set $seconds to $seconds - 1>>
<<if $seconds gt 0>>
<<if $timerMsg>>
<<replace "#countdown">>$timerMsg<</replace>>
<<else>>
<<replace "#countdown">><</replace>>
<</if>>
<<else>>
<<replace "#countdown">><</replace>>
<<goto $timedPassage>>
<<stop>>
<</if>>
<</repeat>>
<</silently>><img src="https://downloads.csilinux.com/images/document_review_001.png" width=100%>
//@@NOTICE@@: All parties and materials were created specifically for this immersion exercise. Any reference to or use of current events within the scenario is only to provide real-world content and is only to be researched and/or used in a passive manner. At no time should a real event, person or group be investigated beyond the context of the scenario, nor should any active techniques be used in the completion of any portion of this challenge.//\
<div>\
<h2 style="margin-bottom:0">Operation NightWing - The Trade at Hollow Pine</h2><span><sup><i>An immersive scenario, developed by Echothis Labs.</i></sup></span>
</div>\
Step into the shoes of a forensic investigator on a mission that is a race against time, where each decision could lead to eliminating the threat or to the loss of an entire species.
Do you have what it takes to navigate the intricacies of computer crime scenes, uphold the law, and ensure the safety of the majestic owl? Put your knowledge of processes and procedures to the test in a story where every choice has its consequence.
Experience the intricate dance of legality, strategy, and investigation in a narrative where every decision could change the outcome. Join Operation NightWing: The Trade at Hollow Pine, and be a part of a story bigger than yourself.
<strong><i>Key Information!</i></strong> <i>Ensure you download the "Lab Guide" and "Evidence Files" files, located on the left, before you start this. These are required to complete Operation NightWing - The Trade at Hollow Pine. If you are using Autopsy, you can download the "Pre-Indexed Case" files to save you time.</i>
If you are ready, then let's read you into the case.
[[Proceed|Work]]<a href="https://csilinux.com" target="_blank"><img src="https://downloads.csilinux.com/images/echothisbanner.png" width="100%"></a><<set $creditson to 1>><<set $restartme to 0>>
Welcome to Echothis Labs Training Academy. Explore our suite of courses designed to sharpen your open-source intelligence, forensics, and covert-ops capabilities. For the full catalog, visit <a href="https://echothislabs.com/course/index.php?categoryid=all" target="_blank">Echothis Labs</a>.
<b>Certified Investigator (CSIL-CI)</b>
Dive into CSI Linux fundamentals, case management, online investigations, and advanced analysis techniques—from malware analysis to threat hunting. Perfect for budding investigative professionals.
<b>Certified OSINT Analyst (CSIL-COA)</b>
Master open-source intelligence: anonymity protocols, sock-puppet creation, digital-footprint analysis, cryptocurrency onramps, and AI-enhanced methodologies. Transform raw data into actionable insights.
<b>Certified Social Media Investigator (CSIL-CSMI)</b>
Harvest evidence across social platforms—preserve posts from YouTube, TikTok, and Twitter; extract metadata; navigate Terms of Service pitfalls; and deliver courtroom-ready SOCMINT reports.
<b>Certified Computer Forensic Investigator (CSIL-CCFI)</b>
Advance your skills in forensic imaging, deleted-file recovery, memory forensics, and system-artifact analysis across Windows, Mac, and Linux. Handle any cyber incident with precision.
<b>Certified Covert Comms Specialist (CSIL-C3S)</b>
Learn the art of digital stealth: burner-phone strategies, steganography, encrypted messaging, network pivoting, and darknet traversal. Build and protect clandestine comms channels.
<b>Certified Dark Web Investigator (CSIL-CDWI)</b>
Navigate hidden services, advanced search techniques, de-anonymization tactics, and secure crypto workflows. Extract intel from the darkest corners of the web.
<<return>>