DIGITAL FORENSICS:Magnet User Summit 2019 MUS2019 DFIR CTF
You can download the evidence and a 30 day license key for Magnet Axiom here:
https://drive.google.com/drive/u/0/mobile/folders/1E0lELj9NouMwSMGZCI7lXWRqYE2uQCpW?usp=sharing
You can register for the CTF and play here:
https://mus2019.ctfd.io/
https://drive.google.com/drive/u/0/mobile/folders/1E0lELj9NouMwSMGZCI7lXWRqYE2uQCpW?usp=sharing
You can register for the CTF and play here:
https://mus2019.ctfd.io/
1. What is the SHA1 hash of the desktop post's forensic image?
If the forensic capture does not have hashes, it is not a forensic capture. We review the file MUS-CTF-19-DESKTOP-001.E01.txt and find the hash in no time.
2. Who acquired the forensic image of the desk?
The same log file of the forensic acquisition in the previous section gives us the answer.
3. What is the serial number of the OS volume of the desktop station?
The volume serial number is a hexadecimal value that is generated when the filesystem is created. The Microsoft documentation tells us that for NTFS file systems we have it in position 0x48 of the BPB (Bios Parameter Block), which is part of the boot sector. We have this sector on the disk in the $ boot (at the root of the disk). We mount the disk with FTK Imager and access the hexadecimal value:
4. What is the timezone of the desktop station?
If it is a system configuration, it has to be in the Windows registry. We mount the image with FTK Imager Lite, we extract the folder C: \ Windows \ System32 \ config (because surely we will need more). The key in question is:
5. Which user installed TeamViewer?
A quick look at C: \ Users indicates
7. How Many Times 2
At least how many times did the teamviewer_desktop.exe run?
8. What is the name of the file associated with MFT entry number 102698?
we just have to export the $ MFT and pass it through the mftdump.exe tool:
we just have to export the $ MFT and pass it through the mftdump.exe tool:
opening the .csv with MSOffice and locate the input.
12.What is the IP address of the Desktop?
To extract Registry files you must search in the directory at the path %SystemRoot%\System32\Config, right-click on the file you need them and then select the export option.
| System | HKEY_LOCAL_MACHINE\SYSTEM |
Open the following path in the Registry Editor: HKEY_LOCAL_MACHINE\SYSTEM \CurrentControlSet \Services \Tcpip\Parameters\Interfaces.
13. Which User Shutdown Windows on February 25th 2019?
Windows Server Event: 1074
Event 1074 applies to the following operating systems:
- Windows Server 2008 R2 and 7
- Windows Server 2012 R2 and 8.1
- Windows Server 2016 and 10
Event ID 1074: System has been shutdown by a process/user.
โจทย์ CTF มาให้ลองเล่น เป็นโจทย์แนว forensicsและเป็นอีกครั้งที่ผมทำLab ไม่เสร็จ ขอค้างไว้แค่นี้ก่อนแล้วค่อยทยอย ทำเรื่อยๆครับ
Ref:
หมายเหตุ:เนื้อหาในเว็บไซต์นี้มีขึ้นเพื่อวัตถุประสงค์ในการให้ข้อมูลและเพื่อการศึกษาเท่านั้น
* หากมีข้อมูลข้อผิดพลาดประการใด ขออภัยมา ณ ที่นี้ด้วย รบกวนแจ้ง Admin เพื่อแก้ไขต่อไป
ขอบคุณครับ
#WindowsForensic #ComputerForensics #dfir #forensics #digitalforensics #computerforensic #investigation #cybercrime #fraud
No comments:
Post a Comment