Saturday, October 16, 2021

DIGITAL FORENSICS:WINDOWS FORENSICS WORKSHOP CASE

DIGITAL FORENSICS:Windows Forensics Workshop Case

    CASE OVERVIEW: You have been given a system that has been used for some illegal activity were the user accessed confidential files that the user was not supposed to access. The system has two user accounts which are the main suspects involved in this case ("joker" and "IEUser"). You are required to provide answers to all the questions below by providing evidence (proof) with details and screenshots. Remember: SCREENSHOT OR IT DID NOT HAPPEN ;)

    All of the case files can be found here.

    They can also be found here and here too.

    To successfully solve this challenge, a report with answers to the tasks below is required:
  • What is the hash value for the given forensic image?
  • Which user account was used to access some confidential documents?
  • Explain in detail what proof do you have to support your answer?
  • Did the user access the confidential files from a local drive or network location?
    WINDOWS FORENSICS WORKSHOP CASE

  • WINDOWS FORENSICS WORKSHOP CASE

  • What proof do you have to support your answer?
  • List all the files that were accessed with full paths.
  • Provide two different evidence to prove that those files were truly accessed.
  • Which application was used to open any of the confidential document(s)?
  • The next three questions are related to the image with the text "AnotherPassword4U" found inside the user's home directory.
  • What is the full path to the files of interest?
  • What is the Volume Serial Number where the file exists?
  • What are the Modified, Accessed, and Creation (MAC) timestamps in UTC for the file?
  • The DCode.exe application was used by one of the users. Provide evidence to the next four questions below, but, be careful, this is a tricky question!!!
  • Which user do you think ran the application and what evidence do you have to support your hypothesis?
  • How many times was it used?
  • When was it last used?
  • Where was the application located (full path)?

Ref:https:acashemery 

หมายเหตุ:เนื้อหาในเว็บไซต์นี้มีขึ้นเพื่อวัตถุประสงค์ในการให้ข้อมูลและเพื่อการศึกษาเท่านั้น

* หากมีข้อมูลข้อผิดพลาดประการใด ขออภัยมา ณ ที่นี้ด้วย  รบกวนแจ้ง Admin เพื่อแก้ไขต่อไป
ขอบคุณครับ

#WindowsForensic #ComputerForensics #dfir #forensics #digitalforensics #computerforensic #investigation #cybercrime #fraud #CTF


No comments:

Post a Comment