Digital Forensics Professional - INE Lab 15 Exam (ECDFP)
Today I am preparing for the ECDFP exam by practicing the Digital Forensics Professional lab from the INE course.
The first step is to connect to the lab over VPN.
TASK 6 : ANALYZING JUMP LISTS
Tool
- Shellbags Explorer
questions:
1. To what file or application does this jump list point?
2. Can you identify the exact location of the target?
3. What is the target creation date?
4. Can we identify the hostname of the system from a Jumplist, if “YES,” what is it then?
5. Is this target pinned to the Windows taskbar or not?
6. Locate the jump list that is related to an Nmap activity, and then locate the target.
7. How can we know when the port scan task was performed? Any ideas?
8. Locate the jump lists that have pointers to folders. There should be three folders in it (Outlook, Desktop, and Exfil). Can you verify their creation dates with the information you retrieved from the UsrClass.dat (Shellbags), and are they identical?
9. Did you find any jump list for URLs?
10. What URLs has the user opened?
Select the jump list for the AppID that starts with 3f1ed.
1. To what file or application does this jump list point?
Answer: it points to the Welcome.docx file.
2. Can you identify the exact location of the target?
Answer: yes, the target is at:
C:\Users\Hunter\Documents\Welcome.docx
3. What is the target creation date?
Answer: it was created at 2016-06-21 12:27:37, which was found in the TargetCreationDate field.
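4. Can we identify the hostname of the system from a Jumplist, if “YES,” what is it then?
Answer: since the target was on C:\ and the NetworkShareInfo.NetworkShareName property holds \\4ORENSICS\Users, the hostname is most probably 4orensics.
5. Is this target pinned to the Windows taskbar or not?
Answer: I don’t think so because the “Pinned count” holds the value 0,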
6. Locate the jump list that is related to an Nmap activity, and then locate the target.
Answer: the jump list “ccb236c4222b614” is the one, as it refers to the nmap scanning report we found.
7. How can we know when the port scan task was performed? Any ideas?
Answer: the jump list for the nmap scan report was created at 2016-06-21 12:13:57,
8. Locate the jump lists that have pointers to folders. There should be three folders in it (Outlook, Desktop, and Exfil). Can you verify their creation dates with the information you retrieved from the UsrClass.dat (Shellbags), and are they identical?
Answer: Yes, the Jump List with the AppID “f01b4d95cf55d32a” had them.
The first directory “Exfil” was created on: 2016-06-21 09:37:36
The second directory “Desktop” was created on: 2016-06-21 08:37:46
The third directory “Outlook” was created on: 2016-06-21 13:14:25
9. Did you find any jump list for URLs?
Answer: Yes, it contained two URLs.
10. What URLs has the user opened?
Answer: they were http://www.metasploit.com/ and https://www.kali.org/
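Answers 4 and 5 above rely on the hostname and pin state that the tool displays. The following is an added example, not part of the original lab write-up or of any tool's code: it parses a DestList stream (the index inside an .automaticDestinations-ms jump list), which stores a pinned count in its header and a NetBIOS hostname and pin status per entry. It assumes the publicly documented version 1 (Windows 7/8) layout; `parse_destlist` and `build_sample` are hypothetical names, and the sample bytes are constructed from the path and hostname on this page plus a made-up timestamp.

```python
import struct
from datetime import datetime, timedelta

FILETIME_EPOCH = datetime(1601, 1, 1)
# DestList header (32 bytes): version, entry count, pinned count, counter,
# last entry id, add/delete action count.
HEADER = struct.Struct("<IIIfQQ")
# Version 1 entry (114 bytes): checksum, four 16-byte object/volume ids,
# 16-byte NetBIOS hostname, entry number, two unknown fields, FILETIME,
# pin status (-1 = not pinned), path length in UTF-16 characters.
ENTRY = struct.Struct("<Q16s16s16s16s16sIIfQiH")

def parse_destlist(data):
    """Parse a version 1 DestList stream into header counts and entries."""
    if len(data) < HEADER.size:
        raise ValueError("truncated DestList header")
    version, count, pinned_count, _, _, _ = HEADER.unpack_from(data, 0)
    if version != 1:
        raise ValueError("only the version 1 layout is handled here")
    entries, off = [], HEADER.size
    for _ in range(count):
        if off + ENTRY.size > len(data):
            raise ValueError("truncated DestList entry")
        f = ENTRY.unpack_from(data, off)
        off += ENTRY.size
        end = off + 2 * f[11]          # path length is in UTF-16 characters
        if end > len(data):
            raise ValueError("truncated target path")
        entries.append({
            "hostname": f[5].split(b"\0")[0].decode("ascii", "replace"),
            "entry": f[6],
            "last_recorded": FILETIME_EPOCH + timedelta(microseconds=f[9] // 10),
            "pinned": f[10] != -1,
            "path": data[off:end].decode("utf-16-le"),
        })
        off = end
    return {"pinned_count": pinned_count, "entries": entries}

def build_sample():
    """Constructed one-entry stream (not lab data): page's path and hostname."""
    path = r"C:\Users\Hunter\Documents\Welcome.docx"
    secs = int((datetime(2020, 1, 2, 3, 4, 5) - FILETIME_EPOCH).total_seconds())
    entry = ENTRY.pack(0, b"", b"", b"", b"", b"4ORENSICS", 1, 0, 1.0,
                       secs * 10**7, -1, len(path))
    return HEADER.pack(1, 1, 0, 1.0, 1, 1) + entry + path.encode("utf-16-le")

if __name__ == "__main__":
    print(parse_destlist(build_sample()))
```

On a real jump list the DestList stream first has to be extracted from the OLE compound file, and Windows 10 writes a later version with a longer entry header that this sketch rejects.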
eLearnSecurity Certified Digital Forensics
Reference : ine.com