Saturday, January 8, 2022

Digital Forensics Professional - INE Lab 15 สอบ (ECDFP)

Digital Forensics Professional - INE Lab 15 สอบ (ECDFP)

วันนี้จะมาเตรียมสอบ  ECDFP  โดยการฝึกทำ LAB  Digital Forensics Professional - INE  Course

ขั้นแรกคือ การเข้าไปทำ LAB  โดย VPN 

TASK 6 : ANALYZING JUMP LISTS 

Tool 

  • Shellbags Explorer

questions:

1. To what file or application does this jump list point to?

2. Can you identify the exact location of the target?

3. What is the target creation date?

4. Can we identify the hostname of the system from a Jumplist, if “YES,” what is it then?

5. Is this target pinned to the Windows taskbar or not?

6. Locate the jump list that is related to an Nmap activity, and then locate the target.

7. How can we know when the port scan task was performed? Any ideas?

8. Locate the jump lists that have pointers to folders. There should be three folders in it (Outlook, Desktop, and Exfil). Can you verify their creation dates with the information you retrieved from the UsrClass.dat (Shellbags), and are they identical?

9. Did you find any jump list for URLs?

10. What URLs has the user opened?


Digital Forensics Professional - INE Lab 15 สอบ (ECDFP)

Select the jump list for the AppID that starts with  3f1ed.

1. To what file or application does this jump list point to?

Answer: it points to the Welcome.docx file.

2.Can you identify the exact location of the target?

Answer: yes, it is.

C:\Users\Hunter\Documents\Welcome.docx

Digital Forensics Professional - INE Lab 15 สอบ (ECDFP)

3.What is the target creation date?

Answer: it was created at 2016-06-21 12:27:37, which was found in the TargetCreationDate field.

Digital Forensics Professional - INE Lab 15 สอบ (ECDFP)


4.Can we identify the hostname of the system from a Jumplist, if “YES,” what is it then?

Answer: since it was on the C:\ and we found that the NetworkShareInfo.NetworkShareName property holds \\4ORENSICS\Users; this means the hostname is most probably 4orensics.

Digital Forensics Professional - INE Lab 15 สอบ (ECDFP)


5.Is this target pinned to the Windows task bar or not?

Answer: I don’t think so because the “Pinned count” holds the value 0,


6.Locate the jump list that is related to an Nmap activity, and then locate the target.

Answer: the jump list “ccb236c4222b614” is the one, as it refers to the nmap scanning report we found.

Digital Forensics Professional - INE Lab 15 สอบ (ECDFP)

7.How can we know when was the port scan task performed? Any ideas?

Answer: the jump list for the nmap scan report was created at 2016-06-21 12:13:57,

Digital Forensics Professional - INE Lab 15 สอบ (ECDFP)

8. Locate the jump lists that have pointers to folders. There should be three folders in it (Outlook, Desktop, and Exfil). Can you verify their creation dates with the information you retrieved from the UsrClass.dat (Shellbags), and are they identical?

 Answer: Yes, the Jump List with the AppID “f01b4d95cf55d32a” had them.

The first directory “Exfil” was created on: 2016-06-21 09:37:36

The second directory “Desktop” was created on: 2016-06-21 08:37:46

The third directory “Outlook” was created on 2016-06-21 13:14:25

Digital Forensics Professional - INE Lab 15 สอบ (ECDFP)

9.Did you find any jump list for URLs?

Answer: Yes, it contained two URLs.

Digital Forensics Professional - INE Lab 15 สอบ (ECDFP)

10.What URLs has the user opened?

Answer: they were http://www.metasploit.com/ and https://www.kali.org/


อ่านเพิ่มเติม: Digital Forensics Professional - INE Lab 3 สอบ (ECDFP)

                eLearnSecurity Certified Digital Forensics

                Jump list


Reference ine.com

หมายเหตุ:เนื้อหาในเว็บไซต์นี้มีขึ้นเพื่อวัตถุประสงค์ในการให้ข้อมูลและเพื่อการศึกษาเท่านั้น ช่วยเตือนความจำ

* หากมีข้อมูลข้อผิดพลาดประการใด ขออภัยมา ณ ที่นี้ด้วย  รบกวนแจ้ง Admin เพื่อแก้ไขต่อไป
ขอบคุณครับ

#WINDOWSFORENSIC #COMPUTERFORENSICS #DFIR #FORENSICS #DIGITALFORENSICS #COMPUTERFORENSIC #INVESTIGATION #CYBERCRIME 

No comments:

Post a Comment