Sunday, January 1, 2023

Digital Forensics: Challenge #2 - User Policy Violation Case

  • Challenge #2 - User Policy Violation Case

  • This is another digital forensics image that was prepared to cover a full Windows Forensics course.

    1. System Image: here
    2. Hashes & Password: here
    3. Other download URLs (Archive.org) can be found here: here
    You can use the image to learn the following:
    1. File Carving, Custom Carving, and Keyword Searching
    2. File System Forensics - NTFS
    3. Deep Windows Registry Forensics: System and User Hives
      • SYSTEM
      • SOFTWARE
      • SAM
      • NTUSER.DAT
      • USRCLASS.DAT
    4. Other Windows Files: LNK, Jump Lists, Libraries, etc.
      1. Jump Lists
      2. Microsoft Windows Recent Items
      3. UserAssist: applications launched via Explorer, recorded under "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist"
      4. Registry Explorer shows the ROT13-encoded UserAssist value names already decoded
    5. Application Compatibility Cache (ShimCache)
      1. Artifacts of the Application Compatibility Cache
    6. Analyzing Windows Search (Search Charm)
    7. Analyzing Thumb Caches
    8. Analyzing Prefetch Files
      1. WinPrefetchView (NirSoft)
    9. Analyzing Recycle Bin(s)
    10. USB Forensics
    11. Events Analysis
    12. Email Forensics: Web and Outlook
    13. Browser Forensics: Internet Explorer and Google Chrome
    14. Skype Forensics
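To show what Registry Explorer does when it decodes UserAssist, here is an added Python example (not code from the post or from the challenge image): it undoes ROT13 on a value name, expands the known-folder GUID that Windows substitutes for the program's directory, and parses the 72-byte Windows 7+ Count value to recover the run count, focus time and last-run FILETIME. The value name and data are constructed for the example; the three known-folder GUIDs are standard Windows values.

```python
import codecs
import re
import struct
from datetime import datetime, timedelta, timezone

# Known-folder GUIDs that Windows writes into UserAssist paths in place of the directory.
KNOWN_FOLDERS = {
    "{6D809377-6AF0-444B-8957-A3773F02200E}": "%ProgramFiles%",
    "{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}": "%ProgramFiles(x86)%",
    "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}": "%SystemRoot%\\System32",
}

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def rot13(text):
    """ROT13 is its own inverse: the same call encodes and decodes."""
    return codecs.decode(text, "rot_13")


def decode_value_name(value_name):
    """Undo ROT13 on a UserAssist value name and expand a known-folder GUID prefix."""
    plain = rot13(value_name)
    for guid, folder in KNOWN_FOLDERS.items():
        # The GUID's hex letters were rotated too, so match case-insensitively.
        plain = re.sub(re.escape(guid), lambda _m: folder, plain, flags=re.IGNORECASE)
    return plain


def filetime_to_datetime(ft):
    """FILETIME counts 100 ns intervals since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - EPOCH_1601
    micros = (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * 10


def parse_count_value(data):
    """Parse the 72-byte Windows 7+ UserAssist Count value layout:
    run count at offset 4, focus count at 8, focus time (ms) at 12, last run FILETIME at 60."""
    if len(data) != 72:
        raise ValueError("expected the 72-byte Windows 7+ layout, got %d bytes" % len(data))
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    (last_run_ft,) = struct.unpack_from("<Q", data, 60)
    return {
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time": timedelta(milliseconds=focus_ms),
        "last_run": filetime_to_datetime(last_run_ft) if last_run_ft else None,
    }


def build_count_value(run_count, focus_count, focus_ms, last_run):
    """Build a sample 72-byte value (constructed test data, not taken from the image)."""
    data = bytearray(72)
    struct.pack_into("<III", data, 4, run_count, focus_count, focus_ms)
    struct.pack_into("<Q", data, 60, datetime_to_filetime(last_run))
    return bytes(data)


def describe(value_name, data):
    """Combine the decoded program path with the parsed execution counters."""
    entry = parse_count_value(data)
    entry["program"] = decode_value_name(value_name)
    return entry


# Constructed sample: the value name as stored in the hive (ROT13) and its binary data.
SAMPLE_NAME = rot13("{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\notepad.exe")
SAMPLE_DATA = build_count_value(3, 2, 45000, datetime(2016, 6, 21, 12, 0, tzinfo=timezone.utc))

if __name__ == "__main__":
    entry = describe(SAMPLE_NAME, SAMPLE_DATA)
    print(entry["program"], "runs:", entry["run_count"], "last:", entry["last_run"])
```

On a real hive the value names and data come from the Count subkey of each UserAssist GUID key; the {CEBFF5CD-...} and {F4E57C4B-...} subkeys hold executable and shortcut launches respectively, and the 72-byte layout applies to Windows 7 and later (XP used a 16-byte value).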
TeamViewer log: C:\Program Files (x86)\TeamViewer\Connections_incoming.txt
  • The machine was being operated remotely on 2016/06/21 12:14:29.

    This screenshot is from Autopsy and shows the examination of a deleted file's Recycle Bin record.

    $I5Z6K8U: the highlighted ASCII text reads C:\Users\Hunter\Pictures\fakeporn

    $I1H3FM.7z is a Windows deleted-file artifact created by the Recycle Bin; the highlighted ASCII text reads C:\Users\Hunter\Pictures.7z
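The $I records above are what Autopsy is displaying: each holds the original path, size and deletion time of the $R file stored beside it, which is why the path is readable in the hex view. The following Python parser is an added example (not part of the post, the image, or Autopsy) that reads both the Vista/7/8 layout (version 1, fixed 520-byte UTF-16 path) and the Windows 10 layout (version 2, length-prefixed path), rejects truncated records, and pairs a $I name with its $R counterpart. The sample records are constructed, not taken from the image.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME counts 100 ns intervals since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - EPOCH_1601
    micros = (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * 10


def parse_i_file(data):
    """Parse a Recycle Bin $I record: 8-byte version, 8-byte original size,
    8-byte deletion FILETIME, then the original path (layout depends on version)."""
    if len(data) < 24:
        raise ValueError("record shorter than the 24-byte $I header")
    version, size, deleted_ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        # Vista through 8.1: fixed 520-byte, null-padded UTF-16LE path (MAX_PATH).
        raw = data[24:24 + 520]
        if len(raw) < 520:
            raise ValueError("truncated version 1 $I record")
        path = raw.decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:
        # Windows 10+: 4-byte character count (including terminator), then the path.
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
        if len(raw) < nchars * 2:
            raise ValueError("truncated version 2 $I record")
        path = raw.decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError("unknown $I version %d" % version)
    return {
        "version": version,
        "original_size": size,
        "deleted_at": filetime_to_datetime(deleted_ft),
        "original_path": path,
    }


def build_i_file(version, size, deleted_at, path):
    """Build a sample $I record (constructed test data, not from the image)."""
    encoded = path.encode("utf-16-le")
    head = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted_at))
    if version == 1:
        if len(encoded) > 518:
            raise ValueError("path exceeds MAX_PATH for a version 1 record")
        return head + encoded.ljust(520, b"\x00")
    if version == 2:
        return head + struct.pack("<I", len(path) + 1) + encoded + b"\x00\x00"
    raise ValueError("unknown $I version %d" % version)


def paired_r_name(i_name):
    """$I<id>.<ext> pairs with $R<id>.<ext>, which holds the deleted file's content."""
    if not i_name.startswith("$I"):
        raise ValueError("not a $I file name: %s" % i_name)
    return "$R" + i_name[2:]


# Constructed samples: same deleted file in both record layouts.
SAMPLE_PATH = "C:\\Users\\Hunter\\Pictures\\example.7z"
SAMPLE_TIME = datetime(2016, 6, 21, 12, 0, tzinfo=timezone.utc)
SAMPLE_V1 = build_i_file(1, 4096, SAMPLE_TIME, SAMPLE_PATH)
SAMPLE_V2 = build_i_file(2, 4096, SAMPLE_TIME, SAMPLE_PATH)

if __name__ == "__main__":
    for rec in (SAMPLE_V1, SAMPLE_V2):
        print(parse_i_file(rec))
    print(paired_r_name("$I1H3FM.7z"))
```

When the $I record is readable but the matching $R file has been overwritten, the record still gives the original path, size and deletion time, which is exactly the evidence shown in the screenshot.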


    This image covers most if not all of the recent system artifacts that you might encounter. Let me know if you need any help or if you are an instructor and want the answers to each part of the case. I will only send the answers to verified instructors.

    End of Case.


Extension Mismatch



Reference: Ali Hadi

Note: The content on this website is provided for informational and educational purposes only.

* If any information is in error, we apologize; please notify the Admin so it can be corrected.
Thank you.

#WINDOWSFORENSIC #COMPUTERFORENSICS #DFIR #FORENSICS #DIGITALFORENSICS #COMPUTERFORENSIC #INVESTIGATION #CYBERCRIME #FRAUD #คดีอาชญากรรมคอมพิวเตอร์ #พยานหลักฐานดิจิทัล
