Category : Endpoint Forensics
LEVEL : Medium
Challenge Download Link : https://cyberdefenders.org/blueteam-ctf-challenges/enroll/62
Instructions:
- Unzip the challenge (pass: cyberdefenders.org)
- Load the AD1 image in FTK imager latest Windows version.
Scenario
Karen is a security professional looking for a new job. A company called “TAAUSAI” offered her a position and asked her to complete a couple of tasks to prove her technical competency. As a soc analyst Analyze the provided disk image and answer the questions based on your understanding of the cases she was assigned to investigate.
Tools:
First of all we need to dump some important registry hives :
- SAM
- SOFTWARE
- SECURITY
- SYSTEM
Now load these hives into Registry Explorer :
Q1-What is the administrator’s username?
- Go to SAM > Domains > Account > Users :
- Or go to root/user :
THE ANSWER : KarenQ2-What is the OS’s build number?
- Go to SOFTWARE > Microsoft > Windows NT > CurrentVersion
THE Answer : 16299Q3-What is the hostname of the computer?
- Go to SYSTEM > ControlSet001 > Control > ComputerName
THE Answer : TOTALLYNOTAHACKQ4-A messaging application was used to communicate with a fellow Alpaca enthusiest. What is the name of the software?
- Go to Software > Microsoft > Windows > CurrentVersion > App Paths
OR
THE Answer : skypeQ5-What is the zip code of the administrator’s post?
- Go to root > Users > Karen > AppData > Local > Google > Chrome > User Data > Default > Web Data :
THE Answer : 19709Q6-What are the initials of the person who contacted the admin user from TAAUSAI?
- First go to root > Users > Karen > AppData > Local > Microsoft > Outlook and dump the outlook folder :
- Now open “klovespizza@outlook.com” file with Kernel OST Viewer
- Go to the first Alpaca Activists email :
THE ANSWER : MSQ7-How much money was TAAUSAI willing to pay upfront?
- Take a look at the other mails :
THE Answer : 150000Q8-What country is the admin user meeting the hacker group in?
- Check the other mails :
- Now go to google maps and search with this coordinates :
THE Answer : EgyptQ9-What is the machine’s timezone? (Use the three-letter abbreviation)
- Go to SYSTEM > ControlSet001 > Control > TimeZoneInformation :
THE ANSWER : UTCQ10-When was AlpacaCare.docx last accessed?
- Go to root > AlpacaCare.docx and look at file details :
THE ANSWER : 03/17/2019 09:52 PMQ11-There was a second partition on the drive. What is the letter assigned to it?
- Go to System > MountedDevices :
THE ANSWER : AQ12-What is the answer to the question Company’s manager asked Karen?
- Back again to mails :
THE ANSWER :TheCardCriesNoMoreQ13-What is the job position offered to Karen? (3 words, 2 spaces in between)
- Check the other mails :
THE ANSWER : Cyber Security AnalystQ14-When was the admin user password last changed?
- Use RegRipper to analyses SAM file :
THE ANSWER : 03/21/2019 19:13:09Q15-What version of Chrome is installed on the machine?
- Go to Software > Microsoft > Windows > CurrentVersion > Uninstall :
THE ANSWER : 72.0.3626.121Q16-What is the HostUrl of Skype?
- Go to root > SkypeXXX > Zone.Identifer :
THE ANSWER : https://download.skype.com/s4l/download/win/Skype-8.41.0.54.exeQ17-What is the domain name of the website Karen browsed on Alpaca care that the file AlpacaCare.docx is based on?
- Go to root and dump AlpacaCare.docx :
- Now open the docx file :
THE ANSWER : palominoalpacafarm.comTHE END
BY : Ahmed Nasser
