AfricanFalls - Windows Image Forensics
What is the MD5 hash value of the suspect disk?
9471e69c95d8909ae60ddff30d50ffa1
What phrase did the suspect search for on 2021-04-29 18:17:38 UTC? (three words, two spaces in between)
# \Users\%userprofile%\AppData\Local\Google\Chrome\User Data\Default\History
password cracking lists
What is the IPv4 address of the FTP server the suspect connected to?
# /[root]/Users/John Doe/AppData/Roaming/FileZilla/filezilla.xml
192.168.1.20
What date and time was a password list deleted in UTC? (YYYY-MM-DD HH:MM:SS UTC)
# rifiuti-vista.exe /$Recycle.Bin/S-1-5-21-3061953532-2461696977-1363062292-1001/
2021-04-29 18:22:17 utc
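As an added example (not from the original writeup), a small Python parser for the $I metadata records that rifiuti-vista reads out of $Recycle.Bin; it shows where the deletion timestamp lives and converts the FILETIME to UTC. The sample record, its path and its size are constructed here, not taken from the challenge image.

```python
"""Parse Windows $Recycle.Bin $I records (the metadata rifiuti-vista reads)."""
import struct
from datetime import datetime, timedelta, timezone

# 100-ns ticks between the FILETIME epoch (1601-01-01) and the Unix epoch (1970-01-01)
FILETIME_EPOCH_DIFF = 116_444_736_000_000_000
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ft: int) -> datetime:
    """Convert a 64-bit FILETIME (100-ns ticks since 1601) to a UTC datetime."""
    secs, ticks = divmod(ft - FILETIME_EPOCH_DIFF, 10_000_000)
    return UNIX_EPOCH + timedelta(seconds=secs, microseconds=ticks // 10)


def utc_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_utc; only used to build the constructed sample."""
    d = dt - UNIX_EPOCH
    return ((d.days * 86_400 + d.seconds) * 10_000_000
            + d.microseconds * 10 + FILETIME_EPOCH_DIFF)


def parse_dollar_i(data: bytes) -> dict:
    """Parse one $I record: version 1 (Vista to 8.1) or version 2 (Windows 10+)."""
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        # fixed 520-byte UTF-16LE path, NUL padded
        path = data[24:24 + 520].decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:
        # 4-byte character count (includes the NUL terminator), then the path
        (nchars,) = struct.unpack_from("<I", data, 24)
        path = data[28:28 + nchars * 2].decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError(f"unknown $I version {version}")
    return {"version": version, "size": size,
            "deleted_utc": filetime_to_utc(ft), "path": path}


def build_sample_dollar_i(path: str, size: int, deleted: datetime) -> bytes:
    """Construct a version-2 $I record (sample data, not from the challenge image)."""
    name = (path + "\x00").encode("utf-16-le")
    return struct.pack("<QQQI", 2, size, utc_to_filetime(deleted), len(path) + 1) + name

# Constructed sample: a wordlist deleted at the time the question asks about
SAMPLE_DELETED = datetime(2021, 4, 29, 18, 22, 17, tzinfo=timezone.utc)
SAMPLE_I = build_sample_dollar_i(r"C:\Users\John Doe\Downloads\wordlist.txt", 4096, SAMPLE_DELETED)

if __name__ == "__main__":
    rec = parse_dollar_i(SAMPLE_I)
    print(rec["deleted_utc"].strftime("%Y-%m-%d %H:%M:%S UTC"), rec["path"])
```

Point it at a real $I file with `parse_dollar_i(open(path, "rb").read())`; the matching $R file next to it holds the deleted content.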
How many times was Tor Browser run on the suspect's computer? (number only)
# winprefetchview.exe /folder Y:\Prefetch
0
What is the suspect's email address?
# \Users\%userprofile%\AppData\Local\Google\Chrome\User Data\Default\History
dreammaker82@protonmail.com
What is the FQDN the suspect port scanned?
# /[root]/Users/John Doe/AppData/Roaming/Microsoft/Windows/PowerShell/PSReadLine/ConsoleHost_history.txt
dfir.science
What country was picture "20210429_152043.jpg" allegedly taken in?
# /Users/John Doe/Pictures/Contact/20210429_152043.jpg
# http://exif.regex.info/exif.cgi
zambia
What is the name of the parent folder that picture "20210429_151535.jpg" was in before the suspect copied it to the "contact" folder on his desktop?
# Exif Data + Shellbags
# Camera (EXIF): LG Electronics LM-Q725K, so the photo came from an LG phone
# Find in shellbags
# Users/Administrator/AppData/Local/Microsoft/Windows/UsrClass.dat
# Shellbag Explorer
Camera
The Windows password hashes for an account are below. What is the user's password? Anon:1001:aad3b435b51404eeaad3b435b51404ee:3DE1A36F6DDB8E036DFD75E8E20C4AF4:::
#
AFR1CA!
What is the user "John Doe's" Windows login password?
# https://miloserdov.org/?p=4129
#
PS C:\Users\hnl> Y:\x64\mimikatz.exe
.#####. mimikatz 2.2.0 (x64) #19041 May 31 2021 00:08:47
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz # lsadump::sam /system:Y:\SYSTEM /sam:Y:\SAM
Domain : DESKTOP-0J3S8C2
SysKey : ba508bdf20f883c63e72ad2c4d9f6fe2
Local SID : S-1-5-21-3061953532-2461696977-1363062292
SAMKey : da06fb9e37a128afcd210c7fcbee307f
RID : 000001f4 (500)
User : Administrator
RID : 000001f5 (501)
User : Guest
RID : 000001f7 (503)
User : DefaultAccount
RID : 000001f8 (504)
User : WDAGUtilityAccount
Hash NTLM: 69dbee1a98d4f53fbccb1fe5ce37c851
Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : e9b0f8fbd777e3589bef64b8fb3c4561
* Primary:Kerberos-Newer-Keys *
Default Salt : WDAGUtilityAccount
Default Iterations : 4096
Credentials
aes256_hmac (4096) : 4d2247927a0c04ec09b66d03e7ed55b1a0bbd45970c4eece65a6ab00e9d6859a
aes128_hmac (4096) : 5d8ecf3576c098645e45a3281ccc309d
des_cbc_md5 (4096) : 9d92adfd02cb54e5
* Packages *
NTLM-Strong-NTOWF
* Primary:Kerberos *
Default Salt : WDAGUtilityAccount
Credentials
des_cbc_md5 : 9d92adfd02cb54e5
RID : 000003e9 (1001)
User : John Doe
Hash NTLM: ecf53750b76cc9a62057ca85ff4c850e
Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : 7844054d945112afaa36825b3ffcedfc
* Primary:Kerberos-Newer-Keys *
Default Salt : DESKTOP-0J3S8C2John Doe
Default Iterations : 4096
Credentials
aes256_hmac (4096) : f01bca09159d454458c28dc002eb8dffe695e21c13dd670a94c62fc3249da4ad
aes128_hmac (4096) : b88e45d7cb74f3247815265956391875
des_cbc_md5 (4096) : b3d691e6dc7a9e73
OldCredentials
aes256_hmac (4096) : f01bca09159d454458c28dc002eb8dffe695e21c13dd670a94c62fc3249da4ad
aes128_hmac (4096) : b88e45d7cb74f3247815265956391875
des_cbc_md5 (4096) : b3d691e6dc7a9e73
* Packages *
NTLM-Strong-NTOWF
* Primary:Kerberos *
Default Salt : DESKTOP-0J3S8C2John Doe
Credentials
des_cbc_md5 : b3d691e6dc7a9e73
OldCredentials
des_cbc_md5 : b3d691e6dc7a9e73
ecf53750b76cc9a62057ca85ff4c850e:ctf2021