AfricanFalls - Windows Image Forensics

What is the MD5 hash value of the suspect disk?

9471e69c95d8909ae60ddff30d50ffa1

What phrase did the suspect search for on 2021-04-29 18:17:38 UTC? (three words, two spaces in between)

# \Users\%userprofile%\AppData\Local\Google\Chrome\User Data\Default\History
password cracking lists

What is the IPv4 address of the FTP server the suspect connected to?

# /[root]/Users/John Doe/AppData/Roaming/FileZilla/filezilla.xml
192.168.1.20

What date and time was a password list deleted in UTC? (YYYY-MM-DD HH:MM:SS UTC)

# rifiuti-vista.exe /$Recycle.Bin/S-1-5-21-3061953532-2461696977-1363062292-1001/
2021-04-29 18:22:17 utc
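
The deletion time that rifiuti-vista reports comes from the `$I` index file stored next to each recycled item, and that file can be parsed directly. This is an added example, not part of the original write-up or of the rifiuti2 project: it handles both the version 1 (Vista/7/8) and version 2 (Windows 10) layouts, which goes beyond the single case above, and the sample record's path and size are constructed placeholders.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01) to UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_i_file(data):
    """Parse one $I record; returns (version, size, deleted_utc, original_path)."""
    if len(data) < 24:
        raise ValueError("truncated $I header")
    version, size, ft = struct.unpack_from("<qqq", data, 0)
    if version == 1:            # Vista/7/8: fixed 520-byte UTF-16LE path field
        raw = data[24:24 + 520]
    elif version == 2:          # Windows 10+: 4-byte character count, then path
        if len(data) < 28:
            raise ValueError("truncated $I v2 path length")
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
        if len(raw) < nchars * 2:
            raise ValueError("truncated $I v2 path")
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw.decode("utf-16-le").split("\x00", 1)[0]
    return version, size, filetime_to_utc(ft), path

def build_sample(version, size, when, path):
    """Build a constructed $I record for the demo (not taken from the image)."""
    ft = int((when - FILETIME_EPOCH).total_seconds()) * 10_000_000
    head = struct.pack("<qqq", version, size, ft)
    enc = (path + "\x00").encode("utf-16-le")
    if version == 1:
        return head + enc.ljust(520, b"\x00")
    return head + struct.pack("<I", len(path) + 1) + enc

# Constructed inputs: path and size are placeholders; the timestamp is the answer above.
WHEN = datetime(2021, 4, 29, 18, 22, 17, tzinfo=timezone.utc)
SAMPLE_PATH = r"C:\Users\John Doe\Desktop\placeholder-list.txt"

if __name__ == "__main__":
    for v in (1, 2):
        _, size, deleted, path = parse_i_file(build_sample(v, 4096, WHEN, SAMPLE_PATH))
        print(f"v{v}: {deleted:%Y-%m-%d %H:%M:%S} UTC  {size} bytes  {path}")
```

To run it against real evidence, pass the bytes of an exported `$I` file to `parse_i_file`; the matching `$R` file holds the deleted content itself.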

How many times was Tor Browser run on the suspect's computer? (number only)

# winprefetchview.exe /folder Y:\Prefetch
0

What is the suspect's email address?

# \Users\%userprofile%\AppData\Local\Google\Chrome\User Data\Default\History
dreammaker82@protonmail.com

What FQDN did the suspect port scan?

# /[root]/Users/John Doe/AppData/Roaming/Microsoft/Windows/PowerShell/PSReadLine/ConsoleHost_history.txt
dfir.science

What country was picture "20210429_152043.jpg" allegedly taken in?

What is the name of the parent folder that picture "20210429_151535.jpg" was in before the suspect copied it to the "contact" folder on his desktop?

The Windows password hashes for an account are below. What is the user's password?
Anon:1001:aad3b435b51404eeaad3b435b51404ee:3DE1A36F6DDB8E036DFD75E8E20C4AF4:::

What is the user "John Doe's" Windows login password?
