HireMe - Windows Image Forensics

What is the administrator's username?

karen

What is the OS's build number?

16299

What is the hostname of the computer?

TOTALLYNOTAHACK

A messaging application was used to communicate with a fellow Alpaca enthusiest. What is the name of the software?

skype

What is the zip code of the administrator's post?

# Check autofill
# /Users/Karen/AppData/Local/Google/Chrome/User Data/Default/Web Data
19709

What is the first name of the person who contacted the admin user?

# look outlook data
# \Users\Karen\AppData\Local\Microsoft\Outlook\klovespizza@outlook.com.ost
# https://www.nucleustechnologies.com/download-ost-viewer.php
# Send Items > first one
Micheal

How much money was TAAUSAI willing to pay upfront?

# Send Items > second one
150000

What country is the admin user meeting the hacker group in?

# You will see '27 22 50.10 n 33 37 54.62 e' in mail
# go google
egypt

What is the machine's timezone? (Use the three-letter abbreviation)

UTC

When was AlpacaCare.docx last accessed?

# A:/alphacare.docx
03/17/2019 09:52 PM

There was a second partition on the drive. What is the letter assigned to it?

# Load System Registry
A

What is the answer to the question Company's manager asked Karen?

# You will see base64 text in inbox
# Hi Karen,


# No worries, it happens! We're just happy to finally hear from you.


# So I may have lied, my manager is saying that before we can offer you a job, we need to give you a quick test. Can you tell me what the answer to the thing at the bottom is?


# VGhlQ2FyZENyaWVzTm9Nb3Jl
TheCardCriesNoMore

What is the job position offered to Karen?

Cyber Security Analyst

When was the admin user password last changed?

# ripripper to SAM
03/21/2019 19:13:09

What version of Chrome is installed on the machine?

# /Users/Karen/AppData/Local/Google/Chrome/User Data/Last Version
72.0.3626.121

What is the name of the tool Karen hopes to learn?

$ foremost AlpacaCare.docx 
Processing: AlpacaCare.docx
|foundat=docProps/app.xml �(�
foundat=docProps/core.xml �(�
foundat=Secrets.txtI love hacking. I want to learn how to use BeEF. PK
foundat=word/document.xml�}��:���
foundat=word/fontTable.xmlܔ[o� ��'�? ��5�ڬ�&M{�:�`��8$n�����6s2Ś�i3������>���i��F����I������ՔpL��0Z��^
foundat=word/media/image1.jpeg����

BeEF

What is the HostUrl of Skype?

# /root/Skype-8.41.0.54.exe/Zone.Identifier
https://download.skype.com/s4l/download/win/Skype-8.41.0.54.exe

What is the domain name of the website Karen browsed on Alpaca care that the file AlpacaCare.docx is based on?

# /Users/Karen/AppData/Local/Google/Chrome/User Data/Default/History
palominoalpacafarm.com