Hunter - Windows Image Forensics

What is the computer name of the suspect machine?

# Load the SYSTEM hive in Registry Explorer
c:\Windows\System32\config\SYSTEM

What is the computer IP?

\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces

What was the DHCP LeaseObtainedTime?

# You need to decode the LeaseObtainedTime value; it is stored as a Unix epoch timestamp (seconds since 1970-01-01 UTC)
\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces

What is the computer SID?

# The user SID is the one ending with RID 1001
\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

What is the Operating System(OS) version?

# Easily viewed in Registry Explorer under this key
\SOFTWARE\Microsoft\Windows NT\CurrentVersion\

What was the computer timezone?

# Check the TimeZoneInformation registry key and look up the timezone name/bias on Google
SYSTEM\ControlSet###\Control\TimeZoneInformation
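The DHCP lease and timezone questions both come down to decoding raw REG_DWORD values. The following script is an added example, not part of the original writeup: it decodes constructed sample values of the kind found under the Tcpip\Parameters\Interfaces and TimeZoneInformation keys (the values, the IP and the timezone name are made up, and the dictionaries stand in for whatever hive library you read the key with). It goes slightly beyond the question by also reading the signed Bias values correctly, which matters because a zone east of UTC stores a negative bias as a large unsigned DWORD.

```python
# Added example (not from the original writeup): decode the raw registry values
# behind the DHCP lease and timezone questions. All sample values are constructed.
from datetime import datetime, timedelta, timezone

# Constructed: values as read from
# SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}
INTERFACE_VALUES = {
    "DhcpIPAddress": "10.0.2.15",
    "LeaseObtainedTime": 1466499840,    # REG_DWORD, Unix epoch seconds (UTC)
    "LeaseTerminatesTime": 1466586240,  # REG_DWORD, Unix epoch seconds (UTC)
}

# Constructed: values as read from SYSTEM\ControlSet001\Control\TimeZoneInformation.
# Bias values are REG_DWORD minutes *west* of UTC and must be read as signed 32-bit.
TIMEZONE_VALUES = {
    "TimeZoneKeyName": "Pacific Standard Time",
    "Bias": 480,                  # standard offset: UTC-8
    "ActiveTimeBias": 420,        # offset in effect when the hive was written: UTC-7
    "DaylightBias": 0xFFFFFFC4,   # -60 stored as an unsigned DWORD
}


def dword_to_signed(value: int) -> int:
    """Interpret a 32-bit REG_DWORD as a two's-complement signed integer."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value


def epoch_to_utc(value: int) -> datetime:
    """DHCP lease timestamps are Unix epoch seconds; return an aware UTC datetime."""
    return datetime.fromtimestamp(value, tz=timezone.utc)


def format_offset(bias_minutes_signed: int) -> str:
    """Windows stores minutes west of UTC, so the UTC offset is the negated bias."""
    offset = -bias_minutes_signed
    sign = "+" if offset >= 0 else "-"
    hours, minutes = divmod(abs(offset), 60)
    return f"UTC{sign}{hours:02d}:{minutes:02d}"


def decode_timezone(values: dict) -> dict:
    standard = dword_to_signed(values["Bias"])
    active = dword_to_signed(values["ActiveTimeBias"])
    return {
        "name": values["TimeZoneKeyName"],
        "standard_offset": format_offset(standard),
        "active_offset": format_offset(active),
        "daylight_bias_minutes": dword_to_signed(values["DaylightBias"]),
        "dst_in_effect": active != standard,
    }


def decode_lease(values: dict, tz_values: dict) -> dict:
    """Decode the lease times and also express the obtained time in the machine's local zone."""
    obtained = epoch_to_utc(values["LeaseObtainedTime"])
    expires = epoch_to_utc(values["LeaseTerminatesTime"])
    local_tz = timezone(timedelta(minutes=-dword_to_signed(tz_values["ActiveTimeBias"])))
    fmt = "%Y-%m-%d %H:%M:%S"
    return {
        "ip": values["DhcpIPAddress"],
        "lease_obtained_utc": obtained.strftime(fmt) + " UTC",
        "lease_obtained_local": obtained.astimezone(local_tz).strftime(fmt),
        "lease_terminates_utc": expires.strftime(fmt) + " UTC",
        "lease_hours": (expires - obtained).total_seconds() / 3600,
    }


if __name__ == "__main__":
    print(decode_timezone(TIMEZONE_VALUES))
    print(decode_lease(INTERFACE_VALUES, TIMEZONE_VALUES))
```

Use the ActiveTimeBias, not Bias, when converting artefact timestamps to the suspect's local time: it reflects daylight saving as it was in effect when the hive was last written.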

How many times did this user log on to the computer?

# Download https://github.com/keydet89/RegRipper3.0, run it against the SAM hive and grep the user information from the output
rip.exe -r "<SAM-file-path>" -a

When was the last login time for the discovered account? Format: one-space between date and time

# Same RegRipper output as above; the last login time is listed next to the account
rip.exe -r "<SAM-file-path>" -a

There was a “Network Scanner” running on this computer, what was it? And when was the last time the suspect used it? Format: program.exe,YYYY-MM-DD HH:MM:SS UTC

# Run RegRipper against NTUSER.dat
# rip.exe -r "<NTUSER.dat-path>" -a > result.txt
zenmap.exe,2016-06-21 12:08:13 UTC

When did the port scan end? (Example: Sat Jan 23 hh:mm:ss 2016)

# In C:\Users\Hunter\.zenmap you will see recent_scan.txt. It points to C:\Users\Hunter\Desktop\nmapscan.xml
# Open xml file with https://codebeautify.org/xmlviewer

How many ports were scanned?

# The numservices attribute of the scaninfo element in the XML file gives the number of ports scanned
,49999-50003,50006,50300,50389,50500,50636,50800,51103,51493,52673,52822,52848,52869,54045,54328,55055-55056,55555,55600,56737-56738,57294,57797,58080,60020,60443,61532,61900,62078,63331,64623,64680,65000,65129,65389" protocol="tcp" numservices="1000" type="syn"></scaninfo>
    <verbose level="1"></verbose>
    <debugging level="0"></debugging>
    <output type="interactive">

What ports were found "open"?(comma-separated, ascending)

# List the port elements whose state is "open" in the XML file
22,80,9929,31337
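The three Nmap questions (scan end time, number of ports scanned, open ports) can all be answered from the saved XML without an online viewer. The following is an added example, not part of the original writeup: it parses a constructed, shortened nmaprun document that keeps the element layout of real Nmap XML output (scaninfo, host/ports/port/state, runstats/finished); the host, times and port states in it are sample values, not the challenge data. It generalises slightly by summing numservices over every scaninfo element, which matters when a scan covers both TCP and UDP.

```python
# Added example (not from the original writeup): extract the answers from Nmap XML.
# SAMPLE_NMAP_XML is a constructed, shortened scan file with real Nmap element names.
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -T4 -oX nmapscan.xml 192.168.56.101" start="1466510400" startstr="Tue Jun 21 12:00:00 2016" version="7.12">
<scaninfo type="syn" protocol="tcp" numservices="1000" services="1,3-4,6,7,9,13,17,19-26,80,443,9929,31337"/>
<host starttime="1466510400" endtime="1466510523">
<status state="up" reason="arp-response"/>
<address addr="192.168.56.101" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
<port protocol="tcp" portid="443"><state state="closed" reason="reset"/><service name="https"/></port>
<port protocol="tcp" portid="31337"><state state="open" reason="syn-ack"/><service name="Elite"/></port>
<port protocol="tcp" portid="9929"><state state="open" reason="syn-ack"/><service name="nping-echo"/></port>
<port protocol="tcp" portid="8080"><state state="filtered" reason="no-response"/><service name="http-proxy"/></port>
</ports>
</host>
<runstats>
<finished time="1466510523" timestr="Tue Jun 21 12:02:03 2016" elapsed="123.00" summary="Nmap done at Tue Jun 21 12:02:03 2016; 1 IP address (1 host up) scanned in 123.00 seconds" exit="success"/>
<hosts up="1" down="0" total="1"/>
</runstats>
</nmaprun>
"""


def load(xml_text: str) -> ET.Element:
    """Parse the document; for a file on disk use ET.parse(path).getroot() instead."""
    return ET.fromstring(xml_text)


def ports_scanned(root: ET.Element) -> int:
    """Sum numservices over every <scaninfo> (one per protocol, e.g. tcp and udp)."""
    return sum(int(si.get("numservices", "0")) for si in root.findall("scaninfo"))


def ports_by_state(root: ET.Element, state: str = "open") -> list:
    """Return the sorted, de-duplicated port numbers whose <state> matches."""
    found = set()
    for port in root.iter("port"):
        st = port.find("state")
        if st is not None and st.get("state") == state:
            found.add(int(port.get("portid")))
    return sorted(found)


def answer_csv(root: ET.Element, state: str = "open") -> str:
    """Format the port list the way the challenge asks for it: comma-separated, ascending."""
    return ",".join(str(p) for p in ports_by_state(root, state))


def scan_window(root: ET.Element) -> dict:
    """Start and end of the scan as Nmap wrote them in runstats/finished."""
    finished = root.find("runstats/finished")
    return {
        "start": root.get("startstr"),
        "end": finished.get("timestr"),
        "end_epoch": int(finished.get("time")),
        "elapsed_seconds": float(finished.get("elapsed")),
    }


if __name__ == "__main__":
    root = load(SAMPLE_NMAP_XML)
    print("ports scanned:", ports_scanned(root))
    print("open ports:", answer_csv(root))
    print("scan window:", scan_window(root))
```

The timestr in runstats/finished is written in the scanning machine's local time, so cross-check it against the timezone recovered from the SYSTEM hive before comparing it with UTC artefacts such as prefetch timestamps.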

What was the version of the network scanner running on this computer?

\Users\Hunter\.zenmap\zenmap_version
7.12

The employee engaged in a Skype conversation with someone. What is the skype username of the other party?

# Analyse with a SQLite browser
\Users\Hunter\AppData\Roaming\Skype\hunterehpt\main.db
linux-rul3z

What is the name of the application both parties agreed to use to exfiltrate data and provide remote access for the external attacker in their Skype conversation?

# You can see the answer by reading their messages
teamviewer

What is the Gmail email address of the suspect employee?

# You can see the answer in the Accounts table
ehptmsgs@gmail.com
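The three Skype questions are answered from the Accounts and Messages tables of main.db. The following script is an added example, not part of the original writeup: it builds an in-memory SQLite database with a reduced version of the Skype schema (the table names Accounts, Contacts and Messages and the columns used here are taken from the real schema, but the tables are stripped down to those columns, which is an assumption about what the real file contains) and fills it with constructed rows that reuse the usernames and address from this writeup. Point the same queries at the real main.db by replacing the connection.

```python
# Added example (not from the original writeup): scripted queries against a Skype main.db.
# The schema is a reduced subset of Skype's tables (assumption); rows are constructed.
import sqlite3
from datetime import datetime, timezone

SAMPLE_ROWS = {
    "Accounts": [("hunterehpt", "Hunter", "ehptmsgs@gmail.com")],
    "Contacts": [("linux-rul3z", "linux-rul3z"), ("echo123", "Echo / Sound Test Service")],
    "Messages": [  # (convo_id, author, from_dispname, timestamp (Unix epoch), body_xml)
        (1, "hunterehpt", "Hunter", 1466506800, "I need a way to get the files out"),
        (1, "linux-rul3z", "linux-rul3z", 1466506860, "install teamviewer and send me the id"),
        (1, "hunterehpt", "Hunter", 1466506920, "ok, teamviewer it is"),
    ],
}


def build_sample_db() -> sqlite3.Connection:
    """Create the constructed stand-in for \\Users\\Hunter\\AppData\\Roaming\\Skype\\<user>\\main.db."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Accounts (skypename TEXT, fullname TEXT, emails TEXT);
        CREATE TABLE Contacts (skypename TEXT, displayname TEXT);
        CREATE TABLE Messages (convo_id INTEGER, author TEXT, from_dispname TEXT,
                               timestamp INTEGER, body_xml TEXT);
    """)
    conn.executemany("INSERT INTO Accounts VALUES (?,?,?)", SAMPLE_ROWS["Accounts"])
    conn.executemany("INSERT INTO Contacts VALUES (?,?)", SAMPLE_ROWS["Contacts"])
    conn.executemany("INSERT INTO Messages VALUES (?,?,?,?,?)", SAMPLE_ROWS["Messages"])
    conn.commit()
    return conn


def account_info(conn: sqlite3.Connection) -> dict:
    """The local account: Skype name and the e-mail addresses registered with it."""
    row = conn.execute("SELECT skypename, fullname, emails FROM Accounts").fetchone()
    return {"skypename": row[0], "fullname": row[1], "emails": row[2]}


def conversation_partners(conn: sqlite3.Connection, owner: str) -> list:
    """Every author who wrote a message and is not the account owner."""
    rows = conn.execute(
        "SELECT DISTINCT author FROM Messages WHERE author != ? ORDER BY author", (owner,)
    ).fetchall()
    return [r[0] for r in rows]


def messages_mentioning(conn: sqlite3.Connection, keyword: str) -> list:
    """Messages containing the keyword, oldest first, with timestamps rendered in UTC."""
    rows = conn.execute(
        "SELECT timestamp, author, body_xml FROM Messages "
        "WHERE lower(body_xml) LIKE ? ORDER BY timestamp",
        (f"%{keyword.lower()}%",),
    ).fetchall()
    return [
        (datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"), author, body)
        for ts, author, body in rows
    ]


if __name__ == "__main__":
    db = build_sample_db()
    print(account_info(db))
    print(conversation_partners(db, account_info(db)["skypename"]))
    for line in messages_mentioning(db, "teamviewer"):
        print(line)
```

Work on a copy of main.db: opening the original with a SQLite client can create journal files beside it and alter the evidence directory.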

It looks like the suspect user deleted an important diagram after his conversation with the external attacker. What is the file name of the deleted diagram?

# Open \Users\Hunter\Documents\Outlookfiles\backup.pst with https://www.sysinfotools.com/recovery/pst-file-viewer.php, then find the image in the trash folder
home-network-design-networking-for-a-single-family-home-case-house-arkko-1433-x-792.jpg

The user Documents' directory contained a PDF file discussing data exfiltration techniques. What is the name of the file?

# I am too lazy to type the file name :)

What was the name of the crypto payment application possibly used by the suspect employee to transfer funds for the external attacker? (two words space separated)

# Unusual programs such as Jetico, TrueKey and USBpcap are installed; the only interesting one is Jetico, where we find BCWipe
# You need to analyse the uninstall.log file in this directory
Crypto swap

What are the serial numbers of the two identified USB storage?

# After viewing the hint, it said "MSDN is your friend"
# I googled "MSDN usb serial registry"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\<hardware id>\<instance id>\Device Parameters
07B20C03C80830A9, AAI6UXDKZDV8E9OU
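Rather than reading the Enum keys by hand, the serials can be pulled from a registry export. The following is an added example, not part of the original writeup: it parses a constructed excerpt in the text format produced by `reg export` (the vendor, product and FriendlyName strings are made up; the two serials are the ones from this writeup and the third device is a constructed one without a serial). It reads the USBSTOR branch rather than the USB branch quoted above, because the USBSTOR instance id is where Windows stores the device's reported serial number, and it applies the standard check that an instance id whose second character is `&` was generated by Windows for a device that reported no serial and is therefore not a unique identifier.

```python
# Added example (not from the original writeup): extract USB storage serial numbers
# from a .reg export of SYSTEM\CurrentControlSet\Enum\USBSTOR. Sample data is constructed.
import re

# Constructed excerpt. Real "reg export" output is UTF-16LE; decode it with
# open(path, encoding="utf-16") before passing the text in.
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_VendorA&Prod_Flash_Drive&Rev_1.26\07B20C03C80830A9&0]
"FriendlyName"="VendorA Flash Drive USB Device"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_VendorA&Prod_Flash_Drive&Rev_1.26\07B20C03C80830A9&0\Device Parameters]
"Partmgr"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_VendorB&Prod_Data_Stick&Rev_PMAP\AAI6UXDKZDV8E9OU&0]
"FriendlyName"="VendorB Data Stick USB Device"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&2a1b3c4d&0]
"FriendlyName"="Generic Flash Disk USB Device"
"""

# Matches only the instance-id level key, not its Device Parameters or other subkeys.
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\[^\\\]]+\\Enum\\USBSTOR\\([^\\\]]+)\\([^\\\]]+)\]$",
    re.IGNORECASE,
)


def parse_usbstor(reg_text: str) -> list:
    """Return one record per USBSTOR device instance found in the export."""
    devices = []
    current = None
    for line in reg_text.splitlines():
        m = KEY_RE.match(line)
        if m:
            device_id, instance_id = m.group(1), m.group(2)
            # "Disk&Ven_X&Prod_Y&Rev_Z" -> {"Ven": "X", "Prod": "Y", "Rev": "Z"}
            fields = dict(part.split("_", 1) for part in device_id.split("&")[1:] if "_" in part)
            current = {
                "device_id": device_id,
                "vendor": fields.get("Ven", ""),
                "product": fields.get("Prod", ""),
                "revision": fields.get("Rev", ""),
                "serial": instance_id.split("&")[0],
                # Windows generates an id with '&' as its second character when the
                # device reports no serial; such ids are not unique to the device.
                "has_unique_serial": len(instance_id) > 1 and instance_id[1] != "&",
                "friendly_name": "",
            }
            devices.append(current)
        elif line.startswith("["):
            current = None  # a different key; stop attributing values to the last device
        elif current is not None and line.startswith('"FriendlyName"='):
            current["friendly_name"] = line.split("=", 1)[1].strip().strip('"')
    return devices


def unique_serials(reg_text: str) -> list:
    """Only the serials that actually identify a device, in the order they appear."""
    return [d["serial"] for d in parse_usbstor(reg_text) if d["has_unique_serial"]]


if __name__ == "__main__":
    for dev in parse_usbstor(REG_EXPORT):
        print(dev)
    print(", ".join(unique_serials(REG_EXPORT)))
```

Pair each serial with the first/last connection times from the key's timestamps or the setupapi.dev.log before reporting it, so the serial is tied to an event on the timeline rather than listed on its own.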

One of the installed applications is a file shredder. What is the name of the application? (two words space separated)

# So simple
Jetico BCWipe

How many prefetch files were discovered on the system?

# I transferred the Prefetch folder to my Linux machine.
find . -type f -name "*.pf" | wc -l

How many times was the file shredder application executed?

# The hint said "https://www.sans.org/security-resources/posters/windows-forensic-analysis/170/download"
# You can use either PECmd (https://github.com/EricZimmerman/PECmd) or WinPrefetchView (https://www.nirsoft.net/utils/win_prefetch_view.html)
5

Using prefetch, determine when was the last time ZENMAP.EXE-56B17C4C.pf was executed?

# WinPrefetchView.exe /folder C:\Users\hnl\Desktop\Prefetch (incorrect result)
# PECmd.exe -f "Prefetch\ZEnxxxxxxx.pf" (correct result)
06/21/2016 12:08:13 PM

LNK file analysis shows that a JAR file for an offensive traffic manipulation tool was executed. What is the absolute path of the file?

# Export the \Users\Hunter directory from the image and process it recursively (LECmd takes a directory with -d, a single file with -f)
LECmd.exe -d "Hunter" --all --csv output
C:\Users\Hunter\Downloads\burpsuite_free_v1.7.03.jar.lnk

The suspect employee tried to exfiltrate data by sending it as an email attachment. What is the name of the suspected attachment?

# Found in the Outlook mailbox (backup.pst)
Pictures.7z

Shellbags shows that the employee created a folder to include all the data he will exfiltrate. What is the full path of that folder?

C:\Users\Hunter\Pictures\Exfil

The user deleted two JPG files from the system and moved them to $Recycle-Bin. What is the file name that has the resolution of 1920x1200?

Pictures\Private\ws_Small_cute_kitty_1920x1200.jpg

Provide the name of the directory where information about jump lists items (created automatically by the system) is stored?

# I had already read and noted some articles from eLearn forensics: 'https://app.gitbook.com/@hnl/s/elearn-forensics/windows-forensics/location-collection#jumplists'
# %APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations
# %APPDATA%\Microsoft\Windows\Recent\CustomDestinations
automaticDestinations-ms

Using JUMP LIST analysis, provide the full path of the application with the AppID of "aa28770954eaeaaa" used to bypass network security monitoring controls.

# Go to %USERPROFILE%\AppData\Microsoft\Windows\Recent\CustomDestinations
# You will see the AppId 'aa28770954eaeaaa'
# Analyse with JumpList Explorer
C:\Users\Hunter\Desktop\Tor Browser\Browser\firefox.exe
