# The DHCP lease timestamps (LeaseObtainedTime, LeaseTerminatesTime, T1, T2) under each interface GUID are REG_DWORD Unix epoch seconds; decode them to UTC.
\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
What is the computer SID?
# The profile subkey whose SID ends in RID 1001 is the first local user; the computer SID is that SID with the trailing RID removed.
\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
What is the Operating System(OS) version?
# Easy to read in Registry Explorer: ProductName, CurrentVersion and CurrentBuildNumber under this key.
\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
What was the computer timezone?
# Read TimeZoneKeyName (and Bias/ActiveTimeBias, signed minutes west of UTC) from TimeZoneInformation, then look the zone name up on Google. ### is the active control set; take it from SYSTEM\Select\Current.
SYSTEM\ControlSet###\Control\TimeZoneInformation
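# Added example (mine, not from the writeup): decoding the raw REG_DWORD values from the three keys above without Registry Explorer. The sample bytes are constructed; the conversion rules (Unix epoch for the DHCP lease times, signed minutes west of UTC for Bias/ActiveTimeBias, user SID = computer SID plus RID) are the documented formats.

```python
import struct
from datetime import datetime, timezone


def decode_dword(raw: bytes, signed: bool = False) -> int:
    """REG_DWORD is 4 bytes little-endian; Bias is stored as a signed value."""
    if len(raw) != 4:
        raise ValueError("REG_DWORD must be exactly 4 bytes")
    return struct.unpack("<i" if signed else "<I", raw)[0]


def dhcp_lease_time(raw: bytes) -> str:
    """LeaseObtainedTime, LeaseTerminatesTime, T1 and T2 under
    Tcpip\\Parameters\\Interfaces\\{GUID} are Unix epoch seconds in a REG_DWORD."""
    return datetime.fromtimestamp(decode_dword(raw), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def utc_offset_minutes(bias_raw: bytes) -> int:
    """Bias / ActiveTimeBias in TimeZoneInformation are signed minutes, positive
    WEST of UTC (UTC = local + Bias).  Returns local - UTC, e.g. +480 for UTC+8."""
    return -decode_dword(bias_raw, signed=True)


def format_offset(minutes: int) -> str:
    sign = "+" if minutes >= 0 else "-"
    hours, mins = divmod(abs(minutes), 60)
    return f"UTC{sign}{hours:02d}:{mins:02d}"


def machine_sid(profile_sid: str) -> str:
    """ProfileList subkeys are user SIDs (S-1-5-21-A-B-C-RID); the computer SID
    is the same string without the trailing RID."""
    parts = profile_sid.split("-")
    if len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"]:
        raise ValueError(f"not a local/domain account SID: {profile_sid}")
    return "-".join(parts[:-1])


if __name__ == "__main__":
    # Constructed sample bytes (what a hex view of the value would show); not values from the case image.
    print(dhcp_lease_time(bytes.fromhex("00ca9a3b")))                    # 2001-09-09 01:46:40 UTC
    print(format_offset(utc_offset_minutes(bytes.fromhex("20feffff"))))  # Bias 0xFFFFFE20 = -480 -> UTC+08:00
    print(machine_sid("S-1-5-21-1111111111-2222222222-3333333333-1001"))
```

# A negative Bias wraps to 0xFFFF.... in the hex view, so decode it as signed or you get the wrong hemisphere.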
How many times did this user log on to the computer?
# Download https://github.com/keydet89/RegRipper3.0 and run it against the SAM hive; -a runs every plugin for that hive type, and the samparse output lists each user with login count and last login.
rip.exe -r "<SAM-file-path>" -a
When was the last login time for the discovered account? Format: one-space between date and time
There was a “Network Scanner” running on this computer, what was it? And when was the last time the suspect used it? Format: program.exe,YYYY-MM-DD HH:MM:SS UTC
When did the port scan end? (Example: Sat Jan 23 hh:mm:ss 2016)
How many ports were scanned?
What ports were found "open"?(comma-separated, ascending)
What was the version of the network scanner running on this computer?
The employee engaged in a Skype conversation with someone. What is the skype username of the other party?
What is the name of the application both parties agreed to use to exfiltrate data and provide remote access for the external attacker in their Skype conversation?
What is the Gmail email address of the suspect employee?
It looks like the suspect user deleted an important diagram after his conversation with the external attacker. What is the file name of the deleted diagram?
The user Documents' directory contained a PDF file discussing data exfiltration techniques. What is the name of the file?
What was the name of the crypto payment application possibly used by the suspect employee to transfer funds for the external attacker? (two words space separated)
What are the serial numbers of the two identified USB storage?
One of the installed applications is a file shredder. What is the name of the application? (two words space separated)
How many prefetch files were discovered on the system?
How many times was the file shredder application executed?
Using prefetch, determine when was the last time ZENMAP.EXE-56B17C4C.pf was executed?
LNK file analysis shows that a JAR file for an offensive traffic manipulation tool was executed. What is the absolute path of the file?
The suspect employee tried to exfiltrate data by sending it as an email attachment. What is the name of the suspected attachment?
Shellbags shows that the employee created a folder to include all the data he will exfiltrate. What is the full path of that folder?
The user deleted two JPG files from the system and moved them to $Recycle-Bin. What is the file name that has the resolution of 1920x1200?
Provide the name of the directory where information about jump lists items (created automatically by the system) is stored?
Using JUMP LIST analysis, provide the full path of the application with the AppID of "aa28770954eaeaaa" used to bypass network security monitoring controls.
# Same RegRipper run against the SAM hive; the samparse output also gives the last login time.
rip.exe -r "<SAM-file-path>" -a
# RegRipper against NTUSER.DAT (the userassist plugin records run count and last execution time per program)
# rip.exe -r "<NTUSER.dat-path>" -a > result.txt
zenmap.exe,2016-06-21 12:08:13 UTC
# C:\Users\Hunter\.zenmap contains recent_scan.txt, which points to C:\Users\Hunter\Desktop\nmapscan.xml
# Open the XML file with https://codebeautify.org/xmlviewer
# The number of ports scanned is the numservices attribute of <scaninfo>; the end time is in <runstats><finished timestr="..."> (the scanning host's local time)
,49999-50003,50006,50300,50389,50500,50636,50800,51103,51493,52673,52822,52848,52869,54045,54328,55055-55056,55555,55600,56737-56738,57294,57797,58080,60020,60443,61532,61900,62078,63331,64623,64680,65000,65129,65389" protocol="tcp" numservices="1000" type="syn"></scaninfo>
<verbose level="1"></verbose>
<debugging level="0"></debugging>
<output type="interactive">
# Count the <port> elements whose <state state="open">, ascending
22,80,9929,31337
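# Added example (not part of the writeup): parsing the saved Nmap XML with Python instead of reading it in a viewer. It pulls numservices, the runstats finish time (local timestr and UTC from the epoch), the nmap version and the open ports in ascending order. SAMPLE_XML is a constructed report, not the case's nmapscan.xml.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample in the shape Nmap/Zenmap write with -oX; host, ports and times are made up.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -oX nmapscan.xml 10.0.0.5" start="1453543200"
         startstr="Sat Jan 23 10:00:00 2016" version="7.12" xmloutputversion="1.04">
<scaninfo type="syn" protocol="tcp" numservices="1000" services="1,3-4,6-7,9,13,17,19-26"/>
<host starttime="1453543200" endtime="1453543245">
  <status state="up" reason="echo-reply"/>
  <address addr="10.0.0.5" addrtype="ipv4"/>
  <ports>
    <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
    <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
    <port protocol="tcp" portid="443"><state state="closed" reason="reset"/><service name="https"/></port>
    <port protocol="tcp" portid="9929"><state state="open" reason="syn-ack"/><service name="nping-echo"/></port>
    <port protocol="tcp" portid="31337"><state state="open" reason="syn-ack"/><service name="Elite"/></port>
  </ports>
</host>
<runstats>
  <finished time="1453543245" timestr="Sat Jan 23 10:00:45 2016" elapsed="45.12" exit="success"/>
  <hosts up="1" down="0" total="1"/>
</runstats>
</nmaprun>
"""


def summarize_scan(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    if root.tag != "nmaprun":
        raise ValueError("not an Nmap XML report")
    # One <scaninfo> per protocol scanned; numservices is the port count for that protocol
    ports_scanned = sum(int(s.get("numservices", 0)) for s in root.findall("scaninfo"))
    finished = root.find("runstats/finished")
    if finished is None:
        # A scan killed before completion never writes <runstats>, so there is no end time
        raise ValueError("scan did not finish (no runstats/finished element)")
    open_ports = sorted(
        int(p.get("portid"))
        for p in root.iter("port")
        if p.find("state") is not None and p.find("state").get("state") == "open"
    )
    end_epoch = int(finished.get("time"))
    return {
        "version": root.get("version"),
        "scan_types": [s.get("type") for s in root.findall("scaninfo")],
        "ports_scanned": ports_scanned,
        "finished_local": finished.get("timestr"),  # scanning host's local time, the format the question asks for
        "finished_utc": datetime.fromtimestamp(end_epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "open_ports": ",".join(str(p) for p in open_ports),
    }


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_XML
    for key, value in summarize_scan(text).items():
        print(f"{key}: {value}")
```

# Run it as python nmap_summary.py nmapscan.xml; with no argument it summarises the constructed sample.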
\Users\Hunter\.zenmap\zenmap_version
7.12
# Analyse with DB Browser for SQLite
\Users\Hunter\AppData\Roaming\Skype\hunterehpt\main.db
linux-rul3z
# Visible in the Messages table (body_xml column) when reading their conversation
teamviewer
# Visible in the Accounts table (emails column)
ehptmsgs@gmail.com
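# Added example (mine, not from the writeup): querying main.db with Python's sqlite3 instead of clicking through DB Browser. The schema below is an assumed subset of the real Skype tables (Accounts.emails, Messages.author/dialog_partner/timestamp/body_xml) and the rows are constructed, not the suspect's chat.

```python
import re
import sqlite3
from datetime import datetime, timezone

# Assumed subset of the Skype main.db schema; the real tables have many more columns.
SCHEMA = """
CREATE TABLE Accounts (id INTEGER PRIMARY KEY, skypename TEXT, fullname TEXT, emails TEXT);
CREATE TABLE Messages (id INTEGER PRIMARY KEY, chatname TEXT, author TEXT,
                       from_dispname TEXT, dialog_partner TEXT,
                       timestamp INTEGER, body_xml TEXT);
"""

# Constructed rows. Skype stores timestamp as Unix seconds, body_xml with inline
# markup (emoticons etc.) and Accounts.emails as a space-separated list.
SAMPLE_ROWS = {
    "Accounts": [(1, "local.user", "Local User", "local.user@example.com alt@example.org")],
    "Messages": [
        (1, "#local.user/$remote.user;1a2b", "remote.user", "Remote", "remote.user",
         1453543200, "hi, got the docs?"),
        (2, "#local.user/$remote.user;1a2b", "local.user", "Local User", "remote.user",
         1453543260, 'yes <ss type="smile">:)</ss> which tool do we use?'),
        (3, "#local.user/$remote.user;1a2b", "remote.user", "Remote", "remote.user",
         1453543320, "use the remote-access tool we discussed"),
    ],
}


def load_sample() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO Accounts VALUES (?,?,?,?)", SAMPLE_ROWS["Accounts"])
    conn.executemany("INSERT INTO Messages VALUES (?,?,?,?,?,?,?)", SAMPLE_ROWS["Messages"])
    return conn


def open_main_db(path: str) -> sqlite3.Connection:
    """Open the evidence copy read-only so the file hash stays intact."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def account_emails(conn: sqlite3.Connection) -> list:
    """(skypename, email) for every address registered on the local account(s)."""
    out = []
    for skypename, raw in conn.execute("SELECT skypename, emails FROM Accounts"):
        out.extend((skypename, e) for e in (raw or "").split())
    return out


def conversation_partners(conn: sqlite3.Connection) -> list:
    """Who the local user talked to, busiest partner first."""
    rows = conn.execute(
        "SELECT dialog_partner, COUNT(*) FROM Messages GROUP BY dialog_partner ORDER BY 2 DESC")
    return [(partner, n) for partner, n in rows]


def timeline(conn: sqlite3.Connection) -> list:
    """(UTC time, author, plain text) in chronological order, markup stripped."""
    rows = conn.execute("SELECT timestamp, author, body_xml FROM Messages ORDER BY timestamp")
    out = []
    for ts, author, body in rows:
        when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
        out.append((when, author, re.sub(r"<[^>]+>", "", body or "")))
    return out


if __name__ == "__main__":
    conn = load_sample()
    print(account_emails(conn))
    print(conversation_partners(conn))
    for line in timeline(conn):
        print(*line)
```

# For the real file, replace load_sample() with open_main_db(r"...\Skype\<account>\main.db").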
# \Users\Hunter\Documents\Outlookfiles\backup.pst, opened with https://www.sysinfotools.com/recovery/pst-file-viewer.php; the image is in the trash (Deleted Items) folder.
home-network-design-networking-for-a-single-family-home-case-house-arkko-1433-x-792.jpg
# I was too lazy to type the file name :)
# The installed programs include unusual ones (Jetico, TrueKey, USBpcap); the interesting one is Jetico, and its product turns out to be BCWipe.
# Analyse the uninstall.log file in that application's install directory.
Crypto swap
# After viewing the hint, it said "MSDN is your friend"
# I googled "MSDN usb serial registry"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\<hardware id>\<instance id>\Device Parameters
# For mass storage the serial is also the instance ID under SYSTEM\CurrentControlSet\Enum\USBSTOR\<Disk&Ven_...>\<serial>&0; if the second character of that ID is "&", Windows generated it and the device reported no real serial.
07B20C03C80830A9, AAI6UXDKZDV8E9OU
# So simple
Jetico BCWipe
# I transferred the Prefetch folder to my Linux machine.
find . -type f -name "*.pf" | wc -l
# The hint said "https://www.sans.org/security-resources/posters/windows-forensic-analysis/170/download"
# Run count and last run time come from either PECmd (https://github.com/EricZimmerman/PECmd) or WinPrefetchView (https://www.nirsoft.net/utils/win_prefetch_view.html)
5
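# Added example (not from the writeup): a minimal prefetch parser for run count, last run time(s) and the expected file name, covering XP (v17), Vista/7 (v23) and 8/8.1 (v26), using the published header offsets. build_sample() constructs a synthetic .pf image so it runs offline; Windows 10 files are MAM-compressed and are rejected with a message rather than misparsed.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# version -> (offset of last-run FILETIME(s), how many, offset of run count)
LAYOUT = {
    17: (0x78, 1, 0x90),   # Windows XP / 2003
    23: (0x80, 1, 0x98),   # Windows Vista / 7
    26: (0x80, 8, 0xD0),   # Windows 8 / 8.1 keeps the last eight run times, newest first
}


def filetime_to_utc(ft: int) -> datetime:
    """FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def utc_to_filetime(dt: datetime) -> int:
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_prefetch(data: bytes) -> dict:
    if data[:3] == b"MAM":
        raise ValueError("Windows 10+ prefetch is compressed (MAM header); "
                         "decompress with LZXPRESS Huffman first")
    if data[4:8] != b"SCCA":
        raise ValueError("missing SCCA signature: not a prefetch file")
    version = struct.unpack_from("<I", data, 0)[0]
    if version not in LAYOUT:
        raise ValueError(f"unsupported prefetch version {version}")
    # 60-byte UTF-16 executable name at 0x10, NUL terminated; path hash at 0x4C
    exe = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    path_hash = struct.unpack_from("<I", data, 0x4C)[0]
    ts_off, ts_count, rc_off = LAYOUT[version]
    raw_times = struct.unpack_from(f"<{ts_count}Q", data, ts_off)
    last_runs = [filetime_to_utc(ft) for ft in raw_times if ft]  # unused v26 slots are zero
    run_count = struct.unpack_from("<I", data, rc_off)[0]
    return {
        "version": version,
        "executable": exe,
        "filename": f"{exe}-{path_hash:08X}.pf",  # the name the file should carry on disk
        "last_run_str": [t.strftime("%Y-%m-%d %H:%M:%S UTC") for t in last_runs],
        "run_count": run_count,
    }


def build_sample(version=23, exe="ZENMAP.EXE", path_hash=0x56B17C4C,
                 last_run=datetime(2016, 1, 23, 10, 0, 0, tzinfo=timezone.utc),
                 run_count=3) -> bytes:
    """Constructed minimal prefetch image (header + file-information block); the
    timestamp and run count are made up, only the name/hash match the case's file name."""
    buf = bytearray(0x100)
    struct.pack_into("<I", buf, 0, version)
    buf[4:8] = b"SCCA"
    buf[0x10:0x10 + len(exe) * 2] = exe.encode("utf-16-le")
    struct.pack_into("<I", buf, 0x4C, path_hash)
    ts_off, _, rc_off = LAYOUT[version]
    struct.pack_into("<Q", buf, ts_off, utc_to_filetime(last_run))
    struct.pack_into("<I", buf, rc_off, run_count)
    return bytes(buf)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(parse_prefetch(data))
```

# Cross-check the parsed run count and last run against PECmd before trusting it; if the name in the header does not match the file name, the file was renamed or carved.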
# I had already read and noted an article from eLearn forensics: https://app.gitbook.com/@hnl/s/elearn-forensics/windows-forensics/location-collection#jumplists
# %APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations (created by the system; files are named <AppID>.automaticDestinations-ms)
# %APPDATA%\Microsoft\Windows\Recent\CustomDestinations (created by the application; files are named <AppID>.customDestinations-ms)
automaticDestinations-ms
# Go to %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations
# You will see the AppId 'aa28770954eaeaaa'
# Analyse with JumpList Explorer
C:\Users\Hunter\Desktop\Tor Browser\Browser\firefox.exe