#1: What is the MD5 hash value of the suspect disk?
#2: What phrase did the suspect search for on 18:17:38 UTC?
#3: What is the IPv4 address of the FTP server the suspect connected to?
#4: What date and time was a password list deleted in UTC?
#5: How many times was Tor Browser run on the suspect's computer?
#6: What is the suspect's email address?
#7: What FQDN did the suspect port scan?
#8: What country was picture 20210429_152043.jpg allegedly taken in?
#9: What is the parent folder name picture 20210429_151535.jpg was in before the suspect copied it to the contact folder on his desktop?
#10: Windows password hashes for an account are below.
#11: What is the user John Doe's Windows login password?

John Doe was accused of doing illegal activities. Your task is to analyze the image and understand what happened under the hood.

Tools

For this challenge I'll use FireEye's FLARE VM. It doesn't include all of the above tools by default (e.g. FTK Imager), so I installed them manually.

The challenge comes as a .zip containing two files: the image (DiskDrigger.ad1) and a text file.

FTK Imager can open the .ad1 file, but Autopsy cannot (nor can any of the other tools mentioned above). However, FTK Imager has an export function, so I was able to load the .ad1 into FTK Imager and then export it as files (it's not possible to export it as another disk image format that Autopsy can open). The exported directory can be added to Autopsy (and most of the other tools above) as a logical files data source, allowing for analysis. FTK Imager itself only allows viewing the files in the image, similar to a file explorer.

Questions

#1: What is the MD5 hash value of the suspect disk?

The text file appears to be a summary of what's contained within the disk image, including files, dates, and hashes.

9471e69c95d8909ae60ddff30d50ffa1

#2: What phrase did the suspect search for on 18:17:38 UTC?

Autopsy's Web Search section will help here. The searches have dates, but they all appear to be in PDT. A quick Google tells us that PDT is UTC-7, meaning we need to look for searches taking place at 11:17:38 on the 29th. (Autopsy displays times in whatever time zone is selected in its view options; switching that to UTC avoids doing the conversion by hand for every artefact.)

Password cracking lists

#3: What is the IPv4 address of the FTP server the suspect connected to?

I was just browsing the files, seeing what there was. I saw we have the AppData folder for the user, which is where application settings etc. are kept. This led me to a FileZilla configuration folder, 001Win10.e01_Partition 2 _NONAME \\Users\John Doe\AppData\Roaming\FileZilla\ (FileZilla being a common FTP client). In that folder was a file recentservers.xml, which records the servers the client has recently connected to.

192.168.1.20

#4: What date and time was a password list deleted in UTC?

Autopsy has a Recycle Bin section with a single file in it. The source file name is $RW9BJ2Z.txt, but the original path was C:\Users\John Doe\Downloads\10-million-password-list-top-100.txt. Autopsy also gives us the Time Deleted, again in PDT, so we need to add seven hours for the answer.

18:22:17 UTC

#5: How many times was Tor Browser run on the suspect's computer?

This was a bit of a sneaky one, and took me a while. Hunting around, there are not many references to Tor Browser at all! In Autopsy's Run Programs section there is a mention of TORBROWSER-INSTALL-WIN64-10.0, but in Installed Programs there's no mention of Tor being installed. (Tor Browser is a portable bundle that writes no uninstall entry, so Installed Programs would stay empty even if it had been set up; the artefact to look for is the browser executable itself, firefox.exe from the Tor Browser folder, under Run Programs.) If there are no logs of something happening... maybe it didn't?

0

#6: What is the suspect's email address?

Autopsy has a built-in search for email addresses, and it found several unique ones. Only one is a ProtonMail address.

#7: What FQDN did the suspect port scan?

Autopsy does provide a list of URLs detected by regex, but there are over 47,000. I'm not going to look through all of them! There must be another way. "Port scan" immediately screams nmap to me, so I'll do a keyword search for that. It returns 63 results, a lot more manageable. One of the files is promising: /Users/John Doe/AppData/Roaming/Microsoft/Windows/PowerShell/PSReadLine/ConsoleHost_history.txt, the file in which PSReadLine keeps every command line typed into a PowerShell console. If we can see the command used to run nmap, we can see the FQDN.

dfir.science

#8: What country was picture 20210429_152043.jpg allegedly taken in?

Autopsy has a Geolocation tool. Clicking it brings us a map with two pins, plotted from the GPS coordinates in the pictures' EXIF data.

Zambia

#9: What is the parent folder name picture 20210429_151535.jpg was in before the suspect copied it to the contact folder on his desktop?

Looking at the file metadata in Autopsy, we can see it was taken by an LG Electronics LM-Q725K, which is a smartphone. If we look in USB Device Attached, we can see it there too: LG Electronics, Inc. LM-X420xxx/G2/G3 Android Phone (MTP/download mode). Background knowledge time: many cameras store photos in a DCIM folder, or a subfolder of it.
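For question #3 the answer came from reading recentservers.xml by eye. The following is an added example, not code from the post or from the FileZilla project: a parser for that file that pulls out host, port, protocol, user name and the stored password, so the whole recent-server list can be extracted in one pass. The XML sample is constructed in the shape FileZilla writes under %APPDATA%\FileZilla\recentservers.xml; only the first Host matches what the post found, and the user names, passwords, second server and the protocol-number mapping are assumptions.

```python
import base64
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample shaped like %APPDATA%\FileZilla\recentservers.xml. The first Host is
# the address the post found; user names, passwords and the second entry are invented.
SAMPLE_RECENTSERVERS = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.53.1" platform="windows">
  <RecentServers>
    <Server>
      <Host>192.168.1.20</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Type>0</Type>
      <User>ftpuser</User>
      <Pass encoding="base64">U3VwM3JTM2NyM3Q=</Pass>
      <Logontype>1</Logontype>
    </Server>
    <Server>
      <Host>files.example.internal</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <Type>0</Type>
      <User>backup</User>
      <Pass>plaintext-from-older-version</Pass>
      <Logontype>1</Logontype>
    </Server>
  </RecentServers>
</FileZilla3>
"""

# <Protocol> values as I recall FileZilla's ServerProtocol enum; treat as an assumption.
PROTOCOLS = {0: "FTP", 1: "SFTP", 3: "FTPS", 4: "FTPES", 6: "INSECURE_FTP"}


def _text(server, tag: str, default: str = "") -> str:
    """Text of a child element, or a default when it is missing or empty."""
    node = server.find(tag)
    return node.text if node is not None and node.text else default


def parse_recentservers(xml_text: str) -> list:
    """Return one dict per <Server> entry, decoding the stored password if present.

    Newer FileZilla builds write <Pass encoding="base64">; older ones wrote the
    password in clear. Either way it is recoverable, which is the forensic point.
    """
    servers = []
    for server in ET.fromstring(xml_text).iter("Server"):
        password = None
        pass_node = server.find("Pass")
        if pass_node is not None and pass_node.text:
            if pass_node.get("encoding") == "base64":
                password = base64.b64decode(pass_node.text).decode("utf-8", "replace")
            else:
                password = pass_node.text
        proto = int(_text(server, "Protocol", "0"))
        servers.append({
            "host": _text(server, "Host"),
            "port": int(_text(server, "Port", "0")),
            "protocol": PROTOCOLS.get(proto, f"protocol {proto}"),
            "user": _text(server, "User"),
            "password": password,
        })
    return servers


def ftp_ipv4_hosts(servers: list) -> list:
    """Hosts that are IPv4 literals and plain FTP, i.e. the candidates for question #3."""
    out = []
    for s in servers:
        try:
            ipaddress.IPv4Address(s["host"])
        except ValueError:
            continue  # a host name, not an IPv4 literal
        if s["protocol"] == "FTP":
            out.append(s["host"])
    return out


if __name__ == "__main__":
    found = parse_recentservers(SAMPLE_RECENTSERVERS)
    for s in found:
        print(f"{s['protocol']:5} {s['user']}@{s['host']}:{s['port']} password={s['password']!r}")
    print(ftp_ipv4_hosts(found))  # ['192.168.1.20']
```

sitemanager.xml in the same folder has the same <Server> layout for saved bookmarks, so the parser can be pointed at both files.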
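Questions #2 and #4 both hinge on Autopsy showing times in PDT and the analyst adding seven hours. The following is an added example, not code from the post or from any tool it uses: a parser for the Recycle Bin $I record that Autopsy's Recycle Bin section is built from, which reads the deletion time straight out of the FILETIME field (already UTC, so no conversion is needed), plus a helper for converting a PDT display time to UTC for artefacts where only the displayed value is available. The $I record is constructed in the block from the path the post reports for $RW9BJ2Z.txt; the file size, and the date attached to the 18:22:17 deletion time, are assumptions.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ticks: int) -> datetime:
    """Convert a 64-bit FILETIME to an aware UTC datetime (sub-microsecond part dropped)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_recycle_bin_i_file(data: bytes) -> dict:
    """Parse one $I<id> record from C:\\$Recycle.Bin\\<SID>\\.

    Little-endian layout:
      0x00 u64 version: 1 = Vista to 8.1, 2 = Windows 10 and later
      0x08 u64 original file size
      0x10 u64 FILETIME of deletion, already in UTC
      0x18 v1: 520-byte fixed UTF-16LE path buffer (260 WCHARs)
           v2: u32 path length in WCHARs including the NUL, then the path
    The deleted content itself lives in the sibling $R<id> file.
    """
    version, size, ticks = struct.unpack_from("<QQQ", data, 0)
    if version == 2:
        (nchars,) = struct.unpack_from("<I", data, 0x18)
        raw = data[0x1C:0x1C + 2 * nchars]
    elif version == 1:
        raw = data[0x18:0x18 + 520]
    else:
        raise ValueError(f"unsupported $I version {version}")
    path = raw.decode("utf-16-le").split("\x00", 1)[0]
    return {"version": version, "size": size,
            "deleted_utc": filetime_to_utc(ticks), "original_path": path}


def build_i_file(path: str, size: int, deleted_utc_iso: str, version: int = 2) -> bytes:
    """Build a $I record; used here only to create constructed samples for the parser."""
    deleted = datetime.fromisoformat(deleted_utc_iso).replace(tzinfo=timezone.utc)
    ticks = ((deleted - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    encoded = (path + "\x00").encode("utf-16-le")
    if version == 2:
        return struct.pack("<QQQI", 2, size, ticks, len(encoded) // 2) + encoded
    return struct.pack("<QQQ", 1, size, ticks) + encoded.ljust(520, b"\x00")


# The post's Autopsy case displayed times in PDT (UTC-7). A fixed offset is used on
# purpose: PDT only applies during daylight saving, so a timestamp from the winter
# months would be PST (UTC-8) and need eight hours added, not seven.
PDT = timezone(timedelta(hours=-7), "PDT")


def display_time_to_utc(local: str, tz: timezone = PDT) -> datetime:
    """Convert an Autopsy display timestamp such as '2021-04-29 11:17:38' to UTC."""
    naive = datetime.strptime(local, "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=tz).astimezone(timezone.utc)


if __name__ == "__main__":
    # Constructed sample: the path is the one Autopsy reported for $RW9BJ2Z.txt; the
    # size (699) and the date on the 18:22:17 deletion time are assumptions.
    sample = build_i_file(r"C:\Users\John Doe\Downloads\10-million-password-list-top-100.txt",
                          699, "2021-04-29T18:22:17")
    rec = parse_recycle_bin_i_file(sample)
    print(rec["original_path"])
    print(rec["deleted_utc"].isoformat())  # 2021-04-29T18:22:17+00:00
    print(display_time_to_utc("2021-04-29 11:17:38").isoformat())  # 2021-04-29T18:17:38+00:00
```

Running the parser over the real $I file (export it from FTK Imager next to $RW9BJ2Z.txt; its name is $IW9BJ2Z.txt) gives the deletion time in UTC with no time-zone arithmetic at all, which is a useful cross-check on the value read from Autopsy's display.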
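For question #7 the post finds the nmap command in ConsoleHost_history.txt by keyword search and reads the target off the line. The following is an added example, not code from the post: a small parser that walks a PSReadLine history, picks out every nmap invocation (whatever path or casing it was run with), skips the options that take a separate value so that an output file or port list is not mistaken for a target, and returns the host names that were scanned. The history text is constructed; every host name and path in it is invented, and the list of value-taking options is a subset of nmap's option summary rather than the full set.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of ...\PowerShell\PSReadLine\ConsoleHost_history.txt. PSReadLine
# appends every accepted command line, one per line; all host names here are invented.
SAMPLE_HISTORY = r"""Get-ChildItem 'C:\Users\John Doe\Downloads'
nmap -sV -p 21,22,80 target.example.org
nmap -sS -T4 -oN C:\scan.txt -p- 10.0.0.5
cd C:\Tools\nmap
.\nmap.exe --top-ports 100 ftp.example.net 192.168.1.20
Invoke-WebRequest https://example.org/list.txt -OutFile list.txt
"""

# nmap options whose value is a separate token (a subset of nmap's option summary).
# Attached forms such as -p80, -p- or --top-ports=100 carry no separate value, so
# they need no special handling.
NMAP_VALUE_FLAGS = {"-p", "-iL", "-oN", "-oX", "-oG", "-oA", "-e", "-S", "-D", "-g",
                    "--source-port", "--script", "--script-args", "--top-ports", "-b",
                    "--exclude", "--excludefile", "--min-rate", "--max-rate", "--host-timeout"}

# A host name: at least one letter and at least one dot. IPv4 literals fail the lookahead.
FQDN_RE = re.compile(r"^(?=.*[A-Za-z])[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$")


def is_nmap_invocation(token: str) -> bool:
    """True for 'nmap', 'nmap.exe', '.\\nmap.exe' or a full path, in any case."""
    return PureWindowsPath(token).stem.lower() == "nmap"


def find_nmap_commands(history: str) -> list:
    """Return each nmap command line in a PSReadLine history with its non-option targets."""
    commands = []
    for raw in history.splitlines():
        tokens = raw.strip().split()
        if not tokens or not is_nmap_invocation(tokens[0]):
            continue
        targets, skip_next = [], False
        for tok in tokens[1:]:
            if skip_next:
                skip_next = False          # this token is the value of the previous option
            elif tok.startswith("-"):
                skip_next = tok in NMAP_VALUE_FLAGS
            else:
                targets.append(tok)
        commands.append({"command": raw.strip(), "targets": targets,
                         "fqdns": [t for t in targets if FQDN_RE.match(t)]})
    return commands


def scanned_fqdns(history: str) -> list:
    """Sorted, de-duplicated host names passed to nmap anywhere in the history."""
    return sorted({f for c in find_nmap_commands(history) for f in c["fqdns"]})


if __name__ == "__main__":
    for c in find_nmap_commands(SAMPLE_HISTORY):
        print(c["command"], "->", c["targets"])
    print(scanned_fqdns(SAMPLE_HISTORY))  # ['ftp.example.net', 'target.example.org']
```

The history file only records commands typed interactively in a console; nmap launched from a script, a scheduled task or cmd.exe would leave no line here, so a miss in ConsoleHost_history.txt is not proof that no scan ran.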