# HireMe CyberDefenders

Analyze the provided disk image and answer the questions based on your understanding of the cases she was assigned to investigate.

<figure><img src="/files/76ZZWlTcSQEJIDtvwsjW" alt=""><figcaption></figcaption></figure>

**Link  :** [**https://cyberdefenders.org/blueteam-ctf-challenges/62**](https://cyberdefenders.org/blueteam-ctf-challenges/62)

### 1. What is the administrator's username?

The quickest way is to list the `Users` directory on the second partition (the Windows volume) in FTK Imager: each profile folder corresponds to an account that has logged on to the machine.

<figure><img src="/files/vPi7ui08ECNyFxoMKqny" alt=""><figcaption></figcaption></figure>

You can also check the registry hives, which are located under `\Windows\System32\config`, and look at `SAM\Domains\Account\Users`: each account has a key named after its RID, and the `Names` subkey maps usernames to those RIDs.

A profile folder alone does not prove the account is an administrator; membership of the local Administrators group (RID 544) is recorded under `SAM\Domains\Builtin\Aliases\00000220`, so confirm it there.

**Ans : Karen**

### 2. What is the OS's build number?

Registry hives are located under `\Windows\System32\config`.

Export the SOFTWARE hive, then check `Microsoft\Windows NT\CurrentVersion`: the `CurrentBuild` and `CurrentBuildNumber` values hold the build, with `ProductName` and `ReleaseId` alongside.

In FTK Imager, right-click the hive and click Export Files.

<figure><img src="/files/z8cSNXmdYm5GLPxGiLaD" alt=""><figcaption></figcaption></figure>

Then load the exported hive in a registry viewer (Registry Explorer, or File > Load Hive in regedit on a Windows analysis machine).

<figure><img src="/files/5JNRRQZ4D5hEoocxLnRF" alt=""><figcaption></figcaption></figure>

Check `Microsoft\Windows NT\CurrentVersion`:

<figure><img src="/files/tCysOSQxYljGR8O3Rokn" alt=""><figcaption></figcaption></figure>

**Ans : 16299** (Windows 10, version 1709)

### 3. What is the hostname of the computer?

Export the **SYSTEM** hive from FTK Imager and load it in the registry viewer, just like the SOFTWARE hive.

<figure><img src="/files/KtDM9Fe24bos2TBkaNmu" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/WA0K2CShgKwaTuhNGlmu" alt=""><figcaption></figcaption></figure>

Then check `ControlSet001\Control\ComputerName\ComputerName`. An offline hive has no `CurrentControlSet` link, so read the `Select\Current` value first to confirm which `ControlSetNNN` was the active one at last boot before relying on it.

<figure><img src="/files/6VaSTTc8nKevQdOke8UQ" alt=""><figcaption></figcaption></figure>

**Ans : TOTALLYNOTAHACK**

### 4. A messaging application was used to communicate with a fellow Alpaca enthusiast. What is the name of the software?

Browsing the file system in FTK Imager (Program Files and Karen's `AppData`) reveals the installed messaging application.

<figure><img src="/files/0J8vY6QWhVcGEGBDiVI0" alt=""><figcaption></figcaption></figure>

Another way to find it is to analyze the SOFTWARE hive in the registry viewer.

Then check the keys listed under `Microsoft\Windows\CurrentVersion\App Paths`, which registers the executable paths of installed applications (the `Uninstall` key used in question 15 is the more complete inventory).

<figure><img src="/files/ga2AoNdrzwazGGvSW982" alt=""><figcaption></figcaption></figure>

**Ans : skype**

### 5. What is the zip code of the administrator's post?

Chrome stores saved address autofill data (separately from the browsing history) in the `Web Data` SQLite database, in the `autofill_profiles` table, which has a `zipcode` column.

The file is located at `[root]\Users\Karen\AppData\Local\Google\Chrome\User Data\Default\Web Data`. Export it and open it in a SQLite browser.

<figure><img src="/files/jInghJ1LYNiiVKWMppUC" alt=""><figcaption></figcaption></figure>

**Ans : 19709**

### 6. What are the initials of the person who contacted the admin user from TAAUSAI?

To get this, check the Outlook artifacts.

Karen's offline mailbox is at `[root]\Users\Karen\AppData\Local\Microsoft\Outlook\klovespizza@outlook.com.ost`.

<figure><img src="/files/UTPtKEQlQtuPXc9pw34C" alt=""><figcaption></figcaption></figure>

Export it and open it in an OST viewer.

<figure><img src="/files/CqyvCJ8XMKG1E2HeP9zz" alt=""><figcaption></figcaption></figure>

The sender from TAAUSAI is Micheal Scotch.

**Ans : MS**

### 7. How much money was TAAUSAI willing to pay upfront?

Check the rest of the mails in the same thread.

<figure><img src="/files/pJ8dkyAKtXzBQgzr4PtZ" alt=""><figcaption></figcaption></figure>

**Ans : 150000**

### 8. What country is the admin user meeting the hacker group in?

Reading further through the mails,

I found the meeting location:

<figure><img src="/files/srRS6pSyzqyIT5n3yP0a" alt=""><figcaption></figcaption></figure>

The location given is **27°22'50.10"N, 33°37'54.62"E**.

Looking those coordinates up places them on Egypt's Red Sea coast.

<figure><img src="/files/FAKsRGM7rOsbimNLj4n8" alt=""><figcaption></figcaption></figure>

**Ans : Egypt**

### 9. What is the machine's timezone? (Use the three-letter abbreviation)

Load the SYSTEM hive in the registry viewer again.

The setting is stored under `ControlSet001\Control\TimeZoneInformation`: `TimeZoneKeyName` names the zone, and `Bias` / `ActiveTimeBias` give the offset from UTC in minutes (0 here).

<figure><img src="/files/vNXAmmZv13PuKSd3eGQe" alt=""><figcaption></figcaption></figure>

**Ans : UTC**

### 10. When was AlpacaCare.docx last accessed?

Navigate to the .docx file in FTK Imager and read the **Accessed** timestamp from the file's properties pane.

Two caveats: FTK Imager displays NTFS timestamps converted to the analysis workstation's time zone, so keep the workstation on UTC (the image's own zone, from question 9) or convert before submitting; and Windows frequently has NTFS last-access updates disabled (`NtfsDisableLastAccessUpdate`), so this value can be older than the last real access.

<figure><img src="/files/svAQ4d06qOYjNiQpQtfp" alt=""><figcaption></figcaption></figure>

**Ans : 03/17/2019 09:52 PM**

### 11. There was a second partition on the drive. What is the letter assigned to it?

Drive-letter assignments are stored in the SYSTEM hive under `MountedDevices`: each `\DosDevices\X:` value holds a binary volume identifier, and the `\??\Volume{GUID}` values hold the same identifiers, so a letter is matched to its volume by comparing the data. For MBR disks the identifier is the disk signature followed by the partition's byte offset.

<figure><img src="/files/yoWbFSlUQN8nem1c49Fo" alt=""><figcaption></figcaption></figure>

**Ans : A**
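Decoding the `MountedDevices` blobs by hand is error-prone, so here is an added example (not from the original write-up) that does it in Python. The `SAMPLE` dictionary is constructed to mimic what a hive parser returns for the key (value name to raw bytes) and is not taken from the challenge image; it goes beyond the MBR case on the page by also handling GPT (`DMIO:ID:` prefix, GUID layout assumed to be Windows' mixed-endian form) and removable-device path strings.

```python
"""Decode SYSTEM\\MountedDevices values exported from a disk image.

Added example, not part of the original write-up. The SAMPLE dict below is
constructed to mimic what a hive parser returns for the MountedDevices key
(value name -> raw bytes); real data comes from the exported SYSTEM hive.
"""
import struct
import uuid

DOSDEV = "\\DosDevices\\"


def decode_mounted_device(data: bytes) -> dict:
    """Classify one MountedDevices value and decode the fields it carries."""
    if len(data) == 12:
        # MBR basic disk: 4-byte disk signature + 8-byte partition start (bytes), LE
        signature, offset = struct.unpack("<IQ", data)
        return {"type": "mbr", "disk_signature": f"{signature:08X}",
                "partition_offset": offset, "offset_mib": offset / 2**20}
    if data.startswith(b"DMIO:ID:") and len(data) == 24:
        # GPT basic disk: fixed prefix + partition GUID. Assumption: the GUID is
        # stored in Windows' mixed-endian layout, which uuid.bytes_le reverses.
        return {"type": "gpt", "partition_guid": str(uuid.UUID(bytes_le=data[8:]))}
    try:
        text = data.decode("utf-16-le").rstrip("\x00")
    except UnicodeDecodeError:
        text = ""
    if text.startswith("\\??\\"):
        # Removable media: the device instance path is stored as UTF-16LE text
        return {"type": "device_path", "path": text}
    return {"type": "unknown", "raw": data.hex()}


def drive_letter_map(values: dict) -> dict:
    """Return {letter: decoded identifier} for every \\DosDevices\\X: value."""
    return {name[len(DOSDEV)]: decode_mounted_device(data)
            for name, data in values.items()
            if name.startswith(DOSDEV) and name.endswith(":")}


def letters_for_volumes(values: dict) -> dict:
    """Map each \\??\\Volume{GUID} value to the drive letters sharing its identifier."""
    letters_by_data = {}
    for name, data in values.items():
        if name.startswith(DOSDEV):
            letters_by_data.setdefault(data, []).append(name[len(DOSDEV)])
    return {name: letters_by_data.get(data, [])
            for name, data in values.items() if name.startswith("\\??\\Volume{")}


# Constructed sample: two partitions on one MBR disk (signature 0x12345678),
# one GPT volume and one USB stick. Not taken from the challenge image.
_SIG = struct.pack("<I", 0x12345678)
SAMPLE = {
    DOSDEV + "C:": _SIG + struct.pack("<Q", 0x6500000),   # partition at 101 MiB
    DOSDEV + "A:": _SIG + struct.pack("<Q", 0x100000),    # partition at 1 MiB
    "\\??\\Volume{2c1c3e1e-5a7b-4d21-9f0e-1b2c3d4e5f60}": _SIG + struct.pack("<Q", 0x100000),
    DOSDEV + "E:": b"DMIO:ID:" + uuid.UUID("6f3b9c1a-2d4e-4f60-8a71-9b2c3d4e5f60").bytes_le,
    DOSDEV + "F:": ("\\??\\USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP"
                    "#0019E06B0F4ABDC1A2C50A29&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
                    ).encode("utf-16-le"),
}

if __name__ == "__main__":
    for letter, info in sorted(drive_letter_map(SAMPLE).items()):
        print(f"{letter}: {info}")
    for volume, letters in letters_for_volumes(SAMPLE).items():
        print(f"{volume} -> {letters or 'no letter assigned'}")
```

Feed it the real values (for example from a hive parser's dump of `MountedDevices`) and the partition offset tells you directly which partition in the image each letter belonged to, which is how the second partition is tied to `A:`.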

### 12. What is the answer to the question Company's manager asked Karen?

Back to the mail list.

<figure><img src="/files/kqukrcxAO2pqwkjXk9Mj" alt=""><figcaption></figcaption></figure>

Reading through the thread with the company's manager gives the answer.

**Ans : TheCardCriesNoMore**

### 13. What is the job position offered to Karen? (3 words, 2 spaces in between)

Check the next mail in the thread.

<figure><img src="/files/uHknjJNO5E4YYqO5N4UU" alt=""><figcaption></figcaption></figure>

**Ans : cyber security analyst**

### 14. When was the admin user password last changed?

&#x20;That's stored in the SAM registry

&#x20;so we have to analyze the “**SAM**” registry. that

by saved it ,&#x20;

<figure><img src="/files/gWEqvVLGq4dx6LgLRXAr" alt=""><figcaption></figcaption></figure>

then run RegRipper against the exported SAM file. The `samparse` plugin decodes each user's binary `F` value, which is where the password-last-set FILETIME lives:

<figure><img src="/files/NbxtRSVP1NMmJEF4o5s2" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/Syc21uzD6AvDWGKXWphB" alt=""><figcaption></figcaption></figure>

**Ans : 03/21/2019 19:13:09**
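If RegRipper is not at hand, the `F` value can be decoded directly. This added example (not from the original write-up) reproduces what `samparse` reports from `SAM\Domains\Account\Users\<RID>\F`; the offsets come from that plugin's documented layout. `SAMPLE_F` is a constructed blob, not data extracted from the image, built so that its password-last-set time matches the answer above.

```python
"""Decode the F value of a SAM user key (SAM\\Domains\\Account\\Users\\<RID>\\F).

Added example, not from the original write-up; it reproduces what RegRipper's
samparse plugin reports from this value. SAMPLE_F below is constructed.
Offsets (little-endian): 0x08 last logon, 0x18 password last set,
0x20 account expires, 0x28 last failed logon (all FILETIME); 0x30 RID (DWORD);
0x38 ACB flags, 0x40 failed-logon count, 0x42 logon count (USHORT each).
"""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = 0x7FFFFFFFFFFFFFFF

ACB_FLAGS = {
    0x0001: "Account disabled",
    0x0002: "Home directory required",
    0x0004: "Password not required",
    0x0008: "Temporary duplicate account",
    0x0010: "Normal user account",
    0x0200: "Password does not expire",
    0x0400: "Account auto locked",
}


def filetime_to_utc(ft: int):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime; None for 0 / 'never'."""
    if ft in (0, NEVER):
        return None
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def utc_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_utc, in integer arithmetic to avoid float rounding."""
    delta = dt.astimezone(timezone.utc) - EPOCH_1601
    micros = (delta.days * 86400 + delta.seconds) * 10**6 + delta.microseconds
    return micros * 10


def parse_sam_f(f_value: bytes) -> dict:
    """Extract the account timestamps, RID, flags and counters from an F value."""
    if len(f_value) < 0x44:
        raise ValueError("F value shorter than 0x44 bytes")
    last_logon = struct.unpack_from("<Q", f_value, 0x08)[0]
    pw_last_set, expires, last_failed = struct.unpack_from("<QQQ", f_value, 0x18)
    rid = struct.unpack_from("<I", f_value, 0x30)[0]
    acb = struct.unpack_from("<H", f_value, 0x38)[0]
    failed_count, logon_count = struct.unpack_from("<HH", f_value, 0x40)
    return {
        "rid": rid,
        "last_logon": filetime_to_utc(last_logon),
        "password_last_set": filetime_to_utc(pw_last_set),
        "account_expires": filetime_to_utc(expires),
        "last_failed_logon": filetime_to_utc(last_failed),
        "failed_logon_count": failed_count,
        "logon_count": logon_count,
        "flags": [label for bit, label in ACB_FLAGS.items() if acb & bit],
    }


def build_sample_f(*, rid, acb, last_logon, pw_last_set, logon_count) -> bytes:
    """Construct a synthetic F value with the layout above (test data only)."""
    f = bytearray(0x50)
    struct.pack_into("<Q", f, 0x08, utc_to_filetime(last_logon))
    struct.pack_into("<Q", f, 0x18, utc_to_filetime(pw_last_set))
    struct.pack_into("<Q", f, 0x20, NEVER)            # account never expires
    struct.pack_into("<Q", f, 0x28, 0)                # no failed logon recorded
    struct.pack_into("<I", f, 0x30, rid)
    struct.pack_into("<H", f, 0x38, acb)
    struct.pack_into("<HH", f, 0x40, 0, logon_count)
    return bytes(f)


# Constructed sample: a normal, non-expiring local account whose password was set
# at the time the write-up reports for Karen. Not extracted from the image.
SAMPLE_F = build_sample_f(
    rid=1001, acb=0x0210,
    last_logon=datetime(2019, 3, 22, 8, 30, 0, tzinfo=timezone.utc),
    pw_last_set=datetime(2019, 3, 21, 19, 13, 9, tzinfo=timezone.utc),
    logon_count=27,
)

if __name__ == "__main__":
    for key, value in parse_sam_f(SAMPLE_F).items():
        print(f"{key:20} {value}")
```

The FILETIME values are UTC, so the result needs no time-zone correction here (the machine itself runs on UTC, per question 9); on an image with a different zone, convert with `astimezone` before comparing against local-time evidence such as the Outlook mails.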

### 15. What version of Chrome is installed on the machine?

Here we use the SOFTWARE hive again.

The installed Chrome version is recorded in `SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome` (the `DisplayVersion` value).

<figure><img src="/files/Rwpnmsmxe7vWkANQnjU6" alt=""><figcaption></figcaption></figure>

**Ans** : **72.0.3626.121**

### 16. What is the HostUrl of Skype?

Chrome records the URLs of downloaded files in its `History` SQLite database, so we extract that file with FTK Imager.

Location of History: `[root]\Users\Karen\AppData\Local\Google\Chrome\User Data\Default\History`

<figure><img src="/files/vcKc1yyHu8GDmjcgQFVW" alt=""><figcaption></figcaption></figure>

Then open it with `sqlite3` and query the `downloads` table together with `downloads_url_chains`, which holds the URL (and any redirects) each download came from. The question's wording comes from the `Zone.Identifier` alternate data stream Chrome writes next to downloaded files on Windows (`ZoneId=3`, `ReferrerUrl=`, `HostUrl=`); FTK Imager shows that stream as a child entry beneath the file, and its `HostUrl` records the URL the file was fetched from, so either artifact answers the question.

<figure><img src="/files/qoan8cHmLsKPE61yzhNh" alt=""><figcaption></figcaption></figure>

**Ans :** [**https://download.skype.com/s4l/download/win/Skype-8.41.0.54.exe**](https://download.skype.com/s4l/download/win/Skype-8.41.0.54.exe)
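The same lookup scripted, as an added example that is not part of the original write-up. `build_sample_history()` creates an in-memory stand-in using a subset of Chrome's real `downloads` / `downloads_url_chains` schema with constructed rows (the tab URL, referrer, sizes and times are made up; only the Skype download URL is the one reported above). Against a real image, copy the exported `History` file and pass `sqlite3.connect(path)` to `query_downloads` instead.

```python
"""Query a Chrome History database for download provenance.

Added example, not from the original write-up. build_sample_history() creates
an in-memory stand-in using a subset of Chrome's real `downloads` /
`downloads_url_chains` schema; point query_downloads() at the exported History
file instead for real data.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome stores times as microseconds since 1601-01-01 UTC (WebKit/Chrome time)
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_utc(us: int):
    return None if not us else WEBKIT_EPOCH + timedelta(microseconds=us)


def utc_to_webkit(dt: datetime) -> int:
    delta = dt.astimezone(timezone.utc) - WEBKIT_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10**6 + delta.microseconds


# chain_index 0 is the URL the user clicked; the highest index is the final
# URL after redirects, which is what ends up as HostUrl in Zone.Identifier.
DOWNLOADS_SQL = """
SELECT d.id, d.target_path, d.start_time, d.end_time, d.total_bytes, d.state,
       d.referrer, d.tab_url,
       (SELECT url FROM downloads_url_chains c WHERE c.id = d.id
        ORDER BY c.chain_index ASC  LIMIT 1) AS first_url,
       (SELECT url FROM downloads_url_chains c WHERE c.id = d.id
        ORDER BY c.chain_index DESC LIMIT 1) AS final_url
FROM downloads d
ORDER BY d.start_time
"""


def query_downloads(con: sqlite3.Connection) -> list:
    """Return one dict per download: where it was saved, when, and its URL chain."""
    rows = con.execute(DOWNLOADS_SQL).fetchall()
    return [{
        "id": r[0], "target_path": r[1],
        "started": webkit_to_utc(r[2]), "ended": webkit_to_utc(r[3]),
        "total_bytes": r[4], "state": r[5],          # state 1 means complete
        "referrer": r[6], "tab_url": r[7],
        "first_url": r[8], "final_url": r[9],
    } for r in rows]


def find_download(con: sqlite3.Connection, name_fragment: str):
    """First download whose saved filename contains name_fragment (case-insensitive)."""
    for d in query_downloads(con):
        if name_fragment.lower() in d["target_path"].lower():
            return d
    return None


def build_sample_history() -> sqlite3.Connection:
    """Constructed History DB; tab_url/referrer values, sizes and times are made up."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE downloads (
            id INTEGER PRIMARY KEY, target_path TEXT, start_time INTEGER,
            end_time INTEGER, total_bytes INTEGER, state INTEGER,
            referrer TEXT, tab_url TEXT);
        CREATE TABLE downloads_url_chains (
            id INTEGER NOT NULL, chain_index INTEGER NOT NULL, url TEXT NOT NULL,
            PRIMARY KEY (id, chain_index));
    """)
    t0 = utc_to_webkit(datetime(2019, 3, 21, 18, 42, 10, tzinfo=timezone.utc))
    con.executemany("INSERT INTO downloads VALUES (?,?,?,?,?,?,?,?)", [
        (1, r"C:\Users\Karen\Downloads\Skype-8.41.0.54.exe", t0, t0 + 9_500_000,
         63_400_000, 1, "https://www.skype.com/en/get-skype/",
         "https://www.skype.com/en/get-skype/"),
        (2, r"C:\Users\Karen\Downloads\AlpacaCare.docx", t0 + 600_000_000,
         t0 + 601_000_000, 48_210, 1, "", ""),
    ])
    con.executemany("INSERT INTO downloads_url_chains VALUES (?,?,?)", [
        (1, 0, "https://go.skype.com/windows.desktop.download"),
        (1, 1, "https://download.skype.com/s4l/download/win/Skype-8.41.0.54.exe"),
        (2, 0, "https://mail.example.test/attachment/AlpacaCare.docx"),
    ])
    return con


if __name__ == "__main__":
    con = build_sample_history()
    for d in query_downloads(con):
        print(d["started"], d["target_path"], "<-", d["final_url"])
```

Taking the last entry of the URL chain matters: a vendor "get" page that redirects to a CDN leaves the clicked URL at `chain_index 0` and the real host at the end, and only the latter matches the `HostUrl` line in `Zone.Identifier`.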

### 17. What is the domain name of the website Karen browsed on Alpaca care that the file AlpacaCare.docx is based on?

Export the AlpacaCare.docx file and analyze it.

<figure><img src="/files/hraCFXzproHTnjK2ajKe" alt=""><figcaption></figcaption></figure>

Then view the file with LibreOffice.

<figure><img src="/files/pMLeOR1Xqsr0rZopFWtk" alt=""><figcaption></figcaption></figure>

The hyperlink embedded in the document points to `palominoalpacafarm.com`. (A .docx is a zip archive, so the same target can be read from `word/_rels/document.xml.rels` without rendering the file.)

**Ans: palominoalpacafarm.com**

Thaaaaaannnnnkkkk UUUUUUU for reading 🥰
