HireMe CyberDefenders
Karen is a security professional looking for a new job. A company called "TAAUSAI" offered her a position and asked her to complete a couple of tasks to prove her technical competency.
Analyze the provided disk image and answer the questions based on your understanding of the cases she was assigned to investigate.
Link : https://cyberdefenders.org/blueteam-ctf-challenges/62
The fastest way is to list the Users directory of the second partition.
You can also check the registry hives, which are located under "\Windows\System32\config",
and look at "SAM\Domains\Account\Users".
Ans : Karen
The registry hives are located under "\Windows\System32\config".
Export the SOFTWARE hive from FTK Imager (right-click it and choose Export Files),
then load it in Registry Editor
and check "Microsoft\Windows NT\CurrentVersion".
Ans : 16299
We have to export the SYSTEM hive from FTK Imager and load it in Registry Editor, just like the SOFTWARE hive,
then check "ControlSet001\Control\ComputerName\ComputerName".
Ans : TOTALLYNOTAHACK
In FTK Imager we can find the messaging application directly.
Another way to find it is to analyze the SOFTWARE hive by loading it in Registry Editor,
then check the keys listed under "Microsoft\Windows\CurrentVersion\App Paths", which stores information about the installed applications.
Ans : skype
To get this information we have to check the Chrome "Web Data" database, which stores the browser's saved form (autofill) data.
The location of this file is "[root]\Users\Karen\AppData\Local\Google\Chrome\User Data\Default\Web Data".
Ans : 19709
To get it we can check the Outlook artifacts
in "[root]\Users\Karen\AppData\Local\Microsoft\Outlook\klovespizza@outlook.com.ost".
Export it and open it in an OST viewer.
Micheal Scotch
Ans : MS
Check more mails.
Ans : 150000
After checking more mails,
I found that
the location is "27°22'50.10″N, 33°37'54.62″E".
I searched for it.
Ans : Egypt
We can check the SYSTEM hive again in Registry Editor;
the time zone is stored under "ControlSet001\Control\TimeZoneInfor
Ans : UTC
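As an added illustration (not part of the original writeup), the Python below decodes the time-zone values from a Registry Editor export of the TimeZoneInformation key (the full key name is ControlSet001\Control\TimeZoneInformation). The .reg text is a constructed sample, not the export from this image. Two things trip people up here: Windows defines UTC = local + Bias, so a positive Bias means the machine is behind UTC, and REG_DWORD is unsigned, so a zone east of UTC stores a negative bias such as -60 as 0xFFFFFFC4. The helper also shifts a UTC timestamp into the machine's local time, which is what you want before comparing hive or browser timestamps with what the user saw.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

# Constructed sample of what Registry Editor's "Export" writes for the key.
# Hypothetical values: a real export from the image will differ.
SAMPLE_TZ_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation]
"Bias"=dword:00000000
"DaylightBias"=dword:00000000
"DaylightName"="@tzres.dll,-321"
"StandardBias"=dword:00000000
"StandardName"="@tzres.dll,-322"
"TimeZoneKeyName"="UTC"
"ActiveTimeBias"=dword:00000000
'''

# One "Name"=dword:xxxxxxxx or "Name"="string" line per match.
_VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")\s*$', re.MULTILINE)


def parse_reg_values(text):
    """Return {name: value} for the dword and string values in a .reg export.
    Other value types (hex:, expand strings) are ignored on purpose."""
    values = {}
    for name, dword, string in _VALUE_RE.findall(text):
        values[name] = int(dword, 16) if dword else string
    return values


def bias_to_tzinfo(raw_bias):
    """Turn a Bias/ActiveTimeBias REG_DWORD into a tzinfo.
    Windows defines UTC = local + Bias (minutes), so Bias=300 is UTC-05:00.
    REG_DWORD is unsigned: a zone east of UTC stores e.g. -60 as 0xFFFFFFC4,
    so reinterpret the 32 bits as a signed int before flipping the sign."""
    signed = struct.unpack("<i", struct.pack("<I", raw_bias & 0xFFFFFFFF))[0]
    return timezone(timedelta(minutes=-signed))


def offset_label(raw_bias):
    """Format the decoded bias as UTC+HH:MM / UTC-HH:MM."""
    minutes = int(bias_to_tzinfo(raw_bias).utcoffset(None).total_seconds()) // 60
    sign = "+" if minutes >= 0 else "-"
    return f"UTC{sign}{abs(minutes) // 60:02d}:{abs(minutes) % 60:02d}"


def describe_timezone(reg_text):
    """(TimeZoneKeyName, current UTC offset) from an exported TimeZoneInformation key.
    ActiveTimeBias is the bias in force when the hive was last written (DST included);
    Bias alone is the standard-time bias."""
    v = parse_reg_values(reg_text)
    return v.get("TimeZoneKeyName"), offset_label(v["ActiveTimeBias"])


def local_iso(iso_utc, raw_bias):
    """Shift an ISO 8601 UTC timestamp (e.g. one taken from a hive or a browser
    database) into the machine's local time, returned as an ISO 8601 string."""
    dt_utc = datetime.fromisoformat(iso_utc)
    return dt_utc.astimezone(bias_to_tzinfo(raw_bias)).isoformat()


if __name__ == "__main__":
    print(describe_timezone(SAMPLE_TZ_REG))
    # A machine at Bias=300 (UTC-05:00) would show this SAM timestamp as 14:13:09.
    print(local_iso("2019-03-21T19:13:09+00:00", 300))
```

Run it against a real export by reading the .reg file (Registry Editor writes it as UTF-16 with a BOM, so open it with encoding="utf-16") and passing the text to describe_timezone.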
Go to the docx file in FTK Imager, then open its properties from the File menu
and check the accessed date.
Ans : 03/17/2019 09:52 PM
We find that the drive letter of the second partition is stored in the "SYSTEM\MountedDevices" registry key.
Ans : A
We can go back to the mail list;
by investigating the mails I found it.
Ans : TheCardCriesNoMore
Check the next mail.
Ans : cyber security analyst
That's stored in the SAM hive,
so we have to analyze the SAM hive:
save it,
then export the SAM registry file and run it through RegRipper.
Ans : 03/21/2019 19:13:09
Here we use the SOFTWARE hive again.
Information about the last installed Google Chrome version is stored in "SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome".
Ans : 72.0.3626.121
The download URL is stored in Chrome's "History" database, so we extract History from FTK Imager.
The location of History is "[root]\Users\Karen\AppData\Local\Google\Chrome\User Data\Default\History".
Then open it using SQLite3.
Ans : https://download.skype.com/s4l/download/win/Skype-8.41.0.54.exe
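The SQLite query behind that answer, as an added Python example that is not part of the original writeup. Chrome's History file keeps each download in the downloads table and the URLs it went through in downloads_url_chains; the last chain_index is the address the bytes actually came from, while tab_url is only the page the user was on. The script builds a constructed in-memory History with just those two tables (the real schema has many more columns) and also converts Chrome's timestamps, which are microseconds since 1601-01-01 UTC rather than Unix time. The first hop, the tab URLs and the second download are invented sample rows; the Skype URL is the one the writeup found.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome keeps times as microseconds since 1601-01-01 00:00 UTC (the WebKit/Windows
# FILETIME epoch), not the Unix epoch; treating them as Unix time shifts dates by 369 years.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# State codes from Chromium's download database: 0 in progress, 1 complete,
# 2 cancelled, 4 interrupted (3 is an obsolete legacy value).
DOWNLOAD_STATE = {0: "in progress", 1: "complete", 2: "cancelled", 4: "interrupted"}


def webkit_to_utc(microseconds):
    """Convert a WebKit timestamp to an aware UTC datetime; Chrome writes 0 for 'unknown'."""
    if not microseconds:
        return None
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)


def build_sample_history():
    """Constructed in-memory stand-in for the History file with the two tables
    used below. All rows are sample data, not content of the challenge image."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE downloads (
            id INTEGER PRIMARY KEY, target_path TEXT, start_time INTEGER,
            received_bytes INTEGER, total_bytes INTEGER, state INTEGER, tab_url TEXT);
        CREATE TABLE downloads_url_chains (
            id INTEGER NOT NULL, chain_index INTEGER NOT NULL, url TEXT,
            PRIMARY KEY (id, chain_index));
    """)
    con.executemany("INSERT INTO downloads VALUES (?,?,?,?,?,?,?)", [
        (1, r"C:\Users\Karen\Downloads\Skype-8.41.0.54.exe",
         13197000000000000, 60000000, 60000000, 1, "https://example.com/get-skype"),
        (2, r"C:\Users\Karen\Downloads\notes.pdf",
         13197003600000000, 1024, 4096, 4, "https://example.org/docs"),
    ])
    con.executemany("INSERT INTO downloads_url_chains VALUES (?,?,?)", [
        (1, 0, "https://example.com/redirector/skype"),   # constructed first hop
        (1, 1, "https://download.skype.com/s4l/download/win/Skype-8.41.0.54.exe"),
        (2, 0, "https://example.org/docs/notes.pdf"),
    ])
    con.commit()
    return con


def list_downloads(con):
    """Join each download with the last URL of its redirect chain (highest chain_index),
    which is where the bytes really came from; tab_url is only the page the user was on."""
    sql = """
        SELECT d.id, d.target_path, d.start_time, d.received_bytes, d.total_bytes,
               d.state, d.tab_url,
               (SELECT c.url FROM downloads_url_chains c
                 WHERE c.id = d.id ORDER BY c.chain_index DESC LIMIT 1) AS final_url
        FROM downloads d ORDER BY d.start_time
    """
    rows = []
    for did, path, start, recv, total, state, tab, url in con.execute(sql):
        rows.append({
            "id": did,
            "target_path": path,
            "start_time_utc": webkit_to_utc(start),
            # A file is only fully on disk if Chrome marked it complete and got every byte.
            "complete": state == 1 and recv == total,
            "state": DOWNLOAD_STATE.get(state, f"other ({state})"),
            "tab_url": tab,
            "url": url,
        })
    return rows


def open_history(path):
    """Open an exported History copy read-only so the evidence file is never modified."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


if __name__ == "__main__":
    for row in list_downloads(build_sample_history()):
        print(row["start_time_utc"].isoformat(), row["state"], row["url"], "->", row["target_path"])
```

To use it on the exported file, replace build_sample_history() with open_history(r"path\to\exported\History"). The start_time values come out in UTC; apply the machine's TimeZoneInformation bias before comparing them with timestamps the user would have seen.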
We can export the AlpacaCare.docx file and analyze it.
Then we can view the file with LibreOffice.
The hyperlink used in the document is "palominoalpacafarm.com".
Ans: palominoalpacafarm.com
Thaaaaaannnnnkkkk UUUUUUU for reading 🥰