Intro to digital forensics, rapid triage examination and analysis

During our examination of the USN Journal within Timeline Explorer, we observed “uninstall.exe”. The attacker subsequently renamed this file. Use Zone.Identifier information to determine its new name and enter it as your answer. Any hints on this one?

Did you solve it bro? I am stuck too.

No, it's not :unamused:

Stuck as well.

Parse the MFT, open it in the timeline viewer and look for the ZoneId for uninstall.exe; then there is a file name column that will show the original file name.

Thanks, I have done that already. I am at the last module in SOC Analyst; appreciate your response.

1 Like

To determine the new name of the “uninstall.exe” file, check the Zone.Identifier information linked to it in Timeline Explorer. Look for any renaming events associated with the file.
Is it useful for you?

1 Like

You need to define a new file name “uninstall.exe” using the information from Zone.Identifier. It is important to extract this information and continue the analysis without discussing the methods for obtaining it.

1 Like

Saw those clues in Timeline Explorer but still can't find the new name in MFT Explorer.

Managed to solve?
Do you have any idea how to do this?

Well, I got stuck there for a while. Let me help you get out of there:

:information_source: Make sure to parse the $MFT file to CSV; don't spend a lot of time analyzing $J (USN).

Using Timeline Explorer, instead of filtering by the Entry ID, filter by the file name (uninstall.exe). You will notice a couple of downloads of the file with ZoneId 3.

From there, just analyze the File Name column. Good luck! :slight_smile:

1 Like
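The procedure described in the post above (parse $MFT to CSV, filter by the downloaded file name, read the Zone.Identifier data and then the FileName column) can be scripted instead of clicked through. The example below is added here and is not part of the thread, the HTB Academy module, or Eric Zimmerman's tools. It assumes the CSV has MFTECmd-style column names (EntryNumber, SequenceNumber, ParentPath, FileName, ZoneIdContents) and that the Zone.Identifier stream is flattened onto one line as `[ZoneTransfer] ZoneId=3 ... HostUrl=...`; the rows, paths and URLs in the sample are constructed for illustration. The forensic point it demonstrates: renaming a downloaded file does not touch its Zone.Identifier alternate data stream, so the MFT record shows the new name in FileName while HostUrl still ends in the name the file was fetched as.

```python
import csv
import io
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed sample in the shape of an MFTECmd $MFT CSV export, reduced to the
# columns this example needs (real exports carry many more). ZoneIdContents is
# the Zone.Identifier alternate data stream; ZoneId=3 is the Internet zone,
# i.e. the file was downloaded. Entries, names and URLs are made up.
SAMPLE_MFT_CSV = """EntryNumber,SequenceNumber,ParentPath,FileName,Extension,ZoneIdContents
1001,2,.\\Users\\alice\\Downloads,uninstall.exe,.exe,"[ZoneTransfer] ZoneId=3 ReferrerUrl=http://files.example/ HostUrl=http://files.example/uninstall.exe"
1002,1,.\\Users\\alice\\Downloads,discord.exe,.exe,"[ZoneTransfer] ZoneId=3 HostUrl=https://cdn.example/discord.exe"
1003,1,.\\Users\\alice\\Downloads,updater.exe,.exe,"[ZoneTransfer] ZoneId=3 ReferrerUrl=http://files.example/ HostUrl=http://files.example/uninstall.exe"
1004,1,.\\Windows\\System32,notepad.exe,.exe,
"""

# key=value pairs as they appear in the flattened stream text
_KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_zone_identifier(contents: str) -> Dict[str, str]:
    """Turn flattened Zone.Identifier text into a dict (ZoneId, HostUrl, ...).

    An empty or missing column (no ADS on the file) yields an empty dict.
    """
    return {key: value for key, value in _KV_RE.findall(contents or "")}


def downloaded_name(host_url: str) -> str:
    """Last path segment of HostUrl: the name the file was fetched as."""
    return urlsplit(host_url).path.rsplit("/", 1)[-1]


def internet_downloads(csv_text: str) -> List[Dict[str, str]]:
    """Every MFT record whose Zone.Identifier marks it as an Internet download."""
    hits: List[Dict[str, str]] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        zone = parse_zone_identifier(row.get("ZoneIdContents", ""))
        if zone.get("ZoneId") != "3":
            continue  # not downloaded (or no Zone.Identifier stream at all)
        host_url = zone.get("HostUrl", "")
        hits.append({
            "EntryNumber": row["EntryNumber"],
            "ParentPath": row["ParentPath"],
            "FileName": row["FileName"],        # current on-disk name
            "HostUrl": host_url,
            "DownloadedAs": downloaded_name(host_url),  # original name
        })
    return hits


def find_renamed_downloads(csv_text: str, original_name: str) -> List[Dict[str, str]]:
    """Records fetched as `original_name` but now stored under another name.

    Renaming preserves the Zone.Identifier ADS, so HostUrl still points at the
    original file name while FileName holds the post-rename name.
    """
    target = original_name.lower()
    return [
        rec for rec in internet_downloads(csv_text)
        if rec["DownloadedAs"].lower() == target
        and rec["FileName"].lower() != target
    ]


if __name__ == "__main__":
    for rec in find_renamed_downloads(SAMPLE_MFT_CSV, "uninstall.exe"):
        print(f"entry {rec['EntryNumber']}: downloaded as {rec['DownloadedAs']}, "
              f"now {rec['ParentPath']}\\{rec['FileName']} (from {rec['HostUrl']})")
```

To use it on a real export, replace `SAMPLE_MFT_CSV` with the contents of the CSV that MFTECmd writes for `$MFT` and check the column names against your version's output; the matching logic stays the same. Records whose ZoneIdContents is empty (no ADS, typically files that never came through a browser) are skipped rather than treated as errors.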

I saw several, like discord.exe and others, but all are wrong. Any hint?

One other question: the RDP host is so slow. When I try to click or type a letter it needs more than 3 seconds for one click :frowning:
Does someone have an approach to speed this up?

One day later, it works as expected.

Solution is quite simple: read the instructions carefully, use the PS script, search in Timeline Explorer for uninstall.exe and then have a look at the “FileName” column.