Intro to digital forensics, rapid triage examination and analysis

During our examination of the USN Journal within Timeline Explorer, we observed “uninstall.exe”. The attacker subsequently renamed this file. Use Zone.Identifier information to determine its new name and enter it as your answer. Any hints on this one?

Did you solve it, bro? I am stuck too.

No, it's not :unamused:

Stuck as well.

Parse the MFT, open it in the timeline viewer and look for the ZoneId for uninstall.exe; then there is a file name column that will show the original file name.
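As an added illustration of what that lookup relies on (example code, not from the original thread or from any course material): a Zone.Identifier alternate data stream is INI-style text written at download time, and it stays attached to the file through a rename, so its HostUrl can still name the file as it was originally downloaded. The parser below reads a constructed CSV modelled on an MFT export with a ZoneIdContents column (the column names are an assumption; a real export carries many more columns) and reports entries whose current file name no longer matches the name recorded in the stream.

```python
import configparser
import csv
import io

# Constructed sample in the shape of an MFT CSV export with the Zone.Identifier
# stream text in a ZoneIdContents column (column names are an assumption).
# Paths, names and URLs are invented for the example.
SAMPLE_MFT_CSV = """EntryNumber,ParentPath,FileName,ZoneIdContents
41,.\\Users\\victim\\Downloads,report.pdf,"[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://example.invalid/
HostUrl=https://example.invalid/files/report.pdf"
42,.\\Users\\victim\\Downloads,svchost-update.exe,"[ZoneTransfer]
ZoneId=3
HostUrl=http://files.example.invalid/uninstall.exe"
43,.\\Windows\\System32,notepad.exe,
"""

# URL security zone numbers as used in the ZoneId field.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}


def parse_zone_identifier(text):
    """Parse Zone.Identifier stream content; return a dict or None if absent/malformed."""
    if not text or not text.strip():
        return None
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the original key case (ZoneId, HostUrl, ...)
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    if "ZoneTransfer" not in cp:
        return None
    sec = cp["ZoneTransfer"]
    try:
        zone = int(sec.get("ZoneId", "-1"))
    except ValueError:
        zone = -1
    return {
        "ZoneId": zone,
        "ZoneName": ZONE_NAMES.get(zone, "Unknown"),
        "ReferrerUrl": sec.get("ReferrerUrl", ""),
        "HostUrl": sec.get("HostUrl", ""),
    }


def find_renamed_downloads(csv_text, original_name):
    """Return MFT rows whose Zone.Identifier HostUrl ends in original_name
    while the file is now stored under a different name."""
    wanted = original_name.lower()
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        zi = parse_zone_identifier(row.get("ZoneIdContents", ""))
        if zi is None:
            continue
        # Last path component of the download URL is the name it was fetched as.
        downloaded_as = zi["HostUrl"].rstrip("/").rsplit("/", 1)[-1].lower()
        if downloaded_as == wanted and row["FileName"].lower() != wanted:
            hits.append({"current_name": row["FileName"],
                         "path": row["ParentPath"], **zi})
    return hits


if __name__ == "__main__":
    for hit in find_renamed_downloads(SAMPLE_MFT_CSV, "uninstall.exe"):
        print(f"{hit['path']}\\{hit['current_name']}  "
              f"(zone {hit['ZoneId']} {hit['ZoneName']}, from {hit['HostUrl']})")
```

The same logic works on any export that keeps the stream text per entry; if your tool exposes the ADS as a separate row named `Zone.Identifier` instead, join it to its parent entry first and feed that text to `parse_zone_identifier`.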

Thanks, I have done that already. I am at the last module in SOC Analyst; appreciate your response.


To determine the new name of the “uninstall.exe” file, check the Zone.Identifier information linked to it in Timeline Explorer. Look for any renaming events associated with the file.
Is it useful for you?


You need to define a new file name “uninstall.exe” using the information from Zone.Identifier. It is important to extract this information and continue the analysis without discussing the methods for obtaining it.


Saw those clues in Timeline Explorer but still can’t find the new name in MFT Explorer.

Managed to solve?
Do you have any idea how to do this?