INTRODUCTION TO DIGITAL FORENSICS - Practical Digital Forensics Scenario

Hello

i am stuck in this exercise:

Investigate the USN Journal located at “C:\Users\johndoe\Desktop\kapefiles\ntfs%5C%5C.%5CC%3A$Extend$UsnJrnl%3A$J” to determine how “advanced_ip_scanner.exe” was introduced to the compromised system. Enter the name of the associated process as your answer. Answer format: _.exe

i parsed the Journal to CSV file. i can see the advanced_ip_scanner.exe.

also ran this powershell:

• Run these commands in powershell:
• python C:\Users\johndoe\Desktop\files\USN-Journal-Parser-master\usnparser\usn.py -f ‘C:\Users\johndoe\Desktop\kapefiles\ntfs%5C%5C.%5CC%3A$Extend$UsnJrnl%3A$J’ -o C:\Users\johndoe\Desktop\usn_output.csv -c
• $time1 = [DateTime]::ParseExact(“2023-08-10 09:00:00.000000”, “yyyy-MM-dd HH:mm:ss.ffffff”, $null)
• $time2 = [DateTime]::ParseExact(“2023-08-10 10:00:00.000000”, “yyyy-MM-dd HH:mm:ss.ffffff”, $null)
• Import-Csv -Path C:\Users\johndoe\Desktop\usn_output.csv | Where-Object { $.‘FileName’ -match ‘.exe$|.txt$|.msi$|.bat$|.ps1$|.iso$|.lnk$’ } | Where-Object { $.timestamp -as [DateTime] -ge $time1 -and $_.timestamp -as [DateTime] -lt $time2 }

i cant figure out.

any hint

Did you manage to find the answer? If so, any hints?

i find the answer trying one by one all .exe process. the process happen before the advanced_ip_scanner.exe. i know this is not a good answer but i couldnt figure out in another way.

Good. I’ve completed that too

For those facing this challenge, the answer is pretty well known and you encounter this exe throughout the module. It start with “RUN*****.EXE”

how did you find it?

I think this is the way, but instead of checking every process, there’s actually only one process running before the file creation.

advanced.zip was created at 9:20:04.
advanced_ip_scanner.exe was created at 9:20:26.

Checking the memory with Volatility, you can see that there’s only one process running in that interval of time