INTRODUCTION TO DIGITAL FORENSICS - Practical Digital Forensics Scenario

Hello

I am stuck on this exercise:

Investigate the USN Journal located at “C:\Users\johndoe\Desktop\kapefiles\ntfs%5C%5C.%5CC%3A$Extend$UsnJrnl%3A$J” to determine how “advanced_ip_scanner.exe” was introduced to the compromised system. Enter the name of the associated process as your answer. Answer format: _.exe

I parsed the Journal to a CSV file. I can see advanced_ip_scanner.exe.

I also ran this PowerShell:

  • Run these commands in PowerShell:
  • python C:\Users\johndoe\Desktop\files\USN-Journal-Parser-master\usnparser\usn.py -f 'C:\Users\johndoe\Desktop\kapefiles\ntfs%5C%5C.%5CC%3A$Extend$UsnJrnl%3A$J' -o C:\Users\johndoe\Desktop\usn_output.csv -c
  • $time1 = [DateTime]::ParseExact("2023-08-10 09:00:00.000000", "yyyy-MM-dd HH:mm:ss.ffffff", $null)
  • $time2 = [DateTime]::ParseExact("2023-08-10 10:00:00.000000", "yyyy-MM-dd HH:mm:ss.ffffff", $null)
  • Import-Csv -Path C:\Users\johndoe\Desktop\usn_output.csv | Where-Object { $_.'FileName' -match '\.exe$|\.txt$|\.msi$|\.bat$|\.ps1$|\.iso$|\.lnk$' } | Where-Object { ($_.timestamp -as [DateTime]) -ge $time1 -and ($_.timestamp -as [DateTime]) -lt $time2 }

I can't figure it out.

Any hint?

Did you manage to find the answer? If so, any hints?

I found the answer by trying all the .exe processes one by one. The process happens before advanced_ip_scanner.exe. I know this is not a good answer, but I couldn't figure it out another way.

Good. I’ve completed that too

For those facing this challenge, the answer is pretty well known and you encounter this exe throughout the module. It starts with "RUN*****.EXE".


how did you find it?

I think this is the way, but instead of checking every process, there’s actually only one process running before the file creation.

advanced.zip was created at 9:20:04.
advanced_ip_scanner.exe was created at 9:20:26.

Checking the memory with Volatility, you can see that there's only one process running in that interval of time:

  7148 588 explorer.exe 0x800ae0d4b080 48 - 1 False 2023-08-10 00:30:56.000000 N/A
  ** 3648 7148 rundll32.exe 0x800ae16c6080 4 - 1 False 2023-08-10 09:15:14.000000 N/A
  ** 892 7148 chrome.exe 0x800ae10d2080 42 - 1 False 2023-08-10 09:32:30.000000 N/A
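The correlation described in the last reply (file creation times from the parsed USN Journal against process start times from a Volatility pstree listing) as an added example that is not part of the thread. The USN CSV column names, the pstree column layout and the ten-minute lookback window are assumptions; the sample rows are constructed from the timestamps quoted above.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed USN Journal CSV in the shape a parser such as usn.py emits
# (column names are an assumption; match them to your parser's header).
USN_CSV = """timestamp,filename,reason
2023-08-10 09:15:14.000000,rundll32.exe,DATA_EXTEND
2023-08-10 09:20:04.000000,advanced.zip,FILE_CREATE
2023-08-10 09:20:26.000000,advanced_ip_scanner.exe,FILE_CREATE
2023-08-10 09:32:30.000000,chrome.exe,DATA_EXTEND
"""

# Constructed lines in the layout of Volatility 3 windows.pstree output:
# PID PPID ImageFileName Offset Threads Handles SessionId Wow64 CreateTime ExitTime
PSTREE = """7148 588 explorer.exe 0x800ae0d4b080 48 - 1 False 2023-08-10 00:30:56.000000 N/A
** 3648 7148 rundll32.exe 0x800ae16c6080 4 - 1 False 2023-08-10 09:15:14.000000 N/A
** 892 7148 chrome.exe 0x800ae10d2080 42 - 1 False 2023-08-10 09:32:30.000000 N/A
"""

FMT = "%Y-%m-%d %H:%M:%S.%f"


def creation_time(usn_text, filename):
    """Return the FILE_CREATE timestamp of filename from USN CSV text, or None."""
    for row in csv.DictReader(io.StringIO(usn_text)):
        if row["filename"].lower() == filename.lower() and "FILE_CREATE" in row["reason"]:
            return datetime.strptime(row["timestamp"], FMT)
    return None


def processes_started_in(pstree_text, start, end):
    """Processes whose CreateTime lies in [start, end], as (pid, name, created)."""
    hits = []
    for line in pstree_text.splitlines():
        parts = line.lstrip("* ").split()  # drop the pstree depth markers
        if len(parts) < 11:
            continue
        created = datetime.strptime(parts[8] + " " + parts[9], FMT)
        if start <= created <= end:
            hits.append((int(parts[0]), parts[2], created))
    return hits


def candidate_parents(usn_text, pstree_text, dropped_file, lookback=timedelta(minutes=10)):
    """Processes started within the lookback window before dropped_file was created."""
    created = creation_time(usn_text, dropped_file)
    return [] if created is None else processes_started_in(pstree_text, created - lookback, created)
```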