Introduction to Digital Forensics

Can anyone help me, and throw me some hints on how to solve the skill assessments of the “Introduction to Digital Forensics”?
I gathered the logs and browsed through the “Sysmon.evtx” using PowerShell and Event Viewer.
I was only able to solve the 1st question!

1 Like

For the second, you should check not only the Velociraptor outputs.
I am stuck at the 3rd, I found the registry key but it is disabled. If you can share some tips or a hint, it would be nice.
For the 4th, you should check the local machine.
And on the 5th you can find the answer in Velociraptor.

I finally figured them out.
For the 3rd question, check the machine itself using the “Windows Persistence Artifacts” section in “Windows Forensic Overview” as your guide.

2 Likes

Can you provide a nudge?

On the Practical Digital Forensics Scenario section at question number 1, can anyone give me a hint? I dumped the memory contents on pid 6744 using the memmap plugin but still didn’t have the answer.

If you are still stuck, check other volatility plugins which could reveal valuable information. Don’t hesitate to PM me if really stuck.

Nevertheless, I’m also stuck. I found the tool from the PowerSploit repository which is used, but I am unable to validate the answer … I tried both with the script’s full name and without the extension; neither works. Can anyone give me a hint?

Since someone asked for hints in Discord, posting here:
“how “advanced_ip_scanner.exe” was introduced to the compromised system”

Hint for others: use the examples from the previous topic, find the one exploring USN. Go through the findings, Discord search :), note the SIEM crucial thing :slightly_smiling_face: T__e
Then you need to use the USN example in the current topic. I think it will be enough to find the answer.

I finally figured “guessed” it correctly. Feel free to PM for nudges.

Hi decrypto, any clues on the answer format? I figured out the process after a couple of days of trying, but the answer is showing as incorrect.

Just the name, no extension. Which technically they say in the description: “and enter its name as your answer.” I was trying with extensions and finally had an epiphany after a Google search on Cobalt Strike and the repo mentioned.

Would love to discuss via PM on how you found it. I went down the rabbit hole of trying to decode the encoded Powershell I found.

Me too, I just wasted a lot of time decrypting the script (at least I learned how to decrypt :slight_smile: ). I used the getsids plugin, which shed light on what to look for, then a bit of Google search about tools. Finally made it after lots of wrong answers.

1 Like

I’ll have to go back and try the getsids. It was fun decoding the Powershell but definitely a rabbit hole.

1 Like

Any hint for “advanced_ip_scanner.exe”? I’m stuck. I got your hints but I am not able to find the correct answer. I reviewed the $J log using USN-Journal-Parser (usn.py).

Hi mate, can you help me? I’m stuck on the 3rd question for days now and it’s the only question left to complete the whole module.
Can you explain in detail how I will get to the right answer?

Thank you!! I’m still stuck on the 2nd question (the only question I have left). Can you please elaborate more on what artifact I should focus on to find the C2 (Command and Control) IP address?

The question I have been struggling with is:

Visit the URL “https://127.0.0.1:8889/app/index.html#/search/all” and log in using the credentials: admin/password. After logging in, click on the circular symbol adjacent to “Client ID”. Subsequently, select the displayed “Client ID” and click on “Collected”. Initiate a new collection and gather artifacts labeled as “Windows.KapeFiles.Targets” using the _SANS_Triage configuration. Lastly, examine the collected artifacts and enter the name of the scheduled task that begins with ‘A’ and concludes with ‘g’ as your answer.

I have followed the steps of collecting and downloading the artifacts and then used the following PowerShell command to list the files and directories in the downloaded artifacts, and looked at a couple of .csv and .json files.
Get-ChildItem -Path "C:\Users\Administrator\Downloads\H.CPCVMTIK7D3U6\E-CORP-C.e0967723979c1134" -Recurse

I am starting to wonder if I am missing something obvious or if it is like finding a needle in the haystack.

Any hints would help. Thanks in advance =))
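The KAPE SANS_Triage target pulls the scheduled task definitions from the host (the XML files under Windows\System32\Tasks), so instead of reading the CSV/JSON summaries one can parse those files directly. The script below is an added example, not code from the original post or from Velociraptor; it assumes the collection was unpacked under the Downloads path quoted above and that the Tasks folder keeps its on-disk relative layout inside the collection (adjust the root and the path filter if your layout differs).

```powershell
# Added example: enumerate scheduled task definitions inside a Velociraptor
# Windows.KapeFiles.Targets (SANS_Triage) collection and filter by task name.
# Root path is taken from the post above; the "System32\Tasks" filter is an
# assumption about how KAPE preserves the source directory structure.
$CollectionRoot = 'C:\Users\Administrator\Downloads\H.CPCVMTIK7D3U6\E-CORP-C.e0967723979c1134'

# Task definitions are extension-less XML files named after the task.
$taskFiles = Get-ChildItem -Path $CollectionRoot -Recurse -File |
    Where-Object { $_.FullName -match '\\System32\\Tasks\\' }

$tasks = foreach ($f in $taskFiles) {
    try {
        # Task XML on disk is UTF-16 with a BOM; Get-Content detects that.
        [xml]$xml = Get-Content -Path $f.FullName -Raw -ErrorAction Stop
    } catch {
        continue   # skip anything that is not well-formed task XML
    }
    if (-not $xml.Task) { continue }
    [pscustomobject]@{
        Name    = $f.Name
        Author  = $xml.Task.RegistrationInfo.Author
        Command = ($xml.Task.Actions.Exec.Command -join ' ')
        Args    = ($xml.Task.Actions.Exec.Arguments -join ' ')
        Path    = $f.FullName
    }
}

# The question's constraint: name starts with 'A' and ends with 'g'.
$tasks | Where-Object { $_.Name -match '^A.*g$' } |
    Format-Table Name, Author, Command, Args -AutoSize

# Wider triage view: every collected task and what it launches, so an
# unexpected binary or script path stands out during review.
$tasks | Sort-Object Name | Format-Table Name, Command, Args -AutoSize
```

If the filter returns nothing, run the first Get-ChildItem without the Where-Object clause and look for where the collection placed the Tasks directory; Velociraptor names its output folders per client, as the post's path shows.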

I noticed that each time I have done the artifacts collection process after resetting the VM and target address, my collection files are slightly different.