Rapid Triage Examination and Analysis Tool

I have a problem with Question 1 on Rapid Triage Examination and Analysis Tool from Introduction to Digital Forensics. I cannot understand how I can use zone.identifier to see the rename action.

Hey, same here, I wonder why the Zone.Identifier stream should contain the new name of the file … I’ll look further soon!


I just completed this assessment, took me some time to understand the first question (other ones are straightforward).
Think about it: when you rename a file in NTFS, data streams like Zone.Identifier are not erased.
Search the entire MFT for a juicy Zone.Identifier stream


Hi, I’m currently working on this section with question 1, but I’m not able to find the Zone.Identifier stream anywhere I’ve looked. I’ve been using MFT Explorer to try to find the rename record but no luck. It would be a great help if you could give a hint about what I am missing…

I am stuck on the same question, has anyone had any luck?

I found it using Timeline Explorer. In the Zone Id Contents field you can put your own filter. There are only a few items with this field written. Try it and come back to tell me your results.

@dannyho1209 @bb0rges

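To make the two hints above concrete (an ADS such as Zone.Identifier survives a rename, and Timeline Explorer can filter on the Zone Id Contents column of an MFTECmd CSV), here is an added example that is not from the original thread, the course, or any of Eric Zimmerman's tools. It parses a constructed MFTECmd-style `$MFT` CSV, pulls every row whose `ZoneIdContents` column is populated, decodes the `[ZoneTransfer]` key/value text, and compares the file name the download was fetched as (the last path segment of `HostUrl`) with the name the file has in the MFT now. A mismatch is the rename showing through. The column subset, the sample rows, and the assumption that `HostUrl` is present are all constructed for this example; real Zone.Identifier streams on older Windows versions may carry only `ZoneId`, which the code reports as "unknown" rather than guessing.

```python
import csv
import io
import re
from urllib.parse import urlsplit

# URL security zones as written by the Attachment Execution Service.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

# Constructed sample rows in a subset of MFTECmd's $MFT CSV column layout.
# Entry numbers, paths, and URLs are made up for this example.
SAMPLE_MFT_CSV = r'''EntryNumber,InUse,ParentPath,FileName,Extension,IsAds,ZoneIdContents
41233,True,.\Users\bob\Downloads,payload.exe,.exe,False,"[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://files.example.invalid/
HostUrl=https://files.example.invalid/payload.exe"
41890,True,.\Users\bob\Desktop,Q4_report.exe,.exe,False,"[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://files.example.invalid/
HostUrl=https://files.example.invalid/payload.exe"
42011,True,.\Users\bob\Downloads,setup.msi,.msi,False,"[ZoneTransfer]
ZoneId=3"
42050,True,.\Users\bob\Documents,notes.txt,.txt,False,
'''


def parse_zone_identifier(contents):
    """Turn the key=value lines of a Zone.Identifier stream into a dict.

    The regex tolerates CRLF, LF, or any other separator the CSV exporter
    may have used between the lines of the stream.
    """
    return {key: value.strip() for key, value in re.findall(r"(\w+)=([^\r\n]+)", contents)}


def find_renamed_downloads(csv_text):
    """Return one record per MFT row that carries Zone.Identifier contents.

    'renamed' is True when the name in HostUrl differs from the current
    FileName, False when they match, and None when the stream has no HostUrl.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        zone_text = (row.get("ZoneIdContents") or "").strip()
        if not zone_text:
            continue  # no ADS contents exported for this entry
        fields = parse_zone_identifier(zone_text)
        # An ADS row may be listed as "name.ext:Zone.Identifier"; keep the file name only.
        current_name = row["FileName"].split(":", 1)[0]
        host_url = fields.get("HostUrl", "")
        downloaded_as = urlsplit(host_url).path.rsplit("/", 1)[-1] if host_url else ""
        if downloaded_as:
            renamed = downloaded_as.lower() != current_name.lower()
        else:
            renamed = None  # stream only says which zone; original name unknown
        try:
            zone = ZONE_NAMES.get(int(fields.get("ZoneId", "")), "unknown")
        except ValueError:
            zone = "unknown"
        findings.append({
            "entry": row["EntryNumber"],
            "path": row["ParentPath"],
            "current_name": current_name,
            "zone": zone,
            "referrer": fields.get("ReferrerUrl", ""),
            "host_url": host_url,
            "downloaded_as": downloaded_as,
            "renamed": renamed,
        })
    return findings


if __name__ == "__main__":
    for f in find_renamed_downloads(SAMPLE_MFT_CSV):
        flag = {True: "RENAMED", False: "same name", None: "no HostUrl"}[f["renamed"]]
        print(f"{f['entry']:>6} {f['path']}\\{f['current_name']:<16} zone={f['zone']:<9} "
              f"downloaded_as={f['downloaded_as'] or '-':<14} {flag}")
```

Point the same function at the CSV MFTECmd produced for the assessment and the rows with a populated `ZoneIdContents` are exactly the handful Timeline Explorer shows when you filter that column; the ones where `downloaded_as` and `current_name` disagree are your rename candidates.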

Actually I am on the second question, not sure which tool you used to generate the .csv on the second question? I’m honestly going crazy :clown_face:

Can you clarify which question you are referring to?

The Rapid Triage section contains three subsections on Windows event logs, starting with Windows Event Logs Investigation. The required command is mentioned verbatim in one of these.


I got the question in the end :sweat_smile: Trying to figure out now VAD Analysis with Velociraptor

Very good. If you have any other questions please do not hesitate to ask. I think this post would be useful for everyone.


Using VAD analysis, pinpoint the suspicious process and enter its name as your answer. Answer format: _.exe

For this question are we supposed to run a Hunt with Windows.VAD? Like this below? I guess we need to change a setting on it?

(this is the wrong thread for this question as it is part of the Skills Assessment section, not Rapid Triage Examination & Analysis Tools)

I think the skills assessment indeed wants us to run our own collection(s). The first task can be done simply enough by using the relevant collection artifact. Just looking at the resulting JSON data is enough for task 1 (preprocess it a bit using stuff like jq, uniq and it will be manageable), the suspicious process will be quite obvious.

Haven’t done the remaining tasks of the skills assessment yet, but my guess is their solution path will be closer to the previous sections. Bit annoying that the section’s VM doesn’t have the relevant tools on it, but at least I got a bit of exercise copying files between Linux and Windows that way again.

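The reply above preprocesses the collected VAD JSON with jq and uniq by hand; here is an added example, not part of the thread, the course, or Velociraptor itself, that does the same triage in Python. It reads JSON-lines records in the shape assumed for a Windows VAD collection (`Pid`, `Name`, `Address`, `Size`, `Protection`, `MappingName`; the real artifact's column names may differ and should be checked against the collection), keeps only private, non-file-backed regions with read-write-execute protection, and ranks processes by how many such regions they own and how large they are. The sample records and the accepted protection spellings are constructed for this example. Note that JIT engines (browsers, .NET, Java) legitimately allocate RWX private memory, so treat the output as a ranking to investigate, not a verdict.

```python
import json
from collections import defaultdict

# Constructed JSON-lines sample in the column layout assumed for a Windows VAD
# collection. Pids, addresses, sizes, and mapping names are made up.
SAMPLE_VAD_JSONL = r'''
{"Pid": 1234, "Name": "explorer.exe", "Address": "0x7ff6a0000000", "Size": 4194304, "Protection": "PAGE_EXECUTE_READ", "MappingName": "\\Windows\\explorer.exe"}
{"Pid": 1234, "Name": "explorer.exe", "Address": "0x1f3c0000", "Size": 1048576, "Protection": "PAGE_READWRITE", "MappingName": ""}
{"Pid": 5512, "Name": "notepad.exe", "Address": "0x2a10000", "Size": 65536, "Protection": "PAGE_EXECUTE_READWRITE", "MappingName": ""}
{"Pid": 5512, "Name": "notepad.exe", "Address": "0x2b00000", "Size": 1048576, "Protection": "PAGE_EXECUTE_READWRITE", "MappingName": ""}
{"Pid": 9021, "Name": "chrome.exe", "Address": "0x3f000000", "Size": 16384, "Protection": "PAGE_EXECUTE_READWRITE", "MappingName": ""}
{"Pid": 820, "Name": "svchost.exe", "Address": "0x7ffd10000000", "Size": 2097152, "Protection": "PAGE_EXECUTE_READ", "MappingName": "\\Windows\\System32\\ntdll.dll"}
'''

# Spellings of read-write-execute protection accepted here (assumption: tools
# emit either the Win32 constant or a short rwx-style flag string).
RWX_SPELLINGS = {"execute_readwrite", "xrw", "rwx", "wrx"}


def is_rwx(protection):
    """True when a VAD region is writable and executable at the same time."""
    normalized = protection.replace("PAGE_", "").strip().lower()
    return normalized in RWX_SPELLINGS


def triage_vad(jsonl_text):
    """Rank processes by private (non-file-backed) RWX regions.

    Returns a list of dicts sorted by region count, then total bytes, descending.
    Processes with no such regions are omitted entirely.
    """
    by_process = defaultdict(list)
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("MappingName"):
            continue  # backed by an image or data file: not injected/unpacked code
        if not is_rwx(rec.get("Protection", "")):
            continue
        by_process[(rec["Pid"], rec["Name"])].append(rec)

    ranked = sorted(
        by_process.items(),
        key=lambda kv: (-len(kv[1]), -sum(r["Size"] for r in kv[1])),
    )
    return [
        {
            "pid": pid,
            "name": name,
            "rwx_private_regions": len(regions),
            "rwx_private_bytes": sum(r["Size"] for r in regions),
            "addresses": [r["Address"] for r in regions],
        }
        for (pid, name), regions in ranked
    ]


if __name__ == "__main__":
    for hit in triage_vad(SAMPLE_VAD_JSONL):
        print(f"pid={hit['pid']:<6} {hit['name']:<14} regions={hit['rwx_private_regions']} "
              f"bytes={hit['rwx_private_bytes']:<9} at {', '.join(hit['addresses'])}")
```

Run it over the JSON the collection produced (`python3 triage.py < vad.jsonl` after swapping the sample for `sys.stdin.read()`) and the process with the most unbacked RWX memory lands at the top; a text editor with a megabyte of RWX private memory and no mapped file behind it is the kind of thing the task is asking you to notice.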