Hello,
I have a problem with Question 1 on Rapid Triage Examination and Analysis Tool from Introduction to Digital Forensics. I cannot understand how I can use zone.identifier to see the rename action.
Hey, same here, I wonder why the Zone.Identifier stream should contain the new name of the file … I’ll look further soon !
Re,
I just completed this assessment, took me some time to understand the first question (other ones are straightforward).
Think about when you rename a file in NTFS, data streams like Zone.Identifier are not erased.
Search the entire MFT for a juicy Zone.Identifier stream
2 Likes
Hi, I’m currently working on this section with question 1, but I’m not able to get the Zone.Identifier stream anywhere I knew. I’ve been using MFT Explorer to try find the rename record but no luck. It would be a great help if you can give a hint about what am I missing…
I am stuck on the same question, anyone got luck?
Hello,
I found it using Time Explorer. In the Zone Id Contents you field you can put your own filter. There are only a few items with this field written. Try it and come back to tell me your results.
1 Like
Actually I am on the second question not sure which tool did you use to generate .csv on the second question? I honestly going crazy 
Hello,
Can you clarify which question are you referring?
The Rapid Triage section contains three subsections on Windows event logs, starting with Windows Event Logs Investigation. The required command is mentioned verbatim in one of these.
1 Like
I got the question in the end 
Trying to figure out now VAD Analysis with Velociraptor
Very good. If you have any other question please do not hesitate to ask. I think it would be useful for everyone this post.
1 Like
Using VAD analysis, pinpoint the suspicious process and enter its name as your answer. Answer format: _.exe
For this question are we supposed to run a Hunt with Windows.VAD? like this bellow? I guess we need to change a setting on it?
(this is the wrong thread for this question as it is part of the Skills Assessment section, not Rapid Triage Examination & Analysis Tools)
I think the skill assessment indeed want us to run our own collection(s). The first task can be done simple enough by using the relevant collection artifact. Just looking at the resulting JSON data is enough for task 1 (preprocess it a bit using stuff like jq, uniq and it will be manageable), the suspicious process will be quite obvious.
Haven’t done the remaining tasks of the skill assessment yet, but my guess it their solution path will be closer to the previous sections. Bit annoying that the section’s VM doesn’t have the relevant tools on it, but at least I got a bit of exercise copying files between Linux and Windows that way again.
1 Like
Velociraptor with Yara rules search/query will the .exe name in results folder, it starts with r
Hey, can anyone give a guide on how to complete it? This digital forensics course is super annoying and overwhelming for me.
Creating a comprehensive guide would be very time-consuming. Please provide your specific questions, and we will do our best to assist you.
thank you man. ive managed to complete it. thankfully there is a walkthrough on the internet. the module is terrifying, glad its over now
Where can I get that walkthrough?
Search for “Write Up:Introduction to Digital Forensics — Skill assessment- HTB Academy”
1 Like
Yes this tip is gold. It’s related with Windows