Initial investigations reveal that someone accessed the user's computer during the previously specified timeframe.
Whoever this someone is, it is evident they already know what to search for. Hmm. Curious.
What file type was searched for using the search bar in Windows Explorer?
Based on the cheatsheet, Explorer search history lives in the user's NTUSER.DAT hive. Two keys are relevant:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
TypedPaths records what was typed into the Explorer address bar; WordWheelQuery records the terms typed into the Explorer search box, which is the one this question is about. Each numbered value under WordWheelQuery is a null-terminated UTF-16LE string, and the MRUListEx value lists the value indices in order, most recent first, terminated by 0xFFFFFFFF.

Open the hive in Registry Explorer, select each value and use the Data Interpreter pane to decode the binary data; because the terms are stored as UTF-16LE, the raw hex view shows each character followed by a null byte.
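To show what the Data Interpreter is doing under the hood, here is an added example (not part of the original walkthrough, and not from Registry Explorer) that decodes a WordWheelQuery key from its raw values: it reads MRUListEx as little-endian DWORDs up to the 0xFFFFFFFF terminator and decodes each numbered value as UTF-16LE. The sample values are constructed for the example; the search terms in them are invented.

```python
import struct

# Constructed sample of a WordWheelQuery key as it might be exported from the
# hive. This is invented data, not the room's artefact. Numbered values hold
# null-terminated UTF-16LE search terms; MRUListEx is a list of little-endian
# DWORD value indices, most recent first, ending in 0xFFFFFFFF.
SAMPLE_WORDWHEELQUERY = {
    "MRUListEx": struct.pack("<3I", 1, 0, 0xFFFFFFFF),
    "0": "quarterly".encode("utf-16-le") + b"\x00\x00",
    "1": "*.docx".encode("utf-16-le") + b"\x00\x00",
}


def parse_mrulistex(data: bytes) -> list:
    """Return value indices in MRU order (most recent first).

    The list is terminated by 0xFFFFFFFF; anything after it is ignored.
    """
    if len(data) % 4 != 0:
        raise ValueError("MRUListEx length must be a multiple of 4")
    order = []
    for (idx,) in struct.iter_unpack("<I", data):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order


def decode_term(data: bytes) -> str:
    """Decode a UTF-16LE value, stopping at the first null terminator.

    This is what the Data Interpreter's Unicode view shows for the value.
    """
    text = data.decode("utf-16-le", errors="replace")
    return text.split("\x00", 1)[0]


def search_history(values: dict) -> list:
    """Return (index, term) pairs ordered most recent first.

    Numbered values that MRUListEx does not reference are appended at the
    end: they were searched at some point but their recency is unknown, which
    is worth reporting rather than silently dropping.
    """
    ordered = []
    seen = set()
    for idx in parse_mrulistex(values["MRUListEx"]):
        name = str(idx)
        if name in values:
            ordered.append((idx, decode_term(values[name])))
            seen.add(name)
    for name, data in values.items():
        if name.isdigit() and name not in seen:
            ordered.append((int(name), decode_term(data)))
    return ordered


if __name__ == "__main__":
    for idx, term in search_history(SAMPLE_WORDWHEELQUERY):
        print(f"{idx}: {term}")
```

On a real hive, export the key's values with Registry Explorer (or read them with a hive parsing library) and feed the bytes into search_history; the first entry in the returned list is the most recent search, which is what the question is after.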


What top-secret keyword was searched for using the search bar in Windows Explorer?

Not surprisingly, they quickly found what they are looking for in a matter of minutes.
Ha! They seem to have hit a snag! They needed something first before they could continue.
What is the name of the downloaded file to the Downloads folder?
We need Autopsy for this. Create a case and add the “C” directory from the KAPE output as a data source of type “Logical Files”. Once ingest finishes, open the “Web Downloads” node in the results tree and look at the downloaded files. The scenario states that the incident happened between 12:05 PM and 12:45 PM, so use the download timestamp to pick the right entry.

When was the file from the previous question downloaded? (YYYY-MM-DD HH:MM:SS UTC)
Thanks to the previously downloaded file, a PNG file was opened. When was this file opened? (YYYY-MM-DD HH:MM:SS)

Uh oh. They've hit the jackpot and are now preparing to exfiltrate data outside the network.
There is no way to do it via USB. So what's their other option?
A text file was created in the Desktop folder. How many times was this file opened?
.\JLECmd.exe -d C:\Users\THM-RFedora\Desktop\kape-results\C
JLECmd is Eric Zimmerman's command-line tool for parsing Windows Jump List files (the AutomaticDestinations and CustomDestinations files under the user's Recent folder); -d points it at a directory and it recurses through everything under it.
Jump Lists are the Windows feature that tracks recently or frequently accessed files per application, which is what you see when you right-click a program on the taskbar and get a list of recent files. Each entry carries an interaction count, so they answer "how many times was this opened" directly.
Back to the question: run the command, scroll through the output to the entry for launchcode.txt and read its interaction count. Adding --csv <output directory> writes the same data to CSV, which is easier to search than the console dump.

How do I know that launchcode.txt is the text file the question asks about? Before running JLECmd I first identified the .txt file in Registry Explorer, since the same hive records recently opened documents by extension under Explorer\RecentDocs.
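Once JLECmd has written a CSV, the remaining text-file questions (interaction count, last modified time in the requested format) are a filter over that export. The following is an added example, not the walkthrough's or JLECmd's own code: it loads a constructed JLECmd-style CSV excerpt, finds every entry for a given file name, optionally restricts to entries updated inside the incident window, and reformats the timestamp the way the question wants. The Jump List file names, paths, counts and timestamps are invented, and the column names are the ones I recall from JLECmd's output (an assumption; confirm them against the header row of your own export).

```python
import csv
import io
from datetime import datetime

# Constructed excerpt of a JLECmd "--csv" export for AutomaticDestinations
# Jump Lists. Everything here is invented for the example: the AppID file
# names, paths, counts and timestamps are made up, and the column names are
# assumed to match JLECmd's (check your own header row). Timestamps use
# JLECmd's default yyyy-MM-dd HH:mm:ss format.
RECENT = ("C:\\kape-results\\C\\Users\\user\\AppData\\Roaming\\Microsoft"
          "\\Windows\\Recent\\AutomaticDestinations\\")
SAMPLE_CSV = (
    "SourceFile,Path,InteractionCount,LastModified,TargetModified\n"
    f"{RECENT}1111111111111111.automaticDestinations-ms,"
    "C:\\Users\\user\\Desktop\\notes.txt,4,2024-01-01 12:30:10,2024-01-01 12:29:55\n"
    f"{RECENT}2222222222222222.automaticDestinations-ms,"
    "C:\\Users\\user\\Desktop\\notes.txt,2,2024-01-01 12:31:00,2024-01-01 12:29:55\n"
    f"{RECENT}3333333333333333.automaticDestinations-ms,"
    "C:\\Users\\user\\Desktop\\notes.txt,9,2023-11-11 10:00:00,2023-11-10 09:00:00\n"
    f"{RECENT}1111111111111111.automaticDestinations-ms,"
    "C:\\Users\\user\\Documents\\old.txt,1,2023-12-20 09:00:00,2023-12-19 08:00:00\n"
)

JLECMD_TIME_FMT = "%Y-%m-%d %H:%M:%S"
# Incident window from the scenario, on an invented date for the sample data.
INCIDENT_WINDOW = (datetime(2024, 1, 1, 12, 5), datetime(2024, 1, 1, 12, 45))


def load_rows(csv_text):
    """Parse JLECmd CSV text into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def parse_ts(text):
    return datetime.strptime(text, JLECMD_TIME_FMT)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def find_file(rows, filename, window=None):
    """Rows whose Path ends with filename (case-insensitive).

    If a window is given, keep only entries whose LastModified (when the
    Jump List entry itself was last updated) falls inside it, so stale
    entries for a same-named file from months earlier are dropped.
    """
    hits = []
    for row in rows:
        if basename(row["Path"]).lower() != filename.lower():
            continue
        if window is not None:
            start, end = window
            if not (start <= parse_ts(row["LastModified"]) <= end):
                continue
        hits.append(row)
    return hits


def answer_format(ts_text, fmt="%m/%d/%Y %H:%M"):
    """Reformat a JLECmd timestamp into the form a question asks for."""
    return parse_ts(ts_text).strftime(fmt)


def summarize(rows, filename, window=None):
    """(Jump List file, interaction count, target last modified) per hit."""
    return [
        (basename(r["SourceFile"]),
         int(r["InteractionCount"]),
         answer_format(r["TargetModified"]))
        for r in find_file(rows, filename, window)
    ]


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    for hit in summarize(rows, "notes.txt", INCIDENT_WINDOW):
        print(hit)
```

Two caveats the example is built around: a file can appear in several Jump Lists (one per application AppID), and the interaction count is per list, so pick the entry for the application that actually opened the file rather than summing them; and the entry's LastModified is when the Jump List record was updated, not the file's own mtime, so report TargetModified (or, better, the file's timestamps from the $MFT) for a "last modified" question.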

When was the text file from the previous question last modified? (MM/DD/YYYY HH:MM)
The contents of the file were exfiltrated to pastebin.com. What is the generated URL of the exfiltrated data?
