AfricanFalls Lab – CyberDefenders

Disk Analysis

Scenario

John Doe was accused of doing illegal activities. A disk image of his laptop was taken. Your task as a SOC analyst is to analyze the image and understand what happened under the hood.

Provided Files

Questions

1. What is the MD5 hash value of the suspect disk?

The MD5 hash of the suspect disk is present in the Provided Text Document File

9471e69c95d8909ae60ddff30d50ffa1

2. What phrase did the suspect search for on 2021-04-29 18:17:38 UTC? (three words, two spaces in between)

  • The question is a little vague and does not specify where the user searched: he might have searched in Windows Explorer or in a browser. The user used multiple browsers, so we can check the history artifacts of each browser as well as the Windows Explorer artifacts.
  • Looking at hint 1, it asks us to check Chrome history.
  • Chrome history is located in:
  %UserProfile%\AppData\Local\Google\Chrome\User Data
  • In User Data, we find the Default folder, which contains a “History” database that can be opened with SQLite
  • We should first right-click on it and export it:

Below is the History database, which contains the keyword_search_terms table:

Analyzing the keyword_search_terms table, we find the typed search terms, but without a time field:

  • We need to correlate this table with the urls table by joining on the url_id column
  • The question specifies that the answer is 3 words, so we only have 4 choices
  • Trying the 4 choices, we find that “password cracking lists” has url_id 88
  • Crossing with the urls table, url_id 88 has a last_visit_time of “13264193858900891”
  • This value is a WebKit timestamp (microseconds since 1601-01-01 UTC), and we need to convert it to human-readable time
  • Converting it online, we find:

Which is equivalent to 2021-04-29 18:17:38 UTC
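As an added example (not part of the original writeup), the same correlation can be scripted: join keyword_search_terms to urls on url_id and convert the WebKit timestamp. The schema is a constructed subset of Chrome's History database and all rows are constructed; only the "password cracking lists" row uses the timestamp quoted above.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# WebKit/Chrome timestamps count microseconds since 1601-01-01 00:00:00 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_utc(value: int) -> str:
    """Convert a Chrome/WebKit timestamp to 'YYYY-MM-DD HH:MM:SS UTC'."""
    return (WEBKIT_EPOCH + timedelta(microseconds=value)).strftime("%Y-%m-%d %H:%M:%S UTC")


def build_sample_history() -> sqlite3.Connection:
    """Constructed stand-in for Chrome's History file (subset of the real columns)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, last_visit_time INTEGER);
        CREATE TABLE keyword_search_terms (keyword_id INTEGER, url_id INTEGER, term TEXT, normalized_term TEXT);
    """)
    conn.executemany("INSERT INTO urls VALUES (?, ?, ?, ?)", [
        (42, "https://www.google.com/search?q=filezilla", "filezilla - Google Search", 13264192000000000),
        (88, "https://www.google.com/search?q=password+cracking+lists",
         "password cracking lists - Google Search", 13264193858900891),
    ])
    conn.executemany("INSERT INTO keyword_search_terms VALUES (?, ?, ?, ?)", [
        (2, 42, "filezilla", "filezilla"),
        (2, 88, "password cracking lists", "password cracking lists"),
    ])
    return conn


def search_terms_with_time(conn: sqlite3.Connection) -> list:
    """Join each search term to its urls row; return [(term, visit time in UTC), ...]."""
    rows = conn.execute("""
        SELECT k.term, u.last_visit_time
        FROM keyword_search_terms k JOIN urls u ON u.id = k.url_id
        ORDER BY u.last_visit_time
    """).fetchall()
    return [(term, webkit_to_utc(ts)) for term, ts in rows]


def term_searched_at(conn: sqlite3.Connection, when: str):
    """Return the phrase searched at the given UTC time string, or None if no match."""
    return next((t for t, ts in search_terms_with_time(conn) if ts == when), None)


if __name__ == "__main__":
    db = build_sample_history()
    for term, visited in search_terms_with_time(db):
        print(visited, term)
```

To use it against a real exported History file, replace the constructed connection with sqlite3.connect("History"); the join and conversion are unchanged.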

3. What is the IPv4 address of the FTP server the suspect connected to?

Looking through Chrome history, we find the user downloaded FileZilla, which is a client used to connect to FTP servers:

Then we need to check FileZilla artifacts located in:

C:\Users\<username>\AppData\Roaming\FileZilla\

We find recentservers.xml, and the IP is 192.168.1.20:

4. What date and time was a password list deleted in UTC? (YYYY-MM-DD HH:MM:SS UTC)

In the Recycle Bin, there is only one entry, corresponding to the password list:

So the list was removed at 2025-04-29 18:22:17 UTC

5. How many times was Tor Browser run on the suspect’s computer? (number only)

If Tor Browser had been opened at least once, it would have a Prefetch entry. Looking in the Prefetch folder, we find no evidence of execution for Tor Browser:

6. What is the suspect’s email address?

Looking through Chrome’s history database, we find that the user logged in to his Proton Mail account:

7. What is the FQDN the suspect port scanned?

Looking in ConsoleHost_History, we find the PowerShell command history:

We find that the user scanned dfir.science

8. What country was picture “20210429_152043.jpg” allegedly taken in?

20210429_152043.jpg is located in pictures/contact:

We should first export it:

Then we can analyze the metadata using an online EXIF tool and obtain the GPS position:

We then translate this GPS position to a location using any online tool, and we get Zambia:

9. What is the parent folder name of picture “20210429_151535.jpg” before the suspect copied it to the “contact” folder on his desktop?

Using exiftool, we find that the picture was taken using an LG mobile phone:

I exported UsrClass.dat, UsrClass.dat.LOG1 and UsrClass.dat.LOG2:

I then opened the 3 files using ShellBags Explorer:

We can confirm that an LG phone was connected and that the files came from Camera

10. Windows password hashes for an account are below. What is the user’s password? Anon:1001:aad3b435b51404eeaad3b435b51404ee:3DE1A36F6DDB8E036DFD75E8E20C4AF4:::

We can crack the hash on hashes.com:

11. What is the user “John Doe’s” Windows login password?

  • I exported the SAM and SYSTEM registry hives to be able to dump the SAM
  • I then dumped the SAM hashes using secretsdump.py:
secretsdump.py -sam SAM -system SYSTEM LOCAL

Finally, I cracked the result on hashes.com: