Description
Mr. Garcia's company has been robbed of 74,300€ from his bank account. The theft was committed without the knowledge of Mr. Garcia or the people in charge of IT.
Some of the money has been recovered thanks to the speed with which the bank blocked the target account, but Mr. Garcia is determined to know how this unfortunate incident occurred, since he invested in training security technicians and in purchasing a perimeter antivirus solution for the workstations.
After the incident, we were asked to perform a forensic analysis of the machine, but unfortunately these devices have been handled incorrectly and are of no value to our review. Fortunately, the system administrator captured a file with network traffic from the day of the theft, before the network failure (we do not know whether it was caused by the incident).
Question: What is the name of the victim computer?
Resolution
As seen in Forense 2.1, there’s a dialog between a local host and the hacker.
Source: 172.16.65.129 (172.16.65.129)
Destination: 167.160.169.66 (167.160.169.66)
We just have to find an SMB/NetBIOS session from 172.16.65.129.
WIN-4L7NA3KIOJN
SHA256(WIN-4L7NA3KIOJN) : 80549f7634d1ed46934d69752d25aee7d8af31af9acb75ce54c358f7616f54e6
Flag is 80549f7634d1ed46934d69752d25aee7d8af31af9acb75ce54c358f7616f54e6
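Added example, not part of the original write-up: a small Python decoder for the NetBIOS Session Service session request (TCP/139), which is where the calling workstation's name appears when SMB runs over NetBIOS. The sample PDU below is constructed here; the called name "*SMBSERVER" is an assumed wildcard value, not something taken from the capture.

```python
import struct
from typing import Optional, Tuple

# Common NetBIOS name suffix bytes (16th byte of the name)
SUFFIXES = {0x00: "Workstation Service", 0x03: "Messenger Service", 0x20: "File Server Service"}

def encode_netbios_name(name: str, suffix: int) -> bytes:
    """First-level encode NAME (<=15 chars) + SUFFIX into a 34-byte label.
    Each raw byte becomes two letters: 'A' + high nibble, 'A' + low nibble.
    Used here only to build the constructed sample packet."""
    raw = name.upper().ljust(15).encode("ascii") + bytes([suffix])
    enc = bytes(0x41 + nib for b in raw for nib in (b >> 4, b & 0x0F))
    return b"\x20" + enc + b"\x00"          # length byte, 32 letters, terminator

def decode_netbios_name(label: bytes) -> Tuple[str, int]:
    """Reverse the encoding: 32 letters A..P -> 16 raw bytes -> (name, suffix)."""
    if len(label) != 34 or label[0] != 0x20 or label[-1] != 0x00:
        raise ValueError("not a 34-byte NetBIOS label")
    nibbles = [c - 0x41 for c in label[1:33]]
    if any(n < 0 or n > 15 for n in nibbles):
        raise ValueError("label contains characters outside A..P")
    raw = bytes((nibbles[i] << 4) | nibbles[i + 1] for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]

def parse_session_request(pkt: bytes) -> Optional[dict]:
    """Parse a Session Service PDU (RFC 1002); return both names for a
    Session Request (type 0x81), None for other message types."""
    if len(pkt) < 4:
        raise ValueError("truncated Session Service header")
    msg_type, flags, length = pkt[0], pkt[1], struct.unpack(">H", pkt[2:4])[0]
    length |= (flags & 0x01) << 16          # bit 0 of flags extends the length field
    if msg_type != 0x81:
        return None                         # e.g. 0x00 = Session Message carrying SMB
    body = pkt[4:4 + length]
    if len(body) != 68:
        raise ValueError("session request body must be two 34-byte labels")
    called, called_sfx = decode_netbios_name(body[:34])
    calling, calling_sfx = decode_netbios_name(body[34:])
    return {"called": called, "called_suffix": SUFFIXES.get(called_sfx, hex(called_sfx)),
            "calling": calling, "calling_suffix": SUFFIXES.get(calling_sfx, hex(calling_sfx))}

# Constructed sample PDU (not captured data): the workstation named in the write-up
# opening a session to the assumed wildcard called name "*SMBSERVER".
SAMPLE_PDU = (b"\x81\x00\x00\x44"
              + encode_netbios_name("*SMBSERVER", 0x20)
              + encode_netbios_name("WIN-4L7NA3KIOJN", 0x00))

if __name__ == "__main__":
    print(parse_session_request(SAMPLE_PDU))
```

Feeding the same function the payload of each TCP/139 segment from a capture gives the calling name of every host that opened an SMB session, which is the value asked for here.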