English [Cybercamp 2015] [Forense 4.1] Write Up

Description

There was an intrusion for some time and from this computer seems to have downloaded malicious programs to do a DDoS from this pc.

Download

Question: In which directory is the downloaded program?

Resolution

We know 3 methods for mounting REGISTRY files :
– Regedit, under Windows
Forensic Registry EDitor (fred), under Linux
– chntpw, under Linux (some keys/values was empty… so it’s not the best choice!)

Regedit is a little bit tricky :
– Start menu / Execute (or Windows + R) : regedit
– Click on HKEY_USERS
– File / Load hive

We loaded the NTUSER.dat file under FORENSIC_NTUSER.dat
and the SOFTWARE file under FORENSIC_SOFTWARE.

The software has been downloaded, so we checked into the download directory of Internet Explorer:
HKEY_USERS\FORENSIC_NTUSER.dat\Software\Microsoft\Internet Explorer | Download Directory : C:\Users\almudena\Documents\$212124

SHA256(C:\Users\almudena\Documents\$212124) : 5af42e3b49c7cfc8c91f878a1005bcba3b82552176b712c75b3789def6830895

Flag is 5af42e3b49c7cfc8c91f878a1005bcba3b82552176b712c75b3789def6830895

Leave a Reply

Your email address will not be published. Required fields are marked *