Description
There was an intrusion for some time, and it seems that malicious programs were downloaded to this computer in order to run a DDoS from this PC.
Question: In which directory is the downloaded program?
Resolution
We know three ways to load registry hive files:
– Regedit, under Windows
– Forensic Registry EDitor (fred), under Linux
– chntpw, under Linux (some keys/values were empty, so it's not the best choice!)
Regedit is a little bit tricky:
– Start menu / Run (or Windows + R): regedit
– Click on HKEY_USERS
– File / Load Hive
We loaded the NTUSER.dat hive as FORENSIC_NTUSER.dat
and the SOFTWARE hive as FORENSIC_SOFTWARE.
The program was downloaded, so we checked the download directory configured for Internet Explorer in the user's hive:
HKEY_USERS\FORENSIC_NTUSER.dat\Software\Microsoft\Internet Explorer | Download Directory : C:\Users\almudena\Documents\$212124
SHA256(C:\Users\almudena\Documents\$212124) : 5af42e3b49c7cfc8c91f878a1005bcba3b82552176b712c75b3789def6830895
Flag is 5af42e3b49c7cfc8c91f878a1005bcba3b82552176b712c75b3789def6830895
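The same lookup scripted in PowerShell, as an added example that is not part of the original write-up: it loads the exported hive with reg.exe, reads the Download Directory value, hashes the path string and unloads the hive again. Assumed: the hive copy sits at C:\case\NTUSER.dat (placeholder path), the write-up's SHA256 was computed over the UTF-8 bytes of the path with no trailing newline, and the prompt is elevated.

```powershell
# Added example, not code from the write-up. Run from an elevated PowerShell.
# Work on a copy of the hive: reg.exe load writes to the file it mounts.
$HivePath  = 'C:\case\NTUSER.dat'   # placeholder: where the exported hive was copied
$MountName = 'FORENSIC_NTUSER'       # mount point under HKEY_USERS, must be unused

function Get-IeDownloadDirectory {
    param([string]$Hive, [string]$Mount)
    # reg.exe load needs admin rights and a hive that is not currently in use.
    & reg.exe load "HKU\$Mount" $Hive | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed for $Hive" }
    try {
        $key = "Registry::HKEY_USERS\$Mount\Software\Microsoft\Internet Explorer"
        # -ErrorAction Stop: a missing value is reported instead of yielding $null
        (Get-ItemProperty -Path $key -Name 'Download Directory' -ErrorAction Stop).'Download Directory'
    }
    finally {
        # Always unload so the hive file is released, even if the read failed.
        & reg.exe unload "HKU\$Mount" | Out-Null
    }
}

function Get-FlagHash {
    param([string]$Text)
    # Assumption: the flag is SHA256 of the path string itself (UTF-8, no newline).
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Text)
    ($sha.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
}

$dir = Get-IeDownloadDirectory -Hive $HivePath -Mount $MountName
"Download Directory : $dir"
"Flag               : $(Get-FlagHash -Text $dir)"
```

If the value is absent from NTUSER.dat, Internet Explorer falls back to the user's default download location, so an empty result does not by itself mean the setting was never changed.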