We're going to open Autopsy and load the case file provided by TryHackMe.
Now we load the missing image, as instructed to do in the room.
We can see the data source of the .E01 image, and when we look at its metadata we get the MD5 hash 3f08c518adb3b5c1359849657a9b2079.

We can check the operating system information to find the hostname. I believe this question is worded poorly: TryHackMe is asking for the computer's name, not a particular account name. The answer is DESKTOP-0R59DJ3.

If we look at the operating system user accounts section, we can see the SAM source file listing all of the user accounts on the disk. TryHackMe is not looking for the Administrator or Guest accounts, so we only consider the usernames that have been highlighted. The answer, in order: H4S4N,joshwa,keshav,sandhya,shreya,sivapriya,srini,suba.

Still in this section, we can sort the column by date accessed and see that sivapriya was the most recent user to access the system.

This question gave me a bit of a challenge. At first I tried looking at the system information, but that turned out to be pointless. I then thought about searching registry values, but there was too much information to sift through, so I figured I was on the wrong path. I started doing some Google searches on using Autopsy to find the host IP address, and I stumbled upon a document on exploit-db (https://www.exploit-db.com/docs/48254). One of the questions in that document was to find the hostname, MAC address, and IP address, and it talked about the irunin.ini file, which I also saw mentioned elsewhere during my searches. From there I searched for irunin.ini in Autopsy and found out that .INI files are configuration files (more about .INI files: https://en.wikipedia.org/wiki/INI_file). In this case it lists a LANIP of 192.168.130.216, which is the information we need.

This information is also found in the same file as the previous answer, under the label LANNIC: 08-00-27-2C-C4-B9.

Again, I had a little trouble figuring out where to find this information, but my thought was the registry keys. I checked online to see exactly where the registry keys for the NICs can be found, and this article told me where I needed to navigate (plain HTTP link): http://what-when-how.com/windows-forensic-analysis/registry-analysis-windows-forensic-analysis-part-3/. The information is under the following path: ROOT > Microsoft > Windows NT > CurrentVersion > NetworkCards. The answer is Intel(R) PRO/1000 MT Desktop Adapter.

I thought this would be Wireshark, but I guess not. By looking at the installed programs on the machine, we can go through the 41 results and find something called Look@LAN. Here's what Google says:

An easy one that I didn't need to research. Autopsy shows web bookmarks; head into that section and you can see the Google Maps bookmark. 12°52'23.0"N 80°13'25.0"E.

This took me about 20 minutes of looking at all the pictures. Using the Images/Video tab in Autopsy, you can check each user's Downloads. After looking through a few pictures, you'll stumble upon Anto Joshwa and their cyberpunk picture with the name in the top left corner.

Q11: A user had a file on her desktop. It had a flag but she changed the flag using PowerShell. What was the first flag?
Q12: The same user found an exploit to escalate privileges on the computer. What was the message to the device owner?
Q13: 2 hack tools focused on passwords were found in the system. What are the names of these tools? (alphabetical order)
Q15: One of the users wanted to exploit a domain controller with an MS-NRPC based exploit. What is the filename of the archive that you found? (include the spaces in your answer)
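Going back to the irunin.ini step from the IP and MAC questions: the following is an added example, not code from the original write-up or from TryHackMe, that pulls the LANIP and LANNIC values out of a Look@LAN irunin.ini and validates them before they go into a report. The section name and the %...% key spelling in the constructed sample are assumptions; the values are the ones reported above.

```python
import ipaddress
import re

# Constructed sample modelled on the Look@LAN irunin.ini discussed in the
# write-up; it is NOT the file from the TryHackMe image. The values are the
# ones the write-up reports; section name and %...% key style are assumptions.
SAMPLE_IRUNIN_INI = """
[Look@LAN]
%LANIP%=192.168.130.216
%LANNIC%=08-00-27-2C-C4-B9
"""

# Six hex octets separated by '-' or ':' (same separator throughout)
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([-:])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")


def decode_ini(data: bytes) -> str:
    """INI files carved from Windows systems are sometimes UTF-16 with a BOM."""
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16")
    return data.decode("utf-8-sig", errors="replace")


def parse_kv(text: str) -> dict:
    """Minimal INI reader: skips [sections] and ;/# comments, and normalises
    keys by stripping %...% wrappers and upper-casing, so %LANIP% and LanIP match."""
    kv = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "[;#" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        kv[key.strip().strip("%").upper()] = value.strip()
    return kv


def extract_host_info(text: str) -> dict:
    """Return the LAN IP and NIC MAC from irunin.ini, validating both so a
    garbled carve or a transcription typo is caught instead of reported."""
    kv = parse_kv(text)
    ip = kv.get("LANIP")
    mac = kv.get("LANNIC")
    if ip is not None:
        ipaddress.IPv4Address(ip)  # raises ValueError on a malformed address
    if mac is not None and not MAC_RE.match(mac):
        raise ValueError(f"unexpected MAC format: {mac!r}")
    return {"ip": ip, "mac": mac}
```

To run it against an exported file, read it as bytes, pass the result of decode_ini() to extract_host_info(), and record the returned dictionary alongside the file's path and hash in your notes.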
This was a really fun room! It was the last room I had to complete in order to earn my certificate of completion for the Cyber Defense pathway. I have used Autopsy in the National Cyber League challenges as well as in labs for school. This was a great room and taught me a lot about where to find certain information in a file system during a forensic investigation. Although I had to call upon help and do some research for some of the questions, I still feel like I have a solid understanding of how to navigate Autopsy.