# Write Up
### 1. Name of the computer.
DESKTOP-G5R87FV

`HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName`
### 2. Name of the primary user.
Mark Gifford

`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList`

### 3. What OS and version is being used?
Windows 10 Pro version-6.3
### 4. What is the nickname of the primary user?
snoop

### 5. What OS and version is being used?
Windows 10 Pro version-6.3
### 6. What Time Zone is this computer running on?
Central Standard Time

`HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation`

_The questions below are about the planning and read more like a conversation. To answer them, I searched for third-party apps such as social media but couldn't find any. Only one browser was left, so I went through **WebCacheV01.dat** and analysed the data using IE10Analyzer._
### 7. What activity does the user seem to be planning?
Planning a heist
_the met, **gonna drop in through glass over the american wing.**
2 weeks from today, 1am._

Found this in the Recycle Bin (I went through the Recycle Bin because a few file names show up in WebCacheV01.dat, but the files can't be found in those directories).

### 8. What items might the user be targeting? Provide in format (Title, Date, Accession Number)
### 9. Where are these items located? (Building Name)
american wing
_the met, gonna drop in through glass over the **american wing.**_

Found this in the Recycle Bin (I went through the Recycle Bin because a few file names show up in WebCacheV01.dat, but the files can't be found in those directories).
### 10. Who might the items be given to for selling?
Crimsoncrusader
_crimsoncrusader, we'll contact you after its done to get rid of it_

Found this in the Recycle Bin (I went through the Recycle Bin because a few file names show up in WebCacheV01.dat, but the files can't be found in those directories).
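
The Recycle Bin step used for the answers above can be made repeatable by parsing the `$I` index files under `$Recycle.Bin`, which record each deleted file's original path, size and deletion time, so recycled items can be matched against names seen in WebCacheV01.dat. This is an added example, not part of the original write-up; it assumes the standard `$I`/`$R` layout of Windows Vista and later, and the sample record (path, size, timestamp) is constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def parse_recycle_index(data: bytes) -> dict:
    """Parse the raw bytes of one $I index file from $Recycle.Bin."""
    if len(data) < 24:
        raise ValueError("too short for a $I header")
    # Header: format version, original size, deletion time (FILETIME)
    version, size, filetime = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]          # Vista-8.1: fixed 260-char field
    elif version == 2:
        if len(data) < 28:
            raise ValueError("truncated version 2 header")
        (nchars,) = struct.unpack_from("<I", data, 24)  # count includes NUL
        raw = data[28:28 + nchars * 2]
        if len(raw) < nchars * 2:
            raise ValueError("path shorter than declared length")
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    deleted = FILETIME_EPOCH + timedelta(microseconds=filetime // 10)
    return {"version": version, "size": size,
            "deleted_utc": deleted, "original_path": path}

def content_name(index_name: str) -> str:
    """Map '$IXXXXXX.ext' to the '$RXXXXXX.ext' file holding the content."""
    if not index_name.upper().startswith("$I"):
        raise ValueError("not a $I file name")
    return "$R" + index_name[2:]

# Constructed sample record (hypothetical path, size and timestamp).
SAMPLE_PATH = r"C:\Users\example\Desktop\notes.txt"
SAMPLE_DELETED = datetime(2020, 1, 2, 3, 4, 5, tzinfo=timezone.utc)

def build_sample() -> bytes:
    secs = int((SAMPLE_DELETED - FILETIME_EPOCH).total_seconds())
    header = struct.pack("<QQQI", 2, 1234, secs * 10_000_000, len(SAMPLE_PATH) + 1)
    return header + (SAMPLE_PATH + "\x00").encode("utf-16-le")

if __name__ == "__main__":
    rec = parse_recycle_index(build_sample())
    print(content_name("$IAB12CD.txt"), rec)
```

The deletion time is stored in UTC, so convert it to the time zone recovered from the registry before placing it on a timeline.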

### 11. What items does the user need for this activity?
Tools?
```
https://www.amazon.com/Black-Vinyl-Disposable-Gloves-Large/dp/B08WJQB7GR/ref=sr_1_5?crid=3MJ9WSPPO7AXR&keywords=latex+gloves&qid=1647986053&sprefix=latex+glove%2Caps%2C338&sr=8-5
https://www.amazon.com/fuinloth-Balaclava-Protector-Motorcycle-Tactical/dp/B086Z2WR6Y/ref=sr_1_2_sspa?crid=SIBU6SQCEXZD&keywords=ski+mask&qid=1647986119&sprefix=ski+mask%2Caps%2C311&sr=8-2-spons&psc=1&spLa=ZW5jcnlwdGVkUXVhbGlmaWVyPUExQjBPMzk5V1c4NExIJmVuY3J5cHRlZElkPUEwMzMwMTc2Wkw0UEROUVNDRVU4JmVuY3J5cHRlZEFkSWQ9QTA0NDY1MDMyOU9YVTRYRVhJSEdLJndpZGdldE5hbWU9c3BfYXRmJmFjdGlvbj1jbGlja1JlZGlyZWN0JmRvTm90TG9nQ2xpY2s9dHJ1ZQ==
https://www.amazon.com/dp/B09W5SRPMS/ref=sr_1_4_sspa?crid=2GEMIZQ93VV9H&keywords=lock+picking+kit&qid=1647987289&sprefix=lock+picking+kit%2Caps%2C70&sr=8-4-spons&psc=1&spLa=ZW5jcnlwdGVkUXVhbGlmaWVyPUEyQjZXUk9KNlRFQ1BMJmVuY3J5cHRlZElkPUEwMDQxMTk1MUI0SklJQ1lHTjFJMCZlbmNyeXB0ZWRBZElkPUEwODY0Nzk0M1RSMFdGVFkxQ0IxSiZ3aWRnZXROYW1lPXNwX2F0ZiZhY3Rpb249Y2xpY2tSZWRpcmVjdCZkb05vdExvZ0NsaWNrPXRydWU=
https://www.amazon.com/Forensics-Dummies-Douglas-P-Lyle/dp/1119608961/ref=sr_1_1?crid=3R15M6HBTS82X&keywords=crime+for+dummies&qid=1647987396&sprefix=crime+for+dummies%2Caps%2C65&sr=8-1
https://www.amazon.com/GINEE-Carabiner-Grappling-Descender-Abseiling/dp/B0896TH33V/ref=sr_1_3_sspa?crid=BHNU5VAGX4NP&keywords=climbing%2Brope&qid=1647987544&sprefix=climbing%2Brope%2Caps%2C75&sr=8-3-spons&spLa=ZW5jcnlwdGVkUXVhbGlmaWVyPUExT0JGSkJaMUQ3M1cwJmVuY3J5cHRlZElkPUEwODgwMjI2MUpFM0dKUkdCNDIwSSZlbmNyeXB0ZWRBZElkPUEwOTQzNjQ1MkRVOFBVOU5TQzZWRiZ3aWRnZXROYW1lPXNwX2F0ZiZhY3Rpb249Y2xpY2tSZWRpcmVjdCZkb05vdExvZ0NsaWNrPXRydWU&th=1&psc=1
https://www.amazon.com/SZCO-Supplies-Grappling-Hook-Cord/dp/B015X1O65K/ref=sr_1_3?crid=36SZFTT0VV45U&keywords=grappling+hook&qid=1647987703&sprefix=grappling+hook%2Caps%2C81&sr=8-3
```
Found a .7z file in OneDrive/Desktop which is password protected.

Found a .png named "TheKey.png". The name is quite suspicious, so I ran binwalk, strings, etc. and found the key using **zsteg**.

### 12. Where is the group meeting?

### 13. Who is the user thinking about working with?
steve romoli aka stratto
becca colburn aka speeddemon
ryan cooper aka crimsoncrusader
The user is thinking of working with these 3 people.
### 14. What is the password?
Found a .png named "TheKey.png". The name is quite suspicious, so I ran binwalk, strings, etc. and found the key using **zsteg**.
