# Evaluation Task :( ## Q1. Name of the computer. **DESKTOP-G5R87FV** load the eo1 file in ftk,from partition 2 Windows/system32/config extracted all registry files. loaded the system registry in Eric Zemmerman registry exploarer looked at bookmark and checked the computer name ![](https://i.imgur.com/hd7jWSC.png) ## Q2. Name of the primary user. **snoop(snooptastic461@gmail.com)** loaded the software registry file in reg exploarer checked current version and profile list ![](https://i.imgur.com/xtt79MW.png) ![](https://i.imgur.com/wDPNAG8.png) ## Q3. What OS and version is being used? ```OS-Windows 10 Pro , version - 2009 , Display Version - 21H2``` In software registry key path Microsoft\Windows NT\CurrentVersion ![](https://i.imgur.com/F8eH9Sw.png) ## Q4. What is the nickname of the primary user? **snoop** From Sam registry(SAM\Domains\Account\Users) ![](https://i.imgur.com/2RSS3C1.png) ## Q5. What Time Zone is this computer running on? **Central Standard Time** system registry - ControlSet001\Control\TimeZoneInformation ## Q6. What activity does the user seem to be planning? ``` Art Heist "the met, gonna drop in through glass over the american wing. 2 weeks from today, 1am. meet at corner circled on the map stratto you've got security speeddemon you'll handle get away crimsoncrusader, we'll contact you after its done to get rid of it" ``` C:\Users\snoop\OneDrive\Documents\info.txt ## Q7. What items might the user be targeting? Provide in format (Title, Date, Accession Number) ## Q8. Where are these items located? (Building Name) **Metropolitan Museum of Art(metmuseum)** The Metropolitan Museum of Art, 5th Avenue, New York, NY - Google Maps ![](https://i.imgur.com/IyDRqvV.png) ## Q9. Who might the items be given to for selling? ## Q10. What items does the user need for this activity? ``` Tools? https://www.amazon.com/Black-Vinyl-Disposable-Gloves-Large/dp/B08WJQB7GR/ref=sr_1_5?crid=3MJ9WSPPO7AXR&keywords=latex+gloves&qid=1647986053&sprefix=latex+glove%2Caps%2C338&sr=8-5 https://www.amazon.com/fuinloth-Balaclava-Protector-Motorcycle-Tactical/dp/B086Z2WR6Y/ref=sr_1_2_sspa?crid=SIBU6SQCEXZD&keywords=ski+mask&qid=1647986119&sprefix=ski+mask%2Caps%2C311&sr=8-2-spons&psc=1&spLa=ZW5jcnlwdGVkUXVhbGlmaWVyPUExQjBPMzk5V1c4NExIJmVuY3J5cHRlZElkPUEwMzMwMTc2Wkw0UEROUVNDRVU4JmVuY3J5cHRlZEFkSWQ9QTA0NDY1MDMyOU9YVTRYRVhJSEdLJndpZGdldE5hbWU9c3BfYXRmJmFjdGlvbj1jbGlja1JlZGlyZWN0JmRvTm90TG9nQ2xpY2s9dHJ1ZQ== https://www.amazon.com/dp/B09W5SRPMS/ref=sr_1_4_sspa?crid=2GEMIZQ93VV9H&keywords=lock+picking+kit&qid=1647987289&sprefix=lock+picking+kit%2Caps%2C70&sr=8-4-spons&psc=1&spLa=ZW5jcnlwdGVkUXVhbGlmaWVyPUEyQjZXUk9KNlRFQ1BMJmVuY3J5cHRlZElkPUEwMDQxMTk1MUI0SklJQ1lHTjFJMCZlbmNyeXB0ZWRBZElkPUEwODY0Nzk0M1RSMFdGVFkxQ0IxSiZ3aWRnZXROYW1lPXNwX2F0ZiZhY3Rpb249Y2xpY2tSZWRpcmVjdCZkb05vdExvZ0NsaWNrPXRydWU= https://www.amazon.com/Forensics-Dummies-Douglas-P-Lyle/dp/1119608961/ref=sr_1_1?crid=3R15M6HBTS82X&keywords=crime+for+dummies&qid=1647987396&sprefix=crime+for+dummies%2Caps%2C65&sr=8-1 https://www.amazon.com/GINEE-Carabiner-Grappling-Descender-Abseiling/dp/B0896TH33V/ref=sr_1_3_sspa?crid=BHNU5VAGX4NP&keywords=climbing%2Brope&qid=1647987544&sprefix=climbing%2Brope%2Caps%2C75&sr=8-3-spons&spLa=ZW5jcnlwdGVkUXVhbGlmaWVyPUExT0JGSkJaMUQ3M1cwJmVuY3J5cHRlZElkPUEwODgwMjI2MUpFM0dKUkdCNDIwSSZlbmNyeXB0ZWRBZElkPUEwOTQzNjQ1MkRVOFBVOU5TQzZWRiZ3aWRnZXROYW1lPXNwX2F0ZiZhY3Rpb249Y2xpY2tSZWRpcmVjdCZkb05vdExvZ0NsaWNrPXRydWU&th=1&psc=1 https://www.amazon.com/SZCO-Supplies-Grappling-Hook-Cord/dp/B015X1O65K/ref=sr_1_3?crid=36SZFTT0VV45U&keywords=grappling+hook&qid=1647987703&sprefix=grappling+hook%2Caps%2C81&sr=8-3 ``` Initially I Extracted `Batman.7z` from Onedrive Document but it was password protected. There was key.png in the same directory Using zsteg on it i got the password. Using that password extracted Batman.7z ## Q11. Where is the group meeting? **Near 940 Park Ave,New York,USA** ![](https://i.imgur.com/MZidNMh.png) ## Q12. Who is the user thinking about working with? ``` steve romoli aka stratto becca colburn aka speeddemon ryan cooper aka crimsoncrusader ``` Found from deleted files `peoplefinder.txt` ## Q13. What is the password? **Dr.Phil** ![](https://i.imgur.com/WUY07fW.png)
Last changed by  
Goutham Rajesh
60

Read more

This-file-hides-something

Challenge Description There is an emergency regarding this file. We need to extract the password ASAP. It's a crash dump, but our tools are not working. Please help us, time is not on our side. PS: Flag format is not standard. Challenge File Writeup We are given with a elf file . We need to extract the memory image out of it and analyse with volatility .

2/13/2022
Crack 1t

Challenge Description Can you crack this bafe38f09170ebc16dad1bbf11fe55a4 Write Up Its a md5 hash you can crack it using hashcat tool or use any online website that can crack md5 hash here i have used crackstation website Flag inctfj{Hackerboy}

12/30/2021
RAW

Challenge Description Gary loves music. He tries to imagine while listening to music (2930x2930) :) -Challenge File Write Up From the challenge name it gives us a hint to change the extension of file to raw Now try to open the raw file in any image editor or online image editor that can open raw file with the given size. Here I have opened it in photoshop

12/30/2021
Journey to the Center of the Earth

Challenge Description Can you dig down to the center of the Earth? -Challenge File Write Up This is easy challenge just we need to unzip 50 zip files Can solve this challenge by writing a script in any programming language. #!/bin/bash

12/19/2021
Read more from Goutham Rajesh
Published on HackMD