AfricanFalls Blue Team Lab
==========================
Category: Endpoint Forensics
https://cyberdefenders.org/blueteam-ctf-challenges/africanfalls/#nav-questions
John Doe was accused of doing illegal activities. A disk image of his laptop was taken. Your task as a SOC analyst is to analyze the image and understand what happened under the hood.
Tools:
------
- [FTK Imager](https://accessdata.com/product-download/ftk-imager-version-4-5)
- [Autopsy](https://www.autopsy.com/download/)
- [rifiuti2](https://abelcheung.github.io/rifiuti2/)
- [Browsing History View](https://www.nirsoft.net/utils/browsing_history_view.html)
- [WinPrefetchView](https://www.nirsoft.net/utils/win_prefetch_view.html)
- [ShellBagsExplorer](https://f001.backblazeb2.com/file/EricZimmermanTools/ShellBagsExplorer.zip)
- [mimikatz](https://github.com/gentilkiwi/mimikatz/wiki)
- [Metadata Extractor](http://exif.regex.info/exif.cgi)
- [Online Hash Crack](https://www.onlinehashcrack.com/)
- [NTLM Hash](https://hashes.com/en/decrypt/hash)
# Q1 - What is the MD5 hash value of the suspect disk?

=> 9471e69c95d8909ae60ddff30d50ffa1
# Q2 - What phrase did the suspect search for on 2021–04–29 18:17:38 UTC? (three words, two spaces in between)
`C:\Users\John Doe\AppData\Local\Google\Chrome\User Data\Default` holds Chrome's browsing history (the `History` SQLite database); open it with Browsing History View.

Use **DCode** to convert the stored timestamp.

=> password cracking lists
# Q3 - What is the IPv4 address of the FTP server the suspect connected to?
`C:\Users\John Doe\AppData\Roaming\FileZilla\filezilla.xml` stores FileZilla's saved connections; look for the FTP server entry (port 21).

=> 192.168.1.20
# Q4 - What date and time was a password list deleted in UTC? (YYYY-MM-DD HH:MM:SS UTC)
In the Windows GUI, deleting a file does not remove it permanently; instead the file is moved into the Recycle Bin folder `C:\$Recycle.Bin\`.
By default this folder is hidden. Inside its root there are several subfolders named by user SID, one for each local user you have.
To find the answer, go to `C:\$Recycle.Bin\<SID>\`, where SID is John Doe's SID, then check the date modified of the `$I*****` file (don't forget to switch the timestamp to 24-hour format).

=> 2021-04-29 18:22:17 UTC
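The `$I*****` file itself records the deletion time, which is what rifiuti2 parses. As an added example (not part of the original write-up), here is a minimal parser for the `$I` record format with a constructed sample record; the file name and size in the sample are assumptions, not values from the image.

```python
# Added example: parse Windows $Recycle.Bin "$I" metadata records.
# Layout (version 2, Windows 10+): u64 version, u64 original size,
# u64 FILETIME of deletion, u32 path length (UTF-16 code units incl. NUL),
# then the original path in UTF-16LE. Version 1 (Vista..8) has a fixed
# 260-character path field and no length field.
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ft: int) -> datetime:
    """FILETIME = 100-ns intervals since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def utc_to_filetime(dt: datetime) -> int:
    td = dt - EPOCH_1601
    micros = (td.days * 86400 + td.seconds) * 10**6 + td.microseconds
    return micros * 10

def parse_i_record(data: bytes) -> dict:
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
    elif version == 2:
        (n,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + 2 * n]
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw.decode("utf-16-le").split("\x00", 1)[0]
    return {"version": version, "size": size,
            "deleted_utc": filetime_to_utc(ft), "path": path}

def build_i_record(path: str, size: int, deleted: datetime) -> bytes:
    """Build a version-2 $I record (constructed test data, not from the image)."""
    name = (path + "\x00").encode("utf-16-le")
    return struct.pack("<QQQI", 2, size, utc_to_filetime(deleted), len(name) // 2) + name

def deleted_at(data: bytes) -> str:
    """Deletion time in the format the question asks for."""
    return parse_i_record(data)["deleted_utc"].strftime("%Y-%m-%d %H:%M:%S UTC")

# Constructed sample: an assumed wordlist path and size, with the Q4 timestamp.
SAMPLE = build_i_record(r"C:\Users\John Doe\Downloads\wordlist.txt", 1337,
                        datetime(2021, 4, 29, 18, 22, 17, tzinfo=timezone.utc))

if __name__ == "__main__":
    rec = parse_i_record(SAMPLE)
    print(rec["path"], "deleted", deleted_at(SAMPLE))
```

Run it against a real `$I` file by passing `open(path, "rb").read()` to `parse_i_record`.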
# Q5 - How many times was Tor Browser ran on the suspect's computer? (number only)

> **Note:** Windows creates a prefetch file the first time an application is run.
> There is only a prefetch file for the Tor Browser setup; there is no prefetch file for the Tor Browser executable itself, so the answer is **zero** runs of this program.
=> 0
# Q6 - What is the suspect’s email address?

=> dreammaker82@protonmail.com
# Q7 - What is the FQDN did the suspect port scan?
> A fully qualified domain name (**FQDN**) is the complete domain name for a specific computer, or host, on the internet.
>
> `C:\Users\John Doe\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\` holds the PowerShell command history, which records commands previously executed through PowerShell.

=> dfir.science
# Q8 - What country was picture "20210429_152043.jpg" allegedly taken in?
`C:\Users\John Doe\Pictures\Contact\`

Use [https://www.itilog.com/](https://www.itilog.com/)

or Google Maps, and enter the GPS coordinates from the picture's metadata: 16°00'00.0"S 23°00'00.0"E

=> ZAMBIA
# Q9 - What is the parent folder name picture "20210429_151535.jpg" was in before the suspect copy it to "contact" folder on his desktop?
Use [Shellbag analysis](https://medium.com/ce-digital-forensics/shellbag-analysis-18c9b2e87ac7) on
`C:\Users\John Doe\AppData\Local\Microsoft\Windows\UsrClass.dat`

=> Camera
# Q10 - A Windows password hashes for an account are below. What is the user's password? Anon:1001:aad3b435b51404eeaad3b435b51404ee:3DE1A36F6DDB8E036DFD75E8E2
Go to [Hashes.com](https://hashes.com/en/decrypt/hash)

=> AFR1CA!
# Further Readings
https://medium.com/@abdelrahman.usama.au/cyberdefenders-africanfalls-blue-team-lab-walkthrough-1dfdc3099712
https://medium.com/@Ayham_Assaf/cyberdefenders-africanfalls-blue-team-challenge-6b22d1b88986
https://edscybersec.com/posts/Cyberdefenders-AfricanFalls-Write-up/