After Karen started working for ‘TAAUSAI,’ she began to do some illegal activities inside the company. ‘TAAUSAI’ hired you to kick off an investigation on this case.
You acquired a disk image and found that Karen uses Linux OS on her machine. Analyze the disk image of Karen’s computer and answer the provided questions.
Open FTK Imager and add the AD1 image as an evidence item (File > Add Evidence Item… > Image File), then browse to the .ad1 file. The evidence tree then exposes the Linux filesystem used for the questions below.
Q1: What distribution of Linux is being used on this machine?
Ans: kali
Detail: the /boot directory holds the kernel and initrd images, and their version strings carry the “kali” tag; /etc/os-release confirms the distribution if you want a second source.
Q2: What is the MD5 hash of the apache access.log?
Ans: d41d8cd98f00b204e9800998ecf8427e
Detail: inside /var/log/apache2 select access.log; the file properties pane shows the MD5 hash of the selected file. Note that d41d8cd98f00b204e9800998ecf8427e is the MD5 of zero bytes, i.e. access.log is empty (which ties in with Q7). Exporting the file and running md5sum on it gives the same digest.
Q3: It is believed that a credential dumping tool was downloaded. What is the file name of the download?
Ans: mimikatz_trunk.zip
Detail: /root/Downloads contains mimikatz_trunk.zip, the standard Mimikatz release archive. Mimikatz is a Windows credential-dumping tool, so its presence in a Linux user’s Downloads is itself a notable finding.
Q4: There was a super-secret file created. What is the absolute path?
Ans: /root/Desktop/SuperSecretFile.txt
Detail: the file itself is not present in the image, but /root/.bash_history records the command that created it, and that command gives the absolute path.
Q5: What program used didyouthinkwedmakeiteasy.jpg during execution?
Ans: binwalk
Detail: the same /root/.bash_history shows binwalk being run against didyouthinkwedmakeiteasy.jpg, i.e. the image was being checked for embedded files.
Q6: What is the third goal from the checklist Karen created?
Ans: profit
Detail: the checklist is at /root/Desktop/checklist; its third entry is the answer.
Q7: How many times was apache run?
Ans: 0
Detail: all the log files inside /var/log/apache2 are empty, which matches the empty-file MD5 from Q2. A started Apache instance writes start-up entries to error.log, so empty logs mean it was never run. Strictly, empty logs are also what you would see after log rotation or manual clearing, so check /var/log/apache2 for rotated *.log.1 or *.gz files before concluding that.
Q8: It is believed this machine was used to attack another. What file proves this?
Ans: irZLAohL.jpeg
Detail: the JPEG in the root user’s home directory is a screenshot of the attacker’s desktop; it shows the attacker logged into another user’s (“Bob”’s) computer.
Q9: Within the Documents file path, it is believed that Karen was taunting a fellow computer expert through a bash script. Who was Karen taunting?
Ans: Young
Detail: the script /root/Documents/myfirsthack/firstscript_fixed contains the line “Heck yeah! I can write bash too Young”.
Q10: A user su’d to root at 11:26 multiple times. Who was it?
Ans: postgres
Detail: /var/log/auth.log shows that on Mar 20 at 11:26 the user postgres su’d to root multiple times. su logs each switch as “su: (to root) <user> on <tty>”, with a matching pam_unix “session opened for user root by <user>” line, so filter on that minute and count per source user.
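As an added worked example (my own code, not part of the original writeup), the following Python replays the auth.log filter described above over a constructed sample log: it picks out every su invocation, narrows to the minute in question and counts switches to root per source user. The hostname “kali”, the timestamps and the uids in the sample are made up; the line formats are the ones Debian/Kali su and pam_unix produce.

```python
import re
from collections import Counter

# Constructed sample of a Debian/Kali auth.log (illustrative, not lines from the Karen image).
# Modern su logs "su: (to TARGET) USER on TTY"; PAM adds a "session opened for user TARGET by USER(uid=N)" line.
SAMPLE_AUTH_LOG = """\
Mar 20 11:25:58 kali sshd[1201]: Accepted password for postgres from 10.0.0.5 port 50122 ssh2
Mar 20 11:26:03 kali su: (to root) postgres on pts/1
Mar 20 11:26:03 kali su: pam_unix(su:session): session opened for user root by postgres(uid=106)
Mar 20 11:26:10 kali su: pam_unix(su:session): session closed for user root
Mar 20 11:26:12 kali su: (to root) postgres on pts/1
Mar 20 11:26:12 kali su: pam_unix(su:session): session opened for user root by postgres(uid=106)
Mar 20 11:26:40 kali su: (to root) postgres on pts/1
Mar 20 11:26:40 kali su: pam_unix(su:session): session opened for user root by postgres(uid=106)
Mar 20 11:26:50 kali su: (to postgres) karen on pts/2
Mar 20 11:26:50 kali su: pam_unix(su:session): session opened for user postgres by karen(uid=1000)
Mar 20 11:27:02 kali su: (to root) karen on pts/2
Mar 20 11:27:02 kali su: pam_unix(su:session): session opened for user root by karen(uid=1000)
"""

# syslog timestamp and hostname prefix: "Mar 20 11:26:03 kali "
TS = r"(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<hh>\d{2}):(?P<mm>\d{2}):\d{2} \S+ "
SU_CMD = re.compile(TS + r"su(?:\[\d+\])?: \(to (?P<target>[^)]+)\) (?P<user>\S+) on \S+$")
PAM_OPEN = re.compile(
    TS + r"su(?:\[\d+\])?: pam_unix\(su(?:-l)?:session\): session opened for user (?P<target>\S+) by (?P<user>[^(\s]+)"
)


def su_events(log_text):
    """Return a list of (hh:mm, target, user) tuples, one per su invocation.

    The 'su: (to X) Y' line is preferred; the PAM 'session opened' line is used only on
    logs that lack it (older su builds), so each switch is counted exactly once."""
    cmd_hits = [(m["hh"] + ":" + m["mm"], m["target"], m["user"])
                for m in map(SU_CMD.match, log_text.splitlines()) if m]
    if cmd_hits:
        return cmd_hits
    return [(m["hh"] + ":" + m["mm"], m["target"], m["user"])
            for m in map(PAM_OPEN.match, log_text.splitlines()) if m]


def su_to_root_at(log_text, hhmm):
    """Count su-to-root invocations per source user during the minute hhmm (e.g. '11:26')."""
    return Counter(user for minute, target, user in su_events(log_text)
                   if minute == hhmm and target == "root")


def who_sud_to_root(log_text, hhmm):
    """The user with the most su-to-root invocations in that minute, or None if there were none."""
    counts = su_to_root_at(log_text, hhmm)
    return counts.most_common(1)[0][0] if counts else None


if __name__ == "__main__":
    print(su_to_root_at(SAMPLE_AUTH_LOG, "11:26"))   # Counter({'postgres': 3})
    print(who_sud_to_root(SAMPLE_AUTH_LOG, "11:26"))  # postgres
```

On a real image, export auth.log (and any rotated auth.log.1 / auth.log.*.gz) from FTK Imager and pass the concatenated text in; syslog timestamps carry no year, so take the year from the file’s modification time or from the surrounding logs.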
Q11: Based on the bash history, what is the current working directory?
Ans: /root/Documents/myfirsthack/
Detail: the last cd command in /root/.bash_history changes into /root/Documents/myfirsthack/, and no later command changes directory again. Keep in mind that bash writes .bash_history when a shell exits, so it records only sessions that ended cleanly, and when several terminals were open their histories appear in the order the shells saved them, not strictly the order the commands were typed.
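As an added worked example (my own code, not from the original writeup), this Python replays the cd commands of a bash history to reconstruct the working directory at the end of the saved session, which is what Q11 asks for. The history text is constructed for illustration, as is the assumption that the home directory is /root; the replay handles bare cd, cd -, ~, relative and absolute paths and compound lines, which a manual read of a long history easily gets wrong.

```python
import posixpath
import re
import shlex

# Constructed sample .bash_history (illustrative, not the history recovered from the image).
SAMPLE_HISTORY = """\
cd Desktop
echo "super secret" > SuperSecretFile.txt
cd ..
cd /root/Documents
mkdir myfirsthack; cd myfirsthack
nano firstscript
cd ../.. && ls
cd Documents/myfirsthack/
binwalk didyouthinkwedmakeiteasy.jpg
cd -
cd
cd Documents/myfirsthack
"""


def _resolve(target, cwd, home):
    """Turn a cd argument into an absolute, normalised POSIX path."""
    if target == "~" or target.startswith("~/"):
        target = home + target[1:]
    if not target.startswith("/"):
        target = posixpath.join(cwd, target)
    return posixpath.normpath(target)


def replay_cd(history, home="/root"):
    """Replay every cd in a bash history and return [(command, cwd_after), ...].

    Handles bare 'cd' (home), 'cd -' (previous directory), '~', relative and absolute
    paths, and compound lines joined with ';', '&&' or '||'. The filesystem is not
    replayed, so a cd that bash rejected (typo, missing directory) is assumed to have
    succeeded; pushd/popd and cd inside subshells or scripts are not tracked."""
    cwd = prev = home
    trail = []
    for line in history.splitlines():
        for segment in re.split(r"\s*(?:;|&&|\|\|)\s*", line):
            try:
                argv = shlex.split(segment)
            except ValueError:  # unbalanced quote: not a command we can interpret
                continue
            if not argv or argv[0] != "cd":
                continue
            target = argv[1] if len(argv) > 1 else "~"
            new = prev if target == "-" else _resolve(target, cwd, home)
            prev, cwd = cwd, new
            trail.append((segment, cwd))
    return trail


def final_cwd(history, home="/root"):
    """Working directory at the end of the history (home if no cd was ever run)."""
    trail = replay_cd(history, home)
    return trail[-1][1] if trail else home


if __name__ == "__main__":
    for command, cwd in replay_cd(SAMPLE_HISTORY):
        print(f"{command:<32} -> {cwd}")
    print("final:", final_cwd(SAMPLE_HISTORY))  # /root/Documents/myfirsthack
```

The trail is as useful as the final answer: it tells you which directory each later command in the history ran in, which is how the relative file names in Q4 and Q5 resolve to absolute paths.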