
Cyberdefenders Insider Forensics Walkthrough


Challenge/Competition: Insider

By: Champlain College Digital Forensics Association


Scenario

After Karen started working for ‘TAAUSAI,’ she began to do some illegal activities inside the company. ‘TAAUSAI’ hired you to kick off an investigation on this case.

You acquired a disk image and found that Karen uses Linux OS on her machine. Analyze the disk image of Karen’s computer and answer the provided questions.

Setup

Open FTK Imager and add the “AD1” image as an evidence item (File > Add Evidence Ite… > Image File).

Walkthrough

Q1: What distribution of Linux is being used on this machine?

Ans:  kali

Detail: the system files inside the boot directory identify the distribution.

Q2: What is the MD5 hash of the apache access.log?

Ans:  d41d8cd98f00b204e9800998ecf8427e

Detail: inside /var/log/apache2 select access.log; the File Properties pane shows the MD5 hash of the selected file. Note that d41d8cd98f00b204e9800998ecf8427e is the MD5 of an empty (zero-byte) file, which is consistent with the empty Apache logs observed in Q7.

Q3: It is believed that a credential dumping tool was downloaded. What is the file name of the download?

Ans:  mimikatz_trunk.zip

Detail: under root/Downloads we can see the credential dumping tool.

Q4: There was a super-secret file created. What is the absolute path?

Ans:  /root/Desktop/SuperSecretFile.txt

Detail: the file itself is not present in the image, but the .bash_history in the root user's home directory records the path where it was created.

Q5: What program used didyouthinkwedmakeiteasy.jpg during execution?

Ans:  binwalk

Detail: again, .bash_history records the command that used this file.

Q6: What is the third goal from the checklist Karen created?

Ans:  profit

Detail: we can find the checklist at root/Desktop/checklist

Q7: How many times was apache run?

Ans:  0

Detail: all the log files inside /var/log/apache2 are empty, which indicates that Apache was never run.

Q8: It is believed this machine was used to attack another. What file proves this?

Ans:  irZLAohL.jpeg

Detail: the JPEG image inside the root user's home folder is a screenshot of the attacker's desktop, showing the attacker logged into the computer of another user, “Bob”.

Q9: Within the Documents file path, it is believed that Karen was taunting a fellow computer expert through a bash script. Who was Karen taunting?

Ans:  Young

Detail: inside the file “root/Documents/myfirsthack/firstscript_fixed” we can see the line “Heck yeah! I can write bash too Young”.

Q10: A user su’d to root at 11:26 multiple times. Who was it?

Ans:  postgres

Detail: auth.log shows that on March 20 at 11:26 the user postgres su'd to root multiple times.
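Answering Q10 by hand means scanning auth.log for su entries in a given minute. The script below, an added example rather than part of the original walkthrough, parses Debian/Kali-style "Successful su for root by <user>" lines and counts them per originating user for a chosen HH:MM; the log lines it runs on are constructed samples, not taken from the challenge image.

```python
import re
from collections import Counter

# Constructed sample of Debian/Kali-style auth.log lines (not from the image).
SAMPLE_AUTH_LOG = """\
Mar 20 11:25:58 kali su[2104]: Successful su for root by postgres
Mar 20 11:25:58 kali su[2104]: + /dev/pts/1 postgres:root
Mar 20 11:26:03 kali su[2110]: Successful su for root by postgres
Mar 20 11:26:03 kali su[2110]: + /dev/pts/1 postgres:root
Mar 20 11:26:03 kali su[2110]: pam_unix(su:session): session opened for user root by postgres(uid=117)
Mar 20 11:26:14 kali su[2122]: Successful su for root by postgres
Mar 20 11:26:41 kali su[2131]: Successful su for root by postgres
Mar 20 11:26:50 kali su[2140]: FAILED su for root by karen
Mar 20 11:27:02 kali su[2155]: Successful su for root by karen
"""

# Matches only successful su lines; failed attempts and pam/tty lines are ignored.
SU_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2})\s+(?P<hh>\d{2}):(?P<mm>\d{2}):\d{2}\s+"
    r"\S+\s+su\[\d+\]:\s+Successful su for (?P<target>\S+) by (?P<user>\S+)$"
)


def su_events(log_text):
    """Yield (month, day, 'HH:MM', target_user, source_user) per successful su line."""
    for line in log_text.splitlines():
        m = SU_RE.match(line)
        if m:
            yield (m["mon"], int(m["day"]), f"{m['hh']}:{m['mm']}", m["target"], m["user"])


def su_to_root_by_minute(log_text, minute, target="root"):
    """Count successful su to `target`, keyed by source user, within the given HH:MM."""
    counts = Counter()
    for _mon, _day, hhmm, tgt, user in su_events(log_text):
        if hhmm == minute and tgt == target:
            counts[user] += 1
    return dict(counts)


def most_frequent_su_user(log_text, minute, target="root"):
    """Return the source user with the most successful su's in that minute, or None."""
    counts = su_to_root_by_minute(log_text, minute, target)
    return max(counts, key=counts.get) if counts else None


if __name__ == "__main__":
    print(su_to_root_by_minute(SAMPLE_AUTH_LOG, "11:26"))  # {'postgres': 3}
    print(most_frequent_su_user(SAMPLE_AUTH_LOG, "11:26"))  # postgres
```

To apply it to an exported auth.log, read the file's contents into a string and pass it in place of SAMPLE_AUTH_LOG.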

Q11: Based on the bash history, what is the current working directory?

Ans:  /root/Documents/myfirsthack/

Detail: .bash_history shows this directory as the argument of the last change directory (“cd”) command the user ran.