Case Overview:

The SOC team received an alert about unauthorized port scanning activity originating from an employee's system. The employee was not authorized to perform port scanning or any other offensive activity within the network. The employee claimed he knew nothing about it and that malware was probably acting on his behalf. The IR team responded immediately and took a full forensic image of the user's system for investigation.

There is a theory that the user intentionally installed unauthorized applications to perform port scanning and possibly other actions. He was probably planning something bigger, far beyond a port scan!

It all began when the user asked for a salary raise and was refused. After that, his behavior became abnormal. The suspect is believed to have weak technical skills, so an outsider may be helping him.

Your objective is to analyze the image and to either confirm or deny this theory.


Supportive Tools:

Questions (each entry lists the question, its point weight, and the number of participants who have solved it):

1. What is the computer name of the suspect machine? (Weight: 25, Solved: 180)

2. What is the computer's IP address? (Weight: 25, Solved: 167)

3. What was the DHCP LeaseObtainedTime? (Weight: 25, Solved: 138)

4. What is the computer SID? (Weight: 50, Solved: 153)

5. What is the Operating System (OS) version? (Weight: 50, Solved: 162)

6. What was the computer's time zone? (Weight: 50, Solved: 144)

7. How many times did this user log on to the computer? (Weight: 50, Solved: 161)

8. When was the last login time for the discovered account? (Weight: 50, Solved: 134)

9. There was a "Network Scanner" running on this computer. What was it, and when was the last time the suspect used it? (Weight: 75, Solved: 121)

10. When did the port scan start and end? (Weight: 75, Solved: 122)

11. How many ports were scanned? (Weight: 75, Solved: 143)

12. What ports were found "open"? (Weight: 75, Solved: 140)

13. What was the version of the network scanner running on this computer? (Weight: 100, Solved: 149)

14. The employee engaged in a Skype conversation with someone. What is the Skype username of the other party? (Weight: 75, Solved: 141)

15. What is the name of the application both parties agreed to use, in their Skype conversation, to exfiltrate data and provide remote access for the external attacker? And when did the suspect run it? (Weight: 100, Solved: 108)

16. What is the Gmail email address of the suspect employee? (Weight: 100, Solved: 149)

17. It looks like the suspect user deleted an important diagram after his conversation with the external attacker. What is the file name of the deleted diagram? (Weight: 100, Solved: 129)

18. The user's Documents directory contained a PDF file discussing data exfiltration techniques. What is the name of the file? (Weight: 100, Solved: 138)

19. What was the name of the crypto payment application possibly used by the suspect employee to transfer funds to the external attacker? (Weight: 150, Solved: 81)

20. What are the serial numbers of the two identified USB storage devices? (Weight: 150, Solved: 133)

21. One of the installed applications is a file shredder. What is the name of the application? (Weight: 150, Solved: 122)

22. How many prefetch files were discovered on the system? (Weight: 150, Solved: 123)

23. How many times was the file shredder application executed? (Weight: 150, Solved: 128)

24. Using prefetch, determine the last time ZENMAP.EXE-56B17C4C.pf was executed. (Weight: 150, Solved: 117)

25. LNK file analysis shows that a JAR file for an offensive traffic manipulation tool was executed. What is the absolute path of the file? (Weight: 150, Solved: 123)

26. The suspect employee tried to exfiltrate data by sending it as an email attachment. What is the name of the suspected attachment? (Weight: 150, Solved: 132)

27. Shellbags show that the employee created a folder to hold all the data he intended to exfiltrate. What is the full path of that folder? (Weight: 150, Solved: 124)

28. The user deleted two JPG files from the system, moving them to $Recycle.Bin. What is the file name of the one with a resolution of 1920x1200? (Weight: 200, Solved: 114)

29. What is the name of the directory where information about jump list items created automatically by the system is stored? (Weight: 200, Solved: 122)

30. Using jump list analysis, provide the full path of the application with the AppID "aa28770954eaeaaa" that was used to bypass network security monitoring controls. (Weight: 200, Solved: 121)