A Windows forensics challenge prepared by the Champlain College Digital Forensics Association for their yearly CTF. The acquisition log below is the FTK Imager output for the evidence image; the challenge questions follow it.

Windows Image Forensics Case

Created By AccessData® FTK® Imager 4.2.1.4

Acquired using: ADI4.2.1.4  

--------------------------------------------------------------

Information for F:\DFA_Windows\DFA_SP2020_Windows:

Physical Evidentiary Item (Source) Information:

  • [Device Info]  
    • Source Type: Physical
  • [Drive Geometry]  
    • Cylinders: 6,527  
    • Heads: 255  
    • Sectors per Track: 63  
    • Bytes per Sector: 512  
    • Sector Count: 104,857,600

[Physical Drive Information]  

  • Drive Interface Type: lsilogic [Image]  
  • Image Type: VMWare Virtual Disk  
  • Source data size: 51200 MB  
  • Sector count:    104857600

 

[Computed Hashes]  

  • MD5 checksum:    e5fe043aa84454237438cdb2b78d08b3  
  • SHA1 checksum:   ada83cd44e294ab840fa7acd77cf77e81c3431b3

  Note: these hashes cover the acquired data stream (the 51200 MB of raw sectors), not the .E01 segment files, which are compressed EWF containers. To re-verify the image, hash the data through an EWF-aware tool (for example libewf's ewfverify) or export the raw image and hash that; hashing the segment files directly will not reproduce these values.

 

Image Information

  • Segment list:  
    • F:\DFA_Windows\DFA_SP2020_Windows.E01  
    • F:\DFA_Windows\DFA_SP2020_Windows.E02  
    • F:\DFA_Windows\DFA_SP2020_Windows.E03  
    • F:\DFA_Windows\DFA_SP2020_Windows.E04  
    • F:\DFA_Windows\DFA_SP2020_Windows.E05  
    • F:\DFA_Windows\DFA_SP2020_Windows.E06  
    • F:\DFA_Windows\DFA_SP2020_Windows.E07  
    • F:\DFA_Windows\DFA_SP2020_Windows.E08  
    • F:\DFA_Windows\DFA_SP2020_Windows.E09
Challenge questions (point weight and number of solves in brackets):

 1. What is the current build number on the system?  [50 pts, 68 solves]
 2. How many users are there?  [50 pts, 81 solves]
 3. What is the CRC64 hash of the file "fruit_apricot.jpg"?  [50 pts, 56 solves]
 4. What is the logical size of the file "strawberry.jpg" in bytes?  [50 pts, 69 solves]
 5. What is the processor architecture of the system?  [50 pts, 63 solves]
 6. Which user has a photo of a dog in their Recycle Bin?  [75 pts, 68 solves]
 7. What type of file is "vegetable"? Provide the extension without a dot.  [75 pts, 65 solves]
 8. What type of girls does Miriam Grapes design phones for (target audience)?  [75 pts, 49 solves]
 9. What is the name of the device?  [75 pts, 59 solves]
10. What is the SID of the machine?  [100 pts, 65 solves]
11. How many web browsers are present?  [100 pts, 68 solves]
12. How many super secret CEO plans does Tim have? (Dr. Doofenshmirtz Type Beat)  [100 pts, 56 solves]
13. Which employee does Tim plan to fire? (He's Dead, Tim. Enter the full name.)  [100 pts, 61 solves]
14. What was the last used username? (I didn't start this conversation, but I'm ending it!)  [100 pts, 59 solves]
15. What was the role of the employee Tim was flirting with?  [100 pts, 47 solves]
16. What is the SID of the user "suzy.strawberry"?  [100 pts, 63 solves]
17. List the file path of the install location of the Tor Browser.  [100 pts, 67 solves]
18. What was the URL of the YouTube video watched by Jim?  [100 pts, 61 solves]
19. Which user installed LibreCAD on the system?  [150 pts, 63 solves]
20. How many times did "admin" log into the system?  [150 pts, 59 solves]
21. What is the name of the DHCP domain the device was connected to?  [150 pts, 54 solves]
22. What time did Tim download his background image? (Oh Boy 3AM. Answer in MM/DD/YYYY HH:MM format (UTC).)  [150 pts, 47 solves]
23. How many times did Jim launch the Tor Browser?  [150 pts, 53 solves]
24. There is a PNG photo of an iPhone in Grapes's files. Find it and provide the SHA-1 hash.  [150 pts, 15 solves]
25. When was the last time a docx file was opened on the device? (An apple a day keeps the docx away. Answer in UTC, YYYY-MM-DD HH:MM:SS)  [200 pts, 38 solves]
26. How many entries does the MFT of the filesystem have?  [200 pts, 32 solves]
27. Tim wanted to fire an employee because they were ......? (Be careful what you wish for)  [300 pts, 41 solves]
28. What cloud service was a Startup item for the user admin?  [300 pts, 53 solves]
29. Which Firefox prefetch file records the most runs? (Flag format is <filename/#oftimesrun>)  [350 pts, 47 solves]
30. What was the last IP address the machine was connected to?  [400 pts, 41 solves]
31. Which user had the most items pinned to their taskbar?  [400 pts, 48 solves]
32. What was the last run date of the executable with an MFT record number of 164885? (Format: MM/DD/YYYY HH:MM:SS (UTC).)  [450 pts, 33 solves]
33. What is the log file sequence number for the file "fruit_Assortment.jpg"?  [500 pts, 35 solves]
34. Jim has some dirt on the company stored in a docx file. Find it; the flag is the fourth secret, in the format <"The flag is a sentence you put in quotes">. (Secrets, secrets are no fun)  [550 pts, 25 solves]
35. In the company Slack, what is threatened to be deactivated if the user gets their email deactivated?  [650 pts, 18 solves]
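Several of the questions (the MFT entry count, the record number 164885, the $LogFile sequence number of a file) are answered by reading raw $MFT records. The parser below is an added example written for this page, not code from the challenge or its authors; the record it parses is constructed in build_sample_record with assumed values (record number 12345, a file named sample.exe, an arbitrary LSN), so nothing in it is an answer. It applies the NTFS fixup array before reading anything, because a record parsed without fixups has the last two bytes of every sector wrong.

```python
"""NTFS $MFT FILE-record parser (added example; constructed data, not the challenge image).

Reads the MFT record number, the $LogFile sequence number (LSN), the in-use and
directory flags and every resident $FILE_NAME attribute of one 1024-byte record.
"""
import struct
from datetime import datetime, timedelta, timezone

MFT_RECORD_SIZE = 1024      # from the boot sector (byte 0x40); 1024 on common NTFS volumes
SECTOR_SIZE = 512
ATTR_FILE_NAME = 0x30
ATTR_END = 0xFFFFFFFF


def filetime_to_utc(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def apply_fixups(record):
    """Undo the update sequence array: NTFS overwrites the last two bytes of every
    sector with the update sequence number (USN) and keeps the originals in the
    array. A USN mismatch means a torn write, so the record is refused."""
    rec = bytearray(record)
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_cnt):
        end = i * SECTOR_SIZE
        if rec[end - 2:end] != usn:
            raise ValueError("fixup mismatch in sector %d" % (i - 1))
        rec[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)


def parse_mft_record(record):
    """Return header fields and every resident $FILE_NAME attribute of one record."""
    if record[:4] != b"FILE":
        raise ValueError("not a FILE record (unused or zeroed MFT entry)")
    rec = apply_fixups(record)
    (lsn, seq, links, attr_off, flags, used, _alloc,
     _base_ref, _next_id, _pad, rec_num) = struct.unpack_from("<QHHHHIIQHHI", rec, 8)
    info = {"record_number": rec_num, "sequence": seq, "lsn": lsn,
            "hard_links": links, "in_use": bool(flags & 1),
            "is_directory": bool(flags & 2), "names": []}
    off = attr_off
    while off + 8 <= used:
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        non_resident = rec[off + 8]
        if atype == ATTR_FILE_NAME and non_resident == 0:
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            parent_ref = struct.unpack_from("<Q", body, 0)[0]
            created, modified, _mft_modified, _accessed = struct.unpack_from("<4Q", body, 8)
            name_len, namespace = body[0x40], body[0x41]
            info["names"].append({
                "name": body[0x42:0x42 + 2 * name_len].decode("utf-16-le"),
                "namespace": namespace,                 # 0 POSIX, 1 Win32, 2 DOS, 3 Win32+DOS
                "parent_record": parent_ref & 0xFFFFFFFFFFFF,   # low 48 bits = record number
                "created": filetime_to_utc(created),
                "modified": filetime_to_utc(modified),
            })
        off += alen
    return info


def mft_entry_count(mft_data_size, record_size=MFT_RECORD_SIZE):
    """$MFT holds one fixed-size record per entry, so its data size gives the count."""
    return mft_data_size // record_size


def build_sample_record(rec_num=12345, lsn=0x1A2B3C4D, name="sample.exe"):
    """Constructed in-use FILE record with one $FILE_NAME attribute and fixups
    applied the way NTFS writes them (assumed values, not data from the image)."""
    rec = bytearray(MFT_RECORD_SIZE)
    usa_off, usa_cnt, attr_off = 0x30, 3, 0x38
    fname = name.encode("utf-16-le")
    body = bytearray(0x42 + len(fname))
    struct.pack_into("<Q", body, 0, 5 | (5 << 48))        # parent = root directory (record 5)
    t = 132_000_000_000_000_000                            # constructed FILETIME (April 2019)
    struct.pack_into("<4Q", body, 8, t, t, t, t)
    struct.pack_into("<QQ", body, 0x28, 4096, 3100)        # allocated / real size
    body[0x40], body[0x41] = len(name), 3
    body[0x42:] = fname
    alen = (24 + len(body) + 7) & ~7                       # attributes are 8-byte aligned
    attr = bytearray(alen)
    struct.pack_into("<IIBBHHHIHBB", attr, 0, ATTR_FILE_NAME, alen, 0, 0, 0x18, 0, 2,
                     len(body), 0x18, 1, 0)
    attr[0x18:0x18 + len(body)] = body
    rec[attr_off:attr_off + alen] = attr
    end = attr_off + alen
    struct.pack_into("<I", rec, end, ATTR_END)
    used = end + 8
    rec[:4] = b"FILE"
    struct.pack_into("<HHQHHHHIIQHHI", rec, 4, usa_off, usa_cnt, lsn, 7, 1, attr_off, 1,
                     used, MFT_RECORD_SIZE, 0, 3, 0, rec_num)
    rec[510:512], rec[1022:1024] = b"\xab\xcd", b"\xef\x01"   # slack the USN will overwrite
    usn = b"\x07\x00"
    rec[usa_off:usa_off + 6] = usn + rec[510:512] + rec[1022:1024]
    rec[510:512] = usn
    rec[1022:1024] = usn
    return bytes(rec)


if __name__ == "__main__":
    print(parse_mft_record(build_sample_record()))
```

On a real image, feed parse_mft_record each 1024-byte slice of the exported $MFT; the slice index is the record number, which should match the value the header reports. The entry count for a volume is mft_entry_count applied to the $MFT data size, with the record size taken from the boot sector rather than assumed.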
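The Tor Browser launch count, the most-run Firefox prefetch file and the last-run time of an executable all come from Windows prefetch (.pf) headers. The parser below is an added example for this page, not code from the challenge; the prefetch images it reads are built by build_sample_prefetch with assumed values (executable name FIREFOX.EXE, run counts 14 and 27, invented file names ending in AAAAAAAA and BBBBBBBB), so nothing here is a flag. It handles format versions 17, 23, 26 and 30; for version 30 it assumes, as common parsers do, that the file-metrics offset marks the end of the file-information block, so a 224-byte block puts the run count at 0xD0 and a 216-byte block at 0xC8. Windows 10 prefetch files on disk are MAM-compressed and must be decompressed first; the parser refuses them rather than reading garbage.

```python
"""Windows prefetch (.pf) header parser (added example; constructed data, not files
from the challenge image).

Extracts the executable name, the run count and the last-run FILETIME(s); the
field offsets depend on the format version stored in the first four bytes.
"""
import struct
from datetime import datetime, timedelta, timezone


def filetime_to_utc(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_prefetch(data):
    if data[:3] == b"MAM":
        raise ValueError("MAM-compressed (Windows 10) prefetch file: decompress the "
                         "LZXPRESS Huffman payload before parsing")
    version, signature = struct.unpack_from("<I4s", data, 0)
    if signature != b"SCCA":
        raise ValueError("bad prefetch signature %r" % signature)
    exe = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    metrics_offset = struct.unpack_from("<I", data, 0x54)[0]
    if version == 17:                       # Windows XP / 2003
        run_off, count_off, slots = 0x78, 0x90, 1
    elif version == 23:                     # Windows Vista / 7
        run_off, count_off, slots = 0x80, 0x98, 1
    elif version in (26, 30):               # Windows 8.1 / 10: eight last-run slots
        run_off, slots = 0x80, 8
        # assumption: file information ends where the file-metrics array begins
        count_off = 0xD0 if metrics_offset - 0x54 == 224 else 0xC8
    else:
        raise ValueError("unsupported prefetch version %d" % version)
    raw_times = struct.unpack_from("<%dQ" % slots, data, run_off)
    run_count = struct.unpack_from("<I", data, count_off)[0]
    last_runs = [filetime_to_utc(t) for t in raw_times if t]   # unused slots are zero
    return {"version": version, "executable": exe, "run_count": run_count,
            "last_runs": last_runs}


def rank_by_run_count(prefetch_files):
    """{filename: bytes} -> [(filename, run_count)] most-run first. One executable
    started from different paths gets several .pf files, so they must be compared."""
    ranked = [(name, parse_prefetch(blob)["run_count"]) for name, blob in prefetch_files.items()]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


def build_sample_prefetch(exe="FIREFOX.EXE", run_count=14,
                          last_runs=(132_100_000_000_000_000,), version=30, fi_size=224):
    """Constructed, uncompressed prefetch image with only the header fields this
    parser reads populated (assumed values, not data from the challenge)."""
    pf = bytearray(0x54 + fi_size + 16)
    struct.pack_into("<I4sII", pf, 0, version, b"SCCA", 0x11, len(pf))
    pf[0x10:0x10 + 60] = exe.encode("utf-16-le").ljust(60, b"\x00")
    struct.pack_into("<I", pf, 0x54, 0x54 + fi_size)           # file metrics array offset
    slots = 8 if version in (26, 30) else 1
    run_off = 0x78 if version == 17 else 0x80
    times = list(last_runs) + [0] * (slots - len(last_runs))
    struct.pack_into("<%dQ" % slots, pf, run_off, *times)
    count_off = {17: 0x90, 23: 0x98}.get(version, 0xD0 if fi_size == 224 else 0xC8)
    struct.pack_into("<I", pf, count_off, run_count)
    return bytes(pf)


if __name__ == "__main__":
    sample = {"FIREFOX.EXE-AAAAAAAA.pf": build_sample_prefetch(run_count=14),
              "FIREFOX.EXE-BBBBBBBB.pf": build_sample_prefetch(run_count=27)}
    print(rank_by_run_count(sample))
```

The last-run list is what a "last run date" question wants; on version 26/30 files the first non-zero slot is the most recent run, and the timestamps are already UTC, so no time-zone adjustment is needed for an answer format that asks for UTC.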