Your organization experienced a security incident on May 5, 2025, when the Security Operations Center (SOC) detected suspicious activity on a company workstation. Investigation revealed that an employee had downloaded a malicious ZIP file and executed its contents.
As part of the DFIR team, you are given a forensic image of the compromised system to identify the infection vector, analyze the payload, and assess the breach. Your findings will reveal the TTPs, helping mitigate the threat and strengthen the organization’s future defenses.
To identify the origin of the malicious ZIP file, we must reconstruct the victim’s browsing and download activity. Browser history provides the most reliable evidence in this case, as it records visited URLs, timestamps, and file download references, often pointing directly to the malicious resource. Recovering the precise URL is critical for attribution and to determine whether the file was hosted on a legitimate but compromised site, a public file-sharing service, or an attacker-controlled domain.
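As an added example that is not part of the original write-up, the following Python reconstructs download records from a Chromium-style `History` SQLite database, pairing each download with its redirect chain (the `downloads_url_chains` table) so the final hop shows the real hosting URL rather than only the landing page. The browser, the reduced column set, the file name, and the `.invalid` domains are all constructed for illustration; the case itself does not name the browser.

```python
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_utc(ts):  # Chromium stores timestamps as microseconds since 1601-01-01 UTC
    return WEBKIT_EPOCH + timedelta(microseconds=ts)

def build_sample_history(path):
    """Constructed sample History DB (simplified Chromium schema, one ZIP download)."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE downloads (id INTEGER PRIMARY KEY, target_path TEXT,
            start_time INTEGER, state INTEGER, referrer TEXT, mime_type TEXT);
        CREATE TABLE downloads_url_chains (id INTEGER, chain_index INTEGER, url TEXT);""")
    con.execute("INSERT INTO downloads VALUES (1, ?, ?, 1, ?, 'application/zip')",
                (r"C:\Users\victim\Downloads\invoice.zip",   # constructed path
                 13390912800000000,                           # 2025-05-05 10:00:00 UTC
                 "https://files.example.invalid/share/abc"))  # constructed referrer
    con.executemany("INSERT INTO downloads_url_chains VALUES (?, ?, ?)", [
        (1, 0, "https://files.example.invalid/share/abc/download"),
        (1, 1, "https://cdn.example.invalid/dl/invoice.zip")])  # final hop = real source
    con.commit(); con.close()

def reconstruct_downloads(path):
    """Pair each download with its redirect chain; the last hop is the hosting URL."""
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)  # read-only: never alter evidence
    chains = {}
    for did, _idx, url in con.execute(
            "SELECT id, chain_index, url FROM downloads_url_chains ORDER BY id, chain_index"):
        chains.setdefault(did, []).append(url)
    results = []
    for did, target, start, state, referrer, mime in con.execute(
            "SELECT id, target_path, start_time, state, referrer, mime_type "
            "FROM downloads ORDER BY start_time"):
        urls = chains.get(did, [])
        results.append({"time_utc": webkit_to_utc(start).strftime("%Y-%m-%d %H:%M:%S"),
                        "target_path": target, "referrer": referrer, "chain": urls,
                        "source_url": urls[-1] if urls else None,
                        "complete": state == 1, "mime_type": mime})  # state 1 = complete
    con.close()
    return results

def run_demo():
    # Build the constructed sample in a temp dir, reconstruct it, return the records.
    with tempfile.TemporaryDirectory() as d:
        build_sample_history(f"{d}/History")
        return reconstruct_downloads(f"{d}/History")
```

On a real image, point `reconstruct_downloads` at a copy of the profile's `History` file; the `referrer` and the first chain entry give the landing page, while the last chain entry is the URL to attribute.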
We begin by mounting the provided .ad1 image with FTK Imager (or an equivalent forensic mounting tool) so we can read the user’s profile filesystem without modifying the evidence:
Open FTK Imager → File &