
PEOPLE'S DEMOCRATIC REPUBLIC OF ALGERIA

MINISTRY OF HIGHER EDUCATION AND SCIENTIFIC RESEARCH

Ferhat Abbas University Sétif 1

Faculty of Sciences

IT Department

Module: Project

Title

Digital Investigation with Autopsy

Realized by:

• Bouzidi Aymen

• Yessad Djaafer

Supervised by: Mme. ALIOUAT Zibouda
1. Getting Started:
First we need to create a new account on this website: https://tryhackme.com/

After creating the account we open this link:

https://tryhackme.com/room/autopsy2ze0
We will see a page like this, and we click Join Room.
After that we will see another page like this one, and we click Start Machine.

Now we are ready to go.

2. Quick Review:
We will do a quick review of what we already saw in the previous lecture.
To open a new case we click on New Case, then we give it a name and a path where it will be saved. After that we enter our information, as we already saw, once we reach this page.
We name our host if we want, or we just leave the first option, which names the host after the data source. We click Next and we will see something like this:

Here we select the type of our data source. If it is a disk image we choose the first option; if we have the hard disk of the target machine we can go with the second option, which is faster, but it is better to create an image first; if we only have a few files from here and there we can click on the third option and select the files that we collected. There is also Autopsy Logical Imager Results: if we have one, we add it. After that we click Next and we will see something like this:
Then we choose the path of our image and the time zone of the image; if we don't know the time zone of the image we choose +0:00 UTC. In the hash value field we enter the hash value of the image so that we can verify that the image has not been modified by someone else. After that we click Next and we should see something like this:
Let's explain what these mean:

• Recent Activity: shows us all the activities, for example web history, the users who logged in, the programs that were installed, and so on.
• Hash Lookup: if we have databases of known-bad hashes we can add them, and whenever it finds a match it will show us that file.
• File Type Identification: identifies the type of each file from its content, and whenever it finds a match it will show us that file.
• Extension Mismatch Detector: shows us any mismatch between a file's content and its extension; for example, if the target changed the extension of an image from .png to .txt, this will be detected.
• Embedded File Extractor: unpacks archives such as zip files and shows their contents to us.
• Picture Analyzer: analyzes the pictures and shows us the camera settings, the program that was used to modify the image, the timestamp of the image, and so on.
• Keyword Search: if we have keywords that we want to search for, we can add them and it will find them for us.
• Central Repository: shows us any files that have been seen in other cases. For example, if we have 3 cases and we are investigating them, and while we are in case 2 it finds files that also exist in case 1, it will notify us; this is especially important when we are investigating related cases.
• PhotoRec Carver: recovers any deleted file, not just photos.
• Virtual Machine Extractor: shows us any virtual machine it finds on the disk, and if it finds one it treats it like a separate disk.
• Data Source Integrity: since we added the hash value of our image, this module recalculates the hash of the image, and if it finds a mismatch between the hashes that means the image has been modified.
• Yara Analyzer: if we have a YARA rule for malware that we suspect exists on our machine, we can add it, and if it finds a program matching that rule it will tell us.
3. Start of Investigation
Now we start the investigation. We go to the remote machine that I showed you how to start previously on the TryHackMe website, we click on Autopsy inside the Remote Desktop (virtual machine) and we launch Autopsy. This time we are going to open a case directly.

Then we choose the folder on the Desktop named Cases Files and we choose the Tryhackme.aut case.
We will get this problem telling us that the image file is missing; we click Yes and choose our image, which is in the same folder as our case.
4. Answering the questions
Now let's answer the questions. The first question is:
• What is the MD5 hash of the E01 image?
Let's see how we can find the MD5 hash of our image.
We click on Data Sources, then we click on our disk, and at the bottom we click on the File Metadata tab.
As you can see, the MD5 hash is:
3f08c518adb3b5c1359849657a9b2079

Moving to the second question, which is:

• What is the computer account name?
Let's see how we can find the computer account name:
We click on Operating System Information, then we click on System, and there we find the computer name.

As we can see, the computer name is:

DESKTOP-0R59DJ3
Moving to the third question, which is:
• List all the user accounts. (alphabetical order)
Let's see how we can find the user accounts: we click on Operating System User Accounts, and there we are going to find all the users.

So the answer to the question is:

H4S4N,joshwa,keshav,sandhya,shreya,sivapriya,srini,suba

Moving to the fourth question, which is:

• Who was the last user to log into the computer?

On the same page we can find the Date Accessed column; we click on it so that the accounts are sorted by the most recent date.
So the answer to the question is:
Sivapriya

Moving to the fifth question, which is:

• What was the IP address of the computer?

For this we go to our disk (HASAN2.E01), then to vol3, then to Program Files (x86) and to Look@LAN. We click on it and we find a file called irunin.ini; we scroll down a little and we find LANIP, which is the IP address of the computer.
The answer to the question is:
192.168.130.216

The sixth question is:

• What was the MAC address of the computer? (XX-XX-XX-XX-XX-XX)
On the same page, under LANIP, there is LANNIC, which is our MAC address.
The answer to the question is:
08-00-27-2c-c4-b9

The seventh question is:

• Name the network cards on this computer.
We click on Operating System Information, then on Software, and then follow this path:
Microsoft / Windows NT / CurrentVersion / NetworkCards / 2
After clicking on 2 you will see the name of the network card.

The answer to the question is:

Intel(R) PRO/1000 MT Desktop Adapter

Moving to question number 8, which is:

• What is the name of the network monitoring tool?
The network monitoring tool is an application, so we look under the installed applications for anything related to the network.

The answer to the question is:

Look@LAN

Question number 9 is:

• A user bookmarked a Google Maps location. What are the coordinates of the location?

We look in the web bookmarks for any location we can find there.
The answer to the question is:
12°52'23.0"N 80°13'25.0"E

Question number 10:
• A user has his full name printed on his desktop wallpaper. What is the user's full name?
We search the users' images and look inside them to see if we can find any image that contains a name.
To do that we click on Images/Videos at the top, then we click on the name of each user and search one by one.
The answer to the question is:
Anto Joshwa

Question number 11:
• A user had a file on her desktop. It had a flag but she changed the flag using PowerShell. What was the first flag?
We check which user executed the command by examining the PowerShell console host history. In this example, the history is located in the following path: Users/shreya/AppData/Roaming/Microsoft/Windows/PowerShell/PSReadLine.
The answer is flag{HarleyQuinnForQueen}
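The same triage done by script, as an added example that is not part of the original write-up: walk every profile under Users, read each PSReadLine ConsoleHost_history.txt, and report which user ran commands that mention a given file. The volume layout, user names and commands below are a constructed sample.

```python
import tempfile
from pathlib import Path

# Per-user PSReadLine history, relative to each profile under Users (the path from the write-up).
HISTORY_REL = Path("AppData/Roaming/Microsoft/Windows/PowerShell/PSReadLine/ConsoleHost_history.txt")

def collect_histories(volume_root):
    """Return {user: [commands]} for every profile that has a ConsoleHost_history.txt."""
    histories = {}
    users_dir = Path(volume_root) / "Users"
    profiles = sorted(p for p in users_dir.iterdir() if p.is_dir()) if users_dir.is_dir() else []
    for profile in profiles:
        hist = profile / HISTORY_REL
        if hist.is_file():
            text = hist.read_text(encoding="utf-8", errors="replace")
            histories[profile.name] = [ln.strip() for ln in text.splitlines() if ln.strip()]
    return histories

def users_who_ran(histories, needle):
    """Users whose history mentions `needle` (case-insensitive), with just the matching lines."""
    needle = needle.lower()
    hits = {}
    for user, cmds in histories.items():
        matching = [c for c in cmds if needle in c.lower()]
        if matching:
            hits[user] = matching
    return hits

def build_sample_volume():
    """Constructed sample: two profiles with history (one rewrites a desktop file), one without."""
    root = Path(tempfile.mkdtemp())
    sample = {
        "shreya": ["Get-Content .\\Desktop\\flag.txt",
                   "Set-Content .\\Desktop\\flag.txt 'flag{constructed-replacement}'"],
        "joshwa": ["Get-Process", "ipconfig /all"],
    }
    for user, cmds in sample.items():
        hist = root / "Users" / user / HISTORY_REL
        hist.parent.mkdir(parents=True)
        hist.write_text("\n".join(cmds) + "\n", encoding="utf-8")
    (root / "Users" / "keshav").mkdir()  # a profile that never used PowerShell
    return root
```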

Question number 12:
• The same user found an exploit to escalate privileges on the computer. What was the message to the device owner?
We investigate the user's folders for the exploit, then examine its code to determine the message. In this example, the exploit is located in the following path: Users/shreya/Desktop.

The answer is flag{I-hacked-you}


Question number 13:
• 2 hack tools focused on passwords were found in the system. What are the names of these tools?
We review the system's Windows Defender detection history to identify the tools. The history can be found in the following path: ProgramData/Microsoft/Windows Defender/Scans/History/Service/DetectionHistory.

The answer is Lazagne,Mimikatz


Question number 14:
• There is a YARA file on the computer. Inspect the file. What is the name of the author?
We perform a keyword search to locate all the .yar files. To do this, enter '.yar' in the search field and then click on the search button.

The answer is Benjamin DELPY (gentilkiwi)
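A scripted version of the same search, added here and not part of the original write-up: find every .yar file under a volume and read the author from each rule's meta block. The rules and the directory tree are a constructed sample.

```python
import re
import tempfile
from pathlib import Path

RULE_START = re.compile(r"^\s*(?:(?:private|global)\s+)*rule\s+(\w+)", re.M)
# The meta: block runs until the strings: or condition: section that follows it.
META_BLOCK = re.compile(r"meta:(.*?)(?=^\s*(?:strings|condition)\s*:)", re.S | re.M)
AUTHOR = re.compile(r'\bauthor\s*=\s*"([^"]*)"')

def rule_authors(yar_text):
    """Return [(rule_name, author)] for every rule; author is None if meta has no author."""
    starts = list(RULE_START.finditer(yar_text))
    found = []
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(yar_text)
        meta = META_BLOCK.search(yar_text[m.end():end])
        author = AUTHOR.search(meta.group(1)) if meta else None
        found.append((m.group(1), author.group(1) if author else None))
    return found

def find_yar_files(root):
    """The keyword-search step done by hand: every *.yar file under the volume."""
    return sorted(p for p in Path(root).rglob("*.yar") if p.is_file())

# Constructed rules: hex strings use braces too, so a brace-matching parser would break here.
SAMPLE_RULES = '''\
rule constructed_dropper {
    meta:
        author = "Constructed Analyst"
    strings:
        $mz = { 4D 5A }
        $s1 = "rule of thumb"
    condition:
        $mz at 0 and $s1
}
rule constructed_no_meta {
    strings:
        $a = "example"
    condition:
        $a
}
'''

def build_sample_tree():
    """Constructed sample volume: one .yar in a profile folder plus a decoy text file."""
    root = Path(tempfile.mkdtemp())
    target = root / "Users" / "analyst" / "Desktop" / "sample.yar"
    target.parent.mkdir(parents=True)
    target.write_text(SAMPLE_RULES, encoding="utf-8")
    (root / "Users" / "analyst" / "notes.txt").write_text("not a rule\n", encoding="utf-8")
    return root
```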


Question number 15:
• One of the users wanted to exploit a domain controller with an MS-NRPC based exploit. What is the filename of the archive that you found?
If we investigate, we can identify a known vulnerability called Zerologon, which attackers exploit to target domain controllers. Assuming the user attempted to exploit this vulnerability using a script, we search for any related scripts or archives. Checking the recent documents may provide insights, as they often contain a history of the files and folders accessed recently.

The answer is 2.2.0 20200918 Zerologon encrypted.zip
