Faculty of Sciences
IT Department
Module: Project
Title
• Yessad Djaafer
1. Getting Started:
First we need to create a new account on this website: https://tryhackme.com/
2. Quick Review:
We will do a quick review of what we already saw in the previous lecture.
To open a new case we click on New Case, then give it a name and a path where
we are going to save it. After that we enter our information as we already saw,
and we reach this page.
We name our host if we want, or just leave the first option selected, which
names it the same as the source data. We click Next and we are going to see
something like this:
Here we select the type of our data source. If it is a disk image we choose the
first option; if we have the hard disk of the target machine we can go with the
second option, which is faster, but it is better to create an image; if we only
have a few files from here and there we can click on the third option and select
the files that we collected. If we have Autopsy Logical Imager results, we insert
them. After that we click Next and we will see something like this:
So we choose the path of our image and the time zone of the image; if we don't
know the time zone of the image we choose +0:00 UTC. In the hash value field we
write the hash value of the image so we can verify that the image has not been
modified by someone else. After that we click Next and we should see something
like this:
Let's explain what these mean:
• Recent Activity: shows us all recent activity, for example web history, the users who logged in, the programs that were installed, and so on.
• Hash Lookup: if we have databases of known-bad hashes, we can add them, and whenever it finds a match it will show us that file.
• File Type Identification: identifies the type of each file, and whenever it finds a match it will show us that file.
• Extension Mismatch Detector: shows us any mismatch between a file's extension and its content; for example, if the target changed the extension of an image from .png to .txt, this will be detected.
• Embedded File Extractor: decomposes archives such as zip files and shows us their contents.
• Picture Analyzer: analyzes the pictures and shows us the camera settings, the program that was used to modify the image, the timestamp of the image, and so on.
• Keyword Search: if we have keywords that we want to search for, we can add them and it will find them for us.
• Central Repository: shows us any files that have been seen in other cases. For example, if we have three cases under investigation and it finds files in case 2 that also exist in case 1, it will notify us. This is especially important when we are investigating related cases.
• PhotoRec Carver: recovers deleted files, not just photos.
• Virtual Machine Extractor: shows us any virtual machine it finds on the disk, and if it finds one it treats it like a separate disk.
• Data Source Integrity: since we added the hash value of our image, this module recalculates the hash value of the image, and if it finds a mismatch between the hashes, that means the image has been modified.
• Yara Analyzer: if we have a YARA rule for malware that we suspect exists on the machine, we can add it, and if it finds a program matching that rule it will tell us.
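The Extension Mismatch Detector bullet above describes comparing a file's extension with what its content actually is. The following Python script is an added example (not part of the original document, and not Autopsy's own code) of the same idea: it reads the first bytes of each file, matches them against a small constructed table of magic signatures, and reports files whose extension contradicts the signature, such as the .png renamed to .txt mentioned above. The signature table and the sample files are constructed for this example; Autopsy uses a far larger signature database.

```python
import os
import tempfile
from typing import List, Optional

# Constructed table of leading-byte signatures for a few common formats.
SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",
}

# Content type each extension is expected to carry. Office documents are zip containers.
EXPECTED_TYPE = {
    ".png": "png",
    ".jpg": "jpeg", ".jpeg": "jpeg",
    ".gif": "gif",
    ".pdf": "pdf",
    ".zip": "zip", ".docx": "zip", ".xlsx": "zip",
}

# Plain-text extensions: any binary signature inside them is suspicious.
TEXT_EXTS = {".txt", ".log", ".csv", ".ini"}


def detect_type(header: bytes) -> Optional[str]:
    """Identify a file's real type from its leading bytes, or None if no signature matches."""
    for name, magic in SIGNATURES.items():
        if header.startswith(magic):
            return name
    return None


def extension_mismatch(filename: str, header: bytes) -> bool:
    """True when the content signature contradicts the extension.

    Unknown signatures, and extensions we have no expectation for (e.g. .bin),
    are not reported: there is no evidence either way.
    """
    actual = detect_type(header)
    if actual is None:
        return False
    ext = os.path.splitext(filename)[1].lower()
    expected = EXPECTED_TYPE.get(ext)
    if expected is not None:
        return expected != actual
    return ext in TEXT_EXTS


def scan_directory(root: str) -> List[str]:
    """Walk a directory tree and return relative paths of files with a mismatched extension."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                header = fh.read(16)  # longest signature in the table is 8 bytes
            if extension_mismatch(name, header):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def demo() -> List[str]:
    """Constructed sample tree: one genuine PNG, one PNG disguised as .txt, one real text file, one zip."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {
            "photo.png": SIGNATURES["png"] + b"\x00" * 8,
            "hidden.txt": SIGNATURES["png"] + b"\x00" * 8,  # renamed image
            "notes.txt": b"meeting notes\n",
            "archive.zip": SIGNATURES["zip"] + b"\x00" * 8,
        }
        for name, data in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return scan_directory(tmp)


if __name__ == "__main__":
    print(demo())  # ['hidden.txt']
```

The scan only needs the first 16 bytes of each file, so it is cheap even on a large export; a real analyzer would extend the signature table and also check trailers for formats that cannot be identified by their first bytes alone.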
3. Start of Investigation
Now we start the investigation. We go to our remote machine, which I showed
you how to start previously on the TryHackMe website, click on Autopsy inside
the remote desktop (virtual machine), and launch Autopsy. This time we are
going to open a case directly.
Then we choose the folder on the Desktop with the name Cases Files and we
choose the Tryhackme.aut case.
We will get this message telling us that the file is missing; we click Yes and
choose our image, which is in the same folder as our case.
4. Answering the Questions
Now let's answer the questions. The first question is:
• What is the MD5 hash of the E01 image?
Let's see how we can find the MD5 hash of our image.
We click on Data Sources, then on our disk, and at the bottom we click on
File Metadata.
As you can see, the MD5 hash is:
3f08c518adb3b5c1359849657a9b2079
On the same page we can find Date Accessed; we can click on it so that the
entries are ordered by the last date.
So the answer to the question will be:
Sivapriya
For this we go to our disk (HASAN2.E01), then to vol3, then to Program Files
(x86) and to Look@Lan. We click on it and we will find a file called
irunin.ini; we scroll down a little and we will find LANIP, which is the IP
address of the computer.
The answer to the question will be:
192.168.130.216
We are going to look in the web bookmarks and look for any location we can
find there.
The answer to the question will be:
12°52'23.0"N 80°13'25.0"E
Question number 10:
• A user has his full name printed on his desktop wallpaper. What is the
user's full name?
So we are going to search the images of the users, look inside them and see
if we can find any image that contains a name.
To do that we click on Images/Videos at the top, then we click on the name of
each user and we search one by one.
The answer to the question will be:
Anto Joshwa
Question number 11:
• A user had a file on her desktop. It had a flag but she changed the flag
using PowerShell. What was the first flag?
We are going to check which user executed the command by examining the
console host history. In this example, the history is located in the following path:
‘Users/shreya/AppData/Roaming/Microsoft/Windows/PowerShell/PSReadLine’.
The answer is flag{HarleyQuinnForQueen}
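The step above locates the PowerShell command history for one user by browsing to the PSReadLine folder. The following Python script is an added example (not part of the original document, and not Autopsy's or TryHackMe's code) that does the same across every profile at once: given the root of a mounted or exported image, it reads ConsoleHost_history.txt (the real file name PSReadLine uses inside the path quoted above) from each user's profile and lets you filter the commands with a regular expression, for instance for cmdlets that write files. The image layout and the user names and commands in the demo are constructed for this example.

```python
import os
import re
import tempfile
from typing import Dict, List, Tuple

# Location of the PSReadLine history relative to a user profile. The image is
# assumed to be mounted or exported under `root`, with profiles in root/Users.
HISTORY_REL = os.path.join("AppData", "Roaming", "Microsoft", "Windows",
                           "PowerShell", "PSReadLine", "ConsoleHost_history.txt")


def collect_histories(root: str) -> Dict[str, List[str]]:
    """Map each user profile under <root>/Users to its list of PowerShell commands.

    Blank lines are dropped; profiles without a history file are omitted.
    """
    users_dir = os.path.join(root, "Users")
    result: Dict[str, List[str]] = {}
    if not os.path.isdir(users_dir):
        return result
    for user in sorted(os.listdir(users_dir)):
        hist = os.path.join(users_dir, user, HISTORY_REL)
        if not os.path.isfile(hist):
            continue
        # errors="replace" keeps the scan going if the file holds stray bytes
        with open(hist, encoding="utf-8", errors="replace") as fh:
            result[user] = [line.rstrip("\r\n") for line in fh if line.strip()]
    return result


def find_commands(histories: Dict[str, List[str]], pattern: str) -> List[Tuple[str, str]]:
    """Return (user, command) pairs whose command matches a case-insensitive regex."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [(user, cmd) for user, cmds in histories.items() for cmd in cmds if rx.search(cmd)]


def demo() -> Tuple[Dict[str, List[str]], List[Tuple[str, str]]]:
    """Constructed image tree: 'alice' has a history file, 'bob' does not."""
    with tempfile.TemporaryDirectory() as tmp:
        hist = os.path.join(tmp, "Users", "alice", HISTORY_REL)
        os.makedirs(os.path.dirname(hist))
        os.makedirs(os.path.join(tmp, "Users", "bob", "Desktop"))
        with open(hist, "w", encoding="utf-8") as fh:
            fh.write("Get-Content .\\notes.txt\n"
                     "Set-Content .\\notes.txt -Value 'updated'\n"
                     "\n"
                     "Get-ChildItem\n")
        histories = collect_histories(tmp)
        # cmdlets that overwrite file contents are the ones to look at for a changed file
        hits = find_commands(histories, r"Set-Content|Out-File")
    return histories, hits


if __name__ == "__main__":
    histories, hits = demo()
    print(histories)  # {'alice': ['Get-Content .\\notes.txt', "Set-Content .\\notes.txt -Value 'updated'", 'Get-ChildItem']}
    print(hits)       # [('alice', "Set-Content .\\notes.txt -Value 'updated'")]
```

Reading every profile at once answers "which user ran it" without browsing each folder by hand, and the history file preserves command order, so the command that changed a file can be read together with the commands around it.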
Question number 12:
• The same user found an exploit to escalate privileges on the computer.
What was the message to the device owner?
We will investigate the user's folders for the exploit, then examine its code to
determine the message. In this example, the exploit is located in the following
path: ‘Users/shreya/Desktop’.