This video provides a walkthrough for the “Unattended” challenge from TryHackMe, which focuses on Windows forensics.
The challenge revolves around investigating suspicious activity reported by a newly hired employee, who noticed a suspicious janitor near his office. The task is to examine whether any activity occurred on the employee’s computer between 12:05 p.m. and 12:45 p.m. on November 19, 2022.
Investigation Process:
Initial Investigation:
It is discovered that someone accessed the computer during the specified timeframe.
Using the Registry Explorer tool, the video shows how to trace the user's search activity in Windows Explorer.
The intruder searched for “Continental” and for PDF files.
Internet Activity:
The video uses the Autopsy tool to investigate web activity, identifying a file the intruder downloaded from the internet.
It walks through finding the file via web history in Autopsy, focusing on the THM Fedora user and the downloaded executable.
Timeline Analysis:
The timeline and properties of the downloaded file are checked to determine when it was downloaded.
The registry is used to track when a PNG file was opened after the executable was downloaded.
Data Exfiltration:
A text file was created on the desktop, and the investigation shows how many times it was opened.
The analysis uses Windows jump lists to extract the file's last access and modification times.
Pastebin Activity:
Autopsy reveals that the contents of the text file were exfiltrated to Pastebin. The investigator finds the Pastebin URL and retrieves the string that was copied there.
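The Explorer search history that Registry Explorer displays in the Initial Investigation step comes from the WordWheelQuery key in the user's NTUSER.DAT. The following added example (not code from the video or the room) decodes that key's layout by hand: numbered values hold one UTF-16LE, NUL-terminated search term each, and MRUListEx is a list of little-endian DWORD indices, most recent first, ending in 0xFFFFFFFF. The bytes in SAMPLE_WORDWHEEL are constructed to mirror the two searches the walkthrough recovers; reading the real values from a hive would need a registry parser, which this example does not include.

```python
import struct

# Constructed sample of the REG_BINARY values found under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery.
# Numbered values hold one UTF-16LE, NUL-terminated search term each;
# MRUListEx is a run of little-endian DWORD indices, most recent first,
# terminated by 0xFFFFFFFF. These bytes are not taken from the room's image.
SAMPLE_WORDWHEEL = {
    "0": ".pdf\0".encode("utf-16-le"),
    "1": "continental\0".encode("utf-16-le"),
    "MRUListEx": struct.pack("<3I", 1, 0, 0xFFFFFFFF),
}


def decode_term(raw: bytes) -> str:
    """Decode one numbered value: UTF-16LE text up to the first NUL."""
    return raw.decode("utf-16-le", errors="replace").split("\0", 1)[0]


def mru_order(raw: bytes) -> list[int]:
    """Return the value indices in most-recently-used order."""
    if len(raw) % 4 != 0:
        raise ValueError("MRUListEx length is not a multiple of 4")
    order = []
    for (idx,) in struct.iter_unpack("<I", raw):
        if idx == 0xFFFFFFFF:  # end-of-list marker
            break
        order.append(idx)
    return order


def search_history(values: dict) -> list[str]:
    """Rebuild the Explorer search history, most recent search first."""
    history = []
    for idx in mru_order(values["MRUListEx"]):
        raw = values.get(str(idx))
        # An index with no matching value points at a rotated or damaged key;
        # flag it instead of silently dropping the slot.
        history.append(decode_term(raw) if raw is not None else f"<missing value {idx}>")
    return history


if __name__ == "__main__":
    for position, term in enumerate(search_history(SAMPLE_WORDWHEEL)):
        print(f"{position}: {term!r}")
```

The order matters for the investigation: MRUListEx, not the numeric value names, tells you which search came last, and a dangling index is itself a finding worth noting rather than an error to hide.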
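The Timeline Analysis and Data Exfiltration steps all reduce to the same check: convert each artifact's timestamp to UTC and keep only what falls in the 12:05 to 12:45 window. Registry keys, jump lists and LNK files store Windows FILETIME values (100-nanosecond ticks since 1601-01-01 UTC), so the conversion is the part that is easy to get wrong. This added example (not code from the video or the room) implements the conversion in both directions and applies the window to SAMPLE_EVENTS, a constructed list that mimics what Autopsy, Registry Explorer and a jump-list parser would report; the window is assumed to be UTC here, and the event labels are illustrative, not quotes from the room's evidence.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
# Registry keys, jump lists and LNK files all carry timestamps in this form.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_MICROSECOND = 10


def filetime_to_utc(ft: int) -> datetime:
    """Convert a 64-bit FILETIME to an aware UTC datetime (sub-microsecond ticks dropped)."""
    if not 0 <= ft < 1 << 64:
        raise ValueError("FILETIME out of range")
    return EPOCH_1601 + timedelta(microseconds=ft // TICKS_PER_MICROSECOND)


def utc_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_utc; naive datetimes are rejected so local time never leaks in."""
    if dt.tzinfo is None:
        raise ValueError("refusing naive datetime: timezone must be explicit")
    delta = dt.astimezone(timezone.utc) - EPOCH_1601
    micros = (delta.days * 86_400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * TICKS_PER_MICROSECOND


# The room's question window, 12:05 to 12:45 on 2022-11-19, treated here as UTC.
WINDOW_START = datetime(2022, 11, 19, 12, 5, tzinfo=timezone.utc)
WINDOW_END = datetime(2022, 11, 19, 12, 45, tzinfo=timezone.utc)


def _ft(*args) -> int:
    """Helper for building constructed FILETIME values from a UTC wall-clock time."""
    return utc_to_filetime(datetime(*args, tzinfo=timezone.utc))


# Constructed timeline records (source label, FILETIME). Not parsed from the
# room's image; the labels only describe the kind of artifact each tool yields.
SAMPLE_EVENTS = [
    ("Event log: system boot", _ft(2022, 11, 19, 8, 2, 11)),
    ("Autopsy web history: 7z2201-x64.exe downloaded", _ft(2022, 11, 19, 12, 9, 19)),
    ("Registry: PNG file opened", _ft(2022, 11, 19, 12, 10, 21)),
    ("Jump list: text file on Desktop last modified", _ft(2022, 11, 19, 12, 12, 0)),
    ("Event log: user logoff", _ft(2022, 11, 19, 17, 30, 0)),
]


def events_in_window(events, start: datetime, end: datetime) -> list[tuple[str, str]]:
    """Return (timestamp string, source) for records inside [start, end], oldest first."""
    decoded = [(filetime_to_utc(ft), source) for source, ft in events]
    hits = sorted((ts, src) for ts, src in decoded if start <= ts <= end)
    return [(ts.strftime("%Y-%m-%d %H:%M:%S UTC"), src) for ts, src in hits]


if __name__ == "__main__":
    for when, source in events_in_window(SAMPLE_EVENTS, WINDOW_START, WINDOW_END):
        print(when, source)
```

Two practical notes: tools disagree on whether they display UTC or the image's local time, so the only safe comparison is after normalising everything to UTC as above, and the refusal to accept naive datetimes is deliberate, because mixing a local-time window with UTC artifacts silently shifts every finding by the machine's offset.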
Room Answers | TryHackMe Unattended
What file type was searched for using the search bar in Windows Explorer?
.pdf
What top-secret keyword was searched for using the search bar in Windows Explorer?
continental
What is the name of the downloaded file to the Downloads folder?
7z2201-x64.exe
When was the file from the previous question downloaded? (YYYY-MM-DD HH:MM:SS UTC)
2022-11-19 12:09:19 UTC
Thanks to the previously downloaded file, a PNG file was opened. When was this file opened? (YYYY-MM-DD HH:MM:SS)
2022-11-19 12:10:21
A text file was created in the Desktop folder. How many times was this file opened?
2
When was the text file from the previous question last modified? (MM/DD/YYYY HH:MM)
11/19/2022 12:12
The contents of the file were exfiltrated to pastebin.com. What is the generated URL of the exfiltrated data?
What is the string that was copied to the pastebin URL?
ne7AIRhi3PdESy9RnOrN