Posts

Showing posts with the label artifact

TryHackMe | DFIR: An Introduction WriteUp

Image
  Introductory room for the DFIR module Link - https://tryhackme.com/room/introductoryroomdfirmodule What does DFIR stand for? Digital Forensics and Incident Response DFIR requires expertise in two fields. One of the fields is Digital Forensics. What is the other field? Incident Response. Complete the timeline creation exercise in the attached static site. What is the flag that you get after completion? At what stage of the IR process are disrupted services brought back online as they were before the incident? recovery At what stage of the IR process is the threat evicted from the network after performing the forensic analysis? eradication What is the NIST-equivalent of the step called “Lessons learned” in the SANS process? Post-incident Activity That’s it! See you in the next Room :)

TryHackMe | Windows Forensics 1 Walkthrough

Image
Introduction to Windows Registry Forensics Link - https://tryhackme.com/room/windowsforensics1 What is the most used Desktop Operating System right now? Microsoft Windows What is the short form for HKEY_LOCAL_MACHINE? HKLM What is the path for the five main registry hives, DEFAULT, SAM, SECURITY, SOFTWARE, and SYSTEM? C:\Windows\System32\Config What is the path for the AmCache hive? C:\Windows\AppCompat\Programs\Amcache.hve What is the Current Build Number of the machine whose data is being investigated? 19044 Which ControlSet contains the last known good configuration? 1 What is the Computer Name of the computer? THM-4n6 What is the value of the TimeZoneKeyName? Pakistan Standard Time What is the DHCP IP address 192.168.100.58 What is the RID of the Guest User account? 501 When was EZtools opened? 2021–12–01 13:00:34 At what time was My Computer last interacted with? 2021–12–01 13:06:47 What is the Absolute Path of the file opened using notepad.exe? C:\Program Files\Amazon\Ec2ConfigSe...

Eonrec