Hard Drive Investigation Solution

This lab was provided by Security Blue Team Level 1!

I needed to select a Base Directory for the investigation, which needed to be an empty folder. I clicked on Browse, went to the Desktop, then clicked the icon in the top-right to create a new folder.

I clicked ‘Add Data Source’ in the top-left corner. When asked to select a host, I left it as the default option (first option) and clicked Next.

For Step 4 I was asked which Ingest Modules I wanted to run on the disk image, to help quickly retrieve interesting information. I clicked Deselect All and ticked the two modules shown below.


Question 1 - What operating system (and version of OS) is the suspect laptop running?

To find the Operating System of the device I looked under ‘Data Artifacts > Operating System Information’. Scrolling to the right within the table in the left panel, I saw the OS listed under the ‘Program Name’ column.


Question 2 - What is the hostname of the system?

In the same section as above, towards the left of the table, I saw the hostname listed under the ‘Name’ column.


Question 3 - Look at Web Downloads that have been retrieved from the disk image. What file was downloaded at 2013-12-18 20:05:57 GMT?

Still under the ‘Data Artifacts’ heading in the left panel, I was asked to investigate Web Downloads. The table on the right has a ‘Date Accessed’ column, so I needed to find the row whose date matches the timestamp in the question.


Question 4 - What is the full URL of the file that was downloaded at 2013-12-18 03:02:50 GMT?

Looking in the same location, I knew I needed to find the row in the table that matches the timestamp in the question. After finding it, I could see the full URL in the column titled ‘URL’.


Question 5 - Looking at Recent Documents, what is the full path for the file Pier.jpg?

Looking at the ‘Recent Documents’ menu item, I found the Pier.lnk file, which is the shortcut file representing Pier.jpg; I then took the file path from the ‘Path’ column.
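Questions 3 to 5 both rest on what the tool (Autopsy, judging by the menu names, though the write-up does not say) extracts behind the scenes: the ‘Path’ shown for a Recent Documents entry comes from the LNK file's LinkInfo structure, and the GMT timestamps come from 64-bit FILETIME values. The following Python example is added here and is not part of the lab or the tool's code; it builds a minimal Shell Link file from a constructed path and time (not the lab's actual answers), then parses it back to recover the target path and the write time in UTC/GMT, so you can see what the ‘Path’ and date columns are derived from.

```python
"""Parse a Windows Shell Link (.lnk) file to recover the target path and its
FILETIME timestamps, the data a forensic tool surfaces as 'Recent Documents'.
The sample LNK bytes are constructed inline, not taken from a disk image."""
import struct
from datetime import datetime, timedelta, timezone

# CLSID 00021401-0000-0000-C000-000000000046 as it is laid out on disk
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HAS_LINK_TARGET_ID_LIST = 0x01        # LinkFlags bit 0
HAS_LINK_INFO = 0x02                  # LinkFlags bit 1
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01  # LinkInfoFlags bit 0


def filetime_to_utc(ft: int) -> datetime:
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC, so the result is GMT."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def utc_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def _cstr(data: bytes, off: int) -> str:
    """NUL-terminated ANSI string at off (LocalBasePath / CommonPathSuffix)."""
    return data[off:data.index(b"\x00", off)].decode("latin-1")


def _wstr(data: bytes, off: int) -> str:
    """NUL-terminated UTF-16LE string at off (the *Unicode offset variants)."""
    end = off
    while end + 1 < len(data) and data[end:end + 2] != b"\x00\x00":
        end += 2
    return data[off:end].decode("utf-16-le")


def parse_lnk(data: bytes) -> dict:
    """Return target path, size and UTC timestamps from a Shell Link file."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file (bad HeaderSize/CLSID)")
    flags, _attrs, ctime, atime, wtime, fsize = struct.unpack_from("<IIQQQI", data, 0x14)
    pos = 0x4C  # first structure after the 76-byte ShellLinkHeader
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]  # skip IDListSize + IDList
    target = None
    if flags & HAS_LINK_INFO:
        (info_size, hdr_size, info_flags, _vol_off, local_off,
         _cnrl_off, suffix_off) = struct.unpack_from("<7I", data, pos)
        if info_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            if hdr_size >= 0x24:  # Unicode offsets present; prefer them to the ANSI copies
                local_u, suffix_u = struct.unpack_from("<II", data, pos + 0x1C)
                target = _wstr(data, pos + local_u) + _wstr(data, pos + suffix_u)
            else:
                target = _cstr(data, pos + local_off) + _cstr(data, pos + suffix_off)
        pos += info_size
    return {
        "target": target,
        "file_size": fsize,
        "created": filetime_to_utc(ctime),
        "accessed": filetime_to_utc(atime),
        "written": filetime_to_utc(wtime),
    }


def build_lnk(target: str, written: datetime, file_size: int) -> bytes:
    """Construct a minimal LNK (header + LinkInfo + TerminalBlock) for testing."""
    ft = utc_to_filetime(written)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, HAS_LINK_INFO,
                         0x20, ft, ft, ft, file_size, 0, 1, 0, 0, 0, 0)
    # VolumeID: size 0x11, DRIVE_FIXED, made-up serial, label offset 0x10, empty label
    volume_id = struct.pack("<IIII", 0x11, 3, 0x1234ABCD, 0x10) + b"\x00"
    local = target.encode("latin-1") + b"\x00"
    local_off = 0x1C + len(volume_id)
    suffix_off = local_off + len(local)
    info_size = suffix_off + 1  # empty CommonPathSuffix is a single NUL
    link_info = struct.pack("<7I", info_size, 0x1C, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            0x1C, local_off, 0, suffix_off) + volume_id + local + b"\x00"
    return header + link_info + b"\x00\x00\x00\x00"  # TerminalBlock ends ExtraData


# Constructed sample: the path and time are made up, not the lab's answers.
SAMPLE_TARGET = r"C:\Users\suspect\Pictures\Pier.jpg"
SAMPLE_WRITTEN = datetime(2013, 12, 18, 20, 5, 57, tzinfo=timezone.utc)
SAMPLE_LNK = build_lnk(SAMPLE_TARGET, SAMPLE_WRITTEN, 204_800)

if __name__ == "__main__":
    rec = parse_lnk(SAMPLE_LNK)
    print(rec["target"], rec["written"].strftime("%Y-%m-%d %H:%M:%S GMT"))
```

The timestamps are converted straight from FILETIME to UTC and never through the analysis machine's local time zone, which is why they line up with the GMT values the questions quote; a parser that uses local time here will be off by the examiner's UTC offset. Real LNK files also carry an IDList and StringData that this parser skips over, so it gives the same path the ‘Path’ column shows but not everything a full tool reports.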


Question 6 - Double click on vol2 to enter the virtual filesystem. Navigate to Program Files > GIMP 2. What is the file size of the directory named "lib"?

This let me browse the virtual file system as if I were on the computer itself. I double-clicked vol2, the largest partition within the image.

Moving into Program Files > GIMP 2, I could see the folder I needed. The file size is shown in a column at the end of the highlighted row.


Question 7 - Go to the OS Accounts tab. When was the local administrator account last accessed? (Format: YYYY-MM-DD HH:MM:SS)

Looking under the ‘OS Accounts’ section, I saw every local user on this computer. At the bottom I could see the Administrator account, with the time it was last accessed.