Solving HireME Challenge with ArtiFast Windows
13/10/2021 Wednesday
In this blog post, we will be solving a challenge designed by Cyber Defenders using ArtiFast Windows. In this challenge, a security professional is joining a new company and was assigned a task to demonstrate her technical expertise (full scenario).
Artifacts Covered in this Challenge:
- Registry Artifacts → Computer Name, Installed Programs, System Information, Timezone Information and User Accounts.
- OS Artifacts → Link File.
- Web Activity Artifacts → Chrome Browser.
Walkthrough:
First you need to download the AD1 image (17.2 GB) and convert it to E01. Then, create your case using
ArtiFast Suite by clicking on Case menu on the upper-left corner of the window, then New.
After you have created your case and added the image for investigation, at the Artifacts Selection phase,
you have the option to select all artifacts or utilize the search bar/category menu to find and select specific artifacts by name or category.
Once ArtiFast parser plugins complete processing artifacts for analysis, it can be reviewed via "Artifact
View" or "Timeline View", with indexing, filtering, and searching capabilities. Below is the solution to the
challenge, solved using ArtiFast Windows.
Q&As:
- What is the OS's build number?
The answer can be found in System Information artifact under the Registry category. The OS's build
number is 16299.
- What is the hostname of the computer?
The answer can be found in Computer Name artifact under the Registry category. The hostname of the
computer is TOTALLYNOTAHACK.
- A messaging application was used to communicate with a fellow Alpaca enthusiest. What is the name of the software?
The answer can be found in Installed Programs artifact under the Registry category. As seen in the
figure below, Skype version 8.41 was installed on the device.
- What is the zip code of the administrator's post?
The answer can be found in Chrome Autofill artifact under the Web Activity category. The zip code of
the administrator's post is 19709 .
- What are the initials of the person who contacted the admin user from TAAUSAI?
The answer can be found in Outlook PST/OST artifact under the Email category. As seen in the figure
below, Micheal Scotch contacted the admin user for a job offer. Thus, the initials are MS.
- How much money was TAAUSAI willing to pay upfront?
The answer can also be found in Outlook PST/OST artifact under the Email category. As seen in the
figure below, TAAUSAI is willing to pay $150,000 USD .
- What country is the admin user meeting the hacker group in?
The answer can be found in Outlook PST/OST artifact as well. One of the
emails contained the GPS coordinates for the location.
As seen in the figure below, these coordinates refer to Desert Breath which is located in the Egyptian desert. Thus,
the answer is Egypt.
- What is the machine's timezone? (Use the three-letter abbreviation)
The answer can be found in Timezone Information artifact under the Registry category. The machine's
timezone is UTC.
- When was AlpacaCare.docx last accessed?
To find AlpacaCare.docx, switch to file view and then, navigate to the root directory. As can be seen in the figure below,
the file was last accessed at 03/17/2019 21:52:20.
- There was a second partition on the drive. What is the letter assigned to it?
The answer can be found in Link File artifact under the OS category. The letter assigned to the
second partition is A.
- What is the answer to the question Company's manager asked Karen?
The answer can be found in Outlook PST/OST artifact. The answer to the question is TheCardCriesNoMore.
- What is the job position offered to Karen? (3 words, 2 spaces in between)
The answer can also be found in Outlook PST/OST artifact. As can be seen in the figure below,
the position offered is cyber security analysts.
- When was the admin user password last changed?
The answer can be found in User Accounts artifact under the Registry category. The password was last
changed on 03/21/2019 19:13:09.
- What version of Chrome is installed on the machine?
The answer can be found in Installed Programs artifact under the Registry category. Chrome version
72.0.3626.121 was installed on the machine.
- What is the domain name of the website Karen browsed on Alpaca care that the file AlpacaCare.docx is based on?
The answer can be found in Chrome Downloads artifact under Web Activity category.
For more information or suggestions please contact: radhwan.alshammari@forensafe.com
