In this blog post we solve a challenge designed by Cyber Defenders using the full version of ArtiFast Windows. In this scenario, the SOC team detected illegal port-scanning activity coming from the system of a disgruntled employee who may be getting help from an outsider (full scenario). The purpose of the challenge is to analyze the provided image and confirm or deny that theory. Below is the solution to the challenge, solved using the full version of ArtiFast.
The answer can be found in the Computer Name artifact under the Registry category. The computer name is 4ORENSICS.
The answer can be found in the Profiles List artifact under the Registry category. That artifact lists the user SIDs from the ProfileList key; the computer (machine) SID is their common prefix, i.e. a user SID without its trailing RID: S-1-5-21-2489440558-2754304563-710705792.
The answer can be found in System Information artifact under the Registry category. The operating system version is Windows 8.1 Enterprise.
The answer can be found in the Timezone Information artifact under the Registry category (parsed from the TimeZoneInformation key of the SYSTEM hive). The computer time zone is UTC-07:00.
The answer can be found in the User Accounts artifact under the Registry category. According to the logon count kept in the SAM hive, the user Hunter logged in to the computer 3 times.
The answer can also be found in the User Accounts artifact under the Registry category. The last login time for the user Hunter is 2016-06-21 01:42:40.
The answer can be found in the UserAssist artifact under the Registry category (ArtiFast decodes the ROT13-obfuscated value names and shows each program's run count and last execution time). As can be seen in the picture below, Zenmap had been run on the computer, and the last time the suspect used it was 2016-06-21 12:08:13.
The answer can be found within the nmapscan.xml file, which is located on Hunter's desktop.
To access nmapscan.xml, switch to the file view and navigate to the file. Right-clicking any file lets you view it as text, image, audio, video or PDF, depending on its type. The file opens in the pane on the right-hand side of the screen, from which you can extract and save it.
The answer can also be found in nmapscan.xml. The user Hunter ran the command nmap -T4 -A -v scanme.nmap.org. None of those options selects ports (-T4 sets the timing template, -A enables OS and version detection, scripts and traceroute, -v is verbosity), so nmap fell back to its default of the 1000 most common TCP ports; the scaninfo element in the XML records this in its numservices attribute.
The answer can also be found in nmapscan.xml. As can be seen in the picture below, ports 22, 25, 26, 80, 9929 and 31337 were found open.
The answer can also be found in nmapscan.xml. As can be seen in the picture below, the version of the network scanner running on the computer is 7.12 (recorded in the version attribute of the nmaprun root element).
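The three questions above all come out of the structure of nmap's XML output, so it is worth extracting them programmatically rather than reading the file by eye. The script below is an added example, not part of the original post or of ArtiFast: it parses an nmap XML report with the standard library and pulls out the command line, the scanner version, the number of ports probed (numservices) and the open ports per host, and it cross-checks that the listed ports plus the extraports counts add up to the number scanned. The embedded report is constructed for the demo; its command line, version and open ports mirror the page, while the address, service names and the closed-port count are made up.

```python
import xml.etree.ElementTree as ET

# Constructed sample in nmap's XML output format; NOT the real nmapscan.xml
# from the image. args, version and open ports follow the page; everything
# else (address, services, closed-port count) is made up for illustration.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -T4 -A -v scanme.nmap.org"
  start="1466510400" version="7.12" xmloutputversion="1.04">
<scaninfo type="syn" protocol="tcp" numservices="1000" services="1,3-4,6-7,9,13,17,19-26"/>
<host starttime="1466510400" endtime="1466510430">
<status state="up" reason="echo-reply"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<hostnames><hostname name="scanme.nmap.org" type="user"/></hostnames>
<ports>
<extraports state="closed" count="994"/>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
<port protocol="tcp" portid="25"><state state="open" reason="syn-ack"/><service name="smtp"/></port>
<port protocol="tcp" portid="26"><state state="open" reason="syn-ack"/><service name="rsftp"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
<port protocol="tcp" portid="9929"><state state="open" reason="syn-ack"/><service name="nping-echo"/></port>
<port protocol="tcp" portid="31337"><state state="open" reason="syn-ack"/><service name="Elite"/></port>
</ports>
</host>
<runstats><finished time="1466510430" elapsed="30.00"/><hosts up="1" down="0" total="1"/></runstats>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return command line, scanner version, ports probed and open ports per host."""
    root = ET.fromstring(xml_text)
    if root.tag != "nmaprun":
        raise ValueError("not an nmap XML report (root element is %r)" % root.tag)

    # numservices is how many ports nmap actually probed. With no -p option
    # this is the default top-1000 list, which is why "-T4 -A -v" yields 1000.
    scaninfo = root.find("scaninfo")
    ports_scanned = int(scaninfo.get("numservices")) if scaninfo is not None else None

    hosts = []
    for host in root.findall("host"):
        addr_el = host.find("address")
        name_el = host.find("hostnames/hostname")
        open_ports, accounted = [], 0
        ports_el = host.find("ports")
        if ports_el is not None:
            # Ports in a common state are collapsed into <extraports count=...>;
            # only "interesting" ports get their own <port> element.
            for extra in ports_el.findall("extraports"):
                accounted += int(extra.get("count"))
            for port in ports_el.findall("port"):
                accounted += 1
                state = port.find("state")
                if state is not None and state.get("state") == "open":
                    svc = port.find("service")
                    open_ports.append({
                        "port": int(port.get("portid")),
                        "proto": port.get("protocol"),
                        "service": svc.get("name") if svc is not None else None,
                    })
        hosts.append({
            "address": addr_el.get("addr") if addr_el is not None else None,
            "hostname": name_el.get("name") if name_el is not None else None,
            "open_ports": sorted(open_ports, key=lambda p: p["port"]),
            # Should equal ports_scanned; a mismatch means the report is truncated.
            "ports_accounted": accounted,
        })

    return {"args": root.get("args"), "version": root.get("version"),
            "ports_scanned": ports_scanned, "hosts": hosts}


if __name__ == "__main__":
    # For a real report: parse_nmap_xml(open("nmapscan.xml", encoding="utf-8").read())
    report = parse_nmap_xml(SAMPLE_XML)
    print("command :", report["args"])
    print("version :", report["version"])
    print("scanned :", report["ports_scanned"], "ports")
    for h in report["hosts"]:
        print(h["hostname"] or h["address"], "open:",
              ", ".join("%d/%s %s" % (p["port"], p["proto"], p["service"]) for p in h["open_ports"]))
```

The accounting check is the useful part: if ports_accounted is lower than numservices, the XML was cut off (for example the scan was interrupted and the runstats element is missing), and any "ports found open" answer drawn from it is incomplete.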
The answer can be found in the Skype Text Messages artifact under the Instant Messaging category. The employee exchanged several messages with a user named Linux rul3z.
The answer can also be found in the Skype Text Messages artifact. As can be seen in the picture below, the employee and the external attacker agreed on using TeamViewer.
For the second part of the question, the answer can be found in the UserAssist artifact under the Registry category. As can be seen in the picture below, the suspect ran TeamViewer at 2016-06-21 12:00:43.
The answer can be found in the Skype Accounts artifact under the Instant Messaging category. The email address of the suspect employee is ehptmsgs@gmail.com.
To find the file, switch to the file view and navigate to the Documents directory. Right-clicking any PDF opens it in the viewer, so each can be checked in turn. As can be seen in the picture below, the file discussing data exfiltration techniques is Ryan_VanAntwerp_thesis.pdf.
The answer can be found in the USB Forensics artifact under the OS category. The serial numbers of the two identified USB storage devices are 07B20C03C80830A9 and AAI6UXDKZDV8E9OU.
To find the application, switch to the file view and navigate to Program Files (x86). As can be seen in the picture below, the application is Jetico BCWipe.
As can be seen in the picture below, 174 prefetch files were discovered on the system.
The answer can be found in the Prefetch artifact under the OS category. According to the run counter in its prefetch file, the file shredder application was executed 5 times.
As can be seen in the picture below, ZENMAP.EXE-56B17C4C.pf was last executed on June 21, 2016 at 12:08:13 PM, which matches the last execution time recorded for Zenmap in UserAssist above.
The answer can be found in the Outlook PST/OST artifact under the Email category. As can be seen in the picture below, the name of the attachment is Pictures.7z.
As indicated in the question, the answer can be found in the Shellbags artifact under the OS category. The full path to the folder is C:\Users\Hunter\Pictures\Exfil.