Monday, December 19, 2016

Forensic CTF: Baud.. James Baud ANSWERS

Here are the answers to the Forensic CTF. The main idea behind this scenario was to analyze a memory image that doesn't seem to work with any Volatility profile (it's 32-bit Windows 10 - who uses that?). Most of the answers can be retrieved through string searching, coreutils, and pivoting off each piece of data you recover. Please send me feedback on Twitter @securitymustard. Thanks and Merry Christmas!

1. Whose computer is this evidence from? Roger Moore
2. Who is the other actor? Sean Connery
3. What email service are they using (include TLD)? protonmail.com
4. What makes this email service difficult to analyze? encryption
5. What is the email address of the user? notroger@protonmail.com
6. What email address does he correspond with? notconnery@protonmail.com
7. What type of file is the payload? html application .hta
8. What is the first Google search the user made about the other individual? sean connery is a fake
9. What is the second Google search the user made about the other individual? sean connery scandal
10. What is the third Google search the user made about the other individual? compromising photo sean connery
11. What IP address was used by the attacker for C2? 128.199.170.85
12. What is the exact name of the payload? conneryhaters[1].hta or conneryhaters.hta
13. What is the first time the user logged into their email (MM/DD/YYYY H:MM:SS AM/PM)? 10/29/2016 10:05:47 PM
14. What is the mail server name used to send these messages? mail.protonmail.ch
15. What is the UTC time of the initial email (as stated in the email header)? October 30, 2016 2:11 AM
16. What is the email subject of the first threatening email sent by the user? 24 HOURS UNTIL THE WORLD KNOWS THE TRUTH
17. What insult does the other individual use in his response? rather cheeky fearlash bashtard
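
The approach the introduction describes (string searching, then pivoting off each value found) as an added Python example that is not part of the original post: it carves ASCII and UTF-16LE strings from a byte blob, the same two passes `strings -a` and `strings -el` make over a Windows memory image, then pivots from the e-mail addresses to the provider's other hosts and to the payload name. The blob is constructed here and only embeds a few of the values from the answer list; it is not the CTF image.

```python
import re

# Constructed sample "memory image": binary junk around a few ASCII and
# UTF-16LE strings of the kind a Windows process leaves behind. The values
# are the ones the answer list reports; the bytes themselves are made up.
SAMPLE_IMAGE = (
    b"\x00\x01\x02"
    + b"From: notconnery@protonmail.com\r\n"
    + b"\xff\xfe"
    + "Subject: 24 HOURS UNTIL THE WORLD KNOWS THE TRUTH".encode("utf-16-le")
    + b"\x00\x00\x90"
    + "C:\\Users\\roger\\Downloads\\conneryhaters[1].hta".encode("utf-16-le")
    + b"\x7f"
    + b"https://mail.protonmail.ch/api"
    + b"\x00\x00"
    + b"Host: 128.199.170.85\r\n"
    + b"\x80"
)

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def carve_strings(data: bytes, min_len: int = 6) -> list:
    """Printable ASCII runs followed by UTF-16LE runs (each char is a
    printable byte plus a NUL), at least min_len characters long."""
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    wide_runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    return [r.decode("ascii") for r in ascii_runs] + [
        r.decode("utf-16-le") for r in wide_runs
    ]


def pivot(strings: list) -> dict:
    """First pass: e-mail addresses and IPv4 addresses. Second pass: pivot on
    the mail provider's name (domain minus TLD) so that hosts under another
    TLD, such as the provider's mail server, surface too; also list anything
    that looks like an .hta payload."""
    emails = sorted({m.group(0) for s in strings for m in EMAIL_RE.finditer(s)})
    ips = sorted({m.group(0) for s in strings for m in IPV4_RE.finditer(s)})
    labels = {e.split("@")[1].split(".")[0] for e in emails}
    related = [s for s in strings if any(lbl in s for lbl in labels)]
    payloads = [s for s in strings if s.lower().endswith(".hta")]
    return {"emails": emails, "ips": ips, "related": related, "payloads": payloads}


if __name__ == "__main__":
    for key, values in pivot(carve_strings(SAMPLE_IMAGE)).items():
        print(key, values)
```

On a real image, replace `SAMPLE_IMAGE` with the file's bytes (or a memory-mapped view) and keep `min_len` at 6 or higher, or the ASCII pass drowns in noise.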
