Hunter
(Write-up)
This is more of a guide to obtaining the answers. I believe this approach is more appropriate for the learning journey.
Overview
The SOC team got an alert regarding some illegal port scanning activity coming from an employee's system. The employee was not authorized to do any port scanning or any offensive hacking activity within the network. The employee claimed that he had no idea about it and that it was probably malware acting on his behalf. The IR team managed to respond immediately and take a full forensic image of the user's system to perform some investigations.
There is a theory that the user intentionally installed illegal applications to do port scanning and maybe other things. He was probably planning something bigger, far beyond port scanning!
It all began when the user asked for a salary raise that was rejected. After that, his behavior was abnormal and different. The suspect is believed to have weak technical skills, and there might be an outsider helping him!
Supportive Tools
Image Mounting in FTK Imager
I used FTK Imager to mount the logical disk image. It is a next-next-next process: no hard work, just a few clicks.
Questions
For questions 1 - 8 we will use the registry hives acquired from the Hunter.ad1 image, specifically from this path: /Windows/System32/config.
1 - What is the computer name of the suspect machine?
Using RegistryExplorer, load the SYSTEM hive acquired from Windows/System32/config in the image, then navigate to \ControlSet001\Control\ComputerName\ComputerName. An offline hive has no CurrentControlSet link, so check \Select\Current first: its value is the number of the control set that was active at the last boot, and that is the one to read (here it is ControlSet001).
The answer can be obtained from the ComputerName value.
2 - What is the computer IP?
Still in the SYSTEM hive with RegistryExplorer, navigate to \ControlSet001\Services\Tcpip\Parameters\Interfaces\{} (one subkey per network interface, named by its GUID; pick the one whose values are populated).
The answer can be obtained from the DhcpIPAddress value. If the adapter had been configured statically, the address would instead be in the IPAddress value and the Dhcp* values would be absent or empty.
3 - What was the DHCP LeaseObtainedTime?
Using RegistryExplorer, in the same interface subkey \ControlSet001\Services\Tcpip\Parameters\Interfaces\{}
We find 1466475852 under LeaseObtainedTime.
The answer can be obtained by converting this value, which is UNIX epoch time (seconds since 1970-01-01 00:00:00 UTC), to a human-readable timestamp. Note that this is not the FILETIME format used for registry key last-write times, so do not feed it to a FILETIME converter.
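To do the conversion without leaving the analysis VM, and to avoid mixing up the two timestamp formats found in the registry, here is an added Python example; it is not part of the original write-up or of any tool it mentions. The LeaseObtainedTime value is the one read from the hive above; the FILETIME sample value is constructed for illustration, and the thresholds used to tell the two formats apart are an assumption of this example, not something the write-up states.

```python
from datetime import datetime, timedelta, timezone

# LeaseObtainedTime as read from the SYSTEM hive in the write-up (Unix epoch seconds, UTC).
LEASE_OBTAINED_TIME = 1466475852

# Offset between the FILETIME epoch (1601-01-01) and the Unix epoch (1970-01-01),
# expressed in 100-nanosecond ticks.
EPOCH_DIFF_100NS = 116_444_736_000_000_000

# Constructed sample: the same instant as LEASE_OBTAINED_TIME, but encoded as FILETIME.
# Registry key last-write times use this format; DHCP lease values do not.
SAMPLE_FILETIME = EPOCH_DIFF_100NS + LEASE_OBTAINED_TIME * 10_000_000


def unix_to_utc(seconds: int) -> datetime:
    """DHCP values (LeaseObtainedTime, LeaseTerminatesTime, T1, T2) are Unix epoch seconds."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def filetime_to_utc(filetime: int) -> datetime:
    """FILETIME is the count of 100 ns ticks since 1601-01-01 00:00:00 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)


def classify_and_convert(value: int):
    """Guess the encoding of a raw registry timestamp and convert it.

    Assumed heuristic: any FILETIME for a date after 1970 is >= EPOCH_DIFF_100NS (~1.16e17),
    while Unix epoch seconds stay below 1e10 until the year 2286. Values in between are
    ambiguous and rejected rather than silently misinterpreted.
    """
    if value >= EPOCH_DIFF_100NS:
        return ("FILETIME", filetime_to_utc(value))
    if 0 <= value < 10_000_000_000:
        return ("unix", unix_to_utc(value))
    raise ValueError(f"{value} does not look like a Unix epoch or FILETIME value")


def format_answer(dt: datetime) -> str:
    """Render in the day/month/year UTC layout used for the challenge answer."""
    return dt.strftime("%d/%m/%Y %H:%M:%S UTC")


if __name__ == "__main__":
    kind, when = classify_and_convert(LEASE_OBTAINED_TIME)
    print(kind, format_answer(when))
    kind, when = classify_and_convert(SAMPLE_FILETIME)
    print(kind, format_answer(when))
```

Run it and the first line gives the lease time in UTC; the second line shows that the constructed FILETIME decodes to the same instant, which is the round-trip check to run whenever you are unsure which encoding a value uses.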
4 - What is the computer SID?
Using RegistryExplorer, load the SOFTWARE hive this time and navigate to \Microsoft\Windows NT\CurrentVersion\ProfileList.
The subkeys under ProfileList are named after the SIDs of the accounts that have a profile on the box. The well-known service SIDs (S-1-5-18, S-1-5-19, S-1-5-20) carry no machine identifier; the local user profiles are named S-1-5-21-<A>-<B>-<C>-<RID>, and the machine SID is that name with the trailing RID removed. The answer can be obtained by taking one of the S-1-5-21 subkey names and dropping its last component.
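The following is an added Python example, not from the write-up, that automates this derivation over a list of ProfileList subkey names and labels each RID. The sample key names are constructed and the S-1-5-21 components are made up; they are not the values from the Hunter image. It also shows the caveat you hit on a domain-joined host, where domain profiles introduce a second S-1-5-21 prefix and the shared-prefix rule alone cannot pick the machine SID.

```python
import re

# Constructed sample of ProfileList subkey names, as a registry viewer would list them.
# The numeric components are made up for illustration only.
SAMPLE_PROFILE_KEYS = [
    "S-1-5-18",
    "S-1-5-19",
    "S-1-5-20",
    "S-1-5-21-1111111111-2222222222-3333333333-500",
    "S-1-5-21-1111111111-2222222222-3333333333-1001",
]

# Account SIDs issued by a local machine or a domain: S-1-5-21-<A>-<B>-<C>-<RID>.
SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)$")

# Well-known service SIDs that always appear in ProfileList and carry no machine identifier.
WELL_KNOWN = {
    "S-1-5-18": "LocalSystem",
    "S-1-5-19": "LocalService",
    "S-1-5-20": "NetworkService",
}


def split_sid(sid: str):
    """Return (issuer_sid, rid) for an S-1-5-21 account SID, or None for anything else."""
    m = SID_RE.match(sid)
    if not m:
        return None
    a, b, c, rid = m.groups()
    return (f"S-1-5-21-{a}-{b}-{c}", int(rid))


def machine_sid(profile_keys):
    """Derive the machine SID as the prefix shared by all S-1-5-21 profiles.

    If more than one prefix is present (typically a domain-joined machine with domain user
    profiles), refuse to guess: the SAM hive is the authority on which prefix is local.
    """
    prefixes = {parts[0] for parts in map(split_sid, profile_keys) if parts}
    if len(prefixes) != 1:
        raise ValueError(f"expected exactly one issuer prefix, found {sorted(prefixes)}")
    return prefixes.pop()


def describe(profile_keys):
    """Label each profile key so an analyst can see at a glance which ones are real users."""
    result = []
    for key in profile_keys:
        parts = split_sid(key)
        if parts is None:
            result.append((key, WELL_KNOWN.get(key, "well-known")))
            continue
        _, rid = parts
        if rid == 500:
            label = "built-in Administrator"
        elif rid == 501:
            label = "built-in Guest"
        elif rid >= 1000:
            label = "local user"
        else:
            label = "other"
        result.append((key, label))
    return result


if __name__ == "__main__":
    for key, label in describe(SAMPLE_PROFILE_KEYS):
        print(f"{key:50} {label}")
    print("machine SID:", machine_sid(SAMPLE_PROFILE_KEYS))
```

RIDs from 1000 upward are the accounts created on the machine, which is where the suspect's profile will be; RID 500 is the built-in Administrator whether or not it has been renamed.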
5 - What is the Operating System(OS) version?
Using RegistryExplorer, in the SOFTWARE hive navigate to \Microsoft\Windows NT\CurrentVersion\
The answer can be obtained from the ProductName value. If you also need the exact build, the CurrentVersion, CurrentBuild and CurrentBuildNumber values sit in the same key, and on older releases CSDVersion records the installed service pack.