Disk Analysis & Autopsy

Ready for a challenge? Use Autopsy to investigate artifacts from a disk image.

medium

45 min

Task 1: Windows 10 Disk Image

In the attached VM, there is an Autopsy case file and its corresponding disk image. After loading the .aut file, make sure to re-point Autopsy to the disk image file.


Ingest Modules have already been run for your convenience.

Your task is to perform a manual analysis of the artifacts discovered by Autopsy to answer the questions below.

This room should help to reinforce what you learned in the Autopsy room. Have fun investigating!

RDP Machine Details:

  • IP: MACHINE_IP
  • Username: administrator
  • Password: letmein123!

Answer the questions below
What is the MD5 hash of the E01 image?

What is the computer account name?

List all the user accounts. (alphabetical order)

Who was the last user to log into the computer?

What was the IP address of the computer?

What was the MAC address of the computer? (XX-XX-XX-XX-XX-XX)

What is the name of the network card on this computer?

What is the name of the network monitoring tool?

A user bookmarked a Google Maps location. What are the coordinates of the location?

A user has his full name printed on his desktop wallpaper. What is the user's full name?

A user had a file on her desktop. It had a flag but she changed the flag using PowerShell. What was the first flag?

The same user found an exploit to escalate privileges on the computer. What was the message to the device owner?

2 hack tools focused on passwords were found in the system. What are the names of these tools? (alphabetical order)

There is a YARA file on the computer. Inspect the file. What is the name of the author?

One of the users wanted to exploit a domain controller with an MS-NRPC based exploit. What is the filename of the archive that you found? (include the spaces in your answer) 

Room Type

Free Room. Anyone can deploy virtual machines in the room (without being subscribed)!

Users in Room

37,066

Created

1534 days ago
