Information: A user reported strange computer activity to their support staff. Support was so good that the first thing they did was to snap a memory image before the computer was rebooted. Once the technical staff acquired the memory, they were also able to grab an image of the system partition. Your goal is to find answers to the questions below.
Rules: Use whatever tools you want. Sometimes it takes a combination of tools to find what you need.
7zip File link: https://drive.google.com/open?id=0B2p_OxQeXHAjTEM0MW9EU3cza00 It’s around 5 gig.
7zip pass: Ch4ll3ng3
Note: Everything on the disk prior to 2017 was not created by me.
1. Find information about the system from the images. What OS? Patch Level?
2. List all running processes from memory. Can you get their privileges? Anything out of the ordinary? What process(s) do you think the attacker using?
3. Can you find a list of auto start services from memory?
4. Can you get Internet and search history from memory and disk? What was the victim doing before the attack? Can you extract that data?
5. Can you get any PCAP from memory?
6. Were any files created during or after the attack? Can you view and extract them? What other information can you get out?
7. Can you recover any deleted files?
8. Were there any users created, and can you get the access rights of all users?
9. Can you dump any password hashes, and can you crack any of the passwords?
10. How did this system get popped? Recreate the story. Include the attack vector and any supporting evidence.
11. What was the vulnerable software and what exploit(s) did the attacker use?