Dr. Ali Hadi recently posted another challenge image, this one (#7) being a lot closer to a real-world challenge than a lot of the CTFs I’ve seen over the years. What I mean by that is that in the 22+ years I’ve done DFIR work, I’ve never had a customer pose more than 3 to 5 questions that they wanted answered, certainly not 51. And, I’ve never had a customer ask me for the volume serial number in the image. Never. So, getting a challenge that had a fairly simple and straight forward “ask” (i.e., something bad may have happened, what was it and when??) was pretty close to real-world.
I will say that there have been more than a few times where, following the answers to those questions, customers would ask additional questions…but again, not 37 questions, not 51 questions (like we see in some CTFs). And for the most part, the questions were the same regardless of the customer; once whatever it was was identified, questions of risk and reporting would come up, was any data taken, and if so, what data?
I worked the case from my perspective, and as promised, posted my findings, including my case notes and timeline excerpts. I also added a timeline overlay, as well as MITRE ATT&CK mappings (with observables) for the “case”.
Jiri Vinopal posted his findings in this tweet thread; I saw the first tweet with the spoiler warning, and purposely did not pursue the rest of the thread until I’d completed my analysis and posted my findings. Once I posted my findings and went back to the thread, I saw this comment:
“…but it could be Windows server etc..so prefetching could be disabled…”
True, the image could be of a Windows server, but that’s pretty trivial to check, as illustrated in figure 1.
This article has been indexed from Windows Incident Response
Read the original article: Post navigation |