TryHackMe: Digital Forensics Case B4DM755

Walking you through the tasks!

Tanmay Teckchandani
InfoSec Write-ups


https://tryhackme.com/room/caseb4dm755

What is Digital Forensics?

Digital forensics is like being a detective, but instead of solving mysteries in the real world, we solve mysteries on computers and other electronic devices. We look for clues and evidence to figure out what happened.

TASK #1: Introduction

Read the intro and get familiar with the basics of digital forensics and cryptography using the links provided.

TASK #2: Case B4DM755 — Details of Crime

This is a simple task: read the details of the case and answer the questions, which are very straightforward.

Q1:

Q2, Q3, Q4:

TASK #3: Practical Application of Digital Forensics Process

This task explains how to collect digital artefacts and evidence in the proper way. As in Task 2, read the material and answer the simple questions.

Q1:

Q2, Q3:

TASK #4: Case B4DM755 — At the scene of Crime

You are given a scenario where you (the DFIR First Responder) are at the crime scene accompanied by the Field Operatives. Document, label, and preserve the artefact found, complete the Chain of Custody form, and then transport the artefact to the Forensics Laboratory for further examination.

Q1:

Q2, Q3:

To answer these two questions, read Task #3 again. It is very simple.
Hint: for Q2 find the answer in the Task 3 Q1 screenshot; for Q3 find the answer in the Task 3 Q2/Q3 screenshot.

TASK #5: Intro to FTK Imager

It’s a forensics tool that allows forensic specialists to acquire computer data and perform analysis without affecting the original evidence, preserving its authenticity, integrity, and validity for presentation during a trial in a court of law.

Start the VM, and while the machine is starting you can read about the tool and get familiar with it.

Q2:

Q3, Q5:

Q4:

After you load the evidence item, navigate to File → “Detect EFS Encryption”. You will get your answer.

TASK #6: Using FTK to acquire digital artefacts and evidence

  1. First you will learn how to create a raw image of the physical drive and collect the hash details.
  2. Then you will mount the raw image you created to collect evidence.

Q1:

Q2:

Once the image creation is complete, you can copy the SHA-1 hash.

Q3:

Go to the actual flash drive and tick the option to show hidden files. Hidden files plus visible files = total files.

Q4:

Compare the recovered files with the files on the actual flash drive (you can see them in Windows Explorer). Recovered files − files on the flash drive = answer.

Q5:

Check the number of files with a size of 0 KB.
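Q2 and Q5 of this task rest on two checks every examiner repeats outside the GUI: confirming that an image still matches the acquisition hash, and counting recovered files that came back empty. The script below is an added example (not part of the room or this write-up) that performs both over constructed sample data; the file names, the stand-in "raw image" bytes and the "recovered" tree are all invented for the demonstration, and the acquisition hashes are computed from the untouched sample to stand in for the values the imaging tool reports.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

CHUNK_SIZE = 1024 * 1024  # stream the image in 1 MiB pieces so large images never sit in memory


def hash_image(path, algorithms=("md5", "sha1")):
    """Read the image once and return {algorithm: hex digest} for every requested algorithm."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK_SIZE), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(path, expected):
    """Compare freshly computed digests with the acquisition hashes recorded by the imaging tool.

    `expected` maps algorithm name -> hex digest as written on the acquisition record.
    Returns {algorithm: True/False}; any False means the image no longer matches the original.
    """
    actual = hash_image(path, tuple(expected))
    return {name: actual[name] == expected[name].strip().lower() for name in expected}


def count_zero_byte_files(root):
    """Count recovered files whose size is 0 bytes (shown as 0 KB in Explorer)."""
    return sum(1 for p in Path(root).rglob("*") if p.is_file() and p.stat().st_size == 0)


def build_sample_case(root):
    """Constructed sample data: a stand-in 'raw image' and a small tree of 'recovered' files.

    Nothing here is the room's evidence; it only gives the functions above something to run on.
    """
    root = Path(root)
    image = root / "flashdrive.001"
    image.write_bytes(b"CONSTRUCTED-RAW-IMAGE-BYTES\n" * 2048)

    recovered = root / "recovered"
    (recovered / "sub").mkdir(parents=True)
    (recovered / "report.docx").write_bytes(b"x" * 10)
    (recovered / "empty1.txt").write_bytes(b"")
    (recovered / "sub" / "empty2.log").write_bytes(b"")
    (recovered / "sub" / "photo.jpg").write_bytes(b"\xff\xd8\xff" + b"\x00" * 5)
    return image, recovered


def run_demo():
    """Run both checks on the constructed sample and return the results as a dict."""
    with tempfile.TemporaryDirectory() as tmp:
        image, recovered = build_sample_case(tmp)

        # The acquisition hashes would normally be copied from the imaging tool's verification
        # window; here they are computed from the untouched sample to play that role.
        acquisition = hash_image(image)

        # A byte-for-byte copy verifies; a copy with a single appended byte does not.
        pristine = Path(tmp) / "copy_ok.001"
        tampered = Path(tmp) / "copy_bad.001"
        shutil.copyfile(image, pristine)
        shutil.copyfile(image, tampered)
        with open(tampered, "ab") as fh:
            fh.write(b"\x00")

        return {
            "pristine": verify_image(pristine, acquisition),
            "tampered": verify_image(tampered, acquisition),
            "zero_byte_files": count_zero_byte_files(recovered),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Computing MD5 and SHA-1 in one pass matters on real images, which can run to hundreds of gigabytes; the tampered copy shows why the hash is re-checked before analysis rather than trusted from the label alone.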

TASK #7: At Forensics Lab

Q1:

Q2:

Q3, Q4:

Run exiftool from cmd to get the answer.

Q5:

Again use exiftool from cmd, this time on the “warehouse.pdf” file.

Q6:

If you use exiftool to check the operations.xlsx file, you will see it is a zip file type. Once you rename the file to .zip you can see its contents. In there you will find notes.txt; if you open it, you will see a suspicious email.
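The zip signature on its own is not the tell here: every genuine .xlsx is an OOXML package, which is itself a zip, so what gives the file away is that its entries are not the ones a workbook carries. The script below is an added example (not from the room or this write-up) that checks the leading bytes regardless of extension, lists the entries, and flags anything a real workbook would not contain. The signature table, the OOXML entry names and the sample "operations.xlsx" holding a notes.txt are constructed for the demonstration; the note's text is invented and not the room's content.

```python
import tempfile
import zipfile
from pathlib import Path

# Well-known leading bytes ("magic numbers") for a few common formats. Constructed lookup table
# for this example; a real triage would lean on libmagic or exiftool as the write-up does.
SIGNATURES = (
    (b"PK\x03\x04", "zip container (also used by OOXML .docx/.xlsx/.pptx, .jar, .apk)"),
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"MZ", "windows pe executable"),
)

# Entries every genuine Excel workbook (OOXML package) carries, and the folders its parts live in.
OOXML_REQUIRED = ("[Content_Types].xml", "xl/workbook.xml")
OOXML_PREFIXES = ("xl/", "_rels/", "docProps/", "customXml/")


def sniff_type(path):
    """Identify a file by its leading bytes, ignoring whatever extension it was given."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    for magic, kind in SIGNATURES:
        if head.startswith(magic):
            return kind
    return "unknown"


def inspect_container(path):
    """List a zip-based file's entries and flag those that do not belong in a real workbook.

    zipfile does not care about the extension, so no rename is needed to look inside.
    """
    with zipfile.ZipFile(path) as zf:
        names = zf.namelist()
    is_workbook = all(req in names for req in OOXML_REQUIRED)
    unexpected = [
        n for n in names
        if n not in OOXML_REQUIRED and not n.startswith(OOXML_PREFIXES)
    ]
    return {"entries": names, "is_workbook": is_workbook, "unexpected": unexpected}


def read_text_entry(path, name, limit=4096):
    """Return the first `limit` bytes of a text entry, decoded leniently."""
    with zipfile.ZipFile(path) as zf:
        with zf.open(name) as entry:
            return entry.read(limit).decode("utf-8", errors="replace")


def build_sample(root):
    """Constructed sample: a file called operations.xlsx that is really a plain zip with a note in it."""
    sample = Path(root) / "operations.xlsx"
    with zipfile.ZipFile(sample, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes.txt", "constructed sample note: nothing here is from the room\n")
    return sample


def run_demo():
    """Build the sample, run the three checks on it, and return one report dict."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = build_sample(tmp)
        report = inspect_container(sample)
        report["kind"] = sniff_type(sample)
        report["notes"] = read_text_entry(sample, "notes.txt")
        return report


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running the same `inspect_container` on a real spreadsheet reports `is_workbook: True` and an empty `unexpected` list, which is the comparison that makes the renamed archive stand out.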

Q7, Q8, Q9:

Check the notes.txt file; you will find the answers there.

Q10:

Open pandorasbox.zip with the password you found in Q9. Then open the Python file “main.py” with Notepad and you will find the answer.

Q11:

Open the file “UTCL…” under the MUST_CLEAN folder.

Q12:

If you open the “DONOTOPEN” file with Notepad, you will get the FLAG.

TASK #8: Post Analysis of Evidence to Court Proceedings

It’s a simple task where you read about the Phases of Investigation and answer straightforward questions.

Thank you! I hope you enjoyed the walk-through. Cheers!
Happy Hacking :-)
