Insider
Always open malware in a secure environment like a VM.
Before we begin, we need to add the evidence item to FTK Imager as an image.

Q1. What distribution of Linux is being used on this machine?
We can find the distribution in the boot directory.

Q2. What is the MD5 hash of the apache access.log?
The access.log for apache is located in the var/log/ directory. In the bottom left corner, the MD5 hash can be seen.
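FTK Imager computes the hash for us, but it is worth being able to reproduce it independently, for example when writing up the case or when the same file is pulled from a second copy of the image. The following is an added example, not part of the original write-up: it hashes a file in chunks (so large logs do not have to fit in memory) and compares the result against an expected digest. The sample file is constructed on the fly; the only fixed value it relies on is the well-known MD5 of an empty file, d41d8cd98f00b204e9800998ecf8427e, which is a handy sanity check whenever a log turns out to be empty.

```python
import hashlib
import os
import tempfile


def md5_of_bytes(data: bytes) -> str:
    """MD5 hex digest of an in-memory byte string."""
    return hashlib.md5(data).hexdigest()


def md5_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """MD5 hex digest of a file, read in 1 MiB chunks so large logs stream through."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_md5(path: str, expected: str) -> bool:
    """True when the file's digest matches the expected one (case-insensitive)."""
    return md5_of_file(path) == expected.strip().lower()


def write_sample(data: bytes) -> str:
    """Write constructed sample content to a temp file and return its path."""
    fd, path = tempfile.mkstemp(prefix="access.log.")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


# MD5 of a zero-length file: a constant worth memorising for log triage.
EMPTY_FILE_MD5 = "d41d8cd98f00b204e9800998ecf8427e"

if __name__ == "__main__":
    empty_log = write_sample(b"")            # constructed: an empty access.log
    print(md5_of_file(empty_log))            # d41d8cd98f00b204e9800998ecf8427e
    print(verify_md5(empty_log, EMPTY_FILE_MD5))
    os.remove(empty_log)
```

Run it against the exported access.log path instead of the temp file to cross-check the value FTK Imager reports.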

Q3. It is believed that a credential dumping tool was downloaded. What is the file name of the download?
We can go to the Downloads folder to check what file has been downloaded.

Q4. There was a super-secret file created. What is the absolute path?
There is a bash_history file in the root directory. It has all the commands that have been entered.

Q5. What program used didyouthinkwedmakeiteasy.jpg during execution?
This is also included in the bash_history file.

Q6. What is the third goal from the checklist Karen created?
On the Desktop there is a Checklist file which has the answer we want.

Q7. How many times was apache run?
Let's look back at the access.log file for apache.

We can see that the file is empty, which means that apache wasn't run at all.
Q8. It is believed this machine was used to attack another. What file proves this?
In the root directory there is a screenshot named irZLAohL.jpeg that shows the user running aylmao.exe. This executable generates malicious network traffic.

Q9. Within the Documents file path, it is believed that Karen was taunting a fellow computer expert through a bash script. Who was Karen taunting?
Fortunately Karen has documented her attack in the myfirsthack folder. Inside the firstscript_fixed file, we can see who she was taunting.

Q10. A user su'd to root at 11:26 multiple times. Who was it?
We can go through the auth.log file to find the user.

Q11. Based on the bash history, what is the current working directory?
If we go through the bash_history from the bottom up, we can see the current working directory.
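Reading bash_history from the bottom up means: walk backwards until you hit a cd with an absolute path (or a cd home), then replay every cd after that point. The following is an added example, not part of the original write-up, that automates exactly that. It handles cd with no argument, ~ and ~/..., relative and absolute paths, .. and . components, and several commands on one line joined by && or ;. The history text is constructed for the example and the home directory is an assumed parameter (default /root, since the page is looking at root's history); cd - cannot be resolved statically and is reported as an error rather than guessed.

```python
import posixpath
import re
import shlex

# Constructed sample .bash_history; not the contents of the challenge image.
SAMPLE_HISTORY = """\
ls
cd /home/karen/Documents
mkdir myfirsthack
cd myfirsthack
nano firstscript
cd ..
cd ../Downloads && ls
cd ~
cd /tmp/work
cd ..
cd ./work/../stage
ls -la
"""


def _cd_targets(line: str):
    """Yield the argument of each cd on a history line, in left-to-right order."""
    for part in re.split(r"\s*(?:&&|\|\||;)\s*", line.strip()):
        try:
            argv = shlex.split(part)
        except ValueError:  # unbalanced quotes: not a well-formed command, skip it
            continue
        if argv and argv[0] == "cd":
            yield argv[1] if len(argv) > 1 else "~"


def _is_anchor(target: str) -> bool:
    """An absolute or home-relative cd fixes the directory regardless of history before it."""
    return target.startswith("/") or target == "~" or target.startswith("~/")


def _apply_cd(cwd: str, target: str, home: str) -> str:
    if target == "-":
        raise ValueError("'cd -' depends on OLDPWD and cannot be resolved from history alone")
    if target == "~":
        return home
    if target.startswith("~/"):
        return posixpath.normpath(posixpath.join(home, target[2:]))
    if target.startswith("/"):
        return posixpath.normpath(target)
    return posixpath.normpath(posixpath.join(cwd, target))


def reconstruct_cwd(history_text: str, home: str = "/root") -> str:
    """Bottom-up scan to the nearest anchoring cd, then forward replay of the cds after it.
    With no anchor at all, the shell is assumed to have started in `home`."""
    pending = []  # cd targets collected newest-first
    anchored = False
    for line in reversed(history_text.splitlines()):
        for target in reversed(list(_cd_targets(line))):
            pending.append(target)
            if _is_anchor(target):
                anchored = True
                break
        if anchored:
            break
    cwd = home
    for target in reversed(pending):  # replay oldest-first from the anchor
        cwd = _apply_cd(cwd, target, home)
    return cwd


if __name__ == "__main__":
    print(reconstruct_cwd(SAMPLE_HISTORY))  # /tmp/stage
```

Because the scan stops at the first anchor it meets walking upwards, it only ever needs the tail of the file, which is the same shortcut the manual bottom-up read relies on.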
