Insider
Always open malware in a secure environment like a VM.
Before we begin, we need to add the evidence item to FTK Imager as an image.

Q1. What distribution of Linux is being used on this machine?
We can find the distribution in the boot directory.

Q2. What is the MD5 hash of the apache access.log?
The access.log for apache is located in the var/log/ directory. When the file is selected in FTK Imager, the MD5 hash can be seen in the bottom-left corner.

Q3. It is believed that a credential dumping tool was downloaded. What is the file name of the download?
We can go to the Downloads folder in order to check what file has been downloaded.

Q4. There was a super-secret file created. What is the absolute path?
There is a bash_history file in the root directory. It has all the commands that have been entered.

Q5. What program used didyouthinkwedmakeiteasy.jpg during execution?
This is also included in the bash_history file.

Q6. What is the third goal from the checklist Karen created?
On the Desktop there is a Checklist file which has the answer we want.

Q7. How many times was apache run?
Let's look back at the access.log file for apache.

We can see that the file is empty, which means that apache wasn't run at all.

Q8. It is believed this machine was used to attack another. What file proves this?
In the root directory there is a screenshot named irZLAohL.jpeg that shows the user running aylmao.exe. This executable generates malicious network traffic.

Q9. Within the Documents file path, it is believed that Karen was taunting a fellow computer expert through a bash script. Who was Karen taunting?
Fortunately Karen has documented her attack in the myfirsthack folder. Inside the firstscript_fixed file, we can see who she was taunting.

Q10. A user su'd to root at 11:26 multiple times. Who was it?
We can go through the auth.log file in order to find the user.
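
As an added example (not part of the original writeup), here is a small Python parser that answers the Q10 question automatically: it reads auth.log lines, counts successful su-to-root events per minute and user, and reports who did it more than once at a given time. The log lines below are constructed to follow the Debian/Ubuntu su log format; they are not from the challenge image.

```python
import re
from collections import Counter

# Constructed sample auth.log lines (not from the challenge image); the
# format mirrors what su and pam_unix write on Debian/Ubuntu systems.
SAMPLE_AUTH_LOG = """\
Mar 20 11:25:31 ubuntu su[2031]: Successful su for root by karen
Mar 20 11:25:31 ubuntu su[2031]: pam_unix(su:session): session opened for user root by karen(uid=1000)
Mar 20 11:26:02 ubuntu su[2044]: Successful su for root by karen
Mar 20 11:26:02 ubuntu su[2044]: pam_unix(su:session): session opened for user root by karen(uid=1000)
Mar 20 11:26:15 ubuntu su[2051]: FAILED su for root by guest
Mar 20 11:26:40 ubuntu su[2058]: Successful su for root by karen
Mar 20 11:26:40 ubuntu su[2058]: pam_unix(su:session): session opened for user root by karen(uid=1000)
Mar 20 11:27:03 ubuntu su[2063]: Successful su for root by bob
Mar 20 11:27:03 ubuntu su[2063]: pam_unix(su:session): session opened for user root by bob(uid=1001)
"""

# Match only the "Successful su for <target> by <user>" summary line, so each
# su is counted once; the pam_unix "session opened" line and FAILED attempts
# are ignored. The seconds are dropped so events group by HH:MM.
SU_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}):\d{2}\s+\S+\s+"
    r"su\[\d+\]:\s+Successful su for (?P<target>\S+) by (?P<user>\S+)$"
)


def su_to_root_by_minute(log_text):
    """Return a Counter keyed by (HH:MM, user) of successful su's to root."""
    counts = Counter()
    for line in log_text.splitlines():
        m = SU_RE.match(line)
        if m and m.group("target") == "root":
            counts[(m.group("time"), m.group("user"))] += 1
    return counts


def users_su_root_at(log_text, hhmm, min_count=2):
    """Users who su'd to root at least min_count times during the minute hhmm."""
    counts = su_to_root_by_minute(log_text)
    return sorted(user for (t, user), n in counts.items()
                  if t == hhmm and n >= min_count)


if __name__ == "__main__":
    # On a real image, read the extracted var/log/auth.log instead of the sample.
    print(users_su_root_at(SAMPLE_AUTH_LOG, "11:26"))
```

On the real evidence, export auth.log from FTK Imager and pass its contents to users_su_root_at with the minute from the question.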

Q11. Based on the bash history, what is the current working directory?
If we go through the bash_history from the bottom up, we can see the current working directory.
