Cyberdefenders - Redline

Redline

Info
Category: Digital Forensics
SHA1SUM: 7c54f50cefed2e2a8947368c0de41bbb665fe483
Published: June 2, 2023
Author: Ahmed Tammam
Size: 839 MB
Tags: Volatility, NIDS, Network Intrusion Detection System
Uncompress the challenge (pass: cyberdefenders.org)

Scenario
As a member of the Security Blue team, your assignment is to analyze a memory dump using Redline and Volatility tools. Your goal is to trace the steps taken by the attacker on the compromised machine and determine how they managed to bypass the Network Intrusion Detection System (NIDS).

Cyberdefenders - Insider

Insider

Info
Category: Digital Forensics
SHA1SUM: d820264d825fdaeb2146bf7b4c4e03684e700007
Published: May 25, 2021
Author: Champlain College
Size: 83 MB
Tags: Disk, Linux, FTK, Kali
Uncompress the challenge (pass: cyberdefenders.org)

Scenario
After Karen started working for 'TAAUSAI', she began to do some illegal activities inside the company. 'TAAUSAI' hired you as a SOC analyst to kick off an investigation on this case. You acquired a disk image and found that Karen uses Linux OS on her machine.

Cyberdefenders - Bucket

Bucket

Info
Category: Digital Forensics
SHA1SUM: fb393619f09c8e9d7272f305329601645e5aa952
Published: Dec. 7, 2021
Author: Scott Piper
Size: 356 Bytes
Tags: AWS, cloud, IR, 'log analysis'
Unzip the challenge (pass: cyberdefenders.org)

Instructions
Use the provided credentials to access AWS CloudTrail logs and answer the questions.

Scenario
Welcome, Defender! As a SOC analyst, we're granting you access to the AWS account called "Security" as an IAM user. This account contains a copy of the logs during the time period of the incident and has the ability to assume the "Security" role in the target account so you can look around to spot the misconfigurations that allowed this attack to happen.

FCSC 2023 - APT Style

APT Style

Category: forensics

General description for the series
As CISO, you anticipate (belatedly) the migration of user workstations in your fleet to Windows 10. To do this, you ask one of your collaborators to prepare an installation ISO and, given the importance of the harmlessness of this installation medium, you decide to test it. You observe strange behaviors on the newly installed machine... You then decide to dissect this ISO, in order to understand where these behaviors come from.

FCSC 2023 - La gazette de Windows

La gazette de Windows

Category: Intro - forensics

Statement
It seems that a user is running suspicious PowerShell scripts on his machine. Fortunately this machine is logged and we were able to recover the PowerShell event log. Find what was sent to the attacker.

SHA256(Microsoft-Windows-PowerShell%4Operational.evtx) = 770b92f7c98ffb708c3e364753ee4bb569ccc810dd5891cbaf1363c2063ddd78

Solve
Check the integrity of the log file:

    sha256sum Microsoft-Windows-PowerShell4Operational.evtx | grep 770b92f7c98ffb708c3e364753ee4bb569ccc810dd5891cbaf1363c2063ddd78
    770b92f7c98ffb708c3e364753ee4bb569ccc810dd5891cbaf1363c2063ddd78  Microsoft-Windows-PowerShell4Operational.evtx

We will use the evtx tool to parse the .

FCSC 2023 - Ransomémoire

Thanks to Abyss W4tcher for his Volatility install script, which allows running Volatility in a Docker container.

Ransomémoire

Category: forensics

Ransomémoire 0/3 - Pour commencer
Difficulty: ⭐

Statement
You are preparing to analyze a memory capture and you write down some information about the machine before diving into the analysis: username, machine name, browser used. The flag is in the format FCSC{user name:machine name:browser name} where: username is the name of the user who uses the machine, machine name is the name of the scanned machine and browser name is the name of the currently running browser.