Windows Forensics With Autopsy & Registry Explorer | TryHackMe Unattended

Motasem Hamdan
2 min read · Oct 14, 2024


This article provides a walkthrough of the “Unattended” challenge from TryHackMe, which focuses on Windows forensics.

The challenge revolves around investigating suspicious activity reported by a newly hired employee, who noticed a suspicious janitor near his office. The task is to examine whether any activity occurred on the employee’s computer between 12:05 p.m. and 12:45 p.m. on November 19, 2022.

Investigation Process:

Autopsy reveals that the contents of the text file were exfiltrated to Pastebin. The investigator recovers the Pastebin URL and the string that was pasted there.

Initial Investigation:

It is discovered that someone accessed the computer during the specified timeframe.

Using the Registry Explorer tool, the video shows how to trace the user’s search activity in Windows Explorer.

The intruder searched for “Continental” and PDF files.

Internet Activity:

The video uses the “Autopsy” tool to investigate web activity, identifying a file downloaded from the internet by the intruder.

It walks through how to find the file using web history in the Autopsy tool, focusing on the THM Fedora user and the downloaded executable file.

Timeline Analysis:

The timeline and properties of the downloaded file are checked to determine when it was downloaded.

The registry is used to track when a PNG file was opened after the executable file download.
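Both registry steps above (the Explorer search terms and the recently opened PNG) read keys that Windows stores in the same MRUListEx layout, which is what Registry Explorer decodes for you. The following is an added example, not code from the article or from TryHackMe: it parses that layout from raw value bytes and checks a key's LastWrite time against the challenge window. The key paths are the real Explorer keys; the sample value bytes, the `.png` filename and the timestamps are constructed here, and the window is assumed to be in the image's local time.

```python
import struct
from datetime import datetime

# Real registry paths (relative to the user's NTUSER.DAT hive) that use the
# MRUListEx layout parsed below.
WORDWHEELQUERY_PATH = r"Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery"
RECENTDOCS_PNG_PATH = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.png"

# Window the challenge asks about (assumed to be the image's local time).
WINDOW_START = datetime(2022, 11, 19, 12, 5)
WINDOW_END = datetime(2022, 11, 19, 12, 45)


def parse_mrulistex(data: bytes) -> list[int]:
    """MRUListEx is a run of little-endian DWORD indices, most recently used
    first, terminated by 0xFFFFFFFF. Returns the indices in MRU order."""
    order = []
    for off in range(0, len(data) - 3, 4):
        idx = struct.unpack_from("<I", data, off)[0]
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order


def decode_entry(data: bytes) -> str:
    """Both keys store a UTF-16LE string terminated by a NUL; RecentDocs
    appends shortcut data after it, so keep only the text before the first NUL."""
    text = data.decode("utf-16-le", errors="ignore")
    return text.split("\x00", 1)[0]


def mru_entries(values: dict[str, bytes]) -> list[str]:
    """Resolve the MRUListEx order into decoded strings, newest first.
    `values` maps registry value names (as read from the hive) to raw bytes."""
    order = parse_mrulistex(values.get("MRUListEx", b"\xff\xff\xff\xff"))
    entries = []
    for idx in order:
        raw = values.get(str(idx))
        if raw is None:
            continue  # dangling index: the list was updated but the value is gone
        entries.append(decode_entry(raw))
    return entries


def in_window(last_write_iso: str) -> bool:
    """True if a key's LastWrite timestamp (ISO 8601) falls inside the window."""
    ts = datetime.fromisoformat(last_write_iso)
    return WINDOW_START <= ts <= WINDOW_END


def utf16z(s: str) -> bytes:
    """Encode a string the way Explorer stores it: UTF-16LE plus a NUL terminator."""
    return s.encode("utf-16-le") + b"\x00\x00"


# Constructed sample values mimicking what Registry Explorer displays for the
# two keys (not extracted from the challenge image).
SAMPLE_WORDWHEELQUERY = {
    "0": utf16z("Continental"),
    "1": utf16z("pdf"),
    "MRUListEx": struct.pack("<3I", 1, 0, 0xFFFFFFFF),  # "pdf" searched after "Continental"
}
SAMPLE_RECENTDOCS_PNG = {
    "0": utf16z("example.png") + b"\x00" * 8,  # RecentDocs packs more data after the name
    "MRUListEx": struct.pack("<2I", 0, 0xFFFFFFFF),
}

if __name__ == "__main__":
    print("Explorer searches (newest first):", mru_entries(SAMPLE_WORDWHEELQUERY))
    print("Recent .png files:", mru_entries(SAMPLE_RECENTDOCS_PNG))
    print("Key written inside window:", in_window("2022-11-19T12:31:00"))
```

The ordering matters for the timeline: the first index in MRUListEx is the most recent entry, and the key's LastWrite time tells you when that most recent entry was added, which is what lets the search and the PNG access be placed relative to the executable download.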

Data Exfiltration:

A text file was created on the desktop, and the investigation shows how often it was opened.

The analysis uses jump lists in Windows to extract the file’s last access and modification times.

Pastebin Activity:

The exfiltration to Pastebin is covered in the Investigation Process section above.

Offensive vs. Defensive Security:

Offensive security is primarily focused on breaching systems, which can be done by exploiting vulnerabilities, misconfigurations, or weaknesses in access control policies. Red teams and penetration testers are the experts in this area.

Defensive security, by contrast, has two main objectives:

  1. Preventing intrusions from happening.
  2. Detecting intrusions when they occur and responding effectively.

Blue teams play a key role in the defensive security field.

Room Answers | TryHackMe Unattended

Room answers can be found here.

Video Walkthrough | TryHackMe Unattended


Motasem Hamdan

Motasem Hamdan is a content creator and swimmer who creates cyber security training videos and articles. https://www.youtube.com/@MotasemHamdan