In this case you are required to analyze a memory dump of a Windows 10 system that has been hit with RansomCare.
- E01 for the Memory Dump could be found: here
- Find RansomCare’s code, dump it, and explain what happened to the victim system.
In this case you are required to decrypt all the data and files that have been encrypted using different crypto methods.
E01 for the drive could be found: here
#1: Lost in Space:
We noticed that the whole communication started with a README file within the user's Documents directory. Unfortunately, this file seems to be encrypted with AES and we do not have the password to decrypt it. You would either need to search the cache for the communication or try to recover the file before it was encrypted. It seems this file leads to the solution of our next requirement.
In this case you are required to find all the data and files that have been hidden using some of the NTFS file system capabilities.
- E01 for the drive could be found: here
- There are 5 hidden things for you to find!
- Explain how these files were hidden
The user downloaded what they thought was the SysInternals tool suite, double-clicked it, but the tools did not open and were not accessible. Since that time, the user has noticed that the system has “slowed down” and become less and less responsive.
Sometimes you have one of those VMs that you downloaded from Microsoft and then used for some testing. After a certain amount of time the free license will expire, and the VM will start to shut down automatically, I think after an hour. So how do we prevent this from happening?
The solution is easy:
1. Download SysInternals
2. Start a privileged cmd.exe
3. Navigate to the SysInternals directory and run PsExec as follows:
psexec64.exe -i -d -s cmd.exe