TryHackMe: Disk Analysis & Autopsy

tryhackme Disk Analysis & Autopsy write-up

  • Name: Disk Analysis & Autopsy
  • Description: Ready for a challenge? Use Autopsy to investigate artifacts from a disk image.
  • Room:

Task 1 Windows 10 Disk Image

In the attached VM, there is an Autopsy case file and its corresponding disk image. You need to re-point Autopsy to the disk image file.

Ingest Modules were already ran for your convenience.

Your task is to perform a manual analysis of the artifacts discovered by Autopsy to answer the questions below.

This room should help to reinforce what you learned in the Autopsy room. Have fun investigating!

Answer the questions below

Load the case in Autopsy as instructed

Open Tryhackme.aut with Autopsy

It takes a few seconds for the data to load

In this step we have to open the image “HASAN2.E01”

Question: What is the MD5 hash of the E01 image?

Answer: 3f08c518adb3b5c1359849657a9b2079

Question: What is the computer account name?

Find this in “Extracted Content” > “Operating System Information” section

Answer: DESKTOP-0R59DJ3

Question: List all the user accounts. (alphabetical order)

Check the “Operating System User Account” section

Answer: H4S4N,joshwa,keshav,sandhya,shreya,sivapriya,srini,suba

Question: Who was the last user to log into the computer?

Sort by “Date Accessed”

Answer: sivapriya

Question: What was the IP address of the computer?

Check Look@LAN in Program Files(x86) files . Look@Lan is an advanced network monitor.


Question: What was the MAC address of the computer? (XX-XX-XX-XX-XX-XX)

Answer: 08–00–27–2c-c4-b9

Question: Name the network cards on this computer.

Search for the word “Ethernet” in Keyword Search

Answer: Intel(R) PRO/1000 MT Desktop Adapter

Question: What is the name of the network monitoring tool?

Answer: Look@LAN

Question: A user bookmarked a Google Maps location. What are the coordinates of the location?

Go to the “web bookmarker” section

Answer: 12°52'23.0"N 80°13'25.0"E

Question: A user has his full name printed on his desktop wallpaper. What is the user’s full name?

Joshwa has an image file in the “Images/Videos” section. Extract the file and view.

Answer: Anto Joshwa

Question: A user had a file on her desktop. It had a flag but she changed the flag using PowerShell. What was the first flag?

Check the powershell history for each user

“Users” > shreya > AppData > Roaming > Microsoft > Windows > PowerShell > PSReadLine > ConsoleHost_history.txt

Answer: flag{HarleyQuinnForQueen}

Question: The same user found an exploit to escalate privileges on the computer. What was the message to the device owner?

Go to Shreya’s Desktop files

Answer: flag{I-hacked-you}

Question: 2 hack tools focused on passwords were found in the system. What are the names of these tools? (alphabetical order)

These tools are likely to be identified by windows defender

Answer: Lazagne, Mimikatz

Question: There is a YARA file on the computer. Inspect the file. What is the name of the author?

Search “.yar” extension using Keyword Search

Answer: Benjamin DELPY (gentilkiwi)

Question: One of the users wanted to exploit a domain controller with an MS-NRPC based exploit. What is the filename of the archive that you found? (include the spaces in your answer)

Find a document about “Zerologon” in the Recent Documents section.

Answer: 2.2.0 20200918 Zerologon

by Hassan Mohammadi

thank you 🌏🔥




Computer student and interested in programming and security

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

How does location tracking work on a phone?

Hacking the Matrix (part1 of 4)

Go+ NFT launched Security Detection API Service

Do You Know How Safe Your Data Is?

FUD FAQ | A Weekly Community Thread | Week 47

{UPDATE} Cricket Captain 2019 Hack Free Resources Generator

How to Protect Your NFTs and Avoid Getting Scammed

US$118,000 worth of BTC lost on Twitter 黑客通过推特窃取了118,000美元的BTC

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Hassan Mohammadi

Hassan Mohammadi

Computer student and interested in programming and security

More from Medium

Capture The Talent: Detonation write-up

Knight CTF

Simple CTF TryHackMe Writeup

Tryhackme Easy Peasy Walkthrough