Public Write-ups
  • 💻Lab Write-ups
    • Who is Space C4det
  • eJPT
    • eJPT Notes
      • Assessment Methodologies
        • Information Gathering
          • Introduction To Information Gathering
          • Passive and Active Information Gathering
        • Footprinting & Scanning
        • Enumeration
        • Vulnerability Assessment
  • Blue Team Labs Online
    • Remote Desktop Protocol (RDP)
    • 📝Phishy V1 BTLO
    • BITS (IN PROGRESS)
  • TCM Security Notes
    • TCM Security Notes
      • Viewing, Creating, and Editing Files
      • Users and Privileges
      • sudo and other commands
      • The OSI Model
      • Scripting with Bash
      • TCP, UDP, and the Three way Handshake
      • Common Network Commands
      • Installing and Updating Tools
      • IP Addresses
Powered by GitBook
On this page
  • Scenario
  • Questions
  1. Blue Team Labs Online

Remote Desktop Protocol (RDP)

PreviousBlue Team Labs OnlineNextPhishy V1 BTLO

Last updated 2 years ago

Scenario

An interplanetary illegal dealer was using a remote machine to store all his Trade secrets. Intelligence team of the solar system identified that the dealer was from Earth. When investigated, it was found that the dealer was maintaining a clean machine in his home and storing all his trade secrets in a remote machine via RDP. Unfortunately, the remote machine was destroyed. The only source of evidence we have is the forensic disk image of the clean machine. Show your forensic skills. Help the investigators in cracking the trade secrets like the dealer’s crypto wallet address, his customer details etc. Note: This is a work of fiction. Names, characters, places and incidents either are products of the author's imagination or are used fictitiously.

Questions

Question 1) Submit the USERNAME of the dealer's machine from which the forensic disk image was created (Format: username)(2 points)

💡 Answer: spiderman

To begin this question, I initiated the machine. Upon logging in, I glanced around the desktop icons looking for what I was going to look at first, since i'm not well versed in digital forensics i'm trying to improvise. I first opened up the Evidence folder and saw there was a text file named RDPCache.ad1 since this lab is about an actor storing all his trade secrets in a remote machine via RDP, this appeared interesting to me.

The text file was created by AccessData FTK imager, AccessData FTK is a computer forensics software, it scans a hard drive looking for various information. An example of what it can locate is deleted emails, it can also scan a disk for text strings to sue them as a password dictionary to crack encryption.

From looking at the text file, it seems the source disk for the information captured by the FTK comes from C:\Users\spiderman\Desktop

This tells me this is the username of the dealer's machine.