TryHackMe - Secret Recipe

Case Overview: Jasmine owns a famous New York coffee shop Coffely which is famous city-wide for its unique taste. Only Jasmine keeps the original copy of the recipe, and she only keeps it on her work laptop. Last week, James from the IT department was consulted to fix Jasmine's laptop. But it is suspected he may have copied the secret recipes from Jasmine's machine and is keeping them on his machine. His machine has been confiscated and examined, but no traces could be found. The security department has pulled some important registry artifacts from his device and has tasked you to examine these artifacts and determine the presence of secret files on his machine.

Link to Challenge

Tools Used:

RegRipper v.3.0 - more on RegRipper
ShellBags Explorer v.1.4.0.0
Registry Explorer v.1.6.0.0

#1: How many Files are available in the Artifacts folder on the Desktop?

Connect to the Attack Box and open the Artifacts folder on the Desktop.

#2: What is the Computer Name of the Machine found in the registry?

I ripped all registry hives through RegRipper. The Computer Name can be found in the SYTEM hive under ComputerName. Look through the report created by RegRipper.

OR Open the SYSTEM hive in Registry Explorer, type in ComputerName in the search box, click find.

Full path: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName

#3: When was the Administrator account created on this machine? (Format: yyyy-mm-dd hh:mm:ss)

Account creation information, including account creation time can be found in the SAM hive.

#4: What is the RID associated with the Administrator account?

RID, or Relative Identifier, is a unique number assigned to each account or group within a domain. The Administrator RID can be found in the SAM hive under the user information for the Administrator username. It is the number enclosed in square brackets found immediately after the username and is also listed under “Embedded RID” (see screenshot for question 3).

More on this: Security identifiers | Microsoft Learn

#5: How many User accounts were observed on this machine?

User accounts are listed in the SAM report. Count them all to get the answer.

#6: There seems to be a suspicious account created as a backdoor with RID 1013. What is the Account Name?

This suspicious account can be found in the SAM report under User Information. We already know what an RID is and where it is located. Find the RID 1013, and you’ll find the answer to this question.

#7: What is the VPN connection this host connected to?

VPN connections can be found in the SOFTWARE hive. OR you can open Registry Explorer, type “VPN” in the search field, and click find.

#8: When was the first VPN connection observed? (Format: YYYY-MM-DD HH:MM:SS)

This can also be found in the SOFTWARE report generated by RegRipper.

Folders can be found by opening the UsrClass.dat folder in ShellBags Explorer.

#10: What is the Last DHCP IP assigned to this host?

You can find DHCP IP Address in the SYSTEM hive. This can be explored using Registry Explorer, or by viewing the report after ripping the hive with RegRipper.

Full path: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces

I had to use the hint to get the answer to this question. I just changed the first part to what the hint said and used the rest of the address that I found. To be honest, I am not sure why the answer is what it is.

#11: The suspect seems to have accessed a file containing the secret coffee recipe. What is the name of the file?

Recent documents are stored in the NTUSER.dat hive.

#12: The suspect ran multiple commands in the run windows. What command was run to enumerate the network interfaces?

Commands that a user has typed into the Run utility can be found in the RunMRU key. Full path: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

Rip the NTUSER.dat file in RegRipper to find the answer.

More on this: Run MRU Blog (forensafe.com)

#13: In the file explorer, the user searched for a network utility to transfer files. What is the name of that tool?

Words typed into the file explorer, or Windows search box, will show up in the WordWheelQuery key. Look at the report generated after ripping NTUSER.DAT. Full path: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery

More on this: Searched Strings Blog (forensafe.com)

#14: What is the recent text file opened by the suspect?

Recently opened documents can be found in the NTUSER.dat hive.

Full path: NTUSER.DAT\Software\Microsoft\Windows \CurrentVersion\Explorer\RecentDocs

#15: How many times was Powershell executed on this host?

The number of executions, along with the last execution timestamp will be found in the UserAssist key found in the NTUSER.dat hive.

Full Path: NTUSER.DAT – SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist

More on this: Digital Forensics: Artifact Profile - UserAssist - Magnet Forensics

#16: The suspect also executed a network monitoring tool. What is the name of the tool?

The network monitoring tool will be found in the same location as question 15 - in UserAssist.

#17: Registry Hives also notes the amount of time a process is in focus. Examine the Hives. For how many seconds was ProtonVPN executed?

The word "Focus" in the question is important here. Focus time can be found in the UserAssist key located in the NTUSER.dat hive. You can find the Focus Time by opening this hive in Registry Explorer. Convert the focus time into seconds and you’ll get your answer.

#18: Everything.exe is a utility used to search for files in a Windows machine. What is the full path from which everything.exe was executed?

The full path to this executable can be found in several places. I searched (CTRL+F) the SYSTEM hive report generated using RegRipper to find the answer.