https://cfreds.nist.gov/all/NIST/DataLeakageCase
Download the first three files, as shown below, with filenames ending in ".001", ".002", and ".003".
The files total approximately 5 GB in size, so the download may be slow.
https://7-zip.org
Download and install 7-Zip.
When the extraction is done, you'll have a file named cfreds_2015_data_leakage_pc.dd that is approximately 21 GB in size.
F 221.1: Verifying the Hash (5 pts)
If you don't have HashCalc installed, get it here:
https://www.slavasoft.com/hashcalc/
Run HashCalc on the cfreds_2015_data_leakage_pc.dd file. This will take several minutes. Verify that the hashes match the image below. The flag is covered by a green rectangle in the image below.
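If you prefer to verify the image from a script rather than HashCalc, the following added example (not part of the original lab) computes several digests of a large file in a single chunked pass and reports which expected digest, if any, fails to match. The expected values are placeholders, because the real digests are only in the screenshot; the image path and the write_sample helper are assumptions used for a self-contained run.

```python
import hashlib
import tempfile

CHUNK_SIZE = 4 * 1024 * 1024  # 4 MiB reads: a 21 GB image never has to fit in RAM


def hash_image(path, algorithms=("md5", "sha1", "sha256"), chunk_size=CHUNK_SIZE):
    """Return {algorithm: hexdigest} for the file at path, all computed in one pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(path, expected):
    """Compare computed digests with expected hex strings (case-insensitive).

    Returns (all_match, {algorithm: matched}) so a failure names the digest
    that disagrees instead of a bare True/False.
    """
    computed = hash_image(path, algorithms=tuple(expected))
    results = {name: computed[name] == value.strip().lower()
               for name, value in expected.items()}
    return all(results.values()), results


def write_sample(data):
    """Write constructed sample bytes to a temp file and return its path (assumption, for testing)."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
        return tmp.name


if __name__ == "__main__":
    # Placeholders: take the real digests from the HashCalc screenshot in the lab.
    EXPECTED = {"md5": "<md5 from screenshot>", "sha1": "<sha1 from screenshot>"}
    ok, detail = verify_image("cfreds_2015_data_leakage_pc.dd", EXPECTED)
    print("image verified" if ok else f"MISMATCH: {detail}")
```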
Enter a Case Name of F221.
Click the Next button.
Click the Finish button.
At step 2. Select Data Source Type, click "Disk Image or VM File", as shown below.
Click the Next button.
At step 3. Select Data Source, click the Browse button. Navigate to the cfreds_2015_data_leakage_pc.dd. Click it and click the Open button.
Change the Time Zone to "(GMT-5:00) America/Toronto", as shown below.
Click the Next button.
At step 4. Configure Ingest, clear all the check marks except "Recent Activity", as shown below.
Click the Next button.
It takes a minute or so to prepare the data.
At step 5. Add Data Source, click the Finish button.
The progress of the processing is shown at the bottom right. In the image below, the processing is 18% done.
Wait until the processing is done.
Use the Artifacts to find the answers to the questions below.
F 221.2: Most Recently Installed Program (5 pts)
What is the name of the most recently installed program? The flag is covered by a green rectangle in the image below.
F 221.3: Most Recent Document (5 pts)
What is the name of the most recently accessed document? The flag is covered by a green rectangle in the image below.
F 221.4: 59 Times (5 pts)
What program was run 59 times, as recorded in the Prefetch folder? (Autopsy calls this "Run Programs") The flag is covered by a green rectangle in the image below.
F 221.5: Search (5 pts)
What suspicious web search was performed, covered by a green rectangle in the image below?
Posted: 9-29-22
Image for flag 221.4 updated 10-28-22
Title changed and video added 3-20-23