HireMe

Karen is a security professional looking for a new job. A company called "TAAUSAI" offered her a position and asked her to complete a couple of tasks to prove her technical competency.

Q1 What is the administrator's username?

Open the file using FTK Imager and go to the path: root>Users

Answer: Karen

Q2 What is the OS's build number?

Go to the path: root>windows>config, and scroll down until you find SOFTWARE.

Export the file, then open it in the Registry Editor: File>Load Hive.

Then go down to the path: SOFTWARE>Microsoft>Windows NT>CurrentVersion

The build number is shown on the right side.

Answer: 16299

Q3 What is the hostname of the computer?

Go to the path: root>windows>config, and scroll down until you find SYSTEM.

Export the file, then open it in the Registry Editor: File>Load Hive.

Then go down to the path: SYSTEM>ControlSet001>Control>ComputerName>ComputerName

The hostname is shown on the right side.

Answer: TOTALLYNOTAHACK

Q4 A messaging application was used to communicate with a fellow Alpaca enthusiast. What is the name of the software?

Answer: skype

Q5 What is the zip code of the administrator's post?

The zip code is stored in a database, so we need to read the Web Data file. Go to the path: root>Users>Karen>App Data>Local>Google>chrome>User Data>Default

Export the file and then open it with any SQLite reader; I used DB Browser (SQLite).

Answer: 19709

Q6 What are the initials of the person who contacted the admin user from TAAUSAI?

Now we need to find the email files and read the messages.

Export the mail file and open it with any OST reader; I used vMail OST.

Sort the messages starting from the earliest.

Answer: MS

Q7 How much money was TAAUSAI willing to pay upfront?

From the reply in the previous mail screenshot.

Answer: 150000

Q8 What country is the admin user meeting the hacker group in?

From the reply in the previous mail screenshot, the destination is "27°22’50.10″N, 33°37’54.62″E".

Using Google Earth, it is EGYPT!

Answer: EGYPT

Q9 What is the machine's timezone? (Use the three-letter abbreviation)

From the Q3 file, go to the path: SYSTEM>ControlSet001>Control>TimeZoneInformation

Answer: UTC

Q10 When was AlpacaCare.docx last accessed?

Search for AlpacaCare.docx and look at the time modified.

Answer: 03/17/2019 09:52 pm

Q11 There was a second partition on the drive. What is the letter assigned to it?

In the previous file from Q3, search for SYSTEM>MountedDevices.

There are A, C and D; try them.

Answer: A

Q12 What is the answer to the question Company's manager asked Karen?

Again from the email file at Q

Answer: TheCardCriesNoMore

Q13 What is the job position offered to Karen? (3 words, 2 spaces in between)

Again from the email file at Q6

Answer: cyber security analyst

Q14 When was the admin user password last changed?

Go to the same path as in Q2: root>windows>config

This time, open the file with RegRipper 3.0.

Search for Karen, as she is the admin, and look at Pwd Reset Date.

Answer: 03/21/2019 19:13:09

Q15 What version of Chrome is installed on the machine?

We use the SOFTWARE file from Q2.

Open it in the Registry Editor, then go to the path: WOW6432Node>Microsoft>Windows>CurrentVersion>Uninstall>Google Chrome

Answer: 72.0.3626.121

Q16 What is the HostUrl of Skype?

To find the host URL, we have to search the web history file.

Go to the path: root>Users>Karen>App Data>Local>Google>chrome>User Data>Default,

and export the HISTORY file.

Then open it with SQLite and search for the link that hosts the Skype program file.

Answer: https://download.skype.com/s4l/download/win/Skype-8.41.0.54.exe
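The same lookup can be scripted instead of browsed by hand. The following is an added example, not part of the original write-up: it builds a constructed in-memory stand-in for the exported History file, using a subset of the columns of Chrome's `downloads` and `downloads_url_chains` tables, and returns the final URL of each download whose redirect chain mentions a keyword. All rows and timestamps are constructed except the Skype URL taken from the answer above.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_utc(ts):
    """Chrome stores timestamps as microseconds since 1601-01-01 UTC."""
    return WEBKIT_EPOCH + timedelta(microseconds=ts)

def build_sample_history():
    """Constructed stand-in for the exported History file (column subset only)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE downloads (id INTEGER PRIMARY KEY, start_time INTEGER);
        CREATE TABLE downloads_url_chains (id INTEGER, chain_index INTEGER, url TEXT);
    """)
    # Constructed start times (WebKit format), not values from the image
    db.executemany("INSERT INTO downloads VALUES (?, ?)",
                   [(1, 13197000000000000), (2, 13197000600000000)])
    db.executemany("INSERT INTO downloads_url_chains VALUES (?, ?, ?)", [
        (1, 0, "https://redirect.example.invalid/get-skype"),  # constructed hop
        (1, 1, "https://download.skype.com/s4l/download/win/Skype-8.41.0.54.exe"),
        (2, 0, "https://files.example.invalid/notes.pdf"),     # constructed noise
    ])
    return db

def find_downloads(db, keyword):
    """Return (start_time_utc, final_url, hops) for downloads whose chain mentions keyword."""
    rows = db.execute("""
        SELECT d.id, d.start_time, c.url
        FROM downloads d JOIN downloads_url_chains c ON c.id = d.id
        ORDER BY d.id, c.chain_index""").fetchall()
    chains = {}
    for dl_id, start, url in rows:
        chains.setdefault(dl_id, (start, []))[1].append(url)
    # The last entry of a chain is the URL that actually served the file
    return [(webkit_to_utc(start), urls[-1], len(urls))
            for start, urls in chains.values()
            if any(keyword.lower() in u.lower() for u in urls)]

if __name__ == "__main__":
    # For a real export, open read-only: sqlite3.connect("file:History?mode=ro", uri=True)
    for when, url, hops in find_downloads(build_sample_history(), "skype"):
        print(when.isoformat(), url, f"({hops} hop(s))")
```
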

Q17 What is the domain name of the website Karen browsed on Alpaca care that the file AlpacaCare.docx is based on?

Mmmmm, let us open the mentioned file and see what we find (be careful and open it in an isolated machine or VM).

I opened it on the ANY.RUN site and searched for any hyperlink, and that is the answer.

Answer: palominoalpacafarm.com
