dfir

DEF CON DFIR CTF 2018 Write-up Part 2 - HR Server Advanced and Expert Challenges

4 minute read

A writeup for the 2018 DEF CON DFIR CTF - Part 2
Introduction

Following on from my last blog, I turned to the Advanced and Expert level challenges to try and uncover undoubtedly nefarious deeds. Let's go!

HR Server - Advanced Challenges

Logon Event

The first question asks you to name the user that logged on at a specific time (given in UTC), as well as the logon type, logon process and IP address. With all our data ingested and ready for searching in Kibana, this was reasonably straightforward.
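The lookup described above, written out as an added example rather than anything from the original write-up: given the question's UTC timestamp, pick the successful logon event closest to it and pull out the four fields asked for. It assumes the question concerns Windows Security event ID 4624 ("An account was successfully logged on"), which the excerpt does not name, and uses constructed sample documents laid out in the `winlog.*` shape that winlogbeat ships to Elasticsearch; both the event ID and the field layout are assumptions here.

```python
"""Added example, not code from the original write-up.

Assumptions: the challenge refers to Security event 4624, and the records
look like flattened winlogbeat documents (winlog.event_id,
winlog.event_data.*), which is what one would be querying in Kibana.
"""
from datetime import datetime, timedelta, timezone

# Logon type codes as documented by Microsoft for event 4624.
LOGON_TYPES = {
    2: "Interactive",
    3: "Network",
    4: "Batch",
    5: "Service",
    7: "Unlock",
    8: "NetworkCleartext",
    9: "NewCredentials",
    10: "RemoteInteractive",
    11: "CachedInteractive",
}

# Constructed sample documents for illustration; not real CTF data.
SAMPLE_EVENTS = [
    {"@timestamp": "2018-03-21T14:02:11.000Z",
     "winlog": {"event_id": 4624,
                "event_data": {"TargetUserName": "svc_backup", "LogonType": "3",
                               "LogonProcessName": "NtLmSsp ", "IpAddress": "10.0.0.7"}}},
    # A failed logon (4625) just before the one we want; it must be ignored.
    {"@timestamp": "2018-03-21T14:05:40.000Z",
     "winlog": {"event_id": 4625,
                "event_data": {"TargetUserName": "jdoe", "LogonType": "10",
                               "LogonProcessName": "User32 ", "IpAddress": "192.168.1.23"}}},
    {"@timestamp": "2018-03-21T14:05:45.000Z",
     "winlog": {"event_id": 4624,
                "event_data": {"TargetUserName": "jdoe", "LogonType": "10",
                               "LogonProcessName": "User32 ", "IpAddress": "192.168.1.23"}}},
]


def parse_utc(ts):
    """Parse an ISO-8601 timestamp; a trailing 'Z' is UTC. Always return tz-aware UTC."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def find_logon(events, when_utc, window_seconds=60):
    """Return the 4624 event closest to `when_utc` (within `window_seconds`),
    reduced to the four fields the question asks for, or None if none match."""
    target = parse_utc(when_utc)
    best, best_delta = None, timedelta(seconds=window_seconds)
    for ev in events:
        if ev["winlog"]["event_id"] != 4624:
            continue
        delta = abs(parse_utc(ev["@timestamp"]) - target)
        if delta <= best_delta:
            best, best_delta = ev, delta
    if best is None:
        return None
    data = best["winlog"]["event_data"]
    logon_type = int(data["LogonType"])
    return {
        "user": data["TargetUserName"],
        "logon_type": f"{logon_type} ({LOGON_TYPES.get(logon_type, 'Unknown')})",
        # The raw event pads this field with trailing whitespace.
        "logon_process": data["LogonProcessName"].strip(),
        "ip_address": data["IpAddress"],
    }


if __name__ == "__main__":
    print(find_logon(SAMPLE_EVENTS, "2018-03-21T14:05:44Z"))
```

Keeping every timestamp tz-aware and in UTC is the part that matters in practice: Kibana renders times in the browser's local zone by default, so a question that gives its time in UTC is easy to miss by a few hours if you read the rendered column instead of the underlying `@timestamp`.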

DEF CON DFIR CTF 2018 Write-up Part 1 - HR Server Basic Challenges

6 minute read

A writeup for the 2018 DEF CON DFIR CTF - Part 1

Introduction

I’m heading to DEF CON in Vegas this year and thinking about participating in the DFIR CTF that runs at the Blue Team Village. As a bit of a warm-up, I thought I’d give last year’s DFIR CTF a crack, which is still available to play online at the time of writing - you can find details for how to sign-up and obtain the images here. Without further ado, here’s a write-up of the challenges that I’ve managed to complete so far, which I’m writing mainly so I can remember the tools and commands for next time…