"Meiya Cup" 4th China Electronic Data Forensics Competition - Qualifying Round
Tel: 15543132658 (same number on WeChat). Feel free to get in touch; if anything in this writeup is lacking, please add to it and discuss!
This qualifying round consists of 1 section with 50 short questions, 118 minutes of competition time and 100 points in total.
Single choice
1. Victor's laptop was forensically acquired and made into a forensic image file (Forensic Image). Which of the following is its MD5 hash value? (2 points)
A. FC20782C21751AB76B2A93F3A17922D0
B. 882114D62E713DEA34C270CF2F1C69D2
C. A0BB016160CFB3A0BB0161661670CFB3
D. 917ED59083C8B35C54D3FCBFE4C4BB0B
E. FC20782C21751BA76B2A93F3A17922D0
Analysis: read directly in Forensic Master.
2. Based on the Forensic Image, how many hard disk partitions are there in the original notebook? (2 points)
A. 1
B. 2
C. 3
D. 4
E. 5
Analysis: read directly in Forensic Master.
3. Can you find the starting logical block address (LBA) of the operating-system partition on the hard disk? (Answer format: sector) (2 points)
A. 0
B. 2408
C. 1048576
D. 62916608
E. 32213303296
Analysis: view directly in WinHex.
4. Can you find the physical size (in bytes) of the operating-system partition on the hard disk? (2 points)
A. 62709760
B. 62910464
C. 104857600
D. 32107397120
E. 32210157568
Analysis: view directly in WinHex.
5. What is the file system of the operating system partition? (2 points)
A. FAT32
B. EXFAT
C. NTFS
D. EXT3
E. HFS+
Analysis: read directly in Forensic Master.
6. In the operating-system partition, how many sectors does each cluster (Cluster) contain? (2 points)
A. 2
B. 4
C. 6
D. 8
E. 16
Analysis: view directly in WinHex.
7. In the operating-system partition, what is the starting physical sector of $MFT? (2 points)
A. 62,919,936
B. 67,086,648
C. 68,942,784
D. 69,208,064
E. 79,865,960
Analysis: view directly in WinHex.
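Questions 3, 4, 6 and 7 are all answered in the writeup by reading raw sectors in WinHex. The Python below is an added example, not part of the original writeup, that does the same by hand on a constructed mini image (one MBR entry whose first sector is an NTFS boot sector; every number in it is made up and none is a value from the competition image, and it assumes an MBR-partitioned disk rather than GPT). It reads the partition's start LBA and sector count from the 16-byte MBR entry, then bytes per sector, sectors per cluster and the $MFT cluster number from the boot sector, and derives the partition size in bytes and the physical sector of $MFT as partition start + MFT cluster × sectors per cluster. It goes slightly beyond the questions by also handling the negative sectors-per-cluster encoding that newer Windows versions use for clusters above 64 KiB.

```python
"""Added example: recover partition start LBA, partition size and the $MFT location
from a raw disk image, the way one would read them off WinHex for questions 3-7.
The image is constructed here; all values are made up for the example."""
import struct

SECTOR = 512                # MBR LBA values count 512-byte sectors
MBR_TABLE_OFFSET = 446      # four 16-byte partition entries, then the 0x55AA signature


def parse_mbr(image: bytes) -> list:
    """Return (index, type_id, start_lba, sector_count) for every used MBR entry."""
    if image[510:512] != b"\x55\xaa":
        raise ValueError("missing MBR boot signature")
    entries = []
    for i in range(4):
        off = MBR_TABLE_OFFSET + 16 * i
        type_id = image[off + 4]                         # 0x07 = NTFS/exFAT/HPFS
        start_lba, count = struct.unpack_from("<II", image, off + 8)
        if type_id and count:
            entries.append((i, type_id, start_lba, count))
    return entries


def parse_ntfs_boot_sector(vbr: bytes) -> dict:
    """Decode the BPB fields of an NTFS volume boot record."""
    if vbr[3:11] != b"NTFS    ":
        raise ValueError("not an NTFS boot sector")
    bytes_per_sector = struct.unpack_from("<H", vbr, 0x0B)[0]
    spc = struct.unpack_from("<b", vbr, 0x0D)[0]
    if spc < 0:
        # Clusters above 64 KiB are stored as a negative power of two (2**-spc bytes).
        spc = (1 << -spc) // bytes_per_sector
    total_sectors, mft_lcn, mftmirr_lcn = struct.unpack_from("<QQQ", vbr, 0x28)
    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": spc,
        "total_sectors": total_sectors,
        "mft_lcn": mft_lcn,             # cluster number of $MFT, relative to the volume
        "mftmirr_lcn": mftmirr_lcn,
    }


def locate_mft(image: bytes, entry: tuple) -> dict:
    """Combine MBR and boot-sector data into the figures questions 3, 4, 6 and 7 ask for."""
    _, _, start_lba, count = entry
    vbr = image[start_lba * SECTOR: start_lba * SECTOR + SECTOR]
    info = parse_ntfs_boot_sector(vbr)
    spc = info["sectors_per_cluster"]
    return {
        "start_lba": start_lba,
        "size_bytes": count * SECTOR,
        "sectors_per_cluster": spc,
        # $MFT LCN is volume-relative; add the partition start to get the physical sector
        "mft_physical_sector": start_lba + info["mft_lcn"] * spc,
    }


def build_ntfs_vbr(bytes_per_sector: int, spc_raw: int, total_sectors: int, mft_lcn: int) -> bytes:
    """Construct a minimal NTFS boot sector (sample data for this example only)."""
    vbr = bytearray(SECTOR)
    vbr[0:3] = b"\xEB\x52\x90"
    vbr[3:11] = b"NTFS    "
    struct.pack_into("<H", vbr, 0x0B, bytes_per_sector)
    vbr[0x0D] = spc_raw
    struct.pack_into("<QQQ", vbr, 0x28, total_sectors, mft_lcn, 2)
    vbr[510:512] = b"\x55\xaa"
    return bytes(vbr)


def build_sample_image(start_lba: int = 2048, sector_count: int = 20971520) -> bytes:
    """Construct an image with one bootable NTFS partition (made-up sample, not a real disk)."""
    image = bytearray((start_lba + 1) * SECTOR)
    entry = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", start_lba, sector_count)
    image[MBR_TABLE_OFFSET:MBR_TABLE_OFFSET + 16] = entry
    image[510:512] = b"\x55\xaa"
    image[start_lba * SECTOR:(start_lba + 1) * SECTOR] = build_ntfs_vbr(512, 8, sector_count - 1, 786432)
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    for e in parse_mbr(img):
        print(e, locate_mft(img, e))
```

To run it against a real image, replace `build_sample_image()` with the bytes of the first sector plus the partition's first sector read from the E01/raw file; the same arithmetic applies. Note that the sector count from the MBR is in 512-byte units, so the size in bytes is count × 512 regardless of the NTFS bytes-per-sector field.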
8. Find the system hive file "SOFTWARE". What is the installation date of the operating system? (Answer format, "Coordinated Universal Time": YYYY-MM-DD HH:MM UTC) (2 points)
A. 2018-10-25 08:08 UTC
B. 2018-10-25 08:09 UTC
C. 2018-10-25 08:10 UTC
D. 2018-10-25 08:11 UTC
E. 2018-10-25 08:12 UTC
Analysis: read directly in Forensic Master.
9. What is the unique identifier (SID) of the user "victor"? (Answer format: RID) (2 points)
A. 1001
B. 1002
C. 1003
D. 1004
E. 1005
Analysis: read directly in Forensic Master.
10. What is the unique identifier (SID) of the user "Lily"? (Answer format: RID) (2 points)
A. 1001
B. 1002
C. 1003
D. 1004
E. 1005
Analysis: read directly in Forensic Master.
11. When did Victor last change the system login password? (Answer format, "local time": YYYY-MM-DD HH:MM +8) (2 points)
A. 2018-11-01 16:08 +8
B. 2018-11:01 14:15 +8
C. 2018-10-26 17:00 +8
D. 2018-10-25 08:08 +8
E. 2018-10-25 16:08 +8
Analysis: read directly in Forensic Master.
12. When did Lily last change the system login password? (Answer format, "local time": YYYY-MM-DD HH:MM +8) (2 points)
A. 2018-11-01 03:02:01 +8
B. 2018-11:02 11:13:33 +8
C. 2018-10-26 17:00:45 +8
D. 2018-10-30 12:30:40 +8
E. 2018-10-27 12:08:37 +8
Analysis: read directly in Forensic Master.
13. How many times did Victor log into the system in total? (2 points)
A. 3
B. 16
C. 33
D. 36
E. 45
Analysis: read directly in Forensic Master.
14. Which of the following accounts has been disabled? (2 points)
A. Administrator
B. victor
C. Lily
D. simon
E. None of the above
Analysis: read directly in Forensic Master.
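Questions 8 and 11 to 14 are answered in the writeup with Forensic Master, which reads the SOFTWARE and SAM hives for you. The Python below is an added example, not from the original writeup, that decodes the same registry values by hand: the `InstallDate` value under `SOFTWARE\Microsoft\Windows NT\CurrentVersion` (a 32-bit Unix epoch in UTC, question 8) and the binary `F` value under `SAM\SAM\Domains\Account\Users\<RID>` (FILETIME stamps for last logon and last password change, the RID, the account-control flags that mark a disabled or locked account, and the logon counter; questions 11 to 14). The `F` layout used is the commonly documented one (the offsets RegRipper's samparse plugin uses) and is assumed correct here; the `F` value and the epoch number in the block are constructed for the example, not values from the competition image.

```python
"""Added example: decode InstallDate (SOFTWARE hive) and a SAM user F value by hand.
Offsets follow the commonly documented F layout (assumed); sample data is constructed."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
LOCAL_TZ = timezone(timedelta(hours=8))       # the question set reports local time as "+8"

ACB_DISABLED = 0x0001                         # USER_ACCOUNT_CONTROL: account disabled
ACB_AUTOLOCK = 0x0400                         # USER_ACCOUNT_CONTROL: account locked out


def filetime_to_utc(ft: int):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime; 0 means never."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def utc_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_utc, used only to build the constructed sample value."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def fmt_local(dt) -> str:
    """Render in the answer format the questions use: YYYY-MM-DD HH:MM:SS +8."""
    return "never" if dt is None else dt.astimezone(LOCAL_TZ).strftime("%Y-%m-%d %H:%M:%S +8")


def install_date_utc(install_date: int) -> str:
    """Question 8: InstallDate epoch seconds to 'YYYY-MM-DD HH:MM UTC'."""
    return datetime.fromtimestamp(install_date, tz=timezone.utc).strftime("%Y-%m-%d %H:%M UTC")


def parse_sam_f(f: bytes) -> dict:
    """Questions 11-14: last logon, password change, RID, disabled flag and logon count."""
    if len(f) < 0x44:
        raise ValueError("F value too short")
    last_logon = struct.unpack_from("<Q", f, 0x08)[0]     # FILETIME, last successful logon
    pwd_last_set = struct.unpack_from("<Q", f, 0x18)[0]   # FILETIME, last password change
    rid = struct.unpack_from("<I", f, 0x30)[0]            # relative identifier (SID suffix)
    flags = struct.unpack_from("<H", f, 0x38)[0]          # account-control bits
    failed, logons = struct.unpack_from("<HH", f, 0x40)   # failed count, logon count
    return {
        "rid": rid,
        "last_logon": fmt_local(filetime_to_utc(last_logon)),
        "pwd_last_set": fmt_local(filetime_to_utc(pwd_last_set)),
        "disabled": bool(flags & ACB_DISABLED),
        "locked_out": bool(flags & ACB_AUTOLOCK),
        "failed_logons": failed,
        "logon_count": logons,
    }


def build_sample_f() -> bytes:
    """Constructed F value: RID 1010, disabled, 7 logons, password set 2018-10-26 09:00 +8."""
    f = bytearray(0x50)
    struct.pack_into("<Q", f, 0x08, utc_to_filetime(datetime(2018, 11, 2, 9, 0, 0, tzinfo=LOCAL_TZ)))
    struct.pack_into("<Q", f, 0x18, utc_to_filetime(datetime(2018, 10, 26, 9, 0, 0, tzinfo=LOCAL_TZ)))
    struct.pack_into("<I", f, 0x30, 1010)
    struct.pack_into("<H", f, 0x38, 0x0010 | ACB_DISABLED)   # ACB_NORMAL | ACB_DISABLED
    struct.pack_into("<HH", f, 0x40, 2, 7)
    return bytes(f)


if __name__ == "__main__":
    print(install_date_utc(1540038840))        # constructed epoch, not the image's value
    print(parse_sam_f(build_sample_f()))
```

On a real hive the `F` value is read with any offline registry library (for instance the `Registry` package on PyPI) and passed to `parse_sam_f` unchanged; keep in mind that SAM timestamps are stored in UTC, so the "+8" conversion above is what turns them into the local time the answer format asks for.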
15. Which of the following accounts has the lowest privileges on the system? (2 points)
A. Administrator
B. victor
C. Lily
D. simon
E. All of the above have the same privileges
Analysis: read directly in Forensic Master.
16. Which of the following accounts has ever logged into the system remotely? (2 points)
A. Administrator
B. victor
C. Lily
D. simon
E. Remote login has been disabled
Analysis:
17. Which version of the operating system is on the hard disk? (2 points)
A. Windows 7 Enterprise (32-bit)
B. Windows 7 Enterprise (64-bit)
C. Windows 7 Professional (32-bit)
D. Windows 7 Professional (64-bit)
E. Windows 7 Ultimate (64-bit)
Analysis: read directly in Forensic Master.
18. What is the latest service pack (Service Pack) version number of the operating system? (2 points)
A. Service Pack 1
B. Service Pack 2
C. Service Pack 3
D. Service Pack 4
E. Service Pack 5
Analysis: read directly in Forensic Master.
19. Which of the following is victor's default printer? (2 points)
A. HP OfficeJet 250 Mobile Series
B. CutePDF Writer
C. Microsoft XPS Document Writer
D. PDF Complete
E. AL-M2330
Analysis: in the emulated system, look up the default printer in Control Panel under the victor user.
20. At 2018-10-31 08:29:32 +8, which of the following files was used by account simon? (2 points)
A. Microsoft store.url
B. and.jpeg
C. Reddy Resume.doc
D. grocerylistsDOTorg_Spreadsheet_v1_1.xls
E. InvoiceTemplate.docx
Analysis: obtained by running a search across the image for the option names.
21. Continuing from the previous question, which program was used to open the file above? (2 points)
A. Internet Explorer
B. Firefox
C. Paint
D. WPS Spreadsheets
E. WPS Writer
Analysis: follows on from the screenshot above; read directly in Forensic Master.
22. Which of the following is victor's default web browser? (2 points)
A. Internet Explorer
B. Google Chrome
C. 360 browser
D. Firefox
E. Thunder browser
Analysis: in the emulated system, under the victor user, create a new .html file; the program that opens it is the default browser.
23. There is a map in victor's Recycle Bin. Which of the following is the original file name of this map? (2 points)
A. Capture.PNG
B. Grab .PNG
C. Screenshot.PNG
D. Map.bmp
E. Map.jpg
Analysis: read directly in Forensic Master.
24. Continuing from the previous question, what is the original storage path of the above map? (2 points)
A. C:\Users\victor\Pictures
B. C:\Users\victor\Documents
C. C:\Users\victor\Desktop
D. C:\Users\victor\Downloads
E. C:\
Analysis: read directly in Forensic Master.
25. Find the file named "request for quotation.lnk" and give the target path of the LNK file. (2 points)
A. C:\Users\victor\Pictures
B. C:\Users\victor\Documents
C. C:\Users\victor\Desktop
D. C:\Users\victor\Downloads
E. C:\
Analysis: “C:\……\Desktop\request for quotation.docx”
26. Continuing from the previous question, when was the above file last opened? (Answer format, "local time": YYYY-MM-DD HH:MM:SS +8) (2 points)
A. 2018-10-29 15:11:43 +8
B. 2018-10-29 19:24:16 +8
C. 2018-10-29 15:11:42 +8
D. 2018-11-01 14:51:25 +8
E. 2018-10-29 07:11:42 +8
Analysis: read directly in Forensic Master.
27. Continuing from the previous question, the metadata of "" records the physical (MAC) address of which of the following network cards? (2 points)
A. 00:0C:29:70:F4:47
B. 00:50:56:C0:00:13
C. 47:F4:70:29:0C:00
D. E4:A7:A0:CB:66:C7
E. 00:0C:29:70:F4:47
Analysis: search with "request for quotation.lnk" as the keyword to get the answer.
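Questions 25 to 27 all come out of one .lnk file: the target path, the target's last-access time, and the MAC address. The Python below is an added example, not from the original writeup, showing where those last two live in the shell link format: the access FILETIME at offset 0x24 of the 76-byte header, and the MAC address in the Distributed Link Tracker extra-data block (signature 0xA0000003), where the object id is a version-1 UUID whose node field is the MAC of the machine that created the link. The sample .lnk is constructed in the block with made-up values (name, machine id, MAC, timestamp); it is not the file from the image.

```python
"""Added example: read the target access time and the tracker-block MAC from a .lnk.
The sample link is constructed below; every value in it is made up for the example."""
import struct
import uuid
from datetime import datetime, timedelta, timezone

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
TRACKER_SIGNATURE = 0xA0000003
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
LOCAL_TZ = timezone(timedelta(hours=8))        # answer format of the questions is "+8"


def filetime_to_local(ft: int) -> str:
    dt = FILETIME_EPOCH + timedelta(microseconds=ft // 10)
    return dt.astimezone(LOCAL_TZ).strftime("%Y-%m-%d %H:%M:%S +8")


def skip_optional_sections(data: bytes, flags: int, pos: int) -> int:
    """Advance past LinkTargetIDList, LinkInfo and the StringData entries (MS-SHLLINK)."""
    if flags & 0x01:                                # HasLinkTargetIDList: u16 size + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & 0x02:                                # HasLinkInfo: u32 total size
        pos += struct.unpack_from("<I", data, pos)[0]
    char_size = 2 if flags & 0x80 else 1            # IsUnicode
    for bit in (0x04, 0x08, 0x10, 0x20, 0x40):      # Name, RelativePath, WorkingDir, Args, Icon
        if flags & bit:
            pos += 2 + char_size * struct.unpack_from("<H", data, pos)[0]
    return pos


def parse_lnk(data: bytes) -> dict:
    header_size, clsid = struct.unpack_from("<I16s", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    _ctime, atime, _wtime = struct.unpack_from("<QQQ", data, 0x1C)   # target's times
    result = {"target_last_access": filetime_to_local(atime), "mac": None, "machine_id": None}
    pos = skip_optional_sections(data, flags, header_size)
    while pos + 4 <= len(data):                      # walk the extra-data blocks
        size = struct.unpack_from("<I", data, pos)[0]
        if size < 4:
            break                                    # TerminalBlock
        sig = struct.unpack_from("<I", data, pos + 4)[0]
        if sig == TRACKER_SIGNATURE:
            machine = data[pos + 16: pos + 32]       # NetBIOS name, NUL padded
            result["machine_id"] = machine.split(b"\0", 1)[0].decode("ascii", "replace")
            droid_file = uuid.UUID(bytes_le=data[pos + 48: pos + 64])   # Droid object id
            if droid_file.version == 1:              # only v1 UUIDs carry a MAC in the node
                result["mac"] = ":".join(f"{b:02X}" for b in droid_file.node.to_bytes(6, "big"))
        pos += size
    return result


def build_sample_lnk() -> bytes:
    """Construct a minimal .lnk: header, one Unicode name string, tracker block, terminator."""
    atime = datetime(2018, 10, 20, 7, 11, 42, tzinfo=timezone.utc)     # made-up timestamp
    delta = atime - FILETIME_EPOCH
    ft = (delta.days * 86400 + delta.seconds) * 10_000_000
    header = bytearray(0x4C)
    struct.pack_into("<I16s", header, 0, 0x4C, LNK_CLSID)
    struct.pack_into("<I", header, 0x14, 0x04 | 0x80)     # HasName | IsUnicode
    struct.pack_into("<I", header, 0x18, 0x20)            # FILE_ATTRIBUTE_ARCHIVE
    struct.pack_into("<QQQ", header, 0x1C, ft, ft, ft)
    struct.pack_into("<I", header, 0x3C, 1)               # SW_SHOWNORMAL
    name = "example quotation.docx".encode("utf-16-le")
    string_data = struct.pack("<H", len(name) // 2) + name
    droid_volume = uuid.UUID("12345678-1234-4abc-8def-123456789abc").bytes_le
    droid_file = uuid.UUID(fields=(0x76543210, 0xBA98, 0x11E8, 0xA1, 0xB2, 0x001122334455))
    tracker = struct.pack("<IIII16s", 0x60, TRACKER_SIGNATURE, 0x58, 0, b"EXAMPLE-PC")
    tracker += droid_volume + droid_file.bytes_le          # Droid
    tracker += droid_volume + droid_file.bytes_le          # DroidBirth (same when never moved)
    return bytes(header) + string_data + tracker + struct.pack("<I", 0)


if __name__ == "__main__":
    print(parse_lnk(build_sample_lnk()))
```

Two caveats worth knowing when applying this to a real link: the header times describe the target file as it was when the link was last written, not the link's own timestamps, and a tracker block is only present when the target lived on an NTFS volume with link tracking enabled, so `mac` stays `None` for links to removable FAT media.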
28. Which of the following email sending/receiving programs does system account victor use? (2 points)
A. Outlook express
B. Lotus Note
C. Thunderbird
D. Roundcube
E. The above software is not installed
Analysis: read directly in Forensic Master.
29. Which IP address does the system use to log on to the Internet? (2 points)
A. 10.0.4.1
B. 10.0.4.128
C. 192.168.72.2
D. 192.168.72.128
E. 192.168.72.233
Analysis: search for the options to get the answer.
30. Several USB mobile storage devices (U disks) have been connected to this operating system. Which of the following is a USB mobile storage device that was connected to this system? (2 points)
A. Verbatim USB Device
B. USB Mass storage USB Device
C. WD 2500BMV External USB Device
D. SanDisk Cruzer Fit USB Device
E. Seagate 250 External USB Device
Analysis: read directly in Forensic Master.
31. In the operating system, which of the following drive letters (Drive Letter) was assigned to the above-mentioned U disk? (2 points)
A. D:
B. E:
C. F:
D. G:
E. Z:
Analysis: read directly in Forensic Master.
32. In this operating system, which of the following is the last shutdown time? (Answer format, "Coordinated Universal Time": YYYY-MM-DD HH:MM:SS UTC) (2 points)
A. 2018-11-02 08:59:38 UTC
B. 2018-11-02 10:22:40 UTC
C. 2018-11-02 10:23:03 UTC
D. 2018-11-02 10:47:28 UTC
E. 2018-11-02 10:47:51 UTC
Analysis: read directly in Forensic Master.
33. In this operating system, which of the following is the host name of the computer? (2 points)
A. VICTOR-COMPUTER
B. WORKGROUP
C. SIMON-HOME
D. VICTOR-HOME
E. LILY-HOME
Analysis: read directly in Forensic Master.
34. Continuing from the previous question, what was the computer's name before the above host name was set? (2 points)
A. 42P323K467-22
B. 37L4247F27-25
C. WIN-6S2GC51RGL9
D. USER-PC
E. MY-PC
Analysis: Step 1: check the system log and find that there is an event recording the host-name change.
Step 2: jump to and open the corresponding event log file and locate the event by its event ID.
Step 3: view the event details.
35. Continuing from the previous question, when was the above computer's host name set? (Answer format, "local time": YYYY-MM-DD HH:MM:SS +8) (2 points)
A. 2018-10-24 11:07:22 +8
B. 2018-10-28 12:22:59 +8
C. 2018-10-27 13:45:18 +8
D. 2018-10-25 16:04:19 +8
E. 2018-10-25 16:07:38 +8
Analysis: as shown in the screenshot above, see the "recorded time" field.
36. In this operating system, which of the following is the email account that user victor uses every day? (2 points)
E. None of the above
Analysis: read directly in Forensic Master.
37. When did victor last change the password of the above email account? (Answer format, "local time": YYYY-MM-DD) (2 points)
A. 2018-10-29
B. 2018-10-30
C. 2018-10-31
D. 2018-11-01
E. 2018-11-02
Analysis: check the email details for the answer.
38. When did victor receive the ransom email? (Answer format, "local time": YYYY-MM-DD HH:MM +8) (2 points)
A. 2018-11-02 09:09 +8
B. 2018-11-02 09:10 +8
C. 2018-11-02 10:09 +8
D. 2018-11-02 17:09 +8
E. 2018-11-02 17:10 +8
Analysis: find the relevant emails and read off the time.
39. Which of the following is the IP address of the extortion email? (2 points)
A. 10.152.64.57
B. 10.152.64.217
C. 220.246.55.13
D. 74.208.4.220
E. 10.76.45.13
Analysis: Find the relevant email to get the IP address
40. After decompressing the attachment of the extortion email, there is a virus file. What is the MD5 hash value of this file? (2 points)
A. 72596F71248531853F37D4BD15D088C4
B. 15B64B15CC5A5442196471690D4A088B
C. 67A1487E296328C9E802D50741D8DB9C
D. 72596F71248DH3S92LS7D4BD15D088C4
E. 5BB71EF8E95A5249EF4C2A8CFF9A1E1C
Analysis: Calculate the MD5 value after finding the file and decompressing it
41. When was the above virus file executed by the system? (Answer format, "local time": YYYY-MM-DD HH:MM +8) (2 points)
A. 2018-11-02 14:15 +8
B. 2018-11-02 17:09 +8
C. 2018-11-02 17:13 +8
D. 2018-11-02 17:20 +8
E. 2018-11-02 17:23 +8
Analysis: search for the file and take its earliest access time.
42. Will this virus run automatically after restarting the computer? If so, which of the following programs does it execute? (2 points)
A. Thunder.exe
B. QyKernel.exe
C. QyClient.exe
D. javaw.exe
E. Viruses do not execute automatically
Analysis: after decompression it turns out to be a jar program, so it is judged to run via javaw.exe.
43. Which of the following files is generated after the virus file is executed? (2 points)
A. E8S377N3N8UOAMS82PQJ.temp
B. tbc_stat_cache.dat
C. JNativeHook_4940080920928265976.dll
D. 83aa4cc77f591dfc2374580bbd95f6ba.tmp
E. downloads.json
Analysis: decompiling it shows only two .class files inside, which should take up only a dozen or so KB, yet the jar package is over 200 KB, and I have not found a way to work out which files it generates. Monitoring it in a virtual machine with dynamic analysis would take too long and might still not give the answer. I can't do this question.
44. Continuing from the previous question, what is the function of the above file? (2 points)
A. Obtain camera permission
B. Track keyloggers
C. Capture browser passwords
D. Capture system login password
E. Access system partition
Analysis: decompile with JD-GUI and read the Java code.
45. Which of the following is a third-party input method software installed in the system? (2 points)
A. sogou pinyin
B. sogou wubi
C. Baidu Pinyin
D. QQ Pingyin
E. None of the above
Analysis: read directly in Forensic Master.
46. Which time server does the operating system automatically synchronize with? (2 points)
A. time.nist.gov
B. time-a.nist.gov
C. time.windows.com
D. time-b.nist.gov
E. time-nw.nist.gov
Analysis: in the emulated system, just look at the time settings.
47. The forensic personnel arrived at the scene at 6:25 p.m. on 2018-11-02; which of the following evidence was then collected from the system? (2 points)
A. Capture the screen
B. Backup User Data
C. Backup browsing history
D. Capture network packets
E. Make a memory image file
Analysis: can be derived from question 48.
48. After the forensic personnel arrived, which of the following software has been running in the system? (2 points)
A. wireshark.exe
B. Magnet RAM capture.exe
C. Lightscreen.exe
D. fastdump.exe
E. None of the above
Analysis: derived from question 49.
49. Continuing from the previous question, which of the following files is the captured data stored in? (2 points)
A. victor_PC_networktraffic.pcapng
B. Lily_PC.networktraffice.pcapng
C. PC_ screenshot.PNG
D. victor_PC_memdump.dmp
E. Lily_PC_memdump.dmp
Analysis: search for the option names.
50. Continuing from the previous question, which of the following partitions should the above files be stored in? (2 points)
A. D:
B. E:
C. F:
D. G:
E. H:
Analysis: export the shortcut and view Properties - Target.