crownjewel-2

Q1: When utilizing ntdsutil.exe to dump NTDS on disk, it simultaneously employs the Microsoft Shadow Copy Service. What is the most recent timestamp at which this service entered the running state, signifying the possible initiation of the NTDS dumping process? Open the SYSTEM.evtx log and search for Event ID 7036. Use a search (Ctrl+F) for Volume Shadow Copy service events. Identify the most recent entry where the service entered the running state and note the timestamp from the: ...

September 22, 2024 · 2 min · MikeHorn

reaper

Q1: IP Address of Forela-Wkstn001 What is the IP address of Forela-Wkstn001? 🔍 See Q2 for the analysis steps. Q2: IP Address of Forela-Wkstn002 What is the IP address of Forela-Wkstn002? Note: NetworkMiner requires .pcap format. Convert the file if needed: tshark -F pcap -r ntlmrelay.pcapng -w ntlmrelay.pcap Open the capture in NetworkMiner to get an overview of network activity. Both workstation IP addresses can be identified here: ...

September 21, 2024 · 2 min · MikeHorn