DiskFiltration

Tech THM discovered a data leak and suspects Liam, a recently terminated system engineer. He had access to the leaked data, frequently stayed late without reason, and was seen near the critical server room taking photos. An investigation into his workstation suggests he had help from an external party.

What is the serial number of the USB device Liam used for exfiltration?

The USB serial number is stored in the SYSTEM registry hive under the USBSTOR key, and the tool has already parsed it out for us in the "USB Device Attached" section.

The first step is to list the USB devices. The last one was attached at 2025-02-03 10:03:49 UTC, and its ID is visible right there.
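As an added example (not part of the original writeup), the snippet below shows what the tool is doing when it pulls the serial out of USBSTOR: it takes a key path of the form `...\USBSTOR\Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>\<instance id>` apart and returns vendor, product and serial. The two sample paths are constructed, not values from the room. The caveat worth knowing is that if the second character of the instance ID is `&`, Windows generated the ID itself because the device reported no unique serial, so that value does not identify one particular stick.

```python
import re
from typing import Optional

# Layout of the key the walkthrough refers to (the constructed paths below follow it):
#   HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>\<instance id>
# The instance ID is the device's reported serial number with "&0" appended by Windows.
# When a device reports no unique serial, Windows generates an ID whose second
# character is '&' (e.g. "7&1f2e3d4c&0"), so that value cannot identify a specific stick.
DEVICE_KEY_RE = re.compile(
    r"^Disk&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>[^&]*)$",
    re.IGNORECASE,
)


def parse_usbstor_path(path: str) -> Optional[dict]:
    """Extract vendor, product, revision and serial from a USBSTOR key path.

    Returns None if the path does not contain a USBSTOR device key plus instance ID.
    """
    parts = path.split("\\")
    lowered = [p.lower() for p in parts]
    if "usbstor" not in lowered:
        return None
    idx = lowered.index("usbstor")
    if len(parts) < idx + 3:
        return None
    device_key, instance_id = parts[idx + 1], parts[idx + 2]
    match = DEVICE_KEY_RE.match(device_key)
    if not match:
        return None
    windows_generated = len(instance_id) > 1 and instance_id[1] == "&"
    # Strip the "&<n>" suffix Windows appends to the reported serial.
    serial = re.sub(r"&\d+$", "", instance_id)
    return {
        "vendor": match.group("vendor"),
        "product": match.group("product"),
        "revision": match.group("rev"),
        "serial": serial,
        "windows_generated": windows_generated,
    }


# Constructed sample paths (not the serials from the room).
SAMPLE_PATHS = [
    r"HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530001230710115553&0",
    r"HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&1f2e3d4c&0",
]


def summarize(paths):
    """Parse every path; entries that are not USBSTOR device paths come back as None."""
    return [parse_usbstor_path(p) for p in paths]


if __name__ == "__main__":
    for info in summarize(SAMPLE_PATHS):
        print(info)
```

When the flag comes back as `windows_generated`, the serial alone cannot be used to tie a specific physical device to the host; correlate it with the attach timestamp and the mounted drive letter instead.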

What is the profile name of the personal hotspot Liam used to evade network-level detection?

To identify the hotspot profile, we need to examine the SOFTWARE registry hive, specifically the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles key. Each subkey there holds a ProfileName value, and the one from this activity reveals that Liam used his iPhone.


What is the name of the zip file Liam copied from the USB to the machine for exfiltration instructions?

After navigating to the Desktop of the Administrator user, we identified a ZIP file located in that directory. Notably, the ZIP file shares the same name as the suspicious folder previously found in the “Recent Documents” list, confirming that this is the file relevant to our investigation.


What is the password for this zip file?

Recall that we discovered the file Pass.txt in the Administrator’s Documents folder. Upon inspection, we determined that the password contained in this file can be used to unzip the ZIP archive, confirming that we have identified the correct file.

Time to reveal the external entity helping Liam! Who is the author of the PDF file stored in the zip file?

I examined the files using exiftool. The PDF metadata lists the author.

What is the correct extension of the file that has no extension in the zip folder?

Using exiftool on the confidential file revealed that it is actually an image, and we also discovered a hidden flag within the comment metadata.
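As an added example (not from the original writeup), this is the check exiftool performs for us when it reports a file with no extension as an image: look at the leading magic bytes, then read the format's comment metadata, which is where the hidden flag was sitting. Both sample files are constructed in code so the example runs offline; the flag strings in them are placeholders, not the room's answer.

```python
import struct
import zlib

# Magic bytes for the formats most likely to turn up as a "no extension" file.
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
]


def identify(data: bytes) -> str:
    """Return the extension implied by the file's leading bytes, or 'unknown'."""
    for signature, ext in MAGIC:
        if data.startswith(signature):
            return ext
    return "unknown"


def png_text_chunks(data: bytes) -> list:
    """Return (keyword, text) pairs from PNG tEXt chunks, e.g. ('Comment', '...')."""
    found = []
    pos = 8  # skip the 8-byte signature
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if ctype == b"tEXt" and b"\x00" in body:
            keyword, _, text = body.partition(b"\x00")
            found.append((keyword.decode("latin-1"), text.decode("latin-1")))
        if ctype == b"IEND":
            break
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC
    return found


def jpeg_comments(data: bytes) -> list:
    """Return ('COM', text) pairs from JPEG comment segments (marker 0xFFFE)."""
    found = []
    pos = 2  # skip SOI (FF D8)
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI or SOS: no more metadata segments follow
            break
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # includes its own 2 bytes
        if marker == 0xFE:
            found.append(("COM", data[pos + 4:pos + 2 + seg_len].decode("latin-1")))
        pos += 2 + seg_len
    return found


def comment_metadata(data: bytes) -> list:
    """Dispatch on the detected type and return whatever comment metadata it carries."""
    ext = identify(data)
    if ext == "png":
        return png_text_chunks(data)
    if ext == "jpg":
        return jpeg_comments(data)
    return []


# --- constructed samples (not files from the room) ---
def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


SAMPLE_PNG = (
    b"\x89PNG\r\n\x1a\n"
    + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
    + _png_chunk(b"tEXt", b"Comment\x00THM{constructed-png-flag}")
    + _png_chunk(b"IEND", b"")
)
_JPEG_COMMENT = b"THM{constructed-jpeg-flag}"
SAMPLE_JPEG = (
    b"\xff\xd8"
    + b"\xff\xfe" + struct.pack(">H", 2 + len(_JPEG_COMMENT)) + _JPEG_COMMENT
    + b"\xff\xd9"
)

if __name__ == "__main__":
    for blob in (SAMPLE_PNG, SAMPLE_JPEG, b"%PDF-1.7 ..."):
        print(identify(blob), comment_metadata(blob))
```

The signature check is what to trust, not the name: a file can be renamed to anything, but the leading bytes have to match what the viewer expects or the file will not open.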

It looks like Liam searched for some files inside the file explorer. What are the names of these files? (alphabetical order)

Regarding "searching", there is a registry key that stores the search keywords:

To access it, we need to examine the Administrator user's NTUSER.DAT registry hive. In this key we found two stored keywords, and those are the answer.

What are the names of the folders that were present on the USB device? (alphabetical order)

Returning to "Recent Documents", we observed two additional folders accessed on the E: drive, which corresponds to the USB device that was mapped to the system.

The external entity didn't fully trust Liam for the exfiltration so they asked him to execute file_uploader.exe, through the instructions in PDF. When was this file last executed and how many times was it executed? (YYYY-MM-DD HH:MM:SS, number of execution times)

First, I ran exiftool on the file, which revealed nothing useful except that, judging by the icon, it appears to be a compiled Python binary.

Execution evidence can be found in the "Run Programs" section, which parses the prefetch files. It shows the file was executed twice, together with the last run time.

Liam received a hidden flag inside a file (in the zip folder) from the external entity helping him. What was that?

The purple line

It seems like Liam caused one last damage before leaving. When did Liam delete "Tax Records.docx"? (YYYY-MM-DD HH:MM:SS)

The file's actual path is not visible in Windows Explorer, and it does not appear among the deleted files either.

I exported the USN Journal file:

C:\$Extend\$UsnJrnl\$J

Then I parsed it with MFTECmd into a CSV file so it can be read:

`MFTECmd.exe -f $UsnJrnl_$J --csv meow`


Then load the CSV file into Timeline Explorer and filter for "Tax Records.docx".

After filtering by the .docx extension, I took the latest timestamp, since that is most likely when the file was deleted.
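As an added example (not from the original writeup), the snippet below does in code what the Timeline Explorer filter does by hand, with one sharpening: instead of taking the latest `.docx` row, it keeps only rows whose `UpdateReasons` contain `FileDelete` for the exact file name, so a later Close or a Word lock file (`~$x Records.docx`) cannot be mistaken for the deletion. The CSV is constructed; its column names are assumed to follow MFTECmd's $J output and its timestamps and paths are invented, not the room's values.

```python
import csv
import io
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed CSV in the shape of MFTECmd's $J output (column names assumed from that
# tool's CSV; only the five columns used here are included). Timestamps are UTC with
# MFTECmd's 7-digit fractional seconds. None of these rows come from the room.
SAMPLE_USN_CSV = r"""Name,Extension,ParentPath,UpdateTimestamp,UpdateReasons
Tax Records.docx,.docx,.\Users\Administrator\Documents,2025-02-03 09:58:12.0000000,DataExtend|Close
Tax Records.docx,.docx,.\Users\Administrator\Documents,2025-02-03 10:01:44.0000000,FileDelete|Close
~$x Records.docx,.docx,.\Users\Administrator\Documents,2025-02-03 10:01:45.0000000,FileDelete|Close
Budget.docx,.docx,.\Users\Administrator\Documents,2025-02-03 10:02:00.0000000,DataExtend|Close
"""


def usn_events(csv_text: str, filename: str, reason: Optional[str] = None) -> List[Tuple[str, str, str]]:
    """Return (timestamp, reasons, parent path) rows for filename, oldest first.

    reason, if given, keeps only rows whose UpdateReasons contain that flag
    (e.g. 'FileDelete'); the flags are '|'-separated in the CSV.
    """
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Name"].lower() != filename.lower():
            continue
        flags = row["UpdateReasons"].split("|")
        if reason and reason not in flags:
            continue
        rows.append((row["UpdateTimestamp"], row["UpdateReasons"], row["ParentPath"]))
    return sorted(rows)  # ISO-style timestamps sort correctly as strings


def deletion_time(csv_text: str, filename: str) -> Optional[str]:
    """Last FileDelete event for filename, formatted YYYY-MM-DD HH:MM:SS, or None."""
    deletes = usn_events(csv_text, filename, reason="FileDelete")
    if not deletes:
        return None
    stamp = deletes[-1][0][:19]  # drop the fractional seconds
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    for event in usn_events(SAMPLE_USN_CSV, "Tax Records.docx"):
        print(event)
    print("deleted at:", deletion_time(SAMPLE_USN_CSV, "Tax Records.docx"))
```

Keep in mind that $J is a circular log, so on a busy system the deletion record may already have been overwritten; an empty result here is not proof that the file was never deleted.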

Which social media site did Liam search for using his web browser? Likely to avoid suspicion, thinking somebody was watching him. (Full URL)

Reviewing the "Web History" shows that Liam visited *********, but only its default homepage, without navigating to any other pages.

What is the PowerShell command Liam executed as per the plan?

Finally, since the last objective is to retrieve all network shares and Liam was using PowerShell, we can examine the PowerShell ConsoleHost history to find the commands executed by the Administrator user.
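As an added example (not from the original writeup), this snippet reads a ConsoleHost_history.txt file the way an analyst would when the objective is "which command enumerated the shares": it splits the history into commands, re-joining lines PSReadLine continued with a trailing backtick, and flags the entries that enumerate shares. The history text is constructed, the relative path is PSReadLine's default location as I recall it, and the pattern list is a starting point rather than the room's answer.

```python
import re
from pathlib import Path
from typing import List, Tuple

# Where PSReadLine writes the interactive command history, relative to the user's
# profile directory (assumed from PSReadLine's default; not stated on the page).
HISTORY_RELATIVE = Path("AppData/Roaming/Microsoft/Windows/PowerShell/PSReadLine/ConsoleHost_history.txt")

# Commands an analyst would want flagged when the objective is "enumerate all network shares".
SHARE_ENUM_PATTERNS = [
    re.compile(r"\bGet-SmbShare\b", re.IGNORECASE),
    re.compile(r"\bnet\s+(?:share|view)\b", re.IGNORECASE),
    re.compile(r"\b(?:Get-WmiObject|gwmi|Get-CimInstance)\b.*\bWin32_Share\b", re.IGNORECASE),
]


def parse_history(text: str) -> List[str]:
    """Split ConsoleHost_history.txt into commands, joining backtick-continued lines."""
    commands, current = [], []
    for line in text.splitlines():
        if line.endswith("`"):  # PSReadLine stores multi-line input with trailing backticks
            current.append(line[:-1])
            continue
        current.append(line)
        joined = " ".join(part.strip() for part in current).strip()
        current = []
        if joined:
            commands.append(joined)
    if current:  # history ended mid-continuation
        commands.append(" ".join(part.strip() for part in current).strip())
    return commands


def share_enumeration_commands(text: str) -> List[Tuple[int, str]]:
    """Return (1-based position, command) for history entries that enumerate shares."""
    hits = []
    for index, cmd in enumerate(parse_history(text), start=1):
        if any(pattern.search(cmd) for pattern in SHARE_ENUM_PATTERNS):
            hits.append((index, cmd))
    return hits


# Constructed history (not the room's artefact).
SAMPLE_HISTORY = """Get-Process
cd C:\\Users\\Administrator\\Desktop
net view \\\\FILESRV01
Get-CimInstance `
  -ClassName Win32_Share
Get-SmbShare | Select-Object Name,Path
"""

if __name__ == "__main__":
    for position, cmd in share_enumeration_commands(SAMPLE_HISTORY):
        print(f"{position}: {cmd}")
```

Two caveats when reading this artefact: the file carries no timestamps, only order, so the execution time has to come from another source (prefetch, event logs), and it only records interactive PSReadLine sessions, so commands run from scripts or remoting sessions will not be in it.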

Happy investigation . . .

Alpha
