Monday, June 23, 2014

Daily Blog #365: The year of blogging complete and the stage 1 question

Hello Reader,
        Thank you to those of you who have kept up for the last 365 days; it has been both challenging and rewarding to force myself to keep looking, researching, documenting and sharing what I know with all of you. I hope you found some benefit in the last year, but I have received enough personal satisfaction and knowledge to make it worthwhile regardless. I highly recommend that anyone else out there who wants to push themselves forward in their understanding of all things DFIR give the Zeltser challenge a shot.

Now for what you all came here for: the 1st stage challenge in the 5-stage Sunday Funday challenge for a free vLive class from SANS.

  • Email me your answers at dcowen@g-cpartners.com

  • The contest will run until July 6th

  • To get the 2nd stage you must successfully email me the answer to the 1st.


Stage 1 Question:
You are dealing with an attacker who has used the Volume Shadow Copy Service to create a new copy of the volume and then exported the Active Directory database from it, a common tactic and one we use at NCCDC. If they cleared the Security event log after doing this, how could you recover where they logged in from?

FAQ:
1. Keep the answer to the server itself: no firewall logs or SIEM are accessible here. The 1st stage is testing your knowledge of Windows Server 2008.
2. The attack happened a week ago.
3. Keep re-reading the question if you haven't picked up the clue.