Saturday, December 7, 2013

Daily Blog #168: Sunday Funday 12/8/13

Hello Reader,
        It's Sunday Funday time! I hope you've been working your mental muscles and you're ready to go, because I have a challenge for you this week. If you watched the Forensic Lunch this week you heard a series of topics discussed, and one of them might help you this week! Watch the Forensic Lunch here: https://www.youtube.com/watch?v=S5xP4ALhqSU

The Prize:

  • A $200 USD Amazon Giftcard that will be emailed to you

The Rules:
  1. You must post your answer before Monday 12/9/13 2AM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed; please email them to dcowen@g-cpartners.com
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post

The Challenge:
You have a Windows 2008 system with two partitions: one system partition and one data partition used for file storage and sharing. You recovered an application compatibility cache entry showing that setmace.exe ran, but you don't know what was changed. You need to answer the following questions:

1. How can you detect timestamp manipulation via setmace on the system disk?
2. How can you detect timestamp manipulation via setmace on the data disk?
3. How can you recover which files setmace was pointed at?
4. How can you recover what commands were executed?