Evidence File: Download from here

Answer the following questions:

Questions

  1. Which memory profile best fits the system?
  2. The user had a conversation with themselves about changing their password. What was the password they were contemplating changing to? Provide the answer as a text string.
  3. What is the MD5 hash of the file from which you recovered the password?
  4. What is the birth object ID for the file which contained the password?
  5. What is the name of the user and their unique identifier which you can attribute the creation of the file document to? Format: #### (Name)
  6. What is the version of software used to create the file containing the password?
  7. What is the version of software used to create the file containing the password?
  8. What is the virtual memory address offset where the password string is located in the memory image?
  9. What is the physical memory address offset where the password string is located in the memory image?
  10. At the time of the RAM collection (20-Apr-20 23:23:26, per Imageinfo) there was an established connection to a Google server. What was the remote IP address and port number? Format: “xxx.xxx.xx.xxx:xxx”
  11. What was the local IP address and port number? Same format as Part 1.
  12. What was the URL?
  13. What user was responsible for this activity based on the profile?
  14. How long was this user looking at this browser with this version of Chrome? format: X:XX:XX.XXXXX Hint: down to the last second
  15. What is the IPv4 address that myaccount.google.com resolves to?
  16. What is the canonical name (cname) associated with Part 1?
  17. What is the PID of the application where you might learn “how hackers hack, and how to stop them”? Format: #### Warning: Only 1 attempt allowed!
  18. What is the product version of the application from Part 1? Format: XX.XX.XXXX.XXXXX