Employee Phishing Attack | HTB Sherlocks | Hyperfiletable

Video description: Employee Phishing Attack | HTB Sherlocks | Hyperfiletable

In this easy Sherlocks DFIR challenge, we are provided just the MFT record to determine what happened. We make use of MFT Explorer, MFTECmd and TimelineExplorer to put the pieces together, and learn all about MFT records in the process.

My VM Build: How to Build an Investigation VM | Fo...

00:00 - Intro
00:53 - Extracting the evidence and integrity checking (Q1)
02:15 - Start of MFT Analysis
02:58 - Launching MFT Explorer to save time later
03:15 - Extracting CSV using MFTECmd
04:06 - Opening TimelineExplorer
04:16 - Looking at ZoneID info (Q2, Q3, Q4, Q5, Q7, Q8)
06:58 - Looking at time in the MFT (Q8)
07:23 - A note about timestomping
08:06 - File size in TimelineExplorer
09:05 - Looking at MFT Explorer
09:30 - Looking at MFT record information
09:44 - Non-resident data (Q6, Q8)
10:52 - Resident Data (Q9)
12:09 - Counting files (Q10)
13:29 - Conclusion
