- Finding default browser and the top visited website.
- Extract timestamp, ID, Hostname of the TeamViewer FileTransfer session.
Challenge Points: 913
Challenge Solves: 15
Challenge Author: g4rud4
Download the challenge file from here
We are given with a disk dump, lets use add the data source to Autopsy. We can see that, the given dump is from Windows 10 Home system, and Owner of the system is
By checking all installed applications, we can see there are 3 web browsers(Google Chrome, Mozilla Firefox, Brave), Slack, Voice Modulator, TeamViewer, AnyDesk etc.
Answering 1st Question
- What is the default browser that the Heist leader is using on the device?
As there were 3 browsers being installed on the system. Let us check which is the default browser that user is using.
We can find that by checking the following registry key.
From the above highlighting, We get it as
ChromeHTML, which means user is using
Chrome as his default browser.
So the answer will be
Answering 2nd Question
- What is the top-visited website in the leader’s system on the default browser?
Now we know
Chrome is the default browser. Chrome stores it user data in the following folder
Users/Danial Benjamin/AppData/Local/Google/Chrome/User Data/Default/.
In that directory we can find a SQlite database named
Top Sites. This database provides us a list of top-visited websites by the user and gives a
url_rank for each site. Sorting the table(
top_sites) according to
url_rank. We can get the top visited website user visited.
As highlighted above, we can see for url_rank - 0, we have
https://www.ebay.com/. Converting it to the given format, we get
Answering 3rd Question
- When was the latest file transfer session initiated in TeamViewer?
We need to find when the file transfer session initiated in TeamViewer.
TeamViewer stores its user data, in these following locations:
Main files of interest would be
Connections.txt. These files store the incoming and outgoing connections from TeamViewer.
Here is an example representation for data found in
Img src: mii-cybersec
On comparing both files, we can have only one file transfer session in
Connection_incoming.txt. From that we can get the time initiated, TeamViewer ID, and the Hostname of the remote PC.
As highlighted above, we can see that TeamViewer ID is
920981533, Remote PC’s Hostname is
DESKTOP-S34NLCJ, and time file transfer session initiated is
20-07-2021 07:48:50 in UTC.
But for this we need only the time initiated for this question. Which is
Answering 4th Question
- What is the ID, Hostname of that file-transfer session?
We found the TeamViewer ID and hostname of the Remote PC from the previous question.
So the TeamViewer ID and Hostname are
Converting the answer in the given format we get,
Combining all answers we can get the flag.
For further queries, please DM on Twitter: https://twitter.com/_Nihith