What is the AD1 file?
The .AD1 suffix identifies an AccessData logical (custom content) image produced by FTK Imager. The format was developed by AccessData Group, LLC, and is opened by forensic tools that run on Windows, FTK Imager itself being the usual choice.
HINT: Autopsy does not natively open AD1 images, so check its setup guide before you start. In practice you either browse the image directly in FTK Imager or mount it there (Image Mounting) and add the mounted volume to Autopsy as a logical data source.
Q1) What is the hostname of the victim machine?
HINT: Windows → System32 → config → SYSTEM (registry hive) → ControlSet001 → Control → ComputerName → ComputerName, value ComputerName. Note that CurrentControlSet only exists on a live system; in an offline hive the control sets are named ControlSet00N, and the value Select → Current tells you which one was active when the machine was last running.
ANS: WIN-NF3JQEU4G0T
Q2) What is the messaging app installed on the victim machine?
HINT: Users → Semah → check Downloads and AppData.
ANS: WhatsApp
Q3) The attacker tricked the victim into downloading a malicious document. Provide the full download URL.
HINT: Users → Semah → AppData → WhatsApp → Databases → msgstore.db. Export the database from FTK Imager, open the exported copy in WhatsApp Viewer and read the message that carries the link. msgstore.db is an SQLite database, so any SQLite client works too; work on the exported copy, never on the image.
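If you would rather not rely on WhatsApp Viewer, the link can be pulled straight out of the exported msgstore.db with a few lines of Python. The script below is an added example for this write-up, not code from the challenge or from WhatsApp: it builds a small constructed sample database in memory (the chat and the http://example.invalid URL are made up and are not the challenge answer), opens a real export read-only when given a path, and extracts every URL from the message text. The column names for the legacy `messages` table and the newer `message`/`chat`/`jid` tables are my assumptions about the WhatsApp schema; confirm them with `.schema` in sqlite3 before trusting the output.

```python
import re
import sqlite3
import sys

# Constructed sample chat, labelled as such: it stands in for the exported msgstore.db
# and is NOT the content of the challenge database.
SAMPLE_MESSAGES = [
    # (remote JID, from_me, timestamp in ms since epoch, message text)
    ("1234567890@s.whatsapp.net", 0, 1700000000000, "Hi, the invoice is ready for review"),
    ("1234567890@s.whatsapp.net", 0, 1700000060000, "Download it here: http://example.invalid/docs/invoice.docm"),
    ("1234567890@s.whatsapp.net", 1, 1700000120000, "Got it, thanks"),
]

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory database with the legacy WhatsApp `messages` table.

    The column names (key_remote_jid, key_from_me, timestamp, data) follow the old
    msgstore.db schema as I know it; treat them as an assumption and compare with
    `.schema` on the real export.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE messages (_id INTEGER PRIMARY KEY, key_remote_jid TEXT, "
        "key_from_me INTEGER, timestamp INTEGER, data TEXT)"
    )
    conn.executemany(
        "INSERT INTO messages (key_remote_jid, key_from_me, timestamp, data) VALUES (?, ?, ?, ?)",
        SAMPLE_MESSAGES,
    )
    conn.commit()
    return conn


def open_evidence_db(path: str) -> sqlite3.Connection:
    """Open an exported msgstore.db read-only so the analysis never writes to the evidence copy."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def message_rows(conn: sqlite3.Connection):
    """Yield (jid, from_me, timestamp, text) for whichever schema generation the database uses."""
    tables = {row[0] for row in conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")}
    if "messages" in tables:
        # legacy schema: one flat table holding the text in `data`
        sql = ("SELECT key_remote_jid, key_from_me, timestamp, data FROM messages "
               "WHERE data IS NOT NULL ORDER BY timestamp")
    elif {"message", "chat", "jid"} <= tables:
        # newer schema (assumed): text in message.text_data, chat -> jid gives the remote party
        sql = ("SELECT j.raw_string, m.from_me, m.timestamp, m.text_data FROM message m "
               "JOIN chat c ON c._id = m.chat_row_id JOIN jid j ON j._id = c.jid_row_id "
               "WHERE m.text_data IS NOT NULL ORDER BY m.timestamp")
    else:
        raise ValueError("no WhatsApp message table found; check .schema of the export")
    yield from conn.execute(sql)


def extract_urls(conn: sqlite3.Connection):
    """Return [(jid, 'sent'|'received', timestamp_ms, url)] for every URL in message text."""
    hits = []
    for jid, from_me, ts, text in message_rows(conn):
        for url in URL_RE.findall(text or ""):
            hits.append((jid, "sent" if from_me else "received", ts, url))
    return hits


if __name__ == "__main__":
    # Usage: python whatsapp_urls.py [path/to/exported/msgstore.db]
    db = open_evidence_db(sys.argv[1]) if len(sys.argv) > 1 else build_sample_db()
    for jid, direction, ts, url in extract_urls(db):
        print(f"{ts}\t{direction}\t{jid}\t{url}")
```

Copy msgstore.db together with any msgstore.db-wal and msgstore.db-shm files that sit beside it, otherwise the most recent messages may not be visible to the query.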
Q4) Multiple streams in the document contain macros. Provide the number of the highest such stream.
HINT: in FTK Imager open Users → Semah → Downloads and export the document.
Run oledump.py against the exported file. oledump lists every OLE stream with an index and marks VBA streams with M (macro code present) or m (a module that only carries attributes). The question asks for the highest stream index that is flagged as a macro, not for the largest stream by size.
ANS: 10
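Reading the stream table by eye is easy to get wrong, because the largest macro stream and the highest-numbered one are usually different streams. The following is an added example for this write-up, not oledump.py itself and not output from the challenge document: it parses an oledump listing (a constructed sample imitating the tool's index/indicator/size/name layout is embedded), separates M from m streams, and returns both the highest macro stream number and, for contrast, the largest one. The `run_oledump` helper assumes oledump.py sits in the current directory.

```python
import re
import subprocess
import sys
from dataclasses import dataclass

# Constructed oledump.py listing used as sample input. It imitates the tool's layout
# (index, one-letter indicator, size, stream name) and is NOT the listing from the challenge file.
SAMPLE_OLEDUMP = r"""
  1:       114 '\x01CompObj'
  2:      4096 '\x05DocumentSummaryInformation'
  3:      4096 '\x05SummaryInformation'
  4:      7723 '1Table'
  5:       553 'Macros/PROJECT'
  6:        71 'Macros/PROJECTwm'
  7: M    8412 'Macros/VBA/Module1'
  8: m     977 'Macros/VBA/Module2'
  9: M    1689 'Macros/VBA/Module3'
 10: M    2024 'Macros/VBA/ThisDocument'
 11:      2563 'Macros/VBA/_VBA_PROJECT'
 12:       539 'Macros/VBA/dir'
 13:      4096 'WordDocument'
"""

# index (a letter prefix such as A3 appears for embedded containers), indicator, size, quoted name
LINE_RE = re.compile(r"^\s*([A-Za-z]?\d+):\s([A-Za-z!]?)\s*(\d+)\s+'(.*)'\s*$")


@dataclass
class Stream:
    index: str    # index exactly as oledump prints it
    number: int   # numeric part of the index, used for "highest stream"
    flag: str     # '' no indicator, 'M' macro code, 'm' attributes-only module, others as oledump defines
    size: int
    name: str


def parse_oledump(listing: str) -> list[Stream]:
    """Turn an oledump stream listing into Stream records, ignoring any non-stream lines."""
    streams = []
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if m:
            idx, flag, size, name = m.groups()
            streams.append(Stream(idx, int(re.sub(r"\D", "", idx)), flag, int(size), name))
    return streams


def macro_streams(streams: list[Stream], include_attribute_only: bool = True) -> list[Stream]:
    """oledump flags VBA streams with M (contains code) or m (module with attributes only)."""
    wanted = {"M", "m"} if include_attribute_only else {"M"}
    return [s for s in streams if s.flag in wanted]


def highest_macro_stream(streams: list[Stream]):
    """What Q4 asks for: the highest stream NUMBER that carries a macro."""
    return max((s.number for s in macro_streams(streams)), default=None)


def largest_macro_stream(streams: list[Stream]):
    """Not the same thing: the number of the macro stream with the most bytes."""
    macros = macro_streams(streams)
    return max(macros, key=lambda s: s.size).number if macros else None


def run_oledump(doc_path: str) -> str:
    """Run oledump.py (assumed to be in the current directory) on a file and return its listing."""
    result = subprocess.run([sys.executable, "oledump.py", doc_path],
                            check=True, capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    # Usage: python macro_streams.py [exported.doc]   (falls back to the constructed sample)
    listing = run_oledump(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_OLEDUMP
    streams = parse_oledump(listing)
    for s in macro_streams(streams):
        print(f"{s.index:>3} {s.flag or ' '} {s.size:>7} {s.name}")
    print("highest macro stream:", highest_macro_stream(streams))
    print("largest macro stream:", largest_macro_stream(streams))
```

In the constructed sample the highest macro stream is 10 while the largest is stream 7, which is exactly the distinction the question turns on. Once you know the index, `oledump.py -s 10 -v document.doc` decompresses that single stream so you can read the VBA.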
Q5) The macro executed a program. Provide the program name.
HINT: use olevba.
The macro hides its strings with character-code obfuscation (Chr() calls concatenated with &), so a plain listing shows no readable command.
Run olevba with the --deobf option to have it fold those expressions back into plain strings; the program name appears in the deobfuscated source.
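To make clear what --deobf actually undoes, here is an added example for this write-up, not olevba's code and not the challenge macro: a small deobfuscator that folds `Chr()`/`ChrW()`/`Chr$()` and literal concatenations (including across VBA ` _` line continuations) into one string, then resolves the argument of `Shell` through a single level of variable assignment. The embedded VBA fragment is constructed and decodes to the harmless placeholder notepad.exe; it is not the document's macro and says nothing about the real answer to Q5.

```python
import re

# Constructed VBA fragment showing Chr()-style character obfuscation. It is a made-up
# sample for this write-up and decodes to a harmless placeholder; it is NOT the macro
# from the challenge document.
SAMPLE_VBA = r'''
Sub AutoOpen()
    Dim p As String
    p = Chr(110) & Chr(111) & Chr(116) & Chr(101) & Chr(112) & Chr(97) & Chr(100) & _
        "." & ChrW(101) & Chr$(120) & Chr(101)
    Shell p, vbHide
End Sub
'''

# One concatenation term: Chr/Chr$/ChrW/ChrW$(n) or a quoted literal ("" is an escaped quote)
TERM = r'(?:Chr[W$]*\(\s*(\d+)\s*\)|"((?:[^"]|"")*)")'
TERM_RE = re.compile(TERM, re.IGNORECASE)
# Two or more terms joined by &, tolerating the " _" line continuation between them
CONCAT_RE = re.compile(TERM + r'(?:\s*&\s*(?:_\s*)?' + TERM + r')+', re.IGNORECASE)
SINGLE_CHR_RE = re.compile(r'Chr[W$]*\(\s*(\d+)\s*\)', re.IGNORECASE)
# `name = "literal"` on a line of its own, and the first argument handed to Shell
ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*"((?:[^"]|"")*)"\s*$', re.MULTILINE)
SHELL_RE = re.compile(r'\bShell\b\s*\(?\s*("(?:[^"]|"")*"|\w+)', re.IGNORECASE)


def _vba_literal(text: str) -> str:
    """Re-emit text as a VBA string literal, escaping embedded quotes."""
    return '"' + text.replace('"', '""') + '"'


def _term_value(m: re.Match) -> str:
    if m.group(1) is not None:          # Chr(n) term
        return chr(int(m.group(1)))
    return m.group(2).replace('""', '"')  # quoted literal term


def _collapse(match: re.Match) -> str:
    return _vba_literal("".join(_term_value(t) for t in TERM_RE.finditer(match.group(0))))


def deobfuscate_chr(vba: str) -> str:
    """Fold Chr()/literal concatenations into plain string literals until nothing changes."""
    prev = None
    while prev != vba:
        prev = vba
        vba = CONCAT_RE.sub(_collapse, vba)
        vba = SINGLE_CHR_RE.sub(lambda m: _vba_literal(chr(int(m.group(1)))), vba)
    return vba


def shell_targets(deob: str) -> list[str]:
    """Return the strings handed to Shell, resolving one level of `var = "literal"` assignments."""
    consts = {name: val.replace('""', '"') for name, val in ASSIGN_RE.findall(deob)}
    targets = []
    for arg in SHELL_RE.findall(deob):
        if arg.startswith('"'):
            targets.append(arg[1:-1].replace('""', '"'))
        else:
            targets.append(consts.get(arg, f"<unresolved: {arg}>"))
    return targets


if __name__ == "__main__":
    cleaned = deobfuscate_chr(SAMPLE_VBA)
    print(cleaned)
    print("Shell targets:", shell_targets(cleaned))
```

Real macros stack further tricks on top of this (StrReverse, Replace, Split on a junk separator, arithmetic on the character codes), which is why olevba --deobf is the quicker route on the challenge file; this example only covers the Chr()-concatenation layer the hint refers to.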