Thursday, 30 January 2014

Nullcon HackIm 2014 Forensics-1

This was the main hunt for me in HackIm.. Downloaded a 2GB image file and got started with a tool called autopsy..

link for image :

autopsy download link :

Question : Please download the HackIM image to solve all the forensics level challenges.

Checksum for the HackIM image:
MD5: 71d16cda80ef801d33286825aaf70033
SHA1: 62bbd7babaa409991f7ab1cdb12ac70518dbaffa

Password to extract HackIM image is: "synergyNull2014sdf"

The Client complained that whenever he boots up the machine, all files in his document folder automatically gets deleted. Can you identify the culprit executable process doing this?

Well technically i only know that boot files are in system32 folder.In autopsy you can see the recent accessed while loking at it i also found files required for other challenges.
Now after trial and error i found somewer below in the same recent files folder Ntbackup.exe and it was the flag.

There is an another method also if you have created a virtual box (.vmx) ..
In Windows 7 if  files are being deleted and we want to track this, we need to turn on the Audit object access policy in Local Security Policy.

FLAG : Ntbackup.exe


  1. do you link or mirror to download HackIM images ?
    ty before

    1. You can get it from here :


enter valid comments.Suggestions are most welcome and would be interested in correcting my mistakes.