DFIR : Zero To Hero Series : Case-0

To help folks (🕵️) who are just starting their journey in DFIR field we are starting one “DFIR Zero To Hero Series” in which we will provide an Investigation scenario. Additionally we will also provide a write-up for the Investigation scenario where we will share our approach.

Case Background:

New employee recently joined the company as a Web Developer. Company suspect that newly joined employee has used Remote Access Tools and thus wants to verify the use of same and also want to check what other activities suspected employee has performed. Any employees who join as web developers, the company allows them to use different software like XAMPP, Sublime Text Editor [As most of the time company use PHP & JavaScript for web development] but they are not allowed to use any Remote Access Tools and other software that does not align with job description. So, the company has provided the disk image for the suspected machine and has asked you to do Forensic analysis.

Let’s see what approach i will take if this case is assigned to me for investigation.

Initial Thoughts

So based on the case background we need to do the following things.

Check if the suspect has used any remote access tools

Check for the installations of the different software that does not align with the JD


  1. First thing first we will do triage image using the tool of your choice, here I am using KAPE.
  2. For Remote Access Tools execution we will check Prefetch files, Amcache, & Event Logs.
  3. For Installations of different software we will look into the Events Logs.

Triage Part:

Let’s start with KAPE Triage. First mount the drive using arsenal image mounter. we will utilize KAPE CLI for acquisition of Event Logs, MFT, USNJrnl, Amcache, Prefetch.

kape.exe --tsource “D:” --tdest “C:\Collection\Target” --target EventLogs,EvidenceOfExecution,FileSystem
Kape Collection

Let’s check collected data

Now let’s parse acquired data using KAPE. (eric zimmerman tools)

kape.exe --msource "C:\Collection\Target" --mdest "C:\Collection\Module" --module MFTECmd,AmcacheParser,EvtxECmd,PECmd


So based on case background we need to look for remote access tools so we can search for tools like Anydesk, Teamviewer, Getscreen.me, screenconnect, UltraVNC, AnyViewer.

We can start with prefetchfile analysis. One can ask why prefetch-file first ? so simple answer is.

Prefetch doesn’t exist unless something has run at least once

  1. So let’s open Parsed prefetch file output using Timeline Explorer.
  2. In Executable Name field let’s search for different remote access tools.

Here we go 😎 we found ANYDESK.EXE entry in prefetch entries.

Exercise For You

Since we found instances of remote access tool (Anydesk) we can check other artifacts like Amcache & Eventlogs to make Timeline of events.

Same way we can check Eventlogs to answer is there any software was installed by suspect or not.

You can share your writeups, thoughts related to this “DFIR Zero To Hero series” over email (upadhyayraj007@gmail.com).



Pursuing M. Tech. in Cyber Security and Incident Response. #LoveToPlayCTF #infosec #cybersecurity

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Raj Upadhyay

Pursuing M. Tech. in Cyber Security and Incident Response. #LoveToPlayCTF #infosec #cybersecurity