Final Boss II - Forensic Analysis and Reverse Engineering

Difficulty

  • intermediate

Average duration

2 hrs

Technologies

  • windows

  • engineering-reverse

  • base64

  • cybersecurity

  • forensics

  • incident response

  • A02:2021 - Cryptographic Failures

  • A05:2021 - Security Misconfiguration

In this lab, you will face a realistic attack scenario that combines post-incident forensic analysis and basic reverse engineering. A prestigious artificial intelligence company suffered a remote intrusion outside working hours, and you have been assigned as the analyst responsible for reconstructing the events and discovering what the attacker left behind.

In this lab you will learn:

  • Forensic analysis based on files collected from a compromised system
  • Interpretation of Windows event logs
  • Basic reversing of malicious binaries
  • Decoding and unlocking encrypted evidence

🌱 How to Start This Lab

👉 This challenge is solved inside a preconfigured virtual machine for forensic analysis. You do not need to access the compromised machine or use any dangerous external tools: you will analyze files already collected by an incident response team.

  1. If you don't have the virtual machine yet, download it from this link:
     https://storage.googleapis.com/cybersecurity-machines/metadata-investigation-lab.ova
  2. Import the virtual machine into VirtualBox.
  3. Start the VM and log in as user analyst:4geeks-lab.
  4. The case files are located at:
     /home/analyst/Documents/incident_dump/

📄 Instructions

During the early hours of June 12, 2025, the backup server of Quantum Forge Inc., an artificial intelligence startup, was accessed remotely by a user who should not have logged in at that time: svc-backup.

After reviewing the logs, the team detected that an external binary was downloaded and executed, and a password-protected compressed file appeared.

The cybersecurity team performed a controlled extraction of evidence from the compromised server (Windows Server) and provided you with the key information so you can perform a complete analysis in this secure lab machine (Linux).

Your Mission

  1. Among the files provided, there is one that contains traces of suspicious activity... a sort of diary of what happened. If you mentally arrange the events, you will understand how it all began.

  2. You will find references to processes launched by automated commands, even to software downloaded from the internet. It may not be a coincidence that a binary is also included among the files provided.

  3. Exploring the executable changepass.exe could give you more than one clue. If you see a strange string with unreadable characters or with = at the end... it’s worth checking if it hides something.

  4. Among the files provided, there is one that seems to be protected. What do you think you could use to open it?

  5. If you succeed, inside you will find something that many seek and few find.
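Hint 3 describes a static, read-only technique: pull the printable strings out of a binary (what the `strings` tool does) and try to decode any that look like base64, especially ones padded with `=`. The script below is an added example written for this page, not part of the lab's solution files. The byte blob is a constructed stand-in for changepass.exe and the encoded text inside it is a made-up sample; the function names are the example's own.

```python
import base64
import re

# Constructed stand-in for the bytes of an executable (NOT the lab's changepass.exe):
# a DOS-stub-like header, some import names, binary junk, and one base64 blob.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"This program cannot be run in DOS mode.\r\n$\x00\x00\x00"
    b"kernel32.dll\x00GetProcAddress\x00"
    + base64.b64encode(b"constructed-sample-secret")  # Y29uc3RydWN0ZWQtc2FtcGxlLXNlY3JldA==
    + b"\x00\x00\x7f\x01\x02"
    + b"CHANGE_PASSWORD\x00"
)

# Strings that consist only of the base64 alphabet, with optional '=' padding.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Return runs of printable ASCII of at least min_len bytes, like `strings`."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def decode_candidates(strs: list[str]) -> list[tuple[str, str]]:
    """Keep strings that are valid base64 AND decode to printable text.

    Both checks matter: many ordinary identifiers are made of base64 characters,
    and random bytes can decode 'successfully' to garbage. Requiring a printable
    result removes most of those false positives.
    """
    hits = []
    for s in strs:
        if not B64_RE.match(s) or len(s) % 4:
            continue
        try:
            raw = base64.b64decode(s, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if raw and all(0x20 <= b < 0x7F for b in raw):
            hits.append((s, raw.decode("ascii")))
    return hits


def find_encoded_strings(data: bytes) -> list[tuple[str, str]]:
    """Full pipeline: strings -> base64 filter -> decoded (encoded, plaintext) pairs."""
    return decode_candidates(extract_strings(data))


def scan_file(path: str) -> list[tuple[str, str]]:
    """Read a binary from disk and scan it. The file is only read, never executed."""
    with open(path, "rb") as fh:
        return find_encoded_strings(fh.read())


if __name__ == "__main__":
    for encoded, plain in find_encoded_strings(SAMPLE_BINARY):
        print(f"{encoded}  ->  {plain!r}")
```

To use it on the real evidence, call `scan_file("/home/analyst/Documents/incident_dump/changepass.exe")` (path assumed from the lab's case-file directory). The script only reads bytes, which keeps it within the "post-mortem, reading tools only" rule; the shell equivalent for a quick look is `strings changepass.exe | grep '=$'` followed by `base64 -d` on anything interesting.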

💡 Tips

  • Logs don't lie. Carefully observe the event types and the chronological order.
  • Do not run anything. The analysis is post-mortem. Use only reading tools.
  • Not everything suspicious screams “malware.” Sometimes, a common process at an unusual time says it all.
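The first and third tips boil down to one routine task: put the exported events in chronological order, then look at who did what and when. The script below is an added example (not the lab's material) that does this over a constructed CSV export of Windows Security-log events. The event IDs (4624 logon, 4625 failed logon, 4672 special privileges, 4688 process creation) are the standard Windows ones; the rows, the user `jdoe`, the file paths and the 08:00-20:00 working window are constructed assumptions. Only the account name `svc-backup` comes from the brief.

```python
import csv
import io
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample export (the shape Event Viewer / evtx-to-CSV tools produce);
# NOT the lab's real incident_dump files. Rows are deliberately out of order.
SAMPLE_CSV = """\
TimeCreated,EventID,Account,Detail
2025-06-12 03:17:05,4688,svc-backup,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
2025-06-11 18:02:44,4624,jdoe,LogonType=2
2025-06-12 03:14:51,4624,svc-backup,LogonType=10
2025-06-12 03:19:30,4688,svc-backup,C:\\Users\\svc-backup\\Downloads\\sample_tool.exe
2025-06-12 03:15:02,4672,svc-backup,SeBackupPrivilege
2025-06-11 17:55:10,4688,jdoe,C:\\Windows\\explorer.exe
"""

# Standard Windows Security-log event IDs. LogonType=10 in a 4624 event means
# RemoteInteractive (RDP); LogonType=2 is a local interactive logon.
EVENT_NAMES = {
    4624: "successful logon",
    4625: "failed logon",
    4672: "special privileges assigned to new logon",
    4688: "new process created",
}


@dataclass(frozen=True)
class Event:
    when: datetime
    event_id: int
    account: str
    detail: str


def parse_events(csv_text: str) -> list[Event]:
    """Parse the export and return events oldest-first.

    Exports are often newest-first or grouped by channel, so sorting is the
    first step of reconstructing what happened."""
    reader = csv.DictReader(io.StringIO(csv_text))
    events = [
        Event(
            when=datetime.strptime(row["TimeCreated"], "%Y-%m-%d %H:%M:%S"),
            event_id=int(row["EventID"]),
            account=row["Account"],
            detail=row["Detail"],
        )
        for row in reader
    ]
    return sorted(events, key=lambda e: e.when)


def is_off_hours(when: datetime, start: time = time(8, 0), end: time = time(20, 0)) -> bool:
    """True when the timestamp falls outside the assumed working window."""
    return not (start <= when.time() < end)


def suspicious_events(events: list[Event], watch_accounts=frozenset({"svc-backup"})) -> list[Event]:
    """Activity by a watched account (e.g. a service account) outside working hours.

    None of these events is malicious on its own; it is the combination of
    an ordinary account, an ordinary process and an unusual time that matters."""
    return [e for e in events if e.account in watch_accounts and is_off_hours(e.when)]


def describe(e: Event) -> str:
    name = EVENT_NAMES.get(e.event_id, "unknown event")
    return f"{e.when:%Y-%m-%d %H:%M:%S}  {e.event_id} ({name})  {e.account}  {e.detail}"


if __name__ == "__main__":
    timeline = parse_events(SAMPLE_CSV)
    flagged = set(suspicious_events(timeline))
    print("Reconstructed timeline ('!!' = watched account, off hours):")
    for e in timeline:
        print("!!" if e in flagged else "  ", describe(e))
```

Once sorted, the constructed rows read as a story: an RDP logon by the service account at 03:14, backup privileges granted seconds later, then PowerShell and a binary from the Downloads folder. On the real case files, replace `SAMPLE_CSV` with the exported log text and adjust the column names to whatever the incident response team's export uses.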

When you find the flag, you will have completed one of the most realistic challenges in the lab.

Good luck, Forensic Analyst!
