NETWORKING
MATH
RECONSTRUCTION
USER ACTIVITY
RANDOM SURPRISE
100
There is some VNC connectivity in this packet capture. Geographically, where is the user located?
The default port for VNC is 5901. If we filter for that port, we can find IP address 122.198.15.23 as the source. A whois lookup shows that this IP address belongs to a company in Beijing.
100
What is 11010011 in decimal numbers?
211
100
The file 'missing file extension' has lost its extension, so Windows does not know what to do with it. Fix the extension so it will work again.
Look in hex at the first few bytes, and you will see they are FF D8 FF E0, which is the header for .jpg files. Change the extension to .jpg and Windows will be able to open the file.
100
Which of the files in the C:\MyDocs\Stuff directory did the user not preview?
Cheshire-cat-5.jpg is not in the thumbs.db, so it was not previewed in Thumbnails view.
100
Which in this list is the odd one out?

Platter
Surface
Track
Cluster
Sector
Cylinder
Cluster. All the others are 'parts' of a hard disk, while a cluster is created by the operating system.
200
Spanning Tree Protocol is a protocol used by switches to determine which path is the fastest for a packet to get to its destination. If you know that for this protocol, a switch and a bridge are the same thing, what is the MAC address of the switch that is sending out this type of packet?
00-19-69-ac-bc-00
200
What is 3794812675 in binary?
Convert manually or use only commonly available Windows tools!
11100010001100000011111100000011
200
The image named 'corrupt image.jpg' can’t be opened anymore by Windows because it is damaged or corrupt. Fix it.
In your hex editor, in the first few bytes, replace DB with D8 to correct the .jpg header.
200
Here’s an INFO2 file from a recycle bin. When were the files in this recycle bin deleted?
09/05/2006 at 17:36
200
I received this email a while ago. Is it real?
1. I doubt a large company like Blizzard would use Outlook Express

X-Mailer: Microsoft Outlook Express 6.00.2900.5512

2. The link looks quite strange

http://us.battle.net.blizzard-password-us-eu.net/account/login.html?ref=https://www.worldofwarcraft.com/account/&app=wam&rhtml=true

3. The sender is in Istanbul. Blizzard is an American company.
300
A host with MAC address 00 80 2d 29 f2 04 is sending out quite a few ARP requests. Why do we not see any ARP replies?
ARP requests are broadcast to all hosts on the network. The ARP reply is only sent to the requester. If the PC that captured this network traffic is not the requester, it will not see the replies.
300
What is the physical size of a file of 3054 bytes (logical size) if we put it on a hard disk of 750 MB with a default NTFS formatted volume?
3072 bytes
300
Which USB device was last mapped to drive letter E:\ ?
Kingston DataTraveler 400 with serial number 0018F30CA1B6SK870E0500F9&0
300
When was Internet Explorer used for the last time, and how many times has it been used in total?
Look at prefetch data to find this one. 02/12/2010 15:39 was the last used time, and it was used 14 times in total.
300
When was the last time someone logged into Windows on this system?
2/12/2010 15:20
400
This capture contains telnet traffic. Is it ‘normal’ telnet traffic?
The use of usernames/passwords such as ‘leet’ and ‘haxor’ is usually not ‘normal’.
400
If we have a file of 3054 bytes logical size on a hard disk of 750 MB with a default NTFS formatted volume, thus 3072 bytes physical size, and we move it to a hard disk of 1 TB with a default NTFS formatted volume, what will its physical size be?
4096 bytes
400
On the front page of the website of De Tijd on 01/12/2010 there was a picture of someone shopping in a Carrefour store. Which fruit is he buying?
Bananas
400
Which was the last file this user has opened? Don’t look at the usual MAC times as they may have been tampered with.
In the Recent folder, the last opened file is C:\MyDocs\Stuff\Cheshire-cat-5.jpg
400
Where was this picture taken?
Extract the EXIF information, which contains GPS coordinates. Put them in the correct format so that Google Maps can read them, and you will end up in Kanagawa, Japan.