Part one
Alternatively: starting sector = total sector count - sector count of the second partition
83,886,080 - 81,786,880 = 2,099,200
netstat -anp
Check the open ports: SSH is on 7001; connect to it through the network emulation.
32000
As can be seen in the figure, there are 3
Start the docker service, view the docker logs
The earliest record
192.168.99.222
Continue to enter docker to view the configuration
https://www.runoob.com/docker/docker-exec-command.html
192.168.1.176
Still using the local SSH connection to the target machine, enter the docker container and retrieve the logs
docker logs 08 2>&1 | grep 192.168.99.222
Counted 18
Part two
liwente1314520
honglian7001
2020-09-22 11:04:32
Emulate the image and load it into Forensic Master
It feels a bit slow to calculate with Forensic Master
[2021-10-13 18:58]
Name: C:\Users\AEQAQ\Desktop\2020长安杯取证题目\cowtransfer-file-d3c00cfb-3c7b-4fbb-a0df-08d120098117%2Fchangancup2020检材2.E01
Device type: Disk image; Size: 60.00 GB
Sector count: 125,831,168 (calculated sector count: 125831168); Starting sector: 0; Ending sector: 125831167; Device serial number: (empty)
SHA-256 value: 2D926D5E1CFE27553AE59B6152E038560D64E7837ECCAD30F2FBAD5052FABF37
https://jingyan.baidu.com/article/11c17a2c4bdd46b547e39d18.html
Forensic Master can directly view it
The earliest, 2020-09-18 17:54:58
There are 6 records after it, so the answer is 6 times
Found the IP address of the server just now
8091
Just turned off the virtual machine of the server…
Check netstat to see
www.sdhj.com
Oh no, he doesn’t have WeChat installed on his computer, but he saw this
Load it into FireEye for analysis; it is an iOS device
Everyone can guess Telegram blind, dealing with hc
Dogecoin
In the above figure
DPBEgbwap7VW5HbNdGi9TyKJbqTLWYYkvf
https://github.com/axcheron/pyvmx-cracker
First export the virtual machine, then brute-force the VMX password locally
Export the email attachment and compute its SHA-256
cc7ea3ab90ab6b28417e08c715c243ce58ea76d71fd141b93f055a58e9ba561a
Xshell6
Xshell decryption tool: https://github.com/dzxs/Xdecrypt
1. Obtain the SID
S-1-5-21-333529371-829162338-69828790-1001
2. Find the Xshell session file: C:\Users\hl\Documents\NetSarang Computer\6\Xshell\Sessions\192.168.99.3.xsh
kRUdH8kWXkCNsoX/rbKyZYNZVbZjflCUXXqSq3vZFg+i43BdA4S1650XfUA=
Decrypt the password:
python .\Xdecrypt.py -s hlS-1-5-21-333529371-829162338-69828790-1001 -p "kRUdH8kWXkCNsoX/rbKyZYNZVbZjflCUXXqSq3vZFg+i43BdA4S1650XfUA="
qwer1234!@#$