I scored about 70 points and didn't win any award; for some well-known reasons the review interval was too long, and I no longer have much impression of it.
In September 2023, the command center of a public security organ received a report from a victim: he had added a woman named 'Zhou Wei' through an instant messaging tool, got along well with her, and established an online romantic relationship. Later he was invited to a nude video chat. Once the victim was hooked, 'Zhou Wei' and the victim engaged in the nude chat, and the entire process was recorded by the fraud gang. At the same time, Zhou Qian used the excuse that live streaming would 'increase her followers' to guide the victim into downloading a Trojan APP she had prepared in advance. After the victim installed the APP, the suspects used the recorded video and the victim's contact list to threaten him and carry out the fraud.
After receiving the report, the public security organs obtained a segment of traffic packets through technical means, and through investigation and analysis located the business den of the fraud gang. It is understood that gang members contacted ETH merchants through Telegram to receive coins; both parties agreed the transaction time and amount online (the transaction amount was 3 million RMB), and the seller first transferred 0.5 ETH to the buyer's wallet. After the two parties met, they agreed to settle in two installments: the first worth 1 million RMB and the second worth 2 million RMB. The first 1 million RMB worth of coins was transferred from the seller's address to the intermediary address (controlled by the intermediary) and then on to the receiving address provided by the buyer. After the buyer received the coins, he gave the seller 1 million in cash to count, and the first transaction was complete. When the criminals started the second transaction, they were intercepted on the spot by the police; the relevant suspects were arrested, and 1 Android phone, 1 laptop and 2 evidence servers were seized.
Object | Material type | Material name
Suspect | Computer | Computer mirror.7z
Suspect | Mobile phone | Mobile phone mirror.7z
Retrieved data | Server 1 | Server mirror 1.7z
Retrieved data | Server 2 | Server mirror 2.7z
Company | Traffic package | Traffic package.7z
1. Please analyze the device identifier of the involved phone: _________. (Standard format: 12345678)
85069625
2. Please confirm the time the suspect first installed the target APP: _________. (Standard format: 2023-09-13.11:32:23)
2022-11-16.19:11:26
The app is Sweetheart Chat.apk
Installation time 2022-11-16.19:11:26; note the required format
3. This phone has connected to ________ Wi-Fi networks. (Standard format: 1)
6
4. There are a total of _______ unread SMS in the suspect's phone SMS records. (Standard format: 12)
17
The SMS database mmssms.db is located at /data/data/com.android.providers.telephony/databases/; in its sms table, read=0 marks a message as unread (type=1 marks inbox messages, so sent messages and drafts can be excluded when counting).
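The query behind question 4, as an added example (not part of the original writeup or the competition material): the script builds a constructed mmssms.db with the same columns as the real sms table, opens it read-only the way you would open an evidence copy, and reports the unread count both as a blind read=0 count and restricted to inbox messages, so the difference is visible when the two disagree.

```python
"""Count unread SMS in an Android mmssms.db.

Added example for this writeup, not part of the competition material: the
database is constructed in a temp directory with the same columns the real
/data/data/com.android.providers.telephony/databases/mmssms.db sms table has.
"""
import os
import sqlite3
import tempfile

# Relevant columns of the real sms table.  type uses the Telephony.Sms
# MESSAGE_TYPE_* constants (1 = inbox, 2 = sent, 3 = draft); read is 0/1.
SCHEMA = """
CREATE TABLE sms (
    _id       INTEGER PRIMARY KEY,
    thread_id INTEGER,
    address   TEXT,
    date      INTEGER,
    read      INTEGER DEFAULT 0,
    type      INTEGER,
    body      TEXT
);
"""

# Constructed rows: three unread inbox messages, one read inbox message and
# one sent message that also carries read=0.
SAMPLE_ROWS = [
    (1, 1, "+8613800000001", 1663300000000, 0, 1, "Your verification code is 1234"),
    (2, 1, "+8613800000001", 1663300100000, 1, 1, "Call me back"),
    (3, 2, "10086",          1663300200000, 0, 1, "Balance reminder"),
    (4, 3, "+8613900000002", 1663300300000, 0, 1, "Download the app here"),
    (5, 3, "+8613900000002", 1663300400000, 0, 2, "ok"),
]


def build_sample_db(path: str) -> None:
    """Write the constructed mmssms.db to `path`."""
    con = sqlite3.connect(path)
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO sms VALUES (?, ?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    con.commit()
    con.close()


def open_readonly(path: str) -> sqlite3.Connection:
    """Open an evidence database read-only so the forensic copy is not modified."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def unread_counts(db_path: str) -> dict:
    """Return unread totals two ways: every row with read=0, and inbox only.

    The inbox-only figure is what a phone's unread badge would show; the raw
    figure is what a blind `SELECT COUNT(*) ... WHERE read=0` gives.
    """
    con = open_readonly(db_path)
    try:
        (raw,) = con.execute("SELECT COUNT(*) FROM sms WHERE read = 0").fetchone()
        (inbox,) = con.execute(
            "SELECT COUNT(*) FROM sms WHERE read = 0 AND type = 1").fetchone()
        senders = con.execute(
            "SELECT address, COUNT(*) FROM sms WHERE read = 0 AND type = 1 "
            "GROUP BY address ORDER BY 2 DESC, address").fetchall()
    finally:
        con.close()
    return {"unread_all": raw, "unread_inbox": inbox, "unread_by_sender": senders}


def demo() -> dict:
    """Build the constructed database in a temp dir and query it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "mmssms.db")
        build_sample_db(path)
        return unread_counts(path)


if __name__ == "__main__":
    print(demo())
```

Point `unread_counts()` at the mmssms.db exported from the image; if the two counts differ, check which one the forensic tool reported before copying its number into the answer sheet.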
5. The URL from which the suspect's phone downloaded the poster background image is _________. (Standard format: http://www.baidu.com/admin/index.html)
http://m.ziyuanhu.com/pics/1725.html
The downloaded image is a car key
The URL for downloading the poster background image is this one
6. Please analyze the promotion ID on the involved poster: _________. (Standard format: 123456)
114092
7. The suspect promotes the APP through group SMS, how many of the recipient numbers are invalid? (Standard format: 12)
1
Only this one
8. Through analysis, the suspect’s WeChat account is _________. (Standard format: Lx20230916)
Gq20221101
9. Please verify the package name of the 'voice changer' APK used by the suspect: _________. (Standard format: com.baidu.com)
com.chuci.voice
Magic voice changer: com.chuci.voice
10. The APP ID registered by the business contact is _________. (Standard format: 12345678)
36991915
11. The suspect was in the city of _______ in November 2022. (Standard format: Chengdu)
Suzhou
12. The suspect purchased _______ QQ numbers. (Standard format: 1)
8
1. Analyze the phone image and export the involved APK; the MD5 value of this APK is ________. (Standard format: abc123)
d56e1574c1e48375256510c58c2e92e5
2. Analyze this APK: what is its package name? ________. (Standard format: com.qqj.123)
lx.tiantian.com
The package name of Sweetheart Secret Chat is lx.tiantian.com
3. Analyze this APK, what is the internal version number of the APP ________. (Standard format: 1.1)
1.0
Locate the APK by its package name
Analyze it on the Guagua platform
4. Analyze this APK: what is the highest Android version it supports? _______. (Standard format: 11)
12
Read targetSdkVersion from the manifest and map the API level to the Android release (API level 31 corresponds to Android 12); reference: Do you really understand the Android targetSdkVersion, from the lowest 4.3 to the highest 12? – CSDN Blog
5. Analyze this APK: what is the entry point of the APP (its main activity)? _______. (Standard format: com.qqj.123.MainActivity)
lx.tiantian.com.activity.MainActivity
6. Analyze this APK: what is the name of the permission used to steal SMS? ________. (Standard format: android.permission.NETWORK)
android.permission.READ_SMS
7. The APP uses an OPPO appkey; its value is ________. (Standard format: AB-12345678)
OP-264m10v633PC8ws8cwOOc4c0w
8. Analyze the APK source code: the back-end address of this APK is ________. (Standard format: com.qqj.123)
http://app.goyasha.com/
Found in the main activity
9. Analyze the APK source code: the salt value for the back-end login is _______. (Standard format: 123abc=%$&)
73g=s%!lvi8h=i7a4ge*o3s@h2n^5_yk=-y#@p6)feidfjol8@
10. Analyze the APK source code: the login password for the APK's back-end is ________. (Standard format: longxin123)
lxtiantiancom
11. Analyze the APP installation package: the verification value of the APP packaging platform is ________. (Standard format: HER45678)
H5D9D11EA
12. The IP address that the accessible website's domain resolves to, obtained by capturing the APK's traffic, is _______. (Standard format: 192.168.1.1)
192.168.5.80
13. Analyze the APK source code: the key value of the APK's encryption method is _______. (Standard format: 12345678)
ade4b1f8a9e6b666
Search for 'encrypt' to find the encryption function
14. Combined with the computer image, do a comprehensive analysis: the landline number of the APK developer's company is __. (Standard format: 4001122334)
4008522366
The APK was made by Longxin, so this should be their company's internal phone number
1. Analyze the PC image: the login password of the involved computer is _______. (Standard format: 123456)
Longxin360004
With an Internet connection, Honglian can recover it directly
Conventional solution
2. The last normal shutdown time of the involved computer was _______. (Standard format: 2023-1-11.11:11:11)
2023-09-16.18:20:34
3. Analyze the involved computer: the total powered-on time of this computer on November 4, 2022 was _______. (Standard format: 1 hour 1 minute 1 second)
13 hours 41 minutes 16 seconds
Sum of the sessions that day: 09:42:52 + 01:27:01 + 01:04:27 + 01:26:39 + 00:00:17
4. Analyze the PC image: confirm whether WeChat is an auto-start program at boot. (Standard format: Yes/No)
Yes
5. There is an encrypted partition on the evidence hard drive; please provide the decrypted content of the 'My Secret.jpg' file. (Standard format: Longxin0924)
Mimi1234
6. Following the previous question, what is the suspect's salary for October: _______ yuan. (Standard format: 123)
19821
This question was asked during the defense and left a deep impression. The answer to the previous question was the password to unzip the file. After unzipping there are two salary slips, one encrypted and one not. In the exam I added the two salary figures together; emm, later the defense teacher told me this is like a yin-yang contract, and the encrypted one is the real one. Emm, it makes sense.
7. Analyze the PC image, the QQ email has been used in the browser, what is the password of this email? _______. (Standard format: Longxin0924)
Longxin@2023
8. Combined with the phone image analysis, a promotion ID is obtained; find this poster in the evidence here and write down its path. (Standard format: D:\XX\1.txt)
C:\Program Files (x86)\Tencent\WeChat\2.png
Look at the recently accessed files
blmm.TXT holds the BitLocker password
The mmm.txt file mentioned above records the paths of two posters
Poster path: C:\Users\Public\Documents\1221
Poster path: C:\Program Files (x86)\Tencent\WeChat
C:\Users\Public\Documents\1221\1.png
C:\Program Files (x86)\Tencent\WeChat\2.png
The two pictures cannot be told apart from this alone; see the next question. Question 10 needs the bank card number found from the picture, and the hex data appended at the end of 2.png contains the bank card number.
9. Find the suspect's total income in 2022: _______. (Standard format: 123)
205673
There is a container on drive E and TrueCrypt on the desktop, but the key is missing. There is a file named '2022 total income' in the recycle bin whose original path is on drive M, so the container should be the volume mounted as M.
I didn't expect the key to be a file, 2.png; emm, what a brain teaser. This question also serves as a hint for the previous one.
Following this line of thought, the recycle bin files were successfully recovered; calculate the sum.
10. Analyze this poster and find the suspect's bank card number. (Standard format: 62225123456321654)
6320005020052013476
The 111.npbk on drive M is a backup of the Nox (Night Elf) emulator. Just open a new emulator and import the backup, and you can go offline.
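The "data at the end of 2.png" trick from questions 8 and 10, as an added example (not from the original writeup): a PNG viewer stops at the IEND chunk, so anything appended after it is invisible in the picture but plain in a hex editor. The script builds a constructed 1x1 PNG with a fake trailer (the card number is the Visa test number 4111111111111111, not the suspect's), walks the chunk list with CRC checks, returns whatever follows IEND, and filters digit runs through the Luhn check that bank card numbers satisfy.

```python
"""Find data appended after a PNG's IEND chunk and pull bank-card-like numbers from it.

Added example for this writeup.  The PNG below is constructed (1x1 grayscale)
with a fake trailer; it is not the evidence file 2.png, and the card number is
the Visa test number 4111111111111111, not the suspect's.
"""
import re
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """length + type + data + CRC32(type + data), as the PNG spec lays it out."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_sample_png(trailer: bytes) -> bytes:
    """Minimal valid PNG followed by `trailer` bytes (constructed sample)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1, 8-bit grayscale
    idat = zlib.compress(b"\x00\x00")                     # filter byte + one pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
            + _chunk(b"IEND", b"") + trailer)


def trailing_data(png: bytes) -> bytes:
    """Walk the chunk list, verifying each CRC, and return whatever follows IEND.

    Raises ValueError for a non-PNG, a truncated chunk or a bad CRC, so a
    damaged file is reported rather than silently yielding garbage.
    """
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(png):                 # 12 = smallest chunk (IEND)
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        end = pos + 12 + length
        if end > len(png):
            raise ValueError(f"truncated {ctype!r} chunk")
        (crc,) = struct.unpack(">I", png[end - 4:end])
        if crc != zlib.crc32(png[pos + 4:end - 4]) & 0xFFFFFFFF:
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        pos = end
        if ctype == b"IEND":
            return png[pos:]
    raise ValueError("no IEND chunk found")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test used by bank card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                          # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def card_candidates(data: bytes):
    """16- to 19-digit runs in the trailer that pass Luhn, decoded as text."""
    return [run.decode() for run in re.findall(rb"\d{16,19}", data)
            if luhn_ok(run.decode())]


# Constructed trailer: one valid and one Luhn-invalid number.
SAMPLE_TRAILER = b"\x00\x00card:4111111111111111 other:4111111111111112\n"

if __name__ == "__main__":
    png = build_sample_png(SAMPLE_TRAILER)
    extra = trailing_data(png)
    print(len(extra), "trailing bytes:", extra)
    print("card candidates:", card_candidates(extra))
```

Run `trailing_data()` over every image exported from the evidence, not only the one the notes point at; the same appended-after-IEND pattern is how the TrueCrypt keyfile in question 9 can hide inside an ordinary-looking picture.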
1. Analyze the involved computer and correctly fill in the current type of token at the intermediary address. (Standard format: BNB)
ETH
2. Analyze the involved computer and correctly fill in the current token balance of the intermediary address. (Standard format: 1.23)
4.4981
3. Find the buyer’s address by analyzing the transfer records of the intermediary address. Buyer’s address: _____ (standard format: 0x123ABC)
0x63AA203086938f82380A6A3521cCBf9c56d111eA
Re-read the case description
Members of the gang contacted ETH merchants through Telegram to collect coins, and both parties determined the transaction time and amount online (the transaction amount was 3 million RMB); the seller transferred 0.5 ETH to the buyer's wallet first. After the two parties met, they agreed to complete the transaction in two installments, the first worth 1 million RMB and the second worth 2 million RMB. The first 1 million RMB worth of coins was transferred from the seller's address to the intermediary's address (controlled by the intermediary), and then from the intermediary's address to the buyer's designated receiving address. After receiving the coins, the buyer gave the seller 1 million RMB in cash to be counted, and the first transaction was completed. When the criminals began the second transaction, they were intercepted by the police on the spot.
The 0.5 ETH was sent directly to the buyer, so the buyer's address is that receiving address
4. According to the transfer record of the intermediary address, count the transfer amount of the buyer’s address. Transfer amount: ______ ETH. (Standard format: 12.3)
150.5
5. When creating a wallet, the APP always suggests backing up the mnemonic, which makes it convenient to recover the wallet if the password is forgotten later. During an investigation we often obtain the suspect's backup mnemonic. Please judge which of the following three groups of mnemonics has the correct format ( )
A. raw sausage art hub inspire dizzy funny exile local middle shed primary
B. raw sausage art hub inspire dizzy funny middle shed primary
C. raw sausage art funny exile local middle shed primary
A
12 words. A BIP39 mnemonic has 12, 15, 18, 21 or 24 words; B has 10 and C has 9, so only A can be valid.
6. Assume the correct mnemonic from the previous question is the backup mnemonic of the suspect's wallet found through investigation (the address is known to be on the Ethereum chain). Please recover the suspect's wallet in the emulator through the imToken APP and select the correct wallet address ( )
A. 0xf0fF021880c4b1F79876E335c74d26DFa75DC9f9
B. 0x63AA203086938f82380A6A3521cCBf9c56d111eA
C. 0x0fd5F09C6Ba5Fd0aE6EbAFAF034913ACF7a0373A
B
Add a new wallet from the mnemonic in the previous question; the password can be anything
1. Analyze 'Packet1.cap': why can't the client access the server? ( )
A. DDoS Attack
B. DoS Attack
C. SQL Injection
D. Document Attack
B
10.5.0.19 repeatedly accessed 116.211.168.203: a single source flooding one server, so DoS rather than DDoS
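The DoS-versus-DDoS call above, as an added example (not from the original writeup): count bare SYNs per target and per source, flag targets above a threshold, and decide by how many distinct sources carry the flood. The packet records are constructed to mirror the pattern described (one client, 10.5.0.19, hammering 116.211.168.203) and a second constructed set shows the DDoS branch; they are not rows from Packet1.cap.

```python
"""Tell a single-source DoS from a DDoS by counting SYNs per (target, source).

Added example for this writeup; the packet records below are constructed, not
taken from Packet1.cap.  Equivalent rows from a real capture come from:
  tshark -r Packet1.cap -Y "tcp.flags.syn==1 && tcp.flags.ack==0" \
         -T fields -e ip.src -e ip.dst -e tcp.dstport
"""
from collections import Counter, defaultdict

# (src, dst, dport, tcp flags) tuples.  "S" = SYN only, "SA" = SYN-ACK.
SAMPLE_DOS = (
    [("10.5.0.19", "116.211.168.203", 80, "S")] * 500   # one client, one target
    + [("10.5.0.7", "116.211.168.203", 80, "S")] * 3    # normal visitor
    + [("116.211.168.203", "10.5.0.7", 80, "SA")] * 3   # server replies (ignored)
    + [("10.5.0.19", "120.210.129.29", 80, "S")] * 2    # same client, another server
)

# Constructed DDoS-shaped traffic: 50 distinct sources sending 20 SYNs each.
SAMPLE_DDOS = [
    (f"10.9.{i // 256}.{i % 256}", "116.211.168.203", 80, "S")
    for i in range(50) for _ in range(20)
]


def syn_counts(packets):
    """dst -> Counter(src -> number of bare SYNs it sent to dst)."""
    per_target = defaultdict(Counter)
    for src, dst, _dport, flags in packets:
        if "S" in flags and "A" not in flags:      # SYN without ACK: a new attempt
            per_target[dst][src] += 1
    return per_target


def classify(packets, syn_threshold=100, ddos_min_sources=10, share_pct=1.0):
    """Flag targets receiving more than `syn_threshold` SYNs.

    A source 'contributes' if it sent at least `share_pct` percent of the
    SYNs to that target.  Many contributing sources -> DDoS; one or a few -> DoS.
    Returns {dst: (verdict, [contributing sources, heaviest first])}.
    """
    verdicts = {}
    for dst, by_src in syn_counts(packets).items():
        total = sum(by_src.values())
        if total <= syn_threshold:
            continue
        contributors = [src for src, n in by_src.most_common()
                        if n * 100.0 >= share_pct * total]
        verdict = "DDoS" if len(contributors) >= ddos_min_sources else "DoS"
        verdicts[dst] = (verdict, contributors)
    return verdicts


if __name__ == "__main__":
    print(classify(SAMPLE_DOS))
    print({k: v[0] for k, v in classify(SAMPLE_DDOS).items()})
```

The thresholds are tuning knobs, not facts about the capture; on a real pcap also check whether the server ever answers with SYN-ACK, since a target that stops replying is the symptom the question describes.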
2. Analyze ‘Packet1.cap’, the IP address of the server with the issue is _______. (Format: 127.0.0.1)
116.211.168.203
3. Analyze ‘Packet1.cap’, the IP address of the file distribution server is _______. (Standard format: 127.0.0.1)
120.210.129.29
Not very good at traffic analysis
4. Analyze 'Packet1.cap': the attacker uses the ________ vulnerability for remote code execution. (Standard format: XXX)
struts2
Not very good at traffic analysis
5. Analyze 'Packet1.cap', extract the malicious file and verify it; the MD5 value of the file is ________. (Standard format: abcd)
87540c645d003e6eebf1102e6f904197
Not very good at traffic analysis
6. Analyze 'Packet2.cap': the path from which the file is obtained is ________. (Standard format: D:/X/X/1.txt)
C:/Users/Administrator/Downloads/NewFolder/NewFolder/mail.png
Export the HTTP objects, determine the file location, and follow the HTTP stream
7. Analyze 'Packet2.cap': the authentication account password of the file download server is ________. (Standard format: 123)
passwd
Authorization is the HTTP request header used to carry authentication credentials. Basic is the basic authentication scheme. YWRtaW46cGFzc3dk is the Base64 encoding of username:password, here admin:passwd.
8. Analyze 'Packet2.cap': the size of the downloaded file is ________ bytes. (Standard format: 123)
211625
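Questions 7 and 8 worked on a followed HTTP stream, as an added example (not from the original writeup): split the stream into request/response messages, decode the Basic credentials from the Authorization header, and compare the declared Content-Length of the response with the bytes actually captured, which is how a truncated download shows up. SAMPLE_STREAM is constructed (host and path are placeholders); only the Authorization value is the one the writeup quotes.

```python
"""Pull the Basic-auth credentials and the served file size out of a
followed HTTP stream.

Added example for this writeup.  SAMPLE_STREAM is a constructed request/response
pair (host and path are placeholders), not the content of Packet2.cap; the
Authorization value is the one the writeup quotes.
"""
import base64
import re

SAMPLE_STREAM = (
    b"GET /NewFolder/mail.png HTTP/1.1\r\n"
    b"Host: files.example\r\n"
    b"Authorization: Basic YWRtaW46cGFzc3dk\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"\r\n"
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: image/png\r\n"
    b"Content-Length: 20\r\n"
    b"\r\n"
    + b"\x89PNG\r\n\x1a\n" + b"\x00" * 12          # 20 bytes of (fake) body
)


def split_messages(stream: bytes):
    """Split a TCP stream dump into (start_line, headers, body) tuples.

    Bodies are delimited by Content-Length only; chunked encoding is not
    handled here, and a truncated capture shows up as a short body.
    """
    messages, pos = [], 0
    while True:
        end = stream.find(b"\r\n\r\n", pos)
        if end < 0:
            break
        head = stream[pos:end].decode("iso-8859-1").split("\r\n")
        start_line, headers = head[0], {}
        for line in head[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        body_start = end + 4
        length = int(headers.get("content-length", "0"))
        body = stream[body_start:body_start + length]
        messages.append((start_line, headers, body))
        pos = body_start + length
    return messages


def decode_basic_auth(headers: dict):
    """Return (user, password) from an 'Authorization: Basic ...' header, else None."""
    m = re.match(r"Basic\s+([A-Za-z0-9+/=]+)", headers.get("authorization", ""))
    if not m:
        return None
    user, _, password = base64.b64decode(m.group(1)).decode("utf-8").partition(":")
    return user, password


def downloaded_file_size(messages):
    """Declared vs. actually captured size of the first 2xx response body."""
    for start_line, headers, body in messages:
        if start_line.startswith("HTTP/") and start_line.split()[1].startswith("2"):
            declared = int(headers.get("content-length", len(body)))
            return {"declared": declared, "captured": len(body),
                    "complete": declared == len(body)}
    return None


def analyze(stream: bytes) -> dict:
    """Credentials from the first authenticated request plus the file size."""
    msgs = split_messages(stream)
    creds = None
    for _start, headers, _body in msgs:
        creds = decode_basic_auth(headers)
        if creds:
            break
    return {"credentials": creds, "file": downloaded_file_size(msgs)}


if __name__ == "__main__":
    print(analyze(SAMPLE_STREAM))
```

Feed it the raw bytes from Wireshark's Follow TCP Stream (save as "Raw"); when `complete` is False the answer for question 8 should come from Content-Length, and the exported object for question 5 is not trustworthy for hashing.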
1. The version number of the server system is ________. (Format: 1.1.1111)
7.9.2009 (i.e. CentOS 7.9)
2. The version number of the website database is ________. (Format: 1.1.1111)
5.6.50
3. The session timeout of the Baota panel is ________ minutes. (Format: 50)
120
Log in to the Baota panel, skipping the mobile phone number binding
Case analysis: evidence collection skills and methods to solve the Baota forced mobile binding problem (qq.com); indeed very useful
4. The SHA256 value of the website source code backup compressed file is ________.(64-bit lowercase)
0bdeeacf755126dae9efd38f6a6d70323aa95217b629fd389e0e81f9b406be39
5. The default MD5 salt value for the administrator password of the distribution website sb.wiiudot.cn is ________. (Format: abcd)
lshi4AsSUrUOwWV
Find it in the website code
6. The distribution website sb.wiiudot.cn stores a total of ________ contact records. (Standard format: 1234)
67277
Use Navicat to connect to the database
The database username and password given in the website code are wrong
Add skip-grant-tables under [mysqld] in my.cnf and restart the service to bypass password checking (this turns off all privilege checks, so do it on a working copy of the image and remove the line afterwards)
Connection successful
The app_mobile table stores the contact list data
7. There are _______ victims in all the websites. (Format: xxx. No duplicates, no data recovery)
506
It is not clear from this question who counts as a victim
8. There are _______ administrators with the 'group member' level in the distribution website tf.chongwuxiaoyouxi.com. (Format: number)
26
tf.chongwuxiaoyouxi.com corresponds to sanye123
id=22
9. The invitation code of the administrator named '0820' of the distribution website sb.wiiudot.cn is _______. (Format: xxx)
443074
10. The local database password of the distribution website sb.wiiudot.cn is _______. (Format: xxx)
The one in the website code is wrong
The ciphertext of the correct password is 039263BE30CCE60EAF9F5FBC40259F235BDA776F (40 hex characters, the length of a MySQL 4.1+ PASSWORD() hash, SHA1(SHA1(password)))
It could not be cracked; I saw a writeup saying it is in the backup
Indeed
1. Please analyze the default website directory in the Baota panel: _______. (Standard format: /etc/www)
/home/wwwroot
2. There is a database with only one table structure in the Baota database directory. Please find the 'table structure file' and analyze the field type of the sixth field. (Standard format: int(11))
CHAR(128)
3. Please analyze the domain bound to the 'Enjoy Finance' website: _______. (Standard format: www.baidu.com)
jinrong.goyasha.com
4. Please visit the 'Enjoy Finance' database and find the user table. Assuming the password is 123456, the encrypted value for uid 2909, username goyasha, is _______. (Standard format: abcdefghijklmnopqrstuvwsxyz)
d2174d958131ebd43bf900e616a752e1
The database is sjp
The hashing logic is md5(user password + utime), i.e. a single MD5 of the password concatenated with the user's utime value
uid is 2909, the username is goyasha, utime is 1635837124
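The md5(password + utime) scheme above, reproduced as an added example (not code from the site or the writeup), together with the offline guessing it permits: utime sits in the same row as the hash, so it only forces one MD5 per guess per user. The user rows are constructed; uid 2909 / goyasha / utime 1635837124 are the values quoted above, the other rows are invented, and the writeup's reported hash is kept only for comparison in the demo output.

```python
"""Reproduce the 'Enjoy Finance' password scheme, md5(password + utime), and show
how cheaply it is guessed.

Added example for this writeup.  The user rows are constructed; uid 2909 /
username goyasha / utime 1635837124 are the values the writeup quotes, the
other rows are invented.  The writeup gives d2174d958131ebd43bf900e616a752e1
as the stored value for password 123456 on that row.
"""
import hashlib
from typing import Iterable, Optional

WRITEUP_HASH = "d2174d958131ebd43bf900e616a752e1"


def hash_password(password: str, utime: int) -> str:
    """md5(password + utime) exactly as the site code concatenates them."""
    return hashlib.md5(f"{password}{utime}".encode()).hexdigest()


# Constructed user table: (uid, username, utime, stored hash).
SAMPLE_USERS = [
    (2909, "goyasha", 1635837124, hash_password("123456", 1635837124)),
    (2917, "kongxin", 1640000000, hash_password("123456", 1640000000)),
    (3001, "other",   1650000000, hash_password("correct horse battery", 1650000000)),
]

# Constructed candidate list; a real run would use a proper wordlist.
WORDLIST = ["password", "123456", "12345678", "qwerty", "admin888"]


def crack_user(stored: str, utime: int, candidates: Iterable[str]) -> Optional[str]:
    """The per-user timestamp 'salt' is public, so it costs one MD5 per guess."""
    for guess in candidates:
        if hash_password(guess, utime) == stored:
            return guess
    return None


def crack_table(users, candidates) -> dict:
    """uid -> recovered password (None when the wordlist misses)."""
    return {uid: crack_user(stored, utime, candidates)
            for uid, _name, utime, stored in users}


if __name__ == "__main__":
    h = hash_password("123456", 1635837124)
    print(h, "matches the writeup" if h == WRITEUP_HASH else "differs from the writeup")
    print(crack_table(SAMPLE_USERS, WORDLIST))
```

The timestamp does stop identical passwords from producing identical hashes across users, which is all it does; it adds no cost per guess, and a real wordlist run against the exported user table recovers every weak password in seconds.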
5. Please rebuild 'Enjoy Finance' and visit the platform's front-end login interface: the characters on the top logo of the member login interface are _______. (Standard format: Love Finance)
6. Please analyze how many non-foreign-exchange products 'Enjoy Finance' has added in total. (Standard format: 5)
33
Foreign exchange is pcid=5
Not deleted is isdelete=0
30. Please analyze the address set by 'Le Xiang Financial' (the same 'Enjoy Finance' site) for recharging Tether. (Standard format: EDFGF97B46234FDADSDF0270CB3E)
85CF33F97B46A88C7386286D0270CB3E
Tether is USDT
27. Please analyze the total recharge amount of the victim who recharged more than 582402 yuan on 'Le Xiang Financial'. (Standard format: 12345678)
101000087
25. Please analyze the username of the victim who recharged more than 582402 yuan on 'Le Xiang Financial' with bank card number '6239039472846284913'. (Standard format: Zhang San)
kongxin
uid=2917
username=kongxin
21. Please analyze the closing price of the Ethereum/Tether trade on 'Le Xiang Financial' with opening time '2022/03/01 18:44:01' and closing time '2022/03/01 18:52:01'. (Standard format: 1888.668)
2896.924
buytime is a Unix timestamp
Convert the two times: 1646131441 and 1646131921 (these are 18:44:01 and 18:52:01 on 2022-03-01 in UTC+8, so convert in that time zone rather than UTC)
17. Please analyze the liquidation time of 'Le Xiang Financial' order number '202112090946233262'. (Standard format: 2022-1-11.1:22:43)
2021-12-09.09:52:23
The field is empty in the live database
Consider the backup file; there is indeed a database backup
Import the library, run the SQL file, and query again: 1639014743 (2021-12-09 09:52:23 in UTC+8)
12. A user of the Baota panel attempted a POST request with the parameter '/BTCloud?action=UploadFilesData'. Which operating system was the user probably using to make the request?
A. Windows 8.1
B. Windows 10
C. Windows 11
D. Windows Server 2000
A
For this question I knew the log file had to be found, but I didn't find it the first time and finally saw a writeup
The User-Agent in the log says Windows NT 6.3, which is the NT version string of Windows 8.1
Please analyze the password of the server image's highest-privilege 'root' account. (Standard format: a123456)
g123123
Crack it with hashcat (mode 500, md5crypt) from the shadow file; note that you should take the hash from the original image, not from the currently running virtual machine, since the password may have been changed during emulation
$1$kmYU/aog$fKIF3ugewwCTuPWOSksjD/
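What hashcat mode 500 computes for the shadow line above, as an added example (not from the original writeup): a pure-Python md5crypt following the original FreeBSD construction, a `verify()` that parses a `$1$salt$hash` entry, and a wordlist loop. The shadow hash is the one quoted above and the wordlist is constructed; the writeup reports g123123 as hashcat's result, and the demo simply tries that list against the hash.

```python
"""Verify / wordlist-crack a $1$ (md5crypt) shadow hash, what hashcat -m 500 does.

Added example for this writeup: the md5crypt construction below follows the
original FreeBSD algorithm; the shadow hash is the one the writeup quotes and
the wordlist is constructed.  The writeup reports g123123 as hashcat's result.
"""
import hashlib
import hmac
from typing import Iterable, Optional

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
SHADOW_HASH = "$1$kmYU/aog$fKIF3ugewwCTuPWOSksjD/"


def _to64(value: int, count: int) -> bytes:
    """crypt(3)'s 6-bit encoding, low bits first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5crypt(password: bytes, salt: bytes, magic: bytes = b"$1$") -> bytes:
    """Return '$1$<salt>$<22 chars>' for password/salt (salt truncated to 8)."""
    salt = salt[:8]
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    remaining = len(password)
    while remaining > 0:                      # feed len(password) bytes of alt
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bit = len(password)
    while bit:                                # the odd 'bit pattern' step
        ctx.update(b"\x00" if bit & 1 else password[:1])
        bit >>= 1
    final = ctx.digest()
    for i in range(1000):                     # the 1000-round stretching loop
        rnd = hashlib.md5(password if i & 1 else final)
        if i % 3:
            rnd.update(salt)
        if i % 7:
            rnd.update(password)
        rnd.update(final if i & 1 else password)
        final = rnd.digest()
    out = b""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    out += _to64(final[11], 2)
    return magic + salt + b"$" + out


def verify(password: str, shadow_hash: str) -> bool:
    """Check a password against a '$1$salt$hash' entry from /etc/shadow."""
    parts = shadow_hash.split("$")
    if len(parts) != 4 or parts[1] != "1":
        raise ValueError("not an md5crypt ($1$) hash")
    computed = md5crypt(password.encode(), parts[2].encode())
    return hmac.compare_digest(computed, shadow_hash.encode())


def crack(shadow_hash: str, wordlist: Iterable[str]) -> Optional[str]:
    """Try each candidate; 1000 MD5 rounds per guess is all that slows this down."""
    for guess in wordlist:
        if verify(guess, shadow_hash):
            return guess
    return None


if __name__ == "__main__":
    wordlist = ["root", "123456", "a123456", "g123123"]        # constructed
    print("recovered:", crack(SHADOW_HASH, wordlist))
```

Take the hash from the shadow file in the original image, as the note above says; a `$6$` (sha512crypt) line needs hashcat mode 1800 instead, and `verify()` refuses it rather than silently comparing the wrong algorithm.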