1. Document the Readme and all forensics questions: Ensure that you have created a good record of what the readme is telling you, and what the forensics questions are asking for. MAKE SURE YOU HOLD ON TO THIS. Your documentation will not only help you during the competition, but can also help you prepare for future images.

2. Search for forensics question answers: I like to do this first because sometimes the forensics questions deal with malware, incorrect settings, or other items you would change. If you remove malware that the forensics question is asking you about, you're not going to be able to find the answer. This is an easy way to earn points.

3. Go through the User Accounts section of the Control Panel: Look through all of the users. Make sure that they are at the level that they need to be at, are adhering to password policies, and are actually supposed to be there. Disable the guest account unless the readme specifically tells you not to.
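The same review from PowerShell, as an added example that is not part of the original checklist. It lists every local account with whether it is an administrator, whether a password is required and whether it expires, flags the cases the step above tells you to look for, and only at the end disables Guest (skip that line if the readme says to keep Guest on). It assumes the Microsoft.PowerShell.LocalAccounts module, which ships with Windows 10 / PowerShell 5.1 and later.

```powershell
# Added example, not from the original checklist: review local accounts (step 3).
# Read-only except for the final Disable-LocalUser on Guest.
# Assumes the Microsoft.PowerShell.LocalAccounts module (Windows 10 / PS 5.1+).

# Members of the local Administrators group, reduced to the bare account name
$admins = Get-LocalGroupMember -Group 'Administrators' |
    ForEach-Object { ($_.Name -split '\\')[-1] }

Get-LocalUser | Select-Object Name, Enabled,
    @{ n = 'IsAdmin';          e = { $admins -contains $_.Name } },
    @{ n = 'PasswordRequired'; e = { $_.PasswordRequired } },
    @{ n = 'PasswordExpires';  e = { if ($_.PasswordExpires) { $_.PasswordExpires } else { 'never' } } },
    LastLogon |
    Sort-Object IsAdmin -Descending |
    Format-Table -AutoSize

# Flag the things the checklist says to look for, so they stand out in a review
Get-LocalUser | ForEach-Object {
    if ($_.Enabled -and -not $_.PasswordRequired) { "REVIEW: $($_.Name) is enabled with no password required" }
    if ($_.Enabled -and -not $_.PasswordExpires)  { "REVIEW: $($_.Name) has a password that never expires" }
}

# Guest stays disabled unless the readme explicitly says otherwise
$guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
if ($guest -and $guest.Enabled) {
    Disable-LocalUser -Name 'Guest'
    "Guest account disabled"
}
```

Write down every account you change (name, what you changed, why) as part of the documentation from step 1; an account you disabled by mistake is much easier to put back when you have that record.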

4. Set the security policies in secpol.msc: Go through secpol.msc and set the Password and Audit log settings. They should look something like this:

  • Enforce Password History: 5 passwords remembered
  • Maximum Password Age: 30 to 90 days
  • Minimum Password Age: 5 days
  • Minimum Password Length: 8 characters
  • Password must meet complexity requirements: Yes
  • Store passwords using reversible encryption: No

You should also go through and turn on auditing for failed and successful log-ons while in secpol.msc.
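A way to verify the policy values above without clicking through secpol.msc, as an added example that is not part of the original checklist. It exports the local security policy with secedit, compares the [System Access] keys against the values listed in this step, and then enables logon success/failure auditing with auditpol. Only the auditpol line changes anything. It assumes an elevated prompt; secedit.exe and auditpol.exe ship with Windows.

```powershell
# Added example, not from the original checklist: check the local password
# policy against the values step 4 lists, then turn on logon auditing.
# Run from an elevated prompt. Only the auditpol line changes anything.

# Expected values; MaximumPasswordAge is the 30-90 day range from the list
$expected = @{
    PasswordHistorySize   = 5
    MaximumPasswordAge    = @(30, 90)
    MinimumPasswordAge    = 5
    MinimumPasswordLength = 8
    PasswordComplexity    = 1        # 1 = complexity required
    ClearTextPassword     = 0        # 0 = no reversible encryption
}

$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /quiet | Out-Null

# The export is INI-style "Key = Value"; collect the numeric [System Access] keys.
# secedit writes a BOM-marked Unicode file, which Get-Content detects.
$current = @{}
$section = ''
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\[(.+)\]') { $section = $matches[1]; continue }
    if ($section -eq 'System Access' -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$') {
        $current[$matches[1]] = [int]$matches[2]
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

foreach ($key in $expected.Keys) {
    $have = $current[$key]
    $want = $expected[$key]
    $ok = if ($want -is [array]) { $have -ge $want[0] -and $have -le $want[1] } else { $have -eq $want }
    '{0,-22} current={1,-4} expected={2,-6} {3}' -f $key, $have, ($want -join '-'), $(if ($ok) { 'OK' } else { 'CHECK' })
}

# Audit successful and failed logons (the audit-policy part of step 4)
auditpol /set /subcategory:"Logon" /success:enable /failure:enable | Out-Null
auditpol /get /subcategory:"Logon"
```

Any line that prints CHECK is one you still set in secpol.msc (or with `net accounts` for the numeric values). Re-running the script after you save is a quick way to confirm the change took, and to catch it being undone later.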

5. Enable UAC (User Account Control): Turning UAC up to the highest level is generally a good practice and will earn you points in most cases.

6. Enable Windows Firewall: Turning on the Windows Firewall is a requirement in most images. The level of protection for your system may vary, and some exceptions in the firewall may apply. Be sure to check that the firewall is still up periodically after you do it the first time.
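Because both of these settings are worth re-checking during the competition, here is a re-check script for steps 5 and 6, as an added example that is not part of the original checklist. It reads the three documented UAC policy registry values that together make up the highest slider level, shows the state of every firewall profile, re-enables any profile that is off, and lists the enabled inbound allow rules so you can compare the exceptions against the readme. It assumes the NetSecurity cmdlets (Windows 8 / Server 2012 and later) and an elevated prompt.

```powershell
# Added example, not from the original checklist: re-check UAC (step 5) and the
# firewall (step 6). Assumes Windows 8+/Server 2012+ and an elevated prompt.

# EnableLUA=1 turns UAC on; ConsentPromptBehaviorAdmin=2 is "always notify";
# PromptOnSecureDesktop=1 dims the desktop for the prompt. All three together
# correspond to the top of the UAC slider.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $uacKey
[pscustomobject]@{
    EnableLUA                  = $uac.EnableLUA
    ConsentPromptBehaviorAdmin = $uac.ConsentPromptBehaviorAdmin
    PromptOnSecureDesktop      = $uac.PromptOnSecureDesktop
    HighestLevel               = ($uac.EnableLUA -eq 1 -and
                                  $uac.ConsentPromptBehaviorAdmin -eq 2 -and
                                  $uac.PromptOnSecureDesktop -eq 1)
} | Format-List

# Firewall: state per profile, then re-enable anything that has been turned off
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
$off = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' }
if ($off) {
    Set-NetFirewallProfile -Profile $off.Name -Enabled True
    "Re-enabled firewall profile(s): $($off.Name -join ', ')"
}

# Exceptions: enabled inbound allow rules, to compare against the readme
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Select-Object DisplayName, Profile, Group |
    Sort-Object DisplayName |
    Format-Table -AutoSize
```

If HighestLevel comes back False after you set the slider, check whether a local policy is overriding it; the slider and these registry values are the same setting seen two ways.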

8. Check the Windows Scheduled Tasks: If you've been experiencing any unexplained settings changing, pop-ups, or any other odd behavior, check the Scheduled Tasks. Look for anything that runs suspicious programs, opens error messages, etc. This is tedious, but is a good way to earn some extra points. Figuring out how often the nuisance occurs is a good way to nail down exactly what scheduled task is causing your problem.

9. Look at Windows features in Programs and Features: Look for anything that you know that your computer shouldn't have. Telnet is usually a no-no, but sometimes the Readme tells you to leave it on, or even enable it. Make sure your computer isn't running a web server if it shouldn't be.

10. Look for junk programs, malware, and hacking tools: The Programs and Features section of the control panel will display a list of programs that are installed. This is a good place to find programs that you can uninstall for some extra points. Tools like JRT and PC Decrapifier help expedite this process, but there's no alternative to looking for yourself.

11. Ensure that all required programs are running correct versions: Note that the latest version is not always the correct version. The readme will usually tell you what version of a program to have.
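An inventory for steps 9 through 11 in one pass, as an added example that is not part of the original checklist. It lists enabled optional Windows features whose names match the usual suspects (Telnet, IIS, TFTP, SMB1, Simple TCP services), then reads installed programs straight from the Uninstall registry keys, newest first, with the version column you need for step 11. It assumes Windows 8 or later for Get-WindowsOptionalFeature and an elevated prompt; the feature-name pattern is a constructed starting list, not a complete one.

```powershell
# Added example, not from the original checklist: inventory for steps 9-11.
# Assumes Windows 8+ for Get-WindowsOptionalFeature; run elevated.

Write-Host "== Enabled Windows features of interest =="
# Constructed pattern of features that are usually not wanted; extend per the readme
$suspect = 'Telnet|TFTP|IIS|SMB1|SimpleTCP|Windows-Media'
Get-WindowsOptionalFeature -Online |
    Where-Object { $_.State -eq 'Enabled' -and $_.FeatureName -match $suspect } |
    Select-Object FeatureName, State

Write-Host "== Installed programs (newest first) =="
# Same data Programs and Features shows, read from the registry (64-bit, 32-bit, per-user)
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
# InstallDate is a yyyyMMdd string when the installer recorded one, so sorting
# it as text still puts the newest installs first
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate,
        @{ n = 'Location'; e = { $_.InstallLocation } } |
    Sort-Object InstallDate -Descending |
    Format-Table -AutoSize
```

Entries with no Publisher, an odd install location (a user profile or a temp folder), or an install date after the image was built are the ones to look at first; compare the DisplayVersion column against whatever version the readme requires before you touch anything.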

12. Enable Antivirus Software: Free antivirus software like AVG or Avast will do, but it has to be a free trial version for the competition. Scanning the system with MalwareBytes is a good idea, too.

13. Use Process Explorer to see what's running on your computer: I could write an article just about this. Look for anything suspicious. Remove. Repeat.

14. Use Autoruns to see what's running when you first start up your computer: This will get an autorun
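Process Explorer and Autoruns are the right tools for steps 13 and 14, and Scheduled Tasks for step 8; what follows is an added example, not part of the original checklist, that gives you a first read-only pass over the same three places from PowerShell so you know where to look when you open those tools. It lists non-Microsoft scheduled tasks with what they execute, running processes whose image is outside the standard Windows and Program Files locations or carries no valid Authenticode signature, and the Run/RunOnce keys plus Startup folders. It removes nothing; what goes is still your call against the readme. It assumes Windows 8 / Server 2012 or later for Get-ScheduledTask.

```powershell
# Added example, not from the original checklist: read-only triage of scheduled
# tasks, running processes and autorun entries (steps 8, 13, 14).
# Assumes Windows 8/Server 2012 or later for Get-ScheduledTask.

# 1. Scheduled tasks outside the \Microsoft\ folder, with what they execute
Write-Host "== Scheduled tasks (non-Microsoft) =="
Get-ScheduledTask |
    Where-Object { $_.TaskPath -notlike '\Microsoft\*' -and $_.State -ne 'Disabled' } |
    ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            [pscustomobject]@{
                Task      = $task.TaskPath + $task.TaskName
                Execute   = $a.Execute
                Arguments = $a.Arguments
                Trigger   = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName }) -join ','
            }
        }
    } | Format-Table -AutoSize

# 2. Running processes whose image is not under Windows or Program Files,
#    or whose executable has no valid Authenticode signature
Write-Host "== Processes outside standard locations or unsigned =="
Get-Process | Where-Object { $_.Path } | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.Path
    $std = $_.Path -like "$env:SystemRoot\*" -or
           $_.Path -like "${env:ProgramFiles}\*" -or
           $_.Path -like "${env:ProgramFiles(x86)}\*"
    if (-not $std -or $sig.Status -ne 'Valid') {
        [pscustomobject]@{ PID = $_.Id; Name = $_.ProcessName; Path = $_.Path; Signature = $sig.Status }
    }
} | Format-Table -AutoSize

# 3. Autorun entries: Run/RunOnce keys for the machine and current user,
#    plus both Startup folders
Write-Host "== Run/RunOnce keys and Startup folders =="
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -notmatch '^PS') {   # skip PSPath/PSParentPath/... metadata
                [pscustomobject]@{ Location = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
Get-ChildItem -Path $startupDirs -Force -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime
```

An unsigned process is not automatically malware (plenty of legitimate software is unsigned) and a signed one is not automatically fine, so treat the output as a shortlist for Process Explorer, not a verdict. Autoruns covers many more locations than the Run keys and Startup folders shown here (services, drivers, Winlogon, shell extensions), which is why step 14 still matters.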

15. Make sure any important Windows Updates and Patches are installed: This can be a long and tedious process, so see what you can bring in on removable media to help speed up the process.

16. Verify that your browser is in good, working, uncluttered order: Make sure that there are no unauthorized add ons, plug-ins, un-needed toolbars, etc. The process for removing these items varies by browser.

17. Make sure your image doesn't contain any unauthorized media files: Things like .mp3 and .mov files have to go. The Windows search bar (searching *.mp3 finds the .mp3 files in the selected area) is a quick way to locate these media files.

18. Use netstat -a to look for unauthorized ports: Running netstat -a in the command prompt will list every active connection and listening port on your computer. Check IANA's list of common ports to help decide what you should keep.
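netstat -a tells you the ports but not who owns them; this added example, not part of the original checklist, lists listening TCP ports and bound UDP endpoints together with the owning process name and image path, and marks anything not in a small expected list for review. The expected-port table is constructed for illustration (compare against the readme and IANA's registry, as the step says), and the script assumes the NetTCPIP cmdlets (Windows 8 / Server 2012 or later).

```powershell
# Added example, not from the original checklist: listening ports with their
# owning process (step 18). Assumes Windows 8/Server 2012+ for Get-NetTCPConnection.

# Constructed list of ports usually expected on a workstation image; it is an
# illustration, not an authoritative list. Everything else is marked REVIEW.
$expected = @{
    135  = 'RPC endpoint mapper'
    139  = 'NetBIOS session'
    445  = 'SMB'
    3389 = 'RDP (only if the readme allows it)'
}

# Process table keyed by PID so each socket can be mapped to name and path
$procs = @{}
Get-Process | ForEach-Object { $procs[$_.Id] = $_ }

function New-PortRow($proto, $addr, $port, $owningPid) {
    $p = $procs[[int]$owningPid]
    [pscustomobject]@{
        Proto   = $proto
        Local   = "${addr}:$port"
        Port    = [int]$port
        PID     = $owningPid
        Process = $(if ($p) { $p.ProcessName } else { '?' })
        Path    = $(if ($p) { $p.Path } else { '' })
        Note    = $(if ($expected.ContainsKey([int]$port)) { $expected[[int]$port] } else { 'REVIEW' })
    }
}

$tcp = Get-NetTCPConnection -State Listen |
    ForEach-Object { New-PortRow 'TCP' $_.LocalAddress $_.LocalPort $_.OwningProcess }
$udp = Get-NetUDPEndpoint |
    ForEach-Object { New-PortRow 'UDP' $_.LocalAddress $_.LocalPort $_.OwningProcess }

@($tcp) + @($udp) |
    Sort-Object Proto, Port, Local |
    Format-Table Proto, Local, Process, PID, Note, Path -AutoSize
```

A REVIEW line whose Process is a known Windows service host is usually fine once you identify the service (Get-CimInstance Win32_Service filtered on the PID tells you which); a REVIEW line whose Path points into a user profile or a temp folder is the kind of thing steps 10 and 13 are about. Run it again after you remove something, since a service you did not notice can bring a port back.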

19. Go through everything more than once, and document everything: Going back through and making sure everything is exactly how you left it and how you want it is a good way to find errors that you might have missed. Documenting everything helps identify errors that you may have caused.
