
Information
Category Name: AfricanFalls
Files: c48-Africanfalls.zip 672 MB
My Recommendations
This is my personal preference: I like being organized and deleting a folder when I'm done with it.
mkdir Documents/CyberDefenders/AfricanFalls && cd Documents/CyberDefenders/AfricanFalls
Download it from Cyber Defenders and verify the file with sha1sum:
sha1sum /path/to/c48-Africanfalls.zip
SHA1: 475b5c8c679ef034541edbd761faad5b5441656e
Then extract it with the provided password.
Run FTK Imager under Wine with:
wine '.wine/drive_c/Program Files/AccessData/FTK Imager/FTK Imager.exe'
Once it's installed, select Add Evidence Item and pick DiskDrigger.ad1. Then expand the tree, right-click '[root]', select "Export Files" and choose your working directory (WD) as the export destination. To make CLI navigation easier, rename the exported folder. You can also delete the .ad1 file at this point:
mv '[root]' root
rm DiskDrigger/DiskDrigger.ad1
Walkthrough
1. What is the MD5 hash value of the suspect disk?
There is a text file associated with the ad1 archive that contains this information:
cat DiskDrigger/DiskDrigger.ad1.txt
Answer: 9471e69c95d8909ae60ddff30d50ffa1
2. What phrase did the suspect search for on 2021-04-29 18:17:38 UTC?
(three words, two spaces in between)
Most likely the suspect used a web browser. To see which browsers are installed, list the contents of the user's AppData directories:
ls -la root/Users/*/AppData/*
Since Chrome is installed, copy the History database (a SQLite file) to your WD and open it:
cp root/Users/*/AppData/Local/Google/Chrome/*/Default/History History.db && sqlitebrowser History.db
The timestamps are in WebKit format (microseconds since 1601-01-01 UTC); to convert them to readable dates, run the following SQL query:
SELECT datetime(last_visit_time/1000000-11644473600, "unixepoch") as last_visited, url, title, visit_count FROM urls;
Answer: password cracking lists
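To show what the query above is actually doing, here is an added example (mine, not the walkthrough's): it builds an in-memory copy of the columns of Chrome's urls table that the query touches, fills it with constructed rows, runs the same conversion, and cross-checks it with a pure-Python WebKit-to-UTC conversion. The URLs, titles and the second timestamp are constructed sample data; only the conversion formula comes from the walkthrough. The same connection also shows the "title contains @" filter used later in question 6.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Constructed sample rows standing in for Chrome's History.urls table.
# last_visit_time is a WebKit time: microseconds since 1601-01-01 00:00:00 UTC.
SAMPLE_URLS = [
    (1, "https://www.google.com/search?q=password+cracking+lists",
     "password cracking lists - Google Search", 1, 13264193858000000),
    (2, "https://example.invalid/inbox",
     "Inbox - user@example.invalid", 3, 13264194137598000),
]

# The walkthrough's query: integer division by 10^6 drops to seconds, then the
# 11644473600 s between 1601-01-01 and 1970-01-01 is removed.
VISITS_SQL = """
SELECT datetime(last_visit_time/1000000-11644473600, 'unixepoch') AS last_visited,
       url, title, visit_count
FROM urls
ORDER BY last_visit_time;
"""


def webkit_to_utc(webkit_us: int) -> datetime:
    """Pure-Python cross-check of the SQL conversion (WebKit microseconds -> UTC)."""
    epoch_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
    return epoch_1601 + timedelta(microseconds=webkit_us)


def load_history(rows=SAMPLE_URLS) -> sqlite3.Connection:
    """Build an in-memory table with the subset of Chrome's schema the query needs.
    On a real case open the exported file instead: sqlite3.connect("History.db")."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE urls (
        id INTEGER PRIMARY KEY, url TEXT, title TEXT,
        visit_count INTEGER, last_visit_time INTEGER)""")
    conn.executemany("INSERT INTO urls VALUES (?, ?, ?, ?, ?)", rows)
    return conn


def visits(conn: sqlite3.Connection) -> list:
    """Rows of (last_visited, url, title, visit_count), oldest first."""
    return conn.execute(VISITS_SQL).fetchall()


def titles_containing(conn: sqlite3.Connection, needle: str) -> list:
    """The question-6 filter: titles containing the needle, e.g. '@'."""
    return conn.execute(
        "SELECT title FROM urls WHERE title LIKE ?", (f"%{needle}%",)).fetchall()


if __name__ == "__main__":
    db = load_history()
    for last_visited, url, title, count in visits(db):
        print(last_visited, count, title, url)
    print(titles_containing(db, "@"))
```

The query uses single quotes around 'unixepoch'; SQLite treats a double-quoted string as an identifier first and only falls back to a string literal, so single quotes are the safe form in scripts.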
3. What is the IPv4 address of the FTP server the suspect connected to?
John Doe used FileZilla, and listing FileZilla's directory shows a filezilla.xml file. Its contents contain the user's configuration and connection history:
cat root/Users/*/AppData/*/FileZilla/filezilla.xml
Answer: 192.168.1.20
4. What date and time was a password list deleted in UTC? (YYYY-MM-DD HH:MM:SS UTC)
First, listing the contents of the Recycle Bin shows two text files in the Recycle Bin of the user with RID 1001.
ls -la root/\$Recycle.Bin/*
Print the contents of both text files to make sure it's a password list:
cat root/\$Recycle.Bin/*/\$IW9BJ2Z.txt
cat root/\$Recycle.Bin/*/\$RW9BJ2Z.txt
Andrea Fortuna comes to my rescue (as usual!). When a file is sent to the Recycle Bin it gets "split" in two. The file starting with $I is the metadata: it contains the original file path, the file name and the time it was deleted. The file starting with $R holds the file's contents. To find out when the file was deleted, we need to focus on the $I file. There are two ways to get the time. The easy way is with exiftool:
exiftool root/\$Recycle.Bin/*/\$IW9BJ2Z.txt
The File Modification Time is 2021-04-29 14:22:17 (18:22:17 in UTC).
Otherwise, you can do this manually:
xxd root/\$Recycle.Bin/*/\$IW9BJ2Z.txt
The highlighted value (bytes 16 to 23 of the $I file, the 64-bit FILETIME deletion timestamp) is what we need. Copy it and remove the spaces. Then launch python3 from the terminal (just type python3 and hit enter). I found this script that does the job for Windows timestamps, and edited it for our value:
from __future__ import division
import struct
from binascii import unhexlify
from datetime import datetime, timedelta

# The 8 bytes copied from xxd, in the order they appear on disk (little-endian)
ts = "e0910896243dd701"
nt_timestamp = struct.unpack("<Q", unhexlify(ts))[0]
# FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00:00 UTC
epoch = datetime(1601, 1, 1, 0, 0, 0)
nt_datetime = epoch + timedelta(microseconds=nt_timestamp / 10)
print(nt_datetime.ctime())
This prints the converted timestamp in UTC: Thu Apr 29 18:22:17 2021
Answer: 2021-04-29 18:22:17 UTC
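The one-off script above only decodes the timestamp. As an added example (my code, not from the walkthrough or Andrea Fortuna's post), here is a small parser for the whole $I record, so the original path, size and deletion time all come out of one call. It assembles a constructed Windows 10 style $I record around the real timestamp bytes from the xxd output; the path and size in that record are placeholders, not the suspect's actual values.

```python
import struct
from datetime import datetime, timedelta, timezone


def filetime_to_utc(filetime: int) -> datetime:
    """Windows FILETIME: 100-nanosecond intervals since 1601-01-01 00:00:00 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)


def parse_dollar_i(data: bytes) -> dict:
    """Parse a Recycle Bin $I metadata record.

    Layout: 8-byte version, 8-byte original size, 8-byte FILETIME deletion time,
    then the original path. Windows 10 (version 2) stores a 4-byte UTF-16 character
    count followed by the NUL-terminated path; Vista to 8.1 (version 1) store a
    fixed 520-byte NUL-padded UTF-16LE field.
    """
    if len(data) < 24:
        raise ValueError("too short to be a $I record")
    version, size, filetime = struct.unpack_from("<QQQ", data, 0)
    if version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + 2 * nchars]
    elif version == 1:
        raw = data[24:24 + 520]
    else:
        raise ValueError(f"unknown $I version {version}")
    return {
        "version": version,
        "original_size": size,
        "deleted_at": filetime_to_utc(filetime).strftime("%Y-%m-%d %H:%M:%S"),
        "original_path": raw.decode("utf-16-le").rstrip("\x00"),
    }


def build_dollar_i(path: str, size: int, filetime: int) -> bytes:
    """Constructed test input only: assembles a version-2 record the way Windows 10 lays it out."""
    encoded = (path + "\x00").encode("utf-16-le")
    return struct.pack("<QQQI", 2, size, filetime, len(path) + 1) + encoded


# Deletion timestamp from the walkthrough's xxd output (bytes 16-23 of $IW9BJ2Z.txt).
SAMPLE_FILETIME = struct.unpack("<Q", bytes.fromhex("e0910896243dd701"))[0]
# Path and size are constructed placeholders, not values from the evidence.
SAMPLE_RECORD = build_dollar_i(r"C:\Users\John Doe\Desktop\passwords.txt", 4242, SAMPLE_FILETIME)

if __name__ == "__main__":
    # On a real case: parse_dollar_i(open("root/$Recycle.Bin/<SID>/$IW9BJ2Z.txt", "rb").read())
    print(parse_dollar_i(SAMPLE_RECORD))
```

The version check matters in practice: a record exported from an older system has no length field, and reading it as version 2 produces garbage for the path while the timestamp (same offset in both layouts) still decodes correctly.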
5. How many times was Tor Browser run on the suspect's computer? (number only)
Using Prefetch Run Counts:
prefetchruncounts.py root/Windows/Prefetch
cat Prefetch_run_count.csv | grep "TOR"
##Returns one value for Tor's Installation .exe
cat Prefetch_run_count.csv | grep "FIREFOX"
##Returns nothing
There is only one record, for Tor's installer, and none for Firefox (some Tor Browser prefetch files contain "Firefox", since Tor Browser is built on Firefox). John installed Tor and never ran it.
Answer: 0
6. What is the suspect's email address?
In the Chrome History database there was a record containing an email address. Open the urls table and filter the title column with @:
sqlitebrowser History.db
Answer: dreammaker82@protonmail.com
7. What FQDN did the suspect port scan?
To port scan, the suspect must have used a command line tool. Since the suspect is on a Windows machine, it's very likely he/she used PowerShell. There is a ConsoleHost_history.txt file (PSReadLine's command history) in the Roaming directory of PowerShell:
cat 'root/Users/John Doe/AppData/Roaming/Microsoft/Windows/PowerShell/PSReadLine/ConsoleHost_history.txt'
The user pinged and nmapped "dfir.science":
Answer: dfir.science
8. What country was picture "20210429_152043.jpg" allegedly taken in?
Find the file path and execute exiftool:
find root/ -name "20210429_152043.jpg"
##Returns root/Users/John Doe/Pictures/Contact/20210429_152043.jpg
exiftool 'root/Users/John Doe/Pictures/Contact/20210429_152043.jpg' | grep "GPS"
In decimal, these coordinates are -16.000000, 23.000000 (16° S, 23° E). Searching for them in Google Maps, the country is Zambia:
Answer: Zambia
9. What is the name of the parent folder picture "20210429_151535.jpg" was in before the suspect copied it to the "contact" folder on his desktop?
The picture has a lot of metadata attached, so it was most likely taken by the user with a personal device and then copied, moved or downloaded onto the computer. First, find the camera model name:
exiftool 'root/Users/John Doe/Pictures/Contact/20210429_152043.jpg' | grep "Camera" -B 5 -A 5
This camera model belongs to the LG Q7 phone. Running RegRipper's shellbags plugin against UsrClass.dat will tell us about the folders the user browsed:
cp root/Users/John\ Doe/AppData/Local/Microsoft/Windows/UsrClass.dat UsrClass.dat
rip.pl -p shellbags -r UsrClass.dat
As you can see, the parent folder name was Camera:
Answer: Camera
10. The Windows password hashes for an account are below. What is the user's password?
Anon:1001:aad3b435b51404eeaad3b435b51404ee:3DE1A36F6DDB8E036DFD75E8E20C4AF4:::
First, copy the hash line and save it in a plain text file called "hash.txt".
I kind of cheated for this one. CyberDefenders provides little hints in the answer section; in this case it showed that the answer was "A*****!". The challenge is called AfricanFalls, so I assumed the password's seed word was Africa. To create a custom wordlist, I used PassGen:
##CD to PassGen
source env/bin/activate
python2 passgen.py -f Africa! > wordlist.txt
python2 passgen.py -f africa! >> wordlist.txt
python2 passgen.py -f Afrika! >> wordlist.txt
python2 passgen.py -f afrika! >> wordlist.txt
deactivate
mv wordlist.txt ~/Documents/CyberDefenders/AfricanFalls/wordlist.txt
This makes it much easier to crack with John:
john --format=nt --wordlist=wordlist.txt hash.txt
Answer: AFR1CA!
11. What is the user "John Doe's" Windows login password?
First, copy the registry hives:
cp root/Windows/System32/config/SYSTEM system.save
cp root/Windows/System32/config/SOFTWARE software.save
cp root/Windows/System32/config/SAM sam.save
cp root/Windows/System32/config/SECURITY security.save
Then dump the hashes from the offline hives with Impacket's secretsdump:
secretsdump.py -sam sam.save -security security.save -system system.save LOCAL
Once the hashes are dumped, paste the hash lines into a text file in your WD:
echo "##paste the hashes " > ~/Documents/CyberDefenders/AfricanFalls/ntlm.txt
Then, run john:
john --format=nt ntlm.txt
John cracked it in 55 seconds; John Doe's password is ctf2021!
Answer: ctf2021
TLDR
CyberDefenders' AfricanFalls is a fun and challenging lab for testing Windows forensics skills. NTLM password cracking was the hardest part, and honestly it took me a while since I had never done it before.