
Information
Category Name: CorporateSecrets
Files: c17.zip 720 MB
–> CorprateSec.ad1 774.3MB
My Recommendations
This is my personal preference, I like being organized and deleting a folder when I’m done with it.
mkdir Documents/CyberDefenders/CorporateSecrets && cd Documents/CyberDefenders/CorporateSecrets
Download it from the Cyber Defenders and verify the file with sha1sum:
sha1sum /path/to/c17.zip
SHA1: b9987d61b1f3db1732eb3e9b31f31ae18a982df4
Then extract it with the provided password.
Run it with:
wine '.wine/drive_c/Program Files/AccessData/FTK Imager/FTK Imager.exe'
Select "Add Evidence Item" and select CorprateSec.ad1. Then select File, "Export Files", and choose the working directory as the export destination.
I recommend renaming the folders to make them more CLI-friendly:
mv 'DFA_SP2020_Windows.E01_Partition 2 [50649MB]_NONAME [NTFS]' Part2
mv 'Part2/[root]' Part2/root   # quote the whole path so the brackets are not treated as a glob
Walkthrough
1. What is the current build number on the system?
Using RegRipper:
rip.pl -r Part2/root/Windows/System32/config/SOFTWARE -p winver

Answer: 16299
2. How many users are there?
Using RegRipper:
rip.pl -r Part2/root/Windows/System32/config/SAM -p samparse | grep Username

The usernames that have four digits in the brackets are regular users. The usernames with five digits are system accounts; they are not considered users per se. Therefore, there are six users on the computer.
Answer: 6
3. What is the CRC64 hash of the file “fruit_apricot.jpg”?
We can merge the commands as there seems to be only one file named “fruit_apricot.jpg“. 7z (pre-installed in REMnux/SIFT) can calculate the CRC64 hash of a file:
find . -name "fruit_apricot.jpg" -exec 7z h -scrcCRC64 {} \;

Answer: ED865AA6DFD756BF
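If you want to reproduce the 7-Zip result without 7z, here is an added example (not from the original write-up) that implements the CRC-64 variant 7-Zip's `-scrcCRC64` computes: the reflected ECMA-182 polynomial with all-ones init and xor-out, the same CRC-64/XZ that xz uses. The file path is a placeholder and the byte strings are constructed. A CRC is an error-detection code, not a cryptographic hash: it identifies a file for a challenge answer, but an attacker can alter a file and keep its CRC, so integrity checks against tampering should use SHA-256 or similar.

```python
"""CRC-64/XZ: reflected ECMA-182 polynomial, init and xorout all-ones.
This is the CRC64 that xz and 7-Zip's `7z h -scrcCRC64` produce."""

POLY_REFLECTED = 0xC96C5795D7870F42   # bit-reversed form of 0x42F0E1EBA9EA3693
MASK64 = 0xFFFFFFFFFFFFFFFF


def _make_table():
    """Byte-at-a-time lookup table for the reflected polynomial."""
    table = []
    for byte in range(256):
        crc = byte
        for _ in range(8):
            crc = (crc >> 1) ^ POLY_REFLECTED if crc & 1 else crc >> 1
        table.append(crc)
    return table


_TABLE = _make_table()


def crc64_update(crc, data):
    """Feed more bytes into a running (non-finalised) CRC state."""
    for b in data:
        crc = _TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc


def crc64(data):
    """Return the CRC-64/XZ of a byte string as an integer."""
    return crc64_update(MASK64, data) ^ MASK64


def crc64_hex(data):
    """Upper-case 16-digit hex, the same formatting 7z prints."""
    return f"{crc64(data):016X}"


def crc64_file(path, chunk_size=1 << 20):
    """Stream a file through the CRC so large images do not have to fit in memory."""
    crc = MASK64
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            crc = crc64_update(crc, chunk)
    return f"{crc ^ MASK64:016X}"


if __name__ == "__main__":
    # Standard check value for CRC-64/XZ over the ASCII digits 1-9.
    print(crc64_hex(b"123456789"))      # 995DC9BBDF1939FA
    # crc64_file("/path/to/fruit_apricot.jpg")  # placeholder path
```

Running `crc64_file` over the carved `fruit_apricot.jpg` should give the same 16 hex digits as `7z h -scrcCRC64`; if it does not, the two tools are not reading the same bytes (a good sanity check when a file was exported by FTK Imager through Wine).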
4. What is the logical size of the file "strawberry.jpg" in bytes?
One line with bash:
find . -name "strawberry.jpg" -exec ls -la {} \;
Answer: 72448
5. What is the processor architecture of the system?
Using RegRipper:
rip.pl -r Part2/root/Windows/System32/config/SYSTEM -p processor_architecture

Answer: AMD64
6. Which user has a photo of a dog in their recycling bin?
We can find photos in the Recycling Bin by using find:
find Part2/root/'$Recycle.Bin'/ -name "*.jpeg" -o -name "*.jpg" -o -name "*.png"

Files in the Recycle Bin that start with $I contain the metadata for the trashed file (original path, size, deletion time); files starting with $R are the actual file content. We can open $RGETALS.jpg to double-check:
display Part2/root/'$Recycle.Bin'/S-1-5-21-2446097003-76624807-2828106174-1005/'$RGETALS.jpg'

It is a picture of a dog!
The long string between $Recycle.Bin and the file name is the user's SID; its last component (1005) is the user's RID. In Question 2, we saw that the user with RID 1005 is hansel.apricot.
Answer: hansel.apricot
7. What type of file is "vegetable"? Provide the extension without a dot.
The question implies there is only one file named “vegetable“, so we can merge our commands:
find . -type f -name "vegetable" -exec file {} \;

The file is 7-zip archive data, version 0.4, so its extension is ".7z".
Answer: 7z
8. What type of girls does Miriam Grapes design phones for (Target audience)?
We can grep for ‘target audience’ in Miriam Grapes’ user directory:
grep -r -i -l 'target' Part2/root/Users/miriam.grapes
This returns mostly entries in Firefox. We can copy the ‘places.sqlite’ database, which contains browsing history, to examine further:
find Part2/root/Users/miriam.grapes -name 'places.sqlite' -exec cp "{}" . \;
sqlitebrowser places.sqlite

In the moz_places table, we can see that miriam.grapes did some market research on ‘vsco girls’
Answer: vsco
9. What is the name of the device?
Using RegRipper:
rip.pl -r Part2/root/Windows/System32/config/SYSTEM -p compname

Answer: DESKTOP-3A4NLVQ
10. What is the SID of the machine?
In Question 6, the $Recycle.Bin directory contained a folder named after the SID of each user.
The SID of a user is the SID of the machine followed by a four-digit number, the user's RID.
Without going into the registry, it’s confirmed that the SID of the machine is S-1-5-21-2446097003-76624807-2828106174.
Answer: S-1-5-21-2446097003-76624807-2828106174
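The SID/RID split used in Questions 2, 6 and 10 and the $I metadata files mentioned in Question 6 are easy to handle without a GUI. The following is an added example, not code from the write-up or from RegRipper: it splits an account SID into machine SID and RID, classifies RegRipper samparse lines by RID (built-in accounts sit below 1000), and parses the $I<id> record that Windows writes next to each $R<id> file (version 2 layout on Windows 10: 8-byte version, 8-byte original size, 8-byte FILETIME deletion time, 4-byte path length in characters, UTF-16LE path; version 1 on Vista to 8.1 has a fixed 520-byte path buffer instead of a length). The samparse output, the file path and the deletion time below are constructed sample data; only the SID is the one listed above.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

WIN_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Windows FILETIME (100-ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return WIN_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse conversion, integer arithmetic so no float rounding creeps in."""
    delta = dt - WIN_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def split_sid(sid):
    """'S-1-5-21-a-b-c-1005' -> ('S-1-5-21-a-b-c', 1005)."""
    head, _, rid = sid.rpartition("-")
    return head, int(rid)


def is_builtin_rid(rid):
    """RIDs below 1000 are well-known accounts (500 Administrator, 501 Guest, ...)."""
    return rid < 1000


SAMPARSE_LINE = re.compile(r"^Username\s*:\s*(\S+)\s*\[(\d+)\]")


def count_human_users(samparse_output):
    """Names of accounts with RID >= 1000 in RegRipper samparse output."""
    users = []
    for line in samparse_output.splitlines():
        m = SAMPARSE_LINE.match(line.strip())
        if m and not is_builtin_rid(int(m.group(2))):
            users.append(m.group(1))
    return users


def parse_recycle_i(data):
    """Parse a $Recycle.Bin/<SID>/$I<id> metadata file (version 1 or 2)."""
    version, original_size, deleted_ft = struct.unpack_from("<QQQ", data, 0)
    if version == 2:
        nchars, = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
    elif version == 1:
        raw = data[24:24 + 520]            # fixed 260-character UTF-16LE buffer
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {"version": version, "original_size": original_size,
            "deleted_utc": filetime_to_datetime(deleted_ft), "original_path": path}


def build_recycle_i(path, size, deleted_utc):
    """Construct a version-2 $I record (sample data for this example)."""
    encoded = (path + "\x00").encode("utf-16-le")
    return struct.pack("<QQQI", 2, size, datetime_to_filetime(deleted_utc), len(encoded) // 2) + encoded


def attribute_trash(bin_dirname, i_data):
    """Tie a $I file back to the account whose $Recycle.Bin folder holds it."""
    machine_sid, rid = split_sid(bin_dirname)
    meta = parse_recycle_i(i_data)
    meta.update({"machine_sid": machine_sid, "rid": rid})
    return meta


# Constructed samples (not taken from the image); the SID is the one from the write-up.
SAMPLE_SAMPARSE = """Username        : Administrator [500]
Username        : Guest [501]
Username        : DefaultAccount [503]
Username        : WDAGUtilityAccount [504]
Username        : admin [1000]
Username        : tim.apple [1001]
Username        : hansel.apricot [1005]
"""
SAMPLE_DELETED = datetime(2020, 4, 5, 3, 49, 54, tzinfo=timezone.utc)
SAMPLE_I = build_recycle_i(r"C:\Users\hansel.apricot\Pictures\dog.jpg", 48213, SAMPLE_DELETED)

if __name__ == "__main__":
    print(count_human_users(SAMPLE_SAMPARSE))
    print(attribute_trash("S-1-5-21-2446097003-76624807-2828106174-1005", SAMPLE_I))
```

On a real export, iterate over `Part2/root/$Recycle.Bin/<SID>/$I*` and pair each `$I` with the `$R` file of the same id; the `$I` record gives the original path and deletion time, which is what you need to say who deleted what and when.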
11. How many web browsers are present?
We can list the contents of each user's AppData directory to see what's inside:
ls -la Part2/root/Users/*/AppData/*
There are entries for Mozilla Firefox, Internet Explorer, Edge and Chrome. There is also an additional web browser in Part2/root/Program1, which is Tor. In total, there are five browsers installed.
Answer: 5
12. How many super secret CEO plans does Tim have? (Dr. Doofenshmirtz Type Beat)
Inside tim.apple/Documents directory there is a file named ‘secret.odt’
libreoffice Part2/root/Users/tim.apple/Documents/secret.odt

Only three secrets are visible, but changing the font to another color shows the last secret, which is ‘Fire Jim Tomato’.
Answer: 4
13. Which employee does Tim plan to fire?
(He’s Dead, Tim. Enter the full name – two words – space separated)
This follows Question 12, where we found that he wishes to fire Jim Tomato.
Answer: Jim Tomato
14. What was the last used username?
(I didn’t start this conversation, but I’m ending it!)
Using RegRipper:
rip.pl -r Part2/root/Windows/System32/config/SOFTWARE -p lastloggedon

Answer: miriam.grapes
?? Apparently the answer is jim.tomato
*EDIT months later: the information is actually in the SOFTWARE hive, but under LastUsedUsername:
regfexport Part2/root/Windows/System32/config/SOFTWARE > software.txt
cat software.txt | grep -a LastUsedUsername -B 10 -A 10

15. What was the role of the employee Tim was flirting with?
Using grep to find potential files in tim.apple’s directory:
grep -r -i -l 'flirt' Part2/root/Users/tim.apple
The matches are all in Firefox-related files, including ‘places.sqlite’. We can use strings directly on places.sqlite since the answer should be in the database:
strings Part2/root/Users/tim.apple/AppData/Roaming/Mozilla/Firefox/Profiles/d6kc02w6.default-release/places.sqlite | grep -i flirt

The last line shows that Tim searched for ‘it ok to flirt with my secretary’ in Google.
Answer: secretary
16. What is the SID of the user "suzy.strawberry"?
Referring to Question 2, suzy.strawberry’s SID is 1004.
Answer: 1004
17. List the file path for the install location of the Tor Browser.
In Question 11, we established that Tor is installed in Program1.
Answer: C:\Program1
18. What was the URL for the Youtube video watched by Jim?
Looking for the url ‘youtube.com’ in Jim’s directory:
grep -r -l "youtube.com" Part2/root/Users/jim.tomato
##Returning Chrome matches, so we can copy the History database:
find Part2/root/Users/jim.tomato -name 'History' -exec cp "{}" History-jim.db \;
sqlitebrowser History-jim.db

In the urls table, filtering the url column with ‘youtube’ returns only one row:
19. Which user installed LibreCAD on the system?
Using find with a wildcard:
find . -name "Libre*"

In miriam.grapes' Downloads directory there is the LibreCAD installer, which means she must have been the one to install it on the system.
Answer: miriam.grapes
20. How many times "admin" logged into the system?
Using RegRipper:
rip.pl -r Part2/root/Windows/System32/config/SAM -p samparse | grep admin -A 10

The user admin logged in ten times.
Answer: 10
21. What is the name of the DHCP domain the device was connected to?
Using RegRipper:
rip.pl -r Part2/root/Windows/System32/config/SYSTEM -p ips

Answer: fruitinc.xyz
22. What time did Tim download his background image?
(Oh Boy 3AM. Answer in MM/DD/YYYY HH:MM format (UTC).)
Using find on Tim’s directory for potential file matches:
find Part2/root/Users/tim.apple -name "*.jpeg" -o -name "*.jpg" -o -name "*.png"
It returns many .png files in OneDrive and Chrome; however, there is only one .jpg file, in Pictures/Saved Pictures. Using exiftool:
exiftool 'Part2/root/Users/tim.apple/Pictures/Saved Pictures/hqdefault.jpg'

The file was downloaded on 2020:04:05 at 03:49:54.
Answer: 04/05/2020 03:49
23. How many times did Jim launch the Tor Browser?
Using RegRipper:
rip.pl -r Part2/root/Users/jim.tomato/NTUSER.DAT -p recentapps

The executable is firefox.exe in Program1, where Tor Browser is installed.
Answer: 2
24. There is a png photo of an iPhone in Grapes's files. Find it and provide the SHA-1 hash.
There is no png in Grapes' files. I literally spent so much time on this, analyzing the cache, the databases, etc.
What I didn't think of is that a jpeg/jpg could be concealing a png, which was the case.
find Part2/root/Users/miriam.grapes -name "*.jpg" -o -name "*.jpeg"
Multiple files return. To check if they can be concealing a png, we can run this one liner:
find Part2/root/Users/miriam.grapes -name "*.jpg" -exec binwalk "{}" \;
#One match for PNG, which is Part2/root/Users/miriam.grapes/Downloads/samplePhone.jpg
We can extract the file by running:
cp Part2/root/Users/miriam.grapes/Downloads/samplePhone.jpg .
binwalk --dd=".*" samplePhone.jpg
file _samplePhone.jpg.extracted/*

File 174A is a png of an iPhone:

Its sha1 hash is 537fe19a560ba3578d2f9095dc2f591489ff2cde.
Answer: 537fe19a560ba3578d2f9095dc2f591489ff2cde
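binwalk finds the embedded PNG by signature; carving it exactly (so that the SHA-1 matches) requires walking the PNG chunk chain to IEND. The following added example, not part of the write-up and not binwalk's code, does that: it scans a blob for the PNG signature, validates every chunk's CRC-32, stops at IEND, and returns the carved bytes with their SHA-1, rejecting signature hits whose chunk chain is truncated or corrupt. The JPEG wrapper and the 1x1 PNG are constructed sample data; a real image would be read from `samplePhone.jpg`.

```python
import hashlib
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _walk_png(blob, start):
    """Return the end offset of a structurally valid PNG at `start`, else None."""
    pos = start + len(PNG_SIG)
    while pos + 12 <= len(blob):
        length, ctype = struct.unpack_from(">I4s", blob, pos)
        data = blob[pos + 8:pos + 8 + length]
        if len(data) != length:
            return None                                   # truncated chunk
        crc, = struct.unpack_from(">I", blob, pos + 8 + length)
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            return None                                   # bad CRC: not a real chunk
        pos += 12 + length
        if ctype == b"IEND":
            return pos
    return None                                           # ran off the end before IEND


def carve_pngs(blob):
    """Carve every PNG whose chunk chain validates through IEND."""
    found = []
    start = blob.find(PNG_SIG)
    while start != -1:
        end = _walk_png(blob, start)
        if end is None:
            start = blob.find(PNG_SIG, start + 1)        # false positive, keep scanning
            continue
        png = blob[start:end]
        found.append({"offset": start, "size": len(png), "data": png,
                      "sha1": hashlib.sha1(png).hexdigest()})
        start = blob.find(PNG_SIG, end)
    return found


def _chunk(ctype, data):
    return (struct.pack(">I", len(data)) + ctype + data
            + struct.pack(">I", zlib.crc32(ctype + data) & 0xFFFFFFFF))


def build_sample_png():
    """Construct a minimal 1x1 RGB PNG (sample data, not the challenge image)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit, truecolour
    idat = zlib.compress(b"\x00\xff\x00\x00")             # filter byte + one red pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def build_sample_jpeg_with_png():
    """A JPEG-looking file (SOI + APP0 stub + EOI) with a PNG hidden after the JPEG data."""
    jpeg_part = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(64) + b"\xff\xd9"
    return jpeg_part + b"constructed-filler" + build_sample_png()


if __name__ == "__main__":
    # with open("samplePhone.jpg", "rb") as fh: blob = fh.read()
    for hit in carve_pngs(build_sample_jpeg_with_png()):
        print(hit["offset"], hit["size"], hit["sha1"])
```

The CRC check is what separates a carver from a signature grep: text such as `\x89PNG` inside an unrelated file produces a signature hit but no valid chunk chain, so it is skipped instead of producing a junk "extracted" file.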
25. When was the last time a docx file was opened on the device?
(An apple a day keeps the docx away. Answer in UTC, YYYY-MM-DD HH:MM:SS)
Using RegRipper:
find . -name "NTUSER.DAT"
rip.pl -r ./Part2/root/Users/tim.apple/NTUSER.DAT -p recentdocs
rip.pl -r ./Part2/root/Users/jim.tomato/NTUSER.DAT -p recentdocs
rip.pl -r ./Part2/root/Users/miriam.grapes/NTUSER.DAT -p recentdocs
rip.pl -r ./Part2/root/Users/admin/NTUSER.DAT -p recentdocs
The only hive that returns .docx is jim.tomato’s:

Answer: 2020-04-11 23:23:36
26. How many entries does the MFT of the filesystem have?
Using mftdump:
cd ~/packs/mftdump
python2.7 mftdump.py ~/Documents/CyberDefenders/CorporateSecrets/Part2/root/'$MFT' > ~/Documents/CyberDefenders/CorporateSecrets/MFT.txt
cd ~/Documents/CyberDefenders/CorporateSecrets/
cat MFT.txt | head -n 10

To count the total number of records parsed, we can print the file and pipe the output to 'wc -l'. Before doing that, it's important to check the file structure. Above, you can see that the first two lines are header lines, so we will need to subtract 2 from the total number of lines:
cat MFT.txt | wc -l
##returns 219906
There are 219904 records, since 219906 - 2 = 219904.
Answer: 219904
27. Tim wanted to fire an employee because they were ......?
(Be careful what you wish for)
Using grep to find where Tim could have mentioned he wanted to fire an employee:
grep -r -i -l 'employee' Part2/root/Users/tim.apple
There are multiple matches in Chrome. We can copy Tim's Chrome History database into the working directory and open it with sqlitebrowser:
find Part2/root/Users/tim.apple -name 'History' -exec cp "{}" Tim-Chrome.db \;
sqlitebrowser Tim-Chrome.db

In the urls table, Tim has multiple searches related to firing a ‘stinky employee’.
Answer: stinky
28. What cloud service was a Startup item for the user admin?
Using RegRipper:
rip.pl -r Part2/root/Users/admin/NTUSER.DAT -p run

Answer: OneDrive
29. Which Firefox prefetch file has the most runtimes?
(Flag format is)
Using PrefetchRunCounts :
cd ~/packs/prefetchruncounts
python prefetchruncounts.py ~/Documents/CyberDefenders/CorporateSecrets/Part2/root/Windows/Prefetch
cat Prefetch_run_count.csv | grep "FIREFOX"
The prefetch file ‘FIREFOX.EXE-A606B53C.pf’ ran a total of 21 times:

Answer: FIREFOX.EXE-A606B53C.pf/21
30. What was the last IP address the machine was connected to?
From Question 21, there is only one IP Address that is registered on this device.
Answer: 192.168.2.242
31. Which user had the most items pinned to their taskbar?
The taskbar items are located in C:\Users\USERNAME\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar
find Part2/root/Users -type d -name 'TaskBar' -exec ls -la "{}" \;

One of the users has a Firefox.lnk file in the taskbar. To find out which user it is, we can do:
find Part2/root/Users -type f -name 'Firefox.lnk'
Answer: admin
32. What was the last run date of the executable with an MFT record number of 164885?
(Format: MM/DD/YYYY HH:MM:SS (UTC).)
Using parseMFT.py:
parseMFT.py --csv -o mft.csv 'Part2/root/$MFT'
cat mft.csv | grep 164885

The executable is /Program Files/7-Zip/7zG.exe. To find the last run date, we can use the Prefetch_run_count.csv previously created:
cat Prefetch_run_count.csv | grep '7ZG'

The last time it ran was on 2020-04-12 at 02:32:09.
Answer: 2020-04-12 02:32:09
33. What is the log file sequence number for the file "fruit_Assortment.jpg"?
To parse the $MFT file in a more detailed/in-depth manner we can use ntfs_parser:
ntfs_parser --mft 'Part2/root/$MFT'
cat mft.csv | head -n 1
By printing the header of the csv file we can figure out where the log file sequence number is, which is the 5th column:

Now we can simply grep for the filename:
cat mft.csv | grep fruit_Assortment.jpg

The fifth entry is the log file sequence number, which is 1276820064.
Answer: 1276820064
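Questions 26, 32 and 33 all come down to fields in the 1024-byte FILE record header: the $LogFile sequence number at offset 8, the in-use/directory flags at offset 22 and the record number at offset 44 (NTFS 3.1 and later), with the file name in the resident $FILE_NAME attribute (type 0x30, name length at offset 64 of its body, UTF-16LE name at offset 66). The following is an added example, not code from mftdump, parseMFT or ntfs_parser: it applies the update-sequence fixups (which a naive parser forgets, and which would corrupt a name straddling a sector boundary), parses the header and $FILE_NAME, counts slots, and looks records up by number or name. The records it parses are constructed in `build_record`; only the LSN 1276820064 for fruit_Assortment.jpg is taken from the write-up, and its record number here is an assumption.

```python
import struct

RECORD_SIZE = 1024          # MFT record size on practically every NTFS volume
SECTOR_SIZE = 512
ATTR_FILE_NAME = 0x30
ATTR_END = 0xFFFFFFFF


def apply_fixups(rec):
    """Restore the last two bytes of each sector from the update sequence array.
    A mismatch means a torn write or a corrupt record and must not be ignored."""
    rec = bytearray(rec)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        end = i * SECTOR_SIZE
        if rec[end - 2:end] != usn:
            raise ValueError(f"update sequence mismatch in sector {i}")
        rec[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)


def parse_record(rec):
    """Parse one FILE record: header fields plus the name from $FILE_NAME."""
    if rec[:4] != b"FILE":
        return None                                   # zeroed slot or BAAD record
    rec = apply_fixups(rec)
    lsn, = struct.unpack_from("<Q", rec, 8)           # $LogFile sequence number
    attr_off, flags = struct.unpack_from("<HH", rec, 20)
    recno, = struct.unpack_from("<I", rec, 44)        # record number (NTFS 3.1+)
    name, off = None, attr_off
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        if atype == ATTR_FILE_NAME and rec[off + 8] == 0:     # resident attribute
            clen, coff = struct.unpack_from("<IH", rec, off + 16)
            body = rec[off + coff:off + coff + clen]
            nlen, namespace = body[64], body[65]
            candidate = body[66:66 + 2 * nlen].decode("utf-16-le")
            if name is None or namespace != 2:         # prefer the long name over DOS 8.3
                name = candidate
        off += alen
    return {"record_number": recno, "lsn": lsn, "in_use": bool(flags & 1),
            "is_directory": bool(flags & 2), "name": name}


def parse_mft(data):
    """Return (number of slots, parsed records); slot index == record number on a healthy MFT."""
    slots = len(data) // RECORD_SIZE
    parsed = (parse_record(data[i * RECORD_SIZE:(i + 1) * RECORD_SIZE]) for i in range(slots))
    return slots, [r for r in parsed if r is not None]


def find_record(records, record_number=None, name=None):
    for r in records:
        if (record_number is None or r["record_number"] == record_number) and \
           (name is None or r["name"] == name):
            return r
    return None


def build_record(recno, lsn, name, is_directory=False):
    """Construct a sample FILE record with one $FILE_NAME attribute and real fixups."""
    fn_body = (struct.pack("<Q", 5) + bytes(32) + struct.pack("<QQII", 0, 0, 0, 0)
               + struct.pack("<BB", len(name), 1) + name.encode("utf-16-le"))
    alen = (24 + len(fn_body) + 7) & ~7
    attr = struct.pack("<IIBBHHHIHBB", ATTR_FILE_NAME, alen, 0, 0, 24, 0, 0, len(fn_body), 24, 0, 0)
    body = (attr + fn_body).ljust(alen, b"\x00") + struct.pack("<I", ATTR_END)
    flags = 1 | (2 if is_directory else 0)
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 48, 3, lsn, 1, 1, 56, flags,
                      56 + len(body), RECORD_SIZE, 0, 0, 0, recno)
    rec = bytearray((hdr + bytes(8) + body).ljust(RECORD_SIZE, b"\x00"))
    rec[48:50] = b"\x07\x00"                            # update sequence number (arbitrary)
    for i, end in enumerate((SECTOR_SIZE, RECORD_SIZE), start=1):
        rec[48 + 2 * i:48 + 2 * i + 2] = rec[end - 2:end]   # save the real sector-end bytes
        rec[end - 2:end] = b"\x07\x00"                       # and stamp the USN in their place
    return bytes(rec)


if __name__ == "__main__":
    # with open("Part2/root/$MFT", "rb") as fh: data = fh.read()
    data = b"".join([build_record(0, 100, "$MFT"), build_record(5, 200, ".", True),
                     build_record(7, 1276820064, "fruit_Assortment.jpg")])
    slots, records = parse_mft(data)
    print(slots, find_record(records, name="fruit_Assortment.jpg"))
```

Two details worth remembering when comparing against CSV output from other tools: the slot count includes unused and zeroed records (so it can differ from "records parsed"), and record numbers come from offset 44 rather than from the slot index, which lets you detect a record that was copied into the wrong slot.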
34. Jim has some dirt on the company stored in a docx file.
Find it, the flag is the fourth secret, in the format of <“The flag is a sentence you put in quotes”>.
(Secrets, secrets are no fun)
find Part2/root/Users/jim.tomato -name "*.docx"
#Returns Part2/root/Users/jim.tomato/Desktop/Document1.docx
There is nothing of interest in this file. Perhaps it’s in the RecycleBin:
find Part2/root/'$Recycle.Bin' -name "*.docx"
##Returns all matches for user with RID 1003, which is jim!
##copying matches
find Part2/root/'$Recycle.Bin' -name "*.docx" -exec cp "{}" . \;
We can open the files to see if there’s anything pointing to those secrets:
libreoffice '$RQ1FSDY.docx'
libreoffice '$RK6JCRY.docx'
'$RK6JCRY.docx' opens normally and is basically the same file as the one on jim.tomato's Desktop. '$RQ1FSDY.docx' returns an error, and LibreOffice asks for permission to repair the file. We can check what's up with binwalk:
binwalk '$RQ1FSDY.docx'

So binwalk shows that the file is a zip archive rather than a normal document. We can unzip it into a new directory and check its contents:
unzip '$RQ1FSDY.docx' -d RQ1
ls -la RQ1/Document1

The file 'Content.xml' is atypical and shouldn't be part of a docx file. We can check whether it's actually XML:
file RQ1/Document1/Content.xml
#Returns: RQ1/Document1/Content.xml: Microsoft Word 2007+
#We can try to open it with Libreoffice
libreoffice RQ1/Document1/Content.xml
Here are the four company secrets:

Answer: Customer data is not stored securely
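A .docx is a zip package whose members are declared in [Content_Types].xml, so "a zip that is not a normal document" can be detected mechanically: a member that no Default or Override entry accounts for, or a member whose bytes do not match its extension (an .xml that starts with PK is another zip, here a whole document hidden inside). The following is an added example, not part of the write-up and not LibreOffice's or binwalk's code; it generalises to .xlsx and .pptx since all three share the same package layout. The minimal document and the disguised container it audits are constructed in the two builder functions; the nested text is a placeholder, not the challenge's secret.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
MAGIC = [(b"PK\x03\x04", "zip"), (b"\x89PNG\r\n\x1a\n", "png"),
         (b"\xff\xd8\xff", "jpeg"), (b"<?xml", "xml"), (b"<", "xml")]


def sniff(head):
    """Cheap content sniff on the first bytes of a member."""
    for magic, kind in MAGIC:
        if head.startswith(magic):
            return kind
    return "unknown"


def audit_ooxml(data):
    """List (member, issue) pairs for parts an OOXML package does not account for."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        defaults, overrides = set(), set()
        if "[Content_Types].xml" in names:
            root = ET.fromstring(z.read("[Content_Types].xml"))
            defaults = {d.get("Extension", "").lower() for d in root.iter(CT_NS + "Default")}
            overrides = {o.get("PartName", "") for o in root.iter(CT_NS + "Override")}
        else:
            findings.append(("[Content_Types].xml", "missing: zip is not an OOXML package"))
        for name in names:
            if name == "[Content_Types].xml" or name.endswith("/"):
                continue
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            kind = sniff(z.read(name)[:8])
            if "/" + name not in overrides and ext not in defaults:
                findings.append((name, "undeclared part"))
            if kind == "zip":
                findings.append((name, "embedded zip (nested document?)"))
            elif ext == "xml" and kind != "xml":
                findings.append((name, f"extension says xml, content looks like {kind}"))
    return findings


def build_minimal_docx(body_text):
    """Construct the smallest plausible .docx (sample data, not the challenge file)."""
    ct = ('<?xml version="1.0" encoding="UTF-8"?>'
          '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
          '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
          '<Default Extension="xml" ContentType="application/xml"/>'
          '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
          '</Types>')
    rels = ('<?xml version="1.0" encoding="UTF-8"?>'
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>'
            '</Relationships>')
    doc = ('<?xml version="1.0" encoding="UTF-8"?>'
           '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
           f'<w:body><w:p><w:r><w:t>{body_text}</w:t></w:r></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", ct)
        z.writestr("_rels/.rels", rels)
        z.writestr("word/document.xml", doc)
    return buf.getvalue()


def build_disguised_container(inner_docx):
    """A plain zip renamed to .docx whose only member is a real document under an XML name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Document1/Content.xml", inner_docx)
    return buf.getvalue()


if __name__ == "__main__":
    # with open("$RQ1FSDY.docx", "rb") as fh: print(audit_ooxml(fh.read()))
    print(audit_ooxml(build_minimal_docx("placeholder secret")))
    print(audit_ooxml(build_disguised_container(build_minimal_docx("placeholder secret"))))
```

Run over every .docx on the image (including the Recycle Bin copies) this turns the "LibreOffice asks to repair it" hint into a repeatable check, and it also catches the opposite trick of a normal-looking package carrying one extra undeclared part.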
35. In the company Slack, what is threatened to be deactivated if the user gets their email deactivated?
Let’s find the Slack directory first:
find . -type d -name 'Slack'
##returns ./Part2/root/Users/hansel.apricot/AppData/Roaming/Slack
grep -r -i 'deactivate' ./Part2/root/Users/hansel.apricot/AppData/Roaming/Slack
The majority of the files returned are in the CacheStorage directory. One of the log files in IndexedDB is also a match, and IndexedDB is the best place to look for such evidence.
strings ./Part2/root/Users/hansel.apricot/AppData/Roaming/Slack/IndexedDB/https_app.slack.com_0.indexeddb.leveldb/000003.log | grep -i 'deactivate'
This doesn’t return much. If we do the same for email, there is an interesting string:
strings ./Part2/root/Users/hansel.apricot/AppData/Roaming/Slack/IndexedDB/https_app.slack.com_0.indexeddb.leveldb/000003.log | grep -i 'email'

Each message starts with 'text"', so we can use this little one-liner to make it easier to print:
strings ./Part2/root/Users/hansel.apricot/AppData/Roaming/Slack/IndexedDB/https_app.slack.com_0.indexeddb.leveldb/000003.log | grep 'text"' > textslack.txt
cat textslack.txt

So apparently the answer is kneecaps, and those messages are from the Slack bot…
Answer: kneecaps
TLDR
– This is a complete Windows Forensics challenge that requires a good knowledge of the Windows OS.
– The last question is very hard to find, but can actually be found in the ‘matching’ pcap of the WireDive challenge.