Category: Endpoint Forensics
Level : Medium
Challenge Download Link : https://cyberdefenders.org/blueteam-ctf-challenges/enroll/33
Instructions:
Uncompress the challenge (pass: cyberdefenders.org)
A Windows forensics challenge prepared by Champlain College Digital Forensics Association for their yearly CTF.
Windows Image Forensics Case created By AccessData® FTK® Imager 4.2.1.4
Acquired using: ADI4.2.1.4
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Information for F:\DFA_Windows\DFA_SP2020_Windows:
Physical Evidentiary Item (Source) Information:
- [Device Info]
- Source Type: Physical
- [Drive Geometry]
- Cylinders: 6,527
- Heads: 255
- Sectors per Track: 63
- Bytes per Sector: 512
- Sector Count: 104,857,600
[Physical Drive Information]
- Drive Interface Type: lsilogic [Image]
- Image Type: VMWare Virtual Disk
- Source data size: 51200 MB
- Sector count: 104857600
[Computed Hashes]
- MD5 checksum: e5fe043aa84454237438cdb2b78d08b3
- SHA1 checksum: ada83cd44e294ab840fa7acd77cf77e81c3431b3
Tools:
First of all, we need to dump some important registry hives:
- SAM
- SECURITY
- SOFTWARE
- SYSTEM
Now load these hives into Registry Explorer :
Q1-What is the current build number on the system?
- Go to Software\Microsoft\Windows NT\CurrentVersion :
THE ANSWER : 16299
Q2-How many users are there?
- Go to /Root/Users; as you can see there are 6 users :
- Or Go to SAM\Domains\Account\Users , and count the users :
THE ANSWER : 6
Q3-What is the CRC64 hash of the file “fruit_apricot.jpg”?
- First we need to find that file
- Go to root/Users/hansel.apricot/Pictures/saved Pictures :
- Now dump this picture and go to this site to calculate the hash :
THE ANSWER : ED865AA6DFD756BF
Q4-What is the logical size of the file “strawberry.jpg” in bytes?
- Go to root/Users/suzy.strawberry/Pictures :
- Now look at file properties :
THE ANSWER : 72448
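Q3 and Q4 both come down to reading the exported file as bytes and reporting its logical size and hashes. The block below is an added example (not part of the original write-up) that does this offline; the write-up does not say which CRC64 variant the online calculator used, so this implementation assumes CRC-64/XZ (the reflected ECMA-182 variant used by the xz utilities), and the check string "123456789" is a constructed input.

```python
import hashlib

# Reflected form of the ECMA-182 polynomial, as used by CRC-64/XZ (assumed variant)
CRC64_XZ_POLY = 0xC96C5795D7870F42


def crc64_xz(data: bytes) -> int:
    """Bit-serial CRC-64/XZ: init and final XOR are all ones, input reflected."""
    crc = 0xFFFFFFFFFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ (CRC64_XZ_POLY if crc & 1 else 0)
    return crc ^ 0xFFFFFFFFFFFFFFFF


def digest_bytes(data: bytes) -> dict:
    """Logical size plus the hashes the questions ask for, in upper-case hex."""
    return {
        "logical_size": len(data),
        "crc64": f"{crc64_xz(data):016X}",
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "md5": hashlib.md5(data).hexdigest().upper(),
    }


def digest_file(path: str) -> dict:
    """Same report for a file exported from the image; the file is only read."""
    with open(path, "rb") as fh:
        return digest_bytes(fh.read())


if __name__ == "__main__":
    # Constructed sample input; "123456789" is the standard CRC check string
    print(digest_bytes(b"123456789"))
```

Run `digest_file("fruit_apricot.jpg")` on the exported picture to get the size, CRC64, SHA-1 and MD5 in one pass; if the CRC64 does not match the online tool, the tool is using a different CRC-64 variant (there are several), not a different file.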
Q5-What is the processor architecture of the system? (one word)
- Go to System\ControlSet001\Control\Session Manager\Environment :
THE ANSWER : AMD64
Q6-Which user has a photo of a dog in their recycling bin?
- Now we need to check the recycling bin to find that photo
- After some searching I found that photo :
- Now look at photo properties :
THE ANSWER : hansel.apricot
Q7-What type of file is “vegetable”? Provide the extension without a dot.
- After some time I found that file.
- Go to root/Users/miriam.grapes/Pictures/vegetable :
- Now open the file and check the magic number
- Now go here and search with the magic number :
THE ANSWER : 7Z
Q8-What type of girls does Miriam Grapes design phones for (Target audience)?
- We need to check Miriam's Firefox browser history
- Open Users\miriam.grapes\AppData\Roaming\Mozilla\Firefox\Profiles\9far2v52.default-release\places.sqlite in any SQlite database viewer :
- Dump this file and open it with SQLite :
THE ANSWER : VSCO
Q9-What is the name of the device?
- Go to System\ControlSet001\Control\ComputerName\ComputerName
THE ANSWER : DESKTOP-3A4NLVQ
Q10-What is the SID of the machine?
- Go to SAM\Domains\Builtin\Aliases
- As we know, the SID of a user is the SID of the machine followed by a relative identifier (RID) that is unique to that user.
- So the SID is S-1-5-21-2446097003-76624807-2828106174
THE ANSWER : S-1-5-21-2446097003-76624807-2828106174
Q12-How many super secret CEO plans does Tim have?
(Dr. Doofenshmirtz Type Beat)
- Now go to root/Users/tim.apple/Documents/secret.odt and dump the file :
- Now open the document :
- If we change the page color, another secret appears
THE ANSWER : 4
Q13-Which employee does Tim plan to fire?
(He’s Dead, Tim. Enter the full name — two words — space separated)
- From Q12 the answer is Jim Tomato :
THE ANSWER : Jim Tomato
Q14-What was the last used username?
(I didn’t start this conversation, but I’m ending it!)
- Go to SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
THE ANSWER : jim.tomato
Q15-What was the role of the employee Tim was flirting with?
- We need to check Tim's Firefox browser history
- Go to : Users\tim.apple\AppData\Roaming\Mozilla\Firefox\Profiles\9far2v52.default-release\places.sqlite , and dump this file :
THE ANSWER : secretary
Q16-What is the SID of the user “suzy.strawberry”?
- Go to SAM\Domains\Account\Users
THE ANSWER : 1004
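Q10 and Q16 are the same piece of arithmetic: assemble the machine SID from the SAM and append a user's RID. The block below is an added example (not from the original write-up) that does this in Python. It assumes that the three subauthorities of the machine SID are the last 12 bytes (little-endian) of the V value under SAM\Domains\Account, and that the per-user subkeys under SAM\Domains\Account\Users are named by RID in hexadecimal; the sample V value is constructed from the SID this write-up recovered.

```python
import struct


def machine_sid_from_account_v(v_value: bytes) -> str:
    """Assumed layout: the machine SID's three subauthorities are the last
    12 bytes of the V value under SAM\\Domains\\Account, little-endian."""
    if len(v_value) < 12:
        raise ValueError("V value too short to hold a machine SID")
    sub1, sub2, sub3 = struct.unpack("<III", v_value[-12:])
    return f"S-1-5-21-{sub1}-{sub2}-{sub3}"


def rid_from_user_key(key_name: str) -> int:
    """User subkeys under SAM\\Domains\\Account\\Users are named by RID in hex (e.g. 000003EC)."""
    return int(key_name, 16)


def user_sid(machine_sid: str, rid: int) -> str:
    """A user's SID is the machine SID with the user's RID appended."""
    return f"{machine_sid}-{rid}"


def build_sample_v() -> bytes:
    """Constructed V value: opaque header bytes followed by the subauthorities
    of the SID recovered in Q10 above."""
    return b"\x00" * 52 + struct.pack("<III", 2446097003, 76624807, 2828106174)


if __name__ == "__main__":
    sid = machine_sid_from_account_v(build_sample_v())
    print(sid)
    print(user_sid(sid, rid_from_user_key("000003EC")))
```

Note that the question-16 answer accepted by the challenge is the bare RID; the full SID of the account is what `user_sid()` returns, which is the form you would match against an owner SID in a file's security descriptor.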
Q17-List the file path for the install location of the Tor Browser.
- First we need to dump prefetch files
- Go to root/Windows/Prefetch , and dump that folder :
- Now open this folder with WinPrefetchView :
- Now search for tor :
THE ANSWER : C:\Program1
Q18-What was the URL for the Youtube video watched by Jim?
- We need to check Jim's Chrome browser history :
- Go to \Users\jim.tomato\AppData\Local\Google\Chrome\User Data
- Now open this file with SQLite :
THE ANSWER : https://www.youtube.com/watch?v=Y-CsIqTFEyY
Q19-Which user installed LibreCAD on the system?
- If we check the miriam.grapes Downloads folder we will find the LibreCAD installer :
THE ANSWER : miriam.grapes
Q20-How many times “admin” logged into the system?
- We need to analyze the SAM file with RegRipper :
- Now open the report file :
THE ANSWER : 10
Q21-What is the name of the DHCP domain the device was connected to?
- Go to System\ControlSet001\Services\Tcpip\Parameters\Interfaces :
THE ANSWER : Fruitinc.xyz
Q22-What time did Tim download his background image?
(Oh Boy 3AM . Answer in MM/DD/YYYY HH:MM format (UTC).)
- Go to root/Users/tim.apple/Pictures/Saved Pictures/hqdefault.jpg :
(I chose this photo because it was the only photo in Tim's directory)
- Now look at file properties :
THE ANSWER : 04/05/2020 03:49
Q23-How many times did Jim launch the Tor Browser?
- First we need to dump Jim's NTUSER.DAT file :
- Now open this file with Registry Explorer :
- Now go to : Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
THE ANSWER : 1
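Registry Explorer decodes the UserAssist entries for you; the block below is an added example (not from the original write-up) showing what it is doing underneath, so the run count can be checked by hand. Value names under the Count key are ROT13-encoded program paths, and on Windows 7 and later each value is a 72-byte record whose run count sits at offset 4 and whose last-execution FILETIME sits at offset 60. The sample entry, its path and its timestamp are constructed for the example.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int):
    """FILETIME = 100-nanosecond ticks since 1601-01-01 UTC; zero means 'never'."""
    if ft == 0:
        return None
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, used here to build the sample record."""
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def decode_userassist_name(value_name: str) -> str:
    """Value names under UserAssist\\{GUID}\\Count are ROT13-encoded paths."""
    return codecs.decode(value_name, "rot13")


def parse_userassist_count(blob: bytes) -> dict:
    """Windows 7+ UserAssist record: run count at offset 4, focus count at 8,
    focus time in milliseconds at 12, last-run FILETIME at offset 60."""
    if len(blob) < 68:
        raise ValueError("UserAssist value too short for the Windows 7+ layout")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", blob, 4)
    last_run = struct.unpack_from("<Q", blob, 60)[0]
    return {
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time": timedelta(milliseconds=focus_ms),
        "last_run": filetime_to_datetime(last_run),
    }


def build_sample_entry():
    """Constructed entry: one launch of a Tor Browser executable at a made-up time."""
    name = codecs.encode(r"C:\Tor Browser\Browser\firefox.exe", "rot13")
    blob = bytearray(72)
    struct.pack_into("<III", blob, 4, 1, 1, 4500)  # run once, focused once, 4.5 s in focus
    when = datetime(2020, 4, 11, 22, 5, 0, tzinfo=timezone.utc)
    struct.pack_into("<Q", blob, 60, datetime_to_filetime(when))
    return name, bytes(blob)


if __name__ == "__main__":
    name, blob = build_sample_entry()
    print(decode_userassist_name(name), parse_userassist_count(blob))
```

When reading a real hive, feed each value's raw bytes to `parse_userassist_count()` and its name to `decode_userassist_name()`; entries whose decoded path ends in firefox.exe under a Tor Browser folder are the ones that answer the question.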
Q24-There is a png photo of an iPhone in Grapes’s files. Find it and provide the SHA-1 hash.
- Go to \Users\miriam.grapes\Downloads\samplePhone.jpg , and dump the jpg file :
- Since the question asks about a PNG file, not a JPG, we need to extract the embedded PNG image.
- I used the foremost tool to extract the PNG image :
- Now calculate the SHA-1 hash :
THE ANSWER : 537FE19A560BA3578D2F9095DC2F591489FF2CDE
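Q7 (identify a file by its magic number) and Q24 (carve an embedded PNG out of a JPG and hash it) are both header-driven, so one added example serves both. The block below is not part of the original write-up and does not use foremost; it matches leading bytes against a small signature table, then walks the PNG chunk structure (length, type, data, CRC) from the signature to IEND so that exactly the embedded image is carved. The 1x1 PNG and the JPEG-looking bytes around it are constructed for the example.

```python
import hashlib
import struct
import zlib

# Leading bytes (magic numbers) for the file types this case turns up
MAGIC = {
    b"\x37\x7a\xbc\xaf\x27\x1c": "7z",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"PK\x03\x04": "zip",
    b"%PDF": "pdf",
}
PNG_SIG = b"\x89PNG\r\n\x1a\n"


def identify(data: bytes):
    """Return the extension matching the leading bytes, or None if unknown."""
    for magic, ext in MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def carve_png(data: bytes, start_at: int = 0):
    """Locate a PNG signature and walk its chunks up to IEND, returning the
    embedded image bytes. Returns None if no complete PNG is present."""
    start = data.find(PNG_SIG, start_at)
    if start < 0:
        return None
    pos = start + len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, pos)
        pos += 8 + length + 4  # chunk header + payload + CRC
        if pos > len(data):
            return None  # truncated chunk: the image is incomplete
        if ctype == b"IEND":
            return data[start:pos]
    return None


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest().upper()


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    """Build one PNG chunk with its CRC over type + payload."""
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload))


def build_sample():
    """Constructed 1x1 grayscale PNG wrapped in JPEG-looking bytes."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one 8-bit gray pixel
    png = PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
    jpg = b"\xff\xd8\xff\xe0" + b"\x00" * 32 + png + b"\xff\xd9"
    return jpg, png


if __name__ == "__main__":
    jpg, _ = build_sample()
    carved = carve_png(jpg)
    print(identify(jpg), identify(carved), sha1_hex(carved))
```

Walking the chunks matters for the hash: a carver that simply cuts from the PNG signature to end of file would include the JPEG trailer and give a different SHA-1 than the tool the challenge author used.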
Q25-When was the last time a docx file was opened on the device?
(An apple a day keeps the docx away. Answer in UTC, YYYY-MM-DD HH:MM:SS)
- First we need to dump the jim.tomato NTUSER.DAT file :
(I used the hint to identify which user)
- Now load this hive into Registry Explorer :
- Now go to : jimNTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs :
THE ANSWER : 2020-04-11 23:23:36
Q27-Tim wanted to fire an employee because they were ……?(Be careful what you wish for)
- We need to check Tim's browser history
- Go to : \Users\tim.apple\AppData\Local\Google\Chrome\User Data\Default .
- Now dump history file and open it with SQLite :
THE ANSWER : smelly
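Q8, Q15, Q18 and Q27 all query browser history databases, and the one detail a SQLite viewer does not do for you is timestamp conversion: Firefox's places.sqlite stores microseconds since the Unix epoch, while Chrome's History file stores microseconds since 1601-01-01 (WebKit time). The block below is an added example (not from the original write-up) that runs the join you would type in a SQLite viewer against two in-memory databases built with only the columns the queries touch; the rows are constructed, including the example.invalid URLs.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
EPOCH_1970 = datetime(1970, 1, 1, tzinfo=timezone.utc)


def chrome_time(us: int) -> datetime:
    """Chrome stores microseconds since 1601-01-01 UTC (WebKit time)."""
    return EPOCH_1601 + timedelta(microseconds=us)


def firefox_time(us: int) -> datetime:
    """Firefox stores microseconds since the Unix epoch (PRTime)."""
    return EPOCH_1970 + timedelta(microseconds=us)


def to_chrome_time(dt: datetime) -> int:
    return (dt - EPOCH_1601) // timedelta(microseconds=1)


def to_firefox_time(dt: datetime) -> int:
    return (dt - EPOCH_1970) // timedelta(microseconds=1)


def firefox_history(con):
    """Newest-first visits from places.sqlite as (ISO UTC time, url, title)."""
    rows = con.execute("""
        SELECT v.visit_date, p.url, p.title
        FROM moz_historyvisits v JOIN moz_places p ON p.id = v.place_id
        ORDER BY v.visit_date DESC""")
    return [(firefox_time(ts).isoformat(), url, title) for ts, url, title in rows]


def chrome_history(con):
    """Newest-first visits from Chrome's History file as (ISO UTC time, url, title)."""
    rows = con.execute("""
        SELECT v.visit_time, u.url, u.title
        FROM visits v JOIN urls u ON u.id = v.url
        ORDER BY v.visit_time DESC""")
    return [(chrome_time(ts).isoformat(), url, title) for ts, url, title in rows]


def build_samples():
    """Two in-memory databases with constructed rows; real files have many more columns."""
    ff = sqlite3.connect(":memory:")
    ff.executescript("""
        CREATE TABLE moz_places(id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE moz_historyvisits(id INTEGER PRIMARY KEY, place_id INTEGER, visit_date INTEGER);""")
    ff.execute("INSERT INTO moz_places VALUES (1, 'https://example.invalid/phone-design-audience', 'Target audience')")
    ff.execute("INSERT INTO moz_historyvisits VALUES (1, 1, ?)",
               (to_firefox_time(datetime(2020, 4, 3, 15, 30, tzinfo=timezone.utc)),))
    ch = sqlite3.connect(":memory:")
    ch.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);""")
    ch.execute("INSERT INTO urls VALUES (1, 'https://www.youtube.com/watch?v=Y-CsIqTFEyY', 'YouTube')")
    ch.execute("INSERT INTO urls VALUES (2, 'https://example.invalid/search?q=how+to+fire+someone', 'search')")
    ch.execute("INSERT INTO visits VALUES (1, 1, ?)",
               (to_chrome_time(datetime(2020, 4, 10, 13, 46, 40, tzinfo=timezone.utc)),))
    ch.execute("INSERT INTO visits VALUES (2, 2, ?)",
               (to_chrome_time(datetime(2020, 4, 9, 8, 0, tzinfo=timezone.utc)),))
    return ff, ch


if __name__ == "__main__":
    ff, ch = build_samples()
    print(firefox_history(ff))
    print(chrome_history(ch))
```

To use it on the evidence, export places.sqlite or History out of the image first and open the copy with `sqlite3.connect()`; the queries are written against the real column names, so they run unchanged on the exported files.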
Q28-What cloud service was a Startup item for the user admin?
- First we need to dump the admin user's NTUSER.DAT file :
- Now load that file into Registry Explorer :
- Now go to : adminNTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run
THE ANSWER : OneDrive
Q29-Which Firefox prefetch file has the most runtimes?
(Flag format is )
- Now open the prefetch files with WinPrefetchView :
- Now search with “Firefox” :
THE ANSWER : FIREFOX.EXE-A606B53C.pf/21
Q30-What was the last IP address the machine was connected to?
- Go to \SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{f2329ece-8884-4fbd-ad6e-3925da11ddd7} :
THE ANSWER : 192.168.2.242
Q31-Which user had the most items pinned to their taskbar?
- After some searching, I found that Windows stores pinned items in: \Users\username\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar.
- Now go to that path for each user.
- After some time I found that the user admin had the most items pinned to the taskbar :
THE ANSWER : ADMIN
THE END
BY : AHMED NASSER
FOLLOW FOR MORE