Hello dudes,
I hope to find you well.
This is Ali Alaa, and this is my WEEK 1 writeup for the Africa DFIR 2021 CTF by DFIR Science.
This is a Windows forensics challenge, and if you want to find out more about this topic you can try WEEK 1.
So, let’s start…
**Notice: load the image into the Autopsy tool first.
First Question: What date and time was a password list deleted, in UTC? (YYYY-MM-DD HH:MM:SS)
First things first: I noticed that I must change the time zone for the whole image from EET to UTC, so let’s change the time zone.
Find the settings icon and click it,
then under “When displaying times” choose “Use another time zone” > (GMT+0:00) UTC.
Let’s investigate.
He asked for a deleted file, so let’s run the Recent Activity ingest module to get all the activity this user did recently.
“This allows you to see what activity has occurred in the last seven days of usage, what web sites were visited, what the machine did, and what it connected to.”
Right click data source > Run Ingest Modules > Recent Activity > Finish
I waited until the process finished; then all the Recent Activity artifacts were grouped by category and appeared in the tree on the left side.
Then I can see what he deleted in the Recycle Bin; it is one of the artifacts that Recent Activity extracts.
I found only one file.
Here we go, the answer is: 2021-04-29 18:22:17 UTC
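To show what Autopsy is actually reading when it reports that deletion time, here is a small parser I added for this writeup (it is not code from the challenge, from Autopsy, or from the original post) for the $I<random> metadata records that the Recycle Bin keeps next to each deleted file. The record layout follows the Vista+ format, and the sample file name, size and path are constructed. The deletion time is a FILETIME, which is already UTC, so converting it directly gives the answer in the requested format with no time-zone switching:

```python
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME epoch: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ft: int) -> datetime:
    """Convert a FILETIME integer to an aware UTC datetime (sub-microsecond ticks dropped)."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def utc_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_utc; used here only to construct the sample record."""
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_dollar_i(data: bytes) -> dict:
    """Parse a Vista+ $I<random> Recycle Bin record.

    Layout: version (8 bytes LE), original file size (8), deletion time as FILETIME (8),
    then the original path: version 1 = fixed 520-byte UTF-16LE field,
    version 2 (Windows 10+) = 4-byte character count followed by the UTF-16LE path.
    """
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        path = data[24:24 + 520].decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        path = data[28:28 + nchars * 2].decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError(f"unsupported $I version {version}")
    return {"version": version, "size": size, "deleted_utc": filetime_to_utc(ft), "path": path}


def deletion_time_string(data: bytes) -> str:
    """Deletion time in the format the challenge asks for (always UTC)."""
    return parse_dollar_i(data)["deleted_utc"].strftime("%Y-%m-%d %H:%M:%S")


def build_sample_dollar_i(path: str, size: int, deleted_utc: datetime) -> bytes:
    """Construct a version-2 $I record. Sample data only, not taken from the CTF image."""
    encoded = (path + "\x00").encode("utf-16-le")
    return struct.pack("<QQQI", 2, size, utc_to_filetime(deleted_utc), len(path) + 1) + encoded


# Constructed sample: a password list deleted at the time reported in the writeup.
SAMPLE_DOLLAR_I = build_sample_dollar_i(
    r"C:\Users\John Doe\Documents\password-list.txt",
    4096,
    datetime(2021, 4, 29, 18, 22, 17, tzinfo=timezone.utc),
)

if __name__ == "__main__":
    record = parse_dollar_i(SAMPLE_DOLLAR_I)
    print(deletion_time_string(SAMPLE_DOLLAR_I), "UTC", record["path"])
```

The time-zone setting in Autopsy only changes how this same value is displayed; the stored value never moves, which is why switching the display to UTC is the safe way to read it off.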
Second Question: What is the IPv4 address of the FTP server the suspect connected to?
Here I searched for any artifact of an installed program used to establish a connection to an FTP server.
This type of artifact falls under Recent Activity, which I extracted previously.
So, let’s look for it under Installed Programs.
I found “FileZilla”, which is used as an FTP client, so it is a suspicious program that may have been used to connect to the FTP server.
**Notice: FileZilla has configuration files under each user’s profile folder that contain information about servers and connections.
I found all the files related to “FileZilla” there, and then noticed a file called “recentservers.xml” which contains the data for each server the user connected to.
Here we go, the answer is: 192.168.1.20
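Here is what pulling that answer out of recentservers.xml looks like in code. This is an added example, not code from the original post or from FileZilla: the XML is constructed to mirror the recentservers.xml layout (the host is the one from the challenge; the user names, ports and password are made up), and the protocol-code mapping is my assumption from FileZilla’s ServerProtocol enum. It also flags entries that carry a stored credential, which is the main reason this file matters to an investigator:

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on FileZilla's recentservers.xml layout.
SAMPLE_RECENTSERVERS_XML = """<FileZilla3 version="3.53.1" platform="windows">
  <RecentServers>
    <Server>
      <Host>192.168.1.20</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Type>0</Type>
      <User>ftpuser</User>
      <Pass encoding="base64">c2FtcGxl</Pass>
      <Logontype>1</Logontype>
      <PasvMode>MODE_DEFAULT</PasvMode>
      <EncodingType>Auto</EncodingType>
    </Server>
    <Server>
      <Host>files.example.test</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <Type>0</Type>
      <User>backup</User>
      <Logontype>0</Logontype>
    </Server>
  </RecentServers>
</FileZilla3>
"""

# Assumed mapping of FileZilla's <Protocol> codes (from its ServerProtocol enum).
PROTOCOL_NAMES = {"0": "FTP", "1": "SFTP", "3": "FTPS", "4": "FTPES", "6": "INSECURE_FTP"}


def _text(node, tag: str, default: str = "") -> str:
    child = node.find(tag)
    return child.text.strip() if child is not None and child.text else default


def parse_recent_servers(xml_text: str) -> list:
    """Return one dict per <Server> entry: host, port, protocol name, user, and whether a
    credential is stored inline (FileZilla writes it base64-encoded, i.e. trivially recoverable)."""
    root = ET.fromstring(xml_text)
    servers = []
    for srv in root.iter("Server"):
        code = _text(srv, "Protocol")
        servers.append({
            "host": _text(srv, "Host"),
            "port": int(_text(srv, "Port", "0")),
            "protocol": PROTOCOL_NAMES.get(code, f"unknown({code})"),
            "user": _text(srv, "User"),
            "credential_stored": srv.find("Pass") is not None,
        })
    return servers


def ftp_server_hosts(xml_text: str) -> list:
    """Hosts of plain-FTP entries only, which is what the challenge question asks for."""
    return [s["host"] for s in parse_recent_servers(xml_text) if s["protocol"] == "FTP"]


if __name__ == "__main__":
    for s in parse_recent_servers(SAMPLE_RECENTSERVERS_XML):
        print(s)
```

The same approach works for sitemanager.xml in the same folder, which holds the saved (rather than recent) connections and uses the same <Server> element.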
Third Question: What is the MD5 hash value of the suspect disk?
This is an easy one: you can use the FTK Imager tool to calculate the hash of the image, but I used the Autopsy tool.
So, let’s run the Data Source Integrity module, which verifies the hashes if the data source has them associated with it, or calculates them otherwise.
Right click data source > Run Ingest Modules > Data Source Integrity > Finish
After the process finished, select “Data Sources” in the tree, select your data source in the result viewer, and then open the “File Metadata” tab.
Here we go, the answer is: 430d0f91dc30b6c6de407ad622f12427
Fourth Question: What phrase did the suspect search for on 2021-04-29 18:17:38 UTC? (three words)
Every search the user makes in a browser is stored in its history, and to find this artifact (web search keywords from browser history) I must use the Recent Activity module.
This type of artifact falls under Recent Activity, which I extracted previously.
So, let’s see what is inside “Web Search”.
Then I tried to find this specific date and time.
Here we go, the answer is: password cracking list
Fifth Question: What country was the picture “20210429_152043.jpg” allegedly taken in?
Here he asked for geo data, so I investigated to find the EXIF metadata for this image, because it may contain information about where the image was taken, the kind of image, and so on.
To find all the metadata for all images I ran the “Picture Analyzer” module, then navigated to the “EXIF Metadata” tab under Analysis Results.
Then I searched for this image, “20210429_152043.jpg”.
I opened the Analysis Results tab to find its EXIF metadata.
I searched for how I could turn these values into a location and found this site.
I entered these data to get the location.
Here we go, the answer is: ZAMBIA
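The site I used above just does the arithmetic below. As an added example that is not part of the original post, this converts the EXIF GPS values the way they are stored (degrees, minutes and seconds, each a numerator/denominator rational, plus an N/S/E/W reference letter) into signed decimal degrees that any map will accept, and refuses out-of-range results so a zeroed or corrupted GPS IFD does not turn into a plausible-looking location. The coordinates in the sample dictionary are constructed and are not the ones from the challenge image:

```python
from fractions import Fraction


def dms_to_decimal(dms, ref: str) -> float:
    """Convert an EXIF (degrees, minutes, seconds) triplet of (numerator, denominator)
    rationals plus its N/S/E/W reference into signed decimal degrees."""
    degrees, minutes, seconds = (Fraction(num, den) for num, den in dms)
    value = degrees + minutes / 60 + seconds / 3600
    if ref.upper() in ("S", "W"):
        value = -value
    return float(value)


def exif_gps_to_coordinates(gps: dict) -> tuple:
    """Return (latitude, longitude) in decimal degrees, validating the ranges so a
    corrupted or zeroed-out GPS IFD cannot silently produce a bogus location."""
    lat = dms_to_decimal(gps["GPSLatitude"], gps["GPSLatitudeRef"])
    lon = dms_to_decimal(gps["GPSLongitude"], gps["GPSLongitudeRef"])
    if not (-90 <= lat <= 90 and -180 <= lon <= 180):
        raise ValueError(f"coordinates out of range: {lat}, {lon}")
    return lat, lon


# Constructed sample GPS IFD (not the values from the challenge image): a point in Zambia,
# written the way EXIF stores it, as rationals.
SAMPLE_EXIF_GPS = {
    "GPSLatitudeRef": "S",
    "GPSLatitude": ((15, 1), (25, 1), (1234, 100)),     # 15 deg 25' 12.34" S
    "GPSLongitudeRef": "E",
    "GPSLongitude": ((28, 1), (17, 1), (4567, 100)),    # 28 deg 17' 45.67" E
}

if __name__ == "__main__":
    lat, lon = exif_gps_to_coordinates(SAMPLE_EXIF_GPS)
    print(f"{lat:.6f}, {lon:.6f}")  # paste into any mapping site to resolve the country
```

Keep in mind that EXIF GPS data is written by the camera app and is trivially editable, which is why the question says “allegedly”; it is a lead, not proof of where the device was.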
Sixth Question: How many times was Tor Browser run on the suspect computer? (number only)
The first thing that came to my mind was to look for any clue in the “prefetch” files indicating whether “tor” ran or not, and I used the “Autopsy” tool.
This type of artifact falls under Recent Activity, which I extracted previously.
In Autopsy there is a tab called “Run Programs” that lists all the programs that were executed.
Unfortunately, this answer is “WRONG”, but why?
Because this clue happened while “installing” Tor itself, not opening it.
After that I thought of finding another artifact that records the programs executed by the user and counts how many times they were executed: UserAssist.
This keeps a record of all recently launched executable programs and their number of executions.
This clue is found in “NTUSER.DAT” from the user profile, under this key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
So, this program was not executed by the user; the record of “1” comes only from the installation, not an execution of Tor Browser.
Here we go, the answer is: 0
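For the record, here is what a UserAssist entry looks like once parsed, so you can see where the run count and last-run time come from. This is an added example, not part of the original writeup: the value name is ROT13-obfuscated, and the 72-byte value data holds the run counter and a last-run FILETIME at offsets taken from the documented Windows 7+ layout (treat the offsets as an assumption and check them against a known entry before relying on them). The sample name and counters are constructed:

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_userassist_name(value_name: str) -> str:
    """UserAssist value names are ROT13-obfuscated program paths."""
    return codecs.decode(value_name, "rot13")


def parse_userassist_value(data: bytes) -> dict:
    """Parse the 72-byte Windows 7+ UserAssist value data.

    Offsets (assumed from the documented layout): run count at 4, focus count at 8,
    focus time in ms at 12, last-run FILETIME at 60.
    """
    if len(data) < 68:
        raise ValueError("value data too short for the Windows 7+ UserAssist layout")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    (ft,) = struct.unpack_from("<Q", data, 60)
    last_run = None if ft == 0 else EPOCH_1601 + timedelta(microseconds=ft // 10)
    return {
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_ms": focus_ms,
        "last_run_utc": last_run,
    }


def summarize(value_name: str, data: bytes) -> dict:
    """Combine the decoded name and parsed counters into one row as an analyst reads it."""
    row = parse_userassist_value(data)
    row["program"] = decode_userassist_name(value_name)
    row["last_run"] = row["last_run_utc"].strftime("%Y-%m-%d %H:%M:%S") if row["last_run_utc"] else ""
    return row


def build_sample_value(run_count: int, last_run_utc: datetime) -> bytes:
    """Construct 72 bytes of value data for testing (sample only, not from the CTF image)."""
    delta = last_run_utc - EPOCH_1601
    ft = (delta.days * 86400 + delta.seconds) * 10_000_000
    return (struct.pack("<IIII", 0, run_count, 0, 0)  # session, run count, focus count, focus ms
            + b"\x00" * 44                             # ten floats plus 4 unknown bytes
            + struct.pack("<Q", ft)                    # last execution FILETIME at offset 60
            + b"\x00" * 4)


# Constructed sample: ROT13 of "C:\Users\John Doe\Desktop\Tor Browser\Start Tor Browser.exe".
SAMPLE_NAME = r"P:\Hfref\Wbua Qbr\Qrfxgbc\Gbe Oebjfre\Fgneg Gbe Oebjfre.rkr"
SAMPLE_DATA = build_sample_value(1, datetime(2021, 4, 29, 18, 20, 0, tzinfo=timezone.utc))

if __name__ == "__main__":
    print(summarize(SAMPLE_NAME, SAMPLE_DATA))
```

UserAssist only counts launches that go through the Explorer shell (double-click, Start menu, shortcuts), so it is worth reading the run count together with the last-run time and the Prefetch evidence before deciding what a count of 1 means.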
Seventh Question: What is the suspect’s email address?
Here I opened “Web Account Type” to find out how many accounts he used and which website each belongs to.
So, after I opened it, I found this.
After this I searched for this domain with “Keyword Search” to find out more about it, and here is what I found in the “Web History” artifacts.
Here we go, the answer is: dreammaker82@protonmail.com
Eighth Question: What website did the suspect port scan?
This question indicates that the user may have used a program (or programs) to scan a website’s ports, so I searched for such programs in “Installed Programs”.
So, I thought that Nmap was the suspicious program this user was using.
Every pentester/hacker who wants to use nmap as an exe runs it through cmd/PowerShell, so at this point I tried to search for a command history, like .bash_history on Linux.
I found it under this path:
“%userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt”
In Windows it is called “ConsoleHost_history”.
Here we go, the answer is: dfir.science
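As an added example (not from the original post), here is a small scanner over a constructed ConsoleHost_history.txt that flags invocations of port-scanning tools and pulls out what they were pointed at. The tool list and the table of options that consume an argument are assumptions I chose for illustration; the history lines are made up, with the target from the challenge included so the output matches the answer above:

```python
import re

# Constructed sample history; "dfir.science" is the target named in the writeup.
SAMPLE_HISTORY = "\n".join([
    "Get-ChildItem C:\\Users\\John Doe\\Downloads",
    "cd 'C:\\Program Files (x86)\\Nmap'",
    ".\\nmap.exe -sS -p 1-1000 dfir.science",
    "ipconfig /all",
    "nmap -sV -oN scan.txt example.test",
    "Test-NetConnection -ComputerName example.test -Port 443",
])

# Tools whose presence in an interactive history deserves a closer look (assumed list).
RECON_TOOLS = {"nmap", "masscan", "zenmap"}
# Nmap options that consume the following token, so it must not be read as a target (assumed subset).
OPTIONS_WITH_ARG = {"-p", "-oN", "-oX", "-oG", "-oA", "-iL", "--script", "-e", "-S", "-D", "--exclude"}


def _basename(token: str) -> str:
    """'.\\nmap.exe' -> 'nmap'; handles both slash styles and strips the .exe suffix."""
    name = re.split(r"[\\/]", token)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def find_scan_commands(history_text: str) -> list:
    """Walk ConsoleHost_history.txt line by line and return (line number, tool, targets)
    for every invocation of a known port-scanning tool."""
    hits = []
    for lineno, line in enumerate(history_text.splitlines(), start=1):
        tokens = line.strip().split()
        if not tokens:
            continue
        tool = _basename(tokens[0])
        if tool not in RECON_TOOLS:
            continue
        targets, skip_next = [], False
        for tok in tokens[1:]:
            if skip_next:
                skip_next = False
                continue
            if tok in OPTIONS_WITH_ARG:
                skip_next = True
            elif not tok.startswith("-"):
                targets.append(tok)
        hits.append((lineno, tool, targets))
    return hits


def scanned_hosts(history_text: str) -> list:
    """Flat, de-duplicated list of targets in order of first appearance."""
    seen = []
    for _, _, targets in find_scan_commands(history_text):
        for target in targets:
            if target not in seen:
                seen.append(target)
    return seen


if __name__ == "__main__":
    for lineno, tool, targets in find_scan_commands(SAMPLE_HISTORY):
        print(f"line {lineno}: {tool} -> {targets}")
```

PSReadline writes this file only for interactive sessions, so an empty or missing history does not mean nothing was run; Prefetch and the Run Programs artifacts from earlier in the writeup are the cross-check.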
Ninth Question: What folder was the picture “20210429_151535.jpg” in on the original device that created it?
Once I saw the word “device”, I knew there had been a device connected to this machine via USB. Maybe this device was disconnected and I didn’t know about it, but there is an artifact (there are more) that can tell us there was a connected device.
After the device is connected, its folder appears and leaves artifacts in Shellbags.
Shellbags are a set of registry keys which contain details about the folders a user has viewed, such as their size, position, and icon.
So, I searched here for this image and found metadata about it.
I opened “Shellbags” and found this row in the table.
Here we go, the answer is: My Computer\LG Q7\Internal storage\DCIM\Camera
Tenth Question: The Windows password hashes for the suspect account are below. What is the user’s password?
John Doe:1001:aad3b435b51404eeaad3b435b51404ee:3DE1A36F6DDB8E036DFD75e8e20c4af4:::
I learned about this NTLM hash format from here, and after reading the article I understood the difference between NT and LM.
aad3b435b51404eeaad3b435b51404ee = LM
3DE1A36F6DDB8E036DFD75e8e20c4af4 = NT
Here I found that the most important hash, the one I must focus on, is NT.
The NT hash is calculated over the entire password the user entered.
So, I tried to crack it here.
Here we go, the answer is: AFR1CA!
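An added helper, not part of the original writeup, that splits a pwdump-style line and tells you whether the LM field is real hash material or the well-known “no LM hash stored” sentinel (which is what the LM value above is, and why only the NT field matters here). The sample line is the challenge’s own, joined back onto one line:

```python
import re

# Well-known sentinel values: the LM field when no LM hash is stored (LM hashing disabled,
# the default on modern Windows) and the NT field for an empty password.
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"

# The line from the challenge (user:RID:LM:NT:::), joined back onto one line.
SAMPLE_PWDUMP_LINE = "John Doe:1001:aad3b435b51404eeaad3b435b51404ee:3DE1A36F6DDB8E036DFD75e8e20c4af4:::"

_HEX32 = re.compile(r"^[0-9a-f]{32}$")


def parse_pwdump_line(line: str) -> dict:
    """Split a pwdump-format line and classify its hash fields."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        raise ValueError("expected at least user:rid:lm:nt")
    user, rid, lm, nt = parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()
    for label, value in (("LM", lm), ("NT", nt)):
        if not _HEX32.match(value):
            raise ValueError(f"{label} field is not a 32-hex-digit hash: {value!r}")
    return {
        "user": user,
        "rid": rid,
        "lm": lm,
        "nt": nt,
        "lm_stored": lm != EMPTY_LM_HASH,       # True only if a real LM hash is present
        "empty_password": nt == EMPTY_NT_HASH,  # NT hash of "" means the account has no password
    }


def hash_to_focus_on(line: str) -> str:
    """The field that actually carries password material for this account: LM if one is
    stored (a hardening failure worth reporting on its own), otherwise NT."""
    return "LM" if parse_pwdump_line(line)["lm_stored"] else "NT"


if __name__ == "__main__":
    print(parse_pwdump_line(SAMPLE_PWDUMP_LINE), hash_to_focus_on(SAMPLE_PWDUMP_LINE))
```

Seeing the empty-LM sentinel is the expected, hardened state; finding anything else in that field on a dump from a current Windows build is itself a finding.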
Eleventh Question: What is the user “John Doe’s” Windows login password?
For local hash cracking I searched for “Cracking local windows passwords” and found an article that explained how to crack a local hash with a tool called “Mimikatz”; I downloaded it and followed the instructions in that article.
I extracted “SAM” and “SYSTEM”; these are the main files needed to extract the “NTLM” hash with the “Mimikatz” tool.
Then I opened the Mimikatz tool with high privilege (“admin”) and got access to a range of high-privilege areas with:
1- privilege::debug
2- token::elevate
Then I used the LSADUMP module to extract the NTLM hash using SAM and SYSTEM.
After I got the NTLM hash I used the same site to crack it.
Here we go, the answer is: ctf2021
At the end,
I hope you enjoyed this writeup ❤️.