Africa DFIR CTF 2021 — WK01

Ali Alaa
8 min readAug 9, 2023

--

Hello dudes,
I hope to find you well.

This is Ali Alaa and this is WEEK 1 writeup for Africa DFIR 2021 CTF by DFIR science.

This is a Windows forensics challenge and if you wanna find more about this topic you can try WEEK 1.

So, lets start….

**Notice load image first with Autopsy tool.

First Question: what date and time was a password list deleted in UTC? (YYYY-MM-DD HH:MM:SS)

First things first I noticed here I must change time zone from EET to UTC overall image so, lets change time zone..

Find settings icon and click it

Settings option

then find when displaying time > use another time zone > (GMT+0:00) UTC

Change time zone

Lets investigate,

Here he asked for deleted file so, lets run Recent Activity ingest module to get all activity that this user did recently.

“This allows you to see what activity has occured in the last seven days of usage, what web sites were vistied, what the machine did, and what it connected to.”

Right click data source > Run Ingest Modules > Recent Activity > Finish

I waited till process finished then all recent activity artifacts are being grouped by its category and appeared in left side tree.

Left side tree

then I can see what he deleted in Recycle bin it’s an artifact that Recent Activity extracted.

I found only one file

Deleted file

Here we go, the answer is : 2021–04–29 18:22:17 UTC

Second Question: What is the IPv4 address of the FTP server the suspect connected to?

Here I searched for any artifact for any installed program used to established connection to any FTP server.

This type of artifact fall under Recent Activity that I extracted previously.

So, lets looking for it in Installed programs

Installed programs

I found “FileZilla” and it is being used as FTP solution so, it’s a suspicious program may be used to connect FTP server.

**Notice FileZilla has some configurations files fall under every user profile folder that contains related information for servers and connections

I found all files related to “FileZilla” here then I noticed that there was a file called “recentservers.xml” which contains all data for each server that user connected to.

FTP server’s IP

Here we go, the answer is : 192.168.1.20

Third Question: What is the MD5 hash value of the suspect disk?

This is an easy one and you can use FTK Imager tool to calculate hash of image but I used Autopsy tool.

So, lets run Data source integrity Modules to verify hashes if data source associated with it or calculated them.

Right click data source > Run Ingest Modules > Data source integrity > Finish

After process finished select “Data Sources” in the tree, select your data source in the result viewer, and then open the “File Metadata” tab

MD5 Hash

Here we go, the answer is : 430d0f91dc30b6c6de407ad622f12427

Forth Question: What phrase did the suspect search for
on 2021–04–29 18:17:38 UTC? (three words)

Every search that user did using browser it stores in history and to find this artifact web search keywords from browsers history I must use recent activity modules.

This type of artifact fall under Recent Activity that I extracted previously.

So, lets see what inside “Web search

Web search table

Then I tried to find this specific data and time

Web search

Here we go, the answer is : password cracking list

Fifth Question: What country was picture “20210429_152043.jpg” allegedly taken in?

Here he asked for Geo data so, I investigated to find EXIF metadata for this image because it may contains related info for where this image was taken , kind of image and etc.

To find all metadata for all images I ran “Picture Analyzer Module” then I navigated to “EXIF metadata” tab at Analysis Results

Analysis Results

Then I searched for this image “20210429_152043.jpg”.

I opened Analysis results tab to found EXIF metadata

Geo data

I searched to find out how I can get this location and I found this site

I prompted these data to get location

Location

Here we go, the answer is : ZAMBIA

Sixth Question: How many times was Tor Browser ran on the suspect computer? (number only)

First thing came in my mind is to find any clue in “prefetch” files that indicated if “tor” ran or not ? and I used “Autopsy” tool.

This type of artifact fall under Recent Activity that I extracted previously.

In Autopsy there is a tab called “Run programs” to get all programs that were executed

Prefetch files

Unfortunately, this answer is “WRONG” but why ??

because this clue happened while “installing” tor itself not opened it.

After that I thought to find another artifact record executed programs by user and count how many time these executed ? UserAssist.

This keeps a record for all executable programs recently launched and number of executions.

This clue is found in “NTUSER.DAT” from user profile then find this

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist

Last Executed

So, this program not executed by user but record “1” only when installation not execution of tor browser.

Here we go, the answer is : 0

Seventh Question: What is the suspect’s email address?

Here I opened “Web Account Type” to find out how many account he used and belong to which website.

So, After I opened it I found this

Web Accounts

After this I search for this domain with “Keyword search” to find more about this domain and here what I found artifacts in “web history

Clue

Here we go, the answer is : dreammaker82@protonmail.com

Eighth Question: What website did the suspect port scan?

This operation indicated that user may used a program/s to scan website’s ports so, I searched for these programs in “installed programs

First one
Second one

So, I thought that Nmap was the suspicious program that this user was using.

Every pentester/hacker want to used nmap as exe he used it through out cmd / powershell at this poit I tried to search for commands history like .bash_history in Linux.

I found it under this path

“%userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt”

ConsoleHost_History

It called in Windows “ConsoleHost_History”.

Commands

Here we go, the answer is : dfir.science

Ninth Question: What folder was picture “20210429_151535.jpg” in on the original device that created it?

Once I saw a “device” word , there was a connected device via USB to this machine. Maybe this device disconnected and I didn’t know about it but there is an artifact (there’re more) can inform that there was a connected device.

After the device connected the folder for device appears and leaves artifacts in Shellbags.

Shellbags are set of registry keys which contain details about a user’s viewed folder; such as its size, position, and icon.

So, here searched for this image and found metadata about this image

Device make

I open “shellbags” and I found this row in table

LG folders

Here we go, the answer is : My Computer\LG Q7\Internal storage\DCIM\Camera

Tenth Questions: The Windows password hashes for the suspect account are below. What is the user’s password?

John Doe:1001:aad3b435b51404eeaad3b435b51404e
e: 3DE1A36F6DDB8E036DFD75e8e20c4af4:::

I understood this NTLM hash from here and after read the article and understood difference between NT and LM.

aad3b435b51404eeaad3b435b51404e = LM

3DE1A36F6DDB8E036DFD75e8e20c4af4 = NT

Here I found most important hash I must focus on it is NT

The NT hash calculates the hash based on the entire password the user entered

So, I tried to crack it here

Cracked hash

Here we go, the answer is : AFR1CA!

Eleventh Question: what is the user “John Doe’s” Windows
login password?

For local hash cracking I searched for “Cracking local windows passwords” here I found an article that explained how to crack local hash with tool called “Mimikatz” and I downloaded it and I followed instructions in previous article.

After I extracted “SAM” and “SYSTEM” these are main files to extract “NTLM” with “Mimikatz” tool.

Then I opened Mimikatz tool with high privilege “admin” and I got access to a range of high privilege level areas with :

1- privilege::debug
2- token::elevate

Mimikatz’s commands

Then I used LSADUMP Module TO extract NTLM by using SAM and SYSTEM.

Command
Our user

After I got NTLM hash I used same site to crack it here

Cracked hash

Here we go, the answer is : ctf2021

At the end ,
I hope you enjoyed this writeup ❤️.

Stay in touch

LinkedIn

--

--