ASPIRE CTF WEEK 3 FORENSICS

TEAM: ChasingFlags

This week was a forensics challenge and was split into two categories:

  1. Windows
  2. Mobile

Tools used:

1. Windows

a. FTK Imager

b. Autopsy

c. Event Log Explorer

d. Access Data Registry Viewer

e. WinPrefetchView

f. analyzeMFT.py

2. Mobile

a. DB Browser

Skills you will learn

1. Extracting and parsing of

a) MFT files

b) Prefetch files

2. Analysis of Windows event logs, i.e. the Security, System and Application logs

3. Reading and interpreting Registry files

4. Analysis of an Android Forensic Image

First challenge

After downloading the Windows challenge file, we find that it has an ad1 extension. This can be opened using either FTK Imager or Autopsy; FTK Imager was used to ingest the ad1 file. Using Autopsy requires downloading and installing the AD1_Extractor module first, and its results were unreliable compared to FTK Imager's.

To identify the computer name, the System hive was exported from the path below.

[root]\Windows\System32\config

Then, using Access Data Registry Viewer, the computer name was found at the registry key \SYSTEM\ControlSet001\Control\ComputerName\ComputerName.

Hence the flag was Aspire{DESKTOP-M7V081J}

Another way of getting the computer name is from the Security event log: any event in the Audit Policy Change category records it.

Second Challenge

The task was to find the time zone of the PC. It was found in the System hive at System\ControlSet001\Control\TimeZoneInformation. For further info check the link.

The flag was Aspire{EASTERN_AFRICA_TIME}

Third Challenge

The OS build number can be found in the Software hive, exported from [root]\Windows\System32\Config\.

The Software hive was opened in Access Data Registry Viewer and the value was read from \Software\Microsoft\Windows NT\CurrentVersion.

The flag was Aspire{18363}

Fourth Challenge

From the same location as challenge 3, the product name was found.

The flag was Aspire{WINDOWS_10_Pro}

Fifth Challenge

This was the start of the mobile forensics challenges. The challenge file was a zip archive containing application data and logs retrieved from an Android device.

The Device name was found at Mobile_image\Mobile_image\Live Data\device_properties.txt

Hence the flag was Aspire{Nexus 5X}

Sixth Challenge

An IMEI is a 15-digit unique identifier that identifies the handset the SIM card is inserted in. With this knowledge, filtering for 15-digit numbers gives 393 matches.

Looking into ‘Agent Data’, we find a matching SQLite 3 database file called agent_sim.db. Opening it in DB Browser, we find a table called `data` whose `device_id` column holds the IMEI.

\Mobile_image\Mobile_image\Agent Data\agent_sim.db

The flag was Aspire{353626075095047}

Seventh Challenge

From the same file as the sixth challenge, the mobile network provider was found.

Thus the flag was Aspire{Safaricom}

Eighth Challenge

Filtering through the files with grep, the database file containing the messages was identified.

Checking the db file in DB Browser, it contained the SMS messages. Full path: \Mobile_image\Mobile_image\Agent Data\agent_mmssms.db

The flag was Aspire{+254794660124}

Ninth Challenge

For international calls and messages, country codes are used to route the call or message to the right country or area. The code is identified by a leading ‘+’ followed by the country code, consisting of either digits or underscores. A filter can be done using grep together with a regular expression that matches a plus followed by 12 to 20 digits: `\+[0-9]{12,20}`

`grep -RE "\+[0-9]{12,20}" Mobile_image`

Three files match, but the most interesting one is the call log backup file. Running grep on the matched file, we used the same filter but added the -a flag so that the binary file is processed as text.

Mobile_image/adb-data/apps/com.android.calllogbackup/k/com.android.calllogbackup.data

`grep -aE "\+[0-9]{12,20}" com.android.calllogbackup.data`

A Google search for +44 reveals that it is the country code for the United Kingdom.

The flag was Aspire{United Kingdom}
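The sixth, eighth and ninth challenges are all the same job: sweep every file, binary ones included, for digit strings that look like an IMEI or an international phone number. The Python below is an added example (not from the write-up or from any tool it names) that does that sweep in one pass over raw bytes, which is what grep -a gives you, and adds two filters a practitioner wants: the 15-digit IMEI candidates are checked against the Luhn check digit that every real IMEI carries (which is how 393 raw hits shrink to a handful), and each +number is mapped to a country by longest-prefix match. The file names and contents in SAMPLE_FILES are constructed for the example; only the IMEI and the Kenyan number are the values from this write-up, and the +44 number is from the UK's fictional 07700 900xxx range.

```python
import re

# The page's grep pattern for international numbers, and a stricter 15-digit IMEI candidate
# pattern that refuses digits glued to a longer run (the cause of most of the raw false hits).
PHONE_RE = re.compile(rb"\+[0-9]{12,20}")
IMEI_RE = re.compile(rb"(?<![0-9])[0-9]{15}(?![0-9])")

# Tiny subset of the ITU country calling codes, enough for the numbers in this write-up.
COUNTRY_CODES = {"1": "United States / Canada", "44": "United Kingdom", "254": "Kenya"}

def luhn_valid(digits):
    """IMEI check: the 15th digit is a Luhn check digit, so most random 15-digit runs fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def country_of(number):
    """Longest-prefix match of the digits after '+' against the calling-code table."""
    digits = number.lstrip("+")
    for n in (3, 2, 1):
        if digits[:n] in COUNTRY_CODES:
            return COUNTRY_CODES[digits[:n]]
    return "unknown (+%s...)" % digits[:3]

def scan(files):
    """files: {relative path: raw bytes}. Searching bytes, not text, is the grep -a behaviour."""
    phones, imeis = [], []
    for path, blob in files.items():
        for m in PHONE_RE.finditer(blob):
            num = m.group().decode("ascii")
            phones.append((path, num, country_of(num)))
        for m in IMEI_RE.finditer(blob):
            cand = m.group().decode("ascii")
            if luhn_valid(cand):            # drop 15-digit serials that are not IMEIs
                imeis.append((path, cand))
    return phones, imeis

# Constructed stand-ins for a few files under Mobile_image (layout and bytes are made up;
# the IMEI is the write-up's value, the +44 number is a fictional Ofcom drama number).
SAMPLE_FILES = {
    "Agent Data/agent_sim.db": b"SQLite format 3\0" + b"\0" * 6 + b"353626075095047\0Safaricom\0",
    "Agent Data/agent_mmssms.db": b"SQLite format 3\0\0\0+254794660124\0hello\0",
    "adb-data/apps/com.android.calllogbackup/k/com.android.calllogbackup.data":
        b"\0\x01\x02+447700900123\0\x03",
    "Live Data/device_properties.txt": b"ro.product.model=Nexus 5X\nro.serialno=012345678901234\n",
}

if __name__ == "__main__":
    phones, imeis = scan(SAMPLE_FILES)
    for path, num, country in phones:
        print(f"{path}: {num} ({country})")
    for path, imei in imeis:
        print(f"{path}: IMEI candidate {imei} (Luhn check passed)")
```

To run it over a real extraction, replace SAMPLE_FILES with a dict built by walking the Mobile_image directory and reading each file as bytes; the Luhn filter is what separates the IMEI in agent_sim.db from serial numbers and timestamps that merely happen to be 15 digits long.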

Tenth Challenge

In the Windows operating system, a Prefetch file is created each time an application is run. It contains information about the files loaded by the application. Thus the file containing the browser's last run date was FIREFOX.EXE-25FC0A66.pf, found under [root]\Windows\Prefetch\ in Autopsy.

WinPrefetchView was used to view the extracted prefetch file, where the last run date was found.

The flag was Aspire{26-02-2021}

Eleventh Challenge

From the same file as challenge ten, the number of times the Firefox browser had been run was shown.

The flag was Aspire{fifty}

Twelfth Challenge

From the same file as challenge ten, the browser's executable file path was derived: C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.exe

The flag was Aspire{C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.exe}

Thirteenth Challenge

The file containing information about the last run time of HxD was HXD.EXE-D2964FE8.pf in the path [root]\Windows\Prefetch.

Opening it with WinPrefetchView, we found that it was 2:35:06 PM.

The flag was Aspire{14.35.06}

Fourteenth Challenge

From the same file as challenge thirteen, the number of times HxD was run was displayed, as shown in the screenshot below.

Opening it with WinPrefetchView, we found that it was run six times.

The flag was Aspire{six}
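Challenges ten to fourteen all read the same four fields off WinPrefetchView: the executable name, the hash that makes up the .pf file name, the last-run timestamp(s) and the run count. The Python below is an added example, not from the write-up or from WinPrefetchView, that pulls those fields straight out of an uncompressed SCCA prefetch header using the offsets from the public format documentation (versions 17, 23 and 26), converts the Windows FILETIME values to UTC, and shifts them to the image's UTC+3 zone from challenge two, which is what the flags' local times correspond to. It deliberately refuses Windows 10 files, which are stored MAM-compressed and whose run-count offset differs between builds, rather than misreading them. The header in SAMPLE_PF is constructed: only the FIREFOX.EXE-25FC0A66 name is from the page; its timestamps and run count are made up.

```python
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100 ns ticks since 1601-01-01 UTC (also used by $MFT and registry keys).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def to_local(dt, utc_offset_hours):
    # Viewers such as WinPrefetchView show local time; this image's zone was UTC+3 (EAT).
    return dt.astimezone(timezone(timedelta(hours=utc_offset_hours)))

# Per-version offsets inside the SCCA header (from the public libscca format description):
# version -> (offset of the last-run FILETIME slots, number of slots, offset of the run count).
# Version 30 (Windows 10) files are MAM-compressed on disk and the run-count offset moved
# between builds (0xD0 vs 0xC8), so that version is intentionally not in the table.
LAYOUT = {17: (0x78, 1, 0x90), 23: (0x80, 1, 0x98), 26: (0x80, 8, 0xD0)}

def parse_prefetch(data):
    """Return executable name, prefetch hash, last-run times (UTC) and run count."""
    if data[:3] == b"MAM":
        raise ValueError("MAM-compressed (Windows 10) prefetch file: decompress it first")
    version, sig = struct.unpack_from("<I4s", data, 0)
    if sig != b"SCCA":
        raise ValueError("not a prefetch file (missing SCCA signature)")
    if version not in LAYOUT:
        raise ValueError(f"unsupported prefetch version {version}")
    ts_off, n_slots, rc_off = LAYOUT[version]
    # 0x10: executable name, 60 bytes of NUL-terminated UTF-16LE; 0x4C: hash in the .pf name
    exe = data[0x10:0x4C].decode("utf-16-le", errors="replace").split("\0", 1)[0]
    pf_hash = struct.unpack_from("<I", data, 0x4C)[0]
    last_runs = []
    for i in range(n_slots):                     # unused slots (fewer than 8 runs) hold zero
        ft = struct.unpack_from("<Q", data, ts_off + 8 * i)[0]
        if ft:
            last_runs.append(filetime_to_dt(ft))
    run_count = struct.unpack_from("<I", data, rc_off)[0]
    return {"executable": exe, "hash": f"{pf_hash:08X}",
            "expected_filename": f"{exe}-{pf_hash:08X}.pf",
            "last_runs": last_runs, "run_count": run_count}

def build_prefetch(version, exe, pf_hash, last_runs, run_count):
    """Construct a minimal uncompressed header so the parser can be exercised offline."""
    ts_off, n_slots, rc_off = LAYOUT[version]
    buf = bytearray(rc_off + 4)
    struct.pack_into("<I4sII", buf, 0, version, b"SCCA", 0x11, len(buf))
    name = exe.encode("utf-16-le")[:58] + b"\0\0"
    buf[0x10:0x10 + len(name)] = name
    struct.pack_into("<I", buf, 0x4C, pf_hash)
    for i, dt in enumerate(last_runs[:n_slots]):
        struct.pack_into("<Q", buf, ts_off + 8 * i, dt_to_filetime(dt))
    struct.pack_into("<I", buf, rc_off, run_count)
    return bytes(buf)

# Constructed sample: a version-26 header for FIREFOX.EXE with the hash from the page's
# file name; the run times and the count below are made up for the example.
SAMPLE_PF = build_prefetch(
    26, "FIREFOX.EXE", 0x25FC0A66,
    [datetime(2021, 2, 26, 11, 20, 5, tzinfo=timezone.utc),
     datetime(2021, 2, 25, 8, 2, 41, tzinfo=timezone.utc)],
    50)

if __name__ == "__main__":
    info = parse_prefetch(SAMPLE_PF)
    print(info["expected_filename"], "run count:", info["run_count"])
    for run in info["last_runs"]:
        print("last run (EAT):", to_local(run, 3).strftime("%d-%m-%Y %H:%M:%S"))
```

The check that the name and hash recombine into the expected .pf file name is worth keeping in real work: a prefetch file whose internal name does not match its file name has been renamed or tampered with.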

Fifteenth Challenge

From the main mobile folder, i.e. Mobile_image, I used the command `grep -Rinw -e "gmail"` on Linux to search for the string in every file contained in the main folder, and it was successful. They were found in Mobile_image/Live Data/Dumpsys Data/notification.txt

Hence the flag was Aspire{cocoash100@gmail.com_lenanakami@gmail.com}

Sixteenth Challenge

The Mobile_image\Mobile_image\adb-data\apps folder is used by Android to store application data, so we looked into it and found an interesting application, com.viaforensics.android.aflogical_ose. After some research on Google, it was discovered that this is a forensic tool.

For more info visit this link

Hence the flag was Aspire{aflogical ose}

Seventeenth Challenge

In the Windows SYSTEM registry hive there is a key that lists the external devices/disks that have been connected to the PC, i.e. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR, which can be viewed using Access Data Registry Viewer.

Hence the flag was Aspire{Toshiba}

Eighteenth Challenge

From the [root], a file known as $MFT (Master File Table) was identified.

The MFT contains at least one entry for every file on an NTFS volume, including the MFT itself. All information about a file, including its size, time and date stamps, permissions, and data content, is stored either in MFT entries or in space outside the MFT that is described by MFT entries. Further reading from this link.

The file was exported, and a Python-based MFT analysis tool, analyzeMFT, was used to analyse the exported $MFT.

The following command was run

`python2 analyzeMFT/analyzeMFT.py -f \$MFT -o result1.txt`, saving the results into the file result1.txt

grep was then used to search the output for a text file on the Desktop:

`cat result1.txt | grep txt | grep Desktop`

The flag was Aspire{y0uSmArToNe}
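The analyzeMFT run and the grep above answer one question: which .txt file sits under a Desktop folder, and when was it created? The Python below is an added example, not from the write-up and not analyzeMFT's code, that answers it from the raw $MFT structures instead of a CSV export: it applies the NTFS fixup (update sequence) array to each 1024-byte FILE record and rejects torn records, reads the $STANDARD_INFORMATION timestamps and the $FILE_NAME parent reference, rebuilds full paths by walking parent references up to the root (record 5), and then filters on the path. Because the challenge image is not reproduced here, the block constructs its own tiny $MFT; the record numbers, names and timestamp in it are made up.

```python
import struct
from datetime import datetime, timedelta, timezone

RECORD_SIZE, SECTOR, ROOT_RECORD = 1024, 512, 5   # MFT record 5 is the volume root directory
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):                              # FILETIME: 100 ns ticks since 1601-01-01
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def parse_record(raw):
    rec = bytearray(raw)
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record")
    usa_off, usa_len = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    # Fixup: NTFS overwrote the last 2 bytes of each sector with the update sequence number;
    # restore the originals and treat a mismatch as a torn or damaged record.
    for i in range(usa_len - 1):
        end = (i + 1) * SECTOR
        if rec[end - 2:end] != usn:
            raise ValueError("fixup mismatch: record is damaged")
        rec[end - 2:end] = rec[usa_off + 2 + 2 * i:usa_off + 4 + 2 * i]
    first_attr, flags = struct.unpack_from("<HH", rec, 0x14)
    info = {"record": struct.unpack_from("<I", rec, 0x2C)[0], "name": None,
            "in_use": bool(flags & 1), "is_dir": bool(flags & 2)}
    off = first_attr
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF or alen == 0:          # end-of-attributes marker
            break
        if rec[off + 8] == 0:                         # resident attribute (content in record)
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            if atype == 0x10:                         # $STANDARD_INFORMATION: four FILETIMEs
                c, m = struct.unpack_from("<QQ", body, 0)
                info["created"], info["modified"] = filetime_to_dt(c), filetime_to_dt(m)
            elif atype == 0x30:                       # $FILE_NAME: parent reference, times, name
                parent_ref = struct.unpack_from("<Q", body, 0)[0]
                nlen, namespace = body[0x40], body[0x41]
                if info["name"] is None or namespace != 2:   # prefer long name over DOS 8.3
                    info["name"] = bytes(body[0x42:0x42 + 2 * nlen]).decode("utf-16-le")
                    info["parent"] = parent_ref & 0xFFFFFFFFFFFF  # low 48 bits = record number
        off += alen
    return info

def resolve_path(records, no):
    parts, seen = [], set()                           # 'seen' guards against reference loops
    while no != ROOT_RECORD and no in records and no not in seen:
        seen.add(no)
        parts.append(records[no]["name"])
        no = records[no]["parent"]
    return "\\" + "\\".join(reversed(parts))

def find_files(mft, predicate):
    records = {}
    for i in range(0, len(mft), RECORD_SIZE):
        try:
            rec = parse_record(mft[i:i + RECORD_SIZE])
        except ValueError:
            continue                                  # unused or damaged slot
        records[rec["record"]] = rec
    hits = [(resolve_path(records, no), rec["created"]) for no, rec in records.items()
            if rec["in_use"] and not rec["is_dir"]]
    return sorted(h for h in hits if predicate(h[0]))

# ---- constructed sample $MFT (made up for the example, not the challenge image) ----
def _resident(atype, body):
    length = (0x18 + len(body) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, length, 0, 0, 0x18, 0, 0, len(body), 0x18, 0, 0)
    return hdr + body + b"\0" * (length - 0x18 - len(body))

def build_record(no, name, parent, is_dir, created):
    ft = dt_to_filetime(created)
    std = struct.pack("<QQQQI", ft, ft, ft, ft, 0) + b"\0" * 12
    fn = (struct.pack("<QQQQQQQII", (1 << 48) | parent, ft, ft, ft, ft, 0, 0,
                      0x10000000 if is_dir else 0, 0)
          + struct.pack("<BB", len(name), 1) + name.encode("utf-16-le"))
    attrs = _resident(0x10, std) + _resident(0x30, fn) + b"\xff\xff\xff\xff"
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38,
                      3 if is_dir else 1, 0x38 + len(attrs), RECORD_SIZE, 0, 3, 0, no)
    rec = bytearray(hdr + b"\x2a\x2a" + b"\0" * 6 + attrs)   # USN 0x2A2A, 2 USA slots, pad
    rec += b"\0" * (RECORD_SIZE - len(rec))
    for i in range(RECORD_SIZE // SECTOR):                    # apply the fixups
        end = (i + 1) * SECTOR
        rec[0x32 + 2 * i:0x34 + 2 * i] = rec[end - 2:end]
        rec[end - 2:end] = b"\x2a\x2a"
    return bytes(rec)

T = datetime(2021, 2, 25, 10, 12, 30, tzinfo=timezone.utc)   # constructed timestamp
SAMPLE_MFT = b"".join([build_record(40, "Users", ROOT_RECORD, True, T),
    build_record(41, "analyst", 40, True, T), build_record(42, "Desktop", 41, True, T),
    build_record(43, "notes.txt", 42, False, T), build_record(44, "readme.txt", 41, False, T)])

def desktop_text_files(mft):
    return find_files(mft, lambda p: "\\Desktop\\" in p and p.lower().endswith(".txt"))
```

On an exported $MFT, pass the file's bytes to desktop_text_files; the fixup check matters because a record whose sector trailers no longer match its update sequence number is exactly the kind of entry a CSV-only workflow silently misreports.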

Nineteenth Challenge

The key SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles contains a list of the networks the PC has connected to.

Skimming through the list, it was discovered that Network is the most common network name.

The flag was Aspire{Network}

Twentieth Challenge

From the System event log, the last update was found.

The flag was Aspire{KB2267602}

Twenty-First Challenge

From the twentieth challenge, the date and time can be derived.

The flag was Aspire{26-02-2021_09:35:18}

References

Windows Forensic Analysis. (2021). Retrieved 3 March 2021, from https://www.sans.org/security-resources/posters/windows-forensic-analysis/170/download
