Stark 4N6

Monday, August 3, 2020

My First SANS DFIR Summit Experience
August 03, 2020 | 0 Comments

This would have been the first year I would have made the trip down to Austin, Texas for the SANS DFIR Summit, but the pandemic really screwed that one up (hopefully next year). Despite the conference going virtual, it went off without too many hitches. There were so many incredible talks, from Ryan Benson's on Unfurl, to David Cowen and Matt Seyer's on real-time USN/log analysis, to Sarah and Andrew Konunchuk repping Bloomsburg University to the fullest in their eDiscovery/DFIR discussion. I know I'm leaving out so many others, but they were all really incredible. The recordings will eventually be on the SANS YouTube page for those who missed out.

The discord channel was a lively subgroup of supposedly about 20,000 registered attendees. I hope to see that platform utilized more in upcoming conferences for people to interact with both the speakers and other attendees. I can't forget to mention the hilarious dad jokes in between presentations, Heather Mahalik rounded up some of the best here.


I'm still reeling a week later after the awesome opportunity not only to attend but to participate in the summit. My good friend Brian Moran invited me to participate in the DFIR Olympics, which ended up being a hilarious rap battle between contestants, with the ringer being int80 from Dual Core!

WHO THE FRICK IS LANCE?!?

The main DFIR Summit ended with the always entertaining 4Cast Awards from Lee Whitfield, congrats to all the winners as well as Rob Lee for being inducted into the Hall of Fame! See the results video below.

The week after the summit, I was able to moderate and take the FOR585 Smartphone Analysis course. I would highly encourage anyone to apply to be a moderator for any SANS training course, as you get to take the course at a discounted rate, including all the materials and a cert attempt, as well as build a rapport with the instructor and the students. Day 6 was the capstone project, which my team presented and won the challenge coin for the course.

Speaking of challenge coins, I partook in the SANS Summit NetWars competition and ended up squeaking out a 5th place in the veteran solo category for another lethal forensicator coin. The best part is I was able to use the techniques learned in class and apply them directly to the CTF.


What an incredible experience my first official SANS DFIR Summit was. I'm already looking forward to Austin in 2021!

Monday, June 8, 2020

Magnet Virtual Summit 2020 CTF (Windows)
June 08, 2020 | 0 Comments

Previous: Egg Hunt | iOS | Memory | Android


The last part of the Magnet Virtual Summit CTF once again proved that not everything can be automatically parsed by the tools; you have to dive into the artifacts a bit to pull out the proper answers.

Windows

Begin Exam Try 2 (5)

When did the windows image acquisition start?


Answer in YYYY-MM-DD HH:MM:SS


In the folder where the evidence is stored there is a text document containing the FTK Imager output. We can see the acquisition started on 2020-04-22 17:55:30.


Call Me Maybe? (5)

What is the user's phone number? (Format: 555-555-5555)


The first thing that came to mind when looking for a phone number was Google Autofill. We got lucky and the user Warren had it saved under his profile. His number is 802-265-5115.


Feelin' Lucky? (5)

How many people won Quarterly Drawing 31?


 1

 10

 100

 1,000

 10,000

 100,000


A quick search for “Quarterly Drawing 31” reveals a Vermont 2nd Chance Lottery ticket. Googling the lottery and checking the drawing history shows they had 100 winners for that drawing.

Update the Résumé (5)

When did the user start working in their current position?


(Example: flag<July 1776>)


From Chrome Login artifacts we can see the user accessed his LinkedIn account using a Gmail account.


A quick search, helped by a hint of location information, shows Warren started working at Mallie Sae in July 2014.

Another day, another dollar (10)

How many times did Warren sign in to his machine?


AXIOM parses this from the SAM file; we can see Warren logged in 24 times.


Hash Crash (10)

What is the earliest created file associated with the following MD5: 3d908e1b40140c1e0167603ffca07701


Using FTK Imager I created a full file hash list for the E01 image. There were only two hits for that MD5 hash. Searching for each file name, AccessMUISet.msi had a created date 4 hours before 3a7a1c9.msi.
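The same hash-and-compare step, scripted, as an added example rather than the write-up's own procedure: it walks an exported or mounted evidence directory, streams every regular file through MD5, and returns the files matching a given hash ordered by timestamp so the earliest stands out. The directory layout, file names and timestamps in `build_sample_tree()` are constructed for the demo; on a real case the creation time should come from the image's file system metadata as exported by your forensic tool, since `os.stat` on a mounted copy does not preserve it.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Added example, not the write-up's tooling. Timestamps here are file mtimes so the
# demo runs anywhere; substitute the creation time from your tool's hash/file
# listing when working from an image.


def md5_file(path, chunk_size=1 << 20):
    """Stream a file through MD5 so large evidence files never load into memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def file_timestamp(path):
    """Portable stand-in for the created time: the file's modification time, as UTC."""
    return datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)


def find_by_md5(root, target_md5):
    """Return [(timestamp, relative_path)] for every file under root whose MD5 matches,
    earliest first. Hash comparison is case-insensitive."""
    root = Path(root)
    target = target_md5.lower()
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            if md5_file(p) == target:
                hits.append((file_timestamp(p), p.relative_to(root).as_posix()))
    hits.sort()
    return hits


def build_sample_tree():
    """Constructed evidence tree: two identical installers 4 hours apart plus an unrelated file."""
    root = Path(tempfile.mkdtemp(prefix="evidence_"))
    base = 1_580_000_000  # constructed epoch timestamp
    files = {
        "Windows/Installer/installer_a.msi": (b"hello", base),
        "Users/demo/Downloads/installer_b.msi": (b"hello", base + 4 * 3600),
        "Users/demo/notes.txt": (b"other", base),
    }
    for rel, (content, ts) in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
        os.utime(p, (ts, ts))
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    # MD5 of b"hello" is 5d41402abc4b2a76b9719d911017c592
    for ts, rel in find_by_md5(tree, "5d41402abc4b2a76b9719d911017c592"):
        print(ts.isoformat(), rel)
```

Point the script at the root of a mounted image (or an FTK Imager export) and the first row is the earliest matching file; the unrelated file with a different hash never appears.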


Sticky Situation (10)

How many dollars does the user CURRENTLY owe from gambling? Format 99,900


Hunting in the documents folder for the user we can see a loan sheet:


C:\Users\Warren\Documents\Loan Tracking\LoanBook4.xlsx


We can add the amount due minus the amounts paid and see that he still owes $16,080.


Money, money, money, Money! (25)

How many dollars to directly buy in to the tournament on Sunday?


A quick search for “tournament” yielded one webpage rebuilt from WebCache for us to browse. The answer was 162 dollars.

Sorry, eh? (25)

When was the image downloaded from www.sciencenews.org viewed? Format MM/DD/YYYY HH:MM:SS (24 hour clock) ex 05/12/2020 17:45:00


A quick keyword search for www.sciencenews.org shows one image was downloaded.

Since we want to know when the file was actually viewed, we can look at the LNK file for poker.jpg.

The creation time of a LNK file usually indicates when the file was first opened/viewed, which we see was 02/18/2020 21:25:36.
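For readers who want to see what a shortcut actually carries, here is an added example (not the write-up's tooling) that decodes the fixed 76-byte ShellLinkHeader at the start of a Windows .lnk file per MS-SHLLINK. The FILETIMEs embedded in the header describe the target file, not the shortcut; the first-open indicator used above is the LNK file's own creation timestamp from the image's file system metadata. The sample header in `build_sample_lnk()` and its timestamps are constructed for the demo.

```python
import struct
from datetime import datetime, timedelta, timezone

# Added example: parse the ShellLinkHeader (MS-SHLLINK section 2.1).
# Layout: HeaderSize, LinkCLSID, LinkFlags, FileAttributes, CreationTime,
# AccessTime, WriteTime, FileSize, IconIndex, ShowCommand, HotKey, 3x Reserved.
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER_FMT = "<I16sIIQQQIiIHHII"  # little-endian, 76 bytes
_WIN_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

LINK_FLAGS = {
    0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName",
    0x08: "HasRelativePath", 0x10: "HasWorkingDir", 0x20: "HasArguments",
    0x40: "HasIconLocation", 0x80: "IsUnicode",
}
FILE_ATTRS = {0x01: "READONLY", 0x02: "HIDDEN", 0x04: "SYSTEM",
              0x10: "DIRECTORY", 0x20: "ARCHIVE"}


def filetime_to_datetime(ft):
    """FILETIME (100-ns ticks since 1601-01-01 UTC) to aware datetime; 0 means not set."""
    if ft == 0:
        return None
    return _WIN_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, computed with integers to stay exact."""
    delta = dt - _WIN_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def roundtrip_ok(ft):
    return datetime_to_filetime(filetime_to_datetime(ft)) == ft


def _names(bits, table):
    return [name for bit, name in table.items() if bits & bit]


def parse_lnk_header(data):
    """Decode the header of a .lnk file's bytes; raises ValueError if it is not one."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short to be a .lnk file")
    (size, clsid, flags, attrs, ctime, atime, wtime, fsize,
     _icon, show, _hotkey, _r1, _r2, _r3) = struct.unpack_from(HEADER_FMT, data, 0)
    if size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a ShellLinkHeader")
    return {
        "link_flags": _names(flags, LINK_FLAGS),
        "file_attributes": _names(attrs, FILE_ATTRS),
        "target_creation_time": filetime_to_datetime(ctime),
        "target_access_time": filetime_to_datetime(atime),
        "target_write_time": filetime_to_datetime(wtime),
        "target_file_size": fsize,
        "show_command": show,
    }


def build_sample_lnk():
    """Constructed 76-byte header: shortcut to an archived file, unicode strings, no access time."""
    created = datetime(2020, 2, 18, 20, 0, 0, tzinfo=timezone.utc)   # constructed
    written = datetime(2020, 2, 18, 20, 5, 0, tzinfo=timezone.utc)   # constructed
    flags = 0x01 | 0x02 | 0x04 | 0x80
    return struct.pack(HEADER_FMT, HEADER_SIZE, LINK_CLSID, flags, 0x20,
                       datetime_to_filetime(created), 0, datetime_to_filetime(written),
                       123456, 0, 1, 0, 0, 0, 0)


if __name__ == "__main__":
    for key, value in parse_lnk_header(build_sample_lnk()).items():
        print(f"{key}: {value}")
```

Reading a real shortcut is `parse_lnk_header(open(path, "rb").read())`; pair the target timestamps it returns with the shortcut's own creation time from the file system listing to build the first-opened timeline.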

Stay PAWsitive (25)

What is the name of the movie written in the text file within a PNG?


Once again, the question title gives a clue. I was able to find a folder labeled “Cats” with some pictures, only one of which was a PNG file. 

I exported it out and opened it with OpenStego, a common steganography tool.

With no need for a password, the exported text file has the answer. Godzilla.

What happens when you text and drive? (25)

Name the bug check code in the most recent Windows crash (Blue Screen)


Blue screen crash logs can be located at C:\Windows\Minidump. There are two, so we can export the folder and view them in BlueScreenView, a free tool from NirSoft, and see the bug check code was 0x0000000a for the most recent crash.

You're GUIDing, right? (25)

What is the GUID for the application that was last used to access C:\Users\Warren\Documents?


AXIOM pulls that one out fairly quickly after searching for the folder path. We can look under MRU Folder Access to find the GUID of 4ED5B83C-7A8C-4917-B107-E9FF0864EDFB.

Poker, I don't even... (50)

How many total seconds did the user spend on the page when they searched for quick online poker? format: x.xxx


A simple keyword search in AXIOM for “quick online poker” brings up 2 Chrome web history files. 


Using Ryan Benson’s awesome tool Unfurl we can try out both searches. The answer they were looking for was found for the “quick online poker tips” search, 6.294 seconds.



Friday, June 5, 2020

Magnet Virtual Summit 2020 CTF (Android)
June 05, 2020 | 0 Comments

Previous: Egg Hunt | iOS | Memory


The Android image had some of the toughest questions yet in this CTF. This section gave me fits while playing live, but after giving it more time to digest and think through, I came out with almost all the answers.

Android

Obfuscating Like a Pro (5)

Chester decided to use a covert app to communicate with Alan, to try to cover their tracks. What is the package name of the app? flag<com.full.package.name.here> (Do not include flag<>, just write out the package name)


Hint: https://youtu.be/wEv0zOeA2FU?t=152


Parsing the TAR file using Alexis Brignoni’s ALEAPP, we can see installed applications on the phone. The hint here helps narrow down exactly what they are looking for. Jack Ryan was chatting through a game, one of the only installed games was Chess with Friends. Since they are looking for the package name we see it here:



Com.zynga.chess.googleplay


Just another pawn (5)

What is the username for the Zynga Chess app?


I was able to find the associated login for Zynga Chess through Chrome Login in ALEAPP:



chess.master.chester


The College Lifestyle- Artic Edition (5)

Where did Chester get ramen in Norway? (Restaurant Name)


Going to the DCIM folder, we can see only one picture that fits.


/data/media/0/DCIM/Camera/IMG_20200309_172817.jpg


Pulling EXIF metadata shows coordinates of:



Plugging them into Google Maps, we can see that it was at Koie Ramen.


Blocked for security reasons! (10)

What is the name of the file that this user attached/linked and emailed to Warren?


We can do a quick keyword search on “Warren” and look at emails sent. This helped narrow the scope down to two separate emails, both of which AXIOM parses from the Google Takeout.

For some reason AXIOM didn’t strictly pull out this attachment, but it was the flag:


Chestnut_CV.exe

bOat-SINT (10)

While on spring break, Chester took a photo of a famous boat. What is the boat's name (2 words, ______ ship)?


Once again we can look at the DCIM folder and see a large boat.

/data/media/0/DCIM/Camera/IMG_20200308_144240.jpg

EXIF data shows coordinates as follows:

This plots right next to Vikingskipshuset (the Viking Ship Museum) in Oslo, Norway. A quick Wikipedia hunt on the museum shows the famous Oseberg ship.
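Both of the photo questions above (Koie Ramen and the Viking Ship Museum) come down to the same step: pulling the GPS tags out of the JPEG's EXIF block and turning the degrees/minutes/seconds rationals into the decimal pair Google Maps wants. The following is an added example, not the write-up's tooling, that does this with a minimal TIFF/EXIF IFD walker in pure Python. The JPEG built by `build_sample_jpeg()` and the coordinates in it are constructed for the demo and are not the CTF image's real values.

```python
import struct
from fractions import Fraction

# Added example: locate the APP1 Exif segment, walk IFD0 to the GPS IFD
# (tag 0x8825), and decode GPSLatitudeRef/GPSLatitude/GPSLongitudeRef/GPSLongitude.
GPS_INFO_TAG = 0x8825
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}  # TIFF field types


def _read_ifd(tiff, endian, offset):
    """Return {tag: (type, count, raw 4-byte value/offset)} for the IFD at offset."""
    (n,) = struct.unpack_from(endian + "H", tiff, offset)
    entries, pos = {}, offset + 2
    for _ in range(n):
        tag, typ, count = struct.unpack_from(endian + "HHI", tiff, pos)
        entries[tag] = (typ, count, tiff[pos + 8:pos + 12])
        pos += 12
    return entries


def _value_bytes(tiff, endian, entry):
    """Values of 4 bytes or less are stored inline; larger ones sit at an offset."""
    typ, count, raw = entry
    size = TYPE_SIZES[typ] * count
    if size <= 4:
        return raw[:size]
    (off,) = struct.unpack_from(endian + "I", raw)
    return tiff[off:off + size]


def _rationals(tiff, endian, entry):
    data = _value_bytes(tiff, endian, entry)
    return [Fraction(n, d) for n, d in struct.iter_unpack(endian + "II", data)]


def dms_to_decimal(parts, ref):
    """Degrees/minutes/seconds (Fractions or (num, den) pairs) plus N/S/E/W to signed decimal."""
    deg, minutes, seconds = [p if isinstance(p, Fraction) else Fraction(*p) for p in parts]
    value = deg + minutes / 60 + seconds / 3600
    return float(-value if ref in ("S", "W") else value)


def exif_gps(jpeg_bytes):
    """Return (lat, lon) rounded to 6 places, or None when no GPS block is present."""
    start = jpeg_bytes.find(b"Exif\x00\x00")
    if start < 0:
        return None
    tiff = jpeg_bytes[start + 6:]
    endian = {b"II": "<", b"MM": ">"}[tiff[:2]]
    (ifd0_off,) = struct.unpack_from(endian + "I", tiff, 4)
    ifd0 = _read_ifd(tiff, endian, ifd0_off)
    if GPS_INFO_TAG not in ifd0:
        return None
    (gps_off,) = struct.unpack_from(endian + "I", _value_bytes(tiff, endian, ifd0[GPS_INFO_TAG]))
    gps = _read_ifd(tiff, endian, gps_off)
    if not all(tag in gps for tag in (1, 2, 3, 4)):
        return None
    lat_ref = _value_bytes(tiff, endian, gps[1]).rstrip(b"\x00").decode("ascii")
    lon_ref = _value_bytes(tiff, endian, gps[3]).rstrip(b"\x00").decode("ascii")
    lat = dms_to_decimal(_rationals(tiff, endian, gps[2]), lat_ref)
    lon = dms_to_decimal(_rationals(tiff, endian, gps[4]), lon_ref)
    return round(lat, 6), round(lon, 6)


def maps_url(lat, lon):
    return f"https://www.google.com/maps?q={lat},{lon}"


def build_sample_jpeg():
    """Constructed JPEG carrying one APP1 Exif segment with GPS tags (little-endian TIFF)."""
    tiff = b"II" + struct.pack("<HI", 42, 8)
    # IFD0 at offset 8: a single entry pointing at the GPS IFD, which starts at 26
    tiff += struct.pack("<H", 1) + struct.pack("<HHII", GPS_INFO_TAG, 4, 1, 26) + struct.pack("<I", 0)
    lat_off, lon_off = 80, 104  # rational arrays placed after the 54-byte GPS IFD
    tiff += struct.pack("<H", 4)
    tiff += struct.pack("<HHI", 1, 2, 2) + b"N\x00\x00\x00"
    tiff += struct.pack("<HHII", 2, 5, 3, lat_off)
    tiff += struct.pack("<HHI", 3, 2, 2) + b"E\x00\x00\x00"
    tiff += struct.pack("<HHII", 4, 5, 3, lon_off)
    tiff += struct.pack("<I", 0)
    tiff += struct.pack("<IIIIII", 59, 1, 54, 1, 4000, 100)  # 59 deg 54' 40.00" N (constructed)
    tiff += struct.pack("<IIIIII", 10, 1, 44, 1, 3000, 100)  # 10 deg 44' 30.00" E (constructed)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


if __name__ == "__main__":
    coords = exif_gps(build_sample_jpeg())
    print(coords, maps_url(*coords))
```

Feed `exif_gps()` the raw bytes of an exported DCIM photo and paste the resulting URL into a browser; pictures with no GPS IFD (or with the reference tags stripped) come back as `None` rather than a bogus location.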

Fastest Thumbs in the West (10)

How many tweets did Chester tweet?


AXIOM pulled out the user info for Chester quickly.


Knowing the User ID we can check out all Tweets with 1230174369462267904 as the author:


We can see that Chester sent out 5 tweets.

It's not the heat, it's the humidity (10)

How much warmer is it going to be tomorrow in Burlington?


I somewhat stumbled upon this while looking for the answer to another question, but found a screen capture video that showed a Silent Notification from Google Weather. Seen below in the screenshot, we can see it will be 12 degrees warmer.


New IP Who Dis? (10)

What local port was Warren's computer listening on while connected to the IP 13.35.82.31 during the memory dump?


A quick keyword search for the IP shows a hit in the memory image under the netscan (Network Info) parse.


From the local IP address we see it was listening on port 54281.

The Polar Express (10)

What train station did Chester get directions to?


A quick look at Google Maps Queries shows searches with Bergen Station as the destination.

Trans-Siberian Railway (10)

What was the path that Chester's train took?


Flag format: A to B to C would be flag<ABC>, THERE ARE MORE THAN 3 POINTS THE TRAIN WENT THROUGH


I had to snag the map key from forensic8or since I didn't save it after the CTF.


We can add the parsed Google Map Queries and Cloud Google Location History to the world map view in AXIOM to see a rough outline of location plots.