In part 1 we broke down the answers to the Miscellaneous category. As we continue through the Magnet User Summit 2018 CTF we now get to the Anti-Forensics section. In this section I got to use some different free tools, as well as some tried and true ones, along the way to answer the questions.
1. Wiping App: Which application was used to wipe files on the compromised system?
In the SOFTWARE registry file we can see a list of installed applications in:
Microsoft\Windows\CurrentVersion\App Paths
The only one that sticks out is Eraser, which is the answer.
2. User that Wiped: What is the name of the user account that performed the wiping? [use a name not a SID]
We found the Eraser installer in the Downloads folder for user "itsupport". This doesn't mean this account ran it, but it gave us a clue as to which account to look at first. When we parse the NTUSER.DAT file using RegRipper, we can pull out the AppCompatFlags entries showing that Eraser.exe was run.
This date and time was corroborated by the prefetch file for Eraser.exe as well, so we can determine that "itsupport" ran the executable.
3. Data Written: How much data did the wiping utility write to disk? [answer in bytes]
Now that we know Eraser was run we can look at the SRUM (System Resource Utilization Monitor) log found here:
C:\Windows\System32\sru\SRUDB.dat
We can parse this file using SRUM Dump. We want to look at the Application Resource Usage tab, and since we know that Eraser was run on April 26th at approximately 6:40pm UTC, we can filter by date and by executable name. The only entry that matches is:
We can see the ForegroundBytesWritten column shows how many bytes were written to disk, 27394048.
4. Browser to Download Wiper: What browser was used to download Eraser? [Just the name, no versions]
This one was fairly easy, even though I sort of stumbled upon it. Parsing the NTUSER.DAT file for "itsupport" using RegRipper, we can see that the Eraser installer was executed. In UserAssist we see that it resided under a Microsoft Edge temp folder, so the download was probably set to run after download instead of being saved:
1524767943|REG|||[Program Execution] UserAssist - C:\Users\itsupport\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\Eraser 6.2.0.2982.exe (1)
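Questions 2 and 4 both come down to the same step: pull the RegRipper timeline (TLN) output for the user hive and find the entries that mention Eraser. The small parser below is an added example, not RegRipper's code or the CTF's own tooling. TLN lines are pipe-delimited (`epoch|source|host|user|description`); the first sample line is the UserAssist entry quoted above, the other two are constructed filler with assumed descriptions, and the `find_program` name is my own.

```python
"""Added example: filter RegRipper TLN (timeline) output for a program of interest.

TLN format: epoch|source|host|user|description (epoch is seconds since 1970, UTC).
"""
from datetime import datetime, timezone

# Constructed sample. Line 1 is the UserAssist entry from the write-up; lines 2-3
# are invented filler whose descriptions only approximate RegRipper's wording.
SAMPLE_TLN = r"""
1524767943|REG|||[Program Execution] UserAssist - C:\Users\itsupport\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\Eraser 6.2.0.2982.exe (1)
1524767100|REG|||[Program Execution] UserAssist - C:\Windows\explorer.exe (12)
1524768015|REG|||[Program Execution] AppCompatFlags - C:\Program Files\Eraser\Eraser.exe
"""


def parse_tln(text):
    """Parse TLN lines into dicts with an aware UTC datetime, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # Split on at most four pipes so a '|' inside the description survives.
        parts = line.split("|", 4)
        if len(parts) != 5:
            continue  # not a TLN line; skip rather than guess
        epoch, source, host, user, desc = parts
        ts = datetime.fromtimestamp(int(epoch), tz=timezone.utc)
        events.append({"time": ts, "source": source, "host": host,
                       "user": user, "desc": desc})
    return sorted(events, key=lambda e: e["time"])


def find_program(events, needle):
    """Return events whose description mentions `needle` (case-insensitive)."""
    needle = needle.lower()
    return [e for e in events if needle in e["desc"].lower()]


def format_event(e):
    """Render one event the way it would go into a case timeline."""
    return f"{e['time']:%Y-%m-%d %H:%M:%S} UTC | {e['source']} | {e['desc']}"


if __name__ == "__main__":
    for event in find_program(parse_tln(SAMPLE_TLN), "eraser"):
        print(format_event(event))
```

Converting the epoch in the quoted UserAssist line gives 2018-04-26 18:39:03 UTC, which is the "approximately 6:40pm UTC" window used for the SRUM filter in question 3, so the two artifacts line up without any timezone guesswork.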
5. Wiped File Names: List 5 original wiped file names. [comma separated]
There were a ton of file names that could have worked for this. What we need to do first is parse the $J file of the USN journal ($UsnJrnl). I used MFTECmd, as it has a switch for this and runs super fast. After it was parsed to CSV I loaded that into Timeline Explorer. We can filter down to the date of execution, 4/26/2018, scroll down to the approximate time of 18:41, and we will see some interesting activity.
If you filter the column "Update Reasons" with Rename, you will get a list of old and new file names.
Some sample answers are:
ProjectU.exe
CustomStruct.py
c_test.py
update.sample
exclude
master
remotes
origin
heads
info
hooks
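The Timeline Explorer filter on "Rename" works because a USN rename produces two journal records for the same file reference: one tagged RenameOldName carrying the original name and one tagged RenameNewName carrying the replacement. The script below is an added example (not MFTECmd, Timeline Explorer or the CTF's tooling) that pairs those records from a CSV export so the original names fall out directly. Column names are assumed to follow MFTECmd's $J CSV output; the CSV itself is constructed, with the two original names taken from the sample answers above and the replacement names, paths and timestamps invented.

```python
"""Added example: recover original file names from USN journal rename records.

Assumes an MFTECmd-style $J CSV (Name, EntryNumber, SequenceNumber, ParentPath,
UpdateTimestamp, UpdateReasons). Rows are kept in export order, which follows
journal order, so no re-sorting is needed.
"""
import csv
import io
from datetime import datetime

# Constructed sample: ProjectU.exe and CustomStruct.py are from the write-up's
# sample answers; the obfuscated new names, paths and timestamps are invented.
SAMPLE_J_CSV = r"""
Name,EntryNumber,SequenceNumber,ParentPath,UpdateTimestamp,UpdateReasons
ProjectU.exe,41203,5,.\Users\itsupport\Documents,2018-04-26 18:41:02.1234567,RenameOldName
zXq9sT1.exe,41203,5,.\Users\itsupport\Documents,2018-04-26 18:41:02.1234567,RenameNewName|Close
zXq9sT1.exe,41203,5,.\Users\itsupport\Documents,2018-04-26 18:41:02.2000000,DataOverwrite
CustomStruct.py,41207,2,.\Users\itsupport\Documents\src,2018-04-26 18:41:03.0000000,RenameOldName
Hb7Qwe2.py,41207,2,.\Users\itsupport\Documents\src,2018-04-26 18:41:03.0000000,RenameNewName|Close
notes.txt,900,1,.\Users\itsupport\Desktop,2018-04-26 17:00:00.0000000,FileCreate|Close
"""


def parse_usn_csv(text):
    """Read the CSV, splitting the '|'-joined reasons and parsing the timestamp."""
    rows = []
    for row in csv.DictReader(io.StringIO(text.strip())):
        row["reasons"] = set(row["UpdateReasons"].split("|"))
        # Drop the 100ns fraction; seconds are enough for windowing.
        row["ts"] = datetime.strptime(row["UpdateTimestamp"][:19],
                                      "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    return rows


def rename_pairs(rows, start=None, end=None):
    """Pair RenameOldName/RenameNewName records by MFT file reference.

    The key is (EntryNumber, SequenceNumber): the journal identifies the file
    by reference, not by name, which is exactly what a wiper's rename defeats
    if you only search for the name you expect.
    """
    pending = {}  # file reference -> most recent RenameOldName record
    pairs = []
    for r in rows:
        if start is not None and r["ts"] < start:
            continue
        if end is not None and r["ts"] > end:
            continue
        key = (r["EntryNumber"], r["SequenceNumber"])
        if "RenameOldName" in r["reasons"]:
            pending[key] = r
        elif "RenameNewName" in r["reasons"] and key in pending:
            old = pending.pop(key)
            pairs.append({"time": r["ts"], "old": old["Name"],
                          "new": r["Name"], "path": r["ParentPath"]})
    return pairs


def original_names(pairs):
    """Just the pre-rename names, in journal order (the CTF's answer list)."""
    return [p["old"] for p in pairs]


if __name__ == "__main__":
    window = datetime(2018, 4, 26, 18, 41, 0)
    for p in rename_pairs(parse_usn_csv(SAMPLE_J_CSV), start=window):
        print(f"{p['time']} {p['path']}\\{p['old']} -> {p['new']}")
```

Pairing by file reference rather than by name is the point: once a wiper has renamed a file to a random string, the only thread connecting the original name to the later overwrite and delete records is the MFT entry number, so filtering on the name you are looking for will never find the rename.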