CTF on a Budget - Magnet User Summit 2019 (Part 3) - Activity

Part 1 - Desktop

For part 3, we will look at the activity portion that focuses on Sharepoint, network sessions, and notification popups.


1. Sharepoint - How many files were downloaded from the megnetic4nsics Sharepoint?
Parsed from the Chrome Downloads we can see one document was downloaded from the Sharepoint site.
In the Edge downloads we can see one zip folder was downloaded from the Sharepoint.
So we can infer that 2 files total were downloaded.

2. Sharepoint 2 - Whats the name of the archive that was retrieved from the sharepoint?
The name found in the previous question would be “OneDrive_1_3-18-2019.zip”.

3. Notify - On March 18th 2019 at 18:58:21 Selma saw a Windows popup notification. What type of notification was it?First we export the wpndatabase.db file from the following location:

We can then open the file with DB Browser for SQLite and run a simple query on the Notification table (thanks Yogesh!).

SELECT type, case ArrivalTime
when 0 then ''
else datetime((ArrivalTime/10000000) - 11644473600, 'unixepoch')
end AS ArrivalTime
From Notification
order by ArrivalTime desc

The results show that it was type “toast” for that date/time.

4. Sharepoint 4 - Which was retrieved from the sharepoint first?
From the previous questions we can see the date/times of when the files were download.

README came first on 3/14/2019 and followed by OneDrive_1_3-18-2019.zip on 3/18/2019.

5. Remote - At 6:35PM on the 18th of March, Selma logged into her account on the Desktop. What method of did she use to access the Desktop?
Filtering down to the day and the approximate time, we can see in the prefetch that TeamViewer was run right around the time period.

6. Host Name - What was the host name of the machine Selma used to remote into the Desktop at 6:35PM on the 18th of March?
Knowing that TeamViewer was used, we can find a connections log in the Program Files folder.

When opening the log, we see a list of connections, with hostnames and date/time stamps of connecting. The answer is “JHYDE-SP”.

7. Unique Access - How many unique machines accessed the Desktop via TeamViewer?
In that same "Connections_incoming.txt" log file, we can tell that there are 3 unique machines that connected. It appears that some sort of GUID is shown in column A.

8. Sharepoint 3 - What is the volume serial number of the volume the sharepoint archive was placed on (format: decimal number)?
Since we know the name of the file “OneDrive_1_3-18-2019.zip”, we can do a quick keyword search for it and look at LNK files to find the VSN.

The catch here is that it is displayed in hex so we can convert it to the preferred format of decimal (2935122090).

9. Notify 2 - Again, on the 18th of March at 18:08:57, another notification was given. What did this notification say?
Using the same file from Q2, we use the following query:

SELECT payload, case ArrivalTime
when 0 then ''
else datetime((ArrivalTime/10000000) - 11644473600, 'unixepoch')
end AS ArrivalTime
From Notification
order by ArrivalTime desc

The payload dumps out to be:

In the CDATA tag we see the message You are now syncing "OneDrive - Magnetic4nsics".

10. Bytes Sent - How many bytes total were sent out on the network via the Team Viewer Service?
You need to first dump the SRUDB.DAT file found within System32:

Once exported we can use Nirsoft’s NetworkUsageView to open and filter on Team Viewer Service, and export the associated entries to CSV. Once we open that, we can calculate the sum of the Bytes Sent to be 95681804.

(A sample of the output in NetworkUsageView)