CTF on a Budget - Magnet User Summit 2019 (Part 1) - Desktop

I got the chance to partake in the Magnet User Summit CTF once again this year with much better results (see my recap). Even though I didn't get all the answers right when I did it live, going back through on a second pass gives me a chance to finish tough questions that I couldn't get. In part one we will break down the Basic - Desktop portion of the CTF.

Note: While I did use AXIOM for a good chunk of this, we were provided a license to do so. Other wise, I used only free tools to answer the questions.

Basic - Desktop

1. Desktop Hash - What is the SHA1 Hash of the Desktop Image?

Open the E01 text file associated with the imaging process. The hash will be "a20c2f43a80ddcad35b958b701a6cdd4b67e535c".

2. Desktop Examiner - Who acquired the Desktop image?

We can look in that same imaging information file to find the examiner, M Powers.

3. Desktop VSN - What is the Volume Serial Number of the Desktop’s OS volume?

When loading up the E01 file into Axiom, clicking on Operatin System > File System Information shows the VSN in the details, CCEE-841B

4. Timezone - What is the timezone of the Desktop

Also located in the Operating System section is Timezone information, it shows Pacific Standard Time:

5. Install - Which user installed TeamViewer?

In the Shimcache, we can see execution of the “TeamViewer_Setup.exe” from the path located in the Administrator’s Downloads folder.
We can also see SRUM application usage from the same folder:
It looks like the Administrator installed it.

6. UTC Offset - What was the timezone offset at the time of imaging?

Coordinating the image information Acquisition start/finish (below) with the Pacific Standard Time timezone of the drive from Q4, we can calculate that it should be UTC-7.

7. How Many Times - At least how many times did the teamviewer_desktop.exe run?

Looking at the prefetch file associated with “teamviewer_desktop.exe” we see that the executable was run 3 times.
8. OS Install Date - When was the Windows OS installed?

In the “Operating System Information” we can see when the OS was installed, 7/28/2018 on 7:27:53 AM.

9. File Name - What is the name of the file associated with MFT entry number 102698?
Since AXIOM doesn’t process MFT files, we can export the $MFT from root and parse it using Eric Zimmerman’s MFTECmd. Once the CSV is exported we can load it into Timeline Explorer, filter on “Entry Number” and see file name, "TeamViewer_Setup.exe".

10. Sequence Number - What is the MFT sequence number associated with the file "\Users\Administrator\Desktop\FTK_Imager_Lite_3.1.1\FTK Imager.exe"?

Similar to the last question, we can load the MFT report into Timeline Explorer, this time filtering on the File Name column and the answer is there in the Sequence Number, 4.

11. USN - Which file name represents the USN record where the USN number is 546416480?

Looking at the UsnJrnl artifacts, we can filter on the Update Sequence Number and see it was associated with file "TransportSecurity~RF134e6674.TMP".

12. IP - What is the IP address of the Desktop?

Under Network Interfaces, we can find the Ethernet adapter shows the IP address as

13. Who Shut it Down - Which User Shutdown Windows on February 25th 2019?

We can look at the Windows Event logs and filter on event ID 1074. This shows the following for that day:

We can then look up the user profile associated, which was the Administrator.

14. Sha What - What is the SHA1 hash of the c:\users\selmabouvier\appdata\local\packages\microsoft.microsoftedge_8wekyb3d8bbwe\tempstate\downloads\megasyncsetup (1).exe file?

We can find the file in the folder structure and export. Once exported we can drag and drop the file into Nirsoft’s HashMyFiles to find the SHA1, 082129a2b431f36a194f2594e3987e31b22dc5ea.

15. Execute Where - After looking at the TEAMVIEWER_DESKTOP.EXE prefetch file, which path was the executable in at the time of execution?

For some reason AXIOM doesn’t parse the execution path (from what I saw), so we can export the prefetch file and dump it into Nirsoft’s WinPrefetchView to see that:

The path is: 


16. File Name 2 - What is the file name that represented MFT entry 60725 with a sequence number of 10?

For this, we want to look at parsing the UsnJrnl $J file. We can export the file and parse it using MFTECmd using the $J switch. Once the CSV is exported throw it into Timeline Explorer and filter on Entry Number and Sequence Number columns. The file is "telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64bebb-ac28-4cc7-bd52-570c8fe077c9-7717.json.new"