It's the fifth year for Bloomsburg University's BloomCON Forensics and Cybersecurity Conference since last year's got postponed due to the pandemic. This year they pivoted to a virtual one like most others out there. The Forensics CTF competition was 10 questions and consisted of a single hard drive image and I'm always excited to try my hand at my alma mater's challenges.
Welcome to BloomCON Forensics Challenge. In this challenge you will be asked various questions regarding a raw forensics image. From there you can import the image to any forensics tool of your choice (Hint: use FTK imager and Autopsy for Free). You've been told by police that the user of this image is accused of hacking Polstra International Airport. Your job is to find any evidence supporting such a claim by answer the following questions.
What OS and specific version is running on this disk?
Pulled from the SOFTWARE registry hive, we can see that the machine was running "Windows 10 1909".
What is the computer's name?
Pulled from the SYSTEM registry hive, we can see that the computer's name was "APPLEII".
What is the user name of the primary user?
Two locations can reveal this fairly quickly. We can look at the C:\Users for hints of what user folders were created on the system or we can dive back into the SOFTWARE registry hive. As seen below "David Schwarez" was the only user folder and he was listed as the owner of the device.
What timezone is running?
Pulled from the SYSTEM registry hive once more, we can see the computer was set to the "Alaskan Standard Time" timezone.
What did the suspicious device user search for on ebay? What does it do?
Running a quick Web History parse through Autopsy we can look at what the user was searching for through Mozilla Firefox. We can see the user was searching for "USB Rubber Ducky" which is a well known keystroke injection tool from Hak5.
Are there any suspicious programs installed? What are they and what do they do?
Using the Recent Activity module from Autopsy, we can pull out Installed Applications from the SOFTWARE registry hive. We see two suspicious entries, NMAP and NPCAP, which are used for network mapping and packet capture.
What is the user's browser of choice?
What individual was the user fascinated with?
Pulling from the Firefox history we can see some searches and social media profiles for "Dr. Phil Polstra". Phil you might have a fan! :)
What is step 2?
I went down a bit of a rabbit hole on this one. I had originally found a cached webpage that had some steps for learning to fly but after further analysis it seemed like an ad and not something that would be created through the CTF.
What animal is "this cutie"?
The user had a file name this at the following path:
C:\Users\David Schwarez\Downloads\This cutie.exe
I found it odd to be an executable so a quick look at the hex for the file revealed that it appeared there was a JPEG file embedded inside or that some extra header information for an executable was added to it to mask the file. As you can see below we see the header FFD8 hex values for a JPEG (the footer FFD9 was also the end of the file).