Cellebrite CTF 2021 - Marsha's PC

Previous: Heisenberg's Android | Beth's iPhone | Marsha's iPhone

Marsha's PC had the most questions of all the devices but was probably the easiest.

Evidence: https://d17k3c8pvtyk2s.cloudfront.net/CTF21/CTF21_Marsha_PC_Physical_DC_2021-07-29.zip.001
https://d17k3c8pvtyk2s.cloudfront.net/CTF21/CTF21_Marsha_PC_Physical_DC_2021-07-29.zip.002
https://d17k3c8pvtyk2s.cloudfront.net/CTF21/CTF21_Marsha_PC_Physical_DC_2021-07-29.zip.003
https://d17k3c8pvtyk2s.cloudfront.net/CTF21/CTF21_Marsha_PC_Physical_DC_2021-07-29.zip.004
https://d17k3c8pvtyk2s.cloudfront.net/CTF21/CTF21_Marsha_PC_Physical_DC_2021-07-29.zip.005

Password: 02DB2ECE91DB67E8FA939FC3DC15D16B

Backup and syncing data (10 points)

Were any backups located on the PC? If so, what is the name of the device that was backed up?

If we mount the E01 image we can navigate to the following path to see the iTunes backup:

C:\Users\marsh\Apple\MobileSync\Backup

We can open up the Info.plist file from the base of the backup folder to see what the name of the device is. As we can see below it was "Marsha's iPhone".

Figure 1: Info.plist

User Activity (10 points)

When did Marsha last change the password on her PC? (The answer must be shown as YYYY-MM-DD HH:MM:SS)

For password change information we want to pull the SAM file from the path:

C:\Windows\System32\config\SAM

Loading it into Eric Zimmerman's RegistryExplorer we can look at the users bookmark and see the last password change was on 2021-03-23 19:22:12.

Figure 2: SAM registry file in RegistryExplorer

Settings and Notifications (10 points)

What is Marsha's timezone set to on her PC? (Make sure your answer says THIS STANDARD TIME. The word "time" must be in your answer.)

Let's pull the SYSTEM registry hive from:

C:\Windows\System32\config\SYSTEM

Load this into RegistryExplorer and look at the TimeZoneInformation bookmark for the answer, Pacific Standard Time.

Figure 3: SYSTEM registry TimeZoneInformation in RegistryExplorer

Application Analysis (10 points)

Marsha searched for anti-forensic methods on her PC. What did she search for other than "how to wipe my data" in regards to securing her phone?

A quick and dirty way to pull web history is by mounting the E01 image with Arsenal Image Mounter and then running Nirsoft's BrowsingHistoryView. We can then save the results out to a CSV and load it into Eric Zimmerman's TimelineExplorer to filter. Using "Google Search" as a title filter, we can see that Marsha searched for "encrypt my fone".

Figure 4: Browser history filtered in TimelineExplorer

Device Connections (10 points)

What was the drive letter associated to the media from which Digital Collector was run? (Make sure the form is as follows h:\)

There are two locations that this answer can be pulled out of. The first is UserAssist, which is pulled from the NTUSER.DAT at the path:

C:\Users\marsh\NTUSER.DAT

You can utilize your favorite forensics tool to pull out the UserAssist info, but I used KAPE/RECmd to get the report. Opening the report in TimelineExplorer we can filter the "Program Name" column for DigitalCollector and see that it was run from the D:\ drive.

Figure 5: UserAssist execution of DigitalCollector

We can also get this answer from the Windows Timeline artifacts. The file of interest can be collected from:

C:\Users\marsh\AppData\Local\ConnectedDevicesPlatform\a68d86f38faa7208\ActivitiesCache.db

Once again we can parse this with KAPE/WxTCmd and open the ActivityOperations report in TimelineExplorer. We can filter on the "Executable" for DigitalCollector and again see it was found on the D:\ root.

Figure 6: Windows Timeline parsed

Device Identification (10 points)

Which operating system is running on Marsha's PC?

Let's look at the SOFTWARE registry file from:

C:\Windows\System32\config\SOFTWARE

We will load it up into RegistryExplorer and navigate to:

ROOT\Microsoft\Windows NT\CurrentVersion

Looking for the ProductName value, we can see the computer was running Windows 10 Pro.

Figure 7: ProductName from SOFTWARE registry file 

User Activity (20 points)

Some computers have settings to force password resets. Marsha's PC does not have this rule set. Which user key stores this information?

Once again we'll load up the SAM registry file into RegistryExplorer. We can navigate to the following:

ROOT\SAM\Domains\Account\Users

Each user on the system has their own subkey here. Clicking through, we can see that 000003E9 belonged to Marsha, as the GivenName and Surname values show. Her forced password reset was not set.

Figure 8: 000003E9 key related to Marsha

User Activity (20 points)

On Marsha's PC, what is the path for how the user landed on a directory named "DELETEME"? (Provide the full path as the user would see it. For example: c:\users\marsha\desktop\deleteme)

Shellbags are a great resource for showing what folders a user navigated through. We can first load up the UsrClass.dat from the following path into Eric Zimmerman's ShellbagsExplorer:

C:\Users\marsh\AppData\Local\Microsoft\Windows\UsrClass.dat

A quick expansion shows that the full folder path was E:\CTF2\Marsha Laptop\DELETEME.

Figure 9: UsrClass.dat opened in ShellbagsExplorer

Application Usage (20 points)

How many times was OneNote run on Marsha's PC?

Parsing the Prefetch folder at the following path will help us get the answer:

C:\Windows\Prefetch

We'll load it up in Nirsoft's WinPrefetchView for this simple parse, but Eric's PECmd command-line tool works well too. We can quickly see OneNote was run 2 times.

Figure 10: OneNote run count in WinPrefetchView

Application Analysis (20 points)

What was the high temperature provided in the Bing weather notification on Marsha's PC? (Answer must be provided as an integer ie 72)

The keyword here is notification. Windows 10 has notifications that you can find in the bottom right hand corner of the desktop near the clock. The database that stores these is found at:

C:\Users\marsh\AppData\Local\Microsoft\Windows\Notifications\wpndatabase.db

Opening the database, we can go to the "Notifications" table and filter on the "Payload" column for weather. There are 4 entries we can look at. Each payload is an embedded XML document which we can export and open in a text editor. Out of them all, the highest temperature I saw was 89 degrees, found in notification ID 3762.
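
Automating the "export each payload and read it" step, as an added example that is not part of the original write-up: the table layout and the toast XML rows below are constructed stand-ins for a wpndatabase-style notification store, not the real schema, so adjust the table and column names to whatever the actual database exposes.

```python
"""Pull temperature readings out of toast-notification payloads in a SQLite store.

Constructed sample (not real CTF data): a simplified Notification table with
Id, Type and an XML Payload blob, loosely modelled on wpndatabase.db.
"""
import re
import sqlite3
import xml.etree.ElementTree as ET

# Constructed sample rows: three Bing-Weather-style toasts plus an unrelated one.
SAMPLE_ROWS = [
    (3760, "toast", b"<toast><visual><binding template='ToastGeneric'>"
                    b"<text>Bing Weather</text><text>Tonight: Low 62\xc2\xb0</text>"
                    b"</binding></visual></toast>"),
    (3761, "toast", b"<toast><visual><binding template='ToastGeneric'>"
                    b"<text>Bing Weather</text><text>High 84\xc2\xb0 Low 61\xc2\xb0</text>"
                    b"</binding></visual></toast>"),
    (3762, "toast", b"<toast><visual><binding template='ToastGeneric'>"
                    b"<text>Bing Weather</text><text>High 89\xc2\xb0 Low 64\xc2\xb0</text>"
                    b"</binding></visual></toast>"),
    (3763, "toast", b"<toast><visual><binding template='ToastGeneric'>"
                    b"<text>Mail: 2 new messages</text></binding></visual></toast>"),
]

TEMP_RE = re.compile(r"(-?\d{1,3})\s*\u00b0")  # e.g. "89°"

def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Notification (Id INTEGER, Type TEXT, Payload BLOB)")
    conn.executemany("INSERT INTO Notification VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn

def temperatures_in_payload(payload: bytes):
    """Return every 'NN°' value found in the toast's <text> nodes, in document order."""
    root = ET.fromstring(payload.decode("utf-8", errors="replace"))
    temps = []
    for node in root.iter("text"):
        temps += [int(m) for m in TEMP_RE.findall(node.text or "")]
    return temps

def weather_notifications(conn, keyword="weather"):
    """[(Id, temps)] for payloads whose XML mentions `keyword` (LIKE is case-insensitive)."""
    cur = conn.execute("SELECT Id, Payload FROM Notification "
                       "WHERE CAST(Payload AS TEXT) LIKE ?", (f"%{keyword}%",))
    return [(nid, temperatures_in_payload(p)) for nid, p in cur]

def highest_temperature(conn):
    """(Id, temp) of the hottest reading across all weather toasts, or None."""
    best = None
    for nid, temps in weather_notifications(conn):
        for t in temps:
            if best is None or t > best[1]:
                best = (nid, t)
    return best
```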

Figure 11: Bing Weather notification from wpndatabase.db

Native Applications (20 points)

When was cmd.exe last run on Marsha's PC? Answer must be provided in YYYY-MM-DD HH:MM:SS.

Back to Prefetch we go. WinPrefetchView shows that CMD was last run on 2021-07-30 02:13:55.

Figure 12: CMD Prefetch record

User Activity (20 points)

How many times did Marsha log into her computer on July 24, 2021? (The answer must be in an integer)

First, we want to pull out the Security.evtx file from the path:

C:\Windows\System32\config\winevt\logs\Security.evtx

The easiest way is to just load up KAPE with the mounted E01 from Arsenal Image Mounter and run Eric Zimmerman's EvtxECmd module across the Security event log. After doing so we can open the results in TimelineExplorer. We want to first filter on the day, 7/24/2021, in the "Time Created" column, reducing our total lines from 31,761 to 6,507. Next we can filter on "Event ID" looking at 4624, the ID for Logon Events (per the SANS poster). This reduces it down further to 337 lines.

Next we can filter on the "Payload" column for marsh to narrow our results to only those related to Marsha, resulting in 16 lines. We get two types of LogonType:
  • 7 = "Credentials used to unlock screen"
  • 11 = "Cached credentials used to logon"
Because LogonType 7 may include unlocks and not specifically logons, I pivoted to LogonType 11, which resulted in 10 lines. Viewing the "Time Created" once more, we see that each specific time is duplicated, so really we get 5 logons, the answer.
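
The same filter-and-deduplicate logic in code, as an added example that is not part of the original write-up: the rows below are constructed, and the column layout is a simplified stand-in for an EvtxECmd-style CSV export rather than its exact schema.

```python
"""Count a user's logons on one day from exported 4624 records.

Constructed sample rows (not real CTF data) in a simplified CSV layout:
EventRecordId, TimeCreated, EventId, TargetUserName, LogonType.
"""
import csv
import io
from collections import Counter
from datetime import date

# Constructed sample: same-second 4624 pairs, an unlock (type 7), a SYSTEM
# logon, a logoff (4634) and a next-day logon that must all be handled.
SAMPLE_CSV = """\
EventRecordId,TimeCreated,EventId,TargetUserName,LogonType
1001,2021-07-24 08:01:10,4624,marsh,11
1002,2021-07-24 08:01:10,4624,marsh,11
1003,2021-07-24 08:01:12,4624,SYSTEM,5
1004,2021-07-24 12:30:44,4624,marsh,7
1005,2021-07-24 13:15:02,4624,marsh,11
1006,2021-07-24 13:15:02,4624,marsh,11
1007,2021-07-24 13:15:05,4634,marsh,11
1008,2021-07-25 09:00:00,4624,marsh,11
"""

def load_rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def _matches(row, user, day):
    """4624 for `user` (substring match, like the Payload filter) on `day`."""
    return (row["EventId"] == "4624"
            and user in row["TargetUserName"].lower()
            and row["TimeCreated"].startswith(day.isoformat()))

def logon_type_breakdown(rows, user, day):
    """Raw 4624 line count per LogonType, before de-duplication."""
    counts = Counter(int(r["LogonType"]) for r in rows if _matches(r, user, day))
    return dict(counts)

def count_distinct_logons(rows, user, day, logon_type=11):
    """Distinct 4624 timestamps for `logon_type`: same-second records are
    collapsed, because one logon commonly produces two 4624 entries."""
    seen = {r["TimeCreated"] for r in rows
            if _matches(r, user, day) and int(r["LogonType"]) == logon_type}
    return len(seen)

if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    print(logon_type_breakdown(rows, "marsh", date(2021, 7, 24)))  # {11: 4, 7: 1}
    print(count_distinct_logons(rows, "marsh", date(2021, 7, 24)))  # 2
```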

Figure 13: Logons for Marsha in EventLogs via TimelineExplorer

Device Connections (20 points)

How many times was the USB with the serial number "116500000000000AABB" inserted into Marsha's PC between April 10, 2021 - Jun 18, 2021?

USB Detective does a really good job of correlating lots of artifacts into a timeline report for this. These are the files that it asks for, but the easier way is to load the logical drive of the mounted E01 file.

Figure 14: USB Detective file/folder locations

The timeline report can be filtered on the serial number (for some reason it was reversed, but easy to find). Comparing timestamps with record numbers, I counted 10 connections.

Figure 15: USB Detective timeline report filtered

Device Connections (50 points)

When was Beth's device trusted on Marsha's PC? A trust is something the user must establish between the device and the PC. (Answer must be in YYYY-MM-DD HH:MM:SS)

When a mobile Apple device is connected and trusted, a plist file is generated at the path:

C:\ProgramData\Apple\Lockdown

Each device gets its own trusted plist. On Marsha's PC we can see two here, one for Beth's phone and one for Marsha's phone (presumed). In the contents of the plist we can see at the bottom a WiFi MAC address which correlates to the iPhone. On the iLEAPP report we can see Beth's phone's address matches what is found in the b55ba243f68ecdaae6aeb982a014b9afce6f7b46.plist file.

Figure 16: iLEAPP device details for Beth's phone

Figure 17: trust certificate plist info

Now that we know that is the specific file, we can look at the creation date of the plist file and convert it to 24-hour format to get the answer, 2021-04-06 22:32:34.

Figure 18: trust certification metadata