Previous: Cipher | Windows Server | iOS 16 iPhone
As conference season ramps up we have more CTF competitions to play! Jessica Hyde and the students from the Champlain DFA group created another one for the Magnet Virtual Summit (and the in-person summit coming up in April 2023). The fun part of these are that we always get something new. This post for instance we will dive into a Windows 11 image. Let's get started.
Tools Used:
Evidence: PC-MUS-001.E01
Gmail? Outlook? Yeah, right.. (5 points)
What non-standard email service has the user used previously?
Based off the title, we aren't looking for Gmail or Outlook (company) email services. In AXIOM we can look at Refined Results > User Accounts (pulled from Chrome Logins) to see that Michael Borchardt had Protonmail address.
Figure 1: Protonmail via Chrome Login
This is also confirmed through Chrome via Autofill and Web History.
Two different versions, twice the emulation power! Makes sense to me!
The user installed and ran a mobile device emulation program on their system. Which 2 versions of this software did the user install? (Format: SoftwareName V1/V2)
I saw some interesting discrepancies across the 3 tools. Autopsy failed to pulled any install details from the NTUSER.DAT hive. KAPE/RECmd was missing some entries which through off the results (working on finding the issue currently). I ended up going into AXIOM and finding the answer quickly.
Under the Application Usage > Installed Programs section we can see that BlueStacks has two entries pulled from two locations:
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BlueStacks_nxt
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Uninstall\BlueStacks X
Figure 2: Installed Programs via AXIOM
The answer was "BlueStacks 5/X".
LITEning fast write speeds! (5 points)
The user's system is equipped with a 256GB NVMe SSD. What is the make and model of this drive?
Some times a quick keyword search is best. Looking at the title of the question if you use "LITE" in AXIOM, you get an Identifiers - Device with the answer. It should be "LITEON CA1-8D256-HP".
Figure 3: Identifiers - Device in AXIOM
It looks like if we dig into the SYSTEM registry hive we could find it.
Really...? Plaintext...? (10 points)
The user frequently accesses a Chrome Remote Desktop virtual machine. What password is used to log into this VM?
From just briefly viewing the folder structure of the E01 image, there was a text file on the Desktop of the user "borch". The file in question is "Employee Logins.txt" and the answer was ",a]JEU0yG^+]2O]" because Google VM would be associated with Chrome Remote Desktop.
Figure 4: Employee Logins.txt file in Autopsy
Why was 6 afraid of 7? Because 7 can unarchive virtual drives! (10 points)
Within the past 2 years, a popular unarchiving program gained the ability to unarchive VHDX virtual disk images. What version of the program was this upgrade implemented?
I took a stab in the dark and just went to Google. I assumed 7Zip because I couldn't think of any other unarchiving application that is popular. Sure enough, they implemented VHDX support in version "21.07".
Figure 5: Google search for 7-Zip VHDX support
We're not in Kansas anymore... (25 points)
The user has established an RDP connection to one destination more than any other. What is the Geolocation of this destination? (Format: City, ST)
In AXIOM you can navigate down to the Connected Devices > Remote Desktop Protocol section. If you scroll over to and sort the Destination IP Address column we can see that there were only two different IP addresses.
Figure 6: RDP Destination IPs in AXIOM
We can see a bunch more connections to IP 34.162.97.100 more than the other. A quick Google search results in plenty of IP lookup sites. We can the IP belongs to a Google datacenter in "Columbus, OH".
Figure 7: IP address lookup results
Make sure to keep some tabs on that SysAdmin from Southern California (25 points)
The user visited the Mastodon page of one user more than any others on the platform. What is the full legal name of the user Michael visited?
Starting with a quick search for Mastodon in AXIOM resulted in narrowing down the scope to mostly Chrome artifacts. Viewing the Chrome Web Visits, we see there was only one profile that was accessed.
Figure 8: Mastodon Chrome Visit profile
If we go to that URL and take a look at the contact info, they had their LinkedIn profile attached which belonged to "Armin Briegel".
Figure 9: Mastodon profile visited
We have a History of attracting some sizeable donors with our projects (25 points)
Michael used PowerShell to clone a particular GitHub utility. What is the account name of one of this repo's most prominent sponsors?
The PowerShell history file lives typically at the following path:
C:\Users\borch\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
Opening the file in a text editor, we can see only one GitHub repository was accessed, https://github.com/LSPosed/MagiskOnWSALocal. Looking down on the right side is the main sponsor which was "yujincheng08".
Figure 10: GitHub repository
Scratch that Itch.io (25 points)
The user viewed a YouTube video by the creator BenBonk surrounding video game developers. Within this video, how many developers were involved with the project?
Figure 11: YouTube Chrome History entries
After clicking through each URL, only one was a video by BenBonk, which was the "20 Game Developers Mad This Game". The answer was 20.
Figure 12: BenBonk YouTube video
The breakfast bell is ringing (50 points)
The user has been doing some research lately on fast food items. What is, according to some experts, the unhealthiest food item of the bunch?
When I read the question I knew right away I was looking for something related to Taco Bell. One entry in Chrome Web History hits on a YouTube video ranking Taco Bell items.
Figure 13: Chrome Web History for Taco Bell
If you watch the video at around the 9:42 mark the doctor says what the least healthiest item is, and that trophy goes to the "breakfast crunchwrap sausage supreme".
Figure 14: Yum...
Oh Deer...I think we're lost (50 points)
Michael lives just a mile south of a beautiful body of water. What is the name of this body of water?
When I think of locations one of the first things I go to is Chrome Autofill. People tend to keep their home, work or other addresses there so they don't have to fill them out manually each time. Autofill can be parsed from:
C:\Users\borch\AppData\Local\Google\Chrome\User Data\Default\Web Data
As we can see we get only one street in an address line:
Figure 15: Chrome Autofill address
We can see "302 Priestford Rd". Entering this into Google Maps we see only one hit matches, found in Churchville, Maryland. Since this is south of the water, if we look north just a bit we see the address is near "Deer Creek".
Figure 16: Deer Creek via Google Maps
Gotta Git going fast with some Accelrated emulation! (50 points)
In order to emulate an Android device, the user required some specialized management tools. What Android port is used by default with these services?
There are a few ways to solve this depending on what toolsets you have. The "easy" way is to look at the Installed Programs and see WSA PacMan which is a package manager application for the Windows Subsystem for Android (a new emulation system in Windows 11).
If you go to the GitHub page for WSA PacMan (also found in Chrome History), you can see some sample screenshots of the application. You can see the local host IP address along with the default port number of "58526".
Figure 17: WSA PacMan default settings
Now for the fun more interesting way. If you have the professional version of Arsenal Image Mounter, you can actually mount the E01, bypass the Windows login and get access to the settings themselves. Or if you have a Windows 11 computer you can just install WSA yourself and see what they are.
Figure 18: WSA Settings
I'm actually going to be looking further into WSA and seeing what capabilities we have as forensic examiners, because there is always more research to be done with new features.
PCA - Program Clang Assistant? (100 points)
The user has installed Android Studio with a specialized plugin dedicating to diagnosing and fixing some programming errors. When this plugin runs, what exit code is used upon completion?
This question appeared to be much more difficult than what it actually was. Originally I was diving down the route of trying to run Android Studio and the sample application that was created by the computer owner but that posed issues and no real solutions.
It was only after reading and re-reading the question title and question way too many times to count that it clicked. I tried a quick search for "clang" across the image and noticed a Prefetch hit for cland-tidy.exe.
Figure 19: Clang-tidy Prefetch entry
The other half of the clue in the title was PCA. What some may not know is that there is a new artifact of potential execution in Windows 11. Thanks to the excellent first writeup from Andrew Rathbun and Lucas Gonzalez we have a bit more details on what it entails. From the blog we can go to the folder path of:
C:\Windows\appcompat\pca
Inside are three files, but only one of interest, which was PcaGeneralDb0.txt. What we get are timestamps, executable paths, and exit codes! A quick search for "clang" shows 6 entry hits all with the exit code of "0xc0000135".
Figure 20: PcaGeneralDB0.txt clang entries
Just goes to show that any new artifact is game when it comes to CTF questions, which only drives the research and analysis further. And with that ends the write-up for the Windows 11 image.