Writeup: Magnet User Summit DFIR CTF 2019-Activity
The recent Magnet User Summit DFIR CTF Challenge was released to the public. I also took this opportunity to get familiar with the Magnet AXIOM software.
This part covers the challenges that tie into the MUS-CTF-19-DESKTOP-001.E01 evidence file provided.
Sharepoint 1 (5 points)
How many files were downloaded from the magnetic4nsics Sharepoint?
One was the OneDrive zip from the Edge browser, and the other was a README file from the Chrome browser.
Sharepoint 2 (5 points)
What's the name of the archive that was retrieved from the sharepoint?
On March 18th 2019 at 18:58:21 Selma saw a Windows popup notification. What type of notification was it?
The notification database is located in the path below. From there the timestamps needed to be converted from the Windows FILETIME format (100-nanosecond ticks since 1601-01-01) to UTC.
Sharepoint 4 (5 points)
Which was retrieved from the sharepoint first?
18/03/2019 6:45:37 PM — Onedrive
14/03/2019 7:52:37 PM — Readme
At 6:35PM on the 18th of March, Selma logged into her account on the Desktop. What method did she use to access the Desktop?
I first looked in the RDP event logs but couldn't find an entry. Next were the TeamViewer logs (a quick Google search told me where to look). These confirmed there was a connection by Selma.
Host Name (5 points)
What was the host name of the machine Selma used to remote into the Desktop at 6:35PM on the 18th of March?
Unique Access (5 points)
How many unique machines accessed the Desktop via TeamViewer?
Sharepoint 3 (10 points)
What is the volume serial number of the volume the sharepoint archive was placed on (format: decimal number)?
The file was on the D: drive. LNK files are a good source for the volume serial number, since the LinkInfo block records the serial of the volume the target lived on. The serial number AEF2-68AA needs to be converted from hex to decimal.
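The step above, as an added example that is not part of the original writeup or any Magnet tooling: a small parser for the ShellLink (.lnk) LinkInfo/VolumeID structures that pulls out the drive serial, reports it in both the hex form Windows displays and the decimal form the challenge asks for, and returns the local base path as well. The sample .lnk is constructed in code (the serial AEF2-68AA is the one from the writeup; the volume label and the path are made-up values); the parser handles only the ANSI volume label and skips the Unicode-label variant.

```python
import struct
import sys

# Build a minimal, constructed .lnk: 76-byte ShellLinkHeader + LinkInfo block.
# This is sample data, not a file taken from the evidence image.
def build_sample_lnk(serial=0xAEF268AA, label=b"DATA", path=b"D:\\Downloads\\archive.zip"):
    clsid = bytes.fromhex("0114020000000000c000000000000046")  # ShellLink CLSID
    link_flags = 0x02  # HasLinkInfo set, HasLinkTargetIDList clear
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, clsid, link_flags, 0,
                         0, 0, 0,            # creation / access / write FILETIMEs
                         0, 0, 1, 0, 0, 0, 0)  # size, icon, SW_SHOWNORMAL, hotkey, reserved
    # VolumeID: size, DriveType (3 = DRIVE_FIXED), DriveSerialNumber, VolumeLabelOffset
    volume_id = struct.pack("<IIII", 16 + len(label) + 1, 3, serial, 16) + label + b"\x00"
    local_base = path + b"\x00"
    suffix = b"\x00"                      # empty CommonPathSuffix
    li_header_size = 28
    vol_off = li_header_size
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(local_base)
    li_size = suffix_off + len(suffix)
    # LinkInfoFlags 0x1 = VolumeIDAndLocalBasePath present
    link_info = struct.pack("<7I", li_size, li_header_size, 0x1,
                            vol_off, base_off, 0, suffix_off)
    return header + link_info + volume_id + local_base + suffix


def _cstring(data, offset):
    end = data.index(b"\x00", offset)
    return data[offset:end].decode("latin-1")


def parse_lnk_volume(data):
    """Return volume serial (hex and decimal), drive type, label and local path
    from a ShellLink blob, or None when the link has no local VolumeID."""
    header_size, = struct.unpack_from("<I", data, 0)
    if header_size != 0x4C:
        raise ValueError("not a ShellLink header")
    link_flags, = struct.unpack_from("<I", data, 20)
    offset = header_size
    if link_flags & 0x01:  # HasLinkTargetIDList: skip IDListSize + IDList
        idlist_size, = struct.unpack_from("<H", data, offset)
        offset += 2 + idlist_size
    if not link_flags & 0x02:  # HasLinkInfo
        return None
    (_li_size, _li_hdr, li_flags, vol_off, base_off,
     _net_off, _suffix_off) = struct.unpack_from("<7I", data, offset)
    if not li_flags & 0x01:  # network-only target, no VolumeID
        return None
    vol = offset + vol_off
    _vol_size, drive_type, serial, label_off = struct.unpack_from("<4I", data, vol)
    # label_off == 0x14 means a VolumeLabelOffsetUnicode field follows; not handled here
    label = _cstring(data, vol + label_off) if label_off != 0x14 else None
    return {
        "serial_hex": f"{serial >> 16:04X}-{serial & 0xFFFF:04X}",
        "serial_dec": serial,
        "drive_type": drive_type,
        "volume_label": label,
        "local_base_path": _cstring(data, offset + base_off),
    }


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_lnk()
    print(parse_lnk_volume(blob))
```

Run it with a path to a real .lnk to parse that file, or with no argument to parse the constructed sample. Note that the serial in a LinkInfo block identifies the volume as it was when the link was created, so a reformatted drive will show a different serial in newer links.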
Notify 2 (10 points)
Again, on the 18th of March at 18:08:57, another notification was given. What did this notification say?
Answer: You are now syncing “OneDrive — Magnetic4nsics”
I converted the target time to the FILETIME value 131974061370000000. The notification closest to this time reads:
You are now syncing “OneDrive — Magnetic4nsics”
You can edit files in “OneDrive — Magnetic4nsics”. Click here to view your files.
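The timestamp handling used for both notification questions (the earlier one at 18:58:21 and this one at 18:08:57), as an added example that is not part of the original writeup: FILETIME to UTC conversion in both directions, then the "find the notification nearest a target time" lookup run against a notification table. The table is an in-memory SQLite database with constructed rows; the column names (Id, Type, Payload, ArrivalTime) follow the Notification table in wpndatabase.db as I understand it, and the payloads are shortened to plain text where the real database stores toast XML.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME (100-ns ticks since 1601-01-01 UTC) -> timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Aware datetime -> FILETIME ticks (whole microseconds; any zone is accepted)."""
    if dt.tzinfo is None:
        raise ValueError("pass a timezone-aware datetime so the UTC offset is known")
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


# Target from the writeup: 18 March 2019 18:08:57 UTC.
TARGET = datetime(2019, 3, 18, 18, 8, 57, tzinfo=timezone.utc)

# Constructed rows, not contents of the evidence image.
SAMPLE_ROWS = [
    (1, "toast", "Your PC will restart tonight",
     datetime_to_filetime(TARGET - timedelta(hours=2))),
    (2, "toast", 'You are now syncing "OneDrive - Magnetic4nsics"',
     datetime_to_filetime(TARGET + timedelta(seconds=4))),
    (3, "tile", "Weather updated",
     datetime_to_filetime(TARGET + timedelta(minutes=50))),
]


def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Notification "
                 "(Id INTEGER, Type TEXT, Payload TEXT, ArrivalTime INTEGER)")
    conn.executemany("INSERT INTO Notification VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def nearest_notification(conn, target, max_skew=timedelta(minutes=1)):
    """Row whose ArrivalTime is closest to target (datetime or FILETIME int),
    or None if the closest row is further away than max_skew."""
    target_ft = datetime_to_filetime(target) if isinstance(target, datetime) else target
    row = conn.execute(
        "SELECT Id, Type, Payload, ArrivalTime FROM Notification "
        "ORDER BY abs(ArrivalTime - ?) LIMIT 1", (target_ft,)).fetchone()
    if row is None:
        return None
    arrival = filetime_to_datetime(row[3])
    skew = abs(arrival - filetime_to_datetime(target_ft))
    if skew > max_skew:
        return None  # nothing in the window; avoid reporting an unrelated toast
    return {"Id": row[0], "Type": row[1], "Payload": row[2],
            "ArrivalTime": arrival, "skew_seconds": skew.total_seconds()}


if __name__ == "__main__":
    print(datetime_to_filetime(TARGET))          # 131974061370000000
    print(nearest_notification(build_sample_db(), TARGET))
```

To run it against an extracted wpndatabase.db, replace `build_sample_db()` with `sqlite3.connect("wpndatabase.db")`; the `max_skew` guard keeps a query for a time with no nearby notification from silently returning the closest unrelated one.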
Bytes Sent (10 points)
How many bytes total were sent out on the network via the Team Viewer Service?
The SRUM (System Resource Usage Monitor) records resource use by desktop applications, services, Windows apps and network connections. It is saved in the file C:\Windows\system32\sru\SRUDB.dat (I used this tool by Mark Baggett to parse it). I just needed to export the network usage data and add up the bytes sent in Excel.
I'll continue to slowly work away at these challenges when I get some more free time.
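The same summation done in code instead of a spreadsheet, as an added example that is not part of the original writeup or of the SRUM parsing tool it mentions. The CSV is constructed; the column names (Application, BytesSent, BytesRecvd) are an assumption about how a network-usage export looks once AppId and UserId have been resolved, so adjust them to whatever headers your export actually carries.

```python
import csv
import io

# Constructed export of SRUM network-usage rows; not the real SRUDB.dat contents.
# SRUM writes one row per application per hourly flush, so the same executable
# appears repeatedly and the totals have to be summed across rows.
SAMPLE_CSV = r"""TimeStamp,Application,User,BytesSent,BytesRecvd
2019-03-18 18:00:00,\Device\HarddiskVolume1\Program Files (x86)\TeamViewer\TeamViewer_Service.exe,S-1-5-18,10240,4096
2019-03-18 18:00:00,\Device\HarddiskVolume1\Windows\System32\svchost.exe,S-1-5-18,2048,8192
2019-03-18 19:00:00,\Device\HarddiskVolume1\Program Files (x86)\TeamViewer\TeamViewer_Service.exe,S-1-5-18,30720,1024
2019-03-18 19:00:00,\Device\HarddiskVolume1\Program Files (x86)\TeamViewer\TeamViewer.exe,S-1-5-21-1111-2222-3333-1001,512,256
"""


def sum_bytes_sent(csv_text, app_substring, app_col="Application", sent_col="BytesSent"):
    """Total BytesSent over rows whose application path contains app_substring
    (case-insensitive). Returns (grand_total, {application_path: subtotal})."""
    total = 0
    per_app = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        app = row[app_col]
        if app_substring.lower() not in app.lower():
            continue
        sent = int(row[sent_col].replace(",", ""))  # tolerate "10,240"-style exports
        total += sent
        per_app[app] = per_app.get(app, 0) + sent
    return total, per_app


if __name__ == "__main__":
    # The question asks about the TeamViewer service specifically, so match the
    # service executable rather than everything under the TeamViewer folder.
    total, breakdown = sum_bytes_sent(SAMPLE_CSV, "TeamViewer_Service")
    print(total)
    for app, n in breakdown.items():
        print(f"{n:>10}  {app}")
```

Matching on the executable name rather than the folder matters here: the sample shows that the GUI process and the service are separate rows, and only the service rows belong in the answer to a question about the service. To use a real export, read the file into a string and pass it as `csv_text`.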