Writeup: Magnet User Summit DFIR CTF 2019-Activity

The recent Magnet User Summit DFIR CTF Challenge was released to the public. I also took this opportunity to get familiar with the Magnet AXIOM software.

Link to CTF: https://mus2019.ctfd.io/
Other Parts:
- Mobile
- Basic-Desktop
- Secret Project

Activity

This part ties into the MUS-CTF-19-DESKTOP-001.E01 evidence file provided.

Sharepoint 1 (5 points)

How many files were downloaded from the magnetic4nsics Sharepoint?

Answer: 2

One was the OneDrive zip from the Edge browser, and the other was a README file from the Chrome browser.

Sharepoint 2 (5 points)

What's the name of the archive that was retrieved from the sharepoint?

Answer: OneDrive_1_3-18-2019.zip

Notify (5 points)

On March 18th 2019 at 18:58:21 Selma saw a Windows popup notification. What type of notification was it?

Answer: toast

The notification database is located in the path below. From there the timestamps needed to be converted from the FILETIME Windows format to UTC.

C:\Users\SelmaBouvier\AppData\Local\Microsoft\Windows\Notifications\wpndatabase.db

Sharepoint 4 (5 points)

Which was retrieved from the sharepoint first?

Answer: Readme

18/03/2019 6:45:37 PM — Onedrive
14/03/2019 7:52:37 PM — Readme

Remote (5 points)

At 6:35PM on the 18th of March, Selma logged into her account on the Desktop. What method did she use to access the Desktop?

Answer: Teamviewer

I first looked in the RDP event logs but couldn't find an entry. Next I went to the TeamViewer logs (a quick Google search told me where to look). This confirmed there was a connection by Selma.

Host Name (5 points)

What was the host name of the machine Selma used to remote into the Desktop at 6:35PM on the 18th of March?

Answer: JHYDE-SP

See above.

Unique Access (5 points)

How many unique machines accessed the Desktop via TeamViewer?

Answer: 3

See above.

Sharepoint 3 (10 points)

What is the volume serial number of the volume the sharepoint archive was placed on (format: decimal number)?

Answer: 2935122090

The file was on the D: drive. LNK files are a good source for the volume serial number of the volume a target lived on. The serial number AEF2-68AA then needs to be converted from hex to decimal.
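To show where that serial actually sits inside a .lnk file, here is an added example (my own code, not part of the original writeup and not the output of AXIOM or any other tool). It follows the MS-SHLLINK layout: the 0x4C-byte ShellLinkHeader, an optional LinkTargetIDList that must be skipped, then the LinkInfo block whose VolumeID carries the DriveSerialNumber. The `build_lnk` helper constructs a minimal link purely so the parser has something to run on offline; its label and path values are invented. The parser also handles the case a practitioner trips over in practice: a link whose target is on a network share has no VolumeID at all, so there is no serial to recover.

```python
import struct

# LinkFlags bits in the ShellLinkHeader (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
# LinkInfoFlags bit (MS-SHLLINK 2.3): a VolumeID structure is present
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01
# LinkCLSID {00021401-0000-0000-C000-000000000046}, little-endian on disk
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")


def build_lnk(serial, label=b"Data", local_path=b"D:\\example.zip", with_idlist=False):
    """Constructed minimal .lnk (invented label/path) with just enough structure for the parser."""
    label_data = label + b"\x00"
    # VolumeID: VolumeIDSize, DriveType (3 = DRIVE_FIXED), DriveSerialNumber, VolumeLabelOffset, label
    volume_id = struct.pack("<IIII", 16 + len(label_data), 3, serial, 0x10) + label_data
    path_data = local_path + b"\x00"      # LocalBasePath
    suffix_data = b"\x00"                 # empty CommonPathSuffix
    header_size = 0x1C                    # LinkInfoHeaderSize without the Unicode offsets
    vol_off = header_size
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(path_data)
    link_info = struct.pack("<IIIIIII", suffix_off + len(suffix_data), header_size,
                            VOLUME_ID_AND_LOCAL_BASE_PATH, vol_off, base_off, 0, suffix_off)
    link_info += volume_id + path_data + suffix_data
    flags = HAS_LINK_INFO | (HAS_LINK_TARGET_ID_LIST if with_idlist else 0)
    # ShellLinkHeader: HeaderSize, CLSID, LinkFlags, FileAttributes, three zero FILETIMEs,
    # FileSize, IconIndex, ShowCommand (1 = SW_SHOWNORMAL), HotKey, Reserved1..3
    header = struct.pack("<I16sII", 0x4C, LINK_CLSID, flags, 0x20) + bytes(24)
    header += struct.pack("<IIIHHII", 0, 0, 1, 0, 0, 0, 0)
    # IDListSize (excludes itself) + one 4-byte ItemID + 2-byte TerminalID
    idlist = struct.pack("<H", 6) + b"\x04\x00AB" + b"\x00\x00" if with_idlist else b""
    return header + idlist + link_info


def lnk_volume_serial(data: bytes):
    """Return the VolumeID DriveSerialNumber, or None when the link carries no local VolumeID."""
    header_size, = struct.unpack_from("<I", data, 0)
    if header_size != 0x4C or data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link file")
    flags, = struct.unpack_from("<I", data, 20)
    pos = header_size
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the variable-length IDList first
        idlist_size, = struct.unpack_from("<H", data, pos)
        pos += 2 + idlist_size
    if not flags & HAS_LINK_INFO:
        return None
    _size, _hdr_size, info_flags, vol_off = struct.unpack_from("<IIII", data, pos)
    if not info_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
        return None                                # e.g. a UNC target: no VolumeID, no serial
    _vsize, _drive_type, serial, _label_off = struct.unpack_from("<IIII", data, pos + vol_off)
    return serial


def serial_to_str(serial: int) -> str:
    """Render the 32-bit serial the way Windows shows it, e.g. AEF2-68AA."""
    return f"{serial >> 16:04X}-{serial & 0xFFFF:04X}"


def serial_str_to_decimal(text: str) -> int:
    """'AEF2-68AA' -> 2935122090, the decimal form the challenge asks for."""
    return int(text.replace("-", ""), 16)


if __name__ == "__main__":
    lnk = build_lnk(0xAEF268AA, with_idlist=True)
    serial = lnk_volume_serial(lnk)
    print(serial_to_str(serial), serial)
```

For a real link file, `lnk_volume_serial(open(path, "rb").read())` is all that is needed; the serial it returns is already the decimal the CTF wants, and `serial_to_str` gives the AEF2-68AA form for comparing against what the tooling shows.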

Notify 2 (10 points)

Again, on the 18th of March at 18:08:57, another notification was given. What did this notification say?

Answer: You are now syncing “OneDrive — Magnetic4nsics”

I converted the target time to the FILETIME value 131974061370000000 and looked for the notification closest to it:

You are now syncing “OneDrive — Magnetic4nsics”
You can edit files in “OneDrive — Magnetic4nsics”. Click here to view your files.
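Both Notify questions come down to the same two steps: convert between FILETIME (100-nanosecond ticks since 1601-01-01 UTC) and a readable UTC time, then find the row in the Notification table whose ArrivalTime lands closest to the target. The following is an added example (my own code, not from the writeup or from AXIOM). wpndatabase.db is SQLite, but the table built here is a cut-down stand-in with only the columns the query uses and invented rows; the real schema has more columns. The timestamps and payloads in the sample rows are constructed to mirror the two times from the challenge.

```python
import sqlite3
from datetime import datetime, timezone, timedelta

# FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000


def filetime_to_utc(ft: int) -> datetime:
    """FILETIME -> aware UTC datetime (the sub-microsecond part of the tick is dropped)."""
    return WINDOWS_EPOCH + timedelta(microseconds=ft // 10)


def utc_to_filetime(dt: datetime) -> int:
    """Aware datetime -> FILETIME; a naive datetime is treated as UTC."""
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    delta = dt.astimezone(timezone.utc) - WINDOWS_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for wpndatabase.db: a reduced Notification table with invented rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Notification (Id INTEGER, Type TEXT, Payload TEXT, "
        "ArrivalTime INTEGER, ExpiryTime INTEGER)"
    )
    utc = timezone.utc
    rows = [
        (1, "tile", "<tile/>", utc_to_filetime(datetime(2019, 3, 18, 17, 50, 3, tzinfo=utc)), 0),
        (2, "toast", "You are now syncing “OneDrive — Magnetic4nsics”",
         utc_to_filetime(datetime(2019, 3, 18, 18, 8, 57, tzinfo=utc)), 0),
        (3, "toast", "You can edit files in “OneDrive — Magnetic4nsics”. Click here to view your files.",
         utc_to_filetime(datetime(2019, 3, 18, 18, 58, 21, tzinfo=utc)), 0),
        (4, "badge", "<badge/>", utc_to_filetime(datetime(2019, 3, 18, 19, 30, 0, tzinfo=utc)), 0),
    ]
    conn.executemany("INSERT INTO Notification VALUES (?, ?, ?, ?, ?)", rows)
    return conn


def nearest_notification(conn, target: datetime, tolerance=timedelta(minutes=1)):
    """(Type, Payload, arrival UTC) of the row whose ArrivalTime is closest to target,
    or None if nothing arrived within the tolerance, so a distant row is not mistaken for a match."""
    row = conn.execute(
        "SELECT Type, Payload, ArrivalTime FROM Notification ORDER BY abs(ArrivalTime - ?) LIMIT 1",
        (utc_to_filetime(target),),
    ).fetchone()
    if row is None:
        return None
    ntype, payload, arrival = row
    arrival_dt = filetime_to_utc(arrival)
    if abs(arrival_dt - target) > tolerance:
        return None
    return ntype, payload, arrival_dt


if __name__ == "__main__":
    db = build_sample_db()
    for hh, mm, ss in ((18, 58, 21), (18, 8, 57)):
        t = datetime(2019, 3, 18, hh, mm, ss, tzinfo=timezone.utc)
        print(utc_to_filetime(t), nearest_notification(db, t))
```

Against the real database you would replace `build_sample_db()` with `sqlite3.connect("wpndatabase.db")` on a copy of the file; the conversion and the nearest-row query stay the same. The tolerance is there because "closest" on an empty or sparse table will always return something, and a row an hour away is not the notification being asked about.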

Bytes Sent (10 points)

How many bytes total were sent out on the network via the Team Viewer Service?

Answer: 95681804

The SRUM (System Resource Usage Monitor) monitors desktop application programs, services, Windows apps and network connections. It's saved in the file at C:\Windows\system32\sru\SRUDB.dat (I parsed it with a tool by Mark Baggett). I just needed to export it and add up the bytes sent in Excel.

The rows were filtered on the application teamviewer_service.exe.
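The same sum without the spreadsheet, as an added example that is not part of the original writeup and not tied to any particular SRUM tool's export: the CSV text, its column names and every value in it are constructed for this example. SRUM's network usage records one row per application per hour, and the application column holds a full \Device\HarddiskVolumeN\... path (or a package identifier for Store apps), so the rows have to be normalised to an executable name before the per-application totals mean anything.

```python
import csv
import io
from collections import defaultdict

# Constructed rows in the shape of a network-usage export; column names are an
# assumption for this example and do not come from a specific tool.
SAMPLE_CSV = r"""AppId,TimeStamp,BytesSent,BytesRecvd
\Device\HarddiskVolume2\Program Files (x86)\TeamViewer\TeamViewer_Service.exe,2019-03-18 18:00:00,120000,540000
\Device\HarddiskVolume2\Program Files (x86)\TeamViewer\TeamViewer.exe,2019-03-18 18:00:00,8000,9000
\Device\HarddiskVolume2\Program Files (x86)\TeamViewer\TeamViewer_Service.exe,2019-03-18 19:00:00,95000,310000
Microsoft.Windows.Photos_8wekyb3d8bbwe!App,2019-03-18 19:00:00,500,2500
"""


def app_basename(app_id: str) -> str:
    """Last path component, lower-cased, so hourly rows for one executable group together.
    Package identifiers (no backslash) are returned unchanged apart from case."""
    return app_id.rsplit("\\", 1)[-1].lower()


def bytes_by_app(csv_text: str) -> dict:
    """Aggregate BytesSent / BytesRecvd per normalised application name."""
    totals = defaultdict(lambda: {"sent": 0, "recv": 0})
    for row in csv.DictReader(io.StringIO(csv_text)):
        app = app_basename(row["AppId"])
        totals[app]["sent"] += int(row["BytesSent"])
        totals[app]["recv"] += int(row["BytesRecvd"])
    return dict(totals)


def total_sent(csv_text: str, exe_name: str) -> int:
    """Total bytes sent by one executable, matched case-insensitively on its file name."""
    return bytes_by_app(csv_text).get(exe_name.lower(), {"sent": 0})["sent"]


if __name__ == "__main__":
    for app, counts in sorted(bytes_by_app(SAMPLE_CSV).items()):
        print(f"{app:45} sent={counts['sent']:>10} recv={counts['recv']:>10}")
    print("teamviewer_service.exe total sent:", total_sent(SAMPLE_CSV, "teamviewer_service.exe"))
```

Matching on the basename rather than the full path matters because the same binary can appear under more than one \Device\HarddiskVolumeN prefix across the retention window, and case differs between rows.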

I'll continue to slowly work away at these challenges when I get some more free time.

@zdayone1