Writeup: Magnet User Summit DFIR CTF 2019-Basic Desktop

The recent Magnet User Summit DFIR CTF Challenge was released to the public. I also took this opportunity to get familiar with the Magnet AXIOM software.

I jump in and out of using AXIOM and my go-to open source tools on this one just out of habit, but both are able to solve these challenges.

Link to CTF: https://mus2019.ctfd.io/
Other Parts:
- Mobile
- Activity
- Secret Project

Desktop Hash 2

What is the SHA1 Hash of the Desktop Image?

Answer: a20c2f43a80ddcad35b958b701a6cdd4b67e535c

We can use the FTK Imager case file (MUS-CTF-19-DESKTOP-001.E01.txt) to quickly get the answers for these first couple of questions. You can also use ewfinfo on the .e01 file.

Desktop Examiner 2

Who acquired the Desktop image?

Answer: M Powers

Desktop VSN 2

What is the Volume Serial Number of the Desktop’s OS volume?

Answer: CCEE-841B

OS Volume information

Timezone 2

What is the timezone of the Desktop?

Answer: Pacific Standard Time

The registry key that provides this info is in:

HKEY_LOCAL_MACHINE\System\ControlSet001\Control\TimeZoneInformation

You can either use the inbuilt AXIOM artifacts or carve them out yourself.

AXIOM Timezone Information

Install 2

Which user installed Team Viewer?

Answer: Administrator

The TeamViewer_Setup.exe file was located in the Administrator’s Download folder.

For this question, I extracted the MFT from the image with the Sleuth Kit binaries: 1126400 is the sector offset at which the OS volume starts (the argument icat takes with -o), and 0-128-6 is the inode address of the MFT's $DATA attribute (MFT entry 0, attribute type 128, attribute id 6).

icat -o 1126400 MUS-CTF-19-DESKTOP-001.E01 0-128-6 > mft.raw

I then parsed the raw file with MFTECmd.exe (a tool by Eric Zimmerman).

UTC Offset 2

What was the timezone offset at the time of imaging?

Answer: UTC-7

Pacific Daylight Time (PDT) is 7 hours behind UTC. See the previous question regarding timezones.

How Many Times 2

At least how many times did the teamviewer_desktop.exe run?

Answer: 3

The UserAssist registry key is a common place to look for run counts, but it didn't help here because the user may not have launched this binary through the GUI. The other common place is the Prefetch files; the Prefetch file for teamviewer_desktop.exe had 3 run entries.

OS Install Date 2

When was the Windows OS installed?

Answer: 28/07/2018 7:27am

The following registry key value is the epoch time of when Windows OS was installed:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate

1532762873 (epoch time) is equivalent to: 07/28/2018 @ 7:27am (UTC)

File Name 5

What is the name of the file associated with MFT entry number 102698?

Answer: TeamViewer_Setup.exe

Please see previous question for how the MFT was parsed.

Sequence Number 5

What is the MFT sequence number associated with the file “\Users\Administrator\Desktop\FTK_Imager_Lite_3.1.1\FTK Imager.exe”?

Answer: 4

Using the same method as above; the second column of the MFTECmd output contains the MFT sequence numbers.

USN 5

Which file name represents the USN record where the USN number is 546416480?

Answer: TransportSecurity~RF134e6674.TMP

IP 5

What is the IP address of the Desktop?

Answer: 64.44.141.76

The IP can be found in the following registry key. The SYSTEM registry hive was extracted from the volume using the same method as for the MFT and parsed with RECmd.exe (by Eric Zimmerman); it can also be viewed in the AXIOM registry viewer.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces

Who Shut it Down 5

Which User Shutdown Windows on February 25th 2019?

Answer: Administrator

In the System Windows Event Log, the event ID for a shutdown is 1074. The discrepancy in time is accounted for by converting from my time zone.

icat -o 1126400 MUS-CTF-19-DESKTOP-001.E01 83666-128-4 > system.evtx
Event Log Explorer

Sha What 5

What is the SHA1 hash of the c:\users\selmabouvier\appdata\local\packages\microsoft.microsoftedge_8wekyb3d8bbwe\tempstate\downloads\megasyncsetup (1).exe file?

Answer: 082129a2b431f36a194f2594e3987e31b22dc5ea

The Amcache hive is the first place to look for hashes of binaries.

Execute Where 5

After looking at the TEAMVIEWER_DESKTOP.EXE prefetch file, which path was the executable in at the time of execution?

Answer: \VOLUME{01D4264BEE777579-CCEE841B}\PROGRAM FILES (X86)\TEAMVIEWER\TEAMVIEWER_DESKTOP.EXE

I jumped back into the MFT file I had open to find the location of the exe.

File Name 2 10

What is the file name that represented MFT entry 60725 with a sequence number of 10?

Answer: telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64bebb-ac28-4cc7-bd52-570c8fe077c9-7717.json.new

If you look at the MFT entry 60725 from the output before, the current sequence number is 15. We will have to use the UsnJrnl to see the past sequence number for this MFT record.

I used UsnJrnl2Csv to parse the file.
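Why the journal can answer both the USN question and the "entry 60725 with sequence number 10" question: every USN_RECORD_V2 in $UsnJrnl:$J stores the 64-bit file reference that was current when the change was logged, with the MFT entry in the low 48 bits and the sequence number in the high 16 bits, so old sequence numbers survive there after the MFT record has been reused. The parser below is an added example, not part of this writeup or of UsnJrnl2Csv; it builds two constructed records (only the USN value, the entry/sequence pair and the two file names come from the questions, all other fields are sample values) and resolves both lookups.

```python
import struct
from datetime import datetime, timedelta, timezone

# Fixed 60-byte header of a USN_RECORD_V2; the UTF-16LE file name follows it.
_HDR = struct.Struct("<IHHQQqQIIIIHH")
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def build_record(entry, seq, usn, name, when, reason=0x00000100):
    """Construct a USN_RECORD_V2 (sample data for this demo, not bytes from the image)."""
    fn = name.encode("utf-16-le")
    length = (_HDR.size + len(fn) + 7) & ~7              # records are 8-byte aligned
    file_ref = (seq << 48) | entry                        # high 16 bits = sequence number
    parent_ref = (1 << 48) | 5                            # constructed: root dir, seq 1
    d = when - _FILETIME_EPOCH                            # exact integer FILETIME
    ft = (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10
    hdr = _HDR.pack(length, 2, 0, file_ref, parent_ref, usn, ft, reason,
                    0, 0, 0x20, len(fn), _HDR.size)
    return hdr + fn + b"\x00" * (length - _HDR.size - len(fn))

def parse_records(buf):
    """Walk a $J buffer and split each file reference into MFT entry + sequence number."""
    out, off = [], 0
    while off + _HDR.size <= len(buf):
        (length, _major, _minor, file_ref, _parent, usn, ft, reason,
         _src, _sid, _attrs, fn_len, fn_off) = _HDR.unpack_from(buf, off)
        if length == 0:                                   # zero-filled gap in the $J stream
            off += 8
            continue
        name = buf[off + fn_off: off + fn_off + fn_len].decode("utf-16-le")
        out.append({"usn": usn, "entry": file_ref & 0xFFFFFFFFFFFF, "seq": file_ref >> 48,
                    "name": name, "reason": reason, "time": filetime_to_utc(ft)})
        off += length
    return out

def name_for_usn(records, usn):
    return next((r["name"] for r in records if r["usn"] == usn), None)

def name_for_reference(records, entry, seq):
    return next((r["name"] for r in records if r["entry"] == entry and r["seq"] == seq), None)

# Constructed journal: USN 546416480 and the (60725, 10) reference are the values asked about
# in the CTF; the timestamps, parent reference and the other entry/USN numbers are made up.
SAMPLE_J = (build_record(91234, 3, 546416480, "TransportSecurity~RF134e6674.TMP",
                         datetime(2019, 2, 25, 9, 0, tzinfo=timezone.utc))
            + build_record(60725, 10, 546417000, "telemetry.P-ARIA-194626ba46434f9ab441dd7eb"
                           "da2aa64-5f64bebb-ac28-4cc7-bd52-570c8fe077c9-7717.json.new",
                           datetime(2019, 2, 25, 9, 5, tzinfo=timezone.utc)))

if __name__ == "__main__":
    recs = parse_records(SAMPLE_J)
    print(name_for_usn(recs, 546416480))            # TransportSecurity~RF134e6674.TMP
    print(name_for_reference(recs, 60725, 10))
```

Against a real $J extracted with icat (the $UsnJrnl file's $J attribute), the same loop applies, but the stream usually begins with a large sparse region of zeros, which is why the parser skips zero-length headers instead of stopping.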

To get to the next stages: you may have noticed while looking around that there are some suspicious files on the Desktop and in OneDrive.

Check out the links at the top for the next sections.

@zdayone1