Magnet User Summit CTF 2019- Walk through — Part 1

Johny Manuel
6 min read · Apr 11, 2019


This is my take on the Magnet User Summit CTF, which was recently opened to the public along with the images and a 30-day trial of Magnet Axiom.

I have never used Magnet Axiom before, so bear with me if the options I use are completely wrong or if I take the long way round to simple solutions. Feel free to add them as comments if you have a shorter way to solve any of the problems mentioned.

I fall back to my SIFT workstation whenever I am not comfortable with the options listed. Moreover, there is a challenge section on mobile forensics which I have not worked on.

Let's get started!

The images are shared on Google Drive; the following three images, along with an acquisition summary, are uploaded there.

MUS CTF Challenge — 2019

Section 1: Basic — Desktop

Q1. What is the SHA1 Hash of the Desktop Image?

For this I opened the acquisition summary text file and took the SHA1 hash from it.

Answer: a20c2f43a80ddcad35b958b701a6cdd4b67e535c

Q2. Who acquired the Desktop image?

Mpowers

Answer: M Powers

Q3: What is the Volume Serial Number of the Desktop’s OS volume?

VSN

Answer: CCEE-841B

Q4. What is the timezone of the Desktop?

Since Axiom was still processing the image to pre-populate and categorize the artifacts (40% processed at the time of writing), I proceeded to extract the SYSTEM hive from the C:\Windows\System32\Config folder using FTK Imager.

I also wanted a Windows Registry tool that can run through the hives I point it at, instead of using the RegRipper command-line tool. I navigated to Eric Zimmerman's tool-chest and downloaded the Registry Explorer/RECmd tool.

TimeZone information

Answer: Pacific Standard Time

Q5. Which user installed Team Viewer?

Based on the fact that the Application event log records when MsiInstaller is used, I proceeded to check for Event ID 11707. This did not yield any results.

Then I proceeded to mount NTUSER.DAT (the user registry hive), which would contain this detail under NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Uninstall.

Then I proceeded to look at Amcache.hve, which also holds the first time an application was run. There I found the following hit in Magnet Axiom. It has a neat way of mounting the hives, which saved me the time of copying the hive out and choosing a RegRipper plugin.

amcache.hve

Based on the file location, I chose to answer this as Administrator.

Answer: Administrator

Q6. What was the timezone offset at the time of Imaging?

Answer: Active Time Bias / 60 = 420/60 = 7 (UTC-7)

Q7. At least how many times did the teamviewer_desktop.exe run?

The number of times an application executed can be tracked from its prefetch file. So in Magnet Axiom I chose the Prefetch artifact and found it was executed three times.

Artifact View

Answer: 3

Q8. When was the Windows OS installed?

This can be obtained by parsing the HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CurrentVersion\InstallDate value and converting the Unix time 0x5b5c1af9 (1532762873), which gives Sat, 28 Jul 2018 07:27:53 GMT.

The Artifact View's OS Information category also captures all the basic details about the operating system.

OS Info

Answer: Sat, 28 Jul 2018 07:27:53 GMT

Q9. What is the name of the file associated with MFT entry number 102698?

Switch to the File System view in Magnet Axiom and filter by MFT record number.

MFT Entry number 102698

Answer: TeamViewer_Setup.exe

Q10. What is the MFT sequence number associated with the file “\Users\Administrator\Desktop\FTK_Imager_Lite_3.1.1\FTK Imager.exe”?

I tried to find this using the Magnet Axiom interface but could not figure it out with the available options. I switched to the SIFT workstation and used a filename search on the mounted image. Using the MFT entry, I got the sequence number from the istat command as detailed below.

Sequence number of FTKImager.exe

Answer: 4

Q11. Which file name represents the USN record where the USN number is 546416480?

Let's get the $UsnJrnl:$J file using the icat command and parse it with the usn.py script to obtain this data.

USN

Answer: TransportSecurity~RF134e6674.TMP

Q12. What is the IP address of the Desktop?

This is typically captured in the SYSTEM hive, but Magnet Axiom has a separate artifact under the Operating System category which simplifies this for us.

IP Address

Answer: 64.44.141.76

Q13. Which user shut down Windows on February 25th 2019?

Let's read through the System event log, which should give us this detail. Magnet Axiom has an easy way of sifting through event logs, which spared us some time. Event IDs 1074, 6006 and 6008 can help us get the desired outcome.

System Shutdown

Answer: Administrator (based on SID)

Q14. What is the SHA1 hash of the c:\users\selmabouvier\appdata\local\packages\microsoft.microsoftedge_8wekyb3d8bbwe\tempstate\downloads\megasyncsetup (1).exe file?

I initially searched for the file in the file system, but it looks like the file had already been deleted. So I chose to look into Amcache.hve, which also logs the SHA1 hash of any application when it is first executed, along with its first run time. Have a look at Yogesh Khatri's write-up or Eric Zimmerman's toolset for how the artifact breakdown is achieved.

I navigated to Magnet Axiom's Registry view and chose Other hives; the application in question was listed there, which led me to the SHA1 hash of the file.

SHA1 Hash

Answer: 082129a2b431f36a194f2594e3987e31b22dc5ea

Q15: After looking at the TEAMVIEWER_DESKTOP.EXE prefetch file, which path was the executable in at the time of execution?

I tried the Prefetch view in Axiom, which did not give the desired data, so I downloaded PECmd from Eric Zimmerman's toolset and parsed the .pf file, which got me the desired output.

PECmd output

Answer: \VOLUME{01D4264BEE777579-CCEE841B}\PROGRAM FILES (X86)\TEAMVIEWER\TEAMVIEWER_DESKTOP.EXE

Q16. What is the file name that represented MFT entry 60725 with a sequence number of 10?

I searched the earlier output, where I had parsed the USN journal file, for sequence number 10 and the matching MFT entry.

USN.py output filtered

The other way is to use the ANJP tool, to which I give the $LogFile, $MFT and $UsnJrnl:$J files as input.

I then navigate to the Filter tab and choose the options below as filters, after referring to the user guide.

ANJP Output

Answer: telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64–5f64bebb-ac28–4cc7-bd52–570c8fe077c9–7717.json.new
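The USN lookups in Q11 and Q16 (and the FILETIME conversion behind Q8), as an added Python example that is not the author's usn.py run or the ANJP output: it parses USN_RECORD_V2 structures from a $J buffer, matches a record by its USN number, and lists the names recorded for one MFT entry/sequence pair. The journal bytes are constructed here, not taken from the CTF image, and the function names are my own.

```python
import struct
from datetime import datetime, timedelta, timezone

USN_HEADER = "<IHHQQqqIIIIHH"   # USN_RECORD_V2 fixed header (60 bytes); the UTF-16 name follows
HEADER_LEN = struct.calcsize(USN_HEADER)

def filetime_to_dt(ft):
    # FILETIME = 100-ns ticks since 1601-01-01 UTC; the Unix epoch is 11644473600 s later
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_usn_journal(buf):
    """Return one dict per USN_RECORD_V2 in buf, skipping zero-filled (sparse) gaps."""
    records, off = [], 0
    while off + HEADER_LEN <= len(buf):
        if struct.unpack_from("<I", buf, off)[0] == 0:   # padding: records are 8-byte aligned
            off += 8
            continue
        rec_len, major, _, fref, _, usn, ts, reason, _, _, _, nlen, noff = struct.unpack_from(USN_HEADER, buf, off)
        if major != 2 or rec_len < HEADER_LEN or off + rec_len > len(buf):
            break                                        # unknown version or truncated record
        # NTFS file reference: low 48 bits = MFT entry number, high 16 bits = sequence number
        records.append({"usn": usn, "name": buf[off + noff:off + noff + nlen].decode("utf-16-le"),
                        "mft_entry": fref & 0xFFFFFFFFFFFF, "mft_seq": fref >> 48,
                        "time": filetime_to_dt(ts), "reason": reason})
        off += rec_len
    return records

def name_for_usn(records, usn):
    # Q11: a record's USN is its byte offset in $J, so match the stored Usn field directly
    return next((r["name"] for r in records if r["usn"] == usn), None)

def names_for_mft(records, entry, seq):
    # Q16: names the journal holds for one (entry, sequence) pair; the pair changes on reuse
    return [r["name"] for r in records if r["mft_entry"] == entry and r["mft_seq"] == seq]

def build_record(usn, entry, seq, name, ts):
    # Constructed USN_RECORD_V2 for the sample journal (not data from the CTF image)
    nb = name.encode("utf-16-le")
    rec_len = (HEADER_LEN + len(nb) + 7) & ~7
    hdr = struct.pack(USN_HEADER, rec_len, 2, 0, (seq << 48) | entry, 5, usn, ts,
                      0x80000000, 0, 0, 0x20, len(nb), HEADER_LEN)
    return hdr + nb + b"\0" * (rec_len - HEADER_LEN - len(nb))

def sample_journal():
    # Constructed $J: a zero gap, then three records whose USN equals their byte offset (not CTF data)
    buf, ts = b"\0" * 16, (0x5b5c1af9 + 11644473600) * 10_000_000  # Q8 InstallDate as FILETIME
    for entry, seq, name in [(60725, 9, "old.tmp"), (102698, 3, "TeamViewer_Setup.exe"),
                             (60725, 10, "telemetry.json.new")]:
        buf += build_record(len(buf), entry, seq, name, ts)
    return buf
```

On a real image, read the $UsnJrnl:$J stream extracted with icat into `buf`; the zero-gap handling covers the sparse region at the start of the journal.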

That completes the basic Desktop section. Please feel free to leave your feedback as comments.

MUS Part 1 Progress

I will work on the remaining challenges and share my solutions. Thanks for reading!
