It took me some time to work on the second section of MUS CTF 2019. A few mistakes crept in because of copy-and-paste errors, and I ended up spending hours figuring them out and taking longer routes to arrive at the right solution.

We also have a hard stop of 30 days, because the Magnet Axiom license expires after that.

I learned a lot of good ways to figure out the answers, though! Let's get started!

Activity

Q1. How many files were downloaded from the magnetic4nsics Sharepoint?

I switched over to the Artifacts view in Magnet Axiom and clicked on the Web Related tab. The tool had grouped the artifacts by type (cookies, downloads and history). Under the downloads type I found two artifacts: one in Chrome and another in Edge.

Chrome Download
Edge Browser Download

Answer: 2

Q2. What's the name of the archive that was retrieved from the sharepoint?

The above screenshot highlights the archive that was downloaded from magnetic4nsics.com; it was saved to the D: drive.

Answer: OneDrive_1_3–18–2019.zip

Q3. On March 18th 2019 at 18:58:21 Selma saw a Windows popup notification. What type of notification was it?

My first stop was to filter the Windows event logs in the Artifacts view down to the time given above. I got two hits for the SID associated with Selma.

Axiom Event Log view

So I quickly jumped to the conclusion that the answer was "push notification". That answer was not accepted, so I exported the log and opened it in the native Windows Event Viewer.

Push notification logs

Based on the above screenshot I answered "toast", which was accepted by the CTF system.

Answer: Toast

Q4. Which was retrieved from the sharepoint first?

a. OneDrive_1_3–18–2019.zip

b. README

If you refer back to my screenshots for Q1, you will see from the timestamps that the README file was downloaded before the archive.

Answer: README

Q5. At 6:35PM on the 18th of March, Selma logged into her account on the Desktop. What method did she use to access the Desktop?

a. Windows RDP

b. TeamViewer

c. VNC

I switched to the Security event log in the Axiom view and filtered the entries for the specified time. I could only find logon type 11 at that time, and no logon type 10, which would have indicated Remote Desktop Protocol. To double check I also reviewed the Remote Desktop Services Operational log, which did not yield anything useful.

Windows Event Logs — 4624 @ 6:35 PM

I found logon types 7 and 5, which correspond to Unlock and Service. So I ruled out RDP from the list above.
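To make the logon-type check above repeatable, here is a small Python script that does the same filtering over 4624 events exported as XML. It is an added example and not part of Johny's original write-up or of Magnet Axiom: the events are constructed samples (the user, hostnames and times are made up), and the window and user names passed in are assumptions you would replace with the ones from your own case.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespace every Windows event carries when exported as XML
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Logon types documented for event 4624; 10 is RemoteInteractive (RDP)
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
               11: "CachedInteractive"}


def parse_systemtime(value):
    """Parse TimeCreated/@SystemTime; Windows writes 7 fractional digits, strptime accepts 6."""
    value = value.rstrip("Z")
    if "." in value:
        head, frac = value.split(".", 1)
        value = f"{head}.{frac[:6]}"
        fmt = "%Y-%m-%dT%H:%M:%S.%f"
    else:
        fmt = "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def parse_4624(xml_text):
    """Return the fields of one 4624 event that matter for deciding the logon method."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4624":
        return None
    when = parse_systemtime(root.find("e:System/e:TimeCreated", NS).get("SystemTime"))
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    logon_type = int(data.get("LogonType", "0"))
    return {"time": when, "user": data.get("TargetUserName", ""), "logon_type": logon_type,
            "logon_type_name": LOGON_TYPES.get(logon_type, "Unknown"),
            "workstation": data.get("WorkstationName", "")}


def _event_xml(system_time, logon_type, user, workstation):
    """One 4624 record in exported-XML layout. Constructed sample, not data from the CTF image."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4624</EventID>'
            f'<TimeCreated SystemTime="{system_time}"/></System><EventData>'
            f'<Data Name="TargetUserName">{user}</Data><Data Name="LogonType">{logon_type}</Data>'
            f'<Data Name="WorkstationName">{workstation}</Data></EventData></Event>')


# Constructed sample: cached/unlock/service logons around 18:35, plus one RDP logon earlier that day
SAMPLE_EVENTS = [_event_xml(*row) for row in [
    ("2019-03-18T18:35:02.1234567Z", 11, "selma", "DESKTOP-SAMPLE"),
    ("2019-03-18T18:35:05.0000000Z", 3, "selma", "DESKTOP-SAMPLE"),
    ("2019-03-18T18:35:30.0000000Z", 5, "SYSTEM", "DESKTOP-SAMPLE"),
    ("2019-03-18T18:36:10.0000000Z", 7, "selma", "DESKTOP-SAMPLE"),
    ("2019-03-18T09:00:00.0000000Z", 10, "selma", "CLIENT-SAMPLE"),
]]


def logons_in_window(xml_events, user, start_iso, end_iso):
    """All 4624 logons for `user` between two SystemTime-style timestamps, oldest first."""
    start, end = parse_systemtime(start_iso), parse_systemtime(end_iso)
    hits = [e for e in map(parse_4624, xml_events)
            if e and e["user"].lower() == user.lower() and start <= e["time"] <= end]
    return sorted(hits, key=lambda e: e["time"])


def rdp_logons(xml_events, user, start_iso, end_iso):
    """Only RemoteInteractive (type 10) logons; an empty list means RDP was not the access method."""
    return [e for e in logons_in_window(xml_events, user, start_iso, end_iso) if e["logon_type"] == 10]


if __name__ == "__main__":
    for e in logons_in_window(SAMPLE_EVENTS, "selma", "2019-03-18T18:34:00Z", "2019-03-18T18:37:00Z"):
        print(e["time"].isoformat(), e["logon_type"], e["logon_type_name"], e["workstation"])
```

The sample run lists types 11, 3 and 7 in the 18:34 to 18:37 window and no type 10, which is exactly the situation that lets you drop RDP from the candidate list; widening the window to the whole day surfaces the constructed type 10 logon and the client workstation name that came with it.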

Then I proceeded to research TeamViewer-related artifacts, where I found the following link from systoolgroup which helped me answer this one.

The link highlighted that the primary artifacts are found under the following folders:

C:\Program Files\Teamviewer & C:\Users\[username]\Appdata\Roaming\Teamviewer\MRU\RemoteSupport

  • Connections_incoming.txt
  • TeamViewerX_Logfile.log (X indicates the version of Team viewer)

The file under the user folder was not found in our case. I did not make the effort to mount the VSS snapshots to check whether the user folder had the required file there.

I opened Connections_incoming.txt and found a logon timestamp within the mentioned time frame. The last-written time of the TeamViewer key in Selma Bouvier's user hive also corresponds closely to the above timestamps.

connections_incoming.txt
Selma Bouvier — TeamViewer Registry Hive

I also checked whether any VNC software was listed under HKLM\SOFTWARE\, but did not find any.

Answer: TeamViewer

Q6. What was the host name of the machine Selma used to remote into the Desktop at 6:35PM on the 18th of March?

If you look at the above Connections_incoming.txt screenshot you will find the answer: JHYDE-SP.

Answer: JHYDE-SP

Q7. How many unique machines accessed the Desktop via TeamViewer?

a. 6

b. 2

c. 4

d. 3

The number of distinct desktop names captured in Connections_incoming.txt is the answer to this challenge.
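Q6 and Q7 both come down to reading Connections_incoming.txt carefully, so here is an added Python example (not part of the original write-up, and not TeamViewer's own tooling) that parses the file, finds which session covers a given timestamp, and counts the distinct remote machines. The tab-separated layout (remote ID, remote display name, start, end, local account, mode, connection GUID) is my assumption about the file format; check it against your own copy before relying on it. The log lines are constructed and do not contain the hostnames from the CTF image.

```python
from collections import Counter
from datetime import datetime

# Constructed sample in the tab-separated layout assumed for Connections_incoming.txt.
# IDs, names and times are made up; none of them come from the CTF image.
SAMPLE_LOG = """\
111111111\tCLIENT-ONE\t18-03-2019 09:02:11\t18-03-2019 09:15:40\tLocalUser\tRemoteControl\t{00000000-0000-0000-0000-000000000001}
222222222\tCLIENT-TWO\t18-03-2019 18:35:09\t18-03-2019 18:49:02\tLocalUser\tRemoteControl\t{00000000-0000-0000-0000-000000000002}
111111111\tCLIENT-ONE\t19-03-2019 10:00:00\t19-03-2019 10:05:00\tLocalUser\tRemoteControl\t{00000000-0000-0000-0000-000000000003}
333333333\tCLIENT-THREE\t19-03-2019 11:30:00\t19-03-2019 11:31:00\tLocalUser\tFileTransfer\t{00000000-0000-0000-0000-000000000004}
"""

TS_FMT = "%d-%m-%Y %H:%M:%S"   # day-month-year, as the sample above is written


def parse_connections(text):
    """Turn the raw file into session dicts; a short line is reported rather than silently skipped."""
    sessions = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) < 7:
            raise ValueError(f"line {lineno}: expected 7 tab-separated fields, got {len(parts)}")
        tv_id, name, start, end, local_user, mode, conn_id = parts[:7]
        sessions.append({"teamviewer_id": tv_id, "remote_name": name,
                         "start": datetime.strptime(start, TS_FMT),
                         "end": datetime.strptime(end, TS_FMT),
                         "local_user": local_user, "mode": mode, "connection_id": conn_id})
    return sessions


def unique_remote_machines(sessions):
    """Distinct remote display names with a session count each (the Q7-style question)."""
    return Counter(s["remote_name"] for s in sessions)


def unique_remote_ids(sessions):
    """Same count keyed by TeamViewer ID; display names can be renamed, IDs normally persist."""
    return Counter(s["teamviewer_id"] for s in sessions)


def session_active_at(sessions, when):
    """Sessions whose start..end interval covers `when` (a timestamp in the log's own format)."""
    t = datetime.strptime(when, TS_FMT)
    return [s for s in sessions if s["start"] <= t <= s["end"]]


if __name__ == "__main__":
    sessions = parse_connections(SAMPLE_LOG)
    for s in session_active_at(sessions, "18-03-2019 18:40:00"):
        print("active at 18:40:", s["remote_name"], s["start"], "->", s["end"])
    print("distinct machines:", len(unique_remote_machines(sessions)), dict(unique_remote_machines(sessions)))
```

Counting by display name and by TeamViewer ID separately is a cheap sanity check: if the two counts disagree, a machine was renamed between sessions or two machines share a name, and the answer to a "how many unique machines" question depends on which one the examiner meant.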

Answer: 3

Q8. What is the volume serial number of the volume the sharepoint archive was placed on (format: decimal number)?

I ended up spending a lot of time on this challenge because I was pasting my output with a leading space; I tried so many other options before realising the solution had been right in front of me the whole time.

Alright, let me narrate how I did it. The question is about the volume where OneDrive_1_3–18–2019.zip was placed. If you look at my screenshot, it was placed on drive D:.

So I started by collecting all link files with names ending in .txt and used the KAPE module options to parse the output. The Recent folder under Selma's AppData had this artifact.

Lnkfile Parsed using KAPE tool

Since the question specifically asks for the answer as a decimal number, I opened the default Windows Calculator in Programmer mode and entered the VSN in HEX. The decimal output gave me the required value.

Calculator

I copied the decimal equivalent 2935122090 and entered it into the answer box, which was not accepted since I had a space in front.
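If you would rather not depend on KAPE and the calculator for this step, the volume serial number can be read straight out of the .lnk file, because it sits in the VolumeID structure inside LinkInfo (MS-SHLLINK). The following Python is an added example, not part of the original write-up and not KAPE's parser: it builds a minimal constructed .lnk (the volume label and path are made up, only the serial 2935122090 is the write-up's decimal answer), then parses it back and reports the serial both as a decimal and in the AAAA-BBBB form Windows shows.

```python
import struct

# CLSID {00021401-0000-0000-C000-000000000046} as stored in every .lnk header
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x1        # LinkFlags bit 0
HAS_LINK_INFO = 0x2                  # LinkFlags bit 1
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x1  # LinkInfoFlags bit 0


def extract_volume_info(lnk):
    """Walk ShellLinkHeader -> optional LinkTargetIDList -> LinkInfo -> VolumeID and return the serial."""
    if len(lnk) < 0x4C or struct.unpack_from("<I", lnk, 0)[0] != 0x4C or lnk[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) header")
    link_flags = struct.unpack_from("<I", lnk, 0x14)[0]
    pos = 0x4C
    if link_flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", lnk, pos)[0]   # IDListSize does not count its own 2 bytes
    if not link_flags & HAS_LINK_INFO:
        raise ValueError("no LinkInfo structure: nothing to read a volume serial from")
    info_size, _hdr_size, info_flags, vol_off, base_off, _net_off, _suffix_off = \
        struct.unpack_from("<7I", lnk, pos)
    if not info_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
        raise ValueError("LinkInfo has no VolumeID (the target lived on a network share)")
    vol = pos + vol_off
    vol_size, drive_type, serial, label_off = struct.unpack_from("<4I", lnk, vol)
    if label_off == 0x14:   # label stored as Unicode; the real offset follows the 4 fixed fields
        label_off = struct.unpack_from("<I", lnk, vol + 0x10)[0]
        label = lnk[vol + label_off:vol + vol_size].decode("utf-16-le", "replace").split("\x00", 1)[0]
    else:
        label = lnk[vol + label_off:vol + vol_size].split(b"\x00", 1)[0].decode("ascii", "replace")
    base_path = lnk[pos + base_off:pos + info_size].split(b"\x00", 1)[0].decode("ascii", "replace")
    as_hex = f"{serial:08X}"
    return {"serial_decimal": serial, "serial_hex": f"{as_hex[:4]}-{as_hex[4:]}",
            "drive_type": drive_type, "volume_label": label, "local_base_path": base_path}


def build_sample_lnk(serial, label, local_path):
    """Constructed .lnk: header, a one-item IDList and LinkInfo+VolumeID. Not from the CTF image."""
    label_b = label.encode("ascii") + b"\x00"
    path_b = local_path.encode("ascii") + b"\x00"
    volume_id = struct.pack("<4I", 16 + len(label_b), 3, serial, 0x10) + label_b   # 3 = DRIVE_FIXED
    hdr = 0x1C
    body = volume_id + path_b + b"\x00"   # LocalBasePath followed by an empty CommonPathSuffix
    link_info = struct.pack("<7I", hdr + len(body), hdr, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            hdr, hdr + len(volume_id), 0, hdr + len(volume_id) + len(path_b)) + body
    item = b"\x1f\x00"   # dummy ItemID payload; a parser that skips the list only needs its size
    id_list = struct.pack("<H", 2 + len(item)) + item + b"\x00\x00"   # ItemID + TerminalID
    header = (struct.pack("<I", 0x4C) + LNK_CLSID
              + struct.pack("<II", HAS_LINK_TARGET_ID_LIST | HAS_LINK_INFO, 0x20)  # flags, ARCHIVE attr
              + b"\x00" * 24                                     # three FILETIMEs left zero
              + struct.pack("<IIIHHII", 0, 0, 1, 0, 0, 0, 0))    # size, icon, SW_SHOWNORMAL, hotkey, reserved
    return header + struct.pack("<H", len(id_list)) + id_list + link_info


# Serial is the write-up's decimal answer; label and path are constructed placeholders
SAMPLE_LNK = build_sample_lnk(2935122090, "DATA", "D:\\Downloads\\archive.zip")

if __name__ == "__main__":
    info = extract_volume_info(SAMPLE_LNK)
    print(info)   # serial_hex AEF2-68AA is the same value as serial_decimal 2935122090
```

To use it on a real shortcut, read the file with `open(path, "rb").read()` and pass the bytes to `extract_volume_info`; the decimal form is what the CTF wanted, and producing it programmatically also sidesteps the leading-space problem that cost me so many attempts.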

Other options that I tried...

I copied Supersecretstuff.vhd from Selma's Desktop and attached the VHD using Disk Management. The volume was BitLocker protected. I then embarked on a journey to look for any key that could indicate whether the BitLocker key was cached somewhere. I found a paper which mentioned that the BitLocker key could be retrieved from memory if present in hiberfil.sys, which stores a copy of memory when you hibernate the machine. The acquired image did not have that file.

The question also only allowed 2 tries to get the right answer, so I created many dummy login accounts to increase my number of tries. Finally, in one of the attempts, I wondered whether I was leaving an extra space in front of the answer. Voilà! What a stupid mistake it was. But it did push me to explore so many other ways of approaching this problem.

Answer: 2935122090 (Don't leave any extra space in front :P)

Q9. Again, on the 18th of March at 18:08:57, another notification was given. What did this notification say?

I approached this question the same way I solved Q3: I filtered the push notification event window to 18:08:57 on March 18th.

Windows Event Push notifications

I tried pasting the above line, which was not accepted by the challenge system. I then tried to see whether tracking ID 329 was logged somewhere that could give a detailed output of what the actual notification was. I looked for a detailed KB article around Event ID 3052, but this did not give me any fruitful results.

I went on to ask the lords of Google to show me some relevant pages. I typed "windows toast notifications artifacts" and "windows toast notifications forensics".

The top results led me to a LinkedIn SlideShare deck. It had an incredible number of artifacts related to Windows 10. I also had a look at the Packt book Windows Forensics Cookbook, which had a detailed explanation. The other pages that I encountered were from hecfblog and Yogesh Khatri's page. After going through all those pages I understood that toast notifications are stored in an SQLite database.

An excerpt from the book Windows Forensics cookbook:

Details of notifications are stored in the following location:

\Users\Username\AppData\Local\Microsoft\Windows\Notifications

The name of the database will differ depending on the build version of Windows 10 installed on the machine. From Anniversary onwards, they are stored in wpndatabase.db; before that, they can be found in appdb.dat.

I grabbed the file wpndatabase.db from Selma's user folder and opened it in an SQLite browser.

The table had an ID column, which I filtered to 329 based on the Windows event log mentioned above.
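The same lookup can be scripted, which helps when there are many notification IDs to chase rather than one. The Python below is an added example and not part of the original write-up: it builds an in-memory stand-in for wpndatabase.db, looks up a notification by its Id, decodes the toast XML payload into its visible text, and converts the ArrivalTime from a Windows FILETIME to UTC. The column subset (Notification.Id, HandlerId, Type, Payload, ArrivalTime, ExpiryTime and NotificationHandler.RecordId, PrimaryId) and the "toast" type string are assumptions based on how the table is commonly displayed; run `.schema Notification` on the real file to confirm them. The notification text, handler name and ID 329 are constructed for the sample, not copied from the image.

```python
import sqlite3
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of the above, done in integer arithmetic so large tick counts stay exact."""
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def build_sample_db():
    """In-memory stand-in for wpndatabase.db. Columns are an assumption (verify with .schema);
    rows are constructed and do not come from the CTF image."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE NotificationHandler (RecordId INTEGER PRIMARY KEY, PrimaryId TEXT);
        CREATE TABLE Notification (Id INTEGER PRIMARY KEY, HandlerId INTEGER, Type TEXT,
                                   Payload BLOB, ArrivalTime INTEGER, ExpiryTime INTEGER);
    """)
    arrival = datetime_to_filetime(datetime(2019, 3, 18, 18, 8, 57, tzinfo=timezone.utc))
    one_hour = 3600 * 10_000_000
    toast = (b'<toast><visual><binding template="ToastGeneric">'
             b'<text>Example app</text><text>Sample sync finished</text>'
             b'</binding></visual></toast>')
    tile = b'<tile><visual><binding template="TileMedium"><text>unread: 3</text></binding></visual></tile>'
    con.execute("INSERT INTO NotificationHandler VALUES (?, ?)", (7, "Sample.App_constructed"))
    con.execute("INSERT INTO Notification VALUES (?, ?, ?, ?, ?, ?)", (329, 7, "toast", toast, arrival, arrival + one_hour))
    con.execute("INSERT INTO Notification VALUES (?, ?, ?, ?, ?, ?)", (330, 7, "tile", tile, arrival + 600 * 10_000_000, 0))
    con.commit()
    return con


def toast_text(payload):
    """Join every <text> element of a toast payload, which is what the user saw on screen."""
    root = ET.fromstring(payload)
    return " | ".join(t.text.strip() for t in root.iter("text") if t.text and t.text.strip())


def lookup_notification(con, notification_id):
    """Fetch one notification by Id and decode it; None if the Id is not in the table."""
    row = con.execute(
        "SELECT n.Id, n.Type, n.Payload, n.ArrivalTime, h.PrimaryId "
        "FROM Notification n LEFT JOIN NotificationHandler h ON h.RecordId = n.HandlerId "
        "WHERE n.Id = ?", (notification_id,)).fetchone()
    if row is None:
        return None
    nid, ntype, payload, arrival, handler = row
    return {"id": nid, "type": ntype, "handler": handler,
            "arrival_utc": filetime_to_datetime(arrival),
            "text": toast_text(payload) if ntype == "toast" else None}


if __name__ == "__main__":
    con = build_sample_db()
    print(lookup_notification(con, 329))
```

On a real wpndatabase.db you would replace `build_sample_db()` with `sqlite3.connect("file:wpndatabase.db?mode=ro", uri=True)` so the evidence copy is opened read-only; the ArrivalTime conversion is the piece worth keeping even if the schema differs, since the timestamp is what lets you line a row up with the event-log entry you started from.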

SQLite DB output of wpndatabase.db

Answer: You are now syncing “OneDrive — Magnetic4nsics”

Q10. How many bytes total were sent out on the network via the Team Viewer Service?

While viewing the Artifacts window in Magnet Axiom, I found an artifact named SRUM Network Usage. Axiom parses this data from SRUDB.dat. I filtered the output by the application name teamviewer_Service.exe.

SRUM Network Usage Artifact

I exported the above results to an Excel sheet and summed up the Bytes Sent column.

SRUM output

Answer: 95681804

Status — now

Thanks for reading. Please add your comments/feedback if you have any. I will work on the remaining parts and try to upload them as soon as I can.

-Johny
