Digital Forensics Challenge 2021 Writeup (205 — Diagnosis)

Williams Kosasi
11 min read · Sep 16, 2021

This is the writeup I submitted for problem 205 on Digital Forensics Challenge 2021 held by Korea Institute of Information Security & Cryptology (KIISC). My team name is trying2learn and the score I got from this problem is 160 out of 200. This writeup was posted here after the deadline of this problem for fair competition.

Instructions

Description
Analyze the given file and answer the question.
Questions
1. On which system was the given file collected? (Model name) (10 points)
2. What is the time zone of the operating system installed on the system? (10 points)
3. What search engines did the user visit and what queries did the user enter using the Edge browser? (30 points)
4. List all programs installed on “2021-07-28” (UTC+0). (30 points)
5. List all wireless networks connected to the system. (50 points)
— SSID
— Authentication Algorithm
— AP Manufacturer
— AP Model Name
6. Identify the information of the external storage device mounted at “J:\”. (70 points)
— Manufacturer
— Model
— Serial Number
— Volume Serial Number
— Volume Creation Time
— FileSystem
— Connected Date/Time
— Disconnected Date/Time
File Given
Diagnosis.7z

Tool Used

DB Browser for SQLite, HxD Hex Editor, and DCode are the tools that will be used to answer this problem.

Answer

To analyze the given file, we first extract Diagnosis.7z. After extracting it, we find a folder named ProgramData, and we need to find an artifact inside this folder that can help us solve these problems. Analyzing the folder, we found an artifact named “EventTranscript.db” located at ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db; this artifact can help us solve the problems. We can open it with DB Browser for SQLite: after opening the tool, go to Open Database and browse for EventTranscript.db. We will focus on a table named events_persisted. This table has a column named payload, so all the payloads were recorded here.

To find the system that collected this file, we can look at any payload in the events_persisted table. We will look at the first row and view its payload in JSON mode. In this payload there is information under “ext”. Inside “ext”, we can see that the operating system is Windows and the version is 10.0.19043.1110.amd64fre.vb_release.191206-1406. We can also see that the device class is Windows.Desktop, the device manufacturer is LG Electronics, and the model is 17ZD90N-VX7BK. So, the model name of the system that collected this file is 17ZD90N-VX7BK. This information is shown in Figure 1.

Figure 1. Snippet of “ext” from the first payload in JSON mode from events_persisted table on EventTranscript.db.

First Problem Solved

As shown in Figure 1, we can also see that there is information regarding the time zone inside “loc”. So, the time zone of the operating system installed on the system is UTC+9.

Second Problem Solved

Next, we need to find the search engines that the user visited and the queries that the user entered using the Edge browser. This is related to browsing history. If we look at the tag_description table in EventTranscript.db, we can see that the browsing history tag_id is “1”. EventTranscript.db also has a table named event_tags with full_event_name_hash and tag_id columns, and the events_persisted table has a full_event_name_hash column too. So, we can write a query that shows all payloads related to browsing history on the Edge browser from the events_persisted table. The query is as follows:

select events_persisted.payload from events_persisted join event_tags on events_persisted.full_event_name_hash = event_tags.full_event_name_hash where event_tags.tag_id=1 and events_persisted.payload LIKE '%edge%'

There will be 2374 rows in the result. After analyzing the payloads, there are 7 payloads with full_event_name “Aria.218d658af29e41b6bc37144bd03f018d.Microsoft.WebBrowser.HistoryJournal.HJ_HistoryAddUrl”. These payloads interest us because they contain the queries that the user entered. We view these payloads in JSON mode again and look at “navigationUrl” under “data”, because the “navigationUrl” value is the query that the user entered. Below are the queries that the user entered.

1. https://www.bing.com/search?q=itunes&form=WNSGPH&qs=SW&cvid=0a7eac91c4df4ff68c64e4f42efe7e84&pq=itunes&cc=KR&setlang=ko-KR&nclid=CE795B408A5C29096A162D75A8006CFA&ts=1627303523490&nclidts=1627303523&tsms=490&wsso=Moderate

2. https://www.bing.com/search?q=%ec%95%84%ec%9d%b4%ed%8a%a0%ec%a6%88&filters=dtbk:%22MCFvdmVydmlldyFvdmVydmlldyE2ZWYwMWUzYi03YzBlLWQ4YWItYWI5ZS03MmM2NDZiZjIxYTM%3d%22+sid:%226ef01e3b-7c0e-d8ab-ab9e-72c646bf21a3%22+tphint:%22f%22&FORM=DEPNAV

3. https://www.bing.com/newtabredir?url=https%3A%2F%2Fwww.apple.com%2Fkr%2Fitunes%2F

4. https://www.apple.com/kr/itunes/

5. https://www.microsoft.com/ko-kr/p/itunes/9pb2mz1zmb1s?cid=appledotcom&rtc=1

6. https://support.microsoft.com/ko-kr/topic/windows-%EA%B8%B0%EB%B0%98-%ED%94%84%EB%A1%9C%EA%B7%B8%EB%9E%A8%EC%97%90%EC%84%9C-%EB%8F%84%EC%9B%80%EB%A7%90%EC%9D%84-%EC%97%AC%EB%8A%94-%EC%A4%91-%EC%98%A4%EB%A5%98-%EB%B0%9C%EC%83%9D-%EA%B8%B0%EB%8A%A5-%ED%8F%AC%ED%95%A8-%EC%95%88-%EB%90%A8-%EB%98%90%EB%8A%94-%EB%8F%84%EC%9B%80%EB%A7%90-%EC%A7%80%EC%9B%90-%EC%95%88-%EB%90%A8-3c841463-d67c-6062-0ee7-1a149da3973b

7. https://support.microsoft.com/ko-kr/silentsigninhandler

To make sure that all the queries were entered in the Edge browser, we can look at each payload's “data” -> “app” -> “name”. If the name is msedge, the query was entered using the Edge browser. After checking all the payloads, it is confirmed that all the queries were entered using the Edge browser. These 7 payloads also carry a “referUrl”, but we won't use it because it might not have been entered by the user. Among the 2374 rows, there are also payloads with full_event_name Aria.218d658af29e41b6bc37144bd03f018d.Microsoft.WebBrowser.HistoryJournal.HJ_BeforeNavigateExtended and Aria.218d658af29e41b6bc37144bd03f018d.Microsoft.WebBrowser.HistoryJournal.HJ_NavigateCompleteExtended. Both of these events also contain a “navigationUrl”, but we cannot be sure that these queries were entered by the user, because they might have been issued automatically. For example, if we open a web page that can only be viewed when logged in and we are not logged in yet, we are redirected to the login page; that navigation to the login page is done automatically, not by the user, so it is not a query the user entered. Therefore, we will not use the “navigationUrl” value from payloads with either of these two event names. The queries that the user entered using the Edge browser are the 7 queries listed above.

Third Problem Solved

Next, we need to list all programs installed on 2021-07-28 UTC+0. If we look at the tag_description table, we can see that the Software Setup and Inventory tag_id is “31”. So, we can write a query that shows all payloads from 2021-07-28 related to Software Setup and Inventory. The query is as follows:

select events_persisted.payload, events_persisted.full_event_name from events_persisted join event_tags on events_persisted.full_event_name_hash = event_tags.full_event_name_hash where event_tags.tag_id=31 and events_persisted.payload LIKE '%2021-07-28%'

As we can see from the query above, 2021-07-28 is used as a filter on the payload so that only payloads whose “time” is on 2021-07-28 are shown. The “time” format is already in UTC+0.

After executing the query, 20 payloads are shown, all with full_event_name Microsoft.Windows.Inventory.Core.InventoryApplicationAdd. These payloads interest us because they show us all the installed programs. We can look at “data” -> “Name” in each payload to find the program name. Below is the list of all programs installed on 2021-07-28.

1. HashTab 6.0.0.34

2. Microsoft.MicrosoftEdge.Stable

3. AppUp.IntelGraphicsExperience

4. Microsoft.Getstarted

5. Microsoft.Office.OneNote

6. Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148

7. AccessData FTK Imager

8. Microsoft Visual C++ 2019 X64 Minimum Runtime - 14.24.28127

9. VMware Player

10. Microsoft Visual C++ 2019 X64 Additional Runtime - 14.24.28127

11. Chrome

12. Microsoft Edge

13. Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

14. Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.24.28127

15. Adobe Refresh Manager

16. Adobe Acrobat Reader DC - Korean

17. Microsoft Visual C++ 2019 X86 Additional Runtime - 14.24.28127

18. Microsoft Teams

Both “Adobe Refresh Manager” and “Adobe Acrobat Reader DC - Korean” appear twice. The only difference in “data” is the “programInstanceId”. It shows that both payloads for each program are related to the same application. Therefore, I only listed each of these programs once in the list above.
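The third and fourth problems both come down to the same pattern: join events_persisted to event_tags on full_event_name_hash, narrow by tag_id, and then read fields out of the JSON payload. As an added example (not part of the original writeup and not the challenge data), the Python script below rebuilds a small, simplified mock of those three tables in an in-memory SQLite database with constructed payloads, runs the same join, and then applies the two checks a practitioner would want: selecting HJ_HistoryAddUrl rows on data.app.name == "msedge" instead of a LIKE '%edge%' over the whole payload, and matching the install date against the payload's own "time" field rather than anywhere in the JSON (a path or other string containing the date would satisfy the LIKE filter). The table and column names and the JSON field names follow the writeup; the column types, the hash values, the ProgramInstanceId/RootDirPath fields and every sample payload are assumptions made for the example.

```python
import json
import sqlite3

HJ_ADD = "Aria.218d658af29e41b6bc37144bd03f018d.Microsoft.WebBrowser.HistoryJournal.HJ_HistoryAddUrl"
HJ_NAV = "Aria.218d658af29e41b6bc37144bd03f018d.Microsoft.WebBrowser.HistoryJournal.HJ_BeforeNavigateExtended"
INV_ADD = "Microsoft.Windows.Inventory.Core.InventoryApplicationAdd"

# Constructed sample rows (name hash, event name, payload dict). They imitate the shape
# the writeup describes; none of them come from the challenge database.
SAMPLE_EVENTS = [
    ("h_add", HJ_ADD, {"time": "2021-07-26T12:05:23.4900000Z",
                       "data": {"navigationUrl": "https://www.bing.com/search?q=itunes",
                                "referUrl": "", "app": {"name": "msedge"}}}),
    # Same event type, but recorded by another browser: LIKE '%edge%' would still match
    # if the word "edge" appeared anywhere in the payload, the app name check does not.
    ("h_add", HJ_ADD, {"time": "2021-07-26T12:06:00.0000000Z",
                       "data": {"navigationUrl": "https://example.invalid/edge-of-town",
                                "app": {"name": "chrome"}}}),
    # Navigation event the writeup deliberately excludes (possibly automatic redirect).
    ("h_nav", HJ_NAV, {"time": "2021-07-26T12:06:10.0000000Z",
                       "data": {"navigationUrl": "https://example.invalid/login-redirect",
                                "app": {"name": "msedge"}}}),
    ("h_inv", INV_ADD, {"time": "2021-07-28T01:00:00.0000000Z",
                        "data": {"Name": "HashTab 6.0.0.34", "ProgramInstanceId": "inst-1"}}),
    # Two inventory records for one application, differing only in ProgramInstanceId.
    ("h_inv", INV_ADD, {"time": "2021-07-28T02:00:00.0000000Z",
                        "data": {"Name": "Adobe Refresh Manager", "ProgramInstanceId": "inst-2"}}),
    ("h_inv", INV_ADD, {"time": "2021-07-28T02:00:01.0000000Z",
                        "data": {"Name": "Adobe Refresh Manager", "ProgramInstanceId": "inst-3"}}),
    # Installed on another day, but the date string appears inside a path in the payload,
    # so a LIKE '%2021-07-28%' over the whole payload would wrongly pick it up.
    ("h_inv", INV_ADD, {"time": "2021-07-29T08:00:00.0000000Z",
                        "data": {"Name": "Not Installed That Day", "ProgramInstanceId": "inst-4",
                                 "RootDirPath": "C:\\Program Files\\Backup-2021-07-28"}}),
]
TAGS = {"h_add": 1, "h_nav": 1, "h_inv": 31}   # tag 1 = Browsing History, 31 = Software Setup and Inventory


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory database with a simplified version of the three tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE tag_description (tag_id INTEGER, description TEXT);
        CREATE TABLE event_tags (full_event_name_hash TEXT, tag_id INTEGER);
        CREATE TABLE events_persisted (full_event_name_hash TEXT, full_event_name TEXT, payload TEXT);
    """)
    conn.executemany("INSERT INTO tag_description VALUES (?, ?)",
                     [(1, "Browsing History"), (31, "Software Setup and Inventory")])
    conn.executemany("INSERT INTO event_tags VALUES (?, ?)", list(TAGS.items()))
    conn.executemany("INSERT INTO events_persisted VALUES (?, ?, ?)",
                     [(h, name, json.dumps(p)) for h, name, p in SAMPLE_EVENTS])
    return conn


def payloads_by_tag(conn: sqlite3.Connection, tag_id: int):
    """The writeup's join: every persisted event whose name hash carries the tag, JSON-decoded."""
    rows = conn.execute(
        "SELECT e.full_event_name, e.payload FROM events_persisted e "
        "JOIN event_tags t ON e.full_event_name_hash = t.full_event_name_hash "
        "WHERE t.tag_id = ?", (tag_id,))
    return [(name, json.loads(payload)) for name, payload in rows]


def naive_like_count(conn: sqlite3.Connection, tag_id: int, needle: str) -> int:
    """Row count for the writeup-style LIKE filter; it matches the needle anywhere in the JSON."""
    return conn.execute(
        "SELECT COUNT(*) FROM events_persisted e JOIN event_tags t "
        "ON e.full_event_name_hash = t.full_event_name_hash "
        "WHERE t.tag_id = ? AND e.payload LIKE ?", (tag_id, f"%{needle}%")).fetchone()[0]


def edge_history_urls(conn: sqlite3.Connection) -> list:
    """navigationUrl of HJ_HistoryAddUrl events whose recording app (data.app.name) is msedge."""
    return [p["data"]["navigationUrl"]
            for name, p in payloads_by_tag(conn, 1)
            if name == HJ_ADD and p["data"].get("app", {}).get("name") == "msedge"]


def programs_installed_on(conn: sqlite3.Connection, day: str) -> list:
    """Distinct data.Name values of InventoryApplicationAdd events whose UTC "time" falls on day (YYYY-MM-DD).
    Using a set collapses duplicate records that differ only in ProgramInstanceId."""
    names = {p["data"]["Name"]
             for name, p in payloads_by_tag(conn, 31)
             if name == INV_ADD and p["time"].startswith(day)}
    return sorted(names)


if __name__ == "__main__":
    db = build_sample_db()
    print("Edge history URLs:", edge_history_urls(db))
    print("LIKE '%2021-07-28%' rows:", naive_like_count(db, 31, "2021-07-28"))
    print("Installed on 2021-07-28:", programs_installed_on(db, "2021-07-28"))
```

On the constructed data the LIKE filter returns four inventory rows while the "time"-based filter yields two distinct program names, which is the gap the writeup closes by reading the payloads by hand. To run the same functions against the real artifact, replace build_sample_db() with sqlite3.connect("EventTranscript.db") and, if the real column types differ, adjust nothing else: the queries only rely on the column names the writeup uses.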

Fourth Problem Solved

Next, we need to find all the wireless networks connected to the system. If we look at the tag_description table, we can see that the Device Connectivity and Configuration tag_id is “11”. So, we will execute a query that shows us all payloads related to device connectivity and configuration, because the information about wireless networks connected to the system will be among them. The query is as follows:

select events_persisted.payload, events_persisted.full_event_name from events_persisted join event_tags on events_persisted.full_event_name_hash = event_tags.full_event_name_hash where event_tags.tag_id=11

There are 35665 rows in the result. It would take a lot of time to check every type of full_event_name, so we modify the query a little to show only the payloads that contain ‘SSID’. The modified query is as follows:

select events_persisted.payload, events_persisted.full_event_name from events_persisted join event_tags on events_persisted.full_event_name_hash = event_tags.full_event_name_hash where event_tags.tag_id=11 and events_persisted.payload LIKE '%SSID%'

Now there are only 406 rows, which we can analyze much faster. Among the results we found payloads with full_event_name Microsoft.OneCore.NetworkingTriage.GetConnected.WiFiConnectedEvent. These payloads interest us because they record each wireless network connected event. There are 22 payloads with this full_event_name. After analyzing all 22 payloads, we can conclude that 5 wireless networks were connected to the system. The list of the wireless networks is as follows:

Table 1. List of Wireless Networks connected to the system.

Wireless networks 4 and 5 both have the SSID “iptime”, because “iptime” is free WiFi in Korea and can be found in most places. The system has connected to two different free WiFi networks with this SSID, since they have different AP Manufacturer and Model Name values. The two payloads that show us the fifth wireless network do not have a value for AP Manufacturer; they only show the AP Model Name.

Fifth Problem Solved

Next, we need to find the external storage device mounted at “J:\”. We can use “J:\” as a filter on the payload column of the events_persisted table to find any information related to this drive letter. The query is as follows:

select payload from events_persisted where payload LIKE '%j:\%'

After executing the query, 3 rows are shown. All three payloads have the same full_event_name, Microsoft.Windows.Storage.StorageService.SdCardStatus. We can choose any of the three payloads and view it in JSON mode. It contains the volume name, \\\\?\\Volume{5ef7fa9f-ee12-11eb-947e-58961d61ea8f}, from which we get the volume ID 5ef7fa9f-ee12-11eb-947e-58961d61ea8f. We will use this as a filter on the payload column of the events_persisted table to find any information related to this volume ID. The query is as follows:

select payload from events_persisted where payload LIKE '%5ef7fa9f-ee12-11eb-947e-58961d61ea8f%'

There will be 72 rows in the result. We can choose any of the payloads that contain disk ID information and look at the value, because all payloads that contain a disk ID have the same value. One full_event_name we can look at to find the disk ID is Microsoft.Windows.FileSystem.NTFS.Mount. The disk ID is 68C652BC-96C4-3675-4A38-4E4F8558394D. This value will be used as a filter on the payload column of the events_persisted table to find any information related to this disk ID. The query is as follows:

select payload from events_persisted where payload LIKE '%68C652BC-96C4-3675-4A38-4E4F8558394D%'

There will be 35 rows in the result. From this result, we can identify some of the information about the external storage device mounted at “J:\”. Among the results, we choose any payload whose full_event_name is Microsoft.Windows.Storage.Partmgr.DiskDiscovery and view it in JSON mode. There we can see “manufacturer” (manufacturer), “model” (model), and “serial” (serial number).

· Manufacturer: SanDisk

· Model: Ultra USB 3.0

· Serial Number: 4C531001460807102273

We can also use the value of “vbr0” to find the file system used and the volume serial number. To make it easier to read, we will use the HxD Hex Editor to view the “vbr0” value: we just need to copy the “vbr0” value and paste it into HxD. The result is shown in Figure 2.

Figure 2. The value of “vbr0” opened using HxD Hex Editor.

At offsets 0x3 through 0x6 we can clearly see that the file system used is NTFS.

· File System: NTFS

Knowing the file system, we can find the volume serial number at offsets 0x48 through 0x4B (4 bytes, little endian), which are 1A 20 0F 4E.

· Volume Serial Number: 1A20-0F4E
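Reading the boot sector by eye in HxD works for one volume, but the same offsets can be checked programmatically. The Python parser below is an added example (not from the writeup or the challenge) that validates and decodes an NTFS volume boot record of the kind carried in “vbr0”, run here on a constructed 512-byte sector. It checks the 0x55AA signature and the OEM ID at 0x03, reads the BPB fields and the 8-byte volume serial number field at 0x48, and formats the first four bytes of that field as a little-endian DWORD in XXXX-XXXX form, which is the convention this example assumes for the serial that Windows displays. The sample serial bytes and the other BPB values are constructed for the example and are not the challenge's.

```python
import struct

OEM_NTFS = b"NTFS    "          # OEM ID at offset 0x03, "NTFS" padded to 8 bytes


def build_sample_ntfs_vbr(serial: bytes) -> bytes:
    """Constructed 512-byte NTFS boot sector used only for this example (not real disk data)."""
    if len(serial) != 8:
        raise ValueError("NTFS volume serial number field is 8 bytes")
    vbr = bytearray(512)
    vbr[0x00:0x03] = b"\xEB\x52\x90"               # jump instruction
    vbr[0x03:0x0B] = OEM_NTFS                       # OEM ID
    struct.pack_into("<H", vbr, 0x0B, 512)          # bytes per sector
    vbr[0x0D] = 8                                   # sectors per cluster
    vbr[0x15] = 0xF8                                # media descriptor (fixed disk)
    struct.pack_into("<H", vbr, 0x18, 63)           # sectors per track
    struct.pack_into("<H", vbr, 0x1A, 255)          # number of heads
    struct.pack_into("<Q", vbr, 0x28, 0x1D1C5FF)    # total sectors
    struct.pack_into("<Q", vbr, 0x30, 0xC0000)      # $MFT start cluster (LCN)
    struct.pack_into("<Q", vbr, 0x38, 0x2)          # $MFTMirr start cluster (LCN)
    vbr[0x40] = 0xF6                                # clusters per file record (-10 => 2^10 bytes)
    vbr[0x44] = 0x01                                # clusters per index block
    vbr[0x48:0x50] = serial                         # volume serial number (8 bytes)
    vbr[0x1FE:0x200] = b"\x55\xAA"                  # boot signature
    return bytes(vbr)


def parse_ntfs_vbr(vbr: bytes) -> dict:
    """Validate an NTFS boot sector and decode the fields a triage analyst looks at."""
    if len(vbr) < 512:
        raise ValueError("boot sector is shorter than 512 bytes")
    if vbr[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    oem = vbr[0x03:0x0B]
    if oem != OEM_NTFS:
        raise ValueError(f"not an NTFS boot sector, OEM ID is {oem!r}")
    bytes_per_sector, = struct.unpack_from("<H", vbr, 0x0B)
    sectors_per_cluster = vbr[0x0D]
    total_sectors, mft_lcn, mftmirr_lcn = struct.unpack_from("<QQQ", vbr, 0x28)
    serial_raw = vbr[0x48:0x50]
    serial64, = struct.unpack_from("<Q", vbr, 0x48)
    low_dword = serial64 & 0xFFFFFFFF               # first four bytes, little-endian
    return {
        "file_system": oem.decode("ascii").strip(),
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "cluster_size": bytes_per_sector * sectors_per_cluster,
        "total_sectors": total_sectors,
        "mft_lcn": mft_lcn,
        "mftmirr_lcn": mftmirr_lcn,
        "serial_raw_hex": serial_raw.hex(" ").upper(),          # bytes exactly as seen in the hex editor
        "serial_64": f"{serial64:016X}",                        # whole 8-byte field as one integer
        "volume_serial": f"{low_dword >> 16:04X}-{low_dword & 0xFFFF:04X}",
    }


if __name__ == "__main__":
    # Constructed serial bytes; the writeup's vbr0 would be pasted in here instead.
    sample = build_sample_ntfs_vbr(bytes.fromhex("2E3BD17A96123456"))
    for key, value in parse_ntfs_vbr(sample).items():
        print(f"{key}: {value}")
```

With a real vbr0 the raw bytes from the hex editor go into bytes.fromhex() unchanged; serial_raw_hex then reproduces what HxD shows at 0x48, and volume_serial shows the same four bytes after little-endian interpretation, so the two readings can be compared side by side.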

From the volume serial number, we can try to find the volume creation time. The tool used here is DCode. After opening the tool, we focus on the Value Input box: change the format to Hexadecimal (Little-Endian) and enter the volume serial number we obtained before. The result is shown in Figure 3.

Figure 3. Result of decoding the volume serial number into timestamp on DCode.

From the result above, GPS Time (UTC) is the only interpretation that makes sense. Therefore, the most likely volume creation time is 2021-07-06 13:41:28 UTC+0.

· Volume Creation Time: 2021-07-06 13:41:28 UTC+0

From the result we got before (35 rows), we can find the connected and disconnected date/time of the external storage device. The payload with full_event_name Microsoft.Windows.Storage.Classpnp.DeviceGuidGenerated indicates the connected event (external storage plugged into the system), while the payload with full_event_name Microsoft.Windows.Storage.Classpnp.DeviceRemoved indicates the disconnected event. We can view the “time” of these payloads in JSON mode. Below is the list of the connected and disconnected date/time.

Table 2. List of connected and disconnected date/time of the external storage device mounted at “J:\”.
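Pairing the DeviceGuidGenerated and DeviceRemoved events into connect/disconnect intervals is easy to get wrong when the rows are not in chronological order or when the device was still attached at collection time. The Python snippet below is an added example (not from the writeup) that does this pairing on constructed "time" values: it sorts the events first, ignores unrelated event names, reports a connect with no later disconnect as still connected, and keeps a disconnect with no preceding connect as an orphan instead of silently pairing it. The two event names are the ones the writeup cites; the timestamps and the unrelated NTFS.Mount row are constructed.

```python
from datetime import datetime, timedelta, timezone

CONNECT_EVENT = "Microsoft.Windows.Storage.Classpnp.DeviceGuidGenerated"
REMOVE_EVENT = "Microsoft.Windows.Storage.Classpnp.DeviceRemoved"

# Constructed (full_event_name, "time") pairs, deliberately out of order; not challenge data.
SAMPLE_EVENTS = [
    (REMOVE_EVENT,  "2021-07-28T02:10:00.1234567Z"),
    (CONNECT_EVENT, "2021-07-28T01:00:00.0000000Z"),
    (CONNECT_EVENT, "2021-07-29T09:30:00.5000000Z"),   # never removed before collection
    (REMOVE_EVENT,  "2021-07-27T23:59:59.0000000Z"),   # no matching connect in the data
    ("Microsoft.Windows.FileSystem.NTFS.Mount", "2021-07-28T01:00:05.0000000Z"),  # ignored
]


def parse_event_time(value: str) -> datetime:
    """Parse a payload "time" string (UTC, up to seven fractional digits) into an aware datetime."""
    if not value.endswith("Z"):
        raise ValueError("expected a UTC timestamp ending in Z")
    base, _, frac = value[:-1].partition(".")
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    micros = int((frac + "000000")[:6]) if frac else 0     # drop the 100 ns digit
    return dt + timedelta(microseconds=micros)


def device_sessions(events):
    """Pair connect/disconnect events chronologically.

    Returns (sessions, orphan_removals). Each session is a dict with "connected" and
    "disconnected"; "disconnected" is None when the device was still attached at the
    end of the data. A removal with no open session is reported as an orphan.
    """
    timeline = sorted(((parse_event_time(t), name) for name, t in events
                       if name in (CONNECT_EVENT, REMOVE_EVENT)), key=lambda x: x[0])
    sessions, orphans = [], []
    current = None
    for when, name in timeline:
        if name == CONNECT_EVENT:
            if current is not None:            # second connect without a removal in between:
                sessions.append(current)       # close the earlier one with an unknown end
            current = {"connected": when, "disconnected": None}
        elif current is None:
            orphans.append(when)
        else:
            current["disconnected"] = when
            sessions.append(current)
            current = None
    if current is not None:
        sessions.append(current)
    return sessions, orphans


def fmt(dt) -> str:
    """Render a timestamp in the UTC+0 form used in the writeup's tables."""
    return dt.strftime("%Y-%m-%d %H:%M:%S UTC+0") if dt else "still connected"


if __name__ == "__main__":
    found, orphans = device_sessions(SAMPLE_EVENTS)
    for s in found:
        print(f"connected {fmt(s['connected'])} -> disconnected {fmt(s['disconnected'])}")
    for o in orphans:
        print(f"removal without a preceding connect at {fmt(o)}")
```

Fed with the "time" values of the 35-row result described above, the function yields the rows of Table 2 directly, and any orphan it reports is a signal that an earlier connect event fell outside the collected data rather than a pairing error.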

Summary:

1. The given file was collected from a 17ZD90N-VX7BK model (LG Electronics) running Windows (10.0.19043.1110.amd64fre.vb_release.191206-1406).

2. The time zone of the operating system installed on the system is UTC+9.

3. Below are the queries that the user entered using Edge browser.
· https://www.bing.com/search?q=itunes&form=WNSGPH&qs=SW&cvid=0a7eac91c4df4ff68c64e4f42efe7e84&pq=itunes&cc=KR&setlang=ko-KR&nclid=CE795B408A5C29096A162D75A8006CFA&ts=1627303523490&nclidts=1627303523&tsms=490&wsso=Moderate
· https://www.bing.com/search?q=%ec%95%84%ec%9d%b4%ed%8a%a0%ec%a6%88&filters=dtbk:%22MCFvdmVydmlldyFvdmVydmlldyE2ZWYwMWUzYi03YzBlLWQ4YWItYWI5ZS03MmM2NDZiZjIxYTM%3d%22+sid:%226ef01e3b-7c0e-d8ab-ab9e-72c646bf21a3%22+tphint:%22f%22&FORM=DEPNAV
· https://www.bing.com/newtabredir?url=https%3A%2F%2Fwww.apple.com%2Fkr%2Fitunes%2F
· https://www.apple.com/kr/itunes/
· https://www.microsoft.com/ko-kr/p/itunes/9pb2mz1zmb1s?cid=appledotcom&rtc=1
· https://support.microsoft.com/ko-kr/topic/windows-%EA%B8%B0%EB%B0%98-%ED%94%84%EB%A1%9C%EA%B7%B8%EB%9E%A8%EC%97%90%EC%84%9C-%EB%8F%84%EC%9B%80%EB%A7%90%EC%9D%84-%EC%97%AC%EB%8A%94-%EC%A4%91-%EC%98%A4%EB%A5%98-%EB%B0%9C%EC%83%9D-%EA%B8%B0%EB%8A%A5-%ED%8F%AC%ED%95%A8-%EC%95%88-%EB%90%A8-%EB%98%90%EB%8A%94-%EB%8F%84%EC%9B%80%EB%A7%90-%EC%A7%80%EC%9B%90-%EC%95%88-%EB%90%A8-3c841463-d67c-6062-0ee7-1a149da3973b
· https://support.microsoft.com/ko-kr/silentsigninhandler

4. Below is the list of all programs installed on 2021-07-28.

· HashTab 6.0.0.34
· Microsoft.MicrosoftEdge.Stable
· AppUp.IntelGraphicsExperience
· Microsoft.Getstarted
· Microsoft.Office.OneNote
· Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
· AccessData FTK Imager
· Microsoft Visual C++ 2019 X64 Minimum Runtime - 14.24.28127
· VMware Player
· Microsoft Visual C++ 2019 X64 Additional Runtime - 14.24.28127
· Chrome
· Microsoft Edge
· Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
· Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.24.28127
· Adobe Refresh Manager
· Adobe Acrobat Reader DC - Korean
· Microsoft Visual C++ 2019 X86 Additional Runtime - 14.24.28127
· Microsoft Teams

5. Below is the list of all wireless networks connected to the system.

6. Below is the information about the external storage device mounted at “J:\”.

· Manufacturer: SanDisk
· Model: Ultra USB 3.0
· Serial Number: 4C531001460807102273
· Volume Serial Number: 1A20-0F4E
· Volume Creation Time: 2021-07-06 13:41:28 UTC+0
· File System: NTFS
· Below is the list of the connected and disconnected date/time.

The score I got from this problem is not perfect (160/200). That means something is wrong or missing here, so feel free to leave any comments.


Williams Kosasi

I have so much interest in DFIR and love any challenge that is given to me.