BTLO — Countdown

--

BTLO (blueteamlabs.online)

NYC Police received information that a gang of attackers has entered the city and are planning to detonate an explosive device. Law enforcement have begun investigating all leads to determine whether this is true or a hoax.

Persons of interest were taken into custody, and one additional suspect named ‘Zerry’ was detained while officers raided his house. During the search they found one laptop, collected the digital evidence, and sent it to NYC digital forensics division.

Police believe Zerry is directly associated with the gang and are analyzing his device to uncover any information about the potential attack.

Countdown uses Autopsy (sleuthkit.org) to analyse a disk image (*.E01 file) created with FTK Imager (AccessData).

1. Verify the Disk Image. Submit SectorCount and MD5

Open the FTK Imager report of Zerry01.E01 — Zerry01.txt — and locate Sector Count and MD5 Hash. The file is located at C:\Users\BTLOTest\Desktop\Investigation Files\Disk Image\Zerry

Zerry01.E01 FTK Imager report

2. What is the decryption key of the online messenger app used by Zerry?

Before trying to find a decryption key, first locate and understand which online messenger apps are installed. Launch Autopsy and open the existing case, C:\Users\BTLOTest\Desktop\Countdown\Countdown.aut

Autopsy Installed Applications — SIGNAL

Once the case is open, we can search for which online messenger apps are installed. There are various ways to do so — Autopsy has an Installed Programs module, but this doesn’t seem to show what we’re looking for, so instead we can search Prefetch (C:\Windows\Prefetch) for evidence of application execution. Here, we find two potential options, SIGNAL.EXE-*.pf and SKYPEAPP.EXE-*.pf.

The question asks for a decryption key, and a quick Google search turns up the article “Signal Desktop Leaves Message Decryption Key in Plain Sight”: the key is stored in %AppData%\Signal\config.json. We can pull this out and use it to unlock the SQLite database, db.sqlite, which stores the user’s messages.

Locations of SIGNAL database (left) and decryption key (right)

3. What is the registered phone number and profile name of Zerry in the messenger application used?

Export these files (C:\Users\BTLOTest\Desktop\Countdown\Export), and use SQLLiteDatabaseBrowserPortable.exe to open db.sqlite. Be sure to prefix the key with 0x when pasting it.

Decrypting the SIGNAL database
Phone number and Username of Zerry in SIGNAL

To find the registered phone number and profile name, navigate to the Browse Data tab and conversations table. Scroll across to ProfileName and e164 columns, which hold the profile name and phone number. When inserting the profile name, use Win+. to bring up the emoji keyboard.

4. What is the email id found in the chat?

Navigate to the messages table, scroll across to the body column, and scroll through the messages to find the email address, or filter for @.

Email ID found in SIGNAL chat

5. What is the filename (including extension) that is received as an attachment via email?

Reading a bit more of the context around the conversation and paying attention to the timestamps (stored as Unix epoch values, so they need converting), we understand a file was sent and received around Sunday, 17 January 2021 06:20:06.140, and should have been erased around Sunday, 17 January 2021 06:27:00.662.

Several artefacts might help us piece together what this file was, such as ShellBags, Amcache and AppCompatCache. However, searching through the Recent Documents module in Autopsy, we see evidence of a shortcut (*.lnk) to the specific file.

Autopsy *.lnk file of the downloaded image

6. What is the Date and Time of the planned attack?

The received file appears to have been deleted, and also wiped from disk, so it is not present as a deleted file to recover. However, we are able to view the thumbcache file, which preserves the thumbnail icon, to see what the image was. Export /Users/Zerry/AppData/Local/Microsoft/Windows/Explorer/thumbcache_256.db, open it with Thumbcache Viewer, and locate the *.png. Some interpretation is required for the time of the planned attack.

Thumbcache Viewer of the downloaded image showing Data and Time of the attack

7. What is the GPS location of the blast? The format is the same as found in the evidence. [Hint: Encode(XX Degrees, XX Minutes, XX Seconds)]

To try to get an idea of the target for the blast, reading back through the SIGNAL conversation gives us a starting point — there are messages about the Tor browser, as well as about the target location being discussed in a 2020 annual meeting.

Going back to Autopsy, we can find evidence of the Tor browser, with browser history within /img_Zerry.E01/vol_vol3/Tor Browser/Browser/TorBrowser/Data/Browser/profile.default/places.sqlite

Evidence of browsing to rot13.com via Tor

Export and open places.sqlite with SQLLiteDatabaseBrowser. Navigate to the Browse Data tab and the moz_bookmarks table. Here we see evidence of browsing to rot13.com, as it was added as a bookmark at a time consistent with some of the SIGNAL messages.

Investigating the Tor artefacts hasn’t given us the GPS location of the blast, but it has given us a clue about a possible encoding method that may have been used at some point.

A bit of searching throughout Autopsy takes us to /Users/Zerry/AppData/Local/Packages/Microsoft.MicrosoftStickyNotes_*/ and the plum.sqlite database within /LocalState/. This is consistent with the target location being discussed in a 2020 annual meeting — maybe Zerry took notes using Microsoft Sticky Notes.

plum.sqlite database for StickyNotes

All three plum.sqlite* files must be exported together and opened with SQLLiteDatabaseBrowserPortable so that the existing state of the database (including changes still held in the write-ahead log) is maintained.

plum.sqlite
plum.sqlite-shm
plum.sqlite-wal

Navigate to the Browse Data tab and the notes table, where there is an illegible string. This can be decoded using ROT13 (as suggested by the Tor history analysis) to uncover the GPS location of the blast.

GPS Location of the blast — ROT13
Decoding the GPS Location of the blast
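The database work from steps 3 to 5 and the ROT13 decoding from step 7, as an added Python example (not part of the original walkthrough). The tables, column names and rows are a constructed stand-in for the decrypted Signal db.sqlite and the Sticky Notes value, not data from the evidence; the column names are assumed to match Signal Desktop’s schema.

```python
import codecs
import re
import sqlite3
from datetime import datetime, timezone

# Constructed stand-in for the decrypted Signal Desktop database (assumed
# column names; the real schema has many more columns). Timestamps are
# milliseconds since the Unix epoch, as Signal stores them.
SAMPLE_SQL = """
CREATE TABLE conversations (id TEXT, type TEXT, profileName TEXT, e164 TEXT);
CREATE TABLE messages (id TEXT, conversationId TEXT, body TEXT, sent_at INTEGER);
INSERT INTO conversations VALUES ('c1', 'private', 'Zerry', '+15550000000');
INSERT INTO messages VALUES
  ('m1', 'c1', 'send it to drop.box@example.invalid', 1610864100000),
  ('m2', 'c1', 'file sent, check your mail', 1610864406140),
  ('m3', 'c1', 'delete it after you have seen it', 1610864820662);
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def load_sample():
    """Open an in-memory copy of the constructed database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SQL)
    return conn


def epoch_ms_to_utc(ms):
    """Convert a Signal sent_at value (epoch milliseconds) to a UTC string."""
    secs, millis = divmod(ms, 1000)  # integer maths keeps the millisecond exact
    stamp = datetime.fromtimestamp(secs, tz=timezone.utc)
    return stamp.strftime("%Y-%m-%d %H:%M:%S") + f".{millis:03d}"


def profile_and_number(conn):
    """Step 3: profile name and E.164 phone number of the private conversation."""
    query = "SELECT profileName, e164 FROM conversations WHERE type = 'private'"
    return conn.execute(query).fetchone()


def timeline(conn):
    """Step 5: every message with its human-readable UTC timestamp, oldest first."""
    rows = conn.execute("SELECT body, sent_at FROM messages ORDER BY sent_at")
    return [(epoch_ms_to_utc(ts), body) for body, ts in rows]


def emails_in_chat(conn):
    """Step 4: all email addresses mentioned in message bodies."""
    found = []
    for (body,) in conn.execute("SELECT body FROM messages"):
        found.extend(EMAIL_RE.findall(body))
    return found


def rot13(text):
    """Step 7: ROT13 is its own inverse, so decoding is the same as encoding."""
    return codecs.decode(text, "rot_13")
```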

Analysing the disk image Zerry.E01 has enabled us to locate and decrypt the SIGNAL conversation, from which we could determine the date, time and location of the planned terrorist attack.

--

Chris Eastwood
Blue Team Labs Online — Walkthroughs

Incident Response, Forensic Investigations, and Threat Hunting professional, writing things to learn them better.