AfricaFalls (Disk Image Forensics)

https://cyberdefenders.org/labs/66

John Doe was accused of doing illegal activities. A disk image of his laptop was taken. Your task is to analyze the image and understand what happened under the hood.

For this challenge I’ll use FireEye’s FLARE VM, available here: https://github.com/fireeye/flare-vm

It doesn’t include all of the lab’s listed tools by default (e.g. FTK Imager), so I installed them manually.

The file provided is a .zip containing two files: the image (DiskDrigger.ad1) and a text file.

FTK Imager can open the .ad1 file, but Autopsy cannot (nor can any of the other tools listed). FTK Imager itself only lets you browse the files in the image, much like a file explorer, but it does have an export function: I opened the .ad1 in FTK Imager and exported its contents as files (it isn’t possible to export it as a disk image format that Autopsy can open). That exported directory can then be imported into Autopsy (and most of the other listed tools) for analysis.

The text file appears to be a summary of what’s contained within the disk image, including files, dates, and hashes.

9471e69c95d8909ae60ddff30d50ffa1

Autopsy’s Web Search section helps here. The searches are timestamped, but all in PDT. A quick Google tells us that PDT is UTC-7, so we need to look for the search made at 11:17:38 PDT on the 29th.

password cracking lists

This one came from FTK Imager. I was just browsing the files to see what was there. The user’s AppData folder is where application settings etc. are kept, and that led me to a FileZilla configuration folder, 001Win10.e01_Partition 2 [50647MB]_NONAME [NTFS]\[root]\Users\John Doe\AppData\Roaming\FileZilla\ - FileZilla being a common FTP server. In that folder was a file, recentservers.xml.

192.168.1.20
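FileZilla keeps its recent-connection list as plain XML, so the whole file can be pulled apart rather than eyeballed for the host. The parser below is an added example written for this write-up, not code from the lab or from FileZilla; the sample XML is constructed to mirror the layout of a FileZilla 3 recentservers.xml (the host value is the one found above, everything else is made up), and the protocol and logon-type code meanings are my reading of FileZilla 3 and should be checked against the version on the image.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample in the shape of FileZilla 3's recentservers.xml. Only the first <Host> value
# comes from the write-up; the second server, user names and password are invented.
SAMPLE_RECENTSERVERS = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.53.1" platform="windows">
  <RecentServers>
    <Server>
      <Host>192.168.1.20</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Type>0</Type>
      <User>ftpuser</User>
      <Pass encoding="base64">UEBzc3cwcmQ=</Pass>
      <Logontype>1</Logontype>
      <PasvMode>MODE_DEFAULT</PasvMode>
    </Server>
    <Server>
      <Host>files.example.test</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <Type>0</Type>
      <User>backup</User>
      <Logontype>0</Logontype>
    </Server>
  </RecentServers>
</FileZilla3>
"""

# Code meanings as used by FileZilla 3 (assumption: confirm against the installed version).
PROTOCOLS = {"0": "FTP", "1": "SFTP", "3": "FTPS (implicit TLS)", "4": "FTPES (explicit TLS)"}
LOGONTYPES = {"0": "anonymous", "1": "normal", "2": "ask", "3": "interactive", "4": "account", "5": "key file"}


def parse_recent_servers(xml_text: str) -> list[dict]:
    """Return one dict per <Server> entry: host, port, protocol, user, logon type and, if stored,
    the password. FileZilla 3 stores the password base64-encoded (not encrypted), so an examiner
    can read it back directly; older versions stored it as plain text, which is handled too."""
    root = ET.fromstring(xml_text)
    entries = []
    for srv in root.iter("Server"):
        entry = {
            "host": srv.findtext("Host"),
            "port": int(srv.findtext("Port", "0")),
            "protocol": PROTOCOLS.get(srv.findtext("Protocol"), "unknown"),
            "user": srv.findtext("User", ""),
            "logon": LOGONTYPES.get(srv.findtext("Logontype"), "unknown"),
            "password": None,
        }
        pass_el = srv.find("Pass")
        if pass_el is not None and pass_el.text:
            if pass_el.get("encoding") == "base64":
                entry["password"] = base64.b64decode(pass_el.text).decode("utf-8", "replace")
            else:
                entry["password"] = pass_el.text
        entries.append(entry)
    return entries


if __name__ == "__main__":
    for e in parse_recent_servers(SAMPLE_RECENTSERVERS):
        print(f"{e['protocol']:<20} {e['host']}:{e['port']}  user={e['user']!r}  logon={e['logon']}")
```

Run against the exported file with `parse_recent_servers(open(path, encoding="utf-8").read())`. The takeaway for the defender side is the same one the examiner benefits from here: anything FileZilla remembers about a server, including a saved password, sits in the user profile in a trivially decodable form.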

Autopsy has a Recycle Bin section with a single file in it. The source file name is $RW9BJ2Z.txt, but the original path was C:\Users\John Doe\Downloads\10-million-password-list-top-100.txt - so we know this is the file in question. Autopsy also gives us the Time Deleted - again in PDT, so we need to add seven hours for the answer.

2021-04-29 18:22:17 UTC
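Both the search question and the Recycle Bin question come down to the same PDT-to-UTC shuffle, and "add seven" is only right while Pacific time is on daylight saving. The helper below is an added example for this write-up, not part of the lab; it uses the IANA zone America/Los_Angeles so the offset follows the date (UTC-7 as PDT in April, UTC-8 as PST in winter), and it assumes the machine running it has a tz database available to Python's zoneinfo.

```python
from datetime import datetime
from zoneinfo import ZoneInfo

# Autopsy displayed these artifacts in US Pacific time. Resolving the zone by name lets zoneinfo
# pick PDT or PST for the date instead of hard-coding "minus seven". Assumption: tzdata is present.
PACIFIC = ZoneInfo("America/Los_Angeles")
UTC = ZoneInfo("UTC")
FMT = "%Y-%m-%d %H:%M:%S"


def pacific_to_utc(stamp: str) -> str:
    """Turn an Autopsy timestamp shown in Pacific time into the UTC string the lab expects,
    e.g. '2021-04-29 11:22:17' -> '2021-04-29 18:22:17 UTC'."""
    local = datetime.strptime(stamp, FMT).replace(tzinfo=PACIFIC)
    return local.astimezone(UTC).strftime(FMT) + " UTC"


def utc_to_pacific(stamp: str) -> str:
    """Reverse direction: a UTC time from a question becomes the value to look for in Autopsy,
    returned with its zone abbreviation, e.g. '2021-04-29 18:17:38' -> '2021-04-29 11:17:38 PDT'."""
    utc = datetime.strptime(stamp, FMT).replace(tzinfo=UTC)
    return utc.astimezone(PACIFIC).strftime(FMT + " %Z")


if __name__ == "__main__":
    print(pacific_to_utc("2021-04-29 11:22:17"))   # Recycle Bin deletion time as Autopsy showed it
    print(utc_to_pacific("2021-04-29 18:17:38"))   # the search time implied above, as Autopsy shows it
    print(utc_to_pacific("2021-01-15 18:17:38"))   # same clock time in January lands in PST, an hour out
```

The January line is the caveat in one go: the same UTC time converts to 10:17:38 PST, so a memorised "UTC-7" would have you searching an hour away from the real artifact on a winter date.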

This was a bit of a sneaky one, and took me a while. Hunting around, there aren’t many references to Tor Browser at all! In Autopsy’s Run Programs section there is a mention of TORBROWSER-INSTALL-WIN64-10.0, but in Installed Programs there’s no mention of Tor being installed. And then I realised. If there are no logs of something happening… Maybe it didn’t?

0

Autopsy has a built-in search for email addresses, and it found several unique ones. Only one is a ProtonMail address.

dreammaker82@protonmail.com

Autopsy does provide a list of URLs detected by regex, but there are over 47,000. I’m not going to look through all of them! There must be another way.

Port scan immediately screams nmap to me, so I’ll do a keyword search for that. It returns 63 results - far more manageable. One of the files is promising: /Users/John Doe/AppData/Roaming/Microsoft/Windows/PowerShell/PSReadLine/ConsoleHost_history.txt. This is the PowerShell history file. If we can see the command used to run nmap, we can read the FQDN off it.

And we can.

dfir.science
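ConsoleHost_history.txt is one command per line, so rather than reading the whole file you can pull out just the nmap invocations and their positional (target) arguments. What follows is an added example for this write-up, not code from the lab: the history text is a constructed stand-in (the scan target is the one found above, the other lines are filler), and the list of nmap options that consume the next token is my own partial table, so an option missing from it would make its value show up as a "target". Worth remembering that PSReadLine only records what was typed interactively at a console, so an empty history doesn't prove nmap was never run.

```python
import ipaddress

# Constructed stand-in for a PSReadLine ConsoleHost_history.txt: one command per line.
# Only the dfir.science target is taken from the write-up; everything else is filler.
SAMPLE_HISTORY = """\
cd C:\\Users\\John Doe\\Downloads
Get-ChildItem
nmap -sV -p 1-1000 dfir.science
ping 8.8.8.8
nmap -sn 192.168.1.20
nmap -Pn -p 80,443 --script http-title -oN web.txt dfir.science
exit
"""

# nmap options whose value is the *next* token when written with a space (partial list, my own).
# Joined forms such as -p80 or --script=http-title are one token and need no entry here.
OPTIONS_WITH_VALUE = {"-p", "-iL", "-oN", "-oX", "-oG", "-oA", "-e", "-S", "-D", "-g",
                      "--script", "--script-args", "--top-ports", "--exclude", "--max-retries"}


def is_nmap(cmdline: str) -> bool:
    """True if the first token is nmap or nmap.exe, with or without a leading path."""
    tokens = cmdline.split()
    if not tokens:
        return False
    return tokens[0].lower().rsplit("\\", 1)[-1] in ("nmap", "nmap.exe")


def nmap_targets(cmdline: str) -> list[str]:
    """Return the positional arguments of an nmap command line, skipping option values."""
    targets, skip_next = [], False
    for tok in cmdline.split()[1:]:
        if skip_next:
            skip_next = False
            continue
        if tok.startswith("-"):
            skip_next = tok in OPTIONS_WITH_VALUE
            continue
        targets.append(tok)
    return targets


def classify(target: str) -> str:
    """'ip' for a literal address, 'fqdn' for a dotted name, 'hostname' otherwise."""
    try:
        ipaddress.ip_address(target)
        return "ip"
    except ValueError:
        return "fqdn" if "." in target else "hostname"


def scan_history(history: str) -> list[tuple[int, str, list[str]]]:
    """(line number, command, targets) for every nmap invocation in the history text."""
    return [(n, line, nmap_targets(line))
            for n, line in enumerate(history.splitlines(), 1) if is_nmap(line)]


def scanned_fqdns(history: str) -> list[str]:
    """Distinct fully qualified names that were handed to nmap, sorted."""
    return sorted({t for _, _, ts in scan_history(history) for t in ts if classify(t) == "fqdn"})


if __name__ == "__main__":
    for n, line, targets in scan_history(SAMPLE_HISTORY):
        print(f"line {n}: {targets}  <- {line}")
    print("FQDNs scanned:", scanned_fqdns(SAMPLE_HISTORY))
```

On the real file, `scanned_fqdns(open(path, encoding="utf-8", errors="replace").read())` gives the answer directly; `scan_history` keeps the line number so the finding can be cited back to the artifact.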

Autopsy has a Geolocation tool. Clicking it brings up a map with two pins. One is the photo in the question.

Zambia

Looking at the file metadata in Autopsy, we can see it was taken by an LG Electronics LM-Q725K, which is a smartphone. If we look in USB Device Attached, we can see it there too: LG Electronics, Inc. LM-X420xxx/G2/G3 Android Phone (MTP/download mode).

Background knowledge time: many cameras store photos in a DCIM folder, or a subfolder of it.

If we search for DCIM, we get a Shell Bags Artifact relating to this photo: My Computer\LG Q7\Internal storage\DCIM\Camera

Camera

Anon:1001:aad3b435b51404eeaad3b435b51404ee:3DE1A36F6DDB8E036DFD75E8E20C4AF4:::

This is a pwdump-format hash line. aad3b435b51404eeaad3b435b51404ee is the LM hash, and 3DE1A36F6DDB8E036DFD75E8E20C4AF4 is the NT one.

I put the NT hash into an online cracker, onlinehashcrack.com, and it gave us the answer.

Alternatively, you could use Hashcat to do it yourself:

hashcat.exe -m1000 -a3 "3DE1A36F6DDB8E036DFD75E8E20C4AF4"

-m1000 tells the tool it’s an NTLM hash; -a3 selects brute-force (mask) mode, i.e. try every possible combination.

To view it, once it’s finished, you need to run:

hashcat.exe -m1000 -a3 "3DE1A36F6DDB8E036DFD75E8E20C4AF4" --show

I did this on my actual laptop (not the FLARE VM), since hashcat uses GPUs to speed up cracking and VirtualBox doesn’t give the guest access to the host’s GPUs.

AFR1CA!

Autopsy has a section for Operating System User Accounts, where we can see John Doe. Unfortunately it’s not as simple as reading his password from here! However, we can see the data it’s found is from the SAM file, /Windows/System32/config/SAM.

Now it’s time for Mimikatz. At the mimikatz # prompt, the command we need is lsadump::sam /system:"C:\[...]\Windows\System32\config\SYSTEM" /sam:"C:\[...]\Windows\System32\config\SAM", replacing […] with wherever the files are on your system (remember we exported the image files using FTK Imager before we began). Both hives are needed because the SYSTEM hive holds the boot key that decrypts the hashes stored in SAM.

Scrolling down, we see User : John Doe then Hash NTLM: ecf53750b76cc9a62057ca85ff4c850e.

Put this into Hashcat: hashcat.exe -m1000 -a3 "ecf53750b76cc9a62057ca85ff4c850e" then again with --show and this challenge is complete!

ctf2021

(onlinehashcrack.com did also find it)
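Two things are worth being able to do by hand with both of the hashes above, the pwdump line for Anon and the NT hash mimikatz pulled out for John Doe: tell what each field of the line actually says, and confirm a recovered password really does produce the hash before writing it up. The code below is an added example for this write-up, not from the lab, hashcat or mimikatz; it carries its own MD4 because hashlib’s md4 is frequently unavailable under OpenSSL 3, and the only values it takes from the page are the two hashes and the two passwords reported above.

```python
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). hashlib's md4 is often missing under OpenSSL 3, so it is inlined."""
    padded = data + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rotl = lambda v, s: ((v << s) | (v >> (32 - s))) & MASK
    rounds = (
        (f, range(16), (3, 7, 11, 19), 0),
        (g, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (h, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(padded), 64):
        x = struct.unpack("<16I", padded[off:off + 64])
        r = list(state)
        for fn, order, shifts, const in rounds:
            for i, k in enumerate(order):
                idx = (-i) % 4   # a, d, c, b, a, ... register rotation
                val = r[idx] + fn(r[(idx + 1) % 4], r[(idx + 2) % 4], r[(idx + 3) % 4]) + x[k] + const
                r[idx] = rotl(val & MASK, shifts[i % 4])
        state = [(s + v) & MASK for s, v in zip(state, r)]
    return struct.pack("<4I", *state)


EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "": no LM hash is stored for the account
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of "": the account has a blank password


def nt_hash(password: str) -> str:
    """NT hash = MD4 over the UTF-16LE encoding of the password, unsalted (why rainbow/mask attacks work)."""
    return md4(password.encode("utf-16-le")).hex()


def parse_pwdump(line: str) -> dict:
    """Split 'user:rid:lmhash:nthash:::' and flag the two well-known sentinel values."""
    user, rid, lm, nt = line.strip().split(":")[:4]
    lm, nt = lm.lower(), nt.lower()
    return {"user": user, "rid": int(rid), "lm": lm, "nt": nt,
            "lm_stored": lm != EMPTY_LM, "blank_password": nt == EMPTY_NT}


def check_candidate(nt: str, candidate: str) -> bool:
    """True if the candidate password hashes to the given NT hash (hex, either case)."""
    return nt_hash(candidate) == nt.lower()


if __name__ == "__main__":
    rec = parse_pwdump("Anon:1001:aad3b435b51404eeaad3b435b51404ee:3DE1A36F6DDB8E036DFD75E8E20C4AF4:::")
    print(rec)
    # The passwords recovered in the write-up, checked against the hashes it reports.
    print("Anon     ->", check_candidate(rec["nt"], "AFR1CA!"))
    print("John Doe ->", check_candidate("ecf53750b76cc9a62057ca85ff4c850e", "ctf2021"))
```

`parse_pwdump` also settles a detail of the Anon line: the LM field is the hash of an empty string, which is what Windows writes when LM hash storage is off, so it says nothing about the password and only the NT half is worth cracking.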

Feel free to comment on my LinkedIn post