BloomCon 0x05 Forensics CTF

It's the fifth year for Bloomsburg University's BloomCON Forensics and Cybersecurity Conference since last year's got postponed due to the pandemic. This year they pivoted to a virtual one like most others out there. The Forensics CTF competition was 10 questions and consisted of a single hard drive image and I'm always excited to try my hand at my alma mater's challenges.

Evidence: https://drive.google.com/file/d/17vpWvfwE4ExthqBkqnJrzRvn9fKyrPCo/view?usp=sharing

Scenario

Welcome to BloomCON Forensics Challenge. In this challenge you will be asked various questions regarding a raw forensics image. From there you can import the image to any forensics tool of your choice (Hint: use FTK imager and Autopsy for Free). You've been told by police that the user of this image is accused of hacking Polstra International Airport. Your job is to find any evidence supporting such a claim by answer the following questions.

Question 1

What OS and specific version is running on this disk?

Pulled from the SOFTWARE registry hive, we can see that the machine was running "Windows 10 1909".

C:\Windows\System32\config\SOFTWARE

SOFTWARE\Microsoft\Windows NT\CurrentVersion

Figure 1: SOFTWARE hive with CurrentVersion key in RegistryExplorer

Question 2

What is the computer's name?

Pulled from the SYSTEM registry hive, we can see that the computer's name was "APPLEII".

C:\Windows\System32\config\SYSTEM

SYSTEM\ControlSet001\Control\ComputerName\ComputerName

Figure 2: SYSTEM hive with ComputerName key in Registry Explorer

Question 3

What is the user name of the primary user?

Two locations can reveal this fairly quickly. We can look at the C:\Users for hints of what user folders were created on the system or we can dive back into the SOFTWARE registry hive. As seen below "David Schwarez" was the only user folder and he was listed as the owner of the device.

SOFTWARE\Microsoft\Windows NT\CurrentVersion

Figure 3: Users folder in Autopsy

Figure 4: RegisteredOwner from SOFTWARE hive in RegistryExplorer

Question 4

What timezone is running?

Pulled from the SYSTEM registry hive once more, we can see the computer was set to the "Alaskan Standard Time" timezone.

SYSTEM\ControlSet001\Control\TimeZoneInformation

Figure 5: TimeZone info from SYSTEM hive

Question 5

What did the suspicious device user search for on ebay? What does it do?

Running a quick Web History parse through Autopsy we can look at what the user was searching for through Mozilla Firefox. We can see the user was searching for "USB Rubber Ducky" which is a well known keystroke injection tool from Hak5.

Figure 6: Ebay history in Firefox

Question 6

Are there any suspicious programs installed? What are they and what do they do?

Using the Recent Activity module from Autopsy, we can pull out Installed Applications from the SOFTWARE registry hive. We see two suspicious entries, NMAP and NPCAP, which are used for network mapping and packet capture.

Figure 7: Suspicious installed applications

The installer for NMAP can also be found in the Firefox downloads folder.

Question 7

What is the user's browser of choice?

We sort of answer this previously in question 5 but from the parsed Internet History, the user seemed to favor "Mozilla Firefox". It was the only product installed other than the normal Microsoft ones.

Question 8

What individual was the user fascinated with?

Pulling from the Firefox history we can see some searches and social media profiles for "Dr. Phil Polstra". Phil you might have a fan! :)

Figure 8: Firefox history searching for Dr. Polstra

Question 9

What is step 2?

I went down a bit of a rabbit hole on this one. I had originally found a cached webpage that had some steps for learning to fly but after further analysis it seemed like an ad and not something that would be created through the CTF.

Figure 9: Step 2 red herring

Further shuffling through the image, I ended up finding the answer in the Recycle Bin file $RFFQ255.txt. The answer to step 2 was "buy hardware".

Figure 10: The real Step 2

Question 10

What animal is "this cutie"?

The user had a file name this at the following path:

C:\Users\David Schwarez\Downloads\This cutie.exe

I found it odd to be an executable so a quick look at the hex for the file revealed that it appeared there was a JPEG file embedded inside or that some extra header information for an executable was added to it to mask the file. As you can see below we see the header FFD8 hex values for a JPEG (the footer FFD9 was also the end of the file).

Figure 11: "this cutie.exe" hex

I attempted to carve for pictures from it with no results. I then proceed to try and delete the 4D5A bytes from the beginning of the file but nothing seemed to worked to produce what the picture may be.

I resorted to my last play which I wasn't sure if it would work or not but tried it anyways. I exported the $UsnJrnl $J file stream from the following path:

C:\$Extend$UsnJrnl:$J

Parsing it using Eric Zimmerman's MFTECmd produced a CSV we could open with Eric's Timeline Explorer. Filtering on the file name "this cutie" we can see it originally was a .jpg file but was later changed to an .exe file.

Figure 12: Parsed $J results in Timeline Explorer

Using the Entry Number field (column 4 in the image above) we filter using 107602. The cool thing about the $J is we get the full history of the file from the creation of when it was downloaded to it's final form. We can see it started as a temp file and then renamed once the download was finalized.

Figure 13: Timeline Explore results filtered on Entry Number

Now we see the file was previously named "parma-wallaby-leaves.jpg", which could be named incorrectly to throw us off the answer but let's check. Searching for that file name we get a hit on web history downloads from Microsoft Edge, leading us to the following URL:

https://animals.sandiegozoo.org/sites/default/files/2018-07/parma-wallaby-leaves.jpg

Figure 14: Look at this cutie!

I submitted the answer "wallaby" because that's what it was. The answer provided to me was kangaroo but that seems clearly incorrect marked by the real file name from the San Diego Zoo webpage. Regardless this final question was tricky but I got to the result in the end.

Conclusion

Another simple but fun CTF in the books with another win added to my resume. Looking forward to see what the students can come up with for next years BloomCON Forensics CTF!