BloomCON 0x06 Forensics CTF

Evidence: Download

Another BloomCON has passed and another forensics CTF has been completed. Let's go through the questions and see what I came up with.

What is the name of the computer?

You can get this pretty easily multiple ways but I chose to snag it from Autopsy via the SYSTEM registry file.

ROOT\ControlSet001\Control\ComputerName\ComputerName

It's shown as "DESKTOP-G5R87FV".

Figure 1: Computer Name from SYSTEM registry

What is the name of the primary user?

Pulling from the SOFTWARE registry hive in Autopsy, we see that the user's name is Mark Gifford.

Figure 2: Account name from SOFTWARE registry

What is the nickname of the primary user?

As we can see from the above screenshot, the nickname used for the account name is "snoop".

What OS and version is being used?

From the SOFTWARE hive, we see the computer was running Windows 10 Pro; the version information lives at the following path:

ROOT\Microsoft\Windows NT\CurrentVersion

Figure 3: OS Version from Autopsy

What Time Zone is this computer running on?

More registry work coming right up. Pull the time zone from SYSTEM:

ROOT\ControlSet001\Control\TimeZoneInformation\TimeZoneKeyName

You can see that the machine was set to Central Standard Time.

Figure 4: Timezone setting from SYSTEM registry

What activity does the user seem to be planning?

From the Microsoft Edge web history we see some searches for "how to plan an art heist" via Bing.

Figure 5: Edge searches

We can also see more web history views for items found at the Met in New York City.

Figure 6: Edge web history

So the assumption is some sort of art heist is in the works.

What items might the user be targeting?
Provide in format (Title, Date, Accession Number), (Title, Date, Accession Number)

Back to the Edge web history we see some views on specific items. We find entries for the following:

Vase, 1900, 2017.162

Figure 7: Vase

Lucas van Uffel (died 1637), ca. 1622, 14.40.619

https://www.metmuseum.org/art/collection/search/436253?searchField=All&sortBy=Relevance&high=on&ao=on&od=on&ft=*&offset=0&rpp=40&pos=20

Figure 8: Lucas

Queen Mother Pendant Mask: Iyoba, 16th century, 1978.412.323

https://www.metmuseum.org/art/collection/search/318622?searchField=All&sortBy=Relevance&high=on&ao=on&od=on&ft=*&offset=0&rpp=40&pos=26

Figure 9: Mask

Each of these items also had its picture downloaded to the computer. Because of the nature of what the answers were supposed to be, I can only assume they were pulling the information straight from the webpage hits.

Figure 10: Sample art details
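The searches and Met collection views above were pulled through Autopsy; as an added example that is not part of the original write-up, the Python below shows how the same Edge artifacts can be extracted programmatically. Edge is Chromium-based, so its `History` file (under `AppData\Local\Microsoft\Edge\User Data\Default\`) is SQLite with timestamps in microseconds since 1601-01-01 UTC. The database here is a constructed in-memory stand-in with rows modelled on the Bing search and Met URLs from this write-up, and the registry Bias of 360 minutes for Central Standard Time is an assumption used to localize the times.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Chromium (and therefore Edge) stores timestamps as microseconds since 1601-01-01 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_utc(us):
    return WEBKIT_EPOCH + timedelta(microseconds=us)

def utc_to_webkit(dt):
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)

def to_local(ts_utc, bias_minutes):
    """Localize with the registry Bias value (UTC = local + Bias). A fixed Bias ignores
    DST; ActiveTimeBias under TimeZoneInformation holds the offset actually in force."""
    return ts_utc.astimezone(timezone(timedelta(minutes=-bias_minutes)))

def build_sample_history():
    """Constructed in-memory stand-in for Edge's 'History' file (urls table only)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url LONGVARCHAR, "
                "title LONGVARCHAR, visit_count INTEGER, last_visit_time INTEGER)")
    def t(*ymdhm):  # helper: WebKit timestamp from a UTC (year, month, day, hour, minute)
        return utc_to_webkit(datetime(*ymdhm, tzinfo=timezone.utc))
    rows = [  # constructed sample rows modelled on the write-up's findings
        ("https://www.bing.com/search?q=how+to+plan+an+art+heist&form=QBLH",
         "how to plan an art heist - Bing", 2, t(2022, 2, 10, 14, 5)),
        ("https://www.metmuseum.org/art/collection/search/436253?searchField=All",
         "Lucas van Uffel | The Metropolitan Museum of Art", 1, t(2022, 2, 10, 14, 12)),
        ("https://www.bing.com/search?q=steghide+download",
         "steghide download - Bing", 1, t(2022, 2, 11, 9, 0)),
        ("https://www.metmuseum.org/art/collection/search/318622?searchField=All",
         "Queen Mother Pendant Mask | The Metropolitan Museum of Art", 1, t(2022, 2, 11, 9, 20)),
    ]
    con.executemany("INSERT INTO urls (url, title, visit_count, last_visit_time) "
                    "VALUES (?, ?, ?, ?)", rows)
    return con

def extract_activity(con):
    """Return (bing_searches, met_objects) ordered by last visit (UTC). urls.last_visit_time
    is only the latest visit; join the visits table when building a full timeline."""
    searches, met_objects = [], []
    query = "SELECT url, title, last_visit_time FROM urls ORDER BY last_visit_time"
    for url, title, last_visit in con.execute(query):
        p = urlparse(url)
        when = webkit_to_utc(last_visit)
        if p.netloc.endswith("bing.com") and p.path == "/search":
            searches.append((when, parse_qs(p.query).get("q", [""])[0]))  # decoded search term
        elif p.netloc.endswith("metmuseum.org") and p.path.startswith("/art/collection/search/"):
            met_objects.append((when, p.path.rsplit("/", 1)[-1], title))  # Met object id
    return searches, met_objects
```

On a real image, point `sqlite3.connect` at an exported copy of the History file (a running Edge holds a lock on the live one) and the same two functions apply unchanged.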

Where are these items located? (Building Name)

As we know from the web history and the URLs, these items are hosted at the Met, a.k.a. The Metropolitan Museum of Art.

Who might the items be given to for selling?

Browsing the file system I came across a deleted file found at the following path:

/img_BloomCON2022ForensicsChallenge.E01/vol_vol3/Users/snoop/OneDrive/Documents/info.txt

Inside we see some information about the upcoming heist:

Figure 11: Heist details

No other details were found regarding the sale of the items, but it appears that "crimsoncrusader" is our person.

Did you crack the password?

Of course we did but it took some effort. This is in reference to the password protected file at the following path:

/img_BloomCON2022ForensicsChallenge.E01/vol_vol3/Users/snoop/OneDrive/Desktop/batman.7z

To find the password we had to hunt a little. I knew that Steghide was utilized on the system after finding it in the Downloads folder as well as seeing some Prefetch entries of execution but alas it was all a red herring.

One small web history entry shows that the following URL was visited:

One file found in the OneDrive > Documents folder was a file called "TheKey.png". It seemed almost too obvious that this needed to be used, so I tried uploading it to the site above and, lo and behold, we got something back.

Figure 12: Steganography decode

Using "Dr.Phil" as the password unlocked the "batman.7z" container.

What items does the user need for this activity?

Inside the "batman.7z" archive was a text file called "batman.txt". Using the password from the previous question, we can open the file and see a bunch of Amazon links for items that could be used for a heist scenario.

Figure 13: Item contents from "batman.txt"

Items include black vinyl disposable gloves, a balaclava, a lock picking kit, and a carabiner grappling hook cord.

Who is the user thinking about working with?

We had already found some hints about this in the document:

/img_BloomCON2022ForensicsChallenge.E01/vol_vol3/Users/snoop/OneDrive/Documents/info.txt

Another document, found at the following path, puts real names to the nicknames provided:

/img_BloomCON2022ForensicsChallenge.E01/vol_vol3/Users/snoop/peoplefinder.txt

Figure 14: Names matching nicknames in peoplefinder.txt

So the assumption is Mark was planning on working with Steve, Becca, and Ryan for this heist.

Where is the group meeting?

A picture found at the following path shows a map with a circled area.

/img_BloomCON2022ForensicsChallenge.E01/vol_vol3/Users/snoop/Capture1.PNG

Figure 15: Map of meetup location

This is also referenced in the "info.txt" by the "meet at corner circled on the map" line. It appears they are meeting at the corner of East 81st Street and Park Avenue.

And that's another CTF write-up in the books. I hope you enjoyed it, and I look forward to next year's conference and competition.