Evidence Link: userbss.ad1
whoami? - 5 points
Question: What is the SID for the user "chick"?
In AXIOM, go to Operating System > User Accounts - Windows in the parsed artifacts. The entry for “chick” shows the SID S-1-5-21-493923485-410185161-2094537482-1001. The trailing 1001 is the RID: RIDs from 1000 upward belong to accounts created on the machine, while 500 and 501 are the built-in Administrator and Guest.
Figure 1: SID info for “chick” via AXIOM
You could also read this straight from the ProfileList key in the SOFTWARE registry hive. Each subkey under ProfileList is named after a SID, and its ProfileImagePath value points at that account's profile folder (C:\Users\chick here), which ties the user name to the SID.
[root]\Windows\System32\config\SOFTWARE
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
Figure 2: SID info for “chick” via registry
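The SID shown by AXIOM and in ProfileList is the text rendering of a binary structure, and the same SID appears in binary form in the SAM hive and in file security descriptors. The following is an added example (not code from the write-up or from AXIOM) that parses the text form, re-encodes the binary form, and classifies the RID the way an examiner reads it. The table of well-known RIDs is a deliberately short subset.

```python
import struct
from dataclasses import dataclass

# RIDs with a fixed meaning in the S-1-5-21-<machine>-<RID> family. This is
# an assumed subset: only the ones commonly met on a workstation image.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 503: "DefaultAccount",
                   504: "WDAGUtilityAccount"}


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    subauthorities: tuple

    @classmethod
    def from_string(cls, text):
        """Parse the textual form 'S-1-5-21-...-1001'."""
        parts = text.strip().split("-")
        if len(parts) < 3 or parts[0].upper() != "S":
            raise ValueError("not a SID string: %r" % text)
        subs = tuple(int(p) for p in parts[3:])
        if len(subs) > 15:
            raise ValueError("more than 15 sub-authorities")
        return cls(int(parts[1]), int(parts[2]), subs)

    @classmethod
    def from_bytes(cls, blob):
        """Parse the binary form used in the SAM hive and in security
        descriptors: revision (1 byte), sub-authority count (1 byte),
        authority (6 bytes, big-endian), then each sub-authority as a
        little-endian uint32."""
        revision, count = blob[0], blob[1]
        if len(blob) < 8 + 4 * count:
            raise ValueError("truncated SID")
        authority = int.from_bytes(blob[2:8], "big")
        subs = struct.unpack("<%dI" % count, blob[8:8 + 4 * count])
        return cls(revision, authority, subs)

    def to_bytes(self):
        head = bytes([self.revision, len(self.subauthorities)])
        head += self.authority.to_bytes(6, "big")
        return head + struct.pack("<%dI" % len(self.subauthorities),
                                  *self.subauthorities)

    def __str__(self):
        return "S-%d-%d" % (self.revision, self.authority) + \
            "".join("-%d" % s for s in self.subauthorities)

    @property
    def rid(self):
        return self.subauthorities[-1] if self.subauthorities else None

    @property
    def machine_id(self):
        """Three-part identifier of the machine (or domain) that issued the
        SID, or None for SIDs outside the S-1-5-21 family."""
        if self.authority == 5 and len(self.subauthorities) == 5 \
                and self.subauthorities[0] == 21:
            return "-".join(str(s) for s in self.subauthorities[1:4])
        return None


def describe(text):
    """Classify a SID string the way an examiner reads it."""
    sid = Sid.from_string(text)
    if sid.machine_id is None:
        kind = "well-known or non-account SID"
    elif sid.rid in WELL_KNOWN_RIDS:
        kind = "built-in account: " + WELL_KNOWN_RIDS[sid.rid]
    elif sid.rid >= 1000:
        kind = "account created on this machine (RIDs from 1000 are issued in creation order)"
    else:
        kind = "reserved RID"
    return {"sid": str(sid), "machine_id": sid.machine_id,
            "rid": sid.rid, "kind": kind}


if __name__ == "__main__":
    print(describe("S-1-5-21-493923485-410185161-2094537482-1001"))
```

The machine identifier is worth keeping: every local account on this image shares the 493923485-410185161-2094537482 prefix, so a SID with a different prefix in a security descriptor or event log points at a domain or another machine.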
Goodbye! - 5 points
Question: When was the last logoff time for the user "chick"? (YYYY-MM-DD HH:MM:SS)
In AXIOM, we can look at the Windows Event Logs for user events. Filter on event ID 4634 (“An account was logged off”) and on a TargetUserName of “chick”, because the Security log also records 4634 for service and DWM/UMFD sessions; for an interactive session a 4647 (user-initiated logoff) usually precedes the 4634. Sorting by timestamp and scrolling to the last entry shows that “chick” logged off last at 2024-11-24 17:36:55. Event timestamps are stored in UTC, so check which time zone AXIOM is set to display before submitting.
Figure 3: Windows Event logs for log off events
These can be parsed from the source file:
[root]\Windows\System32\winevt\Logs\Security.evtx
In the Zone - 5 points
Question: What is the host URL that crow.jpg was downloaded from?
First we need to locate the crow.jpg file, which is the easy part. You can find the file still in the Downloads folder under the user “chick” profile at path:
[root]\Users\chick\Downloads\crow.jpg
The hint here is “zone”, a reference to the Zone.Identifier: a small alternate data stream (ADS) that Windows attaches to files downloaded from the Internet. It is a short INI-style text with a [ZoneTransfer] section; ZoneId=3 means the Internet zone, and Chromium-based browsers (Edge included) also write HostUrl (where the file was fetched from) and ReferrerUrl (the page that linked to it). AXIOM lists it as a file system artifact, and FTK Imager shows it as a child stream of the file.
Figure 4: crow.jpg Zone.Identifier in FTK Imager
The URL was https://www.treehugger.com/thmb/EmZOvx28sGNqCtDqQQBMGv-aezM=/4288x2848/filters:fill(auto,1)/__opt__aboutcom__coeus__resources__content_migration__mnn__images__2019__10__american-crow-portrait-01-b3f0cfbdbf164de59831c9725bfdbf67.jpg.
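As an added example (not part of the write-up), here is a parser for the stream's contents and a helper for reading the ADS directly on a live NTFS volume or a mounted image. The sample body below is constructed: HostUrl is the value the write-up reports for crow.jpg, but the ReferrerUrl is made up, since the write-up does not give it.

```python
import configparser

ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Constructed sample of what the stream holds for an Edge/Chromium download.
# HostUrl is the URL from the write-up; ReferrerUrl is invented for the example.
SAMPLE_ZONE_IDENTIFIER = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://www.treehugger.com/\r\n"
    "HostUrl=https://www.treehugger.com/thmb/EmZOvx28sGNqCtDqQQBMGv-aezM=/4288x2848/"
    "filters:fill(auto,1)/__opt__aboutcom__coeus__resources__content_migration__mnn__"
    "images__2019__10__american-crow-portrait-01-b3f0cfbdbf164de59831c9725bfdbf67.jpg\r\n"
)


def parse_zone_identifier(text):
    """Parse the INI-style body of a Zone.Identifier stream."""
    # Only "=" separates keys from values: URLs contain ":" so the default
    # ":" delimiter must be switched off, and "%" must not trigger interpolation.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep ZoneId / HostUrl case as written
    cp.read_string(text)
    if not cp.has_section("ZoneTransfer"):
        raise ValueError("no [ZoneTransfer] section")
    sec = cp["ZoneTransfer"]
    zone_id = int(sec.get("ZoneId", "-1"))
    return {
        "zone_id": zone_id,
        "zone": ZONE_NAMES.get(zone_id, "unknown"),
        # Older downloaders, and files copied from other media, write only
        # ZoneId, so both URL fields may be absent.
        "host_url": sec.get("HostUrl"),
        "referrer_url": sec.get("ReferrerUrl"),
    }


def read_zone_identifier(path):
    """Read the stream from a file on NTFS (live system or mounted image).
    The stream is addressed as "<file>:Zone.Identifier"; this only works on
    Windows, or on a mount that exposes named streams."""
    with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as fh:
        return parse_zone_identifier(fh.read())


if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE_ZONE_IDENTIFIER))
```

A missing stream is also a finding: Zone.Identifier is dropped when a file is copied to FAT/exFAT media or unblocked in the file's Properties dialog, so a download with no ADS is worth a second look.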
Sweet Find - 5 points
Question: What popular game was installed on the computer?
In AXIOM you can look at the Application Usage > Installed Programs artifacts and look through the list. There is only one game which is Candy Crush Saga.
Figure 5: Installed Programs via AXIOM
Buried Treasure - 5 points
Question: On what social media platform did Mary look at a Burlington news account?
A quick keyword search for “Burlington” shows hits parsed from Edge web history. Looking through them, Mary visited the Burlington Free Press account on X (formerly Twitter).
Figure 6: Edge web history for “Burlington” via AXIOM
Follow the Thread - 5 points
Question: Where did Mary look for help with her coding questions?
Another quick keyword search for “coding” leads to more Edge history hits. This time Mary was navigating Reddit for help.
Figure 7: Edge web history for “coding” via AXIOM
Venomous Variables - 5 points
Question: What language was Mary's first program written in?
It seemed a bit obvious from the title, but since you only had one attempt to get it right we can confirm it from Mary's installed programs, where Python is listed.
Figure 8: Python via Install Programs in AXIOM
We can also find a .py script in the base of the “chick” user folder called “import random.py”.
Account Registration - 10 points
Question: What is the creation date for Mary’s user account? (YYYY-MM-DD HH:MM:SS)
From the Windows Event Logs we can filter down to event ID 4720 (“A user account was created”). In that event TargetUserName is the account that was created and SubjectUserName is the account that created it. It shows that Mary's account was created on 2024-09-24 15:11:51.
Figure 9: Windows Event log entry for account creation via AXIOM
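Both the “Goodbye!” and “Account Registration” answers come from the same operation: filter Security.evtx records by event ID and TargetUserName, then pick the right timestamp. The following is an added example (not from the write-up) that does that over an XML export of the log, such as the output of wevtutil qe Security /f:xml. The records below are constructed: the two timestamps match the write-up's answers, but the other events, the SubjectUserName and the fractional seconds are made up.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed records in the XML shape of a Security.evtx export. wevtutil
# emits bare <Event> elements; the <Events> wrapper is added here so the
# sample is one well-formed document.
SAMPLE_EVENTS_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4720</EventID><TimeCreated SystemTime="2024-09-24T15:11:51.2418831Z"/></System>
 <EventData><Data Name="TargetUserName">chick</Data><Data Name="SubjectUserName">defaultuser0</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4634</EventID><TimeCreated SystemTime="2024-11-20T09:02:10.0312500Z"/></System>
 <EventData><Data Name="TargetUserName">chick</Data><Data Name="LogonType">2</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4624</EventID><TimeCreated SystemTime="2024-11-24T17:02:00.0000000Z"/></System>
 <EventData><Data Name="TargetUserName">chick</Data><Data Name="LogonType">2</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4634</EventID><TimeCreated SystemTime="2024-11-24T17:36:55.5071264Z"/></System>
 <EventData><Data Name="TargetUserName">chick</Data><Data Name="LogonType">2</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4634</EventID><TimeCreated SystemTime="2024-11-24T17:37:02.0000000Z"/></System>
 <EventData><Data Name="TargetUserName">DWM-2</Data><Data Name="LogonType">2</Data></EventData>
</Event>
</Events>"""


def parse_events(xml_text):
    """Return one dict per <Event>: event_id, time (UTC, naive datetime) and
    every EventData field keyed by its Name attribute."""
    events = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        system = ev.find("e:System", NS)
        stamp = system.find("e:TimeCreated", NS).get("SystemTime")
        rec = {"event_id": int(system.findtext("e:EventID", namespaces=NS)),
               # SystemTime is ISO 8601 with 7 fractional digits and a Z;
               # keep whole seconds, which is what the answers ask for.
               "time": datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S")}
        for data in ev.findall("e:EventData/e:Data", NS):
            rec[data.get("Name")] = (data.text or "").strip()
        events.append(rec)
    return events


def last_logoff(events, user):
    """Latest 4634 (An account was logged off) whose TargetUserName matches.
    Filtering on the user matters: DWM/UMFD and service sessions log 4634 too."""
    hits = [e for e in events if e["event_id"] == 4634
            and e.get("TargetUserName", "").lower() == user.lower()]
    return max(h["time"] for h in hits) if hits else None


def account_created(events, user):
    """Earliest 4720 (A user account was created) for the user. Returns the
    time and the SubjectUserName, i.e. who created the account."""
    for e in sorted(events, key=lambda e: e["time"]):
        if e["event_id"] == 4720 and e.get("TargetUserName", "").lower() == user.lower():
            return e["time"], e.get("SubjectUserName")
    return None


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS_XML)
    print("last logoff:", last_logoff(evs, "chick"))
    print("created:", account_created(evs, "chick"))
```

The times are UTC as stored in the log; convert to the time zone the challenge expects before answering. Note also that the 4634 at 17:37:02 for DWM-2 is later than chick's, which is exactly the record an unfiltered “sort and scroll to the bottom” would pick up.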
It's History Now - 10 points
Question: What was the name of the geocache that was completed?
Keyword searching for “geocache” leads to results in Edge web history. We can see one visit showed a cache called “Something’s Fishy”.
Figure 10: Edge web history for “geocache” via AXIOM
Here’s what the page looks like:
Figure 11: Something’s Fishy geocache
Where did it go? - 10 points
Question: What file was an anti-forensics tool used on?
There were plenty of clues that SDelete was present on the system. It was downloaded via Edge and subsequently had entries in ShimCache (AppCompatCache), UserAssist and PowerShell history. The PSReadLine console host history file is where we saw it used to delete the file “success.txt.txt”. That file only captures commands typed into an interactive console with PSReadLine loaded, so commands run from scripts or with -Command do not appear in it:
[root]\Users\chick\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
Figure 12: PowerShell History logs for sdelete
Used by only the PROs - 10 points
Question: What email service is Mary using other than gmail?
Web history from Edge again is the helper here. We see plenty of activity using Proton Mail.
Figure 13: Edge web history for Proton Mail via AXIOM
If you don't choose, I'll choose for you - 10 points
Question: What is the default browser set as?
You can find this easily under Operating System > Default Browser in AXIOM. The default was Edge.
Figure 14: Default Browser via AXIOM
You could also pull it manually from the user's NTUSER.DAT: the ProgId value under Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice names the handler for http links (MSEdgeHTM for Edge).
A Stamped Link - 25 points
Question: What time was the tiktok that Mary watched posted? (YYYY-MM-DD HH:MM:SS UTC)
If you solved this from the iOS phone you probably got a freebie since the answer was the same (oops!). Via Edge browser history once again, you can get the TikTok URL.
Figure 15: Edge history for Tiktok video via AXIOM
With the URL you can use Unfurl to extract the timestamp. TikTok video IDs are 64-bit numbers whose upper 32 bits are the Unix time the video was posted, which is what Unfurl decodes. The answer is 2024-11-12 22:11:09.
Figure 16: TikTok URL in Unfurl
Unravel the Mystery - 25 points
Question: What was the suggestion count when Mary was going to play a popular word-based browser game?
Maybe the wording of the question confused people, because most seemed stumped. Looking at Edge history again, Mary searched for Wordle using Bing. Feeding that URL into Unfurl breaks out the query-string parameters, and the sc parameter, which Unfurl labels as the suggestion count, is 12-6.
Figure 17: Edge history for wordle search via AXIOM
Figure 18: Bing search for wordle in Unfurl
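Unfurl does both of the last two decodings (the TikTok timestamp and the Bing parameters) for you, but the logic is small enough to reproduce, and reproducing it is a useful check when the tool is not at hand. This is an added example, not Unfurl's code or the write-up's. The TikTok video ID below is constructed so that its upper 32 bits encode the write-up's answer time; the real video ID is not given. The Bing URL is likewise constructed, and the labels for parameters other than q and sc are the usual reading of them rather than something the write-up states.

```python
import re
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlparse

# Constructed video ID: the top 32 bits hold the Unix time the write-up
# reports (2024-11-12 22:11:09 UTC); the low bits are arbitrary.
SAMPLE_TIKTOK_ID = (1731449469 << 32) | 0x2A5F
SAMPLE_TIKTOK_URL = "https://www.tiktok.com/@example.user/video/%d" % SAMPLE_TIKTOK_ID

# Constructed Bing URL in the shape Edge records for a typed query.
SAMPLE_BING_URL = ("https://www.bing.com/search?q=wordle&form=QBLH&sp=1&pq=wordle"
                   "&sc=12-6&qs=n&cvid=0123456789ABCDEF0123456789ABCDEF")


def tiktok_post_time(url):
    """TikTok video IDs are 64-bit; the upper 32 bits are the Unix time
    (seconds, UTC) at which the video was posted."""
    m = re.search(r"/video/(\d+)", urlparse(url).path)
    if not m:
        raise ValueError("no /video/<id> segment in URL")
    video_id = int(m.group(1))
    posted = datetime.fromtimestamp(video_id >> 32, tz=timezone.utc)
    # Plausibility check: an ID that decodes to before 2016 was not a video
    # ID (or was truncated by whatever exported the history).
    if posted.year < 2016:
        raise ValueError("ID does not decode to a plausible post time")
    return posted.strftime("%Y-%m-%d %H:%M:%S")


# Labels for Bing query-string parameters. "q" is the query and "sc" is the
# value Unfurl reports as the suggestion count; the other labels are the
# common reading of these parameters and are an assumption of this example.
BING_PARAM_LABELS = {
    "q": "search query", "pq": "partial query (as typed)",
    "sc": "suggestion count", "sp": "suggestion position",
    "qs": "query source", "form": "form code", "cvid": "conversation id",
}


def bing_search_params(url):
    """Return the Bing search parameters keyed by a human-readable label."""
    parsed = urlparse(url)
    if not parsed.netloc.endswith("bing.com"):
        raise ValueError("not a Bing URL")
    query = parse_qs(parsed.query, keep_blank_values=True)
    return {BING_PARAM_LABELS.get(k, k): v[0] for k, v in query.items()}


if __name__ == "__main__":
    print(tiktok_post_time(SAMPLE_TIKTOK_URL))
    print(bing_search_params(SAMPLE_BING_URL))
```

The pq and q values are worth comparing in a real history entry: when they differ, pq shows what was actually typed before a suggestion was accepted.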
Login Credentials Required - 25 points
Question: What is Mary’s username on geocaching.com?
Back to, you guessed it, Edge history. If we keyword filter on geocaching.com we can see an entry from when the account was being validated. The username is in the URL: “geomaryr”.
Figure 19: Edge history for geocaching account via AXIOM
A Shadow of the Real Thing - 25 points
Question: What is the hashed password for the user "chick"?
Another question that was tougher than the points suggested. A lot of people tried pulling the NTLM hash of the Windows user's password from the SAM hive, but that wasn't what was needed. After some digging you may have noticed that Kali Linux was installed via Windows Subsystem for Linux (WSL).
You can find the VHDX file of the VM at the path:
[root]\Users\chick\AppData\Local\Packages\KaliLinux.54290C8133FEE_ey8k8hqnwqnmg\LocalState\ext4.vhdx
If you mount the file (it is an ext4 file system), navigate to /etc/shadow. The file itself is plain text, so the record for the “chick” account is readable directly, although the password field in it is a yescrypt hash rather than a cleartext password.
Figure 20: shadow file from Kali Linux
Breaking down the line
chick:$y$j9T$8bqQonXByZ9BznY3PkAVv/$fRlLkVPTrliLVAGhQRWjQd.kKDyvvjO4OaDd5zoJRt4:20038:0:99999:7:::
chick - user name
$y$ - hashing scheme identifier: yescrypt, the default on current Debian-based systems including Kali
j9T - yescrypt parameter string (the encoded cost settings)
8bqQonXByZ9BznY3PkAVv/ - salt
fRlLkVPTrliLVAGhQRWjQd.kKDyvvjO4OaDd5zoJRt4 - hash
20038 - date of the last password change, in days since 1970-01-01 (2024-11-11)
0:99999:7 - minimum, maximum and warning days for password ageing; the three empty trailing fields are inactivity, expiry and a reserved field
So the answer should be fRlLkVPTrliLVAGhQRWjQd.kKDyvvjO4OaDd5zoJRt4. If you wanted to crack it rather than just report it, a cracker needs the whole $y$j9T$...$... string, since the scheme, parameters and salt are all inputs to the hash.
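As an added example (not from the write-up), here is a parser that splits a shadow record into its nine fields and breaks the $scheme$params$salt$hash password field apart, converting the day counts into dates so the password-change date falls out as a bonus. The sample record is the line quoted above; the locked-account example in the test is constructed.

```python
from datetime import date, timedelta

# Scheme identifiers seen in modern shadow files (subset).
CRYPT_SCHEMES = {"y": "yescrypt", "gy": "gost-yescrypt", "7": "scrypt",
                 "6": "sha512crypt", "5": "sha256crypt", "1": "md5crypt",
                 "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt"}

EPOCH = date(1970, 1, 1)

# The record from the write-up's shadow file.
SAMPLE_SHADOW_LINE = ("chick:$y$j9T$8bqQonXByZ9BznY3PkAVv/"
                      "$fRlLkVPTrliLVAGhQRWjQd.kKDyvvjO4OaDd5zoJRt4:20038:0:99999:7:::")


def _days(field):
    """Shadow stores dates as days since the Unix epoch; empty means unset."""
    return EPOCH + timedelta(days=int(field)) if field else None


def parse_shadow_line(line):
    """Split one /etc/shadow record into its nine fields and, for a
    "$scheme$...$" password field, into scheme, parameters, salt and hash."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("expected 9 colon-separated fields, got %d" % len(fields))
    user, pw, lastchg, minage, maxage, warn, inact, expire, _reserved = fields
    rec = {
        "user": user,
        # "!" in front of the hash, or "*" / empty instead of it, disables
        # password logins; a hash behind a "!" is still crackable.
        "locked": pw.startswith("!") or pw in ("*", ""),
        "last_change": _days(lastchg),
        "min_days": int(minage) if minage else None,
        "max_days": int(maxage) if maxage else None,
        "warn_days": int(warn) if warn else None,
        "inactive_days": int(inact) if inact else None,
        "expires": _days(expire),
        "scheme": None, "params": None, "salt": None, "hash": None,
    }
    pw = pw.lstrip("!")
    if pw.startswith("$"):
        parts = pw.split("$")[1:]  # scheme, optional params, salt, hash
        rec["scheme"] = CRYPT_SCHEMES.get(parts[0], parts[0])
        if parts[0].startswith("2"):
            # bcrypt: $2b$<cost>$<22-char salt><31-char hash>, no separator
            rec["params"] = parts[1]
            rec["salt"], rec["hash"] = parts[2][:22], parts[2][22:]
        else:
            rec["params"] = "$".join(parts[1:-2]) or None
            rec["salt"], rec["hash"] = parts[-2], parts[-1]
    return rec


if __name__ == "__main__":
    for k, v in parse_shadow_line(SAMPLE_SHADOW_LINE).items():
        print("%-14s %s" % (k, v))
```

The last_change field is the reason to parse the whole record rather than just the hash: 20038 days after the epoch is 2024-11-11, which places the password change inside the window of activity the rest of the questions cover.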
I rate it 4 out of 10 - 25 points
Question: What was the username of the person who saw the clouds coming in at 6:30 while doing a geocache?
Back to Edge history, there was a downloaded file with a GPX extension that came from www.geocaching.com.
Figure 21: Edge history for geocaching download
The file is just XML, so if you open it in a text editor and search for “clouds” you find a log entry posted by the user “wandering4cache”.
Figure 22: GC365HN.gpx
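A text search works for one file, but a pocket query from geocaching.com can hold hundreds of caches, each with many logs, so it is worth parsing the structure. The following is an added example (not from the write-up) that flattens every log in a Groundspeak-format GPX and filters on a keyword. The GPX below is constructed: the cache code matches the file name in the figure, but the coordinates, dates, cache name, other finder and the log texts are made up.

```python
import xml.etree.ElementTree as ET

# Constructed GPX in the Groundspeak layout geocaching.com exports: one <wpt>
# per cache, with logs under groundspeak:cache/groundspeak:logs. Everything
# except the cache code and the "wandering4cache" finder name is invented.
SAMPLE_GPX = """<gpx xmlns="http://www.topografix.com/GPX/1/0" version="1.0" creator="Groundspeak">
  <wpt lat="44.4759" lon="-73.2121">
    <name>GC365HN</name>
    <groundspeak:cache id="1" xmlns:groundspeak="http://www.groundspeak.com/cache/1/0">
      <groundspeak:name>Example Cache</groundspeak:name>
      <groundspeak:logs>
        <groundspeak:log id="10">
          <groundspeak:date>2024-10-02T00:00:00Z</groundspeak:date>
          <groundspeak:type>Found it</groundspeak:type>
          <groundspeak:finder id="1">firstcacher</groundspeak:finder>
          <groundspeak:text encoded="False">Nice quick find, TFTC.</groundspeak:text>
        </groundspeak:log>
        <groundspeak:log id="11">
          <groundspeak:date>2024-10-20T00:00:00Z</groundspeak:date>
          <groundspeak:type>Found it</groundspeak:type>
          <groundspeak:finder id="2">wandering4cache</groundspeak:finder>
          <groundspeak:text encoded="False">Saw the clouds coming in at 6:30, grabbed it just in time.</groundspeak:text>
        </groundspeak:log>
      </groundspeak:logs>
    </groundspeak:cache>
  </wpt>
</gpx>
"""


def cache_logs(gpx_text):
    """Flatten every log in a geocaching GPX into dicts. Namespaces are
    matched with the "{*}" wildcard so GPX 1.0/1.1 and cache 1.0/1.0.1
    exports parse the same way."""
    root = ET.fromstring(gpx_text)
    logs = []
    for wpt in root.iterfind(".//{*}wpt"):
        code = (wpt.findtext("{*}name") or "").strip()
        for log in wpt.iterfind(".//{*}log"):
            logs.append({
                "cache": code,
                "date": (log.findtext("{*}date") or "")[:10],
                "type": (log.findtext("{*}type") or "").strip(),
                "finder": (log.findtext("{*}finder") or "").strip(),
                "text": (log.findtext("{*}text") or "").strip(),
            })
    return logs


def logs_mentioning(gpx_text, keyword):
    """Logs whose text contains the keyword, case-insensitively."""
    kw = keyword.lower()
    return [entry for entry in cache_logs(gpx_text) if kw in entry["text"].lower()]


if __name__ == "__main__":
    for hit in logs_mentioning(SAMPLE_GPX, "clouds"):
        print(hit["cache"], hit["date"], hit["finder"], "-", hit["text"])
```

The finder element also carries an id attribute, which is the account's numeric ID on geocaching.com and survives a later username change; keep it alongside the name when you record the result.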
Out of the Ordinary - 50 points
Question: What suspicious command line tool was installed on Mary’s system?
As previously found, SDelete could be the command line tool on Mary's system, but it technically isn't installed, so that wasn't correct. Remember that Kali Linux was on this system via WSL. If we go back to the VHDX we can check the dpkg.log file (the Debian package manager's log, which records every install, upgrade and removal with a timestamp) at:
ext4.vhdx > /var/log/dpkg.log
We can see that the popular tool steghide was installed.
Figure 23: Steghide install via dpkg.log
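Scrolling dpkg.log works on a small log, but the file also records the hundreds of packages laid down when the WSL image was built, and those all share one date. The following added example (not from the write-up) parses the action lines and separates installs done after the build day from the build itself. The log excerpt is constructed: package versions, times and the dependency names are made up, and the real file is the one at /var/log/dpkg.log in the VHDX.

```python
import re
from datetime import datetime

# Constructed dpkg.log excerpt: a burst of image-build installs on one day,
# then a later install of steghide with a dependency, an upgrade and a
# removal. Versions and times are invented.
SAMPLE_DPKG_LOG = """2024-10-01 12:00:01 startup archives unpack
2024-10-01 12:00:02 install bash:amd64 <none> 5.2.21-2
2024-10-01 12:00:02 status installed bash:amd64 5.2.21-2
2024-10-01 12:00:03 install libc6:amd64 <none> 2.38-7
2024-10-01 12:00:03 status installed libc6:amd64 2.38-7
2024-11-12 20:45:10 startup packages configure
2024-11-12 20:45:11 install libmcrypt4:amd64 <none> 2.5.8-7
2024-11-12 20:45:11 status half-installed libmcrypt4:amd64 2.5.8-7
2024-11-12 20:45:11 status unpacked libmcrypt4:amd64 2.5.8-7
2024-11-12 20:45:12 install steghide:amd64 <none> 0.5.1-15
2024-11-12 20:45:12 status half-installed steghide:amd64 0.5.1-15
2024-11-12 20:45:12 status unpacked steghide:amd64 0.5.1-15
2024-11-12 20:45:13 configure libmcrypt4:amd64 2.5.8-7 <none>
2024-11-12 20:45:13 status installed libmcrypt4:amd64 2.5.8-7
2024-11-12 20:45:13 configure steghide:amd64 0.5.1-15 <none>
2024-11-12 20:45:13 status installed steghide:amd64 0.5.1-15
2024-11-13 08:10:00 upgrade bash:amd64 5.2.21-2 5.2.21-3
2024-11-13 08:10:01 status installed bash:amd64 5.2.21-3
2024-11-13 08:15:00 remove libc-bin-junk:amd64 1.0 <none>
"""

# Action lines look like: "<date> <time> <action> <pkg:arch> <old-version> <new-version>"
# with "<none>" standing in for a missing version.
ACTION_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<action>install|upgrade|remove|purge) "
    r"(?P<pkg>\S+) (?P<old>\S+) (?P<new>\S+)$")


def package_actions(log_text):
    """Return install/upgrade/remove/purge actions in file order. "status",
    "startup" and "configure" lines (the package state machine) are skipped."""
    actions = []
    for line in log_text.splitlines():
        m = ACTION_LINE.match(line)
        if not m:
            continue
        actions.append({
            "time": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            "action": m.group("action"),
            "package": m.group("pkg").split(":")[0],  # drop the :amd64 suffix
            "old": None if m.group("old") == "<none>" else m.group("old"),
            "new": None if m.group("new") == "<none>" else m.group("new"),
        })
    return actions


def installs_after_build(log_text):
    """Installs that happened after the first day in the log. On a freshly
    provisioned WSL distro that first day is the image build, so anything
    later is what the user (or an attacker) added."""
    actions = package_actions(log_text)
    if not actions:
        return []
    build_day = min(a["time"] for a in actions).date()
    return [a for a in actions
            if a["action"] == "install" and a["time"].date() > build_day]


if __name__ == "__main__":
    for a in installs_after_build(SAMPLE_DPKG_LOG):
        print(a["time"], a["package"], a["new"])
```

Cross-check the install time against the Windows side: the package install should sit shortly before the first steghide command in .bash_history and, if WSL was started from a console, around the corresponding PowerShell history entries.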
DAdataTA - 75 points
Question: What does the file success.txt.txt contain?
We know SDelete was run against the file, so traces left on the Windows side may be slim to none. Let's dive further into the Kali Linux VM to see what else is there. Inside /home/chick is the .bash_history file, which keeps track of commands used, similar to what we saw with the PowerShell history file.
ext4.vhdx > /home/chick/.bash_history
We get a glimpse of how steghide was used.
Figure 24: .bash_history from Kali Linux VM
We see that the “crow.jpg” file from earlier may have the text file of interest embedded inside. But we don't see a passphrase in the history: steghide prompts for it interactively when it isn't passed on the command line, so it never reaches .bash_history. Back to scouring the file system for the password.
To save you time, there was another file back in the “chick” Downloads folder on Windows called “important.pdf”. Inside was just a line of plain text.
Figure 25: important.pdf
Yeah, that seems like it could be useful. So if we run steghide against crow.jpg (I'm using an online decoder, but the extract mode of the steghide command with the same passphrase does the same thing locally) with the password “ihateruth”, we get the success.txt.txt file back.
Figure 26: Online steghide decoder
Inside the file is just one word, “marywuzhere”.
Figure 27: Extracted text from crow.jpg