I'm aiming to tackle this CTF with both open source and commercial software. Volatility for the memory analysis, Wireshark for the PCAP analysis, Magnet AXIOM for the entire case, and if I have time, Autopsy as well. This is an ongoing project which is time intensive.
From this we can identify the most appropriate profile suggestion based on the kernel debug header, the number of running processes and the number of loaded modules. If kdbgscan had returned 0 for these values, the profile would not be appropriate. I personally prefer to use the profiles that carry a specific build number; Volatility modules/plugins work more reliably with a specified build. For example, if we run hivelist with Win2012R2x64 instead of Win2012R2x64_18340 it returns no results, whereas the latter shows our required hives.
Q 1. We can obtain this from the memory dump from DC01. Our results above suggest the most appropriate profile is Windows Server 2012 R2, but let's see how we can confirm that with registry artefacts. Since Windows 2000, operating system information has been stored in the registry at the following location: HKLM\Software\Microsoft\Windows NT\CurrentVersion. Armed with that location and an OS profile for Volatility, we can query the registry and print the following keys:
We don't want to dump the SOFTWARE hive itself (we would use hivedump for that). We just want to query the current values.
$ python vol.py -f $DC01 --profile=Win2012R2x64_18340 printkey -K "Microsoft\Windows NT\CurrentVersion"
Legend: (S) = Stable (V) = Volatile
----------------------------
Registry: \SystemRoot\System32\Config\SOFTWARE
Key name: CurrentVersion (S)
Last updated: 2020-09-17 18:05:43 UTC+0000
[snip]
Values:
REG_SZ SystemRoot : (S) C:\Windows
REG_SZ SoftwareType : (S) System
REG_SZ RegisteredOwner : (S) Windows User
REG_DWORD InstallDate : (S) 1600361039
REG_SZ CurrentVersion : (S) 6.3
REG_SZ CurrentBuild : (S) 9600
REG_SZ RegisteredOrganization : (S)
REG_SZ CurrentType : (S) Multiprocessor Free
REG_SZ InstallationType : (S) Server
REG_SZ EditionID : (S) ServerStandardEval
REG_SZ ProductName : (S) Windows Server 2012 R2 Standard Evaluation
REG_SZ ProductId : (S) 00252-10000-00000-AA228
InstallDate is a Unix epoch timestamp (number of seconds since 01/01/1970 UTC). Converted = GMT: Thursday, September 17, 2020 4:43:59 PM
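As an added example (not part of the original writeup), the following Python parses the printkey output above into a dictionary, converts InstallDate from a Unix epoch to ISO 8601 UTC, and cross-checks that the Volatility profile family (Win2012R2 in Win2012R2x64_18340) agrees with the ProductName recovered from the SOFTWARE hive. The sample text is a constructed, abridged copy of the output shown above, and the profile-family mapping is an assumption covering only a few Volatility 2 profile prefixes.

```python
import re
from datetime import datetime, timezone

# Constructed sample: an abridged copy of the printkey output shown above.
PRINTKEY_OUTPUT = """\
Legend: (S) = Stable (V) = Volatile
----------------------------
Registry: \\SystemRoot\\System32\\Config\\SOFTWARE
Key name: CurrentVersion (S)
Last updated: 2020-09-17 18:05:43 UTC+0000
Values:
REG_SZ SystemRoot : (S) C:\\Windows
REG_DWORD InstallDate : (S) 1600361039
REG_SZ CurrentVersion : (S) 6.3
REG_SZ CurrentBuild : (S) 9600
REG_SZ RegisteredOrganization : (S)
REG_SZ EditionID : (S) ServerStandardEval
REG_SZ ProductName : (S) Windows Server 2012 R2 Standard Evaluation
"""

# One value line: <type> <name> : (<S|V>) <data>; data may be empty.
VALUE_RE = re.compile(r"^(REG_\w+)\s+(\S+)\s*:\s*\((S|V)\)\s*(.*)$")


def parse_printkey(text):
    """Map value name -> (registry type, data) from Volatility 2 printkey output.
    REG_DWORD data is converted to int; everything else stays a string."""
    values = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line.strip())
        if not m:
            continue
        reg_type, name, _stability, data = m.groups()
        data = data.strip()
        if reg_type == "REG_DWORD" and data.isdigit():
            data = int(data)
        values[name] = (reg_type, data)
    return values


def epoch_to_utc(epoch):
    """Render a Unix epoch (seconds since 1970-01-01 UTC) as ISO 8601 UTC."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat()


def os_summary(values):
    """Pull the fields an examiner reports for OS identification."""
    return {
        "product": values["ProductName"][1],
        "version": values["CurrentVersion"][1],
        "build": values["CurrentBuild"][1],
        "edition": values["EditionID"][1],
        "installed_utc": epoch_to_utc(values["InstallDate"][1]),
    }


# Assumed mapping: Volatility 2 profile prefix -> ProductName substring it
# should agree with. Only these families are covered; extend as needed.
PROFILE_FAMILIES = {
    "Win2012R2": "Windows Server 2012 R2",
    "Win10": "Windows 10",
    "Win7": "Windows 7",
}


def profile_matches(profile, values):
    """Cross-check that the profile family (e.g. Win2012R2x64_18340) agrees
    with ProductName recovered from the SOFTWARE hive."""
    product = values["ProductName"][1]
    for prefix, expected in PROFILE_FAMILIES.items():
        if profile.startswith(prefix):
            return expected in product
    return False  # unknown family: cannot vouch for it


if __name__ == "__main__":
    vals = parse_printkey(PRINTKEY_OUTPUT)
    print(os_summary(vals))
    print("profile consistent:", profile_matches("Win2012R2x64_18340", vals))
```

The build-number suffix on a Volatility profile (the _18340 here) identifies a kernel hotfix level, not the CurrentBuild value, so the check deliberately compares only the profile family against ProductName.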
While we have the profile up and running, we'll query current processes to identify anything suspicious.
Client interview identified compromised systems were located in 10.42.0.0 (client said 'something something', but it's this CIDR).
Filter out the IPv6 entries and the noisy dns.exe connections:
$ grep -v "dns.exe\|v6" netscan.txt
We identify the following connections from local processes to remote hosts;
0x20fc7590 TCPv4 10.42.85.10:62613 203.78.103.109:443 ESTABLISHED 3644 coreupdater.exe
0x60182590 TCPv4 10.42.85.10:62613 203.78.103.109:443 ESTABLISHED 3644 coreupdater.exe
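As an added example (not from the original writeup), this Python applies the same triage to Volatility 2 netscan output programmatically: parse each row, drop IPv6 rows and dns.exe noise, keep only ESTABLISHED IPv4 connections whose peer lies outside the client's ranges and outside RFC1918/loopback space, and collapse the same socket when it appears at two physical offsets, as the two coreupdater.exe rows above do. The sample rows are constructed: the coreupdater.exe rows copy the finding above, the rest are invented filler.

```python
import ipaddress
import re

# Constructed sample modelled on Volatility 2 netscan output. The two
# coreupdater.exe rows copy the page's finding; the rest are invented noise.
NETSCAN_SAMPLE = """\
Offset(P)  Proto  Local Address      Foreign Address      State        Pid   Owner            Created
0x20fc7590 TCPv4  10.42.85.10:62613  203.78.103.109:443   ESTABLISHED  3644  coreupdater.exe
0x60182590 TCPv4  10.42.85.10:62613  203.78.103.109:443   ESTABLISHED  3644  coreupdater.exe
0x20fd1010 TCPv4  10.42.85.10:389    10.42.85.115:50123   ESTABLISHED  704   lsass.exe
0x20fe2aa0 TCPv6  fe80::1:53         fe80::2:61000        ESTABLISHED  1200  dns.exe
0x20ff3bb0 UDPv4  0.0.0.0:53         *:*                               1200  dns.exe          2020-09-17 18:00:00 UTC+0000
0x21004cc0 TCPv4  0.0.0.0:445        0.0.0.0:0            LISTENING    4     System
"""

ROW_RE = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<proto>(?:TCP|UDP)v[46])\s+"
    r"(?P<local>\S+)\s+(?P<foreign>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?"  # UDP rows carry no state column
    r"(?P<pid>\d+)\s+(?P<owner>\S+)"
)


def parse_netscan(text):
    """Return one dict per netscan row; the header line does not match."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def host_of(endpoint):
    """Strip the port from an IPv4 'addr:port' endpoint."""
    return endpoint.rsplit(":", 1)[0]


def external_established(text, internal_cidrs, ignore_owners=("dns.exe",)):
    """Established IPv4 connections whose peer is outside the client's ranges
    and outside RFC1918/loopback space, deduplicated on (local, foreign, pid)."""
    internal = [ipaddress.ip_network(c) for c in internal_cidrs]
    seen, hits = set(), []
    for row in parse_netscan(text):
        if row["proto"].endswith("v6") or row["owner"] in ignore_owners:
            continue
        if row["state"] != "ESTABLISHED":
            continue
        peer = ipaddress.ip_address(host_of(row["foreign"]))
        if peer.is_private or peer.is_loopback or any(peer in n for n in internal):
            continue
        key = (row["local"], row["foreign"], row["pid"])
        if key in seen:
            continue  # same socket listed at two physical offsets
        seen.add(key)
        hits.append(row)
    return hits


if __name__ == "__main__":
    # The client's range is taken from the interview note above; /16 is assumed.
    for hit in external_established(NETSCAN_SAMPLE, ["10.42.0.0/16"]):
        print(hit["pid"], hit["owner"], hit["local"], "->", hit["foreign"])
```

Against a real netscan.txt, feed the file contents in place of NETSCAN_SAMPLE; the surviving rows are the peers worth running through whois and checking against the PCAP.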
IP information
$ whois 203.78.103.109
% [whois.apnic.net]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
% Information related to '203.78.96.0 - 203.78.111.255'
% Abuse contact for '203.78.96.0 - 203.78.111.255' is 'abuse@netway.co.th'
inetnum: 203.78.96.0 - 203.78.111.255
netname: NETWAY-TH
descr: Netway Communication Co.,Ltd.
descr: 72 4th Floor, Telecom Tower, Charoen Krung Road,
descr: Bangrak, Bangkok 10500,Thailand
descr: Tel (662) 639-7700 Fax: (662) 639-7706
country: TH
org: ORG-NCCL1-AP
admin-c: VR17-AP
tech-c: VR17-AP
abuse-c: AN781-AP
status: ALLOCATED PORTABLE
mnt-by: APNIC-HM
mnt-lower: MAINT-TH-NETWAY
mnt-irt: IRT-NETWAY-TH
last-modified: 2020-06-22T05:50:39Z
source: APNIC
(We can check this IP against our captured PCAP shortly).
Q 2. What’s the Operating System of the Desktop?
For this we'll use Magnet Forensics' AXIOM. We've already created a case and ingested our E01, memory dumps, and PCAP files. For information on how to create a case and add data please see Magnet CTF Week 0.
As you can see, AXIOM makes light work of processing images and presenting information in a single pane of glass. On the left hand side under 'Operating System', select 'Operating System Information'. Clearly this has been identified as Windows 10 Enterprise, build 19041. On the right hand side we have a tonne of information which has been extracted from the registry and parsed. If required, we could export a copy of both the SYSTEM and SOFTWARE registry hives to verify and validate the information being presented, however that is outside the scope of this guide.
Q 3. What was the local time of the Server?
This question itself is a bit ambiguous. Time at the point of the breach? Of the acquisition? At shutdown? For this, we'll look at local time zone information and also the last modified file on the file system (lastalive0.dat).
Back to artefacts. Bottom left hand corner, we can see Timezone Information.
We can see a wealth of information regarding AXIOM's data source. This shows the timezone was UTC -8:00 Pacific Time.