Case 001 - Szechuan Sauce
I'm aiming to tackle this CTF with both open source and commercial software: Volatility for the memory analysis, Wireshark for the PCAP analysis, Magnet AXIOM for the entire case, and, if I have time, Autopsy as well. This is an ongoing, time-intensive project.
This write-up assumes you have a forensic workstation with a working Volatility installation. Case details: https://dfirmadness.com/the-stolen-szechuan-sauce/
Analysts are presented with the following files:
case001-pcap.zip
DC01-autorunsc.zip
DC01-E01.zip
DC01-memory.zip
DC01-pagefile.zip
DC01-ProtectedFiles.zip
DESKTOP-E01.zip
DESKTOP-SDN1RPT-autrunsc.zip
DESKTOP-SDN1RPT-memory.zip
Desktop-SDN1RPT-pagefile.zip
DESKTOP-SDN1RPT-Protected Files.zip
Questions to Answer / Goals
What malicious IP Addresses were involved?
Were any IP Addresses from known adversary infrastructure?
Are these pieces of adversary infrastructure involved in other attacks around the time of the attack?
Did the attacker access any other systems?
How?
When?
Did the attacker steal or access any data?
When?
What was the network layout of the victim network?
What architecture changes should be made immediately?
Did the attacker steal the Szechuan sauce? If so, what time?
Did the attacker steal or access any other sensitive files? If so, what times?
Finally, when was the last known contact with the adversary?
The path to the DC01 memory image is long, so we'll store it in the shell variable $DC01, set to /mnt/c/DF/CTF/DFIRMadness/EvidenceFiles/DC01-memory/citadeldc01.mem, and reference that from here on.
First, obtain a profile using kdbgscan, as we'll rely on it later when running other commands.
From this we can identify the most appropriate profile suggestion based on the kernel debug header, along with the number of running processes and loaded modules it found. If kdbgscan reports 0 processes and 0 modules for a profile, that profile is not appropriate. I personally prefer to use instantiated profiles which contain a specific build number, as Volatility modules/plugins work nicely with specified builds. For example, if we run hivelist using Win2012R2x64 instead of Win2012R2x64_18340, it returns no results; the latter shows our required hives.
Q 1. We can obtain this from the DC01 memory dump. Our results above suggest the most appropriate profile is Windows Server 2012 R2, but let's see how we can confirm that with registry artefacts. Since Windows 2000, operating system information has been stored in the registry at HKLM\Software\Microsoft\Windows NT\CurrentVersion. Armed with that location and an OS profile for Volatility, we can query the registry and print the following keys:
We don't want to dump the SOFTWARE hive itself (we would use hivedump for that); we just want to query the current values.
InstallDate is an epoch timestamp (the number of seconds since 01/01/1970 UTC). Converted: GMT Thursday, September 17, 2020 4:43:59 PM.
While we have the profile up and running, we'll list the running processes to identify anything suspicious.
The client interview identified that the compromised systems were located in 10.42.0.0 (the client said 'something something', but it's this CIDR).
Remove references to IPv6 from the network output to reduce noise.
We identify the following connections from local processes to remote hosts:
IP information
(We can check this IP against our captured PCAP shortly).
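The two Volatility steps above (reading InstallDate out of the CurrentVersion key, then triaging the network list with IPv6 removed and the victim range separated from genuinely remote peers) are small enough to script. The block below is an added example and not part of the original write-up or the DFIRMadness case files; the printkey excerpt and netscan rows are constructed to match the shape of Volatility 2 output, the InstallDate value is the epoch that round-trips to the date stated above rather than a value copied from DC01, 203.0.113.5 is a TEST-NET address standing in for the external host, and the victim network is assumed to be 10.42.0.0/16 since the write-up gives no prefix length.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Constructed excerpt in the shape of Volatility 2 "printkey" output for
# HKLM\Software\Microsoft\Windows NT\CurrentVersion (not copied from DC01).
SAMPLE_PRINTKEY = """\
Values:
REG_SZ        CurrentBuild    : (S) 9600
REG_DWORD     InstallDate     : (S) 1600361039
"""

# Constructed excerpt in the shape of Volatility 2 "netscan" output.
# 10.42.85.10 stands in for the local host, 203.0.113.5 (TEST-NET) for the remote peer.
SAMPLE_NETSCAN = """\
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x1e0bb12a0        TCPv4    10.42.85.10:49768              203.0.113.5:443      ESTABLISHED      1872     svchost.exe    2020-09-19 02:24:06 UTC+0000
0x1e0bb3460        TCPv6    fe80::1c4d:2f1e:9b3a:7c11:445  fe80::a9c2:11:53211  ESTABLISHED      4        System         2020-09-19 02:25:11 UTC+0000
0x1e0bb4a10        TCPv4    10.42.85.10:445                10.42.85.115:53211   ESTABLISHED      4        System         2020-09-19 02:25:11 UTC+0000
0x1e0bb5c80        TCPv4    0.0.0.0:3389                   0.0.0.0:0            LISTENING        1204     svchost.exe    2020-09-17 16:50:02 UTC+0000
0x1e0bb6f00        UDPv4    0.0.0.0:123                    *:*                                   1096     svchost.exe    2020-09-17 16:49:58 UTC+0000
"""


def registry_value(printkey_text, name):
    """Return one value from printkey output by name, e.g. 'InstallDate' -> '1600361039'."""
    pattern = r"^\S+\s+" + re.escape(name) + r"\s*:\s*\(S\)\s*(.+?)\s*$"
    match = re.search(pattern, printkey_text, re.M)
    return match.group(1) if match else None


def epoch_to_utc(epoch_seconds):
    """InstallDate is seconds since 1970-01-01 UTC; render it as a readable UTC timestamp."""
    stamp = datetime.fromtimestamp(int(epoch_seconds), tz=timezone.utc)
    return stamp.strftime("%Y-%m-%d %H:%M:%S UTC")


def parse_netscan(text):
    """Yield (proto, local, foreign) per data row; the header and blank lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].startswith("0x"):
            continue
        yield parts[1], parts[2], parts[3]


def classify_connections(netscan_text, victim_cidr):
    """Split netscan peers into hosts inside the victim range and genuinely external ones.

    IPv6 rows are dropped (as the write-up does), as are listeners and wildcard
    sockets, which have no peer worth checking against the PCAP.
    """
    victim_net = ipaddress.ip_network(victim_cidr)
    buckets = {"internal": set(), "external": set()}
    for proto, _local, foreign in parse_netscan(netscan_text):
        if proto.endswith("v6"):
            continue
        host, _, port = foreign.rpartition(":")
        if host in ("*", "0.0.0.0"):
            continue
        addr = ipaddress.ip_address(host)
        bucket = "internal" if addr in victim_net else "external"
        buckets[bucket].add((str(addr), int(port)))
    return {name: sorted(peers) for name, peers in buckets.items()}


if __name__ == "__main__":
    raw = registry_value(SAMPLE_PRINTKEY, "InstallDate")
    print("InstallDate:", raw, "->", epoch_to_utc(raw))
    for bucket, peers in classify_connections(SAMPLE_NETSCAN, "10.42.0.0/16").items():
        print(bucket, peers)
```

Feeding real output in is a matter of redirecting the Volatility command to a file and passing its contents to these functions; the "internal" bucket is the list to carry into the "did the attacker access any other systems" question, and the "external" bucket is what gets checked against the PCAP.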
Q 2. What’s the Operating System of the Desktop?
For this we'll use Magnet Forensics' AXIOM. We've already created a case and ingested our E01 images, memory dumps, and PCAP files. For information on how to create a case and add data, please see Magnet CTF Week 0.
As you can see, AXIOM makes light work of processing images and presenting information in a single pane of glass. On the left hand side under 'Operating System', select 'Operating System Information'. This has clearly been identified as Windows 10 Enterprise, build 19041. On the right hand side we have a ton of information which has been extracted from the registry and parsed. If required, we could export a copy of both the SYSTEM and SOFTWARE registry hives to verify and validate the information being presented; however, that is outside the scope of this guide.
Q 3. What was the local time of the Server?
This question itself is a bit ambiguous: the time at the point of the breach? Of the acquisition? At shutdown? For this, we'll look at the local time zone information and also the last modified file on the file system (lastalive0.dat).
Back to the artefacts. In the bottom left hand corner, we can see Timezone Information.
We can see a wealth of information regarding AXIOM's data source. This shows the time zone was UTC-08:00 Pacific Time.