Well, hello and welcome to the second episode for Season 1 of #ForensicMania.
Today we are looking at answering the ‘Misc’ section of questions from the 2018 MUS CTF, putting our four tools head-to-head with some analysis work.
Why are we doing this? To give you, the reader, a view on how different commercial tools compare with digital forensic analysis.
To recap, in Episode 1 – Processing we processed our evidence file with the four tools, after which the scoring looked as follows: Axiom took a narrow lead with 10 coins, while Blacklight was snapping at its heels with 9. In third place was EnCase with 7 coins, and bringing up the rear of the pack was FTK with 5.
Sidenote: check out Craft Beer Forensicator @kevinpagano3 (https://www.stark4n6.com/2019/02/ctf-review-magnet-user-summit-2018-part.html), who did a write-up of the CTF with free tools.
Scoring
“How will the scoring work this round?” I hear the masses scream from the districts. For the ‘Misc’ section, there are 2 coins up for grabs for each question: if the tool gets to the correct answer with an acceptable amount of effort, 2 coins are awarded. If the tool hides the answer under a rock but you can still get to it, or if the answer is only halfway there, only 1 coin is awarded. Finally, 0 coins for wrong answers.
With 11 questions, that makes a total of 22 coins up for grabs in this round.
So… will Axiom keep its narrow lead or trip over its connections? Does Blacklight know how to spell Shimcache? Can EnCase parse web histories? And FTK, will it fly, or just try to sell me Quin-C instead?
So many questions, so little time. Let’s dig in!
Question 1
Timezone: What is the system’s timezone set to?
Correct Answer: Mountain Standard Time
AXIOM
Axiom parses the SYSTEM hive’s TimeZoneInformation key (ControlSet00x\Control\TimeZoneInformation) as an Operating System artifact:
Coins: 2
Blacklight
Under Blacklight’s “System” section, open the registry sections and it shows you the “TimeZoneInformation” registry key:
Coins: 2
EnCase
Following processing, EnCase has a ‘Case Analyzer’ option which provides various reports about artifacts identified. One of these shows the Time Zone:
Coins: 2
FTK
Navigate to the System hive in the folder structure, right-click to open with Registry Viewer, hit the ‘Common Areas’ toggle, and Bob’s your uncle:
However, this is an obvious artifact that could be surfaced to the investigator directly in the ‘System Information’ tab, rather than requiring a detour through Registry Viewer.
Coins: 1
Question 2
File Sequence Number: What is the MFT file sequence number for the Python27\python.exe file? [This is not the MFT entry number]
Correct Answer: 1
AXIOM
Axiom does not parse MFT file sequence numbers.
Coins: 0
BlackLight
Blacklight shows the correct value in the “Data Structure” view for the file:
Coins: 2
EnCase
EnCase doesn’t parse the $MFT. However, if you’ve attended EnCase training at some stage, you’ve probably received an EnScript (“NTFS Single MFT Record & Attributes”) that will do this for you. Unfortunately, as this isn’t included as stock with EnCase, it doesn’t exist for most users (and it’s also not available in the Guidance App store).
Coins: 0
FTK
FTK doesn’t parse MFT file sequence numbers.
Coins: 0
Question 3
FileName Lookup: What is the name of the file that has MFT entry of 86280?
Correct Answer: $UsnJrnl
AXIOM
In the ‘File System’ view, you can filter on ‘MFT record number’ to get to the desired file:
Coins: 2
Blacklight
Blacklight allows you to filter all files based on “File System ID”, which is the MFT Record Number:
Coins: 2
EnCase
EnCase shows the ‘MFT record number’ in the columns under the label ‘File Identifier’. So just show all files, and sort according to the ‘File Identifier’ to get to the answer:
Coins: 2
FTK
You can get to this quite easily by listing all entries and sorting according to MFT Record Number in the columns.
Coins: 2
Question 4
FileTimestamp: What is the Standard Information Attribute’s Access timestamp of the Windows\Prefetch\CMD.EXE-89305D47.pf file? [UTC in YYYY-MM-DD hh:mm:ss format]
Correct Answer: 2018-04-26 15:48:40
All four tools display the timestamps from the $STANDARD_INFORMATION attribute by default (not the second set kept in the $FILE_NAME attribute), so the Access timestamp shown for the file is the one the question wants. Check out more info about Standard Information Attributes here:
• https://cyberforensicator.com/2018/03/25/windows-10-time-rules/
• https://www.andreafortuna.org/cybersecurity/macb-times-in-windows-forensic-analysis/
AXIOM
Coins: 2
Blacklight
Coins: 2
EnCase
Coins: 2
FTK
Coins: 2
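Questions 2 to 4 all come down to fields in the raw 1 KiB MFT record, which none of the tools show side by side. Here is a small parser, added for this write-up and not taken from the post or from any of the four products, that reads the sequence number (offset 0x10), the record number (offset 0x2C, or derived from the record’s byte offset within $MFT), applies the update-sequence fixups, and walks the resident attributes to pull the $STANDARD_INFORMATION timestamps and the $FILE_NAME name. The record it parses is constructed in the code to match the answers above (entry 86280 named $UsnJrnl, sequence 1, an access time of 2018-04-26 15:48:40 UTC); the LSN, parent reference and the other timestamps are filler values.

```python
"""Parse a raw NTFS MFT record: sequence number (Q2), record number (Q3),
$STANDARD_INFORMATION timestamps (Q4) and the $FILE_NAME name. Added example, not
code from the post or from any of the four tools. Offsets follow the NTFS 3.1 layout."""
import struct
from datetime import datetime, timedelta, timezone

MFT_RECORD_SIZE = 1024
SECTOR_SIZE = 512
ATTR_STANDARD_INFORMATION = 0x10
ATTR_FILE_NAME = 0x30
ATTR_END = 0xFFFFFFFF
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> 'YYYY-MM-DD hh:mm:ss' in UTC."""
    return (EPOCH_1601 + timedelta(microseconds=ft // 10)).strftime("%Y-%m-%d %H:%M:%S")

def datetime_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10

def apply_fixups(record):
    """Undo the update sequence array: on disk the last two bytes of every sector hold
    the update sequence number (USN) and the real bytes sit in the array. A sector
    tail that does not match the USN is a torn write, so refuse rather than guess."""
    rec = bytearray(record)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 0x04)
    usn = bytes(rec[usa_off:usa_off + 2])
    for i in range(1, usa_count):
        tail = i * SECTOR_SIZE - 2
        if bytes(rec[tail:tail + 2]) != usn:
            raise ValueError("fixup mismatch in sector %d: torn or corrupt record" % (i - 1))
        rec[tail:tail + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def parse_mft_record(record, offset_in_mft=None):
    """offset_in_mft (byte offset inside $MFT) gives the entry number even on pre-XP
    volumes, whose records lack the record-number field at 0x2C."""
    if record[:4] != b"FILE":
        raise ValueError("not a FILE record (BAAD or never used?)")
    rec = apply_fixups(record)
    seq, links, first_attr, flags = struct.unpack_from("<HHHH", rec, 0x10)
    info = {
        "sequence_number": seq,  # incremented every time the entry is reused (Q2)
        "record_number": struct.unpack_from("<I", rec, 0x2C)[0],  # entry number (Q3)
        "in_use": bool(flags & 0x01),
        "is_directory": bool(flags & 0x02),
        "hard_links": links,
    }
    if offset_in_mft is not None:
        info["entry_from_offset"] = offset_in_mft // MFT_RECORD_SIZE
    pos = first_attr
    while pos + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, pos)
        if atype == ATTR_END or alen == 0:
            break
        if rec[pos + 8] == 0:  # resident attribute: content sits inside the record
            clen, coff = struct.unpack_from("<IH", rec, pos + 0x10)
            content = rec[pos + coff:pos + coff + clen]
            if atype == ATTR_STANDARD_INFORMATION:
                keys = ("created", "modified", "mft_modified", "accessed")  # Q4: accessed
                times = struct.unpack_from("<QQQQ", content, 0)
                info["si_times"] = dict(zip(keys, map(filetime_to_utc, times)))
            elif atype == ATTR_FILE_NAME:
                name_len = content[0x40]
                info["file_name"] = content[0x42:0x42 + 2 * name_len].decode("utf-16-le")
        pos += alen
    return info

def _resident_attr(atype, content):
    total = (0x18 + len(content) + 7) & ~7  # attribute lengths are 8-byte aligned
    hdr = struct.pack("<IIBBHHH", atype, total, 0, 0, 0x18, 0, 0)
    hdr += struct.pack("<IHBB", len(content), 0x18, 0, 0)
    return hdr + content + bytes(total - 0x18 - len(content))

def build_sample_record():
    """Constructed record, not taken from the CTF image: entry 86280, sequence 1, named
    $UsnJrnl, SI access time 2018-04-26 15:48:40 UTC, with a live fixup array."""
    def ft(*ymdhms):
        return datetime_to_filetime(datetime(*ymdhms, tzinfo=timezone.utc))
    si = struct.pack("<QQQQ", ft(2018, 3, 28, 9, 0, 0), ft(2018, 4, 1, 12, 30, 0),
                     ft(2018, 4, 1, 12, 30, 0), ft(2018, 4, 26, 15, 48, 40)) + bytes(40)
    name = "$UsnJrnl".encode("utf-16-le")
    fn = (struct.pack("<Q", 11 | (11 << 48)) + si[:32]  # parent ref ($Extend), 4 times
          + struct.pack("<QQII", 0, 0, 0x20, 0) + bytes([len(name) // 2, 3]) + name)
    attrs = (_resident_attr(ATTR_STANDARD_INFORMATION, si)
             + _resident_attr(ATTR_FILE_NAME, fn) + struct.pack("<I", ATTR_END))
    rec = bytearray(MFT_RECORD_SIZE)
    rec[0:4] = b"FILE"
    struct.pack_into("<HHQHHHHII", rec, 0x04, 0x30, 3, 0x1234, 1, 1, 0x38, 0x01,
                     0x38 + len(attrs), MFT_RECORD_SIZE)
    struct.pack_into("<QHHI", rec, 0x20, 0, 3, 0, 86280)
    rec[0x38:0x38 + len(attrs)] = attrs
    # As on disk: USN 0x0007 overwrites both sector tails and the original tail bytes
    # (zeros here) are parked in the array right after the USN.
    struct.pack_into("<HHH", rec, 0x30, 7, 0, 0)
    rec[0x1FE:0x200] = b"\x07\x00"
    rec[0x3FE:0x400] = b"\x07\x00"
    return bytes(rec)
```

The fixup step is the part people skip: without it the last two bytes of each 512-byte sector are the update sequence number, not file data, and a timestamp or name that straddles a sector boundary decodes wrongly. The record number at 0x2C only exists on volumes written by Windows XP and later; for older volumes divide the record’s byte offset within $MFT by the record size, which is what `entry_from_offset` does.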
Question 5
VSN-C: What is the C: volume’s serial number?
Correct Answer: 6C19-1B65
AXIOM
Shown nicely in the File System Information artifact:
Coins: 2
Blacklight
So… Blacklight shows the Volume Serial Number for a specific volume in the “Details” section under “Disk View”. However, it shows the bytes in the opposite order to the XXXX-XXXX form Windows reports, so you still have to byte-swap the value with another tool to match the expected answer:
So, only halfway there.
Coins: 1
EnCase
When the volume is selected in the Tree view, it shows the volume serial for you:
Coins: 2
FTK
Head over to the file structure and navigate to the OS volume, and click on Properties:
Coins: 2
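For the byte-order trap above, here is where the serial actually lives and where the XXXX-XXXX form comes from. This is an added example, not from the post or from any of the tools: it checks the OEM ID and the 0x55AA signature, reads the 8-byte little-endian serial at offset 0x48 of the NTFS boot sector, and returns both the raw on-disk bytes (the “backwards”-looking form a viewer prints when it does not byte-swap) and the Windows form, which is the low-order 32 bits split into two hex words. The boot sector and its serial value are constructed in the code, not read from the CTF image.

```python
"""Volume serial number from an NTFS boot sector, in raw and Windows form.
Added example; not code from the post or from any of the four tools."""
import struct

NTFS_OEM_ID = b"NTFS    "
VSN_OFFSET = 0x48  # 8-byte little-endian serial in the extended BPB

def parse_ntfs_boot_sector(sector):
    """Return (serial_64bit, windows_form) for one 512-byte NTFS boot sector.
    Windows (vol, GetVolumeInformation) reports the low-order 32 bits as XXXX-XXXX."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    if sector[3:11] != NTFS_OEM_ID:
        raise ValueError("OEM ID is %r, not NTFS" % sector[3:11])
    serial = struct.unpack_from("<Q", sector, VSN_OFFSET)[0]
    low = serial & 0xFFFFFFFF
    return serial, "%04X-%04X" % (low >> 16, low & 0xFFFF)

def raw_serial_bytes_hex(sector):
    """The serial exactly as the bytes sit on disk (little-endian), which is what a
    hex viewer or an un-swapped tool display shows."""
    return sector[VSN_OFFSET:VSN_OFFSET + 8].hex().upper()

def build_sample_boot_sector(serial):
    """Constructed boot sector, not the CTF image's: jump, OEM ID, the BPB fields a
    parser would look at first, the serial at 0x48 and the 0x55AA signature."""
    bs = bytearray(512)
    bs[0:3] = b"\xEB\x52\x90"
    bs[3:11] = NTFS_OEM_ID
    struct.pack_into("<HB", bs, 0x0B, 512, 8)  # bytes per sector, sectors per cluster
    bs[0x15] = 0xF8                           # media descriptor: fixed disk
    struct.pack_into("<Q", bs, VSN_OFFSET, serial)
    bs[510:512] = b"\x55\xAA"
    return bytes(bs)

# Constructed 64-bit serial whose low DWORD is the Q5 answer, 6C19-1B65.
SAMPLE_SECTOR = build_sample_boot_sector(0x9E8F3A126C191B65)
```

Reading the serial this way also sidesteps an easy mistake when comparing against the LNK or USB artifacts that carry only the 32-bit serial: match on the Windows form, not on the full 64-bit value.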
Question 6
YouTube Search: What term was searched in YouTube on 3/28/2018?
Correct Answer: “simpsons max power”.
AXIOM
Looking at ‘Web Related’ artifacts and applying a date filter for March 28th 2018 gets you the answer:
Coins: 2
Blacklight
Hop on over to the “Internet” tab, and you’ll get the answer:
Coins: 2
EnCase
EnCase seems to be the tool that you hope the opposing party used when reviewing your client’s web histories… because there’s no way a sane person will enjoy using it for analysing internet artifacts.
I did a separate write-up about EnCase’s inability to parse Firefox histories correctly: https://www.dfir.co.za/2019/03/09/encase-you-were-hoping-to-parse-firefox/
After lodging a support ticket with OpenText, it’s been confirmed that EnCase currently can’t parse Firefox internet histories. Apparently, the upcoming release of v8.09 will have proper support.
Coins: A shocking 0
FTK
Head over to the “Internet/Chat” tab, sort by time and you get the YouTube search on the date:
Coins: 2
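The search term itself lives in the URL, so once any tool (or plain sqlite3) hands you history rows you can recover it without relying on the tool’s web-artifact parser. This is an added example, not from the post or from any of the tools: it extracts search_query from YouTube results URLs, converts Chrome’s WebKit timestamps (microseconds since 1601, stored in UTC) and filters by date in a chosen time zone, because a question phrased as 3/28/2018 is presumably a local date on a Mountain-time system (see Question 1) while the browser stores UTC. The history rows are constructed in the code, not the CTF’s Chrome database.

```python
"""YouTube search terms from browser history, filtered by date in a given zone.
Added example; not code from the post or from any of the four tools."""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_utc(us):
    """Chrome visit_time: microseconds since 1601-01-01 UTC (a FILETIME divided by 10)."""
    return EPOCH_1601 + timedelta(microseconds=us)

def utc_to_webkit(dt):
    return (dt - EPOCH_1601) // timedelta(microseconds=1)

def youtube_search_term(url):
    """Search term from a YouTube results URL, or None for any other URL."""
    parts = urlsplit(url)
    host = parts.netloc.lower()
    if not (host == "youtube.com" or host.endswith(".youtube.com")):
        return None
    if parts.path != "/results":
        return None
    terms = parse_qs(parts.query).get("search_query")  # '+' decodes to a space
    return terms[0] if terms else None

def youtube_searches_on(history, day, tz=timezone.utc):
    """history: iterable of (webkit_microseconds, url). day: 'YYYY-MM-DD' judged in tz.
    Pass the system's zone when a question gives a local date: a late-evening search
    sits on the next calendar day in UTC."""
    hits = []
    for us, url in history:
        term = youtube_search_term(url)
        if term is None:
            continue
        local = webkit_to_utc(us).astimezone(tz)
        if local.strftime("%Y-%m-%d") == day:
            hits.append((local.strftime("%Y-%m-%d %H:%M:%S"), term))
    return hits

def _at(*ymdhms):
    return utc_to_webkit(datetime(*ymdhms, tzinfo=timezone.utc))

# Constructed history rows (timestamps are UTC), not the CTF's actual Chrome database.
SAMPLE_HISTORY = [
    (_at(2018, 3, 28, 15, 25, 12), "https://www.youtube.com/results?search_query=simpsons+max+power"),
    (_at(2018, 3, 28, 15, 26, 3), "https://www.youtube.com/feed/subscriptions"),
    (_at(2018, 3, 28, 16, 2, 44), "https://www.google.com/search?q=max+power+sru"),
    (_at(2018, 3, 29, 2, 10, 0), "https://m.youtube.com/results?search_query=homer+simpson"),
]

MDT = timezone(timedelta(hours=-6))  # Mountain Daylight Time, in force on 2018-03-28
```

Run it with `youtube_searches_on(SAMPLE_HISTORY, "2018-03-28")` for a UTC view and with `tz=MDT` for the system’s local view; the second call also picks up the constructed search that happened at 02:10 UTC on the 29th, which was still the evening of the 28th in Mountain time.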
Question 7
Sleuthkit + PowerShell: Max Powers was playing with ways he could extract files using Sleuthkit and PowerShell. What was the exact command he used in attempting to extract the SRUM database?
Correct Answer: $inode = ifind -n /Windows/System32/sru/SRUDB.dat \\.\C: ; icat \\.\C: $inode > SRUDB.dat
For me, there are two ways of approaching this one:
- Find the “ConsoleHost_history.txt” file (PSReadLine’s PowerShell command history, kept per user under %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\) and search in the file for “SRUDB.dat”.
- Search the entire case for “SRUDB.dat”, which will lead you to the “ConsoleHost_history.txt” file.
For this question we’ll go with door number 2, as I didn’t (and don’t) necessarily know this path or filename off by heart.
AXIOM
Searching for “SRUDB.dat” shows the “ConsoleHost_history.txt” log listed as a Document artifact:
Coins: 2
Blacklight
Blacklight does not have an index search function, only live searches. I ran a live search for ‘srudb.dat’, which took a few minutes to get to the PowerShell log with the ifind command in it.
Coins: 2
EnCase
Searching for “srudb.dat” in the indexed search provided a hit for the ConsoleHost_history.txt file, showing the ifind command.
Coins: 2
FTK
Search for “SRUDB.dat” in FTK index search, which will get you a bunch of hits, one of which is the “ConsoleHost_history.txt” file showing the command used.
Coins: 2
Question 8
Administrator Logon Count: How many times did Administrator logon to the system?
Correct Answer: 14
AXIOM
The ‘User Accounts’ artifact shows this for the Administrator account:
Coins: 2
Blacklight
Blacklight’s ‘Actionable Intel’ section gives you the Logon Count for each local user account:
Coins: 2
EnCase
EnCase’s ‘System Info Parser’ artifact does provide info about the local user accounts, however, there’s nothing about logon count:
You can view the SAM hive’s structure from within EnCase, but again, they want you to work for it. In order to get this value in EnCase, you need to go to offset 66-67 (0x42-0x43) of the F value of the user’s subkey, which holds the logon count as a 16-bit little-endian integer:
This then translates to the integer value of 14.
Again, a simple artifact that should be shown to the user in a much simpler way. I’m giving EnCase a 0 for this one, as having to highlight offsets of the F value is just not ideal.
Coins: 0
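EnCase leaves you counting bytes in the F value, so here is that structure decoded in code. This is an added example, not from the post or from any of the tools; the offsets follow the widely documented F layout (the one RegRipper’s samparse plugin uses), and the logon count is the 16-bit value at 0x42, the bytes 66-67 highlighted by hand above. The F value it decodes is constructed in the code (RID 500, 14 logons), not the SAM from the CTF image.

```python
"""Decode the F value of a SAM user key (SAM\\Domains\\Account\\Users\\<RID> inside the
hive). Added example; not code from the post or from any of the four tools."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = 0x7FFFFFFFFFFFFFFF  # sentinel Windows writes for 'account never expires'
ACB_DISABLED = 0x0001
ACB_PWNOTREQ = 0x0004
ACB_NORMAL = 0x0010
ACB_DONT_EXPIRE_PASSWORD = 0x0200
ACB_AUTOLOCK = 0x0400

def filetime_to_utc(ft):
    """FILETIME -> 'YYYY-MM-DD hh:mm:ss' UTC; 0 and the never-expires sentinel -> None."""
    if ft in (0, NEVER):
        return None
    return (EPOCH_1601 + timedelta(microseconds=ft // 10)).strftime("%Y-%m-%d %H:%M:%S")

def parse_sam_f_value(f):
    if len(f) < 0x44:
        raise ValueError("F value too short (%d bytes), need at least 0x44" % len(f))
    (last_logon, _last_logoff, pwd_last_set,
     acct_expires, last_bad_pwd) = struct.unpack_from("<QQQQQ", f, 0x08)
    rid, primary_gid = struct.unpack_from("<II", f, 0x30)
    acb = struct.unpack_from("<H", f, 0x38)[0]
    bad_pwd_count, logon_count = struct.unpack_from("<HH", f, 0x40)
    return {
        "rid": rid,
        "primary_gid": primary_gid,
        "last_logon": filetime_to_utc(last_logon),
        "pwd_last_set": filetime_to_utc(pwd_last_set),
        "acct_expires": filetime_to_utc(acct_expires),
        "last_bad_pwd": filetime_to_utc(last_bad_pwd),
        "acb_flags": acb,
        "disabled": bool(acb & ACB_DISABLED),
        "locked_out": bool(acb & ACB_AUTOLOCK),
        "pwd_not_required": bool(acb & ACB_PWNOTREQ),
        "pwd_never_expires": bool(acb & ACB_DONT_EXPIRE_PASSWORD),
        "bad_pwd_count": bad_pwd_count,  # offset 0x40
        "logon_count": logon_count,      # offset 0x42 (bytes 66-67): the Q8 answer
    }

def build_sample_f_value():
    """Constructed 80-byte F value, not the CTF's SAM: RID 500, normal account whose
    password never expires, 14 logons, last logon 2018-04-26 15:30:02 UTC."""
    def ft(*ymdhms):
        dt = datetime(*ymdhms, tzinfo=timezone.utc)
        return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10
    f = bytearray(0x50)
    struct.pack_into("<QQQQQ", f, 0x08, ft(2018, 4, 26, 15, 30, 2), 0,
                     ft(2018, 4, 11, 8, 0, 0), NEVER, 0)
    struct.pack_into("<II", f, 0x30, 500, 513)  # RID 500 (Administrator), Domain Users
    struct.pack_into("<H", f, 0x38, ACB_NORMAL | ACB_DONT_EXPIRE_PASSWORD)
    struct.pack_into("<HH", f, 0x40, 0, 14)
    return bytes(f)
```

The same decode gives you the last logon and last bad password times for free, which is usually the next question after “how many times”. Treat a last logon of zero as “never”, not as 1601-01-01.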
FTK
FTK does have a ‘SAM Users’ section in their ‘System Information’ tab, but this only shows you SIDs and User Names. So, find the SAM in the tree structure. This will then show the content in readable way in the ‘Natural’ view pane, without having to open it with Registry Viewer:
Coins: 2
Question 9
Install Q: What day was the Go programming language installed on? [Answer format: YYYY-MM-DD]
Correct Answer: 2018-04-11
AXIOM
This is recorded in the ‘Installed Programs’ artifact
Coins: 2
Blacklight
Blacklight did not list the Go Programming Language under its Application artifact:
But you could, however, find it under the “Uninstall” registry key (SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, where the InstallDate value holds the date as YYYYMMDD) with the built-in registry viewer:
Coins: 1
EnCase
EnCase lists installed software under: Artifacts > System Info Parser > Software.
However, Go was not listed by EnCase:
By manually traversing the SOFTWARE hive in EnCase, I got to the Uninstall key for Atom (based on what the other tools showed), but for the life of me I couldn’t figure out how to get actual data to be shown in EnCase for this key:
Coins: 0
FTK
The System Information tab shows this quite easily:
Coins: 2
Question 10
Who Installed Atom?: Which user installed Atom? [Answer is the complete SID not the username]
Correct Answer: “S-1-5-21-2801897208-1878083585-4182000528-1002”
For this question, I’m looking for proof that the Atom installer, AtomSetup-x64.exe, was downloaded (Chrome Web History) and that the file was executed by the user (Windows OS artifact).
AXIOM
After searching for “Atom” in Axiom, you can get to the install file “AtomSetup-x64.exe”. In the connections view, it shows the installer being downloaded by the ‘maxpowers’ account in Chrome and then executed by the same account via the Shimcache:
In addition to the above, there is also a SRUM Application Resource Usage entry linking the installer to the profile.
To get the SID for the profile, head over to the ‘User Accounts’ tab which shows the SID for ‘maxpowers’:
Coins: 2
Blacklight
Blacklight recorded the installer being downloaded by the profile ‘maxpowers’ in Chrome:
You can then link the SID to the profile via the registry viewer:
However, there was no artifact recording AtomSetup-x64.exe being executed.
Coins: 1
EnCase
I could not get to the downloading of AtomSetup-x64.exe in its Chrome histories, nor any artifacts showing the execution of AtomSetup-x64.exe by ‘maxpowers’.
Coins: 0
FTK
The ‘Internet/Chat’ tab in FTK shows the ‘maxpowers’ profile downloading the setup file:
However, FTK did not have any artefacts showing the file was executed by the user profile.
The ‘Sam Users’ section then shows you SIDs mapped to usernames.
Coins: 1
Question 11
Deletion in LogFile: The $LogFile shows at LogFile Sequence Number [LSN] 4433927454 a file is deleted. What is the name of the file that was deleted?
Correct Answer: 7z.dll
AXIOM
Axiom parses the $LogFile entries, so you can search for 4433927454, which will take you to the 7z.dll entry in the ‘$LogFile Analysis’ artifact.
Coins: 2
Blacklight
Blacklight did ‘parse’ the $LogFile, but not properly:
Coins: 0
EnCase
EnCase also ‘parsed’ the $LogFile, but doesn’t show LSN numbers:
Coins: 0
FTK
FTK doesn’t parse the $LogFile.
Coins: 0
And that’s it!
Scoreboard:
After a gruelling round, let’s have a look at the scoreboard for Episode 2 (tallied from the coins awarded above):
- Axiom: 20
- Blacklight: 17
- FTK: 16
- EnCase: 10
Well, there you have it: Congratulations to Axiom for taking pole position once again. Taking second is Blacklight, with FTK following close behind in third, and EnCase bringing up the rear.
Episode 3 coming soon!
Great job, however your “Correct answer” to Question 8 should be 14; you have it listed as a date.
Also, regarding Question 1 and FTK: if you also go into the Registry files (inside FTK and not Registry Viewer; normally I go into the Overview tab, OS/File System, Windows NT Registry) and click on SYSTEM, it provides the Time Zone (however, it is normally displayed as a time value, such as 360 with daylight -60). I would still give it one coin because it does not represent what a normal reviewer wants to see.