<div><b>DFIR_300</b>: DFIR/OSINT Tools, CTF Write-ups, and other Technology Related Info</div><div><b>2021 Crack Me If You Can Contest Write-Up</b> (DFIR_300, 2021-08-26)</div><p>Once again KoreLogic hosted the Crack Me If You Can password cracking contest during DEFCON 29. I participated in the Street Division as a solo entry. Password cracking is something that I have developed a passion for over the past 5-6 years after realizing that so many in the forensic world struggle with it. I found a ton of great resources such as the thesis and dissertation by Dr. Matthew Weir (<a href="https://diginole.lib.fsu.edu/islandora/object/fsu%3A175769" target="_blank">Using Probabilistic Techniques to Aid in Password Cracking Attacks</a>) and prior contest write-ups by <a href="https://twitter.com/CynoPrime" target="_blank">@Cyno-Prime</a>, <a href="https://twitter.com/John_Users" target="_blank">@John_Users</a>, and <a href="https://twitter.com/hashcat" target="_blank">@hashcat</a>. The YouTube videos posted from the Password Village from DEFCON 28 are a great resource, especially "<a href="https://www.youtube.com/watch?v=v4MVrPJPg6w" target="_blank">Lets crack rockyou.txt, without using rockyou.txt</a>". I decided this year I would attempt with a single machine with the goal of showing that for certain tasks, the hardware isn't as important as the intelligence, strategy and/or methodologies. </p><p>Let's start with the hardware, which was a 7-year-old gaming laptop, running Windows with a GeForce GTX860M, and a fresh install of Hashcat 6.2.3. 
Since the rules are clearly laid out that duplicate cracks are not to be submitted, I needed to brush up on creating a workflow to not only properly form my crack submissions, but also to remove the previous cracks. While I am sure there is an easier way to handle this task, I used a combination of the --show function within Hashcat to create the submission and then used the --left Hashcat function to create a new hash file that only contained the remaining hashes to continue cracking. Once I had my cracks in a text file, I used the find/replace feature within Notepad++, along with some GREP, to properly form the final submission text file. I know this is somewhere that I can improve my efficiency by using a Linux OS and some CLI Tools, to eliminate the extra steps of using the Notepad++ GUI. </p><p>Moving on to the strategies and methodologies, I started with the History_6 hashes, identified the hashes as NTLM and launched a plain brute force attack, which started cracking right away. While that was running in the background, I grabbed the History_5 hashes, which were also NTLM. This initially made me think that there was some kind of a trick coming, as this was the first time I have participated in the contest that the hash type wasn't mixed. I then went back to read the scenario, and immediately remembered the Password Village talk from DEFCON 28 by <a href="https://twitter.com/crackmeifyoucan" target="_blank">@Minga</a> called <a href="https://www.youtube.com/watch?v=7FGY6k5wMtk" target="_blank">"Result of Longer Passwords in Real World Application"</a>. During this talk, Minga explained how as corporate password policies evolve, the user typically keeps their passwords similar while still complying with the policy. This was a huge guess early on, and I figured I would commit to this strategy as long as I didn't see anything in the cracks showing a more efficient cracking strategy. 
Since History_4 and History_3 wouldn't be released until later in the contest, I would have a few hours to crack and analyze to see if the methodology would benefit me in the long run. </p><p>As I began to look at the cracks, I saw several patterns that I wanted to exploit early on, so I stopped the straight brute force attack and started with various mask attacks. Some of the patterns I saw were digits at the front, digits at the end, all lower, uppercase first character, and all digits, so I played around with several mask variations on both the History_6 and History_5 files and immediately began to see massively increased results, which was not surprising. A blind brute force should never be used as the only strategy, as that relies on luck alone, and password cracking requires some strategy and intel to be really effective. I continued with the various masks and then started to notice some of the core words such as numbers, names, cities, and books/chapters of the Bible. With this realization and following the strategy that this contest was based around "users" who had an evolving password policy, I created a fresh wordlist, using all of the previous cracks as a base wordlist.</p><p>Once the History_4 and History_3 were released and I realized they were all NTLM, there was no need to keep them separate; they could all be combined into a single file. This made my workflow more efficient, as I didn't need to run each mask attack 4 times to cover each of the files, I would just run it on a single combined file. Suddenly I realized I had been missing out on a huge strategy and benefit, and I couldn't believe that I was so focused on the masks that I had forgotten about the --loopback function to load the found cracks back into the attacks. 
I also realized that I had not used any rules, which was also a huge oversight, as the tunnel vision had set in on the masks and patterns.</p><p>After the realization of all the missed/forgotten functions within Hashcat, I took a step back and re-evaluated my strategy, moving back to basics. When dealing with password cracking, I typically start with wordlists, so I of course started with Rockyou. As I organized my wordlists, I found a directory that I had created called Korelogic_Lists. This directory contained several wordlists that I had downloaded several years ago from the KoreLogic website. These lists included cities, female names, male names, places, books of the bible, months, numbers as words, and sports teams. This was a treasure trove, which by the way is still available on the <a href="https://contest-2010.korelogic.com/wordlists.html" target="_blank">2010 - Crack Me If You Can Contest page</a>. I combined all of these into a single wordlist, made sure that I was tracking which rules I had used, and started to run through the hashes. The cracks were flying by, and I had definitely found a great resource that I couldn't believe I had overlooked earlier. 
</p><p><br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgblTHxvaKAr4D1abXG4GV_g91OxtWEOrQ_aZgZKGfb0hpiGuMy25RiMox8O-rxBrY2LHR5sWiphWYf66zVmKK6FNBzTKMrvz4Y4a1udjqxT67jYSe8cdqOjHMrOQoXKjg9O5YeCAKRNk3y/s1516/CMIYC_Submission_Chart.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="691" data-original-width="1516" height="183" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgblTHxvaKAr4D1abXG4GV_g91OxtWEOrQ_aZgZKGfb0hpiGuMy25RiMox8O-rxBrY2LHR5sWiphWYf66zVmKK6FNBzTKMrvz4Y4a1udjqxT67jYSe8cdqOjHMrOQoXKjg9O5YeCAKRNk3y/w400-h183/CMIYC_Submission_Chart.PNG" title="Scoreboard" width="400" /></a></div><div><br /></div>As you can see in the chart above, once I started to use the --loopback function, as well as rules (instead of masks) and the wordlists that were created around the analysis of the previous cracks, I was able to make quite a bit of progress. This is definitely where better hardware would have helped, as I realized way too late into the contest some basic strategies had been overlooked. <div><br /></div><div>Overall the contest was a test of my capabilities, but more importantly really fun. Hopefully next year I can either join a team, or assemble one as having more than one person's strategy would be beneficial. Hopefully this helps out others in the DFIR community that struggle with password cracking, and shows that while dedicated hardware can be helpful, the core methodologies and intelligence for password structure make cracking much more efficient.</div><div><br /></div><div>A huge thanks to the <a href="https://twitter.com/passwordvillage" target="_blank">@passwordvillage</a> and KoreLogic for putting on the contest each year and to <a href="https://twitter.com/grifter801" target="_blank">@Grifter801</a> and <a href="https://twitter.com/defcon" target="_blank">@defcon</a> for the contests area. 
Congrats to all the other participants, especially Team <a href="https://twitter.com/hashcat" target="_blank">@Hashcat</a> on their win. Never stop learning and always ask questions.<br /><p><br /></p></div><div><b>Unsupported Artifacts and How to Deal with them</b> (DFIR_300, 2020-07-21)</div><div>This blog post will provide a look into dealing with valuable artifacts that are identified, but aren't supported by any of your commercial tools. This provides a great opportunity to contribute to an open source project such as <a href="https://github.com/abrignoni/iLEAPP" target="_blank">iLEAPP</a> by <a href="https://www.twitter.com/AlexisBrignoni" target="_blank">@AlexisBrignoni</a> and Yogesh Khatri (<a href="https://twitter.com/swiftforensics" target="_blank">@SwiftForensics</a>). <br /></div><div><br /></div><div>Like so many of you, the first place I look when my extractions finish parsing is the installed applications. Funny enough this workflow was covered by <a href="https://www.twitter.com/HeatherMahalik" target="_blank">@HeatherMahalik</a> and <a href="https://www.twitter.com/mattforensic" target="_blank">@mattforensic</a> on their podcast, <a href="https://www.twitter.com/carved_from" target="_blank">Carved from Unallocated</a>. I want to start off by getting a better idea of what applications are on the device. While checking out the installed applications on a recent extraction, I came across the Ookla Speed Test Application. I had never seen the application before, but I was familiar with the web version, which is commonly used to check download and upload connection speeds. This is where my curious nature took over, so I started to dig around to see what data was contained in the databases for the application. I also found it was not parsed by the commercial tool I had used. 
To my surprise it was a goldmine of artifacts that would be extremely helpful for this particular case, and likely many others. </div><div><br /></div><div>After participating in the 2020 Magnet Forensics Virtual Summit CTF, I became quite familiar with the capabilities of DB Browser for SQLite. So I exported the speedtest.sqlite database for the Ookla Speed Test Application and went to work. While inspecting the contents of the database, I found the most valuable information in the table called ZSPEEDTESTRESULT. This table contained data related to Date, Time, Internal IP Address, External IP Address, Cellular Carrier, ISP, WIFI SSID, Device Make/Model, Latitude/Longitude, and Accuracy related to the Lat/Long data. Some might be wondering why this is so valuable, but when was the last time you had an artifact for a phone that had a date/time stamp to go along with the IP Address that the device was connected to? Not just the internal IP Address, but the external IP Address. So now we have an IP Address to plot on our timeline, but that's not all, we also have GPS Data. We can now plot the GPS, with a date and time, and the external IP Address. Imagine the uses for this type of information in intellectual theft cases where the suspect checks upload speeds prior to exfiltrating the data or CSAM where the suspect checks their download speeds at a local free wifi spot.</div><div><br /></div><div>Let's dig deeper into how helpful some of the other data might be. The device make/model could be helpful, since the data is stored in an unencrypted backup, and can be restored, connecting multiple devices, again via IP Address and GPS Location data. The SSID can be searched through Wigle.net to try and locate a unique SSID. <br /></div><div><br /></div><div>Now that we have located the data, it was time to perfect our SQLite queries to parse the data that we want to use. With a little bit of extra time we are able to build a device make/model conversion into the query. 
After we have our SQLite query built and we are happy with the data output, we then check out the videos on YouTube by @AlexisBrignoni which provide step-by-step instructions on creating new artifacts for iLEAPP. <br /></div><div><br /></div><div>Creating the new artifact was quite the adventure, but a very rewarding process. I sent countless messages to @AlexisBrignoni, trying to perfect the script so that the application artifacts could be parsed by iLEAPP and presented in the report it generates. After I was able to get the scripts to run properly, I needed to confirm the data. So I used my test device, which is an iPhone SE, running iOS 13.5.1, to download the Ookla Speed Test Application and ran a few network checks. I noted my external IP Address, the SSID I was connected to, as well as my location. I then conducted an iTunes Backup of my test device. After reading the blog post by @AlexisBrignoni, which covers normalizing the iTunes Backups with the help of the script created by Edward Greybeard (<a href="https://github.com/edward-greybeard/iOS-UNF">https://github.com/edward-greybeard/iOS-UNF</a>), and with the iTunes Backup now normalized, I was able to validate all of the data from my test device including the data related to the GPS Location Data, External IP Address, and SSID. 
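The kind of query described above, as an added example; it is not the author's query and not the code of the iLEAPP artifact. The column names (ZDATE, ZEXTERNALIP and so on) and the sample rows are assumptions constructed for illustration, the date is assumed to be a Core Data timestamp (seconds since 2001-01-01 UTC), and the device map is a small partial one.

```python
import sqlite3
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Core Data (the "Z"-prefixed tables) stores dates as seconds since 2001-01-01 UTC.
CORE_DATA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
CORE_DATA_OFFSET = int(CORE_DATA_EPOCH.timestamp())  # 978307200

# Partial map of Apple hardware identifiers to marketing names.
DEVICE_MODELS = {
    "iPhone8,4": "iPhone SE (1st generation)",
    "iPhone11,8": "iPhone XR",
    "iPhone12,8": "iPhone SE (2nd generation)",
}


def open_readonly(db_path):
    """Open an exported database read-only so the evidence copy is never modified."""
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"
    conn = sqlite3.connect(uri, uri=True)
    conn.row_factory = sqlite3.Row
    return conn


def parse_speedtests(conn):
    """Return one dict per speed test, oldest first, with UTC time and device name."""
    # The make/model conversion lives in the query itself, as a CASE expression.
    whens = " ".join("WHEN ? THEN ?" for _ in DEVICE_MODELS)
    params = [value for pair in DEVICE_MODELS.items() for value in pair]
    sql = f"""
        SELECT datetime(ZDATE + {CORE_DATA_OFFSET}, 'unixepoch') AS test_time_utc,
               ZEXTERNALIP  AS external_ip,
               ZINTERNALIP  AS internal_ip,
               ZCARRIERNAME AS carrier,
               ZISP         AS isp,
               ZWIFISSID    AS ssid,
               CASE ZDEVICEMODEL {whens} ELSE ZDEVICEMODEL END AS device,
               ZLATITUDE    AS latitude,
               ZLONGITUDE   AS longitude,
               ZHORIZONTALACCURACY AS accuracy_m
        FROM ZSPEEDTESTRESULT
        ORDER BY ZDATE
    """
    results = []
    for row in conn.execute(sql, params):
        rec = dict(row)
        # Location is NULL when the app had no location fix; flag it, don't plot it.
        rec["has_location"] = rec["latitude"] is not None and rec["longitude"] is not None
        results.append(rec)
    return results


def build_sample_db(path):
    """Create a constructed stand-in for speedtest.sqlite (assumed schema)."""
    first = (datetime(2020, 6, 22, 20, 11, 38, tzinfo=timezone.utc)
             - CORE_DATA_EPOCH).total_seconds()
    rows = [
        # Wi-Fi test with a location fix; IPs are documentation/private ranges.
        (first, "203.0.113.25", "192.168.1.23", "ExampleCell", "Example ISP",
         "ExampleCafe_WiFi", "iPhone8,4", 43.0731, -89.4012, 65.0),
        # Cellular test one hour later, no SSID, no location, unmapped model.
        (first + 3600, "198.51.100.7", "10.20.30.40", "ExampleCell", "ExampleCell",
         None, "iPhone99,9", None, None, None),
    ]
    conn = sqlite3.connect(str(path))
    conn.execute(
        "CREATE TABLE ZSPEEDTESTRESULT (ZDATE REAL, ZEXTERNALIP TEXT, "
        "ZINTERNALIP TEXT, ZCARRIERNAME TEXT, ZISP TEXT, ZWIFISSID TEXT, "
        "ZDEVICEMODEL TEXT, ZLATITUDE REAL, ZLONGITUDE REAL, "
        "ZHORIZONTALACCURACY REAL)"
    )
    conn.executemany("INSERT INTO ZSPEEDTESTRESULT VALUES (?,?,?,?,?,?,?,?,?,?)", rows)
    conn.commit()
    conn.close()


def demo():
    """Build the sample database, reopen it read-only and parse it."""
    with tempfile.TemporaryDirectory() as tmp:
        db = Path(tmp) / "speedtest.sqlite"
        build_sample_db(db)
        conn = open_readonly(db)
        try:
            return parse_speedtests(conn)
        finally:
            conn.close()


if __name__ == "__main__":
    for record in demo():
        print(record)
```

Against a real export, confirm the column names in DB Browser for SQLite first and validate the converted times against a test device, as described above.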
<br /></div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDnLpM7qyAB1Fevww8eZTjFS6T3DAlcTBiYqnodMhwtPsbpQwzeTIBY1m-2K3BMtgAZytBX12qNeB2eyEjaDWt6wDgrnBZUrv-eMQjc8WHMS_Rlbvxj1qiZpYZT1I8HzAsaXvU99qjjWjl/s1112/Screen+Shot+2020-06-22+at+3.11.38+PM.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="320" data-original-width="1112" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDnLpM7qyAB1Fevww8eZTjFS6T3DAlcTBiYqnodMhwtPsbpQwzeTIBY1m-2K3BMtgAZytBX12qNeB2eyEjaDWt6wDgrnBZUrv-eMQjc8WHMS_Rlbvxj1qiZpYZT1I8HzAsaXvU99qjjWjl/s320/Screen+Shot+2020-06-22+at+3.11.38+PM.png" width="320" /></a></div><div><br /></div><div><br /></div><div>The new artifact was merged into the main GitHub repository for iLEAPP and is now available for everyone to use. <br /></div><div><br /></div><div>A huge thanks to @AlexisBrignoni for all his work on iLEAPP and for all of his help getting the scripts right to add the new artifact. <br /></div><div><br /></div><div><br /></div><div><b>#MVS2020CTF Write-Up (iOS)</b> (DFIR_300, 2020-06-19)</div><div>Here is the last Write-Up for the #MVS2020CTF. During the live competition, I wasn't aware of any "free" tools to analyze iOS systems, so I fell back on Cellebrite PA and was able to find several flags quite easily. After the live event, I found out about <a href="https://www.github.com/abrignoni/iLEAPP" rel="nofollow" target="_blank">#iLEAPP</a> by <a href="https://www.twitter.com/AlexisBrignoni" target="_blank">@AlexisBrignoni</a> and re-processed the iOS data. 
This allowed me to try out a new tool and gave me an opportunity to validate the flags found with PA and iLEAPP, since both tools were generating the same answers. This post will focus on the flags found with iLEAPP to continue with the #OpenSource theme for the #MVS2020CTF. I will have a more detailed post in the coming weeks regarding creating new artifacts for iLEAPP and ALEAPP (the Android parsing tool by @AlexisBrignoni). Without further delay here are the flags that I was able to find. <br /></div><div><br /></div><div>Once again a huge thanks to the folks at Magnet Forensics for putting on a great virtual summit and for putting together a CTF that focused on finding some pretty unique artifacts as flags and encouraged the use of #OpenSource tools.</div><div><br /></div><div><ul style="text-align: left;"><li><b>Account Scout</b></li></ul><div style="margin-left: 40px; text-align: left;">What's the Apple ID email associated with this device<br /></div><br /><div style="margin-left: 40px; text-align: left;">Flag should look like: flag&lt;sally@mail.com&gt; (Don't include flag&lt;&gt;)</div><div style="margin-left: 40px; text-align: left;"><br /></div><div style="margin-left: 40px; text-align: left;"><i>After running the iOS extraction through iLEAPP, we open the main index file for the full report. 
Looking at the Accounts - Account Data we see the flag for the Apple ID as abrunswick8675309@gmail.com.</i></div><div style="margin-left: 40px; text-align: left;"><i><br /></i></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfi5rlUE7MKzd8-zzE5uP_ngpwCkvbDvBVHBoKzr0fQb9xOWj7Kcs9I0Rp1dnWs0R50Y_3Ki5pEZxeC3fzFfFYaS4Zeec_5GBBB97pyP3wVs-n6ubUi4LtIHw63MZl1NDJUiVJZe92ZhkP/s1902/AccountScout.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="619" data-original-width="1902" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfi5rlUE7MKzd8-zzE5uP_ngpwCkvbDvBVHBoKzr0fQb9xOWj7Kcs9I0Rp1dnWs0R50Y_3Ki5pEZxeC3fzFfFYaS4Zeec_5GBBB97pyP3wVs-n6ubUi4LtIHw63MZl1NDJUiVJZe92ZhkP/s320/AccountScout.PNG" width="320" /></a></div><div style="text-align: left;"><br /></div><ul><li><b>What's in the toolbox?</b></li></ul><div style="margin-left: 40px; text-align: left;">What tool was used to perform the acquisition on this device? Note: You only have 1 attempt<br /></div><br /><div style="margin-left: 40px; text-align: left;"> EnCase<br /> Magnet Axiom<br /> Mobile Evidence Acquisition Toolkit<br /> Cellebrite</div><div style="margin-left: 40px; text-align: left;"><br /></div><div style="margin-left: 40px; text-align: left;"><i>Based upon the inclusion of the MEAT Log, the flag for this question is Mobile Evidence Acquisition Toolkit.</i><br /></div><br /><ul style="text-align: left;"><li><b>I would walk 3,264 miles just to hack you tonight</b></li></ul><div style="margin-left: 40px; text-align: left;">What is the name of this user's favorite city in Apple Maps?</div><div style="margin-left: 40px; text-align: left;"><br /></div><div style="margin-left: 40px; text-align: left;"><i>The flag for this question was Loserville, but I don't remember where I found this flag. 
I found this early on before I decided to start a blog and started documenting the process of where the flags were found.</i><br /></div><br /><ul style="text-align: left;"><li><b>Not a HIPAA Violation</b></li></ul><div style="margin-left: 40px; text-align: left;">What medication is this user currently on?</div><div style="margin-left: 40px; text-align: left;"><br /></div><div style="margin-left: 40px; text-align: left;"><i>This flag can be found searching "Medical" in Cellebrite to get the Medications; however it could also be found with a search of "Medical" in Windows Explorer, which brings you to private\var\mobile\Library\MedicalID\MedicalIDData.archive. Open this file in Notepad ++ and you see that the medication is Lysergic Acid Diethylamide.</i></div><div style="margin-left: 40px; text-align: left;"><i><br /></i></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7tbf7NBeSfZb6p5mO0VXTwnVJ-eZIKA8lCEO21hTtSgv-tFRy2k098MKE5pmlm8xayeLU82IyBoqMMis08RVAze8PhM4DF552vyKKglsLrDFV317c22IgkVEn9keB2Xn7Tv1V6yy8Ohk3/s823/HIPAA.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="503" data-original-width="823" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7tbf7NBeSfZb6p5mO0VXTwnVJ-eZIKA8lCEO21hTtSgv-tFRy2k098MKE5pmlm8xayeLU82IyBoqMMis08RVAze8PhM4DF552vyKKglsLrDFV317c22IgkVEn9keB2Xn7Tv1V6yy8Ohk3/s320/HIPAA.PNG" width="320" /></a></div><div style="text-align: left;"><br /></div><ul style="text-align: left;"><li><b>Who am I?</b></li></ul><div style="margin-left: 40px; text-align: left;">What's the name of this device?</div><div style="margin-left: 40px; text-align: left;"><br /></div><div style="margin-left: 40px; text-align: left;"><i>So this could actually be found in multiple places in the iLEAPP report. First it can be found on the Report Home page and then the Device Details Tab as shown below. 
<br /></i></div><div style="margin-left: 40px; text-align: left;"><i><br /></i></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjp62NS5Vaq25QjaWQpjEPsQ84Pfb7kLsM4UC3q2sh_H29SFCfaDhmBhHp-YY6aNiUBqRZk6wdssNiqi4YQevKxhAiKlJ7G64DwISIGkmtCkWIHAHr358xro1WeQKpp1L8mbvy6BvA77e54/s1885/Home.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="763" data-original-width="1885" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjp62NS5Vaq25QjaWQpjEPsQ84Pfb7kLsM4UC3q2sh_H29SFCfaDhmBhHp-YY6aNiUBqRZk6wdssNiqi4YQevKxhAiKlJ7G64DwISIGkmtCkWIHAHr358xro1WeQKpp1L8mbvy6BvA77e54/s320/Home.PNG" width="320" /></a></div><div style="margin-left: 40px; text-align: left;"><i><br /></i></div><div style="margin-left: 40px; text-align: left;"><i>The second location within the iLEAPP Report would be under</i><i> the Data Ark Artifact along the left side of the report. The flag is Alan's Fantastical iPhone</i></div><div style="margin-left: 40px; text-align: left;"><i><br /></i></div><div style="text-align: left;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPTOmHAf4ejZdQ7qouv0M1znl29dqIRybPU4QD1xqdNI4tRpXLuvznN4hH0mjDb0k9cbAbtokq9FjxTsbHtnURg4PMFoAS7UQJVtxnPtC78tBd-5b8dBmu-xnGYiupp4RDeCgjHNGD8v4Q/s1863/whoami.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="941" data-original-width="1863" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPTOmHAf4ejZdQ7qouv0M1znl29dqIRybPU4QD1xqdNI4tRpXLuvznN4hH0mjDb0k9cbAbtokq9FjxTsbHtnURg4PMFoAS7UQJVtxnPtC78tBd-5b8dBmu-xnGYiupp4RDeCgjHNGD8v4Q/s320/whoami.PNG" width="320" /></a></div></div><br /><ul style="text-align: left;"><li><b>Ye ole 9 to 5</b></li></ul><div style="margin-left: 40px; text-align: left;">What is the company associated with the contact 
"Chester Russell"?</div><div style="margin-left: 40px; text-align: left;"><br /></div><div style="margin-left: 40px; text-align: left;"><i>This was another flag that was found early on and I only found it in the Cellebrite PA Report. In the contacts section you can see that Chester Russell has the company "APT802" listed.</i><br /></div><br /><ul style="text-align: left;"><li><b>Back in my day we weren't glued to our phones</b></li></ul><div style="margin-left: 40px; text-align: left;">How many seconds did the user have Safari open between the hours of 12:00:00 and 20:00:00 on March 23rd, 2020?<br /></div><br /><div style="margin-left: 40px; text-align: left;">Only enter the number</div><div style="margin-left: 40px; text-align: left;"><br /></div><div style="margin-left: 40px; text-align: left;"><i>I did not find the flag for this question.</i><br /></div><br /><ul style="text-align: left;"><li><b>Creeper aw man</b></li></ul><div style="margin-left: 40px; text-align: left;">Looks like a MineCraft server was hosted on this device?? Find the username of a player who has joined</div><div style="margin-left: 40px; text-align: left;"><br /></div><div style="margin-left: 40px; text-align: left;"><i>For this flag it was more of a manual process. I started by using the search within Windows Explorer to look for "Minecraft" within the iOS extraction. This produced a result of a settings.ini that let me to the directory of usr\dev\cuberite\Server\Players\67\ where there was a .json file. 
I opened the .json file in Notepad++ using the JSON plugin and found the flag of <br /></i></div><div style="margin-left: 40px; text-align: left;"><i>"Thad_Castle_"</i></div><div style="margin-left: 40px; text-align: left;"><i><br /></i></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjaeGu9NGLKiHfhdQOij8CwBwmOx3hoSVk0VLlO53OJsmPCf8ttKT5WU1R-aX6QTwTPMcb3F2n2rByWN_Rzgmwunt5blzB5Kk_YOmMGhni4iu8s80uUG38b4lKzUu6y5eoDTG0a7qSzdfiQ/s890/creeper1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="132" data-original-width="890" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjaeGu9NGLKiHfhdQOij8CwBwmOx3hoSVk0VLlO53OJsmPCf8ttKT5WU1R-aX6QTwTPMcb3F2n2rByWN_Rzgmwunt5blzB5Kk_YOmMGhni4iu8s80uUG38b4lKzUu6y5eoDTG0a7qSzdfiQ/s320/creeper1.PNG" width="320" /></a></div><div style="text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhV5Y7GQ8ErTYuTEFD2xbR7tf3byCdR-hgUqEBnmf4-CrxedvNQGlZlVszBabznQmqltwcBEG3ZPrNY-Plh-LQ6bpxg8w3riFIydImue07zerqsusoQs0MKLoe9nu4fLK-m5mHNF1fcXPgc/s1129/Creeper.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="659" data-original-width="1129" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhV5Y7GQ8ErTYuTEFD2xbR7tf3byCdR-hgUqEBnmf4-CrxedvNQGlZlVszBabznQmqltwcBEG3ZPrNY-Plh-LQ6bpxg8w3riFIydImue07zerqsusoQs0MKLoe9nu4fLK-m5mHNF1fcXPgc/s320/Creeper.PNG" width="320" /></a></div><br /><ul><li><b>Hackerman</b></li></ul><div style="margin-left: 40px; text-align: left;">What is the first IP address that this user targeted via a popular hacking tool?</div><div style="margin-left: 40px; text-align: left;"><br /></div><div style="margin-left: 40px; text-align: left;"><i>I didn't find the flag for this question, but after reading other 
Write-Ups I see where I overlooked the bash history for the app. </i><br /></div><br /><ul style="text-align: left;"><li><b>Near Flag Communication</b></li></ul><div style="margin-left: 40px; text-align: left;">What is the Tag ID of the scanned NFC tag? Remember MC questions have a 1 attempt limit<br /></div><br /><div style="margin-left: 40px; text-align: left;"> 377EE22E104347<br /> AD2A7A3E3C63F7<br /> 96C8E50757329E<br /> E5DB5FE6A6984D<br /> 041146220F5E80<br /> 2D52E5017D690E<br /> 64DCD00FD51BFB<br /> 64DCD00FD51B03<br /> 925F65AC9786B6<br /></div></div><div><span><br /></span></div><div><div style="margin-left: 40px; text-align: left;"><i>I did not find the flag for this question.</i><br /></div><ul style="text-align: left;"><li><b>Check out my Spotify</b></li></ul><div style="margin-left: 40px; text-align: left;">This user's Spotify playlist is looking a bit suspicious..?</div><div style="margin-left: 40px; text-align: left;"><br /></div><div style="margin-left: 40px; text-align: left;"><i>So this one took up quite a bit of time, but ultimately did not find the flag with the iOS data. While searching for a different flag, I came across several Twitter Direct Message notification emails in the Google Takeout Mbox file. 
<br /></i></div><div style="margin-left: 40px; text-align: left;"><i><br /></i></div><div style="text-align: left;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjiulqy49WHCZ9G65e9kJD5azb8omtU1VNX7Zxnqp1iggGvWPPK9eFoSe7zl93BqaKNx2cK078_1Rnrr83FYR9LCVJL7nT2yieLWIGdSHpNMiNWUo6rPaaDqvmm5O4hEQlmmv1d0r4xEDvH/s1780/Spotify1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="978" data-original-width="1780" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjiulqy49WHCZ9G65e9kJD5azb8omtU1VNX7Zxnqp1iggGvWPPK9eFoSe7zl93BqaKNx2cK078_1Rnrr83FYR9LCVJL7nT2yieLWIGdSHpNMiNWUo6rPaaDqvmm5O4hEQlmmv1d0r4xEDvH/s320/Spotify1.PNG" width="320" /></a></div></div><div style="margin-left: 40px; text-align: left;"><i><br /></i></div><div style="margin-left: 40px; text-align: left;"><i>There was mention of Spotify, so I started to follow the links sent in the DM email notifications and landed on a Spotify playlist. 
<br /></i></div><div style="margin-left: 40px; text-align: left;"><i><br /></i></div><div style="text-align: left;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgk2nlPKL3YJ79rcPsWP2-eccZv4VNebSTlpaG9cqFBX4Ao0OsHDl3q-APz8rY0_Z7-MNcb7472ON3JIoSY8lx8xl01jj1rFUrs0XOr9GvgNBvK0Mu6v5Fo1Opk_1XvcV80nqM5TB94sXgZ/s1779/spotify3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="997" data-original-width="1779" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgk2nlPKL3YJ79rcPsWP2-eccZv4VNebSTlpaG9cqFBX4Ao0OsHDl3q-APz8rY0_Z7-MNcb7472ON3JIoSY8lx8xl01jj1rFUrs0XOr9GvgNBvK0Mu6v5Fo1Opk_1XvcV80nqM5TB94sXgZ/s320/spotify3.PNG" width="320" /></a></div><i></i></div><div style="margin-left: 40px; text-align: left;"><i><br /></i></div><div style="margin-left: 40px; text-align: left;"><i>The flag is comprised of the three songs on the playlist "</i><br /></div></div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNK0Di-JGFFkK75Gl7zXQZfrWtYrZDh9xd02YgPWfq490oZbkXWFGi6rgagNWU8sL7MEYMiMARielh1BRtDysFn-iygIOECtFOzeqnPVMwoIN49venLQRWLeonhnrTf-adazlBrxk_pG0h/s1598/Spotify2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="775" data-original-width="1598" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNK0Di-JGFFkK75Gl7zXQZfrWtYrZDh9xd02YgPWfq490oZbkXWFGi6rgagNWU8sL7MEYMiMARielh1BRtDysFn-iygIOECtFOzeqnPVMwoIN49venLQRWLeonhnrTf-adazlBrxk_pG0h/s320/Spotify2.PNG" width="320" /></a></div><div><br /><ul style="text-align: left;"><li><b>Plug it in plug it innnn</b></li></ul><div style="margin-left: 40px; text-align: left;">What is the name of the computer that was used to sync with this device?</div><div style="margin-left: 40px; text-align: left;"><br /></div><div 
style="margin-left: 40px; text-align: left;"><i>This flag again can be found in multiple places. One place is again iLEAPP Report Home on the Device Details Tab. The second place is the Connected Devices Report. The flag was DESKTOP-A108NFK.</i></div><div style="text-align: left;"><i><br /></i></div><div style="text-align: left;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgH_OA7QMfwobFJuu9P-or3FXWW_1kJbS4UX054uTlSuKOVzo2SOoEJnq6tuffp6t8dMczvoMcwoE-3UI-jk5C_hgTuLJ-Tllqy84lLI-sS2FGiB5WrguMxtvoWAv83CeDuTSfshIWN2_Dh/s1895/Plugit+In.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="653" data-original-width="1895" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgH_OA7QMfwobFJuu9P-or3FXWW_1kJbS4UX054uTlSuKOVzo2SOoEJnq6tuffp6t8dMczvoMcwoE-3UI-jk5C_hgTuLJ-Tllqy84lLI-sS2FGiB5WrguMxtvoWAv83CeDuTSfshIWN2_Dh/s320/Plugit+In.PNG" width="320" /></a></div></div><div style="margin-left: 40px; text-align: left;"><br /></div><ul style="text-align: left;"><li><b>SNAP.. 
That's going int my cringe compilation</b></li></ul><div style="margin-left: 40px; text-align: left;">How many applications have iOS Snapshots?</div><div style="margin-left: 40px; text-align: left;"><br /></div><div style="margin-left: 40px; text-align: left;"><i>I did not find the flag for this question.</i><br /></div><br /><ul style="text-align: left;"><li><b>Spraaang Breaaaak</b></li></ul><div style="margin-left: 40px; text-align: left;">How many guests were registered in the trip to Disney?<br /></div><br /><div style="margin-left: 40px; text-align: left;">Warning: You only have 3 attempts at this</div><div style="margin-left: 40px; text-align: left;"><br /></div><div style="margin-left: 40px; text-align: left;"><i>I did not find the flag for this question.</i></div><div style="margin-left: 40px; text-align: left;"><i><br /></i></div><div style="text-align: left;">I encourage everyone to go and check out iLEAPP by Alexis Brignoni and the YouTube videos he is putting together. Get involved in the community, support and contribute to Open Source Developers, but above all get out of your comfort zone and participate in a CTF. 
<br /><i></i></div></div>DFIR_300http://www.blogger.com/profile/05165365281946383442noreply@blogger.com1tag:blogger.com,1999:blog-9182408115818127901.post-30093508010037806862020-06-17T14:38:00.001-05:002020-06-17T14:38:46.952-05:00#MVS2020CTF Write-Up (Windows)<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyah0BLuGUUiypql0AurEKsaYYw0OvNzfKTM7mKpA3LVGQwEhcFBmcq4xIoSj_Kr4P_lwb_zJAIp4xr2ASLH_Jk8NyL9ma2ggikz3Oly_6R4p-bUo3E-7ABVsLnm86QrHuBe9R2yZkaUHZ/s500/WIN95.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="379" data-original-width="500" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyah0BLuGUUiypql0AurEKsaYYw0OvNzfKTM7mKpA3LVGQwEhcFBmcq4xIoSj_Kr4P_lwb_zJAIp4xr2ASLH_Jk8NyL9ma2ggikz3Oly_6R4p-bUo3E-7ABVsLnm86QrHuBe9R2yZkaUHZ/s320/WIN95.jpg" style="display: none;" width="320" /></a></div><div></div><div>Here we have the Windows questions and solutions that were part of the 2020 Magnet Virtual Summit CTF. Again keeping with the theme of using #OpenSource or free software, I used Autopsy to process the forensic image, and also used UnFurl, IrfanView, StegHide, OpenStego, and CyberChef to help with other questions. As you will see below, I did not find all of the solutions, but I hope the information I provide is helpful to anyone who has never tried a CTF or is new to DFIR. 
<br /></div><div><br /></div><div><ul style="text-align: left;"><li><b>Begin Exam Try 2</b></li></ul></div><div style="margin-left: 40px; text-align: left;">When did the windows image acquisition start?<br /></div><br /><div style="margin-left: 40px; text-align: left;">Answer in YYYY-MM-DD HH:MM:SS</div><div style="margin-left: 40px; text-align: left;"><br /></div><div style="margin-left: 40px; text-align: left;"><i>So initially I believe this question asked who the examiner was, and after 10-15 minutes of digging around for the solution (Expecting to find it in the DFA_Windows.E01.txt), I reloaded my browser and saw the "Try 2". So looking at the same text file, we find that the "Flag" is 2020-04-22 17:55:30. This is documented under Image Information, as the Acquisition Started Time Stamp, which needed to be converted from Wed Apr 22 17:55:30 2020 to the Flag Format provided. </i><br /></div><br /><ul style="text-align: left;"><li><b>Call Me Maybe?</b></li></ul><div style="margin-left: 40px; text-align: left;">What is the user's phone number? 
(Format: 555-555-5555)</div><div style="margin-left: 40px; text-align: left;"><br /></div><div style="margin-left: 40px; text-align: left;"><i>After processing the Windows Image using Autopsy, I looked in the Web Form Autofill results, where the flag of 802-265-5115 was located.</i><br /></div><div></div><div style="text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0EMUzlz1j1CphYXuAO1U4DBhTcW4sE37vpZwcIgahjfl8-SJzlMecdNcgYv-QwoxnKxJwqCHwTulYRDnr-Q7OQIpI1Vw_R7eUwbarDilujQzLySJBjmWl8ZqCOmneWuHqkY9jmnLUorTi/s1776/Autofill_Phone.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="991" data-original-width="1776" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0EMUzlz1j1CphYXuAO1U4DBhTcW4sE37vpZwcIgahjfl8-SJzlMecdNcgYv-QwoxnKxJwqCHwTulYRDnr-Q7OQIpI1Vw_R7eUwbarDilujQzLySJBjmWl8ZqCOmneWuHqkY9jmnLUorTi/s320/Autofill_Phone.PNG" width="320" /></a></div><div style="text-align: left;"><br /><ul><li><b>Feelin' Lucky?</b></li></ul><div style="margin-left: 40px; text-align: left;">How many people won Quarterly Drawing 31?<br /></div><br /><div style="margin-left: 40px; text-align: left;"> 1<br /> 10<br /> 100<br /> 1,000<br /> 10,000<br /> 100,000<br /></div><br /></div><div style="margin-left: 40px; text-align: left;"><i>This was a multiple choice question, but I didn't find the solution. 
</i><br /></div><div style="text-align: left;"><br /></div><div style="text-align: left;"><ul style="text-align: left;"><li><b>Update the Résumé</b></li></ul><div style="margin-left: 40px; text-align: left;">When did the user start working in their current position?<br /></div><br /><div style="margin-left: 40px; text-align: left;">(Example: flag&lt;July 1776&gt;)</div><div style="margin-left: 40px; text-align: left;"><br /></div><div style="margin-left: 40px; text-align: left;"><i>This was another question that I did not solve, despite going through User Documents, Keyword Searches, Filtering by File Type looking for a CV or Resume. After reading over the write-up by <a href="https://www.twitter.com/KevinPagano3" target="_blank">@KevinPagano3</a> on stark4n6.com, the solution required combining the Chrome Login artifact for a LinkedIn account along with some OSINT to find the flag of July 2014.</i><br /></div><br /><ul><li><b>Another day, another dollar</b></li></ul><div style="margin-left: 40px; text-align: left;">How many times did Warren sign in to his machine?</div><div style="margin-left: 40px; text-align: left;"><br /></div><div style="margin-left: 40px; text-align: left;"><i>This flag was found in the Autopsy Extracted Content, under Operating System User Account, then looking at the Username Warren. 
When you scroll down, the count with the most recent accessed date can be seen as 24.</i></div><div style="margin-left: 40px; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnLum78vhURtMAiECeC9lofFQrB0H0Z_OdnANGls2wH9-HudbtqIeXJEvKrryjZMYRaakqGKVVY7Y1-UA7Ldgp-qHPtJz-deW0YivjrZryhBZkBKbLw0ApBUM2a9mXIbWCyCvxTYLsv07U/s1777/Another_Day_Login.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="992" data-original-width="1777" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnLum78vhURtMAiECeC9lofFQrB0H0Z_OdnANGls2wH9-HudbtqIeXJEvKrryjZMYRaakqGKVVY7Y1-UA7Ldgp-qHPtJz-deW0YivjrZryhBZkBKbLw0ApBUM2a9mXIbWCyCvxTYLsv07U/s320/Another_Day_Login.PNG" width="320" /></a></div><div style="text-align: left;"><br /></div><ul style="text-align: left;"><li><b>Hash Crash</b></li></ul><div style="margin-left: 40px; text-align: left;">What is the earliest created file associated with the following MD5: 3d908e1b40140c1e0167603ffca07701</div><div style="margin-left: 40px; text-align: left;"><br /></div><div style="margin-left: 40px; text-align: left;"><i>For this flag, I created a new Hashset within Autopsy, and the files with the MD5 hash show up under Hashset Hits under the name of the Hashset. The flag is AccessMUISet.msi, as its created date is the earliest. 
</i><br /></div></div><div style="text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUMfjMMsdtH7xiKF1wG4z7EksQ9jRR-80RhiX3pxurBJlh82aQWu1NWZYwHkUbK_QHbnA5LccuUxUsXyZjjLlIi4o3ou01rDpdSuX5_leTqgL2U68XVsFblda6y0oG3HfvL1IeQ_DlaVSf/s1781/Hash_Crash.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="941" data-original-width="1781" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUMfjMMsdtH7xiKF1wG4z7EksQ9jRR-80RhiX3pxurBJlh82aQWu1NWZYwHkUbK_QHbnA5LccuUxUsXyZjjLlIi4o3ou01rDpdSuX5_leTqgL2U68XVsFblda6y0oG3HfvL1IeQ_DlaVSf/s320/Hash_Crash.PNG" width="320" /></a></div><div style="text-align: left;"><br /><ul style="text-align: left;"><li><b>Sticky Situation</b></li></ul><div style="margin-left: 40px; text-align: left;">How many dollars does the user CURRENTLY owe from gambling? Format 99,900</div><div style="margin-left: 40px; text-align: left;"><br /></div><div style="margin-left: 40px; text-align: left;"><i>I did not find the flag for this question.</i><br /></div><br /><ul style="text-align: left;"><li><b>Money, money, money, Money!</b></li></ul><div style="margin-left: 40px; text-align: left;">How many dollars to directly buy in to the tournament on Sunday?</div><div style="margin-left: 40px; text-align: left;"><br /></div><div style="margin-left: 40px; text-align: left;"><i>This flag was found using a keyword search in Autopsy for "tournament". A link in the Chrome History shows a website URL for a Poker Tournament. 
A quick copy/paste of the URL into a browser brings us to a website where the buy in for Sunday Tournaments is shown as $162.</i></div></div><div style="text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrvuIGvDqXuO42Zx4XNGzvKMaVSIDDN3SksUI3MhTdJcBSubEFri5DgiIsYzE14BvTEIarYHgiz00BV-E6mJmJmPhrxV3-iT_Ye_dDEo2GUCoL7df5ShAeccxhdCHKad6cbVrvJCwdArkG/s1203/Money%252C+Money+Money+162.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="909" data-original-width="1203" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrvuIGvDqXuO42Zx4XNGzvKMaVSIDDN3SksUI3MhTdJcBSubEFri5DgiIsYzE14BvTEIarYHgiz00BV-E6mJmJmPhrxV3-iT_Ye_dDEo2GUCoL7df5ShAeccxhdCHKad6cbVrvJCwdArkG/s320/Money%252C+Money+Money+162.PNG" width="320" /></a></div><div style="text-align: left;"><br /><ul style="text-align: left;"><li><b>Sorry, eh?</b></li></ul><div style="margin-left: 40px; text-align: left;">When was the image downloaded from www.sciencenews.org viewed? Format MM/DD/YYYY HH:MM:SS (24 hour clock) ex 05/12/2020 17:45:00</div></div><div style="text-align: left;"><br /></div><div style="margin-left: 40px; text-align: left;"><i>Searching for the URL produced the data associated with the download, but those times were not accepted as the flag. I later found, again from the write-up by <a href="https://www.twitter.com/KevinPagano3" target="_blank">@KevinPagano3</a>, that the time of opening was from the LNK file associated with the downloaded file. Half Credit doesn't get any points in a CTF. 
</i><br /></div><div style="text-align: left;"><br /></div><div style="text-align: left;"><ul style="text-align: left;"><li><b>Stay PAWsitive</b></li></ul><div style="margin-left: 40px; text-align: left;">What is the name of the movie written in the text file within a PNG?</div><div style="margin-left: 40px; text-align: left;"><br /></div><div style="margin-left: 40px; text-align: left;"><i>I spent quite a bit of time on this question, as I was certain based on the "PAW" clue that the flag could be found within the /Users/Warren/Documents/Cats directory. All three files were named with "motivational" phrases, and the actual images were motivational memes, which matched the clue in the question. Only one of the files was a .PNG and it was also much larger than the other files. After exporting the file I used Steghide, a steganography tool, but had no luck. I then imported the file into CyberChef and again had no luck. I then tried Steghide again, using various passwords that were in the E01, which all yielded nothing. 
<br /></i></div><div style="margin-left: 40px; text-align: left;"><i><br /></i></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhK8RO1g1nLGVWg2ucsEawJ2mUVXKad_9YP0I_CcsKtRTwXT09iVs2fZQMcSTTcIrxexnmPLhIy-ghDHp4rv6Hn6WKkisqJRL95x02enSZ6D5xPJv-BnJGiqDHPofLbUlD82TsJN2LdeKIK/s1780/stego1.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="565" data-original-width="1780" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhK8RO1g1nLGVWg2ucsEawJ2mUVXKad_9YP0I_CcsKtRTwXT09iVs2fZQMcSTTcIrxexnmPLhIy-ghDHp4rv6Hn6WKkisqJRL95x02enSZ6D5xPJv-BnJGiqDHPofLbUlD82TsJN2LdeKIK/s320/stego1.PNG" width="320" /></a></div><div style="margin-left: 40px; text-align: left;"><br /></div><div style="margin-left: 40px; text-align: left;"><i> I then started to discuss the CTF with <a href="https://www.twitter.com/evandrix" target="_blank">@Evandrix</a>
who had completed all of the questions. He then pointed me towards a
tool called OpenStego, which immediately without a password extracted
the text file, revealing the flag of Godzilla. <br /></i></div><div style="margin-left: 40px; text-align: left;"><i><br /></i></div><div style="text-align: left;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRSnlQAJwgYWtiMa-xh1PRzBgKkZ3CIdbvYr8eSgUoSiEKtAMebQ4QuZnYiPyR-FgAA6g8g54ACoS17DeUGz44vWWXr_sxCSbUFIbzSyX4MZ1voliBhMkI1zspUOLURUmKnyqpAwTnWJdF/s1042/stego.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="662" data-original-width="1042" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRSnlQAJwgYWtiMa-xh1PRzBgKkZ3CIdbvYr8eSgUoSiEKtAMebQ4QuZnYiPyR-FgAA6g8g54ACoS17DeUGz44vWWXr_sxCSbUFIbzSyX4MZ1voliBhMkI1zspUOLURUmKnyqpAwTnWJdF/s320/stego.PNG" width="320" /></a></div><i></i></div><br /><ul style="text-align: left;"><li><b>What happens when you text and drive?</b></li></ul><div style="margin-left: 40px; text-align: left;">Name the bug check code in the most recent Windows crash (Blue Screen)</div><div style="margin-left: 40px; text-align: left;"><br /></div><div style="margin-left: 40px; text-align: left;"><i>I did not find the Flag for this question.</i><br /></div><br /><ul style="text-align: left;"><li><b>You're GUIDing, right?</b></li></ul><div style="margin-left: 40px; text-align: left;">What is the GUID for the application that was last used to access C:\Users\Warren\Documents?</div><div style="margin-left: 40px; text-align: left;"><br /></div><div style="margin-left: 40px; text-align: left;"><i>I did not find the Flag for this question.</i><br /></div><br /><ul style="text-align: left;"><li><b>Poker, I don't even...</b></li></ul><div style="margin-left: 40px; text-align: left;">How many total seconds did the user spend on the page when they searched for quick online poker? 
format: x.xxx</div><div style="margin-left: 40px; text-align: left;"><br /></div><div style="margin-left: 40px; text-align: left;"><i>At first I thought this would be a straightforward solution. Using a keyword search in Autopsy for "quick online poker" yielded several results; I focused on the results that were an exact match but couldn't find anything related to the time spent on the page. As the #MVS2020 sessions continued, I attended the "Ask Us Anything" Session, where there was a discussion about a tool called UnFurl. I downloaded the tool and set up all of the requirements (there is also an online/web version available). I continued to focus on the exact match of the term, but still was not able to find the correct flag. Again I discussed the CTF with <a href="https://www.twitter.com/evandrix" target="_blank">@Evandrix</a>, who suggested that I look at the other results for the search, which led me to the flag of 6.294. <br /></i></div><div style="margin-left: 40px; text-align: left;"><i><br /></i></div><div style="text-align: left;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-LjwjMYHCHjMem7Fm6MQNN64Ly9keBkuUwnIwdzdb6ZeW-1Fc9zm2kk3e1Sdh1CvZWeCTvW4W0POcEz9yjUzPQrdF0hdVZn5gu_S_W9-lGF8twMlqbzIWrN3oUBXHOqJa83WVGAdUa9tl/s1804/unfurl.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="660" data-original-width="1804" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-LjwjMYHCHjMem7Fm6MQNN64Ly9keBkuUwnIwdzdb6ZeW-1Fc9zm2kk3e1Sdh1CvZWeCTvW4W0POcEz9yjUzPQrdF0hdVZn5gu_S_W9-lGF8twMlqbzIWrN3oUBXHOqJa83WVGAdUa9tl/s320/unfurl.png" width="320" /></a></div><div class="separator" style="clear: both; text-align: center;"><a
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSK1E6LW8RjSZIj-BopwULND8oI5QGf7UaemwpSLZNDtkcnpS6pQH5nsuSOaYy_E-rTvBDw3LYkHnrNUGdJhnP4xvoF6OnVpVXOg3XVIQO13vAzlcWRAgHIdFlzEzI1kEfFNqRK1mK11bX/s708/unfurl2.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="222" data-original-width="708" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSK1E6LW8RjSZIj-BopwULND8oI5QGf7UaemwpSLZNDtkcnpS6pQH5nsuSOaYy_E-rTvBDw3LYkHnrNUGdJhnP4xvoF6OnVpVXOg3XVIQO13vAzlcWRAgHIdFlzEzI1kEfFNqRK1mK11bX/s320/unfurl2.png" width="320" /></a></div><i><br /></i></div><div style="margin-left: 40px; text-align: left;"><i><br /></i></div><div style="text-align: left;">Overall a great experience, which tested my knowledge on particular artifacts, and allowed me to add to my toolbox of free and open-source tools. <br /><i></i></div><div style="margin-left: 40px; text-align: left;"><i></i><br /></div></div>DFIR_300http://www.blogger.com/profile/05165365281946383442noreply@blogger.com0tag:blogger.com,1999:blog-9182408115818127901.post-66634643875999471992020-06-05T01:42:00.000-05:002020-06-05T01:42:06.712-05:00#MVS2020CTF Write-Up (Memory)<div style="text-align: left;">This post will be short as it only covers the Memory Section of the Magnet Virtual Summit 2020 CTF and I didn't find all of the solutions. Once again this was my first time analyzing memory, and was mainly completed from notes that I had taken during the presentation by @melton_tarah, and coupling that with prior experience cracking passwords. <br /></div><div style="text-align: left;"></div><div style="text-align: left;"><br /></div><div style="text-align: left;"><u><b>Memory</b></u><br /></div><div><ul style="text-align: left;"><li>How's Your Memory? 
- Which memory profile best fits the system?</li></ul><div style="margin-left: 40px;"> Win8SP0x64<br /> Win7SP1x86<br /> VistaSP1x64<br /> Win7SP0x86<br /> Win10x86<br /> Win7SP1x64<br /> WinXPSP1x64<br /> Win10x64</div><div style="text-align: left;"><br /></div><div style="margin-left: 40px; text-align: left;"><i>Win7SP1x64 - The profile is found by using the imageinfo command for Volatility as seen in the image below. <br /></i></div><div style="margin-left: 40px; text-align: left;"><i><br /></i></div><div style="text-align: left;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-3Je3eK-wHW-QRp8kPentRZxIiUHXC9VOZoJ3-kMvmpZJbypQWy3MWcY1GyME_dLHZF_xybmyI-GXBMH8N3MFFPtqRQwjY2JzTlvOFRPn0X3UNCp91NwjHVqrXjDQm9HV8lAiya9J2Dei/s1276/Profile.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="363" data-original-width="1276" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-3Je3eK-wHW-QRp8kPentRZxIiUHXC9VOZoJ3-kMvmpZJbypQWy3MWcY1GyME_dLHZF_xybmyI-GXBMH8N3MFFPtqRQwjY2JzTlvOFRPn0X3UNCp91NwjHVqrXjDQm9HV8lAiya9J2Dei/s320/Profile.PNG" width="320" /></a></div></div><div style="margin-left: 40px; text-align: left;"><i><br /></i></div><br /><ul style="text-align: left;"><li>Hash Slinging - What is the LM hash of the user's account?</li></ul></div><div style="margin-left: 40px; text-align: left;"><i>aad3b435b51404eeaad3b435b51404ee - This flag is found using the hashdump command in Volatility and then taking the hash from the Warren account. 
<br /></i></div><div style="margin-left: 40px; text-align: left;"><i></i><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqhVrIaLEQqODluDV545Qs2jQzfB-MfiOzDIFpmf-o4ARs6ojiIgEN6wVjEB032HuWVDR0DqzY0syOyCLBievG7MWK_isvXc2mCyFoHyg7dk5TL0yWfrWTNv2T2ce_5JqUxxLzz2hzYPTp/s1274/LM+HashDump.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="132" data-original-width="1274" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqhVrIaLEQqODluDV545Qs2jQzfB-MfiOzDIFpmf-o4ARs6ojiIgEN6wVjEB032HuWVDR0DqzY0syOyCLBievG7MWK_isvXc2mCyFoHyg7dk5TL0yWfrWTNv2T2ce_5JqUxxLzz2hzYPTp/s320/LM+HashDump.PNG" width="320" /></a></div><div><br /><ul style="text-align: left;"><li>Cache Money - What is Warren's Ignition Casino password? (Case Sensitive!!!!)</li></ul><div style="margin-left: 40px; text-align: left;"><i>WHbigboy123 - The lsadump command in Volatility revealed a password of warrenhbigboy123. I then used BulkExtractor to pull strings from the memory with the wordlist function. Once the memory sample was processed in BulkExtractor, I searched for the root word/phrase of "bigboy". 
This strategy which has been helpful in password cracking competitions as well as defeating encryption during investigations from password re-use paid off once again and the flag was found (as seen in the image below).</i></div><div style="margin-left: 40px; text-align: left;"><i><br /></i></div><div style="margin-left: 40px; text-align: left;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjj64WEQ6zzWbCnYTV2z9Oam6Cq1j5E0rMwGgxE65vCGqMQOjrv16SSIzkz369pDUPCpy8MyIiVy4wzX0JDJ2UZiZlGGjt9MFSX7UQrlIwvAFKBAVAKfmcXj52NvtdjyE53dbPqD6vJwEyx/s1277/lsaDump.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="304" data-original-width="1277" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjj64WEQ6zzWbCnYTV2z9Oam6Cq1j5E0rMwGgxE65vCGqMQOjrv16SSIzkz369pDUPCpy8MyIiVy4wzX0JDJ2UZiZlGGjt9MFSX7UQrlIwvAFKBAVAKfmcXj52NvtdjyE53dbPqD6vJwEyx/s320/lsaDump.PNG" width="320" /></a></div><i><br /></i></div><div style="margin-left: 40px; text-align: left;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyLtxrpdfABH9v0PcqciaGKF6XPziJ320yhS9ScLwBaB-HT64AqfOU-_p7j9cHNQ_lbOM66D2CdSFaPdt8QxaWAa6WWG_vQg-KMFQj_6a_Ezx8Vmk6fqEGH6AEjhnXYaELv7prMrA3ISwB/s1260/BulkExtractor.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1260" data-original-width="1075" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyLtxrpdfABH9v0PcqciaGKF6XPziJ320yhS9ScLwBaB-HT64AqfOU-_p7j9cHNQ_lbOM66D2CdSFaPdt8QxaWAa6WWG_vQg-KMFQj_6a_Ezx8Vmk6fqEGH6AEjhnXYaELv7prMrA3ISwB/s320/BulkExtractor.PNG" /></a></div><i><br /></i></div><div style="margin-left: 40px; text-align: left;"><i> </i></div><ul style="text-align: left;"><li>Never Tell Me The Odds... - It seems like Warren may have let his addictions slip into his work life... 
Find the program in question, recover it from memory, and give the SHA1 hash.</li></ul></div><div style="margin-left: 40px; text-align: left;"><i>I did not find this solution...</i><br /></div>DFIR_300http://www.blogger.com/profile/05165365281946383442noreply@blogger.com0tag:blogger.com,1999:blog-9182408115818127901.post-25042133269785372952020-06-04T10:50:00.001-05:002020-06-04T10:50:11.239-05:00#MVS2020CTF Write-Up (Egg Hunt)<div><span style="background-color: black;"><span></span></span>This post will cover a walk through of the solutions that I was able to find for the Egg Hunt section of the 2020 Magnet Forensics Virtual Summit CTF. This was solved using GCHQ CyberChef (https://gchq.github.io/CyberChef/). </div><div><br /></div><div><u><b>Egg Hunt</b></u></div><div><u><b><br /></b></u></div><div>NOTE: The FULL block of text below IS the puzzle, for each level, please
copy the NEW block of text located below the now decoded portion.<br /><br />Puzzle starts here (Copy ALL text below):<br /><br />Zpv
ibwf gpvoe uif CMVF fhh! Uif ofyu qjfdf pg uif qvaamf jt: Mci vojs
tcibr hvs UFSSB suu (gsqfsh kcfr = Cbwcb)... hvs bslh dwsqs ct hvs
dinnzs wg :
KK91WUvvraIuNa91paEurUvzWS9GEI5VFGPzN2qiZw4urUvzWU5zsVEuqUzzM2Iup2MurUvzWVP1sbdgNGPdqmOco2J5WR0upKTbpaJ0YHcYo29vWVJzp3SuNbJcqbquNavfWUJdrmPlN20iZw4uN2l4WVdzNUqurUXlM2guMacupLFzWVNcNVB4NGPjNxcYMaJ5rU9ho2SvWU5gpQPcqVz5rmPhNbcupLvjM2zlWU9arQ4iZwPhNbcupaT6swPzpRcuqav6qkcY<ul style="text-align: left;"><li>Quit ROMAN around and find the ONE egg - What is the color of the first egg?</li></ul></div><div style="margin-left: 40px; text-align: left;"><i><span style="background-color: white;">BLUE - By </span>taking the entire text from above and pasting it into the input field on CyberChef, and using the clue of ROMAN, I used the ROT13 decode option and began to change the number of rotations down. At 12 I could see the second line decode, so using the second clue of ONE, I went to -1 and found the answer, which would lead me to see that the second question could be decoded with a plain ROT13. </i><br /></div><div style="margin-left: 40px; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsxyBkf_7uS8JooiciJGOA_bnpuiYdqIeeC-X0eZRagOlibWl1_T3-92-kR7WypxhGb8v16l8Fstp5rc4cNPt5ZjNvy8T4eLUkCyrU8gXfkG3W-3KXIiAdqYW3G6QMbS0nb7lbxShukE5B/s1094/Egg_1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="505" data-original-width="1094" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsxyBkf_7uS8JooiciJGOA_bnpuiYdqIeeC-X0eZRagOlibWl1_T3-92-kR7WypxhGb8v16l8Fstp5rc4cNPt5ZjNvy8T4eLUkCyrU8gXfkG3W-3KXIiAdqYW3G6QMbS0nb7lbxShukE5B/s320/Egg_1.PNG" width="320" /></a></div><div style="margin-left: 40px; text-align: left;"><br /></div><div style="text-align: left;"><ul style="text-align: left;"><li>Last one there is a ROTten egg - What is the special word?</li></ul></div><div style="margin-left: 40px; text-align: left;"><i>Onion - Again using CyberChef, we use the plain ROT13 rotation to find the flag. 
<br /></i></div><div style="margin-left: 40px; text-align: left;"><i><br /></i></div><div style="margin-left: 40px; text-align: left;"><i></i><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidJZcXx9wr00_AKMRhb9Mn4IO9N4Cub0p2hYL0Z8OMAlaPw37JokZjayKf95KxovmbWqCnHKJfpV34HtMNCurnI5viBrAsK9E4ZgPbYLLAkpLgmv2YHnOY9jvcKeJUF4jPSv_krv2CyTqD/s1092/Egg_2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="625" data-original-width="1092" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidJZcXx9wr00_AKMRhb9Mn4IO9N4Cub0p2hYL0Z8OMAlaPw37JokZjayKf95KxovmbWqCnHKJfpV34HtMNCurnI5viBrAsK9E4ZgPbYLLAkpLgmv2YHnOY9jvcKeJUF4jPSv_krv2CyTqD/s320/Egg_2.PNG" width="320" /></a></div><div><ul style="text-align: left;"><li>Probably the most baseline egg - How is the Orange Egg encoded?</li></ul></div><div style="margin-left: 40px; text-align: left;"><i>Base64 - With the clue of "baseline" in the question, using CyberChef and selecting Base64 decode the text is decoded.</i><br /></div><div><div style="margin-left: 40px; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzSobcZ7PUDNkI2f4DePby0N57708P37N5P3oQrp9uwt0z97m4S8Mfbn9KGLgCPUvTyxZe5WBzBvE-lSPp5P50n9k_80UjapMaxa4PFkU5PsgtwBUaoYOGKF1i_EG6nyQIGaSgtu9aKogK/s1091/Egg_3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="622" data-original-width="1091" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzSobcZ7PUDNkI2f4DePby0N57708P37N5P3oQrp9uwt0z97m4S8Mfbn9KGLgCPUvTyxZe5WBzBvE-lSPp5P50n9k_80UjapMaxa4PFkU5PsgtwBUaoYOGKF1i_EG6nyQIGaSgtu9aKogK/s320/Egg_3.PNG" width="320" /></a></div><div style="margin-left: 40px; text-align: left;"><br /></div><ul style="text-align: left;"><li>Opposites Attract - What was the key 
used to unlock this cipher?</li></ul></div><div style="margin-left: 40px; text-align: left;"><i>magnet - This key was displayed after decoding the previous text. Once again using CyberChef, but this time using the Vigenère cipher with the key of "magnet", you get the next message, shown in the screenshot. <br /></i></div><div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKQW39hTkrV88cP7t7qVUyxRMsACadwj8hLDjjodlPHZHUpZFRGgH30e0YabNKQpTAFt0i41C6ZYRTMw7-wvQ1BcQvkeeozXjKh1FLONKMf8zNncU9VsbfP7nbajcya0YfSMukF4Z3WQJG/s1093/Egg_4.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="625" data-original-width="1093" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKQW39hTkrV88cP7t7qVUyxRMsACadwj8hLDjjodlPHZHUpZFRGgH30e0YabNKQpTAFt0i41C6ZYRTMw7-wvQ1BcQvkeeozXjKh1FLONKMf8zNncU9VsbfP7nbajcya0YfSMukF4Z3WQJG/s320/Egg_4.PNG" width="320" /></a></div><div><br /></div><ul style="text-align: left;"><li>Hey coach, I'm going to need a SUB - What is the final message of the completed egg hunt?</li></ul></div><div style="margin-left: 40px; text-align: left;"><i>bean - With only the final line of the Egg Hunt left, I continued with CyberChef and began to try different ciphers, focusing on those that use an alphabet substitution based on the clue of "SUB". 
I ultimately found Atbash Cipher which revealed the final flag.</i></div><div style="margin-left: 40px; text-align: left;"><i><br /></i></div><div style="margin-left: 40px; text-align: left;"><i></i><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCX-8QPBk1Jew4rClJ6EQM3PG6nto4drpLSwhKZRmk3iRG53fADPs2fFdcBWaNFAslTAHr4B3UVRrYqfdUljbsNfle9iMnZ5W0TfAnLqD6GjNB_iyMmE0hj8H8SFRFcSseMNArJyH8VFgN/s1090/Egg_5.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="623" data-original-width="1090" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCX-8QPBk1Jew4rClJ6EQM3PG6nto4drpLSwhKZRmk3iRG53fADPs2fFdcBWaNFAslTAHr4B3UVRrYqfdUljbsNfle9iMnZ5W0TfAnLqD6GjNB_iyMmE0hj8H8SFRFcSseMNArJyH8VFgN/s320/Egg_5.PNG" width="320" /></a></div>DFIR_300http://www.blogger.com/profile/05165365281946383442noreply@blogger.com0tag:blogger.com,1999:blog-9182408115818127901.post-88678509983328593512020-06-04T00:07:00.002-05:002020-06-04T10:57:43.172-05:00#MVS2020CTF Write-up (Android)
<p class="MsoNormal">In May 2020, I participated in the Magnet Virtual Summit CTF
Competition, which consisted of an iOS Extraction, Android Extraction, Google
Takeout, Windows E01 Image, and a RAM Capture. I would consider this my first real attempt at competitively
participating in a DFIR Style CTF and I truly enjoyed each and every aspect. Before I get into the solutions I was able to
find, let me start off by saying that I enjoy learning new skills, and I am a huge
fan of open source tools, and validating paid commercial tools with free tools
if possible. With that said, some of the
tools I used to find solutions were Volatility, Autopsy, ALEAPP, iLEAPP, Notepad++,
BulkExtractor, IrfanView, unfurl, GCHQ CyberChef, DB Browser (SQLite), and
Cellebrite Physical Analyzer. Also I
have to give credit to Tarah Melton (@melton_tarah) for her presentation on
Memory Analysis, as I had never worked with a RAM Capture before, yet I was
able to solve most of the memory based questions using notes from her session. Also a huge thanks to @evandrix for helping
confirm I was on the right path for some questions. A great job by Jessica Hyde (@B1N2H3X) and
the whole @MagnetForensics Team. Let’s
get started with the Android Section…</p>
<p class="MsoNormal"></p><p class="MsoNormal"><br /></p>
<p class="MsoNormal"><u><b>Android</b></u></p>
<ul style="text-align: left;"><li>Just another pawn - What is the username for the Zynga Chess
app? </li></ul>
<p class="MsoNormal" style="margin-left: 40px; text-align: left;"><i>chess.master.chester –
This was found using ALEAPP under Chrome Login Data</i></p>
<ul style="text-align: left;"><li>Obfuscating Like a Pro - Chester decided to use a covert app
to communicate with Alan, to try to cover their tracks. What is the package
name of the app? flag&lt;com.full.package.name.here&gt; (Do not include
flag&lt;&gt;, just write out the package name) Hint: <a href="https://youtu.be/wEv0zOeA2FU?t=152">https://youtu.be/wEv0zOeA2FU?t=152</a></li></ul>
<p class="MsoNormal" style="margin-left: 40px; text-align: left;"><i>com.zynga.chess.googleplay
– This was found using ALEAPP under the Installed Apps, and could also be found
in the Chrome Login Data found above. This was based on the previous question asking for the username for the
Zynga Chess App and knowing it had a chat feature. </i></p>
<ul style="text-align: left;"><li>The College Lifestyle- Artic Edition - Where did Chester get
ramen in Norway? (Restaurant Name)</li></ul>
<p class="MsoNormal" style="margin-left: 40px; text-align: left;"><i>Koie Ramen – Since
this was an Android based question and asking for a specific location, I started in the Google Takeout Files.
After finding IMG_20200309_172817.jpg, which was a bowl of Ramen, I
opened the file in IrfanView, viewed the Exif data and then viewed the
Geo-Coordinates in Google Maps. After a
slight zoom you are able to see that the photograph was taken inside of Koie
Ramen Restaurant. </i></p>
<ul style="text-align: left;"><li>Blocked for security reasons! - What is the name of the file
that this user attached/linked and emailed to Warren?</li></ul><div style="margin-left: 40px; text-align: left;"><i>Chestnut_CV.exe – Was found
in an email message, parsed by Autopsy, which included the file as a Google
Drive Download/Access Link.</i>
</div><ul style="text-align: left;"><li>bOat-SINT - While on spring break, Chester took a photo of a
famous boat. What is the boat's name (2 words, ______ ship)?</li></ul>
<p class="MsoNormal" style="margin-left: 40px; text-align: left;"><i>Oseberg Ship – Was found
based on the OSINT hidden in the question. After finding the photograph of the boat (IMG_20200308_144240.jpg) in
the Google Takeout, I used Google Image Search to locate the name of the ship
from the Museum website, which contained a similar image.</i></p>
<ul style="text-align: left;"><li>Fastest Thumbs in the West - How many tweets did Chester
tweet?</li></ul>
<p class="MsoNormal" style="margin-left: 40px; text-align: left;"><i>5 – Was found by
manually digging through the Android Extraction in Windows Explorer and then
viewing the database in DB Browser. The
file is located at \data\data\com.twitter.android\databases, where I looked for
the largest database file, which was 1230174369462267904-60.db. I then viewed the Users Table to find Chester’s
ID. Once I had the ID, I viewed the
Statuses Table and filtered by Author.id</i></p><p class="MsoNormal"></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIq4WQyUrZS7fbBZjuD4rZDFhzSBmDXz7P65DyRCv5wWPm7wMf7Idl6vT6jHr_rEsHahCjlZzDY1vBSy6-CmFiUPl6b4mUdUcP6ACinajCDh4mKMCgAzi5OjAZCthPbK6jgFxgEt5K_9kw/s4032/ChesterID.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="2268" data-original-width="4032" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIq4WQyUrZS7fbBZjuD4rZDFhzSBmDXz7P65DyRCv5wWPm7wMf7Idl6vT6jHr_rEsHahCjlZzDY1vBSy6-CmFiUPl6b4mUdUcP6ACinajCDh4mKMCgAzi5OjAZCthPbK6jgFxgEt5K_9kw/s320/ChesterID.jpg" width="320" /></a></div><i><br /></i><p></p><p class="MsoNormal"><i></i></p><p class="MsoNormal"></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPNSEqhRWqv6K7PjBynb4DxT97W7bCAGrO1-Q44EklrnTWHshx0FVVoUiNvrHG13ZlL-9AB0i_2xcgIvwsmsVbq8qI6_nAqglAdNUTmPSAxXVi3PUTGn8MVBEBiLIDQBKHyezVdw5bLgxx/s4032/Fastest_Thumbs.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="2268" data-original-width="4032" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPNSEqhRWqv6K7PjBynb4DxT97W7bCAGrO1-Q44EklrnTWHshx0FVVoUiNvrHG13ZlL-9AB0i_2xcgIvwsmsVbq8qI6_nAqglAdNUTmPSAxXVi3PUTGn8MVBEBiLIDQBKHyezVdw5bLgxx/s320/Fastest_Thumbs.jpg" width="320" /></a></div><i><br /></i><p></p>
<ul style="text-align: left;"><li>New IP Who Dis? - What local port was Warren's computer
listening on while connected to the IP 13.35.82.31 during the memory dump? </li></ul>
<p class="MsoNormal" style="margin-left: 40px; text-align: left;"><i>54281 – This was found
by reviewing the output of the “netscan” command on the RAM Capture in
Volatility, which revealed the port number.<span> <br /></span></i></p><p class="MsoNormal"><i></i></p><div class="separator" style="clear: both; text-align: center;"><i><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlU344-BVpQ4nmuTi_c_jZ1DScf61L5soVL_sxWT318VJJOUUfPY63zNbUeaPLGm8oBnQNn9qnqoGi9eBNBqs8bTU-dFIPrxESpYpWmr4f5gEjO67EutksUA0pHa2r1wUG2Q2hGYHHkpzv/s1075/New_IP_Who_Dis.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="153" data-original-width="1075" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlU344-BVpQ4nmuTi_c_jZ1DScf61L5soVL_sxWT318VJJOUUfPY63zNbUeaPLGm8oBnQNn9qnqoGi9eBNBqs8bTU-dFIPrxESpYpWmr4f5gEjO67EutksUA0pHa2r1wUG2Q2hGYHHkpzv/s320/New_IP_Who_Dis.PNG" width="320" /></a></i></div><i><span><br /></span></i><p></p>
<ul style="text-align: left;"><li>The Polar Express - What train station did Chester get
directions to?</li></ul>
<p class="MsoNormal" style="margin-left: 40px; text-align: left;"><i>Bergen – Was found by
looking in the Google Takeout under My Activity\Maps\MyActivity.html. Once the file was opened in Firefox, I used Ctrl+F
to search for “station”, and it was listed under a Maps search for Directions To Bergen
Station, Bergen, Norway on Mar 10, 2020.</i></p>
<ul style="text-align: left;"><li>You Get a Database! And You Get a Database! - Unbeknownst to
Chester and Alan, the app found in the question "Obfuscating Like a
Pro" didn't store their chat logs securely. What is the chat message ID
for where the target of the hack is declared?</li></ul>
<p class="MsoNormal" style="margin-left: 40px; text-align: left;"><i>18741612351 – Based on
the information identifying the Chess app, I manually searched through the
Android extraction with Windows Explorer to look at the databases. The file was found at
data\data\com.zynga.chess.googleplay\databases\wf_database.sqlite. Reviewing the database you find the message
ID where the target is Mallie Sae.</i></p><p class="MsoNormal"></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhs_AgG4kiCxZYxhMD4TSsxBHYrFX3IkJ3557O5cTDMVoVUHkZ6PyaXqk8RYtZQqmJa35dC_hvahgIhYtm31GjY_bgW4Og1zVJC8E28vo7RVDCGlgTMFJk3uMYW__UtsNOUF9RPvZXRPuut/s4032/Mallie+Sae.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="2268" data-original-width="4032" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhs_AgG4kiCxZYxhMD4TSsxBHYrFX3IkJ3557O5cTDMVoVUHkZ6PyaXqk8RYtZQqmJa35dC_hvahgIhYtm31GjY_bgW4Og1zVJC8E28vo7RVDCGlgTMFJk3uMYW__UtsNOUF9RPvZXRPuut/s320/Mallie+Sae.jpg" width="320" /></a></div><i><br /></i><p></p>
<ul style="text-align: left;"><li>Chess Master Chester - What was the first move made by
Chester in Chester's Chess game? (Flag is in chess notation (Ex. A1-B2))</li></ul>
<p class="MsoNormal" style="margin-left: 40px; text-align: left;">*Chess board for reference, assume white starts on rows 7 and
8: <a href="https://www.dummies.com/wp-content/uploads/201843.image0.jpg">https://www.dummies.com/wp-content/uploads/201843.image0.jpg</a></p>
<p class="MsoNormal" style="margin-left: 40px; text-align: left;"><i>e2-e4 – This one gave
me some trouble at first since I didn’t take the time to identify Chester’s
user ID, so after several wrong guesses, I realized that Chester may not have
gone first. This was confirmed by
finding that Chester is user ID 237046613 in the Users Table. Then, using the data in the moves table,
x1=4 y1=1 identifies the pawn on e-2 (counting from the lower left of the chess
board image, where 1 = 0 and a = 0), and x2=4 y2=3 means the
pawn moved forward two spaces to e-4.
This is also validated by looking at line 3 of the moves table and
examining the data column, which displays the prev_board (naming the pieces by their
first initial, and Empty spaces are identified with “e”)</i></p><p class="MsoNormal"></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhx9VbH4Bklq9VybryMdZXMwPMTaY6zwz3hyt9hFCXlYW7XSksAzRhJQJFBoeHLLJez8wcU1T1o89glfkO_vzJ1lMljxUKnNPmiKIE-rZFXHizvY7xDVGw8dpyLZFfGfSBuaFrukmZBrPsi/s4032/Chess.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="2268" data-original-width="4032" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhx9VbH4Bklq9VybryMdZXMwPMTaY6zwz3hyt9hFCXlYW7XSksAzRhJQJFBoeHLLJez8wcU1T1o89glfkO_vzJ1lMljxUKnNPmiKIE-rZFXHizvY7xDVGw8dpyLZFfGfSBuaFrukmZBrPsi/s320/Chess.jpg" width="320" /></a></div><i><br /></i><p></p>
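<p class="MsoNormal">The coordinate reading described above, as an added example that is not part of the original write-up and not the app's own code. The in-memory tables are constructed, and every table and column name other than x1, y1, x2 and y2, along with the opponent's user ID, is an assumption for illustration.</p>

```python
import sqlite3

FILES = "abcdefgh"  # x index 0..7 maps to files a..h


def square(x, y):
    """Zero-based (x, y) -> square name; x=0 is file a, y=0 is rank 1."""
    if not (0 <= x < 8 and 0 <= y < 8):
        raise ValueError(f"off-board coordinate ({x}, {y})")
    return f"{FILES[x]}{y + 1}"


def first_move_by(conn, user_id):
    """Earliest move made by user_id as 'e2-e4', or None if the user never moved."""
    row = conn.execute(
        "SELECT x1, y1, x2, y2 FROM moves WHERE user_id = ? "
        "ORDER BY move_no LIMIT 1",
        (user_id,),
    ).fetchone()
    if row is None:
        return None
    x1, y1, x2, y2 = row
    return f"{square(x1, y1)}-{square(x2, y2)}"


def first_move_overall(conn):
    """(user_id, move) for the first row of the game, whoever made it."""
    user_id, x1, y1, x2, y2 = conn.execute(
        "SELECT user_id, x1, y1, x2, y2 FROM moves ORDER BY move_no LIMIT 1"
    ).fetchone()
    return user_id, f"{square(x1, y1)}-{square(x2, y2)}"


def build_sample():
    """Constructed stand-in for the users and moves tables (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (user_id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE moves (move_no INTEGER, user_id INTEGER,
                            x1 INTEGER, y1 INTEGER, x2 INTEGER, y2 INTEGER);
        INSERT INTO users VALUES (237046613, 'Chester'), (100000001, 'Opponent');
        INSERT INTO moves VALUES (1, 100000001, 3, 6, 3, 4);  -- opponent moves first
        INSERT INTO moves VALUES (2, 237046613, 4, 1, 4, 3);  -- Chester's first move
        INSERT INTO moves VALUES (3, 100000001, 3, 4, 4, 3);
        """
    )
    return conn


if __name__ == "__main__":
    db = build_sample()
    print("first row of the game:", first_move_overall(db))
    print("Chester's first move:", first_move_by(db, 237046613))
```

<p class="MsoNormal">Filtering on the user ID before taking the first row is what avoids the wrong guesses: the first row of the moves table belongs to whoever opened the game.</p>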
<ul style="text-align: left;"><li>Take the Red Pill, Chester - Chester configured a moving
matrix background on his phone. What did Chester set the falling speed of the
characters to?</li></ul>
<p class="MsoNormal" style="margin-left: 40px; text-align: left;">*Demonstration video located at data/media/0/AzRecorderFree</p><div style="margin-left: 40px; text-align: left;">
</div><p class="MsoNormal" style="margin-left: 40px; text-align: left;"><i>50 – Found while
reviewing the installed apps in the ALEAPP report
(com.gulshansingh.hackerlivewallpaper). I then manually found in Windows Explorer the preferences stored in an
.xml file located at
data\data\com.gulshansingh.hackerlivewallpaper\shared_prefs. Viewing the .xml in Notepad++ you can see the
“fallin speed” value is 50.</i></p><p class="MsoNormal"></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhiTR3Tbc16hEtU5JFsJHwg1VUnbhllL3VDeFtB4dLHwGLZLOV09uoR-SCO1jf0o2d9ecz91Dh7pAF5I04xq69PSaPDXuUji612GBN-wbP87vbkVQb80VSeOecuBvb24iYQ323miFi-fOeQ/s4032/Falling_Speed.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="2268" data-original-width="4032" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhiTR3Tbc16hEtU5JFsJHwg1VUnbhllL3VDeFtB4dLHwGLZLOV09uoR-SCO1jf0o2d9ecz91Dh7pAF5I04xq69PSaPDXuUji612GBN-wbP87vbkVQb80VSeOecuBvb24iYQ323miFi-fOeQ/s320/Falling_Speed.jpg" width="320" /></a></div><i><br /></i><p></p>
<ul style="text-align: left;"><li>Best Foot Forward - What was the percentage likelihood that
the Android user was walking on Fri Mar 6 2020 at 20:50:27 UTC</li></ul>
<p class="MsoNormal" style="margin-left: 40px; text-align: left;"><i>95 – This was found
based on my prior knowledge of data stored by Google in the Takeout related to
Location History. I searched in the
Takeout\Location History directory and then opened the “Location History.json”
in Notepad++ with the JSON Viewer Plugin. Then I used an online time converter to convert the Time/Date Stamp from
the question into EPOCH and searched for the EPOCH value in Notepad++,
which showed a confidence of 95 for Walking. <br /></i></p><p class="MsoNormal"></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTCJfKDnjhXhwYyskhZ0i6xcmN0SKZ8Sj6MyHY7KGoTLDvwvnzLCTkVjH_3cd8R-sph7uw2q8XYYx5t3FNrWIUjQOoS8GPBuDAaP42JXQuN2cTdG652V9DOFerkITLY4TqwVspN3IhjD_0/s4032/BestFoot.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="4032" data-original-width="2268" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTCJfKDnjhXhwYyskhZ0i6xcmN0SKZ8Sj6MyHY7KGoTLDvwvnzLCTkVjH_3cd8R-sph7uw2q8XYYx5t3FNrWIUjQOoS8GPBuDAaP42JXQuN2cTdG652V9DOFerkITLY4TqwVspN3IhjD_0/s320/BestFoot.jpg" /></a></div><i><br /></i><p></p>
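<p class="MsoNormal">The same lookup done offline, as an added example that is not part of the original write-up: it converts the question's timestamp to epoch seconds and searches the activity samples for it. The sample JSON is constructed, the field names (locations, activity, timestampMs, type, confidence) assume the legacy Takeout “Location History.json” layout, and the function names are hypothetical.</p>

```python
import json
from datetime import datetime, timezone

# Constructed sample; field names assume the legacy "Location History.json" layout.
SAMPLE_JSON = """
{"locations": [
  {"timestampMs": "1583527765012", "latitudeE7": 0, "longitudeE7": 0,
   "activity": [{"timestampMs": "1583527764880",
                 "activity": [{"type": "STILL", "confidence": 80},
                              {"type": "WALKING", "confidence": 12}]}]},
  {"timestampMs": "1583527826950", "latitudeE7": 0, "longitudeE7": 0,
   "activity": [{"timestampMs": "1583527827311",
                 "activity": [{"type": "WALKING", "confidence": 95},
                              {"type": "ON_FOOT", "confidence": 95},
                              {"type": "STILL", "confidence": 3}]}]},
  {"timestampMs": "1583527890400", "latitudeE7": 0, "longitudeE7": 0}
]}
"""
SAMPLE = json.loads(SAMPLE_JSON)


def to_epoch_seconds(text):
    """Parse a stamp such as 'Fri Mar 6 2020 20:50:27 UTC' into Unix seconds."""
    parsed = datetime.strptime(text, "%a %b %d %Y %H:%M:%S UTC")
    return int(parsed.replace(tzinfo=timezone.utc).timestamp())


def activity_confidence(history, when, activity_type="WALKING"):
    """Return (timestampMs, confidence) for activity samples taken in that second.

    The match is made on the nested activity timestamp, not on the timestamp
    of the enclosing location fix, because the two can fall in different seconds.
    """
    target = to_epoch_seconds(when)
    hits = []
    for location in history.get("locations", []):
        # A location record may carry no activity list at all.
        for sample in location.get("activity", []):
            ts_ms = int(sample["timestampMs"])
            if ts_ms // 1000 != target:
                continue
            for guess in sample.get("activity", []):
                if guess["type"] == activity_type:
                    hits.append((ts_ms, guess["confidence"]))
    return hits


if __name__ == "__main__":
    question = "Fri Mar 6 2020 20:50:27 UTC"
    print(to_epoch_seconds(question))
    print(activity_confidence(SAMPLE, question))
```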
<p class="MsoNormal"> </p>
<!--[if gte mso 9]><xml>
<w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="false"
DefSemiHidden="false" DefQFormat="false" DefPriority="99"
LatentStyleCount="371">
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 4"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 4"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 5"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 5"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 5"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 5"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 5"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 5"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 5"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 5"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 5"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 5"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 5"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 5"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 5"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 5"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 6"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 6"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 6"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 6"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 6"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 6"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 6"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 6"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 6"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 6"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 6"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 6"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 6"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 6"/>
<w:LsdException Locked="false" Priority="19" QFormat="true"
Name="Subtle Emphasis"/>
<w:LsdException Locked="false" Priority="21" QFormat="true"
Name="Intense Emphasis"/>
<w:LsdException Locked="false" Priority="31" QFormat="true"
Name="Subtle Reference"/>
<w:LsdException Locked="false" Priority="32" QFormat="true"
Name="Intense Reference"/>
<w:LsdException Locked="false" Priority="33" QFormat="true" Name="Book Title"/>
<w:LsdException Locked="false" Priority="37" SemiHidden="true"
UnhideWhenUsed="true" Name="Bibliography"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="TOC Heading"/>
<w:LsdException Locked="false" Priority="41" Name="Plain Table 1"/>
<w:LsdException Locked="false" Priority="42" Name="Plain Table 2"/>
<w:LsdException Locked="false" Priority="43" Name="Plain Table 3"/>
<w:LsdException Locked="false" Priority="44" Name="Plain Table 4"/>
<w:LsdException Locked="false" Priority="45" Name="Plain Table 5"/>
<w:LsdException Locked="false" Priority="40" Name="Grid Table Light"/>
<w:LsdException Locked="false" Priority="46" Name="Grid Table 1 Light"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark"/>
<w:LsdException Locked="false" Priority="51" Name="Grid Table 6 Colorful"/>
<w:LsdException Locked="false" Priority="52" Name="Grid Table 7 Colorful"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 1"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 1"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 1"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 1"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 1"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 2"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 2"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 2"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 2"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 2"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 3"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 3"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 3"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 3"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 3"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 4"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 4"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 4"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 4"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 4"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 5"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 5"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 5"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 5"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 5"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 6"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 6"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 6"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 6"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 6"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="46" Name="List Table 1 Light"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark"/>
<w:LsdException Locked="false" Priority="51" Name="List Table 6 Colorful"/>
<w:LsdException Locked="false" Priority="52" Name="List Table 7 Colorful"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 1"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 1"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 1"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 1"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 1"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 2"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 2"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 2"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 2"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 2"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 3"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 3"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 3"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 3"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 3"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 4"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 4"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 4"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 4"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 4"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 5"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 5"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 5"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 5"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 5"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 6"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 6"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 6"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 6"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 6"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 6"/>
</w:LatentStyles>
</xml><![endif]--><!--[if gte mso 10]>
<![endif]-->DFIR_300http://www.blogger.com/profile/05165365281946383442noreply@blogger.com1