
Wednesday, June 17, 2020

#MVS2020CTF Write-Up (Windows)

Here we have the Windows questions and solutions that were part of the 2020 Magnet Virtual Summit CTF.  Again keeping with the theme of using #OpenSource or free software, I used Autopsy to process the forensic image, and also used UnFurl, IrfanView, StegHide, OpenStego, and CyberChef to help with other questions.  As you will see below I did not find all of the solutions, but I hope the information I provide is helpful to anyone who has never tried a CTF or is new to DFIR.

  • Begin Exam Try 2
When did the windows image acquisition start?

Answer in YYYY-MM-DD HH:MM:SS

So initially I believe this question asked who the examiner was, and after 10-15 minutes of digging around for the solution (Expecting to find it in the DFA_Windows.E01.txt), I reloaded my browser and saw the "Try 2".  So looking at the same text file, we find that the "Flag" is 2020-04-22 17:55:30.  This is documented under Image Information, as the Acquisition Started Time Stamp, which needed to be converted from Wed Apr 22 17:55:30 2020 to the Flag Format provided.

  • Call Me Maybe?
What is the user's phone number? (Format: 555-555-5555)

After processing the Windows Image using Autopsy, I looked in the Web Form Autofill results, where the flag of 802-265-5115 was located.


  • Feelin' Lucky?
How many people won Quarterly Drawing 31?

 1
 10
 100
 1,000
 10,000
 100,000

This was a multiple choice question, but I didn't find the solution. 

  • Update the Résumé
When did the user start working in their current position?

(Example: flag<July 1776>)

This was another question that I did not solve, despite going through User Documents, Keyword Searches, Filtering by File Type looking for a CV or Resume.  After reading over the write-up by @KevinPagano3 on stark4n6.com, the solution required combining the Chrome Login artifact for a LinkedIn account along with some OSINT to find the flag of July 2014.

  • Another day, another dollar
How many times did Warren sign in to his machine?

This flag was found in the Autopsy Extracted Content, under Operating System User Account, then looking at the Username Warren.  When you scroll down, the count next to the most recent accessed date can be seen as 24.


  • Hash Crash
What is the earliest created file associated with the following MD5: 3d908e1b40140c1e0167603ffca07701

For this flag, I created a new Hashset within Autopsy, and the files with the MD5 hash show up under Hashset Hits under the name of the Hashset.  Flag is AccessMUISet.msi as its created date is the earliest.
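The same hash set logic, written out as an added example rather than anything from the post or from Autopsy: hash each candidate file, keep the ones whose MD5 is in the set, then pick the earliest created timestamp.  The file records, their contents and the created timestamps below are constructed for the example, so their MD5s will not equal the hash from the question; the matching and sorting is what the example shows.

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample records standing in for files exported from the image:
# (path, created timestamp in UTC as the tool displays it, file content).
# Not files from the CTF image; only the matching logic is being demonstrated.
SAMPLE_FILES = [
    ("C:/Windows/Installer/AccessMUISet.msi", "2019-03-19 04:10:11", b"msi-payload-A"),
    ("C:/Users/Warren/Downloads/copy1.msi",   "2020-04-20 13:02:45", b"msi-payload-A"),
    ("C:/Users/Warren/Documents/notes.txt",   "2018-11-02 09:00:00", b"unrelated text"),
    ("C:/Temp/copy2.msi",                     "2020-01-05 22:15:30", b"msi-payload-A"),
]


def md5_hex(data: bytes) -> str:
    """MD5 of an in-memory blob as lower-case hex, the form a hash set entry takes."""
    return hashlib.md5(data).hexdigest()


def md5_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """MD5 of a file on disk, read in chunks so large exports do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_hashset(hashes) -> set:
    """Normalise a list of MD5 strings (case, stray whitespace) for lookup."""
    return {h.strip().lower() for h in hashes}


def hashset_hits(files, hashset):
    """Return (path, created_utc) for every record whose MD5 is in the hash set."""
    hits = []
    for path, created, data in files:
        if md5_hex(data) in hashset:
            created_dt = datetime.strptime(created, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
            hits.append((path, created_dt))
    return hits


def earliest_created(hits):
    """Path of the hit with the earliest created timestamp, or None when there are no hits."""
    if not hits:
        return None
    return min(hits, key=lambda hit: hit[1])[0]


if __name__ == "__main__":
    target = md5_hex(b"msi-payload-A")  # stands in for the MD5 given in the question
    hits = hashset_hits(SAMPLE_FILES, build_hashset([target]))
    for path, created in sorted(hits, key=lambda hit: hit[1]):
        print(created.isoformat(), path)
    print("earliest:", earliest_created(hits))
```

With real exports you would feed `md5_of_file` the paths and take the created timestamps from the file system metadata Autopsy shows, not from the host you are working on.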


  • Sticky Situation
How many dollars does the user CURRENTLY owe from gambling? Format 99,900

I did not find the flag for this question.

  • Money, money, money, Money!
How many dollars to directly buy in to the tournament on Sunday?

This flag was found using a keyword search in Autopsy for "tournament".  A link in the Chrome History shows a website URL for a Poker Tournament.  A quick copy/paste of the URL into a browser brings us to a website where the buy-in for Sunday Tournaments is shown as $162.


  • Sorry, eh?
When was the image downloaded from www.sciencenews.org viewed? Format MM/DD/YYYY HH:MM:SS (24 hour clock) ex 05/12/2020 17:45:00

Searching for the URL produced the data associated with the download, but those times were not accepted as the flag.  I later found, again from the write-up by @KevinPagano3, that the time of opening was from the LNK file associated with the downloaded file.  Half credit doesn't get any points in a CTF.

  • Stay PAWsitive
What is the name of the movie written in the text file within a PNG?

I spent quite a bit of time on this question, as I was certain based on the "PAW" clue that the flag could be found within the /Users/Warren/Documents/Cats directory.  All three files were named with "motivational" phrases, and the actual images were motivational memes, which matched the clue in the question.  Only one of the files was a .PNG and it was also much larger than the other files.  After exporting the file I used Steghide, a steganography tool, but had no luck. I then imported the file into CyberChef and again had no luck.  I then tried Steghide again, using various passwords that were in the E01, which all yielded nothing.


I then started to discuss the CTF with @Evandrix who had completed all of the questions.  He then pointed me towards a tool called OpenStego, which immediately without a password extracted the text file, revealing the flag of Godzilla. 


  • What happens when you text and drive?
Name the bug check code in the most recent Windows crash (Blue Screen)

I did not find the Flag for this question.

  • You're GUIDing, right?
What is the GUID for the application that was last used to access C:\Users\Warren\Documents?

I did not find the Flag for this question.

  • Poker, I don't even...
How many total seconds did the user spend on the page when they searched for quick online poker? format: x.xxx

At first I thought this would be a straightforward solution.  Using a keyword search in Autopsy for "quick online poker" yielded several results, and I focused on the results that were an exact match and couldn't find anything related to the time spent on the page.  As the #MVS2020 sessions continued, I attended the "Ask Us Anything" Session, where there was a discussion about a tool called UnFurl.  I downloaded the tool and set up all of the requirements (there is also an online/web version available).  I continued to focus on the exact match of the term, but still was not able to find the correct flag.  Again I discussed the CTF with @Evandrix who suggested that I look at the other results for the search, which led me to the flag of 6.294.



Overall a great experience, which tested my knowledge on particular artifacts, and allowed me to add to my toolbox of free and open-source tools. 

Thursday, June 4, 2020

#MVS2020CTF Write-up (Android)

In May 2020, I participated in the Magnet Virtual Summit CTF Competition, which consisted of an iOS Extraction, Android Extraction, Google Takeout, Windows E01 Image, and a RAM Capture.  I would consider this my first real attempt at competitively participating in a DFIR Style CTF and I truly enjoyed each and every aspect.  Before I get into the solutions I was able to find, let me start off by saying that I enjoy learning new skills, and I am a huge fan of open source tools, and validating paid commercial tools with free tools if possible.  With that said some of the tools I used to find solutions were Volatility, Autopsy, ALEAPP, iLEAPP, Notepad++, BulkExtractor, Irfanview, unfurl, GCHQ CyberChef, DB Browser (SQLite), and Cellebrite Physical Analyzer.  Also I have to give credit to Tarah Melton (@melton_tarah) for her presentation on Memory Analysis, as I had never worked with a RAM Capture before, yet I was able to solve most of the memory based questions using notes from her session.  Also a huge thanks to @evandrix for helping confirm I was on the right path for some questions.  A great job by Jessica Hyde (@B1N2H3X) and the whole @MagnetForensics Team.  Let’s get started with the Android Section…


Android

  • Just another pawn - What is the username for the Zynga Chess app?

chess.master.chester – This was found using ALEAPP under Chrome Login Data

  • Obfuscating Like a Pro - Chester decided to use a covert app to communicate with Alan, to try to cover their tracks. What is the package name of the app? flag<com.full.package.name.here> (Do not include flag<>, just write out the package name) Hint: https://youtu.be/wEv0zOeA2FU?t=152

com.zynga.chess.googleplay – This was found using ALEAPP under the Installed Apps, and could also be found in the Chrome Login Data found above.  This was based on the previous question asking for the username for the Zynga Chess App and knowing it had a chat feature.

  • The College Lifestyle- Artic Edition - Where did Chester get ramen in Norway? (Restaurant Name)

Koie Ramen – Since this was an Android based question and asking for a specific location, I started in the Google Takeout Files.  After finding IMG_20200309_172817.jpg, which was a bowl of Ramen, I opened the file in IrfanView, viewed the Exif data and then viewed the Geo-Coordinates in Google Maps.  After a slight zoom you are able to see that the photograph was taken inside of Koie Ramen Restaurant.

  • Blocked for security reasons! - What is the name of the file that this user attached/linked and emailed to Warren?

Chestnut_CV.exe – Was found in an email message, parsed by Autopsy, which included the file as a Google Drive Download/Access Link.

  • bOat-SINT - While on spring break, Chester took a photo of a famous boat. What is the boat's name (2 words, ______ ship)?

Oseberg Ship – Was found based on the OSINT hidden in the question.  After finding the photograph of the boat (IMG_20200308_144240.jpg) in the Google Takeout, I used Google Image Search to locate the name of the ship from the Museum website, which contained a similar image. 

  • Fastest Thumbs in the West - How many tweets did Chester tweet?

5 – Was found by manually digging through the Android Extraction in Windows Explorer and then viewing the database in DB Browser.  The file is located at \data\data\com.twitter.android\databases, where I looked for the largest database file, which was 1230174369462267904-60.db.  I then viewed the Users Table to find Chester’s ID.  Once I had the ID I viewed the Statuses Table and filtered by Author.id.



  • New IP Who Dis? - What local port was Warren's computer listening on while connected to the IP 13.35.82.31 during the memory dump?

54281 – This was found by reviewing the output of the “netscan” command on the RAM Capture in Volatility, which revealed the port number. 
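For anyone who wants to go through a long netscan listing without eyeballing it, here is an added example (my own code, not part of the post and not a Volatility plugin) that parses rows laid out like Volatility 2's netscan output and pulls the local port for a given remote IP.  The rows below are constructed to match that column layout; they are not from the CTF RAM capture.

```python
import re

# Constructed output in the shape of Volatility 2's netscan columns
# (Offset, Proto, Local Address, Foreign Address, State, Pid, Owner, Created).
# Made up for the example; not rows from the CTF RAM capture.
SAMPLE_NETSCAN = """\
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x7e0b5a50         TCPv4    192.168.10.25:54281            13.35.82.31:443      ESTABLISHED      4012     chrome.exe     2020-04-22 17:40:12 UTC+0000
0x7e0c1230         TCPv4    192.168.10.25:54290            52.114.77.33:443     CLOSE_WAIT       4012     chrome.exe     2020-04-22 17:41:03 UTC+0000
0x7e0d9f10         UDPv4    0.0.0.0:5353                   *:*                                   1320     svchost.exe    2020-04-22 17:21:55 UTC+0000
0x7e0e7780         TCPv4    0.0.0.0:445                    0.0.0.0:0            LISTENING        4        System         2020-04-22 17:20:10 UTC+0000
"""

# Only the first four columns are fixed; State is blank for UDP rows, so the
# later columns shift and are not relied on here.
ROW_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\S+)\s+(\S+)")


def split_endpoint(endpoint: str):
    """Split 'ip:port' into (ip, port); port is None for '*:*' or a non-numeric port."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netscan(text: str):
    """Return one dict per data row; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        offset, proto, local, foreign = m.groups()
        lip, lport = split_endpoint(local)
        fip, fport = split_endpoint(foreign)
        rows.append({"offset": offset, "proto": proto,
                     "local_ip": lip, "local_port": lport,
                     "foreign_ip": fip, "foreign_port": fport})
    return rows


def local_ports_for_remote(rows, remote_ip: str):
    """Sorted, de-duplicated local ports of every socket whose foreign address is remote_ip."""
    return sorted({r["local_port"] for r in rows
                   if r["foreign_ip"] == remote_ip and r["local_port"] is not None})


if __name__ == "__main__":
    rows = parse_netscan(SAMPLE_NETSCAN)
    print("local ports talking to 13.35.82.31:", local_ports_for_remote(rows, "13.35.82.31"))
```

Run it against a saved `netscan` text dump instead of the constructed string and the same two functions apply unchanged.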


  • The Polar Express - What train station did Chester get directions to?

Bergen – Was found by looking in the Google Takeout under My Activity\Maps\MyActivity.html.  Once the file was opened in Firefox, Ctrl+F for “station” found it listed under a Maps search for Directions To Bergen Station, Bergen, Norway on Mar 10, 2020.

  • You Get a Database! And You Get a Database! - Unbeknownst to Chester and Alan, the app found in the question "Obfuscating Like a Pro" didn't store their chat logs securely. What is the chat message ID for where the target of the hack is declared?

18741612351 – Based on the information identifying the Chess app, I manually searched through the Android extraction with Windows Explorer to look at the databases.  The file was found at data\data\com.zynga.chess.googleplay\databases\wf_database.sqlite.  Reviewing the database you find the message ID where the target is Mallie Sae.


  • Chess Master Chester - What was the first move made by Chester in Chester's Chess game? (Flag is in chess notation (Ex. A1-B2))

*Chess board for reference, assume white starts on rows 7 and 8: https://www.dummies.com/wp-content/uploads/201843.image0.jpg

e2-e4 – This one gave me some trouble at first since I didn’t take the time to identify Chester’s user ID, so after several wrong guesses I realized that Chester may not have gone first.  This was confirmed by finding that Chester is user ID 237046613 in the Users Table.  So then, using the data in the moves table, x1=4 y1=1 identifies the pawn on e2 (the coordinates are zero-based: counting from the lower left of the chess board image, rank 1 = 0 and file a = 0), and x2=4 y2=3 means the pawn moved forward two squares to e4.  This is also validated by looking at line 3 of the moves table and examining the data column, which displays the prev_board (naming the pieces by their first initial, with empty squares identified by “e”).
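To make the zero-based coordinate mapping repeatable, here is an added example (my own code, not from the post and not the Zynga app's schema) that builds a small in-memory SQLite stand-in for the moves and users tables, converts x/y pairs to algebraic squares, and returns a given user's first move.  The table layout, column names and the opponent's user ID are assumptions made for the example; Chester's ID 237046613 is the one from the write-up.

```python
import sqlite3

FILES = "abcdefgh"

CHESTER_ID = 237046613   # user ID from the write-up's Users table
OPPONENT_ID = 111111111  # constructed opponent ID for the example


def square(x: int, y: int) -> str:
    """Zero-based (x, y) from the moves table -> algebraic square, e.g. (4, 1) -> 'e2'."""
    if not (0 <= x < 8 and 0 <= y < 8):
        raise ValueError(f"off-board coordinate ({x}, {y})")
    return f"{FILES[x]}{y + 1}"


def move_notation(x1: int, y1: int, x2: int, y2: int) -> str:
    """Render a from/to pair in the CTF's 'A1-B2' style."""
    return f"{square(x1, y1)}-{square(x2, y2)}"


def build_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for wf_database.sqlite. The schema and rows are
    constructed for this example; the real app's column names may differ."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (user_id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE moves (game_id INTEGER, move_index INTEGER, user_id INTEGER,
                            x1 INTEGER, y1 INTEGER, x2 INTEGER, y2 INTEGER);
    """)
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(CHESTER_ID, "chess.master.chester"), (OPPONENT_ID, "opponent")])
    conn.executemany("INSERT INTO moves VALUES (?, ?, ?, ?, ?, ?, ?)", [
        (1, 0, OPPONENT_ID, 3, 6, 3, 4),   # d7-d5: the opponent moved first
        (1, 1, CHESTER_ID,  4, 1, 4, 3),   # e2-e4: Chester's first move
        (1, 2, OPPONENT_ID, 3, 4, 4, 3),   # d5 takes e4
        (1, 3, CHESTER_ID,  6, 0, 5, 2),   # g1-f3
    ])
    conn.commit()
    return conn


def moves_by(conn: sqlite3.Connection, user_id: int):
    """All moves by one user, in game/move order, as 'from-to' strings."""
    rows = conn.execute(
        "SELECT x1, y1, x2, y2 FROM moves WHERE user_id = ? ORDER BY game_id, move_index",
        (user_id,)).fetchall()
    return [move_notation(*row) for row in rows]


def first_move_by(conn: sqlite3.Connection, user_id: int):
    """The user's first recorded move, or None if the user never moved."""
    moves = moves_by(conn, user_id)
    return moves[0] if moves else None


if __name__ == "__main__":
    conn = build_sample_db()
    print("Chester's first move:", first_move_by(conn, CHESTER_ID))
    print("all of Chester's moves:", moves_by(conn, CHESTER_ID))
```

Against the real extraction you would open `wf_database.sqlite` with `sqlite3.connect` instead of `build_sample_db`, confirm the user ID in the users table first (the mistake described above), and adjust the column names to whatever the table actually uses.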


  • Take the Red Pill, Chester - Chester configured a moving matrix background on his phone. What did Chester set the falling speed of the characters to?

*Demonstration video located at data/media/0/AzRecorderFree

50 – Found while reviewing the installed apps in the ALEAPP report (com.gulshansingh.hackerlivewallpaper).  I then manually found in Windows Explorer the preferences stored in an .xml file located at data\data\com.gulshansingh.hackerlivewallpaper\shared_prefs.  Viewing the .xml in Notepad++ you can see the “fallin speed” value is 50.


  • Best Foot Forward - What was the percentage likelihood that the Android user was walking on Fri Mar 6 2020 at 20:50:27 UTC

95 – This was found based on my prior knowledge of data stored by Google in the Takeout related to Location History.  I searched in the Takeout\Location History directory and then opened the “Location History.json” in Notepad++ with the JSON Viewer Plugin.  Then I used an online time converter to convert the Time/Date Stamp from the question into EPOCH and searched for the EPOCH value in Notepad++, which showed a confidence of 95 for Walking.
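The same lookup done in code, as an added example that is mine and not from the post: convert the question's timestamp to epoch milliseconds and search a Location History JSON for the activity record at that instant.  The JSON fragment below is constructed in the shape of the older Takeout "Location History.json" (a `locations` list whose entries carry an `activity` list with `timestampMs` and per-type `confidence` values); it is not the real file, and the coordinates and timestamps in it are made up.

```python
import json
from datetime import datetime, timezone

# Constructed fragment in the shape of the older Takeout "Location History.json"
# (locations[] -> activity[] -> activity[] of {type, confidence}). Not the real file.
SAMPLE_LOCATION_HISTORY = json.dumps({
    "locations": [
        {
            "timestampMs": "1583527800000",
            "latitudeE7": 603912345, "longitudeE7": 53245678,
            "activity": [
                {"timestampMs": "1583527827000",
                 "activity": [{"type": "WALKING", "confidence": 95},
                              {"type": "ON_FOOT", "confidence": 95},
                              {"type": "STILL", "confidence": 5}]},
                {"timestampMs": "1583527900000",
                 "activity": [{"type": "IN_VEHICLE", "confidence": 80}]},
            ],
        },
        {"timestampMs": "1583528000000", "latitudeE7": 603912400, "longitudeE7": 53245700},
    ]
})


def to_epoch_ms(text: str) -> int:
    """'Fri Mar 6 2020 20:50:27 UTC' (the question's format) -> milliseconds since the epoch."""
    dt = datetime.strptime(text, "%a %b %d %Y %H:%M:%S UTC").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) * 1000


def activity_records(history_json: str):
    """Flatten every activity record in the file to (timestamp_ms, [guesses])."""
    data = json.loads(history_json)
    for loc in data.get("locations", []):
        for act in loc.get("activity", []):
            yield int(act.get("timestampMs", -1)), act.get("activity", [])


def activity_confidence(history_json: str, epoch_ms: int, activity_type: str):
    """Confidence (0-100) for activity_type in the record whose timestampMs equals
    epoch_ms, or None when no record or no such type exists at that instant."""
    for ts, guesses in activity_records(history_json):
        if ts != epoch_ms:
            continue
        for guess in guesses:
            if guess.get("type") == activity_type:
                return guess.get("confidence")
    return None


def top_activity(history_json: str, epoch_ms: int):
    """(type, confidence) of the highest-confidence guess at epoch_ms, or None."""
    for ts, guesses in activity_records(history_json):
        if ts == epoch_ms and guesses:
            best = max(guesses, key=lambda g: g.get("confidence", 0))
            return best.get("type"), best.get("confidence")
    return None


if __name__ == "__main__":
    when = to_epoch_ms("Fri Mar 6 2020 20:50:27 UTC")
    print("epoch ms:", when)
    print("WALKING confidence:", activity_confidence(SAMPLE_LOCATION_HISTORY, when, "WALKING"))
    print("top guess:", top_activity(SAMPLE_LOCATION_HISTORY, when))
```

The conversion replaces the online time converter step; on a full Takeout file, read it with `open(...).read()` and pass the string in the same way.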


 

2021 Crack Me If You Can Contest Write-Up

Once again KoreLogic hosted the Crack Me If You Can password cracking contest during DEFCON 29.  I participated in the Street Division as a ...