Some of the Forensics Challenges from Hacktoberfest CTF 2020.
Loading...
Loading...
The amcache can be a pretty handy tool to help build out a timeline of execution during an investigation, and is always located in \%SystemRoot%\AppCompat\Programs\Amcache.hve what was the application
So the description for this challenge briefly explains what amcache is, and also gives a link to a file.
If you want more information on Amcache, this is a great link.
So upon research, I found RegRipper can be used to do this, however, there are plenty of other great tools out there. The one I decided to use for this challenge was AmCacheParser.
AmCacheParser runs on Windows and is basically a tool to analyse and "parse" Amcache. so the command we run this through the windows command prompt.
We run the above command in the AmcacheParser folder. To break this down we run AmcacheParser.exe taking the -f argument which tells the tool which file to take as an input, we then specify the file given which was Amcache.hve. We also need to give an output for the files, this is the --csv part of the command and we specify the folder next. This will run the tool and the output will be in the file OutputFolder, or whatever you chose to name it.
So as the above image shows, we now have a lot of Excel files to sort through, I first re-read the description to see what we needed and it led me to look in the 20201017155041_Amcache_UnassociatedFileEntries entry, which looks a bit like this:
Once here i then used the find tool (CTRL + F) to search for mpowers which was the user given to us by the description. Below are the entries for mpowers, more specifically from the full path column.
Full Path:
c:\users\mpowers\appdata\local\temp\d930e9b6-7d1b-4a5d-804e-ce667e431ff9\dismhost.exe
c:\users\mpowers\desktop\ftk imager\ftk imager.exe
c:\users\mpowers\downloads\python-3.7.0-amd64-webinstall.exe
c:\users\mpowers\appdata\local\temp\4{b04d01b2-0174-4ef5-8fb5-84584c0964f5}.be\python-3.7.0-amd64-webinstall.exe
c:\users\mpowers\appdata\local\temp\4{4a1d9cda-5382-4f04-b44d-51927f9c602a}.cr\python-3.7.0-amd64-webinstall.exe
c:\users\mpowers\desktop\sub-win-x64_104.148.109.124_5682_3262.exe
So as shown above, we have quite a lot of file paths. We were told to find what he installed, so I instantly looked deeper at the python install executables. It is very clear he installed Python on the system so i tried the flag as flag{python} and we scored the flag.
Writeup created by Chris Harris (@cjharris18)
We found some unusual activity coming from an employee's Windows 10 workstation at De Monne Financial. Our IT guy saved the memory dump to the file provided below. What was the PID of the program used
For this challenge, you get given a mem.raw file. So initially this along with the title screams memory forensics and so the main program that comes to mind is Volatility, if unfamiliar with this tool, it can be best described as a memory forensics tool to help you look at memory captures of RAM. This tool should be automatically installed on Kali, but other distros should follow install instructions found on the GitHub page (linked above).
It is worth noting I used Volatility 2 in this writeup, the syntax for Volatility 3 is similar, just replace volatility with vol3 it could also be worth noting that depending on your install, you might need to run it as volatility.py
So to start with you run the following command with a memdump/raw format, the imageinfo plugin will provide basic information on the memory capture:
Breaking this command down we have the name of the program volatility followed by -f which tells volatility to take in the file mem.raw, then as outlined above the imageinfo plugin gives us basic information on the image. I then personally followed it with > raw_imageinfo.txt just so I have it saved in a text file should i need it earlier. This is not essential, however i reccomend it, especially for when Volatility can have a lot of input, it also gives you the power of tools like grep and awk.
Then we take the profile, normally we take the first however it won't always work, luckily ,in this case, it was the first profile which is Win10x64_1734.
We then run the following command as we were told we needed the PID so automatically i decided to look at the processes, now this can be done with either the pstree plugin or the pslist plugin, the difference is mainly that pstree gives us a more visual representation of which process was launched by which, whereas pslist lists them all. I chose pstree, the command is shown below:
Breaking this down, we have the volatility -f raw.mem as I mentioned before which initialises Volatility along with specifying the file. The big difference here is that we now specify a profile as shown by the --profile=Win10x64_1734 part of our command, when we ran imageinfo we took the profile and now we need to specify it to Volatility to run further plugins. The next part of our command is pstree which as outlined above creates a tree of all processes on the system. I then also save this in a file again with > raw_pstree.txt which helps me with things like grep but also means I only need to run this command once. Below is a shortened output for the sake of the writeup:
Now if we scroll down we see the below process:
I assumed this was the process as we know it was a Windows system from the challenge description. So for the flag, we simply took the PID which was 3348, which we then submitted as the flag in the form specified which was: flag{3348}.
Writeup created by Chris Harris (cjharris).
