August 22, 2024
For this challenge, we’ve been tasked with investigating a disk image to find evidence of a gang’s planned attack. We’ll use Autopsy and ThumbCache Viewer to uncover the gang’s plans and target.
NYC Police received information that a gang of attackers has entered the city and is planning to detonate an explosive device. Law enforcement has begun investigating all leads to determine whether the threat is real or a hoax.
Persons of interest were taken into custody, and one additional suspect named ‘Zerry’ was detained while officers raided his house. During the search they found one laptop, collected the digital evidence, and sent it to the NYC digital forensics division.
Police believe Zerry is directly associated with the gang and are analyzing his device to uncover any information about the potential attack.
Verify the Disk Image. Submit SectorCount and MD5 (7 points)
We’ve been provided with the FTK Imager image summary in the Desktop\Investigation Files\Disk Image\Zerry directory. The sector count and MD5 hash of the image can be read straight from that summary.
We’ll confirm that the image Autopsy processed is the same one by loading the case and checking the Container tab under the Zerry.E01 data source, where the image size and hash values should match the summary.
Before we jump into the questions, we’ll get a quick idea of what kind of activity was taking place on the device. Within the Zerry.E01 data source, the Summary -> User Activity tab lists recent programs, domains, searches, and devices.
This summary shows that TeamViewer, Tor, Eraser, and Signal were recently executed. Eraser is a secure-deletion tool, so we should expect that some files of interest may no longer exist on the disk and will have to be recovered from other artifacts.
What is the decryption key of the online messenger app used by Zerry?
Thanks to the Summary provided by Autopsy, we already know Zerry was using Signal.
With that knowledge, we’ll dig into Signal’s configuration files and see what we can find.
Navigating to AppData\Roaming reveals the Signal directory, where we’ll find a config.json file containing a single entry: a hex-encoded key.
After a little googling, we can see that this is the key Signal Desktop uses to encrypt its local message database, stored in plaintext right next to the database it protects.
Note: You can read more about this here: https://www.bleepingcomputer.com/news/security/signal-desktop-leaves-message-decryption-key-in-plain-sight/
What is the registered phone number and profile name of Zerry in the messenger application used?
Signal stores conversations, messages and other data in its db.sqlite file located under AppData\Roaming\Signal\sql. The database is SQLCipher-encrypted with the key we just recovered.
We’ll export this file and load it with DB Browser for SQLite (a build with SQLCipher support).
In the encryption dialog, change the password type to Raw Key and enter the key. Note: the key must be prefixed with 0x.
With the database loaded, we can navigate to the Conversations table and see Zerry’s profile name and phone number.
What is the email id found in the chat?
For this task, we’ll navigate to the Messages table and view the “body” field.
We can see the conversation between Tom and Zerry, including the email address.
What is the filename(including extension) that is received as an attachment via email?
We can see in the conversation that a file was sent to the eekurk@baybabes.com email address via Tor.
Signal stores message timestamps as Unix epoch time in milliseconds, so we’ll convert them and compare them to artifacts found in Autopsy. Note: you can use https://www.epochconverter.com/ to convert timestamps; treat the values as milliseconds, and keep both sides in the same time zone (Autopsy’s display time zone is configurable) before comparing.
The converted timestamp of the “yup received” message is Sunday, January 17, 2021 6:25:16.179 AM. The converted timestamp of the “Erased” message is Sunday, January 17, 2021 6:27:00.662 AM.
Let’s check the Recent Documents in Autopsy to see what we find.
The only interesting result is the ⏳📅.lnk shortcut.
Its target path is odd and points inside Zerry’s home directory.
Checking the metadata of the file we can see the various timestamps associated with it.
The timestamps line up with the chat, so it’s fairly safe to assume that this is indeed the file.
Note: the Created and MFT Entry Modified timestamps deserve a closer look. Created is the creation time recorded in the file’s $STANDARD_INFORMATION attribute; it can predate the file’s arrival on this host when the transfer preserved the original timestamp (or when it was deliberately altered). MFT Entry Modified records the last change to the file’s MFT record; for a file that was freshly written and not touched since, that is effectively when the record was created on this volume. In other words, the file was likely created by Tom at 6:24 and landed on Zerry’s machine at 6:26.
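The steps above (reading the profile and number from the Conversations table, pulling message bodies from the Messages table, converting the millisecond timestamps, and lining them up against the recovered file’s NTFS timestamps) can be done in a few lines once the database is decrypted. The following is an added example written for this walkthrough, not code from the original post or from Signal. It does not perform the SQLCipher decryption itself (use DB Browser for SQLite as above, or the sqlcipher CLI with PRAGMA key = "x'<hex>'"); instead it builds an in-memory SQLite stand-in whose column names follow Signal Desktop’s conversations and messages tables (assumed), with constructed rows whose sent_at values match the times quoted above. The file timestamps are likewise constructed: only the hours and minutes come from the text.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def ms_to_utc(ms):
    """Signal Desktop's sent_at/received_at columns are milliseconds since the Unix
    epoch. timedelta keeps the millisecond exact; ms / 1000 as a float would not."""
    return EPOCH + timedelta(milliseconds=ms)


def fmt_utc(ms):
    """Render a millisecond epoch as 'YYYY-MM-DD HH:MM:SS.mmm' in UTC."""
    return ms_to_utc(ms).strftime("%Y-%m-%d %H:%M:%S.%f")[:-3]


def build_sample_db():
    """Constructed stand-in for the decrypted db.sqlite. Column names follow Signal
    Desktop's conversations/messages tables (assumed); every row is made up, with
    sent_at values chosen to match the times quoted in the walkthrough."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE conversations (id TEXT, type TEXT, name TEXT,
                                    profileName TEXT, e164 TEXT);
        CREATE TABLE messages (id TEXT, conversationId TEXT, type TEXT,
                               body TEXT, sent_at INTEGER);
    """)
    con.executemany("INSERT INTO conversations VALUES (?,?,?,?,?)", [
        ("conv-self", "private", None, "Zerry", "+10000000000"),  # constructed
        ("conv-tom", "private", "Tom", "Tom", "+10000000001"),    # constructed
    ])
    con.executemany("INSERT INTO messages VALUES (?,?,?,?,?)", [
        ("m1", "conv-tom", "incoming", "sent it to eekurk@baybabes.com over tor", 1610864600000),
        ("m2", "conv-tom", "outgoing", "yup received", 1610864716179),
        ("m3", "conv-tom", "outgoing", "Erased", 1610864820662),
    ])
    return con


def profiles(con):
    """Display name (falling back to profileName) and E.164 number per conversation."""
    rows = con.execute("SELECT name, profileName, e164 FROM conversations")
    return [(name or profile, e164) for name, profile, e164 in rows]


def timeline(con):
    """Messages in send order with sent_at rendered in UTC."""
    rows = con.execute("SELECT sent_at, type, body FROM messages ORDER BY sent_at")
    return [(fmt_utc(ts), kind, body) for ts, kind, body in rows]


def sent_between(con, when, first_body, last_body):
    """True if an NTFS timestamp (e.g. the file's MFT Entry Modified time) falls
    between the messages whose bodies are first_body and last_body. This is the
    correlation the walkthrough does by hand with epochconverter.com."""
    sent = {body: ms_to_utc(ts) for ts, body in
            con.execute("SELECT sent_at, body FROM messages")}
    return sent[first_body] <= when <= sent[last_body]


# Constructed NTFS timestamps for the recovered file; only the hours and minutes
# come from the walkthrough, the seconds are invented.
SAMPLE_CREATED = datetime(2021, 1, 17, 6, 24, 30, tzinfo=timezone.utc)
SAMPLE_ENTRY_MODIFIED = datetime(2021, 1, 17, 6, 26, 10, tzinfo=timezone.utc)


def created_predates_arrival(created, entry_modified):
    """Created older than Entry Modified means the file carried a creation time from
    elsewhere (a transfer that preserved it, or timestomping); the MFT record was
    written later, when the file hit this volume."""
    return created < entry_modified


if __name__ == "__main__":
    con = build_sample_db()
    for who in profiles(con):
        print("conversation:", *who)
    for when, kind, body in timeline(con):
        print(when, kind, body)
    print("file landed during the chat:",
          sent_between(con, SAMPLE_ENTRY_MODIFIED, "yup received", "Erased"))
    print("created before arrival:",
          created_predates_arrival(SAMPLE_CREATED, SAMPLE_ENTRY_MODIFIED))
```

Against the real evidence, point the same queries at the decrypted db.sqlite and feed sent_between the Entry Modified value Autopsy shows for the ⏳📅 file, converted to UTC so both sides use the same zone.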
We also saw this file, with its original PNG extension, in the Recent Files tab during our preliminary look at the device.
What is the Date and Time of the planned attack?
One of the tools we’ve been provided with is Thumbcache Viewer. It parses the thumbcache_*.db files, which can still hold previews of files that are no longer present on the disk.
Note: you can read more about Thumbcache Viewer here: https://thumbcacheviewer.github.io/
Note: you can read more about thumbcache forensics here: https://forensafe.com/blogs/thumbCache.html
We’ll need to export the thumbcache database files first. Thankfully the forensafe article gives us the full path to those files (they live under AppData\Local\Microsoft\Windows\Explorer).
With the files exported, we can drag the database files into Thumbcache Viewer and use Save All to write the thumbnails into a new directory.
Once the files are saved, we’ll open File Explorer, navigate to the directory, and enable thumbnail previews (large icons, with “Always show icons, never thumbnails” unchecked in Folder Options).
With thumbnails enabled, we can see all the images at a glance and spot the preview of the malicious file.
What is the GPS location of the blast? The format is the same as found in the evidence. [Hint: Encode(XX Degrees,XX Minutes, XX Seconds)]
Digging around the filesystem doesn’t turn up anything for this question.
Sticky Notes can be a good source of information, however, so we’ll dig into those and see what we can find.
Note: You can read more about sticky note forensics here - https://dingtoffee.medium.com/windows-sticky-notes-forensics-80ee31ab67ef
The full path to the Sticky Notes database is AppData\Local\Packages\Microsoft.MicrosoftStickyNotes.[…..]\LocalState.
We’ll view the plum.sqlite database in a new window from within Autopsy.
We can see that a single note was saved in the database. The digits and spacing are intact while the letters look scrambled, which suggests a simple letter substitution such as Rot13.
Let’s copy this text into CyberChef and see what we get.
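Rot13 is only a guess until it decodes cleanly, and a note that keeps its digits could just as well be any Caesar shift. The following is an added example written for this walkthrough, not code from the original post or from CyberChef: it strips the note’s leading id marker, tries all 26 shifts, and ranks them by how many of the words the hint leads us to expect (“Degrees”, “Minutes”, “Seconds”) show up. The sample note is constructed (Rot13 of a made-up coordinate string), not the note from the evidence, and the “\id=<guid> ” prefix mimics how Sticky Notes stores the Text column, which is an assumption.

```python
import re

# Constructed sample: ROT13 of a made-up coordinate string in the
# "XX Degrees, XX Minutes, XX Seconds" shape the hint describes. NOT the real note.
# The "\id=<guid> " prefix imitates the Sticky Notes Text column layout (assumed).
SAMPLE_NOTE = ("\\id=00000000-0000-0000-0000-000000000000 "
               "Gnetrg: 12 Qrterrf, 34 Zvahgrf, 56 Frpbaqf")

EXPECTED_TOKENS = ("degrees", "minutes", "seconds")


def strip_sticky_id(text):
    """Drop the '\\id=<guid>' marker Sticky Notes prepends to the note text (assumed)."""
    return re.sub(r"^\\id=[0-9a-fA-F-]{36}\s*", "", text)


def caesar(text, shift):
    """Shift ASCII letters by `shift` positions, leaving digits, punctuation and
    anything non-ASCII (emoji, accented letters) untouched. Negative shifts decode."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def score(text):
    """How many of the words the hint leads us to expect appear in a candidate."""
    low = text.lower()
    return sum(tok in low for tok in EXPECTED_TOKENS)


def candidates(note):
    """All 26 decodings of the note body as (shift, score, plaintext),
    best-scoring first; ties keep the lower shift."""
    body = strip_sticky_id(note)
    ranked = [(shift, score(caesar(body, -shift)), caesar(body, -shift))
              for shift in range(26)]
    ranked.sort(key=lambda t: (-t[1], t[0]))
    return ranked


def crack(note):
    """(shift, plaintext) of the best candidate; shift 13 is ROT13."""
    shift, _, text = candidates(note)[0]
    return shift, text


if __name__ == "__main__":
    for shift, hits, text in candidates(SAMPLE_NOTE)[:3]:
        print(f"shift {shift:2d} hits {hits}: {text}")
```

If no shift scores above zero, the note is not a Caesar variant and the next things to try in CyberChef are the other encodings that preserve digits and spacing (Atbash, keyword substitution), not a different shift.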