June 12, 2023
AfricanFalls is a medium-difficulty forensics challenge. We’re given an AD1 image of a drive and tasked with reconstructing the suspect’s actions. We’ll be using FTK Imager to examine the suspect’s drive and extract information such as browsing history, software execution, and more.
John Doe was accused of doing illegal activities. A disk image of his laptop was taken. Your task as a SOC analyst is to analyze the image and understand what happened under the hood.
What is the MD5 hash value of the suspect disk?
First, we’ll load the image into FTK Imager. Once it’s imported, right-click the .ad1 file and select Verify Drive/Image from the menu; FTK Imager computes the MD5 and SHA1 of the image and compares them with the hashes stored in the AD1 container.
What phrase did the suspect search for on 2021–04–29 18:17:38 UTC? (three words, two spaces in between)
We’ll start by taking a look at what software is installed on the suspect’s device. One way to accomplish this is to check the registry on the forensic image. We’ll do this by exporting the SOFTWARE hive from the image.
Once you’ve located it, right-click the SOFTWARE file and export.
We’ll find lists of installed applications in the following keys:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Among the items in the list, we can see that Brave and Chrome are installed along with Edge.
We’ll start by looking into Brave’s browsing history. A quick Google search tells us the history file is located at “C:\Users\[username]\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\History”.
The history file is a SQLite database, as the “SQLite format 3” header in the hex output shows, so we can load it into a program such as DB Browser for SQLite.
Unfortunately, the timestamps are encoded. After some research, and knowing that Brave is Chromium-based, we can conclude that they are Chromium timestamps (microseconds since 1601-01-01 00:00:00 UTC). We can use a tool like DCode Timestamp Decoder from Digital Detective to convert the time.
Note: Be sure to set the Time Zone in Dcode to UTC.
We can take the Chromium time values and filter for them in DB Browser. Sadly, there are no hits in Brave’s history, so we’ll move on and try Chrome’s history, extracting the file from FTK Imager the same way as before.
This time, we get a match.
Alternatively, we could use a tool like ChromeHistoryView from NirSoft. One of the benefits of this tool is that it decodes the timestamp for us.
Note: Be sure to set ChromeHistoryView to use UTC (GMT) time. Unfortunately, there doesn’t seem to be a way to set it to 24-hour timestamps, so keep that in mind as well.
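The timestamp decoding and the filtering described above can also be scripted. The code below is an added example, not part of the original writeup: it converts between Chromium time and UTC strings, builds a constructed in-memory stand-in for a History database (a subset of the real urls/visits schema, with a placeholder search phrase rather than the challenge answer), and pulls the q= search term of any visit within a second of a given UTC time.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Chromium (WebKit) time: microseconds since 1601-01-01 00:00:00 UTC
CHROMIUM_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FMT = "%Y-%m-%d %H:%M:%S"

def chromium_to_utc(value: int) -> str:
    """Decode a last_visit_time / visit_time value to 'YYYY-MM-DD HH:MM:SS' UTC."""
    return (CHROMIUM_EPOCH + timedelta(microseconds=value)).strftime(FMT)

def utc_to_chromium(text: str) -> int:
    """Encode a UTC timestamp string as a Chromium timestamp (for filtering)."""
    when = datetime.strptime(text, FMT).replace(tzinfo=timezone.utc)
    delta = when - CHROMIUM_EPOCH
    return (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds

def build_sample_history() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a History file (subset of the real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);
    """)
    rows = [  # constructed visits; the phrase is a placeholder, not the challenge answer
        (1, "https://www.google.com/search?q=constructed+sample+query", "2021-04-29 18:17:38"),
        (2, "https://example.org/", "2021-04-29 18:20:00"),
    ]
    for url_id, url, when in rows:
        ts = utc_to_chromium(when)
        conn.execute("INSERT INTO urls VALUES (?,?,?,?,?)", (url_id, url, "", 1, ts))
        conn.execute("INSERT INTO visits VALUES (?,?,?)", (url_id, url_id, ts))
    conn.commit()
    return conn

def search_terms_at(conn: sqlite3.Connection, when: str, window_s: int = 1) -> list:
    """Return the q= search phrases of visits within window_s seconds of `when` (UTC)."""
    target = utc_to_chromium(when)
    lo, hi = target - window_s * 1_000_000, target + window_s * 1_000_000
    sql = ("SELECT u.url FROM visits v JOIN urls u ON u.id = v.url "
           "WHERE v.visit_time BETWEEN ? AND ? ORDER BY v.visit_time")
    phrases = []
    for (url,) in conn.execute(sql, (lo, hi)):
        q = parse_qs(urlparse(url).query).get("q")
        if q:
            phrases.append(q[0])
    return phrases
```

Against a real History file, open it with sqlite3.connect on an exported copy (the live file is locked while the browser runs); Chromium also records search phrases directly in its keyword_search_terms table, which is worth checking alongside the URL parse.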
What is the IPv4 address of the FTP server the suspect connected to?
We looked at the list of installed software earlier and, referring back to it, we can see that among the applications is an FTP client called FileZilla. Alongside the Brave and Chrome AppData folders was a FileZilla folder. Checking that location turns up nothing noteworthy; however, there are some XML files under AppData\Roaming\FileZilla, most notably a file named recentservers.xml.
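To show what recentservers.xml holds, here is an added example that is not part of the original writeup: a constructed copy of the file (host, port and user are placeholders, not values from the challenge image) and a small parser that lists each recent server entry.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for AppData\Roaming\FileZilla\recentservers.xml; the host,
# port and user are placeholders, not values taken from the challenge image.
SAMPLE_RECENTSERVERS = """<FileZilla3 version="3.53.1" platform="windows">
  <RecentServers>
    <Server>
      <Host>192.0.2.10</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Type>0</Type>
      <User>placeholder_user</User>
      <Logontype>1</Logontype>
    </Server>
  </RecentServers>
</FileZilla3>
"""

# Protocol values FileZilla writes for plain FTP and SFTP; anything else is reported raw.
PROTOCOLS = {"0": "FTP", "1": "SFTP"}

def recent_servers(xml_text: str) -> list:
    """Return one dict per <Server> entry: host, port, protocol name and user."""
    root = ET.fromstring(xml_text)
    servers = []
    for srv in root.iter("Server"):
        text = lambda tag: (srv.findtext(tag) or "").strip()
        proto = text("Protocol")
        servers.append({
            "host": text("Host"),
            "port": int(text("Port") or 0),
            "protocol": PROTOCOLS.get(proto, "protocol " + proto),
            "user": text("User"),
        })
    return servers
```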
What date and time was a password list deleted in UTC? (YYYY-MM-DD HH:MM:SS UTC)
We can access the Recycle Bin in FTK Imager, which lists subdirectories named by SID. We’ll confirm the suspect’s SID first.
We can see that the file was C:\Users\John Doe\Downloads\10-million-password-list-top-100.txt and that the Delete flag is marked as True.
Note: The answer format is in 24-hour time, so convert accordingly.
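The original name and deletion time that FTK Imager displays for a recycled file come from the $I index record Windows writes beside each $R file under $Recycle.Bin\<SID>\. The parser below is an added example, not from the original writeup: it builds a constructed version-2 $I record (placeholder size and deletion time; the path is the one named above) and decodes the FILETIME into the answer format.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME: 100-nanosecond intervals since 1601-01-01 00:00:00 UTC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FMT = "%Y-%m-%d %H:%M:%S"

def filetime_to_utc(value: int) -> str:
    """Decode a FILETIME to 'YYYY-MM-DD HH:MM:SS' in UTC (24-hour clock)."""
    return (FILETIME_EPOCH + timedelta(microseconds=value // 10)).strftime(FMT)

def parse_recycle_bin_index(data: bytes) -> dict:
    """Parse a $I<random>.<ext> record: version, original size, deletion time, path."""
    version, size, deleted = struct.unpack_from("<QQQ", data, 0)
    if version == 2:            # Windows 10 and later: length-prefixed UTF-16LE name
        (name_len,) = struct.unpack_from("<I", data, 24)
        name = data[28:28 + name_len * 2].decode("utf-16-le").rstrip("\x00")
    elif version == 1:          # Vista to 8.1: fixed 260-character UTF-16LE field
        name = data[24:24 + 520].decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError(f"unknown $I version {version}")
    return {"version": version, "size": size,
            "deleted_utc": filetime_to_utc(deleted), "path": name}

def build_sample_index(path: str, size: int, deleted_utc: str) -> bytes:
    """Constructed version-2 $I record with placeholder values (not from the image)."""
    when = datetime.strptime(deleted_utc, FMT).replace(tzinfo=timezone.utc)
    delta = when - FILETIME_EPOCH
    filetime = (delta.days * 86400 + delta.seconds) * 10_000_000
    name = (path + "\x00").encode("utf-16-le")
    return struct.pack("<QQQI", 2, size, filetime, len(path) + 1) + name
```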
How many times was Tor Browser run on the suspect’s computer? (number only)
We can find this information using Windows Prefetch data. An easy way is to use Eric Zimmerman’s tool PECmd, which parses the prefetch files and saves the results to CSV. We can then use another of Zimmerman’s tools, Timeline Explorer, to view the data.
In this case, the command is PECmd.exe -d "<path\to\prefetch\folder>" --csv "<path\to\output\folder>".
Note: You will need to export the Prefetch folder under the Windows directory or mount the forensic image.
The only Tor executable listed is the installer; the browser itself has never been run.
What is the suspect’s email address?
Going back to the browser history, we can filter for URLs containing mail.
Browser history, filtered for 'mail'
Additionally, if we check the timestamp and the surrounding browsing history, we see that the email account was used shortly after the user viewed the password list we saw in the Recycle Bin.
What FQDN did the suspect port scan?
Among the installed software in the Registry, we see Nmap, so we’ll look for command execution history in our image. After some research, it appears that PowerShell saves its command history to “%APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt”. Once we locate the ConsoleHost_history.txt file in FTK Imager, we can look for Nmap activity.
We can see a few commands using Nmap, but only one uses an FQDN.
What country was picture “20210429_152043.jpg” allegedly taken in?
We can find the photo in the Pictures folder. Once we extract the image we can use a variety of tools to determine the location based on EXIF data.
What is the parent folder name picture “20210429_151535.jpg” was in before the suspect copied it to the “contact” folder on his desktop?
This one is a bit tricky; we’ll start by examining the EXIF data of the image. We can see that the photo was taken with an LG LM-Q725K.
Make and model of the camera
We can then check to see if any ShellBags can help us.
Note: Shellbags track open windows, their positions, sizes, etc. https://www.magnetforensics.com/blog/forensic-analysis-of-windows-shellbags/
We can get the Shellbags from NTUSER.dat and UsrClass.dat. We can find the UsrClass.dat file for John Doe at Users\John Doe\AppData\Local\Microsoft\Windows\UsrClass.dat.
With the file extracted from the forensic image, we can load it into another of Eric Zimmerman’s tools called ShellBags Explorer.
In ShellBags Explorer we can see there was an LG Q7 attached to the computer and accessed by John Doe. As this was the device used to take the photo, we can assume that the source folder is DCIM\Camera.
The Windows password hashes for an account are below. What is the user’s password?
Anon:1001:aad3b435b51404eeaad3b435b51404ee:3DE1A36F6DDB8E036DFD75E8E20C4AF4:::
Before we try to crack the hash ourselves, we can throw it into an online tool to see if we get lucky. No luck with CrackStation.net, but Hashes.com succeeded.
What is the user “John Doe’s” Windows login password?
We can use the infamous Mimikatz to dump John Doe’s password hash.
We’ll need to extract the SYSTEM and SAM hives from the forensic image. We can find these hives in the same location we found the SOFTWARE hive way back in Q2 (Windows\System32\config).
Once the hives are extracted, launch mimikatz from PowerShell or Command Prompt. With mimikatz running, execute the command lsadump::sam /system:SYSTEM /sam:SAM
Dumping hashes with Mimikatz
John Doe's password hash
With that, we’ll throw it into an online tool, starting with Hashes.com, and see if we get lucky again, which we do.
We can try to crack the passwords ourselves using Hashcat or John the Ripper; however, the password doesn’t seem to be in popular wordlists.
Alternatively, we can attempt to brute-force the hashes.
I ran hashcat before throwing the hashes into CrackStation.net and Hashes.com and it was able to brute-force John Doe’s password in less than 2 minutes. It had not cracked the hash from Q10 by the time I finished writing this.
This was a fun challenge with lots of evidence to track down and correlations to hunt for. We were able to draw lines between many different artifacts to build a timeline of events using Windows forensic sources such as ShellBags, Run keys, Prefetch, and PowerShell history.