Thursday, May 30, 2013

CodeGate CTF 2012 Forensics 400

CodeGate2012 Forensics400

Hints given to us:
An APT (Advanced Persistent Threat) occurred at Energy Corporate X, which is located in Seoul.
For 6 months, Attacker A has stolen critical information with an elaborate attack.
Attacker A exerted great effort to remove all his traces, such as malicious files, prefetch, registry and event logs, for the period of the attack,
so it was hard for Energy Corporate X to find the attack path.
However, IU, who is a forensic expert, can find the traces of the malicious files Attacker A used by analyzing the MFT (Master File Table).
At what time was the malicious file created? The time is based on Korea Standard Time (UTC +09:00).
Answer: YYYY-MM-DDThh:mm:ss.sTZD
(TZD : +hh:mm or -hh:mm). Calculate down to seven decimal points. (e.g. 2012-02-25T10:20:33.1234567+??:??)
Download : 9327ACF33377C03DAFA46CE98B5DB4D0

This is a mirror of the original file:
9327ACF33377C03DAFA46CE98B5DB4D0.zip

Recommended Tools:
analyzeMFT V1.7 (http://code.google.com/p/opensourceforensics/downloads/detail?name=analyzeMFT-V1-7-x86.exe&can=2&q=)

Analysing the File:
Using TRiD, I know that it's a 7-zip file. So when I extracted the contents, it was a $MFT file.
Could this be an MFT file?
Further checks on this file proved that it is indeed an MFT file.

Ok, so I used analyzeMFT with this file.
Using the following command, I was able to extract valuable information from the MFT file.
analyzeMFT-V1-7-x86.exe -f $MFT -o forensics400.csv

Since the objective is to find the malicious file, which might have been deleted, I did a quick find on "recycle" & ".exe" in the forensics400.csv file.
I found 2 files in the recycle bin: /$Recycle.Bin/cc.dat and /$Recycle.Bin/r32.exe.
As the hint was about a malicious file, maybe I should focus on r32.exe first, as shown in the image below.

Solving the Puzzle:
Using all the information that we have gathered thus far, and the hints given:
Answer: YYYY-MM-DDThh:mm:ss.sTZD
(TZD : +hh:mm or -hh:mm). Calculate down to seven decimal points. (e.g. 2012-02-25T10:20:33.1234567+??:??)

"2012-02-23T01:39:18.897461" seems like the answer. But wait, it requires 7 decimal points. Maybe I should add a 0 behind it.
However, using the above key, I got it wrong. After some reading up, it seems like the fault is due to analyzeMFT.
It auto-corrects the time to my timezone (+8), whereas the challenge requires me to be in the +9 timezone.
So either I change my system time to +9 or I just add 1 more hour to it.
Being the lazy pig that I am, I chose the latter option.
The correct key for Forensics 400 is: 2012-02-23T02:39:18.8974610
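As an added example (not part of the original writeup, and not analyzeMFT's code), here is the timestamp handling done directly: an NTFS FILETIME is a count of 100-nanosecond ticks since 1601-01-01 UTC, so decoding the raw 8-byte value from $STANDARD_INFORMATION yields all seven decimal places and lets you pick the target zone explicitly instead of inheriting the analysis machine's timezone. The sample FILETIME below is constructed to match the writeup's result; the second function reproduces the manual "+1 hour, pad a 0" fix applied to the tool's local-time string.

```python
import struct
from datetime import datetime, timedelta, timezone

# NTFS FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
KST = timezone(timedelta(hours=9))   # Korea Standard Time, the zone the challenge asks for


def filetime_to_iso(ticks: int, tz: timezone = KST) -> str:
    """Render a raw FILETIME as YYYY-MM-DDThh:mm:ss.sssssss+hh:mm in zone tz.

    datetime only stores microseconds, so the seventh digit (ticks % 10)
    is carried separately rather than being rounded away.
    """
    micro, tenth_micro = divmod(ticks, 10)
    dt = (FILETIME_EPOCH + timedelta(microseconds=micro)).astimezone(tz)
    offset = dt.strftime("%z")                      # e.g. "+0900"
    return (f"{dt:%Y-%m-%dT%H:%M:%S}.{dt.microsecond:06d}{tenth_micro}"
            f"{offset[:3]}:{offset[3:]}")


def raw_filetime_to_iso(raw: bytes, tz: timezone = KST) -> str:
    """Decode the 8-byte little-endian FILETIME exactly as it is stored on disk."""
    (ticks,) = struct.unpack("<Q", raw)
    return filetime_to_iso(ticks, tz)


def rezone_analyzemft(ts: str, src_offset_hours: int, tz: timezone = KST) -> str:
    """Re-express a tool-rendered local timestamp (no zone, 6 decimals) in zone tz.

    Mirrors the writeup's manual fix: treat the string as src_offset_hours, shift it
    to tz and pad to seven decimals. The seventh digit was already dropped by the
    tool, so it can only be shown as 0 here.
    """
    src = timezone(timedelta(hours=src_offset_hours))
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f").replace(tzinfo=src).astimezone(tz)
    offset = dt.strftime("%z")
    return f"{dt:%Y-%m-%dT%H:%M:%S}.{dt.microsecond:06d}0{offset[:3]}:{offset[3:]}"


# Constructed sample: a creation FILETIME chosen to correspond to the writeup's key,
# serialised as it would appear inside a $STANDARD_INFORMATION attribute.
SAMPLE_TICKS = 129744059588974610
SAMPLE_RAW = SAMPLE_TICKS.to_bytes(8, "little")

if __name__ == "__main__":
    print(raw_filetime_to_iso(SAMPLE_RAW))                    # 2012-02-23T02:39:18.8974610+09:00
    print(rezone_analyzemft("2012-02-23T01:39:18.897461", 8))  # same value, via the tool's +08:00 string
```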

cheers
0x4a61636f62
