
Thursday, May 30, 2013

CodeGate CTF 2012 : Forensics - 100 Points

I find the challenges in the Forensics category well written and fun. They are good practice if you are involved in malware analysis and incident response.
The one thing that puts me off is the formatting required for the solution(s). Kudos to the organizer.

Hints given to us:
In order to steal financial information from Company X, IU got a job under cover.
She decided to attack the CFO's computer, and then inserted malicious code into his computer by way of social engineering.
She figured out that he did not usually turn off his computer when he got off work.
After he leaves the office, she obtains financial data from his computer by searching for EXCEL files.
By checking the installed application programs, she can find the information in the file. She leaks the file externally.
In order to remove all traces, she erases the malicious code, event logs and recent file list.
Company X has to figure out correctly what information she stole in order to take appropriate measures.
These are files from the CFO's computer. Find the full path and size of the file which she stole.
On the day, the CFO left the office at 14:00. The time is based on Korea Standard Time (UTC +09:00).
Answer: strlwr(md5(full_path|file_size)) ('|' is just a character)
Download : 525321B9CEDAF3C8D35FC9071D5DD237

This is the original file, which I had to split into multiple parts due to file size restrictions:
Files:
525321B9CEDAF3C8D35FC9071D5DD237.7z.001
525321B9CEDAF3C8D35FC9071D5DD237.7z.002
525321B9CEDAF3C8D35FC9071D5DD237.7z.003
525321B9CEDAF3C8D35FC9071D5DD237.7z.004


Recommended Tools:
Windows File Analyzer (http://mitec.cz/wfa.html)
TRiD (http://mark0.net/soft-trid-e.html)

Analysing the File:
TRiD shows that it is a 7-zip file. When I extract the contents, it looks like the entire "Users" folder of a Windows Vista or Windows 7 user.
According to the hints, our main objective is to find the EXCEL file. But wait, the hints also mention erasing all traces, so I cannot simply search for .xls files.
OK, maybe the attacker deleted the file, but let's see whether the attacker also removed it from the "Recent" folder in Office.

As we can see from the image below, there are two previously opened Excel files: [Top-Secret]_2011_Financial_deals and Carving파일분석



Of the two Excel filenames, it is most probably the one with "Top-Secret".
The objective is to find the full path and the file size first. Since the file itself is deleted, we are left with the .lnk files.
Let's see what other tool(s) I have in my arsenal here.
I quickly copied out the shortcut (the .lnk file) and opened it in WFA, which shows the required information in the image below.



Solving the Puzzle:
Using all the gathered information, and since the answer has to be of the form
Answer: strlwr(md5(full_path|file_size)) ('|' is just a character)

we run the following command in Linux (bash: its built-in echo leaves the backslashes untouched, and -n drops the trailing newline that would otherwise change the hash):
echo -n "C:\INSIGHT\Accounting\Confidential\[Top-Secret]_2011_Financial_deals.xlsx|9296" | md5sum

Using the md5 checksum that was returned, the key for Forensics 100 is: d3403b2653dbc16bbe1cfce53a417ab1
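WFA does the .lnk parsing for you, but the two fields the challenge needs (target path and target size) sit at fixed places in the Shell Link format, so they are easy to pull out without a GUI. The following is an added example, not code from the post: a minimal Shell Link parser (header FileSize field plus the LinkInfo LocalBasePath/CommonPathSuffix) and the key computation, run against a .lnk blob that is constructed in the code with the path and size from the writeup, since the challenge file itself is not included here.

```python
import hashlib
import struct

# Constants from the MS-SHLLINK specification (Shell Link header / LinkInfo).
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01

# Values taken from the writeup above; the .lnk bytes themselves are constructed below.
SAMPLE_PATH = r"C:\INSIGHT\Accounting\Confidential\[Top-Secret]_2011_Financial_deals.xlsx"
SAMPLE_SIZE = 9296

def _cstring(data, off):
    return data[off:data.index(b"\0", off)]

def parse_lnk(data):
    """Return (target_path, file_size) from the header and LinkInfo of a Shell Link."""
    hdr_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if hdr_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    file_size = struct.unpack_from("<I", data, 0x34)[0]   # header FileSize field
    pos = hdr_size
    if flags & HAS_LINK_TARGET_ID_LIST:                     # skip the IDList if present
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if not flags & HAS_LINK_INFO:
        return None, file_size
    _, _, info_flags, _, base_off, _, suffix_off = struct.unpack_from("<7I", data, pos)
    path = b""
    if info_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
        path += _cstring(data, pos + base_off)
    path += _cstring(data, pos + suffix_off)  # UNC-only links keep the share in the CNRL instead
    return path.decode("cp1252"), file_size

def codegate_key(path, size):
    """strlwr(md5(full_path|file_size)) exactly as the challenge demands."""
    return hashlib.md5(f"{path}|{size}".encode("utf-8")).hexdigest().lower()

def build_sample_lnk(path, size):
    """Constructed minimal .lnk (not the challenge's) carrying only the fields parsed above."""
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, HAS_LINK_INFO, 0x20,
                         0, 0, 0, size, 0, 1, 0, 0, 0, 0)
    volume_id = struct.pack("<4I", 17, 3, 0, 16) + b"\0"   # DRIVE_FIXED, empty label
    base, suffix = path.encode("cp1252") + b"\0", b"\0"
    base_off = 28 + len(volume_id)                          # 28 = LinkInfoHeaderSize
    suffix_off = base_off + len(base)
    info = struct.pack("<7I", suffix_off + len(suffix), 28, VOLUME_ID_AND_LOCAL_BASE_PATH,
                       28, base_off, 0, suffix_off)
    return header + info + volume_id + base + suffix
```

On a real shortcut from the Office Recent folder, pass the file's bytes to parse_lnk and feed the result to codegate_key.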

cheers
0x4a61636f62

CodeGate CTF 2012 Forensics 400

Hints given to us:
In Energy Corporate X, which is located in Seoul, an APT (Advanced Persistent Threat) occurred.
For 6 months, Attacker A stole critical information with an elaborate attack.
Attacker A exerted great effort to remove all his traces, such as malicious files, prefetch, registry and event logs, for the period of the attack,
so it was hard for Energy Corporate X to find the attack path.
However, IU, who is a forensic expert, can find the traces of the malicious files Attacker A used by analyzing the MFT (Master File Table).
What time was the malicious file created? The time is based on Korea Standard Time (UTC +09:00).
Answer: YYYY-MM-DDThh:mm:ss.sTZD
(TZD : +hh:mm or -hh:mm). Calculate down to seven decimal points. (e.g. 2012-02-25T10:20:33.1234567+??:??)
Download : 9327ACF33377C03DAFA46CE98B5DB4D0

This is a mirror of the original file:
9327ACF33377C03DAFA46CE98B5DB4D0.zip

Recommended Tools:
analyzeMFT V1.7 (http://code.google.com/p/opensourceforensics/downloads/detail?name=analyzeMFT-V1-7-x86.exe&can=2&q=)

Analysing the File:
Using TRiD, I know that it's a 7-zip file. When I extracted the contents, I got a $MFT file.
Could this be an MFT file?
Further checks on the file confirmed that it is indeed an MFT file.

OK, so I used analyzeMFT on the file.
With the following command I was able to extract valuable information from the MFT:
analyzeMFT-V1-7-x86.exe -f $MFT -o forensics400.csv

Since the objective is to find the malicious file, which might have been deleted, I did a quick search for "recycle" and ".exe" in forensics400.csv.
I found two files in the recycle bin: /$Recycle.Bin/cc.dat and /$Recycle.Bin/r32.exe
As the hint was about a malicious file, I should focus on r32.exe first, as shown in the image below.



Solving the Puzzle:
Using all the information we have gathered thus far, and the hints given:
Answer: YYYY-MM-DDThh:mm:ss.sTZD
(TZD : +hh:mm or -hh:mm). Calculate down to seven decimal points. (e.g. 2012-02-25T10:20:33.1234567+??:??)

"2012-02-23T01:39:18.897461" seems like the answer. But wait, it requires seven decimal places, so maybe I should append a 0.
However, using that key, I got it wrong. After some reading up, it seems the fault is due to analyzeMFT:
it automatically converts the time to my time zone (+8), whereas the challenge requires the +9 time zone.
So either I change my system time zone to +9 or I just add one more hour to it.
Being the lazy pig that I am, I chose the latter option.
The correct key for Forensics 400 is: 2012-02-23T02:39:18.8974610
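Both pitfalls above (the seventh decimal and the tool's silent conversion to local time) come from the way NTFS stores timestamps: a FILETIME is a count of 100-nanosecond ticks since 1601-01-01 UTC, so it carries exactly seven decimals and no time zone at all. The code below is an added example, not part of the post or of analyzeMFT: it renders a raw FILETIME straight into the challenge's answer format for any UTC offset, and separately re-bases a tool's local-time string from +08:00 to +09:00 the way the writeup did by hand. The sample tick value is constructed in the code to match the writeup's final answer.

```python
import calendar
from datetime import datetime, timedelta, timezone

EPOCH_DIFF = 11644473600    # seconds from 1601-01-01 (FILETIME epoch) to 1970-01-01
TICKS_PER_SEC = 10_000_000  # FILETIME counts 100-nanosecond intervals, hence 7 decimals

def tzd(offset_minutes):
    """Render a UTC offset as the challenge's TZD, e.g. +09:00."""
    sign = "+" if offset_minutes >= 0 else "-"
    hh, mm = divmod(abs(offset_minutes), 60)
    return f"{sign}{hh:02d}:{mm:02d}"

def filetime_to_answer(ticks, offset_minutes=540):
    """Raw MFT FILETIME -> YYYY-MM-DDThh:mm:ss.sssssssTZD in the requested zone (KST by default)."""
    secs, frac = divmod(ticks, TICKS_PER_SEC)
    dt = datetime.fromtimestamp(secs - EPOCH_DIFF, timezone(timedelta(minutes=offset_minutes)))
    return f"{dt:%Y-%m-%dT%H:%M:%S}.{frac:07d}{tzd(offset_minutes)}"

def rebase_tool_output(local_str, tool_offset_minutes, wanted_offset_minutes):
    """Re-express a tool's local-time string (microseconds, as analyzeMFT printed) in another zone.
    Appending a 0 is only right when the dropped 100-ns digit really was 0; read the raw
    FILETIME with filetime_to_answer when in doubt."""
    naive = datetime.strptime(local_str, "%Y-%m-%dT%H:%M:%S.%f")
    dt = naive.replace(tzinfo=timezone(timedelta(minutes=tool_offset_minutes)))
    dt = dt.astimezone(timezone(timedelta(minutes=wanted_offset_minutes)))
    return f"{dt:%Y-%m-%dT%H:%M:%S}.{dt.microsecond * 10:07d}{tzd(wanted_offset_minutes)}"

def utc_to_filetime(y, mo, d, h, mi, s, frac_100ns=0):
    """Constructed helper: FILETIME ticks for a known UTC instant (used for the sample below)."""
    return (calendar.timegm((y, mo, d, h, mi, s)) + EPOCH_DIFF) * TICKS_PER_SEC + frac_100ns

# Constructed sample equal to the writeup's answer: 02:39:18.8974610 KST on 2012-02-23
# is 17:39:18.8974610 UTC on 2012-02-22.
SAMPLE_TICKS = utc_to_filetime(2012, 2, 22, 17, 39, 18, 8974610)
```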

cheers
0x4a61636f62

CodeGate2012 Forensics300

Hints given to us:
IU is investigating a system which was contaminated by malicious code.
As a result of analyzing the timeline, it seems to have been contaminated after February 9th 2012.
The contamination path would be from visiting a web page. IU analyses various user traces of Internet use; however, IU can't find the malicious URL.
Maybe the traces were removed when it was contaminated. Find the correct malicious URL and the time it was contaminated. (cf. Remove http(s)://)
The time is based on Korea Standard Time (UTC +09:00).

Answer: malicious_URL|YYYY-MM-DDThh:mm:ss
('|' is just a character)

Download : 05D659000025F95CD07B2B36E94B0C15

This is a mirror of the original file:
05D659000025F95CD07B2B36E94B0C15.zip

Recommended Tools:
SQLite Browser (sqlitebrowser.sourceforge.net/)
DCode (http://www.digital-detective.co.uk/freetools/decode.asp)
Any hex viewer / editor or even notepad++

Analysing the File:
When I first analysed the file, TRiD said it's a 7-zip file. I quickly extracted the contents and found that it's a "cookie" file located deep in \Users\proneer\AppData\Local\Google\Chrome\User Data\Default
This probably means it's a SQLite database. Reading the hints, and given that it's a SQLite file, the SQLite FAQ (http://sqlite.org/faq.html#q20) explains what happens to deleted records.
It seems that a record can be deleted from the database and still not be gone; it is just not viewable with normal SQLite tools.
So how do we find that data, and how do we distinguish it from the non-deleted data? When you delete a record, the space allocated to the record gets added to a free list.

In other words, the database file doesn't get any smaller when a record is removed; the space is just marked as available for future records.
According to the FAQ on the SQLite website, "If SQLITE_SECURE_DELETE is not used and VACUUM has not been run, then some of the deleted content might still be in the database file, in areas marked for reuse."
So attackers, please run VACUUM if you really want to delete your entry. :P

OK, let's open the file in Notepad++. Since the objective is to find the malicious URL, let's do a quick search for .net, .com, .org and .kr and compare the hits with all the entries found with SQLite Browser.
Once we did that, we found an extra entry, indicated in the image below, test.wargame.krutma134301300.282793704.1328799447.1328799457.1328799457.10 , that was not shown by SQLite Browser.



Solving the Puzzle:
But how do we know the time? According to http://www.randycullom.com/chatterbox/archives/2008/10/google_analytic.html
the third set of numbers after utma is the timestamp of the first visit/session for the user.

Using DCode with 1328799447, we get back Thu, 09 February 2012 23:57:27 +0900, as shown in the image below.



So using all the information we have gathered thus far, the correct key for Forensics 300 is: test.wargame.kr|2012-02-09T23:57:27
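The whole writeup rests on two facts: a deleted SQLite row survives in free space until VACUUM or secure_delete wipes it, and the third field of a __utma cookie is the Unix time of the first visit. The script below is an added example, not part of the post: it builds a small constructed cookies table (a simplified Chrome-style schema, not Chrome's real one) with secure_delete off, deletes the test.wargame.kr row, shows that a SELECT no longer returns it while a regex over the raw file bytes still does, and converts the carved __utma value into the challenge's KST key. The sample rows and the temporary database path are constructed here.

```python
import os
import re
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone

# Constructed rows for a simplified Chrome-style cookies table: one live cookie and
# the one the "attacker" deletes (its value is the entry carved in the writeup).
LIVE = ("www.example.com", "__utma", "1.2.3.4.5.6")
DELETED = ("test.wargame.kr", "__utma",
           "134301300.282793704.1328799447.1328799457.1328799457.10")
# host_key, name and value are stored back to back inside a SQLite record.
UTMA_RE = re.compile(rb"([A-Za-z0-9.-]+)__utma(\d+(?:\.\d+){5})")

def build_cookie_db(path):
    """Insert both cookies, then delete one with secure_delete OFF and no VACUUM."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete=OFF")
    con.execute("CREATE TABLE cookies(host_key TEXT, name TEXT, value TEXT)")
    con.executemany("INSERT INTO cookies VALUES (?, ?, ?)", [LIVE, DELETED])
    con.commit()
    con.execute("DELETE FROM cookies WHERE host_key = ?", (DELETED[0],))
    con.commit()
    con.close()

def live_utma(path):
    """What SQLite Browser would show: only rows still reachable from the b-tree."""
    con = sqlite3.connect(path)
    rows = {(h, v) for h, v in con.execute(
        "SELECT host_key, value FROM cookies WHERE name = '__utma'")}
    con.close()
    return rows

def carved_utma(path):
    """What a raw scan (Notepad++ / hex editor) shows: free-list space is included."""
    with open(path, "rb") as f:
        raw = f.read()
    return {(h.decode(), v.decode()) for h, v in UTMA_RE.findall(raw)}

def utma_first_visit(value, utc_offset_minutes=540):
    """Third __utma field = Unix time of the first visit; render it in KST by default."""
    tz = timezone(timedelta(minutes=utc_offset_minutes))
    return datetime.fromtimestamp(int(value.split(".")[2]), tz).strftime("%Y-%m-%dT%H:%M:%S")

def solve(path=None):
    """Build the sample database and return the Forensics 300 style key for the deleted entry."""
    path = path or os.path.join(tempfile.mkdtemp(), "Cookies")
    build_cookie_db(path)
    (host, value), = carved_utma(path) - live_utma(path)   # carved but not live = deleted
    return f"{host}|{utma_first_visit(value)}"
```

Running VACUUM (or opening the database with secure_delete on) before the raw scan makes the set difference empty, which is exactly why the FAQ quoted above matters.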

cheers
0x4a61636f62