Hunter Lab – CyberDefenders

Disk Analysis

Scenario

The SOC team got an alert regarding some illegal port scanning activity coming from an employee’s system. The employee was not authorized to do any port scanning or any offensive hacking activity within the network. The employee claimed that he had no idea about that, and it is probably a malware acting on his behalf. The IR team managed to respond immediately and take a full forensic image of the user’s system to perform some investigations.

There is a theory that the user intentionally installed illegal applications to do port scanning and maybe other things. He was probably planning for something bigger, far beyond port scanning!

It all began when the user asked for a salary raise that was rejected. After that, his behavior was abnormal and different. The suspect is believed to have weak technical skills, and there might be an outsider helping him!

Your objective as a SOC analyst is to analyze the image and to either confirm or deny this theory.

Questions

1. What is the computer name of the suspect machine?

The computer name can be found in the SYSTEM registry hive:

SYSTEM\<CurrentControlSet>\Control\ComputerName\ComputerName

Note that CurrentControlSet is a symbolic link that only exists on a live system. In an offline hive, read SYSTEM\Select\Current to learn which ControlSet00X was in use (usually ControlSet001) and look under that key instead.

So the computer name is :

4ORENSICS

2. What is the computer IP?

The IP address can be found in the SYSTEM registry hive, in the per-adapter subkey (named by the interface GUID) under:

SYSTEM\<CurrentControlSet>\Services\Tcpip\Parameters\Interfaces

For a DHCP-configured adapter the address is in the DhcpIPAddress value; a statically configured adapter uses IPAddress instead.

So the IP Address is:

10.0.2.15

3. What was the DHCP LeaseObtainedTime?

The LeaseObtainedTime value lives in the same interface subkey:

SYSTEM\<CurrentControlSet>\Services\Tcpip\Parameters\Interfaces

It is stored as a REG_DWORD holding a Unix epoch timestamp (seconds since 1970-01-01 00:00:00 UTC), so it has to be converted. The converted LeaseObtainedTime is:

2016-06-21 12:58:06

4. What is the computer SID?

The SID can be found in the SOFTWARE hive, under ProfileList, which has one subkey per user profile named after that user's SID:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

The SID the challenge expects is:

S-1-5-21-2489440558-2754304563-710705792-1001

Strictly speaking this is the SID of the user profile: the machine SID is the prefix S-1-5-21-2489440558-2754304563-710705792, and the trailing RID 1001 is the first locally created user account. The S-1-5-18/19/20 subkeys under ProfileList belong to the built-in system, local service and network service accounts and can be ignored.

5. What is the Operating System(OS) version?

The Operating System (OS) version can be found in the SOFTWARE hive:

SOFTWARE\Microsoft\Windows NT\CurrentVersion

The ProductName value names the release, while the CurrentVersion value holds the kernel version (6.3 for this release). So the Operating System (OS) version is:

8.1

6. What was the computer timezone?

The timezone can be found in the SYSTEM hive:

SYSTEM\CurrentControlSet\Control\TimeZoneInformation

The TimeZoneKeyName / StandardName value found is:

Pacific Standard Time

The standard offset of this zone is UTC-08:00 (Bias = 480 minutes). The key also stores ActiveTimeBias, the offset in effect when the hive was last updated; in June 2016 daylight saving time was in force, so the effective offset (and the answer the challenge expects) is:

UTC-07:00

This matters when converting timestamps: registry FILETIME values and the DHCP lease time are already UTC, but timestamps that tools render in "local time" (for example the nmap finish time below) are seven hours behind UTC for this image.

7. How many times did this user log on to the computer?

The number of times the user logged in can be found in the SAM registry hive, in the per-user keys (one subkey per RID, named in hex, so the user with RID 1001 is 000003E9):

SAM\Domains\Account\Users

Each of these keys holds a binary F value; the logon count is a 16-bit field at offset 66 of that value, and tools such as RegRipper's samparse plugin or Registry Explorer decode it.

The user logged in:

3 times

8. When was the last login time for the discovered account? Format: one-space between date and time

The last login time is in the same F value of the SAM registry hive, in the user's key:

SAM\Domains\Account\Users

It is the 64-bit FILETIME at offset 8 of the F value and is stored in UTC. The last login time was:

2016-06-21 01:42
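To make questions 7 and 8 reproducible without a registry tool, here is an added example (not part of the original writeup) that decodes the F value of a SAM user key: the FILETIME timestamps, the RID, the account control flags and the logon counters. The offsets follow the layout used by RegRipper's samparse plugin; the F blob is constructed inline for the demo and is not the one from the image.

```python
import struct
from datetime import datetime, timedelta

FILETIME_EPOCH = datetime(1601, 1, 1)
FILETIME_NEVER = 0x7FFFFFFFFFFFFFFF   # used for "account never expires"

# Subset of the account-control (ACB) flag bits defined in [MS-SAMR].
ACB_FLAGS = {
    0x0001: "DISABLED",
    0x0004: "PASSWORD_NOT_REQUIRED",
    0x0010: "NORMAL_ACCOUNT",
    0x0200: "PASSWORD_NEVER_EXPIRES",
    0x0400: "AUTO_LOCKED",
}


def filetime_to_datetime(ft):
    """FILETIME = 100-ns ticks since 1601-01-01 UTC. 0 and 0x7FFF... mean 'never'."""
    if ft in (0, FILETIME_NEVER):
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)   # naive datetime, UTC


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_sam_f(data):
    """Decode the fixed-layout F value of SAM\\Domains\\Account\\Users\\<RID>."""
    if len(data) < 68:
        raise ValueError("F value too short: %d bytes" % len(data))
    last_login, = struct.unpack_from("<Q", data, 8)
    pwd_last_set, = struct.unpack_from("<Q", data, 24)
    acct_expires, = struct.unpack_from("<Q", data, 32)
    last_bad_pwd, = struct.unpack_from("<Q", data, 40)
    rid, = struct.unpack_from("<I", data, 48)
    acb, = struct.unpack_from("<H", data, 56)
    failed_count, logon_count = struct.unpack_from("<HH", data, 64)   # offsets 64 and 66
    return {
        "rid": rid,
        "last_login": filetime_to_datetime(last_login),
        "pwd_last_set": filetime_to_datetime(pwd_last_set),
        "account_expires": filetime_to_datetime(acct_expires),
        "last_bad_password": filetime_to_datetime(last_bad_pwd),
        "flags": [name for bit, name in ACB_FLAGS.items() if acb & bit],
        "failed_login_count": failed_count,
        "logon_count": logon_count,
    }


def build_sample_f(last_login, pwd_last_set, rid, logon_count, acb=0x0210):
    """Constructed F blob for the demo; only the fields parse_sam_f reads are filled in."""
    buf = bytearray(80)
    struct.pack_into("<Q", buf, 8, datetime_to_filetime(last_login))
    struct.pack_into("<Q", buf, 24, datetime_to_filetime(pwd_last_set))
    struct.pack_into("<Q", buf, 32, FILETIME_NEVER)
    struct.pack_into("<I", buf, 48, rid)
    struct.pack_into("<H", buf, 56, acb)          # NORMAL_ACCOUNT | PASSWORD_NEVER_EXPIRES
    struct.pack_into("<H", buf, 66, logon_count)
    return bytes(buf)


# Constructed sample: RID 1001, three logons, last login 2016-06-21 01:42:00 UTC.
SAMPLE_F = build_sample_f(datetime(2016, 6, 21, 1, 42, 0), datetime(2016, 6, 20, 9, 0, 0), 1001, 3)

if __name__ == "__main__":
    for key, value in parse_sam_f(SAMPLE_F).items():
        print(f"{key}: {value}")
```

On a real hive, export the F value of the RID subkey (for example with Registry Explorer or python-registry) and pass the raw bytes to parse_sam_f; the V value of the same key holds the username and is not needed for these two questions.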

9. There was a “Network Scanner” running on this computer, what was it? And when was the last time the suspect used it? Format: program.exe,YYYY-MM-DD HH:MM:SS UTC

Looking inside Users\Hunter, we find a .zenmap directory (Zenmap is the nmap GUI front end):

We can then analyze the prefetch file for Zenmap to get the last run time. Using PECmd.exe, we find:

10. When did the port scan end? (Example: Sat Jan 23 hh:mm:ss 2016)

In nmapscan.xml, the runstats/finished element at the end of the file records when the port scan ended (the timestr attribute is in the scanning machine's local time, the time attribute is a Unix epoch):

11. How many ports were scanned?

In nmapscan.xml, the numservices attribute of the scaninfo element shows that 1000 ports were scanned (nmap's default top-1000 list):

12. What ports were found “open”?(comma-separated, ascending)

In the same file, each port element carries a state element; the ones with state="open" are:

22, 80, 9929, 31337

13. What was the version of the network scanner running on this computer?

In the same file, the version attribute of the root nmaprun element shows it was version 7.12:
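Questions 10 to 13 all come from the same nmap XML file, so they can be answered in one pass. The following parser is an added example (not part of the original writeup); the XML it parses is a constructed sample modelled on nmap's output format, with a TEST-NET target address, not the nmapscan.xml from the image. The scan's end time is derived from the epoch attribute so that it comes out in UTC regardless of the scanning host's timezone.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample of nmap XML output (not the evidence file).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV 192.0.2.10" start="1466514800" startstr="Tue Jun 21 06:13:20 2016" version="7.12" xmloutputversion="1.04">
<scaninfo type="syn" protocol="tcp" numservices="1000" services="1,3-4,6-7,9,13,17,19-26"/>
<host starttime="1466514800" endtime="1466514923">
<status state="up" reason="echo-reply"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<extraports state="closed" count="995"/>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH"/></port>
<port protocol="tcp" portid="25"><state state="filtered" reason="no-response"/><service name="smtp"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="Apache httpd"/></port>
<port protocol="tcp" portid="9929"><state state="open" reason="syn-ack"/><service name="nping-echo"/></port>
<port protocol="tcp" portid="31337"><state state="open" reason="syn-ack"/><service name="tcpwrapped"/></port>
</ports>
</host>
<runstats><finished time="1466514923" timestr="Tue Jun 21 06:15:23 2016" elapsed="123.00" summary="Nmap done at Tue Jun 21 06:15:23 2016; 1 IP address (1 host up) scanned in 123.00 seconds" exit="success"/><hosts up="1" down="0" total="1"/></runstats>
</nmaprun>
"""


def summarize_nmap_xml(xml_text):
    """Return scanner version, ports scanned, end time (UTC and local string) and open ports per host."""
    root = ET.fromstring(xml_text)
    if root.tag != "nmaprun":
        raise ValueError("not an nmap XML document")
    scaninfo = root.find("scaninfo")
    finished = root.find("runstats/finished")
    if scaninfo is None or finished is None:
        # nmap writes runstats last; a missing element means the scan was aborted or the file truncated.
        raise ValueError("incomplete scan: scaninfo or runstats/finished missing")
    end_epoch = int(finished.get("time"))
    hosts = []
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        open_ports = sorted(
            int(p.get("portid"))
            for p in host.findall("ports/port")
            if p.find("state") is not None and p.find("state").get("state") == "open"
        )
        hosts.append({"addr": addr.get("addr") if addr is not None else None, "open_ports": open_ports})
    return {
        "version": root.get("version"),
        "args": root.get("args"),
        "ports_scanned": int(scaninfo.get("numservices")),
        "end_utc": datetime.fromtimestamp(end_epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "end_local_str": finished.get("timestr"),   # local time of the scanning host, as nmap printed it
        "hosts": hosts,
    }


if __name__ == "__main__":
    summary = summarize_nmap_xml(SAMPLE_NMAP_XML)
    print(f"nmap {summary['version']} scanned {summary['ports_scanned']} ports, finished {summary['end_utc']}")
    for h in summary["hosts"]:
        print(h["addr"], ",".join(str(p) for p in h["open_ports"]))
```

To run it on the evidence, read nmapscan.xml from the exported profile and pass its contents in place of SAMPLE_NMAP_XML. The timestr string is what the challenge's "Sat Jan 23 hh:mm:ss 2016" format asks for; keep the epoch-derived UTC value alongside it when building a timeline with the other artifacts.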

14. The employee engaged in a Skype conversation with someone. What is the skype username of the other party?

Skype keeps its data in an SQLite database, main.db, located at:

D:\c16-Hunter_NONAME [NTFS]\[root]\Users\Hunter\AppData\Roaming\Skype\hunterehpt
  • We should export main.db using FTK Imager (opening it directly from the image mount will not work)
  • In the chat members, we can find linux-rul3z:

15. What is the name of the application both parties agreed to use to exfiltrate data and provide remote access for the external attacker in their Skype conversation?

In the Messages table, we can see that they agreed on using TeamViewer:

16. What is the Gmail email address of the suspect employee?

We can find the email address in the Contacts table (the emails column):
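Questions 14 to 16 are all answered by querying main.db, so here is an added example (not part of the original writeup) of doing that with Python's sqlite3 instead of a GUI viewer. The schema below is a constructed subset of Skype's real Contacts and Messages tables with the column names those questions rely on, and every row is constructed for the demo; the Gmail address in particular is a placeholder, not the one from the image.

```python
import sqlite3
from datetime import datetime, timezone

OWN_ACCOUNT = "hunterehpt"   # the profile directory name under AppData\Roaming\Skype


def load_constructed_main_db():
    """In-memory stand-in for an exported main.db; constructed rows, not the evidence."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE Contacts (id INTEGER PRIMARY KEY, skypename TEXT, fullname TEXT, emails TEXT);
        CREATE TABLE Messages (id INTEGER PRIMARY KEY, chatname TEXT, author TEXT, from_dispname TEXT,
                               dialog_partner TEXT, timestamp INTEGER, body_xml TEXT);
    """)
    con.executemany("INSERT INTO Contacts (skypename, fullname, emails) VALUES (?, ?, ?)", [
        ("hunterehpt", "Hunter", "suspect.placeholder@gmail.com"),   # placeholder, not the real address
        ("linux-rul3z", "lnx", None),
        ("echo123", "Echo / Sound Test Service", None),
    ])
    base = 1466470000   # constructed epoch; Skype stores Messages.timestamp as Unix seconds (UTC)
    con.executemany(
        "INSERT INTO Messages (chatname, author, from_dispname, dialog_partner, timestamp, body_xml)"
        " VALUES (?, ?, ?, ?, ?, ?)",
        [
            ("#hunterehpt/$linux-rul3z;1", "linux-rul3z", "lnx", "linux-rul3z", base,
             "install teamviewer and send me the id"),
            ("#hunterehpt/$linux-rul3z;1", "hunterehpt", "Hunter", "linux-rul3z", base + 60,
             "ok, TeamViewer it is"),
        ],
    )
    con.commit()
    return con


def chat_partners(con, own=OWN_ACCOUNT):
    """Every account other than the suspect that authored a message (question 14)."""
    rows = con.execute("SELECT DISTINCT author FROM Messages WHERE author != ? ORDER BY author", (own,))
    return [r[0] for r in rows]


def conversation_with(con, partner):
    """Full conversation with one partner, timestamps rendered in UTC."""
    rows = con.execute(
        "SELECT timestamp, author, body_xml FROM Messages WHERE dialog_partner = ? ORDER BY timestamp",
        (partner,))
    return [(datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"), author, body)
            for ts, author, body in rows]


def messages_mentioning(con, keyword):
    """Messages whose body mentions a tool name; SQLite LIKE is case-insensitive for ASCII (question 15)."""
    rows = con.execute("SELECT author, body_xml FROM Messages WHERE body_xml LIKE ? ORDER BY timestamp",
                       (f"%{keyword}%",))
    return [(author, body) for author, body in rows]


def gmail_addresses(con):
    """Gmail addresses from Contacts.emails, which holds a space-separated list (question 16)."""
    found = []
    for (emails,) in con.execute("SELECT emails FROM Contacts WHERE emails IS NOT NULL"):
        found.extend(e for e in emails.split() if e.lower().endswith("@gmail.com"))
    return found


if __name__ == "__main__":
    db = load_constructed_main_db()
    print("partners:", chat_partners(db))
    for line in conversation_with(db, "linux-rul3z"):
        print(*line)
    print("gmail:", gmail_addresses(db))
```

Against the real evidence, replace load_constructed_main_db() with sqlite3.connect("main.db") on the copy exported with FTK Imager; the queries are unchanged. Open the copy read-only or work on a second copy, since sqlite3 will otherwise create journal files next to it and alter the exported artifact's hash.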

17. It looks like the suspect user deleted an important diagram after his conversation with the external attacker. What is the file name of the deleted diagram?

The name of the deleted diagram is:

home-network-design-networking-for-a-single-family-home-case-house-arkko-1433-x-792.jpg

18. The user Documents’ directory contained a PDF file discussing data exfiltration techniques. What is the name of the file?

In the user's Documents, we find Ryan_VanAntwerp_thesis, which discusses data exfiltration techniques:

19. What was the name of the Disk Encryption application Installed on the victim system? (two words space separated)

Crypto Swap; it is listed in the BCWipe uninstall log at:

C:\Program Files (x86)\Jetico\BCWipe\Uninstall.log

20. What are the serial numbers of the two identified USB storage?

We can find both serial numbers under USBSTOR (CurrentControlSet does not exist in an offline hive, so use the control set that SYSTEM\Select\Current points to):

SYSTEM\ControlSet001\Enum\USBSTOR

Each device has a subkey named Disk&Ven_<vendor>&Prod_<product>&Rev_<revision>, and beneath it one subkey per instance whose name is the device serial number followed by &0. If the second character of that instance name is an ampersand, the device did not report a serial number and Windows generated the identifier itself, so it cannot be used to tie the device to a physical stick.
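As an added example (not part of the original writeup), the following parses USBSTOR subkey paths into vendor, product, revision and serial, and applies the "second character is &" check for Windows-generated identifiers. The two key paths are constructed samples, not the ones from the image.

```python
import re

# Constructed USBSTOR key paths relative to SYSTEM\ControlSet001\Enum\USBSTOR (not the evidence).
SAMPLE_USBSTOR_KEYS = [
    r"Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530001140101117553&0",
    r"Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&2a1b3c4d&0&000000",   # generated: no real serial
]

DEVICE_RE = re.compile(r"(?P<class>[^&\\]+)&Ven_(?P<vendor>[^&\\]*)&Prod_(?P<product>[^&\\]*)&Rev_(?P<rev>[^&\\]*)")


def parse_usbstor_key(path):
    """Split '<device>\\<instance>' into its fields; underscores in vendor/product stand for spaces."""
    device, sep, instance = path.rpartition("\\")
    if not sep:
        raise ValueError("expected '<device key>\\<instance key>': %r" % path)
    m = DEVICE_RE.fullmatch(device)
    if m is None:
        raise ValueError("unrecognised USBSTOR device key: %r" % device)
    generated = len(instance) > 1 and instance[1] == "&"
    return {
        "class": m.group("class"),
        "vendor": m.group("vendor").replace("_", " "),
        "product": m.group("product").replace("_", " "),
        "revision": m.group("rev"),
        "instance_id": instance,
        "serial": None if generated else instance.rsplit("&", 1)[0],   # strip the trailing "&0"
        "windows_generated_id": generated,
    }


def real_serials(paths):
    """Only the serial numbers a device actually reported, in key order."""
    return [d["serial"] for d in map(parse_usbstor_key, paths) if d["serial"] is not None]


if __name__ == "__main__":
    for p in SAMPLE_USBSTOR_KEYS:
        print(parse_usbstor_key(p))
    print("device-reported serials:", real_serials(SAMPLE_USBSTOR_KEYS))
```

The serial is what links the device across artifacts: the same value appears in the FriendlyName entries under MountedDevices and in the setupapi.dev.log, which gives the first-connection time that the registry key alone does not reliably record.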

21. One of the installed applications is a file shredder. What is the name of the application? (two words space separated)

Jetico BCWipe, whose prefetch file can be found in the Prefetch directory:

22. How many prefetch files were discovered on the system?

We filter on .pf files (excluding 0 KB entries, which are deleted or empty records rather than usable prefetch files) in:

D:\c16-Hunter_NONAME [NTFS]\[root]\Windows\Prefetch

We find 174 files

23. How many times was the file shredder application executed?

Analyzing BCWipe's prefetch file with PECmd.exe in PowerShell (the run count and the last eight run times are stored in the prefetch header on Windows 8.1):

& "C:\Users\abdal\Desktop\Cyber Defenders\Tools\ZimmermanTools\PECmd.exe" `
  -f "C:\Users\abdal\Desktop\BCWIPE.EXE-36F3F2DF.pf" `
  -o "C:\Users\abdal\Desktop"

We find it was executed 5 times:

24. Using prefetch, determine when was the last time ZENMAP.EXE-56B17C4C.pf was executed?

Running PECmd.exe against ZENMAP.EXE-56B17C4C.pf in the same way, the Last Run field gives:

25. A JAR file for an offensive traffic manipulation tool was executed. What is the absolute path of the file?

The JAR (Burp Suite, a proxy for intercepting and manipulating HTTP traffic) can be found in:

C:\Users\Hunter\Downloads\burpsuite_free_v1.7.03.jar

26. The suspect employee tried to exfiltrate data by sending it as an email attachment. What is the name of the suspected attachment?

There is a .PST file in the user's Documents\Outlook Files directory:

Opening the .PST file with SysTools Outlook PST Viewer:

We find an email with "Pictures.7z" as the attachment

27. Shellbags shows that the employee created a folder to include all the data he will exfiltrate. What is the full path of that folder?

Using ShellBags Explorer run as administrator, and loading the user's UsrClass.dat (where Windows 8.1 stores most shellbags), we can find the exfiltration folder:

C:\Users\Hunter\Pictures\Exfil

28. The user deleted two JPG files from the system and moved them to $Recycle-Bin. What is the file name that has the resolution of 1920×1200?

In the Recycle Bin, we have two $R files corresponding to the two deleted files:

I exported both files and analyzed them with an online EXIF tool; $RP3TBNW.jpg has a resolution of 1920 x 1200:

  • Now we need its original name. Normally the matching $I file (same suffix, $IP3TBNW) holds the original path and deletion time, but since there is no $I file in the Recycle Bin, we have to look for the image elsewhere on the file system
  • I found the image in:
C:\Users\Hunter\Pictures\Exfil

Its name is:

ws_Small_cute_kitty_1920x1200.jpg

29. Provide the name of the directory where information about jump lists items (created automatically by the system) is stored?

Jump lists automatic items are located in:

C:\Users\[Profile]\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations

So the name of the directory is AutomaticDestinations

30. Using JUMP LIST analysis, provide the full path of the application with the AppID of “aa28770954eaeaaa” used to bypass network security monitoring controls.

We can find this AppID among the CustomDestinations jump lists:

Exporting it with FTK Imager and opening it in JumpList Explorer:

We see it is related to firefox.exe, which is located in:

C:\Users\Hunter\Desktop\Tor Browser\Browser

So the full path of the application is C:\Users\Hunter\Desktop\Tor Browser\Browser\firefox.exe, the Firefox build bundled with Tor Browser, which is how the user's traffic was routed around the network monitoring controls.