Yesterday Troy Schnack and Kevin Pagano suggested on Twitter that it would be good to write how I solved Magnet User Summit CTF. I thought it was a good idea, and decided to do it with my friend Igor Mikhaylov. This will be a series of posts, and the first part is dedicated to anti-forensics.
This is really easy question, especially if you are using Magnet AXIOM. Just look at Encryption / Anti-forensics Tools tab, and you’ll find that it’s Eraser:
User that Wiped
We started from UserAssist, of course. What did we see? Eraser 126.96.36.19982.exe was downloaded and ran by itsupport, and… it was the flag:
This is easy too – SRUDB.dat. Also, you can find the answer to the previous question here as it contains user SID too. But we are interesting in the amount of data written, and it’s 27394048:
Browser to Download Wiper
This is a bit tricky. You must know that both Internet Explorer and Edge store data at the same ESE database – WebCacheV01.dat. Magnet AXIOM shows it as Internet Explorer 10-11 Main History, but the flag isn’t Internet Explorer, it’s Edge:
Wiped File Names
This is one of the hardest questions. The answer is hidden in $UsnJrnl. First of all, you should extract $J file:
Next, you should parse it. I used UsnJrnl2Csv. For CSV output analysis I used Timeline Explorer. According to prefetch files, eraser.exe was last run on 26.04.2018 18:41:07. Let’s look at suspicious activity after:
Looks strange, huh? So, applypatch-msg.sample is the first file name we are looking for. If you scroll down, you’ll find other file names, more than 5 actually. So the flag may be applypatch-msg.sample, commit-msg.sample, fsmonitor-watchman.sample, post-update.sample, pre-applypatch.sample.
That’s all for today!