
Magnet User Summit CTF: Misc


We are continuing our write-up. The second part will walk you through the solution of the second set of CTF problems – Misc.


Again, a very easy task, but it’s only the beginning. You can find the flag in the Timezone Information section of AXIOM, or via manual analysis of the TimeZoneInformation key:

As you can see, the flag is Mountain.


Another easy task – finding the volume serial number. There are lots of tools capable of providing you with this info, but we will use AXIOM again – the flag is 6C19-1B65:

YouTube Search

Not difficult at all either. It’s time to analyze the browsing history. A good idea is to filter the data by date, as we need 3/28/2018. Once it’s filtered, you can search for “youtube”. Bingo! We got the flag – simpsons max power:

Sleuthkit + PowerShell

The system we are analyzing has great logging capabilities, so you can find PowerShell transcripts in the Documents folder. But that’s not all. If you search for “SRUDB.dat”, you’ll quickly find ConsoleHost_history.txt, where you can find the flag – $inode = ifind -n /Windows/System32/sru/SRUDB.dat \\.\C: ; icat \\.\C: $inode > SRUDB.dat:

Administrator Logon Count

Extremely easy with AXIOM – look at the User Accounts section. The flag is 14:

Install Q

It’s time to look at the Installed Programs list, where it’s very easy to find this flag – 2018-04-11:

File Sequence Number

This was the time to test a new tool by Eric Zimmerman – MFTECmd. First you should export the $MFT file and parse it with the tool. Next, search for “python.exe”. The flag is 1:

Filename Lookup

You can use the same CSV, and search for “86280”. The flag is $UsnJrnl:

File Timestamp

Again, same CSV. Search for “CMD.EXE-89305D47.pf” and look at Last Access0x10. So the flag is 2018-04-26 15:48:40:
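The three MFT lookups above (File Sequence Number, Filename Lookup, File Timestamp) can also be scripted against the MFTECmd CSV instead of searched by hand. This is an added example, not part of the original write-up or of MFTECmd itself: the sample rows are constructed, only the search terms and the three flags come from the text, and placing 86280 in the EntryNumber column is an assumption.

```python
import csv
import io

# Constructed sample using a subset of MFTECmd's CSV columns. Only the search
# terms and the three answers come from the write-up; every other value,
# including 86280 sitting in EntryNumber, is an assumption for illustration.
SAMPLE_CSV = r"""EntryNumber,SequenceNumber,InUse,ParentPath,FileName,LastAccess0x10
86280,2,True,.\$Extend,$UsnJrnl,2018-03-27 10:02:11
91234,1,True,.\Python27,python.exe,2018-04-11 09:15:02
91235,1,True,.\Python27,pythonw.exe,2018-04-11 09:15:02
77310,4,True,.\Windows\Prefetch,CMD.EXE-89305D47.pf,2018-04-26 15:48:40
77311,3,True,.\Windows\Prefetch,PYTHON.EXE-1A2B3C4D.pf,2018-04-12 08:00:00
"""


def load_rows(text):
    """Parse MFTECmd CSV text into a list of dicts, one per MFT record."""
    return list(csv.DictReader(io.StringIO(text)))


def by_filename(rows, name):
    """Exact, case-insensitive FileName match. A plain text search for
    'python.exe' would also hit the PYTHON.EXE-*.pf prefetch entry."""
    wanted = name.casefold()
    return [r for r in rows if r["FileName"].casefold() == wanted]


def find_value(rows, value):
    """Return (column, row) for every cell equal to value, in any column."""
    return [(col, r) for r in rows for col, cell in r.items() if cell == value]


def report(rows):
    """Run the three lookups from the write-up and collect the answers."""
    seq = [r["SequenceNumber"] for r in by_filename(rows, "python.exe")]
    hits = [(col, r["FileName"]) for col, r in find_value(rows, "86280")]
    atime = [r["LastAccess0x10"] for r in by_filename(rows, "CMD.EXE-89305D47.pf")]
    return {"python.exe sequence": seq, "86280 hits": hits, "pf last access": atime}


if __name__ == "__main__":
    # For real output: load_rows(open("mft.csv", encoding="utf-8-sig").read())
    # ("mft.csv" is a hypothetical file name for the exported MFTECmd CSV).
    for label, result in report(load_rows(SAMPLE_CSV)).items():
        print(label, result)
```

Because find_value reports the column that matched, it also shows whether a number such as 86280 was found as an entry number, a parent reference or something else.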

Who Installed Atom?

Let’s look at the Installed Programs list again:

So, now we know it was maxpowers who installed it. Let’s get the SID. Look at User Accounts:

As you can see, the flag is S-1-5-21-2801897208-1878083585-4182000528-1002.

Deletion in LogFile

AXIOM is capable of parsing $LogFile contents, so you can find the flag in the $LogFile Analysis section:

As you can see, the deleted file’s name is 7z.dll, and this is the flag.

That’s all for today!

Happy forensicating!

About the authors

Oleg Skulkin, GCFA, MCFE, ACE, is a DFIR enthusional (enthusiast + professional), Windows Forensics Cookbook and Practical Mobile Forensics co-author.

Igor Mikhaylov, MCFE, EnCE, ACE, OSFCE, is a digital forensic examiner with more than 20 years of experience and Mobile Forensics Cookbook author.
