Home Articles Magnet User Summit CTF: Anti-Forensics

Magnet User Summit CTF: Anti-Forensics


Yesterday Troy Schnack and Kevin Pagano suggested on Twitter that it would be good to write how I solved Magnet User Summit CTF. I thought it was a good idea, and decided to do it with my friend Igor Mikhaylov. This will be a series of posts, and the first part is dedicated to anti-forensics.

Wiping App

This is really easy question, especially if you are using Magnet AXIOM. Just look at Encryption / Anti-forensics Tools tab, and you’ll find that it’s Eraser:

User that Wiped

We started from UserAssist, of course. What did we see?¬†Eraser was downloaded and ran by itsupport, and… it was the flag:

Data Written

This is easy too –¬†SRUDB.dat. Also, you can find the answer to the previous question here as it contains user SID too. But we are interesting in the amount of data written, and it’s¬†27394048:

Browser to Download Wiper

This is a bit tricky. You must know that both Internet Explorer and Edge store data at the same ESE database –¬†WebCacheV01.dat. Magnet AXIOM shows it as Internet Explorer 10-11 Main History, but the flag isn’t Internet Explorer, it’s Edge:

Wiped File Names

This is one of the hardest questions. The answer is hidden in $UsnJrnl. First of all, you should extract $J file:

Next, you should parse it. I used¬†UsnJrnl2Csv. For CSV output analysis I used Timeline Explorer. According to prefetch files, eraser.exe was last run on¬†26.04.2018 18:41:07. Let’s look at suspicious activity after:

Looks strange, huh? So,¬†applypatch-msg.sample is the first file name we are looking for. If you scroll down, you’ll find other file names, more than 5 actually. So the flag may be¬†applypatch-msg.sample,¬†commit-msg.sample,¬†fsmonitor-watchman.sample,¬†post-update.sample,¬†pre-applypatch.sample.

That’s all for today!

Happy forensicating!

About the authors

Oleg Skulkin, GCFA, MCFE, ACE, is a DFIR enthusional (enthusiast + professional), Windows Forensics Cookbook and Practical Mobile Forensics co-author.

Igor Mikhaylov, MCFE, EnCE, ACE, OSFCE, is a digital forensic examiner with more than 20 years of experience and Mobile Forensics Cookbook author.

Load More Related Articles
Load More In Articles

Leave a Reply

Your email address will not be published. Required fields are marked *