
Magnet User Summit CTF: Anti-Forensics


Yesterday Troy Schnack and Kevin Pagano suggested on Twitter that it would be good to write up how I solved the Magnet User Summit CTF. I thought it was a good idea, and decided to do it with my friend Igor Mikhaylov. This will be a series of posts, and the first part is dedicated to anti-forensics.

Wiping App

This is a really easy question, especially if you are using Magnet AXIOM. Just look at the Encryption / Anti-forensics Tools tab, and you’ll find that it’s Eraser:

User that Wiped

We started from UserAssist, of course. What did we see? Eraser 6.2.0.2982.exe was downloaded and run by itsupport, and… it was the flag:

Data Written

This is easy too: SRUDB.dat. You can also find the answer to the previous question here, as it contains the user SID too. But we are interested in the amount of data written, and it’s 27394048:

Browser to Download Wiper

This is a bit tricky. You must know that both Internet Explorer and Edge store data in the same ESE database, WebCacheV01.dat. Magnet AXIOM shows it as Internet Explorer 10-11 Main History, but the flag isn’t Internet Explorer, it’s Edge:

Wiped File Names

This is one of the hardest questions. The answer is hidden in $UsnJrnl. First of all, you should extract the $J file:

Next, you should parse it. I used UsnJrnl2Csv for parsing and Timeline Explorer for analysing the CSV output. According to prefetch files, eraser.exe was last run on 26.04.2018 18:41:07. Let’s look at suspicious activity after that:

Looks strange, huh? So applypatch-msg.sample is the first file name we are looking for. If you scroll down, you’ll find other file names, more than 5 actually. So the flag may be applypatch-msg.sample, commit-msg.sample, fsmonitor-watchman.sample, post-update.sample, pre-applypatch.sample.
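As an added example (not part of the original write-up, and not the code of UsnJrnl2Csv), the following Python does the same filtering by hand on a raw $J extract: it walks the USN_RECORD_V2 entries, keeps only those stamped after eraser.exe's last run, and returns the names of files that were deleted, mapping a pre-deletion rename back to the original name through its RENAME_OLD_NAME record. The journal bytes, the alias Qx7z.tmp and the file reference numbers are constructed for the demo.

```python
import struct
from datetime import datetime, timedelta, timezone

HEADER = "<IHHQQQQIIIIHH"   # USN_RECORD_V2 fixed part (60 bytes); the UTF-16LE name follows it
# USN_REASON_* flags from winioctl.h that the demo uses
DATA_OVERWRITE, FILE_DELETE, RENAME_OLD, RENAME_NEW, CLOSE = 0x1, 0x200, 0x1000, 0x2000, 0x80000000
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME counts 100 ns ticks from here

def parse_usn_v2(data):
    """Yield (frn, timestamp, reason, name) for each v2 record in a raw $J extract."""
    off = 0
    while off + 60 <= len(data):
        length, major = struct.unpack_from("<IH", data, off)
        if length == 0:                  # zero-filled gap (sparse run / padding): step over it
            off += 8
            continue
        if major == 2 and off + length <= len(data):
            f = struct.unpack_from(HEADER, data, off)   # f[3]=FRN f[6]=FILETIME f[7]=reason
            name = data[off + f[12]: off + f[12] + f[11]].decode("utf-16-le")
            yield f[3], EPOCH_1601 + timedelta(microseconds=f[6] // 10), f[7], name
        off += length

def wiped_names(data, cutoff):
    """Original names of files deleted at/after cutoff; a rename before deletion is mapped
    back to the real name, which survives only in the RENAME_OLD_NAME record for that FRN."""
    original, found = {}, []
    for frn, ts, reason, name in parse_usn_v2(data):
        if ts < cutoff:
            continue
        if reason & RENAME_OLD:
            original.setdefault(frn, name)
        if reason & FILE_DELETE and original.get(frn, name) not in found:
            found.append(original.get(frn, name))
    return found

def make_record(frn, ts, reason, name):
    """Constructed USN_RECORD_V2 for the demo; not data from the CTF image."""
    enc, ft = name.encode("utf-16-le"), ((ts - EPOCH_1601) // timedelta(microseconds=1)) * 10
    length = (60 + len(enc) + 7) & ~7   # records are padded to 8-byte alignment
    hdr = struct.pack(HEADER, length, 2, 0, frn, 5, 0, ft, reason, 0, 0, 0x20, len(enc), 60)
    return hdr + enc + b"\0" * (length - 60 - len(enc))

T = lambda h, m, s: datetime(2018, 4, 26, h, m, s, tzinfo=timezone.utc)
ERASER_LAST_RUN = T(18, 41, 7)   # prefetch last-run time quoted in the write-up
SAMPLE_J = b"".join([            # constructed journal: one deletion before the run, two wipes after
    make_record(0x11, T(18, 30, 0), CLOSE | FILE_DELETE, "old-draft.txt"),
    make_record(0x12, T(18, 41, 20), DATA_OVERWRITE, "applypatch-msg.sample"),
    make_record(0x12, T(18, 41, 21), RENAME_OLD, "applypatch-msg.sample"),
    make_record(0x12, T(18, 41, 21), RENAME_NEW, "Qx7z.tmp"),
    make_record(0x12, T(18, 41, 22), CLOSE | FILE_DELETE, "Qx7z.tmp"),
    make_record(0x13, T(18, 41, 25), CLOSE | FILE_DELETE | DATA_OVERWRITE, "commit-msg.sample")])
```

Running `wiped_names(SAMPLE_J, ERASER_LAST_RUN)` on the constructed journal gives the two original names, even though the first file was deleted under its alias.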

That’s all for today!

Happy forensicating!

About the authors

Oleg Skulkin, GCFA, MCFE, ACE, is a DFIR enthusional (enthusiast + professional), Windows Forensics Cookbook and Practical Mobile Forensics co-author.

Igor Mikhaylov, MCFE, EnCE, ACE, OSFCE, is a digital forensic examiner with more than 20 years of experience and Mobile Forensics Cookbook author.
