
Magnet User Summit CTF: Misc


We are continuing our write-up. The second part will walk you through the solution of the second set of CTF problems – Misc.


Again, a very easy task, but it’s only the beginning. You can find the flag in the Timezone Information section of AXIOM, or via manual analysis of the TimeZoneInformation key.

As you can see, the flag is Mountain.


Another easy task – finding the volume serial number. There are lots of tools capable of providing you with this info, but we will use AXIOM again – the flag is 6C19-1B65.

YouTube Search

Not difficult at all either. It’s time to analyze the browsing history. A good idea is to filter the data by date, as we need 3/28/2018. Once it’s filtered, you can search for “youtube”. Bingo! We got the flag – simpsons max power.

Sleuthkit + PowerShell

The system we are analyzing has great logging capabilities, so you can find PowerShell transcripts in the Documents folder. But that’s not all. If you search for “SRUDB.dat”, you’ll quickly find ConsoleHost_history.txt, where you can find the flag:

$inode = ifind -n /Windows/System32/sru/SRUDB.dat \\.\C: ; icat \\.\C: $inode > SRUDB.dat

Administrator Logon Count

Extremely easy with AXIOM – look at the User Accounts section. The flag is 14.

Install Q

It’s time to look at the Installed Programs list. It’s very easy to find this flag – 2018-04-11.

File Sequence Number

This was the time to test a new tool by Eric Zimmerman – MFTECmd. First you should export the $MFT file and parse it with the tool. Next, search for “python.exe”. The flag is 1.

Filename Lookup

You can use the same CSV and search for “86280”. The flag is $UsnJrnl.

File Timestamp

Again, same CSV. Search for “CMD.EXE-89305D47.pf” and look at Last Access0x10. So the flag is 2018-04-26 15:48:40.
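The three lookups above (sequence number, entry number, Last Access0x10) all come from fields of a single $MFT FILE record; the Python sketch below is an added example, not code from the write-up or from MFTECmd, showing where those fields sit. The sample record is constructed: its entry number 4242 and sequence number 3 are made-up values, and all function names are assumptions.

```python
import struct
from datetime import datetime, timedelta

EPOCH = datetime(1601, 1, 1)  # FILETIME: 100 ns ticks since this instant (UTC)

def filetime(ticks):
    return EPOCH + timedelta(microseconds=ticks // 10)

def parse_record(rec):
    """Entry/sequence number, name and $STANDARD_INFORMATION last access."""
    if rec[:4] != b"FILE":
        raise ValueError("bad signature, not a FILE record")
    # Sketch: real records need update-sequence fixups applied before parsing.
    seq, _links, pos, flags = struct.unpack_from("<HHHH", rec, 0x10)
    out = {"entry": struct.unpack_from("<I", rec, 0x2C)[0],
           "sequence": seq, "in_use": bool(flags & 1)}
    while pos + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, pos)
        if atype == 0xFFFFFFFF or alen == 0:  # end marker / corrupt length
            break
        if rec[pos + 8] == 0:  # resident: content lives inside the record
            clen, coff = struct.unpack_from("<IH", rec, pos + 0x10)
            body = rec[pos + coff:pos + coff + clen]
            if atype == 0x10:    # $STANDARD_INFORMATION, accessed at +24
                out["last_access_0x10"] = filetime(struct.unpack_from("<Q", body, 24)[0])
            elif atype == 0x30:  # $FILE_NAME, length at +0x40, name at +0x42
                out["name"] = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le")
        pos += alen
    return out

def resident_attr(atype, body):
    """Build a resident attribute: 24-byte header, content, 8-byte aligned."""
    length = (24 + len(body) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, length, 0, 0, 0, 0, 0, len(body), 24, 0, 0)
    return (hdr + body).ljust(length, b"\0")

def sample_record():
    """Constructed record: entry 4242 and sequence 3 are made-up values."""
    ticks = (datetime(2018, 4, 26, 15, 48, 40) - EPOCH) // timedelta(microseconds=1) * 10
    si = struct.pack("<4Q", 0, 0, 0, ticks).ljust(48, b"\0")
    name = "CMD.EXE-89305D47.pf"
    fn = bytes(0x40) + bytes([len(name), 1]) + name.encode("utf-16-le")
    attrs = resident_attr(0x10, si) + resident_attr(0x30, fn) + b"\xff" * 4
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 3, 1, 0x38, 1,
                      0x38 + len(attrs), 1024, 0, 2, 0, 4242)
    return (hdr.ljust(0x38, b"\0") + attrs).ljust(1024, b"\0")

if __name__ == "__main__":
    print(parse_record(sample_record()))
```

The “0x10” suffix on the column name is the attribute type of $STANDARD_INFORMATION; the same timestamps stored in $FILE_NAME carry type 0x30.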

Who Installed Atom?

Let’s look at the Installed Programs list again.

So, now we know it’s maxpowers who installed it. Let’s get the SID. Look at User Accounts.

As you can see, the flag is S-1-5-21-2801897208-1878083585-4182000528-1002.

Deletion in LogFile

AXIOM is capable of parsing $LogFile contents, so you can find the flag in the $LogFile Analysis section.

As you can see, the deleted file’s name is 7z.dll, and this is the flag.

That’s all for today!

Happy forensicating!

About the authors

Oleg Skulkin, GCFA, MCFE, ACE, is a DFIR enthusional (enthusiast + professional), Windows Forensics Cookbook and Practical Mobile Forensics co-author.

Igor Mikhaylov, MCFE, EnCE, ACE, OSFCE, is a digital forensic examiner with more than 20 years of experience and Mobile Forensics Cookbook author.
