Category: Forensics
Flag: texsaw{u5njOurn@l_unc0v3rs_4lter3d_f1les_3fd19982505363d0}
Challenge Description
I was using this Windows machine for journaling and notetaking, but I think malware got onto it. Can you take a look and put together any evidence left on disk?
Analysis
The archive expands to a raw Windows disk image, so the useful first question is where the filesystem actually starts. file identifies it as an MBR-formatted Windows 7 disk image, and mmls shows a single NTFS partition beginning at sector 128. That offset is what makes the later Sleuth Kit commands work against the correct volume.
$ file work/evidence.001
work/evidence.001: DOS/MBR boot sector MS-MBR Windows 7 english at offset 0x163 "Invalid partition table" at offset 0x17b "Error loading operating system" at offset 0x19a "Missing operating system", disk signature 0x5e7dc5f9; partition 1 : ID=0x7, start-CHS (0x0,2,3), end-CHS (0x81,254,63), startsector 128, 2091008 sectors

$ mmls work/evidence.001
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot      Start        End          Length       Description
000: Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001: -------   0000000000   0000000127   0000000128   Unallocated
002: 000:000   0000000128   0002091135   0002091008   NTFS / exFAT (0x07)
003: -------   0002091136   0002097151   0000006016   Unallocated

$ fsstat -o 128 work/evidence.001
Volume Serial Number: BA601451601416AB
Volume Name: Challenge
Cluster Size: 4096

Once the NTFS offset is known, a recursive fls search for flagsegment immediately gives away two pieces of the puzzle: a directory named flagsegment_u5njOurn@l and a deleted file named flagsegment_f1les.txt. That is enough to show the flag is being split across filesystem artifacts instead of stored as a single obvious string.
$ fls -r -o 128 work/evidence.001 | rg -n "flagsegment"
493:++++ d/d 940-144-1: flagsegment_u5njOurn@l
496:+++++ -/r * 944-128-1: flagsegment_f1les.txt

Reading the deleted file (MFT entry 944) with icat confirms the f1les segment, while tasks.txt (entry 945) hints that a fifth part is hidden somewhere else. Pulling the alternate data stream from tasks.txt (the $DATA attribute 945-128-3) reveals that last hidden segment directly.

$ icat -o 128 work/evidence.001 944
Must be deleted

$ icat -o 128 work/evidence.001 945
To Do: Image infected device and analyze in Autopsy, identify IoCs, create timeline of events, find out where part 5 is...

$ icat -o 128 work/evidence.001 945-128-3
flagsegment_3fd19982505363d0

That still leaves one missing segment, and the NTFS journals are where it turns up. Searching the extracted USN journal (usnjrnl.bin) for the same pattern shows flagsegment_unc0v3rs.txt, which means the filename alone gives another flag part even though the file itself was not recovered as a normal artifact.
$ strings -el results/extracted/usnjrnl.bin | rg -n "flagsegment|unc0v3rs|4lter3d"
- flagsegment_unc0v3rs.txt found in USN strings
- flagsegment_f1les.txt, flagsegment_u5njOurn@l found

The last missing piece comes from $LogFile. Its UTF-16 strings include flagsegment_4lter3d, which completes the set of five segments recovered from the image: u5njOurn@l, unc0v3rs, 4lter3d, f1les, and 3fd19982505363d0. The accepted flag is the result of assembling those segments in the recovered timeline order implied by the NTFS artifacts.
$ strings -el results/extracted/logfile.bin | rg -n "flagsegment|unc0v3rs|4lter3d"
- flagsegment_4lter3d found in $LogFile
- flagsegment_unc0v3rs.txt found in $LogFile

Solution
The solve was to enumerate NTFS artifacts with Sleuth Kit, recover the deleted file and ADS, then search the journal artifacts for the remaining hidden filenames.
$ fls -r -o 128 work/evidence.001 | rg -n "flagsegment"
493:++++ d/d 940-144-1: flagsegment_u5njOurn@l
496:+++++ -/r * 944-128-1: flagsegment_f1les.txt

$ icat -o 128 work/evidence.001 944
Must be deleted

$ icat -o 128 work/evidence.001 945
To Do: Image infected device and analyze in Autopsy, identify IoCs, create timeline of events, find out where part 5 is...

$ icat -o 128 work/evidence.001 945-128-3
flagsegment_3fd19982505363d0

$ strings -el results/extracted/usnjrnl.bin | rg -n "flagsegment|unc0v3rs|4lter3d"
- flagsegment_unc0v3rs.txt found in USN strings
- flagsegment_f1les.txt, flagsegment_u5njOurn@l found

$ strings -el results/extracted/logfile.bin | rg -n "flagsegment|unc0v3rs|4lter3d"
- flagsegment_4lter3d found in $LogFile
- flagsegment_unc0v3rs.txt found in $LogFile

Combining the recovered segments in order gives the accepted flag texsaw{u5njOurn@l_unc0v3rs_4lter3d_f1les_3fd19982505363d0}.
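As an added example (not part of the original writeup or its tooling), the walker below parses raw USN_RECORD_V2 entries from an extracted $UsnJrnl:$J dump instead of relying on strings, so each filename hit comes with its USN, MFT entry, timestamp and reason flags (create, delete, rename, close), which is what turns a bare name like flagsegment_unc0v3rs.txt into a timeline entry. The journal bytes are constructed inline; the header layout and REASONS subset are the documented Windows format, while the sample MFT numbers 944 and 5 are just chosen values.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

# Subset of the USN_REASON_* flags from the Windows SDK, used to label each record.
REASONS = {0x1: "DATA_OVERWRITE", 0x2: "DATA_EXTEND", 0x100: "FILE_CREATE", 0x200: "FILE_DELETE",
           0x1000: "RENAME_OLD_NAME", 0x2000: "RENAME_NEW_NAME", 0x200000: "STREAM_CHANGE",
           0x80000000: "CLOSE"}
# USN_RECORD_V2 fixed header (60 bytes); the UTF-16LE file name follows at FileNameOffset.
HDR = struct.Struct("<IHHQQQQIIIIHH")

def filetime_to_dt(ft):  # FILETIME = 100 ns ticks since 1601-01-01 UTC
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_usn_records(buf):
    """Yield USN_RECORD_V2 entries from raw $UsnJrnl:$J bytes, skipping zero-filled gaps."""
    off = 0
    while off + HDR.size <= len(buf):
        length = struct.unpack_from("<I", buf, off)[0]
        if length == 0:            # sparse region or padding: advance to the next 8-byte slot
            off += 8
            continue
        fields = HDR.unpack_from(buf, off)
        if fields[1] != 2 or length < HDR.size or off + length > len(buf):
            break                  # not a V2 record we can trust; stop instead of guessing
        _, _, _, frn, parent, usn, ts, reason, _, _, _, name_len, name_off = fields
        name = buf[off + name_off: off + name_off + name_len].decode("utf-16-le")
        yield {"usn": usn, "mft": frn & 0xFFFFFFFFFFFF, "parent": parent & 0xFFFFFFFFFFFF, "name": name,
               "time": filetime_to_dt(ts), "reasons": [v for k, v in REASONS.items() if reason & k]}
        off += length

def find_names(buf, pattern):
    """Return (usn, name, reasons) for every record whose filename matches the regex."""
    rx = re.compile(pattern)
    return [(r["usn"], r["name"], r["reasons"]) for r in parse_usn_records(buf) if rx.search(r["name"])]

def make_record(usn, name, reason, frn=944, parent=5):
    """Build a constructed USN_RECORD_V2 for the sample below (not data from the image)."""
    enc = name.encode("utf-16-le")
    length = (HDR.size + len(enc) + 7) & ~7    # records are padded to 8-byte alignment
    hdr = HDR.pack(length, 2, 0, frn, parent, usn, 132_000_000_000_000_000, reason, 0, 0, 0x20, len(enc), HDR.size)
    return (hdr + enc).ljust(length, b"\0")

# Constructed sample journal: a segment file is created then deleted, with a zero-filled gap between.
SAMPLE_J = (make_record(0x100, "flagsegment_unc0v3rs.txt", 0x100 | 0x80000000) + b"\0" * 64
            + make_record(0x140, "flagsegment_unc0v3rs.txt", 0x200 | 0x80000000)
            + make_record(0x180, "notes.txt", 0x2))
if __name__ == "__main__":
    for usn, name, reasons in find_names(SAMPLE_J, r"flagsegment"):
        print(f"{usn:#x} {name} {'+'.join(reasons)}")
```

Point it at the real extracted usnjrnl.bin by replacing SAMPLE_J with the file's bytes; the FILE_DELETE record for a name is what shows the file existed even when fls no longer lists it.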