This resembled a real-life scenario where one needs to determine whether someone physically accessed a computer without authorization and exfiltrated data. Cool room with Windows forensics practice.
Scenario
Welcome to the team, kid. I have something for you to get your feet wet.
Our client has a newly hired employee who saw a suspicious-looking janitor exiting his office as he was about to return from lunch.
I want you to investigate if there was user activity while the user was away between 12:05 PM to 12:45 PM on the 19th of November 2022. If there was, figure out what files were accessed and exfiltrated externally.
Investigation
Story: Initial investigations reveal that someone accessed the user’s computer during the previously specified timeframe.
Whoever this someone is, it is evident they already know what to search for. Hmm. Curious.
- What file type was searched for using the search bar in Windows Explorer?
Two places in the user's hive where the answer could be found:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
TypedPaths records paths typed into the Explorer address bar, while WordWheelQuery records the terms typed into the Explorer search box in most-recent-first order, so the latter is the one that answers this question.
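WordWheelQuery is worth decoding by hand once, because the value names alone do not tell you which search was the latest: the MRUListEx value holds the slot order. The script below is an added example, not code from the writeup or the room; it takes the raw value bytes as any hive parser would return them, and the sample values are constructed.

```python
"""Decode an Explorer WordWheelQuery key exported from an NTUSER.DAT hive.

Added example, not part of the original writeup or the TryHackMe room.
Values are passed as raw REG_BINARY bytes; SAMPLE_VALUES is constructed.
"""
import struct
from datetime import datetime, timedelta, timezone

MRU_TERMINATOR = 0xFFFFFFFF


def decode_search_terms(values: dict[str, bytes]) -> list[str]:
    """Return the searched terms in MRU order (most recent first).

    `values` maps value names under ...\\Explorer\\WordWheelQuery to raw
    data: "MRUListEx" is a list of little-endian DWORD slot indices ended
    by 0xFFFFFFFF; each slot value ("0", "1", ...) is a null-terminated
    UTF-16LE string that was typed into the Explorer search box.
    """
    mru = values.get("MRUListEx", b"")
    order = []
    for (idx,) in struct.iter_unpack("<I", mru[: len(mru) - len(mru) % 4]):
        if idx == MRU_TERMINATOR:
            break
        order.append(idx)
    terms = []
    for idx in order:
        raw = values.get(str(idx))
        if raw is None:  # dangling index: the slot value was removed
            continue
        terms.append(raw.decode("utf-16-le").split("\x00", 1)[0])
    return terms


def filetime_to_utc(filetime: int) -> datetime:
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01) to UTC.

    The key's last-write time is the only timestamp WordWheelQuery keeps,
    so it dates the most recent search only, not the earlier slots.
    """
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(
        microseconds=filetime // 10)


# Constructed sample: three searches, the newest ("*.xlsx") sits in slot 2.
SAMPLE_VALUES = {
    "0": "invoice".encode("utf-16-le") + b"\x00\x00",
    "1": "*.png".encode("utf-16-le") + b"\x00\x00",
    "2": "*.xlsx".encode("utf-16-le") + b"\x00\x00",
    "MRUListEx": struct.pack("<4I", 2, 1, 0, MRU_TERMINATOR),
}

if __name__ == "__main__":
    print(decode_search_terms(SAMPLE_VALUES))
```

Compare the key's last-write time (converted with filetime_to_utc) against the 12:05 to 12:45 window to confirm the most recent search falls inside it.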
Story: Not surprisingly, they quickly found what they were looking for in a matter of minutes.
Ha! They seem to have hit a snag! They needed something first before they could continue.
- What is the name of the downloaded file to the Downloads folder?
- When was the file from the previous question downloaded? (YYYY-MM-DD HH:MM:SS UTC)
Answer in the above screenshot.
- Thanks to the previously downloaded file, a PNG file was opened. When was this file opened? (YYYY-MM-DD HH:MM:SS)
Story: Uh oh. They’ve hit the jackpot and are now preparing to exfiltrate data outside the network.
There is no way to do it via USB. So what’s their other option?
- A text file was created in the Desktop folder. How many times was this file opened?
2 times. To find the answer I had to use the Eric Zimmerman Jump Lists parser to export a CSV, and then open it with EZViewer:
JLECmd.exe -d C:\Users\THM-RFedora\Desktop\kape-results\C\Users\THM-RFedora\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\ --csv .
Here’s the answer:
- When was the text file from the previous question last modified? (MM/DD/YYYY HH:MM)
- What is the string that was copied to the pastebin URL?
Story: At this point, we already have a good idea of what happened. The malicious threat actor was able to successfully find and exfiltrate data. While we could not determine who this person is, it is clear that they knew what they wanted and how to get it.
I wonder what's so important that they risked accessing the machine in person... I guess we'll never know.
Anyways, you did good, kid. I guess it was too easy for you, huh?
Conclusions
This room was enjoyable and not too challenging. It presented a compelling narrative that addressed one of the potential reasons for conducting a Windows forensic investigation.