Scenario
Jasmine owns a New York coffee shop, Coffely, which is famous city-wide for its unique taste. Only Jasmine keeps the original copy of the recipe, and she keeps it only on her work laptop. Last week, James from the IT department was called in to fix Jasmine's laptop, but it is suspected that he copied the secret recipes from her machine and is keeping them on his own.
His machine has been confiscated and examined, but no traces could be found. The security department has pulled some important registry artifacts from his device and has tasked you to examine these artifacts and determine the presence of secret files on his machine.
Investigation
- What is the Computer Name of the Machine found in the registry?
JAMES, from the compname plugin run against the SYSTEM hive:

----------------------------------------
compname v.20090727 (System)
Gets ComputerName and Hostname values from System hive

ComputerName    = JAMES
TCP/IP Hostname = James
----------------------------------------
- When was the Administrator account created on this machine? (Format: yyyy-mm-dd hh:mm:ss)
2021-03-17 14:58:48, the Account Created field in the samparse output (the same block carries the RID, 500, asked for in the next question):

User Information
-------------------------
Username        : Administrator [500]
Full Name       :
User Comment    : Built-in account for administering the computer/domain
Account Type    :
Account Created : 2021-03-17 14:58:48Z
Name            :
Last Login Date : 2022-10-12 19:26:09Z
Pwd Reset Date  : 2022-10-04 16:22:22Z
Pwd Fail Date   : 2022-10-04 17:15:21Z
Login Count     : 72
Embedded RID    : 500
  --> Normal user account
- What is the RID associated with the Administrator account?
- How many User accounts were observed on this machine?
7 users. The Users group membership below is not the place to count them: of its five members, S-1-5-4 (INTERACTIVE) and S-1-5-11 (Authenticated Users) are well-known SIDs that Windows places in the group, not accounts, so only three local accounts (RIDs 1011, 1012 and 1013) actually appear here. The total comes from the samparse User Information entries (Administrator plus the other accounts), not from this listing.

Group Name    : Users [5]
LastWrite     : 2022-10-04 17:03:12Z
Group Comment : Users are prevented from making accidental or intentional system-wide changes and can run most applications
Users :
  S-1-5-4
  S-1-5-21-1966530601-3185510712-10604624-1012
  S-1-5-11
  S-1-5-21-1966530601-3185510712-10604624-1013
  S-1-5-21-1966530601-3185510712-10604624-1011
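To avoid that miscount mechanically, parse the SIDs instead of counting lines. The Python below is an added example written for this write-up (not RegRipper code or room material): the member list is the group output above, and the well-known SID table is a small hand-written subset, not a complete list.

```python
import re

# Constructed sample: the member SIDs of the Users group from the output above.
USERS_GROUP_MEMBERS = [
    "S-1-5-4",
    "S-1-5-21-1966530601-3185510712-10604624-1012",
    "S-1-5-11",
    "S-1-5-21-1966530601-3185510712-10604624-1013",
    "S-1-5-21-1966530601-3185510712-10604624-1011",
]

# Well-known SIDs that routinely show up in local group membership but are
# not accounts. Subset only; extend from Microsoft's well-known SID list.
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-4": "INTERACTIVE",
    "S-1-5-11": "Authenticated Users",
}

SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")


def classify_sid(sid):
    """Describe a SID string.

    Local and domain account SIDs look like S-1-5-21-<a>-<b>-<c>-<RID>; the
    RID is the last sub-authority. RIDs below 1000 are reserved for built-in
    accounts (500 Administrator, 501 Guest, ...); 1000 and up are handed out
    sequentially to accounts created after installation.
    """
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID: {sid}")
    authority = int(m.group(1))
    subs = [int(x) for x in m.group(2).split("-")[1:]]
    if sid in WELL_KNOWN:
        return {"sid": sid, "kind": "well-known", "name": WELL_KNOWN[sid], "rid": None}
    if authority == 5 and subs[:1] == [21] and len(subs) == 5:
        rid = subs[-1]
        return {
            "sid": sid,
            "kind": "account",
            "domain": "-".join(str(s) for s in subs[1:4]),
            "rid": rid,
            "builtin": rid < 1000,
        }
    return {"sid": sid, "kind": "other", "rid": None}


def account_rids(members):
    """RIDs of the real accounts in a group listing, in listing order."""
    return [c["rid"] for c in map(classify_sid, members) if c["kind"] == "account"]


def created_after_install(members):
    """RIDs >= 1000 in the listing: accounts somebody created on this box."""
    return [rid for rid in account_rids(members) if rid >= 1000]


if __name__ == "__main__":
    for sid in USERS_GROUP_MEMBERS:
        print(classify_sid(sid))
    print("account RIDs:", account_rids(USERS_GROUP_MEMBERS))
```

On the listing above this yields three account RIDs, all above 1000, which is also where the RID 1013 of the next question sits.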
- There seems to be a suspicious account created as a backdoor with RID 1013. What is the Account Name?
- What is the VPN connection this host connected to?
ProtonVPN, identified by its TAP adapter in the networksetup2 output:

networksetup2 v.20191004 (System)
Get NetworkSetup2 subkey info

Ethernet 3 - Amazon Elastic Network Adapter (wired)
  CurrentAddress   : 2:12:32:4a:cf:7f
  PermanentAddress : 2:12:32:4a:cf:7f
Ethernet - AWS PV Network Device (wired)
  CurrentAddress   : 2:71:56:2:c0:e3
  PermanentAddress : 2:71:56:2:c0:e3
Teredo Tunneling Pseudo-Interface - Microsoft Teredo Tunneling Adapter (0x83)
  CurrentAddress   : 0:0:0:0:0:0
  PermanentAddress : 0:0:0:0:0:0
Local Area Connection - TAP-ProtonVPN Windows Adapter V9 (0x35)
  CurrentAddress   : 0:ff:99:37:7e:62
  PermanentAddress : 0:ff:99:37:7e:62
Ethernet 2 - Intel(R) 82599 Virtual Function (wired)
  CurrentAddress   : a:7a:75:48:eb:fb
  PermanentAddress : a:7a:75:48:eb:fb
- When was the first VPN connection observed? (Format: YYYY-MM-DD HH:MM:SS)
2022-10-12 19:52:36. The NetworkList profile is created the first time the network is seen, so DateCreated answers "first connection"; DateLastConnected is overwritten on each later connection, and here both are identical, so no later ProtonVPN connection was recorded:

Launching networklist v.20200518 (Software)
Collects network info from NetworkList key

Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles
Network 2
  Key LastWrite    : 2022-10-04 16:32:23Z
  DateLastConnected: 2022-10-04 16:32:23
  DateCreated      : 2021-03-17 15:08:34
  DefaultGatewayMac: 02-C8-85-B5-5A-AA
  Type             : wired

ProtonVPN
  Key LastWrite    : 2022-10-12 19:52:36Z
  DateLastConnected: 2022-10-12 19:52:36
  DateCreated      : 2022-10-12 19:52:36
  DefaultGatewayMac: -----
  Type             : 53
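To make the DateCreated versus DateLastConnected distinction mechanical across many profiles, here is an added Python example (mine, not part of the room or of RegRipper) that parses the networklist output above, re-wrapped one field per line the way the plugin prints it, and returns the earliest creation among profiles whose name matches a pattern. Picking VPN profiles by name is an assumption made for the example; the Type value 53 is kept as the raw number RegRipper printed.

```python
import re
from datetime import datetime

# Constructed sample: the networklist plugin text from the page, one field per
# line. It is that output re-wrapped, not a newly parsed hive.
NETWORKLIST_OUTPUT = """\
networklist v.20200518
(Software) Collects network info from NetworkList key

Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Profiles
Network 2
  Key LastWrite    : 2022-10-04 16:32:23Z
  DateLastConnected: 2022-10-04 16:32:23
  DateCreated      : 2021-03-17 15:08:34
  DefaultGatewayMac: 02-C8-85-B5-5A-AA
  Type             : wired

ProtonVPN
  Key LastWrite    : 2022-10-12 19:52:36Z
  DateLastConnected: 2022-10-12 19:52:36
  DateCreated      : 2022-10-12 19:52:36
  DefaultGatewayMac: -----
  Type             : 53
"""

FIELD_RE = re.compile(r"^\s+([A-Za-z ]+?)\s*:\s*(.*)$")
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_networklist(text):
    """Turn plugin output into {profile_name: {field: value}}.

    A profile is a non-indented line followed by indented 'Field : value'
    lines. Header lines without fields (plugin banner, key path) never get a
    field and therefore never end up in the result.
    """
    profiles, name, fields = {}, None, {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m and name is not None:
            fields[m.group(1).strip()] = m.group(2).strip()
            profiles[name] = fields
        elif line and not line[0].isspace():
            name, fields = line.strip(), {}
    return profiles


def parse_time(value):
    # RegRipper prints key LastWrite with a trailing Z; the profile dates without.
    return datetime.strptime(value.rstrip("Z"), TIME_FMT)


def first_connection(profiles, name_pattern):
    """Earliest DateCreated among profiles whose name matches name_pattern.

    DateCreated is written once, when the profile first appears, so it is the
    first connection. DateLastConnected is rewritten on every connection; when
    it still equals DateCreated, no later connection was recorded.
    """
    matches = {n: f for n, f in profiles.items() if re.search(name_pattern, n, re.I)}
    if not matches:
        return None
    name = min(matches, key=lambda n: parse_time(matches[n]["DateCreated"]))
    f = matches[name]
    return {
        "profile": name,
        "first": f["DateCreated"],
        "last": f["DateLastConnected"],
        "no_later_connection": f["DateCreated"] == f["DateLastConnected"],
    }


if __name__ == "__main__":
    profs = parse_networklist(NETWORKLIST_OUTPUT)
    print(first_connection(profs, r"vpn"))   # the ProtonVPN profile
    print(first_connection(profs, r"."))     # oldest profile of any kind
```

Running it with the pattern `.` instead of `vpn` returns Network 2, whose DateCreated (2021-03-17) predates its DateLastConnected (2022-10-04), the normal shape for a network that was used more than once.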
- There were three shared folders observed on his machine. What is the path of the third share?
- What is the Last DHCP IP assigned to this host?
172.31.2.197, the DhcpIPAddress on the only adapter with an interface key:

ControlSet001\Services\Tcpip\Parameters\Interfaces has no subkeys.
Adapter: {ea458d05-f4ab-48d2-9a67-97fb05ce3a76}
LastWrite Time: 2021-03-17 14:58:47Z
  EnableDHCP          1
  Domain
  NameServer
  DhcpIPAddress       172.31.2.197
  DhcpSubnetMask      255.255.240.0
  DhcpServer          172.31.0.1
  Lease               3600
  LeaseObtainedTime   2021-03-17 14:58:47Z
  T1                  2021-03-17 15:28:47Z
  T2                  2021-03-17 15:51:17Z
  LeaseTerminatesTime 2021-03-17 15:58:47Z
- The suspect seems to have accessed a file containing the secret coffee recipe. What is the name of the file?
- The suspect ran multiple commands in the Run window (the RunMRU key in NTUSER.DAT). What command was run to enumerate the network interfaces?
- In the file explorer, the user searched for a network utility to transfer files. What is the name of that tool?
- What is the most recent text file opened by the suspect?
- How many times was PowerShell executed on this host?
- The suspect also executed a network monitoring tool. What is the name of the tool?
- Registry Hives also notes the amount of time a process is in focus. Examine the Hives. For how many seconds was ProtonVPN executed?
343 seconds. The focus time comes from the UserAssist key in NTUSER.DAT; the screenshot of the ProtonVPN entry reads 5 minutes 43 seconds, i.e. 5 * 60 + 43.
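UserAssist lives at Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count in NTUSER.DAT; each value name is ROT13-encoded and, on Windows 7 and later, the data is a 72-byte record that carries the run count (the basis for the PowerShell question above), the focus count, the focus time in milliseconds and a FILETIME of the last execution. The Python below is an added example of decoding that record, not the room's data: the value names, counts and timestamps are constructed for the example (the ProtonVPN install path is invented and the 343 000 ms focus value is chosen to match the answer above), and the layout offsets are the widely documented Windows 7+ format.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Windows 7+ UserAssist record, little-endian, 72 bytes:
#   0  DWORD    session id
#   4  DWORD    run count
#   8  DWORD    focus count
#  12  DWORD    focus time in milliseconds
#  16  10 x float (not used here)
#  56  DWORD    unknown
#  60  FILETIME last executed (100 ns ticks since 1601-01-01 UTC)
#  68  DWORD    unknown
USERASSIST_FMT = "<IIII10fIQI"
assert struct.calcsize(USERASSIST_FMT) == 72

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return int((dt - FILETIME_EPOCH) / timedelta(microseconds=1)) * 10


def decode_userassist(value_name, raw):
    """Decode one UserAssist value: ROT13 name plus the 72-byte record."""
    if len(raw) != 72:
        raise ValueError(f"unexpected UserAssist record size {len(raw)}")
    fields = struct.unpack(USERASSIST_FMT, raw)
    # indexes: 0..3 the four DWORDs, 4..13 the floats, 14 unknown, 15 FILETIME
    run_count, focus_count, focus_ms, last_exec = fields[1], fields[2], fields[3], fields[15]
    return {
        "path": codecs.decode(value_name, "rot_13"),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_seconds": focus_ms // 1000,
        "last_executed": filetime_to_datetime(last_exec) if last_exec else None,
    }


def encode_userassist(path, run_count, focus_count, focus_ms, last_executed):
    """Build a (value_name, raw) pair the way the OS stores it; used for samples."""
    ft = datetime_to_filetime(last_executed) if last_executed else 0
    raw = struct.pack(USERASSIST_FMT, 0, run_count, focus_count, focus_ms,
                      *([0.0] * 10), 0, ft, 0)
    return codecs.encode(path, "rot_13"), raw


# Constructed sample values. The known-folder GUIDs are the real ones for
# Program Files and System32, but the paths, counts and timestamps are made up
# for this example and are not taken from the suspect's NTUSER.DAT.
SAMPLE_VALUES = dict([
    encode_userassist(r"{6D809377-6AF0-444B-8957-A3773F02200E}\Proton\VPN\ProtonVPN.exe",
                      1, 12, 343_000, datetime(2022, 10, 12, 19, 58, 19, tzinfo=timezone.utc)),
    encode_userassist(r"{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\WindowsPowerShell\v1.0\powershell.exe",
                      4, 9, 61_500, datetime(2022, 10, 12, 19, 30, 2, tzinfo=timezone.utc)),
])


def entries_for(values, exe_name):
    """Decoded entries whose path ends with \\exe_name (case-insensitive)."""
    suffix = "\\" + exe_name.lower()
    return [e for e in (decode_userassist(n, r) for n, r in values.items())
            if e["path"].lower().endswith(suffix)]


def focus_seconds(values, exe_name):
    return sum(e["focus_seconds"] for e in entries_for(values, exe_name))


def run_count(values, exe_name):
    return sum(e["run_count"] for e in entries_for(values, exe_name))


if __name__ == "__main__":
    for name, raw in SAMPLE_VALUES.items():
        print(name, "->", decode_userassist(name, raw))
    print("ProtonVPN focus seconds:", focus_seconds(SAMPLE_VALUES, "ProtonVPN.exe"))
```

The same executable can appear under more than one value name (for example once by path and once via a shortcut GUID), which is why the helpers sum over every matching entry rather than taking the first hit.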
- Everything.exe is a utility used to search for files on a Windows machine. What is the full path from which Everything.exe was executed?
Conclusions
Looks like James has been naughty! I enjoyed doing this room; I could practice my Windows forensics skills a lot, which is something I've been trying to get good at lately. I also liked the narrative behind this room, definitely recommended.