Windows Forensics CTF write-up

palliative
Mar 22, 2021

Solved and written by dark_mendes and me.

This CTF was put up by ekraal as part of the Aspire program. New challenges can be found at ciphercode.dev every other week :)

A windows disk image was provided to conduct forensic analysis on.

To solve the Windows Forensics challenges, we used the following resources:

1. FTK Imager
2. Windows Event Viewer
3. PECmd
4. WinPrefetchView
5. analyzeMFT
6. FTK Registry Viewer

# Windows-1 Hostname

Viewing the Windows image with FTK Imager

Step 1: Navigate to the Windows\System32\Config folder in FTK Imager and export the SYSTEM file (right click and select Export Files) to your analysis system.

Step 2: Open the file using a registry viewer of your choice. In this case we use AccessData FTK Registry Viewer, then navigate to the SYSTEM\ControlSet001\Control\ComputerName\ComputerName registry key. Note the data value of ComputerName.

Flag format: Aspire{DESKTOP-M7V081J}

# Windows-2 Time-zone 50 points

Step 1: Still using the registry viewer and the SYSTEM file, navigate to the SYSTEM\ControlSet001\Control\TimeZoneInformation registry key. Note the data value for TimeZoneKeyName.

Flag format: Aspire{EASTERN_AFRICA_TIME}

# Windows-3 Build number 50 points

Step 1: Navigate to the Windows\System32\Config folder in FTK Imager and export the SOFTWARE file.

Step 2: Open the exported file using a registry viewer, then navigate to the Software\Microsoft\Windows NT\CurrentVersion registry key. Note the data value for CurrentBuildNumber.

Flag format: Aspire{18363}

# Windows-4 Product name

From the same steps and results obtained from the previous challenge, the product name is also listed there (on the same registry key).

Flag format: Aspire{WINDOWS_10_PRO}

# Windows-5 Browser run-date

To solve this challenge, we look at the Windows Prefetch files. A prefetch file is created by the Windows operating system and records the files an application loaded when it was run; Windows uses this information to optimise the application's loading time the next time it is launched.

Step 1: Download the PECmd tool from https://f001.backblazeb2.com/file/EricZimmermanTools/PECmd.zip; it parses a prefetch file and reports the information stored in it. In this case we run it against the FIREFOX.EXE prefetch file from the image.

Step 2: After exporting/downloading the FIREFOX.EXE prefetch file to your analysis machine, run the command below against the exported prefetch file.

Step 3: Note when the browser was last run.

Flag format: Aspire{26–02–2021}

# Windows-5 Browser run-time

The PECmd output from the previous steps also reports the run count, which shows how many times the browser was run.

Flag format: Aspire{fifty}

# Windows-6 Browser path

Again, from the same steps and results, the file path of the executable is highlighted below:

Note that we replaced the random volume name in the path with C:\ for the flag.

Flag format: Aspire{C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE}

# Windows-8 HxD run-times

Step 1: Download/export the HxD executable prefetch file to your analysis machine.

Step 2: Run the command below against the exported prefetch file and the PECmd tool downloaded earlier.

Step 3: Note down the run count of HxD.

Flag format: Aspire{six}

# Windows-7 HxD run-date

The answer to the challenge was not 11:35:06 as shown by the PECmd tool above. PECmd prints timestamps in UTC, and the host's time zone (Eastern Africa Time, from Windows-2) is UTC+3, so we tried another prefetch tool that displays the last run time in local time.

Step 1: Download the WinPrefetchView tool from https://www.nirsoft.net/utils/win_prefetch_view.html and open the previously exported HxD prefetch file from its Advanced Options.

Step 2: Note the results provided by the tool.

Flag format: Aspire{14:35:06}
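As an added illustration of what PECmd and WinPrefetchView read out of a prefetch file (challenges Windows-5 to Windows-7), here is a small Python parser; it is example code, not code from the write-up or from either tool. It assumes the version 30 (Windows 10) field offsets documented by the libscca project, the first of the two Windows 10 run-count layouts, and a constructed sample file, since real Windows 10 prefetch files are MAM-compressed and must be decompressed before this parser can read them.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH_DIFF = 116444736000000000  # 100 ns ticks from 1601-01-01 to 1970-01-01
EAT = timezone(timedelta(hours=3))        # Eastern Africa Time (the Windows-2 answer) is UTC+3

def filetime_to_utc(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01) to an aware UTC datetime."""
    return datetime.fromtimestamp((ft - FILETIME_EPOCH_DIFF) / 10_000_000, tz=timezone.utc)

def parse_prefetch_v30(data):
    """Read the challenge fields from an uncompressed Windows 10 (version 30) prefetch file.
    Offsets per the libscca format notes: exe name 0x10, filename strings offset/size 0x64,
    last-run FILETIMEs 0x80, run count 0xD0 (assumed: first Win10 layout; the other has 0xC8)."""
    if data[:3] == b"MAM":
        raise ValueError("MAM-compressed prefetch file; decompress it first (PECmd does this)")
    version, signature = struct.unpack_from("<I4s", data, 0)
    if signature != b"SCCA" or version != 30:
        raise ValueError(f"unsupported prefetch file: version={version} sig={signature!r}")
    exe_name = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    str_off, str_size = struct.unpack_from("<II", data, 0x64)
    paths = [p for p in data[str_off:str_off + str_size].decode("utf-16-le").split("\x00") if p]
    run_times = struct.unpack_from("<8Q", data, 0x80)
    run_count = struct.unpack_from("<I", data, 0xD0)[0]
    last_runs = [filetime_to_utc(t) for t in run_times if t]   # unused slots are zero
    return {"exe_name": exe_name, "run_count": run_count,
            "last_runs_utc": last_runs, "loaded_files": paths}

def build_sample_prefetch(exe_name, run_count, last_run_utc, paths):
    """Construct a minimal uncompressed v30 file for offline testing (not a real .pf file)."""
    strings = "".join(p + "\x00" for p in paths).encode("utf-16-le")
    buf = bytearray(0x134) + strings            # 84-byte header + 224-byte file information
    struct.pack_into("<I4s", buf, 0, 30, b"SCCA")
    buf[0x10:0x10 + 2 * len(exe_name)] = exe_name.encode("utf-16-le")
    struct.pack_into("<II", buf, 0x64, 0x134, len(strings))
    ticks = int(last_run_utc.timestamp() * 10_000_000) + FILETIME_EPOCH_DIFF
    struct.pack_into("<Q", buf, 0x80, ticks)    # newest run goes in the first slot
    struct.pack_into("<I", buf, 0xD0, run_count)
    return bytes(buf)

def demo():
    """Parse a constructed HxD sample (run count and UTC time taken from the write-up,
    path is a placeholder) and render the newest run in UTC and in Eastern Africa Time."""
    sample = build_sample_prefetch("HXD.EXE", 6, datetime(2021, 2, 26, 11, 35, 6, tzinfo=timezone.utc),
                                   [r"\VOLUME{placeholder}\PROGRAM FILES\HXD\HXD.EXE"])
    info = parse_prefetch_v30(sample)
    newest = info["last_runs_utc"][0]
    info["last_run_utc_str"] = newest.strftime("%d-%m-%Y %H:%M:%S")                  # as PECmd prints it
    info["last_run_eat_str"] = newest.astimezone(EAT).strftime("%d-%m-%Y %H:%M:%S")  # local-time view
    return info
```

Rendering the same FILETIME once in UTC and once in UTC+3 reproduces the 11:35:06 versus 14:35:06 difference seen between the two tools.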

# Windows-9 Removable disk

According to https://forensixchange.com/posts/19_08_03_usb_storage_forensics_1/ there are many ways to find USB devices that have been connected to a machine. One way is to look at the Windows Partition Diagnostic event log files.

Step 1: Export/download the Partition Diagnostic event logs to your analysis computer.

Step 2: Open the exported event log with Windows Event Viewer and give it a name of your choice.

Step 3: Check for Event ID 1006, which is logged when a USB drive is inserted into or removed from the computer.

Flag format: Aspire{toshiba}

# Windows-10 File creation

To solve this one, we look at the disk's Master File Table (MFT), a database that holds a record for every file and directory on an NT File System (NTFS) volume.

Step 1: Download and install the analyzeMFT tool from https://github.com/dkovar/analyzeMFT. A Python 2.7 installation is required for it to work.

Step 2: Download/export the $MFT file from the root folder of the image. Ensure you remove the $ sign from its filename.

Step 3: Enter the command below. The results will be saved to a CSV file.

Step 4: Open the CSV file and look for .txt files in the Desktop folder. Note the one highlighted below.

Flag format: Aspire{yOuSmArToNe.txt}
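To show what analyzeMFT extracts for this challenge, here is an added Python example (not code from the write-up or from analyzeMFT) that walks 1024-byte FILE records, reads each resident $FILE_NAME attribute and filters for .txt files under a given parent directory. The NTFS field offsets are the standard ones; the parent record number 40 and the two records it parses are constructed test data, and update-sequence fixups are deliberately not applied.

```python
import struct
from datetime import datetime, timezone

FILETIME_EPOCH_DIFF = 116444736000000000   # 100 ns ticks from 1601-01-01 to 1970-01-01
RECORD_SIZE = 1024                         # default NTFS FILE record size

def filetime_to_utc(ft):
    return datetime.fromtimestamp((ft - FILETIME_EPOCH_DIFF) / 10_000_000, tz=timezone.utc)

def file_name_entries(mft):
    """Yield (name, created_utc, parent_record) from each in-use FILE record's resident
    $FILE_NAME. Fixups are not applied (a field at a 512-byte sector end could misread)."""
    for off in range(0, len(mft) - RECORD_SIZE + 1, RECORD_SIZE):
        rec = mft[off:off + RECORD_SIZE]
        if rec[:4] != b"FILE" or not (struct.unpack_from("<H", rec, 0x16)[0] & 1):
            continue                                     # not a FILE record, or deleted
        pos = struct.unpack_from("<H", rec, 0x14)[0]     # offset of the first attribute
        while pos + 16 <= RECORD_SIZE:
            atype, alen, nonresident = struct.unpack_from("<IIB", rec, pos)
            if atype == 0xFFFFFFFF or alen == 0:
                break                                    # end-of-attributes marker
            if atype == 0x30 and nonresident == 0:       # resident $FILE_NAME
                body = pos + struct.unpack_from("<H", rec, pos + 0x14)[0]  # content offset
                parent_ref, created = struct.unpack_from("<QQ", rec, body)
                name_len = rec[body + 0x40]
                name = rec[body + 0x42:body + 0x42 + 2 * name_len].decode("utf-16-le")
                yield name, filetime_to_utc(created), parent_ref & 0xFFFFFFFFFFFF
            pos += alen

def build_sample_record(name, created_utc, parent_record):
    """Construct one minimal FILE record holding a resident $FILE_NAME (test data, not a real $MFT)."""
    rec = bytearray(b"FILE").ljust(RECORD_SIZE, b"\x00")
    struct.pack_into("<HH", rec, 0x14, 0x38, 1)          # first attribute at 0x38; flags: in use
    body = bytearray(0x42 + 2 * len(name))
    ticks = int(created_utc.timestamp() * 10_000_000) + FILETIME_EPOCH_DIFF
    struct.pack_into("<QQ", body, 0, parent_record | (1 << 48), ticks)  # parent ref (seq 1), created
    body[0x40], body[0x41] = len(name), 1                # name length, Win32 namespace
    body[0x42:] = name.encode("utf-16-le")
    alen = (0x18 + len(body) + 7) & ~7                   # attribute length, 8-byte aligned
    struct.pack_into("<IIBBHHHIH", rec, 0x38, 0x30, alen, 0, 0, 0, 0, 0, len(body), 0x18)
    rec[0x38 + 0x18:0x38 + 0x18 + len(body)] = body
    struct.pack_into("<I", rec, 0x38 + alen, 0xFFFFFFFF)  # end-of-attributes marker
    return bytes(rec)

def demo():
    """Constructed .txt and .lnk records under a hypothetical Desktop record 40; step 4 filter."""
    created = datetime(2021, 2, 26, 9, 0, 0, tzinfo=timezone.utc)
    mft = build_sample_record("yOuSmArToNe.txt", created, 40) + build_sample_record("notes.lnk", created, 40)
    return [(n, t.strftime("%d-%m-%Y %H:%M:%S")) for n, t, parent in file_name_entries(mft)
            if parent == 40 and n.lower().endswith(".txt")]
```

On a real exported $MFT, pass the file's bytes to file_name_entries and use the Desktop directory's own record number in place of 40.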

# Windows-11 Networks

To solve this challenge, we look for an event log that contains network information. The Network Profile Operational event log is a good source.

Step 1: Export/download the Network Profile Operational event logs to your analysis computer.

Step 2: Open the exported event log with Windows Event Viewer and give it a name of your choice.

Step 3: Search for Event ID 10000, which records a successful network connection together with the details of the network the host connected to.

Flag format: Aspire{Network}

# Windows-12 update

To solve this challenge, the Windows Update Client Operational event log provides the update information.

Step 1: Export/download the Windows Update Client Operational event logs to your analysis computer.

Step 2: Open the exported event log with Windows Event Viewer and give it a name of your choice.

Step 3: Search for Event ID 41, which records a successfully installed Windows update.

Flag format: Aspire{KB2267602}

# Windows-13 update time

The same screenshot shows the date when this update was applied.

Flag format: Aspire{26–02–2021_09:35:18}

Until next time, happy learning :)
