Cyber Defenders - Hunter
Case Overview: The SOC team received an alert about illegal port-scanning activity coming from an employee's system. The employee was not authorized to perform port scanning or any other offensive hacking activity within the network. He claimed to know nothing about it and suggested that malware was probably acting on his behalf. The IR team responded immediately and took a full forensic image of the user's system for investigation.

There is a theory that the user intentionally installed illegal applications to do port scanning, and maybe more: he was probably planning something far bigger than a port scan. It all began when the user asked for a salary raise and was refused; after that, his behavior was abnormal and different. The suspect is believed to have weak technical skills, so an outsider may be helping him. Your objective is to analyze the image and either confirm or deny this theory.
Tools used:
- AccessData FTK Imager
- Autopsy v.4.13.9
- DB Browser for SQLite v3.12.2
- JumpList Explorer (Eric Zimmerman)
- RegRipper v.3.0
- ShellBags Explorer (Eric Zimmerman)
Before we dig in, we need to verify the hash of the download to make sure we have the correct, unmodified file. On Windows with 7-Zip installed, this is
Right-click on the file > CRC SHA > SHA-1.
Image file name: Hunter.ad1
- MD5 checksum: 0a994333d883b19e0bb45356d9833dbe
- SHA1 checksum: eb5c7d1cd094772f42b1a6acda38217433dd419
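Added example, not part of the original write-up: a small Python hash checker that streams the file in chunks (forensic images are large) and validates the expected digests before comparing. The SHA-1 value as printed above has only 39 hex characters, while a real SHA-1 has 40, so one character was lost in transcription; rather than reporting a confusing mismatch, the checker flags that case separately. The file it hashes is a constructed stand-in (the bytes "abc"), not Hunter.ad1.

```python
import hashlib
import hmac
import os
import tempfile

# Digests as printed in the write-up above. The SHA-1 value has 39 hex
# characters as transcribed (a real SHA-1 has 40), so it can never match.
EXPECTED_HUNTER = {
    "md5": "0a994333d883b19e0bb45356d9833dbe",
    "sha1": "eb5c7d1cd094772f42b1a6acda38217433dd419",
}

DIGEST_HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64}


def file_digest(path, algorithm, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so a multi-GB image is never read into memory at once."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(path, expected):
    """Compare a file against expected hex digests.

    Returns {algorithm: "ok" | "MISMATCH" | "malformed expected digest"}.
    The expected value is validated first: a digest of the wrong length or with
    non-hex characters is a transcription error on the checklist, not evidence
    that the download is bad.
    """
    hexdigits = set("0123456789abcdef")
    results = {}
    for algorithm, want in expected.items():
        want = want.strip().lower()
        if len(want) != DIGEST_HEX_LEN[algorithm] or not set(want) <= hexdigits:
            results[algorithm] = "malformed expected digest"
            continue
        got = file_digest(path, algorithm)
        # compare_digest avoids a timing side channel; irrelevant for an offline
        # check, but the right habit wherever digests are compared.
        results[algorithm] = "ok" if hmac.compare_digest(got, want) else "MISMATCH"
    return results


def check_constructed_sample():
    """Run the checker on a constructed stand-in file (not the real Hunter.ad1).

    The file holds the bytes b"abc", whose MD5 is the RFC 1321 test vector
    900150983cd24fb0d6963f7d28e17f72. The SHA-1 entry reuses the 39-character
    value from the write-up to show how a malformed digest is reported, and the
    SHA-256 entry is deliberately wrong to show a genuine mismatch.
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.ad1")
        with open(path, "wb") as f:
            f.write(b"abc")
        expected = {
            "md5": "900150983cd24fb0d6963f7d28e17f72",
            "sha1": EXPECTED_HUNTER["sha1"],
            "sha256": "00" * 32,
        }
        return verify_image(path, expected)


if __name__ == "__main__":
    for algorithm, status in check_constructed_sample().items():
        print(f"{algorithm:7} {status}")
```

To check the real download, call verify_image("Hunter.ad1", EXPECTED_HUNTER) after correcting the SHA-1 from the challenge page; until then only the MD5 can be confirmed.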
Autopsy is usually my go-to because it is free; however, this is an .ad1 file (FTK Imager's logical image format, which Autopsy does not open natively), so from what I gather a module is needed before Autopsy can work with it.
Mark McKinnon created a module that “will take an AD1 file(s) that has been added to a case as a Logical Files data source and export the files from the AD1 file and add those files back into Autopsy as a data source”. Read more about it on his blog.
First, I created a new case in Autopsy and added Hunter.ad1 as a logical file. Next, I had to figure out how to import a module.
This was my first time downloading and importing a module into Autopsy. I went to Mark’s GitHub and clicked
Code > Download ZIP, then extracted the AD1_Extractor folder into my user profile’s AppData/Roaming/autopsy/python_modules folder. Copy the whole extracted folder there, not just the .py file. Once it is in that folder, go back to
Autopsy > Tools > Run Ingest Modules and it should be listed there as AD1 Extractor.
Run it. Once the files have been extracted and added as a data source, any other ingest module can be run against them.
You can also open the .ad1 file directly in AccessData FTK Imager. That is the better option in my opinion, but it was a chance to learn how to import modules. If you haven’t done that before, give it a shot!
Many of the questions can be answered from the registry hives. I extracted the SYSTEM, SOFTWARE and SAM hives and created reports from them using RegRipper v.3.0.
#1: What is the computer name of the suspect machine?
Computer name can be found in the SYSTEM report under ComputerName.
#2 What is the computer IP?
Computer IP can be found in the SYSTEM report under ips > IPAddress.
#3 What was the DHCP LeaseObtainedTime?
LeaseObtainedTime can be found in the SYSTEM report under nic2.
#4 What is the computer SID?
The computer SID can be found in the SAM report: every local user SID is the machine SID followed by the user’s RID, so drop the final component (the RID, e.g. -1000) from any user SID listed there.
#5 What is the Operating System(OS) version?
Operating System version can be found in the SOFTWARE report under winver > Product Name.
#6 What was the computer timezone?
Timezone can be found in the SYSTEM report under timezone (the TimeZoneInformation key). Keep it handy: most of the timestamps in the later questions need to be read in UTC.
#7 How many times did this user log on to the computer?
Login Count can be found in the SAM report, under samparse > User Information.
#8 When was the last login time for the discovered account? Format: one-space between date and time
Last Login Date can be found in the SAM report, under samparse > User Information.
#9 There was a “Network Scanner” running on this computer, what was it? And when was the last time the suspect used it? Format: program.exe,YYYY-MM-DD HH:MM:SS UTC
Autopsy > Run Programs (under Results, populated from the prefetch files) lists each executable with its last-run time, which gives both parts of the answer.
#10 When did the port scan end? (Example: Sat Jan 23 hh:mm:ss 2016)
Nmap scans exported as nmapscan.xml carry the start time in the startstr attribute of the top-level <nmaprun> element and the end time in the timestr attribute of the <finished> element inside <runstats> at the bottom of the file; timestr is already in the requested day-of-week format.
#11 How many ports were scanned?
Inspecting the image with FTK Imager shows a file on the user’s Desktop titled nmapscan.xml. Nmap writes this format with -oX, and it records the details and results of the scan. The number of ports probed is the numservices attribute of the <scaninfo> element near the top of the file.
#12 What ports were found "open"?(comma-separated, ascending)
This answer is also in nmapscan.xml: each probed port that did not share the majority state is a <port> element with a <state> child, and the open ports are those whose state is exactly "open" (not "open|filtered"); list their portid values in ascending order. Ports sharing the majority state (usually closed or filtered) are collapsed into <extraports> and are not open.
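Added example for questions #10, #11 and #12, not part of the original write-up: a Python parser over the nmap XML structure described above. The element and attribute names are the ones nmap -oX writes; the host, ports and times in the embedded sample are constructed and are not from the challenge file. The port count is cross-checked against the per-host port list (explicit <port> elements plus the counts collapsed into <extraports>), and an interrupted scan, which has no <runstats>, yields no end time instead of an exception.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout `nmap -oX` writes. Host, ports and times are
# made up; the element and attribute names are the real ones.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -oX nmapscan.xml 10.0.0.5" start="1453543200"
         startstr="Sat Jan 23 10:00:00 2016" version="7.01" xmloutputversion="1.04">
  <scaninfo type="syn" protocol="tcp" numservices="1000" services="1,3-4,6-7,9,13,17,19-26"/>
  <host starttime="1453543200" endtime="1453543305">
    <status state="up" reason="arp-response"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <extraports state="closed" count="996"><extrareasons reason="resets" count="996"/></extraports>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
      <port protocol="tcp" portid="8080"><state state="filtered" reason="no-response"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
    </ports>
  </host>
  <runstats>
    <finished time="1453543305" timestr="Sat Jan 23 10:01:45 2016" elapsed="105.00" exit="success"/>
    <hosts up="1" down="0" total="1"/>
  </runstats>
</nmaprun>
"""


def load_scan(xml_text):
    return ET.fromstring(xml_text)


def scan_window(root):
    """(start, end) as the human-readable strings nmap wrote: startstr on <nmaprun>
    and timestr on <runstats>/<finished>. Both are the scanning host's local time.
    A scan that was killed has no <runstats>, so the end is None in that case."""
    finished = root.find("runstats/finished")
    end = finished.get("timestr") if finished is not None else None
    return root.get("startstr"), end


def ports_scanned(root):
    """Ports probed per host: numservices on the (first) <scaninfo>, cross-checked
    against each host's port list, where same-state ports are collapsed into <extraports>."""
    n = int(root.find("scaninfo").get("numservices"))
    for host in root.iter("host"):
        ports = host.find("ports")
        if ports is None:
            continue
        listed = len(ports.findall("port"))
        collapsed = sum(int(e.get("count")) for e in ports.findall("extraports"))
        if listed + collapsed != n:
            raise ValueError(f"port list ({listed}+{collapsed}) disagrees with numservices={n}")
    return n


def open_ports(root):
    """Ascending list of ports whose state is exactly 'open'; 'open|filtered' is not open."""
    found = set()
    for port in root.iter("port"):
        state = port.find("state")
        if state is not None and state.get("state") == "open":
            found.add(int(port.get("portid")))
    return sorted(found)


def open_ports_answer(root):
    """Comma-separated, ascending, as the question format asks."""
    return ",".join(str(p) for p in open_ports(root))


if __name__ == "__main__":
    root = load_scan(SAMPLE_NMAP_XML)
    start, end = scan_window(root)
    print("scan started:", start)
    print("scan ended:  ", end)
    print("ports scanned:", ports_scanned(root))
    print("open ports:", open_ports_answer(root))
```

For the real file, replace SAMPLE_NMAP_XML with open("nmapscan.xml").read(); if the scan used several protocols there is one <scaninfo> per protocol and numservices must be read from each.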
#13 What was the version of the network scanner running on this computer?
The prefetch folder lists the network scanner which has the version number in the executable filename.
#14 The employee engaged in a Skype conversation with someone. What is the skype username of the other party?
In Windows, Skype’s chat history is a SQLite database at
Users/<Windows user>/AppData/Roaming/Skype/<Skype username>/main.db. I exported this file and viewed it using DB Browser for SQLite v3.12.2. The Chats table shows the other party’s name (the dialog_partner and participants columns).
#15 What is the name of the application both parties agreed to use to exfiltrate data and provide remote access for the external attacker in their Skype conversation?
Found in the Messages table of main.db: the body_xml column holds the message text, with the sender in author and the time in timestamp.
#16 What is the Gmail email address of the suspect employee?
This email address can also be found in the Skype database main.db, in the Contacts table (emails column).
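Added example for questions #14, #15 and #16, not part of the original write-up: the same lookups done with Python’s sqlite3 module instead of DB Browser. The schema is a trimmed-down version of the real main.db (the real tables have many more columns; the column names used here are the real ones), and every row is constructed with placeholder names: nothing in it comes from the challenge image. The open_exported helper opens a real exported copy read-only so the evidence file is never written to.

```python
import sqlite3
from datetime import datetime, timezone

# Trimmed-down schema: the real Skype main.db has many more columns, but these
# are the ones the questions need (column names are the real ones).
SCHEMA = """
CREATE TABLE Contacts (id INTEGER PRIMARY KEY, skypename TEXT, fullname TEXT, emails TEXT);
CREATE TABLE Chats    (id INTEGER PRIMARY KEY, name TEXT, friendlyname TEXT,
                       participants TEXT, dialog_partner TEXT);
CREATE TABLE Messages (id INTEGER PRIMARY KEY, chatname TEXT, author TEXT,
                       from_dispname TEXT, timestamp INTEGER, body_xml TEXT);
"""

# Constructed rows with placeholder names; nothing here is from the challenge image.
SAMPLE_ROWS = {
    "Contacts": [
        (1, "suspect.user", "Suspect User", "suspect.user@gmail.com"),
        (2, "outside.helper", "Outside Helper", None),
    ],
    "Chats": [
        (1, "#suspect.user/$outside.helper;abc123", "Outside Helper",
         "suspect.user outside.helper", "outside.helper"),
    ],
    "Messages": [
        (1, "#suspect.user/$outside.helper;abc123", "suspect.user", "Suspect User",
         1453543800, "the diagram is on my desktop, how do I get it to you?"),
        (2, "#suspect.user/$outside.helper;abc123", "outside.helper", "Outside Helper",
         1453543860, "install TOOLNAME, it gives me remote access and we can move files through it"),
    ],
}


def open_sample():
    """In-memory database filled with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        placeholders = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({placeholders})", rows)
    return conn


def open_exported(path):
    """Open an exported main.db read-only so the evidence copy is never modified.
    Export the main.db-journal / -wal file next to it too, or recent rows may be missing."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def chat_partners(conn):
    """Who the account talked to: dialog_partner is the other party of a 1:1 chat."""
    rows = conn.execute(
        "SELECT DISTINCT dialog_partner FROM Chats WHERE dialog_partner IS NOT NULL")
    return sorted(r[0] for r in rows)


def conversation(conn, chatname):
    """Messages of one chat in order; Skype stores timestamp as Unix epoch seconds."""
    rows = conn.execute(
        "SELECT timestamp, author, body_xml FROM Messages WHERE chatname = ? ORDER BY timestamp",
        (chatname,))
    return [
        (datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"), author, body)
        for ts, author, body in rows
    ]


def search_messages(conn, keyword):
    """Case-insensitive substring search over message bodies (body_xml may contain markup)."""
    rows = conn.execute(
        "SELECT chatname, author, body_xml FROM Messages WHERE lower(body_xml) LIKE ?",
        (f"%{keyword.lower()}%",))
    return rows.fetchall()


def emails_for(conn, skypename):
    """Contacts.emails holds zero or more addresses separated by spaces."""
    row = conn.execute("SELECT emails FROM Contacts WHERE skypename = ?", (skypename,)).fetchone()
    return row[0].split() if row and row[0] else []


if __name__ == "__main__":
    conn = open_sample()
    print("partners:", chat_partners(conn))
    for when, who, text in conversation(conn, "#suspect.user/$outside.helper;abc123"):
        print(when, who + ":", text)
    print("emails:", emails_for(conn, "suspect.user"))
```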
#17 It looks like the suspect user deleted an important diagram after his conversation with the external attacker. What is the file name of the deleted diagram?
The name of the deleted diagram can be recovered from the Recent folder (Users\USER\AppData\Roaming\Microsoft\Windows\Recent): Windows drops a .lnk shortcut there for every recently opened file, and the shortcut remains after its target is deleted.
#18 The user Documents' directory contained a PDF file discussing data exfiltration techniques. What is the name of the file?
Go to the Documents folder and inspect the PDF files.
#19 What was the name of the Disk Encryption application Installed on the victim system? (two words space separated)
#20 What are the serial numbers of the two identified USB storage?
USB information can be found in the SYSTEM report under usbstor: each device is a subkey of Enum\USBSTOR, and the serial number is the last component of the key path. If the second character of that value is an ampersand, the device did not report a serial and Windows generated an identifier instead.
#21 One of the installed applications is a file shredder. What is the name of the application? (two words space separated)
The full name for this file shredder can be found under Program Files.
#22 How many prefetch files were discovered on the system?
You can use a tool for this, but because there weren’t many I counted them manually in FTK Imager: highlight the contents of Windows\Prefetch and subtract the entries that are not .pf files (Layout.ini and the ReadyBoot folder, for example).
#23 How many times was the file shredder application executed?
If we head over to Autopsy, we can go to Run Programs and it will show us the run count for each program.
#24 Using prefetch, determine when was the last time ZENMAP.EXE-56B17C4C.pf was executed?
Again, Run Programs in Autopsy shows the last date and time this ran. This is the same answer as question #9.
#25 A JAR file for an offensive traffic manipulation tool was executed. What is the absolute path of the file?
This tool can be found in the Downloads folder. “Offensive traffic manipulation tool” can be googled for a hint if you aren’t familiar with this tool.
#26 The suspect employee tried to exfiltrate data by sending it as an email attachment. What is the name of the suspected attachment?
In Documents there is a folder titled “Outlook Files”, and inside it a file titled “backup.pst”. A .pst file is an Outlook data file that contains messages and other mailbox items, and it can be opened with the Outlook application:
FILE > OPEN & EXPORT > OPEN OUTLOOK DATA FILE. The data file then appears in the left-hand pane, and the answer to this question was in its sent messages. Work on a copy of the exported file rather than the evidence copy, because Outlook writes to a PST it opens and would alter it. When finished, right-click the data file in the left pane and click Close to remove it from Outlook.
#27 Shellbags shows that the employee created a folder to include all the data he will exfiltrate. What is the full path of that folder?
Export UsrClass.dat (Users\USER\AppData\Local\Microsoft\Windows\UsrClass.dat; on Windows 7 and later most shellbag data lives here rather than in NTUSER.DAT) and load it into Eric Zimmerman’s ShellBags Explorer. It lists every folder the user browsed in Explorer, including folders that no longer exist on disk, with their timestamps.
#28 The user deleted two JPG files from the system and moved them to $Recycle-Bin. What is the file name that has the resolution of 1920x1200?
The recycle bin contains two .jpg files. One of them shows a small portion of a picture, which appears to be a cat, and the picture looks familiar. Heading to the user’s Pictures folder, we find another folder containing pictures of cats, one of which matches the deleted photo and has the resolution in its filename.
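Added example, not part of the original write-up, and going one step beyond the filename match used above: a file name can say anything, so a forensic answer to “which of the two is 1920x1200” should come from the image data itself. On Vista and later the recycle bin keeps the content in a $R<random> file and the original name, path and deletion time in a matching $I<random> file; the content file is what this Python parser reads. It walks the JPEG marker segments to the first SOFn frame header, which stores height and width as big-endian 16-bit values. The two sample files are constructed minimal JPEG headers with placeholder $R names, not the challenge’s files.

```python
import struct

# SOFn markers carry the frame dimensions. 0xC4 (DHT), 0xC8 (JPG) and 0xCC (DAC)
# sit in the same range but are not frame headers.
SOF_MARKERS = {0xC0, 0xC1, 0xC2, 0xC3, 0xC5, 0xC6, 0xC7,
               0xC9, 0xCA, 0xCB, 0xCD, 0xCE, 0xCF}


def jpeg_dimensions(data):
    """Return (width, height) from the first SOFn segment, or None if the bytes
    are not a JPEG or are truncated before the frame header."""
    if data[:2] != b"\xff\xd8":
        return None
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return None                # lost sync: not a marker where one was expected
        marker = data[pos + 1]
        if marker == 0xFF:             # fill byte before a marker
            pos += 1
            continue
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2                   # standalone markers carry no length field
            continue
        if marker in (0xD9, 0xDA):     # EOI, or entropy-coded data began before any SOF
            return None
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if marker in SOF_MARKERS:
            if pos + 9 > len(data):
                return None            # truncated inside the frame header
            height, width = struct.unpack(">HH", data[pos + 5:pos + 9])
            return width, height
        pos += 2 + length              # skip this segment: marker + length-prefixed payload
    return None


def build_sample_jpeg(width, height):
    """Constructed minimal JPEG: SOI, an APP0/JFIF segment and an SOF0 header with
    three components. No scan data follows, which is enough for the parser."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sof0 = struct.pack(">BHHB", 8, height, width, 3) + b"\x01\x11\x00\x02\x11\x01\x03\x11\x01"
    return (b"\xff\xd8"
            + b"\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0
            + b"\xff\xc0" + struct.pack(">H", len(sof0) + 2) + sof0)


def find_by_resolution(files, width, height):
    """files maps recycle-bin $R file names to their bytes; returns the names whose
    encoded frame size matches, regardless of what the file name claims."""
    return sorted(name for name, data in files.items()
                  if jpeg_dimensions(data) == (width, height))


# Constructed stand-ins for the two $R<random>.jpg files in the recycle bin.
SAMPLE_FILES = {
    "$R1A2B3C.jpg": build_sample_jpeg(1920, 1200),
    "$R9Z8Y7X.jpg": build_sample_jpeg(640, 480),
}


if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        print(name, jpeg_dimensions(data))
    print("1920x1200:", find_by_resolution(SAMPLE_FILES, 1920, 1200))
```

Against the image, read each $R*.jpg exported from $Recycle.Bin\<user SID>\ with open(path, "rb").read() and pair the match with its $I file to recover the original file name the question asks for.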
#29 Provide the name of the directory where information about jump lists items (created automatically by the system) is stored?
Read this article: JumpListsView - View jump lists information stored by Windows 7 (nirsoft.net)
#30 Using JUMP LIST analysis, provide the full path of the application with the AppID of "aa28770954eaeaaa" used to bypass network security monitoring controls.
Now that we know where jump lists are stored, right-click the automatic-destinations file whose name begins with the requested AppID, export it somewhere easy to find (I like the Desktop), open Eric Zimmerman’s JumpList Explorer, import the file, and the target path of the application is shown.