Magnet Forensics 2023 Virtual Summit CTF – Windows 11
- Challenge Creators: Jessica Hyde, Dylan Navarro, Alayna Cash, Austin Grupposo, Thomas Claflin, A'zariya Daniels, and Lorena C.
- MD5 of Download: 8cf0c007391f4a72ddc12a570a115b46
Case Overview: Magnet Forensics hosted this CTF on March 1, 2023, from 11 AM to 2 PM EST. The CTF included three images. Below are the steps I took to solve the questions for the Windows 11 image.
- Magnet Forensics AXIOM Examine v184.108.40.206807 trial available for CTF registrants
- DB Browser for SQLite v3.12.2 free tool
- RegRipper v3.0 free tool
- Autopsy v4.20.0 free tool
#1: Gmail? Outlook? Yeah, right..: What non-standard email service has the user used previously?
User Accounts show us that the user was using the non-standard e-mail service Proton Mail.
"Proton Mail is a private email service that uses open source, independently audited end-to-end encryption and zero-access encryption to secure your communications."
Users\borch\AppData\Local\Google\Chrome\User Data\Profile 2\Login Data
The Login Data file is a SQLite database that can be viewed using DB Browser for SQLite. The accounts will be listed under the
#2: Two different versions, twice the emulation power! Makes sense to me!: The user installed and ran a mobile device emulation program on their system. Which 2 versions of this software did the user install? (Format: SoftwareName V1/V2)
Installed programs can be found in AXIOM under APPLICATION USAGE > Installed Programs. There were two versions of the program BlueStacks. Unfamiliar with BlueStacks, I confirmed it was an emulator with a Google search.
You can also find this information by extracting the data from the NTUSER.dat and SOFTWARE hives using RegRipper. The uninstall plugin reads Software\Microsoft\Windows\CurrentVersion\Uninstall (and WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall for 32-bit programs) from the SOFTWARE hive, and the same relative path under NTUSER.dat for per-user installs; each subkey's DisplayName and DisplayVersion values give the program and version, and the subkey's LastWrite time approximates when it was installed.
Additional resources on this topic:
- Investigating Installed Programs, by Forensafe
- RegRipper: Ripping Registries With Ease, by Keven Murphy
- Effectively Using RegRipper 3.0, by Harlan Carvey
#3: LITEning fast write speeds!: The user's system is equipped with a 256GB NVMe SSD. What is the make and model of this drive?
I filtered artifacts by searching "nvme", and found the friendly name of the SSD in CONNECTED DEVICES > USB Devices. In this case, the friendly name was the make and model of the drive. Without AXIOM, the same FriendlyName value is typically found in the SYSTEM hive under ControlSet00x\Enum\SCSI\Disk&Ven_NVMe&Prod_<model>\<instance>, since Windows enumerates NVMe disks through the SCSI enumerator.
#4: Really...? Plaintext...?: The user frequently accesses a Chrome Remote Desktop virtual machine. What password is used to log into this VM?
It's surprising how many people don't take great lengths to protect information that they frequently access. I went straight to the filesystem and found a text document located in the Desktop folder titled "Employee Logins.txt". Upon opening the document, I discovered a few lines of text, including what appeared to be a username and password for Google Virtual Machine: "google vm: sgarza ,a]JEU0yG^+]2O]"
#5: Why was 6 afraid of 7? Because 7 can unarchive virtual drives!: Within the past 2 years, a popular unarchiving program gained the ability to unarchive VHDX virtual disk images. What version of the program was this upgrade implemented?
I initially thought the question was about 7-Zip due to the presence of the number 7 in the question and finding it installed on the PC. 7-Zip is file-archiving software. To find the answer, I searched for "7-zip versions" on Google and visited the 7-Zip history page.
#6: We're not in Kansas anymore...: The user has established an RDP connection to one destination more than any other. What is the Geolocation of this destination? (Format: City, ST)
Remote Desktop Protocol (RDP) can be found in AXIOM under CONNECTED DEVICES > Remote Desktop Protocol. Filter on the Destination IP Address column, and you will quickly see the most frequented IP address. Copy and paste that into an IP address locator found through Google. The IP locator tools I was first using were giving me wrong locations. I would suggest validating with a few different tools/sites.
The website I used for the answer was: https://tools.keycdn.com/geo
If you do not have access to AXIOM, you can find RDP connection destinations by extracting data from the NTUSER.dat file with RegRipper (the tsclient plugin), and looking at the Terminal Server Client (TSClient) information. Note that the MRU list only records recency and holds one entry per destination, so it cannot by itself tell you which destination was connected to most often; for counts, use the Microsoft-Windows-TerminalServices-RDPClient/Operational event log, where Event ID 1024 records the target name and Event ID 1102 the target IP address for each connection attempt.
Location and Structure of RDC MRU Artifacts
Information about the systems that are accessed via the Remote Desktop Connection are stored at the following location:
NTUSER.DAT\Software\Microsoft\Terminal Server Client\Default
"The values beneath this key start with “MRU” followed by a number. The numbers indicate the order in which these systems had been accessed. Every new connection is given the value of “MRU0” and sequentially all the other values will increase in number. The data associated with MRU value can contain the name or the IP address of the system the user had accessed" (Forensafe, 2021)
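As an added example (not part of the original write-up or of RegRipper), the script below parses the MRU list out of a .reg export of the Terminal Server Client\Default key, ranks destinations by connection count from RDPClient Event ID 1102 messages, and checks whether a geolocation lookup of the winner is even meaningful. The registry export and the event messages are constructed sample data, not taken from the CTF image; the hostnames and addresses in them are placeholders.

```python
import ipaddress
import re
from collections import Counter

# Constructed .reg export of the Terminal Server Client MRU key (sample data, not
# from the CTF image). regedit writes exports as UTF-16LE; decode before parsing.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default]
"MRU0"="203.0.113.25"
"MRU1"="fileserver.corp.example"
"MRU2"="10.0.0.12"
'''

# Constructed messages modelled on Event ID 1102 from the
# Microsoft-Windows-TerminalServices-RDPClient/Operational log, one per connection.
SAMPLE_EVENTS = [
    "The client has initiated a multi-transport connection to the server 203.0.113.25.",
    "The client has initiated a multi-transport connection to the server 10.0.0.12.",
    "The client has initiated a multi-transport connection to the server 203.0.113.25.",
    "The client has initiated a multi-transport connection to the server 203.0.113.25.",
]

MRU_RE = re.compile(r'^"MRU(\d+)"="(.*)"$', re.MULTILINE)
EVENT_RE = re.compile(r"to the server (\S+?)\.?$")


def parse_mru(reg_text):
    """Return MRU targets ordered most-recent first (MRU0, MRU1, ...)."""
    found = [(int(n), host) for n, host in MRU_RE.findall(reg_text)]
    return [host for _, host in sorted(found)]


def rank_destinations(event_messages):
    """Count connection events per destination; most frequent first."""
    counts = Counter()
    for msg in event_messages:
        m = EVENT_RE.search(msg)
        if m:
            counts[m.group(1)] += 1
    return counts.most_common()


def geo_lookup_reason(target):
    """Return None if an IP geolocation lookup of `target` is meaningful,
    otherwise a short reason why it is not."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        return "hostname: resolve it first (today's resolution may differ from the user's)"
    if ip.is_loopback:
        return "loopback address"
    if ip.is_link_local:
        return "link-local address"
    if ip.is_private:
        return "private or reserved range (RFC 1918 / documentation), no geolocation"
    if not ip.is_global:
        return "not globally routable"
    return None


if __name__ == "__main__":
    print("MRU order (most recent first):", parse_mru(SAMPLE_REG))
    for target, n in rank_destinations(SAMPLE_EVENTS):
        reason = geo_lookup_reason(target)
        print(f"{target}: {n} connection(s);", "geolocate" if reason is None else reason)
```

Running this on the sample data shows why the two sources are complementary: the MRU order tells you 203.0.113.25 was used last, the event counts tell you it was used most, and the address check refuses to geolocate private addresses, which online locators will happily map to a bogus city.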
#7: Make sure to keep some tabs on that SysAdmin from Southern California: The user visited the Mastodon page of one user more than any others on the platform. What is the full legal name of the user Michael visited?
I was not familiar with Mastodon's layout since I have not explored it much. I managed to find the answer fairly quickly, but I was overlooking it because of my unfamiliarity with the site. I searched for "mastodon" in AXIOM and found a username in the WEB RELATED > Chrome Web Visits filter. After visiting the profile page, I was able to find the LinkedIn account associated with the username and discovered the user's full legal name.
#8: We have a History of attracting some sizeable donors with our projects: Michael used PowerShell to clone a particular GitHub utility. What is the account name of one of this repo's most prominent sponsors?
PowerShell history can provide a wealth of information in forensic investigations. In AXIOM, PowerShell history can be found under OPERATING SYSTEM > Powershell History. To clone a repo, you need to use the URL of the repository in the command. Find the URL under the COMMAND column, then copy and paste it into your browser to visit the repository site. Sponsors are listed on the right-hand side of the page.
GitHub Sponsors allows the developer community to financially support the people and organizations who design, build, and maintain the open source projects they depend on, directly on GitHub (GitHub)
\Users\borch\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt - this is a text file and can be opened in Notepad. The history of PowerShell commands will be shown in plaintext.
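Two caveats a practitioner should keep in mind with this file: PSReadLine only records interactive console sessions (scripts run with powershell.exe -File never appear), and since PSReadLine 2.0 a command line containing "password", "asplaintext", "token", "apikey" or "secret" is not written to the history at all. As an added example (not from the original write-up), the script below pulls git clone commands out of a ConsoleHost_history.txt and normalizes each clone URL to host and owner/repo, so the repository page can be visited directly. The history contents are constructed sample data and the repository names are placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed ConsoleHost_history.txt contents (sample data, not the image's file).
# Organisation and repository names are placeholders.
SAMPLE_HISTORY = r"""cd C:\Users\borch\Desktop
git clone https://github.com/example-org/example-tool.git
git clone --depth 1 git@github.com:example-org/other-tool.git tools
git.exe clone -b main https://github.com/example-org/third-tool
Get-ChildItem
"""

# "git clone ...", "git.exe clone ...", or "& git clone ..." at the start of a line.
CLONE_RE = re.compile(r"^\s*(?:&\s*)?git(?:\.exe)?\s+clone\s+(.*)$", re.IGNORECASE)
SCP_LIKE_RE = re.compile(r"^(?:[\w.-]+@)?([\w.-]+):(.+)$")  # git@host:owner/repo.git


def normalize_repo(url):
    """Map an https://, ssh:// or git@host:owner/name[.git] clone URL to
    (host, 'owner/name'); None if the URL does not carry both parts."""
    if "://" in url:
        parsed = urlparse(url)
        host, path = parsed.hostname, parsed.path
    else:
        m = SCP_LIKE_RE.match(url)
        if not m:
            return None
        host, path = m.groups()
    if not host:
        return None
    path = path.strip("/")
    if path.endswith(".git"):
        path = path[:-4]
    parts = path.split("/")
    if len(parts) < 2 or not parts[0] or not parts[1]:
        return None
    return host.lower(), "/".join(parts[:2])


def extract_clones(history_text):
    """Return one record per git clone line: history line number, raw URL, host, owner/repo."""
    clones = []
    for lineno, line in enumerate(history_text.splitlines(), 1):
        m = CLONE_RE.match(line)
        if not m:
            continue
        # git options and their values (e.g. "--depth 1") are skipped by taking the
        # first token that looks like a URL; the optional target directory follows it.
        url = next((t for t in m.group(1).split()
                    if "://" in t or SCP_LIKE_RE.match(t)), None)
        if url is None:
            continue
        repo = normalize_repo(url)
        clones.append({"line": lineno, "url": url,
                       "host": repo[0] if repo else None,
                       "repo": repo[1] if repo else None})
    return clones


if __name__ == "__main__":
    for c in extract_clones(SAMPLE_HISTORY):
        print(f"line {c['line']}: {c['url']} -> {c['host']} {c['repo']}")
```

Because the file is plain UTF-8 text, the same function can be pointed at the real artifact with `extract_clones(open(path, encoding="utf-8").read())`; the line number is worth keeping, since PSReadLine appends in execution order and the surrounding lines show what the user did with the clone afterwards.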
#9: Scratch that Itch.io: The user viewed a YouTube video by the creator BenBonk surrounding video game developers. Within this video, how many developers were involved with the project?
For this challenge, I filtered artifacts by searching for "youtube". YouTube history of interest within this image can be found in AXIOM under WEB RELATED > Chrome Web History. There are two titles that mention the number of developers involved, but only one was posted by YouTube creator BenBonk. This information can be verified by visiting the YouTube URL.
#10: The breakfast bell is ringing: The user has been doing some research lately on fast food items. What is, according to some experts, the unhealthiest food item of the bunch?
The answer to this question can also be found in WEB RELATED > Chrome Web History. The user was watching a YouTube video titled "Ranking The "Healthiest" Taco Bell Items". Copy and paste the URL into your browser, and watch the YouTube video to obtain the answer.
#11: Oh Deer...I think we're lost: Michael lives just a mile south of a beautiful body of water. What is the name of this body of water?
This was one of my favorite challenges from the CTF. It involved putting myself in the shoes of a user and thinking about the crumbs I might leave on a computer that could give away my address. Although I personally don't use Autofill, many users find it convenient and because of that, it can be an excellent source of information for an investigator.
In AXIOM, Chrome Autofill data can be found in WEB RELATED > Chrome Autofill. There, we see an address with a value of "302 priestford rd". If we Google this address, we find it is near the body of water Deer Creek.
\Users\borch\AppData\Local\Google\Chrome\User Data\Default\Web Data
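Both the Login Data file from challenge #1 and the Web Data file from this challenge are Chrome SQLite databases with the same timestamp convention (microseconds since 1601-01-01 UTC), so one script serves both. The example below is added here and is not from the original write-up or from Chrome; it builds an in-memory stand-in for the two files, reduced to the columns it uses and filled with constructed rows (the real tables have many more columns), lists the saved accounts with how each password_value is protected, and ranks autofill entries by use count. Work on copies of the real files: Chrome keeps them locked, and the accompanying -journal or WAL file must be copied with them.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(ts):
    """Chrome stores times as microseconds since 1601-01-01 UTC; 0 means unset."""
    return None if not ts else WEBKIT_EPOCH + timedelta(microseconds=ts)


def datetime_to_webkit(dt):
    # Integer arithmetic: these values exceed 2**53 and would lose precision as floats.
    td = dt - WEBKIT_EPOCH
    return (td.days * 86400 + td.seconds) * 10**6 + td.microseconds


def build_sample_db():
    """Constructed in-memory stand-in for Login Data (table logins) and Web Data
    (table autofill), reduced to the columns used below. Sample rows only."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE logins (
            origin_url TEXT, username_value TEXT, password_value BLOB,
            date_created INTEGER, date_last_used INTEGER, times_used INTEGER);
        CREATE TABLE autofill (
            name TEXT, value TEXT, value_lower TEXT, date_created INTEGER,
            date_last_used INTEGER, count INTEGER, PRIMARY KEY (name, value));
    """)
    t0 = datetime_to_webkit(datetime(2023, 2, 15, 12, 0, tzinfo=timezone.utc))
    day = 86400 * 10**6
    conn.executemany("INSERT INTO logins VALUES (?,?,?,?,?,?)", [
        ("https://mail.proton.me/", "user@example.com", b"v10" + b"\x00" * 40, t0, t0, 4),
        ("https://www.example.com/login", "user",
         b"\x01\x00\x00\x00\xd0\x8c\x9d\xdf" + b"\x00" * 40, t0 + day, 0, 1),
    ])
    conn.executemany("INSERT INTO autofill VALUES (?,?,?,?,?,?)", [
        ("address", "302 priestford rd", "302 priestford rd", t0, t0 + day, 7),
        ("address", "1 main st", "1 main st", t0, t0, 2),
        ("email", "user@example.com", "user@example.com", t0, t0, 5),
    ])
    return conn


def password_storage(blob):
    """Classify how Chrome on Windows protected password_value. None of these can be
    decrypted from a dead image without the user's DPAPI master key, i.e. the user's
    logon password (or a domain backup key)."""
    if blob.startswith(b"v10"):
        return "AES-256-GCM, key in Local State os_crypt.encrypted_key (DPAPI-wrapped)"
    if blob.startswith(b"v20"):
        return "app-bound encryption (Chrome 127+), key additionally wrapped with SYSTEM DPAPI"
    if blob.startswith(b"\x01\x00\x00\x00\xd0\x8c\x9d\xdf"):
        return "raw DPAPI blob (pre-Chrome 80)"
    return "unknown format"


def list_logins(conn):
    """Saved accounts, oldest first: this is where the non-standard mail service shows up."""
    rows = conn.execute(
        "SELECT origin_url, username_value, password_value, date_created, times_used "
        "FROM logins ORDER BY date_created").fetchall()
    return [{"origin": o, "username": u, "protection": password_storage(p),
             "created": webkit_to_datetime(c), "times_used": n} for o, u, p, c, n in rows]


def top_autofill(conn, field, limit=5):
    """Most-used autofill values for one field name (e.g. 'address', 'email')."""
    rows = conn.execute(
        "SELECT value, count, date_last_used FROM autofill WHERE name = ? "
        "ORDER BY count DESC, date_last_used DESC LIMIT ?", (field, limit)).fetchall()
    return [(v, n, webkit_to_datetime(d)) for v, n, d in rows]


if __name__ == "__main__":
    conn = build_sample_db()
    for acct in list_logins(conn):
        print(acct["origin"], acct["username"], acct["created"], acct["protection"])
    for value, n, last in top_autofill(conn, "address"):
        print(f"address {value!r} used {n}x, last {last}")
```

To run it against an image, replace `build_sample_db()` with `sqlite3.connect("file:Login Data?mode=ro", uri=True)` on an exported copy; the same two query functions work unchanged, and the `count` and `date_last_used` columns are what separate an address the user actually lives at from one they typed once.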
#12: Gotta Git going fast with some Accelerated emulation!: In order to emulate an Android device, the user required some specialized management tools. What Android port is used by default with these services?
Unfortunately, I was not able to figure this one out. However, you can find the solution on Kevin Pagano's blog.
#13: PCA - Program Clang Assistant?: The user has installed Android Studio with a specialized plugin dedicated to diagnosing and fixing some programming errors. When this plugin runs, what exit code is used upon completion?
I found the solution pretty easily once I used the right search terms. At first, I tried searching for PCA and Program Clang Assistant to find the answer. I thought I would find a log, but I didn't have any luck searching for PCA or Clang in AXIOM. Thankfully, I also processed the image in Autopsy and was able to find the information I needed by searching for "clang" using Substring Match in Autopsy's Keyword Search.
After finally getting the answer in Autopsy, I began to explore AXIOM in order to understand why my search for "pca" in the filesystem was yielding 0 artifacts. I discovered that AXIOM was only searching the selected folder, rather than all subfolders. After changing the settings to search All subfolders, I was able to locate the data I needed.