## 1- Corrupted Hard Drive

![image](https://hackmd.io/_uploads/Hycngh1Zyx.png)

- This is what happens when I try to access that VHD disk.

![image](https://hackmd.io/_uploads/BycBb31Wye.png)

- It seemed that the file system is corrupted.
- First, we need to get to the file system, but we need to know the LBA address to go directly to it, so we need to understand the structure of the disk. First we have the MBR, which is the first `512 bytes` of the disk.

![image](https://hackmd.io/_uploads/ryI47hkZyl.png)

- The first `446 bytes` are the boot code, which is copied to physical memory and executed by the BIOS after the Power On Self-Test (POST) to load the partition.
- What we are interested in is the `Partition Table`, which is the `64 bytes` after the boot code.

![image](https://hackmd.io/_uploads/B1PJr2kZJg.png)

Knowing the structure of the Partition Table we can get the LBA address. You can use this as a reference: [File System Data Structure](http://www.c-jump.com/CIS24/Slides/FileSysDataStructs/FileSysDataStructs.html#D01_0010_mbr_data_structure).

![image](https://hackmd.io/_uploads/ryX9Hh1W1l.png)

- So the LBA address is `80 00 00 00`, but it is little endian, so it is `0x80`. We need the byte offset of the file system, so we multiply it by the `sector size`, which by default is `0x200` (512 bytes).

```
LBA byte offset = 0x80 x 0x200 = 0x10000
```

![image](https://hackmd.io/_uploads/SyeRd3ybJe.png)

![image](https://hackmd.io/_uploads/S1jJF21-kx.png)

- We are now in the NTFS file system. The second question was about the `OEM ID`, which consists of a string of characters (often 8 bytes) that is used by the operating system and other software to understand how to interact with the hardware.
- Brian Carrier said that the OEM ID is not important, but we tested this in Windows 10, and if we manipulate any byte of it, Windows won't mount the disk.
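As an added example (not part of this writeup), the following Python walks the same path in code: it reads the partition table at offset 446 of the MBR, computes `LBA start x sector size`, and compares the OEM ID at bytes 3..10 of the VBR with `NTFS    `. The disk image is constructed inline and can be built with the challenge's corrupted `4E 54 46 00 20 20 20 20` OEM ID so the check fails the way the mount did; the 512-byte sector size is the writeup's assumption.

```python
import struct

SECTOR_SIZE = 0x200          # default sector size used in the writeup (512 bytes)
NTFS_OEM_ID = b"NTFS    "    # the 8-byte OEM ID a healthy NTFS VBR carries

def partition_entries(mbr: bytes):
    """Yield (index, bootable, type, lba_start, sectors) for the four 16-byte
    entries of the partition table that starts at offset 446 of the MBR."""
    if len(mbr) < 512 or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR (bad length or missing 55 AA signature)")
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        # status(1) chs_start(3) type(1) chs_end(3) lba_start(4) sectors(4), little endian
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:
            yield i, status == 0x80, ptype, lba_start, sectors

def vbr_offset(mbr: bytes, sector_size: int = SECTOR_SIZE) -> int:
    """Byte offset of the first partition's VBR = LBA start * sector size."""
    _, _, _, lba_start, _ = next(partition_entries(mbr))
    return lba_start * sector_size

def check_oem_id(image: bytes, sector_size: int = SECTOR_SIZE):
    """Return (offset_of_oem_id, oem_bytes, is_valid) for the first partition."""
    off = vbr_offset(image[:512], sector_size)
    oem = image[off + 3: off + 11]   # OEM ID sits right after the 3-byte JMP
    return off + 3, oem, oem == NTFS_OEM_ID

def build_image(oem: bytes) -> bytes:
    """Constructed test image: an MBR whose first (NTFS, type 0x07) partition
    starts at LBA 0x80, followed by a VBR carrying the given OEM ID."""
    entry = struct.pack("<B3sB3sII", 0x00, b"\0\0\0", 0x07, b"\0\0\0", 0x80, 0x1000)
    mbr = b"\0" * 446 + entry + b"\0" * 48 + b"\x55\xaa"
    vbr = b"\xeb\x52\x90" + oem + b"\0" * (512 - 11)
    return mbr + b"\0" * (0x80 * SECTOR_SIZE - 512) + vbr

if __name__ == "__main__":
    corrupted = build_image(bytes.fromhex("4E54460020202020"))
    print(check_oem_id(corrupted))   # (65539, b'NTF\x00    ', False)
```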
![image](https://hackmd.io/_uploads/H1L6qhJ-Jx.png)

- So we need to go through the structure of the file system to know what the corrupted OEM ID is. You can notice it, as it is `NTF` without the `S`, but it is better to know the exact location.
- The first sector of the file system is the VBR (Volume Boot Record), which contains most of the information about the file system. One of the great references that I go to directly is [Invoke-IR Posters](https://github.com/Invoke-IR/ForensicPosters/blob/master/Posters/NTFS/%24Boot-NTFSVolumeBootRecord.png).

![image](https://hackmd.io/_uploads/HkZZnhy-Jg.png)

- After fixing the byte, you can mount the VHD disk.

![image](https://hackmd.io/_uploads/HJWI3ny-Jg.png)

```
Corrupted OEM ID = 4E 54 46 00 20 20 20 20
```

The next section is about how to analyze NTFS attribute files through multiple questions.

![image](https://hackmd.io/_uploads/BksNa3yZyg.png)

- When we deal with file metadata and with downloading, moving, copying or deleting files, the attribute files `$MFT, $J, $LogFile` are your best source for whatever you want to know.
- So we will open the disk in FTK Imager to extract those files, as you can't see them in Windows.
- `$MFT` and `$LogFile` are under the root directory, but the `$J` file is under the `$Extend` directory.

![image](https://hackmd.io/_uploads/BktE1ayW1e.png)

- Before we analyze them, you should know what they are, what they do in the system, and what you can gain from them.

### $MFT File

- Each file created on the system has a record in the MFT. It has its own `Entry Number`, which is a unique number for each file or even directory in the system, all MACB times, the size, the LSN number which indicates the operations done to those files or directories, etc.

### $J File

- The `$J` or journal files come from the NTFS journaling feature, which is used to track the changes that happened to the system, so if any problem happens, like a system crash, the system can be restored to a good state.
- It has `$J` and `$Max` files:
  1. `$Max`: used to track the maximum number of files or the space allocated within certain structures of the NTFS file system.
  2. `$J`: the one most used in analysis, as it contains the record of changes that happened to all system files.

### $LogFile File

- It also depends on the NTFS journaling feature and maintains a transaction record of all changes made to the volume, such as file creation, deletion, renaming, writing and moving. In our analysis I will not use `$LogFile`, as `$MFT` and `$J` are enough to know everything; you can use `$MFT` with `$LogFile`, or use them all to build the timeline of what happened.

### Tools Used

- `$MFT` and `$J` files are parsed with [MFTECmd](https://www.sans.org/tools/mftecmd/) from Zimmerman Tools.
- `$LogFile` is parsed with [NTFS Log Tracker](https://sites.google.com/site/forensicnote/ntfs-log-tracker).
- [Timeline Explorer](https://www.sans.org/tools/timeline-explorer/) is used to view the CSV files from Zimmerman Tools.

```
.\MFTECmd.exe -f 'C:\Users\Administrator\Desktop\$MFT' --csv C:\Users\Administrator\Desktop\MFT
```

```
.\MFTECmd.exe -f 'C:\Users\Administrator\Desktop\$J' --csv C:\Users\Administrator\Desktop\J
```

![image](https://hackmd.io/_uploads/H1WxLT1W1e.png)

### Analysis Time

###### Q.3 After fixing the disk, my friend downloaded a file from Google. What is the exact time when he clicked to download that file?

- We now have the `$J_Output.csv` and `$MFT_Output.csv` files to parse.
- I just want to teach you a good thing from this question: when the user initiates the download, a `.crdownload` and a `.tmp` file are created on the disk until the download is finished, and `its modification time is the Download End Time = time of the downloaded file's creation on disk`.
- So the exact time the user started the download is `2024-10-22 21:51:13` and the end of the download is `2024-10-22 21:53:19`.
- Based on the `$J_Output.csv` file.
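The same reasoning scripted against the USN journal export, as an added example that is not part of the writeup: the download start is the `FileCreate` of the temporary `.crdownload`/`.tmp` entry, the end is the moment the final name appears (`RenameNewName`), and the difference is the Q.4 duration. The rows below are constructed in a reduced subset of MFTECmd's `$J` CSV columns (the real export has more, such as `EntryNumber` and `ParentEntryNumber`).

```python
import csv
import io
from datetime import datetime

# Constructed sample rows (not the challenge's real $J_Output.csv).
SAMPLE_J_CSV = """\
Name,ParentPath,UpdateTimestamp,UpdateReasons
invoice.pdf.crdownload,.\\Users\\user\\Downloads,2024-10-22 21:51:13.1234567,FileCreate
invoice.pdf.crdownload,.\\Users\\user\\Downloads,2024-10-22 21:51:13.1234567,DataExtend|FileCreate
invoice.pdf.crdownload,.\\Users\\user\\Downloads,2024-10-22 21:52:40.0000000,DataExtend
invoice.pdf.crdownload,.\\Users\\user\\Downloads,2024-10-22 21:53:19.5555555,RenameOldName|DataExtend|Close
invoice.pdf,.\\Users\\user\\Downloads,2024-10-22 21:53:19.5555555,RenameNewName|DataExtend|Close
"""

TEMP_SUFFIXES = (".crdownload", ".tmp")

def parse_ts(value: str) -> datetime:
    # MFTECmd writes 7 fractional digits; datetime.strptime accepts at most 6.
    return datetime.strptime(value[:26], "%Y-%m-%d %H:%M:%S.%f")

def download_window(j_csv: str, final_name: str):
    """Return (start, end) for one browser download recorded in $J:
    start = creation of the temporary .crdownload/.tmp file,
    end   = first appearance of the final file name (rename or create)."""
    start = end = None
    for row in csv.DictReader(io.StringIO(j_csv)):
        name = row["Name"]
        reasons = row["UpdateReasons"].split("|")
        ts = parse_ts(row["UpdateTimestamp"])
        is_temp = name.startswith(final_name) and name.endswith(TEMP_SUFFIXES)
        if is_temp and "FileCreate" in reasons:
            start = ts if start is None else min(start, ts)
        elif name == final_name and ("RenameNewName" in reasons or "FileCreate" in reasons):
            end = ts if end is None else min(end, ts)
    return start, end

def download_seconds(j_csv: str, final_name: str) -> int:
    """Whole seconds between download start and end (the Q.4 answer)."""
    start, end = download_window(j_csv, final_name)
    if start is None or end is None:
        raise ValueError("download start or end not found in the journal")
    return int((end - start).total_seconds())
```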
![image](https://hackmd.io/_uploads/ryIaF6J-1g.png)

```
Answer is : 2024-10-22 21:51:13
```

###### Q.4 How much time did that file take to download (in seconds)?

- It takes from `51:13` to `53:19` to download, which is `126 sec`.

```
Answer is : 126
```

###### Q.5 The first directory he moved this file to?

- As I said before, each file has an `Entry Number`, a unique value for the file, and a `Parent Entry Number`, the unique value of the directory that contains the file; that is also the unique value of the directory itself if you consider it as a file in the general sense.

![image](https://hackmd.io/_uploads/B1OCsTJ-kg.png)

![image](https://hackmd.io/_uploads/Bk7fapJWke.png)

- Going to `$MFT_Output.csv` to search for that directory entry number.

![image](https://hackmd.io/_uploads/Sk35T6JZ1l.png)

```
Answer is : best
```

###### Q.6 The last directory the suspect moved the file to?

![image](https://hackmd.io/_uploads/Bk0u3bx-ke.png)

![image](https://hackmd.io/_uploads/rJ8cnZx-1x.png)

```
Answer is : MustRead
```

###### Q.7 The time of the deletion?

- The deletion of the file is in the `$J_Output.csv` file.

![image](https://hackmd.io/_uploads/r1T00-ebke.png)

```
Answer is : 2024-10-22 22:20:28
```

## 2- CPUsage

![image](https://hackmd.io/_uploads/S1WmJze-kl.png)

- First we need to determine the image profile if we use `Vol2`, or we can make it fast by getting the profile with `vol3` and giving it to vol2.

```
vol2 -f win10.raw imageinfo
vol3 -f win10.raw windows.info
```

![image](https://hackmd.io/_uploads/H1nMWfl-1l.png)

- Secondly, it said that there was high CPU usage after he opened the machine, so we are going to check the processes using `pslist`, or `windows.pslist` in vol3.
```
vol2 -f win10.raw --profile=Win10x64_19041 pslist
vol3 -f win10.raw windows.pslist
```

![image](https://hackmd.io/_uploads/r1eEzzeWJe.png)

- If you look through all the processes you will notice `dlIhost.exe` running under `svchost.exe` at `2024-08-22 11:57:21`.
- To make it easy you can use `pstree -v`; the `-v` argument shows the path the process is running from.

```
vol2 -f win10.raw --profile=Win10x64_19041 pstree -v
```

- You will see that only `dlIhost.exe` is running from a suspicious path, which is `C:\Users\m4shl3\AppData\Roaming\DLL\dlIhost.exe`.

![image](https://hackmd.io/_uploads/ryugYzeW1l.png)

- We need to check the connections to see if this process has an established connection with an external IP. We will use `netscan` from vol2, but it won't show it.

> Always run vol3 alongside vol2.

![image](https://hackmd.io/_uploads/BJE96ze-ye.png)

- We need to extract that process to know the family name, or what that malware is. We will try to dump the process using `procdump` from vol2.

![image](https://hackmd.io/_uploads/r12Z0zeWJx.png)

- We will extract it using vol3 through `filescan` then `dumpfiles`, as vol2 will not find it using `filescan`.

![image](https://hackmd.io/_uploads/S14hNQlb1g.png)

- We can calculate the hash and get the family name from VirusTotal.

![image](https://hackmd.io/_uploads/S1G-Bml-Jl.png)

- I could have made this challenge a little harder by asking for the actual program responsible for spawning that process, so for further analysis we can get a lot of good strings that will help identify the cracked program.
![image](https://hackmd.io/_uploads/SJOhBmx-Jx.png)

#### IOCs

```
45.77.240.51
server.custompool.xyz
randomx
```

```
Answer is : ISITDTU{dlIhost.exe-C:\Users\m4shl3\AppData\Roaming\DLL\dlIhost.exe-264_45.77.240.51-harharminer}
```

## 3- Initial

![image](https://hackmd.io/_uploads/B1BaLXgZ1e.png)

- From the description you can tell that there was initial access related to an abused Windows feature, and I hit the word "SEARCH".
- Our way to know the technique is simply to search for it, and also to use that word; I didn't put it there to tell you to search XD.
- LoL, first search result XD.

![image](https://hackmd.io/_uploads/B1loPQeZkx.png)

- You can read the technique; I will not discuss it here, but it is about using a search-ms URI to convince the user to download a malicious file as if it were on his system. That happens after the user clicks an HTML file that leads him to `Windows Explorer`, as shown.

![image](https://hackmd.io/_uploads/S1sJKXxbyx.png)

- We will first use [Registry Workshop](https://www.torchsoft.com/en/download.html) to open the hive as if it were your registry editor. It is one of the best tools for dealing with .reg files; I think it is the only one that opens `.reg` hives.
- We can know the file name that the user clicked from the `RecentDocs` key, as this is the HKCU hive.

![image](https://hackmd.io/_uploads/Syv_oXxb1l.png)

- The forensic trace needed for this challenge is the registry key `WordWheelQuery`, an integral component of the Windows operating system that stores the history of user search queries made through the Windows Search feature. It is found under the path `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery`.

![image](https://hackmd.io/_uploads/rJ_337gb1x.png)

![image](https://hackmd.io/_uploads/ryJX6mebkl.png)

Reference: [Stephan Berger](https://dfir.ch/posts/search-ms_protocol_handler/) blog.
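To get the search terms out of `WordWheelQuery` in order rather than by eyeballing the key, the following Python (an added example, not from the writeup) decodes the key's layout: each numbered value holds a NUL-terminated UTF-16LE search string, and `MRUListEx` is a list of little-endian DWORD indices, most recent first, terminated by `0xFFFFFFFF`. The value data is constructed inline, so it stands in for what a hive parser would return for the key.

```python
import struct

def decode_search_term(raw: bytes) -> str:
    """Numbered WordWheelQuery values hold a UTF-16LE string with a trailing NUL."""
    return raw.decode("utf-16-le").rstrip("\x00")

def mru_order(mrulistex: bytes):
    """MRUListEx: little-endian DWORD indices, most recently used first,
    terminated by 0xFFFFFFFF."""
    for (idx,) in struct.iter_unpack("<I", mrulistex):
        if idx == 0xFFFFFFFF:
            break
        yield idx

def search_history(values: dict) -> list:
    """Return the user's Explorer search terms, most recent first, from a dict of
    WordWheelQuery value name -> raw REG_BINARY data."""
    history = []
    for idx in mru_order(values["MRUListEx"]):
        raw = values.get(str(idx))
        if raw is None:   # dangling index: the value was removed but MRUListEx not updated
            continue
        history.append(decode_search_term(raw))
    return history

def utf16z(text: str) -> bytes:
    """Helper to build a constructed value: UTF-16LE plus the terminating NUL."""
    return text.encode("utf-16-le") + b"\x00\x00"

# Constructed sample mirroring the key's layout (not the challenge's actual hive data).
SAMPLE_VALUES = {
    "MRUListEx": struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF),
    "0": utf16z("invoice"),
    "1": utf16z("report"),
    "2": utf16z("downloads"),
}

if __name__ == "__main__":
    print(search_history(SAMPLE_VALUES))   # ['downloads', 'invoice', 'report']
```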