# NCS Lab 9 - Forensic file system analysis
[Toc]
# Important information
Our original team:
* Talalaeva Rufina
* Osokin Egor
* Rizatdinov Kamil
Because this task was incredibly hard, our team cooperated with the team of Danil Usmanov, Max Kureikin, and Olga Chernukhina to solve task 3. Also, 5 of 6 people are macOS users, and all of us spent a lot of time installing tools (some of them Windows-only), but it was unsuccessful. To solve this task we decided to work together. Our solution was a Windows PC that had enough RAM. We understand that this was not discussed previously, but hard times imply hard choices.
# Magic video (Task 5)
Firstly, we searched for strings inside the video file and found something really interesting:

There are two strings whose format looks very much like base64. We split them into two separate files (string1 and string2) for further analysis and decoded them with the `base64 -d <filename>` command:

Now it's time to analyze the decoded files. To do that we ran the `file` command on both of them:

We used the GPG utility to decrypt these files:


Now we use the gpg2john utility to recover the passphrase that was asked for (first we need to generate a John-readable hash):

Finally, to get the passphrase the prompt asks for, we ran john on the newly generated hash (the password is **elviselvis**):

Now let's run `gpg --decrypt string1.b64dec` once again and enter our password:

Yes! We found the final flag: **elvissiguevivo**
# Digital Forensic Report (Tasks 1-4)
## Introduction
The purpose of this report is to document the evidence extraction process and analysis section by section. We start with registry and event log analysis in order to establish the platform, the OS version and the last programs that were executed. We continue with personal, browser, Skype, mail and network data analysis in order to understand the user's motivations and shed light on the situation that led to the system compromise.
## Forensic Examination
### Tools
The tools involved in the digital forensic investigation were:
* **Disk image information analysis** - Autopsy version 4.17.0
A digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools, which makes it easier to extract and analyze artefacts. We used this tool for analyzing the file system logs, personal user data, mail, browser and other assets found in the compromised system.
* **Registry information analysis** - RegRipper version 2.8
RegRipper is a tool which parses and extracts registry information for further analysis. We used it for determining the version of the OS installed on the machine, its hostname, user information, timezone, shutdown time, DHCP info and the UserAssist registry data.
* **Network usage information analysis** - NetworkUsageView version 1.25
NetworkUsageView extracts and displays the network usage information stored in the SRUDB.dat database of Windows 8 and Windows 10. We used this tool for analyzing the user's network activity.
* **Skype logs analysis** - SkypeLogView version 1.55
SkypeLogView reads the log files created by the Skype application and displays the details of incoming/outgoing calls, chat messages, and file transfers made by the specified Skype account. We used this tool for analyzing the Skype conversations.
* **Mail analysis** - PST Walker 6.02
We used this tool for email conversation analysis and timeline creation.
* **Prefetch files analysis** - WinPrefetchView version 1.36
WinPrefetchView is a small utility that reads the Prefetch files stored in the system and displays the information stored in them. By looking at these files, you can learn which files every application is using, and which files are loaded on Windows boot. We used it to understand which programs were executed and which files were loaded during the use of the machine.
* **Disk image data extraction** - FTK Imager version 7.4.2
A data preview and imaging tool that lets you quickly assess electronic evidence. FTK Imager can also create perfect copies (forensic images) of computer data without making changes to the original evidence. We used it for exporting the files for further analysis with the other programs listed above.
### Clues
| Name | Description | Information Source |
| -------- | -------- | -------- |
| Skype conversation | There was a Skype conversation with the `linux-rul3z` user, who convinced `hunter` to install TeamViewer (a program for remote access to a PC). WinPrefetchView confirms that TeamViewer was executed. | Skype, WinPrefetchView |
| Email conversation | From the mail conversation between `Atto Ehptmsgs Gmail.Com` and `linux-rul3z@hotmail.com` we can see that TeamViewer was installed and that the files home-network-design-networking-for-a-single-family-home-case-house-arkko-1433-x-792.jpg, fakeporn.7z, Config.png and Pictures.7z were transmitted. Config.png is actually a PDF file containing confidential information, and home-network-design-networking-for-a-single-family-home-case-house-arkko-1433-x-792.jpg is a network diagram. | Outlook, Autopsy |
### 5.1 The Windows Registry
Determining the Windows version
In order to determine the version of Windows installed on this computer, we use the ‘winver’ plugin:

ComputerName/Hostname

Users info
`sudo rip.pl -r /mnt/test/Windows/System32/config/SAM -p samparse`

DHCP

Shutdown time

Timezone

Determining the recent documents used by Hunter user

Userassist of Hunter user


### 5.2 The Event logs
We used WinPrefetchView in order to determine which programs were used by the Hunter user. We found Skype, Hangouts, Tor Browser and Outlook. The Prefetch folder was exported using FTK Imager.



### 5.3 File System Logs
We were able to find the CMD logs, i.e. which commands were executed by the user. In particular, a SpyNetService was executed. Possibly it was used for hacking; however, we found out that it was started by Windows Defender :thinking_face:

### 5.4 Personal data of users
We found the confidential documents while simply browsing the PDF files in the image:


And a DOCX file:


We also found the Hunter user's Dropbox folder:

### 5.5 Network
In order to find the network activity file, we checked the System Resource Usage Monitor DB found at `C:\Windows\System32\sru\SRUDB.dat`

Interestingly, the Tor browser was used a lot:

### 5.6 Mail
From the Prefetch data we know that Outlook was used, so let's try to find the sent mails.
Outlook data is stored in `.ost` files, so let's find one. The file path is `C:/Users/Hunter/AppData/Local/Microsoft/Outlook/`.
We exported it and viewed it with PST Walker.

Here is the email timeline.
#### Email timeline
The times are adjusted from UTC-9 (the local time zone, as seen in the screenshot) to UTC.
Here are all the messages:
| Date and time (UTC) | Sender | Receiver | Subject | Email content (summary) | Attachment |
| -------- | -------- | -------- | -------- | -------- | -------- |
| 2016/06/21 00:53:13 | Atto Ehptmsgs Gmail.Com | linux-rul3z@hotmail.com | TeamViewer | I installed TeamView, but when can I start talking? | None |
| 2016/06/21 00:53:13 | linux-rul3z@hotmail.com | Atto Ehptmsgs Gmail.Com | RE: TeamViewer | I'm working now, so I can do it when I'm done. Skype in ping and | None |
| 2016/06/21 00:57:50 | Atto Ehptmsgs Gmail.Com | linux-rul3z@hotmail.com | RE: TeamViewer | Confirmed | None |
| 2016/06/21 01:00:31 | Atto Ehptmsgs Gmail.Com | linux-rul3z@hotmail.com | Pics | The .7z file attached to this email contains a photo. Pass the password via Skype | Pictures.7z |
| 2016/06/21 01:01:28 | linux-rul3z@hotmail.com | Atto Ehptmsgs Gmail.Com | RE: Pics | Confirmed | None |
| 2016/06/21 11:04:05 | linux-rul3z@hotmail.com | Atto Ehptmsgs Gmail.Com | DNS Exifl Videos | Sharing videos (YouTube links) about DNS data exfiltration | None |
| 2016/06/21 01:54:21 | no-reply@accounts.google.com | Atto Ehptmsgs Gmail.Com | New sign-in from Windows | Google account new access | None |
| 2016/06/21 01:57:16 | linux-rul3z@hotmail.com | Atto Ehptmsgs Gmail.Com | File Extensions | Advice on changing the extension to hide the file type. Check the extension of the PDF file | None |
| 2016/06/21 01:57:53 | Atto Ehptmsgs Gmail.Com | linux-rul3z@hotmail.com | RE: File Extensions | I'll try. Please wait a little | None |
| 2016/06/21 01:01:17 | Atto Ehptmsgs Gmail.Com | linux-rul3z@hotmail.com | RE: File Extensions | Please check this attachment | Config.png |
| 2016/06/21 11:32:14 | Atto Ehptmsgs Gmail.Com | Atto Linux4rulez Gmail.Com | Hangouts? | I confirmed the email from you. Can Hangouts connect? | None |
| 2016/06/21 11:50:24 | Atto Ehptmsgs Gmail.Com | Linux-Rul3z Atto Hotmail.Com, Linux4rulez Atto Gmail.Com | Nice Pics | I will attach a nice photo. Please let me know if you like it | fakeporn.7z |
| 2016/06/21 11:51:04 | Atto Ehptmsgs Gmail.Com | linux-rul3z@hotmail.com | RE: DNS Exifl Videos | I will save the video and watch it | None |
| 2016/06/21 11:56:39 | linux-rul3z@hotmail.com | Atto Ehptmsgs Gmail.Com | RE: DNS Exifl Videos | Don't do that. The network will be detected | None |
| 2016/06/21 11:57:47 | Atto Ehptmsgs Gmail.Com | linux-rul3z@hotmail.com | RE: DNS Exifl Videos | Okay, delete it. Delete all those folders and information | None |
| 2016/06/21 12:19:33 | Atto Ehptmsgs Gmail.Com | Linux-Rul3z Atto Hotmail.Com, Linux4rulez Atto Gmail.Com | Network Design | Network design sample attachment | home-network-design-networking-for-a-single-family-home-case-house-arkko-1433-x-792.jpg |
| 2016/06/21 12:20:39 | Atto Linux4rulez Gmail.Com | Atto Ehptmsgs Gmail.Com | RE: Network Design | Get the original print for the network | None |
| 2016/06/21 12:31:20 | Atto Linux4rulez Gmail.Com | Atto Ehptmsgs Gmail.Com | Fwd: Network Design | Forwarded mail of "RE: Network Design" | None |
| 2016/06/21 13:16:00 | Atto Ehptmsgs Gmail.Com | linux-rul3z@hotmail.com | Greetings | Test Outlook settings verification and exit project | None |
The other attachments, Pictures.7z and fakeporn.7z, are password protected. We may be able to find the password for Pictures.7z in the Skype logs.
But there is a new problem: some messages were deleted. Possibly the user deleted the one with the password.

In addition, we found all the email contacts, but didn't really use them.

### 5.7 Browser
We found a lot about his web history – cookies, page history, cache, downloads




We even found the history of web searches!

### 5.8 Messengers
### 5.9 Other
Some RSA keys
