- Digging into the Windows registry to find process run counts and when each process was run.
- Extracting and parsing Amcache to find the hashes of process images.
I solved this challenge together with my teammate stuxn3t during the Defenit CTF.
The challenge file can be downloaded from Google Drive.
We are provided with the file usb.ad1. From the extension, it was quite clear that the evidence was acquired with AccessData's FTK Imager, so let us go ahead and load the file in FTK Imager (version 4.2.0 or later).
We observe that only a few directories are present. Our objective is to answer the following questions and then combine the answers to get the flag. So let us dig in.
Question 1: Among the exe files, there are several files executed on the same USB. Let's call the second executed file 'A'. What is the name of 'A'?
From the question it is clear that we need to find which processes were run while the USB was plugged in. As the system records these events, we can look at the event logs and perform registry analysis.
However, we found NTUSER.DAT present in the system. NTUSER.DAT stores the software and operating system settings for each user profile, and it is located in that user's profile directory.
There are a lot of tools to view registry files. Here I am using Eric Zimmerman’s Registry Explorer.
UserAssist is the registry key that stores the list of programs that were run, when each was last run, and how many times it was run. We can find all of those values under this sub-key on our system:
To know which process was run from the USB, we first need to find when the USB was plugged in. For this, we use the SYSTEM registry hive to determine the USB's Last Arrival Date/time on the system, which can be found under this sub-key:
We can see the last write time as 2020-05-17 18:15:13. From this small detail we can eliminate a lot of processes. However, we also found that the USB was plugged in and used around 18:00 Hrs as well. We found this from the .lnk files created on the system: .lnk files are created whenever a file or folder is opened, and in this case we find a USB (E).lnk created on 2020-05-17 19:11:36 Hrs.
So we can now identify the process. We only need to locate the 2 processes executed closest to this timestamp; the second one is the answer. On closer observation, we can see that 2 processes are near the above timestamp.
| Program Name | Run Counter | Focus Count | Focus Time | Last Executed |
|---|---|---|---|---|
| E:\svchost.exe | 1 | 0 | 0d, 0h, 00m, 00s | 2020-05-17 19:11:00 |
| Microsoft.Windows.Explorer | 40 | 109 | 0d, 0h, 53m, 03s | 2020-05-17 19:10:13 |
Looking at the timestamps of these processes, I chose
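The selection above can be reproduced without a GUI. The following is an added example written for this write-up, not code from the original post or from Registry Explorer: it decodes UserAssist Count values (the value name is ROT13-encoded; on Windows 7 and later the 72-byte data holds the run counter at offset 4, the focus count at offset 8, the focus time in milliseconds at offset 12 and the last-executed FILETIME at offset 60), then keeps only programs whose last-executed time falls within a window around the USB (E).lnk creation time and returns the second one in chronological order. The raw values are constructed from the two rows in the table plus two decoys; the five-minute window and the `RAW_VALUES`/`USB_LNK_CREATED` names are assumptions for the sample, not values taken from the challenge.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UTC = timezone.utc


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def decode_userassist_entry(value_name, data):
    """Decode one UserAssist Count value using the Windows 7+ layout."""
    if len(data) < 68:
        raise ValueError("UserAssist value too short for the Windows 7+ layout")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    (last_run_ft,) = struct.unpack_from("<Q", data, 60)
    return {
        "program": codecs.decode(value_name, "rot_13"),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time": timedelta(milliseconds=focus_ms),
        # A zero FILETIME means "never recorded", not the year 1601.
        "last_executed": filetime_to_datetime(last_run_ft) if last_run_ft else None,
    }


def encode_userassist_entry(program, run_count, focus_count, focus_ms, last_executed):
    """Inverse of decode; used only to build the constructed sample values below."""
    data = bytearray(72)
    struct.pack_into("<III", data, 4, run_count, focus_count, focus_ms)
    struct.pack_into("<Q", data, 60, datetime_to_filetime(last_executed))
    return codecs.encode(program, "rot_13"), bytes(data)


def programs_near(entries, anchor, window):
    """Entries whose last-executed time lies within +/- window of anchor, oldest first."""
    hits = [e for e in entries
            if e["last_executed"] is not None and abs(e["last_executed"] - anchor) <= window]
    return sorted(hits, key=lambda e: e["last_executed"])


# Constructed sample: the two rows from the table above plus two decoys that the
# time filter must discard (a run hours earlier and an entry that never ran).
RAW_VALUES = [
    encode_userassist_entry("E:\\svchost.exe", 1, 0, 0,
                            datetime(2020, 5, 17, 19, 11, 0, tzinfo=UTC)),
    encode_userassist_entry("Microsoft.Windows.Explorer", 40, 109, 53 * 60_000 + 3_000,
                            datetime(2020, 5, 17, 19, 10, 13, tzinfo=UTC)),
    encode_userassist_entry("C:\\Windows\\notepad.exe", 7, 3, 12_000,
                            datetime(2020, 5, 17, 9, 2, 44, tzinfo=UTC)),
    (codecs.encode("C:\\Tools\\never_run.exe", "rot_13"), bytes(72)),
]

# Creation time of USB (E).lnk from the write-up, treated as UTC for the sample.
USB_LNK_CREATED = datetime(2020, 5, 17, 19, 11, 36, tzinfo=UTC)


def second_executed_near_usb(raw_values=RAW_VALUES, anchor=USB_LNK_CREATED,
                             window=timedelta(minutes=5)):
    """Return the second program (chronologically) executed within the window."""
    entries = [decode_userassist_entry(name, data) for name, data in raw_values]
    near = programs_near(entries, anchor, window)
    if len(near) < 2:
        raise LookupError("fewer than two programs ran inside the window")
    return near[1]


if __name__ == "__main__":
    hit = second_executed_near_usb()
    print(hit["program"], hit["run_count"], hit["last_executed"])
```

FILETIME values in the hive are UTC, so compare them against other artifacts only after converting everything to the same zone; mixing a UTC registry timestamp with a local-time view of a .lnk file is the usual way to end up one hour off.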
Question 2: How many times has 'A' been executed?
Since we have determined which process is 'A' (svchost.exe), we can get the answer to this question from the Run Counter column of the above table, where we can see that svchost.exe was run
Question 3: What is the sha-1 hash value of 'A'?
As we need the SHA-1 hash of svchost.exe, we could get it from Sysmon records; since Sysmon was not enabled, we get those details from the Amcache.hve file instead. Along with the SHA-1 hash, Amcache.hve also records the programs that were run recently and the full paths of the executed files, which can be used to find the executed program. Note that Amcache stores the hash in the FileId value as the SHA-1 prefixed with four zero characters, so strip those before comparing it with a hash you compute yourself. Luckily, this file was present in the system.
We can use Eric Zimmerman's tool AmcacheParser to parse the file.
We extract the following files
Next, we open PowerShell to properly parse the files into
The Excel file required in this case is the
So we now have the SHA-1 hash of the file as:
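As an added example for this step (not code from the write-up or from AmcacheParser), the following looks up the Amcache hash for a given image path in parsed output and verifies it against the SHA-1 of the image bytes. The CSV columns `FullPath` and `FileId`, the sample rows and the image bytes are all constructed for the example; the only fact it relies on from the page's topic is that the Amcache FileId is the SHA-1 with a four-zero prefix, which `normalize_amcache_sha1` strips before the comparison.

```python
import csv
import hashlib
import io

HEX_DIGITS = set("0123456789abcdef")


def normalize_amcache_sha1(file_id):
    """Return the bare 40-hex-char SHA-1 from an Amcache FileId ('0000' + SHA-1)."""
    value = file_id.strip().lower()
    if len(value) == 44 and value.startswith("0000"):
        value = value[4:]
    if len(value) != 40 or not set(value) <= HEX_DIGITS:
        raise ValueError(f"not an Amcache SHA-1 value: {file_id!r}")
    return value


def find_hash_for_path(csv_text, wanted_path):
    """Find the SHA-1 recorded for wanted_path (case-insensitive) in parsed Amcache CSV."""
    reader = csv.DictReader(io.StringIO(csv_text))
    for row in reader:
        if row["FullPath"].lower() == wanted_path.lower():
            return normalize_amcache_sha1(row["FileId"])
    raise LookupError(f"{wanted_path} not present in Amcache output")


def image_matches_record(image_bytes, recorded_sha1):
    """True when the image on disk is the one Amcache hashed."""
    return hashlib.sha1(image_bytes).hexdigest() == recorded_sha1


# Constructed sample image and the CSV a parser might emit for it (column names assumed).
SAMPLE_IMAGE = b"MZ" + b"constructed sample image, not a real binary" * 8
SAMPLE_SHA1 = hashlib.sha1(SAMPLE_IMAGE).hexdigest()
SAMPLE_CSV = (
    "FullPath,FileId\n"
    "C:\\Windows\\System32\\calc.exe,0000" + "ab" * 20 + "\n"
    "E:\\svchost.exe,0000" + SAMPLE_SHA1 + "\n"
)


def hash_of_a(csv_text=SAMPLE_CSV, path="E:\\svchost.exe"):
    """Answer to question 3 for the sample data: the normalized SHA-1 of 'A'."""
    return find_hash_for_path(csv_text, path)


if __name__ == "__main__":
    sha1 = hash_of_a()
    print(sha1, image_matches_record(SAMPLE_IMAGE, sha1))
```

Checking the recorded hash against the bytes actually on the image is worth the extra step: if the file was modified after it ran, Amcache still carries the hash of the version that executed, and a mismatch tells you that.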
Concatenating all 3 answers gives us the flag.