tl;dr
- Digging into windows registry to find process run counts and when it was run.
- Extracting and parsing AmCache to find the hash of process images
I have solved this challenge along with my teammate stuxn3t during the Defenit CTF.
Challenge Description
The challenge file can be downloaded from Google Drive.
Initial Analysis
We are provided with the file usb.ad1. From the extension, It was quite clear that the evidence was acquired via Access Data’s FTK Imager. So let us go ahead and load the file in FTK Imager with version >=4.2.0.
We observe that only very few directories are present and our objective is to find the answer to the following questions so that we can combine them to get the flag. So let us dig in.
Solution for Question 1
Question 1: Among the exe files, there are several files executed on the same USB. Let's call the second executed file 'A'. What is the name of 'A'?From the question we are clear that, we need to find what all processes were run when the USB was pluged in. As the system records all the events, we can look event logs and registry analysis.
However, we found the presence of NTUSER.DAT in the system. As the NTUSER.dat stores the software and operating system settings for each user profile. One can find NTUSER.dat in his user directory [root]/Users/james
There are a lot of tools to view registry files. Here I am using Eric Zimmerman’s Registry Explorer.
In NTUSER.data, UserAssist is the registry key that stores the list of processes that were run, when it was run, how many times it was run. We can find all those values from this sub-key according to our system:
Path: Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
To know which process was run on the USB, we first need to find when was the USB plugged in. For this, we use the SYSTEM registry to determine the USB Last Arrival Date time of the USB on the system. And that can be found from this sub-key:
Path: ControlSet001\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Ultra&Rev_1.00\4C531001461206123040&0\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066
We can see the last write time as 2020-05-17 18.15.13. So from this small detail, we can easily eliminate a lot of processes. However, we also found out that the USB was plugged-in/used ~ 18:00 Hrs as well. We found this from the .lnk files created in the system.
.lnk files are created whenever a file/folder is opened. In this case, we find a USB (E).lnk created on 2020-05-17 19:11:36 Hrs.
So we can now identify the process. As we need to locate only 2 processes closest to this timestamp and the second one is the answer. On observing closely, we can see 2 processes are nearer to thae above timestamp.
| Program Name | Run Counter | Focus Count | Focus Time | Last Executed |
|---|---|---|---|---|
| E:\svchost.exe | 1 | 0 | 0d, 0h, 00m, 00s | 2020-05-17 19:11:00 |
| Microsoft.Windows.Explorer | 40 | 109 | 0d, 0h, 53m, 03s | 2020-05-17 19:10:13 |
On looking the timestamps given by processes, I chose svchost.exe
solution for Question 2
Question 2: How many times has 'A' been executed?Since we have determined the which process is ‘A’ (svchost.exe), from the above table, we can get the answer to this question from the value specified in the Run Counter column, we can see that the svchost.exe was run 1 time.
Solution for Question 3
Question 3: What is the sha-1 hash value of 'A'?As we need the SHA-1 hash of svchost.exe, we can get the sha-1 hash from Sysmon records. As its not been enabled, we can get those details from the Amcache.hve file. Along with the SHA-1 hash, from the Amcahe.hve, we can also get recent processes that were run and lists the path of the files that’s executed which can then be used to find the executed program. Luckily, this file was present in the system.
Path: \%SystemRoot%\AppCompat\Programs\Amcache.hve
We can use Eric Zimmerman’s tool AmcacheParser to parse the files.
We extract the following files
- Amcache.hve
- Amcache.hve.LOG1
- Amcache.hve.LOG2
Next, we powerup the PowerShell to properly parse the files into .CSV format.
The excel file required in this case is the Amcache_UnassociatedFileEntries.csv.
So we now have the SHA-1 hash of the file as: d68960b8ecb374dd98ef6a33fed45dddd9796402
Flag
By concatenating all the 3 answers gives us the flag.
FLAG: Defenit{svchost.exe_1_d68960b8ecb374dd98ef6a33fed45dddd9796402}