CyberDefenders: AfricanFalls

Sean Dixon
7 min read · Jun 12, 2023


Overview: AfricanFalls is a medium-difficulty forensics challenge. We’re given an AD1 image of a drive and tasked with determining the suspect’s actions. We’ll use FTK Imager to examine the suspect’s drive and extract information such as browsing history, software execution, and more.

Scenario: John Doe was accused of doing illegal activities. A disk image of his laptop was taken. Your task as a SOC analyst is to analyze the image and understand what happened under the hood.

Q1
What is the MD5 hash value of the suspect disk?

First, we’ll load the image into FTK Imager. Once it’s imported, right-click the .ad1 file and select Verify Drive/Image from the menu.

FTK Imager — Verify Drive/Image

Answer: 9471e69c95d8909ae60ddff30d50ffa1

Q2
What phrase did the suspect search for on 2021-04-29 18:17:38 UTC? (three words, two spaces in between)

We’ll start by taking a look at what software is installed on the suspect’s device. One way to accomplish this is to check the registry on the forensic image. We’ll do this by exporting the SOFTWARE hive from the image.

Path to the SOFTWARE hive on the forensic image

Once you’ve located it, right-click the SOFTWARE file and export.

We’ll find lists of installed applications in the following keys:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
  • HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Applications listed under the App Paths key

Among the items in the list we can see that Brave and Chrome are installed along with Edge.

We’ll start by looking into Brave’s browsing history. A quick Google search tells us the history file is located at “C:\Users\[username]\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\History”.

Brave’s history file, in FTK Imager

The history file is a SQLite database, as the hex output shows, so we can load it into a program such as DB Browser for SQLite.

Brave Browser History

Unfortunately, the timestamp is encoded. After some research, and knowing that Brave is Chromium-based, we can conclude that it is a Chromium timestamp. We can use tools like DCode Timestamp Decoder from Digital Detective to convert the time.

The time from the question, encoded.

Note: Be sure to set the Time Zone in Dcode to UTC.

We can take the Chromium time value and filter for it in DB Browser. Sadly there are no hits in Brave’s history, so we’ll move on and try Chrome’s history, extracting the file from FTK Imager the same way as before.

This time, we get a match.

Chrome’s history, filtered for the encoded timestamp
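To show what that filter is actually matching on, here is an added Python example (not code from the original post) that converts a UTC time to the Chromium microsecond format and runs the same lookup against a constructed stand-in for the History database; the rows it contains are made up for the example.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chromium stores timestamps as microseconds since 1601-01-01 00:00:00 UTC
# (the Windows FILETIME epoch), not the Unix epoch.
CHROMIUM_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_chromium_time(dt):
    """Convert an aware datetime to a Chromium/WebKit microsecond timestamp."""
    delta = dt.astimezone(timezone.utc) - CHROMIUM_EPOCH
    return delta.days * 86_400_000_000 + delta.seconds * 1_000_000 + delta.microseconds


def from_chromium_time(value):
    """Inverse of to_chromium_time; returns a UTC datetime."""
    return CHROMIUM_EPOCH + timedelta(microseconds=value)


def build_sample_history():
    """Constructed stand-in for a Chrome/Brave History database.
    Only the urls/visits schema mirrors Chromium; the rows are invented."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           last_visit_time INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER,
                             visit_time INTEGER);
    """)
    rows = [
        (1, "https://www.google.com/search?q=password+cracking+lists",
         "password cracking lists - Google Search",
         to_chromium_time(datetime(2021, 4, 29, 18, 17, 38, tzinfo=timezone.utc))),
        (2, "https://example.invalid/unrelated", "Unrelated page",
         to_chromium_time(datetime(2021, 4, 29, 18, 25, 1, tzinfo=timezone.utc))),
    ]
    conn.executemany("INSERT INTO urls VALUES (?,?,?,?)", rows)
    conn.executemany("INSERT INTO visits VALUES (NULL,?,?)",
                     [(r[0], r[3]) for r in rows])
    return conn


def visits_at(conn, when):
    """Return (url, title) pairs visited in the one-second window starting at
    `when`, comparing the raw Chromium value so no row needs decoding first."""
    start = to_chromium_time(when)
    end = start + 1_000_000
    cur = conn.execute(
        "SELECT u.url, u.title FROM visits v JOIN urls u ON u.id = v.url "
        "WHERE v.visit_time >= ? AND v.visit_time < ?", (start, end))
    return cur.fetchall()
```

The same query works against a real History file opened read-only, which is how the DB Browser filter above finds the row.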

Alternatively, we could use a tool like ChromeHistoryView from NirSoft. One of the benefits of this tool is that it decodes the timestamp for us.

Chrome’s history as displayed in ChromeHistoryView

Note: Be sure to set ChromeHistoryView to use UTC (GMT) time. Unfortunately, there doesn’t seem to be a way to set it to 24-hour timestamps, so keep that in mind as well.

Answer: password cracking lists

Q3
What is the IPv4 address of the FTP server the suspect connected to?

We looked at the list of installed software earlier and, referring back to it, we can see that among the applications is an FTP tool called FileZilla. Alongside the Brave and Chrome AppData folders was a FileZilla folder; that location is unremarkable, but there are some XML files under AppData\Roaming\FileZilla, most notably a file named recentservers.xml.

Answer: 192.168.1.20

Q4
What date and time was a password list deleted in UTC? (YYYY-MM-DD HH:MM:SS UTC)

We can access the Recycle Bin in FTK Imager, which lists subdirectories with SIDs. We’ll confirm the suspect’s ID.

SID of user John Doe
Contents of the Recycle Bin for John Doe’s user.

We can see that the file was C:\Users\John Doe\Downloads\10-million-password-list-top-100.txt and that the Delete flag is marked as True.
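The path and deletion time FTK Imager shows come from the $I metadata record Windows writes beside each deleted file in $Recycle.Bin\<SID>\. As an added example that is not part of the original post, this Python parser decodes such a record (both the Vista–8.1 and the Windows 10+ layouts) and is fed a constructed Windows 10-style record carrying this question’s path and time; the file size in it is made up.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME ticks -> aware UTC datetime (microsecond precision)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Aware datetime -> FILETIME ticks."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_recycle_bin_index(data):
    """Parse a $I<random> record.
    Layout: version (8 bytes), original size (8), deletion FILETIME (8), then
    the original path: version 1 = fixed 260 UTF-16LE wchars (520 bytes),
    version 2 = 4-byte char count followed by that many UTF-16LE wchars."""
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw.decode("utf-16-le").split("\x00", 1)[0]   # stop at NUL terminator
    return {"version": version, "size": size,
            "deleted_utc": filetime_to_datetime(ft), "path": path}


def build_sample_index(path, size, deleted):
    """Constructed version-2 $I record for the example (not taken from the image)."""
    name = (path + "\x00").encode("utf-16-le")
    header = struct.pack("<QQQI", 2, size, datetime_to_filetime(deleted), len(path) + 1)
    return header + name


if __name__ == "__main__":
    rec = parse_recycle_bin_index(build_sample_index(
        r"C:\Users\John Doe\Downloads\10-million-password-list-top-100.txt", 9999,
        datetime(2021, 4, 29, 18, 22, 17, tzinfo=timezone.utc)))
    print(rec["deleted_utc"].strftime("%Y-%m-%d %H:%M:%S UTC"), rec["path"])
```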

Note: The answer format is in 24-hour time, so convert accordingly.

Answer: 2021-04-29 18:22:17 UTC

Q5
How many times was Tor Browser run on the suspect’s computer? (number only)

We can find this information using Windows prefetch data. An easy way is to use Eric Zimmerman’s tool PECmd which will extract the information and save it to a file. We can then use another of Zimmerman’s tools, Timeline Explorer, to view the data.

In this case, the command is PECmd.exe -d "<path\to\prefetch\folder>" -csv <path\to\output\file>.

Note: You will need to export the Prefetch folder under the Windows directory or mount the forensic image.

The prefetch folder of the forensic image, as seen in FTK Imager
Help menu for PECmd.exe
Timeline Explorer viewing the PECmd output, filtered for ‘tor’

The only Tor executable listed is the installer; the application has never been run.

Answer: 0

Q6
What is the suspect’s email address?

Going back to the browser history, we can filter for URLs containing mail.

Browser history, filtered for ‘mail’

Additionally, if we check the timestamp and other browsing history we see that the email account was used shortly after the user viewed the password list we saw in the Recycle Bin.

Comparing timestamps of internet activity

Answer: dreammaker82@protonmail.com

Q7
What is the FQDN the suspect port scanned?

Among the installed software in the Registry we see Nmap, so we’ll look for command-execution history in our image. After some research, it appears that PowerShell saves the command history to “APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt”. Once we locate the ConsoleHost_history.txt file in FTK Imager, we can look for Nmap activity.

PowerShell command history

We can see a few commands using Nmap, but only one uses an FQDN.

Answer: dfir.science

Q8
What country was picture “20210429_152043.jpg” allegedly taken in?

We can find the photo in the Pictures folder. Once we extract the image we can use a variety of tools to determine the location based on EXIF data.

Output from an online location-extracting tool

Answer: Zambia

Q9
What is the name of the parent folder picture “20210429_151535.jpg” was in before the suspect copied it to the “contact” folder on his desktop?

This one is a bit tricky. We’ll start by examining the EXIF data of the image, which shows that the photo was taken with an LG LM-Q725K.

Make and model of the camera

We can then check whether any ShellBags can help us.

Note: ShellBags record folders opened in Explorer, along with their window positions, sizes, etc. https://www.magnetforensics.com/blog/forensic-analysis-of-windows-shellbags/

We can get the ShellBags from NTUSER.DAT and UsrClass.dat. The UsrClass.dat file for John Doe is at Users\John Doe\AppData\Local\Microsoft\Windows\UsrClass.dat.

With the file extracted from the forensic image, we can load it into another of Eric Zimmerman’s tools called ShellBags Explorer.

Shellbags Explorer

In ShellBags Explorer we can see that an LG Q7 was attached to the computer and accessed by John Doe. As this was the device used to take the photo, we can assume that the source folder is DCIM\Camera.

Answer: Camera

Q10
The Windows password hashes for an account are below. What is the user’s password? Anon:1001:aad3b435b51404eeaad3b435b51404ee:3DE1A36F6DDB8E036DFD75E8E20C4AF4:::

Before we try to crack the hash ourselves, we can throw it into an online tool to see if we get lucky. No luck with CrackStation.net, but Hashes.com succeeded.

hashes.com output

Answer: AFR1CA!

Q11
What is the user “John Doe’s” Windows login password?

We can use the infamous Mimikatz to dump John Doe’s password hash.

We’ll need to extract the SYSTEM and SAM hives from the forensic image. We can find these hives in the same location we found the SOFTWARE hive way back in Q2.

Once the hives are extracted, launch mimikatz from PowerShell or Command Prompt. With mimikatz running, execute the command lsadump::sam /system:SYSTEM /sam:SAM.

Dumping hashes with Mimikatz
John Doe’s password hash

With that, we’ll throw it into an online tool, starting with Hashes.com, and see if we get lucky again, which we do.

Hashes.com output

We can try to crack the passwords ourselves using Hashcat or John the Ripper; however, the password doesn’t seem to be in popular wordlists.

Alternatively, we can attempt to brute-force the hashes.

I ran hashcat before throwing the hashes into CrackStation.net and Hashes.com and it was able to brute-force John Doe’s password in less than 2 minutes. It had not cracked the hash from Q10 by the time I finished writing this.

Brute-force of John Doe’s hash

Answer: ctf2021

Conclusion: This was a fun challenge with lots of evidence to track down and correlations to hunt for. We were able to draw lines from many different artifacts to create a timeline of events using various Windows forensic artifacts such as ShellBags, Run keys, Prefetch, and PowerShell history.
