Magnet Forensics Weekly CTF #10

Challenge 10 (Dec 7 – 14) Part 1 – 15pts

*At the time of the RAM collection (20-Apr-20 23:23:26- Imageinfo) there was an established connection to a Google Server. * What was the Remote IP address and port number? format: “xxx.xxx.xx.xxx:xxx”

The netscan plugin in Volatility produces output similar to netstat: each socket's local and foreign address, its state and, where recoverable, the owning PID and process. The connection shown below is in the ESTABLISHED state, and a whois lookup on its foreign address returns a block allocated to Google LLC (AS15169). The remote IP and port we are after are therefore 172.253.63.188:443.

$ volatility -f memdump.mem --profile=Win7SP0x64 netscan
Volatility Foundation Volatility Framework 2.4
--- SNIPPED ---                                                                                                                                            
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created              
0x13ec87cd0        TCPv4    192.168.10.146:54282           172.253.63.188:443   ESTABLISHED      -------- -------------- 
--- SNIPPED ---
$ whois 172.253.63.188
 #
 ARIN WHOIS data and services are subject to the Terms of Use
 available at: https://www.arin.net/resources/registry/whois/tou/
 #
 If you see inaccuracies in the results, please report at
 https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
 #
 Copyright 1997-2020, American Registry for Internet Numbers, Ltd.
 #
 NetRange:       172.253.0.0 - 172.253.255.255
 CIDR:           172.253.0.0/16
 NetName:        GOOGLE
 NetHandle:      NET-172-253-0-0-1
 Parent:         NET172 (NET-172-0-0-0-0)
 NetType:        Direct Allocation
 OriginAS:       AS15169
 Organization:   Google LLC (GOGL)
 RegDate:        2013-04-04
 Updated:        2013-04-04
 Ref:            https://rdap.arin.net/registry/ip/172.253.0.0

Challenge 10 (Dec 7 – 14) Part 2 – 15pts

What was the Local IP address and port number? same format as part 1

We can see this in the Local Address column of the netscan output above: 192.168.10.146:54282

Challenge 10 (Dec 7 – 14) Part 3 – 10pts

What was the URL?

Since we know when the RAM was collected, we can match that time against the browser history. pslist shows Chrome was running. Rather than extracting Chrome's SQLite History database and querying it, we can use a third-party Volatility plugin that recovers Chrome history records directly from memory. Its output shows a visit to https://www.google.com/ at 23:17:33, the closest visit to the time of the RAM collection.

Using chromehistory.py: https://github.com/superponible/volatility-plugins

$ volatility --plugins=/usr/share/volatility/contrib/plugins -f memdump.mem --profile=Win7SP1x64 chromehistory
Volatility Foundation Volatility Framework 2.4
Index  URL                                                                              Title                                                                            Visits Typed Last Visit Time            Hidden Favicon ID
------ -------------------------------------------------------------------------------- -------------------------------------------------------------------------------- ------ ----- -------------------------- ------ ----------
   316 https://myaccount.google.com/accounts/S...7Tvn4UuSh52LjamQbhxd1cs3HXAE8kXh9vRFAg Google Account                                                                        1     0 2020-04-20 20:24:47.494432        N/A       
   314 https://accounts.google.com/AccountChoo...%3Futm_source%3Dchrome-profile-chooser Google Account                                                                        1     0 2020-04-20 20:24:47.494432        N/A       
   317 https://myaccount.google.com/?utm_source=chrome-profile-chooser&pli=1            Google Account                                                                        3     0 2020-04-20 23:17:31.577179        N/A       
   310 https://accounts.google.com/CheckCookie...Y0Nw58kMWKsff7unbUvALH2XEg&gidl=EgIIAA Google                                                                                1     0 2020-04-20 20:24:38.839800        N/A       
   315 https://accounts.google.com/ServiceLogi...oser&sacu=1&passive=1209600&authuser=0 Google Account                                                                        1     0 2020-04-20 20:24:47.494432        N/A       
   313 https://www.google.com/                                                          Google                                                                                3     0 2020-04-20 23:17:33.124246        N/A       
   312 https://accounts.google.com/signin/chro...KkPjA8gTgn_TY0Nw58kMWKsff7unbUvALH2XEg Google

Challenge 10 (Dec 7 – 14) Part 4 – 5pts

What user was responsible for this activity based on the profile?

In the Chrome history there are multiple references to the user Warren, whom we identified last week, for example his email address and Twitter handle: [email protected], twitter.com/warrenhfinance. From this we can deduce the user was Warren.

Challenge 10 (Dec 7 – 14) Part 5 – 10pts

How long was this user looking at this browser with this version of Chrome? *format: X:XX:XX.XXXXX * Hint: down to the last second

My fails: I was confused as to what the question was asking for. Was it asking how long Chrome had been running? How long this version of Chrome had been running? How long this version had been on the system? How long this web page had been open? How long Chrome had focus? Before I found the correct answer I tried to solve each of these questions. Some of the things I tried were:
– Taking the acquisition time (since Chrome was still running) minus the time in which Chrome was installed/updated. This can be found in the registry (Software\Google\Chrome\BLBeacon).
– Pulling the Chrome visit duration times, adding them up and calculating the difference between this and the acquisition time
– The same as above except only for timestamps within when Warren visited google.com from the previous questions
– Taking the acquisition time minus when the Chrome PID was launched

What the question is actually after is the amount of time the Chrome window had focus, as tracked by Explorer. This is recorded in the UserAssist key of the user's NTUSER.DAT hive. For more information on this interesting registry key, check out this report. The TL;DR is that the key records which GUI programs the user has launched through Explorer, including the run count, the focus count and the time the application had focus. Microsoft ROT13-"encrypts" the value names; this is a simple rotation cipher you can reverse by hand or with an online tool. We can pull the values with the Volatility printkey plugin and look for Chrome (Puebzr after ROT13):

$ volatility -f memdump.mem --profile=Win7SP1x64 printkey -K "Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count"
 Volatility Foundation Volatility Framework 2.4
 Legend: (S) = Stable   (V) = Volatile
 
 Registry: \??\C:\Users\Warren\ntuser.dat
 Key name: Count (S)
 Last updated: 2020-04-20 23:23:07 UTC+0000
 Subkeys:
 Values:
 REG_BINARY    Z
--- SNIPPED ---
REG_BINARY    Puebzr          : (S) 
 0x00000000  00 00 00 00 09 00 00 00 6a 00 00 00 d1 77 c6 00   ........j....w..
 0x00000010  00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf   ................
 0x00000020  00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf   ................
 0x00000030  00 00 80 bf 00 00 80 bf ff ff ff ff 10 0d ba cf   ................
 0x00000040  69 17 d6 01 00 00 00 00                           i.......


To find the time focused by hand, take the four bytes at offset 12 (d1 77 c6 00) as a little-endian 32-bit integer: 0x00c677d1 = 13006801 milliseconds, i.e. 3:36:46.801. The neighbouring fields are the run count at offset 4 (9), the focus count at offset 8 (0x6a = 106) and, at offset 60, a FILETIME of the last execution.

That method works, but the super simple way of solving this challenge is to use the userassist plugin within Volatility, which decodes the record for us. Note that the plugin adds 500 ms to the raw focus time before formatting it, which is why it prints 3:36:47.301000 rather than 3:36:46.801; the plugin's figure is the answer here, and knocking off a zero to match the required format gives 3:36:47.30100

$ volatility -f memdump.mem --profile=Win7SP1x64 userassist
REG_BINARY    Chrome          :
Count:          9
Focus Count:    106
Time Focused:   3:36:47.301000
Last updated:   2020-04-20 23:17:07 UTC+0000
0x00000000  00 00 00 00 09 00 00 00 6a 00 00 00 d1 77 c6 00   ........j....w..
0x00000010  00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf   ................
0x00000020  00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf   ................
0x00000030  00 00 80 bf 00 00 80 bf ff ff ff ff 10 0d ba cf   ................
0x00000040  69 17 d6 01 00 00 00 00                           i.......
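To show the manual decode end to end, here is an added Python example (not the CTF author's code and not part of Volatility) that parses the 72-byte Windows 7 UserAssist record from the printkey hexdump above. It ROT13-decodes the value name, unpacks the run count, focus count, focus time and last-execution FILETIME, and reports the focus time both as the raw value and with the 500 ms that Volatility's userassist plugin adds before formatting. The record layout and field names follow the Windows 7 UserAssist format; the input bytes are the ones printed on this page.

```python
"""Decode a Windows 7 UserAssist Count value by hand.

Added example: not the CTF author's code and not part of Volatility.
It reproduces what the userassist plugin does for a 72-byte Windows 7
record, using the ROT13 value name and the hexdump shown by printkey.
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone

# ROT13-obfuscated value name exactly as printkey lists it.
VALUE_NAME = "Puebzr"

# 72-byte REG_BINARY payload copied from the printkey hexdump on this page.
VALUE_DATA = bytes.fromhex(
    "00000000 09000000 6a000000 d177c600"
    "000080bf 000080bf 000080bf 000080bf"
    "000080bf 000080bf 000080bf 000080bf"
    "000080bf 000080bf ffffffff 100dbacf"
    "6917d601 00000000"
)

# Windows 7 UserAssist record: 4-byte session id, run count, focus count,
# focus time in ms, ten floats (-1.0 = 0xbf800000 when unused), 4 unknown
# bytes, 64-bit FILETIME of the last execution, 4 trailing bytes = 72 bytes.
WIN7_RECORD = struct.Struct("<IIII10fIQI")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_name(rot13_name: str) -> str:
    """UserAssist value names are ROT13-'encrypted': Puebzr -> Chrome."""
    return codecs.decode(rot13_name, "rot_13")


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def format_focus_time(ms: int) -> str:
    """Render milliseconds as H:MM:SS.mmm without rounding."""
    hours, rem = divmod(ms, 3_600_000)
    minutes, rem = divmod(rem, 60_000)
    seconds, millis = divmod(rem, 1000)
    return f"{hours}:{minutes:02d}:{seconds:02d}.{millis:03d}"


def parse_userassist_win7(data: bytes) -> dict:
    """Unpack one Windows 7 UserAssist record into its forensic fields."""
    if len(data) != WIN7_RECORD.size:
        raise ValueError(
            f"expected a {WIN7_RECORD.size}-byte Windows 7 record, got {len(data)}"
        )
    fields = WIN7_RECORD.unpack(data)
    session, run_count, focus_count, focus_ms = fields[:4]
    last_run_ft = fields[15]  # after the ten floats and the unknown dword
    return {
        "session": session,
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_ms": focus_ms,
        "focus_time": format_focus_time(focus_ms),
        # Volatility 2's userassist plugin adds 500 ms before formatting,
        # which is why it prints 3:36:47.301000 for a raw 3:36:46.801.
        "focus_time_volatility": str(timedelta(milliseconds=focus_ms + 500)),
        "last_run_utc": filetime_to_datetime(last_run_ft),
    }


if __name__ == "__main__":
    record = parse_userassist_win7(VALUE_DATA)
    print(f"{VALUE_NAME} -> {decode_name(VALUE_NAME)}")
    for key, value in record.items():
        print(f"{key:22} {value}")
```

The raw focus time (3:36:46.801) and the plugin's rounded figure (3:36:47.301000) are both returned so the 500 ms difference is visible; the FILETIME at offset 60 decodes to 2020-04-20 23:17:07 UTC, matching the "Last updated" line the plugin prints for the Chrome record.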
