Saturday, November 5, 2016

Forensic CTF: Baud.. James Baud..


ALL CHARACTERS AND EVENTS IN THIS CTF SCENARIO -- EVEN THOSE BASED ON REAL PEOPLE -- ARE ENTIRELY FICTIONAL. ALL CONVERSATIONS ARE IMPERSONATED.....POORLY. THE FOLLOWING CTF CONTAINS PG-13 LANGUAGE AND SHOULD NOT BE VIEWED BY FORENSICATORS WITH NO SENSE OF HUMOR

LINK TO EVIDENCE: https://drive.google.com/open?id=0B9v_bn3f4uetZWt4cmxQVmNRa1E

SCENARIO: You're on deck to investigate the high-profile hack of a celebrity. Your client provided two screenshots of pop-up message boxes he saw on his system, after which he noticed that several vital files had been deleted from his system.

IR PROCEDURES: A junior analyst from your team accessed the user's system directly and used FTK Imager to take a memory capture as well as create a custom content image (user profile, hives, lnk files, etc.). Unfortunately the analyst saved the data directly to the user's desktop before transferring it to an external drive, but in this case it shouldn't make a difference in terms of necessary evidence or integrity.

Figure 1: Your client reports that he was hacked and threatened.

Figure 2: The client provided two screenshots that may indicate the perpetrator has a history with the client.


CTF Questions:

  1. Whose computer is this evidence from?
  2. Who is the other actor?
  3. What email service are they using (include TLD)?
  4. What makes this email service difficult to analyze?
  5. What is the email address of the user?
  6. What email address does he correspond with?
  7. What type of file is the payload?
  8. What is the first Google search the user made about the other individual?
  9. What is the second Google search the user made about the other individual?
  10. What is the third Google search the user made about the other individual?
  11. What IP address was used by the attacker for C2?
  12. What is the exact name of the payload?
  13. What is the first time the user logged into their email (MM/DD/YYYY H:MM:SS AM/PM)?
  14. What is the mail server name used to send these messages?
  15. What is the UTC time of the initial email (as stated in the email header)?
  16. What is the email subject of the first threatening email sent by the user?
  17. What insult does the other individual use in his response?