The recent Magnet User Summit DFIR CTF Challenge was released to the public. I also took this opportunity to get familiar with the Magnet AXIOM software.
Link to CTF: https://mus2019.ctfd.io/
Other Parts:
- Mobile
- Basic-Desktop
- Secret Project
Activity
This is a part ties into the MUS-CTF-19-DESKTOP-001.E01 evidence file provided.
Sharepoint 1 5
How many files were downloaded from the magnetic4nsics Sharepoint?
Answer: 2
One was the OneDrive zip from the Edge browser, and the other was a README file from the Chrome browser.
Sharepoint 2 5
Whats the name of the archive that was retrieved from the sharepoint?
Answer: OneDrive_1_3–18–2019.zip
Notify 5
On March 18th 2019 at 18:58:21 Selma saw a Windows popup notification. What type of notification was it?
Answer: toast
The notification database is located in the path below. From there the timestamps needed to be converted from the FILETIME Windows format to UTC.
C:\Users\SelmaBouvier\AppData\Local\Microsoft\Windows\Notifications\wpndatabase.db
Sharepoint 4 5
Which was retrieved from the sharepoint first?
Answer: Readme
18/03/2019 6:45:37 PM — Onedrive
14/03/2019 7:52:37 PM — Readme
Remote 5
At 6:35PM on the 18th of March, Selma logged into her account on the Desktop. What method of did she use to access the Desktop?
Answer: Teamviewer
I first looked in the RDP event logs but couldn’t find an entry. Next was to the Teamviewer logs (quick google told me where to look). This confirmed there was a connection by Selma.
Host Name 5
What was the host name of the machine Selma used to remote into the Desktop at 6:35PM on the 18th of March?
Answer: JHYDE-SP
See above.
Unique Access 5
How many unique machines accessed the Desktop via TeamViewer?
Answer: 3
See above.
Sharepoint 3 10
What is the volume serial number of the volume the sharepoint archive was placed on (format: decimal number)?
Answer: 2935122090
The file was on the D: drive. LNK Files are a good source of finding volume serial number. The serial number AEF2-68AA needs to be converted from hex to decimal.
Notify 2 10
Again, on the 18th of March at 18:08:57, another notification was given. What did this notification say?
Answer: You are now syncing “OneDrive — Magnetic4nsics”
I converted the goal time to 131974061370000000. The notification closest to this time.
You are now syncing “OneDrive — Magnetic4nsics”
You can edit files in “OneDrive — Magnetic4nsics”. Click here to view your files.
Bytes Sent 10
How many bytes total were sent out on the network via the Team Viewer Service?
Answer: 95681804
The SRUM (System Resource Usage Monitor) monitors desktop application programs, services, windows apps and network connections. It’s saved in the file at C:\Windows\system32\sru\SRUDB.dat (using this tool to parse it by Mark Baggett). I just needed to export it and add up the bytes sent in excel.
teamviewer_service.exe
I’ll continue to slowing work away at these challenges when I get some more free time.
@zdayone1
