GraymanRe - BTLO Countdown

Introduction

Today we will be walking through one of the Blue Team Labs Online Investigations: Countdown. The Investigation is rated as "Medium" and will earn you 50 points. To earn full points, you have to answer 7 questions in regard to the following scenario:

                                NYC Police received information that a gang of attackers has entered the city and are planning to detonate an explosive device. Law enforcement have begun investigating all leads to determine whether this is true or a hoax.

Persons of interest were taken into custody, and one additional suspect named 'Zerry' was detained while officers raided his house. During the search they found one laptop, collected the digital evidence, and sent it to NYC digital forensics division.

Police believe Zerry is directly associated with the gang and are analyzing his device to uncover any information about the potential attack.

Disclaimer: The story, all names, characters, and incidents portrayed in this challenge are fictitious and any relevance to real-world events is completely coincidental.

Verify the Disk Image

The first question asks us to verify the disk image, and submit the sector count and MD5 hash corresponding to the disk image.

Q1) Verify the Disk Image. Submit SectorCount and MD5 (7 points)

We are provided with a custom Windows Virtual Machine and we will find the main files we need on the Desktop after logging in. In the "Investigation Files" folder, we browse to "Disk Image", go into the "Zerry" folder and we will find two specific files: Zerry.E01 and Zerry.E01.txt. The E01 file extension denotes that the file is an Encase Image File Format. When forensic experts acquire digital evidence, for example by taking a forensic copy ("Disk Imaging") of the dark drive of a targeted computer, one of the most common format used is E01. Another common extension that is used is .EWF or "Expert Witness Format". These digital evidence files can be read using tools like FTK Imager or Autopsy.
In most, if not all, cases E01 and EWF image files are accompanied by a secondary file in txt format which contains basic information pertaining to the disk image. If we therefore open the Zerry.E01.txt, we are presented with the information that is requested to answer question 1. The Sector Count is: 25165824 and the MD5 hash that is calculated over the disk image is: 5c4e94315039f890e839d6992aeb6c58 q1_answer

Finding the Decryption Key

The next question asks us to find the decryption key of the online messenger app that was used by Zerry.

                                Q2) What is the decryption key of the online messenger app used by Zerry? (7 points)
                            

To be able to answer this question, we need to use Autopsy to analyze the disk image. We create a new case and add a new data source. Since we want Autopsy to handle the E01 image in a way that will allow is to browse it like a file system, we select "Disk Image or VM File", in the next window, we add the specific E01 image file from Zerry's computer and we leave all other settings over the following screen as they are. Then, Autopsy will import the disk image and analyze it for us. Note that this might take some time due to the limited resources we have to our disposal within the Blue Team Labs Windows VM.

Once the image has been loaded, we expand the "Data Sources" tab as well as "Zerry.E01". Next, we are confronted with 6 volumes, of which 3 contain an underlying folder structure. Without looking into the specific folders, we can disregard volumes 1, 4, 5 and 6, since these are either Unallocated or of type Unknown. The remaining volumes are 2 and 3. Those familiar with Windows operating systems, will conclude that the main operating system is located in volume 3, since volume 2 starts at 0x2048, which for modern Windows systems, signals the bootloader section. Additionally, the size in bytes for volume 3 (24125556 - 104448) is significantly larger than that of volume 2: 104447 - 2048.
volume_structure

Applications and programs on Microsoft Windows use three main folders to store their data. The first folder is likely familiar to everyone reading this, the C:\Program Files folder, which should be used to store an application's read-only files. Applications that use persistent data that should be read and written during application runtime are actively discouraged from using the C:\Program Files folder. Instead, Microsoft offers to alternatives where applications should store this data. For files that the do not contain user-specific information related to the application, Microsoft advises to use C:\ProgramData. If the application handles user-specific information, then the application should use the users 'AppData' folder and often the subfolder 'Roaming' is used. This folder can be found in a users personal folder, like: C:\Users\*user*\AppData\Roaming.

Based on this information, let's first analyze the C:\Program Files folders. Remember that we are looking for an "online messenger app". In both of the Program Files folders, we don't find any clues. Note that applications might also install themselves directly in the User's AppData folder, specifically the Local subfolder. In that folder, one specific folder attracts the attention signal-desktop-updater. A Google search reveals that Signal Desktop is an online messenger application. Let's continue our analysis under the assumption that we have identified Signal Desktop to be the online messenger application in question. Note that Zerry's Downloads folder also contains an executable called signal-desktop-win-1.39.5.exe, further confirming our assumption.

Now that we have found an online messaging application, we have two potential locations where the application data, and subsequently likely the encryption key will be stored. Since we are talking about a encryption key that should be unique for each user, the first location we will follow up will be Zerry's AppData folder. In C:\Users\ZerryD\AppData\Roaming we do find the Signal folder. Inside the main Signal folder, we identify multiple files, one of which is named config.json. If we open this file, we see that it contains a single line entry: {"key": "c2a0e8d6f0853449cfcf4b75176c277535b3677de1bb59186b32f0dc6ed69998"}. A quick Google search for the config.json file in combination with the keyword "Signal", brings us to this Reddit post, claiming suggesting that we have found the encryption key.
q2_answer

Discovering Zerry's profile information

Now that we have figured out the decryption key, we can look for additional details within the Signal folder pertaining to Zerry's profile name and registered phone number, to solve question 3.

                                Q3) What is the registered phone number and profile name of Zerry in the messenger application used? (7 points)
                            

Applications often use databases to store large volumes of data so that they can be easily queried and reduce the amount of storage required. The Signal AppData folder contains two obvious folders to continue our search: databases and sql, and the observant reader will claim that the folders blob_storage, sqland Local Storage might also hold valuable information. During my research, I discovered this post detailing how to perform digital forensic analysis on Signal. It denotes that the main Signal database is C:\Users\ZerryD\AppData\Roaming\Signal\sql\db.sqlite.

Therefore, we extract this file from Autopsy and open it in the SQLite viewer that's included in the Tools folder on the desktop. When trying to open the database, we are met with a prompt for a password. To be able to decrypt the contents of the database, we will need the encryption key we have discovered earlier. In the menu, set the authentication method from Password to Raw Key. Notice that it prompts to add 0x in front of the key, meaning that the actual decryption key is 0xc2a0e8d6f0853449cfcf4b75176c277535b3677de1bb59186b32f0dc6ed69998.
sqlite_decrypt

Now that we have obtained access to the database, we can browse through the tables. Specifically in the conversations table, we find a single entry containing both the profile name and the telephone number that were used by Zerry: ZerryThe and +13026482364.
q3_answer

Looking for Zerry's email address

Q4) What is the email id found in the chat? (7 points)

Since we have obtained access to the main Signal database, we continue our search to find the email address that was in use by Zerry to receive additional details pertaining to the attack, in order to solve question 4. Still browsing through the SQLite database, my eye falls on the messages table. If we go into this table, we see the beginning of a chat conversation. The specific messages that were sent are stored in the column body. In this column, we can search for the @ sign, since this is quite a unique indicator of an email address. Here we find one result: eekurk@baybabes.com
q4_answer

Identifying the email attachment

                                Q5) What is the filename(including extension) that is received as an attachment via email? (7 points)
                            

In the messages we already discovered the email address and we discovered that Zerry used TOR to download the attachment that was sent to him. We build upon this information to answer question 5. Those that followed along have seen that in the top level directory, a folder called Tor Browser exists. I have spent quite some time investigating the files in this folder, and researching Google where to find indicators of files that were downloaded using the TOR Browser. I could not find any indicators that led to the discovery of the file that was downloaded. Therefore, after some time, I decided to leave the TOR lead for what it was. Autopsy provides multiple valuable features, amongst others its automated way of extracting potentially interesting information. I decided to scroll through the Web Downloads, Web History and Web search but could not find any further leads. Per accident, after disregarding it previously, I looked into the Recent Documents and found ⏳📅.lnk pointing to C:\Users\ZerryD\ud83d\udca3\ud83d\udd25\Downloads\*icon*\ud83d\udcc5.PNG. Submitting this as the filename of the file that was downloaded appeared to be the correct answer. q5_answer

Attack date and time

Q6) What is the Date and Time of the planned attack? (7 points)

Since we found the email attachment, and based on its ".png" extension, we should be able to answer question 6 if we gain access to the original file. The original image is not present anymore on the operating system, which means we have to resort to alternative solutions to figure out what the image specifically displays that was downloaded by Zerry. Those familiar with forensics will know that Windows stores thumbnails of images on the operating system in a dedicated database. This feature allows Windows to display thumbnails and cache it which eliminates the need for reloading of the thumbnail every time a user opens a folder containing images. The thumbnail cache is located in the folder C:\Users\ZerryD\AppData\Local\Microsoft\Windows\Explorer\. Since the folder contains multiple thumbcaches, I decided to primarily focus on the thumbcache databases that are larger than the 24 bytes that some of these caches are, hoping for a higher chance of success. We hit the figurative jackpot when analyzing thumbcache_256.db. We identify two filenames ending in png and specifically filename e61cb36b1bc62fb5.png appears to contain a date and time. The date, 01-02-2021, is straightforward, however the time threw a small obstacle. It shows 09:00 and a sun, which can be interpreted as 09:00 in the morning, which woud rule out 21:00 as the potential answer. However, 01-02-2021 09:00 is incorrect. I then tried 01-02-2021 09:00AM, before discovering that the correct answer should be: 01-02-2021 9:00AM.
q6_answer

Attack GPS Location

Now that we have obtained most of the details pertaining to the attack, one main challenge remains: figuring out where the attack will take place:

                                Q7) What is the GPS location of the blast? The format is the same as found in the evidence . [Hint: Encode(XX Degrees,XX Minutes, XX Seconds)] (8 points)
                            

So my first idea was that the location was maybe hidden as text in the image data, instead of in the actual picture. However, I could not find it. Then I went on a rabbit hole tour, until I decided to peruse the the Hints file that was left in the Investigation Files folder. Here we can read the following "hint" for this challenge.

                                Hint: It is possible this information was stored in a Sticky Note. Find this in /Users/Zerry/AppData/Local/Packages and export it. Open the plum.sqlite database file in the /LocalState/ directory using SQLiteDatabaseBrowser. Find which table the notes are stored in. We can work out how to decrypt the encoded result by checking recent sites visited via Tor in Autopsy by looking at /Tor Browser/Browser/TorBrowser/Data/Browser/proile.default/places.sqlite.
                            

In my honest opinion, this is not a hint, but quite a huge spoiler of how to solve this last part of the challenge. Additionally, it is quite a detour from the original storyline so far. There are no logical dots that connect the storyline so far to the usage of StickyNotes, the Desktop of ZerryD is void of any such hints and it hasn't been mentioned elsewhere. I was surprised to see that the answer was spoiled this easily, and it takes away any requirement of understanding how the operating systems and specific applications work, and subsequently where any relevant artificats for a forensic process are stored.

Building upon these hints, we browse to C:\Users\ZerryD\AppData\Local\Packages\Microsoft\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite. Next we extract the database, open it in the SQLite browser and notice that it contains one entry for the table "Note" with text: 40 qrterrf 45 zvahgrf 28.6776 frpbaqf A, 73 qrterrf 59 zvahgrf 7.944. Downloading the places.sqlite database from the location C:\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default and analyzing its entries, we notice that the website "rot13.com" was visited. Those familiar know it also as the Caesars Cipher, which substitues a letter with the 13th letter after it. As such, we can decode the value we found on the sticky note. Decoding it with ROT13 using Cyberchef gets us the result: "40 degrees 45 minutes 28.6776 seconds N, 73 degrees 59 minutes 7.994 seconds W".

Blue Team Labs Online - Countdown