- Digging into windows registry to find process run counts.
- Extracting and parsing AmCache to find the hash of process images
The challenge file can be downloaded from Google Drive.
We are provided with the file
usb.ad1. From the extension, It was quite clear that the evidence was acquired via Access Data’s FTK Imager. So let us go ahead and load the file in FTK Imager.
We observe that only very few directories are present and our objective is to find the answer to the following questions so that we can combine them to get the flag. So let us dig in.
Among the exe files, there are several files executed on the same USB. Let's call the second executed file 'A'. What is the name of 'A'?
So we have to find what processes were run when the USB was loaded. Well, we normally know that Sysmon records the events of process creation. However, Sysmon is not enabled in any system by default and when we analyzed the event logs, we did not find any trace of Sysmon as well. So this approach wouldn’t work.
However, we found the presence of
NTUSER.DAT in the system.
There are a lot of tools to view registry files. Here I am using Registry Explorer from Eric Zimmerman.
This sub-key gives us the list of processes that were run with timestamps and also how many times they were run.
To know which process was run on the USB, we first have to know when the USB was loaded. For this, we use the
SYSTEM registry to determine the
Last Installed time of the USB on the system.
We can see the last write time as
2020-05-17. So from this small detail, we can easily eliminate a lot of processes. However, we also found out that the USB was plugged-in/used ~ 19:00 Hrs as well. We found this from the
.lnk files created in the system.
.lnk files are created whenever a file/folder is opened. In this case, we find a USB (E).lnk created on
2020-05-17 19:11:36 Hrs
So we can now even accurately predict the process. We only want to locate the 2 processes closest to this timestamp and the second one in that is the answer. Observing closely, we see 2 processes pretty near the above timestamp.
|Program Name||Run Counter||Focus Count||Focus Time||Last Executed|
|E:\svchost.exe||1||0||0d, 0h, 00m, 00s||2020-05-17 19:11:00|
|Microsoft.Windows.Explorer||40||109||0d, 0h, 53m, 03s||2020-05-17 19:10:13|
Judging by the timestamp and my knowledge on the services given by processes, I chose
How many times has 'A' been executed?
Since we have determined the which process is ‘A’ (svchost.exe), from the above table, we can get the answer to this question from the value specified in the
Run Counter column, we can see the svchost.exe was run
What is the sha-1 hash value of 'A'?
We can get the process details from the
Amcache.hve file. Luckily, this file was present in the system.
We can use Eric Zimmerman’s tool AmcacheParser to parse the files.
We extract the following files
Next, we use PowerShell to properly parse the files into
The excel file required in this case is the
So we now have the SHA-1 hash of the file as:
Concatenating all the 3 answers gives us the flag.