To Carry Out MockInv'estigation. Part 1

Created: 25.04.2021

❗SPOILER ALERT!

πŸ“† 16/06/2021 , Wednesday

πŸ•° 09:21 PM.

It was a very sunny day and a very nice a long walk that my daughter and I had before lunch. I feel uplifted because there is finally enough sun and green grass in my life! Unfortunately, no coffee today, since we don’t have BonAcqua, which might be not the best for drinking, but is indeed one of the best to prepare coffee (quoting my husband).

Other users, who were given this challenge and had no prior forensics knowledge and experience apart from that acquired from the IBM course, compained that there were no instruction about this lab: which tools to use and how to move on. That’s why I’ve decided to add a short description to each evidence below.

Evidence

I am given several files. Two doc files about this lab. I am going to use them to structure this analysis.

  1. Hard Drive from suspect’s computer = FlashEvidence.001. This format means that the disk image was acquired with EnCase software and to open it you need a special tool, not neccessarily EnCase itself. Autopsy is a free tool for the same purpose.

  2. Packet Capture from activity on suspect’s computer = Evidence_Pcap.pcapng. This file format means that this is a network capture and was acquired with either tcpdump or Wireshark. There might be other tools, but I don’t know of them. These two are the most popular.

  3. Registry from suspect’s computer = SAM hive. The term hive in computer forensics usually applies to Windows registry. It is a collection of key-value configurations. SAM hive collects all user authentication information. To understand SAM, you need to know about SIDs, RIDs, registry, LM/NTLM hashes. To view this file you’ll need some tool like RegRipper (I guess). May be Autopsy allows viewing these files.

  4. Browser file from alleged buyer’s laptop = j3uv3vkf.default. This one I am not sure what is. I am going to google it when I feel the urge. I’ve googled it, j3uv3vkf.default is the Profile. Judging from the files inside, it’s a Firefox data. See here to learn more about browser artifacts.

Also, from the IR we have this is Inventory list of Product IDs of recently sold kidnapped stuffed animals: Product_E1, Product_P1, Product_D1, Product_R1.

Scenario

The Toy Story Police Department (TSPD) is investigating a series of kidnappings. Baby stuffed animals are being kidnapped from their homes and sold on the international stuffed slave market. Sheriff Woody raided the office of the suspected ringleader. The Toy Story Incident Response (TSIR) team was able to perform data acquisition on found devices and computers. The suspect claims he is innocent and that any evidence found was planted on his computer. TSPD has also captured a laptop from one of the alleged stuffed animal buyers. Your job is to analyze the acquired data and answer the questions in the attached document so that Sheriff Woody can bust this evil stuffed slave market.

Questions

I am going to fill this tables as the analysis goes on and I get more information.

Analysis

As with the vulnerability assessment, the first thing I am doing for approximately an hour is applying irrational approach: following the intuition and openning files that I think might be of interest. I use this approach to get some clues, pivot points for methodical approach.

I’ve decided to start with the *.pcap capture and get the low-hanging fruits: searching for keyword “Product” (since the sold animals are given an identifier like Product_XY) in the network connections using the following filter in Wireshark: tcp contains Product. Indeed there are lots of results, HTTP traffic only. Luckily, no SSL or I would not be able to see the contents. For example, GET request to http://globalstuffed.weebly.com/store/c1/Featured_Products.html. It is not browsable, unfortunately πŸ˜”.

Let’s try pinging this domain:

ping globalstuffed.weebly.com 
PING pages-wildcard.weebly.com (199.34.228.54): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1

I know the IP now and can get some more information about this domain:

whois 199.34.228.54
...
NetRange:       199.34.228.0 - 199.34.231.255
CIDR:           199.34.228.0/22
NetName:        WEEBLYNET1
NetHandle:      NET-199-34-228-0-1
Parent:         NET199 (NET-199-0-0-0-0)
NetType:        Direct Assignment
OriginAS:       AS27647
Organization:   Weebly, Inc. (WEEBL-1)

Looks like Weebly is some hosting service. The website address (http://globalstuffed.weebly.com/) and the records above suggest that. I’m going to check this assumption. Yes, I was right. This is indeed a website builder. Our website (http://globalstuffed.weebly.com/), however, is down.

The owner of the laptop claims that the evidence were planted. Generating the network traffic is possible without physical access to the device. So, we are looking for any indicators of compromise before these HTTP request.

So, it’s time to make a timeline here as my pivot point. In Wireshark I change date/time options for a more user-friendly one: View - Time Display Options and choose the first one. Now, I look at the first filtered request and put down the time of this event.

1504	2015-07-17 02:16:00.486428	74.217.59.19	192.168.1.109	TCP	1514	80 β†’ 14005 [ACK] Seq=2921 Ack=678 Win=15571 Len=1460 [TCP segment of a reassembled PDU] 

For simplicity sake I will assume that it happened this year (not to scroll all the way back). But I will preserve the day and time, of course.

πŸ“† 17/06/2021 , Thursday

πŸ•° 07:14 PM

Got a little side-tracked, as if the universe doesn’t want me to get smarter… . All of a sudden I can’t create and rename folders on my PC and also (which might be connected) Autopsy is not working. I have to reset my PC to the dafault settings now, which will take some time, of course.

πŸ•° 08:37 PM

I have reset my PC settings, installed several programs back and now it’s working fine. Phew 😰.

Opened Autopsy, created a new case following the instrunctions. Now I need to import an image. I’m using the first option “Disk or Image” and browse to the FlashEvidence.001 file. For modules I deselect all first, then select Recent Activity, Hash Lookup, File Type Identification, Keyword Search, Email Parser, Interesting Files Identifier, Central Repository, Data Source Integrity.

References