Thursday, January 31, 2008

Forensic Practical #2

I have posted some answers to the first forensic practical here. Based on the lack of answers/feedback on the first one, it was either too difficult or nobody was really interested, so I will post an easier second problem and see how this one goes.

An employee named Castor Troy has just abruptly left a software company that he has worked at for the past 5 years. His departure was sudden and somewhat suspicious. Co-workers said he came in very early the day he quit and seemed "panicked".

Due to his tenure, he had access to some critical intellectual property. When he left, the IT department assumed control of his computer and briefly examined it pursuant to an HR request. They found several zip files in the user's home folder containing some critical information. HR has referred this to legal counsel and you have been retained to provide whatever information you can about what happened and what, if anything, may have left the company when the employee quit. The information found in the user's folder is critical IP information, but the employee had access to even more sensitive information deemed very secret.

Inside Counsel would like to know if any of that information was accessed or copied. Your mission, should you choose to accept it, is to conduct a forensic examination and provide whatever factual information you can to counsel so they can decide if further legal action is necessary.

Good luck, have fun, and as always, if you are caught I will deny any knowledge of your existence.

Download Here


H. Carvey Friday, 01 February, 2008  

"Castor Troy"? You're a profiler's best friend! ;-)

Lance Mueller Friday, 01 February, 2008  

It's better than Dirk Diggler..

Anonymous Thursday, 07 February, 2008  

1/30/08 9:08:50am he installed Winzip. System restore point

1/30/08 9:09:09am Maybe Google Toolbar installed

1/30/08 9:18:03am several ZIP files created.

1/30/08 9:26:30am USBSTOR.SYS is created in System32\drivers

1/30/08 9:27:29am LNK file created in a system restore directory
LNK file points to e:\, serial # of device 98eb-802a which does not match the serial number of the single partition in the evidence file.

The USBStor key in the SYSTEM registry contains a single entry
About a device called "USB NAND FLASH DISK USB Device"

1/30/08 9:41:22am sdelete.exe was created in the LST folder. No prefetch for this executable, cannot say if it was executed or not (Last Access was 1 second later, so maybe it was). Userassist does not show it executing. MUICache does not show it as having been executed. Shows up as having a window size of 800x600 in the ShellNoRoam BAGs key - application once ran with that window size, but cannot show it ran then.

So the theory is that the user created ZIP files from documents on his machine.

Copied them to a thumb drive.

Sdelete.exe may have been used by Mr. Mueller to clean up the evidence file, or by Castor Troy to remove ZIP and documents from his My Documents folder.

I'll keep looking.

BTW keep doing challenges, they are great exercises.

Lance Mueller Saturday, 09 February, 2008  

Paul Bobby -

Very good start, although there is much more there waiting to be found!! ;)

Anonymous Sunday, 10 February, 2008  

In the NTUser.dat file of Castor Troy, specifically Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\0\ViewView2, I got a keyword hit on 'supersecret'.

The Streams key records window size/location information when a particular window is closed.

The corresponding StreamsMRU key records the application used.

In this case, there is a reference to E:\, meaning Explorer was used to view the contents of the E:\ root drive - which as already determined, was an inserted USB thumb drive.

The coolness about this particular ViewView2 value in the key is that it lists all files visible in the explorer window.

Parsing it out:


Unfortunately I've had to rely on Paraben registry analyzer to pull out timestamp information from the StreamMRU keys as I haven't been able to find the format of the StreamMRUs anywhere yet. Have to wait until tomorrow.

So he is suspected as having access to Supersecret stoof - it's already on his thumbdrive. Naughty boy.

Anonymous Sunday, 10 February, 2008  

Ack, some stuff was truncated in the previous comment.

I continued my search, taking advantage of mounting the ntuser.dat with the "calculate unallocated space" option.

were found there.

The hex surrounding these filenames and the 8.3 MSDOS filenames also there are similar to the structure in the Stream previously discovered in the clear in the registry.

High probability that these files are also present on the thumb drive.

Lance Mueller Sunday, 10 February, 2008  

Anybody look in Castor Troy's Recent folder?

Anonymous Sunday, 10 February, 2008  

Yep it's empty.


Parsed out the INDX buffer using the EnScript, pulled secret2.lnk complete with timestamps.

Also within the buffer is a directory entry for secret5.lnk.

Lance Mueller Sunday, 10 February, 2008  

Good, you made the point I was trying to illustrate that just because the directory appears empty in the forensic tool you may be using, does not mean there isn't any good information there. Looking at the contents of the folder in hex or using an EnScript to parse the buffer (cheater ;) may provide excellent information, like in this case.

Might I suggest a search of the filenames you have found, using Unicode across unallocated and specifically the $LogFile.

Additionally, since you have discovered several zip files of interest, what application(s) might be used by the user to view/create those zips?
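As an added example (my own code, not Lance's EnScript or any tool mentioned in the thread), here is what parsing the INDX buffer behind an apparently empty directory involves: undo the NTFS fixups, walk the live $I30 entries, then carve the slack beyond the end-of-node marker for stale FILE_NAME records, which is where secret2.lnk and secret5.lnk came from above. The block builds its own 4 KiB index block for a Recent-style folder (file names, MFT numbers and timestamps are constructed sample data, not values from the challenge image), first holding three shortcuts and then after the node has been emptied, which is modelled by rewriting only the end marker over the old bytes.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
SECTOR, BLOCK, ENTRIES_START, USA_OFF, USA_CNT = 512, 4096, 0x40, 0x28, 9

def dt_to_filetime(dt):
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10
def filetime_to_dt(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)
FT_MIN, FT_MAX = (dt_to_filetime(datetime(y, 1, 1, tzinfo=timezone.utc)) for y in (1980, 2100))

def apply_fixups(block):
    """Restore each sector's last two bytes from the update sequence array (USA)."""
    assert block[:4] == b"INDX", "not an INDX block"
    usa_off, usa_cnt = struct.unpack_from("<HH", block, 4)
    usn, buf = block[usa_off:usa_off + 2], bytearray(block)
    for i in range(1, usa_cnt):
        end = i * SECTOR
        if buf[end - 2:end] != usn:
            raise ValueError("torn write: fixup mismatch in sector %d" % (i - 1))
        buf[end - 2:end] = block[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)

def parse_entry(buf, off):
    """Entry with a FILE_NAME key at buf[off:]; {"end": True} for the end marker; None if implausible."""
    if off + 0x52 > len(buf):
        return None
    mft_ref, entry_len, key_len, flags = struct.unpack_from("<QHHH", buf, off)
    if flags & 0x02:
        return {"end": True}
    fn = off + 0x10                                    # FILE_NAME follows the 16-byte entry header
    if not 0 <= entry_len - (0x10 + key_len) <= 15 or fn + key_len > len(buf):
        return None
    parent, ctime, mtime, mft_mtime, atime = struct.unpack_from("<5Q", buf, fn)
    if not all(FT_MIN <= t <= FT_MAX for t in (ctime, mtime, mft_mtime, atime)):
        return None                                    # four sane timestamps in a row, or it is noise
    name_len, namespace = buf[fn + 0x40], buf[fn + 0x41]
    if name_len == 0 or namespace > 3 or key_len < 0x42 + 2 * name_len:
        return None
    name = buf[fn + 0x42:fn + 0x42 + 2 * name_len].decode("utf-16-le", "replace")
    if not name.isprintable():
        return None
    return {"name": name, "mft": mft_ref & 0xFFFFFFFFFFFF, "parent": parent & 0xFFFFFFFFFFFF,
            "created": filetime_to_dt(ctime), "modified": filetime_to_dt(mtime), "accessed": filetime_to_dt(atime),
            "size": struct.unpack_from("<Q", buf, fn + 0x30)[0], "len": entry_len}

def parse_indx(block):
    buf = apply_fixups(block)
    first, used, alloc, _flags = struct.unpack_from("<IIII", buf, 0x18)   # all relative to offset 0x18
    live, off = [], 0x18 + first
    while off < 0x18 + used:
        e = parse_entry(buf, off)
        if e is None or e.get("end"):
            break
        live.append(e)
        off += e["len"]
    slack, off = [], 0x18 + used          # slack: stale bytes up to the allocated size, 8-byte aligned
    while off < 0x18 + alloc:
        e = parse_entry(buf, off)
        if e and not e.get("end"):
            slack.append(e)
        off += e["len"] if e and not e.get("end") else 8
    return live, slack

# --- constructed sample block: names, MFT numbers and times are made up ---------------
END_MARKER = struct.pack("<QHHHH", 0, 0x10, 0, 0x02, 0)
def make_entry(name, mft_no, parent_no, when, size):
    ft = dt_to_filetime(when)
    key = struct.pack("<7QII", (1 << 48) | parent_no, ft, ft, ft, ft, (size + 4095) & ~4095, size, 0x20, 0)
    key += bytes([len(name), 1]) + name.encode("utf-16-le")        # namespace 1 = Win32
    entry_len = (0x10 + len(key) + 7) & ~7
    return (struct.pack("<QHHHH", (1 << 48) | mft_no, entry_len, len(key), 0, 0) + key).ljust(entry_len, b"\0")

def make_block(entries, stale=b""):
    """4 KiB block with fixups applied; `stale` is laid down first, then overwritten by the live entries."""
    body = b"".join(entries) + END_MARKER
    buf = bytearray(BLOCK)
    buf[0:4] = b"INDX"
    struct.pack_into("<HHQQ", buf, 4, USA_OFF, USA_CNT, 0, 0)          # USA offset/count, LSN, VCN
    struct.pack_into("<IIII", buf, 0x18, ENTRIES_START - 0x18, ENTRIES_START - 0x18 + len(body), BLOCK - 0x18, 0)
    buf[ENTRIES_START:ENTRIES_START + len(stale)] = stale
    buf[ENTRIES_START:ENTRIES_START + len(body)] = body
    buf[USA_OFF:USA_OFF + 2] = b"\x01\x00"                              # update sequence number
    for i in range(1, USA_CNT):
        end = i * SECTOR
        buf[USA_OFF + 2 * i:USA_OFF + 2 * i + 2], buf[end - 2:end] = buf[end - 2:end], b"\x01\x00"
    return bytes(buf)

def demo():
    """Three shortcuts in a Recent-style folder, then the same node after all three were removed."""
    t = lambda *a: datetime(*a, tzinfo=timezone.utc)
    shortcuts = [make_entry("report.lnk", 60, 45, t(2008, 1, 29, 14, 5, 0), 512),
                 make_entry("secret2.lnk", 61, 45, t(2008, 1, 30, 9, 27, 29), 640),
                 make_entry("secret5.lnk", 62, 45, t(2008, 1, 30, 9, 28, 3), 640)]
    emptied = make_block([], stale=b"".join(shortcuts) + END_MARKER)
    return parse_indx(make_block(shortcuts)), parse_indx(emptied)

if __name__ == "__main__":
    for label, (live, slack) in zip(("populated", "emptied"), demo()):
        print(label, "live:", [e["name"] for e in live], "slack:", [(e["name"], e["mft"], str(e["created"])) for e in slack])
```

Run it and the populated block lists three live entries and nothing in slack; the emptied block lists no live entries, yet secret2.lnk and secret5.lnk come back from slack with MFT number, parent reference, size and all timestamps intact. The first entry (report.lnk) loses its 16-byte entry header to the new end marker and is not recovered by this header-based scan; a carver that additionally hunts for FILE_NAME records by their run of four timestamps would pick up such partial entries. The timestamp range check is what stops the scan from accepting random bytes as entries, and the fixup check is what catches a torn write before it is misread as data. Against a real image, feed each 4 KiB block of the directory's $INDEX_ALLOCATION attribute to parse_indx().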

Anonymous Monday, 11 February, 2008  

(GMT times)
Winzip installed between 6:10 am and 8:32 pm on 1/30

clicked on in same time span (accessed time matches puts it to 6:27 AM)

Castor's password set to BLANK on 1/30 8:32PM

There's a deleted explorer.exe in the recycling bin deleted at 7:13;
it was mapped to
(oddly the sid is unknown!)
(Mapped drive and other user deletes it by fileshare)

Anonymous Monday, 11 February, 2008  

Furthermore, secret2 and secret5 have been copied off the computer and then Castor DID double-click on them.
(see the times in the INDX slack of recent)
The fact that there are no OBJID's on the local secret2/ means they were offsite.

Anonymous Thursday, 14 February, 2008  

Just some locations I immediately started looking in:







Anonymous Thursday, 14 February, 2008  

Paul Bobby or Lance,

What DOES mounting the ntuser.dat with the option "Calculate UA Space" (in EnCase) do?

Anonymous Thursday, 14 February, 2008  


SID "...682003330-1003" is OWNER while SID "...682003330-1004" is CASTER TROY.


Anonymous Saturday, 16 February, 2008  

I don't have Harlan's book handy, but he mentioned an individual who created a utility to boot/blow away a password in the SAM. He also happens to have done the most research on the registry, at least from a code and structure breakdown.

Fascinating stuff, but it looks like the registry contains multiple HK blocks, each one a multiple of 4096 bytes in size. When items are deleted from the registry, these blocks become available.

Looks like mounting a registry file in EnCase with the 'calculate unallocated space' option checked looks for all these available areas and concatenates them together.

I fortunately get to beta test Encase, and right now there's a new option, kinda like a create folders type thing, that seeks to put some structure in to the deleted registry entries. Great stuff.

Anonymous Monday, 18 February, 2008  

Now that I'm back at work.

He admits to finding details of the registry in a file attributed to an individual with the initials B.D.

There's a link provided, as well as some cleaned up information in the source code for this utility.

Great stuff.

Anonymous Tuesday, 19 February, 2008  

Yeah EnCase V6.10 has deleted reg stuff. This is the first pass and there are deleted folders that point to existing items.

Anonymous Wednesday, 20 February, 2008  

I cannot download the image file...

Lance Mueller Wednesday, 20 February, 2008  

The server outage caused an issue with the image, but it is now fixed and you should be able to download it fine now.

SB Wednesday, 28 July, 2010  

It appears that either VMware was used or Castor changed the name of his workstation to connect to a network share, which is where the secret files were located. It also looks like Castor changed the system time of the workstation, perhaps to throw off any IT staff who might be reviewing his computer after his departure. He also deleted the NTLDR file so that his workstation would not boot, to try and cover his tracks.

How am I doing so far?? Am I on the right path?

Anonymous Sunday, 29 May, 2011  


three years later, there's no writeup? like practical 1?


Computer Forensics, Malware Analysis & Digital Investigations
