tag:blogger.com,1999:blog-1746946614390371171.post3274445515536289944..comments2011-05-29T04:59:20.472-07:00Lance Muellerhttp://www.blogger.com/profile/15789264000499223230noreply@blogger.comBlogger21125tag:blogger.com,1999:blog-1746946614390371171.post-20100360963474946562011-05-29T04:59:20.472-07:002011-05-29T04:59:20.472-07:00Hello,<br /><br />three years later, there&#39;s no writeup? like practical 1?Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-1746946614390371171.post-43115023770294829692010-07-28T22:30:19.821-07:002010-07-28T22:30:19.821-07:00It appears that either VMWARE was used or Castor changed the name of his workstation to connect to a network share which is where the secret files were located. Also it also looks like Castor changed the system time of the workstation perhaps to throw off any IT staff who might be reviewing his computer after his departure. He also deleted the NLTDR file so that his workstation would not boot to try and cover his tracks. <br /><br />How am I doing so far?? Am I on the right path?SBnoreply@blogger.comtag:blogger.com,1999:blog-1746946614390371171.post-14119413172048335442008-02-20T19:15:00.000-08:002008-02-20T19:15:00.000-08:00The server outage caused an issue with the image, but it is now fixed and you should be able to download it fine now.Lance Muellerhttp://www.blogger.com/profile/15789264000499223230noreply@blogger.comtag:blogger.com,1999:blog-1746946614390371171.post-91017363119727839812008-02-20T14:14:00.000-08:002008-02-20T14:14:00.000-08:00I cannot download the image file...Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-1746946614390371171.post-33648241561923576972008-02-19T14:41:00.000-08:002008-02-19T14:41:00.000-08:00Yeah EnCase V6.10 has deleted reg stuff. This is the first pass and there are deleted folders that point to existing items.niknoreply@blogger.comtag:blogger.com,1999:blog-1746946614390371171.post-4448196046682791372008-02-18T09:16:00.000-08:002008-02-18T09:16:00.000-08:00Now that I'm back at work.<BR/><BR/>http://home.eunet.no/pnordahl/ntpasswd/<BR/><BR/>He admits to finding details of the registry in a file attributed to an individual with the initials B.D.<BR/><BR/>There's a link provided, as well as some cleaned up information in the source code for this utility.<BR/><BR/>Great stuff.Paul Bobbynoreply@blogger.comtag:blogger.com,1999:blog-1746946614390371171.post-41933801270326765362008-02-16T12:45:00.000-08:002008-02-16T12:45:00.000-08:00I don't have Harlan's book handy, but he mentioned an individual who created a utility to boot/blow away a password in the SAM. He also happens to have done the most research on the registry, at least from a code and structure breakdown.<BR/><BR/>Fascinating stuff, but it looks like the registry contains multiple HK blocks each one a multiple of 4096bytes in size. When items are deleted from the registry, these blocks become available.<BR/><BR/>Looks like the mounting a registry file in Encase with the 'calculate unallocated space' option checked looks for all these available areas and concatenates them together.<BR/><BR/>I fortunately get to beta test Encase, and right now there's a new option, kinda like a create folders type thing, that seeks to put some structure in to the deleted registry entries. Great stuff.Paul Bobbynoreply@blogger.comtag:blogger.com,1999:blog-1746946614390371171.post-41986095280493329482008-02-14T17:08:00.000-08:002008-02-14T17:08:00.000-08:00Nik, <BR/><BR/>SID "...682003330-1003" is OWNER while SID "...682003330-1004" is CASTER TROY.<BR/><BR/>(Security.evt)du212noreply@blogger.comtag:blogger.com,1999:blog-1746946614390371171.post-51772560367758008932008-02-14T17:01:00.000-08:002008-02-14T17:01:00.000-08:00Paul Bobby or Lance,<BR/><BR/>What DOES mounting the ntuser.dat with the option "Calculate UA Space" (In Encase) do ?Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-1746946614390371171.post-92074179951572017572008-02-14T14:54:00.000-08:002008-02-14T14:54:00.000-08:00Just some locations I immediately started looking in:<BR/><BR/>a)(Castor)\Ntuser.dat->Software-><BR/>Microsoft->Windows->CurrentVersion-><BR/>Explorer->Comdlg32->OpenSaveMRU<BR/><BR/>b)(Castor)\Ntuser.dat->Software-><BR/>Microsoft->Windows->CurrentVersion-><BR/>Explorer->RecentDocs->zip<BR/><BR/>c)(Castor)\Ntuser.dat->Software-><BR/>Microsoft->Windows->CurrentVersion-><BR/>Explorer->CDburning->Drives-><BR/><BR/>d)(Castor)\Ntuser.dat->Software-><BR/>NicoMakComputing->Winzip->filemenu<BR/><BR/>e)System->ControlSet->Enum->USBStor<BR/><BR/>f)SystemRestore->RP0,1,2,3->du212noreply@blogger.comtag:blogger.com,1999:blog-1746946614390371171.post-39184064937588511422008-02-11T17:42:00.000-08:002008-02-11T17:42:00.000-08:00Furthermore, Secret2 and secret 5 have ben copied off the computer and then caster DID double-click on them.<BR/>(see the times in the INDX slack of recent)<BR/>The fact that there are no OBJID's on the local secret2/5.zip means they were offsite.niknoreply@blogger.comtag:blogger.com,1999:blog-1746946614390371171.post-23748246080405504722008-02-11T17:32:00.000-08:002008-02-11T17:32:00.000-08:00ObjId:<BR/>(GMT times)<BR/>Winzip installed between 6:10 am and 8:32 pm on 1/30<BR/><BR/>clicked on secret.zip in same time span (accessed time matches puts it to 6:27 AM)<BR/><BR/>Caster's password set to BLANK on 1/30 8:32PM<BR/><BR/>There's a deleted explorer.exe in the recycling bin deletd at 7:13;<BR/>it was mapped to <BR/>(oddly the sid is unknown!)<BR/>(Mapped drive and other user deletes it by fileshare)niknoreply@blogger.comtag:blogger.com,1999:blog-1746946614390371171.post-9069539182055249092008-02-10T20:13:00.000-08:002008-02-10T20:13:00.000-08:00Good, you made the point I was trying to illustrate that just because the directory appears empty in the forensic tool you may be using, does not mean there isn't any good information there. Looking at the contents of the folder in hex or using an EnScript to parse the buffer (cheater ;) may provide excellent information, like in this case.<BR/><BR/>Might I suggest a search of the filenames you have found, using Unicode across unallocated and specifically the $LogFile.<BR/><BR/>Additionally, since you have discovered several zip files of interest, what application(s) might be used by the user to view/create those zips?Lance Muellerhttp://www.blogger.com/profile/15789264000499223230noreply@blogger.comtag:blogger.com,1999:blog-1746946614390371171.post-77188319224678424842008-02-10T19:41:00.000-08:002008-02-10T19:41:00.000-08:00Yep it's empty.<BR/><BR/><BR/>;)<BR/><BR/>Parsed out the INDX buffer using the enscript, pulled secret2.lnk complete with timestamps.<BR/><BR/>Also within the buffer is a directory entry for secret5.lnk.Paul Bobbynoreply@blogger.comtag:blogger.com,1999:blog-1746946614390371171.post-87383980048626522192008-02-10T16:15:00.000-08:002008-02-10T16:15:00.000-08:00Anybody look in Castor Troy's Recent folder?Lance Muellerhttp://www.blogger.com/profile/15789264000499223230noreply@blogger.comtag:blogger.com,1999:blog-1746946614390371171.post-28380375644380769292008-02-10T12:37:00.000-08:002008-02-10T12:37:00.000-08:00Ack, some stuff was truncated in the previous comment.<BR/><BR/>I continued my search, taking advantage of mounting the ntuser.dat with the "calculate unallocated space" option.<BR/><BR/>supersecret2.zip<BR/>supersecret3.zip<BR/>supersecret4.zip<BR/>supersecret5.zip<BR/>supersecret6.zip<BR/><BR/>were found there.<BR/><BR/>The hex surrounding these filenames and the 8.3 MSDOS filenames also there are similar to the structure in the Stream previously discovered in the clear in the registry.<BR/><BR/>High probability that these files are also present on the thumb drive.Paul Bobbynoreply@blogger.comtag:blogger.com,1999:blog-1746946614390371171.post-16297753204221108182008-02-10T12:27:00.000-08:002008-02-10T12:27:00.000-08:00In the NTUser.dat file of Caster Troy, specifically Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\0\ViewView2, I got a keyword hit on 'supersecret'.<BR/><BR/>The Streams key records window size/location information when a particular window is closed.<BR/><BR/>The corresponding StreamsMRU key records the application used.<BR/><BR/>In this case, there is a reference to E:\, meaning Explorer was used to view the contents of the E:\ root drive - which as already determined, was an inserted USB thumb drive.<BR/><BR/>The coolness about this particular ViewView2 value inthe key is that it lists all files visible in the explorer window.<BR/><BR/>Parsing it out:<BR/><BR/>Supersecret<BR/>secret1.zip<BR/>secret2.zip<BR/>secret3.zip<BR/>secret4.zip<BR/>secret5.zip<BR/><BR/>Unfortunately I've had to rely on Paraben registry analyzer to pull out timestamp information from the StreamMRU keys as I haven't been able to find the format of the StreamMRUs anywhere yet. Have to wait until tomorrow.<BR/><BR/>So he is suspected as having access to Supersecret stoof - it's already on his thumbdrive. Naughty boy.Paul Bobbynoreply@blogger.comtag:blogger.com,1999:blog-1746946614390371171.post-16503283995156762832008-02-09T18:38:00.000-08:002008-02-09T18:38:00.000-08:00Paul Bobby -<BR/><BR/>Very good start, although there is much more there waiting to be found!! ;)Lance Muellerhttp://www.blogger.com/profile/15789264000499223230noreply@blogger.comtag:blogger.com,1999:blog-1746946614390371171.post-71634900865974229552008-02-07T19:31:00.000-08:002008-02-07T19:31:00.000-08:001/30/08 9:08:50am he installed Winzip. System restore point<BR/>created<BR/><BR/>1/30/08 9:09:09am Maybe Google Toolbar installed<BR/><BR/>1/30/08 9:18:03am several ZIP files created.<BR/><BR/>1/30/08 9:26:30am USBSTOR.SYS is created in System32\drivers<BR/><BR/>1/30/08 9:27:29am LNK file created in a system restore directory<BR/>LNK file points to e:\secret2.zip, serial # of device 98eb-802a which does not match the serial number of the single partition in the evidence file. <BR/><BR/>The USBStor key in the SYSTEM registry contains a single entry<BR/>About a device called "USB NAND FLASH DISK USB Device"<BR/><BR/>1/30/08 9:41:22am sdelete.exe was created in the LST folder. No prefetch for this executable, cannot say if it was executed or not (Last Access was 1 second later, so maybe it was). Userassist does not show it executing. MUICache does not show it as having been executed. Shows up as having a window size of 800x600 in the ShellNoRoam BAGs key - application once ran with that window size, but cannot show it ran then.<BR/><BR/>So the theory is that the user created ZIP files from documents on his machine.<BR/><BR/>Copied them to a thumb drive.<BR/><BR/>Sdelete.exe may have been used by Mr. Mueller to clean up the evidence file, or by Caster Troy to remove ZIP and documents from his My Documents folder. <BR/><BR/>I'll keep looking.<BR/><BR/>BTW keep doing challenges, they are great exercises.Paul Bobbynoreply@blogger.comtag:blogger.com,1999:blog-1746946614390371171.post-8148695997966640002008-02-01T09:18:00.000-08:002008-02-01T09:18:00.000-08:00It's better than Dirk Diggler..Lance Muellerhttp://www.blogger.com/profile/15789264000499223230noreply@blogger.comtag:blogger.com,1999:blog-1746946614390371171.post-16160446354666849922008-02-01T03:18:00.000-08:002008-02-01T03:18:00.000-08:00"Castor Troy"? You're a profiler's best friend! ;-)Keydet89http://www.blogger.com/profile/08966595734678290320noreply@blogger.com