Challenge Details

Challenge #T0048
Digital Duplicates
Author: Jeff Echlin
Framework Category: Investigate
Specialty Area: Digital Forensics
Work Role: Law Enforcement/CounterIntelligence Forensics
Task Description: Create a forensically sound duplicate of the evidence (i.e., forensic image) that ensures the original evidence is not unintentionally modified, to use for data recovery and analysis processes. This includes, but is not limited to, hard drives, floppy diskettes, CDs, PDAs, mobile phones, GPS, and all tape formats.
Scenario
Recently Gary Thatcher, our senior system administrator, came across a thumb drive attached to an employee's system. According to the employee, the thumb drive was attached without their consent and they are unsure of the origin of said drive. The drive was passed to Ione Leventis, one of our security analysts. Ione has attached the drive to our sheep-dip system, which in our case is the Security-Desk machine. However, Ione was called away on other matters and you are now entrusted with the task. According to current company policy the thumb drive must be inspected for any malicious agents that could threaten DAS Web's overall security. Your job is to create a forensically sound duplicate image of the thumb drive using dcfldd so it can be examined without the risk of inadvertently modifying potential evidence. SHA512 hashes should also be taken and compared between the original thumb drive, which is already attached to the system but not mounted, and the forensic image.
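
One way to carry out the imaging and hash comparison described above, as an added example that is not part of the challenge or its solution. The device path /dev/sdb and the output prefix /evidence/thumb are placeholders, not values from the challenge; the script refuses to image a device that shows up as mounted, acquires the image with dcfldd, and then recomputes SHA512 of both source and image independently of dcfldd's own hash log.

```shell
#!/bin/sh
# Added example (not from the challenge page): forensic imaging with dcfldd
# plus independent SHA512 verification. /dev/sdb and /evidence are placeholders.
set -eu

# Refuse to image a device (or any partition of it) that is currently mounted:
# the OS could write to a mounted filesystem while we read it.
assert_unmounted() {
    dev="$1"
    if grep -q "^$dev" /proc/mounts 2>/dev/null; then
        echo "refusing: $dev (or a partition of it) is mounted" >&2
        return 1
    fi
    return 0
}

# Bit-for-bit acquisition. hash=sha512 with hashwindow=0 hashes the whole
# input stream once; hashlog stores that digest for the evidence record.
# conv=noerror,sync keeps going past unreadable sectors and zero-pads them,
# so if the run reports read errors the image hash will legitimately differ
# from the source hash and that must be documented.
image_device() {
    dev="$1"; out="$2"
    assert_unmounted "$dev"
    dcfldd if="$dev" of="$out.dd" hash=sha512 hashwindow=0 \
           hashlog="$out.sha512.log" bs=4M conv=noerror,sync status=on
}

# Independent verification: recompute SHA512 of source and image with
# sha512sum and compare. Returns 0 only when the digests match.
verify_image() {
    src="$1"; img="$2"
    h_src=$(sha512sum "$src" | cut -d' ' -f1)
    h_img=$(sha512sum "$img" | cut -d' ' -f1)
    echo "source: $h_src"
    echo "image:  $h_img"
    [ "$h_src" = "$h_img" ]
}

# Usage with the placeholder paths (run as root on the sheep-dip machine):
#   image_device /dev/sdb /evidence/thumb && verify_image /dev/sdb /evidence/thumb.dd
```

Compare the digest in the hashlog against the two sha512sum outputs as well; all three should agree on a clean read.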

Additional Information
More details and objectives about this challenge will be introduced during the challenge meeting, which will start once you begin deploying the challenge.

You will be able to check your progress during this challenge using the check panel within the workspace once the challenge is deployed. The checks within the check panel report on the state of some or all of the required tasks within the challenge.

Once you have completed the requested tasks, you will need to document the methodology you used with as much detail and professionalism as necessary. This should be done on the documentation tab within the workspace once the challenge is deployed. Below the main documentation section be sure to include a tagged list of applications you used to complete the challenge.

Your username/password to access all virtual machines and services within the workspace will be the following:
Username: playerone
Password: password123


NICE Framework & CAE KU Mapping

NICE Framework KSA
K0001. Knowledge of computer networking concepts and protocols, and network security methodologies.
K0002. Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).
K0004. Knowledge of cybersecurity and privacy principles.
K0005. Knowledge of cyber threats and vulnerabilities.
K0041. Knowledge of incident categories, incident responses, and timelines for responses.
K0042. Knowledge of incident response and handling methodologies.
K0070. Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).
K0161. Knowledge of different classes of attacks (e.g., passive, active, insider, close-in, distribution attacks).
K0162. Knowledge of cyber attackers (e.g., script kiddies, insider threat, non-nation state sponsored, and nation sponsored).
K0179. Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth).
K0259. Knowledge of malware analysis concepts and methodologies.
K0287. Knowledge of an organization's information classification program and procedures for information compromise.
S0003. Skill of identifying, capturing, containing, and reporting malware.
S0078. Skill in recognizing and categorizing types of vulnerabilities and associated attacks.
S0080. Skill in performing damage assessments.

CAE Knowledge Units
Basic Cyber Operations
Basic Networking
Basic Scripting and Programming
Cyber Crime
Cybersecurity Foundations
Cyber Threats
Digital Forensics
Security Risk Analysis
Software Reverse Engineering
Software Security Analysis


Meeting

Network Map:

Summary:

Applications used:
Linux: cat, strings
Windows: WinSCP, .NET Reflector

Used strings to look at any text in the file. Used cat to output the file to the screen. I was able to identify IP 172.31.2.89.

I then turned to the Windows workstation and transferred the payload.exe using WinSCP. Downloaded .NET Reflector, a .NET decompiler. I opened the payload.exe in .NET Reflector and took a look at the source code. Found that the application runs for 7 minutes.

Found the function that launches the connection; it connects to 172.31.2.89 on port 0x38. Converted the hex of the port 0x38 to decimal 56.

I filled in the form at 172.16.30.100 with the information from the decompiled payload.exe.

Submitted:
Title: Submission #1
Activity Type: reverseshell
Malicious IP Address: 172.31.2.89
Malicious Port: 56
Interval Payload Ran On: 7

The payload.exe looks to create a reverse shell and connect to the destination IP. It is then used as a command and control to exfiltrate data from the machine.