26 Feb 2012

CODEGATE 2012 – Forensics 400

Challenge description:

In Energy Corporate X, which is located in Seoul, an APT (Advanced Persistent Threat) occurred.
For 6 months, Attacker A stole critical information through an elaborate attack.
Attacker A exerted great effort to remove all his traces, such as malicious files, prefetch, registry and event logs, for the period of the attack, so it was hard for Energy Corporate X to find the attack path. However, IU, who is a forensic expert, can find the traces of the malicious files Attacker A used by analyzing the MFT (Master File Table).
What time was the malicious file created? The time is based on Korea Standard Time (UTC +09:00).
Answer: YYYY-MM-DDThh:mm:ss.sTZD
(TZD: +hh:mm or -hh:mm). Calculate down to seven decimal places.


Again a zip archive. This time it contained a $MFT (Master File Table) file. We found several tools that read this file and produce a CSV from the MFT. Now we had a list of 1531 files with their creation and modification dates.

Some example data:

"119","Good","Active","Folder","1","118","1","/Program Files/Common Files/microsoft shared/Triedit/en-US","2009-07-14 00:56:49.384178","2009-07-14 00:56:49.384178","2009-07-14 00:56:49.384178","2012-01-05 02:13:48.312498","2012-01-05 02:09:27.031248","2012-01-05 02:09:27.031248","2012-01-05 02:09:27.031248","2012-01-05 02:09:27.031248","","","","","","","","","","","","","","","","","","","","True","False","True","False","False","False","False","True","False","False","False","False","False","False","False","None","N","N"
"120","Good","Active","Folder","1","62","1","/Program Files/Common Files/microsoft shared/VGX","2009-07-14 00:52:30.938524","2012-02-11 04:30:23.621468","2012-02-11 04:30:23.621468","2012-02-11 04:30:23.621468","2012-01-05 02:09:27.031248","2012-01-05 02:09:27.031248","2012-01-05 02:09:27.031248","2012-01-05 02:09:27.031248","","","","","","","","","","","","","","","","","","","","True","False","True","False","False","False","False","True","False","False","False","False","False","False","True","None","N","N"
"121","Good","Active","Folder","1","61","1","/Program Files/Common Files/Services","2009-07-13 22:37:05.454088","2009-07-13 22:37:05.454088","2009-07-13 22:37:05.454088","2012-01-05 02:13:48.312498","2012-01-05 02:09:27.031248","2012-01-05 02:09:27.031248","2012-01-05 02:09:27.031248","2012-01-05 02:09:27.031248","","","","","","","","","","","","","","","","","","","","True","False","True","False","False","False","False","True","False","False","False","False","False","False","False","None","N","N"
"122","Good","Active","Folder","1","61","1","/Program Files/Common Files/SpeechEngines","2009-07-13 22:37:05.469688","2009-07-13 22:37:05.469688","2009-07-13 22:37:05.469688","2012-01-05 02:13:48.312498","2012-01-05 02:09:27.031248","2012-01-05 02:09:27.031248","2012-01-05 02:09:27.031248","2012-01-05 02:09:27.031248","","","","","SpeechEngines","2012-01-05 02:09:27.031248","2012-01-05 02:09:27.031248","2012-01-05 02:09:27.031248","2012-01-05 02:09:27.031248","","","","","","","","","","","True","False","True","False","False","False","False","True","False","False","False","False","False","False","False","None","N","N"
"123","Good","Active","Folder","1","122","1","/Program Files/Common Files/SpeechEngines/Microsoft","2009-07-13 22:37:05.469688","2009-07-13 22:37:05.485289","2009-07-13 22:37:05.485289","2012-01-05 02:13:48.312498","2012-01-05 02:09:27.031248","2012-01-05 02:09:27.031248","2012-01-05 02:09:27.031248","2012-01-05 02:09:27.031248","","","","","Microsoft","2012-01-05 02:09:27.031248","2012-01-05 02:09:27.031248","2012-01-05 02:09:27.031248","2012-01-05 02:09:27.031248","","","","","","","","","","","True","False","True","False","False","False","False","True","False","False","False","False","False","False","False","None","N","N"
"124","Good","Active","Folder","1","123","1","/Program Files/Common Files/SpeechEngines/Microsoft/TTS20","2009-07-13 22:37:05.485289","2009-07-13 22:37:05.500889","2009-07-13 22:37:05.500889","2012-01-05 02:13:48.312498","2012-01-05 02:09:27.031248","2012-01-05 02:09:27.031248","2012-01-05 02:09:27.031248","2012-01-05 02:09:27.031248","","","","","","","","","","","","","","","","","","","","True","False","True","False","False","False","False","True","False","False","False","False","False","False","False","None","N","N"
"125","Good","Active","Folder","1","124","1","/Program Files/Common Files/SpeechEngines/Microsoft/TTS20/en-US","2009-07-13 22:37:05.485289","2009-07-14 00:56:49.368578","2009-07-14 00:56:49.368578","2012-01-05 02:13:48.312498","2012-01-05 02:09:27.031248","2012-01-05 02:09:27.031248","2012-01-05 02:09:27.031248","2012-01-05 02:09:27.031248","","","","","","","","","","","","","","","","","","","","True","False","True","False","False","False","False","True","False","False","False","False","False","False","False","None","N","N"
"126","Good","Active","Folder","1","125","1","/Program Files/Common Files/SpeechEngines/Microsoft/TTS20/en-US/enu-dsk","2009-07-13 22:37:05.485289","2009-07-13 22:37:05.500889","2009-07-13 22:37:05.500889","2012-01-05 02:13:48.312498","2012-01-05 02:09:27.031248","2012-01-05 02:09:27.031248","2012-01-05 02:09:27.031248","2012-01-05 02:09:27.031248","","","","","","","","","","","","","","","","","","","","True","False","True","False","False","False","False","True","True","True","False","False","False","False","False","None","N","N"
"127","Good","Active","Folder","1","61","1","/Program Files/Common Files/System","2009-07-13 22:37:05.485289","2012-02-22 19:54:21.256834","2012-02-22 19:54:21.256834","2012-02-22 19:54:21.256834","2012-01-05 02:09:27.031248","2012-01-05 02:09:27.031248","2012-01-05 02:09:27.031248","2012-01-05 02:09:27.031248","","","","","","","","","","","","","","","","","","","","True","False","True","False","False","False","False","True","True","True","False","False","False","False","True","None","N","N"
"128","Good","Active","Folder","1","127","1","/Program Files/Common Files/System/ado","2009-07-13 22:37:05.500889","2012-02-22 10:01:18.698547","2012-02-22 10:01:18.698547","2012-02-22 10:01:18.698547","2012-01-05 02:09:27.031248","2012-01-05 02:09:27.031248","2012-01-05 02:09:27.031248","2012-01-05 02:09:27.031248","","","","","","","","","","","","","","","","","","","","True","False","True","False","False","False","False","True","True","True","False","False","False","False","True","None","N","N"
"129","Good","Active","Folder","1","128","1","/Program Files/Common Files/System/ado/en-US","2009-07-14 00:56:49.368578","2009-07-14 00:56:49.368578","2009-07-14 00:56:49.368578","2012-01-05 02:13:48.328125","2012-01-05 02:09:27.031248","2012-01-05 02:09:27.031248","2012-01-05 02:09:27.031248","2012-01-05 02:09:27.031248","","","","","","","","","","","","","","","","","","","","True","False","True","False","False","False","False","True","False","False","False","False","False","False","False","None","N","N"
"130","Good","Active","Folder","1","127","1","/Program Files/Common Files/System/en-US","2009-07-14 00:56:49.368578","2009-07-14 00:56:49.368578","2009-07-14 00:56:49.368578","2012-01-05 02:13:48.328125","2012-01-05 02:09:27.031248","2012-01-05 02:09:27.031248","2012-01-05 02:09:27.031248","2012-01-05 02:09:27.031248","","","","","","","","","","","","","","","","","","","","True","False","True","False","False","False","False","True","False","False","False","False","False","False","False","None","N","N"
"131","Good","Active","Folder","1","127","1","/Program Files/Common Files/System/msadc","2009-07-13 22:37:05.532089","2012-02-22 10:01:19.347961","2012-02-22 10:01:19.347961","2012-02-22 10:01:19.347961","2012-01-05 02:09:27.031248","2012-01-05 02:09:27.031248","2012-01-05 02:09:27.031248","2012-01-05 02:09:27.031248","","","","","","","","","","","","","","","","","","","","True","False","True","False","False","False","False","True","True","True","False","False","False","False","True","None","N","N"

We used a powerful tool called grep to find all executables in this file. We found one hidden in the Recycle Bin.

"1047","Good","Active","File","2","57","3","/$Recycle.Bin/r32.exe","2012-02-22 12:39:18.897461","2012-02-22 10:07:04.625648","2012-02-22 12:39:18.897461","2012-02-22 12:39:18.909178","2012-02-22 12:39:18.897461","2012-02-22 12:39:18.897461","2012-02-22 12:39:18.897461","2012-02-22 12:39:18.897461","","","","","","","","","","","","","","","","","","","","True","False","True","False","False","False","True","False","False","False","False","False","False","False","False","None","N","N"

The information we needed was:
/$Recycle.Bin/r32.exe
2012-02-22 12:39:18.897461

And since the answer had to have seven decimal places, we had to add a zero:
answer: 2012-02-23T02:39:18.8974610+09:00

It took us a while to find the right string that was accepted as the answer, though.
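The two steps above (pick the .exe rows out of the parser's CSV, then rewrite the chosen timestamp in the challenge's KST format with seven fractional digits) as an added example; this is not the writeup's own code. It assumes the parser printed its timestamps in UTC-05:00, because the writeup's answer is exactly 14 hours ahead of the CSV value (9 for KST plus 5), and the page does not state the parser's output zone.

```python
import csv
from datetime import datetime, timedelta, timezone
from io import StringIO

KST = timezone(timedelta(hours=9))

# Two rows copied from the writeup's parser output: a folder and the
# executable found in the Recycle Bin. Column 3 is the record type,
# column 7 the path and column 8 the first timestamp, which the writeup
# reads as the creation time.
SAMPLE_CSV = '''"119","Good","Active","Folder","1","118","1","/Program Files/Common Files/microsoft shared/Triedit/en-US","2009-07-14 00:56:49.384178","2009-07-14 00:56:49.384178","2009-07-14 00:56:49.384178","2012-01-05 02:13:48.312498","2012-01-05 02:09:27.031248","2012-01-05 02:09:27.031248","2012-01-05 02:09:27.031248","2012-01-05 02:09:27.031248","","","","","","","","","","","","","","","","","","","","True","False","True","False","False","False","False","True","False","False","False","False","False","False","False","None","N","N"
"1047","Good","Active","File","2","57","3","/$Recycle.Bin/r32.exe","2012-02-22 12:39:18.897461","2012-02-22 10:07:04.625648","2012-02-22 12:39:18.897461","2012-02-22 12:39:18.909178","2012-02-22 12:39:18.897461","2012-02-22 12:39:18.897461","2012-02-22 12:39:18.897461","2012-02-22 12:39:18.897461","","","","","","","","","","","","","","","","","","","","True","False","True","False","False","False","True","False","False","False","False","False","False","False","False","None","N","N"
'''

def find_executables(csv_text):
    """The writeup's grep step, done with a real CSV parser: return
    (path, first timestamp) for every File row whose path ends in .exe."""
    hits = []
    for row in csv.reader(StringIO(csv_text)):
        if len(row) > 8 and row[3] == "File" and row[7].lower().endswith(".exe"):
            hits.append((row[7], row[8]))
    return hits

def to_kst_answer(ts, source_utc_offset_hours):
    """Turn 'YYYY-MM-DD hh:mm:ss.ffffff' as printed by the parser into the
    challenge format 'YYYY-MM-DDThh:mm:ss.fffffff+09:00'.

    source_utc_offset_hours is the zone the parser printed in (an assumption;
    the writeup's answer is 14 h ahead of the CSV value, i.e. UTC-05:00).
    NTFS keeps 100-ns ticks, hence seven fractional digits; a parser that
    prints microseconds has dropped the seventh, so it is padded with a 0.
    """
    date_part, _, frac = ts.partition(".")
    frac = (frac + "0000000")[:7]
    src_tz = timezone(timedelta(hours=source_utc_offset_hours))
    when = datetime.strptime(date_part, "%Y-%m-%d %H:%M:%S").replace(tzinfo=src_tz)
    kst = when.astimezone(KST)
    z = kst.strftime("%z")                      # '+0900'
    return kst.strftime("%Y-%m-%dT%H:%M:%S") + f".{frac}{z[:3]}:{z[3:]}"

if __name__ == "__main__":
    for path, created in find_executables(SAMPLE_CSV):
        print(path, created, "->", to_kst_answer(created, -5))
```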

3 Responses to “CODEGATE 2012 – Forensics 400”

  1. Can you guys briefly elaborate on how you formatted the time for the answer? As in, why did you add 15 hours? Our group could not get the time right for the life of us, though we had the same creation date and file as you guys.

    thethird3y3
    • Trial and error mostly. It took us 10 minutes to find the malicious file, and another 50 minutes (or longer) to get the time format right. I hope future CTFs don’t use a time as an answer, cause it was really annoying.

      admin
