26 Feb 2012

CODEGATE 2012 – Forensics 100

Challenge Description

In order to steal financial information of Company X, IU got a job undercover. She decided to attack the CFO's computer, and then insert malicious code into his computer by way of social engineering. She figured out that he didn't turn off his computer when he got off work. After he leaves the office, she obtains financial data from his computer by searching for an EXCEL file. By checking the installed application programs, she can find the information in the file. She leaks the file externally. In order to remove all traces, she erases the malicious code, event logs and recent file list.

Company X has to figure out exactly what information she stole in order to take appropriate measures. These are the attacked files from the CFO's computer. Find the full path and size of the file which she stole. On the day, the CFO left the office at 14:00. The time is based on Korea Standard Time (UTC+09:00).
Answer: strupr(md5(full_path|file_size)) ('|' is just a character)

The file provided in this challenge is 525321B9CEDAF3C8D35FC9071D5DD237, a 7-Zip compressed archive. After unpacking the archive you will find a \Users\ folder from a Windows 7 installation.

In the recent file list of Microsoft Office we can find an interesting LNK file:

\Users\proneer\AppData\Roaming\Microsoft\Office\Recent\[Top-Secret]_2011_Financial_deals.LNK

Parsing a LNK file can be done with multiple tools; forensic suites such as FTK parse these files by default. Free tools are available as well, such as 'lp' from TZWorks, which can be found at http://www.tzworks.net/prototype_page.php?proto_id=11

Using this tool, the following information can be retrieved from the LNK file (all timestamps are reported in UTC, so the target access time of 05:39 UTC corresponds to 14:39 KST, after the CFO had left):

C:\CodeGate>lp64.exe "[Top-Secret]_2011_Financial_deals.LNK"

lp (lnk parser) ver: 0.46, Copyright (c) TZWorks LLC
lnk file: [Top-Secret]_2011_Financial_deals.LNK
lnk created:           02/26/2012 19:56:13 [UTC]
lnk modified:          02/12/2012 10:01:54 [UTC]
lnk accessed:          02/26/2012 19:56:13 [UTC]
lnk flags:             HasLinkTargetIDList, HasLinkInfo, HasRelativePath, IsUnicode
file attributes:       FILE_ATTRIBUTE_ARCHIVE
Target create time:    02/12/12 05:39:49.989 [UTC]
Target write time:     01/07/09 04:17:41.484 [UTC]
Target access time:    02/12/12 05:39:49.989 [UTC]
file size:             0x00002450 [9296 bytes]
show cmd:              [SW_SHOWNORMAL]
ID List:               {CLSID_MyComputer}\C:\INSIGHT\Accounting\Confidential\[Top-Secret]_2011_Financial_deals.xlsx
DriveType:             fixed
volume serial num:     8ce8-c6c4
local base path:       C:\INSIGHT\Accounting\Confidential\[Top-Secret]_2011_Financial_deals.xlsx
relative path:         ..\..\..\..\..\..\..\INSIGHT\Accounting\Confidential\[Top-Secret]_2011_Financial_deals.xlsx
NETBIOS name:          win-in5aeg6ushu
Volume ID:             34458ad4-c9f5-4c74-bf29-be8a9a096682
Object ID:             007ca29d-54c6-11e1-a011-000c29d6d5a8
MAC address:           00:0c:29:d6:d5:a8

The information we need for this challenge:

File: C:\INSIGHT\Accounting\Confidential\[Top-Secret]_2011_Financial_deals.xlsx 
Size: 9296

The answer needed to be submitted in a certain form:
Answer: strupr(md5(full_path|file_size))

To create this value we will use a simple PHP one-liner. Note that none of the backslash sequences in the double-quoted PHP string (\I, \A, \C, \[) are recognised escapes, so PHP keeps the backslashes as literal characters and the path is hashed exactly as shown; a single-quoted PHP string would make that explicit.

php -r 'echo md5("C:\INSIGHT\Accounting\Confidential\[Top-Secret]_2011_Financial_deals.xlsx|9296");'
d3403b2653dbc16bbe1cfce53a417ab1

Although the challenge description told us to provide the answer in uppercase, the answer had to be submitted in lowercase.

Final answer: d3403b2653dbc16bbe1cfce53a417ab1
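As an added example (not part of the original writeup and not TZWorks' lp code), the following Python script parses the fixed 76-byte ShellLinkHeader that every .LNK file begins with, which is where the target timestamps, file size and flags shown in the lp output come from, converts the FILETIME values to KST so the 14:00 cut-off from the challenge can be checked, and builds the strupr(md5(full_path|file_size)) answer string. The path itself lives in the LinkInfo and IDList structures that follow the header, so it is taken from lp's output here; the sample header is constructed from the values lp printed, not read from the challenge file.

```python
import hashlib
import struct
from datetime import datetime, timedelta, timezone

KST = timezone(timedelta(hours=9))                   # challenge times are Korea Standard Time
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

def filetime_to_datetime(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC; integer math avoids float rounding."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; only used to build the constructed sample header."""
    td = dt - FILETIME_EPOCH
    return ((td.days * 86400 + td.seconds) * 10**6 + td.microseconds) * 10

def parse_shell_link_header(data):
    """Parse the fixed 76-byte ShellLinkHeader that starts every .LNK file (MS-SHLLINK 2.1)."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link: bad length, HeaderSize or LinkCLSID")
    (_size, _clsid, flags, attrs, ctime, atime, wtime,
     fsize, _icon, showcmd, _hotkey) = struct.unpack_from("<I16sIIQQQIIIH", data, 0)
    # flags: 0x01 HasLinkTargetIDList, 0x02 HasLinkInfo, 0x08 HasRelativePath, 0x80 IsUnicode
    return {"flags": flags, "attributes": attrs, "file_size": fsize, "show_command": showcmd,
            "target_created": filetime_to_datetime(ctime),
            "target_accessed": filetime_to_datetime(atime),
            "target_written": filetime_to_datetime(wtime)}

def accessed_after_leaving(header, leave_hour=14):
    """True if the target's last access, viewed in KST, falls after the hour the CFO left that day."""
    local = header["target_accessed"].astimezone(KST)
    return local > local.replace(hour=leave_hour, minute=0, second=0, microsecond=0)

def challenge_answer(full_path, file_size):
    """strupr(md5(full_path|file_size)) exactly as the challenge statement defines it."""
    return hashlib.md5(f"{full_path}|{file_size}".encode("utf-8")).hexdigest().upper()

def build_sample_header(ctime, atime, wtime, file_size):
    """Constructed sample: a header carrying the values lp printed above (not the real challenge file)."""
    flags = 0x01 | 0x02 | 0x08 | 0x80                # the four flags lp reported
    return struct.pack("<I16sIIQQQIIIH", 0x4C, LNK_CLSID, flags, 0x20,  # 0x20 = FILE_ATTRIBUTE_ARCHIVE
                       datetime_to_filetime(ctime), datetime_to_filetime(atime),
                       datetime_to_filetime(wtime), file_size, 0, 1, 0) + b"\x00" * 10

SAMPLE_LNK = build_sample_header(                    # lp's timestamps and size, re-encoded for an offline run
    datetime(2012, 2, 12, 5, 39, 49, 989000, tzinfo=timezone.utc),
    datetime(2012, 2, 12, 5, 39, 49, 989000, tzinfo=timezone.utc),
    datetime(2009, 1, 7, 4, 17, 41, 484000, tzinfo=timezone.utc), 0x2450)
SAMPLE_PATH = r"C:\INSIGHT\Accounting\Confidential\[Top-Secret]_2011_Financial_deals.xlsx"
```

Running parse_shell_link_header(SAMPLE_LNK) returns file_size 9296 and a target access time of 14:39:49 KST, and challenge_answer(SAMPLE_PATH, 9296).lower() is the value the PHP one-liner produced.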
