26
Feb
2012

CODEGATE 2012 – Forensics 300

Challenge description:

IU is investigating the system which was contaminated by malicious code.
As a result of analyzing TimeLine, it seems to be contaminated after February 9th 2012.
Contaminating path would be from visiting Web page. IU analyses various user traces of Internet, however IU can’t find malicious URL.
Maybe traces would be removed, when it was contaminated. Find correct malicious URL and the time it was contaminated. (cf. Remove http(s)://)
The time is based on Korea Standard Time(UTC +09:00).

Answer: malicious_URL|YYYY-MM-DDThh:mm:ss
(‘|’ is just a character)


We were expecting to download another 30MB file, but this time we just got a zip archive which only contained one file. From the name and the path it was clear we were dealing with a Chrome Cookies database.

\Users\proneer\AppData\Local\Google\Chrome\User Data\Default\Cookies

Since the Cookies file is actually a sqlite database we opened it with a sqlite manager. We did see a bunch of legal looking cookies, but were they all legal? Was there not something hidden in a Base64 string? Or lead one of the cookies us to a malicious website? We tried a lot with the displayed cookies, visited half the internet, but without any result. Maybe we picked up a virus somewhere, we will let us check first thing Monday morning.

So we needed to go back to the description. There is a hint about removed traces, so in the data we were looking in, we wouldn’t going to find the deleted data. However, deleted records in sqlite are not always removed completely, the areas are marked for reuse. So maybe we are lucky. We opened the Cookies file in a hex editor and found the following data:

test.wargame.kr__utma134301300.282793704.1328799447.1328799457.1328799457.10/

So the key would be:
test.wargame.kr|2012-02-09T23:57:27

{3 Responses to “CODEGATE 2012 – Forensics 300”}

  1. Wasn’t it odd though that the good entries had it’s creation_utc in webkit format while this one ended up in epoch?

    amon
  2. Dear Sir

    Thank you your good description kindly.
    I am concerned with codegate 2012. I would like to get data 7z files (problem forensic-300, 400, 500) of codegate2012-forensic. If you have 7z data files, please give me by email (syd101@daum.net).

    Thank you

    sincerely.

    ssam

Trackbacks & Pings