Thursday, September 11, 2014

Super Sunday Funday Forensic Challenge - Update 1

Hello Reader,

Current Contest

First things first, one change: I am extending the contest by one day since it started one day late. The contest will now end on 9/16/14, so you have 5 days left.

Second, no one has beaten level 3 yet. So far 12 people have made it to level 3, which means you have plenty of time to catch up and win if you are so motivated.

Third, I am planning to be in #dfir on irc.freenode.net on 9/11, 9/12, 9/15 and 9/16. If you have questions, get an IRC client and come ask them there.

For those of you not playing, or looking for a break here is some more good information.

Learn Windows Forensics from me!

I'll be co-teaching SANS FOR408 with Rob Lee in Ft. Lauderdale, FL at DFIRCon East Nov 3rd-8th 2014. If you want to spend a week learning everything you can about Windows forensics, and nights going deeper into the artifacts/structures if you want, I can't wait to meet you. As a bonus SANS has put out a $400 coupon for the event, go here to claim it.

Solutions to the past contest

Something I have not posted that I've been promising is the answers to the last 5 stage challenge. Let's start that now. 

Stage 1 Question:
You are dealing with an attacker who has used the Volume Shadow Copy Service to create a new snapshot of the volume and then exported the Active Directory database (ntds.dit) from it, a common tactic and one we use at NCCDC. If they cleared the Security log after doing this, how could you recover where they logged in from?

Stage 1 Answer from a winner: 

If I understand your question correctly, the attacker used "System Restore" from the control panel to make a new snapshot, and then mounted that to extract the ntds.dit. After the attacker took the db, then they cleared the event logs.

If that is what occurred then the solution is fairly simple, so I can't imagine I have your scenario right, but here it goes. The security event logs could be recovered from the snapshot the attacker created to look for logon records to determine where they came in from. The attacker's logon would have been recorded in that snapshot since it was created after they logged in. Time to filter down those 4624 event IDs and look for your logon. Maybe we're super lucky and the attacker used RDP, so we can filter down more quickly with event type 10.

The only answer I needed:
What I was really looking for here was the understanding that an unaltered copy of the Security event log from the time of the incident was sitting in a shadow copy, put there by the attacker's own actions. If you said you could extract it from the shadow copy, you moved forward. Tomorrow I'll post the next level's question and answer.
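For readers who want to see the recovery carried out, here is an added example of the procedure the answer describes. This is an editor's illustration, not code from the original post or from the winner's answer. The shadow copy index, the C:\case working directory, the symlink path and the Get-RemoteLogons helper are all assumptions you adjust to your case; the only facts it relies on are that VSS snapshots are reachable under \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN, that the Security log lives at Windows\System32\winevt\Logs\Security.evtx, and that event 4624 carries LogonType, WorkstationName and IpAddress in its EventData.

```powershell
# Added example, not part of the original post. Run from an elevated PowerShell
# prompt on the affected host (PowerShell 3+). Every path below is an assumption.

# 1. Enumerate the shadow copies on the box. Look for the one whose creation time
#    matches the ntds.dit theft; that is the snapshot the attacker made for themselves.
vssadmin list shadows

# 2. Expose that snapshot through a directory symlink and copy Security.evtx out of it.
#    The trailing backslash on the GLOBALROOT path is required by mklink.
$ShadowIndex = 1                                   # hypothetical; take it from the listing above
$ShadowLink  = 'C:\case\shadow'
$Out         = 'C:\case\Security_from_shadow.evtx'
New-Item -ItemType Directory -Path 'C:\case' -Force | Out-Null
cmd /c mklink /d $ShadowLink "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy$ShadowIndex\"
Copy-Item "$ShadowLink\Windows\System32\winevt\Logs\Security.evtx" $Out

# 3. Pull the 4624 logons out of the recovered log and keep only remote ones.
#    Logon type 10 is RemoteInteractive (RDP); type 3 is Network. Field values are read
#    by name from each event's XML, so this does not depend on Properties[] positions.
function Get-RemoteLogons {
    param(
        [Parameter(Mandatory)] [string] $EvtxPath,
        [int[]] $LogonTypes = @(10, 3)
    )
    Get-WinEvent -FilterHashtable @{ Path = $EvtxPath; Id = 4624 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml] $_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject] @{
                Time        = $_.TimeCreated
                User        = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                LogonType   = [int] $d['LogonType']
                Workstation = $d['WorkstationName']
                SourceIp    = $d['IpAddress']
            }
        } |
        Where-Object {
            $_.LogonType -in $LogonTypes -and
            $_.SourceIp -notin @('-', '127.0.0.1', '::1')
        }
}

Get-RemoteLogons -EvtxPath $Out | Sort-Object Time | Format-Table -AutoSize
```

Two caveats a practitioner would want: this only works while the attacker's snapshot still exists (vssadmin delete shadows removes it, so image the volume before touching VSS state on a live system), and the snapshot only contains logons that happened before it was taken, which in this scenario includes the attacker's own. If you are working from a disk image rather than the live host, skip steps 1 and 2, carve Security.evtx out of the shadow copy with your image tool, and point Get-RemoteLogons at the extracted file.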