Tuesday, March 16, 2010

Write-up Codegate 2010 #19 - Forensic, introduction to the Sleuth Kit and Autopsy

Challenge #19 was also interesting, at least for the story:
Found a dead guy on the street, assumed that a guy committed suicide.
How can you assume that? Find the clue.
And they gave us a simple binary file: 56DACF1C6CF363F27501FFCA50CC0415 (9.6MB).

Pre-analysis

The first thing to do in this situation is to use the file command, to determine the type of data it contains:
$ file 56DACF1C6CF363F27501FFCA50CC0415
56DACF1C6CF363F27501FFCA50CC0415: Zip archive data, at least v2.0 to extract

It's a ZIP archive, let's extract it:
$ unzip 56DACF1C6CF363F27501FFCA50CC0415
Archive:  56DACF1C6CF363F27501FFCA50CC0415
inflating: 56DACF1C6CF363F27501FFCA50CC0415.raw

Same procedure, use file to determine the file type:
$ file 56DACF1C6CF363F27501FFCA50CC0415.raw
56DACF1C6CF363F27501FFCA50CC0415.raw: x86 boot sector

Ok, it looks like a disk image.

We can now imagine the whole story: the dead guy had a digital device (cellphone or computer), authorities gave it to us in order to find out if it was an homicide or a suicide (insurance reasons maybe?). Pretty real!


Fast solution


Run strings command to extract printable content, and up to your imagination try finding keywords such as 'kill', 'suicide', 'murder', 'dead', 'blackmail', 'gun', 'revolver'...
$ strings 56DACF1C6CF363F27501FFCA50CC0415.raw | grep 'kill'
[...]
http://ad.doubleclick.net/adi/wiki.health/meds/;kw=How_fast_can_potassium_cyanide_kill_you;csrc=unanswered;pos=1;answ=ad;tile=1;dcopt=ist;sz=160x600;ord=698466684?
[...]

Interesting, an advertisement was displayed to the victim in response to a search on keywords (kw): How fast can potassium cyanide kill you. It seems the victim was interested in killing himself or herself with potassium cyanide, but too bad it's not the flag.

We continue searching with keywords 'potassium' or 'cyanide'.
$ strings 56DACF1C6CF363F27501FFCA50CC0415.raw | grep 'potassium'
y268455671.1136351268.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=where%20can%20i%20buy%20potassium%20cyanide

Interesting, the victim searched where can i buy potassium cyanide on Google. Probability that the victim killed himself or herself with potassium cyanide is high: we can ask the medical examiner to specifically look after that. And bingo, it's the flag!

Finding the flag was pretty fast right?
But I admit, it is not what I have done. In such a situation, I prefer using digital forensic tools such as The Sleuth Kit and Autopsy Browser to help me finding interesting things (because we don't know what to look for!). Therefore, let's see how we can use these forensic tools in order to find the flag.


Introduction to The Sleuth Kit and Autopsy Browser


The Sleuth Kit and Autopsy Browser are open source digital investigation tools (a.k.a. digital forensic tools) that run on Windows and Unix systems. As explained on their website, the Autopsy Forensic Browser is a graphical interface to the command line digital investigation analysis tools in The Sleuth Kit. Of course, other tools exist: opensourceforensics.org gives a good list.

Download The Sleuth Kit and Autopsy Browser then install them.
Under Linux, you will have to ./configure, make and make install SleuthKit (you can use --prefix to install elsewhere), then ./configure Autopsy (if you changed the default path of SleuthKit, you will be prompted for it).

Start Autopsy merely with ./autopsy: it starts a webserver listening exclusively on localhost. If you are running it remotely (on your server), you can tell autopsy to listen to remote connections with ./autopsy <your ip> (as a security measure, only your IP will be authorized to access Autopsy).

Alright, now open Autopsy in your browser with the URL that was given to you.


Create a new case for this challenge.



Add a host.



We are now in the home of host 19, case Codegate, ready to start by first adding the disk image.


Give the full path to the disk image (and not the zip of course) and tell Autopsy that it's a partition not a disk (containing a partition table).


Autopsy recognizes a FAT-16 partition labeled C:


Disk image is now added.


Back to the Case Gallery, we now have a disk image so we can start to analyze it.



From here, you have interesting menus:
  • File Analysis: to browse directories and files on disk, even those that have been deleted
  • Keyword Search: directly search contents of files and even unallocated sectors, search for ASCII or Unicode and regular expressions are allowed
  • Filetype, Image Details, Meta Data and Data Unit also gives you valuable information


After having searched randomly for interesting (deleted) files unsuccessfully, I finally had the idea to look for specific words such as 'kill' as explained previously.


Autopsy gives the results list in the left frame, and the preview (hex or ascii) of a result in the right frame.


Like previously, we see the advertisement that was displayed to the victim in response to a search on keywords (kw) How fast can potassium cyanide kill you. Similarly, we now search for potassium.


Good, like previously we see that the victim searched where can i buy potassium cyanide on Google. That's our flag!


Autopsy has many other valuable features, such as File Activity Time Lines from the Case Gallery: you can see what happened on the file system during a specific time frame (it helps finding other suspicious activities or files).

Conclusion


After all, this challenge wasn't very hard if you had the idea to look for keywords. Anyway, I found the story behind the challenge interesting, and I hope you enjoyed this small presentation of The Sleuth Kit and Autopsy Browser, a very good digital forensic tool.. and open source!

Thanks goes to my friend Ivan for his help on this challenge.

No comments:

Post a Comment