TryHackMe writeup: Digital Forensics Case B4DM755 – InfoSec Write-ups
Digital forensics and incident response (DFIR) is the art and science of reconstructing what happened during a computer system’s operation. It has proven very useful in solving engineering problems, detecting threats against an individual or organisation, and even bringing criminals to justice. In this article, I document the experience I gained acting as a “first responder” for a hypothetical computer forensics case in a TryHackMe room.
Base Image: eBay (n.d.).
Contents at a glance
- Background
- Procedure
- Discussion
- Conclusion
- References
Background
The Digital Forensics Case B4DM755 TryHackMe room (“tryhackme” and “Orzykf”, 2023) gives its users a fictitious digital forensics case to practise on. The room’s stated objectives are for users to learn about the chain of custody, practise using the FTK Imager (n.d.) tool to image a non-volatile storage medium, and analyse the imaged device so that it can be used in a hypothetical legal case.
Background information
Task 2 introduces case #B4DM755, an investigation into the fictitious crime of corporate espionage, specifically theft of trade secrets. The suspect is William Super McClean, a British person who recently fled to Metro Manila, the largest urban area in the Philippines. An informant gave the law enforcement agency investigating case #B4DM755 the context in which the crime was committed, and information regarding a possible transaction between McClean and a Metro Manila gang member.
Task 4 further elaborates: when law enforcement attempted to apprehend McClean at an apartment, they found that they were too late and that the transaction between him and the gang member may have already taken place. Law enforcement was able to seize a non-volatile flash drive tied to a key chain with the initials “WSM” on it.
This room has me playing the role of a first responder in the law enforcement agency’s digital forensics and incident response team. We are given authorisation to seize and search McClean and others involved with the crime. Specifically, I am to acquire a forensically sound image of McClean’s non-volatile storage devices and perform a cursory forensic assessment of their contents. In this case, I am starting with the flash drive attached to the key chain.
Interlude: Brief discussion of the chain-of-custody
Regarding the acquisition of digital evidence, task 3 of the room recommends first imaging RAM and physical memory, then checking for drive encryption, and finally imaging hard drives and possibly other non-volatile storage media if necessary or if instructed to do so.
Task 3 also briefly discusses the chain of custody. The qualities of a good chain of custody that maintain the integrity of the investigation include proper documentation, hashing digital artefacts, cold shutdowns, and the bagging, sealing and tagging of seized hardware.
With this context out of the way, I can now get started with the task.
Procedure
Problem statement
In this room, I am to preserve and analyse the contents of the USB flash drive described in the previous subsection. The forensics scenario here is hypothetical, so I am to find the “flag” in the forensic artefact and gain experience using the tools used by agents who are “in the field.”
I will connect to a virtual machine where I will perform my acquisition and analysis of the USB flash drive. I simply need to start up the virtual machine, connect to it and set up the analysis environment.
Setting up the environment
Task 5 gives the username analyst and password DFIR321! as credentials for connecting to the analyst machine. I used the Remote Desktop Connection (n.d.) client to make the connection, with figure 2.1 depicting the username and domain that I am connecting to:
Figure 2.1
I clicked on the “[c]onnect” button, entered the password, and was presented with a desktop session as depicted by figure 2.2:
Figure 2.2
I simply need to open the FTK Imager (n.d.) software utility from the top-left corner. Doing so gave me the following window (figure 2.3):
Figure 2.3
In the following subsections, I will follow the methods prescribed in tasks 5, 6 and 7 to do an analysis. I will not document each step of the process in meticulous detail, so as to avoid plagiarising the room’s graphics and figures. Furthermore, the reader can easily visit the TryHackMe room and repeat the experiment if they wish to learn more.
Adding evidence
Task 5 describes, with screenshots, the procedure by which to add digital artefacts and determine whether or not they are encrypted. I reproduced the steps detailed in task 5 and determined that there is no encryption on the flash drive. Figure 2.4 depicts my results:
Figure 2.4 (screenshot by this author)
Thanks to the lack of encryption, it will be much easier to analyse the flash drive (because I do not have to run cryptanalysis against the filesystem)!
Initial analysis
This subsection deals with the method prescribed in task 6. Here, I created a disk image based on the evidence item analysed in the previous subsection. I used the dd utility (see Hutchinson et al. 1999) to create the image. Figure 2.5 depicts the evidence item information that I set for the item:
Figure 2.5 (screenshot by this author)
After creating the disk image, I was given the following basic information about its data structure, as depicted by figure 2.6:
Figure 2.6 (screenshot by this author)
Information like the MD5 and SHA1 checksums is useful for maintaining the integrity of the digital artefacts (see Gilpin 2018). I then imported this virtual disk into FTK Imager and exported its [root] directory to the analysis folder. Figure 2.7 depicts a listing of the [root] directory:
Figure 2.7 (screenshot by this author)
I also switched the File View pane into “Icon mode” to get an easier view of how many files are deleted (a red “X” symbol denotes a deleted file). Figure 2.8 depicts the results:
Figure 2.8 (screenshot by this author)
I counted six (6) deleted files. With the forensic artefacts exported, I can now proceed to analyse their contents and construct a coherent narrative that is hopefully consistent with my discoveries and other established facts.
Content analysis
I noticed an interesting file called hideout.pdf, which initially appears to be a PDF file. However, upon closer inspection, this file may be an image produced by a device made by the OnePlus (n.d.) electronics company. I inspected its file contents with FTK Imager, with figure 2.9 depicting the contents of the file:
Figure 2.9 (screenshot by this author)
Observe the Exif and ONEPLUS strings in hideout.pdf’s hex dump.
This leads me to suspect that this file is more likely an image that has been disguised as a PDF file to make it slightly more difficult for investigators to work out its contents.
I employed ExifTool (EXIF Tool, n.d.) to see if I could get more information on the hideout.pdf file. The following is a snippet of the tool’s output:
C:\Users\analyst\Desktop\artefacts\[root]>exiftool hideout.pdf
ExifTool Version Number : 12.47
File Name : hideout.pdf
Directory : .
File Size : 4.7 MB
File Modification Date/Time : 2022:09:11 04:31:48+00:00
File Access Date/Time : 2024:03:03 23:37:56+00:00
File Creation Date/Time : 2024:03:03 23:37:56+00:00
File Permissions : -rw-rw-rw-
[… snip …]
The output of the tool was too large to list in full, so I instead formatted it into a table to make it easier to parse. Figure 2.10 depicts the results of exiftool.exe on the supposed PDF file:
Figure 2.10
I do apologise in advance for the flood of information and data regarding the image file, or if it is difficult to read.
I did notice quite a few interesting things in the output. For one thing, this is not really a PDF file, but rather a JPEG image. I also verified that the phone was manufactured by OnePlus, and that it is specifically their A6013 model (see Amazon.com, n.d.).
I then decided to investigate the warehouse.pdf file, which, like the hideout.pdf file, is actually a JPEG image file as opposed to a PDF document. I ran the exiftool utility against it, and came up with the following output (some of which is redacted for the sake of good presentation):
C:\Users\analyst\Desktop\artefacts\[root]>exiftool warehouse.pdf
ExifTool Version Number : 12.47
File Name : warehouse.pdf
Directory : .
File Size : 6.0 MB
File Modification Date/Time : 2022:09:11 06:59:02+00:00
[… snip …]
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
[… snip …]
Camera Model Name : Mi 9 Lite
[… snip …]
This confirms that the warehouse.pdf file is a JPEG image and that it was produced by a smartphone’s camera that is a Mi 9 Lite model.
After investigating other files, I worked out that operations.xlsx is a WinZip (n.d.) archive as opposed to a Microsoft Excel spreadsheet. I proceeded to extract it and examine its contents, with figure 2.11 depicting what is contained in the archive:
Figure 2.11
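As an added example (not code from the room or from ExifTool), here is the extension-versus-content check that exposed hideout.pdf, warehouse.pdf and operations.xlsx, written in Python: it sniffs the JPEG, PDF and ZIP signatures, separates a genuine OOXML spreadsheet from a plain ZIP by looking for [Content_Types].xml, and reads Make and Model out of the Exif IFD0. The sample files, and the “OnePlus” / “ONEPLUS A6013” strings, are constructed stand-ins rather than values taken from the room’s artefacts.

```python
"""Find files whose content contradicts their extension, read the camera Make/Model from a JPEG's
Exif segment, and tell a real spreadsheet (OOXML) from a plain ZIP. Added example; samples are constructed."""
import os
import struct
import tempfile
import zipfile

SIGNATURES = {b"\xff\xd8\xff": "jpeg", b"%PDF": "pdf", b"PK\x03\x04": "zip"}
EXPECTED = {".pdf": "pdf", ".jpg": "jpeg", ".xlsx": "ooxml", ".docx": "ooxml", ".zip": "zip"}

def sniff(path):
    """Classify by magic bytes; a ZIP counts as 'ooxml' only if it carries [Content_Types].xml."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    kind = next((k for magic, k in SIGNATURES.items() if head.startswith(magic)), "unknown")
    if kind == "zip" and zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as zf:
            if "[Content_Types].xml" in zf.namelist():
                kind = "ooxml"
    return kind

def check(path):
    """Return (type claimed by extension, type detected from content, mismatch, Exif Make/Model if JPEG)."""
    claimed, detected = EXPECTED.get(os.path.splitext(path)[1].lower(), "unknown"), sniff(path)
    return claimed, detected, claimed != detected, exif_make_model(path) if detected == "jpeg" else None

def exif_make_model(path):
    """Walk the JPEG segments to APP1/Exif and read Make (0x010F) and Model (0x0110) from IFD0."""
    with open(path, "rb") as fh:
        data = fh.read()
    pos = 2                                                  # skip the SOI marker (FF D8)
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker, seglen = data[pos + 1], struct.unpack(">H", data[pos + 2:pos + 4])[0]
        seg = data[pos + 4:pos + 2 + seglen]
        if marker == 0xE1 and seg.startswith(b"Exif\x00\x00"):
            tiff, found = seg[6:], {}
            en = "<" if tiff[:2] == b"II" else ">"          # byte order from the TIFF header
            ifd = struct.unpack(en + "I", tiff[4:8])[0]
            for i in range(struct.unpack(en + "H", tiff[ifd:ifd + 2])[0]):
                e = tiff[ifd + 2 + 12 * i:ifd + 14 + 12 * i]
                tag, typ, n, off = struct.unpack(en + "HHII", e)
                if tag in (0x010F, 0x0110) and typ == 2:     # type 2 = ASCII string
                    raw = e[8:8 + n] if n <= 4 else tiff[off:off + n]   # short values sit inline
                    found[tag] = raw.rstrip(b"\x00").decode("ascii", "replace")
            return found.get(0x010F), found.get(0x0110)
        pos += 2 + seglen
    return None

def build_jpeg_with_exif(make, model):
    """Construct a minimal JPEG with a little-endian Exif IFD0 (strings longer than 4 bytes)."""
    m, mo = make.encode() + b"\x00", model.encode() + b"\x00"
    entries = struct.pack("<HHII", 0x010F, 2, len(m), 38) + struct.pack("<HHII", 0x0110, 2, len(mo), 38 + len(m))
    tiff = b"II*\x00" + struct.pack("<IH", 8, 2) + entries + b"\x00" * 4 + m + mo   # values start at byte 38
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

def demo():
    """Constructed stand-ins for the room's artefacts: a JPEG named .pdf and a plain ZIP named .xlsx."""
    with tempfile.TemporaryDirectory() as d:
        jpg, xls = os.path.join(d, "hideout.pdf"), os.path.join(d, "operations.xlsx")
        with open(jpg, "wb") as fh:
            fh.write(build_jpeg_with_exif("OnePlus", "ONEPLUS A6013"))
        with zipfile.ZipFile(xls, "w") as zf:
            zf.writestr("notes.txt", "constructed sample")
        return {os.path.basename(p): check(p) for p in (jpg, xls)}
```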
The notes.txt file looks interesting, so I decided to dump its contents:
==========================================================
CSSC Annual Meetup: 09-09 / 9th of September
Topic: Product Distribution Schedule
[… snip …]
Shipment Details:
- Schedule: 3rd day of every month
- Products: 0days, Trojans, Ransomware, Backdoors, Rootkits
[… snip …]
> Year: 2022
– Total Profits: $1,092,564,789.23
– Meetup: 14°26’25.7″N 120°59’00.8″E
– PoC: Karl Renato Abelardo / 09124329876 / [email protected]
==========================================================
Underground Community Creds:
- DarkPool Marketplace: SerpentWhisperer86 / Cr1m$0nSh@d0w$3rp3nt5
- Menacingly Marketplace: KingCrimson201 / Sh@d0wSerp3nt$C4rt3l
==========================================================
Send email to Mr. DeVentura and Mr. Durr Alessio later.
Subject: Task Completed – All Traces Erased
Message:
Mr. DeVentura, Mr. Durr Alessio,
I am pleased to inform you that the requested task has been successfully executed. You can now rest assured that all tracks with our counter-parties and other institutions have been meticulously cleaned, leaving no traces behind. Please feel free to reach out if you need any further assistance.
Best regards, William, WSM
DarkVault$Pandora=DONOTOPEN!K1ngCr1ms0n!
I learnt a lot of interesting things from notes.txt; specifically that:
- William McClean’s point of contact (PoC) is called Karl Renato Abelardo
- The coordinates to get to their informal tradeshow are 14°26’25.7″N 120°59’00.8″E
- The password to unzip the contents of pandorasbox.zip is DarkVault$Pandora=DONOTOPEN!K1ngCr1ms0n!
I then proceeded to unzip pandorasbox.zip, with figure 2.12 depicting a portion of its contents:
Figure 2.12
The DONOTOPEN file looks pretty interesting, so I proceeded to open it. Its contents are the following:
Congratulations! Flag is: THM{redacted}
I also casually explored the other documents. A file called LOW Investment Benificiaries.docx looked interesting enough for me to explore. Figure 2.13 depicts an excerpt of its contents:
Figure 2.13
This implies some kind of inheritance or beneficiary. I then identified another Word document, UTCL242231 — Capital distribution to the principal beneficiary GVDeVentura.docx, which made me aware of a beneficiary called Mr. Giovanni Vittorio DeVentura.
Finally, I decided to explore the HFT_Algorithm folder. I identified a Python script called main.py and dumped its contents:
#!/usr/bin/python3
import threading
import time
from config import settings, trading_parameters
from data.market_data import MarketDataHandler
from data.historical_data import HistoricalDataHandler
from execution.execution_handler import ExecutionHandler
from execution.order_manager import OrderManager
from models.example_strategy import ExampleStrategy
from models.risk_management import RiskManagement

def run_trading_loop(strategy, market_data_handler, historical_data_handler, risk_management, order_manager, execution_handler):
    while True:
        [… snip …]
When I was in my early twenties, I had an interest in quantitative finance, and from the terminology (and script comments) I recognise this as a high-frequency trading (HFT) bot (see Chen 2023 to learn more). While I do not have much experience with financial documentation and the accounting behind finance, I can infer that William McClean’s theft of the source code could be part of some financial fraud plot.
It looks like this HFT bot was developed by someone called Perry Parsons during their tenure at SwiftSpend Financial.
The final task of the room (task #8) wraps everything up by discussing how to go about presenting evidence in court and how to legally procure evidence. I discuss my thoughts on this in later sections of this article.
Discussion
Brief discussion of philosophical problems in digital forensics
The reader may skip this subsection if they are not interested in my philosophical musings.
Forensics is an attempt at describing what occurred in the past using scientific knowledge. Science can be seen as the process of people, directly or indirectly, working together to make testable and falsifiable theories about the material world. The keyword here is “falsifiable,” meaning that scientific theories run the risk of being proven wrong.
Popper (2002) contends that science is not a set of theories that have been proven, but rather a set of theories that have yet to be disproven. Other scholars are in agreement with Popper’s view of science (see Kanazawa 2008; Henderson 2018; Schroedl 2021).
Contrast a scientific field with trial law, which attempts to come up with a binary “proof” of a defendant being innocent or guilty of committing a crime. Prosecutors and attorneys enter evidence into the court record, argue its validity and create narratives around the evidence in favour of their clients. The lawyers may cite forensic science and empirical evidence, but not to solve a scientific problem.
Instead, they are interested in solving a social engineering problem, which is different from the kind of social engineering that penetration testers or black hat hackers are used to. Here, the social engineering problem involves a cost-benefit analysis of allowing McClean, who may or may not be guilty of intellectual property theft, to roam free. Evidence is accumulated until it is “beyond a shadow of a reasonable doubt” that McClean is guilty of intellectual property theft.
This is a problem that has bothered me since I was a teenager. Science is the best way to make sense of the material world because anyone can participate in it, as long as they can play by its tough rules. Forensics is a bit different: not everyone can participate in the process. Security clearance is needed to access certain kinds of information regarding a crime (Federal Bureau of Investigation, n.d.), and not just anyone can enter a crime scene. Furthermore, there is also more of an emphasis on credentials (Ashcroft et al. 2004?, pp. 7–10).
Besides my intuitive reasons for why forensic investigations may be flawed, others have pointed out problems with forensics and the legal system:
- Kennedy (2003) noted that fingerprints and other artefacts generated by the human body might not be reliable evidence.
- In a thesis discussing malware analysis, Kennedy (2017, pp. 19–21), citing Kennedy (2003), acknowledges that forensic science may not be as rigorous as other sciences, and that this may have implications for malware analysis and presumably other kinds of computer forensics.
I do not intend for anyone to dismiss the field of digital forensics and incident response, or forensics in general. But this “epistemological barrier” does raise a lot of questions, especially when the stakes are high. Unfortunately, I do not have answers to them.
Limitations
I must confess that as I write this article, I am by no means an expert in digital forensics. I am currently an undergraduate student of computer science, and because of this, there may be more errata and mistakes in my analysis than in a professional’s. For this reason, I recommend that readers treat this writeup as documentation of an experience rather than an authority on the subject matter.
Furthermore, the forensic acquisition methods that I used are not the most rigorous: one shortcoming is that I did not use a write-blocking device. This hardware device prevents the analyst’s computer from unintentionally writing information to storage media (CSRC, n.d.).
Figure 3.1 depicts a write-block device in use to read a hard drive:
Figure 3.1 (Image Credits: “ErrantX”, 2010)
Because I did not use a write-block device, it is possible that a kernel-level software glitch caused information to be written onto the storage medium that I was imaging. This introduces the risk of violating the data integrity of the forensic image, and will most likely disqualify this kind of evidence from court.
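As an added example (not code from the room or from FTK Imager) tying this limitation back to the MD5 and SHA1 values recorded after acquisition: re-hashing the image against the recorded digests is the check that exposes any such stray write. The image and the single-byte modification below are constructed in a temporary directory; a real run would take the image path and the digests copied from the acquisition record.

```python
"""Verify a raw disk image against the digests recorded when it was acquired.

Added example, not part of the TryHackMe room or FTK Imager. The image and the
stray write below are constructed stand-ins.
"""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # stream 1 MiB at a time so multi-GB images never sit in RAM


def hash_image(path):
    """Return (md5, sha1) hex digests of the file at path, read once in chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            md5.update(block)
            sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()


def verify_image(path, recorded_md5, recorded_sha1):
    """Recompute both digests and report, per algorithm, whether they still match the record."""
    md5, sha1 = hash_image(path)
    return {"md5": md5 == recorded_md5.lower(), "sha1": sha1 == recorded_sha1.lower()}


def demo():
    """Acquire, verify, then flip one byte (what an unblocked write could do) and verify again."""
    # Constructed stand-in for the USB dump: a FAT-style boot sector padded with zeros.
    image = b"\xeb\x3c\x90MSDOS5.0" + b"\x00" * 500 + b"\x55\xaa"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "usb.dd")
        with open(path, "wb") as fh:
            fh.write(image)
        recorded_md5, recorded_sha1 = hash_image(path)   # what the acquisition record would hold
        before = verify_image(path, recorded_md5, recorded_sha1)
        with open(path, "r+b") as fh:                     # one byte changed, file size unchanged
            fh.seek(100)
            fh.write(b"\x01")
        after = verify_image(path, recorded_md5, recorded_sha1)
    return before, after
```

A size check or a directory listing would not notice the change; only the recomputed digests do.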
Conclusions
In this article, I played the role of a first responder where my job was to image a USB flash drive and perform a cursory analysis of its contents. I discuss my procedure for doing so, share some of my thoughts on the state of forensic science and the legal system, and also discuss the limitations of my work.
Further resources
GitHub repository of my work while doing this room:
I can also recommend the following resources for anyone who wants to learn more about the subject matter:
- Jacobia (2004) for readers who want to learn more about the role of “first responder.”
- Ashcroft et al. (2004?, pp. 7–10) for readers who are interested in a career in digital forensics and incident response.
- The Citizen Lab (based at the University of Toronto) for anyone who is interested in digital forensics and incident response applied to social justice and human rights causes: https://citizenlab.ca/
Plug
For any readers who are enjoying this article, I would like to invite them to check out my technical writeups series where I discuss more computer security problems and their solution: https://medium.com/@EpsilonCalculus
References
Amazon.com (n.d.). OnePlus 6T A6013 128GB Mirror Black — US Version T-Mobile GSM Unlocked Phone (Renewed). Retrieved on Mar. 3, 2024 from: https://www.amazon.com/OnePlus-A6013-128GB-Mirror-Black/dp/B07V3TL48P
Ashcroft et al. (2004?). Education and Training in Forensic Science: A Guide for Forensic Science Laboratories, Educational Institutions, and Students. National Institute of Justice. https://www.ojp.gov/pdffiles1/nij/203099.pdf
Chen, J. (December 17, 2023). What Is High-Frequency Trading (HFT)? How It Works and Example. Investopedia. Retrieved on Mar. 11, 2024 from: https://www.investopedia.com/terms/h/high-frequency-trading.asp
CSRC (n.d.). Write-Blocker. National Institute of Standards and Technology. Last Retrieved on Mar. 3, 2024 from: https://csrc.nist.gov/glossary/term/write_blocker
eBay (n.d.). DVD Anime Heaven’s Memo Pad Vol.1–12 End English Subtitle. Retrieved on Mar. 12, 2024 from: https://www.ebay.com/itm/354396033665
“ErrantX” (2010). A portable Tableau write-blocker attached to a hard drive. Wikimedia Commons. Last Retrieved on Mar. 3, 2024 from: https://en.wikipedia.org/wiki/Forensic_disk_controller#/media/File:Portable_forensic_tableau.JPG
EXIF Tool (n.d.). ExifTool by Phil Harvey. Retrieved on Mar. 3, 2024 from: https://exiftool.org/
Federal Bureau of Investigation (n.d.). Security Clearances for Law Enforcement. Retrieved on Mar. 12, 2024 from: https://le.fbi.gov/informational-tools/security-clearances-for-law-enforcement
FTK Imager (n.d.). Create Forensic Images with Exterro FTK Imager. Exterro. Retrieved on Mar. 3, 2024 from: https://www.exterro.com/digital-forensics-software/ftk-imager
Gilpin, B. (2018). Data Integrity Checksums. Versity. Retrieved on Mar. 3, 2023 from: https://www.versity.com/data-integrity-checksums/
Hutchinson et al. (1999). Logical vs. Physical File System Backup. In Proceedings of the 3rd Symposium on Operating Systems Design and Implementation. New Orleans, Louisiana. USENIX. https://www.usenix.org/legacy/events/osdi99/full_papers/hutchinson/hutchinson.pdf
Jacobia, J. (2004). Computer Forensics: Duties of the First Responder. In Law Enforcement Technology (Vol. 31, Issue 4, pp. 28–34). https://www.ojp.gov/ncjrs/virtual-library/abstracts/computer-forensics-duties-first-responder
Kanazawa, S. (2008). Common Misconceptions About Science I: “Scientific Proof:” Why there is no such thing as a scientific proof. Psychology Today. Retrieved on Mar. 3, 2024 from: https://www.psychologytoday.com/us/blog/the-scientific-fundamentalist/200811/common-misconceptions-about-science-i-scientific-proof
Kennedy, D. (2003). Forensic Science: Oxymoron? In Science (Vol. 302, Issue 5651, pp. 1625–1625). American Association for the Advancement of Science (AAAS). https://doi.org/10.1126/science.302.5651.1625
Kennedy, I. M. (2017). A Framework for the Systematic Evaluation of Malware Forensic Tools. The Open University. https://doi.org/10.21954/OU.RO.0000C559
OnePlus (n.d.). About OnePlus (NEVER SETTLE) — OnePlus United States. Retrieved on Mar. 3, 2024 from: https://www.oneplus.com/us/brand
Popper, K. (2002). The logic of scientific discovery. Routledge Classics.
Remote Desktop Connection (n.d.). How to use Remote Desktop. Microsoft Support. Retrieved on Mar. 3, 2024 from: https://support.microsoft.com/en-us/windows/how-to-use-remote-desktop-5fe128d5-8fb1-7a23-3b8a-41e636865e8c
Schroedl, S. (2021). The Fallacy of the “Scientific Proof:” Uncertainty is the bread and butter of good scientists. Science and Philosophy. Retrieved on Mar. 3, 2024 from: https://medium.com/science-and-philosophy/the-fallacy-of-the-scientific-proof-3e47385fa773
“tryhackme” and “Orzykf” (2023). Digital Forensics Case B4DM755. TryHackMe. Last Retrieved on Mar. 3, 2024 from: https://tryhackme.com/room/caseb4dm755
WinZIP (n.d.). Need to open or create a Zip file? Retrieved on Mar. 11, 2024 from: https://www.winzip.com/en/learn/file-formats/zip/