BTLO Pro Lab - Countdown

Digital investigation on the clock


Author: Danny Child. Published on: April 2, 2021

Lab Preface, Takeaways

In Countdown, the goal is to identify communication from a seized laptop, then discover when and where a potential bomb threat will occur. While a typical SOC analyst will never face a bomb threat, many of the practices used to identify answers are commonly used in forensic investigations.

Zerry attempted to clear their tracks by using Eraser, which was not totally effective since message history and other key information was still stored on the device. Had Zerry taken the extra step of performing malicious activity in a VM, or wiping the device operating system before being arrested, then analysis would prove more difficult. Many investigations that include digital forensics use prepared custom scripts that automate the collection of IOCs, shortening the response time.

Questions and Answers

Verify the Disk Image. Submit SectorCount and MD5

FTK Imager records these values in the report it generates alongside every image. They can be checked against any copy of the image to prove that it is forensically sound, that is, an unaltered bit-for-bit copy. The report, created by FTK Imager, is provided in the Investigation Files folder on the desktop; the answer is found in C:\Users\BTLOTest\Desktop\Investigation Files\Disk Image\Zerry\Zerry.E01

Answer: 25165824,5c4e94315039f890e839d6992aeb6c58
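The check described above, re-computing the sector count and MD5 of an image copy and comparing them with the values in the acquisition report, as an added example (not code from the lab or from the author). It hashes the image in chunks so a multi-gigabyte file never sits in memory, and assumes 512-byte sectors; the sample image is constructed, and an .E01 container must first be exported to raw (or read through an EWF library) before its hash can be compared with the report.

```python
import hashlib
import io
from typing import BinaryIO, Tuple

SECTOR_SIZE = 512  # assumption: 512-byte sectors, as FTK Imager reports for this image


def fingerprint_stream(stream: BinaryIO, sector_size: int = SECTOR_SIZE,
                       chunk_size: int = 1 << 20) -> Tuple[int, str, int]:
    """Hash an image in fixed-size chunks so a multi-gigabyte file never sits in memory.

    Returns (sector_count, md5_hex, trailing_bytes). A non-zero trailing_bytes value means
    the image length is not a whole number of sectors, which is worth recording on its own.
    """
    md5 = hashlib.md5()
    total = 0
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        md5.update(chunk)
        total += len(chunk)
    return total // sector_size, md5.hexdigest(), total % sector_size


def fingerprint_bytes(data: bytes, sector_size: int = SECTOR_SIZE) -> Tuple[int, str, int]:
    """Convenience wrapper for in-memory data (used for the constructed sample below)."""
    return fingerprint_stream(io.BytesIO(data), sector_size)


def fingerprint_file(path: str, sector_size: int = SECTOR_SIZE) -> Tuple[int, str, int]:
    """Fingerprint a raw (dd-style) image on disk. An .E01 container has to be exported to
    raw, or read through an EWF library, for its hash to match the acquisition report."""
    with open(path, "rb") as fh:
        return fingerprint_stream(fh, sector_size)


def verify_image(data: bytes, expected_sectors: int, expected_md5: str) -> bool:
    """Compare a copy of the image against the SectorCount and MD5 from the report."""
    sectors, digest, trailing = fingerprint_bytes(data)
    return (sectors == expected_sectors and trailing == 0
            and digest == expected_md5.strip().lower())


# Constructed sample image: 4096 bytes of repeating values, i.e. exactly 8 sectors of 512 bytes.
SAMPLE_IMAGE = bytes(range(256)) * 16

if __name__ == "__main__":
    sectors, digest, trailing = fingerprint_bytes(SAMPLE_IMAGE)
    print(f"SectorCount={sectors} MD5={digest} trailing={trailing}")
    print("verified:", verify_image(SAMPLE_IMAGE, sectors, digest))
```

A mismatch in either value means the copy being examined is not the one that was acquired; a non-zero trailing byte count is a separate finding, since a drive image should always be a whole number of sectors.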

What is the decryption key of the online messenger app used by Zerry?

The online messenger app must first be identified. Autopsy lists all installed applications, but no messenger appears there. Looking in Zerry's Downloads folder instead reveals singal-desktop-win-1.39.5.exe. Signal Desktop artifacts exist in the file system under /img_Zerry.E01/vol_vol3/ZerryD💣🔥/AppData/Roaming/Signal/. Although Signal is an end-to-end encrypted messaging service, the desktop client stores messages and other data in a local encrypted database whose key is kept separately in plaintext, so anyone holding that key can decrypt all of the user's stored communication. The key is located in a file called config.json, which can be read with any text editor.

Answer: c2a0e8d6f0853449cfcf4b75176c277535b3677de1bb59186b32f0dc6ed69998

What is the registered phone number and profile name of Zerry in the messenger application used?

Using the previously discovered key, the database holding all messages and contacts can be decrypted. It is stored in a file called db.sqlite under /img_Zerry.E01/vol_vol3/ZerryD💣🔥/AppData/Roaming/Signal/sql/. In DB Browser for SQLite, enter the raw key prefixed with "0x" in the key (password) dialog. This decrypts the database and makes all of its tables accessible. The "messages" table contains the phone number, and the "items" table holds the answer to this question.

Answer: 13026482364,ZerryThe🔥

What is the email id found in the chat?

Viewing the "messages" table shows all messages sent and received. Row 21 contains an email address that was sent by the other user.

Answer: eekurk@baybabes.com
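The three Signal Desktop steps above (read the key from config.json, open the encrypted db.sqlite with it, then pull the registered identity and any email addresses out of the tables) as one added example, not code from the lab or from the author. The config.json content, the key, the phone numbers and the email addresses are constructed; the table layout used for the in-memory stand-in (an items(id, json) key/value table and a messages table with a body column) is a simplified assumption about Signal Desktop's schema, not a copy of it; and the actual decryption step is shown as the SQLCipher PRAGMA that a SQLCipher-enabled client would run, since the standard sqlite3 module cannot open the encrypted file itself.

```python
import json
import re
import sqlite3
from typing import List, Tuple

# Constructed stand-in for AppData/Roaming/Signal/config.json (not the lab's real file or key).
SAMPLE_CONFIG_JSON = '{"key": "00112233445566778899AABBCCDDEEFF00112233445566778899aabbccddeeff"}'

HEX_KEY_RE = re.compile(r"^[0-9a-fA-F]{64}$")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def extract_db_key(config_text: str) -> str:
    """Pull the database key out of config.json and check it is a 32-byte hex string."""
    key = json.loads(config_text).get("key")
    if not isinstance(key, str) or not HEX_KEY_RE.match(key):
        raise ValueError("config.json has no 64-hex-character 'key' entry")
    return key.lower()


def sqlcipher_key_pragma(hex_key: str) -> str:
    """SQLCipher raw-key syntax; DB Browser for SQLite accepts the same key typed as 0x<hex>."""
    return f"PRAGMA key = \"x'{hex_key}'\";"


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the decrypted db.sqlite (simplified, assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE items (id TEXT PRIMARY KEY, json TEXT);
        CREATE TABLE messages (id TEXT PRIMARY KEY, type TEXT, source TEXT, body TEXT);
    """)
    conn.executemany("INSERT INTO items VALUES (?, ?)", [
        ("number_id", json.dumps({"id": "number_id", "value": "+15550100001.1"})),
        ("profileName", json.dumps({"id": "profileName", "value": "SampleUser"})),
    ])
    conn.executemany("INSERT INTO messages VALUES (?, ?, ?, ?)", [
        ("m1", "incoming", "+15550100002", "send it to ops@example.invalid when ready"),
        ("m2", "outgoing", "+15550100001", "ok, sending now"),
        ("m3", "incoming", "+15550100002", "thanks, cc backup@example.invalid too"),
    ])
    conn.commit()
    return conn


def registered_identity(conn: sqlite3.Connection) -> Tuple[str, str]:
    """Return (phone number without '+' or device suffix, profile name) from the items table."""
    rows = dict(conn.execute("SELECT id, json FROM items WHERE id IN ('number_id', 'profileName')"))
    number = json.loads(rows["number_id"])["value"]
    number = number.lstrip("+").split(".", 1)[0]   # '+15550100001.1' -> '15550100001'
    profile = json.loads(rows["profileName"])["value"]
    return number, profile


def find_emails(conn: sqlite3.Connection) -> List[str]:
    """Scan every message body for email addresses; sorted and de-duplicated."""
    found = set()
    for (body,) in conn.execute("SELECT body FROM messages WHERE body IS NOT NULL"):
        found.update(EMAIL_RE.findall(body))
    return sorted(found)


def messages_from_others(conn: sqlite3.Connection) -> List[Tuple[str, str]]:
    """(source number, body) for incoming messages, i.e. what the other party sent."""
    return list(conn.execute("SELECT source, body FROM messages WHERE type = 'incoming' ORDER BY id"))


if __name__ == "__main__":
    key = extract_db_key(SAMPLE_CONFIG_JSON)
    print(sqlcipher_key_pragma(key))
    db = build_sample_db()
    print(registered_identity(db))
    print(find_emails(db))
```

Against a real decrypted copy, replace build_sample_db() with a connection to the exported database and adjust the column names to what the schema actually contains; the regex scan is the part that saves scrolling through every row by hand.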

What is the filename (including extension) that is received as an attachment via email?

While the file name is not mentioned directly, it can be assumed that Zerry interacted with it recently. Thanks to Autopsy, the shortcut (.lnk) file for the attachment is easily found under Recent Documents in the file explorer view. After extracting it, the shortcut can be opened in Windows File Analyzer, which shows the target path the shortcut references.

Answer: ⏳📅.png
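What Windows File Analyzer does with the shortcut, read the Shell Link header and LinkInfo structures to recover the target path and timestamps, as an added example (not code from the lab or from the author). The field layout follows the MS-SHLLINK format (header, optional IDList, LinkInfo with its LocalBasePath, then the StringData fields); the .lnk bytes parsed here are constructed by build_sample_lnk() and point at a hypothetical attachment path, not the one from the lab image.

```python
import struct
from datetime import datetime, timezone
from typing import Dict, Optional

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData fields appear in this order, each gated by its LinkFlags bit.
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]
EPOCH_DIFF = 11644473600  # seconds between 1601-01-01 (FILETIME) and 1970-01-01 (Unix)


def filetime_to_iso(ft: int) -> Optional[str]:
    """Convert a 64-bit FILETIME (100 ns ticks since 1601) to an ISO-8601 UTC string."""
    if ft == 0:
        return None
    return datetime.fromtimestamp(ft / 10_000_000 - EPOCH_DIFF, tz=timezone.utc).isoformat()


def _cstring(data: bytes, offset: int) -> str:
    return data[offset:data.index(b"\0", offset)].decode("cp1252")


def parse_lnk(data: bytes) -> Dict[str, object]:
    """Walk the ShellLinkHeader, optional IDList, LinkInfo and StringData of a .lnk file."""
    header_size, clsid, flags, attrs, ctime, atime, wtime, size = struct.unpack_from("<I16sIIQQQI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the IDList; only the paths matter here
        (idlist_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + idlist_size
    target_path = None
    if flags & HAS_LINK_INFO:
        li_start = pos
        li_size, _hdr, li_flags, _vol, lbp_off, _cnrl, _suffix = struct.unpack_from("<7I", data, li_start)
        if li_flags & 0x01:                       # VolumeIDAndLocalBasePath present
            target_path = _cstring(data, li_start + lbp_off)
        pos += li_size
    strings: Dict[str, str] = {}
    for bit, name in STRING_FIELDS:
        if flags & bit:
            (count,) = struct.unpack_from("<H", data, pos)
            pos += 2
            if flags & IS_UNICODE:
                strings[name] = data[pos:pos + 2 * count].decode("utf-16-le")
                pos += 2 * count
            else:
                strings[name] = data[pos:pos + count].decode("cp1252")
                pos += count
    return {"target_path": target_path, "file_size": size, "attributes": attrs,
            "created": filetime_to_iso(ctime), "accessed": filetime_to_iso(atime),
            "modified": filetime_to_iso(wtime), **strings}


def unix_to_filetime(unix_seconds: int) -> int:
    return (unix_seconds + EPOCH_DIFF) * 10_000_000


def build_sample_lnk() -> bytes:
    """Constructed .lnk pointing at a hypothetical attachment; not a file from the lab image."""
    flags = HAS_LINK_INFO | 0x08 | 0x10 | IS_UNICODE   # LinkInfo + RelativePath + WorkingDir, UTF-16 strings
    t = unix_to_filetime(1609459200)                   # 2021-01-01T00:00:00Z
    header = struct.pack("<I16sIIQQQIIIH2sII", 0x4C, LNK_CLSID, flags, 0x20, t, t, t, 4096, 0, 1, 0, b"\0\0", 0, 0)
    volume_id = struct.pack("<IIII", 17, 3, 0x12345678, 16) + b"\0"       # fixed drive, empty label
    local_path = b"C:\\Users\\Sample\\Downloads\\attachment.png\0"
    suffix = b"\0"
    lbp_off = 28 + len(volume_id)
    link_info = struct.pack("<7I", 28 + len(volume_id) + len(local_path) + len(suffix), 28, 0x01,
                            28, lbp_off, 0, lbp_off + len(local_path)) + volume_id + local_path + suffix

    def sd(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + link_info + sd(".\\attachment.png") + sd("C:\\Users\\Sample\\Downloads")


if __name__ == "__main__":
    for k, v in parse_lnk(build_sample_lnk()).items():
        print(f"{k:>14}: {v}")
```

To run it on the real shortcut, read the exported .lnk with open(path, "rb").read() and pass the bytes to parse_lnk(); the target path and the three FILETIME values are the same fields the viewer reports.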

What is the Date and Time of the planned attack?

While the shortcut does not contain the actual image, it can be referenced in a report to identify the original file. Because the image was opened, Windows generated a thumbnail of it and stored it locally. Windows keeps image thumbnails at /img_Zerry.E01/vol_vol3/ZerryD💣🔥/AppData/Local/Microsoft/Windows/Explorer/thumbcache_256.db. Extracting this file and loading it in Thumbcache Viewer shows the image preview, which can be exported. The date in the image is readable text, but the time is represented with emojis; read the clock emoji and look it up on the emoji keyboard to determine the time.

Answer: 01-02-2021 9:00 AM
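The fallback for when a viewer cannot open a thumbnail cache (or when the cache is damaged) is to carve the embedded previews out of it by their file signatures, which is what this added example does; it is not code from the lab or from the author, and it goes a little beyond the page in that it works on any blob, not only thumbcache_*.db. The PNG walker validates the chunk chain up to IEND rather than trusting a signature alone, the JPEG path just brackets SOI and EOI, and the sample cache blob (a 'CMMM'-prefixed byte string holding one generated PNG and one stub JPEG) is constructed here.

```python
import struct
import zlib
from typing import List, Optional, Tuple

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI, JPEG_EOI = b"\xff\xd8\xff", b"\xff\xd9"


def _png_at(blob: bytes, start: int) -> Optional[bytes]:
    """Walk PNG chunks from a signature hit until IEND; None if the chunk chain is broken."""
    pos = start + len(PNG_SIG)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack_from(">I4s", blob, pos)
        if length > (1 << 26):            # implausible chunk; treat the hit as a false positive
            return None
        pos += 8 + length + 4             # length, type, data, CRC
        if ctype == b"IEND":
            return blob[start:pos] if pos <= len(blob) else None
    return None


def _jpeg_at(blob: bytes, start: int) -> Optional[bytes]:
    end = blob.find(JPEG_EOI, start + len(JPEG_SOI))
    return blob[start:end + len(JPEG_EOI)] if end != -1 else None


def carve_images(blob: bytes) -> List[Tuple[int, str, bytes]]:
    """Return (offset, kind, image_bytes) for every PNG/JPEG found in blob, ordered by offset."""
    results = []
    for sig, kind, extract in ((PNG_SIG, "png", _png_at), (JPEG_SOI, "jpeg", _jpeg_at)):
        pos = 0
        while (hit := blob.find(sig, pos)) != -1:
            img = extract(blob, hit)
            if img is not None:
                results.append((hit, kind, img))
                pos = hit + len(img)
            else:
                pos = hit + 1
    return sorted(results, key=lambda r: r[0])


def make_png(width: int, height: int, rgb: Tuple[int, int, int]) -> bytes:
    """Build a small valid PNG (solid colour, 8-bit RGB) for the constructed sample."""
    def chunk(ctype: bytes, data: bytes) -> bytes:
        return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data) & 0xFFFFFFFF)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + bytes(rgb) * width for _ in range(height))   # filter byte 0 per row
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")


SAMPLE_PNG = make_png(2, 2, (255, 0, 0))
# Stub JPEG: SOI + APP0 marker + EOI. Not decodable, but shaped like a thumbnail entry payload.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 9 + b"\xff\xd9"
# Constructed cache blob: a 'CMMM' header-like prefix, UTF-16 entry names, then the two images
# separated by padding. Only the image magic bytes matter to the carver.
SAMPLE_BLOB = (b"CMMM" + b"\x1f\x00\x00\x00" + b"\x00" * 24
               + "1234567890abcdef".encode("utf-16-le") + SAMPLE_PNG + b"\x00" * 13
               + "fedcba0987654321".encode("utf-16-le") + SAMPLE_JPEG + b"\x00" * 7)

if __name__ == "__main__":
    for off, kind, img in carve_images(SAMPLE_BLOB):
        with open(f"carved_{off:08x}.{kind}", "wb") as fh:
            fh.write(img)
        print(f"offset {off:#x}: {kind} ({len(img)} bytes)")
```

Carved previews should be treated as what they are, a downscaled copy generated by Explorer, so the original image (or its shortcut, as in the previous question) is still what goes in the report as the source.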

What is the GPS location of the blast? The format is the same as found in the evidence. [Hint: Encode(XX Degrees,XX Minutes, XX Seconds)]

After some searching, the GPS location text is found stored in a sticky note on the desktop. Sticky Notes data is stored in /img_Zerry.E01/vol_vol3/ZerryD💣🔥/AppData/Local/Packages/Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe/LocalState/plum.sqlite. The file does not need to be exported, as the encoded text can be read directly in Autopsy's details view. The text is ROT13 encoded and can be pasted into CyberChef to recover the hidden message.

Answer: 40 degrees 45 minutes 28.6776 seconds N, 73 degrees 59 minutes 7.994 seconds W
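The last step, undoing the ROT13 and turning the degrees/minutes/seconds text into coordinates a map will accept, as an added example rather than code from the lab or from the author. The note body used here is constructed (it is the ROT13 form of a coordinate string in the same style as the answer above, prefixed with the "\id=<guid>" marker that Sticky Notes is assumed to keep in the Note table's Text column of plum.sqlite); the marker is stripped before decoding so its hex characters are not scrambled.

```python
import codecs
import re
from typing import Tuple

# Sticky Notes is assumed to keep note text in plum.sqlite (table Note, column Text), with a
# leading "\id=<guid>" marker in front of the user's text; strip it before decoding.
ID_MARKER_RE = re.compile(r"^\\id=[0-9a-fA-F-]+\s*")
DMS_RE = re.compile(
    r"(\d+(?:\.\d+)?)\s*degrees\s*(\d+(?:\.\d+)?)\s*minutes\s*(\d+(?:\.\d+)?)\s*seconds\s*([NSEW])",
    re.IGNORECASE,
)

# Constructed note body: the ROT13 form of a coordinate in the lab's "degrees/minutes/seconds" style.
SAMPLE_NOTE_TEXT = ("\\id=0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0 "
                    "40 qrterrf 45 zvahgrf 28.6776 frpbaqf A, 73 qrterrf 59 zvahgrf 7.994 frpbaqf J")


def rot13(text: str) -> str:
    """ROT13 is its own inverse, so the same call encodes and decodes; digits are untouched."""
    return codecs.encode(text, "rot_13")


def strip_note_marker(text: str) -> str:
    return ID_MARKER_RE.sub("", text, count=1)


def dms_to_decimal(degrees: float, minutes: float, seconds: float, hemisphere: str) -> float:
    value = degrees + minutes / 60 + seconds / 3600
    return -value if hemisphere.upper() in ("S", "W") else value


def parse_coordinates(text: str) -> Tuple[float, float]:
    """Return (latitude, longitude) in decimal degrees from a 'DD degrees MM minutes SS seconds H' pair."""
    matches = DMS_RE.findall(text)
    if len(matches) != 2:
        raise ValueError(f"expected two DMS coordinates, found {len(matches)}")
    lat = lon = None
    for deg, mins, secs, hemi in matches:
        value = dms_to_decimal(float(deg), float(mins), float(secs), hemi)
        if hemi.upper() in ("N", "S"):
            lat = value
        else:
            lon = value
    if lat is None or lon is None:
        raise ValueError("need one latitude (N/S) and one longitude (E/W)")
    return lat, lon


def decode_note(raw_text: str) -> Tuple[str, Tuple[float, float]]:
    """Strip the note marker, undo ROT13, and parse the coordinates out of the result."""
    plaintext = rot13(strip_note_marker(raw_text))
    return plaintext, parse_coordinates(plaintext)


if __name__ == "__main__":
    text, (lat, lon) = decode_note(SAMPLE_NOTE_TEXT)
    print(text)
    print(f"{lat:.6f}, {lon:.6f}")
```

The decimal form is what most mapping tools and report templates expect, while the answer is submitted in the original DMS wording, so keep both.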