(121215) #fitalk 3th holy shield forensics probs write-ups
TRANSCRIPT
FORENSIC INSIGHT; DIGITAL FORENSICS COMMUNITY IN KOREA
3th HolyShield Forensics Probs Writeups
13lackc4t
http://13lackc4t.blog.me
Jeon Chang-bae
forensicinsight.org Page 2
Index
1. About Holyshield
2. Forensics 200
3. Forensics 300
4. Forensics 400
5. Q & A
forensicinsight.org Page 3
About Holyshield
forensicinsight.org Page 4
About Holyshield
가톨릭대학교 침해사고대응팀(CAT-CERT)에서 주최하는 해킹방어대회
2010년부터 매년 개최
여러가지 분야에서 16문제를 출제
온라인 CTF 형태로 진행
Overview
forensicinsight.org Page 5
About Holyshield
2012년 11월 16일 18:00 ~ 2012년 11월 18일 06:00(UTC+9:00)
총 상금 180만원
(1등 100만원, 2등 50만원, 3등 30만원)
PACKET 1문제, WEB 5문제, REVERSING 4문제,
PWNABLE 3문제, FORENSICS 3문제 출제
2번의 이벤트 진행
1등 : Class is permanent
2등 : KAIST GoN
3등 : B10S
3th Holyshield
forensicinsight.org Page 6
Forensics 200
forensicinsight.org Page 7
Forensics 200
Find the Key :)
Overview
forensicinsight.org Page 8
Forensics 200
Identify filesystem
Explanation (1)
forensicinsight.org Page 9
Forensics 200
Mount image
Explanation (2)
forensicinsight.org Page 10
Forensics 200
Extract all files
only one adobe document file
Explanation (3)
forensicinsight.org Page 11
Forensics 200
Context triggered piecewise hashing
Explanation (4)
forensicinsight.org Page 12
Forensics 200
Get special string
This show original file’s name, size and hash value
Explanation (5)
forensicinsight.org Page 13
Forensics 200
Ssdeep hash value in slack space
Explanation (6)
forensicinsight.org Page 14
Forensics 200
Make a file stored original file’s hash value
Using ssdeep, find the file be nearest original file
Explanation (7)
forensicinsight.org Page 15
Forensics 200
Change the pic’s width and height
Explanation (8)
forensicinsight.org Page 16
Forensics 200
Context triggered piecewise hashing
Slack space
Number of pics?
Behind
forensicinsight.org Page 17
Forensics 300
forensicinsight.org Page 18
Forensics 300
There are Digital Evidences collected on secret informant's computer.
Find the secret file!
아래는 기밀유출자의 컴퓨터에서 수집된 디지털 증거입니다.
기밀파일을 찾으십시오!
Overview
forensicinsight.org Page 19
Forensics 300
User Folder
Explanation (1)
forensicinsight.org Page 20
Forensics 300
Under Downloads folder
• ~$p_Secret.doc -> MS words file’s temporary file
• $I30 -> store $FILE_NAME attribute about current folder
Explanation (2)
forensicinsight.org Page 21
Forensics 300
Identify the download file’s name
Explanation (3)
forensicinsight.org Page 22
Forensics 300
Under “AppData\Roaming\Microsoft\Windows\Recent”
AutomaticDestinations -> Jumplist
CustomDestinations -> Jumplist
Explanation (4)
forensicinsight.org Page 23
Forensics 300
Using Jumplister
MS words file has same name different place
Explanation (5)
forensicinsight.org Page 24
Forensics 300
Strange Date/Time -> pinned
upload.html ?
Explanation (6)
forensicinsight.org Page 25
Forensics 300
Url -> Under construction
Explanation (7)
forensicinsight.org Page 26
Forensics 300
Guess URL
-> http://210.126.48.191/1f2c346c024c87e1c8382e6556402d8a/Top_Secret.doc
Explanation (8)
forensicinsight.org Page 27
Forensics 300
Jumplist
Using egrep
Change Prob?
Behind
forensicinsight.org Page 28
Forensics 400
forensicinsight.org Page 29
Forensics 400
국제공항의 항공기 관제시스템이 외부해커집단에 의해 침해당하여 Access키가 유출되었
다는 신고를 접수했다.
역추적한 결과 공항 내 내부PC에서 해킹이 이루어졌다고 판단, 켜져있던 PC의 이미지 등
을 입수했으며, 이 PC에서 Lucifer 라는 해커에게 Key를 전송한 것으로 보여진다.
Key 를 찾아라.
Overview
forensicinsight.org Page 30
Forensics 400
Memory
Disk
Explanation (1)
forensicinsight.org Page 31
Cannot indentify filesystem
Forensics 400
Explanation (2)
forensicinsight.org Page 32
Forensics 400
Explanation (2)
forensicinsight.org Page 33
Forensics 400
Using Passware password recovery kit
Explanation (3)
forensicinsight.org Page 34
Forensics 400
Explanation (4)
forensicinsight.org Page 35
Forensics 400
Zip file in send_to_lucifer.jpg
Explanation (5)
forensicinsight.org Page 36
Forensics 400
Explanation (6)
forensicinsight.org Page 37
Forensics 400
Send_to_lucifer is Windows journal file(*.jnt)
Explanation (7)
forensicinsight.org Page 38
Forensics 400
Coldbooting Attack
Behind
forensicinsight.org Page 39
Question and Answer