Saturday, May 15, 2021

Digital Forensics: CAPTURE THE FLAG: DRUG DEALER CASE

Today I would like to introduce the Belkasoft CTF, a competition organised by Belkasoft, a digital forensics and incident response solution that is easy to use and effective, simplifying and speeding up digital investigations. The event opens and closes within a window in May 2021.


Direct: dl.spbctf.com/BelkaDayUS_CTF_IMAGE.7z
Torrent: dl.spbctf.com/BelkaDayUS_CTF_IMAGE.7z.torrent
Archive password: CwMglC7pLRHSkIlwoSqA

Phone Image

The background of a case?

1. What is the full name of the phone owner?


Flag

Derek Hor

2. What is the phone number he reported to about drug delivery?


Flag

+12395104974

3. What were the suspect's delivery locations on the night of arrest?


Flag

Camelback Golf Club, 7847 N Mockingbird Ln, Scottsdale, AZ (33.5542226,-111.9340928)
2013 W Harwell Rd., Phoenix, AZ (33.374304,-112.1035501)
33°29'04.2"N 111°52'38.0"W (33.4845,-111.877215)

 

4. How long has the suspect been acting as a drug dealer?

Solution

  1. Belkasoft X shows an interview on June 20th, 2020 and an arrest date of April 18th, 2021. If we navigate to https://www.timeanddate.com/date/duration.html and enter those dates (including the date of the arrest) we get the flag

Solution without Belkasoft X

  1. The logic is the same

Flag

303 days


5. From what Bitcoin wallet did he get paid the last time for his job?

Solution

  1. The next step is a search on https://blockchair.com/bitcoin/outputs (or a similar service) using the evidence we already have. We can filter by date and time (April 15th, 2021 between 17:20 and 17:40) as well as by the bitcoin amount (around 0.0913 BTC). Only one transaction output falls within those parameters. Following that transaction link gives us our flag:

Flag

113JqY3CqsQPT7EN6wj5tRAVKftEP9rQC


6. What is the phone number of the drug supplier?

Solution

  1. After locating the Signal backup (manually) and its passphrase (any SQLite viewer will do; this time you do not need WAL or freelist support), you can use the open source tool https://github.com/pajowu/signal-backup-decode as follows:

    /root/.cargo/bin/signal-backup-decode --password '04049 19810 47697 72485 91554 88046' signal-2020-12-20-21-04-59.backup
  2. The tool creates a SQLite database with the extracted data. In the 'recipient' table we see two phone numbers: +13148346839, which corresponds to the profile name horatio0.42k (it's Derek Hor), and +14233767293, which is our target supplier

Flag

+14233767293

7. When was the last time the suspect met his supplier?

Solution

  1. The same logic and any SQLite viewer will help you solve the task. This time the SQLite viewer does not necessarily have to support forensic features, so 'DB Browser for SQLite' will do
  2. For the timestamp conversion, use any online converter or the DCode tool

Flag

Sat, 10 Apr 2021 07:30:00 UTC
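As an added example (not part of the original write-up and not Belkasoft's or DCode's code), the two date chores from tasks 4 and 7 done in Python instead of an online converter: rendering a raw database timestamp as UTC (the form the task 7 flag takes) or as MST (the zone the task 8 lookup expects), and counting the days between interview and arrest with the end date included. The epoch-milliseconds value is a constructed sample, not a value taken from the CTF image.

```python
from datetime import date, datetime, timedelta, timezone

# Constructed sample value (not from the CTF image): an epoch timestamp in
# milliseconds, the unit many Android messaging databases, including a decoded
# Signal backup, use for message times. 1618039800000 ms is 2021-04-10 07:30:00 UTC.
SAMPLE_TIMESTAMP_MS = 1618039800000

# Arizona (Phoenix / Scottsdale) stays on MST, UTC-7, all year round.
MST = timezone(timedelta(hours=-7), name="MST")


def guess_unit(value: int) -> str:
    """Tell seconds, milliseconds and microseconds apart by magnitude; raw
    timestamp columns rarely say which unit they use."""
    if value < 10**11:
        return "seconds"
    if value < 10**14:
        return "milliseconds"
    return "microseconds"


def epoch_ms_to_utc(ms: int) -> str:
    """Render an epoch-milliseconds timestamp as a UTC string in the same
    style the write-up uses for the task 7 flag."""
    dt = datetime.fromtimestamp(ms / 1000, tz=timezone.utc)
    return dt.strftime("%a, %d %b %Y %H:%M:%S UTC")


def epoch_ms_to_mst(ms: int) -> str:
    """The same instant expressed in MST (UTC-7)."""
    dt = datetime.fromtimestamp(ms / 1000, tz=MST)
    return dt.strftime("%Y-%m-%d %H:%M:%S MST")


def days_active(first_seen: str, arrest: str, include_end: bool = True) -> int:
    """Days between two ISO dates. Counting the end date mirrors the
    'include end date' option on timeanddate.com used in task 4."""
    start = date.fromisoformat(first_seen)
    end = date.fromisoformat(arrest)
    if end < start:
        raise ValueError("arrest date precedes first-seen date")
    days = (end - start).days
    return days + 1 if include_end else days


if __name__ == "__main__":
    print(guess_unit(SAMPLE_TIMESTAMP_MS), epoch_ms_to_utc(SAMPLE_TIMESTAMP_MS))
    print(epoch_ms_to_mst(SAMPLE_TIMESTAMP_MS))
    print(days_active("2020-06-20", "2021-04-18"), "days")
```

Checking the unit first matters: feeding a millisecond value to a converter that expects seconds yields a date tens of thousands of years in the future, which is the usual sign that the wrong unit was assumed.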


8. What is the supplier's phone IMEI identifier?
  1. For this task, we were given an 'NSA' tool that allows us to look up cellphone registration history. The tool needs a latitude, a longitude and a date (in MST). Take the data extracted from the Calendar, either automatically by Belkasoft X or manually by yourself
  2. Feed every line into the lookup tool. For each query you get a list of the devices found, with their IMEIs. Copy the lists of IMEIs into an Excel spreadsheet and intersect them with a duplicates search (an IMEI that was found in more than one location). Only two IMEIs are common to all the locations: 350236009513272 and 332182208414842. One of those is Derek, the other is the supplier

Flag

332182208414842
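The intersection step from task 8, as an added Python example (not from the original write-up and not the lookup tool's code): the per-location IMEI lists are constructed sample data that include the two IMEIs the write-up names as common to every location, with made-up placeholder values for the rest. A Luhn check-digit test is included so that copy errors are caught before the lists are intersected, and a hit count generalises the "duplicates" idea to the case where no single device shows up at every location.

```python
from collections import Counter

# Constructed sample output of the lookup tool (not from the CTF image): one list
# of IMEIs per location/date query. The lat/lon labels are placeholders.
LOOKUP_RESULTS = {
    "location 1 (lat/lon placeholder, 2021-04-18 MST)": [
        "350236009513272", "332182208414842", "356938035643809", "490154203237518",
    ],
    "location 2 (lat/lon placeholder, 2021-04-18 MST)": [
        "332182208414842", "350236009513272", "356938035643809",
    ],
    "location 3 (lat/lon placeholder, 2021-04-18 MST)": [
        "350236009513272", "332182208414842", "490154203237518",
    ],
}


def luhn_valid(imei: str) -> bool:
    """Validate the IMEI check digit (Luhn algorithm over all 15 digits);
    a mistyped digit when copying into a spreadsheet fails this test."""
    if not (imei.isdigit() and len(imei) == 15):
        return False
    total = 0
    for i, ch in enumerate(reversed(imei)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def imeis_common_to_all(results: dict[str, list[str]]) -> set[str]:
    """Set intersection across every location: the same answer as the Excel
    duplicates search, but exact and repeatable."""
    sets = [set(v) for v in results.values()]
    return set.intersection(*sets) if sets else set()


def imei_hit_counts(results: dict[str, list[str]]) -> list[tuple[str, int]]:
    """Number of distinct locations each IMEI was seen at, most frequent first
    (ties broken by IMEI). A location counts once even if the tool repeats an IMEI."""
    counter: Counter = Counter()
    for imeis in results.values():
        counter.update(set(imeis))
    return sorted(counter.items(), key=lambda kv: (-kv[1], kv[0]))


def imeis_seen_at_least(results: dict[str, list[str]], k: int) -> list[str]:
    """IMEIs present at k or more locations, for the case where the suspect or
    supplier skipped one of the meetings."""
    return [imei for imei, n in imei_hit_counts(results) if n >= k]


if __name__ == "__main__":
    bad = [i for loc in LOOKUP_RESULTS.values() for i in loc if not luhn_valid(i)]
    print("IMEIs failing the check digit:", bad)
    print("common to all locations:", sorted(imeis_common_to_all(LOOKUP_RESULTS)))
    for imei, n in imei_hit_counts(LOOKUP_RESULTS):
        print(imei, "seen at", n, "locations")
```

The two IMEIs quoted in the write-up both pass the Luhn check, so a value that fails it after being copied from the tool is a transcription error rather than a real device.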

“I sure am proud to work with you sonny boy!” – The Chief smiled and delivered a handshake that has never been so strong. And, I bet, now he was not cunning. – “This isn’t the end of the story, though. Thanks to your efforts,” – he smiled – “well, mine too, we now have a pretty solid lead. We are as close to the Boss as ever before. Go get a good night's sleep, and we will continue this later. I'll give a call.”

Belkasoft CTF Certificate of Participation

BelkaCTF #2 (Drugdealer case)

Refer: https://belkasoft.com/ctf

Write-Up

Note: the content on this website is provided for informational and educational purposes only.

* If any of the information is in error, I apologise; please notify the Admin so it can be corrected.
Thank you.

#WindowsForensic #ComputerForensics #dfir #forensics #digitalforensics #computerforensic #investigation #cybercrime #fraud #CTF
