
Cellebrite Spring 2021 CTF - Part 1 - Marsha - PC

Cellebrite 2022 CTF!

Cellebrite decided to launch another CTF this year! Their last CTF was quite fun and helped me learn more about forensic methodology. Here’s the scenario for this year:

Beth Dutton was invited to the Vienna Inn in Vienna, VA on July 21st at 5:00 PM and was arrested while there. She was invited by Heisenberg. Police arrested her for grand theft. Upon questioning Beth, she revealed that her sister, Marsha Mellos introduced her to Heisenberg and that he was responsible for stealing cars and she and her sister were innocent. They are in the cattle business in Montana and got mixed up with the wrong guy. Marsha has both a PC and an iPhone. Beth had an iPhone and Heisenberg had an Android. The interest here is auto theft and selling. Cash transfers matter.

Marsha’s PC - Windows 10 - Build 19043

For the first set of challenges, we can’t use Cellebrite’s tools just yet. We’ll start with Magnet AXIOM.

Question 1 – 10pts

What is the Serial Number of the disk acquired?

To solve this challenge, we don’t even need to load the image. The answer can be found in Acquisition Log.txt.

/dev/sda serial

The serial number for /dev/sda is 170615BA93CC and is the solution for challenge 1.

Question 2 – 10pts

How did the user most recently sign into Windows?

The first approach is the Magnet Timeline view filtered to account activity. It shows when the last login happened, but not the logon type we need. Next we can check the registry. The logon UI records the last sign-in under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI (so it lives in the SOFTWARE hive), which can be opened in the Magnet registry viewer.

Registry path

The LastLoggedOnDisplayName value tells us who logged in (Marsha), and LastLoggedOnProvider records the credential provider that was used: {BEC09223-B018-416D-A0AC-523971B639F5}. Microsoft provides a handy table of the built-in credential provider CLSIDs here.

Providers table

And now we have the sign-in method: the credential provider BEC09223-B018-416D-A0AC-523971B639F5 is the Windows Biometric (fingerprint) provider. Note that these LogonUI values describe the most recent interactive logon only; they are overwritten on every sign-in, so they answer "how did the user last sign in" and nothing more.

fingerprint is the solution to the challenge.
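The same lookup done outside AXIOM, as an added example that is not part of the original post: it reads the LogonUI values from a SOFTWARE hive exported from the image using hivexget (from the hivex tools that ship with libguestfs) and translates the provider CLSID. It assumes the hive was exported to ./SOFTWARE. Only the fingerprint GUID comes from this page; the other three entries in the mapping are transcribed from Microsoft's credential provider table and should be checked against the current list before you rely on them.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): offline LogonUI lookup.
# Assumes: hivexget installed, SOFTWARE hive exported from the image to ./SOFTWARE.

LOGONUI_KEY='\Microsoft\Windows\CurrentVersion\Authentication\LogonUI'

# Map a credential-provider CLSID (with or without braces, any case) to a name.
# Fingerprint GUID is from the page; the others are from Microsoft's table (verify).
provider_name() {
  guid=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]' | tr -d '{}')
  case "$guid" in
    BEC09223-B018-416D-A0AC-523971B639F5) printf 'WinBio credential provider (fingerprint)' ;;
    60B78E88-EAD8-445C-9CFD-0B87F74EA6CD) printf 'PasswordProvider (password)' ;;
    D6886603-9D2F-4EB2-B667-1971041FA96B) printf 'PINLogonProvider (Windows Hello PIN)' ;;
    8AF662BF-65A0-4D0A-A540-A338A999D36F) printf 'FaceCredentialProvider (Windows Hello face)' ;;
    *)                                    printf 'unknown provider %s' "$1" ;;
  esac
}

# Read a single LogonUI value (e.g. LastLoggedOnProvider) from an offline hive.
# hivexget prints the raw value when a value name is given.
logonui_value() {
  hivexget "$1" "$LOGONUI_KEY" "$2"
}

# Summarise the last interactive logon recorded by LogonUI in the given hive.
last_logon() {
  hive=$1
  user=$(logonui_value "$hive" LastLoggedOnDisplayName)
  prov=$(logonui_value "$hive" LastLoggedOnProvider)
  printf '%s signed in via %s\n' "$user" "$(provider_name "$prov")"
}

# Usage: last_logon ./SOFTWARE
```

Because LogonUI is a plain registry key, the same three calls work against any exported SOFTWARE hive, not only AXIOM cases; the hive must be the one from the system volume, not a user's NTUSER.DAT.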

Question 3 – 10pts

Someone stole a truck and left his inmate card behind. What is his inmate number?

Now we need to find a card number. Since we aren't given any idea of the length or format of the number, we can make the educated guess that there is a picture of the card. When processing the case, I enabled Magnet.AI image categorization, which lets you sort images that may contain drugs, documents, IDs, and so on. Unfortunately, no image of an inmate card was categorized under Card/ID. However, several images point to where we should look. One is a photo of a SIM packaging card stored in C:\Users\marsh\OneDrive\Pictures\Camera Roll. Looking around these directories, one finds a Pictures\Screenshots directory with several images, one of them being an inmate card!

Inmate card

The inmate number and solution is 2101460.

Question 4 – 10pts

What is the serial number of the last USB drive connected to the device, excluding acquisition tools?

When a question involves time, one of the first places to go is the timeline. In Magnet we can sort the timeline newest-first and filter to USB device usage only. The most recent device shows the following details:

Last USB

Since the manufacturer is listed as BlackBag, a forensics company now owned by Cellebrite, this is almost certainly the acquisition device, which the question tells us to exclude. Continuing down the timeline of devices, the next one is a Toshiba USB 3.0 flash drive.

Other last USB

The listed serial number is 20151017004222F. This is the solution!

(Note: you may have noticed the "&" and the character after it following the serial in the image. That suffix is not part of the serial and is not a parsing error: Windows appends "&<n>" to the device instance ID (the USBSTOR enumerator typically appends "&0" for the first LUN), so the serial proper is everything before the "&". The opposite case is worth knowing too: if the second character of an instance ID is "&", the device reported no serial at all and Windows generated the ID itself.)

Question 5 – 10pts

What is the only camera model that was found within a picture created by the user browsing the Internet? e.g. 1 3 01-22-2019 19:46

Magnet AXIOM Examine keyword searches include image (EXIF) metadata, so we can simply search for common camera manufacturers. Searching for "canon" reveals a single cached image whose metadata contains the camera model:

Camera

The camera model in the metadata is a Canon EOS 5D Mark II and is the solution to this challenge!

Question 6 – 10pts

What two email addresses were found in web forms? Format: [email address] [email address] e.g. john@gmail.com ryan@gmail.com

Once again, keyword search and filtering work to our advantage. Searching for the "@" character and filtering to the 'Web Related' category shows the first email in the Chrome autofill data:

Chrome

No other user-related emails come back though. Searching for common email domain names within Web Related and form content didn't turn up anything either. Finally, filtering web-related content for the keyword "email" together with the URL-encoded "@" character (%40) revealed another email in the carved WebKit browser history:

Another email

Hmmmm. Seeing as this is a Cellebrite email address, one would think it might not be an intended solution, but submitting marsha4mellos@gmail.com sydney.peason@cellebrite.com reveals it is indeed the intended solution!

Question 7 – 20pts

What is the content of a user-made file where the file extension is a mismatch?

For this challenge, I accidentally stumbled upon the answer while trying to solve challenge #3. Browsing around C:\Users\marsh, there is a Google Drive folder containing a file titled Figure it out.zip. AXIOM Examine immediately flags that something is off with the file:

Zip file?

The file is actually a plain text file containing the ASCII text Huh this is a test, and that text is the solution to challenge 7! AXIOM flags it because the file signature (its first bytes) does not match what the .zip extension promises: a ZIP archive begins with the local file header bytes "PK\x03\x04", while this file begins with readable text.
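A minimal version of that extension-versus-signature check, as an added example that is not code from the original post or from AXIOM: it compares the leading bytes of each file with the magic expected for its extension and reports mismatches. The two sample files the demo creates (a text file wearing a .zip extension, and a file with a genuine ZIP header) are constructed here for illustration; the magic values are the standard ones for those formats.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): flag files whose extension does
# not match their file signature, the check that exposed "Figure it out.zip".

# Expected leading bytes (lowercase hex) for a few common extensions.
expected_magic() {
  b=${1##*/}                      # basename, so dots in directory names are ignored
  case "$(printf '%s' "${b##*.}" | tr '[:upper:]' '[:lower:]')" in
    zip|docx|xlsx|pptx|jar|apk) printf '504b0304' ;;   # "PK\003\004" local file header
    png)      printf '89504e47' ;;                      # "\211PNG"
    jpg|jpeg) printf 'ffd8ff' ;;                        # JPEG SOI marker
    pdf)      printf '25504446' ;;                      # "%PDF"
    gif)      printf '474946' ;;                        # "GIF"
    *)        printf '' ;;                              # no rule for this extension
  esac
}

# First 8 bytes of a file as lowercase hex with no separators.
header_hex() {
  head -c 8 "$1" | od -An -tx1 | tr -d ' \n'
}

# Exit status: 0 = signature matches, 1 = mismatch, 2 = no rule for the extension.
extension_matches() {
  want=$(expected_magic "$1")
  [ -z "$want" ] && return 2
  case "$(header_hex "$1")" in
    "$want"*) return 0 ;;
    *)        return 1 ;;
  esac
}

# Walk a directory tree and print one line per mismatching file.
scan_mismatches() {
  find "$1" -type f | while IFS= read -r f; do
    rc=0; extension_matches "$f" || rc=$?
    if [ "$rc" -eq 1 ]; then
      printf 'MISMATCH: %s (starts with %s)\n' "$f" "$(header_hex "$f")"
    fi
  done
}

# Demo on constructed sample files (not from the case image).
demo() {
  d=$(mktemp -d)
  printf 'Huh this is a test' > "$d/Figure it out.zip"   # text in .zip clothing
  printf '\120\113\003\004rest' > "$d/real.zip"          # genuine ZIP local file header
  scan_mismatches "$d"
  rm -rf "$d"
}
```

Two caveats a practitioner would want: an empty ZIP starts with "PK\x05\x06" (end-of-central-directory record) rather than "PK\x03\x04", so a stricter tool should accept both, and a signature match only says the header is plausible; it does not prove the rest of the file is a valid archive.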

Question 8 – 20pts

The target captured a sports game that took place in April 2014. What was the name of the venue (at that time) and the name of the guest team? Format: [Name of stadium] [guest team] eg: Mercedes Benz Stadium Atlanta Falcons

This one seems easy enough. Select the Media category, then set the date/time filter to 4/1/2014 through 4/30/2014. This leaves a single .MOV file recording the game that day:

Stadium game

Looking at the footage, we can see the stadium name in the background!

Stadium name

This is CenturyLink Field. A quick Google search for the date the video was taken shows the match was the Seattle Sounders vs. the Colorado Rapids.

Using the specified format, the solution is Centurylink Field Colorado Rapids!

Question 9 – 20pts

How many unique acquisition tools were recognized by Marsha’s PC, how many times did the acquisition tools connect, and when was the last time an acquisition tool was connected? Format: [unique #] [total #] MM-DD-YYYY HH:MM e.g. 1 3 01-22-2019 19:46

Unfortunately, I was unable to solve this challenge. Will update when I have solved it.

Question 10 – 50pts

What is the Windows Hello PIN code of the user signed into the Windows PC with a Microsoft account?

Cool, we need to break a Windows Hello PIN. Researching how to crack one leads to the WINHELLO2hashcat GitHub repo: a Python script that produces a hash Hashcat can crack. Per the README and a few other tutorials, we first need to export some files and folders from the image and pass them to the tool. One caveat before you start: the tool only works when the Hello container is software-backed. If the PIN's keys are protected by a TPM, the material needed to reconstruct the hash is not on disk.

Argument      Path
--cryptokeys  C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys
--masterkey   C:\Windows\System32\Microsoft\Protect\S-1-5-18\User
--ngc         C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Ngc
--system      C:\Windows\System32\config\SYSTEM
--security    C:\Windows\System32\config\SECURITY
--software    C:\Windows\System32\config\SOFTWARE

Once we have those, we can run the tool to get the pin hash.

Hash

Then we pass the hash file to Hashcat. Hashcat needs the mode for Windows Hello PIN/Password (-m 28100), an attack type (-a 3 for a mask attack), the mask (?d?d?d?d for a four-digit PIN), the file containing the hash and an output file. However, Hashcat exhausts all four-digit codes without finding the PIN. Trying a six-digit mask (?d?d?d?d?d?d) works!

Hash cracked

The Windows Hello pin and the solution to this challenge is 134679!
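The whole pipeline as one script, added here as an example rather than taken from the original post or from the WINHELLO2hashcat project. It assumes the six artifacts from the table above were exported to ./export with their original leaf names, that WINHELLO2hashcat.py and hashcat are on the path, and it replaces the manual "try four digits, then six" step with Hashcat's --increment option so a single run covers PIN lengths four through eight. The outfile line used in the comments is constructed.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): Windows Hello PIN recovery with
# WINHELLO2hashcat and hashcat mode 28100, covering several PIN lengths at once.
# Assumes the exported artifacts live under $EXPORT with their original names.

EXPORT=${EXPORT:-./export}
HASHFILE=${HASHFILE:-winhello.hash}
OUTFILE=${OUTFILE:-cracked.txt}

# Build a hashcat mask of N digits ("?d" = 0-9), e.g. pin_mask 6 -> ?d?d?d?d?d?d
pin_mask() {
  n=$1; m=''
  while [ "$n" -gt 0 ]; do m="$m?d"; n=$((n - 1)); done
  printf '%s' "$m"
}

# Step 1: turn the exported artifacts into a hashcat-format hash.
extract_hash() {
  python3 WINHELLO2hashcat.py \
    --cryptokeys "$EXPORT/Keys" \
    --masterkey  "$EXPORT/User" \
    --ngc        "$EXPORT/Ngc" \
    --system     "$EXPORT/SYSTEM" \
    --security   "$EXPORT/SECURITY" \
    --software   "$EXPORT/SOFTWARE" > "$HASHFILE"
}

# Step 2: mask attack over numeric PINs of length min..max in one run.
# --increment walks the mask from --increment-min up to --increment-max characters,
# so the 4-digit space is exhausted before the 6-digit space is tried.
crack_pin() {
  min=${1:-4}; max=${2:-8}
  hashcat -m 28100 -a 3 --increment --increment-min "$min" --increment-max "$max" \
    -o "$OUTFILE" "$HASHFILE" "$(pin_mask "$max")"
}

# Step 3: hashcat's outfile is "hash:plain" by default; print just the PIN.
# Constructed example line: EXAMPLEHASH:134679 -> 134679
recovered_pin() {
  awk -F: 'NF { print $NF }' "${1:-$OUTFILE}"
}

# Usage: extract_hash && crack_pin 4 8 && recovered_pin
```

If the run exhausts eight digits without a hit, the PIN is either longer or not purely numeric (Windows Hello allows letters and symbols when policy permits); widen --increment-max or switch the mask to ?a before assuming the hash is wrong.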

Question 11 – 100pts

What is the Personal Meeting ID of the Zoom user account holder?

Sadly, this question went unsolved as well. Again, will update if I get it figured out.

Question 12 – 100pts

What is the password for the URL containing a private IPv4 address in Microsoft Edge web browser’s saved logins? (Case Sensitive)

I ended up solving this challenge after the CTF ended, but it was still a fun solve. As far as my research went, there is no easy way to decrypt Edge's saved passwords offline: they are protected with the user's DPAPI master key, which needs the account password rather than the PIN. It can be done, though, if we can log into the machine. Which we can! Using FTK Imager's image mounting and VMware Workstation, we can mount the E01 and boot a VM of Marsha's machine (work from a copy of the image, or keep the mount read-only, so the evidence is not altered). Here is the tutorial I used. After that, simply log into the machine using the Windows Hello PIN we found earlier, open Edge, go to Settings > Passwords, and reveal the password. That the PIN works inside a VM also confirms the Hello container was software-backed rather than TPM-bound, the same condition WINHELLO2hashcat relied on.

Pass

The password used to log into 104.106.102:9997 was NPaacYaE.

This post is licensed under CC BY 4.0 by the author.