- Name: Nyong Coin
- Author: extr
- Category: Forensics
- Point: 140
- Download: https://1drv.ms/u/s!At0nZXK3fObIgoQAMtilBAZd017Klg?e=7VKBqz
- Scenario
'Kim' is the CEO of the cryptocurrency exchange 'A'. He asked the management team for the full transaction history of 'NYONG coin' traded in a specific period. 'Lee', a member of the management team who hates 'Kim', delivered a maliciously manipulated transaction history to 'Kim' on a USB. Analyze the USB and find the one manipulated transaction in there! Flag: ACSC{lowercase(MANIPULATED_TRANSACTION_ID)}
Excel uses shared strings so that cells with identical content in different locations can refer to a single stored string. This is presumably done to save resources, and the shared strings table is stored inside the compressed xlsx package as xl/sharedStrings.xml.
sharedStrings.xml changes whenever cells are added, deleted or modified. In particular, new entries are appended at the bottom of sharedStrings.xml when cells are added or updated.
This implies that the records appear in chronological order. This does not hold for some exceptional cases, such as formatted numbers and other format strings (date, currency, scientific, etc.).
As a result, it is still possible to identify the last modified cell content by examining sharedStrings.xml, even after the attacker has maliciously modified the Excel file.
- Open FTK Imager and load the E01 file (any tool that can open the E01 format will do).
- Treat the xlsx file as a zip archive (rename it to .zip and extract it), then go through the last entries of sharedStrings.xml one by one.
As seen in the image above, there are two kinds of tags inside <si>, namely <t> and <phoneticPr>. The phoneticPr element provides a phonetic hint for a string, and its value is specific to each string.
Interestingly, this phoneticPr element is only generated when the user types the data on the keyboard; it is not generated by copy and paste or similar operations.
By examining sharedStrings.xml of all the other files (every file except 20200715132932_20200816181652.xlsx), you can confirm that no phoneticPr element exists in them. This implies that all of their contents were copied and pasted, and that only 20200715132932_20200816181652.xlsx contains typed data.
- Conclusion
As a result, the malicious transaction is in 20200715132932_20200816181652.xlsx, and the forged Transaction ID is 8d77a554-dc64-478c-b093-da4493a8534d.
- ACSC{8d77a554-dc64-478c-b093-da4493a8534d}
- Name: BitLocker Artifact
- Author: extr
- Category: Forensics
- Point: 200
- Download: https://1drv.ms/u/s!At0nZXK3fObIgopDx3-m4oV94gn9rw?e=UeFwCv
- Scenario
Get the datetime at which the C drive was encrypted by BitLocker! Start: When the BitLocker Wizard was run (UTC+0, YYYY-MM-DD_HH:MM:SS) End: When encryption was completed by BitLocker (UTC+0, YYYY-MM-DD_HH:MM:SS) Flag: ACSC{Start_End} ex) ACSC{2021-05-06_12:00:01_2021-05-06_12:53:11}
- When the BitLocker Wizard was run
  - HKLM\SYSTEM\CurrentControlSet\Control\FVEStats\OsvEncryptInit
    - value: 132741897867405652
    - UTC TIME(+0): 2021-08-23 10:56:26
- When encryption was completed by BitLocker
  - HKLM\SYSTEM\CurrentControlSet\Control\FVEStats\OsvEncryptComplete
    - value: 132741901078561213
    - UTC TIME(+0): 2021-08-23 11:01:47
- ACSC{2021-08-23_10:56:26_2021-08-23_11:01:47}
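As an added example (not the author's code), the following Python script covers both write-ups: it lists the entries of xl/sharedStrings.xml in file order and flags those carrying a <phoneticPr> child, and it converts the FVEStats registry values, which are Windows FILETIME timestamps, into the UTC format the flag expects. The sharedStrings.xml package it parses is constructed inline with placeholder transaction IDs.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SML_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS = {"m": SML_NS}
# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def shared_strings(xlsx_bytes):
    """(index, text, typed) per <si>, in file order; typed = has <phoneticPr>."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as pkg:
        root = ET.fromstring(pkg.read("xl/sharedStrings.xml"))
    entries = []
    for idx, si in enumerate(root.findall("m:si", NS)):
        text = "".join(t.text or "" for t in si.iter("{%s}t" % SML_NS))
        typed = si.find("m:phoneticPr", NS) is not None
        entries.append((idx, text, typed))
    return entries

def typed_entries(xlsx_bytes):
    """Only the shared strings that were typed rather than pasted."""
    return [e for e in shared_strings(xlsx_bytes) if e[2]]

def filetime_to_utc(value):
    """FVEStats OsvEncryptInit/OsvEncryptComplete value -> aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)

def flag_timestamp(value):
    """Challenge format: YYYY-MM-DD_HH:MM:SS in UTC+0."""
    return filetime_to_utc(value).strftime("%Y-%m-%d_%H:%M:%S")

# Constructed stand-in for an xlsx package: only the member we parse is present,
# and the transaction IDs are placeholders, not values from the challenge files.
_SST = (
    '<sst xmlns="%s" count="4" uniqueCount="4">'
    "<si><t>Transaction ID</t></si>"
    "<si><t>PLACEHOLDER-PASTED-0001</t></si>"
    "<si><t>PLACEHOLDER-PASTED-0002</t></si>"
    '<si><t>PLACEHOLDER-TYPED-0003</t><phoneticPr fontId="1" type="noConversion"/></si>'
    "</sst>" % SML_NS
)
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as _z:
    _z.writestr("xl/sharedStrings.xml", _SST)
SAMPLE_XLSX = _buf.getvalue()

if __name__ == "__main__":
    print(typed_entries(SAMPLE_XLSX), flag_timestamp(132741897867405652))
```

Point shared_strings() at the bytes of a real xlsx and read its tail: the last entries are the most recently added or edited cells, and a typed entry among otherwise pasted ones is the cell to inspect first.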