
@iidx
Last active September 23, 2021 06:09
acsc2021_forensics

Nyong Coin

Description

  • Name: Nyong Coin

  • Author: extr

  • Category: Forensics

  • Point: 140

  • Download: https://1drv.ms/u/s!At0nZXK3fObIgoQAMtilBAZd017Klg?e=7VKBqz

  • Scenario

    'Kim' is the CEO of a cryptocurrency exchange 'A'. 
    He asked the management team for the full transaction history of 'NYONG coin' traded in a specific period.
    And here is 'Lee', a member of the management team who hates 'Kim', delivered a maliciously manipulated transaction history to 'Kim' in a USB.
    Analyze the USB and find one manipulated transaction in there!
    Flag: ACSC{lowercase(MANIPULATED_TRANSACTION_ID)}

Solution

Last modified cell in Excel

Excel uses shared strings in order to refer to identical cell contents from different locations. This is presumably done to save resources for Excel, and the shared strings are stored (compressed inside the .xlsx archive) in xl/sharedStrings.xml.

sharedStrings.xml is changed upon addition, deletion, and modifications of cells. In particular, these data are inserted at the bottom of the sharedStrings.xml when cells are added and updated.

This implies that these records are inserted in chronological order. However, this does not apply to some exceptional cases, such as formatted numbers or other format strings. (date, currency, scientific, etc.)

As a result, it is still possible to find out the last modified cell content by examining sharedStrings.xml, even after the attacker has maliciously modified the Excel file.

Real Solution

  1. Open FTK Imager and load the E01 file (you can use any method that loads the E01 format).

  2. Rename the .xlsx file to .zip, extract it, and go through the last entries of xl/sharedStrings.xml one by one.

As seen in the image above, there are two kinds of tags inside <si>, namely <t> and <phoneticPr>. The phoneticPr tag is used to provide a phonetic hint for a string, and its value is unique information recorded for each string.

Interestingly, this phoneticPr tag is only generated when the user types the data on the keyboard; it is not generated by copy-and-paste or similar input.

By examining sharedStrings.xml of all the other files (every file except 20200715132932_20200816181652.xlsx), you can confirm that the phoneticPr tag does not exist in them. This implies that all contents were copied and pasted, except in 20200715132932_20200816181652.xlsx.
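The two checks described above (walking the tail of sharedStrings.xml in insertion order, and looking for `<si>` entries that carry a `<phoneticPr>` tag) can be automated. The script below is an added example written for this writeup, not code from the original gist; it parses a sharedStrings.xml document, reports the last entries and the typed ones, and can read the XML straight out of an .xlsx archive with the standard `zipfile` module. The sample XML embedded in it is constructed for illustration and is not the challenge file.

```python
import zipfile
import xml.etree.ElementTree as ET

# Namespace used by xl/sharedStrings.xml in OOXML spreadsheets.
NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}
T_TAG = "{%s}t" % NS["m"]

# Constructed sample: three copy-pasted entries and one typed entry carrying
# a phoneticPr tag (the transaction ID is the one identified in the writeup).
SAMPLE_SHARED_STRINGS = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" count="4" uniqueCount="4">
  <si><t>Transaction ID</t></si>
  <si><t>aaaaaaaa-0000-0000-0000-000000000001</t></si>
  <si><r><t>aaaaaaaa-0000-</t></r><r><t>0000-0000-000000000002</t></r></si>
  <si><t>8D77A554-DC64-478C-B093-DA4493A8534D</t><phoneticPr fontId="1" type="noConversion"/></si>
</sst>
"""


def parse_shared_strings(xml_bytes):
    """Return (index, text, has_phonetic) for every <si> in document order.

    Document order is insertion order, which is what makes the tail of the
    file interesting. Rich-text runs (<r><t>..</t></r>) are concatenated so
    that a string split across runs still compares as one value.
    """
    root = ET.fromstring(xml_bytes)
    entries = []
    for idx, si in enumerate(root.findall("m:si", NS)):
        text = "".join(t.text or "" for t in si.iter(T_TAG))
        has_phonetic = si.find("m:phoneticPr", NS) is not None
        entries.append((idx, text, has_phonetic))
    return entries


def shared_strings_from_xlsx(path):
    """Read xl/sharedStrings.xml directly from an .xlsx (it is a zip archive)."""
    with zipfile.ZipFile(path) as zf:
        return parse_shared_strings(zf.read("xl/sharedStrings.xml"))


def last_entries(entries, n=5):
    """The most recently inserted shared strings."""
    return entries[-n:]


def typed_entries(entries):
    """Entries that carry a phoneticPr tag, i.e. were typed rather than pasted."""
    return [e for e in entries if e[2]]


def manipulated_transaction_id(entries):
    """Lower-cased text of the last typed entry, in the flag format the task asks for.

    Returns None when no entry carries a phoneticPr tag.
    """
    typed = typed_entries(entries)
    if not typed:
        return None
    return typed[-1][1].lower()


if __name__ == "__main__":
    entries = parse_shared_strings(SAMPLE_SHARED_STRINGS)
    for idx, text, typed in last_entries(entries):
        print(f"{idx:5d}  {'TYPED ' if typed else 'pasted'}  {text}")
    print("candidate:", manipulated_transaction_id(entries))
```

To run it against evidence, call `shared_strings_from_xlsx("path/to/file.xlsx")` for each spreadsheet and compare the output of `typed_entries`: a file whose shared strings contain no phoneticPr tag at all is consistent with the copy-and-paste origin described above, and a lone typed entry near the end of an otherwise pasted file is the anomaly to examine.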

  3. Conclusion

As a result, the malicious transaction can be found in 20200715132932_20200816181652.xlsx, and the forged Transaction ID is 8d77a554-dc64-478c-b093-da4493a8534d.

Flag

  • ACSC{8d77a554-dc64-478c-b093-da4493a8534d}

BitLocker Artifact

Description

  • Name: BitLocker Artifact

  • Author: extr

  • Category: Forensics

  • Point: 200

  • Download: https://1drv.ms/u/s!At0nZXK3fObIgopDx3-m4oV94gn9rw?e=UeFwCv

  • Scenario

    Get the datetime that C drive was encrypted by BitLocker!
    
    Start: When the BitLocker Wizard was run (UTC+0, YYYY-MM-DD_HH:MM:SS)
    End: When encryption was completed by BitLocker (UTC+0, YYYY-MM-DD_HH:MM:SS)
    
    Flag: ACSC{Start_End}
    ex) ACSC{2021-05-06_12:00:01_2021-05-06_12:53:11}

Solution

  • When the BitLocker Wizard was run
    • HKLM\SYSTEM\CurrentControlSet\Control\FVEStats\OsvEncryptInit
      • value: 132741897867405652
      • UTC TIME(+0): 2021-08-23 10:56:26
  • When encryption was completed by BitLocker
    • HKLM\SYSTEM\CurrentControlSet\Control\FVEStats\OsvEncryptComplete
      • value: 132741901078561213
      • UTC TIME(+0): 2021-08-23 11:01:47
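The two FVEStats values are Windows FILETIME timestamps (100-nanosecond ticks since 1601-01-01 UTC). The script below is an added example for this writeup, not part of the original gist; it converts the two values quoted above, formats them in the flag's `YYYY-MM-DD_HH:MM:SS` layout, and sanity-checks that completion does not precede initialisation. The `read_fvestats_live` helper is an assumption about how one would pull the same two values from a live Windows host with the standard `winreg` module; the analysis itself works offline from values exported from a SYSTEM hive.

```python
import sys
from datetime import datetime, timedelta, timezone

# FILETIME counts 100 ns intervals from this epoch.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Values taken from the writeup above.
OSV_ENCRYPT_INIT = 132741897867405652
OSV_ENCRYPT_COMPLETE = 132741901078561213

FVESTATS_KEY = r"SYSTEM\CurrentControlSet\Control\FVEStats"


def filetime_to_utc(filetime):
    """Convert a FILETIME integer to a timezone-aware UTC datetime."""
    if filetime < 0:
        raise ValueError("FILETIME must be non-negative")
    # 100 ns ticks -> microseconds (integer division drops sub-microsecond ticks).
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def flag_time(dt):
    """Format a datetime the way the challenge flag expects it."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%d_%H:%M:%S")


def bitlocker_flag(init_filetime, complete_filetime):
    """Build ACSC{Start_End} from the two FVEStats timestamps."""
    start = filetime_to_utc(init_filetime)
    end = filetime_to_utc(complete_filetime)
    if end < start:
        raise ValueError("OsvEncryptComplete precedes OsvEncryptInit; values are inconsistent")
    return "ACSC{%s_%s}" % (flag_time(start), flag_time(end))


def read_fvestats_live():
    """Read OsvEncryptInit/OsvEncryptComplete from the local registry (Windows only).

    Assumed helper for live triage; returns None on non-Windows hosts or when
    the key is absent (drive never encrypted with BitLocker).
    """
    if sys.platform != "win32":
        return None
    import winreg  # only available on Windows
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, FVESTATS_KEY) as key:
            init, _ = winreg.QueryValueEx(key, "OsvEncryptInit")
            complete, _ = winreg.QueryValueEx(key, "OsvEncryptComplete")
    except OSError:
        return None
    return init, complete


if __name__ == "__main__":
    print("init     :", filetime_to_utc(OSV_ENCRYPT_INIT))
    print("complete :", filetime_to_utc(OSV_ENCRYPT_COMPLETE))
    print(bitlocker_flag(OSV_ENCRYPT_INIT, OSV_ENCRYPT_COMPLETE))
    live = read_fvestats_live()
    if live:
        print("this host:", bitlocker_flag(*live))
```

The roughly five-minute gap between the two timestamps is what you would expect for a small or mostly empty volume; on a well-used drive the same pair of values brackets the whole encryption pass, which is why both are worth recording in an incident timeline.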

Flag

  • ACSC{2021-08-23_10:56:26_2021-08-23_11:01:47}