(121215) #fitalk 3rd holy shield forensics probs write-ups
FORENSIC INSIGHT; DIGITAL FORENSICS COMMUNITY IN KOREA
3rd HolyShield Forensics Probs Writeups
13lackc4t
http://13lackc4t.blog.me
Jeon Chang-bae
forensicinsight.org Page 2
Index
1. About Holyshield
2. Forensics 200
3. Forensics 300
4. Forensics 400
5. Q & A
About Holyshield
Overview
A hacking defense competition hosted by the Catholic University of Korea incident response team (CAT-CERT)
Held every year since 2010
16 problems set across a range of categories
Run as an online CTF
3rd HolyShield
16 Nov 2012 18:00 to 18 Nov 2012 06:00 (UTC+9:00)
Total prize money KRW 1,800,000
(1st KRW 1,000,000, 2nd KRW 500,000, 3rd KRW 300,000)
Problems: PACKET 1, WEB 5, REVERSING 4,
PWNABLE 3, FORENSICS 3
Two events were held
1st: Class is permanent
2nd: KAIST GoN
3rd: B10S
Forensics 200
Overview: Find the Key :)
Explanation (1): Identify filesystem
Explanation (2): Mount image
Explanation (3): Extract all files
Only one Adobe document file
Explanation (4): Context triggered piecewise hashing
Explanation (5): Get special string
This shows the original file's name, size and hash value
Explanation (6): ssdeep hash value in slack space
Explanation (7)
Make a file that stores the original file's hash value
Using ssdeep, find the file nearest to the original file
Explanation (8): Change the pic's width and height
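The Forensics 200 steps above (store the original file's fuzzy hash that was recovered from slack space, then let ssdeep rank the extracted files by similarity) rest on context-triggered piecewise hashing. The block below is an added educational reimplementation of that technique; it is not the write-up author's code and not the ssdeep tool, and its signatures are not compatible with ssdeep's (the second signature at the doubled block size and the 64-character cap are left out). The rolling hash, FNV piece hash and 3 * 2^k block sizes follow the spamsum design; the "original", "edited copy" and "unrelated" blobs are constructed and seeded inside the block.

```python
"""Simplified context-triggered piecewise hashing (the idea behind ssdeep).
Added example: not ssdeep itself, signatures are not ssdeep-compatible.
Sample data is constructed and seeded inside sample_files()."""
import random

WINDOW = 7                       # rolling-hash window, as in spamsum
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
FNV_INIT, FNV_PRIME = 0x28021967, 0x01000193
MAX_SIG_LEN = 64                 # target maximum signature length


class RollingHash:
    """Hash of the last WINDOW bytes.  It depends only on the window contents,
    so two streams that differ locally agree again WINDOW bytes later."""

    def __init__(self):
        self.win = [0] * WINDOW
        self.h1 = self.h2 = self.h3 = 0
        self.n = 0

    def update(self, c):
        self.h2 = (self.h2 - self.h1 + WINDOW * c) & 0xFFFFFFFF
        self.h1 = (self.h1 + c - self.win[self.n % WINDOW]) & 0xFFFFFFFF
        self.win[self.n % WINDOW] = c
        self.n += 1
        self.h3 = ((self.h3 << 5) ^ c) & 0xFFFFFFFF

    def value(self):
        return (self.h1 + self.h2 + self.h3) & 0xFFFFFFFF


def choose_block_size(length):
    """Smallest 3 * 2**k whose signature is expected to fit MAX_SIG_LEN chars."""
    bs = 3
    while bs * MAX_SIG_LEN < length:
        bs *= 2
    return bs


def ctph(data, block_size=None):
    """Return 'blocksize:signature'.  A character is emitted whenever the rolling
    hash hits its trigger value, so piece boundaries are chosen by content, not
    by fixed offsets: an edit only changes the characters of the pieces it touches."""
    bs = block_size or choose_block_size(len(data))
    roll, piece, sig = RollingHash(), FNV_INIT, []
    for c in data:
        roll.update(c)
        piece = ((piece * FNV_PRIME) ^ c) & 0xFFFFFFFF   # FNV-1 over the piece
        if roll.value() % bs == bs - 1:                   # trigger: close the piece
            sig.append(B64[piece & 63])
            piece = FNV_INIT
    if piece != FNV_INIT:                                 # flush the trailing piece
        sig.append(B64[piece & 63])
    return "%d:%s" % (bs, "".join(sig))


def levenshtein(a, b):
    """Plain edit distance (ssdeep weights the operations slightly differently)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def has_common_substring(a, b, n=WINDOW):
    """ssdeep refuses to score signatures without a common 7-char run, which
    keeps unrelated files at 0 instead of a noisy low score."""
    grams = {a[i:i + n] for i in range(len(a) - n + 1)}
    return any(b[i:i + n] in grams for i in range(len(b) - n + 1))


def compare(sig_a, sig_b):
    """Similarity 0..100.  Only equal block sizes are compared here."""
    bs_a, a = sig_a.split(":", 1)
    bs_b, b = sig_b.split(":", 1)
    if bs_a != bs_b or not has_common_substring(a, b):
        return 0
    return max(0, 100 - (100 * levenshtein(a, b)) // (len(a) + len(b)))


def rank_candidates(reference_sig, files):
    """Score every candidate (name -> bytes) against a stored reference hash,
    the way 'ssdeep -m hashes.txt *' does; best match first."""
    scored = [(compare(reference_sig, ctph(data)), name) for name, data in files.items()]
    return sorted(scored, reverse=True)


def sample_files():
    """Constructed, seeded sample: an original blob, a copy with 50 bytes
    rewritten, and two unrelated blobs (one of a different size)."""
    rng = random.Random(2012)

    def blob(n):
        return bytes(rng.getrandbits(8) for _ in range(n))

    original = blob(10752)
    edited = original[:4000] + blob(50) + original[4050:]
    files = {"copy_edited.bin": edited,
             "unrelated_a.bin": blob(10752),
             "unrelated_b.bin": blob(5000)}
    return original, files


if __name__ == "__main__":
    original, files = sample_files()
    reference = ctph(original)   # in the challenge this value came from slack space
    for score, name in rank_candidates(reference, files):
        print("%3d  %s" % (score, name))
```

The edited copy scores high because only the pieces overlapping the rewritten 50 bytes change; the unrelated blob of equal size is rejected by the common-substring rule, and the smaller one by the block-size mismatch, which is why a real ssdeep run also emits a second signature at the doubled block size.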
Behind
Context triggered piecewise hashing
Slack space
Number of pics?
Forensics 300
Overview
There is digital evidence collected from the secret informant's computer.
Find the secret file!
Below is the digital evidence collected from the leaker's computer.
Find the classified file!
Explanation (1): User Folder
Explanation (2): Under Downloads folder
• ~$p_Secret.doc -> MS Word file's temporary file
• $I30 -> stores the $FILE_NAME attributes of the entries in the current folder
Explanation (3): Identify the downloaded file's name
Explanation (4): Under "AppData\Roaming\Microsoft\Windows\Recent"
AutomaticDestinations -> Jumplist
CustomDestinations -> Jumplist
Explanation (5): Using Jumplister
MS Word file with the same name in a different place
Explanation (6)
Strange Date/Time -> pinned
upload.html ?
Explanation (7): URL -> Under construction
Explanation (8): Guess URL
-> http://210.126.48.191/1f2c346c024c87e1c8382e6556402d8a/Top_Secret.doc
Behind
Jumplist
Using egrep
Change Prob?
Forensics 400
Overview
A report was received that the aircraft control system of an international airport had been compromised by an external hacker group and that the Access key had been leaked.
Tracing it back, the intrusion was judged to have been carried out from an internal PC inside the airport; images and other data were obtained from the PC, which had been left powered on, and it appears that the Key was sent from this PC to a hacker called Lucifer.
Find the Key.
Explanation (1)
Memory
Disk
Explanation (2): Cannot identify filesystem
Explanation (3): Using Passware password recovery kit
Explanation (4)
Explanation (5): Zip file in send_to_lucifer.jpg
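For the "zip file in send_to_lucifer.jpg" step, the block below is an added example (not the write-up author's code; the JPEG and ZIP bytes are constructed inside it, and the challenge's file name is only used as a label). It finds where the picture really ends by walking the JPEG marker segments up to Start-Of-Scan and only then looking for the End-Of-Image marker, carves the ZIP that follows, and reports whether its members are password-protected, the signal that a password-recovery step (as with Passware above) is needed before extraction. The naive "first FF D9 in the file" check is kept beside it because an APP1/Exif segment can carry a thumbnail JPEG with its own End-Of-Image marker, which that check stops at.

```python
"""Carve a ZIP archive appended after a JPEG's image data.  Added example;
the sample JPEG and ZIP bytes are constructed in build_sample()."""
import io
import struct
import zipfile

JPEG_SOI, JPEG_EOI = b"\xff\xd8", b"\xff\xd9"
ZIP_LOCAL_HEADER, ZIP_EOCD = b"PK\x03\x04", b"PK\x05\x06"


def naive_jpeg_end(data):
    """First FF D9 in the file: wrong when an APP1/Exif segment embeds a
    thumbnail JPEG that has its own End-Of-Image marker."""
    return data.find(JPEG_EOI) + 2


def jpeg_end(data):
    """Offset just past the real End-Of-Image marker: walk the marker segments
    up to Start-Of-Scan, then scan the entropy-coded data for FF D9."""
    if not data.startswith(JPEG_SOI):
        raise ValueError("not a JPEG (no SOI)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:    # standalone markers
            pos += 2
            continue
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # length includes itself
        pos += 2 + length
        if marker == 0xDA:                                      # SOS: scan data follows
            break
    # In scan data FF is followed by 00 (stuffing) or D0-D7 (restart);
    # FF D9 here is the real EOI.
    while pos + 1 < len(data):
        if data[pos] == 0xFF and data[pos + 1] == 0xD9:
            return pos + 2
        pos += 1
    raise ValueError("no EOI found")


def carve_zip(data, start):
    """Bytes from the first local-file header at/after `start` through the
    End-Of-Central-Directory record and its comment, or None if absent."""
    begin = data.find(ZIP_LOCAL_HEADER, start)
    if begin < 0:
        return None
    eocd = data.rfind(ZIP_EOCD, begin)
    if eocd < 0:
        return None
    comment_len = struct.unpack("<H", data[eocd + 20:eocd + 22])[0]
    return data[begin:eocd + 22 + comment_len]


def inspect_zip(blob):
    """(name, uncompressed size, encrypted) per member.  General-purpose flag
    bit 0 marks a password-protected entry."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return [(i.filename, i.file_size, bool(i.flag_bits & 0x1)) for i in zf.infolist()]


def build_sample():
    """Constructed sample: SOI, an APP1 segment that itself contains FF D9 (as
    an Exif thumbnail would), a tiny SOS + scan with FF 00 stuffing and a
    restart marker, the real EOI, then an appended ZIP archive."""
    app1_payload = b"Exif\x00\x00" + b"\xff\xd8\x00\x00\xff\xd9"
    app1 = b"\xff\xe1" + struct.pack(">H", len(app1_payload) + 2) + app1_payload
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"
    image = JPEG_SOI + app1 + sos + scan + JPEG_EOI
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("key.txt", "constructed-sample-key")
    return image + buf.getvalue()


if __name__ == "__main__":
    sample = build_sample()            # stands in for send_to_lucifer.jpg
    end = jpeg_end(sample)
    print("naive EOI at %d, real EOI at %d" % (naive_jpeg_end(sample), end))
    for name, size, encrypted in inspect_zip(carve_zip(sample, end)):
        print("%s  %d bytes  encrypted=%s" % (name, size, encrypted))
```

Carving from the real image end rather than from the first PK signature in the file avoids false hits on "PK" byte pairs inside the picture data, and the encrypted flag tells the analyst up front whether the archive can be opened directly or has to go through password recovery first.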
Explanation (6)
Explanation (7): Send_to_lucifer is a Windows Journal file (*.jnt)
Behind
Cold boot attack
Question and Answer