Challenge Overview #
CTF Name: Allegretto
Category: Sherlock - DFIR
Active/Retired (at pwn): Active
Difficulty: Medium
Author: felamos
Date Released: 19 Jun 2025
Date Completed: 05 Aug 2025
CTF Link: https://app.hackthebox.com/sherlocks/Allegretto
Description #
We have been conducting surveillance on a suspected drug dealer known as Shadow. Recently, we obtained intelligence regarding his location, which led us to a flat in London. Upon executing a raid, we encountered a violent situation resulting in multiple casualties. During the operation, Shadow attempted to delete critical information from his computer to evade capture. However, we successfully apprehended him before he could cause significant damage. We have since recovered important files from his computer and would like you to analyze this data to determine his activities.
Files #
We get a zip file Allegretto.zip which contains around 1.5GB of files.
To inspect the general structure of the files (the first three layers of directories should tell us enough for a start):
tree -L 3 -d
.
├── Important collections
│ ├── KeePass
│ ├── LibreOffice
│ │ └── 4
│ ├── Others
│ │ ├── Documents
│ │ └── Pictures
│ ├── Proton Mail
│ │ ├── blob_storage
│ │ ├── Cache
│ │ ├── Code Cache
│ │ ├── Local Storage
│ │ ├── logs
│ │ ├── Network
│ │ ├── Partitions
│ │ └── Shared Dictionary
│ ├── Thunderbird
│ │ ├── Crash Reports
│ │ ├── Pending Pings
│ │ └── Profiles
│ ├── Tor Browser
│ │ └── Browser
│ └── Tor_History
├── Modules
│ ├── FileFolderAccess
│ ├── KeywordSearches
│ ├── LiveResponse
│ ├── ProgramExecution
│ ├── Registry
│ └── VolumeInformation
└── Target
└── C
├── $Extend
├── $Recycle.Bin
├── ProgramData
├── Users
└── Windows
38 directories
Tasks #
Answer 10 questions related to the recovered files.
[1] Which version of QGIS is being used by Shadow? #
QGIS is a geographic information system (GIS) software that is free and open-source. QGIS supports Windows, macOS, and Linux. It supports viewing, editing, printing, and analysis of geospatial data in a range of data formats. Its name comes from an abbreviation of its previous name, Quantum GIS.
https://en.wikipedia.org/wiki/QGIS
https://github.com/qgis/QGIS
On Windows, QGIS stores user-specific data and settings within the AppData\Roaming\QGIS\QGIS3 directory within your user profile.
Using grep for a keyword usually never disappoints…
grep -r qgis
---snip---
Modules/ProgramExecution/20240923153208_Amcache_AssociatedFileEntries.csv:QGIS 3.34.11 'Prizren',000093b774f77d55c4353ec647ca619b816700000904,2024-09-23 11:22:23.2126249,e1396047cd8e90f0d8060dd1d1b29f89c00bffcb,False,c:\program files\qgis 3.34.11\apps\grass\grass84\bin\v.lidar.correction.exe,v.lidar.correction.exe,.exe,2024-08-05 10:56:46.0000000,grass 8,224467,8.4.0,8.4.0,,pe64_amd64,False,8.4.0.0,8.4.0.0,449387992,1033,
---snip---
This strongly suggests the version used is 3.34.11.
We also can’t ignore: Modules/ProgramExecution/20240923153208_Amcache_AssociatedFileEntries.csv
It is one of the files in Modules/ProgramExecution:
PECmd_Output.csv - Parsed execution info from .pf (Prefetch) files: run history, execution paths.
PECmd_Output_Timeline.csv - Same as above, but organized chronologically for timeline analysis.
Amcache_ProgramEntries.csv - Installed programs (paths, hashes, timestamps).
Amcache_AssociatedFileEntries.csv - Files linked to installed programs, often DLLs or EXEs.
Amcache_UnassociatedFileEntries.csv - Files observed in Amcache but not linked to a known program.
Amcache_DriveBinaries.csv - Executables run from external drives.
Amcache_DriverPackages.csv - Info about installed drivers and INF files.
Amcache_DeviceContainers.csv - USB and other device metadata (make, model, serial).
Amcache_DevicePnps.csv - Plug and Play device metadata from Amcache.
Amcache_ShortCuts.csv - Shortcut (.lnk) file metadata.
So at some point during the analysis it might be useful to check for any installed exe files on the system:
cat Modules/ProgramExecution/20240923153208_Amcache_AssociatedFileEntries.csv | grep -oE '\b[A-Za-z0-9._-]+\.exe\b' | sort | uniq
7za.exe
appinstallerelevatedappserviceclient.exe
AppInstallerElevatedAppServiceClient.exe
appinstaller.exe
AppInstaller.exe
appinstallerfulltrustappserviceclient.exe
---snip
xxmklink.exe
yourphoneappproxy.exe
YourPhoneAppProxy.exe
yourphone.exe
YourPhone.exe
Anyways, QGIS version = 3.34.11
[2] What is the Shadow’s Darkmail email address? #
Here it is clear we have to snoop around his user folder (Target/C/Users/Shadow):
Target/C/Users/shadow$ tree -d
.
├── AppData
│ ├── Local
│ │ ├── ConnectedDevicesPlatform
│ │ │ └── 446580ec21cb3fe7
│ │ ├── Microsoft
│ │ │ ├── Edge
│ │ │ │ └── User Data
│ │ │ │ └── Default
│ │ │ │ ├── Cache
│ │ │ │ │ └── Cache_Data
│ │ │ │ ├── Collections
│ │ │ │ └── Sessions
│ │ │ ├── Internet Explorer
│ │ │ │ └── CacheStorage
│ │ │ └── Windows
│ │ │ ├── Explorer
│ │ │ ├── INetCache
│ │ │ │ └── IE
│ │ │ │ ├── 4YZEQC1P
│ │ │ │ ├── H16679CY
│ │ │ │ ├── IP172ZUS
│ │ │ │ └── U6PARRM1
│ │ │ ├── INetCookies
│ │ │ └── WebCache
│ │ └── Mozilla
│ │ └── Firefox
│ │ └── Profiles
│ │ └── oyeydbsh.default-release
│ │ ├── cache2
│ │ │ ├── entries
│ │ │ ├── trash17036
│ │ │ └── trash31079
│ │ ├── jumpListCache
│ │ ├── personality-provider
│ │ ├── safebrowsing
│ │ │ └── google4
│ │ ├── settings
│ │ │ └── main
│ │ │ └── ms-language-packs
│ │ │ └── browser
│ │ │ └── newtab
│ │ ├── startupCache
│ │ └── thumbnails
│ ├── LocalLow
│ │ ├── Google
│ │ │ └── GoogleEarth
│ │ └── Microsoft
│ │ └── CryptnetUrlCache
│ │ ├── Content
│ │ └── MetaData
│ └── Roaming
│ ├── Microsoft
│ │ ├── Internet Explorer
│ │ │ └── Quick Launch
│ │ │ └── User Pinned
│ │ │ └── TaskBar
│ │ ├── Protect
│ │ │ └── S-1-5-21-3718134835-1919426685-3059265731-1002
│ │ └── Windows
│ │ ├── Recent
│ │ │ ├── AutomaticDestinations
│ │ │ └── CustomDestinations
│ │ └── Start Menu
│ │ └── Programs
│ ├── Mozilla
│ │ └── Firefox
│ │ └── Profiles
│ │ └── oyeydbsh.default-release
│ │ ├── bookmarkbackups
│ │ └── sessionstore-backups
│ └── Thunderbird
│ ├── Crash Reports
│ └── Profiles
│ └── ka48xic2.default-esr
│ ├── calendar-data
│ └── ImapMail
│ └── mail.darkmail.htb
└── Desktop
79 directories
An interesting folder appears: mail.darkmail.htb:
Target/C/Users/shadow$ cd $(find . -name "mail.darkmail.htb")
...ka48xic2.default-esr/ImapMail/mail.darkmail.htb$ ls
INBOX
...ka48xic2.default-esr/ImapMail/mail.darkmail.htb$ cat INBOX
From
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <marcus@darkmail.htb>
X-Original-To: shadow152535@darkmail.htb
---snip---
From here it is clear which email address shadow uses. However, if a list of all addresses appearing in shadow's Thunderbird INBOX is needed:
cat INBOX | grep -oE '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}' | sort | uniq
20240922125403.124B31790@mail.darkmail.htb
20240922131325.05A1F1790@mail.darkmail.htb
20240922182505.48E537279@mail.darkmail.htb
20240922183914.A9D79179E@mail.darkmail.htb
8188fc07-72dc-445f-9e41-3b599f8c7155@darkmail.htb
MAILER-DAEMON@darkmail.htb
marcus@darkmail.htb
mark.chan@darkmail.htb
shadow152535@darkmail.htb
Shadow’s email: shadow152535@darkmail.htb
[3] What is Shadow’s Bitcoin address? #
While we are still analyzing his INBOX, we can look for it there. The INBOX contains the line:
BTC Address: *39tjYdCgsmko1uqW1uiE7sKEZZxhHo2UmK*
BTC Address: 39tjYdCgsmko1uqW1uiE7sKEZZxhHo2UmK
[4] What is the onion URL for the SilkRoad where Shadow sells drugs? #
There is an Important collections/Tor_History/ folder which might help us here.
Important collections/Tor_History$ ls
bookmarks-2024-10-09.json
Important collections/Tor_History$ cat bookmarks-2024-10-09.json
{"guid":"root________","title":"","index":0,"dateAdded":172699565 ---snip---
This is unformatted JSON; to make it easier to read, use Python's json.tool:
cat bookmarks-2024-10-09.json | python3 -m json.tool
{
"guid": "root________",
"title": "",
"index": 0,
"dateAdded": 1726995657528000,
"lastModified": 1726995658340000,
"id": 1,
"typeCode": 2,
---snip---
"id": 6,
"typeCode": 2,
"type": "text/x-moz-place-container",
"root": "mobileFolder"
}
]
}
To get the list of onion links along with the titles:
cat bookmarks-2024-10-09.json | python3 -m json.tool | grep -E "\"title\"|\"uri\""
---snip---
"title": "Learn more about Tor",
"uri": "http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion/"
"title": "The Tor Blog",
"uri": "http://pzhdfe7jraknpj2qgu5cz2u3i4deuyfwmonvzu5i3nyw4t4bmg7o5pad.onion/"
"title": "Tor Support portal - Get help",
"uri": "http://rzuwtpc4wb3xdzrj3yeajsvm3fkq4vbeubm2tdxaqruzzzgs5dwemlad.onion/"
"title": "Tor Browser Manual",
"uri": "about:manual"
"title": "Tor Community - Get Involved",
"uri": "http://xmrhfasfg5suueegrnc4gsgyi2tyclcy5oz7f5drnrodmdtob6t2ioyd.onion/"
"title": "Tor Project Forum",
"uri": "http://v236xhqtyullodhf26szyjepvkbv6iitrhjgrqj4avaoukebkk6n6syd.onion/"
"title": "Donate - Keep Tor Strong",
"uri": "https://donate.torproject.org/"
"title": "Circumvent Censorship, Get Bridges",
"uri": "http://yq5jjvr7drkjrelzhut7kgclfuro65jjlivyzfmxiq2kyv5lickrl4qd.onion/"
---snip
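The grep above loses the folder each bookmark sits in and leaves dateAdded as raw microseconds. As an added example (not part of the write-up), the Python below walks the bookmarks backup tree recursively, converts the PRTime values and lists only the .onion entries; the tree it runs on is a constructed stand-in for bookmarks-2024-10-09.json.

```python
"""Flatten a Firefox/Tor Browser bookmarks backup JSON into rows.

Added example, not part of the original write-up. The backup is a tree of
folders ("children" lists) whose leaves carry "uri" and "title"; dateAdded and
lastModified are PRTime values (microseconds since the Unix epoch). SAMPLE is a
constructed stand-in for bookmarks-2024-10-09.json.
"""
import json
from datetime import datetime, timezone
from urllib.parse import urlparse


def prtime_to_utc(micros):
    """PRTime (microseconds since 1970-01-01 UTC) -> 'YYYY-MM-DD HH:MM:SS' in UTC."""
    return datetime.fromtimestamp(micros // 1_000_000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def walk_bookmarks(node, folder=""):
    """Recursively collect bookmarks, keeping the folder path each one lives in."""
    if "uri" in node:  # a leaf bookmark
        return [{"folder": folder, "title": node.get("title", ""), "uri": node["uri"],
                 "added": prtime_to_utc(node.get("dateAdded", 0))}]
    label = node.get("title") or node.get("root", "")
    path = folder + "/" + label if label else folder
    rows = []
    for child in node.get("children", []):
        rows.extend(walk_bookmarks(child, path))
    return rows


def onion_bookmarks(node):
    """(title, uri) for every bookmark whose host is an .onion address."""
    return [(r["title"], r["uri"]) for r in walk_bookmarks(node)
            if (urlparse(r["uri"]).hostname or "").endswith(".onion")]


def load_backup(path):
    """Read a plain-JSON backup from disk (a .jsonlz4 backup needs dejsonlz4 first)."""
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


# Constructed sample mirroring the structure seen in the write-up.
SAMPLE = {
    "guid": "root________", "title": "", "root": "placesRoot", "typeCode": 2,
    "dateAdded": 1726995657528000,
    "children": [
        {"guid": "toolbar_____", "title": "Bookmarks Toolbar", "root": "toolbarFolder",
         "typeCode": 2, "children": [
             {"guid": "bk000001", "title": "Learn more about Tor", "typeCode": 1,
              "dateAdded": 1726995657528000,
              "uri": "http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion/"},
             {"guid": "bk000002", "title": "Tor Browser Manual", "typeCode": 1,
              "dateAdded": 1726995657528000, "uri": "about:manual"},
         ]},
        {"guid": "mobile______", "title": "mobile", "root": "mobileFolder",
         "typeCode": 2, "children": []},
    ],
}

if __name__ == "__main__":
    for row in walk_bookmarks(SAMPLE):
        print(row["added"], row["folder"], row["title"], row["uri"])
```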
No mentions of SilkRoad though. Should probably try looking in the INBOX again, since shadow talked about some transaction with marcus. No hit there either.
Addresses in the onion TLD are generally opaque, non-mnemonic, alpha-numerical strings which are automatically generated based on a public key when an onion service is configured. Formerly 16 characters long prior to V2 onion services being made obsolete by V3 services, which are 56 characters long.
https://en.wikipedia.org/wiki/.onion
Since v3 onion addresses are 56 characters long, we can easily search for any such links on shadow's computer (these strings consist of lowercase letters and the digits 2 to 7, per the wiki):
grep -r -oE 'http[s]?://[a-z2-7]{56}\.onion'
Important collections/Tor_History/bookmarks-2024-10-09.json:http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion
Important collections/Tor_History/bookmarks-2024-10-09.json:http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion
Important collections/Tor_History/bookmarks-2024-10-09.json:http://pzhdfe7jraknpj2qgu5cz2u3i4deuyfwmonvzu5i3nyw4t4bmg7o5pad.onion
---snip---
Important collections/Thunderbird/Profiles/ka48xic2.default-esr/Mail/Local Folders/Drafts:http://silkroadm5oqzuz3yq7pvwvinvyzeg2wnpnw3t4cyrsggrcgqfy2ptid.onion
---snip---
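A 56-character match only tests the shape of a v3 address. As an added example (not from the write-up), this Python also checks the version byte and SHA3-256 checksum that every genuine v3 address embeds, which lets you triage greps like the one above for truncated or mistyped strings; the key and sample text are constructed, and the write-up's own hits can be passed to find_onions().

```python
"""Find and validate v3 onion addresses in text.

Added example, not from the write-up. A v3 address is base32(PUBKEY[32] ||
CHECKSUM[2] || VERSION[1]) with VERSION = 0x03 and CHECKSUM =
SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2] (Tor rend-spec-v3), so a
56-character match can be checked for internal consistency, not only shape.
The key and text below are constructed.
"""
import base64
import hashlib
import re

ONION_RE = re.compile(r"\b([a-z2-7]{56})\.onion\b")
VERSION = b"\x03"


def v3_checksum(pubkey, version=VERSION):
    """Two-byte checksum Tor embeds in every v3 address."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]


def encode_v3(pubkey):
    """Build the .onion address for a 32-byte ed25519 public key."""
    raw = pubkey + v3_checksum(pubkey) + VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def validate_v3(address):
    """True only if length, alphabet, version byte and checksum all agree."""
    label = address.lower()
    if label.endswith(".onion"):
        label = label[:-len(".onion")]
    if not re.fullmatch(r"[a-z2-7]{56}", label):
        return False
    raw = base64.b32decode(label.upper())  # 56 chars -> exactly 35 bytes, no padding
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    return version == VERSION and checksum == v3_checksum(pubkey)


def find_onions(text):
    """Every 56-char onion label in text, paired with its validation result."""
    return [(m.group(1) + ".onion", validate_v3(m.group(1))) for m in ONION_RE.finditer(text)]


# Constructed key: a real address is derived from a random ed25519 public key.
SAMPLE_PUBKEY = bytes(range(32))
SAMPLE_ADDRESS = encode_v3(SAMPLE_PUBKEY)
# Same label with its last character changed: the version byte no longer decodes to 3,
# which is why every real v3 address ends in "d" before ".onion".
BROKEN_ADDRESS = SAMPLE_ADDRESS[:-7] + "a" + ".onion"
SAMPLE_TEXT = ("Seen in a draft: http://" + SAMPLE_ADDRESS + "/?road and a typo "
               "http://" + BROKEN_ADDRESS + "/ pasted next to it.")

if __name__ == "__main__":
    for addr, ok in find_onions(SAMPLE_TEXT):
        print("valid" if ok else "INVALID", addr)
```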
We found a silkroadm5oqzuz3yq7pvwvinvyzeg2wnpnw3t4cyrsggrcgqfy2ptid.onion in shadow’s Thunderbird drafts where he was asking for it:
---snip---
Please don't tell him, I am almost done with my setup for new laptop tho I have lost so many accounts so I am creating new ones. Could you also please send me the drugs onion urls? I forgot which one we used for the southern clients. All of them look exactly the same? bloody mate?
---snip---
[5] Based on the cookie’s last access, when was the last time Shadow visited the Silk Road website using its onion domain? #
Find all occurrences of the link on shadow's computer; this leads us to the browser's storage:
grep -r http://silkroadm5oqzuz3yq7pvwvinvyzeg2wnpnw3t4cyrsggrcgqfy2ptid.onion
grep: Important collections/Tor Browser/Browser/TorBrowser/Data/Browser/profile.default/sessionstore-backups/previous.jsonlz4: binary file matches
grep: Important collections/Tor Browser/Browser/TorBrowser/Data/Browser/profile.default/favicons.sqlite: binary file matches
---snip---
previous.jsonlz4 might be helpful.
In Tor Browser, the sessionstore-backups/ directory stores backups of your browsing session, primarily to recover tabs and windows after a crash or unexpected shutdown. I am not positive this will give us a time though.
Decompress Mozilla Firefox bookmarks backup files
Current Firefox bookmarks backup files are stored in a non-standard file format based on lz4 compression. These files have a .jsonlz4 extension. Use dejsonlz4 to decompress them. - https://github.com/avih/dejsonlz4
Important collections/Tor Browser$ dejsonlz4 Browser/TorBrowser/Data/Browser/profile.default/sessionstore-backups/previous.jsonlz4 | python3 -m json.tool
{
"version": [
"sessionrestore",
1
],
"windows": [
{
"tabs": [
{
"entries": [
{
"url": "http://silkroadm5oqzuz3yq7pvwvinvyzeg2wnpnw3t4cyrsggrcgqfy2ptid.onion/?road",
"title": "Silk Road 4",
"cacheKey": 0,
"ID": 42,
"docshellUUID": "{0d3ad73d-34fb-4cc8-a912-d01883722573}",
"referrerInfo": "BBoSnxDOS9qmDeAnom1e0AAAAAAAAAAAwAAAAAAAAEYAAAAAAAAAAAABAQAAAAABAA==",
"originalURI": "http://silkroadm5oqzuz3yq7pvwvinvyzeg2wnpnw3t4cyrsggrcgqfy2ptid.onion/",
"resultPrincipalURI": "http://silkroadm5oqzuz3yq7pvwvinvyzeg2wnpnw3t4cyrsggrcgqfy2ptid.onion/?road",
"loadReplace": true,
---snip---
There are many more links (the tabs that were open on his computer), but no timestamps.
Important collections/Tor Browser$ ls -l Browser/TorBrowser/Data/Browser/profile.default/
---snip---
-rw-r--r-- 1 x x 524288 sep 22 2024 cookies.sqlite
---snip---
Use an SQLite browser:
Important collections/Tor Browser$ sqlitebrowser Browser/TorBrowser/Data/Browser/profile.default/cookies.sqlite
Inspect the database: there is only one table, moz_cookies, which has 21 records. The record with id=6 is:
| id | originAttributes | name | value | host | path | expiry | lastAccessed | creationTime | isSecure | isHttpOnly | inBrowserElement | sameSite | rawSameSite | schemeMap |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 6 | ^firstPartyDomain=silkroadm5oqzuz3yq7pvwvinvyzeg2wnpnw3t4cyrsggrcgqfy2ptid.onion | token | VmtaYVUxUnRWbFpPVm1oWVlsZDRVRmxYZEdGaU1WSlhXa1pPYUZKVVZrbFdSbEpEVkd4WmQyRXpaRmhXTTBKUFZGUkdjMWRHU25SbFJUVlhVbGhDZGxZeWRHdFNNa1pIWWtSYVVsWkVRVGs9 | silkroadm5oqzuz3yq7pvwvinvyzeg2wnpnw3t4cyrsggrcgqfy2ptid.onion | / | 1727096480 | 1727030020304000 | 1727010080588000 | 0 | 0 | 0 | 1 | 0 | 1 |
Unix time is a date and time representation widely used in computing. It measures time by the number of non-leap seconds that have elapsed since 00:00:00 UTC on 1 January 1970, the Unix epoch. For example, at midnight on 1 January 2010, Unix time was 1262304000. - https://en.wikipedia.org/wiki/Unix_time
To convert UNIX time (seconds) to a readable format:
date -d @172...
However, because we seem to have microseconds here (lastAccessed and creationTime; only expiry is in seconds), I find it easier to use: https://www.epochconverter.com/
2024-09-22 18:33:40
[6] What is Shadow’s Hotmail email address? #
grep -r hotmail
Returns shadow152535@hotmail.com, the same username as his darkmail address.
[7] When was Shadow supposed to meet his mysterious boss? #
| cal_id | id | time_created | last_modified | title | priority | privacy | ical_status | flags | event_start | event_end | event_stamp | event_start_tz | event_end_tz | recurrence_id | recurrence_id_tz | alarm_last_ack | offline_journal |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| c66913e5-dd0e-4ae2-9122-b56c4b81cb01 | fd3f85fa-885f-447c-8bcd-bf89a7fa0921 | 1727030434000000 | 1727030487000000 | Meet the boss | | PRIVATE | | 260 | 1734814800000000 | 1734815700000000 | 1727030487000000 | Europe/London | Europe/London | | | | |
This calendar record was found in AppData/Roaming/Thunderbird/Profiles/ka48xic2.default-esr/calendar-data/local.sqlite using grep and sqlitebrowser:
Target/C/Users/shadow$ grep -iro meet
---snip---
grep: AppData/Roaming/Thunderbird/Profiles/ka48xic2.default-esr/calendar-data/local.sqlite: binary file matches
grep: NTUSER.DAT: binary file matches
Time: 1734814800000000 = 2024-12-21 21:00:00
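Instead of pasting microsecond values into a web converter, the conversions for the cookie in [5] and the calendar event in [7] can be done in one place. The Python below is an added example (not from the write-up): it rebuilds the two tables in an in-memory SQLite database from the columns and values quoted above (the cookie value is a placeholder), queries them, and converts seconds and microseconds by magnitude.

```python
"""Read the Silk Road cookie times from a Firefox/Tor cookies.sqlite layout and
the Thunderbird calendar's event_start/event_end, converting both to UTC text.

Added example, not from the write-up. Firefox stores lastAccessed and
creationTime in microseconds but expiry in seconds; Thunderbird's cal_events
uses microseconds. epoch_to_utc() picks the unit from the magnitude so each
value is converted without hand-scaling. The database below is constructed
from the column names and values quoted in the write-up.
"""
import sqlite3
from datetime import datetime, timezone


def epoch_to_utc(value):
    """Epoch in s, ms or us (chosen by magnitude) -> 'YYYY-MM-DD HH:MM:SS' UTC."""
    v = int(value)
    if v > 10**14:        # microseconds (Firefox lastAccessed, Thunderbird event_start)
        v //= 1_000_000
    elif v > 10**11:      # milliseconds
        v //= 1_000
    return datetime.fromtimestamp(v, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def build_sample_db():
    """Constructed stand-in for cookies.sqlite plus the calendar's cal_events table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_cookies (id INTEGER PRIMARY KEY, originAttributes TEXT, name TEXT,
            value TEXT, host TEXT, path TEXT, expiry INTEGER, lastAccessed INTEGER,
            creationTime INTEGER, isSecure INTEGER, isHttpOnly INTEGER, inBrowserElement INTEGER,
            sameSite INTEGER, rawSameSite INTEGER, schemeMap INTEGER);
        CREATE TABLE cal_events (cal_id TEXT, id TEXT, title TEXT, privacy TEXT,
            event_start INTEGER, event_end INTEGER, event_start_tz TEXT);
    """)
    onion = "silkroadm5oqzuz3yq7pvwvinvyzeg2wnpnw3t4cyrsggrcgqfy2ptid.onion"
    conn.execute("INSERT INTO moz_cookies VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?)",
                 (6, "^firstPartyDomain=" + onion, "token", "token-value-placeholder", onion,
                  "/", 1727096480, 1727030020304000, 1727010080588000, 0, 0, 0, 1, 0, 1))
    conn.execute("INSERT INTO cal_events VALUES (?,?,?,?,?,?,?)",
                 ("c66913e5-dd0e-4ae2-9122-b56c4b81cb01", "fd3f85fa-885f-447c-8bcd-bf89a7fa0921",
                  "Meet the boss", "PRIVATE", 1734814800000000, 1734815700000000, "Europe/London"))
    conn.commit()
    return conn


def cookie_times(conn, host_fragment):
    """Per matching cookie: host, name, created, last accessed, expiry (all UTC text)."""
    rows = conn.execute(
        "SELECT host, name, creationTime, lastAccessed, expiry FROM moz_cookies "
        "WHERE host LIKE ? ORDER BY lastAccessed DESC", ("%" + host_fragment + "%",))
    return [(h, n, epoch_to_utc(c), epoch_to_utc(a), epoch_to_utc(e)) for h, n, c, a, e in rows]


def calendar_events(conn):
    """Title, start, end (converted from microseconds) and the stored start timezone."""
    rows = conn.execute("SELECT title, event_start, event_end, event_start_tz FROM cal_events")
    return [(t, epoch_to_utc(s), epoch_to_utc(e), tz) for t, s, e, tz in rows]


if __name__ == "__main__":
    db = build_sample_db()
    for rec in cookie_times(db, "silkroad"):
        print(rec)
    for rec in calendar_events(db):
        print(rec)
```

Note that cal_events stores UTC and keeps the display timezone separately; Europe/London is at UTC+0 on 21 December, so the two agree here.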
[8] When was the “Contacts Due Amounts” spreadsheet created? #
FileFolderAccess #
In Modules/FileFolderAccess there is useful information about file access on the system, specifically a csv file with the following columns for each file:
SourceFile,SourceCreated,SourceModified,SourceAccessed,TargetCreated,TargetModified,TargetAccessed,FileSize,RelativePath,WorkingDirectory,FileAttributes,HeaderFlags,DriveType,VolumeSerialNumber,VolumeLabel,LocalPath,NetworkPath,CommonPath,Arguments,TargetIDAbsolutePath,TargetMFTEntryNumber,TargetMFTSequenceNumber,MachineID,MachineMACAddress,MACVendor,TrackerCreatedOn,ExtraBlocksPresent
After further inspection, this seems to be the wrong place to look for when the actual spreadsheet was created. I only found a contacts_due_amounts.lnk, but that doesn't help now.
Registry Hive #
After even further inspection, the registry hive didn’t really help much either:
Target/C/Users/shadow$ regipy-process-transaction-logs NTUSER.DAT -p ntuser.dat.LOG1 -s ntuser.dat.LOG2
INFO:regipy.cli:Processing hive
---snip---
Recovered 78 dirty pages. Restored hive is at /Target/C/Users/shadow/NTUSER.DAT.restored
Target/C/Users/shadow$ regipy-dump NTUSER.DAT.restored > NTUSER.JSON
Thunderbird INBOX #
We could look in the Thunderbird INBOX again, this time using a different, better approach: ripmime extracts the MIME attachments from the mailbox file.
Target/C/Users/shadow/AppData/Roaming/Thunderbird/Profiles/ka48xic2.default-esr/ImapMail/mail.darkmail.htb$ ripmime -i INBOX
Target/C/.../mail.darkmail.htb$ ls
contacts_due_amounts.xlsx INBOX textfile0 textfile1 textfile2 textfile3 textfile4 textfile5 textfile6 textfile7 textfile8 textfile9
Target/C/.../mail.darkmail.htb$ stat contacts_due_amounts.xlsx
File: contacts_due_amounts.xlsx
Size: 9973 Blocks: 24 IO Block: 4096 regular file
Device: 259,2 Inode: 4224538 Links: 1
Access: (0600/-rw-------) Uid: ( 1000/ x) Gid: ( 1000/ x)
Access: 2025-08-01 00:49:11.346558392 +0300
Modify: 2025-08-01 00:49:11.346558392 +0300
Change: 2025-08-01 00:49:11.346558392 +0300
Birth: 2025-08-01 00:49:11.346558392 +0300
No, still wrong; I thought this would restore the original file's timestamps, but stat only shows when ripmime wrote the extracted copy… (spoiler: the extracted file is what was needed for this task all along)
Encrypted Drive #
After some more digging, I executed the file command on Important Collections/shadow.E01 and it returned: shadow.E01: EWF/Expert Witness/EnCase image file format. Maybe the spreadsheet is safely stored there…
This is something I haven't encountered before. The EWF (Expert Witness Format), also known as the EnCase image format, is a proprietary forensic disk image format developed by Guidance Software for use with the EnCase forensic tool. It is widely used in digital forensics to capture and preserve evidence with integrity, and EWF images can be split into multiple segment files. After installing ewftools, we can run ewfmount image.E01 /mnt/ewf and then use losetup to expose the partitions.
$ sudo ewfmount shadow.E01 /mnt/ewf
$ sudo fdisk -l /mnt/ewf/ewf1
Disk /mnt/ewf/ewf1: 100 MiB, 104857600 bytes, 204800 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x4c73f99b
Device Boot Start End Sectors Size Id Type
/mnt/ewf/ewf1p1 128 198783 198656 97M 7 HPFS/NTFS/exFAT
$ sudo losetup -Pf --show /mnt/ewf/ewf1
/dev/loop12
$ sudo mount -o ro /dev/loop12p1 /mnt/mountpoint1
mount: /mnt/mountpoint1: unknown filesystem type 'BitLocker'.
dmesg(1) may have more information after failed mount system call.
The NTFS volume is wrapped inside BitLocker, so it cannot be mounted directly without first decrypting it. In Important Collections/Others/Documents there is a file named BitLocker Recovery Key 46B6AA0E-05A7-4632-AA54-28559AEF0127.TXT:
To verify that this is the correct recovery key, compare the start of the following identifier with the identifier value displayed on your PC.
Identifier:
46B6AA0E-05A7-4632-AA54-28559AEF0127
If the above identifier matches the one displayed by your PC then use the following key to unlock your drive.
Recovery Key:
356400-709885-041448-681967-471328-040931-346357-184591
If the above identifier doesn't match the one displayed by your PC then this isn't the right key to unlock your drive.
Try another recovery key or refer to https://go.microsoft.com/fwlink/?LinkID=260589 for additional assistance.
We can access a BitLocker volume with dislocker:
$ mkdir /mnt/decrypted
$ mkdir /mnt/bitlocker
$ sudo dislocker -V /dev/loop12p1 -r --recovery-password=356400-709885-041448-681967-471328-040931-346357-184591 -- /mnt/bitlocker
$ sudo mount -o ro,loop /mnt/bitlocker/dislocker-file /mnt/decrypted
$ ls /mnt/decrypted
'$RECYCLE.BIN' Backup Contact Locations Pictures Plans 'System Volume Information'
$ cd /mnt/decrypted
$ tree
.
├── $RECYCLE.BIN
│ ├── S-1-5-21-3718134835-1919426685-3059265731-1002
│ │ ├── $ICZ9AIS.kml
│ │ ├── $RCZ9AIS.kml
│ │ └── desktop.ini
│ └── S-1-5-21-4088429403-1159899800-2753317549-500
│ └── desktop.ini
├── Backup
├── Contact
├── Locations
├── Pictures
├── Plans
│ ├── Lab_Setup_Notes.pdf
│ ├── Lawyer_Contact_Information.pdf
│ └── Money_Laundering_Plan.pdf
└── System Volume Information
├── AadRecoveryPasswordDelete
├── ClientRecoveryPasswordRotation
├── FVE2.{24e6f0ae-6a00-4f73-984b-75ce9942852d}
├── FVE2.{aff97bac-a69b-45da-aba1-2cfbce434750}.1
├── FVE2.{aff97bac-a69b-45da-aba1-2cfbce434750}.2
├── FVE2.{da392a22-cae0-4f0f-9a30-b8830385d046}
├── FVE2.{e40ad34d-dae9-4bc7-95bd-b16218c10f72}.1
├── FVE2.{e40ad34d-dae9-4bc7-95bd-b16218c10f72}.2
├── FVE2.{e40ad34d-dae9-4bc7-95bd-b16218c10f72}.3
├── IndexerVolumeGuid
└── WPSettings.dat
We got his lawyer's contact information, but no timestamp for the xlsx file yet.
MFT File #
In computer forensics, the Master File Table (MFT) is a crucial component of the Windows operating system. It is a database that contains essential information about every file and directory on a computer’s hard drive. The MFT keeps track of a file’s location on the hard drive and manages other attributes. It contains metadata about each file, such as its name, size, creation date, and access permissions. They understand this data is critical for any computer forensics examination.
The MFT stores information about large numbers of files efficiently. Because it is a database, it can be easily searched and accessed by the operating system. It allows the operating system to quickly locate and access files, even when millions of them are on the hard drive. - https://www.asdfed.com/Master-File-Table-and-Computer-Forensics
This is something I haven’t encountered before. After installing this tool https://github.com/msuhanov/dfir_ntfs, I can now find the creation time of the file:
pip3 install https://github.com/msuhanov/dfir_ntfs/archive/1.1.19.tar.gz
ntfs_parser --mft \$MFT a.csv
Inside the csv file:
File record,1125899907201161,Y,N,1101468514,/Users/shadow/Documents/contacts_due_amounts.xlsx,2024-09-22 18:20:17.888116,2024-09-22 18:20:34.299432,2024-09-22 18:20:17.699118,2024-09-22 18:20:17.935118,479650720,2024-09-22 18:20:17.849116,2024-09-22 18:20:17.849116,2024-09-22 18:20:17.699118,2024-09-22 18:20:17.849116,2024-09-22 12:22:38.500220,9973,Zone.Identifier,,,
2024-09-22 18:20:17 should be the creation time, or so one would assume, but HackTheBox doesn't accept this answer. I must have overlooked something.
And I did overlook something! The Zone.Identifier name in the row (in an NTFS path it would appear after a colon, as file:Zone.Identifier) identifies an Alternate Data Stream (ADS) attached to the file. ADS are used to store meta-information about a file; the Zone.Identifier stream in particular records whether the file came from the internet. So the csv from $MFT tells us contacts_due_amounts.xlsx was most likely downloaded, and 2024-09-22 18:20:17 is the time the downloaded file was written to disk, not the time the spreadsheet was created.
Unzip xlsx #
We have already discovered and extracted the xlsx from the INBOX, but what was overlooked is that xlsx files are zip archives and can be unzipped…
Target/C/Users/shadow/AppData/Roaming/Thunderbird/Profiles/ka48xic2.default-esr/ImapMail/mail.darkmail.htb$ unzip contacts_due_amounts.xlsx
Archive: contacts_due_amounts.xlsx
inflating: xl/_rels/workbook.xml.rels
inflating: xl/workbook.xml
inflating: xl/theme/theme1.xml
inflating: xl/styles.xml
inflating: xl/worksheets/sheet1.xml
inflating: xl/sharedStrings.xml
inflating: _rels/.rels
inflating: docProps/core.xml
inflating: docProps/app.xml
inflating: docProps/custom.xml
inflating: [Content_Types].xml
And inside docProps/core.xml:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
---snip---
<dcterms:created xsi:type="dcterms:W3CDTF">2024-09-22T15:44:22Z</dcterms:created>
---snip---
Thus the answer is: 2024-09-22 15:44:22
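The unzip-and-read step above can be scripted, and the document time compared with the $MFT time from the same task. The Python below is an added example (not from the write-up): it reads docProps/core.xml straight from the zip container of a constructed minimal workbook carrying the created time quoted above; the author and modified values are placeholders.

```python
"""Read the OOXML core properties of an .xlsx and compare with an on-disk time.

Added example, not from the write-up. An .xlsx is a zip archive; the authoring
application writes metadata to docProps/core.xml (dcterms:created,
dcterms:modified, dc:creator, cp:lastModifiedBy). These values are set by the
application and are not tamper-proof, but they survive e-mail transfer and
downloads, unlike file-system timestamps. The workbook built below is a
constructed minimal container carrying the created time quoted in the write-up.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}


def core_properties(xlsx):
    """xlsx may be a path or a file-like object; returns the core.xml fields of interest."""
    with zipfile.ZipFile(xlsx) as archive:
        root = ET.fromstring(archive.read("docProps/core.xml"))
    return {
        "creator": root.findtext("dc:creator", namespaces=NS),
        "lastModifiedBy": root.findtext("cp:lastModifiedBy", namespaces=NS),
        "created": root.findtext("dcterms:created", namespaces=NS),
        "modified": root.findtext("dcterms:modified", namespaces=NS),
    }


def parse_w3cdtf(text):
    """W3CDTF as written by Office/LibreOffice ('2024-09-22T15:44:22Z') -> aware datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def seconds_between(created_w3cdtf, disk_timestamp):
    """Seconds from the document's created time to an on-disk/MFT time given as UTC text."""
    disk = datetime.strptime(disk_timestamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return int((disk - parse_w3cdtf(created_w3cdtf)).total_seconds())


# Constructed core.xml: created time from the write-up, other fields are placeholders.
CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
 xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <dc:creator>sample-author</dc:creator>
 <cp:lastModifiedBy>sample-author</cp:lastModifiedBy>
 <dcterms:created xsi:type="dcterms:W3CDTF">2024-09-22T15:44:22Z</dcterms:created>
 <dcterms:modified xsi:type="dcterms:W3CDTF">2024-09-22T15:50:01Z</dcterms:modified>
</cp:coreProperties>
"""


def build_sample_xlsx():
    """Constructed minimal workbook container holding only the parts this example reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("docProps/core.xml", CORE_XML)
        archive.writestr("xl/workbook.xml", "<workbook/>")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    props = core_properties(build_sample_xlsx())
    print(props)
    # $MFT time of the downloaded copy versus the document's own created time
    print(seconds_between(props["created"], "2024-09-22 18:20:17"), "seconds later on disk")
```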
[9] Which file did Shadow delete from the encrypted USB drive? #
By using the same steps from the [8] -> Encrypted Drive chapter, mount the BitLocker partition and go to $RECYCLE.BIN:
├── $RECYCLE.BIN
│ ├── S-1-5-21-3718134835-1919426685-3059265731-1002
│ │ ├── $ICZ9AIS.kml
│ │ ├── $RCZ9AIS.kml
│ │ └── desktop.ini
│ └── S-1-5-21-4088429403-1159899800-2753317549-500
│ └── desktop.ini
On an NTFS volume the Recycle Bin renames a deleted file using the $R... naming scheme, so $RCZ9AIS.kml holds the original content.
Alongside it is $ICZ9AIS.kml, which contains metadata about the original file, including its original name and path. Use either cat or xxd; the full path will show either way:
cat '$ICZ9AIS.kml'
---snip-- E:\Locations\Item_Dropoff tracking.kml
So the deleted file was: E:\Locations\Item_Dropoff tracking.kml
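cat shows the path, but the $I file also records the original size and the deletion time. As an added example (not from the write-up), this Python parses both $I format versions and pairs each $I file with its $R twin; the sample blob is constructed for the path found above, with a made-up size and deletion time.

```python
"""Parse a Recycle Bin $I metadata file (original path, size, deletion time).

Added example, not from the write-up. A $I<id> file pairs with the renamed
$R<id> content file: offset 0 holds the format version (1 for Vista-8.1, 2 for
Windows 10/11), offset 8 the original size, offset 16 the deletion time as a
FILETIME (100 ns ticks since 1601-01-01 UTC), followed by the original path in
UTF-16LE (length-prefixed in version 2, a fixed 520-byte field in version 1).
The $I blob below is constructed for the deleted file the write-up found.
"""
import struct
from pathlib import Path
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ticks):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> timezone-aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_i_file(data):
    """Decode the header and original path of a $I file; raises on unknown versions."""
    version, size, ticks = struct.unpack_from("<QQQ", data, 0)
    if version == 2:
        (name_chars,) = struct.unpack_from("<I", data, 24)   # count includes the NUL
        raw = data[28:28 + name_chars * 2]
    elif version == 1:
        raw = data[24:24 + 520]                               # MAX_PATH * 2 bytes, NUL padded
    else:
        raise ValueError("unknown $I format version %d" % version)
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {"version": version, "size": size, "deleted": filetime_to_utc(ticks), "path": path}


def recycle_bin_entries(sid_dir):
    """Walk a $RECYCLE.BIN\\<SID> folder, pairing each $I file with its $R twin."""
    entries = []
    for i_file in sorted(Path(sid_dir).glob("$I*")):
        rec = parse_i_file(i_file.read_bytes())
        rec["r_file"] = i_file.with_name("$R" + i_file.name[2:])   # $ICZ9AIS.kml -> $RCZ9AIS.kml
        rec["content_present"] = rec["r_file"].exists()
        entries.append(rec)
    return entries


def build_sample_i_file(original_path, size, deleted_at):
    """Constructed version-2 $I blob, used here instead of the real $ICZ9AIS.kml."""
    ticks = int((deleted_at - FILETIME_EPOCH).total_seconds()) * 10_000_000
    name = (original_path + "\x00").encode("utf-16-le")
    return struct.pack("<QQQI", 2, size, ticks, len(original_path) + 1) + name


# Size and deletion time are made up; the path is the one recovered in the write-up.
SAMPLE_I = build_sample_i_file(r"E:\Locations\Item_Dropoff tracking.kml", 4096,
                               datetime(2024, 9, 22, 18, 20, tzinfo=timezone.utc))

if __name__ == "__main__":
    print(parse_i_file(SAMPLE_I))
```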
[10] What are Stash Roman’s coordinates? #
.kml files are Keyhole Markup Language files, used by apps like Google Earth or, in this case, QGIS to store geographic coordinates and placemarks.
Look at the $R file in the same $RECYCLE.BIN folder on the encrypted drive (the deleted kml suggests shadow created a custom kml file to keep track of his client data, then got rid of it):
cat '$RCZ9AIS.kml' | grep -i roman -A 20
<name>Stash Roman</name>
<description><![CDATA[<div>2-Methyl-3-morpholino-1,1-diphenylpropanecarboxylic acid buried near Konstantine The Great's statue. Only his blessing one can dig here. <br></div>]]></description>
<LookAt>
<longitude>-1.08173537760259</longitude>
<latitude>53.96184807581295</latitude>
<altitude>15.6699866995215</altitude>
<heading>0</heading>
<tilt>0</tilt>
<gx:fovy>35</gx:fovy>
<range>25.00282082335161</range>
<altitudeMode>absolute</altitudeMode>
</LookAt>
<styleUrl>#__managed_style_0DF171511233507FD5A3</styleUrl>
<Point>
<coordinates>-1.081714495171635,53.96186166446304,14.47948834533045</coordinates>
</Point>
The coordinates are:
<longitude>-1.08173537760259</longitude>
<latitude>53.96184807581295</latitude>
Convert to degrees, minutes and seconds: https://www.gps-coordinates.net/
53°57'42"N 1°04'54"W
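The grep -A 20 works for one placemark, but a KML can hold many, and some carry only a Point without a LookAt. The Python below is an added example (not from the write-up): it parses every Placemark with ElementTree and converts decimal degrees to the DMS form quoted above, truncating seconds; the KML is a constructed excerpt based on the recovered file, plus one extra constructed placemark.

```python
"""Extract placemarks from a KML document and render coordinates as DMS.

Added example, not from the write-up. KML uses the http://www.opengis.net/kml/2.2
namespace; a Placemark may carry both a LookAt (camera position) and a Point
(the marker itself), and the two differ slightly, as in the Stash Roman entry.
to_dms() truncates to whole seconds, matching the form quoted in the write-up.
SAMPLE_KML is a constructed excerpt based on the recovered file.
"""
import xml.etree.ElementTree as ET

KML = {"kml": "http://www.opengis.net/kml/2.2"}


def placemarks(kml_text):
    """name, LookAt (lon, lat) and Point (lon, lat) for every Placemark in the document."""
    root = ET.fromstring(kml_text)
    found = []
    for pm in root.iter("{%s}Placemark" % KML["kml"]):
        rec = {"name": pm.findtext("kml:name", default="", namespaces=KML)}
        look = pm.find("kml:LookAt", KML)
        if look is not None:
            rec["lookat"] = (float(look.findtext("kml:longitude", namespaces=KML)),
                             float(look.findtext("kml:latitude", namespaces=KML)))
        coords = pm.findtext("kml:Point/kml:coordinates", namespaces=KML)
        if coords:
            lon, lat = (float(x) for x in coords.strip().split(",")[:2])   # lon,lat[,alt]
            rec["point"] = (lon, lat)
        found.append(rec)
    return found


def to_dms(value, is_latitude):
    """Decimal degrees -> D°MM'SS"H with seconds truncated, not rounded."""
    if is_latitude:
        hemi = "N" if value >= 0 else "S"
    else:
        hemi = "E" if value >= 0 else "W"
    v = abs(value)
    degrees = int(v)
    minutes_f = (v - degrees) * 60
    minutes = int(minutes_f)
    seconds = int((minutes_f - minutes) * 60)
    return "%d°%02d'%02d\"%s" % (degrees, minutes, seconds, hemi)


def format_dms(lat, lon):
    """Latitude then longitude, as the coordinate sites print it."""
    return to_dms(lat, True) + " " + to_dms(lon, False)


SAMPLE_KML = """<?xml version="1.0" encoding="UTF-8"?>
<kml xmlns="http://www.opengis.net/kml/2.2" xmlns:gx="http://www.google.com/kml/ext/2.2">
<Document>
  <Placemark>
    <name>Stash Roman</name>
    <LookAt>
      <longitude>-1.08173537760259</longitude>
      <latitude>53.96184807581295</latitude>
      <altitude>15.6699866995215</altitude>
      <heading>0</heading><tilt>0</tilt><gx:fovy>35</gx:fovy>
      <range>25.00282082335161</range>
      <altitudeMode>absolute</altitudeMode>
    </LookAt>
    <Point>
      <coordinates>-1.081714495171635,53.96186166446304,14.47948834533045</coordinates>
    </Point>
  </Placemark>
  <Placemark>
    <name>Sample point (no LookAt)</name>
    <Point><coordinates>-0.1276,51.5072,0</coordinates></Point>
  </Placemark>
</Document>
</kml>
"""

if __name__ == "__main__":
    for pm in placemarks(SAMPLE_KML):
        lon, lat = pm.get("lookat") or pm["point"]
        print(pm["name"], format_dms(lat, lon))
```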
Lessons Learnt #
$LogFile and $MFT Analysis are Important for Deleted File Recovery
Even when a file is deleted or partially overwritten, artifacts remain in NTFS metadata structures. $LogFile and $MFT parsing using tools like ntfs_parser can reveal transaction records, timestamps, LSNs, and potential paths - even if the actual file content is lost or absent.
Artifacts Often Outlive File Content
Files deleted from encrypted volumes or moved across systems may leave behind LNK files (contacts_due_amounts.lnk), recent items, or email attachments. Forensic value exists in these secondary artifacts even if primary data is erased.
Email Headers Can Corroborate File Origins
The presence of files in Thunderbird’s IMAP cache, coupled with headers and MIME attachments, provided a solid link between the XLSX file and its delivery mechanism (email). This strengthened attribution and event sequencing.
Zone.Identifier Confirms File Origin
Presence of Zone.Identifier streams helped confirm that the file was downloaded from an external source (email client or browser), further supporting conclusions about the file’s delivery vector.
ripMIME
ripMIME is a command-line utility used to extract MIME-encoded attachments from raw email files. It is especially valuable when you need to pull embedded files (spreadsheets, executables, documents) out of captured email artifacts.
xlsx
Examining docProps/core.xml inside .xlsx files reveals the original creation time recorded by the authoring application, which is often more accurate than the file system timestamps, especially if the file was downloaded or transferred via email.
BitLocker Key Storage Can Be Exploited
BitLocker recovery keys may reside on the system (here, a plain-text recovery key file in the user's documents), depending on configuration.
EWF (Expert Witness Format) Enables Reliable Forensic Imaging
Working with .E01 images (EWF format) ensures data integrity through built-in checksums, compression, and metadata tracking. Tools like ewfinfo, ewfexport, and ewfmount allow analysts to verify acquisition integrity with embedded hash verification, mount the image read-only for safe forensic access, and convert to raw (dd) format for compatibility with other forensic utilities.
Useful Resources #
https://en.wikipedia.org/wiki/.onion
https://www.gps-coordinates.net/
https://www.asdfed.com/Master-File-Table-and-Computer-Forensics
https://github.com/msuhanov/dfir_ntfs
https://en.wikipedia.org/wiki/Unix_time
Get Involved #
I think knowledge should be shared and discussions encouraged. So, don’t hesitate to ask questions, or suggest topics you’d like me to cover in future posts.
Stay Connected #
You can contact me at ion.miron@tutanota.com