Forensics/CTF

Securinets Time matters

CHIqueen 2020. 3. 24. 15:50

Honestly, a poorly made challenge.

The description is garbage, and it is not clear what exactly it wants.


$ vol.py -f for1.raw kdbgscan
Volatility Foundation Volatility Framework 2.6
**************************************************
Instantiating KDBG using: Unnamed AS WinXPSP2x86 (5.1.0 32bit)
Offset (P)                    : 0x2785b78
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win7SP1x86_23418
Version64                     : 0x2785b50 (Major: 15, Minor: 7601)
PsActiveProcessHead           : 0x8279ad70
PsLoadedModuleList            : 0x827a2730
KernelBase                    : 0x8264e000

**************************************************
Instantiating KDBG using: Unnamed AS WinXPSP2x86 (5.1.0 32bit)
Offset (P)                    : 0x2785b78
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win7SP1x86
Version64                     : 0x2785b50 (Major: 15, Minor: 7601)
PsActiveProcessHead           : 0x8279ad70
PsLoadedModuleList            : 0x827a2730
KernelBase                    : 0x8264e000

**************************************************
Instantiating KDBG using: Unnamed AS WinXPSP2x86 (5.1.0 32bit)
Offset (P)                    : 0x2785b78
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win7SP0x86
Version64                     : 0x2785b50 (Major: 15, Minor: 7601)
PsActiveProcessHead           : 0x8279ad70
PsLoadedModuleList            : 0x827a2730
KernelBase                    : 0x8264e000

Win7SP1x86


Let's take a look at the processes.

$ vol.py -f for1.raw --profile=Win7SP1x86_23418 pslist
Volatility Foundation Volatility Framework 2.6
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit                          
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x839af9d0 System                    4      0     85      529 ------      0 2020-03-20 12:38:06 UTC+0000                                 
0x8485c880 smss.exe                280      4      2       29 ------      0 2020-03-20 12:38:06 UTC+0000                                 
0x848bc540 csrss.exe               356    348      8      467      0      0 2020-03-20 12:38:07 UTC+0000                                 
0x84929030 wininit.exe             392    348      3       76      0      0 2020-03-20 12:38:07 UTC+0000                                 
0x849296d8 csrss.exe               400    384      8      316      1      0 2020-03-20 12:38:07 UTC+0000                                 
0x84b2dd20 winlogon.exe            440    384      5      118      1      0 2020-03-20 12:38:07 UTC+0000                                 
0x850ef458 services.exe            484    392      8      195      0      0 2020-03-20 12:38:07 UTC+0000                                 
0x85100698 lsass.exe               492    392      9      738      0      0 2020-03-20 12:38:07 UTC+0000                                 
0x850f8620 lsm.exe                 500    392     10      148      0      0 2020-03-20 12:38:07 UTC+0000                                 
0x85148030 svchost.exe             608    484     13      365      0      0 2020-03-20 12:38:07 UTC+0000                                 
0x85155030 VBoxService.ex          668    484     13      125      0      0 2020-03-20 12:38:08 UTC+0000                                 
0x85165b40 svchost.exe             724    484      7      285      0      0 2020-03-20 12:38:08 UTC+0000                                 
0x85183578 svchost.exe             776    484     24      520      0      0 2020-03-20 12:38:08 UTC+0000                                 
0x851ae4e8 svchost.exe             896    484     31      552      0      0 2020-03-20 12:38:08 UTC+0000                                 
0x851c5030 svchost.exe             940    484     33      505      0      0 2020-03-20 12:38:08 UTC+0000                                 
0x851ce030 svchost.exe             984    484     38      827      0      0 2020-03-20 12:38:08 UTC+0000                                 
0x851d3310 audiodg.exe            1036    776      5      125      0      0 2020-03-20 12:38:08 UTC+0000                                 
0x8bee6030 svchost.exe            1072    484      5      118      0      0 2020-03-20 12:38:08 UTC+0000                                 
0x85211af8 svchost.exe            1260    484     18      384      0      0 2020-03-20 12:38:09 UTC+0000                                 
0x8523c790 spoolsv.exe            1360    484     17      298      0      0 2020-03-20 12:38:09 UTC+0000                                 
0x85255d20 svchost.exe            1396    484     19      306      0      0 2020-03-20 12:38:09 UTC+0000                                 
0x852e3688 svchost.exe            1496    484     28      293      0      0 2020-03-20 12:38:09 UTC+0000                                 
0x842f41a8 taskhost.exe            296    484     12      228      1      0 2020-03-20 12:38:25 UTC+0000                                 
0x8540f730 taskeng.exe             384    984      8       93      0      0 2020-03-20 12:38:25 UTC+0000                                 
0x84986b30 dwm.exe                 476    896      5       77      1      0 2020-03-20 12:38:25 UTC+0000                                 
0x8505f030 explorer.exe            328    404     38      883      1      0 2020-03-20 12:38:25 UTC+0000                                 
0x85456760 VBoxTray.exe           1888    328     13      138      1      0 2020-03-20 12:38:26 UTC+0000                                 
0x8546e7b8 GoogleUpdate.e         1240    384      6      114      0      0 2020-03-20 12:38:26 UTC+0000                                 
0x85421510 SearchIndexer.         1236    484     13      612      0      0 2020-03-20 12:38:33 UTC+0000                                 
0x8547ad20 wmpnetwk.exe           2056    484     16      439      0      0 2020-03-20 12:38:33 UTC+0000                                 
0x854acc28 SearchProtocol         2136   1236      8      262      1      0 2020-03-20 12:38:34 UTC+0000                                 
0x847fba38 SearchFilterHo         2176   1236      6       84      0      0 2020-03-20 12:38:34 UTC+0000                                 
0x854dad20 chrome.exe             2288    328     29      666      1      0 2020-03-20 12:38:34 UTC+0000                                 
0x854e7848 svchost.exe            2336    484     11      355      0      0 2020-03-20 12:38:34 UTC+0000                                 
0x854e92a0 chrome.exe             2356   2288      8       64      1      0 2020-03-20 12:38:34 UTC+0000                                 
0x85575810 WmiPrvSE.exe           2524    608     15      317      0      0 2020-03-20 12:38:36 UTC+0000                                 
0x85597030 chrome.exe             2588   2288      2       55      1      0 2020-03-20 12:38:36 UTC+0000                                 
0x842fed20 chrome.exe             2692   2288     14      301      1      0 2020-03-20 12:38:37 UTC+0000                                 
0x842fdbb0 chrome.exe             2888   2288     10      170      1      0 2020-03-20 12:38:39 UTC+0000                                 
0x854beb98 WmiPrvSE.exe           3040    608      7      129      0      0 2020-03-20 12:38:40 UTC+0000                                 
0x8431ed20 chrome.exe             3260   2288     13      224      1      0 2020-03-20 12:38:43 UTC+0000                                 
0x847f8d20 software_repor         3344   2288     11      197      1      0 2020-03-20 12:38:45 UTC+0000                                 
0x856a7328 software_repor         3356   3344      7       82      1      0 2020-03-20 12:38:46 UTC+0000                                 
0x84804c28 WmiApSrv.exe           3468    484      7      116      0      0 2020-03-20 12:38:47 UTC+0000                                 
0x84816410 software_repor         3500   3344      3      106      1      0 2020-03-20 12:38:48 UTC+0000                                 
0x84884c28 software_repor         3792   3344      2       96      1      0 2020-03-20 12:39:00 UTC+0000

Nothing much apart from Chrome.


$ vol.py -f for1.raw --profile=Win7SP1x86 cmdscan
$ vol.py -f for1.raw --profile=Win7SP1x86 consoles
$ vol.py -f for1.raw --profile=Win7SP1x86 screenshot -D ./
$ vol.py -f for1.raw --profile=Win7SP1x86_23418 clipboard

Nothing there.

Even the screenshot shows nothing but a FolderView; it looks like Chrome wasn't actually used.


$ vol.py -f for1.raw --profile=Win7SP1x86 mimikatz
Volatility Foundation Volatility Framework 2.6
Module   User             Domain           Password                                
-------- ---------------- ---------------- ----------------------------------------
wdigest  studio           studio-PC        Messi2020                               
wdigest  STUDIO-PC$       WORKGROUP

This is the mimikatz result. I usually don't bother setting it up, but since there's a password here, let's keep it for now.

$ vol.py -f for1.raw --profile=Win7SP1x86 hivelist
Volatility Foundation Volatility Framework 2.6
Virtual    Physical   Name
---------- ---------- ----
0x8ee14888 0x1af1a888 \Device\HarddiskVolume1\Boot\BCD
0x8ee414c8 0x1aba04c8 \SystemRoot\System32\Config\SOFTWARE
0x9025f008 0x158fd008 \SystemRoot\System32\Config\DEFAULT
0x903ce9c8 0x149ff9c8 \SystemRoot\System32\Config\SAM
0x903ef9c8 0x18ff19c8 \SystemRoot\System32\Config\SECURITY
0x98d229c8 0x075a19c8 \??\C:\Users\studio\AppData\Local\Microsoft\Windows\UsrClass.dat
0x8740a6a8 0x1ba366a8 [no name]
0x87418218 0x1b8bc218 \REGISTRY\MACHINE\SYSTEM
0x87438590 0x1bc5c590 \REGISTRY\MACHINE\HARDWARE
0x880f82c0 0x18b3e2c0 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
0x881b02e0 0x04e052e0 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
0x89165008 0x08e35008 \??\C:\Users\studio\ntuser.dat

Using hivelist, I'll pull the recently executed programs (UserAssist) out of the registry.

ntuser.dat: 0x89165008

UserAssist has to be queried in two steps because of the GUID subkey in the middle.

$ vol.py -f for1.raw --profile=Win7SP1x86 printkey -o 0x89165008 -K "SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist"
Volatility Foundation Volatility Framework 2.6
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \??\C:\Users\studio\ntuser.dat
Key name: UserAssist (S)
Last updated: 2020-03-20 12:15:20 UTC+0000

Subkeys:
  (S) {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}
  (S) {F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}

Values:
$ vol.py -f for1.raw --profile=Win7SP1x86 printkey -o 0x89165008 -K "SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count" | grep REG_BINARY
Volatility Foundation Volatility Framework 2.6
REG_BINARY    {0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Jrypbzr Pragre.yax : (S) 
REG_BINARY    HRZR_PGYFRFFVBA : (S) 
REG_BINARY    {0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Zrqvn Pragre.yax : (S) 
REG_BINARY    {0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Pnyphyngbe.yax : (S) 
REG_BINARY    {0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Fgvpxl Abgrf.yax : (S) 
REG_BINARY    {0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Favccvat Gbby.yax : (S) 
REG_BINARY    {0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Cnvag.yax : (S) 
REG_BINARY    {0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Erzbgr Qrfxgbc Pbaarpgvba.yax : (S) 
REG_BINARY    {N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\Npprffbevrf\Npprffvovyvgl\Zntavsl.yax : (S) 
REG_BINARY    ::{RQ228SQS-9RN8-4870-83O1-96O02PSR0Q52}\{00Q8862O-6453-4957-N821-3Q98Q74P76OR} : (S) 
REG_BINARY    HRZR_PGYPHNPbhag:pgbe : (S) 
REG_BINARY    {9R3995NO-1S9P-4S13-O827-48O24O6P7174}\GnfxOne\Vagrearg Rkcybere.yax : (S) 
REG_BINARY    {9R3995NO-1S9P-4S13-O827-48O24O6P7174}\GnfxOne\Jvaqbjf Rkcybere.yax : (S) 
REG_BINARY    {9R3995NO-1S9P-4S13-O827-48O24O6P7174}\GnfxOne\Tbbtyr Puebzr.yax : (S) 

Ridiculous. The value names are just ROT13:

ERT_OVANEL    {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Accessories\Welcome Center.lnk : (F) 
ERT_OVANEL    UEME_CTLSESSION : (F) 
ERT_OVANEL    {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Media Center.lnk : (F) 
ERT_OVANEL    {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Accessories\Calculator.lnk : (F) 
ERT_OVANEL    {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Accessories\Sticky Notes.lnk : (F) 
ERT_OVANEL    {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Accessories\Snipping Tool.lnk : (F) 
ERT_OVANEL    {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Accessories\Paint.lnk : (F) 
ERT_OVANEL    {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Accessories\Remote Desktop Connection.lnk : (F) 
ERT_OVANEL    {A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\Accessories\Accessibility\Magnify.lnk : (F) 
ERT_OVANEL    ::{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}\{00D8862B-6453-4957-A821-3D98D74C76BE} : (F) 
ERT_OVANEL    UEME_CTLCUACount:ctor : (F) 
ERT_OVANEL    {9E3995AB-1F9C-4F13-B827-48B24B6C7174}\TaskBar\Internet Explorer.lnk : (F) 
ERT_OVANEL    {9E3995AB-1F9C-4F13-B827-48B24B6C7174}\TaskBar\Windows Explorer.lnk : (F) 
ERT_OVANEL    {9E3995AB-1F9C-4F13-B827-48B24B6C7174}\TaskBar\Google Chrome.lnk : (F)

Looks like they installed Windows, just copy-pasted the files, and launched Chrome to throw people off.
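The ROT13 decoding above was done by hand. As an added example (not code from the original writeup), here is a Python helper that parses the `printkey | grep REG_BINARY` lines, ROT13-decodes the names, expands the three known-folder GUIDs that appear in the output (CommonPrograms, Programs, User Pinned; this GUID-to-path table is the standard Windows known-folder mapping, not something from the image), and also decodes the 72-byte Windows 7 UserAssist value data (run count, focus count, last-execution FILETIME) that the grep discards. The printkey lines and the binary record are constructed samples.

```python
import codecs
import re
import struct
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of the printkey | grep REG_BINARY output above:
# value names are ROT13-encoded, and the leading GUID is a Windows known-folder ID.
SAMPLE_PRINTKEY = "\n".join([
    r"REG_BINARY    {0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Pnyphyngbe.yax : (S) ",
    r"REG_BINARY    HRZR_PGYFRFFVBA : (S) ",
    r"REG_BINARY    {9R3995NO-1S9P-4S13-O827-48O24O6P7174}\GnfxOne\Tbbtyr Puebzr.yax : (S) ",
])

# Windows known-folder IDs seen in the UserAssist output and the paths they stand for.
KNOWN_FOLDERS = {
    "{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}": r"%ProgramData%\Microsoft\Windows\Start Menu\Programs",
    "{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}": r"%AppData%\Microsoft\Windows\Start Menu\Programs",
    "{9E3995AB-1F9C-4F13-B827-48B24B6C7174}": r"%AppData%\Microsoft\Internet Explorer\Quick Launch\User Pinned",
}

LINE_RE = re.compile(r"^REG_BINARY\s+(?P<name>.+?)\s+:\s+\((?P<flag>[SV])\)\s*$")
GUID_RE = re.compile(r"^(\{[0-9A-Fa-f-]{36}\})(.*)$")


def decode_userassist_name(raw_name):
    """ROT13-decode a UserAssist value name and expand a leading known-folder GUID."""
    plain = codecs.decode(raw_name, "rot_13")
    m = GUID_RE.match(plain)
    if m and m.group(1).upper() in KNOWN_FOLDERS:
        return KNOWN_FOLDERS[m.group(1).upper()] + m.group(2)
    return plain


def parse_printkey(text):
    """Turn printkey REG_BINARY lines into decoded entries; UEME_* names are counters, not programs."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        name = decode_userassist_name(m.group("name"))
        entries.append({"name": name, "stable": m.group("flag") == "S",
                        "control": name.startswith("UEME_")})
    return entries


FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def from_filetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_win7_record(data):
    """Decode the 72-byte Windows 7 UserAssist value: run count at +4, focus count at +8,
    focus time in ms at +12 and the last-execution FILETIME at +60."""
    if len(data) != 72:
        raise ValueError("Windows 7 UserAssist records are 72 bytes, got %d" % len(data))
    _session, run_count, focus_count, focus_ms = struct.unpack_from("<IIII", data, 0)
    (last_ft,) = struct.unpack_from("<Q", data, 60)
    return {
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_ms": focus_ms,
        # A zero FILETIME means the entry has no recorded execution.
        "last_executed": from_filetime(last_ft) if last_ft else None,
    }


# Constructed record (not data from the image): run 3 times, last executed 2020-03-20 12:38:34 UTC.
SAMPLE_RECORD = (struct.pack("<IIII", 0, 3, 5, 12000) + b"\x00" * 44
                 + struct.pack("<Q", to_filetime(datetime(2020, 3, 20, 12, 38, 34, tzinfo=timezone.utc)))
                 + b"\x00" * 4)


if __name__ == "__main__":
    for e in parse_printkey(SAMPLE_PRINTKEY):
        print(("[ctr] " if e["control"] else "[run] ") + e["name"])
    print(parse_win7_record(SAMPLE_RECORD))
```

Volatility 2.6 also ships a `userassist` plugin that decodes names and the count/timestamp fields in one step; the helper is for when all you kept is the printkey text, or when you want the last-execution times next to the MFT timeline.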


So all that's left is filescan.

$ vol.py -f for1.raw --profile=Win7SP1x86 filescan | grep "Desktop"
Volatility Foundation Volatility Framework 2.6
0x000000001e200038      2      1 R--rwd \Device\HarddiskVolume2\Users\studio\Desktop
0x000000001e203d58      2      1 R--rwd \Device\HarddiskVolume2\Users\Public\Desktop
0x000000001e203e10      2      1 R--rwd \Device\HarddiskVolume2\Users\Public\Desktop
0x000000001e246af0      2      1 R--rwd \Device\HarddiskVolume2\Users\studio\Desktop
0x000000001e24a0e8      2      1 R--rwd \Device\HarddiskVolume2\Users\studio\Desktop\steghide
0x000000001e24bcd0      2      1 R--rwd \Device\HarddiskVolume2\Users\studio\Desktop\steghide
0x000000001e45e730      8      0 R--rwd \Device\HarddiskVolume2\Users\studio\Desktop\DS0394.jpg
0x000000001e5cbe40      8      0 R--rwd \Device\HarddiskVolume2\Users\Public\Desktop\desktop.ini
0x000000001ed2fa30      8      0 R--rwd \Device\HarddiskVolume2\Users\studio\Desktop\desktop.ini
0x000000001ee76f80      8      0 R--rwd \Device\HarddiskVolume2\Users\studio\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini

There's steghide and a photo.

Unbelievable.

$ vol.py -f for1.raw --profile=Win7SP1x86 mftparser | grep Desktop
Volatility Foundation Volatility Framework 2.6
2020-03-20 21:06:46 UTC+0000 2020-03-20 21:06:46 UTC+0000   2020-03-20 21:06:46 UTC+0000   2020-03-20 21:06:46 UTC+0000   Desktop.ini
2020-03-20 21:06:46 UTC+0000 2020-03-20 21:06:46 UTC+0000   2020-03-20 21:06:46 UTC+0000   2020-03-20 21:06:46 UTC+0000   Scenes\Desktop.ini
2020-03-20 21:06:46 UTC+0000 2020-03-20 21:06:46 UTC+0000   2020-03-20 21:06:46 UTC+0000   2020-03-20 21:06:46 UTC+0000   Desktop.ini
2020-03-20 12:19:20 UTC+0000 2020-03-20 12:19:20 UTC+0000   2020-03-20 12:19:20 UTC+0000   2020-03-20 12:19:20 UTC+0000   Users\Public\Desktop\GOOGLE~1.LNK
2020-03-20 12:19:20 UTC+0000 2020-03-20 12:19:20 UTC+0000   2020-03-20 12:19:20 UTC+0000   2020-03-20 12:19:20 UTC+0000   Users\Public\Desktop\Google Chrome.lnk
2020-03-20 12:35:00 UTC+0000 2020-03-20 12:35:00 UTC+0000   2020-03-20 12:35:00 UTC+0000   2020-03-20 12:35:00 UTC+0000   Users\studio\Desktop\steghide
2020-03-20 21:05:22 UTC+0000 2020-03-20 21:05:22 UTC+0000   2020-03-20 21:05:22 UTC+0000   2020-03-20 21:05:22 UTC+0000   DesktopWindowsMgmt.dll
2020-03-20 21:05:22 UTC+0000 2020-03-20 21:05:22 UTC+0000   2020-03-20 21:05:22 UTC+0000   2020-03-20 21:05:22 UTC+0000   DesktopWindowsMgmt.dll
2020-03-20 12:33:35 UTC+0000 2020-03-20 12:33:35 UTC+0000   2020-03-20 12:33:35 UTC+0000   2020-03-20 12:33:35 UTC+0000   Users\studio\Desktop\DS0394.jpg
2020-03-20 12:35:00 UTC+0000 2020-03-20 12:35:00 UTC+0000   2020-03-20 12:35:00 UTC+0000   2020-03-20 12:35:00 UTC+0000   Users\studio\Desktop\steghide\todo.txt
2020-03-20 12:15:02 UTC+0000 2020-03-20 12:15:02 UTC+0000   2020-03-20 12:15:02 UTC+0000   2020-03-20 12:15:02 UTC+0000   Users\studio\AppData\Roaming\MICROS~1\Windows\SendTo\Desktop.ini
2020-03-20 12:15:02 UTC+0000 2020-03-20 12:15:02 UTC+0000   2020-03-20 12:15:02 UTC+0000   2020-03-20 12:15:02 UTC+0000   Users\studio\AppData\Roaming\MICROS~1\Windows\SendTo\Desktop (create shortcut).DeskLink
2020-03-20 12:15:02 UTC+0000 2020-03-20 12:15:02 UTC+0000   2020-03-20 12:15:02 UTC+0000   2020-03-20 12:15:02 UTC+0000   Users\studio\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\MAINTE~1\Desktop.ini
2020-03-20 21:05:08 UTC+0000 2020-03-20 21:05:08 UTC+0000   2020-03-20 21:05:08 UTC+0000   2020-03-20 21:05:08 UTC+0000   Microsoft-Windows-RemoteDesktopClient-BlueIP-Package~31bf3856ad364e35~x86~en-US~7.2.7601.16415.cat
2020-03-20 21:05:08 UTC+0000 2020-03-20 21:05:08 UTC+0000   2020-03-20 21:05:08 UTC+0000   2020-03-20 21:05:08 UTC+0000   Microsoft-Windows-RemoteDesktopClient-BlueIP-Package~31bf3856ad364e35~x86~en-US~7.2.7601.16415.cat
2020-03-20 12:35:00 UTC+0000 2020-03-20 12:35:00 UTC+0000   2020-03-20 12:35:00 UTC+0000   2020-03-20 12:35:00 UTC+0000   Users\studio\Desktop\steghide\MANUAL~1.PDF
2020-03-20 12:35:00 UTC+0000 2020-03-20 12:35:00 UTC+0000   2020-03-20 12:35:00 UTC+0000   2020-03-20 12:35:00 UTC+0000   Users\studio\Desktop\steghide\manual_es.pdf
2020-03-20 21:06:46 UTC+0000 2020-03-20 21:06:46 UTC+0000   2020-03-20 21:06:46 UTC+0000   2020-03-20 21:06:46 UTC+0000   Desktop.ini
2020-03-20 21:06:46 UTC+0000 2020-03-20 21:06:46 UTC+0000   2020-03-20 21:06:46 UTC+0000   2020-03-20 21:06:46 UTC+0000   Users\Public\Desktop\desktop.ini
2020-03-20 12:35:00 UTC+0000 2020-03-20 12:35:00 UTC+0000   2020-03-20 12:35:00 UTC+0000   2020-03-20 12:35:00 UTC+0000   Users\studio\Desktop\steghide\cygwin1.dll
2020-03-20 12:35:00 UTC+0000 2020-03-20 12:35:00 UTC+0000   2020-03-20 12:35:00 UTC+0000   2020-03-20 12:35:00 UTC+0000   Users\studio\Desktop\steghide\bugs.txt
2020-03-20 12:35:00 UTC+0000 2020-03-20 12:35:00 UTC+0000   2020-03-20 12:35:00 UTC+0000   2020-03-20 12:35:00 UTC+0000   Users\studio\Desktop\steghide\copying.txt
2020-03-20 12:15:02 UTC+0000 2020-03-20 12:15:02 UTC+0000   2020-03-20 12:15:02 UTC+0000   2020-03-20 12:15:02 UTC+0000   Users\studio\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\ACCESS~1\Accessibility\Desktop.ini
2020-03-20 12:15:02 UTC+0000 2020-03-20 12:15:02 UTC+0000   2020-03-20 12:15:02 UTC+0000   2020-03-20 12:15:02 UTC+0000   Users\studio\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\ACCESS~1\Desktop.ini
2020-03-20 12:15:02 UTC+0000 2020-03-20 12:15:02 UTC+0000   2020-03-20 12:15:02 UTC+0000   2020-03-20 12:15:02 UTC+0000   Users\studio\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\Shows Desktop.lnk
2020-03-20 12:15:02 UTC+0000 2020-03-20 12:15:02 UTC+0000   2020-03-20 12:15:02 UTC+0000   2020-03-20 12:15:02 UTC+0000   Users\studio\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\ACCESS~1\System Tools\Desktop.ini
2020-03-20 12:15:20 UTC+0000 2020-03-20 12:15:20 UTC+0000   2020-03-20 12:15:20 UTC+0000   2020-03-20 12:15:20 UTC+0000   Users\studio\Links\Desktop.lnk
00000000b0: 75 64 69 6f 5c 44 65 73 6b 74 6f 70 00 0a 00 2e   udio\Desktop....
2020-03-20 21:05:03 UTC+0000 2020-03-20 21:05:03 UTC+0000   2020-03-20 21:05:03 UTC+0000   2020-03-20 21:05:03 UTC+0000   Users\Public\Desktop
2020-03-20 12:15:02 UTC+0000 2020-03-20 12:15:02 UTC+0000   2020-03-20 12:15:02 UTC+0000   2020-03-20 12:15:02 UTC+0000   Users\studio\Desktop
2020-03-20 21:06:46 UTC+0000 2020-03-20 21:06:46 UTC+0000   2020-03-20 21:06:46 UTC+0000   2020-03-20 21:06:46 UTC+0000   Desktop.ini
2020-03-20 21:07:40 UTC+0000 2020-03-20 21:07:40 UTC+0000   2020-03-20 21:07:40 UTC+0000   2020-03-20 21:07:40 UTC+0000   ProgramData\Desktop
2020-03-20 21:06:46 UTC+0000 2020-03-20 21:06:46 UTC+0000   2020-03-20 21:06:46 UTC+0000   2020-03-20 21:06:46 UTC+0000   ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini

I don't know the challenge author's time zone, but the clock in the screenshot earlier showed 11:39, the creation time of DS0394.jpg is 2020-03-20 12:33:35 UTC+0000, and, funnier still, the creation time of steghide is 2020-03-20 12:35:00 UTC+0000.
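To make the ordering pointed out above explicit, here is an added Python example (not part of the writeup) that parses mftparser rows into a creation-time timeline for the Desktop, skips the hexdump fragment that `grep Desktop` also matched, measures the gap between the photo and the steghide directory, and re-expresses a timestamp in a candidate UTC offset. The rows are a subset of the output above, embedded so the example runs offline; the image's real time zone is not known, so any offset passed to `as_local` is an assumption.

```python
import re
from datetime import datetime, timedelta, timezone

# Subset of the mftparser | grep Desktop output above, embedded so the example runs offline.
# The last line is the hexdump fragment grep also matched; the parser must skip it.
MFT_LINES = [
    r"2020-03-20 12:19:20 UTC+0000 2020-03-20 12:19:20 UTC+0000   2020-03-20 12:19:20 UTC+0000   2020-03-20 12:19:20 UTC+0000   Users\Public\Desktop\Google Chrome.lnk",
    r"2020-03-20 12:35:00 UTC+0000 2020-03-20 12:35:00 UTC+0000   2020-03-20 12:35:00 UTC+0000   2020-03-20 12:35:00 UTC+0000   Users\studio\Desktop\steghide",
    r"2020-03-20 12:33:35 UTC+0000 2020-03-20 12:33:35 UTC+0000   2020-03-20 12:33:35 UTC+0000   2020-03-20 12:33:35 UTC+0000   Users\studio\Desktop\DS0394.jpg",
    r"2020-03-20 12:35:00 UTC+0000 2020-03-20 12:35:00 UTC+0000   2020-03-20 12:35:00 UTC+0000   2020-03-20 12:35:00 UTC+0000   Users\studio\Desktop\steghide\todo.txt",
    r"2020-03-20 12:15:02 UTC+0000 2020-03-20 12:15:02 UTC+0000   2020-03-20 12:15:02 UTC+0000   2020-03-20 12:15:02 UTC+0000   Users\studio\Desktop",
    r"2020-03-20 21:06:46 UTC+0000 2020-03-20 21:06:46 UTC+0000   2020-03-20 21:06:46 UTC+0000   2020-03-20 21:06:46 UTC+0000   Users\Public\Desktop\desktop.ini",
    r"00000000b0: 75 64 69 6f 5c 44 65 73 6b 74 6f 70 00 0a 00 2e   udio\Desktop....",
]

# mftparser prints four timestamps (creation, modified, MFT altered, access) and then the path.
TS = r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC\+0000"
LINE_RE = re.compile(r"^" + TS + r"\s+" + TS + r"\s+" + TS + r"\s+" + TS + r"\s+(.+?)\s*$")
COLUMNS = ("created", "modified", "mft_altered", "accessed")


def parse_mft_line(line):
    """Parse one mftparser row into aware UTC datetimes plus the path; None for non-rows."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = {col: datetime.strptime(m.group(i + 1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
             for i, col in enumerate(COLUMNS)}
    entry["path"] = m.group(5)
    return entry


def build_timeline(lines, path_prefix=""):
    """Rows under path_prefix, ordered by creation time (then path) so earlier events come first."""
    rows = [e for e in map(parse_mft_line, lines) if e and e["path"].startswith(path_prefix)]
    return sorted(rows, key=lambda e: (e["created"], e["path"]))


def creation_gap(timeline, earlier_path, later_path):
    """Seconds from the creation of earlier_path to the creation of later_path."""
    by_path = {e["path"]: e for e in timeline}
    return (by_path[later_path]["created"] - by_path[earlier_path]["created"]).total_seconds()


def as_local(dt, utc_offset_hours):
    """Re-express a UTC timestamp in a candidate local zone; the image's zone is an assumption."""
    return dt.astimezone(timezone(timedelta(hours=utc_offset_hours)))


if __name__ == "__main__":
    tl = build_timeline(MFT_LINES, r"Users\studio\Desktop")
    for e in tl:
        print(e["created"].strftime("%H:%M:%S"), e["path"])
    gap = creation_gap(tl, r"Users\studio\Desktop\DS0394.jpg", r"Users\studio\Desktop\steghide")
    print("photo -> steghide directory:", gap, "seconds")
```

Sorting on the creation column rather than on the order grep returns the rows is what makes the sequence visible: the Desktop folder first, then the photo, then the steghide directory and its contents 85 seconds later.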


$ vol.py -f for1.raw --profile=Win7SP1x86 dumpfiles -Q 0x000000001e45e730 -D ./
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0x1e45e730   None   \Device\HarddiskVolume2\Users\studio\Desktop\DS0394.jpg

This is the extracted image.

But it still has to be extracted with steghide.


The passphrase seemed like it should be the Messi2020 seen earlier with mimikatz, but it isn't.

Looking at the photo, it was taken in 2019, so I tried Messi2019 and it worked.

PS C:\Users\CHIqueen\Downloads\steghide> .\steghide.exe extract -sf .\DS0394.jpg
Enter passphrase: 
wrote extracted data to "image.png".

Securinets{c7e2723752111ed983249627a3d752d6}