Topic: help needed for a cyber challenge - level 5

neusbeer
help needed for a cyber challenge - level 5
« on: April 20, 2014, 12:55:53 pm »
Hey guys,

Can anyone help me with this? I'm busy with a cyber challenge, and working on challenge 5.

Story: Pjotr is communicating with somebody else who calls the shots. Pjotr is a hacker or something;
the challenge is about investigating a murder.

Now in challenge 5 ...
I got a memory dump (Linux), and I have to find
the name of a file (and within that file a username and password) which has been sent
by Pjotr. I found 1 mail where he's asking about the money after the file transfer 2 weeks ago.

I can't use Volatility, because I'm not sure which Linux rep it is.
I used (in Kali Linux) bulk_extractor and got some info (also a pcap):
https://dl.dropboxusercontent.com/u/4378489/cyberchallenge/packets.pcap

But still no clue about the asked file.

Anyone can help? Tips on how to read the raw mem?

NB, it's in Dutch :-)

File: https://dl.dropboxusercontent.com/u/4378489/cyberchallenge/mail.zegzv.be.RAWmemory.bz2
« Last Edit: April 20, 2014, 08:04:03 pm by neusbeer »
--Neusbeer

Architect
Re: help needed for a cyber challenge - level 5
« Reply #1 on: April 21, 2014, 02:37:55 am »
I've fiddled with it now for over an hour, trying to find a file name and password. But all I can come up with is this data:

From wireshark:

Code:
Received: from [213.5.232.200] (unknown [213.5.232.200])
    by mail.snel-adsl.nl (Postfix) with ESMTP id BE81E44038
    for <boris@mail.zegzv.be>; Tue, 15 Apr 2014 13:59:04 +0200 (CEST)
Message-ID: <534D1F21.2060704@snel-adsl.nl>
Date: Tue, 15 Apr 2014 13:59:29 +0200
From: Pjotr Nowak <pjotr@snel-adsl.nl>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: boris@mail.zegzv.be
Subject: hee!!
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

nou ben ik het zat, ik heb je die file 2 weken geleden al gemaild, waar
blijft me geld!!

(roughly meaning "Well, I am tired, it's been two weeks since the file was emailed, where's my money!")
.
QUIT

Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Referer: http://mail.zegzv.be/src/compose.php?passed_id=5&mailbox=INBOX&startMessage=1&passed_ent_id=0&smaction=reply
Accept-Language: nl-NL
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: mail.zegzv.be
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: squirrelmail_language=deleted; SQMSESSID=00t7e814dqruubu6s305g6ovs0; key=3%2F01kjNRF4Jj

EHLO mail.snel-adsl.nl

MAIL FROM:<pjotr@snel-adsl.nl> SIZE=648
RCPT TO:<boris@mail.zegzv.be> ORCPT=rfc822;boris@mail.zegzv.be
DATA

This gave me his IP, the sender (Pjotr) and recipient (Boris) and the user agent which can further identify his browser/OS, and not to mention his Squirrel Mail session ID:

OS: Windows 7 64bit rv:30.0 on a desktop
Browser: Firefox 30 (Release date: Tue, June 10, 2014)
Squirrelmail session token: SQMSESSID=00t7e814dqruubu6s305g6ovs0; key=3%2F01kjNRF4Jj
SM token: Pve9I1OKwdGi

But aside from the email and the names and other info, I haven't found a reference to any files.
I tried analysing every TCP/HTTP/SMTP header and various filters.

neusbeer
Re: help needed for a cyber challenge - level 5
« Reply #2 on: April 21, 2014, 10:58:52 am »
Yeah, that mail I found, where Pjotr is angry and demanding his money.
Used the same way with Wireshark, but I thought I missed something.

I wasn't 100% complete with the info; they also gave a vmdk file besides the raw mem file.
http://ccc.tweakzones.net/mail.zegzv.be.vmdk.tar.bz2
It's encrypted.

But maybe I need both files to get the answer.

The pcap is just a part of that memdump, so it could be somewhere else in the dump.
« Last Edit: April 21, 2014, 05:58:33 pm by neusbeer »
--Neusbeer

Architect
Re: help needed for a cyber challenge - level 5
« Reply #3 on: April 21, 2014, 09:29:00 pm »
Ah, I see. Well, this just got more fun then, considering images are easier to handle, although usually much larger. If you want, you can take a look at it with Forensic Toolkit or Sleuthkit. Mount the image read-only, and check the files and programs installed. Maybe you could check the md5sums and shit against the normal ones, but that would take so long I don't even recommend it.

But since you have the actual image of Pjotr's(?) machine it should make it easy for you to find out what he was doing and when. You should even be able to learn his locations, hotspots, email passwords, browser history, and other habits. This should build a pretty good casefile against the hacker.

Edit: You should be able to find the password to the VM in the raw memory dump.
Edit2: I forgot to mention EnCase for checking sums and other shit.
« Last Edit: April 21, 2014, 09:36:56 pm by Architect »
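The "mount the image read-only" step above, as an added example that is not code from anyone in this thread. It assumes the VMDK has first been converted to a raw image (for instance with `qemu-img convert -O raw mail.zegzv.be.vmdk mail.zegzv.be.raw`; the output name is an assumption), then uses the partition listing from Sleuth Kit's `mmls` to compute the byte offset that `mount -o offset=` needs. The `mmls` output embedded below is constructed for illustration and is not taken from the challenge image.

```shell
#!/bin/sh
# Added example for this thread (not from any poster). Works out the byte
# offset of the first Linux partition from an mmls listing and builds a
# read-only loop mount command for it. Only the command is printed here,
# because mounting needs root and the real image.

# Constructed mmls output (not from the challenge image).
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0001026047   0001024000   Linux (0x83)
003:  000:001   0001026048   0041943039   0040916992   Linux (0x83)'

# Assumed name of the converted raw image.
IMAGE="mail.zegzv.be.raw"

# partition_offset MMLS_TEXT
# Prints start_sector * sector_size for the first "Linux (0x83)" partition.
partition_offset() {
  printf '%s\n' "$1" | awk '
    /Units are in/      { u = $4; gsub(/[^0-9]/, "", u); unit = u + 0 }
    /Linux \(0x83\)/ && !done { printf "%d\n", $3 * unit; done = 1 }
  '
}

# mount_cmd IMAGE OFFSET MOUNTPOINT
# ro        never write to evidence
# loop      plain file, not a block device
# offset=   skip to the partition inside the whole-disk image
# noload    ext3/ext4: do not replay the journal (replay would modify the image)
# noexec,nodev  nothing from the suspect filesystem gets executed on the analyst box
mount_cmd() {
  printf 'mount -o ro,loop,noexec,nodev,offset=%s,noload %s %s\n' "$2" "$1" "$3"
}

OFFSET=$(partition_offset "$SAMPLE_MMLS")
mount_cmd "$IMAGE" "$OFFSET" /mnt/evidence
```

If `mmls` shows the partition as LVM instead of a plain filesystem, attach it with `losetup -r -o <offset>` and activate the volume group before mounting the logical volumes read-only; the offset arithmetic is the same.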

neusbeer
Re: help needed for a cyber challenge - level 5
« Reply #4 on: April 21, 2014, 10:49:35 pm »
I can't get it to work; when I add it to VirtualBox it gives errors.
Gonna do string searches in the hope of finding something,
and try out Sleuthkit.
« Last Edit: April 21, 2014, 11:08:43 pm by neusbeer »
--Neusbeer

Architect
Re: help needed for a cyber challenge - level 5
« Reply #5 on: April 22, 2014, 03:24:54 am »
If you do manage to get it to work, or somehow or another mount the damn thing:
http://old.honeynet.org/scans/scan29/sol/spidernick/Scan29.pdf

That's the solution to a forensics "Scan of the Month" in which a compromised Linux Red Hat system was analyzed by a shit ton of security researchers/trainees. It might point you in the right direction. Good luck.
« Last Edit: April 22, 2014, 03:37:16 am by Architect »

Ruffnekk
Re: help needed for a cyber challenge - level 5
« Reply #6 on: May 01, 2014, 04:10:34 pm »
I'm also working on this challenge and I want to clarify that the raw memory dump and the image file are from the virtual mail server of the recipient's email provider. We need to find the filename of the attachment and the username and password that is stored within it, in a particular email received by "boris" and sent by "pjotr". So far, I have the ID of the email that contains the attachment, but nothing else yet. When I get home later I will download the vmdk image and try to mount it and analyze it using Sleuthkit or similar tools.
« Last Edit: May 01, 2014, 04:14:46 pm by Ruffnekk »

Ruffnekk
Re: help needed for a cyber challenge - level 5
« Reply #7 on: May 02, 2014, 09:29:24 am »
To follow up my previous post:
Yesterday I managed to mount the disk image using OSForensics (http://www.osforensics.com/download.html). Analyzing with the same tool, I came across some deleted files that could be undeleted, but I could not find any credentials in these.
The filesystem has a lot of files, mostly .mod in a i386 directory, but I haven't gotten around viewing/analyzing those yet.
The Linux kernel system used is 3.11.0.12.13-generic (Ubuntu distro).
I'm still trying to figure out how to use the filesystem in combination with the memory image to determine which file was attached to the email... anyone?
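One way to attack both questions in this thread (the OP's "tips on how to read the raw mem" and the question above of which file was attached to the mail) without a Volatility profile: treat the dump as a flat byte buffer and carve MIME parts out of it. A mail server keeps the SMTP DATA stream, the spool file and the page cache in RAM, so the message usually sits there in clear text, often more than once. The script below is an added example and is not code from any poster; it scans for `Content-Disposition: attachment` headers, takes the part body up to the next boundary line, base64-decodes it when the part says so, and then greps the result for credential-looking lines. The sample buffer, the boundary, the filename `voorbeeld.txt` and the credentials in it are constructed for illustration; only the sender and recipient addresses come from the thread.

```python
"""Carve MIME attachments out of a raw byte buffer (memory dump, pcap or
spool) and look for credential-like lines inside them.
Added example for this thread, not code from any of the posters."""
import base64
import hashlib
import quopri
import re
from typing import Dict, List, NamedTuple


class Attachment(NamedTuple):
    offset: int      # byte offset of the Content-Disposition header in the buffer
    filename: str
    encoding: str    # Content-Transfer-Encoding of the part, "" if none seen
    data: bytes      # decoded part body


# Content-Disposition: attachment; filename="creds.txt"   (quotes optional)
_DISPOSITION = re.compile(
    rb'Content-Disposition:[ \t]*attachment;[^\r\n]*?filename=[ \t]*"?([^";\r\n]+)"?',
    re.IGNORECASE)
_ENCODING = re.compile(rb'Content-Transfer-Encoding:[ \t]*([\w-]+)', re.IGNORECASE)
# A MIME boundary line starts with "--"; the closing one ends with "--" too.
_BOUNDARY = re.compile(rb'^--[^\r\n]+\r?$', re.MULTILINE)
# Lines such as "username: alice", "user=bob", "Password: s3cret"
_CRED = re.compile(r'^\s*(user(?:name)?|login|pass(?:word|wd)?)\s*[:=]\s*(\S+)',
                   re.IGNORECASE | re.MULTILINE)


def _header_end(buf: bytes, start: int) -> int:
    """Index just past the blank line that closes the part header."""
    ends = [buf.find(sep, start) + len(sep)
            for sep in (b'\r\n\r\n', b'\n\n') if buf.find(sep, start) != -1]
    return min(ends) if ends else len(buf)


def carve_attachments(buf: bytes) -> List[Attachment]:
    found: List[Attachment] = []
    seen = set()
    for m in _DISPOSITION.finditer(buf):
        # Part header starts after the previous blank line (or at buffer start).
        idx, sep = max((buf.rfind(s, 0, m.start()), s) for s in (b'\r\n\r\n', b'\n\n'))
        hdr_start = idx + len(sep) if idx != -1 else 0
        body_start = _header_end(buf, m.end())
        header = buf[hdr_start:body_start]
        enc_m = _ENCODING.search(header)
        encoding = enc_m.group(1).decode('ascii', 'replace').lower() if enc_m else ''
        # Body runs to the next boundary line; a torn page simply ends at EOF.
        b = _BOUNDARY.search(buf, body_start)
        raw = buf[body_start:b.start() if b else len(buf)].strip()
        if encoding == 'base64':
            clean = re.sub(rb'[^A-Za-z0-9+/=]', b'', raw)   # drop CRLF and stray bytes
            clean = clean[:len(clean) - len(clean) % 4]
            try:
                data = base64.b64decode(clean)
            except ValueError:
                continue
        elif encoding == 'quoted-printable':
            data = quopri.decodestring(raw)
        else:
            data = raw
        digest = hashlib.sha1(data).hexdigest()
        if digest in seen:        # the same message is often in RAM several times
            continue
        seen.add(digest)
        found.append(Attachment(m.start(), m.group(1).decode('latin-1').strip(),
                                encoding, data))
    return found


def find_credentials(att: Attachment) -> Dict[str, str]:
    text = att.data.decode('utf-8', 'replace')
    return {k.lower(): v for k, v in _CRED.findall(text)}


def build_sample_dump() -> bytes:
    """Constructed stand-in for a slice of memory: junk, one SMTP DATA
    transaction with a base64 attachment, junk, and the message again."""
    body = b'username: alice\npassword: s3cret-example\n'   # made-up credentials
    msg = (b'MAIL FROM:<pjotr@snel-adsl.nl> SIZE=648\r\n'
           b'RCPT TO:<boris@mail.zegzv.be>\r\nDATA\r\n'
           b'From: Pjotr Nowak <pjotr@snel-adsl.nl>\r\nTo: boris@mail.zegzv.be\r\n'
           b'Subject: file\r\nMIME-Version: 1.0\r\n'
           b'Content-Type: multipart/mixed; boundary="xyz-constructed"\r\n\r\n'
           b'--xyz-constructed\r\nContent-Type: text/plain; charset=ISO-8859-1\r\n\r\n'
           b'hier is die file\r\n'
           b'--xyz-constructed\r\nContent-Type: text/plain; name="voorbeeld.txt"\r\n'
           b'Content-Transfer-Encoding: base64\r\n'
           b'Content-Disposition: attachment; filename="voorbeeld.txt"\r\n\r\n'
           + base64.encodebytes(body).replace(b'\n', b'\r\n') +
           b'--xyz-constructed--\r\n.\r\nQUIT\r\n')
    return b'\x00' * 64 + b'\x7fELF junk' + msg + b'\xff' * 32 + msg


if __name__ == '__main__':
    for att in carve_attachments(build_sample_dump()):
        print(hex(att.offset), att.filename, att.encoding, find_credentials(att))
```

On a real dump, read the decompressed file with `mmap` instead of `build_sample_dump()`; the regexes work on the mapped object unchanged. Attachments that straddle two non-adjacent physical pages come out truncated or not at all, which is the usual reason to fall back to a Volatility profile built for the exact kernel (3.11.0-12-generic, per the post above) once it is known.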

Stackprotector (Administrator)
Re: help needed for a cyber challenge - level 5
« Reply #8 on: May 02, 2014, 11:20:30 am »
Quote from: Ruffnekk on May 02, 2014, 09:29:24 am
> To follow up my previous post:
> Yesterday I managed to mount the disk image using OSForensics (http://www.osforensics.com/download.html). Analyzing with the same tool, I came across some deleted files that could be undeleted, but I could not find any credentials in these.
> The filesystem has a lot of files, mostly .mod in a i386 directory, but I haven't gotten around viewing/analyzing those yet.
> The Linux kernel system used is 3.11.0.12.13-generic (Ubuntu distro).
> I'm still trying to figure out how to use the filesystem in combination with the memory image to determine which file was attached to the email... anyone?

Did you try Volatility (https://code.google.com/p/volatility/) and see what apps are running? I did this challenge last year and was in the first 100, but this year it sounds like it's almost the same and I don't have time for that.
~Factionwars

Ruffnekk
Re: help needed for a cyber challenge - level 5
« Reply #9 on: May 02, 2014, 01:12:47 pm »
Quote from: Stackprotector on May 02, 2014, 11:20:30 am
> Did you try volatility https://code.google.com/p/volatility/ and see what apps are running? I did this challenge last year and was in the first 100 but this year it sounds like it's almost the same and i don't have time for that.

No, I haven't tried that yet, but thanks for the tip. I will try it tonight ;)