LetsDefend — PDFURI Challenge Walkthrough
Forensic Endpoint Investigation with FTK Imager, DB Browser, PDFStreamDumper, & Registry Explorer
Introduction:
Hello — Thanks for joining me for this weekly walkthrough!
This week I am going to tackle the medium difficulty PDFURI blue team challenge over on LetsDefend. This challenge uses a hosted virtual machine analysis environment on LetsDefend so that the challenge can be completed in a web browser! The virtual machine also comes with a ton of cool tools pre-installed to help us complete the challenge. It’s a fantastic opportunity to try out some new tools and get creative while analyzing a forensic image of a victim’s hard drive.
As always, this write up will serve as a learning notebook for me and a LetsDefend challenge walkthrough for anyone else who stumbles upon this post. Thanks for reading along, hope it helps!
Challenge Link: https://app.letsdefend.io/challenge/pdfuri
Challenge Scenario:
Our friend “Dee” was looking for a job in Tanta, but it seems she was hacked by one of the malicious websites, so can you examine her hard drive and find some evidence?
Question 1: What is the MD5 hash of the malicious document?
Alright, let’s start this off by launching our Lab Environment and unzipping the challenge file. From the challenge scenario, we know that we are going to be examining the victim’s hard drive, right? So, let’s check out the Tools folder on the Desktop and see what our analysis environment has installed for us to use:
It looks like we have FTK Imager available! If you aren’t familiar, FTK Imager is a forensic disk imaging tool. In this case, we will use it to mount the victim’s disk image (the challenge file) so that we can analyze the file system within the forensic image, search for files and folders, and even extract artifacts from the image!
Let’s launch FTK Imager and load the image file by pressing File > Add Evidence Item > Image File > Select the extracted Challenge File (PDFURI.001). Now that we have mounted the image, we can expand the evidence tree and browse the disk artifacts.
Since our scenario says the victim was searching for a job, maybe they downloaded a malicious file during their search? Let’s start simple and browse to the user’s Downloads folder within FTK (PDFURI.001 > NONAME [NTFS] > [root]\Users\Work\Downloads) and see if we can find the malicious document to answer Question 1.
Hey, we found something of interest — a job application (Application.pdf) in the victim’s Downloads folder! Fortunately for us, we can quickly collect the file hash of this artifact by right-clicking the file and using the Export File Hash function. This will allow us to export the MD5 & SHA1 hashes to a text file for evidence.
Let’s check our export, copy the MD5 hash, and submit the answer to confirm our findings.
Question 2: What is the domain from which the document was downloaded?
Since we know the victim downloaded the file from a website, let’s check if we can locate the download source. A good starting point will be to check if there are any interesting artifacts in the web browser databases. So, our plan is to try to extract the History database file from the disk image and view it with another one of our installed tools, DB Browser.
Before we go further, let’s pull back and reference a handy cheat sheet from Foxton Forensics on the web browser databases:
This article applies to Google Chrome, but since Microsoft Edge has been Chromium-based since 2019, it applies to either browser on the victim’s system.
Let’s head back into FTK Imager and check which browser the victim used to download the malicious application. Navigate to PDFURI.001 > NONAME [NTFS] > [root]\Users\Work\AppData\Local.
In the directory we do not see any reference to Google as we would expect from the cheat sheet, but we do see Microsoft, so the user probably used Microsoft Edge as their browser. Now, let’s navigate to Microsoft\Edge\User Data\Default.
Right-Click on the Default folder and select export files — this will allow us to extract the contents of the entire Default folder including the browser databases so that we can view them.
Now, we will load up DB Browser (SQLite) from our Tools folder. Once it is open, press Open Database and select the History database. Now we can select the Browse Data tab and browse the tables within it.
Referencing the cheat sheet we understand:
Downloads are stored in the ‘History’ SQLite database, within the ‘downloads’ and ‘downloads_url_chains’ tables.
Let’s start with the downloads and downloads_url_chains tables and see what we find. Unfortunately, both come up empty, so let’s pivot and explore the victim’s browsing history instead.
We’ll select the URLs table and browse through the URL history. After reviewing the entries, we start to piece together the victim’s browsing history and then, we stumble across this entry:
It looks like we located the domain of the Application.pdf file we found earlier — nice work!
Question 3: What is the email address of the victim?
Okay, let’s stick with DB Browser (SQLite) and continue searching for data in the Microsoft Edge browser databases. Let’s think about where the victim’s email address might be stored — maybe they saved it as an autofill item in the browser to save time during their job search?
If we go back to our Foxton Forensics reference and search for autofill, we find the following information:
Form History is stored in the ‘Web Data’ SQLite database, within the ‘autofill’ table. Older versions of Chrome stored associated dates within an ‘autofill_dates’ table.
Why don’t we check it out? We’ll go ahead and open the Web Data database and browse the autofill table…
There we go! I think we found the answer to Question 3. Let’s submit it and move on.
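To make the two database lookups from Questions 2 and 3 repeatable, here is an added Python example that is not part of the original walkthrough or of any LetsDefend or Foxton Forensics material. It builds constructed in-memory stand-ins for the Edge History (urls, downloads, downloads_url_chains) and Web Data (autofill) databases, with placeholder hostnames and a placeholder e-mail address, then runs the same triage we did by hand in DB Browser: look for the download in the downloads chain first, fall back to the urls table when that is empty, and pull e-mail-shaped values out of autofill. Against a real export you would open the exported History and Web Data files with sqlite3.connect instead of the build_sample_* helpers.

```python
import re
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Chromium (Chrome and Edge) History timestamps: microseconds since 1601-01-01 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(us):
    """Convert a WebKit/Chromium microsecond timestamp to an aware datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=int(us))


def datetime_to_webkit(dt):
    """Inverse of webkit_to_datetime, done in integers so large values stay exact."""
    delta = dt - WEBKIT_EPOCH
    return (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds


def build_sample_history():
    """Constructed stand-in for the Edge 'History' database (a subset of the real
    schema). The downloads tables are left empty, as they were in the challenge."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                          visit_count INTEGER, typed_count INTEGER,
                          last_visit_time INTEGER, hidden INTEGER);
        CREATE TABLE downloads(id INTEGER PRIMARY KEY, target_path TEXT,
                               start_time INTEGER, tab_url TEXT);
        CREATE TABLE downloads_url_chains(id INTEGER, chain_index INTEGER, url TEXT);
    """)
    t0 = datetime_to_webkit(datetime(2023, 9, 1, 10, 30, tzinfo=timezone.utc))
    rows = [  # constructed browsing history; hostnames are placeholders
        ("https://www.bing.com/search?q=jobs+in+tanta", "jobs in tanta - Search", 2, 2, t0, 0),
        ("https://jobs.example-constructed.test/careers", "Careers", 1, 0, t0 + 60_000_000, 0),
        ("https://jobs.example-constructed.test/files/Application.pdf", "", 1, 0, t0 + 120_000_000, 0),
    ]
    conn.executemany("INSERT INTO urls(url, title, visit_count, typed_count, "
                     "last_visit_time, hidden) VALUES (?, ?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def find_download_source(conn, filename):
    """Where did <filename> come from? Check the downloads chain first (the
    cheat-sheet location), then fall back to the urls table when it is empty."""
    like = f"%{filename}"
    hits = conn.execute(
        "SELECT c.url, d.start_time FROM downloads d "
        "JOIN downloads_url_chains c ON c.id = d.id "
        "WHERE d.target_path LIKE ? ORDER BY c.chain_index", (like,)).fetchall()
    if not hits:
        hits = conn.execute(
            "SELECT url, last_visit_time FROM urls WHERE url LIKE ? "
            "ORDER BY last_visit_time", (like,)).fetchall()
    return [(urlparse(u).hostname, u, webkit_to_datetime(ts).isoformat())
            for u, ts in hits]


def build_sample_webdata():
    """Constructed stand-in for the 'Web Data' database's autofill table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE autofill(name TEXT, value TEXT, value_lower TEXT,
                              date_created INTEGER, date_last_used INTEGER,
                              count INTEGER);
    """)
    # autofill dates are Unix seconds (time_t), unlike History's WebKit microseconds
    ts = int(datetime(2023, 8, 28, 9, 0, tzinfo=timezone.utc).timestamp())
    rows = [
        ("fname", "Dee", "dee", ts, ts, 3),
        ("email", "dee@example-constructed.test", "dee@example-constructed.test", ts, ts, 5),
        ("city", "Tanta", "tanta", ts, ts, 2),
    ]
    conn.executemany("INSERT INTO autofill VALUES (?, ?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def find_autofill_emails(conn):
    """Return every autofill value that looks like an e-mail address, most-used first."""
    out = []
    for name, value, count, last_used in conn.execute(
            "SELECT name, value, count, date_last_used FROM autofill ORDER BY count DESC"):
        if EMAIL_RE.match(value):
            out.append({"field": name, "value": value, "uses": count,
                        "last_used": datetime.fromtimestamp(last_used, timezone.utc).isoformat()})
    return out


if __name__ == "__main__":
    for host, url, when in find_download_source(build_sample_history(), "Application.pdf"):
        print(f"{when}  {host}  {url}")
    for hit in find_autofill_emails(build_sample_webdata()):
        print(hit)
```

The timestamp helpers matter more than they look: History stores times as microseconds since 1601, while the autofill table stores plain Unix seconds, so mixing the two conversions gives dates centuries off and quietly breaks a timeline.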
Question 4: What is the command that is executed by the malicious document?
Alright, now we get to pivot and try some static analysis!
Let’s try another tool available in our analysis environment — PDFStreamDumper. This tool should let us perform some static analysis of object streams within a PDF file and see if there is anything malicious.
This is my first time using this tool but according to the developer’s page:
This is a free tool for the analysis of malicious PDF documents.
Has specialized tools for dealing with obfuscated JavaScript, low level pdf headers and objects, and shellcode.
First things first — remember the Application.pdf we found back in Question 1? We’re going to go back into FTK Imager, navigate to the file path from Question 1, right-click the file, and export it.
Once the export is complete, we’ll open PDFStreamDumper from the Tools folder and load Application.pdf into it. When loading has finished, we can check the output and start analyzing the objects contained in the file!
On the left side column, we see that the tool has parsed 6 objects within the PDF file. Let’s analyze the objects one-by-one and see if we can find anything suspicious…
Something in object 5 sticks out, doesn’t it? Immediately, we can see that there is quite a bit of code in this object compared to the others. But more importantly, there also appears to be a Base64 encoded PowerShell command stored here as well — this should answer Question 4!
Side Quest:
While out of scope for this challenge, it might be fun to jump into something like CyberChef to decode the PowerShell command we found stored in the object. This will help us to better understand the impact of the User Execution (MITRE ATT&CK T1204.002) on the victim’s system.
In this case, the PowerShell script creates a stored Environmental Variable with a string message from the threat actor. Again, not relevant for this challenge but it would be something to explore in a real-world analysis.
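The three file-level steps above (hashing the document in Question 1, walking the PDF objects in Question 4, and decoding the Base64 PowerShell in the side quest) can be scripted, which is handy when you want to re-check a finding outside the lab VM. The following Python example is added here and is not code from the original walkthrough, from LetsDefend, or from PDFStreamDumper. Because the challenge file cannot be shipped with this post, build_sample_pdf constructs its own six-object PDF whose catalog /OpenAction points at a /Launch action carrying a powershell -enc payload; the encoded script is a harmless constructed message, not the real one. The object regex only handles unencrypted PDFs without object streams, which is why a dedicated tool like PDFStreamDumper is still the right choice for real samples.

```python
import base64
import hashlib
import re


def build_sample_pdf():
    """Constructed minimal PDF, not the challenge file: six objects, where the catalog's
    /OpenAction points at a /Launch action running powershell -enc <Base64>. The encoded
    script is a harmless message so the decoder has something realistic to work on."""
    script = "$env:DEMO_NOTE = 'constructed sample message'"
    # powershell -EncodedCommand expects Base64 of the script as UTF-16LE text
    enc = base64.b64encode(script.encode("utf-16-le")).decode()
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R >>",
        b"<< /Length 0 >>\nstream\n\nendstream",
        (f"<< /Type /Action /S /Launch /Win << /F (powershell.exe) "
         f"/P (-enc {enc}) >> >>").encode(),
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ]
    pdf = b"%PDF-1.4\n"
    for num, body in enumerate(objs, 1):
        pdf += f"{num} 0 obj\n".encode() + body + b"\nendobj\n"
    return pdf + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


def file_hashes(data):
    """The same two values FTK Imager's Export File Hash writes out: MD5 and SHA1."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest()}


# "N G obj ... endobj" pairs; good enough for unencrypted PDFs without object streams
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
# names that give a PDF a way to run, fetch or carry something when it is opened
SUSPICIOUS_RE = re.compile(
    rb"/(OpenAction|AA|Launch|JavaScript|JS|URI|EmbeddedFile)(?![A-Za-z0-9])")
# PDF string literals "( ... )" are dropped before name scanning so that '/' characters
# inside a Base64 blob cannot masquerade as dictionary names
STRING_RE = re.compile(rb"\([^)]*\)")
# powershell.exe accepts -e, -ec, -enc or -EncodedCommand in front of the Base64 blob
ENC_RE = re.compile(rb"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(blob):
    """Base64 -> UTF-16LE text; returns None when the blob is not a valid payload."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_pdf(data):
    """Walk every object, flag suspicious names and decode any -EncodedCommand found."""
    findings = []
    for m in OBJ_RE.finditer(data):
        num, body = int(m.group(1)), m.group(3)
        dict_part = STRING_RE.sub(b"()", body)
        names = sorted({"/" + n.decode() for n in SUSPICIOUS_RE.findall(dict_part)})
        decoded = [decode_encoded_command(e.group(1)) for e in ENC_RE.finditer(body)]
        if names or decoded:
            findings.append({"object": num, "names": names, "powershell": decoded})
    return findings


if __name__ == "__main__":
    sample = build_sample_pdf()
    print(file_hashes(sample))
    for finding in triage_pdf(sample):
        print(finding)
```

Run against the constructed sample, object 1 is flagged for its /OpenAction and object 5 for /Launch together with the decoded script, which mirrors what we saw in PDFStreamDumper: the catalog tells the reader to act on open, and the action object is where the command lives. The UTF-16LE step is the detail CyberChef hides from you; decoding the Base64 alone gives text interleaved with null bytes.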
Question 5: Seems the PC username changed to another one. Can you identify the new Username?
We’ve made it to the last question! In this question we are looking for the username that changed. To answer this question, we need to first understand where username values are stored and if we can extract that from a forensic disk image, right?
Let’s pull back a bit and recap: In Question 1 we explored the Users folder, where the home folders for each user on the system are stored. Based on our evidence, the victim was using the profile named Work. Now we need to locate another location that contains user account information to see what has changed.
Where could we find this information though? Well, according to Microsoft Learn we could check the Security Account Manager (SAM) Database:
The Security Accounts Manager (SAM) is a database that stores local user accounts and groups.
Let’s go back into FTK Imager and see if we can extract the SAM Database from the image. In FTK navigate within the Evidence Tree to (PDFURI.001 > NONAME [NTFS] > [root]/Windows/System32/config/) and select the SAM file. We’ll do the same process to export this file to our evidence folder.
Now that we have the SAM database extracted, let’s load it into another analysis tool, Eric Zimmerman’s Registry Explorer.
If we expand the keys within the SAM hive down to Names, we can see all the local usernames on the system. All the names listed are default Windows accounts except one. Since we know the user account was called Work and we no longer see it in the database, I think we found the answer to Question 5!
Conclusion:
Great work on the investigation, and thank you for joining me on this learning journey!
A special thanks to LetsDefend.io for presenting yet another engaging challenge. This challenge was not only enjoyable but also served as an excellent primer on various forensic tools such as FTK Imager, DB Browser, PDF Stream Dumper, and Registry Explorer. It provided us with a practical context to understand how we, as defenders, can quickly analyze browser artifacts, malicious PDF files, and the Windows Registry.
I hope that you had as much fun as I did and learned something new, too. Stay curious!
Tools & References:
FTK Imager: https://www.exterro.com/digital-forensics-software/ftk-imager
Foxton Forensics Chrome history cheat sheet: https://www.foxtonforensics.com/browser-history-examiner/chrome-history-location
DB Browser for SQLite: https://sqlitebrowser.org/
PDF Stream Dumper: http://sandsprite.com/blogs/index.php?uid=7&pid=57
MITRE ATT&CK (User Execution: Malicious File): https://attack.mitre.org/techniques/T1204
Microsoft Learn SAM Database Reference: https://learn.microsoft.com/en-us/windows-server/security/windows-authentication/credentials-processes-in-windows-authentication#BKMK_SAM
Registry Explorer: https://ericzimmerman.github.io/#!index.md