{"id":189,"date":"2023-09-19T09:00:00","date_gmt":"2023-09-19T09:00:00","guid":{"rendered":"http:\/\/justruss.tech\/index.php\/2023\/09\/19\/seized-htb-forensics-medium\/"},"modified":"2026-05-13T12:59:35","modified_gmt":"2026-05-13T12:59:35","slug":"seized-htb-forensics-medium","status":"publish","type":"post","link":"https:\/\/justruss.tech\/index.php\/2023\/09\/19\/seized-htb-forensics-medium\/","title":{"rendered":"Seized | HTB Forensics (Medium)"},"content":{"rendered":"<p>Seized is a Medium-rated HackTheBox Forensics challenge. You receive a raw disk image of a Windows workstation. The scenario is corporate data exfiltration. The challenge tests MFT analysis, file carving, and the ability to not get distracted by<br \/>\ndeliberate decoys.<\/p>\n<h3>Image mounting and initial triage<\/h3>\n<pre># Check image structure\nmmls seized.img\n# DOS Partition Table\n# Slot  Start       End         Length      Description\n# 000:  Meta        0000000000  0000000000  Primary Table (#0)\n# 001:  -------     0000000000  0000002047  Unallocated\n# 002:  000:000     0000002048  0125827071  NTFS (0x07)\n\n# Mount the NTFS partition\nsudo mkdir \/mnt\/seized\nsudo mount -o ro,loop,offset=$((512*2048)) seized.img \/mnt\/seized\n\n# Quick inventory of recently modified files\nfind \/mnt\/seized\/Users -newer \/mnt\/seized\/Windows\/System32\/ntoskrnl.exe \\\n  -not -path \"*\/AppData\/Local\/Temp\/Low\/*\" \\\n  -not -name \"*.log\" \\\n  2&gt;\/dev\/null | sort<\/pre>\n<h3>Browser history analysis<\/h3>\n<pre># Chrome history is a SQLite database\ncp \"\/mnt\/seized\/Users\/jsmith\/AppData\/Local\/Google\/Chrome\/User Data\/Default\/History\" \/tmp\/\n\nsqlite3 \/tmp\/History \"\n  SELECT datetime(last_visit_time\/1000000-11644473600, 'unixepoch') as visit_time,\n         url, title\n  FROM urls\n  WHERE last_visit_time &gt; 0\n  ORDER BY last_visit_time DESC\n  LIMIT 50;\n\"\n\n# Relevant output:\n# 2023-09-18 23:41:22 | https:\/\/www.dropbox.com\/upload | Upload files - 
Dropbox\n# 2023-09-18 23:38:15 | https:\/\/pastebin.com\/api\/api_post | Pastebin\n# 2023-09-18 23:22:07 | https:\/\/file.io\/ | file.io - Super simple file sharing<\/pre>\n<h3>Windows event log analysis<\/h3>\n<pre># Extract and parse relevant events\npython3 -c \"\nimport subprocess, json\n\n# Get network connection events around the time of interest\n# (the parser is expected to print one JSON object per line)\nresult = subprocess.run([\n    'python3', '-m', 'evtx',\n    '\/mnt\/seized\/Windows\/System32\/winevt\/Logs\/Microsoft-Windows-Sysmon%4Operational.evtx',\n    '--json'\n], capture_output=True, text=True)\n\nfor line in result.stdout.splitlines():\n    if not line:\n        continue\n    try:\n        evt = json.loads(line)\n    except json.JSONDecodeError:\n        # skip any non-JSON noise the parser prints\n        continue\n    if evt.get('EventID') == 3:\n        # Sysmon EventID 3 = Network connection\n        print(evt)\n\"\n\n# Shows outbound connections to 185.220.x.x on port 443 at 23:38<\/pre>\n<h3>MFT analysis \u2014 finding deleted files<\/h3>\n<pre># Extract the MFT\nsudo cp \/mnt\/seized\/\\$MFT \/tmp\/mft_raw\n\n# Parse with MFTECmd (Wine or native Windows)\n# On Linux, use analyzeMFT:\npip install analyzeMFT\nanalyzeMFT.py -f \/tmp\/mft_raw -o \/tmp\/mft_parsed.csv\n\n# Search for .zip files created around the incident time\n# (single quotes keep the shell from expanding $Recycle to an empty string,\n# which would otherwise make the last grep match every line)\ngrep \"2023-09-18 23:[2-4]\" \/tmp\/mft_parsed.csv | grep \"\\.zip\" | grep -i 'deleted\\|\\$Recycle'\n\n# Output includes:\n# filename: staging_package_final.zip\n# created:  2023-09-18 23:35:41\n# parent:   C:\\Users\\jsmith\\AppData\\Local\\Temp\n# status:   deleted<\/pre>\n<h3>File carving from unallocated space<\/h3>\n<pre># Use foremost to carve zip files from unallocated clusters\nsudo foremost -t zip -i seized.img -o \/tmp\/carved\/\n\n# Check recovered files\nls -lh \/tmp\/carved\/zip\/\n# 00000000.zip  2.3M\n# 00001234.zip  847K  &lt;-- this is the one\n\n# The smaller file is the exfil package\nunzip -l \/tmp\/carved\/zip\/00001234.zip\n# Archive:  00001234.zip\n#   Length      Date    Time    Name\n#  
---------  ---------- -----   ----\n#   1048576  09-18-2023 23:35   Q3_financials.xlsx\n#    524288  09-18-2023 23:35   customer_database_export.csv\n#       128  09-18-2023 23:35   flag.txt<\/pre>\n<p>The decoy archives in the obvious staging directory were both created at the same timestamp \u2014 a tell that they were placed deliberately rather than created through normal activity. Real staged files have slightly different creation times as each<br \/>\nfile is added.<\/p>\n<h3>Forensic timeline reconstruction<\/h3>\n<pre># Build a super-timeline using plaso\/log2timeline\nlog2timeline.py \/tmp\/seized_timeline.plaso seized.img\n\n# Filter to the incident window\npsort.py -o l2tcsv \/tmp\/seized_timeline.plaso \\\n  \"date &gt; '2023-09-18 23:00:00' AND date  \/tmp\/timeline_filtered.csv<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>A disk image challenge involving a Windows host used to exfiltrate data. The<br \/>\ninteresting part was figuring out which file was the payload and which was a 
decoy.<\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[],"class_list":["post-189","post","type-post","status-publish","format-standard","hentry","category-hackthebox"],"_links":{"self":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts\/189","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/comments?post=189"}],"version-history":[{"count":2,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts\/189\/revisions"}],"predecessor-version":[{"id":231,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts\/189\/revisions\/231"}],"wp:attachment":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/media?parent=189"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/categories?post=189"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/tags?post=189"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}