Home > CTF, Forensics > Nullcon CTF 2014 Forensics 100 writeup

Nullcon CTF 2014 Forensics 100 writeup

Question 1:

“The Client complained that whenever he boots up the machine, all files in his document folder automatically gets deleted. Can you identify the culprit executable process doing this?”.

We were asked to find the name of the executable which is deleting the files in the document folder, whenever the system boots. I have studied about triaging windows system before. Some key points are,

– Examine the Programs Ran on the System
– Examine the Auto-start Locations
– Examine File System Artifacts

Here we need to focus more on the second bullet point, the Auto start locations. Usually we can peep in these locations to trace the rogue process or executables.
– Programs executing from temporary or cache folders
– Programs executing from user profiles (AppData, Roaming, Local, etc)
– Programs executing from C:\ProgramData or All Users profile
– Programs executing from C:\RECYCLER
– Programs stored as Alternate Data Streams (i.e. C:\Windows\System32:svchost.exe)
– Programs with random and unusual file names
– Windows programs located in wrong folders (i.e. C:\Windows\svchost.exe)

So, look into the auto-starting locations of the startup monitor, which can show you, what programs are configured to run during system bootup or login, and the entries in the order Windows processes them. You can use this tool, you don’t need to go to each location and find, sometime it is tedious to traverse through and it is not so easy to find those locations manually. In order to use that you need to convert the given dd image (the 2 GB image ) to a vdi format. Since I am using Virtual Box I am converting it to vdi. If you are using Vmware then you have to convert the dd image to vmdk.

h1dd3ntru7h@bi0s:~/Desktop/ctf/nullcon/forensics$ vboxmanage convertdd syn_null2014ctf.dd.001 nullcon1.vdi –format VDI
Converting from raw image file=”syn_null2014ctf.dd.001″ to file=”nullcon1.vdi”…
Creating dynamic image with size 10737418240 bytes (10240MB)…

When the file is converted, I imported the vdi file into my Virtual box and I booted it. I opened the tool, and located the executable, once after brute forcing few executables :D. Finally the flag is : ntbackup.exe


  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This Week In 4n6

Your weekly roundup of Digital Forensics and Incident Response news

RAM Slack - Random Thoughts from a Computer Forensic Examiner

Random Thoughts from a Computer Forensic Examiner


behind the scenes

DFIR Journal

Trials and Tribulations of a DFIR life

I dont know zilch !

For the noobs out there like me

X-Ways Forensics Practitioner's Guide

The Guide to X-Ways Forensics!

Forensic Focus - Articles

Digital forensics articles and research papers

my abbreviations......

gain,learn and share knowledge!!!!


Windows Logging Service (WLS), DFIR, etc.

Belkasoft Forensic: The Digital Evidence Blog

Searching for, analyzing and recovering digital evidence

Gail Tredwell. Amma. Truth. Lies. Scandals. Fraud. And. Reality

Three things cannot be long hidden: the sun, the moon, and the truth.

Integriography: A Journal of Broken Locks, Ethics, and Computer Forensics

Musings about UAVs, search & rescue, computer forensics, cyber security, and the state of play in all .....

Life is beautiful

when the mind is full with love, you see beauty in every thing

Techno Krat

.... Dare To Try .......

%d bloggers like this: