Diskrupt - TryHackMe - Walkthrough
Investigate a damaged disk.
Description
This is a Write-Up for the Diskrupt Room on TryHackMe, the Room is rated as Hard and can be found here.
Storyline
An underground research group, NexgEn e-Corps, has been working on a groundbreaking research paper on Quantum-Resistant Cryptography. The paper introduces a new encryption algorithm designed to resist quantum attacks. This research is a game-changer capable of securing global communications from quantum-powered adversaries.
Last night, the system sent an alert regarding the research paper being accessed from an unknown system on the network. The suspicion is on the newly joined intern Fatima, who has been seen around the research lab a few times.
She, being the insider with direct access to the laboratory resources, is suspected of stealing the research and attempting to erase all traces of her actions.
The forensics team has taken an image of her disk, but an unexpected system failure left behind fragments of critical evidence on her workstation and external storage devices.
The lab has provided you with a forensic image of Fatima’s workstation’s hard drive. Your task is to :
- Fix the damaged disk.
- Examine the partitions.
- Find evidence of access to sensitive research documents.
- If any files were deleted or tampered with.
- What are the hidden files on the disk.
- Carve out important files deleted from the disk.
I recommend you do the required Rooms on THM before attempting this challenge.
Note: The the red points just are there to blur the solution.
MBR
To solve the first four questions you need to open the disk image in the hex editor. If we recap from the MBR nd GPT analysis room, the first 446 bytes of the disk just contain the bootloader code. To check if the bootloader got corrupted, you can simply check it with the known code it contains. This code seems fine, but if you check the Signature section from byte 510 to 511, you will see that that section got corrupted.
For the second question we need to inspect the partition section again.You can see that the partition entries begin with the first entry at 0x1BD, each entry is 16 bytes long and the last 4 bytes contain the total sectors.
To find the size of the partitions for question three and four you need to use the total number of sectors and the sector size. The sector size is usually 512 bytes. The number of sectors can be found where we already looked, these are the last 4 bytes of the partition entries.
The total disk size can be found by calculating the total number of sectors * 512 after that you can divide them by 1024*1024*1024 to get the size in GB. So the formula is:
Note: This is little endian so you need to put the bytes of the hex editor in reverse.
1
2
(0x??C77000*512)/(1024*1024*1024)
(0x??387800*512)/(1024*1024*1024)
Autopsy
To find the solutions to the next few questions you need to get the image into Autopsy. You can create a new project and load the disk image. Before loading the image into Autopsy you need to fix the bytes of the signature from before to 55 AA and save the file.
When loading the image into Autopsy I would recommend deactivating all options because the won’t really help you and this will speed up the process a lot. Also you can close the Window which is loading the disk and can inspect the files this way.
I next extracted the $J from the disk, this file in the NTFS file system contains info to creation, deletion, or modification records. This file can be found in the root/C:\ folder ot the disk.
You can now extract the data from this record database by using the MFTE Eric Zimmermann tool.
1
PS C:\Users\Administrator\Desktop\EZTools> .\MFTECmd.exe -f '..\Evidence\$UsnJrnl_$J' --csv ..\Evidence\ --csvf JFile.csv
Now I opened the output csv file with timeline explorer and then searched for password, the file password.txt file is the target file, we need to find the entry of this file where the Update Reason is FileCreate.
To answer the next question about the pdf file I simply searched for PDF and scrolled through the output of the query .pdf.
The file create date will give us the solution for the next question, I looked over the results from the previous query and found the FileCreate date.
The last question to the $J is about a folder created to exfiltration purposes, so to find it I searched for exfil in Timeline explorer.
ZIP file
In this question section we need to find a ZIP file after the offset 4E7B00000, to do that you need to search for the magic bytes of a ZIP file. Then we can search them in the hex editor. You can see a table here. The magic bytes for a ZIP file are 50 4B 03 04. Before searching for these we need to jump to the location after which we need to search otherwise the hex editor will return the first ZIP file after the current location. You can use Search > Go To for that. You should see the beginning of a png file at that location (This can be recognized by the %PNG beginning). After tha you can search for the magic bytes.
The ending of the zip file can be found by checking what the ending sequence of bytes is for a ZIP file. I simply printed out a hex dump of a PDF file of mine, you can see the cf03 is the ending.
1
00000430: 0100 0100 5900 0000 cf03 ....Y.....
Here is the end of our ZIP file.
To make the PDF to a file you can paste the hexdump of it into CyberChef. There you can also export it to a file and then extract the flag.
Disk Wiper
The final question is finding a disk wipe utility I solved that question by simply searching wipe in HxD after the ZIP file, you will find a website which let’s you download the a disk wipe tool which has the same name as the executable .exe.
