While trying to help a classmate I ran into a small problem. Some of those who read this will realize almost immediately why certain files in the folder weren’t showing up, but for me it was a bit of a journey. So, let’s get into it.
How it started
For our second project in the Digital Forensics Analysis and Application course (Windows forensics) that I am in, the students were split into groups. Each person had to choose a category (e.g., registry analysis, hashing, log analysis, browser artifact analysis, etc.) and solve a problem for that category, a capture-the-flag type problem.
Another student from a different group who I had helped earlier in the course asked me for help because he was having issues with finding the flag for his problem. The category he chose was Registry Analysis and the problem was:
“There is a malicious startup Application set to run when a user logs in. Please find the Registry key and the Name of that application. Hint: Team1-#####.”
The problem also came with a zipped folder of Windows registry files to examine, which had to be downloaded from OneDrive. After I downloaded and unzipped it, I was left with these files:


Inside the User folder

Inside the student folder
The All Users, Default, Default User, and Public folders were “empty”
I used MiTec Windows Registry Recovery and loaded the SOFTWARE hive. I then clicked on the Startup Applications view, so I could see all the programs that run at startup.

I wanted to investigate a little deeper, so I then went to Raw Data and searched for “Userinit”, and found two programs associated with that value: userinit.exe and msdcsc.exe.

After some research I found that msdcsc.exe is a malicious executable, and with that I was pretty much done! Except I wasn’t. After talking with the classmate who had reached out to me, it turned out he had done pretty much the same thing, but there was no flag. I then went and searched through the other registry files that were given to us and still found no flag. I then thought maybe it was the tool, so I used RegRipper to look through the registry files, but still nothing.
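To make the Userinit check repeatable rather than a manual search in a GUI, here is an added PowerShell example (mine, not from the original post and not part of MiTec WRR or RegRipper) that mounts the extracted SOFTWARE hive offline, reads the Winlogon Userinit value and flags every entry that is not the stock userinit.exe; it then lists the per-user Run and RunOnce values from an NTUSER.DAT hive, the other usual place for something that starts when a particular user logs in. The hive paths are placeholders, reg.exe load needs an elevated prompt, and because reg.exe opens the hive read-write you should point it at a working copy, never at the only copy of the evidence.

```powershell
# Added example, not from the original post. Paths are placeholders for the
# extracted hives; run from an elevated PowerShell because reg.exe load needs it.
$SoftwareHive = 'C:\Cases\Team1\SOFTWARE'           # placeholder (working copy)
$NtUserHive   = 'C:\Cases\Team1\student\NTUSER.DAT' # placeholder (working copy)

function Mount-OfflineHive {
    param([string]$Path, [string]$MountName)
    reg.exe load "HKLM\$MountName" $Path | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not load hive $Path" }
}

function Dismount-OfflineHive {
    param([string]$MountName)
    reg.exe unload "HKLM\$MountName" | Out-Null
}

# 1. Winlogon\Userinit: every comma-separated entry runs at logon. A clean
#    system has exactly one entry, the real userinit.exe under System32, so
#    anything else (like the msdcsc.exe seen in the post) deserves a look.
Mount-OfflineHive -Path $SoftwareHive -MountName 'OffSoftware'
try {
    $winlogon = 'HKLM:\OffSoftware\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $userinit = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
    $entries  = $userinit -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }

    Write-Host "Userinit = $userinit"
    foreach ($entry in $entries) {
        # Expected: <drive>:\Windows\System32\userinit.exe and nothing else.
        $expected = $entry -match '^[A-Za-z]:\\Windows\\System32\\userinit\.exe$'
        $tag = if ($expected) { 'expected' } else { 'REVIEW  ' }
        Write-Host ("  {0} {1}" -f $tag, $entry)
    }
}
finally { Dismount-OfflineHive -MountName 'OffSoftware' }

# 2. Per-user Run/RunOnce keys from NTUSER.DAT. When the hive is mounted under
#    HKLM\OffNtUser, the familiar HKCU\Software\... path sits directly below it.
Mount-OfflineHive -Path $NtUserHive -MountName 'OffNtUser'
try {
    foreach ($sub in 'Run', 'RunOnce') {
        $key = "HKLM:\OffNtUser\Software\Microsoft\Windows\CurrentVersion\$sub"
        if (-not (Test-Path $key)) { continue }
        Write-Host "HKCU\Software\Microsoft\Windows\CurrentVersion\$sub"
        Get-Item $key | Select-Object -ExpandProperty Property | ForEach-Object {
            $name  = $_
            $value = (Get-ItemProperty -Path $key -Name $name).$name
            Write-Host ("  {0,-24} {1}" -f $name, $value)
        }
    }
}
finally { Dismount-OfflineHive -MountName 'OffNtUser' }
```

The try/finally around each mount matters in practice: a hive that stays loaded under HKLM because the script errored out halfway is a common reason a later tool reports the file as locked.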
I had to be missing something, and something told me to go back to the OneDrive where I got the zipped folder from and check whether I had everything I was supposed to have. As soon as I started looking, I immediately saw a few discrepancies between the files I had on my system and the files in the folders on OneDrive.


Of course, as soon as I saw the NTUSER.DAT file I knew I needed to get to it. I checked the properties of the folder and made sure I could see all the hidden files, but I still couldn’t find the file. My next step was to unzip the folder with 7-Zip, and in the 7-Zip file manager I had access to the files. I had finally done it! But not really. Some of you already know why.
I let my classmate know, and he found the flag in the NTUSER.DAT file. Something was still bothering me: why couldn’t I see these files? I assumed that whatever the decompression algorithm was doing just wasn’t outputting these files. I honestly did not have a good understanding of how it all works.
I decided to look at the folder through the command line instead. I went to the student folder, ran the “dir /a” command, and there were all the files.

Now I knew there wasn’t anything wrong with how Windows had unzipped the folder, and that something was wrong with my settings. I started Googling what the issue could be and found that the problem was:
I had “Hide protected operating system files” turned on.
I hadn’t seen it before because I had been looking in the folder’s “Properties”, and this setting is under “Options”.
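The reason “dir /a” saw the file when Explorer did not: NTUSER.DAT carries both the Hidden and System attributes, and the “Hide protected operating system files” option hides exactly that combination, independently of the plain “show hidden files” setting. The PowerShell example below is added here (mine, not from the original post) and reproduces the effect in a scratch folder with a constructed file, reads the two Explorer settings behind those options, and shows the listing commands that ignore them; the scratch path is a placeholder.

```powershell
# Added example, not from the original post. Creates a scratch folder holding a
# constructed file that carries Hidden+System, as a real NTUSER.DAT does.
$Scratch = Join-Path $env:TEMP 'hidden-demo'   # placeholder location
New-Item -ItemType Directory -Path $Scratch -Force | Out-Null
$demo = Join-Path $Scratch 'NTUSER.DAT'
Set-Content -Path $demo -Value 'constructed sample, not a real hive'
# 'attrib +h +s' marks the file Hidden and System; this is the combination that
# Explorer treats as a protected operating system file.
attrib.exe +h +s $demo

# The default listing skips hidden/system entries, which is what Explorer showed.
Write-Host '--- Get-ChildItem (default) ---'
Get-ChildItem -Path $Scratch | Select-Object Name, Attributes

# -Force is the PowerShell counterpart of cmd's 'dir /a': it lists everything.
Write-Host '--- Get-ChildItem -Force ---'
Get-ChildItem -Path $Scratch -Force | Select-Object Name, Attributes

# The two Explorer options live in this key for the current user:
#   Hidden          1 = show hidden files, 2 = do not show them
#   ShowSuperHidden 1 = show protected OS files, 0 = hide them (the post's setting)
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$cfg = Get-ItemProperty -Path $adv
Write-Host ("Explorer settings: Hidden={0} ShowSuperHidden={1}" -f $cfg.Hidden, $cfg.ShowSuperHidden)

# Attribute check for any single path, e.g. the real hive inside a user profile.
function Test-ProtectedOsFile {
    param([string]$Path)
    $attr = (Get-Item -Path $Path -Force).Attributes
    # Both flags must be set for the "protected operating system files" rule to apply.
    $hidden = (($attr -band [IO.FileAttributes]::Hidden) -ne 0)
    $system = (($attr -band [IO.FileAttributes]::System) -ne 0)
    return ($hidden -and $system)
}
Write-Host ("Hidden+System on demo file: {0}" -f (Test-ProtectedOsFile -Path $demo))

# Clean up; -Force is needed again because of the attributes we set.
Remove-Item -Path $Scratch -Recurse -Force
```

When triaging an extracted profile, run the attribute check on NTUSER.DAT and UsrClass.dat before concluding a hive is missing: the extractor usually did its job, and the file is simply being filtered by the viewer.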