Capture the Flag type contests are fun. You may remember them from Real Life™, where you have a couple of teams pitted against each other, each team has a base with a flag, and each team has to storm (of course, sometimes sneaking is the better play) the opposing base and physically steal the other team's flag. This game model has been digitised in a number of ways over the years. One of the more accessible ways is its incorporation into computer games; the one I'm most familiar with is Team Fortress, a Half-Life mod which I believe is still going relatively strongly despite it being out for longer than 15 years now.
But those sorts of Capture the Flag games are not what this post is about, oh no. Instead I'm going to delve into the world of geekdom inspired by these real world examples. In the type of game I will be discussing, the goal is to solve technical computer puzzles to find a small piece of data hidden somewhere, which acts as the flag for that challenge.
Before I give the BLUF, allow me to address a departure from previous behaviour. I'm not a fan of click-baity stories that make readers read a full post before they get to the point, so in the past I have usually provided a TL;DR at the start of my posts, but I think by convention they are meant to go at the end of an article. For that reason I'm switching initialisms. The BLUF (Bottom Line Up Front) is my new TL;DR because it's meant to go at the start, and by goodness, I believe you should not have to scroll very far to find the point of any particular post!
Obviously I go into more detail about my journey to the knowledge I'm about to reveal, and I would prefer if you took that journey with me, but I get it, you're busy, so here it is:
In order to get the account creation date for a user account on Windows you need to navigate to the registry key located at:
Once there you will see a list of the user accounts on the system. Locate the user name you're interested in, for example "testuser1", and check the "Last Written Date" for that key: it correlates to the user creation date (on that specific computer).
Figure 1: SAM file users list showing testuser1
Figure 2: Last written timestamp for testuser1
It is an exercise left to the reader as to how to get one’s hands on the SAM file.
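As an added example that is not part of the original post, the snippet below shows how the "Last Written" timestamp of a registry key is read programmatically with Python's standard winreg module and converted from a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC) into a readable UTC datetime. The registry path is a caller-supplied placeholder (the post's key path is not reproduced above), and opening the live hive requires the appropriate privileges on Windows.

```python
import datetime

# FILETIME counts 100-ns ticks from this epoch (not the Unix epoch of 1970).
WINDOWS_EPOCH = datetime.datetime(1601, 1, 1, tzinfo=datetime.timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime.datetime:
    """Convert a Windows FILETIME value to a timezone-aware UTC datetime."""
    # One tick is 100 ns, so integer-dividing by 10 yields microseconds.
    return WINDOWS_EPOCH + datetime.timedelta(microseconds=filetime // 10)


def subkey_last_written(hive_key_path: str, subkey_name: str) -> datetime.datetime:
    """Return the last-written time of HKLM\\<hive_key_path>\\<subkey_name>.

    hive_key_path is a placeholder for the users list key described in the post.
    Runs on Windows only and needs read access to that key (SAM needs SYSTEM).
    """
    import winreg  # Windows-only module, imported lazily so the conversion works anywhere.
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, hive_key_path + "\\" + subkey_name) as key:
        # QueryInfoKey returns (subkey_count, value_count, last_modified_filetime);
        # this is the same value regedit shows as "Last Written Time".
        _n_subkeys, _n_values, last_written = winreg.QueryInfoKey(key)
    return filetime_to_datetime(last_written)


def list_subkey_timestamps(hive_key_path: str) -> dict:
    """Map every subkey name under HKLM\\<hive_key_path> to its last-written time.

    Useful for reviewing all account entries at once rather than one by one.
    """
    import winreg
    result = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, hive_key_path) as parent:
        n_subkeys, _n_values, _parent_written = winreg.QueryInfoKey(parent)
        for i in range(n_subkeys):
            name = winreg.EnumKey(parent, i)
            with winreg.OpenKey(parent, name) as child:
                _s, _v, last_written = winreg.QueryInfoKey(child)
            result[name] = filetime_to_datetime(last_written)
    return result
```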
Caveat: a lot of the resources mentioned below are quite old; as a result, Your Mileage May Vary.
I'm starting to take a deep dive into EnScript in EnCase, and I was lamenting the lack of freely available resources, but lo and behold, today I struck gold and found a few resources that had escaped my attention before now, so I thought I'd do a quick post collating what I found.
Then of course you have Simon Key's GitHub page, which hosts a few EnScript samples. Simon Key is a "Sr. Principal Courseware Developer at OpenText" according to his LinkedIn page, so you should be able to learn from his samples how an EnScript should be written.
That should be enough to get me off the ground; if I find any more I'll add them here. If you have any suggestions for resources, feel free to let me know.
I was recently presented with a packet capture file as a challenge: perform some forensics on it and see if I could find the hidden message. Naturally, it being a packet capture, I fired up Wireshark, only to be faced with a very bland single-colour screen, quite different from the usual network captures most would be used to seeing in Wireshark (see Figure 1 below). There was none of the usual indication of different protocols broken down by colour. This was going to be a different type of challenge, and one I was going to learn a lot from. I knew I would enjoy it, and I sure did!
Yesterday, with 3 days left on my deadline, I completed the GIAC Open Source Intelligence certification exam with a score of 91%. Needless to say I was pretty delighted. I'm still unsure which of the following had the biggest impact on my certification exam result: Was the exam too easy? Did I prepare very well? Was the training provided so good that it was inevitable?
I’m leaning towards a combination of the training and my preparation. To be fair the “SANS SEC487 Open-Source Intelligence (OSINT) Gathering and Analysis” covered a breadth and depth of topics, and covered them well. A series of books are made available to course participants, one for each day of the course, and since the exam is open book, these materials are vital to your success in the exam. I did learn many new tools and techniques. However, if you’re a seasoned OSINTer you may find the course a bit foundational and remedial and it might be better to do one of their more advanced courses. But in terms of how I scored so well, as you might expect, every question asked in the exam could be answered from the pages of the training materials.
This brings me to my preparation. The books provided are between 140 and 180 pages each. Needless to say, you can't page through those materials for each of the 75 questions you get asked in the 2 hours you have to do the exam. So a big shout out has to go to Lesley Carhart for her blog post on her "Pancakes Index System". It would not have been possible to efficiently work through the materials without an index, and I went with the Pancakes Index System; it definitely worked and ended up looking like this:
Figure 1: Pancakes Index System in operation
After putting together my index, I completed the two practice tests. The practice tests were very close to the actual exam in terms of the format of the questions and provided great preparation for the exam itself.
And there you have it. A great course with a great instructor (@dutch_osintguy in my case) and enthusiastic class mates led to a great experience and now, thankfully, another successfully completed certification exam.
While conducting my preparations I have been slowly collecting the various resources that were used during the course into a list of bookmarks that I can share with the world. These bookmarks are available from the OSINT Bookmark Collection in the DiscoveringData.org GitHub repository as an HTML file that can be imported into your browser (right click -> save file, for best results). For anyone who has never imported bookmarks before, or even for those who do it very irregularly, a set of instructions can be found below.
So you're set up on GitHub, and being the privacy-conscious person you are, you have Two Factor Authentication turned on. You've added a personal access token so that you can push to repos from a machine. Now you have a new install of Git on some flavour of Linux and you want to configure Git on the command line to be as frictionless as possible while you're using it, while still remaining secure. What you really need for this is to set up credential caching so that you won't need to enter your password every time you run git push. Let's explore this and some other initial configuration steps that will make using Git that much easier.
I'm not going to lie, I hadn't heard of bookmarklets until earlier this year at one of the SANS summits. They were quite the revelation. Their potential for automating collection and analysis of data was very obvious and very powerful. However, up until today I hadn't come across a compelling reason to make a bookmarklet. If you already know what bookmarklets are, skip the next section to see what I made.
What are bookmarklets anyway?
Bookmarklets allow you to put JavaScript code in a bookmark in order to automate some action. That's a very brief summary, and it's not a whole lot more complicated than that, but for a bigger explanation and a few more examples go visit this freecodecamp.org article on bookmarklets.
So you need a timeline chart and you need it for work. No worries, services exist for creating beautiful charts online, Lucidchart being one of the best examples (not a sponsor). But... you need the chart for work, you need it to contain sensitive data for internal use only, and you may even need to include the dreaded PII (Personally Identifiable Information).
Now, are any of these chart-producing services going to leak your data? To be honest, it's not likely. Am I saying don't trust Lucidchart, for example? Not necessarily. But I am particularly sensitive to the risk of data leaks, having come from a Law Enforcement background where a PII leak could lead to loss of employment. I have also recently completed a course in Cyber Security. These are both huge factors in my sensitivity to the risk of a data breach that could occur by using a third party service. Just think: if Lucidchart were to suffer a breach that in turn led to a breach of data contained in charts you created on that service, you might in turn also have to report a breach. It's all very complicated at that stage.
The solution? Roll your own. Read on for a relatively easy way to create your own timeline chart without ever having to send data you don't want exposed to an online service.