In this blog post, we will be solving the Magnet Virtual Summit Windows Server CTF created by Magnet Forensics. Below is the solution to the challenge, solved using ArtiFast Suite.
To identify the program installed on the system, we searched for installed programs using ArtiFast's registry artifacts. We specifically looked into the "Installed Programs" artifact under the "Registry" category, and found that the user had installed "Chrome Remote Desktop".
To answer this question, we examined the "Timezone Information" artifact within ArtiFast's "Registry" category. From this artifact, we determined that the time zone recorded on the system is "Greenwich Standard Time."
To address this question, we can utilize ArtiFast's "User Accounts" artifact within the "Registry" category.
By examining this artifact, we discovered that the username associated with the account is "Sgarza."
To determine the creation time of this username, we employed ArtiFast's search feature to look for this specific username within the "Windows Event Logs (EVTX)" artifact, located in the "OS" category.
The result is "2022-11-23T02:46:17.443Z".
To find this information easily, we can refer to the "System Information" artifact within ArtiFast. By examining this artifact, we can determine that the operating system recorded is Windows Server 2019 Datacenter.
As we are looking for an email address, we checked ArtiFast's "Chrome Autofill" artifact. There we found three addresses: a work address, "sgarza@kurvalis.com"; a personal address, "sgarza1284@gmail.com"; and a Proton Mail address, "sgarza1284@proton.me", which is the answer.
To determine the appropriate bookmarks related to the specific date mentioned in the question, we examined ArtiFast's "Chrome Bookmarks" artifact.
From this artifact, we identified two options: "Mobile Bookmarks" and "Other Bookmarks," both of which were added on December 11, 2022, at 2:04:54 AM.
Considering the question's mention of bookmarks being synced from a mobile device, the correct answer would be "Mobile Bookmarks."
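As an added illustration (not part of the original write-up or of ArtiFast), the Python below shows the kind of parsing a forensic tool performs behind a "Chrome Bookmarks" artifact: it reads Chrome's JSON Bookmarks file, converts the WebKit-epoch timestamps to UTC, and maps Chrome's internal root keys to the labels seen above, where the "synced" root is the one that holds bookmarks pushed from mobile devices. The sample Bookmarks data is constructed for the example.

```python
import json
from datetime import datetime, timedelta, timezone

# Chrome serialises bookmark timestamps as decimal strings of microseconds
# since 1601-01-01 UTC (the WebKit / Windows FILETIME epoch), not Unix time.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Chrome's internal root keys and the labels a forensic tool shows for them;
# "synced" is the root that receives bookmarks pushed from mobile devices.
ROOT_LABELS = {"bookmark_bar": "Bookmarks Bar", "other": "Other Bookmarks",
               "synced": "Mobile Bookmarks"}

def webkit_to_utc(value) -> str:
    """Convert a Chrome date_added/date_modified value to ISO-8601 UTC."""
    ts = WEBKIT_EPOCH + timedelta(microseconds=int(value))
    return ts.strftime("%Y-%m-%dT%H:%M:%SZ")

def collect_urls(node, rows):
    """Recursively gather (name, url, added_utc) for every URL under a node."""
    if node.get("type") == "url":
        rows.append((node["name"], node["url"], webkit_to_utc(node["date_added"])))
    for child in node.get("children", []):
        collect_urls(child, rows)

def summarize_roots(bookmarks_json: str):
    """Return {label: (root_added_utc, url_count)} for each bookmark root present."""
    roots = json.loads(bookmarks_json)["roots"]
    summary = {}
    for key, label in ROOT_LABELS.items():
        if key in roots:
            rows = []
            collect_urls(roots[key], rows)
            summary[label] = (webkit_to_utc(roots[key]["date_added"]), len(rows))
    return summary

# Constructed sample of a Chrome "Bookmarks" file (not taken from the CTF image).
# 13315197894000000 is 2022-12-11 02:04:54 UTC expressed in WebKit microseconds.
SAMPLE = json.dumps({"roots": {
    "other": {"type": "folder", "name": "Other bookmarks",
              "date_added": "13315197894000000", "children": []},
    "synced": {"type": "folder", "name": "Mobile bookmarks",
               "date_added": "13315197894000000", "children": [
                   {"type": "url", "name": "example", "url": "https://example.com/",
                    "date_added": "13315197900000000"}]},
}, "version": 1})

if __name__ == "__main__":
    for label, (added, count) in summarize_roots(SAMPLE).items():
        print(f"{label:16} added {added}  urls={count}")
```

On a real image, point `json.loads` at the user's `Bookmarks` file under the Chrome profile directory instead of `SAMPLE`; the root labels and timestamps line up with what the artifact viewer displays.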
To find the answer, we examined ArtiFast's "Network Interfaces" artifact within the "Registry" category. From this artifact, we discovered that the DHCP search list includes the following domains: "us-east5-a.c.boxwood-scope-369502.internal," "c.boxwood-scope-369502.internal," and "google.internal." Therefore, the answer to the question is "c.boxwood-scope-369502.internal".
During our search for the term "Google Cloud", we came across a reference to the Google Cloud SDK in the "ShimCache" artifact. The program's base path was identified as "C:\Program Files (x86)\Google\Cloud SDK".
To dive deeper, we utilized ArtiFast's built-in file system viewer to navigate through the specified path. Our objective was to locate the term "GoogleCloud."
Eventually, we discovered a PSD1 file, GoogleCloud.psd1, in the "GoogleCloudPowerShell" folder at the following location: C:\Program Files (x86)\Google\Cloud SDK\google-cloud-sdk\platform\GoogleCloudPowerShell\GoogleCloud.psd1
Furthermore, with the assistance of ArtiFast's file viewer, we were able to identify a GUID associated with the file: e74637e6-7a4e-422d-bb9c-ca50809d78bb.
For more information or suggestions please contact: amro.alshadfan@forensafe.com