CODEGATE 2012 - Forensics 200 Writeup

The challenge starts with a file and description:

File: C1E4775363DE0885E8360ED9A13A86B8

Question:

When IU who lives in Seoul tried to do SQL Injection attack a certain WEB site, suddenly the browser was closed abnormally. What is the SQL Injection value she tried to enter and when the browser was closed? The time is based on Korea Standard Time(UTC +09:00)

Time Format is YYYY-MM-DDThh:mm:ssTZD (TZD : +hh:mm or hh:mm)

Answer : injection_value|time ('|' is just a character)
Convert ' ' to '_' for injection value.

I know from having very little forensics experience that crash reports in Windows are prefixed with "AppCrash", so the first step was to list the archive and look for them:

7z l C1E4775363DE0885E8360ED9A13A86B8 | grep -i "Crash"

But notice you'll also see Firefox and Chrome crash report directories, and the Chrome directory is empty. A little more grepping and you'll find that IE, Firefox, and Chrome were all used, and there might be a link to Safari somewhere.

Let's focus on IE and Firefox, since the description mentions "closed abnormally." Let's interpret that as a crash. I used this guide/article (which I found in the Chrome history as part of the challenge): http://computerforensics.parsonage.co.uk/downloads/WebBrowserSessionRestoreForensics.pdf

I started with IE and used the Windows Structured Storage Viewer mentioned in the guide. I found nothing but updates and references to iegallery, no SQLi attempts. (We suspected the SQLi would have been part of either POST or GET data.) I then turned to parsing the Firefox JSON data in sessionstore.js (also mentioned in the guide):

./Users/proneer/AppData/Roaming/Mozilla/Firefox/Profiles/075lfxbt.default/sessionstore.js

Using the web-based JSON Editor tool here: http://braincast.nl/samples/jsoneditor/

The Session Restore Forensics guide points us at json/windows/tabs/entries, and look! There's a formdata subtree with an element that contains the SQLi:

json['windows'][0]['tabs'][0]['entries'][1]['formdata'] = 
  {
    "//xhtml:li[@id='search-3']/xhtml:div/xhtml:form/xhtml:fieldset/xhtml:input[@name='s']":
    "1_UNI/**/ON_SELECT"
  }

Now here's the frustrating part. The challenge asks for "when the browser was closed", and you'll have to interpret this as "the last time the browser was used, the browser was closed, and it did not crash." The original assumption that the browser crashed is wrong.

Running with that (wrong) assumption, I first used the timestamp in the "not so much of a crash report" crash report:

Users/proneer/AppData/Roaming/Mozilla/Firefox/Crash Reports/InstallTime20120208060813

Which was: 1328953415 (wrong)

Instead the correct answer was the json/session/lastUpdate entry in sessionstore.js. This makes sense if we KNOW the browser closed.

This was:

json['session']['lastUpdate'] = "1329009797205"

Format this correctly (drop the milliseconds, convert the epoch to UTC+09:00) and win: 1_UNI/**/ON_SELECT|2012-02-12T10:23:17+09:00
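As an added example (not part of the original writeup), here is the two-step procedure above in Python: walk the sessionstore.js tree for saved formdata, flag values that look like injection attempts, and render session/lastUpdate in KST. The sessionstore content is a constructed sample that mirrors the layout described above, not the challenge file. The handling of the nested "id"/"xpath" formdata keys is an assumption about newer Firefox versions; the flat layout is the one the writeup shows. Note that the `/**/` inline comment is stripped before keyword matching, because a database engine ignores it, so "UNI/**/ON" is exactly "UNION" to the server even though a naive grep for "UNION" misses it.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on the sessionstore.js layout discussed above.
SAMPLE_SESSIONSTORE = json.dumps({
    "windows": [
        {"tabs": [
            {"entries": [
                {"url": "http://example.invalid/", "title": "Home"},
                {"url": "http://example.invalid/?s=1",
                 "formdata": {
                     "//xhtml:li[@id='search-3']/xhtml:div/xhtml:form/"
                     "xhtml:fieldset/xhtml:input[@name='s']": "1 UNI/**/ON SELECT"
                 }},
            ]},
        ]},
    ],
    "session": {"lastUpdate": 1329009797205},
})

KST = timezone(timedelta(hours=9))  # Korea Standard Time, UTC+09:00


def iter_formdata(session):
    """Yield (window, tab, entry, field, value) for every saved form field."""
    for w, window in enumerate(session.get("windows", [])):
        for t, tab in enumerate(window.get("tabs", [])):
            for e, entry in enumerate(tab.get("entries", [])):
                formdata = entry.get("formdata") or {}
                # Assumption: newer Firefox nests fields under "id"/"xpath";
                # the flat layout is what the writeup shows.
                if "id" in formdata or "xpath" in formdata:
                    fields = {**formdata.get("id", {}), **formdata.get("xpath", {})}
                else:
                    fields = formdata
                for field, value in fields.items():
                    if isinstance(value, str):
                        yield w, t, e, field, value


def looks_like_sqli(value):
    """Crude indicator: normalise inline comments, then look for classic tokens."""
    v = value.upper().replace("/**/", "")
    return any(tok in v for tok in ("UNION SELECT", "' OR ", "OR 1=1", "SLEEP("))


def epoch_ms_to_iso_kst(ms):
    """lastUpdate is milliseconds since the Unix epoch; drop ms, render in KST."""
    return datetime.fromtimestamp(ms // 1000, tz=KST).isoformat()


def solve(session_json):
    """Return ([(field, value_with_underscores), ...], last_update_iso_kst)."""
    session = json.loads(session_json)
    hits = [(field, value.replace(" ", "_"))
            for _, _, _, field, value in iter_formdata(session)
            if looks_like_sqli(value)]
    closed_at = epoch_ms_to_iso_kst(session["session"]["lastUpdate"])
    return hits, closed_at


def format_answer(session_json):
    """Answer in the challenge's injection_value|time format (first hit)."""
    hits, closed_at = solve(session_json)
    return f"{hits[0][1]}|{closed_at}"


if __name__ == "__main__":
    print(format_answer(SAMPLE_SESSIONSTORE))
```

Pointing `solve()` at the real file is a matter of `open(path).read()` in place of the sample; the same walk works for any session restore tree, and the comment-normalisation step is the part worth keeping in any log or artifact triage script.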