Case 001 – The Stolen Szechuan Sauce

September 21, 2020 Labs, The Hunt

The Case of the Stolen Szechuan Sauce

The Stolen Szechuan Sauce [image courtesy of artwork-tee]

Your bedroom door bursts open, shattering your pleasant dreams. Your mad scientist of a boss begins dragging you out of bed by the ankle. Between belches he explains that the FBI contacted him: they found his recently developed Szechuan sauce recipe on the dark web. As you careen past the door frame you manage to grab your incident response “Go-Bag”. Inside are your trusty incident thumb drive and laptop.

Resources for getting started will be provided at the bottom of the post. Additionally, individual articles on working through the artifacts and solving the case will be posted in the coming weeks! So be sure to check back soon.

Purpose

This lab is for learning and practicing forensics, obviously! We will also provide free training through a series of upcoming posts on how to solve the case.

Target Audience

Experienced digital forensics Jedi Masters who want a fun case as well as aspiring forensics folks who want to learn and practice.

Teachers, Professors, Mentors, and Students are welcome to use these materials so long as credit is given to this site and its authors.

Game-isms

With training in mind, there are intentional (not to mention unintentional) mistakes in the data, and the timelines are sometimes compressed. For example, the time between the victim’s notification and when someone acquired the images does not make sense in the real world. Likewise, some of the adversary activities are stealthy, funny, or there to support training. The attack nevertheless mirrors real-world adversary tactics, techniques, tools, and procedures, so it supports both training and real-world incident preparedness.

Questions to Answer / Goals

  1. What’s the Operating System of the Server?
  2. What’s the Operating System of the Desktop?
  3. What was the local time of the Server?
  4. Was there a breach?
  5. What was the initial entry vector (how did they get in)?
  6. Was malware used? If so what was it? If there was malware answer the following:
    1. What process was malicious?
    2. Identify the IP Address that delivered the payload.
    3. What IP Address is the malware calling to?
    4. Where is this malware on disk?
    5. When did it first appear?
    6. Did someone move it?
    7. What were the capabilities of this malware?
    8. Is this malware easily obtained?
    9. Was this malware installed with persistence on any machine?
      1. When?
      2. Where?
  7. What malicious IP Addresses were involved?
    1. Were any IP Addresses from known adversary infrastructure?
    2. Are these pieces of adversary infrastructure involved in other attacks around the time of the attack?
  8. Did the attacker access any other systems?
    1. How?
    2. When?
    3. Did the attacker steal or access any data?
      1. When?
  9. What was the network layout of the victim network?
  10. What architecture changes should be made immediately?
  11. Did the attacker steal the Szechuan sauce? If so, what time?
  12. Did the attacker steal or access any other sensitive files? If so, what times?
  13. Finally, when was the last known contact with the adversary?

Advanced and Bonus Questions

  1. What CIS Top 20 or SANS Top 20 Controls would have directly prevented this breach?
  2. What major architecture improvement could be made that would have prevented this breach?
  3. Can you identify policy improvements or controls that should be implemented to secure this environment?
  4. Which users have actually logged onto the DC?
  5. Which users have actually logged onto the Desktop machine?
  6. What are the passwords for the users in the domain?
  7. Can you recover the original file about Beth’s Secrets?
    1. What was the original name?
    2. Original Contents?
  8. Finally, what file was time stomped?

The answers for the Stolen Szechuan Sauce are here. A humble recommendation: since the answers are public, require that students produce a report explaining their findings, with screenshots that include their names.

Client Interview

Rick Sanchez and The Stolen Szechuan Sauce

This interview was conducted while retrieving the artifacts from the system using FTK Imager Lite and a Redline Collector.

Where were the files in question stored?

On the bellllcchhhh File Server on the Domain Controller.

What was the Operating System version of this server?

Belch Whatever that idiot Jerry put on there a few years back.

May I have a network map where the affected systems were located?

Sure. All the systems were loc-bellllch-ated in 10.42 something something

Were there any other systems or files you are concerned about?

Yeah, certainly. Morty is ramble belllch rambling on about something he might have had on there. Also, there was a secret about Bebelllech …. Beth on the server. So if you find it, and YOU TELL ANYBODY I WILL KILL YOU!

(The threat here is in character for a popular cartoon and is not a real threat, so stay calm.)

Note: This incident occurred at an organization located in Colorado in September, which places the incident in Mountain Daylight Time, UTC-6. Keep this in mind when looking at the output of various tools, since many of them report timestamps in UTC.
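The offset matters in practice because memory, PCAP and timeline tools usually print UTC while the Windows Event Viewer shows local time, and UTC-6 is only correct while Mountain Daylight Time is in effect (the same Colorado clock reads UTC-7 after the first Sunday in November). The Python below is an added example, not code from the original post or its authors: it parses the UTC timestamp styles commonly seen in tool output (an assumption about those formats, not a claim about any specific tool) and converts them to Mountain time, computing the DST window from the US rule rather than hard-coding -6. The sample timestamps are constructed and are not case data.

```python
"""Normalise UTC timestamps from forensic tools to the victim's Mountain time.

Added example (not from the original post). The -6 offset in the note above is
Mountain Daylight Time; the same clock reads UTC-7 (MST) outside the US DST
window, so the rule is computed rather than hard-coded. The accepted input
formats are assumptions about common tool output, not any tool's documented API.
"""
import re
from datetime import date, datetime, timedelta

# 'YYYY-MM-DD HH:MM:SS' or ISO 'T', optional fraction, optional UTC marker.
_UTC_RE = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2})[T ](\d{2}):(\d{2}):(\d{2})(?:\.\d+)?"
    r"\s*(?:Z|UTC\+0000|\+00:00)?$"
)


def nth_sunday(year, month, n):
    """Date of the n-th Sunday of a month (date.weekday(): Monday=0, Sunday=6)."""
    first = date(year, month, 1)
    return first + timedelta(days=(6 - first.weekday()) % 7 + 7 * (n - 1))


def mountain_offset(utc):
    """(offset, abbreviation) for America/Denver at a naive UTC datetime.

    US DST (2007 rules): starts 02:00 local standard time on the second Sunday
    of March (09:00 UTC when the clock is MST) and ends 02:00 local daylight
    time on the first Sunday of November (08:00 UTC when the clock is MDT).
    """
    midnight = datetime.min.time()
    start = datetime.combine(nth_sunday(utc.year, 3, 2), midnight) + timedelta(hours=9)
    end = datetime.combine(nth_sunday(utc.year, 11, 1), midnight) + timedelta(hours=8)
    if start <= utc < end:
        return timedelta(hours=-6), "MDT"
    return timedelta(hours=-7), "MST"


def parse_utc(text):
    """Parse an unambiguous UTC timestamp; reject anything else.

    A string carrying a non-UTC offset, or no date at all, raises ValueError so
    a local-time string from Event Viewer is never silently treated as UTC.
    """
    m = _UTC_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an unambiguous UTC timestamp: {text!r}")
    return datetime(*(int(g) for g in m.groups()))


def to_mountain(text):
    """Render a tool's UTC timestamp as victim local time with its offset."""
    utc = parse_utc(text)
    off, abbr = mountain_offset(utc)
    hours = int(off.total_seconds() // 3600)
    return f"{utc + off:%Y-%m-%d %H:%M:%S} {abbr} (UTC{hours:+03d}:00)"


if __name__ == "__main__":
    # Constructed sample lines in three common output styles (not case data).
    for sample in ("2020-09-19 02:24:06 UTC+0000",
                   "2020-09-19T02:24:06.123456Z",
                   "2020-11-15T14:00:00+00:00"):
        print(f"{sample:32s} -> {to_mountain(sample)}")
```

Run it as a script to see the three conversions; the November sample lands on UTC-7, which is the trap when a timeline is padded out to "a few months later" without re-checking the offset.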

The questions here are not a full example of what to ask during a breach; they are part of the training scenario as much as anything else here. A decent starting point for your investigation is to work through the questions for the exercise, try to answer them, and use them as pivots.

Potential Questions You May Have

Why (outdated) Windows 2012?

Its end of life isn’t until 2023 and plenty of people still use it. In fact, investigations reveal that even Windows Server 2008 R2 is still in heavy use despite reaching end of life in January 2020.

Windows 10?

Windows 10 uses memory compression, so it contrasts nicely with Server 2012 for the memory forensics. There are also differences in disk artifacts to explore between the two.

I Don’t Know Forensics! Where do I start?

That’s specifically the point of this training set! We will teach you how to approach this investigation, how to set up your environment, how to analyze the artifacts, and then how to generate a great report.

The Artifacts

Separate posts will start appearing soon on how to approach these artifacts, and how to answer the questions above.

Estimated Difficulty Levels:

Nightmare – Disk Image Only

Ultra-Violence – Disk and Memory

Hurt Me Plenty – Disk, Memory, and Autoruns

I’m Too Young to Die – Disk, Memory, Autoruns, and PCAPS.

Also, for a fun twist, try and solve as much of the case as you can without the artifacts from the Desktop.


To get the E01’s you may need to use Firefox in a Private Window, hit the back button, select the file, and hit Download.

However, if you are worried about storage and bandwidth, ditch the protected files and the pagefiles for now.


DC01 Disk Image (E01)

DC01 Memory and PageFile

DC01 Autoruns

DC01 Protected Files

Case001 PCAP

Desktop Disk Image (E01)

Desktop Memory and PageFile

Desktop Autoruns

Desktop Protected Files

To verify file integrity in Windows PowerShell, from the download directory: Get-FileHash -Algorithm md5 *

To verify file integrity in Linux, from the download directory: md5sum *

MD5 422046B753CF8A4DF49D2C4CE892DB16  case001-pcap.zip
MD5 964F2D710687D170C77C94947DA29E66  DC01-autorunsc.zip
MD5 E57FC636E833C5F1AB58DFACE873BBDE  DC01-E01.zip
MD5 64A4E2CB47138084A5C2878066B2D7B1  DC01-memory.zip
MD5 964EEAF0009D08CC101DE4A83A4E5D23  DC01-pagefile.zip
MD5 AD29830A583EFE49C8C1C35FAFFD264F  DC01-ProtectedFiles.zip
MD5 71C5C3509331F472ABCDF81EB6EFFF07  DESKTOP-E01.zip
MD5 3627DCAFA54E1365489A4EC0CC3D6A1C  DESKTOP-SDN1RPT-autrunsc.zip
MD5 CF31E2635C77811AAA1BB04A92A721E2  DESKTOP-SDN1RPT-memory.zip
MD5 45C096F2688A0B5DE0346FB72391B245  Desktop-SDN1RPT-pagefile.zip
MD5 3E1A358D50003A9351AC2160AE6F0495  DESKTOP-SDN1RPT-Protected Files.zip
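Eyeballing eleven 32-character hashes against a terminal is where mistakes happen, so as an added example (not code from the original post or its authors) the Python below takes the list in the “MD5 <hash> <filename>” form shown above, streams each download through MD5 so a multi-gigabyte E01 zip is never read into memory at once, and reports ok, MISMATCH or missing for every listed file. Filenames containing spaces (the Protected Files zip above has one) survive because the line is split on at most two runs of whitespace. The demo() run uses constructed stand-in files, not the real artifacts. One caveat: MD5 catches truncated or corrupted downloads, which is all it is for here; it is not collision-resistant, and a hash hosted beside the download says nothing about who published the file.

```python
"""Verify downloaded case files against a published MD5 list.

Added example (not from the original post): parses lines of the form
'MD5 <hex> <filename>' as printed above and checks each file in a directory.
"""
import hashlib
import os
import tempfile


def parse_hash_list(text):
    """Return {filename: md5hex} from 'MD5 <hex> <filename>' lines.

    split(None, 2) splits on at most two whitespace runs, so a filename that
    itself contains spaces is kept intact in the third field.
    """
    expected = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3 or parts[0].upper() != "MD5":
            continue  # blank line or unrelated text
        _, digest, name = parts
        expected[name] = digest.lower()
    return expected


def md5_of_file(path, chunk=1 << 20):
    """Stream the file through MD5 in 1 MiB chunks (E01 zips run to gigabytes)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_downloads(hash_list_text, directory):
    """Return {filename: 'ok' | 'MISMATCH' | 'missing'} for every listed file."""
    results = {}
    for name, want in parse_hash_list(hash_list_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        results[name] = "ok" if md5_of_file(path) == want else "MISMATCH"
    return results


def demo():
    """Self-contained run on constructed stand-in files (not the real artifacts)."""
    with tempfile.TemporaryDirectory() as d:
        good = b"constructed stand-in for an evidence zip\n"
        with open(os.path.join(d, "good.zip"), "wb") as f:
            f.write(good)
        with open(os.path.join(d, "Protected Files.zip"), "wb") as f:
            f.write(b"truncated download")  # content does not match its hash
        listing = (
            f"MD5 {hashlib.md5(good).hexdigest().upper()}    good.zip\n"
            f"MD5 {'0' * 32}    Protected Files.zip\n"
            f"MD5 {'F' * 32}    never-downloaded.zip\n"
        )
        return verify_downloads(listing, d)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:9s} {name}")
```

To use it on the real downloads, paste the published list into a string and call verify_downloads(listing, "/path/to/downloads"); anything other than ok means re-download before you start carving.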


Choose Your Next Move

The following list is a rough outline of an approach to get you started.

Learn how to look at the memory!

Show me how to look at the PCAP!

I want to mount the hard drives and look around!

Show me how to look at the autoruns!

I want to look at the logs! (Coming soon)

I want to learn how to look at a quick timeline of the disks!

Something seems off about the time!??

I want to learn how to look at a super timeline of the disks! (Coming soon)

I want to do battlefield forensics! (Coming Soon)

Give me the answers!

That’s The Case of the Stolen Szechuan Sauce. In conclusion, please feel free to leave your thoughts in the comments.

14 Replies to “Case 001 – The Stolen Szechuan Sauce”

  1. Dusty says:

    I want to try this

  2. Smith says:

    Hi, can’t download the files 🙁

    • James says:

      Thanks! We weren’t expecting this level of demand – nor did we realize OneDrive would cut us off the way they did. Partial service is restored for now. All the files should be back shortly. We are working on a better long term solution. Thanks for your patience, and the enthusiastic demand.

  3. Om Salamkayala says:

    Hi, I am Om and very interested. I think it is too much to ask, but if possible can you also provide Encase old version 6.14 that has a dongle, as the latest version is costly, or set up Autopsy with repositories and all ingestion modules in an open source virtual environment for analysing. This way you can just provide login details once registered for the virtual workstation. The virtual workstation will have the image, Encase tool, mobile forensic tool for mobile images, Eric Zimmerman open source tools for parsing and the case hypothesis/background, where it will be very easy to analyse for the people who are interested, by assigned slots to access this virtual workstation. Very limited access to OS and other applications that are required from the point of view of analysis.
    This way people will have a good experience in analysing, using the tool and time management. Either in Word or text they can provide their findings as per the hypothesis and also answer the questions.
    Because most of them don’t have a properly licensed tool and Autopsy is too tedious to set up with the repository and ingestion modules. In addition to this one has to have a good supportive system configuration.

  4. Dan says:

    Unfortunately, I am unable to download the files…

  5. LD says:

    Can’t download ENCASE images. Receiving AccessDenied.

  6. I.P. says:

    Hi I’m unable to download Encase images

  7. Yasser says:

    Where can I find answers or walkthrough?

    • James says:

      Hey,

      The answers will be released soon. The walk-throughs will be coming over time. We do this in our spare time as a way to give back to the community. I hope to have all of them in the next couple of weeks. The memory analysis walk-through was just published as a bit of a rough draft. More will be added to it. Enjoy!

  8. democrite says:

    Looks amazing ! Can’t wait to start. Thanks for all your work my sift/remnux workstation is ready :p

  9. madameroot says:

    Hi James,
    can’t find the file to download. can you provide me with the link pls?

  10. Thomas Henry says:

    Great, work – big thank you for this AMAZING WORK!
