BTLO PIE

Blue Team Labs Online - PIE Walkthrough

Scenario: We’ve had reports from customers that their credit card details have been stolen! Some affected users have stated that we are the only company they have submitted these details to. Confirm whether there has been a breach and collect key information – our reputation depends on it!

Tools: GNU/Linux CLI, grep, phpMyAdmin

Question 1: On which web page did the attacker discover the API?

Question 2: What is the name of the PHP file with the configured API?

Question 3: How many fields does the API return when a customer’s data is requested?

Question 4: List all public IP addresses that have abused this API functionality (List the IPs in ascending order, with the smallest initial octet first. Ex. 185.x.x.x, 197.x.x.x)

Question 5: What is the customer name of the first customer that had their data stolen?

Question 6: What is the customer name of the last customer that had their data stolen?

Question 7: How many unique customers’ data, based on customer IDs (cid), have been successfully accessed?

Question 8: How many customer entries within the database have NOT had their data accessed?

log2timeline

Event Logs Tool - log2timeline

Log2timeline is a powerful forensic tool designed to create timelines from various digital artifacts, helping investigators analyze events and actions taken on a computer system. Unlike traditional methods that can be tedious and time-consuming, log2timeline automates the process of collecting and organizing data from multiple sources, such as event logs, file systems, and browser history. This enables forensic analysts to visualize a sequence of events and gain valuable insights into user activity and potential security incidents.

The tool supports a wide range of input formats, making it versatile for different forensic scenarios. Once the timeline is generated, users can export it in several formats for further examination and reporting. Log2timeline is often used alongside other forensic tools, enhancing the investigative workflow and allowing for deeper analysis of evidence. Its efficiency in compiling and structuring data makes it an essential asset for incident response teams, digital forensics experts, and legal professionals working to uncover the details of a security breach or other digital crime.

The Sleuth Kit Tools

Chainsaw

Incident Response Tool - Chainsaw

Chainsaw is an innovative incident response tool designed to streamline the analysis of Windows event logs and other critical data sources during a forensic investigation. Unlike traditional methods that can be cumbersome and time-consuming, Chainsaw focuses on providing security analysts with a user-friendly interface that facilitates rapid examination of log data. By parsing through event logs, the tool identifies and highlights potentially malicious activity, allowing investigators to pinpoint security incidents more effectively.

One of Chainsaw’s features is its ability to integrate seamlessly with various data formats, including the Windows Event Log and other log sources, ensuring a comprehensive analysis of all relevant information. The tool generates detailed reports that summarize findings, making it easier for incident response teams to communicate their insights and recommendations. This capability not only enhances the efficiency of the investigation but also assists in meeting compliance requirements. With Chainsaw, security professionals can quickly assess and respond to threats, making it an invaluable asset in any incident response toolkit.


Hayabusa

Incident Response Tool - Hayabusa

Hayabusa is an advanced incident response tool designed for quickly gathering and analyzing digital evidence from live systems. This software is particularly useful in forensic investigations, allowing security experts to collect vital data without interfering with ongoing processes. Hayabusa captures various information types, such as active processes, network connections, and system logs, all while preserving the original system’s integrity.

A standout feature of Hayabusa is its ability to generate detailed reports on the collected data, making it simpler for investigators to grasp the context and timeline of an incident. The tool accommodates a wide range of data sources, enabling users to conduct thorough analyses of potential security breaches or other suspicious activities. By offering real-time insights and forensic capabilities, Hayabusa proves to be an essential resource for incident response teams, helping them address security threats promptly and collect the evidence needed for further investigation and legal actions.


LNK Analyzer

Incident Response Tool - LNK Analyzer

LNK Analyzer is a specialized incident response tool used to thoroughly examine Windows shortcut files (.LNK). While they appear simple, these files contain surprisingly rich data, making them valuable artifacts in digital investigations. The tool dissects these files, revealing details such as the target file’s location, creation and modification times, file size, and even the original working directory. This information is critical for reconstructing user activity, identifying the source of malware, or tracking how files spread throughout a system.

LNK Analyzer often goes beyond basic metadata extraction, correlating LNK file data with other system information. For instance, it might link a shortcut to a specific user profile or associated application. This contextual information is invaluable for creating timelines of events or connecting different pieces of evidence. Some advanced LNK Analyzers include features that detect anomalies or suspicious patterns within LNK files, potentially identifying malicious shortcuts designed to execute harmful code. These capabilities make LNK Analyzer a crucial tool for incident response, digital forensics, and malware analysis, helping investigators understand how files were accessed, where they originated, and what actions a user might have performed.


WinPrefetchView

Incident Response Tool - WinPrefetchView

WinPrefetchView is a useful forensic tool designed to assist investigators in examining the Windows Prefetch folder, which contains data related to application execution. By extracting and displaying prefetch information, WinPrefetchView enables forensic professionals to understand which programs have been run on a system, including details about execution times, frequency, and the associated files. This insight is essential for analyzing user behavior and reconstructing events during investigations.

A significant benefit of WinPrefetchView is its intuitive interface, which presents prefetch file information in a clear and organized format. Investigators can easily sort and filter data based on different criteria, allowing for the quick identification of relevant artifacts. The tool also offers the option to export results in various formats, streamlining further analysis and documentation. As a lightweight application, WinPrefetchView is particularly well-suited for incident response situations where immediate access to application execution history is necessary. Its capability to provide valuable context regarding user activity enhances the overall effectiveness of digital forensic investigations.


gKAPE

Incident Response Tool - gKAPE

gKAPE (Graphical Kroll Artifact Parser and Extractor) is a forensic tool designed to streamline the collection and analysis of digital evidence. As a graphical interface for the command-line-based KAPE, it simplifies the process of gathering key forensic artifacts from live systems or forensic images. Instead of requiring full disk acquisition, gKAPE allows investigators to quickly target specific files, directories, and registry hives, making it an essential tool for rapid triage in incident response and digital forensics investigations.

With support for both collection and processing modes, gKAPE can not only acquire artifacts like event logs, browser history, and prefetch files but also process them using other forensic tools for deeper analysis. Its user-friendly interface makes it accessible to investigators of all experience levels, reducing the learning curve associated with command-line tools. Whether used for cybersecurity investigations, malware analysis, or legal proceedings, gKAPE helps forensic professionals efficiently collect and analyze critical data while maintaining forensic integrity.


KAPE

Incident Response Tool - KAPE

KAPE (Kroll Artifact Parser and Extractor) is a comprehensive incident response tool designed to streamline the collection and analysis of forensic artifacts from endpoints. Unlike traditional forensic tools that may require extensive manual intervention, KAPE automates the process of identifying and extracting critical data from systems. It can gather a wide range of information, including file artifacts, registry data, and event logs, making it an invaluable resource for incident responders and forensic investigators.

One of the standout features of KAPE is its ability to operate in both live and dead-box scenarios, allowing investigators to gather evidence even from powered-on systems. The tool employs a modular approach, enabling users to customize their data collection based on specific needs or incidents. This flexibility helps investigators focus on relevant data, saving time and resources during an investigation. Additionally, KAPE generates detailed reports that summarize the collected artifacts, facilitating easier analysis and documentation. Overall, KAPE enhances the efficiency and effectiveness of incident response efforts, making it a go-to choice for security professionals facing a variety of challenges in the digital forensics landscape.


Splunk

SIEM Tool - Splunk

Splunk is a powerful tool widely used for Security Information and Event Management (SIEM), helping organizations gain deep insights into their IT environments. It collects and analyzes machine-generated data from various sources, like servers, networks, and applications, making it easier for security teams to spot unusual activities and respond to potential threats. Its user-friendly interface allows users to quickly search through vast amounts of data, which is invaluable when time is of the essence in security incidents.

What sets Splunk apart is its ability to correlate data from different sources, providing a clear picture of security events and alerts. This means that security professionals can connect the dots between disparate data points to identify potential vulnerabilities and respond before issues escalate. Additionally, Splunk offers impressive analytics and visualization tools, allowing users to create customized reports and dashboards that suit their specific needs. With strong integration capabilities and support for various data formats, Splunk has become a go-to solution for cybersecurity teams, enhancing incident response efforts and ensuring ongoing monitoring in today’s complex threat landscape.


YaraGen

Detection Rules Tool - YaraGen

YaraGen is a specialized tool designed to simplify the process of creating YARA rules for malware detection and classification. Unlike manual rule creation, which can be time-consuming and complex, YaraGen provides a user-friendly interface that allows users to generate rules quickly and efficiently. This is particularly useful for security analysts and researchers who need to adapt to the ever-evolving landscape of threats.

One of the key features of YaraGen is its ability to analyze files and automatically suggest patterns that can be used in YARA rules. Users can input various parameters, such as file types or specific characteristics, and YaraGen will generate corresponding rules based on the provided data. This streamlining of the rule creation process not only saves time but also helps ensure that the rules are effective and accurate. By facilitating the rapid development of detection rules, YaraGen empowers security teams to enhance their threat detection capabilities and respond more effectively to emerging malware threats.
