20 BTLO 蓝队靶场 Sticky Situation 解题记录

难度：5/10

考察技能: Windows admin, Autopsy 使用

场景：分析USB设备使用情况

Autopsy使用注意：用管理员打开，在实际分析时注意先复制一个镜像文件，保存好原文件

常用的Windows USB 取证的位置:

Windows XP:

Registry Key: USB-related information is stored in:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\

SetupAPI Logs: C:\WINDOWS\setupapi.log

Windows 7 had a few changes:

SetupAPI Logs moved to: C:\WINDOWS\INF\setupapi.dev.log

The category Windows Portable Devices was added: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Portable Devices\Devices

Windows 8/8.1 added:

DeviceClasses: Additional device information may be found under:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses

Windows 10 and Windows 11:

The category Device Container ID was added:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbccgp

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbhub

其他取证位置:

Windows Event Logs:

• System event logs may contain entries related to USB device insertions and removals.
• Event Viewer path: Applications and Services Logs\Microsoft\Windows\DriverFrameworks-UserMode\Operational

Windows Prefetch:

• USB-related executables may be found in C:\Windows\Prefetch\.

Mounted Devices:

• Mounted device artifacts: HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices

UserAssist:

• Tracks user interaction with USB devices in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist.

挑战场景

A highly confidential document has been stolen from Prime Minister’s laptop and has been sold in the Dark Web. Can you help the intelligence services figure out how this happened?

1. 计算机名称是什么 What is the computer name?

我们可通过在结果面板中查看操作系统信息来获取终端主机名。在标黄的SYSTEM条目中即可找到主机名。

2. 操作系统安装时间 When was the OS installed?

从上图SOFTWARE条目中同样可获取系统安装日期。

3. 计算机时区设置 What is the Timezone of the computer?

通过分析"TimeZoneInformation"注册表键值可确定时区。Autopsy会自动导出注册表配置单元以加速取证分析。 

TimeZon 

4. 首个连接的USB大容量存储设备序列号 What is the serial number of the first USB mass storage device connected?

从系统注册表配置单元的"USBSTOR"键值中可获取该信息。

最后一个

或者在提供的regripper文件里面找：

（RegRipper 是一个用于注册表取证的开源工具，主要用于在Windows系统中分析注册表数据。）

5. 首个USB大容量存储设备厂商名称 What is the vendor name of the first USB mass storage device?

上上图有

6. 首个USB设备首次连接时间（系统本地时间） When was the first USB mass storage device connected for the first time? (system local time)

在"windows/inf"目录下的"setupapi.dev.log"日志文件中可找到该记录。

或者在提供的regripper文件里面找：

7. 特定USB存储设备的卷标 What is the Volume Label of the unique USB mass storage device?

卷标信息存储于软件注册表配置单元中，通过之前获取的序列号即可定位。

8. 找出使用过USB设备的用户及其SID Find the user that used the USB Device. What is the user’s SID?

通过系统注册表中"MountedDevices"键值获取设备GUID后，进行关键词搜索即可关联用户。在"提取内容→操作系统用户账户→PM→属性"中可查看用户SID。

9. 该USB设备最后分配的盘符 What is the last drive letter assigned to the USB device?

继续分析第7题提供的截图即可获得该信息。

10. 被窃取的文件名是什么 What is the filename of the document stolen?

综合所有取证证据后，通过"提取内容→最近文档"中的LNK文件即可立即锁定被盗文档。