Our Incident Response team started their investigation on a device found when pinning down a terrorist. They got some doubts while analyzing the device, So they framed these questions can you help them in answering these questions? Our Intelligence report states that the terrorist used a legit chat application for communication among themselves.
Questions:
What is the name of the chat application program?
Ex: Mozilla_Firefox (Use Name of the program, Not the name of the binary. If there is a space replace it with _. )
When did the user last used this chat application?
Answer in DD-MM-YYYY_HH:MM:SS. Timestamp in UTC
How many unread messages are there in the chat application that the user is using?
Answer should be an integer n.
What is the current version of the chat application that's being used?
$ vol.py -f ermittlung.raw imageinfo
Volatility Foundation Volatility Framework 2.6.1
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
AS Layer1 : IA32PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/Users/zhangzeyu/OneDrive/Documents/CTF/inCTF/ermittlung.raw)
PAE type : No PAE
DTB : 0x39000L
KDBG : 0x8054cf60L
Number of Processors : 1
Image Type (Service Pack) : 3
KPCR for CPU 0 : 0xffdff000L
KUSER_SHARED_DATA : 0xffdf0000L
Image date and time : 2020-07-27 12:27:08 UTC+0000
Image local date and time : 2020-07-27 17:57:08 +0530
Great! We will use the WinXPSP2x86 profile from now on.
What is the name of the chat application program?
If we look at the process tree, the only relevant process with "chat" functionality is msimn.exe, which is Outlook Express.
When did the user last used this chat application?
The date and timestamp are provided in the above output (2020-07-27 12:26:17 UTC+0000).
How many unread messages are there in the chat application that the user is using?
A quick Google search on Outlook Express registry keys showed us that the registry keySoftware\Microsoft\Windows\CurrentVersion\UnreadMail contains information about the unread mail. There is a subkey for each email address, and the MessageCount value of those subkeys tell us how many unread messages there are.
$ vol.py --profile=WinXPSP2x86 printkey -K "Software\Microsoft\Windows\CurrentVersion\UnreadMail\danial.banjamin008@gmail.com" -f ermittlung.raw
Volatility Foundation Volatility Framework 2.6.1
Legend: (S) = Stable (V) = Volatile
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\crimson\NTUSER.DAT
Key name: danial.banjamin008@gmail.com (S)
Last updated: 2020-07-27 12:26:25 UTC+0000
Subkeys:
Values:
REG_DWORD MessageCount : (S) 4
REG_BINARY TimeStamp : (S)
0x00000000 42 d8 4e 25 11 64 d6 01 B.N%.d..
REG_SZ Application : (S) msimn
There were 4 unread messages.
What is the current version of the chat application thatβs being used?
