THE CASE OF THE STOLEN SZECHUAN SAUCE

The Stolen Szechuan Sauce [image courtesy of artwork-tee]

Your bedroom door bursts open, shattering your pleasant dreams. Your mad scientist of a boss begins dragging
you out of bed by the ankle. He simultaneously explains between belches that the FBI contacted him. They
found his recently-developed Szechuan sauce recipe on the dark web. As you careen past the door frame you
are able to grab your incident response “Go-Bag”. Inside is your trusty incident thumb drive and laptop.

Resources for getting started will be provided at the bottom of the post. Additionally, individual articles on
working through the artifacts and solving the case will be posted in the coming weeks! So be sure to check
back soon.
PURPOSE
This lab is for learning and practicing forensics obviously! We will also be providing training for free through
a series of upcoming posts on how to solve the case!

TARGET AUDIENCE
Experienced digital forensics Jedi Masters who want a fun case as well as aspiring forensics folks who want to
learn and practice.
Teachers, Professors, Mentors, and Students are welcome to use these materials so long as credit is given to
this site and its authors.

GAME-ISMS
With training in mind, there are intentional (not to mention unintentional) mistakes in the data. Consequently,
the timelines are sometimes compressed. For example, the time between the victim’s notification and when
someone acquired the images does not make sense in the real world. Likewise, some of the adversary activities
are stealthy, funny, or enable training efforts. However, the attack mirrors real-world adversary tactics,
techniques, tools, and procedures. Consequently, it will support training and real-world incident preparedness.

QUESTIONS TO ANSWER / GOALS

1. What’s the Operating System of the Server?
2. What’s the Operating System of the Desktop?
3. What was the local time of the Server?
4. Was there a breach?
5. What was the initial entry vector (how did they get in)?
6. Was malware used? If so what was it? If there was malware answer the following:
1. What process was malicious?
2. Identify the IP Address that delivered the payload.
3. What IP Address is the malware calling to?
4. Where is this malware on disk?
5. When did it first appear?
6. Did someone move it?
7. What were the capabilities of this malware?
8. Is this malware easily obtained?
9. Was this malware installed with persistence on any machine?
1. When?
2. Where?
7. What malicious IP Addresses were involved?
1. Were any IP Addresses from known adversary infrastructure?
2. Are these pieces of adversary infrastructure involved in other attacks around the
time of the attack?
8. Did the attacker access any other systems?
1. How?
2. When?
3. Did the attacker steal or access any data?
 1. When?
9. What was the network layout of the victim network?
10. What architecture changes should be made immediately?
11. Did the attacker steal the Szechuan sauce? If so, what time?
12. Did the attacker steal or access any other sensitive files? If so, what times?
13. Finally, when was the last known contact with the adversary?

ADVANCED AND BONUS QUESTIONS

1. What CIS Top 20 or SANS Top 20 Controls would have directly prevented this breach?
2. What major architecture improvement could be made that would have prevented this breach?
3. Can you identify policy improvements or controls that should be implemented to secure this
environment?
4. Which users have actually logged onto the DC?
5. Which users have actually logged onto the Desktop machine?
6. What are the passwords for the users in the domain?
7. Can you recover the original file about Beth’s Secrets?
1. What was the original name?
2. Original Contents?
8. Finally, what file was time stomped?

The answers for the Stolen Szechuan Sauce are here. A humble recommendation: require that students produce
screenshots with their names in a report explaining their findings since the answers are here.

CLIENT INTERVIEW

This interview was conducted while retrieving the artifacts from the system using FTK Imager Lite and a
Redline Collector.
Where were the files in question stored?
On the bellllcchhhh File Server on the Domain Controller.
What was the Operating System version of this server?
Belch Whatever that idiot Jerry put on there a few years back.
May I have a network map where the affected systems were located?
Sure. All the systems were loc-bellllch-ated in 10.42 something something
Were there any other systems or files you are concerned about?
Yeah, certainly. Morty is ramble belllch rambling on about something he might have had on there. Also, there
was a secret about Bebelllech …. Beth on the server. So if you find it, and YOU TELL ANYBODY I WILL
KILL YOU!
(The threat here matches a character from a popular cartoon character and not any real threat so stay calm).

Note: This incident occurred at an organization located in Colorado in September. So, this places the incident
at UTC -6. Keep this in mind when looking at the output of various tools.

The questions here are not a full example of what to ask during a breach. It’s part of the training scenario
as much as anything else here. It’s also a decent starting point to your investigation would be going through the
questions for the exercise and trying to answer those and use them as pivots.

POTENTIAL QUESTIONS YOU MAY HAVE

Why (outdated) Windows 2012?
Its end of life isn’t until 2023 and plenty of people still use it. In fact, investigations reveal that even Windows
2008r2 shows high usage despite an End of Life date of January 2020.
Windows 10?
This will contrast nicely with 2012 for the Memory Forensics as it uses compressed memory. There will also
be a difference in Disk Artifacts to explore between the two.
I Don’t Know Forensics! Where do I start?
That’s specifically the point of this training set! We will teach you how to approach this investigation, how to
set-up your environment, analyze artifacts, and then to generate a great report!

THE ARTIFACTS
Separate posts will start appearing soon on how to approach these artifacts, and how to answer the questions
above.

ESTIMATED DIFFICULTY LEVELS:

Nightmare – Disk Image Only
Ultra-Violence – Disk and Memory
Hurt Me Plenty – Disk, Memory, and Autoruns
I’m Too Young to Die – Disk, Memory, Autoruns, and PCAPS.
Also, for a fun twist, try and solve as much of the case as you can without the artifacts from the Desktop.

To get the E01’s you may need to use Firefox in a Private Window, hit the back button, select the file,
and hit Download.
However, if you are worried about storage and bandwidth ditch the protected files and
the pagefiles for now.

DC01 Disk Image (EO1)

DC01 Memory and PageFile
DC01 Autoruns
DC01 Protected Files
Case001 PCAP
Desktop Disk Image (E01)
Desktop Memory and PageFile
Desktop Autoruns
Desktop Protected Files
To verify file integrity in Windows Powershell, from the Download Dir: Get-FileHash -Algorithm md5 *
To verify file integrity in Linux, from the Download Dir: md5sum *
MD5 422046B753CF8A4DF49D2C4CE892DB16 case001-pcap.zip
MD5 964F2D710687D170C77C94947DA29E66 DC01-autorunsc.zip
MD5 E57FC636E833C5F1AB58DFACE873BBDE DC01-E01.zip
MD5 64A4E2CB47138084A5C2878066B2D7B1 DC01-memory.zip
MD5 964EEAF0009D08CC101DE4A83A4E5D23 DC01-pagefile.zip
MD5 AD29830A583EFE49C8C1C35FAFFD264F DC01-ProtectedFiles.zip
MD5 71C5C3509331F472ABCDF81EB6EFFF07 DESKTOP-E01.zip
MD5 3627DCAFA54E1365489A4EC0CC3D6A1C DESKTOP-SDN1RPT-autrunsc.zip
MD5 CF31E2635C77811AAA1BB04A92A721E2 DESKTOP-SDN1RPT-memory.zip
MD5 45C096F2688A0B5DE0346FB72391B245 Desktop-SDN1RPT-pagefile.zip
MD5 3E1A358D50003A9351AC2160AE6F0495 DESKTOP-SDN1RPT-Protected Files.zip

CHOOSE YOUR NEXT MOVE

The following list a rough outline of an approach to get you started.
Learn how to look at the memory!
Show me how to look at the PCAP!
I want to mount the hard drives and look around!
Show me how to look at the autoruns!
I want to look at the logs! (Coming soon)
I want to learn how to do look at a quick timeline of the disks!
Something seems off about the time!??
I want to learn how to look at a super timeline of the disks! (Coming soon)
I want to do battle field forensics! (Coming Soon)
Give me the answers!

THAT’S THE CASE OF THE STOLEN SZECHUAN SAUCE,

IN CONCLUSION, PLEASE FEEL FREE TO LEAVE YOUR
THOUGHTS IN THE COMMENTS.