MINAF (Minerías Alcazar y Ferrán, an international mining company with annual sales in excess of €40 million) executives come to you desperately for help because they have a problem: €100k have disappeared from their bank accounts.
After having interviewed MINAF's CEO and CFO you get this information:
- MINAF has been in talks for several months with Coltranistan (a former USSR republic in the Middle East) to establish a Coltran mining operation, with an economic impact of tens of millions.
- Both parties were close to an agreement. A meeting in Istanbul on June 7th was meant to reach a final deal, so MINAF's CEO (Abelardo Alcazar) flies there first thing in the morning of June 7th.
- Around 17:00, MINAF's CFO (Alfonso Ferran) receives an email from the CEO demanding several international bank transfers that add up to €100,000.
- After a brief email conversation, Alfonso Ferran makes the transfers at around 17:30.
- Abelardo Alcazar returns to Spain on June 9th around 13:00 and calls Alfonso Ferrán. Alfonso Ferran tells him about his concerns over the bank transfers, and Abelardo Alcazar flatly denies having ordered them.
- Abelardo Alcazar's mobile device stopped working properly on June 7th around 20:30, shortly after he had sent Alfonso Ferran an email saying that the deal was done.
- A security breach is suspected, and they want you to help them clarify the facts.
MINAF's information systems are fairly standard: Windows 7 (SP1, 64-bit) endpoints and several Windows Server 2008 R2 servers (one domain controller, one file server and one Microsoft Exchange 2010 server handling email). Exchange has the OWA and ActiveSync services enabled and reachable from the Internet (needed for mobility). MINAF executives have corporate mobile devices (Samsung Galaxy S9).
Security best practices are followed on MINAF's information systems: every server and endpoint has antivirus software and up-to-date security patches. There is also a password policy (enforced through GPO): 10 characters minimum length with complexity requirements enabled.
MINAF's sysadmin gives you this evidence:
(Alfonso Ferran - MINAF CFO)
MINAF-PC1_triage.zip - Triage data
MINAF-PC1-Outlook.zip - Outlook folder
(Abelardo Alcazar - MINAF CEO)
MINAF-PC2_triage.zip - Triage data
MINAF-PC2-Outlook.zip - Outlook folder
MINAF-CORREO_triage.zip - Triage data
CORREO_CAS_LogFiles.zip - Exchange CAS (Client Access Server) logs
CORREO-MessageTracking.csv - Exchange MessageTracking
CORREO-EventHistory_Abelardo_Alcazar.txt - EventHistory abelardo.alcazar
CORREO-EventHistory_Alfonso_Ferran.txt - EventHistory alfonso.ferran
CORREO-Buzon_Abelardo_Alcazar.pst - Exchange mailbox export - abelardo.alcazar
CORREO-Buzon_Alfonso_Ferran.pst - Exchange mailbox export - alfonso.ferran
* Here are the hashes for all the collected evidence: hashes.txt
The triage data has been obtained using CyLR.
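Before opening any of the archives, an examiner checks that what was delivered matches what was collected. The script below is an added example, not part of the challenge material: it assumes hashes.txt uses the common "<hex digest>  <filename>" layout of sha256sum/md5sum (the real file may differ) and reports each listed evidence item as OK, MISMATCH or MISSING. The demo case it builds is constructed, with one file deliberately altered after hashing and one listed but never delivered.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Assumed hashes.txt layout: "<hex digest>  <filename>" per line, optional
# leading '*' before the name (binary mode marker), comments/blank lines skipped.
HASH_LINE = re.compile(r"^\s*([0-9a-fA-F]{32,128})\s+\*?(.+?)\s*$")

# Digest length tells us which algorithm produced it.
ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def parse_hash_list(text):
    """Return {filename: (algorithm, lowercase digest)} from a hashes.txt body."""
    entries = {}
    for line in text.splitlines():
        m = HASH_LINE.match(line)
        if not m:
            continue
        digest, name = m.group(1).lower(), m.group(2)
        entries[name] = (ALGO_BY_LEN[len(digest)], digest)
    return entries


def file_digest(path, algorithm, chunk=1 << 20):
    """Stream the file through the hash so multi-GB triage archives don't load into RAM."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_evidence(evidence_dir):
    """Check every file listed in hashes.txt; returns {filename: 'OK'|'MISMATCH'|'MISSING'}."""
    evidence_dir = Path(evidence_dir)
    expected = parse_hash_list((evidence_dir / "hashes.txt").read_text())
    results = {}
    for name, (algo, digest) in expected.items():
        path = evidence_dir / name
        if not path.is_file():
            results[name] = "MISSING"
        elif file_digest(path, algo) == digest:
            results[name] = "OK"
        else:
            results[name] = "MISMATCH"
    return results


def build_demo_case():
    """Constructed sample: two 'evidence' files, one altered after hashing, one never delivered."""
    d = Path(tempfile.mkdtemp(prefix="minaf_demo_"))
    good = d / "MINAF-PC1_triage.zip"
    bad = d / "CORREO-MessageTracking.csv"
    good.write_bytes(b"constructed triage archive contents")
    bad.write_bytes(b"date-time,sender,recipient\n")
    lines = [
        f"{file_digest(good, 'sha256')}  {good.name}",
        f"{file_digest(bad, 'sha256')}  {bad.name}",
        f"{'0' * 64}  MINAF-PC2_triage.zip",  # listed in hashes.txt but not in the delivery
    ]
    (d / "hashes.txt").write_text("\n".join(lines) + "\n")
    bad.write_bytes(b"date-time,sender,recipient\ntampered\n")  # post-collection modification
    return d


if __name__ == "__main__":
    for name, status in verify_evidence(build_demo_case()).items():
        print(f"{status:9s} {name}")
```

Point it at the real evidence folder with `verify_evidence("path/to/evidence")`; any MISMATCH means the item cannot be relied on for the timeline until a fresh copy is obtained from the sysadmin.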
The flags are all case-insensitive and must be answered in plaintext (old-school guy here).
Any evidence you find dated before June 1st must be discarded because it's not related to our case.
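The June 1st cut-off and the interview times (17:00, 17:30, 20:30) are local Spanish time, while Exchange message tracking writes its date-time field in UTC, so the first thing to do with CORREO-MessageTracking.csv is normalise the clock before filtering. The script below is an added example, not part of the challenge: the CSV column names follow the standard Exchange message tracking log fields, the sample rows, addresses (minaf.local) and the year are constructed placeholders, and CEST (UTC+2) is assumed as a fixed offset rather than looked up from a tz database.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Assumption: Spain in June is CEST = UTC+2; a fixed offset keeps the example offline.
CEST = timezone(timedelta(hours=2), "CEST")
# Year is a placeholder: the challenge text never states one.
CASE_START = datetime(2018, 6, 1, tzinfo=CEST)

CEO = "abelardo.alcazar@minaf.local"   # constructed address
CFO = "alfonso.ferran@minaf.local"     # constructed address

# Constructed sample in the layout of an Exchange message tracking export (UTC timestamps).
SAMPLE_CSV = """date-time,event-id,source,sender-address,recipient-address,message-subject,original-client-ip
2018-05-28T09:12:44.120Z,RECEIVE,SMTP,proveedor@example.net,alfonso.ferran@minaf.local,Factura mayo,203.0.113.5
2018-06-07T15:01:10.331Z,RECEIVE,STOREDRIVER,abelardo.alcazar@minaf.local,alfonso.ferran@minaf.local,Transferencias urgentes,198.51.100.23
2018-06-07T15:09:52.004Z,RECEIVE,STOREDRIVER,alfonso.ferran@minaf.local,abelardo.alcazar@minaf.local,RE: Transferencias urgentes,10.0.0.15
2018-06-07T18:31:07.550Z,RECEIVE,STOREDRIVER,abelardo.alcazar@minaf.local,alfonso.ferran@minaf.local,Acuerdo cerrado,198.51.100.23
2018-06-09T11:05:00.000Z,RECEIVE,SMTP,newsletter@example.org,alfonso.ferran@minaf.local,Boletin,203.0.113.9
"""


def parse_tracking(csv_text):
    """Parse the export; attach both the UTC timestamp and its local (CEST) equivalent."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = datetime.fromisoformat(row["date-time"].replace("Z", "+00:00"))
        row["utc"] = ts
        row["local"] = ts.astimezone(CEST)
        rows.append(row)
    return rows


def in_scope(rows, start=CASE_START):
    """Apply the case rule: anything before June 1st (local time) is discarded."""
    return [r for r in rows if r["local"] >= start]


def exchange_between(rows, a, b):
    """Keep only messages flowing between two mailboxes, in either direction."""
    pair = {a.lower(), b.lower()}
    return [r for r in rows
            if {r["sender-address"].lower(), r["recipient-address"].lower()} == pair]


def window(rows, local_start, local_end):
    """Narrow a list of parsed rows to a local-time interval (inclusive)."""
    return [r for r in rows if local_start <= r["local"] <= local_end]


def describe(rows):
    """Human-readable timeline lines, local time first since that's how witnesses speak."""
    return [f"{r['local']:%Y-%m-%d %H:%M} CEST ({r['utc']:%H:%M}Z) "
            f"{r['sender-address']} -> {r['recipient-address']} | {r['message-subject']} "
            f"| src {r['original-client-ip']}" for r in rows]


if __name__ == "__main__":
    scoped = in_scope(parse_tracking(SAMPLE_CSV))
    thread = exchange_between(scoped, CEO, CFO)
    for line in describe(thread):
        print(line)
```

Note that the 15:01Z sample row lands at 17:01 local, which is where a naive read of the CSV would put the "17:00" email two hours later than the CFO remembers it; the original-client-ip column is what lets you then compare where the CEO's mailbox was being used from in each message of the thread.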
Answer all the challenges and help MINAF work out who took their money.
If you're not an Exchange sysadmin (I can swear I'm not one), you can get some useful insight from these articles: Exchange Forensics
May the for...ensic wisdom be with you!
This challenge has been made by Antonio Sanz (@antoniosanzalc), with support from DIEC (Telecommunications Engineering Department) at the University of Zaragoza. Extra large thanks go to José Luis Salazar (crypto man) and Alvaro Alesanco (network and medical devices security guy), professors at DIEC/Unizar, for their support. Play, learn, share & have fun!