MINAF is in trouble again! As a main partner of the "European Happy People" project, an initiative to showcase Europe's quality of life, good mood and optimism, MINAF is leading Spain's national effort to find its very happiest citizens. A Eurovision-style contest has been created, and tens of thousands of Spanish citizens, eager to show their happiness, have applied.

The jury has been deliberating for months and finally delivered a shortlist of candidates ... which, according to CCN-CERT (the Spanish National CERT) deep web monitoring, has been leaked! The consequences are dire: the database compiled on nearly 60,000 citizens holds quite sensitive information, and a full leak could be catastrophic for the EHP project (regardless of the possible GDPR sanctions for a massive data breach).

It's critical to assess the scope of the incident, help MINAF do damage control and plug the leak as fast as possible. Are you up to the task of keeping Europe's happiness safe?

Basic info

MINAF, like the whole of Spain's public administration sector, has undergone a massive overhaul of its IT systems (spearheaded mainly by its Digital Transformation initiative). Almost all its endpoints are Windows 10 based, with full patch deployment every month and antivirus updated daily. Servers have almost entirely been migrated to Windows Server 2016, also fully patched and with a solid backup strategy. An IDS/network monitoring system is deployed (a Suricata/Bro combo), and a Sysmon+ELK SIEM is in its testing phase. Security best practices are followed, and MINAF hopes to be ENS (Esquema Nacional de Seguridad, the main Spanish security standard for public administration) certified by the end of the year.

Moreover, CHITONSRV (the server storing all the confidential data) has these additional security measures:
    - Segregated network: only six senior MINAF staff (plus a sysadmin) are physically connected to the server through a second network.
    - Strict permission system: only the senior staff can access the Secret data, through a shared folder.
    - Auditing: extra auditing items are enabled.
    - Encryption: the MINAF database is encrypted with PGP and a strong shared key.

Evidence

MINAF's CISO gives you this evidence:

MINAF_chitonsrv_triage.zip : File server triage data
MINAF_chitonsrv.mem : File server RAM dump
MINAF_adminpc1.001.gz : Admin PC whole disk
MINAF_webserver_triage.zip : Web server triage data
MINAF_webserver.mem : Web server RAM dump
MINAF_webserver_inetpub.tar.gz : Web server logs & C:\inetpub content
MINAF_bro.tar.gz : Bro logs

Here you have the hashes for all the collected evidence: hashes.txt

[Note0]: Triage data was acquired with CyLR. RAM dumps are courtesy of Winpmem.
[Note1]: The flags are all case-insensitive and must be answered in plaintext (old-school guy here).
[Note2]: Any evidence you find dated before 04/11/2019 18:10:00 UTC must be discarded, because it's not related to our case.
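As an added example (not part of the challenge material or the author's own tooling), here are the two intake steps an analyst would run before touching the evidence listed above: verify every delivered file against hashes.txt, and keep only Bro records from the case window defined in Note2. The hashes.txt layout (sha256sum style, `<hexdigest>  <filename>`), the file contents and the conn.log lines are constructed for the demo, and the cutoff date is read as DD/MM (4 November 2019), which is an assumption to confirm with the case owner before relying on it.

```python
"""Evidence intake: verify collected files against a hashes.txt-style manifest
and filter Bro logs to the case window. Constructed example, not case data."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Cutoff from Note2: "04/11/2019 18:10:00 UTC". The author writes from Spain, so
# DD/MM/YYYY (4 November 2019) is ASSUMED. Under MM/DD it would be 11 April 2019;
# confirm the convention with the case owner before discarding anything.
CUTOFF_UTC = datetime(2019, 11, 4, 18, 10, 0, tzinfo=timezone.utc)
CUTOFF_EPOCH = CUTOFF_UTC.timestamp()   # 1572891000.0


def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so multi-gigabyte disk images and RAM dumps fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def parse_manifest(text):
    """Parse '<hexdigest>  <filename>' lines (sha256sum output; the real hashes.txt
    layout is not shown on the page, so this format is assumed)."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        name = name.lstrip("*")      # sha256sum marks binary-mode files with '*'
        if len(digest) != 64 or not name:
            raise ValueError("malformed manifest line: %r" % line)
        entries[name] = digest.lower()
    return entries


def verify_evidence(manifest_text, directory):
    """Return {filename: 'OK' | 'MISMATCH' | 'MISSING'} for every manifest entry.
    A MISMATCH means the copy you hold is not the one the CISO hashed: stop and
    re-acquire rather than analyse it."""
    results = {}
    for name, expected in parse_manifest(manifest_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        elif sha256_file(path) != expected:
            results[name] = "MISMATCH"
        else:
            results[name] = "OK"
    return results


def bro_records_after_cutoff(lines, cutoff_epoch=CUTOFF_EPOCH):
    """Keep Bro/Zeek TSV records whose first column (ts, epoch seconds, UTC) is at
    or after the cutoff. '#' header/footer lines pass through so the output is
    still a valid log; unparsable records are dropped rather than guessed."""
    kept = []
    for line in lines:
        if line.startswith("#"):
            kept.append(line)
            continue
        try:
            ts = float(line.split("\t")[0])
        except ValueError:
            continue
        if ts >= cutoff_epoch:
            kept.append(line)
    return kept


# Constructed conn.log excerpt: one record before the cutoff, one at it, one after.
SAMPLE_CONN_LOG = [
    "#fields\tts\tuid\tid.orig_h\tid.resp_h\tid.resp_p\tproto",
    "1572890999.500000\tCAbc1\t10.0.0.5\t10.0.0.20\t445\ttcp",
    "1572891000.000000\tCAbc2\t10.0.0.5\t10.0.0.20\t445\ttcp",
    "1572900000.250000\tCAbc3\t10.0.0.5\t93.184.216.34\t443\ttcp",
]


def demo():
    """Run both checks on constructed files (contents and hashes made up here)."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "MINAF_bro.tar.gz")
        with open(good, "wb") as f:
            f.write(b"constructed sample bytes")
        altered = os.path.join(d, "MINAF_chitonsrv.mem")
        with open(altered, "wb") as f:
            f.write(b"constructed sample bytes, altered after hashing")
        manifest = "\n".join([
            "%s  MINAF_bro.tar.gz" % sha256_file(good),
            "%s  *MINAF_chitonsrv.mem" % hashlib.sha256(b"original bytes").hexdigest(),
            "%s  MINAF_webserver.mem" % ("0" * 64),   # listed but never delivered
        ])
        integrity = verify_evidence(manifest, d)
    return integrity, bro_records_after_cutoff(SAMPLE_CONN_LOG)


if __name__ == "__main__":
    integrity, kept = demo()
    for name, status in integrity.items():
        print("%-24s %s" % (name, status))
    print("\n".join(kept))
```

Run the integrity check first and do not start on a file that comes back MISMATCH or MISSING; once the copies are confirmed, the same cutoff converted to epoch seconds applies to every Bro log (conn, dns, http, files), while the Windows artefacts in the triage zips and memory dumps carry their own UTC timestamps and are filtered with the tools you parse them with.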

Your mission

... should you choose to accept it, is to answer all the challenges and find the truth about this incident. Is Salvador Bendito guilty or innocent? His career may well be in your hands, so you'd better get ready to rock & DFIR!

Made by

This challenge was made by Antonio Sanz (@antoniosanzalc), with support from DIEC (Telecommunications Engineering Department) at the University of Zaragoza. Extra-large thanks go to José Luis Salazar (crypto man) and Alvaro Alesanco (network and medical device security guy), professors at DIEC/Unizar, for their support. Play, learn, share & have fun!