2023 7th Blue Hat Cup Preliminary Round wp

Password for evidence collection material container: Hpp^V@FQ6bdWYKMjX=gUPG#hHxw!j@M9

Case Introduction

In May 2021, the public security organs detected an investment and financial management fraud case. The victim Chen Haomin reported to the public security organs that he had met a netizen with the nickname yang88 on WeChat, had been induced by him to use an app called Vestas for investment and financial management, and had been defrauded of more than 60,000 yuan. After receiving the report, the public security organs analysed the case and located the backend server of the app involved. Further investigation revealed that Yang was suspected of a major crime. After many investigations, the public security organs arrested Yang at his residence and seized a mobile phone and a computer from him. According to Yang's account, the website server is a rented cloud server. The above inspection materials have been imaged and verified respectively. Assuming that you are responsible for inspecting the electronic data in this case, please complete the evidence collection questions based on the circumstances of the case.

1. [APK evidence collection] What is the package name of the apk involved? [Answer format: com.baid.ccs]

Lightning strikes in seconds
com.vestas.app

2. [APK forensics] What is the signature serial number of the apk involved? [Answer format:0x93829bd]

Open it in jadx-gui

0x563b45ca

3. [APK forensics] What is the value of DCLOUD_AD_ID in the apk involved? [Answer format:2354642]
In jadx-gui, open AndroidManifest.xml and just search for it
2147483647

4. [APK forensics] What is the server domain name of the APK involved? [Answer format: http://sles.vips.com]
Open the app and you can see it

https://vip.licai.com

5. [APK forensics] What is the main entrance of the apk involved? [Answer format: com.bai.cc.initactivity]

io.dcloud.PandoraEntry

6. [Mobile phone forensics] What emulator is used for this image? [Answer format: Tiantian simulator]

Lightning simulator

You can also see it in the log

7. [Mobile phone forensics] What is the name of the chat software used in this image? [Answer format: WeChat]

Fire Eye analysis

8. [Mobile phone forensics] What is the package name of the chat software? [Answer format: com.baidu.ces]

Application list

9. [Mobile phone forensics] Among investment and financial products, how much is the minimum investment required for the victim’s last investment product? [Answer format: 10,000]

50000

10. [Mobile Phone Evidence Collection] Who introduced the victim to Brother Wang? [Answer format: Dong Hui]

Hua brother

11. [Computer Forensics] Please provide the SHA-1 value of the computer image pc.e01? [Answer format: lowercase letters]

23F861B2E9C5CE9135AFC520CBD849677522F54C

12. [Computer Forensics] Who was the inspector when pc.e01 was extracted? [Answer format: admin]

Forensic Master analysis

pgs

13. [Computer Forensics] Please give the homepage address of the IE browser on the suspect’s computer? [Answer format: http://www.baidu.com]

http://global.bing.com/?scope=web&mkt=en-US&FORM=QBRE

14. [Computer Forensics] Please give the account and password used by the suspect Yang to log in to the front desk of the financial management website? [Answer format: root/admin]

View the record directly

15. [Computer Forensics] Please provide the current version number of the default program for opening PDF files on the suspect’s computer? [Answer format: xxxx(xx)]

16. [Computer Forensics] Please provide the SHA-1 of the file named “C Disk Cleanup.bat” in the suspect’s computer? [Answer format: lowercase letters]

Searching for "C Disk" finds nothing; search for .bat instead

1c7f65c0d218632be9684f88e72fa0e8463ad796

17. [Computer Forensics] Please provide the decryption password of the suspect's VeraCrypt encryption container? [Answer format: admin!@#]

3w.qax.com!!@@

18. [Computer Forensics] Please give the external port number of the iSCSI server on the suspect's computer? [Answer format: 8080]

StarWind software was found on the suspect's computer

3261

19. [Computer Forensics] Please provide the account and password for CHAP authentication of the iSCSI server on the suspect’s computer? [Answer format: root/admin]

Only the account number can be seen here, try to find the password in the configuration file.

So I looked for it.

20. [Computer Forensics] Analyze the withdrawal record table in the suspect’s computer. What is the total withdrawal amount of user “mi51888”? [Answer format: 10000]

1019

A disk.img was found on the suspect’s D drive.

Tried burning but it doesn’t seem to work. Try exporting using Forensic Master.

record found

21. [Memory Forensics] Please give the Beijing time when the computer memory was created? [Answer format: 2000-01-11 00:00:00]

2023-06-21 01:02:27 +0800

22. [Memory Forensics] Please provide the power-on password of user yang88 in the computer? [Answer format: abc.123]

I have done this with Fire Eye before

23. [Memory Forensics] Extract the USB device information in the memory image and give the last connection time of the USB device in Beijing time? [Answer format: 2000-01-11 00:00:00]

24. [Memory Forensics] Please give the LMHASH value of user yang88? [Answer format: lowercase letters]

aad3b435b51404eeaad3b435b51404ee

(This is the well-known LM hash of an empty password, which is what Windows stores when LM hashing is disabled.)

25. [Memory Forensics] Please give the Beijing time when user yang88 accessed the file “Withdrawal Record.xlsx”? [Answer format: 2000-01-11 00:00:00]

2023-06-21 00:29:16

26. [Memory Forensics] Please give the Beijing time when “VeraCrypt” was last executed? [Answer format: 2000-01-11 00:00:00]
Method 1: Fire Eye

Method 2: Meiya gadgets

Method 3: I tried to use timeliner, but it does not seem very accurate.

27. [Memory Forensics] To analyze the memory image, please indicate how many times the user visited the “Vestas” backend in “2023-06-20 16:56:57 UTC + 0”? [Answer format:10]

2023-06-20 16:56:57 UTC+0 is 2023-06-21 00:56:57 in our Beijing time (UTC+8)

I’ve read many answers from masters and I don’t know which is the correct answer/(ㄒoㄒ)/~~

28. [Memory Forensics] Please give the process PID of the last time the user accessed the chrome browser? [Answer format: 1234]

the last time!

2456

pslist can also be used

29. [Server forensics] Analyze the server involved in the case. Please give the kernel version of the server involved? [Answer format: xx.xxx-xxx.xx.xx]

3.10.0-957.el7.x86_64

30. [Server Forensics] To analyze the server involved, please provide the root account password of the MySQL database? [Answer format: Admin123]

I saw the pagoda panel in Huoyan. After logging in, I found that I couldn’t see the password! But at least I know the account number

Another good way is to view the configuration file .env

APP_NAME=LaravelGlobalBonus
APP_ENV=local
APP_KEY=base64:+90gHlNsoj6J0G9OepRfOkW/9IJHiK+bGS1Lt+wzn+M=
#APP_DEBUG=false
APP_DEBUG=true
APP_URL=http://localhost

LOG_CHANNEL=stack

DB_CONNECTION=mysql
DB_HOST=pc-uf6mmj68r91f78hkj.rwlb.rds.aliyuncs.com
DB_PORT=3306
DB_DATABASE=viplicai
DB_USERNAME=root
DB_PASSWORD=ff1d923939ca2dcf

BROADCAST_DRIVER=log
CACHE_DRIVER=file
QUEUE_CONNECTION=sync
SESSION_DRIVER=file
SESSION_LIFETIME=120

REDIS_HOST=127.0.0.1
REDIS_PASSWORD=null
REDIS_PORT=6379

MAIL_DRIVER=smtp
MAIL_HOST=smtp.mailtrap.io
MAIL_PORT=2525
MAIL_USERNAME=null
MAIL_PASSWORD=null
MAIL_ENCRYPTION=null

AWS_ACCESS_KEY_ID=
AWS_SECRET_ACCESS_KEY=

PUSHER_APP_ID=
PUSHER_APP_KEY=
PUSHER_APP_SECRET=
PUSHER_APP_CLUSTER=mt1

MIX_PUSHER_APP_KEY="${PUSHER_APP_KEY}"
MIX_PUSHER_APP_CLUSTER="${PUSHER_APP_CLUSTER}"

Edition=LC.V5

RoutePrefix=AdminV9YY
Template=hui
#Start recommendation code
StartCode=513566
#Random recommendation code
RanDomCode=369
#Dividend rebate time setting
BonusHours=H
BonusMinutes=30

31. [Server forensics] Analyze the server involved in the case. Please give the RDS database address of the website involved? [Answer format: xx-xx.xx.xx.xx.xx]

DB_HOST=pc-uf6mmj68r91f78hkj.rwlb.rds.aliyuncs.com

Method 1: the configuration file contains it

Method 2: Pagoda panel
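For questions 30 and 31 the answer is read straight out of the Laravel .env file, so here is an added example (my own code, not part of the original writeup) that parses a .env of that shape, handling comment lines, empty values, the literal null, and the "${VAR}" references used by the MIX_PUSHER_* keys, and pulls out the database fields an examiner records. The sample text is constructed and uses placeholder values, not the case evidence.

```python
import re

# Constructed sample modelled on the Laravel .env shown in the writeup
# (placeholder values, not the case data).
SAMPLE_ENV = """APP_NAME=LaravelGlobalBonus
#APP_DEBUG=false
APP_DEBUG=true
DB_CONNECTION=mysql
DB_HOST=pc-example.rwlb.rds.aliyuncs.com
DB_PORT=3306
DB_USERNAME=root
DB_PASSWORD=PLACEHOLDER_PASSWORD
REDIS_PASSWORD=null
AWS_ACCESS_KEY_ID=
PUSHER_APP_KEY=
PUSHER_APP_CLUSTER=mt1
MIX_PUSHER_APP_KEY="${PUSHER_APP_KEY}"
MIX_PUSHER_APP_CLUSTER="${PUSHER_APP_CLUSTER}"
"""

_REF = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")


def parse_env(text):
    """Return a dict of key -> value from Laravel-style .env text.

    Comment and blank lines are skipped, surrounding quotes are stripped,
    ${VAR} references resolve against keys defined earlier in the file
    (empty string if undefined), and a bare null becomes None, mirroring
    how Laravel's env() helper treats that literal."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        value = _REF.sub(lambda m: env.get(m.group(1)) or "", value)
        env[key] = None if value == "null" else value
    return env


def db_settings(env):
    """The MySQL connection fields asked for in questions 30 and 31."""
    keys = ("DB_CONNECTION", "DB_HOST", "DB_PORT", "DB_USERNAME", "DB_PASSWORD")
    return {k: env.get(k) for k in keys}


def is_aliyun_rds_host(host):
    """True when DB_HOST is an Alibaba Cloud RDS endpoint rather than a local DB."""
    return bool(host) and host.endswith(".rds.aliyuncs.com")
```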

32. [Server forensics] Please give the database version number of the website involved? [Answer format: 5.6.00]

Change the password first

Log in to view version

select @@version;

33. [Server Evidence Collection] Please give the cumulative number of people promoted by the suspect? [Answer format: 100]

The inspection materials include an .xb file, so the database must be restored first.

#Download the qpress package, unzip it and give it permissions
wget "http://docs-aliyun.cn-hangzhou.oss.aliyun-inc.com/assets/attach/183466/cn_zh/1608011575185/qpress-11-linux-x64.tar"

tar xvf qpress-11-linux-x64.tar

chmod 775 qpress

cp qpress /usr/bin

wget https://www.percona.com/downloads/XtraBackup/Percona-XtraBackup-2.4.9/binary/redhat/7/x86_64/percona-xtrabackup-24-2.4.9-1.el7.x86_64.rpm

yum install -y percona-xtrabackup-24-2.4.9-1.el7.x86_64.rpm

Use xftp to transfer xb files

Use xbstream to process qp.xb files

cat hins261244292_data_20230807143325_qp.xb | xbstream -x -v -C /www/server/data

Enter /www/server/data to decompress

cd /www/server/data
innobackupex --decompress --remove-original /www/server/data
innobackupex --defaults-file=/etc/my.cnf --apply-log /www/server/data


chown -R mysql:mysql /www/server/data

Modify the MySQL configuration file

vim /etc/my.cnf
#Add under the [mysqld] block
lower_case_table_names=1

And add skip-grant-tables to skip login verification

Enter the database after restarting the mysql server

Give the website an IP domain name

Login error reported

Change configuration file

Got in

We need to try to log in to the backend and modify the source code first.

Huoyan can find the backend login address

Find the login source code location

/www/wwwroot/v9.licai.com/app/Http/Controllers/Admin

Modify login logic

Try to log in

success!

You can start doing the questions now

69

34. [Server forensics] Please provide the super administrator enabled in the background of the website involved? [Answer format: abc]

You can see that there is also a root user. We directly switch to the root user to log in.

root

35. [Server forensics] What is the daily income of the investment project "Wind Power Generation Infrastructure Project in Liupanshui City, Guizhou"? [Answer format: 1.00%]

4.00%

36. [Server forensics] The earliest IP address that accessed the backend of the website involved in the case is [answer format: 8.8.8.8]

183.160.76.194

37. [Server forensics] Analyze how many members there are in the website database or backend VIP2 involved [answer format: 100]

20

38. [Server forensics] Analyze the user table of the website database involved in the case: the number of potential victims whose account balance is greater than zero and whose bank card was opened at a Shanghai branch is [answer format: 8]

navicat connection

Find the member table, which holds the users

New query

2

39. [Server forensics] Analyze the database or backend of the website involved in the case: how much money did the suspect's downlines successfully withdraw in total? [Answer format:10000.00]

128457.00

40. [Server forensics] Analyze the database or backend of the website involved in the case: how many downlines does the victim's upline have on the platform? [Answer format:123]

From the previous question, the upline ID is 513935, and you can query it.

41. [Server Forensics] Analyze the database or backend of the website involved: how many agents have more than 2 downlines? [Answer format: 10]

SQL query, a total of 60 rows were found

SELECT COUNT(*) AS inviter_count, `inviter` FROM `member` GROUP BY `inviter` HAVING COUNT(*) > 2;

60

42. [Server forensics] Analyze the database or backend of the website involved: the real name of the agent with the most downlines is [Answer format: Zhang San]

In fact, he is obviously the suspect.

But let’s check the database

-- Rank uplines by how many members name them as inviter; the top row is the agent with the most downlines
SELECT COUNT(*) AS inviter_count, `inviter` FROM `member` GROUP BY `inviter` ORDER BY inviter_count DESC;

-- Resolve the winning inviter code to a real name
SELECT realname FROM `member` WHERE invicode = 617624;


43. [Server forensics] Analyze the database or backend flow details of the website involved in the case, and how much total profit this website made [answer format: 10,000.00]

You can write a crawler to crawl web pages

But I’m lazy/(ㄒoㄒ)/~~

There is a table moneylog in the database

Export the table and view it in excel

Add up the positive entries, then add up the negative entries

14,978,796.38
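The three database questions above (41, 42 and 43) are the same kind of aggregation over the member and moneylog tables, so here is an added example (my own code, not the writeup's or the platform's) that runs them against a constructed in-memory copy of those tables with sqlite3. It follows the writeup's schema hints (a downline's inviter equals its upline's invicode; realname on member) and assumes an amount column on moneylog, which is not given on the page.

```python
import sqlite3

# Constructed sample shaped like the writeup's member table (inviter holds
# the upline's invicode) plus an assumed moneylog table with a signed amount
# column. Only inviter, invicode and realname come from the writeup; the
# other column names are assumptions.
MEMBERS = [
    # (id, realname, invicode, inviter)
    (1, "Agent A", 617624, None),
    (2, "Agent B", 700001, 617624),
    (3, "User C", 700002, 617624),
    (4, "User D", 700003, 617624),
    (5, "User E", 700004, 700001),
    (6, "User F", 700005, 700001),
    (7, "User G", 700006, 700001),
    (8, "User H", 700007, 617624),
]
MONEYLOG = [(2, 1000.00), (3, 500.50), (4, -200.00), (5, 2500.00), (6, -1299.50)]


def load_sample():
    """Build the in-memory database from the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE member (id INTEGER, realname TEXT, invicode INTEGER, inviter INTEGER)")
    conn.execute("CREATE TABLE moneylog (member_id INTEGER, amount REAL)")
    conn.executemany("INSERT INTO member VALUES (?,?,?,?)", MEMBERS)
    conn.executemany("INSERT INTO moneylog VALUES (?,?)", MONEYLOG)
    return conn


def agents_with_downlines_over(conn, n=2):
    """Q41: number of uplines that more than n members name as inviter."""
    return conn.execute(
        "SELECT COUNT(*) FROM (SELECT inviter FROM member WHERE inviter IS NOT NULL "
        "GROUP BY inviter HAVING COUNT(*) > ?)", (n,)).fetchone()[0]


def top_agent(conn):
    """Q42: (realname, downline count) of the upline with the most downlines."""
    return conn.execute(
        "SELECT m.realname, COUNT(d.id) AS c FROM member m "
        "JOIN member d ON d.inviter = m.invicode "
        "GROUP BY m.invicode ORDER BY c DESC LIMIT 1").fetchone()


def profit_breakdown(conn):
    """Q43: (sum of positives, sum of negatives, net) over the flow table."""
    pos, neg = conn.execute(
        "SELECT COALESCE(SUM(CASE WHEN amount > 0 THEN amount END), 0), "
        "COALESCE(SUM(CASE WHEN amount < 0 THEN amount END), 0) FROM moneylog").fetchone()
    return round(pos, 2), round(neg, 2), round(pos + neg, 2)
```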

Done!