Scenario

We have been hot on the trail of a political dissident. They jump from café to café using the Wi-Fi, making it hard to nab them. During one of their trips they unknowingly sat next to one of our agents, and we captured them with their laptop on. We need to know where they have been and what they have been doing. Analyze the KAPE output and see if you can get us some answers.

Artifacts Provided

  • WhyFind.zip - SHA256:edf5cdd32c2c7884922fde7ee3ad8d8ac34a94f5fa6c1eebfb405cdb6c6bf008

Initial Analysis

We have a KAPE output here, which means Windows event logs and registry hives to analyze, plus the $MFT. Most of these we will load into Timeline Explorer. For the Windows logs we first combine them all into one CSV with EvtxECmd.exe:

.\EvtxECmd.exe -d "D:\Users\p4n4\Downloads\whyfind\KAPEOUT\C\Windows\System32\winevt\logs" --csv "D:\Users\p4n4\Downloads\whyfind" --csvf evtx.csv

Questions

1. What is the Computer name of the machine?

Answer: INVISIBLECHAINS

We find that by opening the SYSTEM hive (KAPEOUT\C\Windows\System32\config) in Registry Explorer at SYSTEM:ControlSet001\Control\ComputerName\ComputerName.

2. What is the first Wi-Fi SSID (decoded) they connected to on May 30th 2025?

Answer: ArboretumCoffee

The profile XML files under C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\{GUID}\*.xml list the saved networks and their SSIDs, but they carry no connection dates. For the timing we open evtx.csv in Timeline Explorer and filter on the source log Microsoft-Windows-WLAN-AutoConfig%4Operational.evtx for that date. Event ID 8000 marks the start of a connection attempt and 8001 a successful connection; the 8001 event data names the SSID (and the BSSID). "Decoded" matters because the SSID also shows up in hex form elsewhere: in the <hex> element of the profile XML and, with the two hex digits of each byte swapped, as the DhcpNetworkHint subkey name in the registry.

3. When did the system obtain a lease for the network?

Answer: 2025-05-30 18:22:48

This one was a bit tricky. In short, the steps were:

  • From the WLAN log (Microsoft-Windows-WLAN-AutoConfig%4Operational.evtx) → we get the GUID of the interface on which the connection happened.
  • With that we go to the SYSTEM hive at SYSTEM:ControlSet001\Services\Tcpip\Parameters\Interfaces → there we find the key named after our GUID.
  • That key had three sub-keys, meaning several networks had been joined on that interface. Looking at the first one we get LeaseObtainedTime as a Unix epoch value. Converting it to a human-readable UTC date gives the answer in the accepted format.

4. What IP address did the device receive when connecting to the café?

Answer: 172.16.100.16

Check the registry as in the previous question: the DhcpIPAddress value under the same interface sub-key.

5. What was the BSSID (MAC address) of the access point they connected to at the café?

Answer: E4-D1-24-96-A5-D1

This one is interesting. At the same location in the registry, SYSTEM:ControlSet001\Services\Tcpip\Parameters\Interfaces\{18c11dbd-93ab-4ca9-a804-4f4475da25b8}, we open the same sub-key as before (142726F627564757D634F666665656), which corresponds to the café network's connection profile.

There the data looks like this (some fields have been trimmed to save space):

[
    {
        "Data": "172.16.100.16",
        "ValueName": "DhcpIPAddress",
        ...
    },
    {
        "Data": "86400",
        "ValueName": "Lease",
        ...
    },
    {
        "Data": "1748629368",
        "ValueName": "LeaseObtainedTime",
        ...
    },
    {
        "Data": "142726F627564757D634F666665656",
        "ValueName": "DhcpNetworkHint",
        ...
    },
    {
        "Data": "8.8.8.8",
        "ValueName": "DhcpNameServer",
        ...
    },
    {
        "Data": "AC-10-64-FE-06-00-00-00-E4-D1-24-96-A5-D1",
        "ValueName": "DhcpGatewayHardware",
        ...
    },
    {
        "Data": "1",
        "ValueName": "DhcpGatewayHardwareCount",
        ...
    }
]
 

From this data one would expect DhcpGatewayHardware to be the BSSID, as the gateway usually is the access point on a small network. But the value is longer than a MAC address. The REG_BINARY layout is: the gateway's IPv4 address (AC-10-64-FE = 172.16.100.254), a little-endian DWORD with the hardware-address length (06-00-00-00 = 6), and then the address itself, so the MAC is the last 6 bytes. DhcpGatewayHardwareCount says how many such records the value holds; here it is 1, so there is exactly one. Strictly this is the default gateway's MAC, which equals the AP's BSSID only when the router is the AP; the BSSID is also written directly into the WLAN-AutoConfig 8001 event, which is the place to cross-check.
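The three answers above (Q3, Q4, Q5) all come out of the same interface sub-key, so here is an added example that decodes such a Registry Explorer export in one pass. This is not code from the writeup; it takes the values shown above as constructed input, nibble-swaps DhcpNetworkHint back into the SSID, converts LeaseObtainedTime to UTC, and splits DhcpGatewayHardware into gateway IP, length and MAC, checking the record count against DhcpGatewayHardwareCount.

```python
import json
from datetime import datetime, timezone

# Constructed excerpt of the Registry Explorer export shown above (only the values used here).
SAMPLE_EXPORT = json.loads("""[
  {"ValueName": "DhcpIPAddress", "Data": "172.16.100.16"},
  {"ValueName": "Lease", "Data": "86400"},
  {"ValueName": "LeaseObtainedTime", "Data": "1748629368"},
  {"ValueName": "DhcpNetworkHint", "Data": "142726F627564757D634F666665656"},
  {"ValueName": "DhcpNameServer", "Data": "8.8.8.8"},
  {"ValueName": "DhcpGatewayHardware", "Data": "AC-10-64-FE-06-00-00-00-E4-D1-24-96-A5-D1"},
  {"ValueName": "DhcpGatewayHardwareCount", "Data": "1"}
]""")


def decode_network_hint(hint: str) -> str:
    """DhcpNetworkHint is the SSID in hex with the two digits of every byte swapped
    ("14" stands for 0x41 = 'A'). Swap them back and decode as UTF-8."""
    if len(hint) % 2:
        raise ValueError("network hint must have an even number of hex digits")
    swapped = "".join(hint[i + 1] + hint[i] for i in range(0, len(hint), 2))
    return bytes.fromhex(swapped).decode("utf-8", errors="replace")


def epoch_to_utc(value: int) -> str:
    return datetime.fromtimestamp(value, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def parse_gateway_hardware(data: str) -> list:
    """Each record: 4 bytes gateway IPv4, 4-byte little-endian address length, then the address."""
    raw = bytes.fromhex(data.replace("-", ""))
    records, pos = [], 0
    while pos + 8 <= len(raw):
        ip = ".".join(str(b) for b in raw[pos:pos + 4])
        hw_len = int.from_bytes(raw[pos + 4:pos + 8], "little")
        hw = raw[pos + 8:pos + 8 + hw_len]
        if len(hw) != hw_len:
            raise ValueError("truncated hardware address in DhcpGatewayHardware")
        records.append({"gateway_ip": ip, "mac": "-".join(f"{b:02X}" for b in hw)})
        pos += 8 + hw_len
    return records


def summarize_interface(export: list) -> dict:
    values = {v["ValueName"]: v["Data"] for v in export}
    gateways = parse_gateway_hardware(values["DhcpGatewayHardware"])
    expected = int(values.get("DhcpGatewayHardwareCount", len(gateways)))
    if len(gateways) != expected:
        raise ValueError(f"expected {expected} gateway records, parsed {len(gateways)}")
    obtained = int(values["LeaseObtainedTime"])
    return {
        "ssid": decode_network_hint(values["DhcpNetworkHint"]),
        "ip": values["DhcpIPAddress"],
        "lease_obtained_utc": epoch_to_utc(obtained),
        "lease_expires_utc": epoch_to_utc(obtained + int(values["Lease"])),
        "gateway_ip": gateways[0]["gateway_ip"],
        "gateway_mac": gateways[0]["mac"],
    }


if __name__ == "__main__":
    for key, val in summarize_interface(SAMPLE_EXPORT).items():
        print(f"{key:20} {val}")
```

The sub-key name itself is the DhcpNetworkHint, so decode_network_hint also turns the three sub-key names under the interface into the three SSIDs without opening each one. The lease expiry is obtained time plus Lease (86400 s = 24 h), which helps when deciding whether a second LeaseObtainedTime is a renewal on the same network or a fresh join.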

6. It looks like they started some sort of manifesto at the café, what is the name of the file they started to write?

Answer: The Chains Not Seen.txt

To find files we need the $MFT (Master File Table). We will use Timeline Explorer again, but first we have to parse the $MFT with MFTECmd (the single quotes keep PowerShell from expanding $MFT as a variable):

C:\Users\saran\Tools\MFTECmd\MFTECmd.exe -f '.\Downloads\WhyFind\KAPEOUT\C\$MFT' --csv .\Downloads\WhyFind\ --csvf mfte_out.csv

7. What is the last sentence of the manifesto?

Answer: Freedom is a perspective away.

For this we need MFT Explorer; the CSV from the previous question cannot show file contents, of course. The NTFS $MFT does not just store metadata: for small files the $DATA attribute is resident, i.e. the content lives inside the 1 KB MFT record itself (in practice roughly 700 bytes or less, after the record header and the other attributes). That is why, when browsing the MFT entry for our subject file, MFT Explorer could show the text straight from the record. Once a file grows past that size the data becomes non-resident and the record only keeps the cluster run list, so this trick only works for small files like a freshly started text document.

8. They started their research by watching a YouTube video of a speech, what is the name of the speech?

Answer: The Ballot or the Bullet

For this we need the browser artifacts under C:\Users\<User>\AppData\Local\, where the exact path depends on the browser. For Edge it is C:\Users\Ernes\AppData\Local\Microsoft\Edge\User Data\Default\History, a SQLite database. Opening it in DB Browser for SQLite shows the YouTube video that was watched (the urls table, url and title columns).

9. They continued their research by looking up a book on Wikipedia, what was the title of the book?

Answer: The Iron Heel

We look at the same database as in the previous question.

10. What was the last thing they downloaded before leaving the café?

Answer: BraveBrowserSetup.exe

In DB Browser for SQLite, still on the History database, we open the downloads table and there we find the answer.

11.

Answer: Microsoft-Windows-NetworkProfile/Operational

Here we mean the event log that records network profile changes. Earlier we looked at the WLAN-AutoConfig log; all of these live under C:\Windows\System32\winevt\Logs.

12. Using the logs from the previous answer, when did they disconnect and leave the first café?

Answer: 2025-05-30 18:55:45

To get that, open the NetworkProfile log and look for Event ID 10001 (disconnect) carrying the first café's profile name. We can use our combined evtx.csv in Timeline Explorer (recommended) or open only that log file in the built-in Windows Event Viewer. Remember that the answer needs to be in UTC and Event Viewer converts timestamps to local time!

13. Using the same logs, when did the user arrive at the second café?

Answer: 2025-05-30 19:05:26

By the same logic as above, we look for Event ID 10000 (connect) for the second café.
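Filtering 10000/10001 pairs by hand works for two cafés; with more hops it is easier to turn the EvtxECmd CSV into a session list. The following is an added example, not from the writeup: it reads a constructed CSV whose column names follow a subset of EvtxECmd's output (the exact payload column layout is an assumption), pairs each connect with the next disconnect for the same profile, and reports dwell time and the travel gap between networks. The 18:55:45 and 19:05:26 values are the ones from the writeup; every other row and time is made up.

```python
import csv
import io
from datetime import datetime

# Constructed sample in the shape of an EvtxECmd CSV export (assumed subset of its columns).
# EvtxECmd writes TimeCreated in UTC. The 18:55:45 disconnect and 19:05:26 connect come from
# the writeup; the other rows and times are invented for the example.
SAMPLE_CSV = """TimeCreated,EventId,Channel,Provider,PayloadData1
2025-05-30 18:22:15.1234567,10000,Microsoft-Windows-NetworkProfile/Operational,Microsoft-Windows-NetworkProfile,Name: ArboretumCoffee
2025-05-30 18:30:02.0000000,4624,Security,Microsoft-Windows-Security-Auditing,Logon Type: 2
2025-05-30 18:55:45.9876543,10001,Microsoft-Windows-NetworkProfile/Operational,Microsoft-Windows-NetworkProfile,Name: ArboretumCoffee
2025-05-30 19:05:26.1111111,10000,Microsoft-Windows-NetworkProfile/Operational,Microsoft-Windows-NetworkProfile,Name: Happy Trails Guest
"""

NETPROFILE_CHANNEL = "Microsoft-Windows-NetworkProfile/Operational"
CONNECT, DISCONNECT = "10000", "10001"


def parse_ts(value: str) -> datetime:
    # Drop the 100 ns fraction; the answers only need second resolution.
    return datetime.strptime(value.split(".")[0], "%Y-%m-%d %H:%M:%S")


def profile_name(payload: str) -> str:
    # In this sample the profile name is carried as "Name: <profile>" (assumed layout).
    return payload[len("Name: "):] if payload.startswith("Name: ") else payload


def build_sessions(csv_text: str) -> list:
    """Pair each 10000 (connect) with the next 10001 (disconnect) for the same profile."""
    rows = [r for r in csv.DictReader(io.StringIO(csv_text))
            if r["Channel"] == NETPROFILE_CHANNEL and r["EventId"] in (CONNECT, DISCONNECT)]
    rows.sort(key=lambda r: parse_ts(r["TimeCreated"]))
    open_sessions, sessions = {}, []
    for r in rows:
        name, when = profile_name(r["PayloadData1"]), parse_ts(r["TimeCreated"])
        if r["EventId"] == CONNECT:
            if name in open_sessions:  # connect with no prior disconnect: close the old one as unknown
                sessions.append({"ssid": name, "connected": open_sessions.pop(name), "disconnected": None})
            open_sessions[name] = when
        else:
            sessions.append({"ssid": name, "connected": open_sessions.pop(name, None), "disconnected": when})
    for name, when in open_sessions.items():  # still connected when the machine was seized
        sessions.append({"ssid": name, "connected": when, "disconnected": None})
    sessions.sort(key=lambda s: s["connected"] or datetime.min)
    return sessions


def fmt(when):
    return when.strftime("%Y-%m-%d %H:%M:%S") if when else None


def duration_seconds(session):
    if session["connected"] and session["disconnected"]:
        return int((session["disconnected"] - session["connected"]).total_seconds())
    return None


def gap_seconds(earlier, later):
    """Time between leaving one network and joining the next (travel time between cafés)."""
    if earlier["disconnected"] and later["connected"]:
        return int((later["connected"] - earlier["disconnected"]).total_seconds())
    return None


if __name__ == "__main__":
    for s in build_sessions(SAMPLE_CSV):
        print(s["ssid"], fmt(s["connected"]), "->", fmt(s["disconnected"]), duration_seconds(s))
```

A session whose disconnect is None is the network the laptop was still on when it was seized, which is exactly the state described in the scenario; a connect without a preceding disconnect usually means the log rolled over or the machine lost power, so it is flagged rather than silently merged.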

14. What is the SSID(decoded) of the second Wi-Fi they connected to on May 30th 2025?

Answer: Happy Trails Guest

From the previous question we already know that.

15. What IP address did the device receive when connecting to the second café?

Answer: 192.168.10.100

First look at Microsoft-Windows-WLAN-AutoConfig%4Operational.evtx to confirm the interface GUID, then at the registry under SYSTEM:ControlSet001\Services\Tcpip\Parameters\Interfaces\{18c11dbd-93ab-4ca9-a804-4f4475da25b8} to get the IP from the sub-key (profile) of the second network. Same logic as Q4.

16. When did the system obtain a lease for the second network?

Answer: 2025-05-30 19:06:02

Same location as above, under the specific interface in the registry; LeaseObtainedTime again has to be converted from Unix epoch to UTC. Similar to Q3.

17. What was the BSSID (MAC address) of the access point they connected to at the second café?

Answer: 4C-BA-7D-E1-8C-30

Same location as above in the registry. Remember that the value giving us this is DhcpGatewayHardware, and only the last 6 bytes of the hex are the MAC; the leading bytes are the gateway IP and the address length. Similar to Q5.

18. What was the first thing the user downloaded at the second café?

Answer: VirtualBox-7.1.8-168469-Win.exe

Looking at the Brave browser artifacts with DB Browser for SQLite, at the History DB in C:\Users\Ernes\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\History, the downloads table gives the answer. Note that the Edge History shows nothing for this period because the suspect switched to Brave after downloading it at the first café.

19. What online forum/social media site did they visit?

Answer: Reddit

Same as the previous question, but we search the urls table.

20. What was their username on the site?

Answer: FinanciallyFree3636

To find that we open another Brave database in DB Browser for SQLite, Login Data (in the same User Data\Default folder), and look at the logins table: origin_url tells us the site and username_value the account name. The password_value column is encrypted, so the username is all we read here.
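Edge and Brave share Chromium's schema, so the History and Login Data queries from Q8 through Q10 and Q18 through Q20 are the same queries. This added example (not from the writeup) builds a constructed, in-memory stand-in for those databases with a subset of the real columns, converts Chromium's WebKit timestamps (microseconds since 1601-01-01 UTC, not Unix epoch), and answers the "last download before leaving" and "first download after arriving" questions by bounding the download end_time with the connect/disconnect times found in the event log. The URLs, paths and times are sample data; the YouTube video id and the password blob are placeholders.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Chromium (Edge, Brave, Chrome) stores times as microseconds since 1601-01-01 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_utc(value: int) -> datetime:
    return WEBKIT_EPOCH + timedelta(microseconds=value)


def utc_to_webkit(dt: datetime) -> int:
    # Integer arithmetic on purpose: a float of microseconds loses precision at this magnitude.
    delta = dt - WEBKIT_EPOCH
    return (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds


def ts(text: str) -> int:
    """'YYYY-MM-DD HH:MM:SS' in UTC -> WebKit timestamp (used for both seeding and querying)."""
    return utc_to_webkit(datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc))


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for History + Login Data (column subset only;
    table and column names follow Chromium's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, last_visit_time INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);
        CREATE TABLE downloads (id INTEGER PRIMARY KEY, target_path TEXT, tab_url TEXT,
                                start_time INTEGER, end_time INTEGER);
        CREATE TABLE logins (origin_url TEXT, username_value TEXT, password_value BLOB);
    """)
    urls = [  # sample rows; the video id is a placeholder
        (1, "https://www.youtube.com/watch?v=PLACEHOLDER", "The Ballot or the Bullet - YouTube", "2025-05-30 18:30:00"),
        (2, "https://en.wikipedia.org/wiki/The_Iron_Heel", "The Iron Heel - Wikipedia", "2025-05-30 18:41:00"),
        (3, "https://www.reddit.com/", "Reddit", "2025-05-30 19:20:00"),
    ]
    for uid, url, title, when in urls:
        conn.execute("INSERT INTO urls VALUES (?,?,?,?)", (uid, url, title, ts(when)))
        conn.execute("INSERT INTO visits (url, visit_time) VALUES (?,?)", (uid, ts(when)))
    downloads = [  # (target_path, tab_url, start, end), sample times
        (r"C:\Users\Ernes\Downloads\BraveBrowserSetup.exe", "https://brave.com/download/",
         "2025-05-30 18:50:00", "2025-05-30 18:50:41"),
        (r"C:\Users\Ernes\Downloads\VirtualBox-7.1.8-168469-Win.exe", "https://www.virtualbox.org/wiki/Downloads",
         "2025-05-30 19:12:05", "2025-05-30 19:14:30"),
    ]
    for path, tab, start, end in downloads:
        conn.execute("INSERT INTO downloads (target_path, tab_url, start_time, end_time) VALUES (?,?,?,?)",
                     (path, tab, ts(start), ts(end)))
    conn.execute("INSERT INTO logins VALUES (?,?,?)",
                 ("https://www.reddit.com/login/", "FinanciallyFree3636", b"\x01\x00\x00\x00placeholder-encrypted-blob"))
    return conn


def visits_in_order(conn) -> list:
    rows = conn.execute("""SELECT v.visit_time, u.url, u.title FROM visits v
                           JOIN urls u ON u.id = v.url ORDER BY v.visit_time""").fetchall()
    return [(webkit_to_utc(t).strftime("%Y-%m-%d %H:%M:%S"), url, title) for t, url, title in rows]


def downloads_between(conn, start: str, end: str) -> list:
    """Downloads whose end_time falls in [start, end] (UTC), oldest first: (filename, finished)."""
    rows = conn.execute("""SELECT target_path, end_time FROM downloads
                           WHERE end_time BETWEEN ? AND ? ORDER BY end_time""",
                        (ts(start), ts(end))).fetchall()
    return [(path.rsplit("\\", 1)[-1], webkit_to_utc(t).strftime("%Y-%m-%d %H:%M:%S")) for path, t in rows]


def sites_visited(conn) -> list:
    hosts = {urlparse(url).hostname for (url,) in conn.execute("SELECT url FROM urls")}
    return sorted(h for h in hosts if h)


def usernames_for_host(conn, host: str) -> list:
    rows = conn.execute("SELECT origin_url, username_value FROM logins").fetchall()
    return [user for origin, user in rows if urlparse(origin).hostname == host]


if __name__ == "__main__":
    db = build_sample_db()
    print(downloads_between(db, "2025-05-30 18:22:48", "2025-05-30 18:55:45")[-1])
    print(downloads_between(db, "2025-05-30 19:05:26", "2025-05-30 23:59:59")[0])
    print(usernames_for_host(db, "www.reddit.com"))
```

Against the real files, point sqlite3.connect at a copy of the History or Login Data file (never the original, and never while the browser holds it open) and drop build_sample_db. The BETWEEN bounds are the registry lease time and the NetworkProfile disconnect time from the earlier questions, which is what makes "last download before leaving the café" a query rather than a scroll through the table.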

21. What was the name of the VM they created?

Answer: LastHope

Searching the $MFT, either in MFT Explorer or in the CSV loaded into Timeline Explorer, gives the answer: search for a .vbox file, or browse the user's folder in MFT Explorer (VirtualBox names the machine folder and the .vbox file after the VM).

22. What street was the first café on?

Answer: W Prospect Rd

Finding the street requires some OSINT on the SSID. Alternatively, the BSSID we already have can be turned into a location with a BSSID-to-geolocation search, for example the advanced search at https://wigle.net.

23. Investigators may want to follow up on the Wi-Fi credentials used at the first café the suspect visited. Which file stores the authentication details (including the encrypted password) for the first network?

Answer: {BAC95378-DC6B-4464-918E-4E005F747786}.xml

The Wi-Fi authentication details, including the encrypted pre-shared key, are stored in the WLAN profile XML under C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\<Interface-GUID>\<Profile-GUID>.xml. In general Windows stores every saved wireless profile as one such XML file, and the file name is the profile's own GUID, not the interface GUID. The key sits in the keyMaterial element with protected set to true, which means it is DPAPI-encrypted under the machine (SYSTEM) context rather than the user's; the hive alone does not yield the plaintext.

24. What authentication method was used to connect to the first café’s Wi-Fi?

Answer: WPA2PSK

Inside the above file, the authEncryption element holds everything needed for this answer (authentication and encryption, plus useOneX telling whether 802.1X was involved).
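As an added example for Q23 and Q24 (not code from the writeup), the following parses a constructed WLAN profile in the layout Windows writes to that folder and pulls out the SSID, authentication method, encryption and whether the key is DPAPI-protected. It also nibble-swaps the profile's SSID hex to produce the DhcpNetworkHint, which is the name of the matching sub-key under Tcpip\Parameters\Interfaces\{GUID}, tying the profile to the registry data used earlier. The keyMaterial value here is a placeholder, not a real DPAPI blob.

```python
import xml.etree.ElementTree as ET

WLAN_NS = {"p": "http://www.microsoft.com/networking/WLAN/profile/v1"}

# Constructed profile in the layout Windows writes under
# C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\{GUID}\{GUID}.xml (placeholder keyMaterial).
SAMPLE_PROFILE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>ArboretumCoffee</name>
  <SSIDConfig>
    <SSID><hex>4172626F726574756D436F66666565</hex><name>ArboretumCoffee</name></SSID>
  </SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2PSK</authentication><encryption>AES</encryption><useOneX>false</useOneX>
    </authEncryption>
    <sharedKey>
      <keyType>passPhrase</keyType><protected>true</protected>
      <keyMaterial>PLACEHOLDER0000</keyMaterial>
    </sharedKey>
  </security></MSM>
</WLANProfile>"""


def _text(root, path):
    node = root.find(path, WLAN_NS)
    return node.text.strip() if node is not None and node.text else None


def registry_hint(ssid_hex: str) -> str:
    """Swap the two hex digits of every byte: SSID hex -> DhcpNetworkHint / Tcpip sub-key name."""
    return "".join(ssid_hex[i + 1] + ssid_hex[i] for i in range(0, len(ssid_hex), 2)).upper()


def parse_profile(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}WLANProfile" % WLAN_NS["p"]:
        raise ValueError("not a Windows WLAN profile document")
    ssid_hex = _text(root, "p:SSIDConfig/p:SSID/p:hex") or ""
    sec = "p:MSM/p:security/"
    # An open network has no sharedKey element at all, so every key field may be absent.
    return {
        "profile_name": _text(root, "p:name"),
        "ssid_hex": ssid_hex,
        "ssid": bytes.fromhex(ssid_hex).decode("utf-8", errors="replace") if ssid_hex
                else _text(root, "p:SSIDConfig/p:SSID/p:name"),
        "registry_hint": registry_hint(ssid_hex) if ssid_hex else None,
        "authentication": _text(root, sec + "p:authEncryption/p:authentication"),
        "encryption": _text(root, sec + "p:authEncryption/p:encryption"),
        "uses_8021x": _text(root, sec + "p:authEncryption/p:useOneX") == "true",
        "key_type": _text(root, sec + "p:sharedKey/p:keyType"),
        "key_protected": _text(root, sec + "p:sharedKey/p:protected") == "true",
        "has_key_material": _text(root, sec + "p:sharedKey/p:keyMaterial") is not None,
    }


if __name__ == "__main__":
    for key, val in parse_profile(SAMPLE_PROFILE).items():
        print(f"{key:16} {val}")
```

Run it over every *.xml under the Interfaces folder in the KAPE output to list all saved networks with their security settings at once. Recovering the plaintext passphrase from keyMaterial offline needs the machine's DPAPI master keys (under C:\Windows\System32\Microsoft\Protect\S-1-5-18) and the DPAPI_SYSTEM LSA secret from the SECURITY hive, which is beyond what these questions ask.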