Magnet Forensics recently concluded their Virtual CTF for the Magnet Summit 2022.
Participants were provided with the following three images to process prior to the start of the Capture-the-Flag (CTF) challenge, as well as a trial key for the newly launched AXIOM 6.
- Pixel image containing what appears to be a full file system extraction of a Pixel 3 running Android 9;
- HP Image containing a full disk image of a Windows 11 system; and
- Google Takeout image of the account used in the CTF, rafaelshell24@gmail.com.
The questions for the CTF are split into three sections, and the write-ups for each section are as follows:
Android
Processing
Questions
1. If you are looking for an image, it was probably deleted
How many emojis were used in the first snapchat received by the User (5 points)
Using the Pixel image, I sorted the decoded Snapchat messages by their Message ID and counted the number of emojis in the first message.
Answer: 9
2. ooo so popular!
What snapchat account sent the User the most messages? (5 points)
3. BurgLARProof
What Live Action Role Play armor was the user building? (5 points)
4. Your charIoT awaits
What was the MAC address of the first IoT device connected? Format: XX:XX:XX:XX:XX:XX (5 points)
5. ID Please
What was the ICCID for the SIM card used with this device? (5 points)
6. Never-ending
Podcasts can seem like they drag on forever, how long was Rafael's longest Podcast? HH:MM:SS (10 points)
7. Keep on Moving
When is Next Vegas Show? Format MM/DD (10 points)
The answer for this is found in the Takeout image's Google Keep note.
Answer: 02/17
8. Snap Your Fingers
What is the username of the last friend added to the user's Snapchat? (10 points)
From the Pixel image, sort by added timestamp if using ALEAPP, or by the ID in the Friends table if using AXIOM.
Answer: angie_frank07
9. Starting over
What day was the device factory reset? Format YYYY/MM/DD (10 points)
I solved this using ALEAPP's 'Factory Reset' artifact, which takes the last-modified timestamp of the data/misc/bootstat/factory_reset file.
Answer: 2022/01/14
10. Last 4
What were the last four digits of the Visa used to purchase the User's most-used video game? (10 points)
Sadly this question took me longer than a ten-point question should have. I solved it while looking at the user's emails for another question, when I saw the email receipt for the user's purchase of Minecraft from Mojang Studios containing the redacted Visa card number.
Answer: 1815
Note: In hindsight, it should have occurred to me that the video game mentioned in the question was Minecraft, based on the user's web history and the laptop image, which would have narrowed down the search much earlier.
11. Expired Milk
What was the earliest expiration date for the user's guest wifi account? (10 points)
While looking through the user's emails in the Takeout image, I chanced upon some receipts for guest accounts on the ChamplainGuest Wi-Fi. Sorting by the delivered date, we find the earliest expiration in the email from January 25, 2022.
Answer: 01-28-2022 17:01
12. Water Water Everywhere
What is the zip code of the location that the image of the water was taken? (10 points)
Since the question asked about the location of an image that was taken, I filtered for pictures with geolocation data and found an image matching the description in the DCIM folder.
Searching the GPS location of the image (N44°28'38.21" W73°13'16.78") in Google Maps gives us the address 'Boardwalk, Burlington, VT 05401, USA'.
Answer: 05401
13. Hash it out
What hashing algorithm was used for Bumble's email confirmation email? (25 points)
This was the second-to-last question that I solved, as I wasn't sure what the question was asking for initially. To complicate matters further, the question had a two-attempt lockout, and I accidentally used up one attempt by submitting the answer for a different question in my haste. 😣
Thankfully I chanced upon Metaspike's post on Leveraging DKIM in Email Forensics, which explains how the DomainKeys Identified Mail (DKIM) standard is used to hash and sign email messages for authentication. The key fields we're looking for are the 'a' and 'bh' tags, which indicate the signing algorithm and the Base64-encoded hash of the canonicalised message body, respectively.
Searching the Takeout image for Bumble's confirmation email we see the following DKIM signature (note that the same email from the Pixel image does not contain email headers):
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=bumble.com; s=m23uiy45; t=1643426166; bh=V3+2oOZB6HbkzkEiTrdR0NeR62otQLWBIfR2P9UzXU8=; h=Date:To:Reply-to:From:List-Unsubscribe:Subject; b=WurAJYPzlsFL631+GC/fMVQ50Vj/W/voKOuiqlFt+4b71ElwkMacpcbqw/Q5KUTpA fNx+dGHh5KnQ+a68HZmxQpjnfwnLiseCkByIWDdvdWa/QzEEqFXtH20uXJ0ddWkfLN B19hRtFcq92sRrBb6F5SDLyArVQqGLHXvcHs7Reo=
The algorithm is 'rsa-sha256', which uses SHA-256 for the hash (the 'c=relaxed/simple' tag says the headers were canonicalised with the relaxed algorithm and the body with the simple one). The 'bh' value is consistent with this: its 44 Base64 characters decode to a 32-byte digest, which is the SHA-256 output length, and you can confirm this in CyberChef.
Answer: sha256
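As an added example (not from the original write-up, Magnet or Metaspike), the following Python parses the DKIM-Signature tags quoted above, checks that the decoded 'bh' digest length matches the hash named in the 'a' tag, and recomputes a body hash under RFC 6376 body canonicalisation. The sample body is constructed for illustration; the real Bumble email body is not reproduced on this page, so its actual 'bh' cannot be recomputed here.

```python
"""Added example: parse a DKIM-Signature header, sanity-check the 'bh' tag
against the 'a' tag, and recompute a body hash (RFC 6376 body canonicalisation).
Not the write-up's own code; the sample body below is constructed."""
import base64
import hashlib
import re

# DKIM-Signature header as quoted in the write-up (line folding left as-is,
# so the 'b' value still contains spaces that the parser must strip).
DKIM_HEADER = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=bumble.com; "
    "s=m23uiy45; t=1643426166; bh=V3+2oOZB6HbkzkEiTrdR0NeR62otQLWBIfR2P9UzXU8=; "
    "h=Date:To:Reply-to:From:List-Unsubscribe:Subject; "
    "b=WurAJYPzlsFL631+GC/fMVQ50Vj/W/voKOuiqlFt+4b71ElwkMacpcbqw/Q5KUTpA "
    "fNx+dGHh5KnQ+a68HZmxQpjnfwnLiseCkByIWDdvdWa/QzEEqFXtH20uXJ0ddWkfLN "
    "B19hRtFcq92sRrBb6F5SDLyArVQqGLHXvcHs7Reo="
)

# Constructed sample body (NOT the Bumble email). Trailing empty lines are
# deliberate: canonicalisation must ignore them.
SAMPLE_BODY = b"Hello Rafael,\r\n\r\nPlease confirm your email.\r\n\r\n\r\n"


def parse_dkim_tags(header: str) -> dict:
    """Split a DKIM-Signature header into its tag=value pairs (RFC 6376 3.2).
    Folding whitespace may appear inside any value, so it is removed."""
    _, _, value = header.partition(":")  # drop the 'DKIM-Signature' field name
    tags = {}
    for part in value.split(";"):
        if not part.strip():
            continue
        name, _, val = part.partition("=")  # split on the first '=' only
        tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def hash_algorithm(tags: dict) -> str:
    """Hash part of the 'a' tag, e.g. 'sha256' from 'rsa-sha256'."""
    return tags["a"].split("-", 1)[1]


def body_hash_consistent(tags: dict) -> bool:
    """True if the decoded 'bh' digest has the length the 'a' hash produces."""
    digest = base64.b64decode(tags["bh"], validate=True)
    return len(digest) == hashlib.new(hash_algorithm(tags)).digest_size


def canonicalize_body(body: bytes, method: str) -> bytes:
    """RFC 6376 3.4.3 ('simple') and 3.4.4 ('relaxed') body canonicalisation.
    The 'l' (body length) tag is not handled in this example."""
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")  # normalise to CRLF
    if method == "relaxed":
        # Collapse runs of WSP to one space and drop trailing WSP on each line.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" \t") for ln in body.split(b"\r\n")]
        body = b"\r\n".join(lines)
    body = body.rstrip(b"\r\n")  # ignore all empty lines at the end of the body
    if not body:
        return b"\r\n" if method == "simple" else b""  # empty body per each method
    return body + b"\r\n"


def body_hash(body: bytes, tags: dict) -> str:
    """Base64 body hash a verifier would recompute for comparison with 'bh'.
    The body method is the part of 'c' after '/', defaulting to 'simple'."""
    body_method = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    canon = canonicalize_body(body, body_method)
    return base64.b64encode(hashlib.new(hash_algorithm(tags), canon).digest()).decode()


if __name__ == "__main__":
    tags = parse_dkim_tags(DKIM_HEADER)
    print("signing algorithm:", tags["a"], "-> hash:", hash_algorithm(tags))
    print("bh length matches algorithm:", body_hash_consistent(tags))
    print("bh for constructed sample body:", body_hash(SAMPLE_BODY, tags))
```

In a real case you would feed the raw body bytes from the .mbox or .eml export into body_hash and compare the result with the 'bh' tag; a match tells you the body has not been altered since signing, while verifying the 'b' signature additionally requires fetching the selector's public key from DNS (m23uiy45._domainkey.bumble.com), which this offline example does not do.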
14. So Tasking
What is the status of the Go grocery shopping list? (25 points)
This was a fairly easy 25 points from the AXIOM-processed results of the Takeout image, under the 'Cloud Google Tasks' category. Alternatively, parse it manually from 'Takeout\Tasks\Tasks.json' in the Takeout zip file.
Answer: needsAction
15: Surviving a Snake Bite
What is the name of the YouTube channel that hosts the video that was watched at 10:30 PM EST on Feb 1st? (25 points)
Initially I tried searching for YouTube web history in the Pixel image but there was no entry for Feb 1st at the indicated time. Manually looking through the unzipped Takeout files, I noticed there was a folder for 'YouTube and YouTube Music' and found the entry on Feb 1st at 10:30 PM EST in the watch-history.html file:
Answer: PythonMC
16: All Trail Blazer
How many miles were left until Stowe Pinnacle? Format: X.X (50 points)
Once again, another question that had me stumped as I dug into databases and configuration files for the AllTrails application in the Pixel image. I had almost given up hope, thinking that I misunderstood the 'All Trail' hint, until I reviewed the processed pictures with the keyword filter 'alltrails' and found the answer. I guess the question maker did not want the 50 points to come easy, as the Optical Character Recognition (OCR) plugin for AXIOM failed to pick up 'Stowe Pinnacle' in the image.
Answer: 3.6
17: A Recent Trick
What is the name of Step 5: Step 4 -? (50 points)
This question sent me on a wild goose chase watching videos of magic tricks to find out what steps 4 and 5 were. 😂 Noting that the search results for the keyword 'trick' in the Takeout image included an additional Google Search artifact for 'larp shield', I followed the link in the search results to Instructables and found the answer.
Answer: Ca-chunk!
Note: While scrolling through the images in the Pixel image for other questions, I chanced upon an image that looked like a screenshot of the Instructables page. Looking at the artifact source, I realized this was a snapshot of recent apps in the Android task switcher (similar to iOS SplashBoard snapshots), and a much faster solution would have been to reference the 'Recent Activity' category (data/system_ce/0/recent_tasks) in ALEAPP.
18: Bee Sweater
What famous cartoon from the mid 1900s did the user watch a snippet of? (50 points)
Since the user watched a snippet of a cartoon, my first instinct was to search for YouTube history but hit a dead end on that front. Theorizing that the answer should be in video form and that it might have been cached on the system, I reviewed AXIOM results for videos from the Pixel image and finally found a likely match in the Bumble app cache, which ties in with the 'bee' (bumblebee) in the question name.
Answer: Peanuts
19: Seeing Through the Trees
What was the last street that Google told the user to turn on to on the way to Sugarbush Mountain? (50 points)
Since this question relates to Google directions, I started with the Pixel image and searched for 'Sugarbush' in map view. Unfortunately my brain wasn't working too well under the stress of the CTF, and I mistook the pin in the results for the destination and tried various visible street names as potential answers. Thankfully there was no lockout for this question.
Reviewing activity from the Takeout image, I found a search for directions to 'Sugarbush Resort', located the resort in Google Maps, and tried the street names near the resort until I chanced upon the answer.
Answer: Forest Dr
Note: Perhaps a less trial-and-error method to solve this would be ALEAPP's Google Maps Voice Guidance report, where the last audio clip in data/data/com.google.android.apps.maps/app_tts-cache instructed the user to turn right onto Forest Drive.
Another method would be to use the link from the Takeout image's 'My Activity' direction search: https://www.google.com/maps/dir//Sugarbush+Resort,+102+Forest+Dr,+Warren,+VT+05674/@44.3020592,-72.9792802,10z/data=!3m1!4b1!4m8!4m7!1m0!1m2!1m1!1s0x4cb56d7b952c28bb:0x78dc5cf31c15ff36!2m1!7e2!3e0 with '44.3020592,-72.9792802' as the starting location and view the directions provided.