Posts

Showing posts from October, 2020

MAGNET WEEKLY CTF #3

This question also refers to an Android image.

"exit, pass by, Cargo"

Some sort of route or map may be involved. Maybe something visual?

A search of the media folder on the device turned up some .mp4 videos and .jpegs. The videos yielded no clues, but one of the still images revealed part of a highway exit sign. There wasn't enough of the sign in the still image to read. However, this .jpg has a filename prefix of MVIMG, indicating that it is a Motion Photo. I recalled Jessica Hyde's presentation with Christopher Vance on 10/7/20 where she showed that additional visual information could be extracted from the Motion Photo format, which contains extra frames in the form of an embedded .mp4 movie file.

https://www.magnetforensics.com/resources/mobile-artifact-comparison-webinar-recording-oct-7/

Jessica said that she manually extracted the extra frames, but didn't give any details about the method that she used.

Stack overflow had
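The excerpt above stops before the extraction method. As an added example, not the author's method and not Magnet's tooling, here is a small Python script that separates the still JPEG from the MP4 appended to a Google Motion Photo (MVIMG_*.jpg). It assumes the v1 layout in which the MP4 is appended after the JPEG's EOI marker and the XMP packet carries a GCamera:MicroVideoOffset attribute giving the video's length counted back from the end of the file; if that attribute is missing or wrong it falls back to scanning for the first ISO BMFF 'ftyp' box after the EOI marker. The sample file it builds is constructed for the demonstration, not taken from the CTF image.

```python
import re
import struct
import sys
from typing import List, Optional, Tuple

# Google Motion Photo (v1, MVIMG_ files) XMP attribute: number of bytes,
# counted back from the end of the file, at which the embedded MP4 begins.
# (Assumption about the format; the fallback scan below does not rely on it.)
MICRO_VIDEO_OFFSET = re.compile(rb'GCamera:MicroVideoOffset="(\d+)"')
JPEG_EOI = b"\xff\xd9"


def find_video_offset(data: bytes) -> Optional[int]:
    """Return the byte offset of the embedded MP4, or None if there is none."""
    m = MICRO_VIDEO_OFFSET.search(data)
    if m:
        off = len(data) - int(m.group(1))
        # Trust the XMP value only if an ISO BMFF 'ftyp' box really starts there.
        if 0 < off < len(data) - 8 and data[off + 4:off + 8] == b"ftyp":
            return off
    # Fallback: scan for the first 'ftyp' box after a JPEG EOI marker. An EXIF
    # thumbnail carries its own EOI, so the scan may start inside APP1; that is
    # harmless because the video always follows the whole JPEG.
    eoi = data.find(JPEG_EOI)
    if eoi == -1:
        return None
    idx = data.find(b"ftyp", eoi + 2)
    return idx - 4 if idx >= 4 else None


def list_boxes(mp4: bytes) -> List[Tuple[str, int]]:
    """Walk the top-level ISO BMFF boxes as (type, size) pairs, as a sanity check."""
    boxes, pos = [], 0
    while pos + 8 <= len(mp4):
        size = struct.unpack(">I", mp4[pos:pos + 4])[0]
        kind = mp4[pos + 4:pos + 8].decode("ascii", "replace")
        if size == 1:  # 64-bit largesize follows the type field
            size = struct.unpack(">Q", mp4[pos + 8:pos + 16])[0]
        elif size == 0:  # box extends to the end of the file
            size = len(mp4) - pos
        if size < 8:
            break
        boxes.append((kind, size))
        pos += size
    return boxes


def split_motion_photo(data: bytes) -> Tuple[bytes, Optional[bytes]]:
    """Return (still JPEG, embedded MP4 or None)."""
    off = find_video_offset(data)
    if off is None:
        return data, None
    return data[:off], data[off:]


def build_sample(with_xmp: bool = True) -> bytes:
    """Constructed test input: a minimal JPEG followed by a minimal MP4."""
    video = struct.pack(">I", 24) + b"ftyp" + b"mp42" + b"\x00" * 4 + b"mp42isom"
    video += struct.pack(">I", 16) + b"mdat" + b"\x00" * 8
    segments = b""
    if with_xmp:
        xmp = (b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF><rdf:Description '
               b'xmlns:GCamera="http://ns.google.com/photos/1.0/camera/" '
               b'GCamera:MicroVideo="1" GCamera:MicroVideoVersion="1" '
               b'GCamera:MicroVideoOffset="%d"/></rdf:RDF></x:xmpmeta>' % len(video))
        payload = b"http://ns.adobe.com/xap/1.0/\x00" + xmp
        segments = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + segments + JPEG_EOI + video


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else build_sample()
    still, video = split_motion_photo(data)
    if video is None:
        sys.exit("no embedded video found")
    print("still: %d bytes, video: %d bytes, boxes: %s"
          % (len(still), len(video), list_boxes(video)))
    if path:
        open(path + ".mp4", "wb").write(video)
```

Run it as `python motion_photo.py MVIMG_xxx.jpg` to write `MVIMG_xxx.jpg.mp4` next to the original; the individual frames can then be dumped with `ffmpeg -i MVIMG_xxx.jpg.mp4 frame_%03d.png`. The XMP offset is only trusted when a 'ftyp' box actually sits at that position, so a file whose metadata was edited after the video was appended still splits correctly via the scan.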

Magnet Weekly CTF #2

Once again, the question referred to an Android image.

A Google search revealed a list of Android apps that include picture-in-picture capability, one of which is Google Chrome.

Most recently used apps can be found using an Autopsy module, in the Extracted Content section. The most recently visited domain appears to be malliesae.com (using Chrome).

SUCCESS!

MAGNET WEEKLY CTF #1

This challenge involves analysis of an Android phone image.

I started with a Google search of the file in question, and found this info on stack overflow.

I loaded the image into Autopsy and located the file, but the access time was 00:00:00 (in fact, all of the times were). There was some interesting information in the text of the file. Maybe the timeline would yield some clues.

Could the "hosts" file have been most recently accessed the last time the site was accessed? NO.

Maybe it was most recently accessed the first time the site was accessed? Some sticky initialization assignment, perhaps? NO, again. Two guesses down.

OK, enough Autopsy. Maybe I'll just check the file info using Finder (macOS). What? No SECONDS? Time to change the default (https://discussions.apple.com/thread/7474924). Drag SECONDS to the Short field. Open file info again, and SECONDS appear.

Add +5 hours for UTC.

SUCCESS