Once again, the question referred to an Android image.
A Google search revealed a list of Android apps
that include picture-in-picture capability:
...one of which is Google Chrome.
Most recently used apps can be found
using an Autopsy module...
...in the Extracted Content section:
The most recently visited domain appears to be
malliesae.com (using Chrome).
SUCCESS!