Once again, the question referred to an Android image.
A Google search revealed a list of Android apps that include picture-in-picture capability, one of which is Google Chrome.

Most recently used apps can be found using an Autopsy module, in the Extracted Content section.

The most recently visited domain appears to be malliesae.com (using Chrome).
SUCCESS!