MAGNET WEEKLY CTF #3

-

 

MAGNET WEEKLY CTF #3

This question also refers to an Android image.
 

"exit, pass by, Cargo"

Some sort of route or map may be involved.

Maybe something visual?

 

A search the media folder on the device

turned up some .mp4 videos and .jpegs:


The videos yielded no clues.

But one of the still images revealed part of a highway exit sign:

There wasn't enough of the sign in the still image to read.

However, this .jpg has a filename prefix of MVIMG,
indicating that it is a Motion Photo.

I recalled Jessica Hyde's presentation with Christopher Vance on 10/7/20 where she showed that additional visual information could be extracted from the Motion Photo format, which contains extra frames in the form of an embedded .mp4 movie file.

 

 
https://www.magnetforensics.com/resources/mobile-artifact-comparison-webinar-recording-oct-7/

 

Jessica said that she manually extracted the extra frames,
but didn't give any details about the method that she used.

 

Stack overflow had exactly what I needed.

https://stackoverflow.com/questions/53104989/how-to-extract-the-photo-video-component-of-a-mvimg

I used Phil Harvey's exiftool:

https://exiftool.org/

In addition to some python code:
(Thanks, Mitchle)


Even the best shot of the exit sign contained no visible clues.


I think I saw another picture on the drive
that was taken from a moving vehicle.

That shot contained an aircraft glide path antenna array,
so that could mean a nearby airport and CARGO!

 
I used the same extraction technique as above,
but this time I had better luck:
 

Cargo exit! And a highway number. F16?
Could it be E16? It's cut off in the photo.


I can't be sure from the photo, so I'll go back to exiftool
to get the geocoordinates of the image.

 


 The corresponding map of the area shows highway E16.

 

 


 

 

This demonstrates the importance of using more
than one method to validate examination results.


 


Comments

Post a Comment

Popular posts from this blog

-
Image
MAGNET WEEKLY CTF #9     This week begins our forensic analysis of information resident in the RAM of a Windows host when the memory was captured. The acquisition software created a .mem file that I  examined using Volatility as well as MemProcFS. MemProcFS allows the investigator to view the memory dump files in a virtual file system, allowing the files to be viewed using Windows Explorer. Part 1involves a conversation:       My first step was to look at the image with Volatility, so I needed to get the image info... ...then use pslist , to get an idea of which processes were running. Of the many options, two stood out to me as potentially containing text – slack and WINWORD:       I dumped the suspect processes to files...     ...ran strings | grep "password" on all of them, and discovered this:       Success!     On to Part 2:       At first, despite my suspicions at the solution was as simple as creating an MD5 hash of my 3180.dmp file, I tried it because, after all, th
Read more
-
Image
  MAGNET WEEKLY CTF #4 This is the final question that refers to the Android image.   Thanks to the elephant-sized hint, I'll be narrowing my search to:   and search for a GUID, which will be in this format:   (according to Kalid Azad )   Following the philosophy of @CiofecaForensic and team NoToolsJustRight, I'm still using only open-source tools.   (Primarily because I believe that the best way to get the most complete answer is to know what is going on under the hood, but also because I'm a student without LEO or corporate access to the commercial toys.)   Starting with the awesome (especially in dark mode) ALEAPP from @AlexisBrignoni, I discovered this phishy item under recent activity : That looks like the answer, but is Effective_UID the same as the GUID?   I'm assuming it's related somehow, but the format is wrong. 10239 is not the enormous 128-bit number I'm looking for.   There's probably some way to view the GUID in ALEAPP, but it will require fu
Read more
-
Image
  MAGNET WEEKLY CTF #5 This is the first question that refers to  a Linux image shared by Ali Hadi, Assistant Professor at Vermont's Champlain College .     The question refers to the original filename of a block ID. The relationship between filenames and block ID's in Linux was not readily apparent to me, even after a Google search which led me to a SANS presentation by Kevvie Fowler which involved using hdfs terminal commands (only viable after loading Hadoop tools on Linux) and perfoming a "checkpoint" to ensure accurate results...maybe there's an easier way. My next stop after loading the file HDFS-MASTER.E01 into Autopsy was to check   /home/hadoop/.bash_history   to see if a file had been copied and enter the original filename as the flag. mapred-site.xml.template was not the answer, however.   Fortunately, I had multiple tries at the answer this week. A keyword search in Autopsy for the block ID: Turned up this related file: Which was not the answer, eit
Read more