MAGNET WEEKLY CTF #1

-


 MAGNET WEEKLY CTF #1

 
 
This challenge involves analysis of an Android phone image.
 
 
I started with a Google search of the file in question:
 
 
 
 
and found this info on stack overflow:
 

 
 
I loaded the image into Autopsy and located the file,
 

but the access time (in fact, all of the times) were 00:00:00.

There was some interesting information in the text of the file:



Maybe the timeline would yield some clues:

 
 

Could the "hosts" file have been most recently accessed
the last time the site was accessed?



NO.
 

Maybe it was most recently accessed the first time
the site was accessed?
Some sticky initialization assignment, perhaps?
 


NO, again. Two guesses down.
 
OK, enough Autopsy.
Maybe I'll just check the file info using finder (MacOS).
 
 

What? No SECONDS?
 
Time to change the default.
(https://discussions.apple.com/thread/7474924)
 


Drag SECONDS to the Short field:
 
 
 
Open file info again, and SECONDS appear. 
 
 
Add +5 hours for UTC:
 

SUCCESS!

 
 
NOTE: it would have been much easier
to use exiftool from the beginning, though confusing
access and modification time would probably still
have cost me an incorrect entry.
 

https://exiftool.org/ 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 


Comments

Post a Comment

Popular posts from this blog

-
Image
MAGNET WEEKLY CTF #9     This week begins our forensic analysis of information resident in the RAM of a Windows host when the memory was captured. The acquisition software created a .mem file that I  examined using Volatility as well as MemProcFS. MemProcFS allows the investigator to view the memory dump files in a virtual file system, allowing the files to be viewed using Windows Explorer. Part 1involves a conversation:       My first step was to look at the image with Volatility, so I needed to get the image info... ...then use pslist , to get an idea of which processes were running. Of the many options, two stood out to me as potentially containing text – slack and WINWORD:       I dumped the suspect processes to files...     ...ran strings | grep "password" on all of them, and discovered this:       Success!     On to Part 2:       At first, despite my suspicions at the solution was as simple as creating an MD5 hash of my 3180.dmp file, I tried it because, after all, th
Read more
-
Image
  MAGNET WEEKLY CTF #4 This is the final question that refers to the Android image.   Thanks to the elephant-sized hint, I'll be narrowing my search to:   and search for a GUID, which will be in this format:   (according to Kalid Azad )   Following the philosophy of @CiofecaForensic and team NoToolsJustRight, I'm still using only open-source tools.   (Primarily because I believe that the best way to get the most complete answer is to know what is going on under the hood, but also because I'm a student without LEO or corporate access to the commercial toys.)   Starting with the awesome (especially in dark mode) ALEAPP from @AlexisBrignoni, I discovered this phishy item under recent activity : That looks like the answer, but is Effective_UID the same as the GUID?   I'm assuming it's related somehow, but the format is wrong. 10239 is not the enormous 128-bit number I'm looking for.   There's probably some way to view the GUID in ALEAPP, but it will require fu
Read more
-
Image
  MAGNET WEEKLY CTF #5 This is the first question that refers to  a Linux image shared by Ali Hadi, Assistant Professor at Vermont's Champlain College .     The question refers to the original filename of a block ID. The relationship between filenames and block ID's in Linux was not readily apparent to me, even after a Google search which led me to a SANS presentation by Kevvie Fowler which involved using hdfs terminal commands (only viable after loading Hadoop tools on Linux) and perfoming a "checkpoint" to ensure accurate results...maybe there's an easier way. My next stop after loading the file HDFS-MASTER.E01 into Autopsy was to check   /home/hadoop/.bash_history   to see if a file had been copied and enter the original filename as the flag. mapred-site.xml.template was not the answer, however.   Fortunately, I had multiple tries at the answer this week. A keyword search in Autopsy for the block ID: Turned up this related file: Which was not the answer, eit
Read more