MAGNET WEEKLY CTF #4
Thanks to the elephant-sized hint,
I'll be narrowing my search to:
(according to Kalid Azad)
Following the philosophy of @CiofecaForensic and
team NoToolsJustRight, I'm still using only open-source tools.
(Primarily because I believe that the best way to get
the most complete answer is to know what is going on
under the hood, but also because I'm a student
without LEO or corporate access to the commercial toys.)
Starting with the awesome (especially in dark mode) ALEAPP
from @AlexisBrignoni, I discovered this phishy item under recent activity:
That looks like the answer,
but is Effective_UID the same as the GUID?
I'm assuming it's related somehow, but the format is wrong.
10239 is not the enormous 128-bit number I'm looking for.
There's probably some way to view the GUID in ALEAPP,
but it will require further research.
Meanwhile, ALEAPP showed that the information came
from the com.evernote package.
Maybe it holds some clues, or a reference to the GUID.
To the (read-only) image files!
There's an interesting database in the com.evernote folder:
I'll drag it into
and see what pops up.
Many options for Tables appeared:
I brute-forced my way through the list
(mostly out of curiosity) looking for
any and all GUID information.
Well. This certainly looks suspicious:
But which GUID? The guid or the notebook_guid?
I'm leaning toward the guid at this point,
because we're probably trying to pin down
an actual user, not just the app.
Browsing more tables...
But wait...
?!?!?
A table named, coincidentally, guid_updates...
...that referenced the very popular, but newer
c80ab339-7bec-4b33-8537-4f5a5bd3dd25.
The O.G. version of that new_guid is
7605cc68-8ef3-4274-b6c2-4a9d26acabf1
I'll give it a shot...
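As an added example, not code from the write-up or from the Evernote app, here is the table-by-table hunt above automated in Python against a constructed stand-in for the Evernote SQLite database. The table name guid_updates and the column names guid, notebook_guid and new_guid come from the write-up; the tables notes, notebooks and sync_state, the column old_guid, and every row except the two GUIDs quoted above are assumptions made up for the example. The script finds every column whose name contains "guid", keeps only values that are real 128-bit UUIDs (so a Linux UID such as 10239 is rejected), and walks guid_updates backwards from a current GUID to the original one.

```python
import re
import sqlite3

# Constructed stand-in for the database found under the com.evernote package.
# "guid", "notebook_guid", "guid_updates" and "new_guid" are named in the
# write-up; "notes", "notebooks", "sync_state" and "old_guid" are assumed.
SAMPLE_SCHEMA = """
CREATE TABLE notes (guid TEXT, notebook_guid TEXT, title TEXT);
CREATE TABLE notebooks (guid TEXT, name TEXT);
CREATE TABLE guid_updates (old_guid TEXT, new_guid TEXT);
CREATE TABLE sync_state (effective_uid INTEGER, last_sync INTEGER);
"""

# Constructed rows. The two GUIDs from the write-up sit at the ends of a
# two-hop rename chain; the notebook GUID and the middle GUID are made up.
SAMPLE_ROWS = [
    ("INSERT INTO notes VALUES (?, ?, ?)",
     ("c80ab339-7bec-4b33-8537-4f5a5bd3dd25",
      "1f8d3b5a-2c7e-4a9d-9b1e-0d4c6f2a8e13", "Phishing draft")),
    ("INSERT INTO notebooks VALUES (?, ?)",
     ("1f8d3b5a-2c7e-4a9d-9b1e-0d4c6f2a8e13", "Work")),
    ("INSERT INTO guid_updates VALUES (?, ?)",
     ("7605cc68-8ef3-4274-b6c2-4a9d26acabf1",
      "3a0c1e9f-5d2b-4c8a-b7e6-9f1d2c3b4a55")),
    ("INSERT INTO guid_updates VALUES (?, ?)",
     ("3a0c1e9f-5d2b-4c8a-b7e6-9f1d2c3b4a55",
      "c80ab339-7bec-4b33-8537-4f5a5bd3dd25")),
    # An app UID: a small integer, not a 128-bit identifier.
    ("INSERT INTO sync_state VALUES (?, ?)", (10239, 1580000000)),
]

# Canonical 8-4-4-4-12 hex form of a 128-bit UUID.
GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def is_guid(value):
    """True only for a string holding a well-formed 128-bit UUID."""
    return isinstance(value, str) and bool(GUID_RE.match(value))


def build_sample_db():
    """Create the constructed database in memory."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA)
    for sql, params in SAMPLE_ROWS:
        conn.execute(sql, params)
    conn.commit()
    return conn


def guid_columns(conn):
    """Return (table, column) pairs whose column name contains 'guid'."""
    found = []
    tables = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")
    for (table,) in tables:
        for row in conn.execute(f'PRAGMA table_info("{table}")'):
            col = row[1]  # row = (cid, name, type, notnull, dflt, pk)
            if "guid" in col.lower():
                found.append((table, col))
    return found


def collect_guids(conn):
    """Read every guid-named column and return the set of well-formed GUIDs."""
    guids = set()
    for table, col in guid_columns(conn):
        for (value,) in conn.execute(f'SELECT "{col}" FROM "{table}"'):
            if is_guid(value):
                guids.add(value.lower())
    return guids


def original_guid(conn, guid):
    """Walk guid_updates backwards (new_guid -> old_guid) to the first GUID."""
    current = guid.lower()
    seen = {current}
    while True:
        row = conn.execute(
            "SELECT old_guid FROM guid_updates WHERE lower(new_guid) = ?",
            (current,)).fetchone()
        if row is None or row[0] is None:
            return current
        prev = row[0].lower()
        if prev in seen:  # guard against a looping or corrupt rename table
            return current
        seen.add(prev)
        current = prev


if __name__ == "__main__":
    db = build_sample_db()
    print("guid columns:", guid_columns(db))
    print("all guids:", sorted(collect_guids(db)))
    print("original of c80ab339...:",
          original_guid(db, "c80ab339-7bec-4b33-8537-4f5a5bd3dd25"))
```

Against a real image, replace build_sample_db() with sqlite3.connect() on a copy of the database pulled from the com.evernote folder (work on the copy, never the evidence file). Note that effective_uid is skipped by guid_columns() because its name does not contain "guid", and its value would fail is_guid() anyway.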
But I wasn't satisfied yet.
Why would someone take a screenshot of their crime?
I needed to dig deeper and get some more info on the image.
I took the filename of the snapshot that I found in ALEAPP...
...and entered it as a keyword search in Autopsy...
/data/system_ce/0/snapshots
What is this folder, and what is it used for?
Michael Altfield, while trying to recover a deleted file using DiskDigger,
was very surprised to discover screenshots on his phone that he did not take.
After some panicked research due to a suspected hack,
he determined that the snapshots were saved to the
Credential Encrypted (CE) folder by Android for use in the "recent apps" navigation.
False alarm.
BTW, if you're looking for a great intro to ALEAPP
(and iLEAPP), Alexis gave a fantastic talk HERE.