MAGNET WEEKLY CTF #4


This is the final question that refers to the Android image.
 
Thanks to the elephant-sized hint,
I'll be narrowing my search to:
 

and search for a GUID, which will be in this format:
 
(according to Kalid Azad)
 
Following the philosophy of @CiofecaForensic and
team NoToolsJustRight, I'm still using only open-source tools.
 
(Primarily because I believe that the best way to get
the most complete answer is to know what is going on
under the hood, but also because I'm a student
without LEO or corporate access to the commercial toys.)
 
Starting with the awesome (especially in dark mode) ALEAPP
from @AlexisBrignoni, I discovered this phishy item under recent activity:


That looks like the answer,
but is Effective_UID the same as the GUID?
 
I'm assuming it's related somehow, but the format is wrong.
10239 is not the enormous 128-bit number I'm looking for.
 
There's probably some way to view the GUID in ALEAPP,
but it will require further research.
 
Meanwhile, ALEAPP showed that the information came
from the com.evernote package.
 
Maybe it holds some clues, or a reference to the GUID.
 
To the (read-only) image files!

There's an interesting database in the com.evernote folder:
 
 
I'll drag it into

and see what pops up.
 
Many options for Tables appeared:
 
I brute-forced my way through the list
(mostly out of curiosity) looking for
any and all GUID information.
 
Well. This certainly looks suspicious:
 
 
But which GUID? The guid or the notebook_guid?
I'm leaning toward the guid at this point,
because we're probably trying to pin down
an actual user, not just the app.

Browsing more tables...
 

I'm beginning to see a pattern emerging:
 

I'm pretty convinced that this is the GUID I'm looking for.

But wait...
 
?!?!?


Could you repeat the question, please?
 
 
 
I saw another table that referenced guid updates
named, coincidentally, guid_updates...

 
...that referenced the very popular, but newer
c80ab339-7bec-4b33-8537-4f5a5bd3dd25.

The O.G. version of that new_guid is

7605cc68-8ef3-4274-b6c2-4a9d26acabf1
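The two steps above (sweeping every table for values in GUID format, then walking the guid_updates table back from a current new_guid to its original) can be scripted instead of brute-forced by hand. The following is an added example, not code from the post or from Evernote or ALEAPP. It builds a small in-memory SQLite stand-in for the Evernote database; the table name `guid_updates` and column `new_guid` come from the post, while the `notes` table and the `old_guid` column are assumptions about the schema. The GUID regex is the standard 8-4-4-4-12 hex layout, which is also why the Effective_UID value 10239 from ALEAPP does not qualify.

```python
import re
import sqlite3

# Standard text form of a GUID/UUID: 8-4-4-4-12 hex digits.
GUID_RE = re.compile(
    r"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$"
)


def is_guid(value):
    """True only for strings in canonical GUID format (so an integer UID like 10239 is rejected)."""
    return isinstance(value, str) and GUID_RE.match(value) is not None


def build_sample_db():
    """Constructed in-memory stand-in for the Evernote SQLite database.

    Assumed schema: a 'notes' table with guid/notebook_guid columns and a
    'guid_updates' table mapping old_guid -> new_guid. The two GUID values
    are the ones discussed in the post.
    """
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE notes (guid TEXT, notebook_guid TEXT, title TEXT)")
    cur.execute("CREATE TABLE guid_updates (old_guid TEXT, new_guid TEXT)")
    cur.execute(
        "INSERT INTO notes VALUES (?, ?, ?)",
        ("c80ab339-7bec-4b33-8537-4f5a5bd3dd25",
         "00000000-0000-0000-0000-000000000001",  # constructed notebook GUID
         "Untitled note"),
    )
    cur.execute(
        "INSERT INTO guid_updates VALUES (?, ?)",
        ("7605cc68-8ef3-4274-b6c2-4a9d26acabf1",   # original (old) GUID
         "c80ab339-7bec-4b33-8537-4f5a5bd3dd25"),  # newer GUID that replaced it
    )
    conn.commit()
    return conn


def find_guids(conn):
    """Walk every user table and every column; return {(table, column): {guids}}.

    This is the scripted version of 'browsing more tables': any column whose
    values look like GUIDs is reported, whatever the column is called.
    """
    hits = {}
    cur = conn.cursor()
    tables = [r[0] for r in cur.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'"
    )]
    for table in tables:
        columns = [r[1] for r in cur.execute(f'PRAGMA table_info("{table}")')]
        for col in columns:
            for (val,) in cur.execute(f'SELECT "{col}" FROM "{table}"'):
                if is_guid(val):
                    hits.setdefault((table, col), set()).add(val.lower())
    return hits


def resolve_original_guid(conn, guid, max_hops=32):
    """Follow guid_updates backwards (new_guid -> old_guid) until no older entry exists.

    A GUID may have been re-issued several times, so the lookup is repeated;
    max_hops guards against a cyclic or corrupted update table.
    """
    cur = conn.cursor()
    current = guid.lower()
    for _ in range(max_hops):
        row = cur.execute(
            "SELECT old_guid FROM guid_updates WHERE lower(new_guid) = ?", (current,)
        ).fetchone()
        if row is None:
            return current          # no older record: this is the O.G. GUID
        current = row[0].lower()
    raise RuntimeError("guid_updates chain too long or cyclic")


if __name__ == "__main__":
    db = build_sample_db()
    for (table, col), guids in sorted(find_guids(db).items()):
        print(f"{table}.{col}: {sorted(guids)}")
    print("original of c80ab339...:",
          resolve_original_guid(db, "c80ab339-7bec-4b33-8537-4f5a5bd3dd25"))
```

To run it against the real database, replace `build_sample_db()` with `sqlite3.connect("file:path/to/db?mode=ro", uri=True)` so the image copy is opened read-only; `find_guids` needs no knowledge of the schema, which is what makes it useful on an unfamiliar app database.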

I'll give it a shot...


 
Success!



But I wasn't satisfied yet.
 
Why would someone take a screenshot of their crime?
 
I needed to dig deeper and get some more info on the image. 
 
I took the filename of the snapshot that I found in ALEAPP...
 
 
...and entered it as a keyword search in Autopsy...


...and viewed it in its directory, which is:
/data/system_ce/0/snapshots
 

So, where did this mysterious directory come from,
and what is it used for?
 
Michael Altfield ran into the same directory while trying to recover
a deleted file using DiskDigger, and was very surprised to discover screenshots on his phone
that he did not take.
 
After some panicked research due to a suspected hack,
he determined that the snapshots were saved to the
Credential Encrypted (ce) folder by Android for use in the "recent apps" navigation.
 
False alarm.





BTW, if you're looking for a great intro to ALEAPP
(and iLEAPP), Alexis gave a fantastic talk HERE.