The first month of the #MagnetWeeklyCTF has come and gone! For the month of October, challenges were posed each week to engage forensic examiners on an Android mobile device image. It has been a blast to see how everyone approaches each question in their own way and being able to interact with players on social media and our Magnet Forensics Discord Server! Be sure to join our Discord here for more opportunities to ask questions and earn points! For details of how to join the Magnet Weekly CTF and how to earn additional bonus points, such as from writing up blogs or custom artifacts, read here!
As of November 6, with some already completing the first challenge of the new month, we have an impressive top 5!
JoDoSa will receive a prize pack for winning the first month of the competition, but remember the #MagnetWeeklyCTF is based on a cumulative score, so there’s still plenty of time to play and capture the number 1 spot! Trey has already begun working on the final grand prize challenge, which you will definitely want a shot at solving! Stay tuned!
Each week in October, a CTF participant was also randomly chosen for a prize. Congrats to the following players for each week who will get some MagSwag! We’ll be reaching out via the email you registered with to confirm your details for shipping!
Week 1: swanticket
Week 2: Hoktar
Week 3: Forensicator
Week 4: hmc6721
Amazing job goes to all of our players and challenge solvers! We hope you are enjoying the Weekly CTF and continue to test your skills through the rest of 2020 as we mix things up with various image types and forensic challenges! Even more surprises await! Now, let’s take a look back week by week to highlight each question and some key results from the month of October.
We started off strong with the first challenge written by Jad Saliba, Founder and CTO of Magnet Forensics. Jad’s question was as follows:
What time (in UTC) was the file that maps names to IPs recently accessed?
A: 03/05/2020 05:50:18
Kicking off the month, we had dozens of correct submissions! It has been awesome to see all the DFIR community engagement since week 1, with tons of great blog posts of your solves of each challenge as they come. All of the write ups have been a fantastic insight into multiple approaches to solve the same problem. An excellent example in Week 1 was able to detail how to solve the question using only command line!
The second week’s Android question was brought to you by Tarah Melton, Forensic Consultant, which read:
What domain was most recently viewed via an app that has picture-in-picture capability?
Our week 2 challenge yielded many different approaches to the problem. One approach was to use the Recent Tasks and Snapshot artifacts found in Android devices, as demonstrated in our solve here as well as in this webinar comparing artifacts between Android and Google Takeout data. The Snapshot artifact was utilized here as well, and we also found numerous other blogs writing up still different methodology, as shown here, which utilized Alexis Brignoni’s tool ALEAPP!
Week 3 brought a bit more of a challenge from Jessica Hyde, Director of Forensics, with users only having 3 attempts to gain 40 points! Many were still able to find the flag, and this week resulted in tons of learning for everyone playing!
Week 3 read:
Which exit did the device user pass by that could have been taken for Cargo?
The first hint was to review the webinar comparing iOS and Android artifacts, where a method to reveal the answer was highlighted. You also had the option this week to use a hint which read “MVIMG” but also would cost you 20 points! The answer to this challenge could be found by carving out an MP4 file from an Android moving image, which contained a frame displaying the exit E16 for the flag. There were many creative approaches to solving this question, and some even detailed various witty wordplays like S. Cargo (or escargot?) as seen here! Another creative approach to highlight was viewing the moving image on a Google Pixel device itself! Read about it here!
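The carve described above works because a motion photo is a normal JPEG with a complete MP4 appended after the JPEG's EOI marker, and an MP4 always opens with an `ftyp` box. The following is an added example, not code from the post or from any of the tools it mentions; the sample bytes are constructed to stand in for a real MVIMG file, and the box-walking check is there so an analyst can confirm the carved stream parses as ISO-BMFF before opening it in a player.

```python
import struct

# Constructed sample: a tiny JPEG-like prefix (SOI ... EOI) followed by a
# minimal MP4 made of an 'ftyp' box and an 'mdat' box. Real motion photos
# carry a full JPEG and a full MP4 in exactly this order.
JPEG_PART = b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF\x00" + b"\x00" * 20 + b"\xff\xd9"
FTYP_BOX = struct.pack(">I", 20) + b"ftyp" + b"isom" + struct.pack(">I", 0) + b"mp42"
MDAT_BOX = struct.pack(">I", 16) + b"mdat" + b"\x00" * 8
SAMPLE_MVIMG = JPEG_PART + FTYP_BOX + MDAT_BOX

def find_embedded_mp4(data: bytes) -> int:
    """Return the offset where the embedded MP4 starts, or -1 if none.

    An MP4 begins with a 'ftyp' box: a 4-byte big-endian size followed by the
    ASCII type 'ftyp'. So the MP4 starts 4 bytes before the first 'ftyp' that
    appears after the JPEG's EOI marker (FF D9), subject to a size sanity check
    so a stray 'ftyp' string inside JPEG metadata is not mistaken for a box.
    """
    eoi = data.find(b"\xff\xd9")
    if eoi == -1:
        return -1
    pos = data.find(b"ftyp", eoi)
    while pos != -1:
        start = pos - 4
        if start >= 0:
            size = struct.unpack(">I", data[start:pos])[0]
            if 8 <= size <= len(data) - start:   # plausible box size
                return start
        pos = data.find(b"ftyp", pos + 4)
    return -1

def carve_mp4(data: bytes) -> bytes:
    """Return the embedded MP4 bytes (empty if the file is not a motion photo)."""
    start = find_embedded_mp4(data)
    return b"" if start == -1 else data[start:]

def walk_boxes(mp4: bytes) -> list:
    """List (type, size) of the top-level boxes to sanity check a carve."""
    boxes, off = [], 0
    while off + 8 <= len(mp4):
        size = struct.unpack(">I", mp4[off:off + 4])[0]
        btype = mp4[off + 4:off + 8].decode("ascii", "replace")
        if size == 1:                       # 64-bit 'largesize' follows header
            size = struct.unpack(">Q", mp4[off + 8:off + 16])[0]
        if size == 0:                       # box runs to end of file
            size = len(mp4) - off
        if size < 8:
            break
        boxes.append((btype, size))
        off += size
    return boxes
```

To carve a real file, read it as bytes, pass it to `carve_mp4`, and write the result to a `.mp4` that any player can open; `walk_boxes` should then show `ftyp` first, followed by boxes such as `moov` and `mdat`.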
The final challenge for Android October was written by Trey Amick, Manager of Forensic Consultants, and offered a clever Android finale detailing the device owner’s interest in “phishing.” The question stated:
Chester likes to be organized with his busy schedule. Global Unique Identifiers change often, just like his schedule but sometimes Chester enjoys phishing. What was the original GUID for his phishing expedition?
The GUID could be found relating to the Evernote application, but take notice that the question was looking for the original GUID, not the current one. This trickery may have been a bit of a curve ball, but that didn’t slow everyone down much! One interesting blog written for this week’s challenge can be found here, where the correct answer was only arrived at after exhausting the 3-try limit. We were even able to read about this solve in Spanish as well!
Last but definitely not least, there were four new custom artifacts added to the Artifact Exchange in the Magnet Forensics Resource Center to be shared with the community. These custom artifacts, written by CTF players who were awarded a whopping 50 extra bonus points per artifact selection, can be downloaded along with all the other custom artifacts available to be used in your AXIOM case processing. Here are some details about these new artifacts!
- SOLID EXPLORER 2 DB (ANDROID) – Joshua James
Solid Explorer is an Android file management app inspired by the old school file commander applications (http://neatbytes.com/solidexplorer/). This artifact is the local database for Solid Explorer 2 that shows file access and associated times in Unix ms.
- MOTION VIDEOS (ANDROID) – Kevin Rode
Motion Videos were Android’s answer to Apple’s Live Photos. They are stored as a jpg file with an embedded mp4. This artifact will carve out the embedded mp4 so that it can be easily viewed.
- BASH HISTORY V2 (COMPUTER/MOBILE) – Kevin Pagano
An updated version of Jessica Hyde’s Bash History parser, which now includes Mobile. It parses the “.bash_history” file and lists out the executed commands.
- GOOGLE CALENDAR (ANDROID) – Joshua James
Android Google Calendar app SQLite database containing calendar settings including the user account and sync time.
With the month of October and the Android image in the rearview mirror, we hope that you enjoyed these challenges! November kicked off a new image focusing on Linux forensics, so be sure to join in on the fun and test your skills! Thank you to all of our players, bloggers, and custom artifact writers! We’ll check back in at the end of November with more challenges and winners from whatever the next month brings!
If you have any questions about the Magnet Weekly CTF, don’t hesitate to reach out to Trey Amick, Jessica Hyde, or Tarah Melton, or reach out on the Magnet Forensics Discord Server, and we will be happy to assist! Good luck everyone!