Write-up Magnet Weekly CTF

It is time for some fun and time to sharpen up my Mobile Forensics skills. Magnet Forensics has decided to organize a weekly CTF challenge, every Monday a new challenge will be published for the last quarter of 2020. This gives everyone a week to work on a challenge and then it will be closed and a new challenge will be published. I really like this setup, as it is a lot easier to combine with work life. More information about the CTF can be found on the Magnet website. I will use and update this article to write down my methodology to solving the challenge and hopefully the answer as well.   

CTF Setup 

A mobile Android Image is used for the first few weeks and can be downloaded here
The image consists of an Android data directory:

Directory structure of Android Image

I am going to use several tools for this CTF:
  • Magnet Axiom, thanks to Jessica (Twitter) and Trey (Twitter) for the trial.
  • Autopsy, can be downloaded here.
  • ALEAPP by Alexis Brignoni (Twitter), can be downloaded here.

Week 1

Question
What time was the file that maps names to IP's recently accessed?
(Please answer in this format in UTC: mm/dd/yyyy HH:MM:SS)

Methodology
After giving this question some thought, I thought the answer was something with DNS, because that is what a DNS system does, right? Mapping IP's to (host)names. I performed several keyword searches related to DNS; this resulted in lots of hits, but I did not find anything that seemed to be related to the question. After some more Googling and thinking I stumbled upon the hosts file, which is also a file that can be used to map names to IP addresses. This turned out to be a winner: when searching for the hosts file I got several hits in the Downloads section of the Android device as well as in the /etc directory. Both files had the same timestamp; the last step was converting the timestamp to the UTC time format.
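As an added example (my own code, not part of the original write-up), here is a small Python snippet that parses a hosts file, the "file that maps names to IP's", and formats a POSIX timestamp the way the question asks, in UTC. The hosts content is constructed. One caveat for the real image: read the access time from the forensic tool or the image's file-system metadata, not from a copy you exported, because copying the file gives it a new access time.

```python
# Added example, not code from the original write-up: hosts-file parsing plus
# timestamp conversion to the CTF's answer format (UTC, mm/dd/yyyy HH:MM:SS).
from datetime import datetime, timezone
import os

# Constructed sample, in the layout of a typical /etc/hosts file.
SAMPLE_HOSTS = """\
# Static table lookup for hostnames.
127.0.0.1       localhost
::1             ip6-localhost ip6-loopback   # trailing comment
10.0.0.5        fileserver fs.internal
"""


def parse_hosts(text):
    """Return [(ip, [name, ...]), ...] from hosts-file text.

    Blank lines and '#' comments (whole-line or trailing) are skipped. An
    address with no names after it maps nothing, so it is skipped as well.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        entries.append((fields[0], fields[1:]))
    return entries


def names_for_ip(text, ip):
    """All names that the hosts text maps to one address."""
    return [name for addr, names in parse_hosts(text) if addr == ip for name in names]


def format_utc(epoch_seconds):
    """Format a POSIX timestamp (seconds since 1970-01-01 UTC) as mm/dd/yyyy HH:MM:SS in UTC.

    File-system timestamps are stored as epoch values, so attaching tz=timezone.utc
    is the whole conversion; no local-timezone guesswork is involved.
    """
    return datetime.fromtimestamp(epoch_seconds, tz=timezone.utc).strftime("%m/%d/%Y %H:%M:%S")


def file_times_utc(path):
    """Accessed/modified times of a file on the analysis machine, in the answer format.

    Only meaningful when run against the original file system; an exported copy
    carries the export time, not the device's access time.
    """
    st = os.stat(path)
    return {"accessed": format_utc(st.st_atime), "modified": format_utc(st.st_mtime)}


if __name__ == "__main__":
    for ip, names in parse_hosts(SAMPLE_HOSTS):
        print(ip, "->", ", ".join(names))
    print(format_utc(1600000000))
```

Feed `format_utc` the raw epoch value your tool reports for the hosts file and the output is already in the requested format; the `%m/%d/%Y` order matters because the question asks for month first.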

Answer

Week 2

Question
What domain was most recently viewed via an app that has picture-in-picture capability?

Methodology
A very interesting question this week around the use of picture-in-picture (PIP) capabilities by Android applications. Because this was a new topic for me, I had to do some research on it. Some references that were useful for me: the official documentation by Android Developers, and a list of apps that support PIP capabilities as of April 2020, which can be found here.

Next step was finding out what domains were recently viewed. I used the 'Chrome Web History' and 'Chrome Web Visits' views in Axiom. 

Both artefact views showed that the malliesae.com domain was most recently viewed.

At this point I wasn't really sure that this was the correct answer it felt a bit too easy, so I took some extra steps to prove/disprove my current line of thinking.
In Android there are several locations that are really useful for finding out what recently happened on a device. The following locations are of interest for our investigation:


  • Recent Images, data\system_ce\0\recent_images: contains screenshots/snapshots of recently used applications; however, it is possible for apps to opt out of this in case sensitive data is being captured on the screen. Files are in .png format.
  • Recent Tasks, data\system_ce\0\recent_tasks: contains tasks that were recently executed on the device. Files are in .xml format and can be analyzed to get further information, such as the app that is associated with a task.
  • Snapshots, data\system_ce\0\snapshots: contains snapshots of apps that were recently moved to the background. Three files are present for each snapshot: the snapshot in .jpg, a reduced/compressed version, and a proto file which can be used to find out which application the snapshot belongs to.

Let's test the above artefacts. Looking at Recent Images, you will find that the captured images start with a certain (random) number; for instance, on this device we can see several images starting with 329, as shown below.


At that point you can use the information in Recent Tasks to find out which task relates to a certain image. The tasks are captured with a number as well, which is the same across the various artefacts.

So if we want to find out what task a certain image belongs to, we can open the associated XML file. Let's look at task 329; it contains the following information:

This shows that the images we found in Recent Images are associated with the Twitter application.

Lastly we will look at the Snapshots, which show an actual screenshot of the activity. Each snapshot consists of 3 files: the snapshot itself, a reduced version of it and a proto file.

The snapshot shows that this person was in a Twitter DM conversation with a person named Alan Brunswick.

That was a short lesson on the recent activity that you can find on an Android device, but how does this relate to the Weekly Challenge question, you might ask.

Well, if we follow the same process for the task with task_id 320, the associated task XML shows that this task relates to Chrome activity.

And the Snapshot for the task with task_id 320.

The Snapshot shows that Chrome was used to open the domain 'malliesea.com'. 
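The correlation done by hand above (image prefix, task XML, snapshot) can be scripted once the three directories are exported. The following is an added example of my own, not code from the write-up or from Magnet. It assumes the XML shape of a recent_tasks file as AOSP's TaskPersister writes it (a `<task>` root with `task_id` and `real_activity` attributes and an `<intent component="package/Activity">` child); the file names and contents below are constructed, not taken from the CTF image, and the snapshot `.proto` files are matched by name only, not parsed.

```python
# Added example, not part of the original write-up: tie Android recent_tasks
# XML files to the recent_images and snapshots files that share their task id.
# The XML attribute names are assumed from AOSP's TaskPersister output; the
# sample file names and contents are constructed for this demonstration.
import re
import xml.etree.ElementTree as ET

SAMPLE_TASKS = {
    "329_task.xml": (
        '<task task_id="329" real_activity="com.twitter.android/com.twitter.app.main.MainActivity" user_id="0">'
        '<intent action="android.intent.action.MAIN" component="com.twitter.android/com.twitter.app.main.MainActivity"/>'
        '</task>'),
    "320_task.xml": (
        '<task task_id="320" real_activity="com.android.chrome/com.google.android.apps.chrome.Main" user_id="0">'
        '<intent action="android.intent.action.MAIN" component="com.android.chrome/com.google.android.apps.chrome.Main"/>'
        '</task>'),
}
SAMPLE_IMAGES = ["329_task_thumbnail.png", "320_task_thumbnail.png", "310_task_thumbnail.png"]
SAMPLE_SNAPSHOTS = ["329.jpg", "329_reduced.jpg", "329.proto", "320.jpg", "320_reduced.jpg", "320.proto"]


def parse_task(xml_text):
    """Extract task id, package and activity from one recent_tasks XML document."""
    root = ET.fromstring(xml_text)
    if root.tag != "task" or root.get("task_id") is None:
        raise ValueError("not a recent_tasks document")
    activity = root.get("real_activity") or ""
    intent = root.find("intent")
    component = intent.get("component", "") if intent is not None else ""
    # Both attributes use the "package/ActivityClass" form; the package is the part before '/'.
    package = (activity or component).split("/", 1)[0]
    return {"task_id": int(root.get("task_id")), "package": package, "activity": activity or component}


def task_prefix(filename):
    """Leading number of an artefact file name (329_task_thumbnail.png -> 329), or None."""
    m = re.match(r"(\d+)", filename)
    return int(m.group(1)) if m else None


def correlate(task_files, image_names, snapshot_names):
    """Return ({task_id: {package, images, snapshots}}, [ids that have files but no task XML])."""
    tasks = {}
    for xml_text in task_files.values():
        task = parse_task(xml_text)
        tasks[task["task_id"]] = task
    report = {
        tid: {
            "package": task["package"],
            "images": sorted(f for f in image_names if task_prefix(f) == tid),
            "snapshots": sorted(f for f in snapshot_names if task_prefix(f) == tid),
        }
        for tid, task in tasks.items()
    }
    # Files whose id has no task XML are worth a second look: the task may have been
    # removed from the recents list while its image lingered on disk.
    seen = {task_prefix(f) for f in image_names + snapshot_names}
    orphans = sorted(p for p in seen if p is not None and p not in tasks)
    return report, orphans


if __name__ == "__main__":
    report, orphans = correlate(SAMPLE_TASKS, SAMPLE_IMAGES, SAMPLE_SNAPSHOTS)
    for tid, info in sorted(report.items()):
        print(tid, info["package"], info["images"], info["snapshots"])
    print("files without a task XML:", orphans)
```

On a real export, replace the three sample structures with the contents of the recent_tasks files and the listings of the recent_images and snapshots directories; the task id is the only join key, exactly as in the manual walk-through.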

Answer

Week 3

Question
Which exit did the device user pass by that could have been taken for Cargo?

Methodology
This CTF has been a lot of fun so far, and for Week 3 the Magnet Team came up with a very interesting question. The starting point for this week was the hint that came with the question, pointing to a recent talk by the Magnet Team; you can find it here. The talk discusses different types of evidence on Android and iOS devices.
It was an interesting talk, and one of the topics discussed was Google Maps artefacts and how you can basically plot on the map the route someone's device took in the past. This was in line with my thoughts on how to solve this challenge, so I started looking at the images and the associated EXIF data to find out where certain images were taken. I already knew that the device and its user had travelled to Norway, so that was my starting point, and I thought it had something to do with airports because there was a cargo exit. I made a short timeline of the different images and searched for the coordinates on Google Maps; I quickly found the airport.

Google Maps analysis Part I

I started plotting the coordinates and looking around in Google Maps. That didn't lead to immediate success. Then I rewatched some parts of the webinar and learned something new: on Android devices, pictures with the prefix MVIMG_ are actually Motion Pictures, which include a brief video embedded in the image file. The next step was digging into that and finding out how to extract the videos from the pictures. I used this script to extract all videos from the images.
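For readers who want to see how such an extraction works, here is an added example of my own (not the script linked above). It relies on one assumption about the format: the clip is a complete MP4 container appended after the JPEG data, so it begins with a 4-byte big-endian box size followed by `ftyp`. The Motion Photo built by `build_sample` is constructed for the demonstration, not taken from the CTF image. Google's own XMP metadata in these files records the clip offset too, which is the authoritative source when present; scanning for the `ftyp` box is the fallback that needs no XMP parser.

```python
# Added example, not the script used in the original write-up: split a Motion
# Photo (MVIMG_*.jpg) into its JPEG still and the MP4 clip appended after it.
# Assumption: the clip is stored as a complete MP4 container after the JPEG,
# so it starts with a 4-byte box size followed by "ftyp". Sample data is constructed.
import struct

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"


def find_embedded_mp4(data):
    """Return the byte offset at which an embedded MP4 starts, or None.

    Every "ftyp" occurrence is checked, because those four bytes could in
    principle occur inside the JPEG; a real ftyp box has a small, plausible
    size that fits in the file, is preceded by a JPEG End-Of-Image marker, and
    is followed by an ASCII brand such as 'mp42'.
    """
    if not data.startswith(JPEG_SOI):
        raise ValueError("not a JPEG file")
    pos = data.find(b"ftyp")
    while pos != -1:
        start = pos - 4
        if start >= 2 and data.rfind(JPEG_EOI, 0, start) != -1:
            (box_size,) = struct.unpack(">I", data[start:pos])
            brand = data[pos + 4:pos + 8]
            if 16 <= box_size <= 64 and start + box_size <= len(data) and brand.isalnum():
                return start
        pos = data.find(b"ftyp", pos + 4)
    return None


def split_motion_photo(data):
    """Return (jpeg_bytes, mp4_bytes); mp4_bytes is None for a plain JPEG."""
    start = find_embedded_mp4(data)
    if start is None:
        return data, None
    return data[:start], data[start:]


def build_sample():
    """Constructed Motion Photo: a minimal JPEG followed by a tiny MP4 skeleton."""
    jpeg = (JPEG_SOI
            + b"\xff\xe0\x00\x10" + b"JFIF\x00\x01\x01\x00" + b"\x00" * 6   # APP0 segment
            + JPEG_EOI)
    # ftyp box: size(4) + "ftyp"(4) + major brand(4) + minor version(4) + compatible brands(8) = 24
    ftyp = struct.pack(">I", 24) + b"ftyp" + b"mp42" + struct.pack(">I", 0) + b"mp42isom"
    mdat = struct.pack(">I", 16) + b"mdat" + b"\x00" * 8
    return jpeg, jpeg + ftyp + mdat


def extract_to_files(jpg_path):
    """Write <name>_still.jpg and <name>.mp4 next to the input; return the clip path or None."""
    with open(jpg_path, "rb") as fh:
        data = fh.read()
    still, clip = split_motion_photo(data)
    if clip is None:
        return None
    base = jpg_path.rsplit(".", 1)[0]
    with open(base + "_still.jpg", "wb") as fh:
        fh.write(still)
    with open(base + ".mp4", "wb") as fh:
        fh.write(clip)
    return base + ".mp4"


if __name__ == "__main__":
    jpeg, sample = build_sample()
    still, clip = split_motion_photo(sample)
    print("still bytes:", len(still), "clip bytes:", len(clip))
```

Run `extract_to_files` over every `MVIMG_*.jpg` in an export and the resulting `.mp4` files play in any normal video player; work on copies so the original evidence files keep their hashes.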

Timelining

Next step was making a short timeline of the device, to understand the direction it took and which roads were taken. 

  • IMG_20200307_053704.jpg, taken on 07/03/2020 10:37:06, shows a picture from inside a plane, without geo information available. Most likely Oslo Airport, based on the next pictures.
  • MVIMG_20200307_130221.jpg, taken on 07/03/2020 12:02:24, shows a short moving image of someone travelling, with a train track on the right side (keep in mind). The coordinates are 60°11'38.7"N 11°5'46.65"E, which is at Oslo Airport.
  • MVIMG_20200307_130237.jpg, taken on 07/03/2020 12:02:39, shows a short moving image of someone travelling in a so-called Flybussen, which is a shuttle bus that can be taken from Oslo Airport; the coordinates are still the same. More info on the Flybussen can be found here.
  • MVIMG_20200307_130326.jpg, taken on 07/03/2020 12:03:28, shows a short moving image of someone travelling, with cars passing in the other direction; the coordinates are still the same.
  • IMG_20200307_185206.jpg, taken on 07/03/2020 17:52:08, is a picture in Oslo itself, with the coordinates 59°55'26.47"N 10°47'39.86"E.

This gave me an idea for the direction that the user and device took.
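To make the "direction" step reproducible, here is an added example of my own (not part of the write-up) that builds the timeline from the photo list above. It parses the capture time from the file name (the device's local clock, which differs from the "taken on" times quoted in the list), converts the degrees/minutes/seconds strings to the decimal degrees Google Maps accepts, and goes one step beyond the text by computing the compass bearing between consecutive geotagged fixes. The photo entries are the write-up's; the bearing formula is the standard initial great-circle bearing.

```python
# Added example, not part of the original write-up: timeline, DMS-to-decimal
# conversion and direction of travel for the listed photos. Entries come from
# the write-up's list; time is parsed from the file name (device local clock).
import math
import re
from datetime import datetime

PHOTOS = [
    ("IMG_20200307_185206.jpg", "59°55'26.47\"N 10°47'39.86\"E"),
    ("MVIMG_20200307_130221.jpg", "60°11'38.7\"N 11°5'46.65\"E"),
    ("IMG_20200307_053704.jpg", None),            # no geo information
    ("MVIMG_20200307_130237.jpg", "60°11'38.7\"N 11°5'46.65\"E"),
    ("MVIMG_20200307_130326.jpg", "60°11'38.7\"N 11°5'46.65\"E"),
]

DMS_RE = re.compile(r"""(\d+)°(\d+)'([\d.]+)"([NSEW])""")


def dms_to_decimal(part):
    """'60°11\\'38.7"N' -> 60.1941; south and west become negative."""
    m = DMS_RE.fullmatch(part.strip())
    if not m:
        raise ValueError("bad DMS string: %r" % part)
    deg, minutes, seconds, hemi = m.groups()
    value = int(deg) + int(minutes) / 60 + float(seconds) / 3600
    return -value if hemi in "SW" else value


def parse_coordinates(text):
    """'lat lon' in DMS -> (lat, lon) in decimal degrees."""
    lat_s, lon_s = text.split()
    return dms_to_decimal(lat_s), dms_to_decimal(lon_s)


def capture_time(filename):
    """IMG_/MVIMG_YYYYMMDD_HHMMSS file names carry the capture time on the device clock."""
    m = re.match(r"(?:MV)?IMG_(\d{8})_(\d{6})", filename)
    if not m:
        raise ValueError("unexpected file name: " + filename)
    return datetime.strptime(m.group(1) + m.group(2), "%Y%m%d%H%M%S")


def bearing(lat1, lon1, lat2, lon2):
    """Initial great-circle bearing in degrees (0 = north, 90 = east)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlon = math.radians(lon2 - lon1)
    x = math.sin(dlon) * math.cos(p2)
    y = math.cos(p1) * math.sin(p2) - math.sin(p1) * math.cos(p2) * math.cos(dlon)
    return (math.degrees(math.atan2(x, y)) + 360) % 360


def compass_point(deg):
    """Bearing -> 16-point compass name."""
    points = ["N", "NNE", "NE", "ENE", "E", "ESE", "SE", "SSE",
              "S", "SSW", "SW", "WSW", "W", "WNW", "NW", "NNW"]
    return points[round(deg / 22.5) % 16]


def build_timeline(photos):
    """Chronological rows; 'heading' is the bearing from the previous distinct geotagged fix."""
    rows = []
    for name, coords in sorted(photos, key=lambda p: capture_time(p[0])):
        rows.append({"file": name, "time": capture_time(name),
                     "position": parse_coordinates(coords) if coords else None,
                     "heading": None})
    last = None
    for row in rows:
        if row["position"] is None:
            continue
        if last is not None and last != row["position"]:
            b = bearing(*last, *row["position"])
            row["heading"] = (round(b), compass_point(b))
        last = row["position"]
    return rows


if __name__ == "__main__":
    for row in build_timeline(PHOTOS):
        print(row["time"], row["file"], row["position"], row["heading"])
```

The decimal pairs can be pasted straight into the Google Maps search box, and the heading between the airport fixes and the Oslo photo tells you which way along the highway to scroll.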

Google Maps analysis Part II

Next up I opened Google Maps again, started at 60°11'38.7"N 11°5'46.65"E and followed the highway in the right direction, and then I saw this picture:

Now if you compare that to the short video in MVIMG_20200307_130221.jpg:

For me this was evidence that I was on the right track (no pun intended). Following this highway on Google Maps an exit comes up rather soon:

If you follow this exit you will find the following sign:

So I thought the answer was 2 or the name that is on the sign; however, on the 3rd try I managed to put in the right answer :)

Answer
