Magnet CTF: Question 1 Solution Walk-Through

1: What time was the file that maps names to IP’s recently accessed? UntitledImage

Mobile Forensics is not my strongest area, and Android even less than iOS.  Based on my limited experience the first thing I started with was Google (“GTS”). Based on the question I supposed that the artifact would be DNS related.  Where on the device would that be set locally? To my delight I learned that on Android there is a local hosts file that is responsible for mapping IP’s to DNS (what do you know just like Windows and Linux).

Doing a Global Search for hosts there are a number of hits, but nothing for the hosts file itself.


The first time I processed the Android image tar file I did it as

Mobile > Android > Load Evidence > Image

Using this format when I went to the file explorer view in Magnet, all that was visible was the tar file and I couldn’t navigate the directory structure.

I extracted the tar file (using 7zip) and then re-processed the evidence as

Mobile > Android > Load Evidence > Files and Folders

This yielded the same number of artifacts; however, it exposed the directory structure for browsing in File System view.


In the File System view we can now run a search for hosts (be sure to enable subdirectory results if you’re not focusing on a particular path.


In this case the hosts file can be found at /data/adb/modules/hosts/system/etc


Looking at the preview we can see an additional entry for


With the hosts file selected, scrolling to the right reveals the Created, Accessed and Modified times for this file.  Here we see that the file was modified 03/05/2020 05:50:18.

PDF: MagnetWeeklyCTF Write-Up 1.pdf

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s