Magnet CTF: Question 4 Solution Walk-Through

Challenge 4 (10/26-11/2) Animals That Never Forget

Chester likes to be organized with his busy schedule. Global Unique Identifiers change often, just like his schedule but sometimes Chester enjoys phishing. What was the original GUID for his phishing expedition?

Week 4 was definitely a brain-teaser for me. On my first attempt I was focused on the final part of the question. What was the original GUID for his phishing expedition?

The equivalent of a GUID for an email would be the message ID. In the case data we have, we can see a portion of the original phishing email delivery, but the message headers were not visible. As the data sample was also used at the Magnet User Summit, I checked the Google TakeOut data for the same account and voila – the message ID (email GUID) for the phishing email was: CACWSF2E=ghTTG2hx10GUh+WOf-GkORngZc+c7-BuY4R+cKUhGA@mail.gmail.com

WRONG

So I go back to the question and this time don’t ignore 75% of the verbiage. It’s there for a reason, right?

So we know that our subject, Chester, is meticulous. My first inspection was of the calendar data – but nothing presented as interesting. Looking at the Documents artifacts, we can see that the subject uses Evernote – and among the notes on his device is one called Phishy Phish Phish (at least it wasn’t titled “Evidence”).

If we follow the source link to \user213…-Evernote.db we see that Evernote is storing this content in a SQLite database.

If we examine the notes table we can see that each notebook entry has its own guid. Our Phishy Phish Phish message has the guid of c80ab339-7bec-4b33-8537-4f5a5bd3dd25.

Is that the answer? NO.

What was the original GUID for his phishing expedition?

So this is a GUID, but is it the original?

Looking at a number of developer articles for Evernote I learned that a note can be moved or copied to another notebook.

https://dev.evernote.com/doc/reference/NoteStore.html#Fn_NoteStore_listNotebooks

When that operation takes place it keeps track of this activity in the guid_updates table.

If we reference this table we can find our message, identified by the current guid (identified above) and see that there’s a column for old_guid which for the note in question is: 7605cc68-8ef3-4274-b6c2-4a9d26acabf1. 
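The lookup described above (note title to current guid in the notes table, then current guid to old_guid in guid_updates) can be scripted so it is repeatable across a whole database rather than done by hand in a SQLite browser. The following is an added example written for this walkthrough, not code from the CTF or from Evernote. It builds an in-memory SQLite database from constructed sample rows; the column names (notes.guid, notes.title, guid_updates.guid, guid_updates.old_guid) are assumptions modelled on the tables named above, not Evernote's documented schema. It also goes a step beyond the single move in the challenge: if a note was moved more than once, guid_updates would hold a chain of rows, so the resolver walks that chain back to the earliest guid it can find.

```python
import sqlite3
from typing import Optional, Tuple

# Constructed sample data for this example. The table and column names
# (notes.guid, notes.title, guid_updates.guid, guid_updates.old_guid) are
# assumptions modelled on the walkthrough, not Evernote's documented schema.
SAMPLE_NOTES = [
    ("c80ab339-7bec-4b33-8537-4f5a5bd3dd25", "Phishy Phish Phish"),
    ("11111111-1111-1111-1111-111111111111", "Grocery list"),
    ("22222222-2222-2222-2222-222222222222", "Travel plans"),
]

# (current guid, guid the note carried before the move/copy)
SAMPLE_GUID_UPDATES = [
    ("c80ab339-7bec-4b33-8537-4f5a5bd3dd25", "7605cc68-8ef3-4274-b6c2-4a9d26acabf1"),
    # constructed note moved twice: 4444... -> 3333... -> 2222...
    ("22222222-2222-2222-2222-222222222222", "33333333-3333-3333-3333-333333333333"),
    ("33333333-3333-3333-3333-333333333333", "44444444-4444-4444-4444-444444444444"),
]


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory database with the two tables the walkthrough relies on."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (guid TEXT PRIMARY KEY, title TEXT)")
    conn.execute("CREATE TABLE guid_updates (guid TEXT, old_guid TEXT)")
    conn.executemany("INSERT INTO notes VALUES (?, ?)", SAMPLE_NOTES)
    conn.executemany("INSERT INTO guid_updates VALUES (?, ?)", SAMPLE_GUID_UPDATES)
    conn.commit()
    return conn


def current_guid_for_title(conn: sqlite3.Connection, title: str) -> Optional[str]:
    """Look up the note's present guid in the notes table by its title."""
    row = conn.execute("SELECT guid FROM notes WHERE title = ?", (title,)).fetchone()
    return row[0] if row else None


def original_guid(conn: sqlite3.Connection, guid: str) -> str:
    """Walk guid_updates backwards until no older guid is recorded.

    A note that was moved more than once leaves a chain of rows; the
    visited set stops the walk if the data were ever malformed into a cycle.
    """
    visited = {guid}
    current = guid
    while True:
        row = conn.execute(
            "SELECT old_guid FROM guid_updates WHERE guid = ?", (current,)
        ).fetchone()
        if row is None or row[0] is None or row[0] in visited:
            return current
        current = row[0]
        visited.add(current)


def resolve_note(conn: sqlite3.Connection, title: str) -> Optional[Tuple[str, str]]:
    """Return (current guid, original guid) for a note title, or None if absent."""
    current = current_guid_for_title(conn, title)
    if current is None:
        return None
    return current, original_guid(conn, current)


if __name__ == "__main__":
    db = build_sample_db()
    for name in ("Phishy Phish Phish", "Travel plans", "Grocery list"):
        print(name, "->", resolve_note(db, name))
```

Against an exported copy of the real Evernote.db you would replace build_sample_db() with sqlite3.connect(path_to_extracted_copy) and, first, confirm the actual column names with `PRAGMA table_info(guid_updates)`, since the names used here are assumed. A note that has never been moved resolves to its own guid, which is the check that distinguishes "original" from "current" in the question.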
