Magnet CTF: Question 3 Solution Walk-Through

Challenge 3…Which exit did the device user pass by that could have been taken for Cargo?

In NJ it’s common to inquire where someone resides with the question “What exit?” I found it interesting that some of the test data examined as part of the CTF included artifacts that originated in New Jersey. Yup. I hail from the land of Bruce Springsteen and Bon Jovi and if you even mention Jersey Shore in the context of a reality show, please just… quietly go away.

Many types of forensic artifacts include metadata that ties the evidence to a particular location using GPS data. Maps and driving applications are among these, and commonly you can retrieve this data from photos and videos. (Note: a lot of services, Facebook, Instagram, etc., have settings that control whether this data is stripped when media is shared.)

Selecting this view limits the presentation of artifacts to just those that include GPS data.

Reviewing the artifacts with GPS metadata, there was nothing that immediately presented as a reference to an exit or to cargo.

However, just like Transformers, within these artifacts there is more than meets the eye. In the screenshot above you’ll see that several files start with MVIMG_ . These files are Google Motion Photos, essentially the functional equivalent of Live Photos on iOS.

A few weeks back I saw a Magnet webinar: Mobile Artifact Comparison – Understanding the Similarities Between iOS and Android Data

Included in the comparison were both of these “live photo” types, and B1n2h3x mentioned that she had previously carved out the MVIMG_ files and was able to isolate the key frame and the MP4 (video) that comprised it.

If you’re not supplementing your Magnet course training with their free webinars you’re really missing out.

  • Using Axiom, I exported all the MVIMG_ files to a folder.
  • Next I utilized GoMoPho – Google motion photos video extractor https://github.com/cliveontoast/GoMoPho and ran it against the directory, which split the MVIMG_ files into .jpg and .mp4.
  • From there I loaded the videos into VLC.  They were only a few seconds long and played very fast. This is where the playback speed settings in VLC come in handy. Drop it back to the slowest it will play.
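As an added example (not GoMoPho's own code, and not part of the original write-up), this is the split that step two performs: a Motion Photo is a normal JPEG with an MP4 container appended, and the older MVIMG_ format records the trailer length in the XMP attribute GCamera:MicroVideoOffset, counted back from the end of the file. The fixture built by build_sample() is constructed here for the demonstration, not a real capture; the script falls back to scanning for the MP4 'ftyp' box when the XMP attribute is absent.

```python
import re
import struct
import sys

# Older Motion Photos store the trailer length in this XMP attribute (bytes from end of file).
MICRO_VIDEO_RE = re.compile(rb'GCamera:MicroVideoOffset="(\d+)"')


def find_video_offset(data: bytes) -> int:
    """Return the file offset where the appended MP4 begins, or -1 if none is found."""
    m = MICRO_VIDEO_RE.search(data)
    if m:
        off = len(data) - int(m.group(1))
        if 0 < off < len(data) - 8 and data[off + 4:off + 8] == b"ftyp":
            return off
    # Fallback: scan for an ISO BMFF 'ftyp' box; its big-endian 4-byte size precedes the type.
    pos = 0
    while (idx := data.find(b"ftyp", pos)) >= 4:
        (size,) = struct.unpack(">I", data[idx - 4:idx])
        if 16 <= size <= 256 and size % 4 == 0:  # real ftyp boxes are small and 4-byte aligned
            return idx - 4
        pos = idx + 4
    return -1


def split_motion_photo(data: bytes):
    """Split into (still_jpeg, mp4_or_None); the JPEG keeps its FF D9 end-of-image marker."""
    off = find_video_offset(data)
    return (data, None) if off == -1 else (data[:off], data[off:])


def build_sample() -> bytes:
    """Constructed fixture, not a real capture: minimal JPEG with an XMP APP1 segment, then a stub MP4."""
    mp4 = struct.pack(">I", 20) + b"ftypisom" + bytes(4) + b"mp42" + struct.pack(">I", 8) + b"moov"
    xmp = b'<x:xmpmeta GCamera:MicroVideoOffset="%d"/>' % len(mp4)
    app1 = b"\xff\xe1" + struct.pack(">H", len(xmp) + 2) + xmp
    return b"\xff\xd8" + app1 + b"\xff\xd9" + mp4


if __name__ == "__main__":
    # Usage: python split_mvimg.py MVIMG_20200307_120326.jpg  (writes .still.jpg and .mp4 beside the input)
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            jpg, mp4 = split_motion_photo(f.read())
        open(path + ".still.jpg", "wb").write(jpg)
        if mp4:
            open(path + ".mp4", "wb").write(mp4)
        print(path, "video trailer:", "none" if mp4 is None else f"{len(mp4)} bytes")
```

Newer Motion Photos describe the trailer with the Container:Directory XMP structure instead of MicroVideoOffset; the 'ftyp' scan still locates the video in those files.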

When initially previewed, MVIMG_20200307_120326.jpg presented what appeared to be a view from the highway in winter. There are no immediately discernible landmarks in the photo.

However, when the extracted video is played, we get a few seconds of visibility from the car on the highway, including passing the following sign:

Among the words on the sign we can read “Cargo”, and the exit shown at the bottom of the sign is F16.

PDF: magnetweeklyctf-write-up-3-1.pdf

Magnet CTF: Question 2 Solution Walk-Through

Challenge 2 (OCT 12-18) PIP Install: What domain was most recently viewed via an app that has picture-in-picture capability?

For the week 2 challenge, we’re using the same Android image we examined last week. From the question there are two factors involved: application capability and application usage.

The first thing to understand is what applications on the device have PIP (Picture in Picture) capability.


I reviewed the installed applications on the device looking for anything that could be PIP related. A screen recording application caught my attention (googled to understand capability), but this was not the ‘Droid (app) we’re looking for.

One of the Discord users shared this helpful link describing the capability and what applications featured PIP support.

Back in the applications list, I tagged anything that showed up in the PIP article.

From here I proceeded to look at the Application Activity – Android.  One of the applications we can see recent activity for is Google Chrome. From the previously referenced article we know this app supports PIP.


The preview card shows a captured snapshot of Chrome being used to visit a URL beginning with MallieSae.com.

The artifact for this can be found at MUS_Android.tar\data\system_ce\0\snapshots\320.jpg.

Answer: Google Chrome, an app that supports PIP, was recently used to visit the domain malliesae.com.

PDF: MagnetWeeklyCTF Write-Up 2.pdf

Magnet CTF: Question 1 Solution Walk-Through

1: What time was the file that maps names to IP’s recently accessed?

Mobile forensics is not my strongest area, and Android even less so than iOS. Based on my limited experience, the first thing I started with was Google (“GTS”). Based on the question I supposed that the artifact would be DNS related. Where on the device would that be set locally? To my delight I learned that on Android there is a local hosts file that is responsible for mapping hostnames to IP addresses (what do you know, just like Windows and Linux).

Doing a Global Search for “hosts”, there are a number of hits, but nothing for the hosts file itself.


The first time I processed the Android image tar file I did it as

Mobile > Android > Load Evidence > Image

Processed this way, when I went to the File System view in Magnet all that was visible was the tar file, and I couldn’t navigate the directory structure.

I extracted the tar file (using 7-Zip) and then re-processed the evidence as

Mobile > Android > Load Evidence > Files and Folders

This yielded the same number of artifacts; however, it exposed the directory structure for browsing in File System view.


In the File System view we can now run a search for “hosts” (be sure to enable subdirectory results if you’re not focusing on a particular path).


In this case the hosts file can be found at /data/adb/modules/hosts/system/etc.


Looking at the preview, we can see an additional entry for malliesae.com.


With the hosts file selected, scrolling to the right reveals the Created, Accessed and Modified times for this file. Here we see that the file was modified 03/05/2020 05:50:18.

PDF: MagnetWeeklyCTF Write-Up 1.pdf