Doug Metz

Exploring Magnet Virtual Summit 2025 CTF Challenges (iOS)

A couple weeks ago, I participated in the Magnet Virtual Summit 2025 CTF (Capture the Flag). While I don’t think I will ever see a day where I win one of these, (speed is not my forte), I enjoyed working through a good number of the challenges, starting with the lower point values and working my way up. The CTF covered images/sources including: Cipher challenges, iOS and Android full file system images, Google takeouts, and images of a Windows 11 workstation and a Chromebook. I spent my available time working on the iOS and Windows challenges. I wasn’t able to complete all of them, but I’ll share what I was able to complete.

In this post I’ll be sharing my solutions for the iOS challenges. Warning: SPOILERS AHEAD!

To determine the version of iOS, I used the iLEAPP report for the device.

Another way of finding this information in Axiom is to review the Powerlog Battery Shutdown events.

The answer is 18.0

Looking at the Owner information in Axiom is quick way to identify the telephone number associated with the device. 18024959063.

For this one you could start in Contacts or start with a Date/Time filter as that was very specific to the question. The answer is Mary.

Reviewing the iOS Call Logs in Axiom we see that the user never answers their phone. (I can relate.) The answer is “0”.

That’s a ducking odd thing to be curious about. According the the Keyboard Usage Stats, the answer is 51.

In a Discord chat, Mary and Ruth agree to meet up at 2:15 for coffee.

Started off with a global search on ‘bitmoji’ and then reviewed the media files. (Brown)

A global search on Discord narrows the results. There is an apple mail message from Discord about the user signing in from a new location. The IP address is 184.171.159.153.

Ah, Nashville. Home of the Magnet User Summit coming up in just a few weeks. iLEAPP can provide us with the Lat and Long of the cities configured in the Weather app.

Looking at the Application Permission we can see which applications had (or were denied) access to the microphone. The app identifier com.toyopagroup.picaboo corresponds to Snapchat. The name “Picaboo” refers to Snapchat’s original name before it was rebranded.

In the iOS Messages, we find a number of ‘sale’ announcement from Zenni. EARLYBF24 is the code associated with the 40% off promotion.

First off, we need to know what TikTok video this is referring to. In the iOS messages we see a TikTok video that was shared.

Copy the url and head over to Ryan Benson’s Unfurl. Unfurl decodes the different elements of the url string. One of the details embedded in the string is the time the video was posted. 2024-11-12 22:11:09.

For this one we can take a look at the Apple Maps – Biome App Intents, and see a search for directions to North Beach Park.

When I first looked at this one I thought there could be a “Welcome to your new iPhone” message or something similar. No dice. Besides, that would be too easy for a 25 pointer. A quick googling indicated was that one way to confirm the purchase date of an iPhone is too look up the warranty status on checkcoverage.apple.com.

We can grab the serial number for the device from iLEAPP.

Plugging that into the warranty coverage site we get: December 2022 (2022-12).

“October” is a good search to start with. Within the PDF documents we find a reference for an October-2023-iphone-wallpaper. In the details we see that the author of this image was nicole vranjican.

There were a few more higher point challenges in the iOS section, but that’s as far as I made it in the allotted time. I’m looking forward to reading other’s write-ups, both for the questions I was unable to solve, as well as seeing the unique and alternative ways that others solved the ones I did.

Stay tuned for my next post on the solutions for the Windows challenges.

If you’d like to access the images used for the CFT for your own training and investigation, you can find them at https://cfreds.nist.gov/all/Hexordia/2025MVSCTF.

Last but not least, my heartfelt appreciation to the team at Hexordia who put together the CTF. Another PUNderful job!

Upcoming talks at Magnet Virtual Summit 2025

DFIR, Mac, Presentations, Triage

Just two more weeks to the Magnet Virtual Summit 2025! If you’ve been procrastinating on registering, don’t miss out. It’s completely free! The conference is scheduled for February 10th through the 14th.

I’m excited to present two talks this year. The first one is titled “Unlocking DFIR: Free Resources for Efficient Triage and Acquisition.” In this talk, I’ll cover free triage acquisition solutions for Windows, Mac, and Linux.

The second talk is called “Zen & the Art of Digital Forensics: Enhancing Insight through Mindfulness.” In this talk, I’ll explore how applying Zen principles like mindfulness, non-attachment, and the ‘beginner’s mind’ can lead to improved investigations and mental well-being.

While you’re there, don’t forget to sign up for the Capture the Flag.

Book Review: Cloud Forensics Demystified

Forensic Imaging, Forensics, M365, Malware, Memory Analysis, RAM, Triage

At this point, we’ve all heard the expression ‘There is no cloud; It’s just someone else’s computer.’ While there is some truth to that, there are some fundamental differences when it comes to digital forensics when cloud resources are part of the investigation.

Recently, I had the chance to read Cloud Forensics Demystified: Decoding cloud investigation complexities for digital forensic professionals, by Ganesh Ramakrishnan and Mansoor Haqanee. I received a complimentary this book in exchange for an honest and unbiased review. All opinions expressed are my own.

I’ve been doing DFIR for about 15 years now. In the early days, almost all investigations involved having hands on access to the data or devices being investigated. As I moved into Enterprise Incident Response, it became more and more frequent that the devices I would be investigating would be in a remote location, be it another state – or even another country. As the scope of my investigations grew, so did my techniques need to evolve and adapt.

Cloud Forensics is the next phase of that evolution. While the systems under investigation may still be in another state or country, extra factors come into play like multi-tenancy and shared responsibility models. Cloud Forensics Demystified does a solid job of shedding light on those nuances.

The book is divided into three parts.

Part 1: Cloud Fundamentals
Part 2: Forensic Readiness: Tools, Techniques, and Preparation for Cloud Forensics
Part 3: Cloud Forensic Analysis: Responding to an Incident in the Cloud

Part 1: Cloud Fundamentals

This section provides a baseline knowledge of the three major cloud providers, Amazon Web Services (AWS), Google Cloud Platform (GCP) and Microsoft Azure. It breaks down the different architectural components of each, and how the platforms each handle the functions of virtual systems, networking and storage.

Part 1 also includes a broad yet thorough introduction to the different Cyber and Privacy legislation that come into play for cloud investigations. This section is not only valuable to investigators. Whether you’re a lawyer providing legal counsel for an organization, or responsible for an organizations overall security at a CISO level, this material is beneficial in understanding the challenges and responsibilities that come from hosting your data or systems in the cloud, and the different legislation and regulations that follow those choices.

Part 2: Forensic Readiness: Tools, Techniques, and Preparation for Cloud Forensics

As with enterprise investigations, logging is often where the hunting for incident indicators begins with telemetry and the correlation of different log sources. This section focuses on the different log sources available in AWS, GCP, and Azure. It also provides a detailed list of log types that are enabled by default and those that require manual activation to ensure that you have access to the most relevant data for your investigations when an incident occurs. This section also covers the different providers offerings for log analysis in the cloud including AWS Cloud Watch, Microsoft Sentinel and Google’s Cloud Security Command Center (Cloud SCC) as examples.

Part 3: Cloud Forensic Analysis: Responding to an Incident in the Cloud

As an Incident Responder, this was the section I enjoyed the most. While the first two sections are foundational for understanding the architectures of networking and storage, part three provides detailed information on how to acquire evidence for cloud investigations. The section covers both log analysis techniques as well as recommendations for host forensics and memory analysis tools. The book covers the use of commercial forensic suites, like Magnet Axiom, as well as open-source tools like CyLR and HAWK. Besides covering investigations of the three Cloud Service Providers (CSPs), there is also a section covering the cloud productivity services of Microsoft M365 and Google Workspace, as well as a brief section on Kubernetes.

Summary

Whether you’re a gray-haired examiner like me, or a neophyte in the world of digital forensics, chances are high that if you’re not running investigations in the cloud yet – you will be soon enough. Preparation is the first step in the Incident Response lifecycle. To properly prepare for incidents you need to know both what sources will be most informative to your investigations, as well as the methodology to capture and process that evidence efficiently.

Cloud Forensics Demystified is a comprehensive guide that covers cloud fundamentals, forensic readiness, and incident response. It provides valuable insights into cloud investigation techniques, log analysis, and evidence acquisition for major cloud providers and productivity services. The book is valuable for both experienced and novice digital forensics professionals to prepare for cloud investigations.

Beyond Hashes: Simplifying Malware Identification with Python and MpCmdRun

DFIR, Forensics, Malware, PowerShell, Python

In an earlier post titled “Growing Your Malware Corpus”, I outlined methods for building a comprehensive test corpus of malware for detection engineering. It covers using sources like VX-Underground for malware samples and details how to organize and unzip these files using Python scripts.

In today’s post we’re going to cover using Python to apply a standard naming methodology to all our malware samples.

Depending on where you curate your samples from, they could be named by their hash, or as they were identified during investigation, like invoice.exe. Depending on the size of your collection, I’d surmise it’s highly unlikely that they have a consistent naming format.

I don’t know about you, but a title that indicates the malware family and platform is a lot more useful to me than a hash value when perusing the corpus for a juicy malware sample. We can rename all our malware files using Python and the command line utility for Windows Defender.

Step 1: You’ll need to install Python on a Windows box that has Windows Defender.

Install Python

If you don’t have Python installed on your Windows machine, you can do so by downloading the installer from python.org, or alternatively, installing from the Windows store.

*Windows Store installer for Python versions 3.7 to 3.12*

Directory Exclusion

Within the Windows Defender Virus & Threat protection settings, add an exclusion for the directory you’re going to be using with the malware. Make sure the exclusion is in place before connecting the drive with the malware so it doesn’t get nuked.

Note: Doing this assumes you’ve evaluated the potential risks associated with handling malware, even in controlled settings, and have taken safety precautions. This is not an exercise to be conducted on your corporate workstation.

*Screenshot of the D:\Malware Directory being excluded from Windows Defender.*

Automatic Sample submission

It’s up to you if you want to disable the Automatic Sample submission. If you do, you’ll still may get prompted to send some.

*Windows Defender requesting to send samples to Microsoft for further analysis.*

Rename_Malware.py

The star of this show is the python script that was shared on ~~twitter~~ from vx-underground.

The post walks through various options for utilizing Windows Defender command line, MpCPmdRun.exe. Using that information a Python script was developed to loop through the contents of a directory, analyze those files with Windows Defender, and then rename the files accordingly based on the malware identification.

*Python code for rename_malware.py in VS Code.*

You can grab the code from the linked post, or a copy on my Github here.

Once you’ve got Python installed, directory exclusion configured, and a pocketful of kryptonite (malware), – you’re ready to go.

python rename_malware.py D:\Malware

Windows Defender command line will run through each file and rename them based on its detection.

*The script recursively renames the analyzed files.*

I’m running this on a copy of my malware corpus of 30,000+ malware samples.

Counting the Corpus

A bit of handy PowerShell math. Before and after the process I wanted to be sure of how many files were present to ensure that the antivirus didn’t remove any. I also wanted to exclude counting pdfs as many of the samples in my corpus also have accompanying write-ups.

*Using PowerShell for selective file counting.*

Get-ChildItem -Recurse -file | Where-Object { $_.Extension ne *.pdf" } | Measure-Object | Select Count

Back at the console the script is still running.

*The script continues recursively renaming the analyzed files.*

Finally… not begrudgingly at all considering over 30,000 samples were analyzed, the script has reached the end of the samples.

*Script has reached the end of the files.*

If we do a directory listing on the contents of the malware directory, we see that the majority of the files have all been renamed based on their malware identification.

*File listing showing malware files named Trojan.Powershell… Trojan.Script… etc.*

Hooray!

That makes it much easier to search and query through the malware repository.

The last step… make a BACKUP. 😉