Magnet CTF: Question 4 Solution Walk-Through

Challenge 4 (10/26-11/2) Animals That Never Forget

Chester likes to be organized with his busy schedule. Global Unique Identifiers change often, just like his schedule but sometimes Chester enjoys phishing. What was the original GUID for his phishing expedition?

Week 4 was definitely a brain-teaser for me. On my first attempt I was focused on the final part of the question. What was the original GUID for his phishing expedition?

The equivalent of a GUID for an email would be the message ID. In the case data we have, we can see a portion of the original phishing email delivery, but the message headers were not visible. As the data sample was also used at the Magnet User Summit, I checked the Google Takeout data for the same account and voila – the message ID (email GUID) for the phishing email was: CACWSF2E=ghTTG2hx10GUh+WOf-GkORngZc+c7-BuY4R+cKUhGA@mail.gmail.com

WRONG

So I go back to the question and this time don’t ignore 75% of the verbiage. It’s there for a reason, right?

So we know that our subject, Chester, is meticulous. My first inspection was of the calendar data – but nothing presented as interesting. Looking at the Documents artifacts, we can see that the subject uses Evernote – and among the notes on his device is one called Phishy Phish Phish (at least it wasn’t titled “Evidence”).

If we follow the source link to \user213…-Evernote.db we see that Evernote is storing this content in a SQLite database.

If we examine the notes table we can see that each notebook entry has its own guid. Our Phishy Phish Phish message has the guid of c80ab339-7bec-4b33-8537-4f5a5bd3dd25.

Is that the answer? NO.

What was the original GUID for his phishing expedition?

So this is a GUID, but is it the original?

Looking at a number of developer articles for Evernote I learned that a note can be moved or copied to another notebook.

https://dev.evernote.com/doc/reference/NoteStore.html#Fn_NoteStore_listNotebooks

When that operation takes place, Evernote records the change in the guid_updates table.

If we query this table for our note’s current guid (identified above), we find a row with an old_guid column, which for the note in question holds: 7605cc68-8ef3-4274-b6c2-4a9d26acabf1.
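To show the lookup described above as a repeatable query, here is an added example (not part of the original write-up, and not Evernote’s schema): it builds an in-memory stand-in for the Evernote SQLite store with the two tables the walk-through names and walks the guid_updates rows back until no older guid exists, so a note that has been moved or copied more than once still resolves to its original guid. The `notes.title` column and the `guid_updates.guid` column that links a row to the current note are assumptions; the row for Phishy Phish Phish uses the guids from the write-up, the "Moved twice" note is constructed.

```python
import sqlite3


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory, simplified stand-in for the Evernote store (assumed schema)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE notes (guid TEXT PRIMARY KEY, title TEXT);
        CREATE TABLE guid_updates (guid TEXT, old_guid TEXT);
    """)
    con.executemany("INSERT INTO notes VALUES (?, ?)", [
        ("c80ab339-7bec-4b33-8537-4f5a5bd3dd25", "Phishy Phish Phish"),  # values from the write-up
        ("aaaaaaaa-0000-4000-8000-000000000003", "Moved twice"),          # constructed
    ])
    con.executemany("INSERT INTO guid_updates VALUES (?, ?)", [
        # (current guid, previous guid); one row per move/copy
        ("c80ab339-7bec-4b33-8537-4f5a5bd3dd25", "7605cc68-8ef3-4274-b6c2-4a9d26acabf1"),
        ("aaaaaaaa-0000-4000-8000-000000000003", "aaaaaaaa-0000-4000-8000-000000000002"),
        ("aaaaaaaa-0000-4000-8000-000000000002", "aaaaaaaa-0000-4000-8000-000000000001"),
    ])
    return con


def guid_history(con: sqlite3.Connection, title: str) -> list[str]:
    """Return [current guid, ..., original guid] for the note with the given title."""
    row = con.execute("SELECT guid FROM notes WHERE title = ?", (title,)).fetchone()
    if row is None:
        raise LookupError(f"no note titled {title!r}")
    chain, seen = [row[0]], {row[0]}
    while True:
        prev = con.execute(
            "SELECT old_guid FROM guid_updates WHERE guid = ?", (chain[-1],)
        ).fetchone()
        # Stop when there is no earlier guid, or if the data loops back on itself.
        if prev is None or prev[0] in seen:
            return chain
        chain.append(prev[0])
        seen.add(prev[0])


def original_guid(con: sqlite3.Connection, title: str) -> str:
    """The guid the note was first created with (last element of its history)."""
    return guid_history(con, title)[-1]


if __name__ == "__main__":
    db = build_sample_db()
    for name in ("Phishy Phish Phish", "Moved twice"):
        print(name, "->", " <- ".join(guid_history(db, name)))
```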

Magnet CTF: Question 3 Solution Walk-Through

Challenge 3…Which exit did the device user pass by that could have been taken for Cargo?

In NJ it’s common to inquire where someone resides with the question “What exit?” I found it interesting that some of the test data examined as part of the CTF included artifacts that originated in New Jersey. Yup. I hail from the land of Bruce Springsteen and Bon Jovi and if you even mention Jersey Shore in the context of a reality show, please just… quietly go away.

Many types of forensic artifacts include metadata that ties that evidence to a particular location using GPS data. Maps and driving applications are among these, and commonly you can retrieve this data from photos and videos. (Note: many services – Facebook, Instagram, etc. – have settings that control whether this data is removed when media is shared.)

Selecting this view limits the presentation of artifacts to just those that include GPS data.

Reviewing the artifacts with GPS metadata, there was nothing that immediately presented as a reference to an exit or to cargo.

However, just like Transformers, within these artifacts there is more than meets the eye. In the screenshot above you’ll see that several files start with MVIMG_ . These files are Google Motion Photos, essentially the functional equivalent of Live Photos on iOS.

A few weeks back I saw a Magnet webinar: Mobile Artifact Comparison – Understanding the Similarities Between iOS and Android Data

Included in the comparison were both of these “live photo” types, and B1n2h3x mentioned that she had previously carved out the MVIMG_ files and was able to isolate the key frame and the MP4 video that comprise them.

If you’re not supplementing your Magnet course training with their free webinars you’re really missing out.

  • Using Axiom, I exported all the MVIMG_ files to a folder.
  • Next I utilized GoMoPho – Google motion photos video extractor https://github.com/cliveontoast/GoMoPho and ran it against the directory which split the MVIMG_ files into .jpg and .mp4
  • From there I loaded the videos into VLC. They were only a few seconds long and played very fast. This is where the playback speed settings in VLC come in handy. Drop it back to the slowest it will play.
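The split GoMoPho performs in the second step can be reproduced directly, which is useful when you want to verify the tool’s output or script it over an export folder. The example below is added here and is not GoMoPho’s code; it relies on the documented layout of a Google Motion Photo, a normal JPEG with an MP4 container appended after it, and locates the MP4 by its leading `ftyp` box. The sample payload is constructed, and the `.still.jpg` output name is this example’s own convention.

```python
import struct
from pathlib import Path

JPEG_SOI = b"\xff\xd8"


def find_mp4_start(data: bytes) -> int:
    """Offset of the appended MP4 (its leading 'ftyp' box), or -1 if none.
    A 'ftyp' tag is only accepted when the 4-byte big-endian box size in front of it
    fits inside the remaining data, which filters out chance matches in image bytes."""
    pos = data.find(b"ftyp")
    while pos != -1:
        if pos >= 4:
            box_start = pos - 4
            (size,) = struct.unpack(">I", data[box_start:pos])
            if 8 <= size <= len(data) - box_start:
                return box_start
        pos = data.find(b"ftyp", pos + 4)
    return -1


def split_motion_photo(data: bytes) -> tuple[bytes, bytes]:
    """Split an MVIMG_*.jpg payload into (jpeg_bytes, mp4_bytes)."""
    if not data.startswith(JPEG_SOI):
        raise ValueError("not a JPEG file")
    start = find_mp4_start(data)
    if start < 0:
        raise ValueError("no embedded MP4 found; plain still image?")
    return data[:start], data[start:]


def split_file(src: Path) -> tuple[Path, Path]:
    """Write the still frame and the video next to the source file."""
    jpeg, mp4 = split_motion_photo(src.read_bytes())
    jpg_out, mp4_out = src.with_suffix(".still.jpg"), src.with_suffix(".mp4")
    jpg_out.write_bytes(jpeg)
    mp4_out.write_bytes(mp4)
    return jpg_out, mp4_out


def build_sample() -> bytes:
    """Constructed input: a minimal JPEG followed by a two-box MP4 stub (ftyp + mdat)."""
    jpeg = JPEG_SOI + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00" + b"\xff\xd9"
    ftyp_body = b"ftypmp42\x00\x00\x00\x00mp42isom"
    mdat_body = b"mdat" + bytes(16)
    boxes = b"".join(struct.pack(">I", 4 + len(b)) + b for b in (ftyp_body, mdat_body))
    return jpeg + boxes


if __name__ == "__main__":
    still, video = split_motion_photo(build_sample())
    print(len(still), "JPEG bytes,", len(video), "MP4 bytes")
```

Run over an export directory with `for p in Path("export").glob("MVIMG_*.jpg"): split_file(p)`; a file that raises "no embedded MP4 found" is an ordinary still, not a motion photo.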

When initially previewed, MVIMG_20200307_120326.jpg presented what appeared as a view from the highway in winter. There are no immediately discernible landmarks in the photo.

However, when the extracted video is played, we get a few seconds visibility from the car on the highway, including passing the following sign:

Among the words on the sign we can read “Cargo”, and the exit shown at the bottom of the sign is F16.

PDF: magnetweeklyctf-write-up-3-1.pdf