
macOS Spotlight

Created: 28.07.2022

This writeup is about CyberDefenders macOS Spotlight challenge.

https://davidkoepi.wordpress.com/2013/07/06/macforensics4/
https://tmairi.github.io/posts/dissecting-the-ad1-file-format/

Question 1: What version of macOS is running on this image?

Using this magical tool grep, I was able to find hits with grep -ri macOS . One of the files, com.apple.touristd, contained the information I needed at the bottom.

./Users/sneaky/Library/Application Support/com.apple.touristd/com.apple.touristd.plist
./Users/sneaky/Library/Application Support/com.apple.touristd/com.apple.tourist.plist

There were also additional hits from logs:

/private/var/log/install.log: 061-96008(R) | macOS Catalina 10.15.4 Update
/private/var/log/install.log:2020-03-01 11:05:13-08 stu-62-151-171-184 installd[467]: PackageKit: Preboot: UpdatePreboot: Commencing operation to update the Preboot Volume for Target Volume disk1s5 macOS Catalina
/private/var/log/install.log:2020-03-01 11:05:13-08 stu-62-151-171-184 installd[467]: PackageKit: Preboot: UpdatePreboot: Commencing operation to update the Preboot Volume for Target Volume disk1s5 macOS Catalina

To get the exact and latest version I ran

grep -ri catalina . | grep -v "install.log"

The com.apple.tourist.plist file showed the latest one.

😕 Other hits were in the following files:

Binary file ./Users/sneaky/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.RecentDocuments.sfl2 matches  
Binary file ./Users/sneaky/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.FavoriteVolumes.sfl2 matches  
Binary file ./Users/sneaky/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.FavoriteItems.sfl2 matches  
Binary file ./Users/sneaky/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.RecentApplications.sfl2 matches  
Binary file ./Users/sneaky/Library/Preferences/com.apple.dock.plist matches  
Binary file ./Users/sneaky/Library/Preferences/com.apple.touristd.plist matches  
Binary file ./Users/sneaky/Library/Preferences/com.apple.finder.plist matches  
Binary file ./Users/sneaky/Library/Preferences/com.apple.tourist.plist matches

However, not all of these files contain the catalina keyword. I don’t understand why they are showing up.

What “competitive advantage” did Hansel lie about in the file AnotherExample.jpg? (two words)

I saw this zsh_history when I was doing preliminary research and remembered that there was something about AnotherExample.jpg in there. Alternatively, grep -r AnotherExample . would also work: since the amount of data is very modest, this option works well.

find . -name "*zsh*"  
cat "./Volume 0/root/Users/sneaky/zsh_history"    

This showed me the following commands (irrelevant commands were cut off):

cat  
cat Example.jpg '!Our newest phone will have helicopter blades and six cameras and <"flip phone"> technology!' > AnotherExample.jpg  
cat Example.jpg (echo '!Our newest phone will have helicopter blades and six cameras and <"flip phone"> technology!') > AnotherExample.jpg  
echo '!Our newest phone will have helicopter blades and six cameras and <"flip phone"> technology!' > secret  
cat Example.jpg secret > AnotherExample.jpg  
cat AnotherExample.jpg

There is a hint in the answer that there are two words. And in the text box for the answer the first word starts with the letter f. So, it’s pretty straightforward. 😕 Not sure why “lied”. Maybe the ! at the beginning (meaning NOT in programming)?

How many bookmarks are registered in safari?

The main artefact that shows bookmarks is here: /Users/hansel.apricot/Library/Safari/Bookmarks.plist. Of course, I found it either with grep or find (I don’t remember which). Something like find . -name "*bookmark*" or grep -ri bookmark . would do. So, once I identified the most likely candidate, I opened it and looked through it. A quick look showed that URLString is the field that stores the bookmark’s URL. It’s a 1:1 relation, so I did:

plutil -p "/Users/hansel.apricot/Library/Safari/Bookmarks.plist" | grep URLString | wc -l        
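The same count done structurally rather than with grep, as an added example that is not part of the writeup: it parses a Safari-style Bookmarks.plist (XML or binary, so no plutil needed) and walks the Children tree, counting only WebBookmarkTypeLeaf entries. The sample plist is constructed here; the WebBookmarkType, Children, URLString and URIDictionary keys are Safari's, the titles and URLs are made up.

```python
import plistlib

# Constructed sample in the layout Safari's Bookmarks.plist uses: a root
# WebBookmarkTypeList whose Children are folders (more lists) or leaves
# that carry the URLString key. Titles and URLs here are made up.
SAMPLE_BOOKMARKS = {
    "WebBookmarkType": "WebBookmarkTypeList",
    "Title": "",
    "Children": [
        {"WebBookmarkType": "WebBookmarkTypeList", "Title": "BookmarksBar",
         "Children": [
             {"WebBookmarkType": "WebBookmarkTypeLeaf",
              "URLString": "https://example.com/",
              "URIDictionary": {"title": "Example"}},
             {"WebBookmarkType": "WebBookmarkTypeList", "Title": "Work",
              "Children": [
                  {"WebBookmarkType": "WebBookmarkTypeLeaf",
                   "URLString": "https://mail.zoho.com/",
                   "URIDictionary": {"title": "Zoho Mail"}}]}]},
        {"WebBookmarkType": "WebBookmarkTypeList", "Title": "BookmarksMenu",
         "Children": [
             {"WebBookmarkType": "WebBookmarkTypeLeaf",
              "URLString": "https://cyberdefenders.org/",
              "URIDictionary": {"title": "CyberDefenders"}}]},
    ],
}

def sample_plist_bytes():
    """Serialise the sample as a binary plist, the form found on disk."""
    return plistlib.dumps(SAMPLE_BOOKMARKS, fmt=plistlib.FMT_BINARY)

def iter_leaves(node):
    """Depth-first walk yielding every WebBookmarkTypeLeaf under node."""
    if node.get("WebBookmarkType") == "WebBookmarkTypeLeaf":
        yield node
    for child in node.get("Children", []):
        yield from iter_leaves(child)

def bookmark_urls(plist_bytes):
    """Parse Bookmarks.plist (XML or binary) and return each leaf's URLString."""
    root = plistlib.loads(plist_bytes)
    return [leaf["URLString"] for leaf in iter_leaves(root)]

def count_bookmarks(plist_bytes):
    """Number of leaf bookmarks; folders are not counted."""
    return len(bookmark_urls(plist_bytes))

if __name__ == "__main__":
    data = sample_plist_bytes()
    print(count_bookmarks(data), bookmark_urls(data))  # 3 and the three URLs
```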

What’s the content of the note titled “Passwords”?

This was a challenging one indeed. Not because of some encryption, but because it was too simple and I was looking for a complex answer.

Of course, again, I grepped for passwords and got myself a list of candidates. The one that looked the most relevant was ./Volume 0/root/Users/hansel.apricot/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite.

A deeper recon:

strings NoteStore.sqlite | grep Passwords -C5 

revealed the following:

B6A0F355A-B381-4887-9D9F-6342CB928BAFThat  
s a good amount of money they  
re offering.555-0123  
T~1A  
6585435D-75E7-4777-8E99-AE5341D3C72CPasswords  
b912D417B-1130-49F9-9EC5-79E41729F082Get 2nd job  
 no to muchIdeas for work  
LocalAccount3_On My MacOn My Mac  
TrashFolder-LocalAccount3_On My MacRecently Deleted  
C95EF12E-8CF1-4811-95E0-CE9F9B99FA12New Note

So, the note is titled Passwords. I was trying to find this note by id 6585435D-75E7-4777-8E99-AE5341D3C72C and there was nothing else. Then I realised that in iOS, when you create a note and do not name it explicitly, it’s given the same name as the beginning of its contents.

Besides, in the text box for the answer there was a masked answer starting with the letter P. So, it was much easier than I thought it was.

What’s hansel.apricot’s password hint? (two words)

This is one of the few where I knew where to look from the beginning (here).

plutil -p /var/db/dslocal/nodes/Default/users/hansel.apricot.plist | grep -C2 hint

Provide the MAC address of the ethernet adapter for this machine.

I tried… wait for it… grep with a regex for this. I really don’t remember how I got this one. This one worked for me later:

grep -iro '[0-9a-f]\{2\}:[0-9a-f]\{2\}:[0-9a-f]\{2\}:[0-9a-f]\{2\}:[0-9a-f]\{2\}:[0-9a-f]\{2\}' .

At last (and I don’t think it took long) I found it here: ./Volume 0/root/private/var/log/daily.out.

Name the data URL of the quarantined item.

Well, grep magic was used here as well. I tried adding a macOS-specific MAC prefix, but there were several of them, so I went on with a different approach.

grep -ri quarantine .
find . -name "*quarantine*"
cat "./Volume 0/root/Users/sneaky/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2"

What app did the user “sneaky” try to install via a .dmg file? (one word)

grep "\.dmg" ./0/root/private/var/log/install.log gave no valid result. However, in ./0/root/Users/sneaky/.zsh_history there was the following command: hdiutil mount silenteye-0.4.1b-snowleopard.dmg.

https://futureboy.us/stegano/encode.pl

https://futureboy.us/stegano/encinput.html

What was the file ‘Examplesteg.jpg’ renamed to?

How much time was spent on mail.zoho.com on 4/20/2020?

grep -r "mail.zoho.com" .

Found the following results:

Binary file ./Volume 0/root/private/var/folders/bf/r04p_gb17xxg37r9ksq855mh0000gn/0/com.apple.ScreenTimeAgent/Store/RMAdminStore-Local.sqlite-wal matches  
Binary file ./Volume 0/root/Users/hansel.apricot/Library/Safari/RecentlyClosedTabs.plist matches  
Binary file ./Volume 0/root/Users/hansel.apricot/Library/Safari/CloudAutoFillCorrections.db matches  
Binary file ./Volume 0/root/Users/hansel.apricot/Library/Safari/History.db matches  
Binary file ./Volume 0/root/Users/hansel.apricot/Library/Safari/Touch Icons Cache/TouchIconCacheSettings.db matches  
Binary file ./Volume 0/root/Users/hansel.apricot/Library/Safari/Bookmarks.plist matches  
Binary file ./Volume 0/root/Users/hansel.apricot/Library/Safari/Template Icons/CacheSettings.plist matches  
Binary file ./Volume 0/root/Users/hansel.apricot/Library/Safari/Favicon Cache/favicons.db matches

The file ./Volume 0/root/private/var/folders/bf/r04p_gb17xxg37r9ksq855mh0000gn/0/com.apple.ScreenTimeAgent/Store/RMAdminStore-Local.sqlite-wal shows ZUSAGETIMEDITEM, ZTOTALTIMEINSECONDS.

Or

python mac_apt_artifact_only.py SCREENTIME -i "RMAdminStore-Local.sqlite" -o "/Users/username/Documents/"

Use modulus, not just division, to convert the seconds. Maths!
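As an added example (not from the writeup or from mac_apt), here is the per-day query and the seconds-to-h:m:s conversion in Python against a constructed, simplified copy of the ScreenTime store. Only the ZUSAGETIMEDITEM table and ZTOTALTIMEINSECONDS column come from the page; the ZUSAGEBLOCK table, the ZSTARTDATE and ZDOMAIN columns, the Core Data epoch handling and the UTC day boundary are assumptions (the image's logs show a -08 offset, so a real analysis would shift the day window accordingly).

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Core Data (which the ScreenTime store is built on) keeps dates as seconds
# since 2001-01-01 00:00:00 UTC, not since the Unix epoch.
CORE_DATA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

def to_core_data(dt):
    """Aware datetime -> Core Data seconds."""
    return (dt - CORE_DATA_EPOCH).total_seconds()

def build_sample_store():
    """Constructed, simplified stand-in for RMAdminStore-Local.sqlite; only the
    ZUSAGETIMEDITEM/ZTOTALTIMEINSECONDS names come from the writeup, the rest is assumed."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE ZUSAGEBLOCK (Z_PK INTEGER PRIMARY KEY, ZSTARTDATE REAL);
        CREATE TABLE ZUSAGETIMEDITEM (Z_PK INTEGER PRIMARY KEY, ZUSAGEBLOCK INTEGER,
                                      ZDOMAIN TEXT, ZTOTALTIMEINSECONDS REAL);""")
    day = datetime(2020, 4, 20, tzinfo=timezone.utc)
    con.executemany("INSERT INTO ZUSAGEBLOCK VALUES (?, ?)", [
        (1, to_core_data(day + timedelta(hours=9))),   # 2020-04-20 09:00 UTC
        (2, to_core_data(day + timedelta(hours=15))),  # 2020-04-20 15:00 UTC
        (3, to_core_data(day + timedelta(days=1)))])   # 2020-04-21, must be excluded
    con.executemany("INSERT INTO ZUSAGETIMEDITEM VALUES (?, ?, ?, ?)", [
        (1, 1, "mail.zoho.com", 1500.0),
        (2, 2, "mail.zoho.com", 1543.0),
        (3, 1, "example.com", 700.0),      # other domain, ignored
        (4, 3, "mail.zoho.com", 999.0)])   # next day, ignored
    return con

def seconds_on_domain(con, domain, year, month, day):
    """Sum ZTOTALTIMEINSECONDS for domain over usage blocks starting on that UTC day."""
    start = datetime(year, month, day, tzinfo=timezone.utc)
    lo, hi = to_core_data(start), to_core_data(start + timedelta(days=1))
    row = con.execute("""
        SELECT COALESCE(SUM(i.ZTOTALTIMEINSECONDS), 0)
        FROM ZUSAGETIMEDITEM i JOIN ZUSAGEBLOCK b ON b.Z_PK = i.ZUSAGEBLOCK
        WHERE i.ZDOMAIN = ? AND b.ZSTARTDATE >= ? AND b.ZSTARTDATE < ?""",
        (domain, lo, hi)).fetchone()
    return int(row[0])

def seconds_to_hms(total):
    """divmod keeps the remainder: 3043 s is 0 h 50 min 43 s, not 50.7 min."""
    hours, rest = divmod(int(total), 3600)
    minutes, seconds = divmod(rest, 60)
    return hours, minutes, seconds
```

Calling seconds_on_domain(build_sample_store(), "mail.zoho.com", 2020, 4, 20) returns 3043, which seconds_to_hms turns into (0, 50, 43).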

The main file that stores Hansel’s iMessages had a few permissions changes. How many times did the permissions change?

fsevents are very close to $UsnJrnl and the MFT on NTFS, and are the first place to look when you have questions about files being created, renamed, modified, deleted, etc.

iMessages are stored in the chat.db database. In this challenge there was no file with that name (deleted on purpose). However, information about this file is still kept in the fsevents logs.

plutil -p "./Volume 0/root/Users/sneaky/Library/Preferences/com.apple.iChat.plist"

resulted in

{  
  "DidCheckForDuplicateChats" => 3  
  "DidMigratePersonCentricIDs" => 1  
  "NotifyAboutMessagesFromUnknownContacts" => 1  
  "PlaySoundsKey" => 1  
}  

The file looked so juicy and yet there was nothing useful for me there.

find . -name "*fseve*"
python mac_apt_artifact_only.py -i samples/FruitBook/fsevents -o . FSEVENTS

Find the flag in the GoodExample.jpg image. It’s hidden with better tools.

On a Windows VM I used PowerShell and steghide:

steghide info GoodExample.jpg
Enter passphrase: # no password
  embedded file "steganopayload27635.txt":
    [...]
steghide extract -sf GoodExample.jpg --passphrase ""

What’s the UID of the user who is responsible for connecting mobile devices?

find . -name "*zsh*"                                                 
./Volume 4/root/bin/zsh  
./Volume 0/root/Users/sneaky/zsh_history  
plutil -p "/Users/sneaky/Library/Preferences/com.apple.finder.plist" > appleplist 
"RecentMoveAndCopyDestinations" => [  
    0 => "file:///Users/Shared/"  ]
open -t "./macOS Catalina - Data [volume_0]/root/private/var/log/daily.out"         
# fsck_hfs.log?
grep -ri iphone . # Hooray!

Results:

Binary file ./Volume 4/root/System/Library/CoreServices/mapspushd matches  
Binary file ./Volume 4/root/System/Library/CoreServices/SubmitDiagInfo matches  
Binary file ./Volume 4/root/System/Library/CoreServices/cloudpaird matches  
Binary file ./Volume 0/root/private/var/db/dslocal/nodes/Default/groups/_usbmuxd.plist matches  
Binary file ./Volume 0/root/private/var/db/dslocal/nodes/Default/users/_usbmuxd.plist matches  
Binary file ./Volume 0/root/private/var/db/dslocal/nodes/Default/sqlindex matches  
Binary file ./Volume 0/root/Users/hansel.apricot/Library/Safari/CloudAutoFillCorrections.db matches  
Binary file ./Volume 0/root/Users/hansel.apricot/Library/Safari/History.db matches  
Binary file ./Volume 0/root/Users/hansel.apricot/Library/Safari/Favicon Cache/favicons.db matches  
Binary file ./Volume 0/root/Users/hansel.apricot/Library/Safari/SearchDescriptions.plist matches

What is hansel.apricot’s Open Directory user UUID?

Open Directory is something like Active Directory on Windows. It also uses LDAP.

Found the answer here: ./Volume 0/root/private/var/log/install.log.

How? Guess 🤣

grep -ri "open directory" .

What exactly was typed in the Spotlight search bar on 4/20/2020 02:09:48?

find . -name "*spot*"                       
./plugins/spotlightshortcuts.py  
./plugins/spotlight.py  
./plugins/__pycache__/spotlightshortcuts.cpython-39.pyc  
./plugins/__pycache__/spotlight.cpython-39.pyc  
./plugins/helpers/spotlight_filter.py  
./plugins/helpers/spotlight_parser.py  
./plugins/helpers/__pycache__/spotlight_filter.cpython-39.pyc  
./plugins/helpers/__pycache__/spotlight_parser.cpython-39.pyc  
./samples/FruitBook/Volume 0/root/private/var/db/dslocal/nodes/Default/groups/_spotlight.plist  
./samples/FruitBook/Volume 0/root/private/var/db/dslocal/nodes/Default/users/_spotlight.plist  
./samples/FruitBook/Volume 0/root/Users/sneaky/Library/Application Support/com.apple.spotlight  
./samples/FruitBook/Volume 0/root/Users/sneaky/Library/Application Support/com.apple.spotlight/com.apple.spotlight.Shortcuts  
./samples/FruitBook/Volume 0/root/Users/sneaky/Library/Preferences/com.apple.corespotlightui.plist  

cat "./samples/FruitBook/Volume 0/root/Users/sneaky/Library/Application Support/com.apple.spotlight/com.apple.spotlight.Shortcuts"

Lessons Learned

Autopsy is good, but I got most of the answers using grep. When you don’t know where to look, it’s the best option. For large volumes of data that would not be an option, but for this challenge it worked well and I had a chance to learn where and what to look for. It’s a good way to explore a system you know little about and discover more artefacts.
