
Information
Category Name: Spotlight
Files: c18-spotlight.zip: 55MB
– FruitBook.ad1 56M
– FruitBook.ad1.txt 16K
My Recommendations
This is my personal preference: I like being organized and deleting a folder when I’m done with it.
mkdir Documents/CyberDefenders/Spotlight && cd Documents/CyberDefenders/Spotlight
Verify the image and then unzip it:
sha1sum /path/to/c18-spotlight.zip
unzip -j /path/to/c18-spotlight.zip
SHA1: e4b3f7c5886b29bad0f68cb46335b335bcae1171
If you are on Linux, you can view my guide to installing and using FTK Imager with wine. To run FTK Imager, go to your home directory and run:
wine '.wine/drive_c/Program Files/AccessData/FTK Imager/FTK Imager.exe'
Extract the AD1 image:
- From File select Image File.
- Click Browse and navigate to MyDocuments/CyberDefenders/Spotlight and select FruitBook.ad1.
- Click Finish.
Once it is attached, select File and ‘Extract Files’. Browse to the working directory (MyDocuments/CyberDefenders/Spotlight) and click OK.
The extracted folders have very long names, which isn’t ideal for the CLI. We can rename them like so:
mv 'FruitBook.E01_Partition 2 [102071MB]_[APFS Container] (5_5) [APFS]' APFS
mv 'APFS/macOS Catalina - Data [volume_0]' APFS/Data
mv 'APFS/macOS Catalina [volume_4]' APFS/Vol4
The main open-source tool I used for this CTF is mac_apt. I followed its installation instructions and installed it in my third-party tools directory, ‘/home/remnux/packs’.
Walkthrough
1. What version of macOS is running on this image?
The Operating System version can be found in the file ‘SystemVersion.plist’, just like on iOS.
find . -name 'SystemVersion.plist'
This returns the path ./APFS/Vol4/root/System/Library/CoreServices/SystemVersion.plist. To view its contents we can print the plist:
cat ./APFS/Vol4/root/System/Library/CoreServices/SystemVersion.plist
The version of macOS is under ‘ProductVersion’, which is 10.15 aka MacOS Catalina:

Answer: 10.15
2. What "competitive advantage" did Hansel lie about in the file AnotherExample.jpg? (two words)
Let’s find the file first:
find . -name 'AnotherExample.jpg'
which returns ./APFS/Data/root/Users/Shared/AnotherExample.jpg. Displaying the image shows nothing related to a competitive advantage:

Grepping for ‘advantage’ returns ‘CloudAutoFillCorrections.db’, which I doubt is related, as it belongs to Safari.
Given that it’s a CTF, we can print the file as text to see if any information can be found:

The last line is: Our newest phone will have helicopter blades and six cameras and <“flip phone”> technology!
Answer: flip phone
3. How many bookmarks are registered in safari?
The directory that contains Safari-related data is /Users/(username)/Library/Safari. The Bookmarks.plist file there stores information about saved bookmarks. First, let’s identify the path of the Safari folder, then print the property list:
find . -name 'Safari'
#returns ./APFS/Data/root/Users/hansel.apricot/Library/Safari
cat ./APFS/Data/root/Users/hansel.apricot/Library/Safari/Bookmarks.plist
Printing it with cat shows it’s in binary format:

To make it readable, we can convert it with plistutil into an XML formatted plist:
plistutil -i ./APFS/Data/root/Users/hansel.apricot/Library/Safari/Bookmarks.plist -o Bookmarks.plist
cat Bookmarks.plist
By printing it, we get an idea of its structure. This will help us identify which lines to grep.

The property list contains entries for different types of web bookmarks. We are interested in the ‘BookmarksBar’ array, which stores the URLs of bookmarked websites; each URL is associated with the key ‘URLString’.
To find the exact count of URLs, we can grep the file for ‘URLString’ and pipe the output to ‘wc -l’:
cat Bookmarks.plist | grep 'URLString' | wc -l
#returns 13
Answer: 13
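The grep approach counts every ‘URLString’ in the file, whatever container it sits in. This added Python example (not from the original post) walks the same Bookmarks.plist structure with plistlib, which reads the binary form directly, so no plistutil conversion is needed, and reports the count per top-level container as well as the overall total. The bookmark tree below is a constructed miniature, not data from the image.

```python
import plistlib

# Constructed miniature of Safari's Bookmarks.plist: folders are dicts of type
# WebBookmarkTypeList with a Children array; bookmarks are WebBookmarkTypeLeaf
# dicts carrying a URLString. Titles and URLs are made up for this example.
def leaf(url):
    return {"WebBookmarkType": "WebBookmarkTypeLeaf", "URLString": url}

def folder(title, children):
    return {"WebBookmarkType": "WebBookmarkTypeList", "Title": title,
            "Children": children}

SAMPLE_TREE = {
    "WebBookmarkType": "WebBookmarkTypeList",
    "Children": [
        folder("BookmarksBar", [
            leaf("https://example.com/"),
            folder("Work", [leaf("https://example.org/")]),   # nested folder
        ]),
        folder("BookmarksMenu", [leaf("https://example.edu/")]),
        folder("com.apple.ReadingList", [leaf("https://example.net/article")]),
    ],
}

# Safari writes the file as a binary plist, so serialise the sample the same
# way; plistlib.loads()/load() auto-detect binary vs XML on read.
SAMPLE_BINARY = plistlib.dumps(SAMPLE_TREE, fmt=plistlib.FMT_BINARY)

def iter_urls(node):
    """Yield every URLString at or below node, descending into nested folders."""
    if node.get("WebBookmarkType") == "WebBookmarkTypeLeaf" and "URLString" in node:
        yield node["URLString"]
    for child in node.get("Children", []):
        yield from iter_urls(child)

def count_by_container(plist_bytes):
    """Map each top-level container (BookmarksBar, ReadingList, ...) to its URL count."""
    root = plistlib.loads(plist_bytes)
    return {c.get("Title", "?"): sum(1 for _ in iter_urls(c))
            for c in root.get("Children", [])}

def count_all(plist_bytes):
    """Same total a grep for URLString over the XML form would give."""
    return sum(1 for _ in iter_urls(plistlib.loads(plist_bytes)))
```

Pointing plistlib.load() at the real Bookmarks.plist shows how many of the grep hits come from the BookmarksBar versus the menu or Reading List.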
4. What's the content of the note titled "Passwords"?
Notes are stored in a database called ‘NoteStore.sqlite’. Use find to get its full path:
find . -name 'NoteStore.sqlite'
#returns ./APFS/Data/root/Users/hansel.apricot/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite
Before doing anything, it’s important to take the question into account. Since we are dealing with an SQLite database, part of the data may still be in the .sqlite-wal file. It’s best practice to copy the file to the working directory before opening it, so that the original sqlite-wal file is not modified.
cp './APFS/Data/root/Users/hansel.apricot/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite' .
sqlitebrowser NoteStore.sqlite
In the table ‘ZICCLOUDSYNCINGOBJECT’, filter the column ZTITLE1 for Passwords:

The note is empty. In iOS and macOS, Notes have a title and a body (the actual note). It’s a bit of a misleading question, but the answer is Passwords. I assume the question counts the title as part of the content of the note.
Answer: Passwords
5. Provide the MAC address of the ethernet adapter for this machine.
The image doesn’t contain the NetworkInterfaces.plist file that normally stores this information. We can try grepping for ‘en0’, since the Ethernet interface is usually named en0:
grep -r -i 'en0' *

The file APFS/Data/root/private/var/log/daily.out provides a match. macOS logs disk and network usage daily and stores the output in this file. The MAC address for en0 (Ethernet) is 00:0c:29:c4:65:77.
Answer: 00:0C:29:C4:65:77
6. Name the data URL of the quarantined item.
cp APFS/Data/root/Users/sneaky/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 .
sqlitebrowser com.apple.LaunchServices.QuarantineEventsV2
There is only one Quarantined item:

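The quarantine database keeps its events in the LSQuarantineEvent table, with the download URL in LSQuarantineDataURLString and a timestamp in LSQuarantineTimeStamp that counts seconds from 2001-01-01 UTC rather than the Unix epoch. This added Python example (not from the original post) rebuilds a one-row copy of that table in memory and reads it back with the timestamp converted; the identifier, timestamp, agent and origin URL are constructed sample values, and only the column names are Apple's.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# LaunchServices stores LSQuarantineTimeStamp as Mac absolute time:
# seconds since 2001-01-01 00:00:00 UTC, not since the Unix epoch.
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

def mac_absolute_to_utc(seconds):
    """Render a Mac absolute timestamp as a UTC string."""
    return (MAC_EPOCH + timedelta(seconds=seconds)).strftime("%Y-%m-%d %H:%M:%S")

def build_sample_db():
    """Constructed in-memory stand-in for com.apple.LaunchServices.QuarantineEventsV2
    holding one event; the row values are made up for this example."""
    con = sqlite3.connect(":memory:")
    con.execute("""CREATE TABLE LSQuarantineEvent (
        LSQuarantineEventIdentifier TEXT PRIMARY KEY,
        LSQuarantineTimeStamp REAL,
        LSQuarantineAgentBundleIdentifier TEXT,
        LSQuarantineAgentName TEXT,
        LSQuarantineDataURLString TEXT,
        LSQuarantineOriginURLString TEXT)""")
    con.execute("INSERT INTO LSQuarantineEvent VALUES (?, ?, ?, ?, ?, ?)", (
        "00000000-0000-0000-0000-000000000001",       # placeholder identifier
        609069600.0,                                  # 2020-04-20 10:00:00 UTC
        "com.apple.Safari", "Safari",                 # downloading application
        "https://futureboy.us/stegano/encode.pl",     # data URL, as recapped in Q13
        "https://origin.example/"))                   # placeholder referrer
    con.commit()
    return con

def quarantine_events(con):
    """Return every quarantine event, oldest first, with the timestamp in UTC."""
    rows = con.execute("""SELECT LSQuarantineTimeStamp, LSQuarantineAgentName,
                                 LSQuarantineDataURLString, LSQuarantineOriginURLString
                          FROM LSQuarantineEvent
                          ORDER BY LSQuarantineTimeStamp""")
    return [{"time_utc": mac_absolute_to_utc(ts), "agent": agent,
             "data_url": data_url, "origin_url": origin_url}
            for ts, agent, data_url, origin_url in rows]
```

Against the copied QuarantineEventsV2 file, replace the in-memory connection with sqlite3.connect() on the copy and the same query applies.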
7. What app did the user "sneaky" try to install via a .dmg file? (one word)
First, let’s find out what .dmg files are present:
find . -name "*.dmg"
#returns APFS/Data/root/Users/sneaky/.Trash/silenteye-0.4.1b-snowleopard.dmg
There is only one .dmg file, in the trash, called silenteye-0.4.1b-snowleopard.dmg. This would be the SilentEye app, which is used for steganography.
To confirm that it was installed, we can grep for its name:
grep -r -i 'silenteye' *

The actions show that the user sneaky mounted the .dmg and then copied the installer app to the Applications directory.
Answer: silenteye
8. What was the file 'Examplesteg.jpg' renamed to?
Short-term filesystem changes are recorded in the ‘.fseventsd’ directory, and mac_apt has a plugin to parse those files.
If you followed my installation recommendations, you can enter these commands:
cd ~/packs/mac_apt
source env/bin/activate
python mac_apt_artifact_only.py -i ~/Documents/CyberDefenders/Spotlight/APFS/Data/root/.fseventsd -o ~/Documents/CyberDefenders/Spotlight/fsevents FSEVENTS
deactivate
cd ~/Documents/CyberDefenders/Spotlight
sqlitebrowser fsevents/mac_apt.db
Filter Filepath for Examplesteg.jpg and sort LogID in descending order. This ensures the first row is the last event in which the file was still named ‘Examplesteg.jpg’:

Note the File_ID of the first row; it’s 12885043806. Now reset the Filepath filter and filter File_ID for 12885043806:

We can see that the file was renamed multiple times, and the last filename (first row) is GoodExample.jpg.
Answer: GoodExample.jpg
9. How much time was spent on mail.zoho.com on 4/20/2020?
Screen Time data can be found in the RMAdminStore-Local.sqlite database, just like on iOS. We can use find to copy the file into our working directory:
find . -name 'RMAdminStore-Local.sqlite' -exec cp "{}" . \;
This is a good time to use mac_apt, because the database is a nightmare to work with manually. If you followed my installation recommendations, you can enter these commands:
cd ~/packs/mac_apt
source env/bin/activate
python mac_apt_artifact_only.py -i ~/Documents/CyberDefenders/Spotlight/RMAdminStore-Local.sqlite -o ~/Documents/CyberDefenders/Spotlight/Screentime SCREENTIME
deactivate
cd ~/Documents/CyberDefenders/Spotlight
sqlitebrowser Screentime/mac_apt.db
mac_apt returns ‘No Screen Time artifacts found’. If you grep for ‘mail.zoho.com’, you will find that RMAdminStore-Local.sqlite-wal matches: the data is still in the write-ahead log. Our best bet is to copy the sqlite-wal file next to the database and run mac_apt again with the instructions above:
rm Screentime/mac_apt.db
find . -name 'RMAdminStore-Local.sqlite-wal' -exec cp "{}" . \;
#follow the mac_apt instructions above to parse the database
When you open the database, filter Application with mail.zoho.com and Start_Date with 2020-04-20:

On that day, mail.zoho.com was used twice. The total time is 00:04:34 + 00:16:24 = 00:20:58.
Answer: 20:58
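Question 4 and Question 9 both hinge on the same SQLite detail: rows committed after the last checkpoint exist only in the -wal file, so a copy of the main .sqlite file on its own silently loses them. This added Python example (not from the original post or from mac_apt) builds a constructed WAL-mode database, copies it once without and once with its -wal/-shm sidecars, and counts the rows each copy yields; the table and its single row are made up for the example.

```python
import os
import shutil
import sqlite3
import tempfile

def build_sample(workdir):
    """Constructed stand-in for RMAdminStore-Local.sqlite: the schema is
    checkpointed into the main file, the data row is left in the -wal only."""
    db = os.path.join(workdir, "Sample.sqlite")
    con = sqlite3.connect(db)
    con.execute("PRAGMA journal_mode=WAL")
    con.execute("CREATE TABLE usage(app TEXT, seconds INTEGER)")
    con.execute("PRAGMA wal_checkpoint(TRUNCATE)")            # schema -> main file
    con.execute("INSERT INTO usage VALUES ('mail.zoho.com', 274)")  # made-up row
    con.commit()                                               # -> Sample.sqlite-wal
    return con, db   # keep the connection open: closing it would checkpoint the WAL

def copy_evidence(db, dest, with_sidecars):
    """Copy the main file and, optionally, its -wal and -shm sidecars into dest."""
    os.makedirs(dest, exist_ok=True)
    suffixes = ["", "-wal", "-shm"] if with_sidecars else [""]
    for suffix in suffixes:
        src = db + suffix
        if os.path.exists(src):
            shutil.copy2(src, os.path.join(dest, os.path.basename(src)))
    return os.path.join(dest, os.path.basename(db))

def count_rows(db):
    """Open a copy and count what SQLite can actually see in it."""
    con = sqlite3.connect(db)
    try:
        return con.execute("SELECT COUNT(*) FROM usage").fetchone()[0]
    finally:
        con.close()

def compare_copies():
    """Return (rows in main-file-only copy, rows in copy with -wal/-shm)."""
    with tempfile.TemporaryDirectory() as tmp:
        con, db = build_sample(tmp)
        main_only = copy_evidence(db, os.path.join(tmp, "main_only"), False)
        with_wal = copy_evidence(db, os.path.join(tmp, "with_wal"), True)
        con.close()
        return count_rows(main_only), count_rows(with_wal)

if __name__ == "__main__":
    print(compare_copies())
```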
10. What's hansel.apricot's password hint? (two words)
find . -name 'hansel.apricot.plist' -exec cp "{}" . \;
plistutil -i hansel.apricot.plist -o hansel.plist
cat hansel.plist | grep hint -A 5

The hint value contains the password hint, which is Family Opinion.
Answer: Family Opinion
11. The main file that stores Hansel's iMessages had a few permissions changes. How many times did the permissions change?
Permission changes are also recorded in .fseventsd. Since we already parsed the files with mac_apt, we can open the database:
sqlitebrowser fsevents/mac_apt.db
The main file storing iMessages on macOS is ‘chat.db’. Filter EventFlags for ‘permissions’ and Filepath for ‘chat.db’:

There were 7 permission changes.
Answer: 7
12. What's the UID of the user who is responsible for connecting mobile devices?
The process responsible for connecting iPhones/iPads to macOS is lockdown, so we can grep for it:
grep -r -i 'lockdown' *
#returns APFS/Data/root/private/var/db/dslocal/nodes/Default/users/_usbmuxd.plist
plistutil -i 'APFS/Data/root/private/var/db/dslocal/nodes/Default/users/_usbmuxd.plist' -o usbmux.plist
cat usbmux.plist
The UID is actually the GID:

Answer: 213
13. Find the flag in the GoodExample.jpg image. It's hidden with better tools.
Let’s find the file and copy it to our directory:
find . -name 'GoodExample.jpg' -exec cp "{}" . \;
In Question 8, we found out that Examplesteg.jpg was renamed to GoodExample.jpg. The file was originally downloaded from the web, then renamed and moved. Given the pattern of artifacts referencing steganography, we can assume that GoodExample.jpg contains a message hidden with an online steganography tool.
In Question 6, we saw that macOS logged a download from https://futureboy.us/stegano/encode.pl. Opening the URL in a browser shows that it’s a steganography tool to encode/decode messages in images.
We can try to decode the message by choosing ‘Decode an image’ and uploading ‘GoodExample.jpg’:

Answer: helicopter
14. What was exactly typed in the Spotlight search bar on 4/20/2020 02:09:48?
Since we do not have the Spotlight databases, which usually store Spotlight-related data, we can grep for the date:
grep -r -i '2020-04-20' *
which returns a match in the Spotlight Shortcuts file:
cat 'APFS/Data/root/Users/sneaky/Library/Application Support/com.apple.spotlight/com.apple.spotlight.Shortcuts'

The word ‘term’ was typed to open the Terminal application at 2020-04-20T02:09:48Z.
Answer: term
15. What is hansel.apricot's Open Directory user UUID?
In Question 10, we copied the user plist for hansel.apricot. This property list also holds the UUID.
cat hansel.plist
The Open Directory user UUID is located under the key ‘generateduid’:

Answer: 5BB00259-4F58-4FDE-BC67-C2659BA0A5A4
Description:
Spotlight is a MAC OS image forensics challenge where you can evaluate your DFIR skills against an OS you usually encounter in today’s case investigations.