
Information
Category Name: DFA2020: Fruit Book
Files: DFA_Mac.zip: 28.66 GB
My Recommendations
From the CTF. Since it’s a large file, I downloaded the .zip file to an external drive and uncompressed it there. I shared the folder of the extracted archive with my Virtual Machine. Verify the hash with ewfverify:
ewfverify /path/to/FruitBook.E01
SHA1: e629634283f2e5861a91847ec64042e240516da4
This is my personal preference; I like being organized and deleting a folder when I’m done with it.
mkdir Documents/dfa20/mac
If you followed my FruitPad write-up and already installed mac_apt, you can skip to run.
Installation (from the CTF working directory, Documents/dfa20):
cd Documents/dfa20
mkdir macapt && cd macapt
##Install mac_apt following these instructions
Run:
cd macapt
source env/bin/activate
cd mac_apt
python mac_apt.py -o /home/remnux/Documents/dfa20/mac E01 /mnt/hgfs/DFA_Mac/FruitBook.E01 ALL
cd ..
deactivate
cd ..
Don’t forget to go back to the Documents/dfa20/mac directory:
cd mac
This is my cheatsheet to mount APFS E01 images in Linux.
Walkthrough
1. Mmmm, red and DeliciOuS (50)
What version of macOS is running on this image?
sqlitebrowser mac_apt.db
Open the Basic_info table and you will see that the macOS Version is 10.15.

Answer: flag<10.15>
2. Simple Secret Messaging (150)
What “copetitive advatge” did Hansel lie about in the file AnotherExample.jpg?
Flag will be found in this format: <“two words”>. (submit as ‘flag<“two words”>’ no single quotes)
In the Notes table of mac_apt.db, Hansel has a note titled 555-0123, which contains “I know some of the new features of our phone! That’s a “competitive advantage” :D”. I looked everywhere and couldn’t find anything more about the subject… until I got to the TermSessions table. Plot twist, hansel created the user sneaky!

Looking at sneaky’s Commands, he actually tried (succeeded?) at appending text to AnotherExample.jpg.

Sneaky’s first two attempts didn’t work; eventually he redirected the text “!Our newest phone will have helicopter blades and six cameras and <“flip phone”> technology!” to a file “secret”, which he then merged into AnotherExample.jpg.
Answer: flag<“flip phone”>
3. Book it real good (200)
How many bookmarks are registered in safari?
Warning, you only have 1 try at this
In the Safari table of mac_apt.db, filter Type by typing “Bookmark”, which lists all Safari Bookmarks. There are 13 total!

Answer: flag<13>
4. Have you been keeping notes this semester? (200)
What is the IOS version of this device?
In mac_apt.db, in the Notes table, the contents are in the Data column:

CyberDefenders: Answer is Passwords
I personally find that super misleading as the note’s content is technically empty. It’s literally a blank line.
DFA2020 CTF: I have no idea. I tried every possible combination, I created a timeline to figure out what this note could be, but it didn’t help.
Time | Activity
2020-04-20 00:53:38.660101 | Note Created
2020-04-20 00:53:46.427545 | Note Modified (8 seconds later)
2020-04-20 00:55 | Safari Search: “should I store my passwords in notes?”, “Is it safe to store passwords on a note-taking app of an iPhone and iPad?”
2020-04-20 00:56 | Safari Search: “should I store my passwords in notes desktop?”
2020-04-20 00:56 | Visited Link: “How to secure your passwords on Mac” (url contains list of softwares)
2020-04-20 00:56:27.42515 | Safari Search Gap START
2020-04-20 00:57:28 | Spotlight search hansel.apricot for Keychain Access
2020-04-20 01:00:16.887645 | Safari Search Gap END
Hypothesis 1: the note was used to write down softwares/methods to secure the passwords.
Hypothesis 2: after writing his note, he copied and pasted the content of the note into the Keychain. I tried to crack the keychain with Chainbreaker, as I do know the password for sneaky (sneaky_snake), but none of the entries match.
Hypothesis 3: the image or CTF has an error?
5. We’ve renamed it “Fruit Address” (200)
Provide the MAC address of the ethernet adapter for this machine.
In the Network_details table of mac_apt.db, we can see that there are two Ethernet devices, en1 is Bluetooth PAN and en0 is Ethernet.

We can find the MAC address by going to the Network_Interfaces table:

Answer: flag<00:0C:29:C4:65:77>
6. A topical question for this day and age (300)
Name the data URL of the quarantined item
In mac_apt.db, go to the table Quarantine. There is only one Quarantined item:

Answer: flag<https://futureboy.us/stegano/encode.pl>
7. Wrong Way (300)
What app did the user “sneaky” try to install via a .dmg file?
Going to the InstallHistory table in mac_apt.db doesn’t give any results about an App being installed via DMG. Since this table parses the /Library/Receipts/InstallHistory.plist property list, I’m assuming it accounts for the applications installed through the App Store.

To install an application via DMG on Mac, you need to first mount the DMG and Drag/Drop the .app file into the Applications directory. The RecentItems table accounts for Volumes, filtering the column by Type: Volume and User: Sneaky:

We can see that Sneaky installed the application SilentEye.
Even if sneaky had deleted/modified the file com.apple.LSSharedFileList.RecentApplications.sfl2 (which is where this data is stored), there is still evidence in the TermSessions table. If you filter by User sneaky and look at the contents of “All_Commands”, he mounted “silenteye-0.4.1b-snowleopard.dmg” and copied the App to the Applications directory.

Answer: flag<silenteye>
8. Covering Tracks (400)
What was the file ‘Examplesteg.jpg’ renamed to?
File Modifications are stored as “fsevents” on Apple Operating Systems. In the FsEvents table in mac_apt.db I filter the FilePath with Examplesteg.jpg:

Noting its File_ID is 12885043806, I reset the Filepath and instead filter by Examplesteg.jpg’s File_ID:

The file had three names: ExampleSteg.jpg, Example.jpg, GoodExample.jpg. To make our life a little bit harder, the SourceModDate values are all the same, so we have to think with a “logical” timeline instead.
The file was:
1. Created|RenamedOrMoved|Modified|XAttrModified as Users/sneaky/Downloads/Examplesteg.jpg.download/Examplesteg.jpg
2. Then, RenamedOrMoved|XAttrModified as Users/sneaky/Downloads/Examplesteg.jpg
3. Within that same directory (Downloads), it was renamed to Example.jpg and then to GoodExample.jpg.
I’m assuming its last name was GoodExample.jpg, because “GoodExample.jpg” was moved to the Users/Shared directory, and the File_ID appears nowhere else, which means it was its final destination.
My hypothesis is supported by the “LogID” column if I sort it in descending order:

Answer: flag<GoodExample.jpg>
9. It’s time for mail (450)
How much time was spent on mail.zoho.com on 4/20/2020?
Answer in flag<MM:SS>
In the ScreenTime table of mac_apt.db, filter the Application with mail.zoho.com and the Start_date with “2020-04-20“:

04:34 + 16:24 = 20:58
Answer: flag<20:58>
10. Quickest look in the west (500)
What is the name of the file that has a QuickLook bitmap data location of 166472?
In the mac_apt.db Quicklook table, no file matches this value:

When I run into problems like this in CTFs, I prefer to look at the source files. Thankfully, mac_apt automatically exports the files it parses into the directory Export. In this case, I’m going to look at the Export/QUICKLOOK folder and copy the relevant files, as I would like to avoid messing up the “-wal” files.
ls -la macapt/Export/QUICKLOOK

cp macapt/Export/QUICKLOOK/hansel.apricot_index.sqlite hanselquick.sqlite && sqlitebrowser hanselquick.sqlite
Going to the table thumbnails, and on the column bitmapdata_location there is a matching 166472 value. There is no associated file name but there is a file_id: -9223372023969803220, which actually appears three times in the thumbnails table, but with different bitmapdata_location:

Going back to mac_apt.db, I’m going to check if there’s a bitmapdata_location belonging to this file_id:

And there is! 65864 for GET A NEW PHONE TODAY!.jpg. Considering the Hit_Count for both is 13, we can assume this is the file in question.
Answer: flag<GET A NEW PHONE TODAY!.jpg>
11. Take a hint (550)
What’s hansel.apricot’s password hint?
In the Users table in mac_apt.db, filter Users with hansel.apricot, move to the right, and there will be a column “PasswordHint”, which is “Family Opinion”.

Answer: flag<Family Opinion>
12. Change is good (600)
The main file that stores Hansel’s iMessages had a few permissions changes. How many times did the permissions change?
Warning, you only have one attempt at this
The file that stores iMessages is “chat.db“. On Apple Operating Systems, changes to files or directories are recorded in fsevents. In mac_apt.db, I open the massive FsEvents table and filter the FilePath with “chat.db“.

Hansel.apricot’s “main” chat.db file is the one with the File_ID “12884931470”; it’s important to note this, as the “.db-shm” and “.db-wal” files are different entities. Filtering the File_ID with this value and EventFlags with PermissionChange:

There was a total of 7 Permission Changes.
Answer: flag<7>
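The two FsEvents pivots used in questions 8 and 12 (pivot from a filename to its File_ID, replay its rename chain in LogID order, and count PermissionChange flags for that File_ID only, so chat.db-wal/-shm stay out) as an added example that is not part of the original write-up. It runs against a constructed in-memory table whose column names (LogID, File_ID, FilePath, EventFlags) are the ones named in the write-up; the paths, IDs and LogIDs are made up, and the real mac_apt.db table has more columns.

```python
import sqlite3

# Constructed sample in the shape of mac_apt's FsEvents table (made-up values).
SAMPLE_ROWS = [
    # (LogID, File_ID, FilePath, EventFlags)
    (10, 42, "Users/sneaky/Downloads/Examplesteg.jpg.download/Examplesteg.jpg",
     "Created|RenamedOrMoved|Modified|XAttrModified"),
    (11, 42, "Users/sneaky/Downloads/Examplesteg.jpg", "RenamedOrMoved|XAttrModified"),
    (12, 42, "Users/sneaky/Downloads/Example.jpg", "RenamedOrMoved"),
    (13, 42, "Users/sneaky/Downloads/GoodExample.jpg", "RenamedOrMoved"),
    (14, 42, "Users/Shared/GoodExample.jpg", "RenamedOrMoved"),
    (20, 77, "Users/hansel.apricot/Library/Messages/chat.db", "Modified|PermissionChange"),
    (21, 78, "Users/hansel.apricot/Library/Messages/chat.db-wal", "Modified|PermissionChange"),
    (22, 77, "Users/hansel.apricot/Library/Messages/chat.db", "PermissionChange"),
    (23, 77, "Users/hansel.apricot/Library/Messages/chat.db", "Modified"),
]


def open_sample():
    """In-memory stand-in for mac_apt.db; swap for sqlite3.connect('mac_apt.db')."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE FsEvents (LogID INTEGER, File_ID INTEGER, "
                 "FilePath TEXT, EventFlags TEXT)")
    conn.executemany("INSERT INTO FsEvents VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def find_file_id(conn, filename):
    """File_IDs ever recorded under a bare filename (the pivot step)."""
    rows = conn.execute("SELECT DISTINCT File_ID FROM FsEvents WHERE FilePath LIKE ?",
                        ("%/" + filename,))
    return [fid for (fid,) in rows]


def name_history(conn, file_id):
    """Distinct successive paths of one File_ID, ordered by LogID (the position
    in the fsevents log) because SourceModDate is identical for every row."""
    history = []
    for (path,) in conn.execute(
            "SELECT FilePath FROM FsEvents WHERE File_ID = ? ORDER BY LogID", (file_id,)):
        if not history or history[-1] != path:
            history.append(path)
    return history


def permission_change_count(conn, file_id):
    """Rows of one File_ID whose pipe-separated EventFlags contain PermissionChange."""
    (count,) = conn.execute(
        "SELECT COUNT(*) FROM FsEvents WHERE File_ID = ? "
        "AND ('|' || EventFlags || '|') LIKE '%|PermissionChange|%'", (file_id,)).fetchone()
    return count
```

On the real image, replace open_sample() with a connection to mac_apt.db and the same three queries apply unchanged.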
13. CONNECT THAT FRUIT PHONE (600)
What’s the UID of the user that is responsible for connecting mobile devices?
The Users table is the only table that contains UIDs. If you filter the “Realname” column for mobile you get this:

But if you filter for Iphone:

The second option, UID 213, is correct. To be honest, if I wasn’t familiar with iOS I wouldn’t know which one is correct. When you connect an iOS device to a Mac, the data is stored in /private/var/root/Library/Lockdown on the iOS device. Lockdown is what handles the communication between both devices.
Answer: flag<213>
14. REAL Steganography Hiding (600)
Find the flag in the GoodExample.jpg image. It’s hidden with better tools.
The juiciest of juicy information in a Forensics CTF is usually found in the Browser Search History. It’s what I usually check first, to get an idea of the person investigated. In the Safari table of mac_apt.db, I filter the column Type with “History“. From question 8, we know that the user Sneaky was the one playing around with GoodExample.jpg, so I filter the User column with “sneaky“.
Sneaky searched for “online steganography tools” and encrypted a file on the site: https://futureboy.us/stegano/ (at 2020-04-20 02:57:02.157343) and then https://futureboy.us/stegano/encinput.html (at 2020-04-20 02:57:08.636801).

From question 8, we know that GoodExample.jpg was last saved as /Users/Shared/GoodExample.jpg. For this particular question, we are going to need to access the filesystem. This post explains how to mount the E01 image so we can get the flag!
cp /mnt/apfs/root/Users/Shared/GoodExample.jpg Documents/dfa20
So now, I go to the website that sneaky visited to encrypt this image: https://futureboy.us/stegano/ , choose Decrypt and…

This is it! Our flag:
Answer: flag<helicopter>
15. Searching for the truth (600)
What was exactly typed in the Spotlight search bar on 4/20/2020 02:09:48
I looked at all the Spotlight tables in mac_apt.db and found nothing with this date; at first I assumed that maybe it was a timestamp issue. In the table SpotlightShortcuts, I see that at 02:09:48 on the 4th of April 2020, sneaky searched for “term” (aka Terminal).

Answer: flag<term>
16. FBI OPEN UP (650)
What is hansel.apricot’s Open Directory user UUID?
Flag formatted as: flag<XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX>
Filter the Users table in mac_apt.db with hansel.apricot; the column UUID is his Open Directory user UUID.

Answer: flag<5BB00259-4F58-4FDE-BC67-C2659BA0A5A4>
TLDR
– macOS forensics is less developed/explored than for other OSes.
– mac_apt is a fantastic tool for MacOS.
– This section tapped into fsevents, a very important artifact.