MVS2021: Chromebook

From my research before the actual CTF, the acquisition method MAGNET Chromebook Acquisition Assistant uses is based on Daniel Dickerman’s method explained here. In short, if we are to analyze the image in the CLI, we only want the “decrypted/mount” folder.

Information

Image: Chrome OS
Category Name: Chromebook

My Recommendations

This is my personal preference: I like being organized and deleting a folder when I’m done with it.

cd Documents/Magnet

Verify the file with md5sum:

md5sum Chromebook.tgz

Walkthrough

1. Promise Me (5)

How many promises does Wickr make?

Not going to lie, I googled ‘Wickr Promises’, found this and counted the Customer Security Promises on page 3.

Answer: 6

2. RoadTrip (5)

What city was Eli’s destination in?

Thanks to question 6, I managed to answer this one! His destination was Plattsburgh, New York.

Answer: Plattsburgh

3. Smile for the camera (5)

What is the MD5 hash of the user’s profile photo?

Per Google, the user’s profile photo is stored at chromebook/decrypted/mount/user/Accounts/Avatar\ Images/.

md5sum chromebook/decrypted/mount/user/Accounts/Avatar\ Images/*

Answer: 5ddd4fe0041839deb0a4b0252002127b

4. The folder to store all your data in (5)

How many files are in Eli’s downloads directory?

ls -la chromebook/decrypted/mount/user/Downloads

Answer: 6

5. Autofills, roll out (10)

Which word was Autofilled the most?

Autofills are stored in the Web Data database, in the “Autofills” table:

sqlitebrowser chromebook/decrypted/mount/user/Web\ Data

The word “email” was autofilled most.

Answer: email

6. Dress for success (10)

In bytes, what is the logical size of this bird’s image?

find chromebook/decrypted/mount/user -name "*.png" -o -name "*.jpg" -o -name "*.jpeg"

All files matching these extensions are in the Extensions directory or in Downloads. Moving into the Downloads directory, since the file names contain spaces and escaping them with backslashes is too time consuming.

cd chromebook/decrypted/mount/user/Downloads
# using ImageMagick's display command
display *.jpg
# displays third_party_1613945285717.jpg, a lacrosse picture
display 'Screenshot 2021-03-04 at 3.16.31 AM.png'
# a screenshot of a Google Search
display 'Screenshot 2021-03-04 at 3.17.06 AM.png'
# the answer to question 2, which I skipped because *time*
display tux.png

A penguin! To get its logical size:

ls -l tux.png

Answer: 46791

7. Key-ty Cat (10)

What are the last five characters of the key for the Tabby Cat extension?
 

The parent directory of the Tabby Cat extension is:

chromebook/decrypted/mount/user/Extensions/mefhakmgclhhfbdadeojlkbllmecialg

We need to cat its “manifest.json”, where the key is stored:

cat chromebook/decrypted/mount/user/Extensions/mefhakmgclhhfbdadeojlkbllmecialg/*/manifest.json

Answer: DAQAB

8. Time to jam out (10)

How many songs does Eli have downloaded?

find chromebook/decrypted/mount/user -name "*.mp3" -o -name "*.ogg"

Answer: 2

9. It’s about the journey not the destination (25)

How many miles would the trip have been if Eli took the long way? Answer to the single decimal digit (ex. 9.1).

Back to the screenshot in Question 2, the long way would’ve been 81.2 miles.

Answer: 81.2

10. Repeat customer (25)

What was Eli’s top visited site? (Domain Name)

I know that the visit counts in Google Chrome are stored in the “urls” table of the History database.

sqlitebrowser chromebook/decrypted/mount/user/History

In the Table “urls”, I sort by “visit_count” and see 124 counts for https://docs.google.com/spreadsheets/d/1uAv_iMnp0xt8Cn_NJqbk8zA1SPFjL3ddWWhRy8K0Gsc/edit#gid=0 (AKA the To-Purchase spreadsheet).

Is it https://docs.google.com or google.com (since technically docs.google.com is a subdomain of google.com)? docs.google.com doesn’t work.

UPDATE

Dear TN from the Comments ☺️ Thank you! The answer is not in the History database, but in the Top Sites database at chromebook/decrypted/mount/user/Top Sites.

sqlitebrowser chromebook/decrypted/mount/user/Top\ Sites

Answer: protonmail.com
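Both the Autofills question (5) and this one come down to aggregating rows in Chrome’s SQLite databases rather than eyeballing them in sqlitebrowser. Added example, not from the writeup: it builds constructed stand-ins for the Web Data autofill table and the History urls table (schemas trimmed to the columns used; the sample rows, visit counts and spreadsheet id are made up), sums autofill counts per word across form-field names, and sums History visits per domain so docs.google.com and www.google.com land in one bucket.

```python
import sqlite3
from urllib.parse import urlparse

# Constructed rows shaped like the autofill table in Chrome's "Web Data" database
# (name, value, count); keyed on (name, value), so one word can appear under several fields.
AUTOFILL_ROWS = [
    ("username", "eli", 9),
    ("email", "eli@example.invalid", 4),
    ("login", "eli", 3),
    ("q", "lamborghini", 7),
]

# Constructed rows shaped like the urls table in Chrome's History (placeholder spreadsheet id).
URL_ROWS = [
    ("https://docs.google.com/spreadsheets/d/EXAMPLE_ID/edit#gid=0", "To-Purchase", 124),
    ("https://mail.protonmail.com/inbox", "ProtonMail", 80),
    ("https://protonmail.com/", "ProtonMail", 70),
    ("https://www.google.com/search?q=lamborghini", "lamborghini - Google Search", 20),
]

def build_db() -> sqlite3.Connection:
    """In-memory stand-in for the two Chrome databases (constructed, not the image)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE autofill (name TEXT, value TEXT, count INTEGER)")
    con.executemany("INSERT INTO autofill VALUES (?, ?, ?)", AUTOFILL_ROWS)
    con.execute("CREATE TABLE urls (url TEXT, title TEXT, visit_count INTEGER)")
    con.executemany("INSERT INTO urls VALUES (?, ?, ?)", URL_ROWS)
    return con

def top_autofill_values(con, limit=3):
    """Sum count per value across field names; sorting single rows would miss this."""
    return con.execute(
        "SELECT lower(value) AS word, SUM(count) AS total FROM autofill "
        "GROUP BY word ORDER BY total DESC LIMIT ?", (limit,)).fetchall()

def registrable_domain(url: str) -> str:
    """Last two host labels (no public-suffix list, so co.uk-style names would be wrong)."""
    return ".".join((urlparse(url).hostname or "").split(".")[-2:])

def visits_by_domain(con):
    """Aggregate History visit_count per domain instead of per full URL."""
    totals = {}
    for url, count in con.execute("SELECT url, visit_count FROM urls"):
        dom = registrable_domain(url)
        totals[dom] = totals.get(dom, 0) + count
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    db = build_db()
    print(top_autofill_values(db), visits_by_domain(db))
```

On the constructed rows the per-URL leader is the docs.google.com spreadsheet, but per domain protonmail.com comes out on top, which is the kind of gap between History and Top Sites that tripped up the original answer.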

11. Vroom Vroom (50)

What is the name of the car related theme?
 

Honestly, since I completed the Takeout Challenge first, I knew there was something about ‘Lamborghini’ in the Browser Search. During the challenge, I grepped for Lamborghini just to confirm and – voila.

If I hadn’t completed that part first, I would probably do the following:

1. Google Search where Chrome Themes are stored, which says they are stored in the Extensions directory.

2. From the Key-ty Cat question, I know that extension information is stored in “manifest.json”. So let’s find all of them:

find chromebook/decrypted/mount/user/Extensions -type f -name "manifest.json"

3. They are stored in a subfolder within their respective “parent” folder. 

grep "theme" chromebook/decrypted/mount/user/Extensions/*/*/manifest.json

4. There are three files matching “theme”, but one matches more than the others, so cat it and …

Answer: Lamborghini Cherry
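The Key-ty Cat and Vroom Vroom questions both read fields out of manifest.json, so here is an added example (not from the writeup) that walks an Extensions/<id>/<version>/manifest.json tree and reports, per extension, the key tail, whether the manifest carries a “theme” object, and whether the key actually derives to the directory name using Chromium’s SHA-256 based ID derivation. The Extensions tree, names and key are constructed for the example.

```python
import base64
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed placeholder key. Real manifests carry a base64 DER RSA public key, which for a
# 2048-bit key with exponent 65537 ends in "IDAQAB", so the tail alone identifies little.
SAMPLE_KEY = base64.b64encode(b"constructed placeholder bytes, not a real key").decode()

def extension_id_from_key(key_b64: str) -> str:
    """Chromium's ID derivation: first 16 bytes of SHA-256(decoded key), hex digits 0-f -> a-p."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).hexdigest()[:32]
    return "".join(chr(ord("a") + int(c, 16)) for c in digest)

def summarize_extensions(extensions_dir: Path) -> list:
    """Walk Extensions/<id>/<version>/manifest.json and collect the forensic fields."""
    rows = []
    for manifest in sorted(extensions_dir.glob("*/*/manifest.json")):
        data = json.loads(manifest.read_text())
        dir_id, key = manifest.parts[-3], data.get("key")
        rows.append({
            "dir_id": dir_id,
            "name": data.get("name"),
            "version": data.get("version"),
            "is_theme": "theme" in data,  # themes are extensions carrying a "theme" object
            "key_tail": key[-5:] if key else None,
            "key_matches_dir": (extension_id_from_key(key) == dir_id) if key else None,
        })
    return rows

def build_sample_tree(root: Path) -> Path:
    """Constructed Extensions tree: one theme whose ID matches its key, one that does not."""
    ext = root / "Extensions"
    theme_dir = ext / extension_id_from_key(SAMPLE_KEY) / "1.0_0"
    theme_dir.mkdir(parents=True)
    (theme_dir / "manifest.json").write_text(json.dumps({
        "name": "Sample Car Theme", "version": "1.0", "key": SAMPLE_KEY,
        "theme": {"colors": {"frame": [200, 0, 0]}}}))
    tool_dir = ext / ("a" * 32) / "2.3_0"
    tool_dir.mkdir(parents=True)
    (tool_dir / "manifest.json").write_text(json.dumps(
        {"name": "Sample Tool", "version": "2.3", "key": SAMPLE_KEY}))
    return ext

def demo() -> list:
    return summarize_extensions(build_sample_tree(Path(tempfile.mkdtemp())))

if __name__ == "__main__":
    for row in demo():
        print(row)
```

Point summarize_extensions at the real chromebook/decrypted/mount/user/Extensions directory to get the same table for the image; a key that does not derive to its directory name is worth a second look.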
