Magnet Forensics recently announced on their blog that they are beginning a weekly CTF challenge. The first question for the challenge went live on October 5th. The blog says that the questions revolve around an Android image that can be found here. A new challenge will be released each Monday morning on the CTF’s main website. A week after each challenge is released, it will be closed and blog posts can be made. Points will be awarded based on solving the challenge, creating custom Magnet Artifact and posting it on their Artifact Exchange, and posting a link to your blog post with #MagnetWeeklyCTF. The first challenge is titled “Challenge 1 (OCT 5-11) - Mapping the Digits” and is worth 20 points. The question for the challenge reads “What time was the file that maps names to IP’s recently accessed? (Please answer in this format in UTC: mm/dd/yyyy HH:MM:SS)”
First, we need to figure out what device the Android image was created from and then load it in Cellebrite Physical Imager. The file given to us is a tar file: MUS_Android.tar. Extracting the file gives a data directory that contains a lot of Android filesystem data. Before being able to load this properly in Cellebrite, we need to determine what device the image came from. My favorite way to determine this easily is to look at the Bluetooth device name. This can be found at in the settings_secure XML file found at /data/system/users/0/settings_secure.xml. Searching for “bluetooth_name” reveals the value assigned to it is “Pixel 3”.
So this Android image was taken from a Google Pixel 3 phone. With this knowledge, we can fully load it in Cellebrite Physical Analyzer. After opening Physical Analyzer, select Open Case. Select Add Evidence > Open (Advanced). Then we can hit Select Device and then set the device to the Google Pixel 3.
After this, select Filesystem - Android ADB Backup. Then we are prompted to select the folder or zip file containing the data. Select Zip Archive and add the tar file. Then select save UFD to save our case to a file. Next before finishing I selected Carve locations and Recover data from archives in case it’s needed for other challenges. Then select Examine to begin the processing.
Now we can focusing on solving the challenge question. The question has to do with the file that maps names to IP’s. The service that resolves names to IP addresses is the Domain Name System, or DNS. The file that stores resolved names to IPs is typically /etc/hosts on Linux systems. Searching for hosts in Cellebrite reveals that a file called hosts is located in /data/adb/modules/hosts/system/etc/hosts. The question wants the last time the file was accessed. Cellebrite shows this in the right hand panel.
Converting this to the time format required by the question gives us 03/05/2020 05:50:18. Enter this into the solution box, and we see this is correct! First week down!
