Home Magnet Weekly CTF 4 - Animals That Never Forget

Magnet Weekly CTF 4 - Animals That Never Forget

After last week’s more difficult challenge, this week Magnet gives us a simpler challenge worth 25 points. This question only allows three answers to be attempted.

Challenge question

The question asks:

Chester likes to be organized with his busy schedule. Global Unique Identifiers change often, just like his schedule but sometimes Chester enjoys phishing. What was the original GUID for his phishing expedition?

Hmm. My plan of attack was to find some possible date’s of the phishing attack and then look for references to those dates in the image. Searching for “phishing” does not yield any results in the image. Going through Chester’s chats however reveals that he was indeed planning on some phishing. On March 3rd, 2020, Chester sent a message to Alan Brunswick via a twitter conversation stating “we phish him”.

Twitter message

The following day, Chester states that he has a rough draft they should use to phish their intended target.

Twitter draft

So, if Chester came up with the idea to phish and made a draft in those two days, it’s possible he wrote the plan down, made a note, or added an event somewhere for the phishing expedition. And it could have a GUID. Looking at the Application Usage Logs section in Cellebrite for March 23rd and 24th, com.evernote was used a lot and sticks out. Evernote is a note taking app and could have been used to maybe create the phishing draft or write down some dates. We can go to Installed Applications > com.evernote > Run SQLite Wizard and look at the apps data. You will be greeted with several different databases. There are several database tables but the most promising one appears to be Evernote’s user database: user213777210-1585004951163-Evernote.db. Sure enough, this database has a notes table with an entry that has a title of “Phishy Phish phish”. It also has a GUID value of c80ab339-7bec-4b33-8537-4f5a5bd3dd25.

Note in evernote db

If we look closely at the question though, it wants the original GUID of the note. Looking through the database some more reveals there is a table called guid_updates with out GUID and and old_guid of 7605cc68-8ef3-4274-b6c2-4a9d26acabf1.


Inputting 7605cc68-8ef3-4274-b6c2-4a9d26acabf1 into the solution box reveals that is indeed the correct answer. Week 4 completed!


This post is licensed under CC BY 4.0 by the author.