Spotlight - MAC Image Forensics

Read some articles before you play.

What version of macOS is running on this image?

# Google "mac os file system structure"
# /System/Library/CoreServices/SystemVersion.plist

# sudo python3 mac_apt.py -d E01 ../Spotlight/FruitBook.E01 APPLIST
# cat /Export/BASICINFO/SystemVersion.plist

$ sudo python3 mac_apt.py -d E01 ../Spotlight/FruitBook.E01 APPLIST
$ cat /Export/BASICINFO/SystemVersion.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>ProductBuildVersion</key>
    <string>19A583</string>
    <key>ProductCopyright</key>
    <string>1983-2019 Apple Inc.</string>
    <key>ProductName</key>
    <string>Mac OS X</string>
    <key>ProductUserVisibleVersion</key>
    <string>10.15</string>
    <key>ProductVersion</key>
    <string>10.15</string>
    <key>iOSSupportVersion</key>
    <string>13.0</string>
</dict>
</plist>

Second way:

Export SystemVersion.pslist from /System/Library/CoreServices/SystemVersion.plist
cat SystemVersion.plist

What "copetitive advatge" did Hansel lie about in the file AnotherExample.jpg? (two words)

/usr/share/AnotherImage.jpg
strings AnotherImage.jpg
!Our newest phone will have helicopter blades and six cameras and <"flip phone"> technology!

How many bookmarks are registered in safari?

# Download tool at http://jafat.sourceforge.net/files.html
# count the bookmarks

> safari_bm.exe Bookmarks.plist > output.txt
> type output.txt

Folder Title:    History


Folder Title:    BookmarksBar
     URL_Title:     Apple     URL:     https://www.apple.com/
     URL_Title:     iCloud     URL:     https://www.icloud.com/
     URL_Title:     Yahoo     URL:     https://www.yahoo.com/
     URL_Title:     Bing     URL:     https://www.bing.com/
     URL_Title:     Google     URL:     https://www.google.com/?client=safari&channel=mac_bm
     URL_Title:     Wikipedia     URL:     https://www.wikipedia.org/
     URL_Title:     Facebook     URL:     https://www.facebook.com/
     URL_Title:     Twitter     URL:     https://twitter.com/
     URL_Title:     LinkedIn     URL:     https://www.linkedin.com/
     URL_Title:     The Weather Channel     URL:     https://www.weather.com/
     URL_Title:     Yelp     URL:     https://www.yelp.com/
     URL_Title:     TripAdvisor     URL:     https://www.tripadvisor.com/
     URL_Title:     Inbox - Zoho Mail (hansel.apricot@fruitinc.xyz)     URL:     https://mail.zoho.com/zm/#mail/folder/inbox

Folder Title:    BookmarksMenu

Second way:

$ sudo python3 mac_apt.py -d E01 ../Spotlight/FruitBook.E01 SAFARI
$ ls /Export/SAFARI/hansel.apricot_Bookmarks.plist

What's the content of the note titled "Passwords"?

/root/Users/hansel.apricot/Libary/Group Containers/group.com.apple.notes/NoteStore.sqlite
Passwords

Second way:

$ sudo python3 mac_apt.py -d E01 ../Spotlight/FruitBook.E01 NOTES
$ ls /Export/NOTES/hansel.apricot_NoteStore.sqlite

Provide the MAC address of the ethernet adapter for this machine.

$ /root/private/var/log/daily.output
$ cat daily.output
00:0c:29:c4:65:77

Name the data URL of the quarantined item.

# Analyze with SQLite Browser
/root/Users/sneaky/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2
https://futureboy.us/stegano/encode.pl

What app did the user "sneaky" try to install via a .dmg file? (one word)

# It can be bash history or zsh history
/root/Users/sneaky/.zsh_history
silenteye

What was the file 'Examplesteg.jpg' renamed to?

$ sudo python3 mac_apt.py -d E01 ../Spotlight/FruitBook.E01 -o ../fsevents FSEVENTS
GoodExample.jpg

How much time was spent on mail.zoho.com on 4/20/2020?

$ sudo python3 mac_apt.py -d E01 ../Spotlight/FruitBook.E01 -o ../screentime SCREENTIME

What is the name of the file that has a QuickLook bitmap data location of 166472?

# /private/var/folders/bf/r04p_gb17xxg37r9ksq855mh0000gn/C/com.apple.QuickLook.thumbnailcache/index.sqlite
$ sudo python3 mac_apt.py -d E01 ../Spotlight/FruitBook.E01 -o ../quicklook QUICKLOOK
$ ls quicklook/Export/QUICKLOOK/Thumbnails/hansel.apricot
GET A NEW PHONE TODAY!.jpg

What's hansel.apricot's password hint? (two words)

# private/var/db/dslocal/nodes/Default/users/hansel.apricot.plist
$ plistutil hansel.apricot.plist > output.txt
$ cat out.txt # find hint
Family Opinion

The main file that stores Hansel's iMessages had a few permissions changes. How many times did the permissions change?

$ sudo python3 mac_apt.py -d E01 ../Spotlight/FruitBook.E01 -o ../fsevents FSEVENTS
7

What's the UID of the user is responsible for connecting mobile devices?

private/var/db/dslocal/nodes/Default/users/_usbmuxd.plist

Find the flag in the GoodExample.jpg image. It's hidden with better tools.

# When i find in the fsevents logs, it point to Users/shared/GoodExample.jpg
# I export it and analyze

$ steghide extract -sf GoodExample.jpg
Enter passphrase: 
wrote extracted data to "steganopayload27635.txt".

$ cat steganopayload27635.txt
Our latest phone will have flag<helicopter> blades and 6 cameras on it. No
other phone has those features!

What was exactly typed in the Spotlight search bar on 4/20/2020 02:09:48

# Users/sneaky/Library/Application Support/com.apple.spotlight/com.apple.spotlight.Shortcuts

$ cat com.apple.spotlight.Shortcuts 
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>silent</key>
    <dict>
        <key>DISPLAY_NAME</key>
        <string>silenteye-0.4.1b-snowleopard_installer</string>
        <key>LAST_USED</key>
        <date>2020-04-20T02:44:27Z</date>
        <key>URL</key>
        <string>/Applications/silenteye-0.4.1b-snowleopard_installer.app</string>
    </dict>
    <key>term</key>
    <dict>
        <key>DISPLAY_NAME</key>
        <string>Terminal</string>
        <key>LAST_USED</key>
        <date>2020-04-20T02:09:48Z</date>
        <key>URL</key>
        <string>/System/Applications/Utilities/Terminal.app</string>
    </dict>
</dict>
</plist>

What is hansel.apricot's Open Directory user UUID?

# private/var/db/dslocal/nodes/Default/users/hansel.apricot.plist

$ plistutil -i hansel.apricot.plist > output.txt
$ cat output.txt

    </array>
    <key>home</key>
    <array>
        <string>/Users/hansel.apricot</string>
    </array>
    <key>uid</key>
    <array>
        <string>501</string>
    </array>
    <key>_writers_passwd</key>
    <array>
        <string>hansel.apricot</string>
    </array>
    <key>generateduid</key>
    <array>
        <string>5BB00259-4F58-4FDE-BC67-C2659BA0A5A4</string>
    </array>
    <key>gid</key>
    <array>
        <string>20</string>
    </array>
    <key>passwd</key>
    <array>
        <string>********</string>
    </array>
    <key>_writers_hint</key>
    <array>
        <string>hansel.apricot</string>
    </array>
    <key>_writers_jpegphoto</key>
    <array>
        <string>hansel.apricot</string>
    </array>
</dict>
</plist>

PreviousJailbroken - Mobile Forensics NextSzechuan Sauce - Case Investigation

Last updated 4 years ago