When you reveal hints for a question, the
number of points you can earn decreases.
Hints should be revelead in order.
Hints should be revelead in order.
Do you think something is wrong with this question? Let us know!
If the issue is about how to solve the question, please use our Discord server.
Spotlight
| SHA1SUM | 2ead137781e022c25645b84b153feee3d6a8e71a |
| Published | Oct. 7, 2020 |
| Author | DFA |
| Size | 27.1G |
| Tags | MAC Forensics OSX Forensics Autopsy Steganography |
| Instructions | Uncompress the challenge (pass: cyberdefenders.org) |
Your progress
0% Completed0/16 Questions
Your score
0/6350
Category
MAC Image Forensics
Spotlight is a MAC OS image forensics challenge where you can evaluate your DFIR skills against an OS you usually encounter in today's case investigations.
Created By AccessData® FTK® Imager 4.2.1.4
Case Information:
- Acquired using: ADI4.2.1.4
--------------------------------------------------------------
Image Information:
- Acquisition started: Mon Apr 20 12:13:11 2020
- Acquisition finished: Mon Apr 20 12:24:31 2020
Segment list:
- F:\DFA_Mac\FruitBook.E01
- F:\DFA_Mac\FruitBook.E02
- F:\DFA_Mac\FruitBook.E03
- F:\DFA_Mac\FruitBook.E04
- F:\DFA_Mac\FruitBook.E05
- F:\DFA_Mac\FruitBook.E06
- F:\DFA_Mac\FruitBook.E07
- F:\DFA_Mac\FruitBook.E08
- F:\DFA_Mac\FruitBook.E09
- F:\DFA_Mac\FruitBook.E10
- F:\DFA_Mac\FruitBook.E11
- F:\DFA_Mac\FruitBook.E12
- F:\DFA_Mac\FruitBook.E13
- F:\DFA_Mac\FruitBook.E14
- F:\DFA_Mac\FruitBook.E15
- F:\DFA_Mac\FruitBook.E16
- F:\DFA_Mac\FruitBook.E17
- F:\DFA_Mac\FruitBook.E18
- F:\DFA_Mac\FruitBook.E19
Image Verification Results:
- Verification started: Mon Apr 20 12:24:32 2020
- Verification finished: Mon Apr 20 12:34:49 2020
- MD5 checksum: 7300f808f5046e8372c27854daf6d553 : verified
- SHA1 checksum: e629634283f2e5861a91847ec64042e240516da4 : verified
Tools:
| # | Question | Weight | Solved | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| #1 | What version of macOS is running on this image? | 50 | 36 | ||||||||||||
|
|
|||||||||||||||
| #2 | What "copetitive advatge" did Hansel lie about in the file AnotherExample.jpg? (two words) | 150 | 30 | ||||||||||||
|
|
|||||||||||||||
| #3 | How many bookmarks are registered in safari? | 200 | 36 | ||||||||||||
|
|
|||||||||||||||
| #4 | What's the content of the note titled "Passwords"? | 200 | 22 | ||||||||||||
|
|
|||||||||||||||
| #5 | Provide the MAC address of the ethernet adapter for this machine. | 200 | 31 | ||||||||||||
|
|
|||||||||||||||
| #6 | Name the data URL of the quarantined item. | 300 | 34 | ||||||||||||
|
|
|||||||||||||||
| #7 | What app did the user "sneaky" try to install via a .dmg file? (one word) | 300 | 35 | ||||||||||||
|
|
|||||||||||||||
| #8 | What was the file 'Examplesteg.jpg' renamed to? | 400 | 31 | ||||||||||||
|
|
|||||||||||||||
| #9 | How much time was spent on mail.zoho.com on 4/20/2020? | 450 | 18 | ||||||||||||
|
|
|||||||||||||||
| #10 | What is the name of the file that has a QuickLook bitmap data location of 166472? | 500 | 28 | ||||||||||||
|
|
|||||||||||||||
| #11 | What's hansel.apricot's password hint? (two words) | 550 | 30 | ||||||||||||
|
|
|||||||||||||||
| #12 | The main file that stores Hansel's iMessages had a few permissions changes. How many times did the permissions change? | 600 | 26 | ||||||||||||
|
|
|||||||||||||||
| #13 | What's the UID of the user is responsible for connecting mobile devices? | 600 | 20 | ||||||||||||
|
|
|||||||||||||||
| #14 | Find the flag in the GoodExample.jpg image. It's hidden with better tools. | 600 | 25 | ||||||||||||
|
|
|||||||||||||||
| #15 | What was exactly typed in the Spotlight search bar on 4/20/2020 02:09:48 | 600 | 29 | ||||||||||||
|
|
|||||||||||||||
| #16 | What is hansel.apricot's Open Directory user UUID? | 650 | 27 | ||||||||||||