CyberDefenders: Blue Team CTF Challenges

Spotlight - MAC Image Forensics

	SHA1SUM	2ead137781e022c25645b84b153feee3d6a8e71a
	Released	Oct. 7, 2020
	Author	DFA
	Size	27.1G
	Tags	MAC Forensics OSX Forensics

	Instructions	Uncompress the challenge (pass: cyberdefenders.org)

Download Challenge

Details
Questions
Scoreboard
Score /6350 pts.

Spotlight is a MAC OS image forensics challenge where you can evaluate your DFIR skills against an OS you usually encounter in today's case investigations.

Created By AccessData® FTK® Imager 4.2.1.4

Case Information:

Acquired using: ADI4.2.1.4

--------------------------------------------------------------

Image Information:

Acquisition started: Mon Apr 20 12:13:11 2020
Acquisition finished: Mon Apr 20 12:24:31 2020

Segment list:

F:\DFA_Mac\FruitBook.E01
F:\DFA_Mac\FruitBook.E02
F:\DFA_Mac\FruitBook.E03
F:\DFA_Mac\FruitBook.E04
F:\DFA_Mac\FruitBook.E05
F:\DFA_Mac\FruitBook.E06
F:\DFA_Mac\FruitBook.E07
F:\DFA_Mac\FruitBook.E08
F:\DFA_Mac\FruitBook.E09
F:\DFA_Mac\FruitBook.E10
F:\DFA_Mac\FruitBook.E11
F:\DFA_Mac\FruitBook.E12
F:\DFA_Mac\FruitBook.E13
F:\DFA_Mac\FruitBook.E14
F:\DFA_Mac\FruitBook.E15
F:\DFA_Mac\FruitBook.E16
F:\DFA_Mac\FruitBook.E17
F:\DFA_Mac\FruitBook.E18
F:\DFA_Mac\FruitBook.E19

Image Verification Results:

Verification started: Mon Apr 20 12:24:32 2020
Verification finished: Mon Apr 20 12:34:49 2020
MD5 checksum: 7300f808f5046e8372c27854daf6d553 : verified
SHA1 checksum: e629634283f2e5861a91847ec64042e240516da4 : verified

#	Question	Weight	Solved
1	What version of macOS is running on this image?	50	16
2	What "copetitive advatge" did Hansel lie about in the file AnotherExample.jpg?	150	12
3	How many bookmarks are registered in safari?	200	16
4	What's the content of the note titled "Passwords"?	200	6
5	Provide the MAC address of the ethernet adapter for this machine.	200	11
6	Name the data URL of the quarantined item.	300	13
7	What app did the user "sneaky" try to install via a .dmg file?	300	15
8	What was the file 'Examplesteg.jpg' renamed to?	400	12
9	How much time was spent on mail.zoho.com on 4/20/2020?	450	3
10	What is the name of the file that has a QuickLook bitmap data location of 166472?	500	11
11	What's hansel.apricot's password hint?	550	12
12	The main file that stores Hansel's iMessages had a few permissions changes. How many times did the permissions change?	600	9
13	What's the UID of the user is responsible for connecting mobile devices?	600	6
14	Find the flag in the GoodExample.jpg image. It's hidden with better tools.	600	10
15	What was exactly typed in the Spotlight search bar on 4/20/2020 02:09:48	600	12
16	What is hansel.apricot's Open Directory user UUID?	650	9