Hints should be revelead in order.
| SHA1SUM | e4b3f7c5886b29bad0f68cb46335b335bcae1171 |
| Published | Oct. 7, 2020 |
| Author | DFA |
| Size | 55 MB |
| Tags | MAC Forensics OSX Forensics Autopsy Steganography |
| Instructions | Uncompress the challenge (pass: cyberdefenders.org) |
Your progress
Your score
0/6350
Category
MAC Disk Image Forensics
Spotlight is a MAC OS image forensics challenge where you can evaluate your DFIR skills against an OS you usually encounter in today's case investigations.
Created By AccessData® FTK® Imager 4.2.1.4
Case Information:
- Acquired using: ADI4.2.1.4
--------------------------------------------------------------
Image Information:
- Acquisition started: Mon Apr 20 12:13:11 2020
- Acquisition finished: Mon Apr 20 12:24:31 2020
Segment list:
- F:\DFA_Mac\FruitBook.E01
- F:\DFA_Mac\FruitBook.E02
- F:\DFA_Mac\FruitBook.E03
- F:\DFA_Mac\FruitBook.E04
- F:\DFA_Mac\FruitBook.E05
- F:\DFA_Mac\FruitBook.E06
- F:\DFA_Mac\FruitBook.E07
- F:\DFA_Mac\FruitBook.E08
- F:\DFA_Mac\FruitBook.E09
- F:\DFA_Mac\FruitBook.E10
- F:\DFA_Mac\FruitBook.E11
- F:\DFA_Mac\FruitBook.E12
- F:\DFA_Mac\FruitBook.E13
- F:\DFA_Mac\FruitBook.E14
- F:\DFA_Mac\FruitBook.E15
- F:\DFA_Mac\FruitBook.E16
- F:\DFA_Mac\FruitBook.E17
- F:\DFA_Mac\FruitBook.E18
- F:\DFA_Mac\FruitBook.E19
Image Verification Results:
- Verification started: Mon Apr 20 12:24:32 2020
- Verification finished: Mon Apr 20 12:34:49 2020
- MD5 checksum: 7300f808f5046e8372c27854daf6d553 : verified
- SHA1 checksum: e629634283f2e5861a91847ec64042e240516da4 : verified
Tools:
| # | Question | Weight | Solved | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| #1 |
What version of macOS is running on this image? |
50 | 76 | ||||||||||||
|
|
|||||||||||||||
| #2 |
What "competitive advantage" did Hansel lie about in the file AnotherExample.jpg? (two words) |
150 | 70 | ||||||||||||
|
|
|||||||||||||||
| #3 |
How many bookmarks are registered in safari? |
200 | 71 | ||||||||||||
|
|
|||||||||||||||
| #4 |
What's the content of the note titled "Passwords"? |
200 | 56 | ||||||||||||
|
|
|||||||||||||||
| #5 |
Provide the MAC address of the ethernet adapter for this machine. |
200 | 62 | ||||||||||||
|
|
|||||||||||||||
| #6 |
Name the data URL of the quarantined item. |
300 | 64 | ||||||||||||
|
|
|||||||||||||||
| #7 |
What app did the user "sneaky" try to install via a .dmg file? (one word) |
300 | 70 | ||||||||||||
|
|
|||||||||||||||
| #8 |
What was the file 'Examplesteg.jpg' renamed to? |
400 | 65 | ||||||||||||
|
|
|||||||||||||||
| #9 |
How much time was spent on mail.zoho.com on 4/20/2020? |
450 | 45 | ||||||||||||
|
|
|||||||||||||||
| #10 |
What is the name of the file that has a QuickLook bitmap data location of 166472? |
500 | 51 | ||||||||||||
|
|
|||||||||||||||
| #11 |
What's hansel.apricot's password hint? (two words) |
550 | 57 | ||||||||||||
|
|
|||||||||||||||
| #12 |
The main file that stores Hansel's iMessages had a few permissions changes. How many times did the permissions change? |
600 | 53 | ||||||||||||
|
|
|||||||||||||||
| #13 |
What's the UID of the user who is responsible for connecting mobile devices? |
600 | 46 | ||||||||||||
|
|
|||||||||||||||
| #14 |
Find the flag in the GoodExample.jpg image. It's hidden with better tools. |
600 | 53 | ||||||||||||
|
|
|||||||||||||||
| #15 |
What was exactly typed in the Spotlight search bar on 4/20/2020 02:09:48 |
600 | 54 | ||||||||||||
|
|
|||||||||||||||
| #16 |
What is hansel.apricot's Open Directory user UUID? |
650 | 52 | ||||||||||||