Spotlight is a macOS image forensics challenge where you can evaluate your DFIR skills against an OS you usually encounter in today's case investigations.
Created By AccessData® FTK® Imager 4.2.1.4
Case Information:
- Acquired using: ADI4.2.1.4
--------------------------------------------------------------
Image Information:
- Acquisition started: Mon Apr 20 12:13:11 2020
- Acquisition finished: Mon Apr 20 12:24:31 2020
Segment list:
- F:\DFA_Mac\FruitBook.E01
- F:\DFA_Mac\FruitBook.E02
- F:\DFA_Mac\FruitBook.E03
- F:\DFA_Mac\FruitBook.E04
- F:\DFA_Mac\FruitBook.E05
- F:\DFA_Mac\FruitBook.E06
- F:\DFA_Mac\FruitBook.E07
- F:\DFA_Mac\FruitBook.E08
- F:\DFA_Mac\FruitBook.E09
- F:\DFA_Mac\FruitBook.E10
- F:\DFA_Mac\FruitBook.E11
- F:\DFA_Mac\FruitBook.E12
- F:\DFA_Mac\FruitBook.E13
- F:\DFA_Mac\FruitBook.E14
- F:\DFA_Mac\FruitBook.E15
- F:\DFA_Mac\FruitBook.E16
- F:\DFA_Mac\FruitBook.E17
- F:\DFA_Mac\FruitBook.E18
- F:\DFA_Mac\FruitBook.E19
Image Verification Results:
- Verification started: Mon Apr 20 12:24:32 2020
- Verification finished: Mon Apr 20 12:34:49 2020
- MD5 checksum: 7300f808f5046e8372c27854daf6d553 : verified
- SHA1 checksum: e629634283f2e5861a91847ec64042e240516da4 : verified
# | Question | Weight | Solved
---|---|---|---
1 | What version of macOS is running on this image? | 50 | 16
2 | What "copetitive advatge" did Hansel lie about in the file AnotherExample.jpg? | 150 | 12
3 | How many bookmarks are registered in Safari? | 200 | 16
4 | What's the content of the note titled "Passwords"? | 200 | 6
5 | Provide the MAC address of the ethernet adapter for this machine. | 200 | 11
6 | Name the data URL of the quarantined item. | 300 | 13
7 | What app did the user "sneaky" try to install via a .dmg file? | 300 | 15
8 | What was the file 'Examplesteg.jpg' renamed to? | 400 | 12
9 | How much time was spent on mail.zoho.com on 4/20/2020? | 450 | 3
10 | What is the name of the file that has a QuickLook bitmap data location of 166472? | 500 | 11
11 | What's hansel.apricot's password hint? | 550 | 12
12 | The main file that stores Hansel's iMessages had a few permissions changes. How many times did the permissions change? | 600 | 9
13 | What's the UID of the user who is responsible for connecting mobile devices? | 600 | 6
14 | Find the flag in the GoodExample.jpg image. It's hidden with better tools. | 600 | 10
15 | What exactly was typed in the Spotlight search bar on 4/20/2020 02:09:48? | 600 | 12
16 | What is hansel.apricot's Open Directory user UUID? | 650 | 9