Spotlight is a macOS image forensics challenge where you can test your DFIR skills against an operating system you commonly encounter in today's case investigations.

 

Created By AccessData® FTK® Imager 4.2.1.4

Case Information:

  • Acquired using: ADI4.2.1.4

--------------------------------------------------------------

Image Information:

  • Acquisition started:   Mon Apr 20 12:13:11 2020
  • Acquisition finished:  Mon Apr 20 12:24:31 2020

 Segment list:

  • F:\DFA_Mac\FruitBook.E01
  • F:\DFA_Mac\FruitBook.E02
  • F:\DFA_Mac\FruitBook.E03
  • F:\DFA_Mac\FruitBook.E04
  • F:\DFA_Mac\FruitBook.E05
  • F:\DFA_Mac\FruitBook.E06
  • F:\DFA_Mac\FruitBook.E07
  • F:\DFA_Mac\FruitBook.E08
  • F:\DFA_Mac\FruitBook.E09
  • F:\DFA_Mac\FruitBook.E10
  • F:\DFA_Mac\FruitBook.E11
  • F:\DFA_Mac\FruitBook.E12
  • F:\DFA_Mac\FruitBook.E13
  • F:\DFA_Mac\FruitBook.E14
  • F:\DFA_Mac\FruitBook.E15
  • F:\DFA_Mac\FruitBook.E16
  • F:\DFA_Mac\FruitBook.E17
  • F:\DFA_Mac\FruitBook.E18
  • F:\DFA_Mac\FruitBook.E19

Image Verification Results:

  • Verification started:  Mon Apr 20 12:24:32 2020
  • Verification finished: Mon Apr 20 12:34:49 2020
  • MD5 checksum:    7300f808f5046e8372c27854daf6d553 : verified
  • SHA1 checksum:   e629634283f2e5861a91847ec64042e240516da4 : verified
| # | Question | Weight | Solved |
|---|----------|--------|--------|
| 1 | What version of macOS is running on this image? | 50 | 16 |
| 2 | What "copetitive advatge" did Hansel lie about in the file AnotherExample.jpg? | 150 | 12 |
| 3 | How many bookmarks are registered in Safari? | 200 | 16 |
| 4 | What's the content of the note titled "Passwords"? | 200 | 6 |
| 5 | Provide the MAC address of the Ethernet adapter for this machine. | 200 | 11 |
| 6 | Name the data URL of the quarantined item. | 300 | 13 |
| 7 | What app did the user "sneaky" try to install via a .dmg file? | 300 | 15 |
| 8 | What was the file 'Examplesteg.jpg' renamed to? | 400 | 12 |
| 9 | How much time was spent on mail.zoho.com on 4/20/2020? | 450 | 3 |
| 10 | What is the name of the file that has a QuickLook bitmap data location of 166472? | 500 | 11 |
| 11 | What's hansel.apricot's password hint? | 550 | 12 |
| 12 | The main file that stores Hansel's iMessages had a few permissions changes. How many times did the permissions change? | 600 | 9 |
| 13 | What's the UID of the user who is responsible for connecting mobile devices? | 600 | 6 |
| 14 | Find the flag in the GoodExample.jpg image. It's hidden with better tools. | 600 | 10 |
| 15 | What exactly was typed in the Spotlight search bar on 4/20/2020 02:09:48? | 600 | 12 |
| 16 | What is hansel.apricot's Open Directory user UUID? | 650 | 9 |