I will say that the Mac image was by far the most difficult for me. I have very little experience other than SANS DFIR NetWars in looking at Macs forensically. I'm thankful to have AXIOM by my side for this one to help ease my pain, as well as Yogesh Khatri's mac_apt tool (it's free!).
Question 1 - Call me by your name (5 points)
What is the Local Host Name of this device?
Heading on over to the OS info we can see the local host name is "Elis-Mac-mini".
Question 2 - I love it when you call me big sur (5 points)
What is the Product Build Version?
From the last screenshot we can get the build number as well. It was 20D74.
Question 3 - Whose got your back(up)? (5 points)
What is the IMEI of the iOS device that is backed up?
Under the iOS Backups section in Additional Sources, we can see that the IMEI for Eli's iPhone was 356759080486567.
Question 4 - Bottoms up, and the devil laughs (10 points)
What is Eli's preferred energy drink brand?
Looking at Safari web history we see some entries for Amazon and energy drinks.
Question 5 - LaxBro (10 points)
Which college lacrosse team schedule did Eli often look at?
A quick keyword search for "lacrosse" reveals multiple hits in Safari History and Bookmarks for schedules and articles for University of Albany.
Question 6 - Stop playing with me (10 points)
How many websites have permissions to autoplay?
This one gave me fits, because it seemed like it would be easy but nothing from the obvious web related artifacts showed results. Navigating to the Safari folder in the file system showed what was needed in a plist (of course!).
This file has a list of each website that has permission to autoplay, with entries starting at 0 and going up to 164, for a total of 165 webpages.
Question 7 - Finder's Keepers (25 points)
What Source Version is the Finder app on this device?
Under Installed Applications, we get some versioning information for Finder (com.apple.finder). It has a Display Version and an Internal Version listed. I interpreted Source to mean the Internal version, so I tried 1350.2.10, which was correct.
Question 8 - it's raining it's pouring (25 points)
What is the size in bytes of the application found within Eli's trash?
In the Trash Items under Operating System there were only three different items, one folder, one .DS_Store file and the file we are looking for, the DMG file for installing checkra1n. It was 9,389,392 bytes in size.
Question 9 - Oh Sheet! (25 points)
What is the name of the spreadsheet Eli often navigated to?
I originally looked for most recently used files but didn't see anything; the key here was the word "navigated". Looking through Safari web history there were plenty of visits to a Google Docs spreadsheet titled "To-Purchase", the answer. There were also a few recently closed tabs for the same webpage.
Question 10 - Remind me Later (25 points)
What time and date in EST did Eli add a notification permission on Safari? Answer in MM/DD/YYYY HH:MM:SS
Question 11 - Secrets Secrets are no fun (50 points)
What is Eli's system password hint?
I was expecting this to be much more difficult for the point amount. Under Recovery Account Information for Operating System, we can see Eli's password hint was set to "Fix something!".
Question 12 - There are no penguins at the North Pole (50 points)
What is the SHA1 hash of Eli's profile picture on the device?
I knew from the previous question that his profile image was set to a penguin (obvious from the question wording too), but I wasn't sure where that image was stored. The penguin is actually a sample image found in the Pictures folder; I found that file and tried its hash value, but the answer wasn't accepted.
Looking again at the recovery info path, I opened up the CryptoUserInfo.plist file:
AXIOM gives you the option to save out the file bytes for PictureData (score).
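As an added example (not the write-up's own code and not part of AXIOM), this Python snippet scripts the same step: parse a CryptoUserInfo-style plist with plistlib, pull the raw bytes stored under PictureData and hash them directly, so the SHA1 comes from the embedded blob rather than a look-alike file in the Pictures folder. The plist contents and picture bytes are constructed.

```python
import hashlib
import plistlib

# Constructed stand-in for the PictureData blob: a JPEG SOI marker followed by
# placeholder bytes. Not the real profile picture, just something to hash.
SAMPLE_PICTURE = b"\xff\xd8\xff\xe0" + b"constructed-penguin-placeholder"

# Constructed stand-in for CryptoUserInfo.plist, serialised as a binary plist
# so the parsing path matches what a real .plist on disk needs.
SAMPLE_PLIST = plistlib.dumps(
    {"PictureData": SAMPLE_PICTURE, "hint": "Fix something!"},
    fmt=plistlib.FMT_BINARY,
)


def sha1_hex(data: bytes) -> str:
    """Hex SHA1 of raw bytes, the form the CTF answer expects."""
    return hashlib.sha1(data).hexdigest()


def picture_sha1(plist_bytes: bytes, key: str = "PictureData") -> str:
    """Parse a plist (binary or XML) and hash the data blob stored under `key`.

    plistlib.loads detects the format itself; <data> values come back as bytes,
    so the blob can be hashed without exporting it to a file first.
    """
    data = plistlib.loads(plist_bytes)
    if key not in data:
        raise KeyError(f"no {key!r} entry in plist; keys: {sorted(data)}")
    blob = data[key]
    if not isinstance(blob, bytes):
        raise TypeError(f"{key!r} is {type(blob).__name__}, not a data blob")
    return sha1_hex(blob)


def matches_file_on_disk(plist_bytes: bytes, candidate: bytes) -> bool:
    """Check whether a picture found elsewhere (e.g. the Pictures folder sample)
    is byte-identical to the one embedded in the plist. A False result is why
    hashing the wrong copy is not accepted as the answer."""
    return picture_sha1(plist_bytes) == sha1_hex(candidate)


if __name__ == "__main__":
    print("PictureData SHA1:", picture_sha1(SAMPLE_PLIST))
```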
Question 13 - WallStreetBet You Can't Get This One (50 points)
Eli searched for 4 stock quotes (not a web search). What was the second stock he searched for? answer in ticker form ex: $MVS
I can understand why this one took so long to figure out. There was no way I would know where to look instantly for this. After hunting for a while, literally clicking through anything in folders with "Stocks" in the name, I came across the following path for a specific user:
There isn't a specific parser for this yet (custom perhaps?!), but buried further down in the Caches folder is a SQLite database called (so original) "cache-database". The "quote_details" table holds stock tickers along with last-updated timestamps. Since we only care about the second searched stock quote, the answer is $SPCE.
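To show the same triage scripted, here is an added example (not the write-up's own code, and not a real Stocks cache-database): it builds a constructed quote_details table in memory, orders the rows by their last-updated timestamp and returns the second ticker. The column names symbol and last_updated, and storing the timestamp as Cocoa-epoch seconds (since 2001-01-01 UTC, a common macOS convention), are assumptions about the real schema.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# macOS applications commonly store dates as seconds since 2001-01-01 UTC.
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def cocoa_to_utc(seconds: float) -> datetime:
    """Convert a Cocoa-epoch timestamp to an aware UTC datetime."""
    return COCOA_EPOCH + timedelta(seconds=seconds)


# Constructed rows shaped like "quote_details" (column names are assumptions).
# Deliberately inserted out of chronological order, as a cache table would be.
SAMPLE_ROWS = [
    ("$THR", 635004000.0),
    ("$ONE", 635000000.0),
    ("$FOUR", 635010000.0),
    ("$SPCE", 635002000.0),
]


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed quote_details rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE quote_details (symbol TEXT, last_updated REAL)")
    con.executemany("INSERT INTO quote_details VALUES (?, ?)", SAMPLE_ROWS)
    con.commit()
    return con


def quotes_in_search_order(con: sqlite3.Connection) -> list:
    """Return (ticker, ISO-8601 UTC time) pairs, oldest last_updated first.

    This treats the earliest last-updated row as the earliest search, which is
    the reading the write-up relies on; a later refresh of a quote would move it.
    """
    cur = con.execute(
        "SELECT symbol, last_updated FROM quote_details ORDER BY last_updated ASC"
    )
    return [(sym, cocoa_to_utc(ts).isoformat()) for sym, ts in cur]


def nth_searched(con: sqlite3.Connection, n: int) -> str:
    """Ticker of the n-th (1-based) searched quote; raises if n is out of range."""
    ordered = quotes_in_search_order(con)
    if not 1 <= n <= len(ordered):
        raise IndexError(f"only {len(ordered)} quotes present, asked for #{n}")
    return ordered[n - 1][0]


if __name__ == "__main__":
    db = build_sample_db()
    for sym, when in quotes_in_search_order(db):
        print(sym, when)
    print("second searched:", nth_searched(db, 2))
```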
Question 14 - Where are my keys!? (50 points)
What is the encryption-key for Eli's iCloud (SHA256)?
The keychain database file for Eli lives at the following path:
The database houses a lot of different tables and fields. The hint here is to look for something related to SHA256, which is easy to spot once you navigate to the "ckdevicestate" table. Under the "octagonpeerid" column we can see a few different keys. My assumption was that since we were looking at the Mac, we should filter the "osversion" column down to macOS. Using what was provided gave us the correct answer of "fUpf9J+cLRI3OCJ/KdFpZoaZXgfj2DC3ZrQnW7XT9Os=".