It's been a while since I did any forensic challenges, so I was excited when I saw this new challenge from CyberDefenders. Even though I never did any macOS forensics, I did quite well on this challenge (solved 14/16 questions) and learned a bunch. This post is my attempt at a quick recap.
I have been using macOS daily for about 11 months now but only in an everyday context (e.g. office work, entertainment, etc.). I never did any macOS forensics before yesterday, so this challenge was quite the experience and twice the fun.
A few days ago, I saw this tweet on Twitter, and given that I had no concrete plans for the weekend, I decided to take a swing at the challenge. My goal was to see if I could Google my way through the various questions. Bear in mind, I did a lot of macOS troubleshooting when administering and configuring an MDM solution, so I wasn't diving in blind.
What is Spotlight?
Spotlight is a macOS image forensics challenge where you can evaluate your DFIR skills against an OS you usually encounter in today's case investigations. (source)
First Steps
- I signed up for an account on https://cyberdefenders.org
- I downloaded the challenge image.
- I quickly realised I would need a Windows machine if I wanted to install tools quickly and not spend an hour troubleshooting why something didn't work.
- I turned on my Windows laptop and installed FTK Imager and Autopsy
- We are now ready. Let's dive in.
Questions
There are a total of 16 questions of varying levels of difficulty. Some are super easy to solve; others took some time. You can find the full list of questions here. Here are some of the questions and a few hints to give you an idea of what to expect:
How many bookmarks are registered in Safari?
You guessed it! There is a SQLite database that contains a list of bookmarks. Find it and bingo.
What exactly was typed in the Spotlight search bar on 4/20/2020 02:09:48?
Find the logs. That's all I am going to say.
Provide the MAC address of the ethernet adapter for this machine.
I took the easy way out, a.k.a. regex.
Find the flag in the GoodExample.jpg image. It's hidden with better tools.
As with most forensics challenges, steganography makes an appearance.
TILs
I am not going to post any solutions, to avoid ruining the fun for everyone else, but I will list some of the things I learned while solving most of the questions. Take these points with a grain of salt.
So Many SQLite Databases
You would be surprised how many SQLite databases macOS uses to orchestrate and store important information about our day-to-day use. A few examples:
- KnowledgeC.db (application focus and usage history, under /private/var/db/CoreDuet/Knowledge/ and per-user ~/Library/Application Support/Knowledge/)
- History.db (Safari browsing history, under ~/Library/Safari/)
Make sure to learn about these databases and what data they contain; that knowledge can save you a lot of time when researching a macOS machine or image.
Regular Expressions FTW
There is a lot of search and filtering in any investigation. Being able to utilize regular expressions will save you a lot of time and narrow the amount of data you need to go through. I solved a few of the questions by crafting a regex to look for the specific information I needed to find, and it worked like a charm, so make sure to get acquainted with Regex.
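As an added example (not part of the original post), here is the kind of regex I mean, applied to the MAC-address question. The input text is constructed for the example; the point is the boundary handling: a naive `([0-9a-f]{2}:){5}[0-9a-f]{2}` also fires inside UUIDs, hashes and longer colon-separated hex runs, so the pattern below pins the separator with a backreference and uses lookarounds to reject partial matches.

```python
import re

# Six hex pairs joined by ':' or '-'. The backreference \1 forces one separator
# style throughout, and the lookarounds stop the match from starting or ending
# inside a longer hex run (UUIDs, hashes, 7+ pair strings).
MAC_RE = re.compile(
    r"(?<![0-9A-Fa-f:-])"          # not preceded by hex or a separator
    r"[0-9A-Fa-f]{2}([:-])"        # first pair + the separator we lock in
    r"(?:[0-9A-Fa-f]{2}\1){4}"     # four more pairs with the same separator
    r"[0-9A-Fa-f]{2}"              # sixth pair
    r"(?![0-9A-Fa-f:-])"           # not followed by hex or a separator
)

# Constructed sample: ifconfig-style output, a plist fragment and some decoys.
SAMPLE_TEXT = """\
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        ether a4:83:e7:12:34:56
        inet 192.168.1.20 netmask 0xffffff00 broadcast 192.168.1.255
<key>MACAddress</key><string>A4:83:E7:12:34:56</string>
bluetooth peer 3C-22-FB-AA-BB-CC paired
device uuid 3f2504e0-4f89-11d3-9a0c-0305e82c3301
hash 00112233445566778899aabbccddeeff00112233
not a mac: 00:11:22:33:44:55:66
"""


def find_mac_addresses(text):
    """Return unique MAC addresses in text, lowercase colon form, in first-seen order."""
    found = []
    for match in MAC_RE.finditer(text):
        mac = match.group(0).replace("-", ":").lower()
        if mac not in found:
            found.append(mac)
    return found


if __name__ == "__main__":
    for mac in find_mac_addresses(SAMPLE_TEXT):
        print(mac)
```

Normalising to one case and separator before de-duplicating matters in practice: the same adapter shows up in ifconfig output, plists and logs with different formatting, and you want one hit per address, not three.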
Autopsy Is Awesome
I hadn't used Autopsy before, so I was pleasantly surprised by how well it works. Seriously, it's a great open-source tool. I hardly needed to look for any other tools for most of the questions in this challenge, and I dug through a lot of different areas of macOS. Check it out and learn it if you are into forensics.
Time Formatting Is Hard
Apple stores time in many of its SQLite databases in its own format, and converting that to a human-readable format can be quite the search trip. The format is Cocoa (a.k.a. Mac absolute) time: seconds since 2001-01-01 00:00:00 UTC rather than since the 1970 Unix epoch, so the values are 978307200 seconds smaller than the Unix timestamps you may be used to, and some databases store the same epoch in nanoseconds instead of seconds.
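Here is an added example (not from the original post) that ties the two points together: querying a KnowledgeC-style SQLite database and converting its Cocoa timestamps. The `ZOBJECT` column names (`ZSTREAMNAME`, `ZVALUESTRING`, `ZSTARTDATE`, `ZENDDATE`) are the real ones from KnowledgeC.db, but the table below is built in memory with constructed rows, and the `/app/inFocus` stream is used only as an illustration. The conversion is done both in SQL (handy inside Autopsy's SQLite viewer or the sqlite3 CLI) and in Python, and the two are cross-checked.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# 2001-01-01 00:00:00 UTC expressed in Unix time: 11323 days * 86400 s.
MAC_EPOCH_OFFSET = 978307200
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def mac_absolute_to_datetime(value):
    """Convert a Cocoa/Mac absolute timestamp to an aware UTC datetime.

    Handles both encodings seen in Apple databases: (fractional) seconds and
    nanoseconds since 2001-01-01. The nanosecond form is detected by size:
    no plausible seconds value exceeds 1e10 (that would be the year 2317).
    """
    if value is None:
        return None
    value = float(value)
    if abs(value) > 1e10:  # assumption: anything this large is nanoseconds
        value /= 1e9
    return MAC_EPOCH + timedelta(seconds=value)


def build_sample_knowledgec():
    """Constructed stand-in for KnowledgeC.db with only the columns used here."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE ZOBJECT (Z_PK INTEGER PRIMARY KEY, ZSTREAMNAME TEXT, "
        "ZVALUESTRING TEXT, ZSTARTDATE REAL, ZENDDATE REAL)"
    )
    # Constructed rows; 609041388 is 2020-04-20 02:09:48 UTC in Cocoa time.
    rows = [
        ("/app/inFocus", "com.apple.Safari", 609041388.0, 609041448.0),
        ("/app/inFocus", "com.apple.Spotlight", 609041300.0, 609041388.0),
        ("/app/activity", "com.apple.Safari", 609041388.0, 609041448.0),
    ]
    con.executemany(
        "INSERT INTO ZOBJECT (ZSTREAMNAME, ZVALUESTRING, ZSTARTDATE, ZENDDATE) "
        "VALUES (?, ?, ?, ?)",
        rows,
    )
    return con


def app_usage(con):
    """Return (bundle id, start ISO, end ISO, seconds) for /app/inFocus rows."""
    sql = """
        SELECT ZVALUESTRING, ZSTARTDATE, ZENDDATE,
               datetime(ZSTARTDATE + 978307200, 'unixepoch') AS start_sql
        FROM ZOBJECT
        WHERE ZSTREAMNAME = '/app/inFocus'
        ORDER BY ZSTARTDATE
    """
    result = []
    for bundle, start, end, start_sql in con.execute(sql):
        start_py = mac_absolute_to_datetime(start)
        end_py = mac_absolute_to_datetime(end)
        # The SQL-side conversion must agree with the Python one.
        assert start_py.strftime("%Y-%m-%d %H:%M:%S") == start_sql
        seconds = int((end_py - start_py).total_seconds())
        result.append((bundle, start_py.isoformat(), end_py.isoformat(), seconds))
    return result


if __name__ == "__main__":
    for row in app_usage(build_sample_knowledgec()):
        print(row)
```

The `datetime(col + 978307200, 'unixepoch')` expression is the one to remember: it works unchanged against Safari's History.db (`history_visits.visit_time`) and any other table that stores Cocoa seconds, and `datetime(col / 1000000000 + 978307200, 'unixepoch')` covers the nanosecond variant.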
Outro
This challenge was fun. As it stands now, I solved 14 out of 16 questions and collected 5700/6350 pts. There are more challenges and labs on the platform, and I will keep doing them whenever I have the time. I added a bunch of resources at the end of this post for those who want to learn more about macOS forensics.
Resources
- https://cyberdefenders.org
- https://cyberdefenders.org/labs/34
- https://www.autopsy.com
- https://github.com/ydkhatri/mac_apt/
- https://www.mac4n6.com/blog/2018/8/5/knowledge-is-power-using-the-knowledgecdb-database-on-macos-and-ios-to-determine-precise-user-and-application-usage
- http://2016.padjo.org/tutorials/sqlite-your-browser-history/
- https://github.com/pstirparo/mac4n6
- https://medium.com/@karaiskc/understanding-apples-binary-property-list-format-281e6da00dbd
- https://www.r-bloggers.com/2019/10/spelunking-macos-screentime-app-usage-with-r/
- http://az4n6.blogspot.com/2016/10/quicklook-thumbnailsdata-parser.html