Episode 11: iBeg to DFIR – Reviewing the “Capture the Flag” Event
In this episode, we review Cellebrite’s Capture the Flag (CTF) event. There were multiple questions that most of the participants struggled with and in order to contribute to the learning process, we will be going over the correct answers and how we arrived at the answers to the most difficult questions.
Tony’s 100-Point Question: “What is the password for the Network of the CSIS Mesh?”
The answer to this commonly missed question is actually right there in the plain text, but people do not usually parse it. However, it’s quite possible that such a question could come up in a real-life investigation and it’s important to know that the answer is not that difficult to obtain as long as you know where to look.
There are two main, time-efficient ways to find this answer. The first, and simplest, is to search the hex for “CSIS mesh,” but it returns so many entries that working through all of them takes far too much time.
The way I did it in testing was more from an investigator’s point of view. I started with Wireless Networks, where the network appears as the top entry. One of the easy things about Cellebrite Physical Analyzer (PA) is that it always lists source attribution.
By clicking on the “source file,” we reach the “xml file” that contains the Wi-Fi information. The password is not here, but using the project tree, I clicked on the “Wi-Fi_share_profile.” Here the password can be found listed multiple times.
The second way, which is possibly a bit quicker, is to go to the data files area of the extraction summary and click on “Configurations.” With the appropriate filter, the backup file is listed at the very top. The password is listed in the profile multiple times just as before.
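Both routes above come down to the same two steps: narrow the extraction to files that mention the SSID, then read the stored profile rather than the noise hits. The script below is an added example (not part of the episode or Cellebrite's tooling) that does those steps on a constructed, temporary extraction tree; the XML element names (`Network`, `string name="SSID"`, `string name="PreSharedKey"`) are assumptions made for this example, not the real Android or Cellebrite schema, and the file name `Wi-Fi_share_profile.xml` is borrowed from the post.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample: a tiny stand-in for the Wi-Fi backup XML the post refers to.
# Element and attribute names are assumptions for this example, not a real schema.
SAMPLE_PROFILE_XML = """<?xml version="1.0" encoding="utf-8"?>
<WifiBackup>
  <Network>
    <string name="SSID">"CSIS Mesh"</string>
    <string name="PreSharedKey">"example-passphrase-123"</string>
  </Network>
  <Network>
    <string name="SSID">"GuestNet"</string>
    <string name="PreSharedKey">"guest-key"</string>
  </Network>
</WifiBackup>
"""


def build_sample_extraction():
    """Create a temp directory imitating a small extraction tree; return its path."""
    root = tempfile.mkdtemp(prefix="extraction_")
    os.makedirs(os.path.join(root, "misc", "wifi"))
    os.makedirs(os.path.join(root, "backup"))
    # A log that merely mentions the SSID: the kind of hit a raw search buries you in.
    with open(os.path.join(root, "misc", "wifi", "wifi_status.txt"), "w") as f:
        f.write("connected to CSIS Mesh at 12:00\n")
    # The configuration backup that actually carries the pre-shared key.
    with open(os.path.join(root, "backup", "Wi-Fi_share_profile.xml"), "w") as f:
        f.write(SAMPLE_PROFILE_XML)
    return root


def files_mentioning(root_dir, needle):
    """Step 1 (the raw search): every file whose bytes contain the SSID, case-insensitive."""
    hits = []
    needle_b = needle.lower().encode()
    for dirpath, _, filenames in os.walk(root_dir):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                if needle_b in f.read().lower():
                    hits.append(path)
    return sorted(hits)


def password_from_profile(path, ssid):
    """Step 2 (the Configurations route): parse a profile file and return the
    pre-shared key stored for `ssid`, or None if the file is not a profile."""
    try:
        tree = ET.parse(path)
    except ET.ParseError:
        return None  # plain text or binary hit, not a Wi-Fi profile
    for network in tree.getroot().iter("Network"):
        fields = {s.get("name"): (s.text or "").strip('"') for s in network.findall("string")}
        if fields.get("SSID") == ssid:
            return fields.get("PreSharedKey")
    return None


def find_wifi_password(root_dir, ssid):
    """Combine both steps: of the files that mention the SSID, return the first
    (relative path, password) pair that comes from a parseable profile."""
    for path in files_mentioning(root_dir, ssid):
        pw = password_from_profile(path, ssid)
        if pw is not None:
            return os.path.relpath(path, root_dir), pw
    return None


if __name__ == "__main__":
    root = build_sample_extraction()
    print(find_wifi_password(root, "CSIS Mesh"))
```

The point of the filter-then-parse order is the one the post makes: the raw search finds every file that names the network, but only the configuration backup yields the credential, so parse the candidates instead of reading each hit by hand.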
Ruthie’s Questions: (15 Max Difficulty Questions)
Ruthie, who was my persona, was certainly not the most popular character in the CTF event. Many of the questions were intentionally created to be the most difficult in order to test the participants with potential real-life situations. It is very important to know how to extract the necessary data in such cases.
Many of the questions were not answered correctly due to the simple fact that many participants did not unlock an additional device.
Listen to the full episode to hear all the questions and answers regarding the recent CTF event and to better understand the most common mistakes made and how to learn from them.
Register for the next iBeg to DFIR episode here.