Information
Challenge Link: https://cyberdefenders.org/blueteam-ctf-challenges/eli/
Category: Digital Forensics
Level: Medium
Scenario: A lacrosse enthusiast on the hunt for a delicious chicken sandwich.
Supportive Tools
Walkthrough
Q1) The folder to store all your data in - How many files are in Eli’s downloads directory?
Extract the archive provided by the challenge and navigate to /decrypted/mount/user/Downloads/,
where all the files in Eli's Downloads directory are listed; counting them gives the answer.
Answer: *
Q2) Smile for the camera - What is the MD5 hash of the user’s profile photo?
Investigating further under the /2021 CTF - Chromebook/decrypted/mount/user/
directory, we find an interesting subdirectory, /Accounts/Avatar Images/,
which contains the profile picture of Eli's user account. Hash that image with md5sum on Linux or Get-FileHash in PowerShell:
# On Linux
md5sum [email protected]
# On PowerShell
Get-FileHash -Algorithm MD5 [email protected]
Answer: 5ddd4f*****************52002127b
Q3) Road Trip! - What city was Eli’s destination in?
Looking at /Takeout/My Activity/Maps/MyActivity.html
shows the locations Eli looked up while online, so the destination city can be found there.
Answer: Pl**********
Q4) Promise Me - How many promises does Wickr make?
Using the grep
command, or the search box in Windows Explorer, to search for the word Wickr turns up a PDF file named Wickr-Customer-Security-Promises-November-2020.pdf.
Skimming through the document reveals the list of Wickr's promises; counting them gives the answer.
Answer: *
Q5) Key-ty Cat - What are the last five characters of the key for the Tabby Cat extension?
Using the grep
command to search for the word tabby, we find the extension located in /2021 CTF - Chromebook/decrypted/mount/user/Extensions/mefhakmgclhhfbdadeojlkbllmecialg/.
Investigating this directory, we find the key in its manifest.json file.
Answer: ***AB
Q6) Time to jam out - How many songs does Eli have downloaded?
Looking at /2021 CTF - Chromebook/decrypted/mount/user/MyFiles/Music/
shows all the songs Eli has downloaded.
Answer: *
Q7) Autofill, roll out - Which word was Autofilled the most?
Under /2021 CTF - Chromebook/decrypted/mount/user/
you will find the file Web Data,
which is a SQLite database file. It can therefore be opened with DB Browser for SQLite to view the data it holds.
Open the autofill table and switch to the Browse Data tab; the most frequently autofilled word is listed there.
Answer: em***
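The same lookup done programmatically, as an added example that is not part of the original write-up. It builds an in-memory copy of Chrome's autofill table from constructed rows (Eli's real entries are masked above) and runs the query you would otherwise type into DB Browser for SQLite; open_web_data() is a helper for pointing it at a real extracted Web Data file.

```python
import sqlite3
from urllib.parse import quote

# Chrome keeps form-autofill history in the "autofill" table of the "Web Data"
# SQLite file; the "count" column records how many times each entry was used.
AUTOFILL_SCHEMA = """
CREATE TABLE autofill (
    name VARCHAR, value VARCHAR, value_lower VARCHAR,
    date_created INTEGER DEFAULT 0, date_last_used INTEGER DEFAULT 0,
    count INTEGER DEFAULT 1,
    PRIMARY KEY (name, value)
)
"""

# Same query you would type into DB Browser for SQLite's Execute SQL tab.
TOP_QUERY = """
SELECT name, value, count FROM autofill
ORDER BY count DESC, date_last_used DESC
LIMIT ?
"""

# Constructed sample rows; Eli's real entries are masked in the write-up.
SAMPLE_ROWS = [
    ("email", "user@example.com", "user@example.com", 1614844000, 1614852000, 7),
    ("q", "chicken sandwich", "chicken sandwich", 1614844000, 1614850000, 3),
    ("q", "lacrosse", "lacrosse", 1614844000, 1614849000, 2),
    ("zip", "12345", "12345", 1614844000, 1614848000, 1),
]

def most_used_autofill(conn, top=1):
    """Return (name, value, count) rows, most frequently used first."""
    return conn.execute(TOP_QUERY, (top,)).fetchall()

def open_web_data(path):
    """Open an extracted Web Data file read-only so the evidence is never modified."""
    return sqlite3.connect(f"file:{quote(path)}?mode=ro", uri=True)

def build_sample_web_data():
    """Build an in-memory database shaped like Web Data from the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(AUTOFILL_SCHEMA)
    conn.executemany("INSERT INTO autofill VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn

if __name__ == "__main__":
    # On a real image, use open_web_data(".../decrypted/mount/user/Web Data") instead.
    for name, value, count in most_used_autofill(build_sample_web_data(), top=3):
        print(f"{count:>3}  {name:<6} {value}")
```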
Q8) Dress for success - What is this bird’s image’s logical size in bytes?
Looking in /2021 CTF - Chromebook/decrypted/mount/user/Downloads/,
there is a file containing the bird's image; its logical size in bytes is the answer.
Answer: 4,**
Q9) Repeat customer - What was Eli’s top visited site?
Looking at /Takeout/My Activity/Chrome/,
we find MyActivity.html,
which lists the sites visited from newest to oldest.
Answer: pr************
Q10) Vroom Vroom - What is the name of the car-related theme?
Using find,
or the Windows Explorer search box, to search for the word Theme turns up a lot of car-related information. So I browsed to the extension folder /2021 CTF - Chromebook/decrypted/mount/user/Extensions/dkkklbgbfaeockpgbkleblklmcjdbnbj/1_0/
and examined the manifest.json
file, which gives the answer.
To confirm the answer, I also looked in the image folder and opened the picture. It shows a Lamborghini, which is sufficient to confirm the answer.
Answer: La****************
Q11) You got mail - How many emails were received from [email protected]?
Looking in /Takeout/Mail/,
open the file All mail Including Spam and Trash.mbox in Sublime Text.
It contains a large number of mails, which is overwhelming at first glance. So I used Sublime Text's Find feature with the search string From: "TikTok" <[email protected]>
and clicked Find All; the number of matches is the answer.
Answer: *
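An added example, not part of the original write-up, that counts the same thing with Python's mailbox module instead of a literal text search. It matches on the parsed From: address, so messages where the display name is quoted differently or the address differs in case are still counted. The mbox content is constructed, and the sender address is a placeholder on a reserved domain because the real one is obscured above.

```python
import mailbox
import tempfile
from email.utils import parseaddr

# Constructed sample standing in for "All mail Including Spam and Trash.mbox".
# The real sender address is obscured in the write-up, so a placeholder
# address on a reserved domain is used here.
SAMPLE_MBOX = """From 1001@xxx Thu Mar 04 09:15:18 2021
From: "TikTok" <noreply@tiktok.invalid>
To: eli@example.invalid
Subject: New followers

body

From 1002@xxx Thu Mar 04 10:00:00 2021
From: Shop <orders@shop.invalid>
To: eli@example.invalid
Subject: Your belt

body

From 1003@xxx Fri Mar 05 08:00:00 2021
From: TikTok <NoReply@TikTok.invalid>
To: eli@example.invalid
Subject: Weekly digest

body
"""

def count_messages_from(mbox_path, sender):
    """Count messages whose From: address equals sender, ignoring display name and case.

    A literal search for the quoted header misses the third sample message.
    """
    sender = sender.lower()
    box = mailbox.mbox(mbox_path)
    try:
        return sum(1 for msg in box if parseaddr(msg.get("From", ""))[1].lower() == sender)
    finally:
        box.close()

def write_sample_mbox():
    """Write the constructed sample to a temporary file and return its path."""
    with tempfile.NamedTemporaryFile("w", suffix=".mbox", delete=False) as tmp:
        tmp.write(SAMPLE_MBOX)
    return tmp.name

if __name__ == "__main__":
    print(count_messages_from(write_sample_mbox(), "noreply@tiktok.invalid"))  # 2
```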
Q12) Hungry for directions - Where did the user request directions to on Mar 4, 2021, at 4:15:18 AM EDT?
Looking at /Takeout/My Activity/Maps/MyActivity.html,
we can quickly search for the timestamp given in the question. The answer is straightforward.
Answer: C****-f**-*
Q13) Who defines essential? - What was searched on Mar 4, 2021, at 4:09:35 AM EDT?
Using the same method as in the previous question, we navigate to /Takeout/My Activity/Search/MyActivity.html
and look for the entry at the timestamp given in the question; the answer is there.
Answer: is*******************************************
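The Takeout MyActivity.html lookups in Q9, Q12 and Q13 can be scripted instead of scrolled through. The following is an added example, not code from the original write-up; it assumes the export wraps each entry in a div whose class contains "content-cell", holding the action text, a link and a timestamp separated by a br tag. The HTML below is a constructed stand-in, not Eli's export.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-in for a Takeout MyActivity.html (assumption: the export puts
# each entry in a div whose class has "content-cell": action, link, <br>, time).
SAMPLE_HTML = """
<div class="content-cell mdl-cell mdl-cell--6-col mdl-typo--body-1">Visited&nbsp;<a href="https://www.example.com/a">A</a><br>Mar 5, 2021, 9:00:00 AM EDT</div>
<div class="content-cell mdl-cell mdl-cell--6-col mdl-typo--body-1">Searched for&nbsp;<a href="https://www.google.com/search?q=lacrosse">lacrosse</a><br>Mar 4, 2021, 4:09:35 AM EDT</div>
<div class="content-cell mdl-cell mdl-cell--6-col mdl-typo--body-1">Visited&nbsp;<a href="https://example.com/b">B</a><br>Mar 4, 2021, 4:00:00 AM EDT</div>
"""

class ActivityParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.entries, self._in_cell, self._text, self._url = [], False, [], None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "div" and "content-cell" in (attrs.get("class") or ""):
            self._in_cell, self._text, self._url = True, [], None
        elif tag == "a" and self._in_cell and self._url is None:
            self._url = attrs.get("href")  # first link = visited/searched URL
        elif tag == "br" and self._in_cell:
            self._text.append("\n")  # <br> separates the action from the time

    def handle_data(self, data):
        if self._in_cell:
            self._text.append(data.replace("\xa0", " "))

    def handle_endtag(self, tag):
        if tag == "div" and self._in_cell:
            self._in_cell = False
            action, _, stamp = "".join(self._text).partition("\n")
            self.entries.append((action.strip(), self._url, stamp.strip()))

def parse_activity(html):
    # Returns (action, url, timestamp) tuples in file order (newest first).
    parser = ActivityParser()
    parser.feed(html)
    return parser.entries

def top_visited_hosts(entries, n=3):
    # Q9: count hosts of "Visited" entries, ignoring a leading "www.".
    hosts = Counter()
    for action, url, _ in entries:
        if action.startswith("Visited") and url:
            hosts[(urlparse(url).hostname or "").removeprefix("www.")] += 1
    return hosts.most_common(n)

def entries_at(entries, timestamp):
    # Q12/Q13: entries whose timestamp text equals the one quoted in the question.
    return [e for e in entries if e[2] == timestamp]
```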
Q14) I got three subscribers, and counting - How many YouTube channels is the user subscribed to?
Navigating to /Takeout/YouTube and YouTube Music/subscriptions/subscriptions.json,
we can quickly count the channels the user is subscribed to.
Answer: *
Q15) Time flies when you’re watching YT - What date was the first YouTube video the user watched uploaded?
Navigating to /Takeout/YouTube and YouTube Music/history/watch-history.html
again, you can quickly find the answer by opening the first video the user watched and checking the date it was uploaded.
Answer: 2*/**/****
Q16) How much? - What is the price of the belt?
Navigating to /Takeout/My Activity/Chrome/MyActivity.html
again, you will find what you are looking for. However, clicking the link recorded in MyActivity no longer shows the price of the belt, since the item is no longer in stock.
Therefore, I used the Internet Archive to go back to the time the user looked at the belt.
Answer: 9*.*
Key Takeaways
I've written this piece to summarize our accomplishments and what we've learned from the challenge. So far, the challenge has proven to be both useful and practical. The primary objective of the task is to teach us how to examine a Chromebook filesystem. Additionally, I believe the author hopes that we will use tools like CLEAPP and RLEAPP to investigate the Chrome filesystem and solve the challenge. I would therefore encourage using these tools to speed up your investigation, rather than relying solely on manual examination.
Thank you for taking the time to engage with my content and for allowing me to share my thoughts and ideas with you. Your support and engagement mean the world to me, and I couldn’t do this without you.
If you found this post valuable, please consider hitting the share button and spreading the word with your friends, family, or colleagues. Your sharing can help me reach a broader audience and empower more people with knowledge.
I also want to encourage you to leave your thoughts and comments below. Your feedback is invaluable to me as it helps me understand what resonates with you and how I can continue to improve my content for future blog posts.