Digital Forensic Scientist

2 minute read

Magnet Forensics is running a weekly forensic CTF. More information can be found on their blog. It is a fun way to practice, so let’s get to it!

CTF Posts

Week 1 Week 2 Week 3 Week 4 Week 5 Week 6 Week 7 Week 8 Week 9 Week 10

Getting Started

New image for December! It can be found here. This is a memory image, and this week has multiple questions. Note: I may jump between Volatility 2.6 and 3 as I’m playing around.

Q1: What is the IPv4 address that myaccount.google.com resolves to?

First I pinged myaccount.google.com. I was pretty sure the same resolution would not be it, but it was worth a try. Next, I looked for active connections. I found a few owned by Google, but no indication that they belong to “myaccount”.

I looked for a way to extact the DNS cache, but could not find any tool or tip that worked for me. After a long while running down some research leads, I decided to try a search for any Google IP addresses around “myaccount.google.com”. Hopefuly this would get me the DNS cache, even if I don’t know the structure.

$ strings memdump-001.0.mem | grep -B 5 -A 5  myaccount | grep 172\.
172.217.12.131
172.217.10.238le.com0

In the command above I am using strings on the memory image, and returning 5 rows before and after the hit for “myaccount”. Then I search for 172, which is what I guess is the first octet of a Google IP address.

Tried 131, but failed. Trying 172.217.10.238 and BING! Success.

Really looking forward to the writeup for this question!

Q2: What is the canonical name (cname) associated with Part 1?

I’m not sure if I did this one as intended, but I queried the current state of Google DNS.

$ dig myaccount.google.com

;; DiG 9.16.1-Ubuntu myaccount.google.com
;; global options: +cmd
;; Got answer:
;; HEADER opcode: QUERY, status: NOERROR, id: 16677
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
[SNIP]
ANSWER SECTION:
myaccount.google.com.	2674	IN	CNAME	www3.l.google.com.
www3.l.google.com.	283	IN	A	172.217.31.174
[SNIP]

Trying www3.l.google.com and BING! Success.

Lessons Learned

I spent a lot of time looking for DNS cache in memory and didn’t find anything. I tried to look a bit at the structure that was returned during search. This is something I really want to look into more in the future. I’m excited to see what everyone came up with, and maybe there is an easy solution I didn’t find.

You may also enjoy

iLEAPP and RLEAPP updates and dev thoughts

2 minutes to read

Alex (@kviddy) has been pushing some extremely useful updates to the open-source Android forensic tool - [ALEAPP](https://github.com/abrignoni/ALEAPP]. Speci...

What data can you find in RAM?

2 minutes to read

To determine if you need to collect Random Access Memory on-scene, it is useful to know what kinda of investigation-relevant data is often available in RAM.

Modular artifact scripts coming to iLEAPP

2 minutes to read

kviddy has been pushing some great core updates to ALEAPP. Specifically, artifact scripts are now self-contained. This means that script authors no longer ne...