Forensics 300 was an extremely difficult challenge at first, until we simply took a step back and analyzed the situation. First, SecureState selected Forensics 300 from the game board; we were told to find the pirate's treasure, and that the answer format should be a "place". SecureState was also given the password to the provided file, which was b00ty.
After initially determining the file type as an archive, SecureState extracted it using the given password and was left with a 3 GB .dmg file. SecureState took a forensics approach first and started carving data out of this iPhone image. Roughly 10,000 deleted files were recovered, and we ran keyword searches for anything to do with a pirate or a treasure, but were unable to find anything.
After hours of frustration, a fellow team member suggested going straight after the GPS coordinates, so he brought in his (sigh…) Mac and mounted the image. Luckily, SecureState had team members who were extremely experienced with iPhone forensics, and they decided to pull out the consolidated.db file (the iOS location cache; its entries are the positions of cell towers and Wi-Fi access points the phone has seen rather than true GPS fixes, but they are close enough to show where the device has been). From it, we were able to pull over five thousand different coordinates. SecureState's team then plugged the coordinates into Google Earth, and a huge map was made in an attempt to locate an X-marks-the-spot or some other noticeable pattern. Unfortunately, SecureState was unable to determine the location through this method.
Next, SecureState decided to truncate the results. For instance, instead of -77.843122, 166.673122, SecureState shortened the pair to -77.84, 166.67, so that nearby readings collapse into the same bucket and can be counted. The logic behind this move was to figure out which locations were visited most often; pirates always come back for the treasure, right?
After multiple attempts at other locations, SecureState tried the coordinates -77.84, 166.67 in Google Maps, which led to an area in Antarctica.
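The truncate-and-count step above is easy to script rather than do by hand. The following is an added example, not code from the original write-up or from SecureState: it opens a SQLite database shaped like consolidated.db, truncates each coordinate pair to two decimal places exactly as described, and ranks the buckets by hit count. The table and column names (CellLocation, WifiLocation, Latitude, Longitude) are assumptions about the iOS location cache schema (verify with `.schema` in the sqlite3 shell against the real file), and the rows are constructed sample data, not coordinates recovered from the challenge image.

```python
import math
import sqlite3
from collections import Counter

# Assumed schema: consolidated.db is taken to hold tables named CellLocation and
# WifiLocation, each with Latitude/Longitude REAL columns. Check the real file's
# schema before relying on these names.
LOCATION_TABLES = ("CellLocation", "WifiLocation")

# Constructed sample rows (not from the challenge image): a cluster of hits
# around one spot in Antarctica, a few scattered elsewhere as red herrings,
# and one empty (0, 0) entry of the kind a location cache often contains.
SAMPLE_ROWS = [
    (-77.843122, 166.673122),
    (-77.841900, 166.678400),
    (-77.849001, 166.670010),
    (-77.846500, 166.676700),
    (-77.842222, 166.671111),
    (40.748817, -73.985428),   # Manhattan
    (40.741000, -73.989000),
    (51.500700, -0.124600),    # London
    (0.0, 0.0),                # placeholder entry with no fix; must be ignored
]


def build_sample_db():
    """Create an in-memory SQLite database shaped like the assumed consolidated.db."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE CellLocation (Latitude REAL, Longitude REAL)")
    conn.execute("CREATE TABLE WifiLocation (Latitude REAL, Longitude REAL)")
    conn.executemany("INSERT INTO CellLocation VALUES (?, ?)", SAMPLE_ROWS[:6])
    conn.executemany("INSERT INTO WifiLocation VALUES (?, ?)", SAMPLE_ROWS[6:])
    conn.commit()
    return conn


def load_coordinates(conn):
    """Pull every usable (lat, lon) pair out of the known location tables."""
    coords = []
    for table in LOCATION_TABLES:
        # Table names come from our own constant tuple, never from user input.
        try:
            rows = conn.execute(f"SELECT Latitude, Longitude FROM {table}").fetchall()
        except sqlite3.OperationalError:
            continue  # table absent in this database version; skip it
        for lat, lon in rows:
            if lat is None or lon is None:
                continue
            if not (-90 <= lat <= 90 and -180 <= lon <= 180):
                continue  # corrupt or carved garbage
            if lat == 0 and lon == 0:
                continue  # empty cache entry, would otherwise dominate the count
            coords.append((lat, lon))
    return coords


def truncate_coord(value, places=2):
    """Truncate toward zero, as the write-up did: -77.843122 -> -77.84."""
    factor = 10 ** places
    return math.trunc(value * factor) / factor


def most_visited(coords, places=2, top=3):
    """Bucket coordinates by truncated value and return the busiest buckets."""
    bins = Counter(
        (truncate_coord(lat, places), truncate_coord(lon, places))
        for lat, lon in coords
    )
    return bins.most_common(top)


if __name__ == "__main__":
    conn = build_sample_db()
    for (lat, lon), hits in most_visited(load_coordinates(conn)):
        print(f"{hits:4d} hits  {lat:.2f}, {lon:.2f}  https://maps.google.com/?q={lat},{lon}")
```

Two decimal places is a coarse bucket (about 1.1 km of latitude, and much less longitude that far south), which is what makes repeat visits stand out; if the top buckets tie, drop to three decimals and look again. The (0, 0) filter matters: placeholder rows with no fix would otherwise win the count outright.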
As you might be able to tell from the map, there is an "X"-shaped landmark to the left of marker "A". From here, SecureState assumed we were on the right path and started looking more closely at the area, only to discover a place called "Scott Base". After a quick search on Wikipedia, we found multiple "places" to enter, such as "Butter Point", "Pram Point", "Observation Hill", "Arrival Heights", and finally "McMurdo Station".
Unfortunately, these answers appeared to be incorrect, and again we were frustrated and decided to take a lunch break. After coming back, we logged back into the ddtek board and one of the team members tried McMurdo Station again. SecureState was then granted +300 to our score, along with a thorough level of confusion. Apparently, having more than one user logged into the game board at the same time prevented us from submitting answers properly. Overall, this challenge was interesting and difficult. There were a lot of red herrings, and it was hard to tell when the actual answer had been found. But it is a CTF and that is part of the challenge; overall, it was a great experience, and we enjoyed testing our skills.