Eli Lab
CyberDefenders Endpoint Forensics Lab

Scenario
A user reported strange browser behavior and missing files on their Chromebook. SOC analysts suspect unauthorized access and data theft. You’ve received a forensic image for review. Investigate user activity, application data, and browsing artifacts to uncover what happened.
Question 1
The folder to store all your data in — How many files are in Eli’s downloads directory?
Answer 1
There are a few links to different resources for use during this lab, one of which provided a few different locations for user downloads.

Question 2
Smile for the camera — What is the MD5 hash of the user’s profile photo?
Answer 2
Looking into the Accounts folder yields a profile photo as well as an email address.
└─$ md5sum eflatt610@gmail.com
5ddd4fe0041839deb0a4b0252002127b  eflatt610@gmail.com

Question 3
Road Trip! — What city was Eli’s destination in?
Answer 3
Heading back to the downloads folder, there was a screenshot of Google Maps search results, giving away their destination.

Question 4
Promise Me — How many promises does Wickr make?
Answer 4
Again in the downloads folder, there is a PDF file that states there are 9 promises.

Question 5
Key-ty Cat — What are the last five characters of the key for the Tabby Cat extension?
Answer 5
A quick search in the file explorer for the term “tabby” yielded a Chrome extension. Looking through its various files in Sublime Text then gave me the key.

Question 6
Time to jam out — How many songs does Eli have downloaded?
Answer 6
Again, a very simple search in the file explorer allowed me to find the music, totaling 2 files.

Question 7
Autofill, roll out — Which word was Autofilled the most?
Answer 7
I did some research into where autofill data is stored on ChromeOS. It turns out it's stored in a SQLite database called Web Data, so a quick search for the file led me to the following:

This gave me email as the answer.
Question 8
Dress for success — What is this bird’s image’s logical size in bytes?
Answer 8
This confused me slightly at first, but then I remembered seeing the Linux penguin as an image file in downloads.

Question 9
Repeat customer — What was Eli’s top-visited site?
Answer 9
There were a couple of different ways I found to solve this: first, looking through the SQLite History file; second, through the Takeout -> MyActivity file.
Both of which pointed to ProtonMail being the website they visited most.
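The checks behind Questions 7 and 9, as an added example that is not part of the original writeup: the same two lookups (most-autofilled field from the Web Data autofill table, top-visited host from the History urls table) written as SQL over constructed in-memory copies of those tables. The sample rows, URLs and counts are assumptions made up for the demo, and only the columns the queries need are modelled.

```python
import sqlite3
from urllib.parse import urlparse

# Constructed rows in the shape of Chrome's "Web Data" autofill table
# (name, value, count); only the columns this check needs are modelled.
SAMPLE_AUTOFILL = [
    ("email", "eli@example.com", 7),
    ("name", "Eli", 2),
    ("email", "other@example.com", 1),
]

# Constructed rows in the shape of Chrome's "History" urls table
# (url, title, visit_count); URLs and counts are made up for the demo.
SAMPLE_URLS = [
    ("https://mail.proton.me/inbox", "ProtonMail", 42),
    ("https://www.youtube.com/", "YouTube", 9),
    ("https://maps.google.com/", "Google Maps", 3),
]

def build_sample_db() -> sqlite3.Connection:
    """Load the constructed rows into an in-memory database for offline use."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE autofill (name TEXT, value TEXT, count INTEGER)")
    conn.execute("CREATE TABLE urls (url TEXT, title TEXT, visit_count INTEGER)")
    conn.executemany("INSERT INTO autofill VALUES (?, ?, ?)", SAMPLE_AUTOFILL)
    conn.executemany("INSERT INTO urls VALUES (?, ?, ?)", SAMPLE_URLS)
    return conn

def top_autofill_field(conn: sqlite3.Connection) -> tuple:
    """(field name, total uses): Chrome stores one row per name/value pair,
    so the per-field total is the sum of count over all of its values."""
    row = conn.execute(
        "SELECT name, SUM(count) AS total FROM autofill "
        "GROUP BY name ORDER BY total DESC LIMIT 1"
    ).fetchone()
    return (row[0], row[1]) if row else (None, 0)

def top_visited_site(conn: sqlite3.Connection) -> tuple:
    """(hostname, visits): visit_count summed per host, because one site
    is spread over many URL rows in the urls table."""
    totals: dict = {}
    for url, count in conn.execute("SELECT url, visit_count FROM urls"):
        host = urlparse(url).hostname or url
        totals[host] = totals.get(host, 0) + count
    return max(totals.items(), key=lambda kv: kv[1]) if totals else (None, 0)

if __name__ == "__main__":
    db = build_sample_db()
    print("Most autofilled field:", top_autofill_field(db))
    print("Top visited host:", top_visited_site(db))
```

On a real image, point sqlite3.connect at a working copy of the profile's Web Data and History files and pass that connection to the same two functions.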
Question 10
Vroom Vroom — What is the name of the car-related theme?
Answer 10
I went back to my old reliable: searching for files using the file explorer. Searching for the word theme gave me a few results, one of which was a picture of a Lamborghini. Following this trail and looking at the file's location allowed me to find the manifest.json file, which contained the answer. (The answer has a blank character at the end.)

Question 11
You got mail — How many emails were received from notification@service.tiktok.com?
Answer 11
This one again was rather simple: after locating the mail file and opening it up in Sublime Text, I just used Ctrl+F to count how many times the email address was mentioned, giving me the answer of 6.

Question 12
Hungry for directions — Where did the user request directions on March 4, 2021, at 4:15:18 AM EDT?
Answer 12
Once again, a look into the MyActivity folder and finding the data for Maps gave me the timestamp and location at which they requested directions.

Question 13
Who defines essential? — What was searched on Mar 4, 2021, at 4:09:35 AM EDT?
Answer 13
After digging into the search folder and the subsequent MyActivity file, I found the following search:

Question 14
I got three subscribers, and counting — How many YouTube channels is the user subscribed to?
Answer 14
This was a little confusing. I used the same process again, looking at the MyActivity file in the YouTube folder. There was no indication that they were subscribed to anyone, which turned out to be correct.
Question 15
Time flies when you’re watching YT — What date was the first YouTube video the user watched uploaded?
Answer 15
The question could be referring to 2 possible answers here: either the date on which the user watched the video, or the date on which the video was uploaded. I got it wrong the first time; it turns out it was the latter of the 2, the upload date.

Fun lab, a lot of just pure searching. Wasn’t too tough, but nice to see how ChromeOS stores things.