Blue team CTF. Mobile forensics is rare on that site, and Android forensics mostly comes down to pulling data out of databases. ALEAPP, a small program written in Python, is quite convenient for parsing Android files, but the details still have to be analysed by hand. This set of challenges is fairly easy; its main purpose is to give a basic understanding of how files are laid out on an Android phone.
For the challenges on this site I will be using open-source tools from now on.
Challenge URL: https://cyberdefenders.org/blueteam-ctf-challenges/138#nav-questions
Q1
Based on the accounts of the witnesses and individuals close to the victim, it has become clear that the victim was interested in trading. This has led him to invest all of his money and acquire debt. Can you identify which trading application the victim primarily used on his phone?
Olymp Trade
First look at the files provided: it is the data folder. Since we need to find the trading app, the places to look are /data/app or /data/data, but a lot of the data under /data/data is missing.
Start with /app, which contains two APKs; drop them into GDAE to take a look.
They are Discord and Olymp Trade respectively.
So the answer is the latter.
You can also drag them into the LDPlayer (雷电) emulator.
Analysing the Android image with Autopsy works as well.
Q2
According to the testimony of the victim’s best friend, he said, “While we were together, my friend got several calls he avoided. He said he owed the caller a lot of money but couldn’t repay now”. How much does the victim owe this person?
250000
Analyse it in Autopsy and you can pull out the content of the phone's messages:
You better think twice about not paying, because it won't end well for you. Prepare the sum of 250,000 EGP
Q3
What is the name of the person to whom the victim owes money?
Shady Wahab
Look at the phone number that sent the message above, then check the account associated with that number.
That gives the person: Shady Wahab.
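Q2 and Q3 are the same two-step workflow: find the message that names the amount, then map the sender's number to a contact. The script below is an added example (not from the original post or from the challenge files) that does that against an in-memory SQLite database. The rows are constructed; the `sms` table mirrors the columns of the sms table in Android's mmssms.db, while the `contacts` table is a simplified stand-in for the much more complex contacts2.db layout, so against a real image you would point the queries at those files instead.

```python
import re
import sqlite3

# Message type values from Android's Telephony.Sms provider: 1 = inbox, 2 = sent.
SMS_TYPE_INBOX = 1
SMS_TYPE_SENT = 2

# Constructed sample rows (not from the challenge image). `sms` mirrors the
# columns of the sms table in Android's mmssms.db; `contacts` is a simplified
# stand-in for the real contacts2.db layout.
SAMPLE_SMS = [
    ("+20100000001", "Hey, still meeting later?", 1695000000000, SMS_TYPE_INBOX),
    ("+20100000002",
     "You better think twice about not paying, because it won't end well for you. "
     "Prepare the sum of 250,000 EGP",
     1695100000000, SMS_TYPE_INBOX),
    ("+20100000002", "Ok, I'll call you back", 1695100500000, SMS_TYPE_SENT),
]
SAMPLE_CONTACTS = [
    ("+20100000001", "Contact A"),
    ("+20100000002", "Contact B"),
]

# Matches "250,000 EGP", "1000 USD", etc.; group 1 is the number, group 2 the currency.
AMOUNT_RE = re.compile(r"(\d{1,3}(?:,\d{3})+|\d+)\s*(EGP|USD|EUR)", re.IGNORECASE)


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sms (address TEXT, body TEXT, date INTEGER, type INTEGER)")
    conn.execute("CREATE TABLE contacts (number TEXT, display_name TEXT)")
    conn.executemany("INSERT INTO sms VALUES (?, ?, ?, ?)", SAMPLE_SMS)
    conn.executemany("INSERT INTO contacts VALUES (?, ?)", SAMPLE_CONTACTS)
    conn.commit()
    return conn


def normalize_number(number: str) -> str:
    """Strip '+', spaces and dashes so formatting differences do not break the match."""
    return re.sub(r"\D", "", number)


def find_amount_messages(conn, msg_type=SMS_TYPE_INBOX):
    """Return received messages that mention a currency amount, oldest first."""
    rows = conn.execute(
        "SELECT address, body, date FROM sms WHERE type = ? ORDER BY date", (msg_type,)
    ).fetchall()
    hits = []
    for address, body, date in rows:
        m = AMOUNT_RE.search(body)
        if m:
            hits.append({
                "address": address,
                "date": date,
                "amount": int(m.group(1).replace(",", "")),
                "currency": m.group(2).upper(),
                "body": body,
            })
    return hits


def resolve_contact(conn, address):
    """Map a sender address to a contact display name, or None if unknown."""
    wanted = normalize_number(address)
    for number, name in conn.execute("SELECT number, display_name FROM contacts"):
        if normalize_number(number) == wanted:
            return name
    return None


def debt_report(conn):
    """Combine both steps: who sent each amount-bearing message and how much."""
    return [
        {**hit, "sender": resolve_contact(conn, hit["address"])}
        for hit in find_amount_messages(conn)
    ]


if __name__ == "__main__":
    db = build_sample_db()
    for entry in debt_report(db):
        print(f"{entry['sender'] or entry['address']}: {entry['amount']} {entry['currency']}")
```

Only inbox messages (type 1) are scanned, since the question is about what the victim was told he owes; sent messages are kept in the sample to show they are filtered out.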
Q4
Based on the statement from the victim’s family, they said that on September 20, 2023, he departed from his residence without informing anyone of his destination. Where was the victim located at that moment?
The Nile Ritz-Carlton
Q5
The detective continued his investigation by questioning the hotel lobby. She informed him that the victim had reserved the room for 10 days and had a flight scheduled thereafter. The investigator believes that the victim may have stored his ticket information on his phone. Look for where the victim intended to travel.
Las Vegas
Q6
After examining the victim’s Discord conversations, we discovered he had arranged to meet a friend at a specific location. Can you determine where this meeting was supposed to occur?
The Mob Museum
Check the Discord chat log files.
They mention The Mob Museum.