Background

Note: This post was originally written and posted on Medium. It has been copied here for posterity.

On September 23rd Magnet announced that they would be holding a weekly CTF challenge based on Android forensics. As an avid competitor in CTFs, this was deeply interesting to me and I knew I needed to compete. Additionally, bonus points would be offered for blogging how you did each solve so that will be the point of this blog series. Every week I will cover how the previous week’s challenge was solved. Hope everyone enjoys it.

The Challenge

The challenge for week one asked to identify the access time for the file responsible for mapping names to IP addresses. I immediately knew this to be the etc/hosts file and did a quick search for it in the parsed evidence. The screenshot can be seen below with the file and associated date.

For reference, the file was located at /data/adb/modules/hosts/system/etc/hosts and the access time was 03/05/2020 05:50:18 UTC