Magnet CTF Challenge Week 1 writeup

Android is based on the Linux kernel, and as such, system configuration files are sometimes located in the usual places. In order to answer the question above, we need to identify a few things;

1. The file which maps hostnames to IP addresses

2. The location of that file

3. The last accessed time of that file

1. If you're not familiar with the Linux operating system, it is possible to get a bit confused when it comes to DNS and/or hostname mapping. /etc/resolv.conf identifies nameservers to use for DNS lookups, however /etc/hosts is used to statically map hostnames to IP addresses. [1]

2. Android adb backups/dumps do not have the same file/folder structure as pure Linux operating systems. As a result, it may be difficult to find the exact location. On the right hand side of this image, make sure 'All subfolders' is selected. This will show the contents of the folder on the left (in this case, the 'data' folder) as well as recursively listing all of the contents. From here, we can search for 'hosts'.

On the right hand side of the screen, enter 'hosts' as a filter.

The file itself is routinely accessed by the operating system. The CTF question asks for accessed time, but the file itself does not have an accessed time recorded; only a modified time of 05/03/2020 05:50:18

[1] https://www.linode.com/docs/networking/dns/using-your-systems-hosts-file/

Thank you to Magnet Forensics for providing a temporary licence to use for both this and the DFIR Madness CTF writeup.