Metaspike Email Forensics CTF 2020 - 2021

Archived Challenges

1 - It's About Time
  • Part 1
  • Part 2
Part 1

You have received the email below in connection with a legal action. The timing of the email is critical. Examine the email and determine if it is more likely to be legitimate or fake.

Enter L for legitimate, F for fake. More to come based on your answer.

Draft_Agreement.eml

(SHA-256: 42B6FD78DAF38C03E1A744ECA1A0CB44F6859AB892E0F32B01763EFD835B5648)

Part 2

Congrats on making that determination! You are now asked to take this a step further, and determine the earliest date and time the email could have been sent based on the timing information you can locate within the file.

You will be examining the same email as in Part 1.

Enter the timestamp in UTC in the following format: yyyy-mm-dd hh:mm (e.g., 2005-11-20 13:17)
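A practical way into this timing question (and into "Superfrog" further down, which also turns on the Date: header) is to pull every timestamp out of the message and check that they are mutually consistent. The script below is an added example, not part of the challenge materials: it parses a constructed .eml with Python's standard email package, converts the Date header and each Received hop to UTC, and flags a Date that post-dates the first hop or a Received chain that is not chronological. The earliest the message can have been sent is bounded by the first (bottom-most) Received stamp, provided that server's clock is trusted.

```python
"""Timeline consistency check for a raw RFC 5322 message (.eml).

Added example for the 'It's About Time' and 'Superfrog' challenges; it is
not part of the CTF materials, and the message below is constructed rather
than taken from the challenge files.
"""
from datetime import datetime, timezone
from email import policy
from email.parser import BytesParser
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional

# Constructed sample. The Date header claims 18:15 UTC, but the first hop
# (the bottom-most Received line) stamped the message at 17:41:55 UTC, so
# the message would have to have been received before it was sent.
SAMPLE_EML = b"""\
Received: from mx2.example.net (mx2.example.net [203.0.113.20])
\tby mail.example.org with ESMTPS id abc123;
\tMon, 2 Nov 2020 17:42:10 +0000
Received: from [192.0.2.7] (client.example.net [192.0.2.7])
\tby mx2.example.net with ESMTPSA id xyz789;
\tMon, 2 Nov 2020 17:41:55 +0000
Date: Mon, 2 Nov 2020 10:15:00 -0800
From: Alice <alice@example.net>
To: Bob <bob@example.org>
Subject: Draft agreement
Message-ID: <20201102181500.1234@example.net>

Draft attached for your review.
"""

FMT = "%Y-%m-%d %H:%M"


def _received_time(value: str) -> Optional[datetime]:
    """The date-time of a Received header follows its last ';' (RFC 5322 3.6.7)."""
    _, sep, stamp = value.rpartition(";")
    if not sep:
        return None
    return parsedate_to_datetime(stamp.strip()).astimezone(timezone.utc)


def timeline(raw: bytes) -> Dict[str, object]:
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    # Each hop prepends its Received line, so index 0 is the final delivery
    # and the last entry is the first MTA that accepted the message.
    hops: List[datetime] = []
    for value in msg.get_all("Received", []):
        stamp = _received_time(str(value))
        if stamp is not None:
            hops.append(stamp)
    date_hdr = parsedate_to_datetime(str(msg["Date"])).astimezone(timezone.utc)

    anomalies = []
    if hops and date_hdr > hops[-1]:
        anomalies.append("Date header is later than the first Received hop")
    for later, earlier in zip(hops, hops[1:]):
        if later < earlier:
            anomalies.append("Received chain is not in chronological order")
            break

    return {
        "date_utc": date_hdr.strftime(FMT),
        # Earliest moment the message can have existed on the wire: the
        # first hop's stamp, assuming that MTA's clock is trustworthy.
        "earliest_hop_utc": hops[-1].strftime(FMT) if hops else None,
        "anomalies": anomalies,
        "verdict": "F" if anomalies else "L",
    }


if __name__ == "__main__":
    for key, val in timeline(SAMPLE_EML).items():
        print(f"{key}: {val}")
```

To run it against the real file, replace SAMPLE_EML with the bytes read from Draft_Agreement.eml. Keep in mind that Received stamps are only as good as the clocks of the servers that wrote them, and that anything below the first trusted hop (including the Date header) is under the sender's control.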

2 - Space Invaders
  • Part 1
  • Part 2
  • Part 3
  • Part 4
Part 1

You are being asked to examine an email between two colleagues within the same corporation. The email contains an important business document known to have been created and maintained on a volume formatted with the NT File System (NTFS).

Based on your examination of the email, are the creation and last modification timestamps of the attachment more likely to be legitimate or fake? Enter L for legitimate, F for fake.

FW__New_Finite_Curvature_Product_Line_Specs.msg

(SHA-256: FB42631EC43891EE2D877E02D911A1FFB95E9B31825986F09DEFE8B9A55F2614)

Part 2

Regardless of whether you believe it is legitimate or fake, what is the last modification timestamp you were able to find for the attachment in Part 1?

Enter the timestamp in UTC with 0.1 microsecond precision in the following format: yyyy-mm-dd hh:mm:ss.fffffff (e.g., 2005-11-20 13:17:48.1234567)

Part 3

It is believed that the email you examined in Part 1 and Part 2 of this challenge was the last message in a conversation thread that comprises multiple messages. Based on the information available to you, when was the initial message in this conversation thread likely sent?

Enter the timestamp in UTC in the following format: yyyy-mm-dd hh:mm:ss (e.g., 2005-11-20 13:17:48)

Part 4

Based on the information available to you, what is the maximum amount of time Vivian Alyse could have spent composing the final message in the thread that you examined? That is, the time elapsed from the moment she pressed the "Reply" or "Forward" button to the moment she hit "Send".

Assume that the following is true:

1. Vivian used Outlook to compose and send the message

2. All of the computers involved in the email conversation keep perfectly accurate time

Enter the duration in whole minutes, rounded up. For example, enter 46 for 45 minutes and 31 seconds.
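The 0.1 microsecond (100 ns) precision asked for in Part 2 is the native resolution of NTFS timestamps and of the MAPI PT_SYSTIME properties (PR_CREATION_TIME, PR_LAST_MODIFICATION_TIME) that Outlook stores for each attachment in a .msg file: a 64-bit count of 100 ns ticks since 1601-01-01 00:00:00 UTC, stored little-endian. Python's datetime only resolves microseconds, so a naive conversion silently drops the seventh digit. The following is an added example, not part of the challenge files, that converts in both directions without losing that digit and exposes the sub-second part for inspection; its byte inputs are constructed.

```python
"""Windows FILETIME / MAPI PT_SYSTIME conversion at 0.1 microsecond precision.

Added example for the 'Space Invaders' challenge; not part of the CTF files.
NTFS and Outlook .msg properties such as PR_CREATION_TIME and
PR_LAST_MODIFICATION_TIME are 64-bit counts of 100 ns ticks since
1601-01-01 00:00:00 UTC, stored little-endian. The byte values below are
constructed test inputs.
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000  # one tick is 100 ns, i.e. 0.1 microsecond


def filetime_to_str(ticks: int) -> str:
    """Format as yyyy-mm-dd hh:mm:ss.fffffff (UTC).

    datetime only carries microseconds, so the seventh fractional digit
    would be lost in a timedelta(microseconds=...) conversion; keep the
    sub-second ticks as an integer and format them separately.
    """
    seconds, frac_ticks = divmod(ticks, TICKS_PER_SECOND)
    whole = FILETIME_EPOCH + timedelta(seconds=seconds)
    return f"{whole:%Y-%m-%d %H:%M:%S}.{frac_ticks:07d}"


def str_to_filetime(text: str) -> int:
    """Inverse of filetime_to_str; a missing fraction is read as .0000000."""
    head, _, frac = text.partition(".")
    whole = datetime.strptime(head, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    delta = whole - FILETIME_EPOCH
    seconds = delta.days * 86400 + delta.seconds  # exact integer arithmetic
    return seconds * TICKS_PER_SECOND + int(frac.ljust(7, "0")[:7])


def filetime_from_bytes(raw: bytes) -> int:
    """Decode the 8-byte little-endian value as stored in a .msg property stream."""
    (ticks,) = struct.unpack("<Q", raw)
    return ticks


def subsecond_ticks(ticks: int) -> int:
    """Sub-second part in 100 ns ticks.

    NTFS records the full 100 ns resolution, whereas FAT stores modification
    times at 2 s resolution and hand-set timestamps are usually typed to
    whole seconds. A value of exactly 0 here is not proof of anything, but
    on a file said to have lived only on NTFS it deserves a closer look.
    """
    return ticks % TICKS_PER_SECOND


if __name__ == "__main__":
    ft = str_to_filetime("2005-11-20 13:17:48.1234567")
    print(ft, filetime_to_str(ft), subsecond_ticks(ft))
```

The round trip through str_to_filetime and filetime_to_str preserves all seven fractional digits, which is the check to apply before trusting any tool's rendering of these values: a viewer that displays only milliseconds or microseconds is rounding away exactly the digits the challenge asks for.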

3 - Veni, Vidi, Mapi
  • Part 1
  • Part 2
Part 1

You have received an email production in Personal Storage Table (PST) format. You suspect that one of the produced emails has been manipulated. What is the 24-byte entry ID (i.e., PR_ENTRYID) of the manipulated email in hexadecimal form?

Enter the value without any spaces between bytes.

Email_Export_20201221.pst [~76.5 MB]

(SHA-256: 2F4685FD398B6FECB182EF033E8B01AC4565CB59542628D6ED192282B04BD692)

Part 2

Nice work! You have been informed that the manipulated email you identified in Part 1 contains a hidden message. Uncover the hidden message and enter it below.

4 - Mind The Gap
  • Part 1
  • Part 2
  • Part 3
  • Part 4
  • Part 5
Part 1

You have been asked to examine an IMAP mailbox. You will be interfacing with the Yahoo! Mail IMAP server directly.

Before you start, you need to verify the public key reported by Yahoo's IMAP server. Enter the last 28 bytes of the server's public key in PEM-encoded form—excluding the post-encapsulation boundary and any line breaks.

Part 2

The server welcomes you with the following message:

* OK [CAPABILITY IMAP4rev1 SASL-IR AUTH=PLAIN AUTH=XOAUTH2 AUTH=OAUTHBEARER ID MOVE NAMESPACE XYMHIGHESTMODSEQ UIDPLUS LITERAL+ CHILDREN X-MSG-EXT OBJECTID] IMAP4rev1 Hello

You are given the following credentials:

Login: metaspikectf@yahoo.com

App Password: asdh1391ho1h2

Enter the IMAP command you would use to log in.

Note: The credentials above can only be used in the CTF environment and are not valid to authenticate with Yahoo.

Part 3

The IMAP server responds back with the following:

A01 OK LOGIN completed

Enter the command you would use to select the mail folder named documents in a read-only manner.

Part 4

The server responds as follows:

* 147 EXISTS

* 0 RECENT

* OK [UIDVALIDITY 1544554554] UIDs valid

* OK [UIDNEXT 40794] Predicted next UID

* FLAGS (\Answered \Deleted \Draft \Flagged \Seen $Forwarded $Junk $NotJunk)

* OK [PERMANENTFLAGS ()] No permanent flags permitted

* OK [HIGHESTMODSEQ 1410]

* OK [MAILBOXID (6)] Ok

A02 OK [READ-ONLY] EXAMINE completed; now in selected state

Enter the command you would issue to get a list of only the UID and INTERNALDATE values of all the items in this folder.

Part 5

The server returns the following list of UID and INTERNALDATE values when sorted chronologically by internal date. One of the messages on the list makes you suspicious. Enter its UID.

Message_List.txt

(SHA-256: E512134EE8C90D49EB58ABE431DD9328B4FE0C3C0E4D2F471D720011DA15155F)
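Parts 2 to 5 are a plain IMAP4rev1 (RFC 3501) session, and two properties of that protocol do most of the forensic work: UIDs are handed out in strictly ascending arrival order and are never reused within one UIDVALIDITY, and INTERNALDATE is the server's own arrival stamp rather than anything the sender wrote. The script below is an added example, not part of the CTF materials, and it never opens a connection to Yahoo: it builds the tagged commands, parses the EXAMINE response quoted in Part 4 to measure the gap between UIDNEXT and EXISTS, and runs a constructed UID FETCH listing (not the challenge's Message_List.txt) through a check that isolates messages whose UID order disagrees with their INTERNALDATE order.

```python
"""IMAP4rev1 (RFC 3501) command building and response parsing.

Added example for 'Mind The Gap'; not part of the CTF materials, and it never
opens a connection. The EXAMINE response below is the one quoted in Part 4;
the FETCH listing is constructed, not the challenge's Message_List.txt.
"""
import re
from datetime import datetime, timezone
from typing import Dict, List, Tuple

def _quoted(s: str) -> str:
    # RFC 3501 quoted string; CR, LF or non-ASCII would need a {n} literal.
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'

def login_cmd(n: int, user: str, password: str) -> str:
    return f"A{n:02d} LOGIN {_quoted(user)} {_quoted(password)}"

def examine_cmd(n: int, mailbox: str) -> str:
    # EXAMINE is SELECT without write access: no \Seen changes, no expunge.
    return f"A{n:02d} EXAMINE {_quoted(mailbox)}"

def uid_fetch_internaldate_cmd(n: int) -> str:
    # UID FETCH always returns UID; INTERNALDATE is the server's arrival stamp.
    return f"A{n:02d} UID FETCH 1:* (INTERNALDATE)"

EXAMINE_RESPONSE = """\
* 147 EXISTS
* 0 RECENT
* OK [UIDVALIDITY 1544554554] UIDs valid
* OK [UIDNEXT 40794] Predicted next UID
* FLAGS (\\Answered \\Deleted \\Draft \\Flagged \\Seen $Forwarded $Junk $NotJunk)
* OK [PERMANENTFLAGS ()] No permanent flags permitted
* OK [HIGHESTMODSEQ 1410]
* OK [MAILBOXID (6)] Ok
A02 OK [READ-ONLY] EXAMINE completed; now in selected state
""".splitlines()
_COUNT_RE = re.compile(r"^\* (\d+) (EXISTS|RECENT)$")
_CODE_RE = re.compile(r"^\* OK \[([A-Z-]+)(?: ([^\]]*))?\]")

def parse_examine(lines: List[str]) -> Dict[str, object]:
    state: Dict[str, object] = {}
    for line in lines:
        m = _COUNT_RE.match(line)
        if m:
            state[m.group(2)] = int(m.group(1))
            continue
        m = _CODE_RE.match(line)
        if m:
            arg = m.group(2)
            state[m.group(1)] = int(arg) if arg and arg.isdigit() else (arg or True)
        elif re.match(r"^A\d+ OK \[READ-ONLY\]", line):
            state["READ-ONLY"] = True
    return state

def messages_removed(state: Dict[str, object]) -> int:
    # UIDs ascend strictly and are never reused within one UIDVALIDITY. If the
    # server hands them out consecutively from 1, UIDNEXT-1 is how many messages
    # the folder ever held and the gap to EXISTS is how many have been removed.
    return int(state["UIDNEXT"]) - 1 - int(state["EXISTS"])

# Constructed listing: UID 40790 carries a backdated INTERNALDATE.
FETCH_RESPONSE = """\
* 1 FETCH (UID 40001 INTERNALDATE "14-Dec-2020 09:12:03 +0000")
* 2 FETCH (UID 40002 INTERNALDATE "14-Dec-2020 11:40:27 +0000")
* 3 FETCH (UID 40003 INTERNALDATE "15-Dec-2020 08:05:44 +0000")
* 4 FETCH (UID 40004 INTERNALDATE "16-Dec-2020 16:30:00 +0000")
* 5 FETCH (UID 40790 INTERNALDATE "14-Dec-2020 18:02:10 +0000")
""".splitlines()
_UID_RE = re.compile(r"\bUID (\d+)")
_IDATE_RE = re.compile(r'INTERNALDATE "([^"]+)"')

def parse_fetch(lines: List[str]) -> List[Tuple[int, datetime]]:
    items = []
    for line in lines:
        if line.startswith("* ") and " FETCH (" in line:
            uid = int(_UID_RE.search(line).group(1))
            stamp = datetime.strptime(_IDATE_RE.search(line).group(1), "%d-%b-%Y %H:%M:%S %z")
            items.append((uid, stamp.astimezone(timezone.utc)))
    return items

def out_of_order(items: List[Tuple[int, datetime]]) -> List[int]:
    # UIDs are assigned in arrival order (RFC 3501 2.3.1.1), so sorted by
    # INTERNALDATE they should ascend. A message APPENDed later with a backdated
    # INTERNALDATE breaks that; the minimal set of offenders is everything
    # outside a longest increasing subsequence of the UIDs.
    uids = [u for u, _ in sorted(items, key=lambda it: (it[1], it[0]))]
    n = len(uids)
    if n == 0:
        return []
    best, prev = [1] * n, [-1] * n
    for i in range(n):
        for j in range(i):
            if uids[j] < uids[i] and best[j] + 1 > best[i]:
                best[i], prev[i] = best[j] + 1, j
    keep, i = set(), max(range(n), key=best.__getitem__)
    while i != -1:
        keep.add(i)
        i = prev[i]
    return [uids[k] for k in range(n) if k not in keep]
```

Two caveats for real mailboxes: the IMAP greeting in Part 2 advertises AUTH=PLAIN, and LOGIN sends the app password in the clear inside the TLS session, which is why Part 1 insists on checking the server's public key first; and a client that APPENDs a message may supply its own INTERNALDATE, so an out-of-order UID is a lead to be corroborated against other timestamps in the message, not a verdict on its own.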

5 - Paranoid Android
  • Part 1
  • Part 2
  • Part 3
Part 1

You have been asked to examine the attached email message. The apparent author of the message, Vivian Alyse, claims that she did send an email while she was at a conference, but that the contents of the message were manipulated by the outside recipient. The recipient claims that the attached message is legitimate.

Based on the information available to you, do you believe the message is more likely to be legitimate or fake?

Enter L for legitimate, F for fake.

When_Can_We_Start.eml

(SHA-256: FD40B562E25B40B62D7AC06AAE84D7B973F380A4306B1C73DC5C065B2B9540B3)

Part 2

Congrats on solving that mystery!

Oolleo has a company policy that requires employees to use a VPN to access the internet while at conferences and hotels. Based on the email you examined in Part 1, does it look like Vivian Alyse complied with that company policy? Enter Y for Yes, N for No.

Part 3

You are being asked to examine another email from an Oolleo employee to an outside address. This time, there are concerns that parts of the message body were altered after the message had been sent.

Based on the information available to you, which lines of body text are more likely than not to have been altered? Refer to body text only by line numbers 120 through 142 of the attached message.

Enter the list of line numbers separated by spaces. For example, if you believe body text represented by lines 139 and 140 were altered, enter the following: 139 140

TQR_Project_Discussion_and_First_Steps.eml

(SHA-256: 68280478B88C4AFC52CF4BBB21928D22D5905C95FF7751E8D90A65896C816568)

6 - Superfrog

Your team has been investigating cryptocurrency transactions for several months. You have received the following email with timing information that would be critical for your case.

Both participants in the email conversation are believed to be in Pacific Time. Having taken a quick look at the email, you suspect that the email has been manipulated.

Dig deeper and determine the correct origination date of the email (i.e., the value in the "Date:" header field).

Enter the timestamp in UTC in the following format: yyyy-mm-dd hh:mm:ss (e.g., 2005-11-20 13:17:11)

Re Correct Destination for Transfers.eml

(SHA-256: 9E580B1BB3EFEF0C47A41147C80D599E872DE8746DCF06E06DE216C5BF900C4B)

7 - You're So Vain!

Your email forensics skills are starting to get noticed within your organization! You are now asked to examine 5 PDF printouts of email conversations in connection with a civil action. Regrettably, it is not feasible to obtain any further information or data at this point.

The files are numbered from 1 to 5. Visually inspect each PDF, and determine if the contained email is more likely to be legitimate or fake based on the information available to you. Combine your determination for each file in a single string in filename order and submit it. Enter L for legitimate, F for fake for each file.

For example, if you believe that all five messages are more likely to be fake than not, enter FFFFF. If you believe that only message #4 (i.e., 4.pdf) is more likely to be fake than not, enter LLLFL.

Messages.zip

(SHA-256: 11194841ED1C2639C2A0CD9DCCFD5389F64C12DB9A7CDDDC1741E217823EBBFF)

Note: You will find that the PDFs themselves contain little internal metadata. This is because you obtained them through discovery and their metadata was "inadvertently" stomped. Do not let the lack of internal PDF metadata affect your judgment of the contained messages.

8 - Steampunk
  • Part 1
  • Part 2
  • Part 3
Part 1

You are asked to examine an email that was sent between two colleagues within the same organization. It is believed that the email contained a PowerPoint presentation.

Locate the PowerPoint file and enter its CRC32 value.

Slides for CTM Presentation.msg

(SHA-256: 008C44C86EAA81066E1E142F4A6D5518CEA7CF6609A6FDC7892402BF23574BE7)

Part 2

Based on the information available to you, when was the attachment likely removed from the email you examined in Part 1?

Enter the timestamp in UTC in the following format: yyyy-mm-dd hh:mm (e.g., 2005-11-20 13:17)

Part 3

Congrats on determining the removal time of the attachment!

Now, you are asked to fully recover the PowerPoint presentation. When you do, enter its MD5 hash value.

9 - (Un)authorized Access

During a recent search & seizure, you were able to extract the following information from a suspect's devices:

Client ID: 182818710541-mn63dksdjh44sho1fs3jaiinljoj1lnh.apps.googleusercontent.com

Client Secret: GBhMGNPcZiqXLfOMxT7v7Ur0

Refresh Token: 1//046bBdeBO3lKOCgYIARAAGAQSNwF-L9IrqpEIAFpemGwws1LtNvyiF4BPL7mHJf2OU5b6GG9SbCpO_c8xGRZZmdMRddUxajpi_dQ

Email: ornatdilwen@gmail.com

Scope: https://www.googleapis.com/auth/gmail.readonly

Leveraging Google's OAuth 2.0 Playground, authenticate with the suspect's mailbox and list the forwarding addresses for their account. Enter the forwarding email address that has a verification status of "pending".
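For readers who want to see what the OAuth 2.0 Playground's "Refresh access token" step does behind the button: the refresh token is exchanged at Google's token endpoint for a short-lived bearer access token, which is then presented to the Gmail API's users.settings.forwardingAddresses.list method (the gmail.readonly scope is accepted for that method). The script below is an added example, not part of the challenge, using only the Python standard library; the client ID, secret, refresh token and the JSON response in it are placeholders, not the challenge's values.

```python
"""OAuth 2.0 refresh grant and Gmail forwarding-address listing.

Added example for the '(Un)authorized Access' challenge; it is not part of
the challenge and reproduces what the OAuth 2.0 Playground does behind the
buttons, using only the standard library. Only main() touches the network;
the request builder and response filter work on constructed data. The
client ID, secret, refresh token and JSON below are placeholders, not the
values from the challenge.
"""
import json
import urllib.parse
import urllib.request
from typing import List, Tuple

TOKEN_URL = "https://oauth2.googleapis.com/token"
FORWARDING_URL = ("https://gmail.googleapis.com/gmail/v1/users/me/"
                  "settings/forwardingAddresses")

# Constructed stand-in for the Gmail API response body.
SAMPLE_FORWARDING_JSON = b"""{
  "forwardingAddresses": [
    {"forwardingEmail": "archive@example.org", "verificationStatus": "accepted"},
    {"forwardingEmail": "dropbox@example.net", "verificationStatus": "pending"}
  ]
}"""


def build_refresh_request(client_id: str, client_secret: str,
                          refresh_token: str) -> Tuple[str, bytes]:
    """RFC 6749 section 6: a form-encoded POST that trades the long-lived
    refresh token for a short-lived bearer access token."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
        "grant_type": "refresh_token",
    }).encode("ascii")
    return TOKEN_URL, body


def parse_token_response(raw: bytes) -> str:
    data = json.loads(raw)
    if "access_token" not in data:
        # Google answers e.g. {"error": "invalid_grant", ...} when the
        # token was revoked or the client credentials do not match it.
        raise RuntimeError(f"{data.get('error')}: {data.get('error_description')}")
    return data["access_token"]


def pending_forwarding_addresses(raw: bytes) -> List[str]:
    """forwardingAddresses.list returns ForwardingAddress objects with
    forwardingEmail and verificationStatus ('accepted' or 'pending');
    the key is absent when no forwarding address is configured."""
    data = json.loads(raw)
    return [a["forwardingEmail"]
            for a in data.get("forwardingAddresses", [])
            if a.get("verificationStatus") == "pending"]


def main(client_id: str, client_secret: str, refresh_token: str) -> List[str]:
    url, body = build_refresh_request(client_id, client_secret, refresh_token)
    with urllib.request.urlopen(urllib.request.Request(url, data=body, method="POST")) as resp:
        access_token = parse_token_response(resp.read())
    req = urllib.request.Request(FORWARDING_URL,
                                 headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req) as resp:
        return pending_forwarding_addresses(resp.read())


if __name__ == "__main__":
    import sys
    print(main(*sys.argv[1:4]))  # usage: script.py CLIENT_ID CLIENT_SECRET REFRESH_TOKEN
```

A refresh token is a long-lived credential, not a snapshot: every exchange mints a fresh access token, and the account holder can see and revoke the application's access from the account's third-party access settings. In a real matter this step is taken only under the legal authority that covers the seizure, with the minted access token discarded once the evidence has been collected.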

10 - The REST is History
  • Part 1
  • Part 2
Part 1

Your work on the last challenge, (Un)authorized Access, paved the way to a detailed investigation of the suspect's online activity.

One data point that is of interest now is a message in the suspect's Gmail mailbox. The message was believed to have been labeled with the "PFAS" label at some point in time.

Find the message and enter its Message-Id*. You can use the same authentication technique as you did during (Un)authorized Access.

* The unique identifier found in the "Message-Id" header field. Not the "id" field used in Gmail API to address messages.

Part 2

Congratulations on locating that crucial message! You are now asked to determine the earliest time the "PFAS" label could have been removed from the message based on the information available to you.

Enter the timestamp in UTC in the following format: yyyy-mm-dd hh:mm:ss (e.g., 2005-11-20 13:17:51)

© 2021 Metaspike. All rights reserved. Los Angeles, CA.