ART200 – Analyze the system log on macOS

HackingPractice 2020. 7. 27. 11:03

1) The MacBook’s model, OS version (10 points)

2019-04-29 11:21:31.491768+0900 0x3483 Default 0x0 344 7 CalendarAgent: (CalendarFoundation) [com.apple.calendar:calendar] [com.apple.calendar.store.log.caldav.http] [X-MMe-Client-Info: <MacBookPro15,1> <Mac OS X;10.14.2;18C54> <com.apple.AuthKit/1 (com.apple.CalendarAgent/416)>]

Model: MacBookPro15

OS version: Mac OS X 10.14.2

2) iCloud account and suspect’s name (10 points)

2019-04-29 11:31:53.090396+900 0xf42 Default 0x0 344 7 CalendarAgent: (CalendarFoundation) [com.apple.calendar:calendar] [com.apple.calenda.store.log.caldav.queue] [NSErrorFailingURLStringKey=https://jack.dfc2019%40gmail.com@p51 - caldav.icloud.com/1091198233/principal]

iCloud account: jack.dfc2019@gmail.com

Name: jack

3) All devices’ information (e.g. model, unique identifier, owner, method, etc.) connected or mounted with MacBook (5 points per correct answer)

2019-04-29 11:16:09.840002+0900 0x2fa Default 0x0 96 3 bluetoothd: (IOBluetooth) [com.apple.bluetooth:IOBluetoothDevice] Update serviceMask Jack's AirPods 524424

2019-04-29 11:16:09.839896+0900 0x2fa Default 0x0 96 3 bluetoothd: (IOBluetooth) [com.apple.bluetooth:IOBluetoothDevice] Update serviceMask Jack's Appleatch 0

2019-04-29 11:16:09.840019+0900 0x2fa Default 0x0 96 3 bluetoothd: (IOBluetooth) [com.apple.bluetooth:IOBluetoothDevice] Update serviceMask Jack's iPad 0

2019-04-29 11:16:09.840044+0900 0x2fa Default 0x0 96 3 bluetoothd: (IOBluetooth) [com.apple.bluetooth:IOBluetoothDevice] Update serviceMask Jack's iPhone 0

2019-04-29 11:16:09.839983+0900 0x2fa Default 0x0 96 3 bluetoothd: (IOBluetooth) [com.apple.bluetooth:IOBluetoothDeviceConfigUserLib] AAP Device: Setting ServiceMask to 524424

Connected devices: Apple Watch, AirPods, iPad and iPhone.

1. Apple Watch

<SFAutoUnlockDevice: 0x7fab12339060, uniqueID:13FCA8C3-5940-404E-B6A3-1594E4569EA1, bluetooth ID:6F3C193B-918C-4642-B299-CF39AA68F1F8, cloud paired:YES, modelIdentifier:Watch4,1, name:Jack's Apple Watch, unlockEnabled:YES>

Model: Apple Watch 4

Identifier: 13FCA8C3-5940-404E-B6A3-1594E4569EA1

Bluetooth ID: 6F3C193B-918C-4642-B299-CF39AA68F1F8

Owner: Jack

"Jack's Apple Watch", 13FCA8C3-5940-404E-B6A3-1594E4569EA1, Watch4,1, 16T225, BT=6f3c193b-918c-4642-b299-cf39aa68f1f8

Build: 16T225

2019-04-29 11:17:10.139209+0900 0x2fa Default 0x0 96 3 bluetoothd: (IOBluetooth) [com.apple.bluetooth:bluetoothd] Device Connected with address: 08-f4-ab-4f-b1-62 and classOfDevice 0x000000 and connectionHandle 0x0042

Address: 08-f4-ab-4f-b1-62

2019-04-29 11:16:59.958746+0900 0x2fa Default 0x0 96 7 bluetoothd: (IOBluetooth) [com.apple.bluetooth:magicpairing] [saveNewKeys] Setting VID for Jack's AirPods to 0x004C

2019-04-29 11:16:59.958754+0900 0x2fa Default 0x0 96 7 bluetoothd: (IOBluetooth) [com.apple.bluetooth:magicpairing] [saveNewKeys] Setting PID for Jack's AirPods to 0x2002

Vendor ID (AirPods): 0x004C

Product ID (AirPods): 0x2002

Owner: Jack

2. iPhone

2019-04-29 11:16:24.826353+0900 0xa35 Default 0x0 274 0 secd: [com.apple.securityd:accountLogState] PI: [name: Jack's iPhone] [mASrBKV] [type: iPhone] [spid: 0XmFliKW] [os: 16E227] [devid: Unknown] [serial: F17X5B9BJWLM]

2019-04-29 11:16:24.832620+0900 0xa35 Default 0x0 274 0 secd: [com.apple.securityd:accountLogState] PI: [name: Jack's iPhone] [mASrBKV] [type: iPhone] [spid: X79AGAvV] [os: 16C104] [devid: 7984006F] [serial: C38SHFW1HFY7]

- iPhone 1

Serial: F17X5B9BJWLM

Build: 16E227

Owner: Jack

- iPhone 2

Device ID: 7984006F

Serial: C38SHFW1HFY7

Build: 16C104

Owner: Jack

Keychain Items: ("handoff-own-encryption-key","handoff-decryption-key-D7042AF5-F3AB-4DEE-9F68-EFD776783B3E","handoff-decryption-key-7984006F-AA1F-4836-8691-D6A9FBBD5E34","handoff-decryption-key-EB4FEB12-B08C-4D7B-AF05-5D3FB013BD9D","handoff-decryption-key-13FCA8C3-5940-404E-B6A3-1594E4569EA1")    

- iPhone 2

Identifier: 7984006F-AA1F-4836-8691-D6A9FBBD5E34

"Jack's iPhone", EB4FEB12-B08C-4D7B-AF05-5D3FB013BD9D, iPhone10,5, 16E227, BT=2b89ed4b-7a7d-4d5f-b4e6-c723bd89c6d0

Model: iPhone10,5

Identifier: EB4FEB12-B08C-4D7B-AF05-5D3FB013BD9D

Bluetooth ID: 2b89ed4b-7a7d-4d5f-b4e6-c723bd89c6d0

osver = "iphone 18.5.0 (16E227)";

OS version: iphone 18.5.0

"f1-18-98-c2-cd-40" =         {
            Address = <f01898c1 cd49>;
            AddressType = 0;
            CloudTimeStamp = 45262273529;
            EDIV = <0000>;
            IDSDeviceID = "EB4FEB12-B08C-4D7B-AF05-5D3FB013BD9D";
            IRK = <f31385da 7df3e1af f8768c51 211bca86>;
            LTK = <22b2ac6e cb95faf1 7887b82e 313183c0>;
            LTKLength = <10>;
            MITMProtection = 1;
            OriginalAddressType = 1;
            RAND = <00000000 00000000>;
            SecureConnection = <01>;
        }

Device Address: f1-18-98-c2-cd-40

3. iPad

2019-04-29 11:16:24.826109+0900 0xa35 Default 0x0 274 0 secd: [com.apple.securityd:accountLogStat] PI: [name: Jack's iPad] [mASrBKV] [type: iPad] [spid: yJ0zVscV] [os: 16D57] [devid: D7442AF5] [serial: DLXV32RFJ262]

Device ID: D7442AF5

Serial: DLXV32RFJ262

Owner: Jack

Build: 16D57

2019-04-29 11:16:27.242141+0900 0xef5 Default 0x0 373 3 cloudpaird: [com.apple.bluetooth:idsCloudPairing] cloudpaird: checkIDSDeviceList: Already paired to device Jack's iPad with uniqueID: D7042AF5-F3AB-4DEE-9F68-EFD776783B3E

Identifier: D7042AF5-F3AB-4DEE-9F68-EFD776783B3E

"Jack's iPad", D7042AF5-F3AB-4DEE-9F68-EFD776783B3E, iPad7,1, 16D57, BT=d1e20052-43f9-4686-b1e5-5c78c5bb033b

Model: iPad7,1

Bluetooth ID: d1e20052-43f9-4686-b1e5-5c78c5bb033b

4. iamsuperiPad

2019-04-29 11:17:22.514785+0900 0x1732 Default 0x0 454 0 System Preferences: (IOBluetoothUI) Bluetooth property update notification for iamsuperiPad - VendorID=0x004C VendorIDSrc=0x0001 ProductID=0x7010 ColorID=0xFF
mIOService - 130835
mIOConnection - 0
mIONotification - 100747
Device Address - d0-82-7b-f3-d1-2b
mName - iamsuperiPad
display Name - (null)
mServiceClassMajor - 350
mDeviceClassMajor - 1
mDeviceClassMinor - 4
mPageScanRepetitionMode - 1
mPageScanPeriodMode - 0
mPageScanMode - 0
mClockOffset - 0
mConnectionHandle - b
mLinkType - 1
mEncryptionMode - 0
mRFCOMMConnection - 0x0
manufacturerName - f
lmpVersion - 8
lmpSubversion - 6103

Vendor ID: 0x004C
Product ID: 0x7010
Device Address: d0-82-7b-f3-d1-2b
Connection method: Bluetooth
Name: iamsuperiPad
Display Name: (null)

5. USB

2019-04-29 11:22:42.009736+0900 0x820 Default 0x0 0 0 kernel: (IOUSBFamily) USBMSC Identifier (non-unique): 4C532000000205114490 0x781 0x5566 0x126, 2

Serial: 4C532000000205114490
Vendor ID: 0x781
Product ID: 0x5566
Version: 0x126
First connection time: 2019-04-29 11:22:42 (UTC+9)

6. Wi-Fi

2019-04-29 11:16:21.505987+0900 0x328 Default 0x0 54 0 configd: (IPConfiguration) [com.apple.IPConfiguration:Server] en0: SSID iptime BSSID 0:8:9f:cb:db:40

SSID: iptime
BSSID: 0:8:9f:cb:db:40

2019-04-29 11:21:47.379902+0900 0x328 Default 0x0 54 0 configd: (IPConfiguration) [com.apple.IPConfiguration:Server] en0: SSID STARBUCKS_5G BSSID 91:9f:33:c7:ab:63

SSID: STARBUCKS_5G
BSSID: 91:9f:33:c7:ab:63
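
As an added example (not part of this write-up), the following Python parses `log show`-style text lines like the ones quoted above and pulls out the artifacts behind questions 1 to 3 in one pass: host model and OS, the iCloud login, paired Bluetooth device names, the secd peer-info record, the USB mass-storage identifier and Wi-Fi joins. The sample lines are copied from this page; the header layout and the message regular expressions are this example's own assumptions, not an Apple-documented format.

```python
import re
from urllib.parse import unquote

# Constructed sample: lines copied from the `log show` output quoted in this write-up.
SAMPLE_LOG = """\
2019-04-29 11:21:31.491768+0900 0x3483 Default 0x0 344 7 CalendarAgent: (CalendarFoundation) [com.apple.calendar:calendar] [com.apple.calendar.store.log.caldav.http] [X-MMe-Client-Info: <MacBookPro15,1> <Mac OS X;10.14.2;18C54> <com.apple.AuthKit/1 (com.apple.CalendarAgent/416)>]
2019-04-29 11:31:53.090396+900 0xf42 Default 0x0 344 7 CalendarAgent: (CalendarFoundation) [com.apple.calendar:calendar] [com.apple.calenda.store.log.caldav.queue] [NSErrorFailingURLStringKey=https://jack.dfc2019%40gmail.com@p51-caldav.icloud.com/1091198233/principal]
2019-04-29 11:16:09.840002+0900 0x2fa Default 0x0 96 3 bluetoothd: (IOBluetooth) [com.apple.bluetooth:IOBluetoothDevice] Update serviceMask Jack's AirPods 524424
2019-04-29 11:16:09.840044+0900 0x2fa Default 0x0 96 3 bluetoothd: (IOBluetooth) [com.apple.bluetooth:IOBluetoothDevice] Update serviceMask Jack's iPhone 0
2019-04-29 11:16:24.826353+0900 0xa35 Default 0x0 274 0 secd: [com.apple.securityd:accountLogState] PI: [name: Jack's iPhone] [mASrBKV] [type: iPhone] [spid: 0XmFliKW] [os: 16E227] [devid: Unknown] [serial: F17X5B9BJWLM]
2019-04-29 11:22:42.009736+0900 0x820 Default 0x0 0 0 kernel: (IOUSBFamily) USBMSC Identifier (non-unique): 4C532000000205114490 0x781 0x5566 0x126, 2
2019-04-29 11:16:21.505987+0900 0x328 Default 0x0 54 0 configd: (IPConfiguration) [com.apple.IPConfiguration:Server] en0: SSID iptime BSSID 0:8:9f:cb:db:40
"""

# Assumed `log show` text layout: timestamp, thread, type, activity, PID, TTL, "process:" and the message.
HEADER = re.compile(r"^(?P<ts>\S+ \S+) (?P<thread>0x[0-9a-f]+) (?P<type>\w+) (?P<act>0x[0-9a-f]+) "
                    r"(?P<pid>\d+) (?P<ttl>\d+) (?P<proc>[^:]+): (?P<msg>.*)$")

def parse_line(line):
    """Split one unified-log line into header fields plus the message; None if it is not a log line."""
    m = HEADER.match(line)
    return m.groupdict() if m else None

def analyze(text):
    """Collect the host, account, peripheral and network artifacts the challenge asks for."""
    out = {"mac": None, "icloud_account": None, "bluetooth": [], "ios_devices": [], "usb": [], "wifi": []}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        msg, ts = rec["msg"], rec["ts"]
        if m := re.search(r"X-MMe-Client-Info: <([^>]+)> <([^>]+)>", msg):        # Q1: model and OS
            name, ver, build = m.group(2).split(";")
            out["mac"] = {"model": m.group(1), "os": f"{name} {ver} ({build})"}
        elif m := re.search(r"NSErrorFailingURLStringKey=https://([^@/]+)@", msg):  # Q2: iCloud login
            out["icloud_account"] = unquote(m.group(1))                         # %40 -> @
        elif m := re.search(r"Update serviceMask (.+) (\d+)$", msg):            # Q3: paired BT names
            out["bluetooth"].append({"name": m.group(1), "service_mask": int(m.group(2)), "ts": ts})
        elif " PI: [" in msg:                                                    # Q3: secd peer info
            out["ios_devices"].append(dict(re.findall(r"\[(\w+): ([^\]]*)\]", msg)))
        elif m := re.search(r"USBMSC Identifier \(non-unique\): (\S+) (0x\w+) (0x\w+) (0x\w+)", msg):
            keys = ("serial", "vendor_id", "product_id", "version", "first_seen")
            out["usb"].append(dict(zip(keys, m.groups() + (ts,))))              # Q3: USB storage
        elif m := re.search(r"SSID (\S+) BSSID (\S+)", msg):                    # Q3: Wi-Fi joins
            out["wifi"].append({"ssid": m.group(1), "bssid": m.group(2), "ts": ts})
    return out

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

On a real case, feed it the output of `log show --style syslog` (or the text export of the challenge's log) instead of SAMPLE_LOG; the timestamps of each hit double as the first-seen times asked for in question 3.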

4) Downloaded apps using App Store (10 points)

    {
        BackgroundState = 2;
        BundleID = "com.readdle.smartemail-mac";
        Hide = 0;
        Path = "/Applications/Spark.app";
    },
    {
        BackgroundState = 2;
        BundleID = "ru.keepcoder.telegram";
        Hide = 0;
        Path = "/Applications/Telegram.app";
    },
    {
        BackgroundState = 2;
        BundleID = "com.apple.appstore";
        Hide = 0;
        Path = "/Applications/App Store.app";
    },
    {
        BackgroundState = 2;
        BundleID = "com.apple.systempreferences";
        Hide = 0;
        Path = "/Applications/System Preferences.app";
    },
    {
        BackgroundState = 2;
        BundleID = "com.apple.finder";
        Hide = 0;
        Path = "/System/Library/CoreServices/Finder.app";
    }

2019-04-29 11:19:09.819527+0900 0x26b2 Default 0x0 431 0 storeassetd: [com.apple.commerce:default] SoftwareMap: Found app at <CKSoftwareProduct: 0x7fa92c644120>: (com.readdle.smartemail-Mac, 2.3.2, 1176895641:830686819 VPP:NO md:0x7fa92c50ace0 /Applications/Spark.app)  using SoftwareMap to upgrade to 2.3.2

2019-04-29 11:18:51.649525+0900 0x256a Default 0x0 431 0 storeassetd: [com.apple.commerce:default] SoftwareMap: Found app at <CKSoftwareProduct: 0x7fa92e113940>: (ru.keepcoder.Telegram, 5.1.1, 747648890:830924319 VPP:NO md:0x7fa92c72ee80 /Applications/Telegram.app)  using SoftwareMap to upgrade to 5.1.1

What is Spotlight?
On a Mac it lets you search for apps, documents and other files, or pull up various information through its suggestions.

Spark.app and Telegram.app were installed from the App Store.

5) Attachments of email and their source (10 points)

2019-04-29 11:26:08.406237+0900 0x50ef Default 0x0 669 0 Mail: (Mail) [com.apple.mail:Library] Attachment already exists at /Users/Jack/Library/Mail/V6/8340C421-1D4A-4EA1-B3B4-C453ABBA1939/[Gmail].mbox/Drafts.mbox/60E3CB0F-1633-4264-8EF5-FF29A36A5C46/Data/5/Attachments/5384/2/simon-rattle.pdf

2019-04-29 11:26:08.905412+0900 0x5302 Default 0x0 669 14 Mail: (IMAP) [com.apple.mail:IMAPSyncActivity] [yolo.sunflower@gmail.com - All Mail] <Sync> Operation {<IMAPSyncSkeletonsOperation: 0x600003beb0c0> message numbers: 4 including labels} finished

Attachment: simon-rattle.pdf

Email: yolo.sunflower@gmail.com

6) Someone seems to have received the material. Phone number and email address of a suspect and the receiver (10 points)

2019-04-29 11:26:08.406237+0900 0x50ef Default 0x0 669 0 Mail: (Mail) [com.apple.mail:Library] Attachment already exists at /Users/Jack/Library/Mail/V6/8340C421-1D4A-4EA1-B3B4-C453ABBA1939/[Gmail].mbox/Drafts.mbox/60E3CB0F-1633-4264-8EF5-FF29A36A5C46/Data/5/Attachments/5384/2/simon-rattle.pdf

2019-04-29 11:26:08.905412+0900 0x5302 Default 0x0 669 14 Mail: (IMAP) [com.apple.mail:IMAPSyncActivity] [yolo.sunflower@gmail.com - All Mail] <Sync> Operation {<IMAPSyncSkeletonsOperation: 0x600003beb0c0> message numbers: 4 including labels} finished

SFAppleIDAccount AppleID: BTS.army@dfchallenge.org, AltDSID: 000727-05-3bbb2f73-0f80-44fc-b360-e79b32ba0c07, Certificate Token: NULL, Certificate Token Creation Date: NULL, Contact Info: SFAppleIDContactInfo First Name: bumin, Last Name: na, Validated Email Addresses: [ "BTS.army@dfchallenge.org" ], Validated Phone Numbers: [ "8210111112019" ], Creation Date: 2018-09-07 13:28:11.145, Identity: SFAppleIDIdentity Account Identifier: com.apple.idms.appleid.prd.000727-05-3bbb2f73-0f80-44fc-b360-e79b32ba0c07, AltDSID: 000727-05-3bbb2f73-0f80-44fc-b360-e79b32ba0c07, AppleID: BTS.army@dfchallenge.org, Certificate Expiration Date: 2020-09-06 13:18:55.000, Certificate Persistent Reference: 0x00007FAB0FD14460, Intermediate Certificate Persistent Reference: 0x00007FAB0FD14500, Invalid: no, Last Validation Attempt: 2018-09-07 13:29:17.974, Last Validation: 2018-09-07 13:29:17.974, Last Modification: 2018-09-07 13:29:17.974, Linked To Current User: yes, Needs Renewal: no, Serial Number: 54e6f9f01db<??

-- SDAppleIDAgent --
Creation Date:                       2019-04-29 02:16:25.720
Enabled:                             yes
Push Environment:                    production
Apple ID:                            BTS.army@dfchallenge.org
First Name:                          bumin
Last Name:                           na
AltDSID:                             000727-05-3bbb2f73-0f80-44fc-b360-e79b32ba0c07
Validation Record (VR) Available:    yes
VR AltDSID:                          000727-05-3bbb2f73-0f80-44fc-b360-e79b32ba0c07
VR Valid Start Date:                 2019-04-23 07:32:19.000
VR Suggested Valid Duration:         2592000
VR Next Check Date:                  2019-04-28 07:32:19.310
VR Needs Update:                     yes
VR Invalid:                          no
Validated Email Addresses:           BTS.army@dfchallenge.org
Validated Email Hashes:              e13ed...afca2
Validated Phone Numbers:             8210111112019
Validated Phone Hashes:              3b67e...f3f2d
Temporary Private Key Reference:     no
Private Key Persistent Reference:    yes
Certificate Available:               yes
Certificate Account Identifier (AI): com.apple.idms.appleid.prd.000727-05-3bbb2f73-0f80-44fc-b360-e79b32ba0c07
Certificate Expiration Date:         2020-09-06 13:18:55.000
Certificate Serial Number:           54e6f9f01db18c46
Certificate Token:                   NULL
Certificate AI and VR AltDSID match: yes
Intermediate Certificate Available:  yes
Identity Available:                  yes
Identity Invalid:                    no
Identity Needs Renewal:              no
Apple ID Linked To Current User:     yes
Device Unlocked Once:                yes
Old Agent Identity Queried:          yes
Old Agent Identity Used:             no
Last Sign In Date:                   2018-09-07 13:27:55.461
Last Sign Out Date:                  NULL
Last Apple ID To Sign Out:           NULL
Last All Good Date:                  2019-04-26 03:27:11.372
Account state:                       All Good

Suspect: bumin na

Email address: BTS.army@dfchallenge.org

Phone number: 82 10111112019