So the key for this one was a file that maps names to IP. This immediately jumps out as a DNS-related artefact, specifically the hosts file.
A hosts file is a local file that your computer will check when resolving domain names before it reaches out to a DNS server. It is a list of FQDNs that map to IPs. For example, if I added an entry like the one below, it would mean that when I type magnetforensics.com into my browser, it will resolve to whatever I'm hosting on my loopback address (127.0.0.1).
127.0.0.1 magnetforensics.com
Here are the locations of the hosts file on the major OSs.
- Windows: C:\Windows\System32\drivers\etc\hosts
- Linux: /etc/hosts
- MacOS: /private/etc/hosts
- iOS: /etc/hosts (requires root access)
- Android: /system/etc/hosts
In MUS_Android.tar, there are 2 hosts files, but the one the system would have been using is /data/adb/modules/hosts/system/etc/hosts.
There is also a copy of this file in the downloads folder? Maybe the hosts file in the system was replaced by one that was downloaded?
We can see that the file was modified on Thursday, 5 March 2020, 4:50:18 PM (my time zone).
In UTC that is 05/03/2020 05:50:18, or 03/05/2020 05:50:18 in American format.
If we peek inside, we see an unusual entry which could be covered in the next challenges…
Answer: 03/05/2020 05:50:18
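An added example, not part of the original write-up: a small triage script that parses hosts-file text, flags every name that is not a stock loopback alias, and renders a modification time in UTC in both date orders. The sample file contents, the STOCK_NAMES baseline and the function names are constructed for illustration, and the UTC+11 offset is inferred from the two times quoted above rather than stated by the author.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed sample; NOT the contents of the hosts file in MUS_Android.tar.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1   localhost
::1         ip6-localhost
127.0.0.1   magnetforensics.com   # example entry from the write-up
192.0.2.10  updates.example.test www.example.test
not-an-ip   broken.example.test
"""

# Loopback aliases commonly shipped by default (assumed baseline; adjust per OS).
STOCK_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

def parse_hosts(text):
    """Return (line_no, ip, [names]) for each well-formed entry."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue  # blank, comment-only, or address without a name
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address
        entries.append((line_no, str(ip), fields[1:]))
    return entries

def unusual_entries(entries):
    """Flag every name that is not a stock loopback alias."""
    return [(n, ip, name) for n, ip, names in entries
            for name in names if name.lower() not in STOCK_NAMES]

def utc_formats(epoch_seconds):
    """Render an mtime (seconds since epoch) in UTC as (DD/MM/YYYY, MM/DD/YYYY)."""
    dt = datetime.fromtimestamp(epoch_seconds, tz=timezone.utc)
    return dt.strftime("%d/%m/%Y %H:%M:%S"), dt.strftime("%m/%d/%Y %H:%M:%S")

# Local time from the write-up; the UTC+11 offset is inferred from the two
# times quoted there (16:50:18 local vs 05:50:18 UTC), not stated by the author.
LOCAL_MTIME = datetime(2020, 3, 5, 16, 50, 18, tzinfo=timezone(timedelta(hours=11)))

if __name__ == "__main__":
    for hit in unusual_entries(parse_hosts(SAMPLE_HOSTS)):
        print("review:", hit)
    print(utc_formats(LOCAL_MTIME.timestamp()))
```

On an extracted image, pass the file's text to parse_hosts and os.stat(path).st_mtime to utc_formats; working from the epoch value avoids the analyst's local time zone leaking into the reported timestamp.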