Tuesday, December 2, 2014

Kaizen - Android Forensics #3 (find and read the cached contents of previously viewed webpages)

File: android-forensics.zip

Here's the challenge text from Android Forensics #3:

Prior to backing up his phone, the user visited a website using his phone to generate a password. What password did he generate?

Hmm, so for this one it looks like we'll need to view the content of previously fetched web browser data. Figuring there must be directories that hold the cached browser content somewhere, I navigated to the /data/data/com.android.browser/ directory.

Hoping that just searching for the text "password" somewhere within the files of this directory would lead me in the right direction, I ran grep -r "password" * and got back some interesting results.

After reading through a few of the cached webpages, it was clear that the user had used a website to generate random password strings. Eventually, I looked in the cache/webviewCache/c992b966 file, which contains the following snippet:

    <CENTER><H1>1 Random Password</H1></CENTER>
    <FONT SIZE=6>
    <PRE>
    <UL>
    <LI><B>eb8hapvo</B></LI>
    </UL>
    </PRE>


This is it! We've got the password.
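The keyword search above, generalized as an added example (not part of the original post): it walks an extracted app data directory, matches the keyword case-insensitively, inflates gzip-compressed entries that a plain grep -r would not match, and returns only the visible text of each hit. The function and class names are hypothetical, and the gzip handling is an assumption, since the post does not say how the cached bodies were stored.

```python
import gzip
import os
import re
import zlib
from html.parser import HTMLParser


class VisibleText(HTMLParser):
    """Collect visible text nodes, skipping <script>/<style> bodies."""

    def __init__(self):
        super().__init__()
        self.chunks, self._skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip and data.strip():
            self.chunks.append(data.strip())


def read_cache_entry(path):
    """Return a cache file as text, inflating it first if it is gzip data."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw[:2] == b"\x1f\x8b":  # gzip magic bytes (assumed storage case)
        try:
            raw = gzip.decompress(raw)
        except (OSError, EOFError, zlib.error):
            pass  # truncated or not really gzip: search the raw bytes
    return raw.decode("utf-8", errors="replace")


def search_cache(cache_dir, keyword):
    """Map each file under cache_dir that mentions keyword to its visible text."""
    pattern = re.compile(re.escape(keyword), re.IGNORECASE)
    hits = {}
    for root, _dirs, files in os.walk(cache_dir):
        for name in files:
            path = os.path.join(root, name)
            text = read_cache_entry(path)
            if pattern.search(text):
                parser = VisibleText()
                parser.feed(text)
                parser.close()
                hits[os.path.relpath(path, cache_dir)] = parser.chunks
    return hits
```

Calling search_cache() on the extracted com.android.browser directory with the keyword "password" returns a dict keyed by relative file path, so each candidate page can be reviewed as plain text instead of raw HTML.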

