Skip to content

Document Analysis⚓︎

Elf: Piney Sappington
Direct link: exif terminal
Objective: Where in the World is Caramel Santaigo?

Request⚓︎

Piney Sappington

Hi ho, Piney Sappington at your service!
Well, honestly, I could use a touch of your services.
You see, I've been looking at these documents, and I know someone has tampered with one file.
Do you think you could log into this Cranberry Pi and take a look?
It has exiftool installed on it, if that helps you at all.
I just... Well, I have a feeling that someone at that other conference might have fiddled with things.
And, if you help me figure this tampering issue out, I'll give you some hints about OSINT, especially associated with geographic locations!

Solution⚓︎

Welcome message
HELP! That wily Jack Frost modified one of our naughty/nice records, and right 
before Christmas! Can you help us figure out which one? We've installed exiftool
for your convenience!

Filename (including .docx extension) >

Using exiftool we can check the Last Modified By field in each document's metadata to verify who tampered with it last. For convenience we pipe the output to tail -7 to only print the last 7 lines. 2021-12-21.docx stands out from the rest because it shows that Jack Frost was the one who made the final edit and not Santa Claus.

Finding Jack

Instead of manually checking each file, we can also write a short Bash script which loops over each file (line 2) and retrieves the Last Modified By property from the document's metadata if it doesn't contain the word santa (line 3). When there's a match, the filename and the Last Modified By information are printed (lines 5-6).

find_file.sh

1
2
3
4
5
6
7
8
#!/usr/bin/env bash
for f in $(ls *.docx); do 
    match=$(exiftool $f | grep -i 'last modified by' | grep -iv 'santa')
    if [[ ! -z "$match" ]]; then 
        echo $f;
        echo $match;
    fi
done

Bash script

Looking at the file's revision history, it appears that Jack Frost added Noxious O. D'or to the top of the Nice list!

Track changes

Answer

2021-12-21.docx

Response⚓︎

Piney Sappington

Wow, you figured that out in no time! Thanks!
I knew they were up to no good.
So hey, have you tried the Caramel Santaigo game in this courtyard?
Carmen? No, I haven't heard of her.
So anyway, some of the hints use obscure coordinate systems like MGRS and even what3words.
In some cases, you might get an image with location info in the metadata. Good thing you know how to see that stuff now!
(And they say, for those who don't like gameplay, there might be a way to bypass by looking at some flavor of cookie...)
Oh, and don't forget to learn about your target elf and filter in the Interrink system!