CTF on a Budget - Magnet User Summit 2019 (Part 2) - Mobile




Part 1 - Desktop

For part 2, we will take a look at the mobile image and the Google Takeout data to solve more questions.


MOBILE

1. Image Type - What type of mobile image do you have?

The file name of the zip export gives you a hint as to what type of image we are working with. It is a Quick Image.

2. IMSI - What is the IMSI for the SIM Card?

Under the Operating System > Android Device Information field we can see the IMSI should be 311480460682294.


3. Basic Info - What is the phone number for the device in the format 2125551212?

Another question that can be answered by looking at the Android Device Information: the phone number is 3153165956.

4. Google Search - Which Google search was made on the phone on Dec 4, 2018?

For this we can look at the Cloud Google Activity and filter down to the date as well as the action as “Searched”. We see 3 results, but only one that matches any answers, so it is “iguana potty training”.


5. User Name - What is the mobile device owner’s username on Kik?

A quick keyword search for “Kik” brings up some SMS messages that show a user name of "selmabspring".


6. Travel - What country was the mobile phone in on December 7th?

A quick timeline analysis for the date brings up an SMS message from TravelPass that shows the user was in Australia.

7. Pictures - What is the file name of the largest picture taken with the phone camera?

This is fairly simple: we can go to Media > Pictures and then use the Make column to filter on “samsung”. We can then sort by size and get the picture name "20181209_144014.jpg".

8. Email Address - What is the home email address for the user that is texted on Feb 13, 2019?

Viewing the SMS chat messages, we see that only one user was contacted on that day, Phoebe Washington. Under Identifiers, we can look at Phoebe’s contact information and see her home email address is phoeb5042002@icloud.com.

9. Invite - What email address sent the Mega invite?

A quick keyword search for “Mega” leads us to a Gmail message in the Inbox showing that “wdoobner@putinsangels.com” sent the invite.

10. Kik User Photo - Which imagery is part of the user’s Kik avatar?

A quick search for Kik pulls up a few media files associated with the Kik folder on the phone:

The picture shows a penguin swimming.

11. Domestic Travel - What state was the phone in on December 25th, 2018?

Timeline analysis reveals that a few searches were performed:

“Best tacos in orlando”
“Iguanas in orlando”

We also see a picture was taken of Bumblebee Man’s Taco truck.

A quick Google search reveals it to be in Orlando as well, so the presumption, and the correct answer, is Florida.

12. Theme Park - What theme park was the mobile device in on Dec 25, 2018?

After getting the last question correct, this question pops up. Since we knew the user visited Bumblebee Man’s Taco truck, we can infer that they were at Universal Studios.

13. App Download Methods - Which of the following apps was NOT downloaded from Google Play?

This one was a little tough; the only thing I could tell was that the install dates for Facebook, Skype and Kik all aligned together:

Whereas YouTube was installed around the same time as the Samsung and Google default apps, which made me think it was installed from a base image and not through the Google Play store (which turned out to be correct).


14. Timezone - What time zone was the phone in on Dec 9th?

Using timeline analysis we see a bunch of pictures being taken on that day. An interesting clue is the EXIF data for some of them.

We can see the created dates are a bit stomped, but the Last Accessed compared to the Date/Time - Local Time is exactly 12 hours ahead. I looked to see what countries were in that zone and New Zealand fit the mold, but that was on 12/4, so that couldn’t be the answer. I did see evidence of travel to Australia on 12/7. This was later confirmed by looking at the pictures taken on 12/9 more closely and seeing the Sydney Opera House in the background.

Going off that, I assumed we were set in UTC+11, which ended up being the answer.
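The offset comparison above can be scripted rather than eyeballed. The following is an added example, not code from the original post: it takes a photo's EXIF local capture time (which carries no zone) and a UTC reference timestamp for the same file, computes the implied UTC offset, and lists the IANA zones that had that offset on that date, DST-aware. The sample timestamps are constructed; only the 2018-12-09 14:40:14 wall time is borrowed from the file name in question 7.

```python
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo, available_timezones


def parse_exif_local(value):
    """EXIF DateTimeOriginal is local wall-clock time with no zone, e.g. '2018:12:09 14:40:14'."""
    return datetime.strptime(value, "%Y:%m:%d %H:%M:%S")


def infer_offset(exif_local, utc_reference, granularity_min=15):
    """Offset implied by (local wall time - UTC reference), rounded to the nearest
    granularity_min minutes because file-system timestamps lag the shutter slightly."""
    delta = exif_local - utc_reference.astimezone(timezone.utc).replace(tzinfo=None)
    step = timedelta(minutes=granularity_min)
    return round(delta / step) * step


def candidate_zones(offset, when_utc):
    """IANA zones whose offset on that particular date (DST included) equals `offset`.
    Returns an empty list when no tz database is installed."""
    matches = []
    for name in sorted(available_timezones()):
        try:
            tz = ZoneInfo(name)
        except Exception:  # zone present in the index but not loadable
            continue
        if when_utc.astimezone(tz).utcoffset() == offset:
            matches.append(name)
    return matches


def example():
    # Constructed sample: EXIF says 14:40:14 local, the file landed on disk at 03:40:20 UTC.
    exif_local = parse_exif_local("2018:12:09 14:40:14")
    utc_ref = datetime(2018, 12, 9, 3, 40, 20, tzinfo=timezone.utc)
    offset = infer_offset(exif_local, utc_ref)  # 10:59:54 rounds to +11:00
    return offset, candidate_zones(offset, utc_ref)


if __name__ == "__main__":
    off, zones = example()
    print(f"implied offset: UTC{'+' if off >= timedelta() else '-'}{abs(off)}")
    print("zones with that offset on 2018-12-09:", ", ".join(zones) or "(no tzdata)")
```

Australia/Sydney is on AEDT (UTC+11) in December, so it appears among the candidates; the list is a shortlist to cross-check against other artifacts (SMS, photos), not a verdict on its own.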

15. What is the last name of the user whose email is pangolinsrock@outlook.com?

A quick keyword search for the email address brings up the full name of the user, Bri Frazier.

16. Content Distributor - What account posted the video that the mobile device visited on 4 Dec 2018 at 06:23 am UTC?

Looking at the Cloud Google Activity for that day and time, we see a YouTube video for “Iguana Taming” was watched, along with its URL.


We can see that the account that published the video is DesertedReptile98.

17. Analysis - What country was the mobile device owner in when reading a document that was "IN MEMORY OF MOE"?

I did a search for the phrase across the images with no results, which took any local documents out of the equation. I next took a look at browser history to see if anything popped up. There weren’t many actual articles, so it didn’t take too long to stumble across http://www.iguanaresource.org/pottytraining.html (as absurd as that article is).

Doing a date/time filter of ±2 days, I was able to figure out from an SMS message that the user was in New Zealand.

18. BONUS: HOLY COW BATMAN! - Congratulations! While searching the mobile device you found a BitLocker password! Here it is:

<REDACTED> I wasn’t just going to give you the password, finish the mobile section and get it yourself! (Or bribe me on Twitter)