Monday, October 26, 2020

Magnet Weekly CTF (Week 3) - Motion Photos

Previous: Week 1 | Week 2

Week 3 was an absolute doozy and what a relief to knock it out! Given 3 chances (now 4) to answer it, I definitely needed a few extra to get it correct.

Challenge 3 (OCT 19-25) Cargo Hold (40)

Which exit did the device user pass by that could have been taken for Cargo?

A few things come to mind when reading this question:

  • Maps- or directions-related artifact, potentially?
  • Photo-related, most likely
  • Geolocation?

The first place I thought of to go was inside the user-created pictures. They most likely had EXIF information relating to latitude and longitude to place a location. Taking a peek here:

MUS_Android.tar\data\media\0\DCIM\Camera

No obvious pictures stuck out to me except MVIMG_20200305_145544.jpg, a picture of a truck (they haul cargo right?!).


Is that an exit sign in the top left?! Pulling EXIF from the picture, I found coordinates for 42°42'39.97" N, 73°49'26.94" W, placing me here in Google Maps:


I see two exits, so I tried "2E" and "2W", both wrong! This is when the panic sets in, and I go back to the drawing board.

I waited for some hints, and Jessica Hyde delivered on her Cache Up show (with Shannon). She hinted that the answer can be found from some of the research she presented with Chris Vance on their webinar comparing artifacts from iOS and Android. One thing they touched on was Motion Photos for Android. Each photo that has motion is named as such, with "MV" prepended to the photo filename. Back in AXIOM, I can filter for "MVIMG" and see 8 images that have motion.


The key with these is that each image has an embedded MP4 video file inside. So I exported all of these, re-ingested them into AXIOM as a folder, and chose to carve for videos from them so it split out the video for me automatically. Pulled from "MVIMG_20200307_130326.jpg", we can see a blink-and-you'll-miss-it glimpse of a road sign.
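If you don't have AXIOM handy, the same carve can be done by hand. The script below is an added example (my own, not code from the original post or from Magnet): it relies only on the layout described above, a normal JPEG with a complete MP4 appended to the same .jpg, and locates the clip by finding the MP4's leading `ftyp` box rather than by reading any XMP metadata. The sample input it builds is a constructed minimal JPEG + MP4, not a real MVIMG file; point `main()` at a real `MVIMG_*.jpg` to get the `.mp4` written beside it.

```python
"""Carve the MP4 clip embedded in an Android Motion Photo (MVIMG_*.jpg).

Added example, not from the original post or from AXIOM. Assumes only
that the file is a JPEG followed by a complete ISO-BMFF (MP4) file.
"""
import struct
import sys
from typing import Iterator, Optional, Tuple

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
FTYP = b"ftyp"


def find_embedded_mp4(data: bytes) -> Optional[int]:
    """Return the offset where the appended MP4 starts, or None.

    An ISO-BMFF file opens with a box header: 4-byte big-endian size then
    the type 'ftyp'. So the clip starts 4 bytes before an 'ftyp' whose
    size field is plausible for an ftyp box (brands + version, tens of
    bytes). Scanning rather than trusting the JPEG EOI marker avoids
    being fooled by the EOI of an EXIF thumbnail.
    """
    if not data.startswith(JPEG_SOI):
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = data.find(FTYP, 4)
    while pos >= 4:
        start = pos - 4
        size = struct.unpack(">I", data[start:pos])[0]
        if 16 <= size <= 64 and start + size <= len(data):
            return start
        pos = data.find(FTYP, pos + 4)
    return None


def iter_top_level_boxes(mp4: bytes) -> Iterator[Tuple[str, int]]:
    """Yield (type, size) for each top-level box; raises on a truncated file."""
    off = 0
    while off + 8 <= len(mp4):
        size, btype = struct.unpack(">I4s", mp4[off:off + 8])
        hdr = 8
        if size == 1:  # 64-bit 'largesize' follows the header
            size = struct.unpack(">Q", mp4[off + 8:off + 16])[0]
            hdr = 16
        elif size == 0:  # box extends to end of file
            size = len(mp4) - off
        if size < hdr or off + size > len(mp4):
            raise ValueError(f"bad box size {size} at offset {off}")
        yield btype.decode("ascii", "replace"), size
        off += size


def carve_motion_video(jpeg: bytes) -> Optional[bytes]:
    """Return the embedded MP4 bytes, or None if the JPEG carries no clip."""
    start = find_embedded_mp4(jpeg)
    if start is None:
        return None
    mp4 = jpeg[start:]
    boxes = [t for t, _ in iter_top_level_boxes(mp4)]
    # A playable clip needs media data and a movie header, not just ftyp.
    if "mdat" not in boxes or "moov" not in boxes:
        return None
    return mp4


def build_sample_motion_photo() -> bytes:
    """Constructed input: minimal JPEG (SOI, APP1, EOI) + minimal MP4."""
    exif_payload = b"Exif\x00\x00" + b"\x00" * 10
    app1 = b"\xff\xe1" + struct.pack(">H", len(exif_payload) + 2) + exif_payload
    jpeg = JPEG_SOI + app1 + JPEG_EOI  # 24 bytes
    ftyp_body = b"mp42" + b"\x00\x00\x00\x00" + b"mp42" + b"isom"
    ftyp = struct.pack(">I", 8 + len(ftyp_body)) + FTYP + ftyp_body
    mdat = struct.pack(">I", 8 + 4) + b"mdat" + b"\xde\xad\xbe\xef"
    moov = struct.pack(">I", 8) + b"moov"
    return jpeg + ftyp + mdat + moov


def main(argv) -> int:
    """Usage: python carve_mvimg.py MVIMG_20200307_130326.jpg"""
    for path in argv[1:]:
        with open(path, "rb") as fh:
            clip = carve_motion_video(fh.read())
        if clip is None:
            print(f"{path}: no embedded MP4 found")
            continue
        out = path.rsplit(".", 1)[0] + ".mp4"
        with open(out, "wb") as fh:
            fh.write(clip)
        print(f"{path}: wrote {len(clip)} bytes to {out}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The carved file plays in any MP4-capable player, so you can step through it frame by frame for the road sign instead of relying on the carving step in AXIOM. The box walk is the sanity check: a hit on `ftyp` inside random JPEG entropy data would fail it, while a real appended clip walks cleanly to `mdat` and `moov`.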


We can clearly see a reference to "Cargo" on the sign, with the exit number being E16, the answer.
