Previous: Chromebook | Hunt! | iPhone | Mac
Last but certainly not least, we have the Google Takeout evidence from the MVS2021 CTF.
Question 1 - You got mail (5 points)
How many emails were received from notification@service.tiktok.com?
Switching over to Cloud Gmail Messages and filtering on the From Address to "TikTok", we see 6 resulting emails.
Question 2 - Hungry for directions (10 points)
Where did the user request directions to on Mar 4, 2021 at 4:15:18 AM EDT?
Under Google Map Queries we can sort by Destination Address and see only one across the whole evidence. It was for Chick-fil-A, 400 NY-3, Plattsburgh, NY 12901.
Question 3 - I got three subscribers and counting (10 points)
How many YouTube channels is the user subscribed to?
Opening the File System, we can navigate to the following path:
Takeout\YouTube and YouTube Music\subscriptions\subscriptions.json
The file didn't contain any contents which would mean that Eli had 0 subscriptions on YouTube. If he had some it would look similar to this:
Question 4 - Time flies when you're watching YT (10 points)
What date was the first YouTube video the user watched uploaded? (Format: month day, year) (Example: Feb 3 2020)
From Cloud Google Activity we can filter on Action item "Watched" to show what videos were watched. We can see that Eli watched a lacrosse highlights video on February 3rd of 2021 but we are looking for when the video was uploaded to YouTube.
Question 5 - Who defines essential? (10 points)
What was searched on Mar 4, 2021 at 4:09:35 AM EDT?
Since we know the format is in EDT, we can set the date format to Eastern Time since I keep it at UTC (UTG||GTFO). In the Google Searches parses we see a search for "is travelling to get chicken essential travel" at that time.
Question 6 - How much? (50 points)
What is the price of the belt?
Chrome browser history reveals this fairly quickly with a keyword search of "belt". We can see Eli was shopping at Vineyard Vines for a pebbled leather belt at the cost of $98.50.
