Magnet Virtual Summit 2021 CTF - iPhone


Previous: Chromebook | Hunt!

The third category for the MVS2021 CTF was probably my most well versed category, iPhone. I did a good amount of prepwork in parsing this image including those hinted at by Jessica Hyde such as the keychain parsing. This allowed me to fly through some of the higher point questions quickly. Let's take a look at the way I did things to get to the solutions.

Question 1 - Breaking Quarantine (5 points)

When does Eli go to a neighboring state? Answer in MM/DD/YYYY

Using a combination of Significant Locations and Significant Locations Visits, we can filter down to the only hit outside of Vermont, which was New York. 

Figure 1: Significant Locations

We see two different dates that the phone was possibly there. Let's look at Significant Locations Visits to narrow it down. Sorting by Vicinity Entry Date/Time we don't see any hits for the later date so I went with 02/20/2021, which ended up being the answer.
Figure 2: Significant Locations Visits

Question 2 - Burger Time (5 points)

What fast food restaurant has an application is installed on the device?

Going through Installed Applications we can look at Display Names and Package Names. Nothing sticks out right away with the Display Name but the Package Name was fairly obviously. The food app that was installed was for Chick-fil-A.

Package Name: com.engauge.Chick-fil-A

Display Name : CFAOne 

Figure 3: Installed food app

Question 3 - Get Zucked! (5 points)

What is Eli's facebook password?

 This required parsing the provided keychain plist file or by manually pulling it out. AXIOM shows that the password value was fix_my_flatt2!.

Figure 4: Facebook password from keychain.plist

Question 4 - New Watch Who Dis (5 points)

What is the MAC address of Eli's apple watch?

In Connected Devices > Bluetooth Devices we only see one option, an Apple Watch. The MAC address was 50:A6:7F:8F:A5:B6.

Figure 5: Apple watch info

Question 5 - Sanik Speed (5 points)

What was the fastest heart rate recorded for Eli?

We can check the Apple Health Heart Rate under Connected Devices and sort the Heart Rate column to see what was recorded as the fastest. We see that 146.0 was record on 2/20/2021 at 19:41:57 UTC.

Figure 6: Heart Rate from Apple Health

Question 6 - Sunny Side Up (5 points)

How does John like his eggs? (2 words)

Having previously gotten a feel for the chat content I instantly knew to look at the TikTok Messages. John likes his eggs in "chicken form".

Figure 7: TikTok message chat

Question 7 - Beefstew isn't a Stroganoff Password (10 points)

How many Apple Notes did Eli Encrypt?

I honestly expected harder questions to come from the encrypted notes but alas, it didn't seem so. We can look Apple Notes category in AXIOM and see that 3 notes were encrypted.

Figure 8: Encrypted Apple Notes

Question 8 - Big Spender (10 points)

How much (after tax) was Eli's Chick-fil-A order? Exclude Dollar sign

I had found the digital receipt in email with the subject "Chick-fil-A® Mobile Ordering Receipt" but for some reason AXIOM had encoding and preview issues for me so I went over to Cellebrite Physical Analyzer to see if it would show. We can see the total was 27.24. Now I want a sandwich!

Figure 9: Chick-fil-A digital receipt

Question 9 - Getting The Bag (10 points)

When was the first time Eli got Chipotle? mm/dd/yyyy

This one I had to dig a little for. While browsing through Live Photos I came across a to-go bag of food found at the following path:

518e8d766f9b3e76db216f35fdb6b0604e50f61b_files_full.zip\private\var\mobile\Media\DCIM\100APPLE\IMG_0001.HEIC

Upon further inspection we can see the Chipotle logo on the bottom right.

Figure 10: Chipotle order

Using photo metadata, we can see that it was taken on 02/12/2021, the answer.

Figure 11: IMG_0001.HEIC metadata

Question 10 - News Flash (10 points)

Who may have the toughest job in Washington?

I did a search for news and Washington and it hit on a bunch of emails but nothing of interest. While parsing images with OCR didn't hit on anything either got me suspicious. Eventually looking for other questions I stumbled upon the iOS Snapshots and the answer was clear as day. As part of the Apple News app we get a snapshot that shows Janet Yellen was the answer.
Figure 12: Apple News snapshot

The file could be found at the path:

518e8d766f9b3e76db216f35fdb6b0604e50f61b_files_full.zip\private\var\mobile\Containers\Data\Application\7C697B4F-C50B-485D-995A-BF398410E212\Library\SplashBoard\Snapshots\sceneID:com.apple.news-E184E70E-289B-41C9-AC90-57102F4F1910\2C4F2B4D-FB03-4451-80DC-57DA93D60945@2x.ktx

Question 11 - There's No Sign of Intelligent Life Anywhere (15 points)

Eli was sent a flat earth meme.  Give the last 5 characters of the MD5 hash of the file.

Having found this image before the competition I knew exactly where to navigate to. A Snapchat Received Video contained an astronaut floating above Earth with the caption "The Earth is Flat". The The last 5 digits of the MD5 hash were 889aa.

Figure 13: Snapchat video shared

Figure 14: Snapchat video details

Question 12 - What falls but never hits the ground? (15 points)

What was the temperature in Burlington on March 3rd at approximately 3pm? Answer in degrees fahrenheit.

Another one I found before the competition started so I knew where to go (**Hint, if you get time ahead of the live CTF, make as many notes as possible!**). Back to the iOS Snapshots, we can see from Apple Maps, they phone owner was looking up information on Wendy's. In the bottom right corner of the map we see the temperature was 27 degrees. The date and time of the snapshot show that the date/time were accurate.

Figure 15: Apple Maps snapshot

Figure 16: Snapshot details

Question 13 - What's your number? (15 points)

What was the order number for the Chick-fil-A mobile order

 From our prior question about the order total cost, we can get the order number from the same email. The order number was 1003871. My AXIOM email encoding was a little wonky (Tips & Tricks coming soon from Magnet!), but you can still see it in plain text.

Figure 17: Email order receipt

Cellebrite views it pretty easy.

Figure 18: Email order receipt in Physical Analyzer

Alternatively, if you dig deep into the default.realm database file for Chick-fil-A app, you can find it appended to what looks like the timestamp. Maybe this can be pulled out more easily from the application itself?

Figure 19: default.realm DB from Chick-fil-A app

Question 14 - Chicken on a Sunday? (25 points)

Okay, so we know Eli likes Chick-fil-A, what 2 other chain fast food restaurants were visited?  Include both in answer, formatting will not be an issue.   

Example: DFA-Diner and Magnet Cafe

We know from the previous questions that we had a Chipotle order as well as some maps entries looking at Wendy's. I tried both and they worked, so Wendy's and Chipotle.

Question 15 - DFIRFit Target (25 points)

On which day were the most steps recorded with an Apple Watch? Answer in MM/DD/YYYY.

Checking out the parsed Apple Health Steps, sorting on Steps Taken and then filtering Model ID to Watch, we can see the most steps were taken on 03/03/2021, my birthday!

Figure 20: most steps by Apple Watch

Question 16 - Fowl language (25 point)

Who was mentioned outside the Chick-Fil-A?

So there was a bit of a debacle about this question after the live CTF. Needless to say I ended up getting the points for it after reviewing it with Jessica Hyde. 

Experience from the past Weekly CTF from Magnet, live photos came into play. Knowing there weren't many audio clips on this image I went through live photos to see if any had sound. I knew one image was taken near Chick-fil-A because I could see the red and white sign. 

Figure 21: Live Photo outside Chick-fil-A

I hit play on the audio and submitted "Johnathan" with an H because that's how I had seen the contact name on prior traversal of the image. Further inspection there were actually two spellings of the name, both with the H and without (Jonathan) throughout, but only without was originally rewarded points. I'm grateful that I went back and checked my work and questioned it as it ultimately gave me enough points for first place.

Question 17 - Give me a signal (25 points)

What was the link sent to Eli on Signal?

Having prior gotten myself full acquainted with encrypted chat apps and how to decrypt with the keychain, this one came pretty easy. The URL sent in Signal was https://vm.tiktok.com/ZMejtu5mG/.

Figure 22: Signal message URL

Question 18 - Peek-a-boo (25 points)

What app was used to let Eli know it is Burrito Time?

Another one that was parsed by decrypting using the keychain. You can find the Burrito Time in the Snapchat Received Videos.

Figure 23: Snapchat video

Question 19 - The Epitome of Health (25 points)

What time did the health database last sync? Answer in GMT and HH:MM:SS format

This one was pretty difficult as it took time to manual parse the healthdb.sqlite database for Apple Health. Navigating to the "cloud_sync_stores" table we see a column for "last_sync".

Figure 24: Apple Health database

Converting it to Apple datestamp format we can see it was last synced at 05:35:53.

Figure 25: Last sync time converted

Question 20 - You can't beat encryption right? (25 points)

What user was Eli texting on Wickr?

Another one of those that needed to be pulled by decrypting with keychain information. If you decrypted properly you can easily see that Eli was messaging account "jchipps723".

Figure 26: wickr messages

Question 21 - Lettuce insert a sandwich pun here (50 points)

Eli was telling his friend about a sandwich he got.  When was the message sent where he said he got the sandwich? Answer in yyyy-mm-dd HH:MM:SS GMT

 I couldn't find any hints of what it could have been through AXIOM but when sifting through Cellebrite Physical Analyzer I had noticed it pulled out Snapchat messages that AXIOM did not. Lo and behold, the last message appears to not have been parsed properly but we have a timestamp so I went for it and it ended up being correct. The answer was 2021-03-04 21:33:11.

Figure 27: Snapchat messages

Digging into the database there were messages inside the arroyo.db but I couldn't read the contents, not sure if they are encrypted or in some format I'm not aware of. I can see that the final message aligns with what Cellebrite parsed.

518e8d766f9b3e76db216f35fdb6b0604e50f61b_files_full.zip\private\var\mobile\Containers\Data\Application\4BE54906-7CC7-4281-B1EB-055263F14F17\Documents\user_scoped\c410029b87cd535dcda1e773b850ea8cc8b07ca206320a03937260a995463acf\arroyo\arroyo.db

Further research may be needed to find out if more information can be pulled.

Question 22 - TikTokClock (75 points)

When was the tiktok sent in signal posted? Answer in yyyy-mm-dd hh:mm:ss GMT

Did I already stress that using Jessica Hyde's hints yielded great results? Well this is one of those. She had mentioned that some of her Forensic 4:Cast nominations may play a part. Her pick for blog post of the year was Ryan Benson's Tinkering with TikTok Timestamps. He has done plenty of research into how the timestamps are read and added it to his Unfurl tool.

Opening the TikTok shortlink URL found earlier in Signal produces the URL:

https://www.tiktok.com/@ivanantoniochacon/video/6903950172120730885?_d=secCgYIASAHKAESMgowqBEL1OZCWiBfK0%2FTLgzKZOKJuTGi8fyoYp0t%2BTi4qk7%2BISUZomCc1xPWKd2AMwRMGgA%3D&language=en&preview_pb=0&sec_user_id=MS4wLjABAAAA0zHwgnlIlWmP2KKWttRjRkUDP-pXbv6pNQM_CI_klRwycmFS9YJt44HeKAbk4Kzl&share_item_id=6903950172120730885&share_link_id=336FE193-3C3A-4308-98A4-BC615D0D2586&timestamp=1614577095&tt_from=more&u_code=dh18jaeb4gf3dc&user_id=6926340596702823430&utm_campaign=client_share&utm_medium=ios&utm_source=more&source=h5_m&_r=1

That's pretty ugly but after reading Ryan's blog and knowing to pull out the GUID 6903950172120730885, we can feed that into Unfurl to parse:

We can see that the video posted on 2020-12-08 18:12:42.


Comments