The third category for the MVS2021 CTF was probably the one I was most well versed in: iPhone. I did a good amount of prep work parsing this image, including the artifacts hinted at by Jessica Hyde, such as keychain parsing. This allowed me to fly through some of the higher-point questions quickly. Let's take a look at how I got to the solutions.
Question 1 - Breaking Quarantine (5 points)
When does Eli go to a neighboring state? Answer in MM/DD/YYYY
Using a combination of Significant Locations and Significant Locations Visits, we can filter down to the only hit outside of Vermont, which was New York.
Question 2 - Burger Time (5 points)
What fast food restaurant has an application installed on the device?
Going through Installed Applications, we can look at Display Names and Package Names. Nothing sticks out right away in the Display Name, but the Package Name was fairly obvious. The food app installed was for Chick-fil-A.
Package Name: com.engauge.Chick-fil-A
Display Name: CFAOne
What is Eli's facebook password?
This required parsing the provided keychain plist file or manually pulling the value out. AXIOM shows that the password value was fix_my_flatt2!.
Question 4 - New Watch Who Dis (5 points)
What is the MAC address of Eli's apple watch?
In Connected Devices > Bluetooth Devices we only see one option, an Apple Watch. The MAC address was 50:A6:7F:8F:A5:B6.
Question 5 - Sanik Speed (5 points)
What was the fastest heart rate recorded for Eli?
How does John like his eggs? (2 words)
Having previously gotten a feel for the chat content, I instantly knew to look at the TikTok Messages. John likes his eggs in "chicken form".
Question 7 - Beefstew isn't a Stroganoff Password (10 points)
How many Apple Notes did Eli Encrypt?
I honestly expected harder questions to come from the encrypted notes, but alas, it didn't seem so. We can look at the Apple Notes category in AXIOM and see that 3 notes were encrypted.
Question 8 - Big Spender (10 points)
How much (after tax) was Eli's Chick-fil-A order? Exclude Dollar sign
I had found the digital receipt in email with the subject "Chick-fil-A® Mobile Ordering Receipt", but for some reason AXIOM had encoding and preview issues for me, so I went over to Cellebrite Physical Analyzer to see if it would show. We can see the total was 27.24. Now I want a sandwich!
Question 9 - Getting The Bag (10 points)
When was the first time Eli got Chipotle? mm/dd/yyyy
This one I had to dig a little for. While browsing through Live Photos, I came across a to-go bag of food found at the following path:
Upon further inspection we can see the Chipotle logo on the bottom right.
Question 10 - News Flash (10 points)
Who may have the toughest job in Washington?
Question 11 - There's No Sign of Intelligent Life Anywhere (15 points)
Eli was sent a flat earth meme. Give the last 5 characters of the MD5 hash of the file.
What was the temperature in Burlington on March 3rd at approximately 3pm? Answer in degrees fahrenheit.
Another one I found before the competition started, so I knew where to go (**Hint: if you get time ahead of the live CTF, make as many notes as possible!**). Back in the iOS Snapshots, we can see from an Apple Maps snapshot that the phone owner was looking up information on Wendy's. In the bottom right corner of the map we see the temperature was 27 degrees. The snapshot's own date and time showed that it matched the date/time the question asked about.
What was the order number for the Chick-fil-A mobile order
From the prior question about the order total, we can get the order number from the same email. The order number was 1003871. My AXIOM email encoding was a little wonky (Tips & Tricks coming soon from Magnet!), but you can still see it in plain text.
Okay, so we know Eli likes Chick-fil-A, what 2 other chain fast food restaurants were visited? Include both in answer, formatting will not be an issue. Example: DFA-Diner and Magnet Cafe
We know from the previous questions that we had a Chipotle order as well as some maps entries looking at Wendy's. I tried both and they worked, so Wendy's and Chipotle.
Question 15 - DFIRFit Target (25 points)
On which day were the most steps recorded with an Apple Watch? Answer in MM/DD/YYYY.
Checking out the parsed Apple Health Steps, sorting on Steps Taken and then filtering Model ID to Watch, we can see the most steps were taken on 03/03/2021, my birthday!
Question 16 - Fowl language (25 point)
Who was mentioned outside the Chick-Fil-A?
So there was a bit of a debacle about this question after the live CTF. Needless to say, I ended up getting the points for it after reviewing it with Jessica Hyde.
From experience with Magnet's past Weekly CTFs, I knew live photos could come into play. Knowing there weren't many audio clips on this image, I went through the live photos to see if any had sound. I knew one image was taken near Chick-fil-A because I could see the red and white sign.
Question 17 - Give me a signal (25 points)
What was the link sent to Eli on Signal?
Having previously gotten fully acquainted with encrypted chat apps and how to decrypt them with the keychain, this one came pretty easily. The URL sent in Signal was https://vm.tiktok.com/ZMejtu5mG/.
Question 18 - Peek-a-boo (25 points)
What app was used to let Eli know it is Burrito Time?
Another one that was parsed by decrypting using the keychain. You can find the Burrito Time in the Snapchat Received Videos.
Question 19 - The Epitome of Health (25 points)
What time did the health database last sync? Answer in GMT and HH:MM:SS format
This one was pretty difficult, as it took time to manually parse the healthdb.sqlite database for Apple Health. Navigating to the "cloud_sync_stores" table, we see a column for "last_sync".
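The question wants the sync time in GMT, and the usual trap with Apple databases is the epoch: most Apple Health timestamps are Mac absolute time (seconds since 2001-01-01 00:00:00 UTC), not Unix time, and converting them as Unix seconds lands you 31 years early. The block below is an added example, not code from this write-up or from AXIOM or Unfurl. It assumes the table and column are named as described above (cloud_sync_stores.last_sync) and that last_sync uses Mac absolute time like the other Apple Health timestamps; that epoch is an assumption, so the code also flags values that are too large to be Mac absolute time for 2021-era data. The in-memory database and its values are constructed for the example and are not the CTF image's data.

```python
"""Convert an Apple Health cloud_sync_stores.last_sync value to a GMT clock time.

Added example (not the write-up's own code). Assumptions, labelled:
  * table/column names follow the write-up: cloud_sync_stores.last_sync
  * last_sync is Mac absolute time (seconds since 2001-01-01 00:00:00 UTC),
    the epoch used by other Apple Health timestamps
The sample database is constructed here; the values are made up.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
UNIX_TO_MAC_OFFSET = 978307200  # seconds from 1970-01-01 to 2001-01-01


def mac_absolute_to_utc(value: float) -> datetime:
    """Mac absolute time (seconds since 2001-01-01 UTC) -> aware UTC datetime."""
    return MAC_EPOCH + timedelta(seconds=float(value))


def looks_like_unix_epoch(value: float) -> bool:
    """Sanity check. A Mac-absolute value this large would be a date after 2032,
    so for a 2021 image it almost certainly means the column is already Unix time."""
    return float(value) >= UNIX_TO_MAC_OFFSET


def last_sync_gmt(conn: sqlite3.Connection) -> str:
    """Return the most recent last_sync across all sync stores as HH:MM:SS GMT.

    'Last sync' is taken as the latest non-NULL value in the table (assumption).
    """
    row = conn.execute(
        "SELECT MAX(last_sync) FROM cloud_sync_stores WHERE last_sync IS NOT NULL"
    ).fetchone()
    if row is None or row[0] is None:
        raise ValueError("cloud_sync_stores has no last_sync values")
    value = row[0]
    if looks_like_unix_epoch(value):
        dt = datetime.fromtimestamp(value, tz=timezone.utc)
    else:
        dt = mac_absolute_to_utc(value)
    return dt.strftime("%H:%M:%S")


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for healthdb.sqlite with only the columns we need."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cloud_sync_stores (store_id INTEGER, last_sync REAL)")
    conn.executemany(
        "INSERT INTO cloud_sync_stores VALUES (?, ?)",
        [(1, 635990000.0), (2, 636000000.0), (3, None)],  # made-up values
    )
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    print("last sync (GMT):", last_sync_gmt(db))
```

On a real image, replace build_sample_db() with sqlite3.connect() on a copy of healthdb.sqlite (never the original), and check the full date, not just the clock time, against other activity on the device; if the date comes out in 1990 or in 2052, you have the epoch wrong.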
What user was Eli texting on Wickr?
Another one of those that needed to be pulled by decrypting with keychain information. If you decrypted properly, you can easily see that Eli was messaging the account "jchipps723".
Eli was telling his friend about a sandwich he got. When was the message sent where he said he got the sandwich? Answer in yyyy-mm-dd HH:MM:SS GMT
I couldn't find any hints of what it could have been through AXIOM, but when sifting through Cellebrite Physical Analyzer I noticed it pulled out Snapchat messages that AXIOM did not. Lo and behold, the last message appears not to have been parsed properly, but it has a timestamp, so I went for it and it ended up being correct. The answer was 2021-03-04 21:33:11.
Further research may be needed to find out if more information can be pulled.
Question 22 - TikTokClock (75 points)
When was the tiktok sent in signal posted? Answer in yyyy-mm-dd hh:mm:ss GMT
Did I already stress that using Jessica Hyde's hints yielded great results? Well, this is one of those. She had mentioned that some of her Forensic 4:Cast nominations might play a part. Her pick for blog post of the year was Ryan Benson's Tinkering with TikTok Timestamps. He has done plenty of research into how the timestamps are embedded in TikTok IDs and added it to his Unfurl tool.
Opening the TikTok shortlink URL found earlier in Signal produces the URL:
That's pretty ugly, but after reading Ryan's blog and knowing to pull out the video ID 6903950172120730885, we can feed that into Unfurl to parse:
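If you want to see what Unfurl is doing rather than just read its output, the decoding is small enough to do by hand. The block below is an added example; it is not Ryan Benson's code and not Unfurl. It applies the finding his blog post describes and Unfurl implements: a TikTok video ID is a 64-bit integer whose top 32 bits are a Unix timestamp in seconds (the lower 32 bits are not part of the timestamp). The long-form URL in the block is a constructed sample using the ID from above, since the expanded URL itself is not reproduced in this write-up.

```python
"""Decode the posting time hidden in a TikTok video ID.

Added example, not Ryan Benson's code or Unfurl. It uses the relationship his
"Tinkering with TikTok Timestamps" post documents: the high 32 bits of the
64-bit ID are seconds since the Unix epoch. The sample URL below is
constructed around the ID found in the Signal message; the real expanded URL
is not shown in this write-up.
"""
import re
from datetime import datetime, timezone

# TikTok long URLs carry the ID after "/video/"; the ID is 18-19 decimal digits.
VIDEO_ID_RE = re.compile(r"/video/(\d{18,19})")


def extract_video_id(url: str) -> int:
    """Pull the numeric video ID out of an expanded tiktok.com URL."""
    match = VIDEO_ID_RE.search(url)
    if not match:
        raise ValueError(f"no TikTok video id found in {url!r}")
    return int(match.group(1))


def tiktok_id_timestamp(video_id: int) -> int:
    """Return the Unix timestamp (seconds) stored in the top 32 bits of the ID."""
    if not 0 < video_id < 2**64:
        raise ValueError("TikTok IDs are unsigned 64-bit integers")
    return video_id >> 32


def tiktok_id_to_utc(video_id: int) -> str:
    """Format the embedded timestamp as yyyy-mm-dd HH:MM:SS in GMT."""
    ts = tiktok_id_timestamp(video_id)
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    # Constructed sample: the account name is a placeholder, the ID is from the CTF.
    sample_url = "https://www.tiktok.com/@someuser/video/6903950172120730885"
    vid = extract_video_id(sample_url)
    print("video id :", vid)
    print("unix ts  :", tiktok_id_timestamp(vid))
    print("posted   :", tiktok_id_to_utc(vid), "GMT")
```

The result is the time the video was posted, which is what the question asks for; the time the link was sent in Signal comes from the Signal message itself, so keep the two apart when you write up the timeline. Resolving the vm.tiktok.com shortlink to the long URL still requires following the redirect (or reading it from Unfurl), which this offline block deliberately does not do.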