Cellebrite CTF 2021 - Marsha's iPhone

Previous: Heisenberg's Android | Beth's iPhone

Round 3 goes to Marsha's iPhone X.

Evidence: https://d17k3c8pvtyk2s.cloudfront.net/CTF21/CTF21_Marsha_iPhoneX_FFS_Premium_2021_07_29.zip.001
https://d17k3c8pvtyk2s.cloudfront.net/CTF21/CTF21_Marsha_iPhoneX_FFS_Premium_2021_07_29.zip.002
https://d17k3c8pvtyk2s.cloudfront.net/CTF21/CTF21_Marsha_iPhoneX_FFS_Premium_2021_07_29.zip.003

Password: 02DB2ECE91DB67E8FA939FC3DC15D16B

Location Artifacts-FFS (20 points)

A new reminder was set with pictures attached, in what city was Marsha when the reminder was set?

There were two different reminders that had pictures attached: one with pictures created on 4/4/2021 08:07 pm and the reminder set for 4/6/2021, and another with pictures created on 4/7/2021 02:38 pm with no actual reminder date. Knowing the approximate dates, I went to the DCIM folder to see which pictures taken in those windows still had location metadata intact and could give us a clue. No photos fell within the hours after the 4/4/2021 reminder, so I shifted focus to the other.

On 4/7/2021 at 5:11:08pm a picture was captured near Baltimore, the answer.

Figure 1: DCIM picture near Reminder date range

Settings and Notifications-FFS (20 points)

How many keyboards were set on Marsha’s device?

This was another one of those questions where if you knew the file to look in you'd get it right away. After much searching high and low, I came across the one I was looking for:

private\var\mobile\Library\Keyboard\UserWords.ctrl

Opening the file in a reader, we can see there were 3 keyboards installed, English, Emoji, and Hebrew (Israel).

Figure 2: UserWords.ctrl file with installed keyboards

Native Applications-FFS (20 points)

On Marsha's iPhone, what is the Ascii representation of the keyboard language that is not an Emoji or from the United States?

After finding the previous answer, this one was a breeze. They're looking for "he_IL", as seen above.

Location Artifacts (20 points)

Marsha ordered a beer on vacation. "Aloha! How much is a Blonde?" (no $ sign needed)

As a fellow beer lover myself, I went way too deep looking for this answer. I had noticed Marsha was in Hawaii at one point, and what better place to take a vacation.

In pandemic times, lots of restaurants have used QR codes to hand out their menus instead of paper copies. There were plenty of pictures of QR codes so I went through them to see if it would be an easy find. There was one for Maui Brewing found below in IMG_1788.heic:

Figure 3: Maui Brewing Co. QR code menu

After going to the menu, clear as day under their Year Round Beers was a Bikini Blonde for $7. I quickly came to find that this was incorrect, hmmm.

Figure 4: Maui Brewing Co. Bikini Blonde beer

I felt so dumb afterwards, because a few minutes later I came across the real answer: another picture, from Kaka'ako Brewery, featured an Aloha Blonde for $6.50.

Figure 5: Kaka'ako Brewery Aloha Blonde

Moral of the story, don't overthink your beer choices.

Device Connections (20 points)

Marsha connected her iPhone to one car make more than any other. Once you have determined which make, you can answer the name of the CarPlay system in use.

CarPlay settings can be found here:

mobile\Library\Preferences\com.apple.carplay.plist

Here we can see the different pairings that have been set up with CarPlay. We get ID strings as well as name strings for what was connected. Out of the 13 connections, the name that appeared the most was SYNC 3, which relates to Ford vehicles.

Figure 6: Carplay preferences and pairings
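The plist walker below is an added example, not code from the original write-up or from Cellebrite. The post does not show the actual key layout of com.apple.carplay.plist, so the walker is deliberately key-agnostic: it collects every string leaf in the plist and ranks the ones that repeat, on the reasoning that pairing IDs are unique per pairing while a head-unit name like SYNC 3 recurs once per connection. The sample plist embedded here is constructed, and its keys (`pairings`, `name`) are assumptions.

```python
import plistlib
from collections import Counter
from typing import Any, Iterator


def iter_strings(node: Any) -> Iterator[str]:
    """Yield every string leaf in a parsed plist, whatever the nesting (dict values, arrays)."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from iter_strings(value)
    elif isinstance(node, (list, tuple)):
        for value in node:
            yield from iter_strings(value)


def rank_repeated_strings(plist_bytes: bytes) -> list[tuple[str, int]]:
    """Parse a binary or XML plist and rank string values that occur more than once.

    Unique-per-pairing identifiers drop out because they appear a single time;
    whatever is left near the top is the head-unit name seen most often.
    """
    data = plistlib.loads(plist_bytes)
    counts = Counter(iter_strings(data))
    return [(value, n) for value, n in counts.most_common() if n > 1]


# Constructed sample. The dictionary layout and key names are an assumption for
# illustration, not the real schema of com.apple.carplay.plist.
SAMPLE_PLIST = plistlib.dumps(
    {
        "pairings": {
            "8F3A-0001": {"name": "SYNC 3"},
            "8F3A-0002": {"name": "SYNC 3"},
            "8F3A-0003": {"name": "Other Head Unit"},
            "8F3A-0004": {"name": "SYNC 3"},
        }
    },
    fmt=plistlib.FMT_BINARY,
)


if __name__ == "__main__":
    # Point this at an exported com.apple.carplay.plist to rank real pairings.
    for name, count in rank_repeated_strings(SAMPLE_PLIST):
        print(f"{count:3d}  {name}")
```

Because `plistlib.loads` autodetects binary versus XML, the same function works on a plist pulled straight out of the full file system image or one already converted by a forensic tool.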

Application Analysis (20 points)

What was the title of the most recent podcast playing while connected to a vehicle?

I had to get them to clarify if they wanted the Podcast name or the title of the episode which was the biggest confusion point. After a brief rewording of the question I dug further. I noticed that CarPlay's Recent App History showed it was connected to Podcasts on 7/13/2021 at 09:01:49. This is pulled from:

mobile\Library\Preferences\com.apple.CarPlayApp.plist

I made an iLEAPP parser for Apple Podcasts a few months back so I quickly ran that through to see what was parsed for that date. We want to look at the last Date Last Played field which shows us the title we are looking for was Commercial Pilot Systems.

Figure 7: Apple Podcasts episode list

Device Identification-FFS (100 points)

What is the MAC address of an action camera used by Marsha?

Marsha was just plain cruel for this question, by far the hardest out of all the rest. She really was just showing off. There is only one location on the whole phone that shows the answer to my knowledge. You have to navigate to the sysdiagnose logs found here:

mobile\Library\Logs\CrashReporter\DiagnosticLogs\sysdiagnose\sysdiagnose_2021.03.18_14-44-04-0700_iPhone-OS_iPhone_18D61.tar.gz

You would then have to extract the contents, navigate to the WiFi folder, and extract the contents of "AnalyticsStoreDump_2021-03-18-144431501.txt.tgz" to get to the text file. Inside is what appears to be Wi-Fi connection information with SSIDs and BSSIDs. We can see that the ONE R camera had a MAC address of 10:2c:6b:30:df:5c.

Figure 8: AnalyticsStoreDump file from SysDiagnose
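The script below is an added example, not part of the original write-up, to automate the two-level extraction described above: open the sysdiagnose tarball, locate the nested AnalyticsStoreDump tgz inside it, and pull every MAC address out of the text file with the lines that mention it, so an examiner does not have to unpack archives by hand. The nested archive is built in memory from constructed content; the line format of the sample dump is an assumption, since the real dump layout is not reproduced in the post. Only the ONE R MAC value comes from the write-up.

```python
import io
import re
import tarfile
from collections import defaultdict

# Six colon-separated hex octets; 2-digit groups keep timestamps like 14:44:04 from matching.
MAC_RE = re.compile(r"\b([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\b")


def open_tar_bytes(data: bytes) -> tarfile.TarFile:
    """Open a gzip (or plain) tar held in memory; mode r:* autodetects compression."""
    return tarfile.open(fileobj=io.BytesIO(data), mode="r:*")


def find_macs_in_sysdiagnose(outer_tgz: bytes, inner_marker: str = "AnalyticsStoreDump") -> dict[str, list[str]]:
    """Walk a sysdiagnose tarball, open each nested .tgz whose name contains
    inner_marker, and map every MAC address found (lower-cased) to the lines
    that mention it, prefixed with the inner file name for provenance."""
    hits: dict[str, list[str]] = defaultdict(list)
    with open_tar_bytes(outer_tgz) as outer:
        for member in outer.getmembers():
            if not member.isfile() or inner_marker not in member.name:
                continue
            if not member.name.endswith((".tgz", ".tar.gz")):
                continue
            inner_bytes = outer.extractfile(member).read()
            with open_tar_bytes(inner_bytes) as inner:
                for inner_member in inner.getmembers():
                    if not inner_member.isfile():
                        continue
                    text = inner.extractfile(inner_member).read().decode("utf-8", errors="replace")
                    for line in text.splitlines():
                        for mac in MAC_RE.findall(line):
                            hits[mac.lower()].append(f"{inner_member.name}: {line.strip()}")
    return dict(hits)


def build_tar(files: dict[str, bytes]) -> bytes:
    """Build a gzip tar in memory from {path: content}; used here only to construct the sample."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed sample dump. The key=value line format is an assumption; the
# camera MAC is the value from the write-up, the other entries are made up.
SAMPLE_DUMP = b"""\
ssid=ONE R bssid=10:2c:6b:30:df:5c rssi=-45
ssid=HomeNet bssid=aa:bb:cc:dd:ee:ff rssi=-60
ssid=HomeNet bssid=AA:BB:CC:DD:EE:FF rssi=-58
"""

_INNER = build_tar({"AnalyticsStoreDump_2021-03-18-144431501.txt": SAMPLE_DUMP})
SAMPLE_SYSDIAGNOSE = build_tar({
    "sysdiagnose_sample/WiFi/AnalyticsStoreDump_2021-03-18-144431501.txt.tgz": _INNER,
    "sysdiagnose_sample/WiFi/unrelated.log": b"no addresses here\n",
})


if __name__ == "__main__":
    # For a real case: find_macs_in_sysdiagnose(open("sysdiagnose_....tar.gz", "rb").read())
    for mac, lines in sorted(find_macs_in_sysdiagnose(SAMPLE_SYSDIAGNOSE).items()):
        print(mac, f"({len(lines)} lines)")
        for line in lines:
            print("   ", line)
```

MAC addresses are normalised to lower case before they become keys so that the same BSSID logged with different casing (as in the HomeNet sample lines) is counted once, which matters when you later correlate against a Bluetooth or ARP artifact that uses the other convention.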

Guess it goes to show that examiners need to be aware of sysdiagnose and how it can be leveraged in an investigation. Check out Mattia Epifani's research on the subject. For good measure the MAC address could be found under the Bluetooth Other LE report in iLEAPP, just didn't seem to be paired.

Figure 9: Bluetooth Other LE report in iLEAPP