Previous: Marsha's PC | Heisenberg's Android | Marsha's iPhone
Next up was Beth's iPhone. I think this was the strongest category for me. I was able to get all but one of the answers during the live competition and was able to figure out the last one shortly after. It's always good to brush up on analyzing iOS images.
#30 π¦
An analyst generated a list of the codes used by the gang members. f0x is one of the code names. You think you know what f0x is? Provide the name that appears on one of f0x related images.
A quick search for the word "f0x" came back with some Chat messages between Heisenberg and Beth. One message sent had an image of a tractor trailer that read "Werner".
Figure 1: Chat message picture attachment
Figure 2: Chat message
The file could be located at the path:
root/private/var/mobile/Containers/Shared/AppGroup/2436BD7E-5956-425A-B38F-A40F20089674/Attachments/0001BF05-8174-408C-848D-111DC8E79456.jpeg
#31 ⛰π
Beth wanted to meet her partner in an isolated place in the mountains to close a deal. Which email address did she send to?
In Physical Analyzer I just opened the Messages > Emails and filtered on the "To" field. Besides Beth's address there was only one other email address sent to, and that was livingstonhank11@gmail.com.
Figure 3: Email sent To
The file of interest lives at the following path:
root/private/var/mobile/Library/Mail/MessageData/67/full.emlx
#32 π©π»πΌπ²ππ»♀️
Where was Beth on June 29th 2021 when she made a call to Marsha? (Provide only the city in your answer)
First we can filter on phone calls outgoing to Marsha to see what time it took place.
Figure 4: Outgoing call to Marsha
We see it was make approximately at 4:10pm UTC. Now we can move over to Device Locations and filter on the date and similar time to see one entry in the time frame. It was placed in New York City.
Figure 5: Device Locations for 6/29/2021
You could pull this same information from the RoutineD file:
root/private/var/mobile/Library/Caches/com.apple.routined/Local.sqlite
#33 π³
Two of the suspects use the same app to facilitate money transfers without handling fees. Who are they? Provide first names separated by a comma: [AAA],[BBB]
Looking through the installed apps via iLEAPP report there weren't any obvious installed apps that would handle money transfers. I reverted back to Apple owned apps and that would be Apple Passbook/Wallet. The app folder lives here:
root/private/var/mobile/Containers/Data/Application/8C7CEA81-D5A4-4F87-A9B2-52FBEFC02F1D
I could find any transactions but the presumptions was that this is what was being used (later confirmed via the hint). Since two of the 3 people had iPhones I assumed the users were Marsha,Beth, which was the answer.
#34 container π
What is the version of the extraction container format in the provided evidence file?
In the base of the zip extraction is a file called "version". Inside is a simple line that shows the version was CLBX-0.3.1.
Figure 6: version file in the base of the extraction
#35 event π
What is the only "event" that happened on February 17, 2015?
Here we can just filter on the day in the timeline view in Physical Analyzer and see only one entry, Solid_purple.jpg. It hit on the capture time.
Figure 7: Only entry for 2/17/2015
#36 Hotel π¨
Who was Beth supposed to meet at the Vienna Inn?
A quick search for "Vienna Inn" shows a chat between Beth and Heisenberg White planning to meet.
Figure 8: Chat message referring to Vienna Inn
It was inside the Instagram chat.
#37 πΆπ»♀️distance
What was Beth's furthest walking distance?
For this we can open the parsed Health events and filter on only those "Distance Traveled" in the Measurements. Sorting the Distance Traveled we can see Beth furthest walking distance was 2482.28.
Figure 9: Health distance traveled
This can be correlated from the health database at:
root/private/var/mobile/Library/Health/healthdb_secure.sqlite
#38 IMEI βΉ
What is the IMEI number of the device?
The IMEI is pulled out right in the Device Info main screen of Physical Analyzer. It was 359405082912450.
Figure 10: Device Info details
If you want to view it natively you can parse it from the path:
root/private/var/containers/Data/System/CD3F488B-D2C8-4C34-8E77-BB97E9822E11/Library/activation_records/activation_record.plist
Figure 11: IMEI from activation_record.plist
#39 ππ
What is the Apple ID associated with the device?
Account details can be found in the Accounts3.sqlite database found at the path:
root/private/var/mobile/Library/Accounts/Accounts3.sqlite
In the "ZACCOUNT" table we can see the email account associated with iCloud was tornadobeth@gmail.com.
Figure 12: Accounts3.sqlite in DB Browser
#40 inode π
Inode number 63433 belongs to a directory with an extended attribute com.apple.ubd.prsid. What is the decoded value associated with this extended attribute?
This one gave me issues all over. I wasn't quite sure how to search for Inode numbers so I just did a deep search for "com.apple.ubd.prsid" which lead me to the following metadata file:
metadata1/metadata.msgpack
Because msgpacks are basically compressed JSON we can use a decoder to get the contents in a more readable version. Using this script from jakm on Github we can unpack it quickly into a large JSON file. Searching across it for the Inode 63433 we get to this entry:
Figure 13: msgpack to JSON entry
We see the attribute with a value at the bottom that needs decoded. Feeding it into CyberChef we see it was Base64 and decodes to 17551872901.CloudDocs.
Figure 14: Attribute decoded in CyberChef
#41 ☁π‘π
What is the city found in the installed "Weather Underground: Local Map" mobile application?
From the Bundle ID report in iLEAPP we can see that the Weather Underground app location was:
root/private/var/mobile/Containers/Shared/AppGroup/BD720AA4-E9F4-4DE6-848F-620706AF5779
Figure 15: Bundle ID info for Weather Underground
After digging through the subfolders we come to the preferences plist file. Opening in a view we see that some of the data is Base64 encoded.
Figure 16: Weather Underground preferences plist
Copying out the data section into CyberChef and decoding shows us that the only city listed was Key Largo.
Figure 17: CyberChef decoding Base64
You could have also just opened up the plist file in a hex editor to see the decoded data as well.
Figure 18: plist opened in HxD
#42 - Chip π
What is the Exclusive Chip Identification (ECID) of the mobile device?
In the base of the zip extraction is a Log.txt file with the extraction log from UFED. Inside there are a few references to the ECID which was 000469E20847002E.
Figure 19: ECID in Log.txt
#43 π¦π¦π
What was the search query in the open tab of the DuckDuckGo Privacy Browser?
Based off the iOS Third-Party poster from SANS there is a plist file for DuckDuckGo that houses some preferences. Using the Application State report from iLEAPP I was able to find the app folder and the file in question:
root/private/var/mobile/Containers/Data/Application/1CFB7BE5-990B-4971-908A-10C2EC94080B/Library/Preferences/com.duckduckgo.mobile.ios.plist
In Physical Analyzer the plist is more readable as it does some analysis for us. You can see an open tabs section which is actually an embedded plist.
Figure 20: Embedded plist in DuckDuckGo preferences
We can see an AsciiString which is the URL of what was searched.
https://duckduckgo.com/?q=daphne+bridgerton+actress&t=ddg_ios&atb=v266-3mc&ko=-1&iax=images&ia=images
You can read that the search query was "daphne bridgerton actress".