Cellebrite CTF 2022 - Beth's iPhone

Previous: Marsha's PC | Heisenberg's Android | Marsha's iPhone

Next up was Beth's iPhone. I think this was the strongest category for me. I was able to get all but one of the answers during the live competition and was able to figure out the last one shortly after. It's always good to brush up on analyzing iOS images.

#30 🦊

An analyst generated a list of the codes used by the gang members. f0x is one of the code names. You think you know what f0x is? Provide the name that appears on one of f0x related images.

A quick search for the word "f0x" came back with some Chat messages between Heisenberg and Beth. One message sent had an image of a tractor trailer that read "Werner".

Figure 1: Chat message picture attachment

Figure 2: Chat message

The file could be located at the path:


#31 ⛰πŸŒ„

Beth wanted to meet her partner in an isolated place in the mountains to close a deal. Which email address did she send to?

In Physical Analyzer I just opened the Messages > Emails and filtered on the "To" field. Besides Beth's address there was only one other email address sent to, and that was livingstonhank11@gmail.com.

Figure 3: Email sent To

The file of interest lives at the following path:


#32 πŸ‘©πŸ»‍πŸ’ΌπŸ“²πŸ™ŽπŸ»‍♀️

Where was Beth on June 29th 2021 when she made a call to Marsha? (Provide only the city in your answer)

First we can filter on phone calls outgoing to Marsha to see what time it took place.

Figure 4: Outgoing call to Marsha

We see it was make approximately at 4:10pm UTC. Now we can move over to Device Locations and filter on the date and similar time to see one entry in the time frame. It was placed in New York City.

Figure 5: Device Locations for 6/29/2021

You could pull this same information from the RoutineD file:


#33 πŸ’³

Two of the suspects use the same app to facilitate money transfers without handling fees. Who are they? Provide first names separated by a comma: [AAA],[BBB]

Looking through the installed apps via iLEAPP report there weren't any obvious installed apps that would handle money transfers. I reverted back to Apple owned apps and that would be Apple Passbook/Wallet. The app folder lives here:


I could find any transactions but the presumptions was that this is what was being used (later confirmed via the hint). Since two of the 3 people had iPhones I assumed the users were Marsha,Beth, which was the answer.

#34 container πŸ—ƒ

What is the version of the extraction container format in the provided evidence file?

In the base of the zip extraction is a file called "version". Inside is a simple line that shows the version was CLBX-0.3.1.

Figure 6: version file in the base of the extraction

#35 event πŸ“…

What is the only "event" that happened on February 17, 2015?

Here we can just filter on the day in the timeline view in Physical Analyzer and see only one entry, Solid_purple.jpg. It hit on the capture time.

Figure 7: Only entry for 2/17/2015

#36 Hotel 🏨

Who was Beth supposed to meet at the Vienna Inn?

A quick search for "Vienna Inn" shows a chat between Beth and Heisenberg White planning to meet.

Figure 8: Chat message referring to Vienna Inn

It was inside the Instagram chat.

#37 🚢🏻‍♀️distance

What was Beth's furthest walking distance?

For this we can open the parsed Health events and filter on only those "Distance Traveled" in the Measurements. Sorting the Distance Traveled we can see Beth furthest walking distance was 2482.28.

Figure 9: Health distance traveled

This can be correlated from the health database at:


#38 IMEI β„Ή

What is the IMEI number of the device?

The IMEI is pulled out right in the Device Info main screen of Physical Analyzer. It was 359405082912450.

Figure 10: Device Info details

If you want to view it natively you can parse it from the path:


You have to extract the AccountToken from the plist first and then decode using Base64.

Figure 11: IMEI from activation_record.plist

#39 πŸπŸ†”

What is the Apple ID associated with the device?

Account details can be found in the Accounts3.sqlite database found at the path:


In the "ZACCOUNT" table we can see the email account associated with iCloud was tornadobeth@gmail.com.

Figure 12: Accounts3.sqlite in DB Browser

#40 inode πŸ“

Inode number 63433 belongs to a directory with an extended attribute com.apple.ubd.prsid. What is the decoded value associated with this extended attribute?

This one gave me issues all over. I wasn't quite sure how to search for Inode numbers so I just did a deep search for "com.apple.ubd.prsid" which lead me to the following metadata file:


Because msgpacks are basically compressed JSON we can use a decoder to get the contents in a more readable version. Using this script from jakm on Github we can unpack it quickly into a large JSON file. Searching across it for the Inode 63433 we get to this entry:

Figure 13: msgpack to JSON entry

We see the attribute with a value at the bottom that needs decoded. Feeding it into CyberChef we see it was Base64 and decodes to 17551872901.CloudDocs.
Figure 14: Attribute decoded in CyberChef

#41 ☁πŸŒ‘πŸ™

What is the city found in the installed "Weather Underground: Local Map" mobile application?

From the Bundle ID report in iLEAPP we can see that the Weather Underground app location was:


Figure 15: Bundle ID info for Weather Underground

After digging through the subfolders we come to the preferences plist file. Opening in a view we see that some of the data is Base64 encoded.

Figure 16: Weather Underground preferences plist

Copying out the data section into CyberChef and decoding shows us that the only city listed was Key Largo.

Figure 17: CyberChef decoding Base64

You could have also just opened up the plist file in a hex editor to see the decoded data as well.

Figure 18: plist opened in HxD

#42 - Chip πŸ†”

What is the Exclusive Chip Identification (ECID) of the mobile device?

In the base of the zip extraction is a Log.txt file with the extraction log from UFED. Inside there are a few references to the ECID which was 000469E20847002E.

Figure 19: ECID in Log.txt

#43 πŸ¦†πŸ¦†πŸ”

What was the search query in the open tab of the DuckDuckGo Privacy Browser?

Based off the iOS Third-Party poster from SANS there is a plist file for DuckDuckGo that houses some preferences. Using the Application State report from iLEAPP I was able to find the app folder and the file in question:


In Physical Analyzer the plist is more readable as it does some analysis for us. You can see an open tabs section which is actually an embedded plist.

Figure 20: Embedded plist in DuckDuckGo preferences

We can see an AsciiString which is the URL of what was searched. 


You can read that the search query was "daphne bridgerton actress".