Cellebrite CTF 2022 - Marsha's iPhone

Previous: Marsha's PC | Heisenberg's Android | Beth's iPhone

Marsha's phone took forever to actually load but had the fewest questions. Overall, her phone was easier this time around than last year, which was a great relief to me.

#44 🍎 ID

Criminals tend to keep their business private. The suspects used an App that hides data (photos/video/contacts) behind an ordinary calculator. Provide icloud address used to purchase this app

iLEAPP shows which applications were purchased in the Apps - Itunes & Bundle Metadata report. Looking for a calculator-type app, we can see one called "Secure Private Calculator". It was downloaded/purchased by the email address masrhamellos@icloud.com.

Figure 1: Apps - Itunes & Bundle Metadata report in iLEAPP

#45 📱 Name

What is the device vendor's internal model name?

At the base of the forensic image folder was a document called PhoneInfo.txt. It contains some details about the phone, including the internal model name, D22AP.

Figure 2: PhoneInfo.txt contents

#46 ⏳ session

Which 3rd party app had the longest active session? provide app identifier such as: com.ubercab.UberClient

Physical Analyzer has a section called Aggregated Application Usage. Sorting by "Active Time" shows that com.apple.SleepLockScreen had the most usage, but here we're looking for a third-party app. The second highest was com.google.photos (Google Photos).

Figure 3: Aggregated Application Usage in Physical Analyzer

#47 MD5 #️⃣

What is the MD5 hash value for the file classified as Type: Images with a file size of 68147 bytes?

Physical Analyzer makes this one easy: all we have to do is open the parsed Images and sort by size. Once we find the entry with the matching size in bytes, we see the image was of John Stamos.

Figure 4: Image with 68147 bytes in size

We can see the MD5 hash was d9777bb03efb817bb6eaeec026a5b0c2.

#48 🍕 Time

The suspect had Pizza for lunch, what was the date and time of the order? Format: MM-DD-YYYY HH:MM, e.g. 01-22-2019 19:46

I first looked at messages and saw some references to eating pizza and pictures but not from Marsha herself. I then pivoted to looking in email to see if there were any digital receipts but nothing came up.

My last resort was to look at pictures and I stumbled across the answer finally. It was a picture taken with the phone of a receipt.

Figure 5: Pizza receipt with order timestamp

The date and time of the order was 03-08-2021 12:11. The photo can be found at the path:

root/private/var/mobile/Media/DCIM/100APPLE/IMG_0489.HEIC

#49 Stolen 🚘

The investigators were looking for a specific Kia stolen by the gang. They were missing 3 digits of the license plate (left most). Find the first 3 digits they were missing.

Another one of those questions where I looked in all the wrong places; if all else fails, flip through the images. I ended up finding a picture at the path:

Universal_iOS Generic.zip/root/private/var/mobile/Media/DCIM/101APPLE/IMG_1615.HEIC

You can see that the first 3 digits of the license plate were 508.

Figure 6: Picture of a Kia vehicle

#50 Frequent 📞

What is the most frequently interacted phone number over a call? format should be +[country_code][number] for example: +97243501234

We can look at the call history from the file at the following path:

root/private/var/mobile/Library/CallHistoryDB/CallHistory.storedata

iLEAPP parses this for us so we can just sort the phone number interacted with and count which number had the most interactions.

Figure 7: Call history in iLEAPP

Counting the entries, the number +15162879924 had the most interactions, with 12.
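The same count can be cross-checked directly against the database instead of sorting the iLEAPP report by hand. The following is an added example, not code from the original post or from iLEAPP. It assumes the Core Data layout of CallHistory.storedata (table ZCALLRECORD with columns ZADDRESS and ZDATE, the latter in seconds since 2001-01-01 UTC), and the sample rows are constructed placeholders, not values from this image.

```python
import sqlite3
from collections import Counter
from datetime import datetime, timedelta, timezone

COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)  # ZDATE counts seconds from here

# Constructed sample rows: (ZADDRESS, ZDATE, ZDURATION, ZORIGINATED). Not case data.
SAMPLE_CALLS = [
    (b"+15550100001", 636900000.0, 42.0, 1),
    ("+1 (555) 010-0001", 636903600.0, 0.0, 0),
    (b"+15550100002", 636907200.0, 130.5, 1),
    ("+15550100001", 636990000.0, 12.0, 0),
    (None, 636991000.0, 0.0, 0),  # blocked / unknown caller
    (b"+1-555-010-0001", 636993000.0, 61.0, 1),
]

def open_readonly(path):
    """Open an exported copy of CallHistory.storedata without write access."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)

def build_sample_db():
    """In-memory stand-in with a reduced ZCALLRECORD table (assumed schema)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE ZCALLRECORD (Z_PK INTEGER PRIMARY KEY, "
                "ZADDRESS BLOB, ZDATE REAL, ZDURATION REAL, ZORIGINATED INTEGER)")
    con.executemany("INSERT INTO ZCALLRECORD (ZADDRESS, ZDATE, ZDURATION, ZORIGINATED) "
                    "VALUES (?, ?, ?, ?)", SAMPLE_CALLS)
    return con

def normalize(address):
    """ZADDRESS can be TEXT, BLOB or NULL; strip formatting so one number counts once."""
    if isinstance(address, bytes):
        address = address.decode("utf-8", errors="replace")
    return "".join(ch for ch in (address or "") if ch.isdigit() or ch == "+") or None

def call_summary(con):
    """Return [(number, calls, last_call_utc)] sorted by call count, highest first."""
    counts, last_seen = Counter(), {}
    for address, zdate in con.execute("SELECT ZADDRESS, ZDATE FROM ZCALLRECORD"):
        number = normalize(address)
        if number is None:
            continue  # skip calls with no recorded address
        counts[number] += 1
        when = COCOA_EPOCH + timedelta(seconds=zdate)
        last_seen[number] = max(when, last_seen.get(number, when))
    return [(n, c, last_seen[n].isoformat()) for n, c in counts.most_common()]

if __name__ == "__main__":
    print(*call_summary(build_sample_db()), sep="\n")
```

Against a real extraction, pass `open_readonly()` a working copy of the file to `call_summary()`. A number stored once in national format and once with its country code is counted as two entries, so review the tail of the list before reporting a total.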