Magnet Virtual Summit 2023 CTF - iOS 16 iPhone


Previous: Windows 11 | Cipher | Windows Server

Like last year's iOS 15 image, we get one of the first full file system "test" images for iOS 16 publicly available. Let's see what we get.

Tools used:

A few too many (5 points)

How many email accounts did the user own? (not counting privaterelay)

This one required a bit of correlation. Via the Refined Results > User Accounts artifact in AXIOM we can see 3 distinct email addresses:
  • blueisth3best@gmail.com
    • pulled from Accounts3.sqlite / Apple Mail
  • borchardtmichael78@gmail.com
    • pulled from Chrome Login Data
  • michaelkborchardt@proton.me
    • pulled from Chrome Login Data
Figure 1: User Accounts via AXIOM

We also need to account for other communication methods. Slack was installed on the phone, and if we check the Slack Accounts artifact we get yet another email address.

Figure 2: Slack Account details via AXIOM

So in total we have 4 different email accounts from the owner of the phone.

autoFill me in on the deets (5 points)

Which email, other than their own, was autofilled in Chrome?

Heading over to the Chrome Autofill again, we can see only one other email address that didn't belong to Michael Borchardt, and that was tlouis@kurvalis.com.

Figure 3: Chrome Autofill in AXIOM

1 fish 2 fish, red fish blue fish (5 points)

According to the user's email accounts, what is his favorite color?

I way overlooked this one originally; just don't make it too complicated. Michael's iCloud email address was blueisth3best@icloud.com, so his favorite color is blue. It's littered all over the Account Data.

Figure 4: Account Data report in iLEAPP

Q-uestion (5 points)

What Chinese networking website was associated with Linkedin?

I first did a keyword search on LinkedIn to narrow down the scope to hopefully have a quick win in a path or something. My first thought was to go directly to QQ Chat which appeared to be partially correct. Carved from potential browser activity was a URL for QQ.

Figure 5: Potential Browser Activity for LinkedIn related sites

QQ didn't work, but QZone was accepted. As you can see, it's being pulled from the LinkedIn application folder location.

Chef Boyardee 2.0 (10 points)

At which market was the user viewing Chef Pasquale tomato sauce?

The first thing I gravitated to was to look at the DCIM folder for the user's images. Filtering for the folder and hitting the Pictures artifact, we can see a few different pictures of grocery store shelves with cans and bottles but one specifically fits the description.

Figure 6: Pasquale's tomato sauce from DCIM

We can see 3 different varieties from Chef Pasquale. Looking at the EXIF data of the image we get the latitude and longitude of where the picture was taken.

Figure 7: Image EXIF via AXIOM

Plugging in the coordinates in Google Maps, we can see that it's roughly nearby the Marche Atwater market.

Figure 8: Google Maps using EXIF image data coordinates

Staying Stylish! (10 points)

What color shirt did the user choose to put their snapchat bitmoji in?

Via the Snapchat Chat Messages we can get the user's account name as the recipient of messages sent from Team Snapchat. It was "m_b227468".

Figure 9: Snapchat Recipient details

Using that info I just utilized my own personal phone to look up the user account and check the avatar image. You can see the current shirt was green, so I tried that and it worked.

Figure 10: m_b227468 Snapchat avatar

To verify that it was correct, I did a keyword search for "bitmoji" and looked at images to see if the same avatar popped up. Sure enough, at the following path was the same outfit:

private\var\mobile\Containers\Shared\AppGroup\F6809526-E8EE-4E16-8077-88B9A3B98C21\User\044aebd1-8c6d-48d9-976b-61574a1519bf\camera-lock-screen-widget\camera-lock-screen-widget-bitmoji

Figure 11: Snapchat Bitmoji

Picking up Steam (10 points)

What server was the user interested in making?

A keyword search for "server" yielded quick results found in Google Searches and in Discord chat messages. He was looking to set up a CSGO server.

Figure 12: Discord chats via iLEAPP

Figure 13: Google Search from Biome via AXIOM

Overlooking Excellence (10 points)

What Sports stadium was the user overlooking at Camilien-Houde belvedere?

I originally just did a Google Maps search for "Camilien-Houde belvedere" and tried as many names as I could find around the area on the map but nothing worked. I then pivoted to the DCIM images because from previous questions I remember seeing some hiking views. There were a few with some signage but one stuck out.

00008101-0010541A1130001E_files_full-001.zip\private\var\mobile\Media\DCIM\100APPLE\IMG_0024.HEIC

Zooming in on the photo we can see a marker for Stade olympique.

Figure 14: DCIM image overlooking Montreal

You're going to crush this one! (10 points)

What light-hearted game did the user spend the most time on?

One of the first things I look at when assessing a mobile device is the installed applications, so I knew this one almost instantly. It helped that the question title kind of gave it away too: it was Candy Crush.

Figure 15: Installed Apps report via iLEAPP

You are here (15 points)

Which airline lounge was viewed?

If you don't know what Biomes are read Chris Vance's series, they're the new hotness for iOS, basically replacing KnowledgeC artifacts. Anywho, back to reality. A quick keyword search for "lounge" led me to entries in the Biome User Activity that showed the answer, Lufthansa.

Figure 16: Biome User Activity via AXIOM

Out of this world (25 points)

Which terms and conditions site on Tik Tok is named after a space formation?

This one drove me absolutely crazy. I dug on the Tik Tok website but didn't see anything, so I went back to the evidence and just did a keyword search for "tiktok" and "Tik Tok". Doom scrolling through the WebKit carved history, I found the answer was "nebula", which was part of what looks like a URL for advertising T&Cs.

Figure 17: TikTok WebKit carved web history via AXIOM

Which way? (25 points)

Which cardinal direction was the user turning when driving towards RHEINFAHRE?

Knowing from past CTFs with cardinal direction questions, I went directly to the Live Photos. Clicking through, one picture of some sort of overpass bridge had the name RHEINFAHRE on it, so it was definitely the one to look at further.

Figure 18: Live Photos via AXIOM

00008101-0010541A1130001E_files_full-001.zip\private\var\mobile\Media\DCIM\100APPLE\IMG_0068.MOV

If we look at the video pulled from the Live Photo, we can see that the user was turning in towards where the sign showed.
Figure 19: Live Photo MOV

Using the GPS coordinates from EXIF data we can plug those into Google Maps.

Figure 20: Google Maps coordinates from EXIF of Live Photo

We can see that the car was traveling south.
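Both the Chef Pasquale question and this one came down to the same two steps: pull the GPS coordinates out of EXIF and drop them on a map, and for the Live Photo, work out which way the car was moving. As an added example (not code from this writeup, from AXIOM or from any other tool), here is a small Python helper that converts EXIF degrees/minutes/seconds into signed decimal coordinates, builds the Google Maps link, and derives the cardinal direction of travel from two consecutive fixes. The GPS values and the two-point track are constructed sample data, not the real EXIF from IMG_0024.HEIC or IMG_0068.MOV; the tag numbers are the standard EXIF GPS tag ids.

```python
"""Converting EXIF GPS data to map coordinates and a travel heading.

Added example (not code from the original writeup): the GPS values below
are constructed sample data, not the real EXIF from IMG_0024.HEIC or
IMG_0068.MOV.
"""
import math

# Constructed GPS IFD shaped like Pillow's Image.getexif().get_ifd(0x8825)
# output: values keyed by the standard EXIF GPS tag numbers, with
# latitude/longitude stored as (degrees, minutes, seconds) plus a
# reference letter. Tag ids: 1 = GPSLatitudeRef, 2 = GPSLatitude,
# 3 = GPSLongitudeRef, 4 = GPSLongitude.
SAMPLE_GPS_IFD = {
    1: "N", 2: (45.0, 28.0, 12.0),
    3: "W", 4: (73.0, 34.0, 30.0),
}

# Constructed pair of fixes a few seconds apart (think first and last
# frame of a Live Photo clip); used to derive the direction of travel.
SAMPLE_TRACK = [(50.0000, 8.0000), (49.9990, 8.0000)]


def dms_to_decimal(dms, ref):
    """Degrees/minutes/seconds -> signed decimal degrees (S and W negative)."""
    deg, minutes, seconds = (float(x) for x in dms)
    value = deg + minutes / 60.0 + seconds / 3600.0
    return -value if ref in ("S", "W") else value


def gps_ifd_to_latlon(ifd):
    """Pull decimal (lat, lon) out of an EXIF GPS IFD dictionary."""
    lat = dms_to_decimal(ifd[2], ifd[1])
    lon = dms_to_decimal(ifd[4], ifd[3])
    return lat, lon


def maps_url(lat, lon):
    """Google Maps link that drops a pin at the coordinates."""
    return f"https://www.google.com/maps?q={lat:.6f},{lon:.6f}"


def initial_bearing(lat1, lon1, lat2, lon2):
    """Initial great-circle bearing from point 1 to point 2, in degrees 0-360."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlon = math.radians(lon2 - lon1)
    x = math.sin(dlon) * math.cos(p2)
    y = math.cos(p1) * math.sin(p2) - math.sin(p1) * math.cos(p2) * math.cos(dlon)
    return (math.degrees(math.atan2(x, y)) + 360.0) % 360.0


def cardinal(bearing):
    """Snap a bearing to one of eight compass points."""
    points = ["N", "NE", "E", "SE", "S", "SW", "W", "NW"]
    return points[round(bearing / 45.0) % 8]


def heading_of_track(track):
    """Cardinal direction of travel between the first and last fix."""
    (lat1, lon1), (lat2, lon2) = track[0], track[-1]
    return cardinal(initial_bearing(lat1, lon1, lat2, lon2))


if __name__ == "__main__":
    lat, lon = gps_ifd_to_latlon(SAMPLE_GPS_IFD)
    print("photo location:", maps_url(lat, lon))
    print("direction of travel:", heading_of_track(SAMPLE_TRACK))
```

For a real JPEG, Pillow's `Image.getexif().get_ifd(0x8825)` returns a dictionary of this shape that can be passed straight to `gps_ifd_to_latlon`; HEIC and MOV need a HEIF/video-aware tool to expose their metadata first. EXIF GPS is easy to strip or edit, so as this writeup does with RoutineD, treat it as one data point to corroborate against the device's own location caches rather than as proof on its own.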

Boosting into a new era (25 points)

The user was trying to learn German through an application, what promotion featuring a rocket was most commonly shown to the user?

Looking through the Installed Apps previously I knew Duolingo, which helps you learn how to speak other languages, was installed on the phone. 

Figure 21: Duolingo installed via iLEAPP report

Searching for "duolingo" led to some video results pulled from:

00008101-0010541A1130001E_files_full-001.zip\private\var\mobile\Containers\Data\Application\89A6AE48-C46D-4405-A187-C7FF439873F3\Documents\plus-ad-video

Only one video ad featured a rocket and that was for Super Duolingo.

Figure 22: Duolingo rocket ads
Figure 23: Duolingo ad

As a river runs (50 points)

At which location did the user travel the most meters according to Apple? (City, Country)

The key here is "according to Apple". What Apple apps track distance? Apple Health, of course, which can be found at the path:

private\var\mobile\Library\Health\healthdb_secure.sqlite

If we sort by the Distance (meters) column, we see that the most meters recorded were on December 31st, 2022.

Figure 24: Apple Health Distance via AXIOM

Applying a timestamp filter for approximately the same time Health recorded the activity, we see some cached locations pulled from RoutineD.

private\var\mobile\Library\Caches\com.apple.routined\Cache.sqlite

Figure 25: RoutineD Locations relative to Health event

Plugging in the lat/long into Google Maps shows the user was in Eltville, Germany.

Figure 26: Google Maps coordinates
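The correlation above (find the day with the most distance in Health, then pull the RoutineD location cache for the same window) is simple enough to script. The following Python is an added example, not the writeup's or any tool's code: the two tables are a constructed, simplified stand-in for healthdb_secure.sqlite and the RoutineD Cache.sqlite, with made-up table and column names and constructed sample rows, so only the Apple-epoch timestamp handling and the correlation logic carry over to the real databases, whose schemas are more involved.

```python
"""Correlating an Apple Health distance record with cached RoutineD locations.

Added example (not the writeup's or any tool's code). The two tables are
a constructed, simplified stand-in for healthdb_secure.sqlite and the
RoutineD Cache.sqlite: the real databases use different table and column
names and more complex schemas. All sample rows are constructed.
"""
import sqlite3
from datetime import datetime, timezone

# Apple stores many timestamps as seconds since 2001-01-01 00:00:00 UTC
# ("Cocoa" / NSDate time); add this offset to get a Unix epoch value.
COCOA_EPOCH_OFFSET = 978307200

# Constructed activity samples: (start UTC, end UTC, meters)
SAMPLE_HEALTH = [
    ("2022-12-30T09:00:00", "2022-12-30T09:40:00", 3100.0),
    ("2022-12-31T10:15:00", "2022-12-31T13:05:00", 12400.0),
    ("2023-01-02T08:00:00", "2023-01-02T08:30:00", 2000.0),
]
# Constructed cached location fixes: (time UTC, latitude, longitude)
SAMPLE_LOCATIONS = [
    ("2022-12-28T12:00:00", 50.0000, 8.0000),
    ("2022-12-31T11:30:00", 50.0300, 8.1200),
    ("2022-12-31T12:10:00", 50.0400, 8.1100),
    ("2023-01-02T08:10:00", 50.1000, 8.2000),
]


def parse_utc(iso):
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


def utc_to_cocoa(dt):
    return dt.timestamp() - COCOA_EPOCH_OFFSET


def cocoa_to_utc(ts):
    return datetime.fromtimestamp(ts + COCOA_EPOCH_OFFSET, tz=timezone.utc)


def open_sample_db():
    """Build the in-memory stand-in database, storing Cocoa-epoch timestamps."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE health_distance (start_date REAL, end_date REAL, meters REAL);
        CREATE TABLE routined_locations (timestamp REAL, latitude REAL, longitude REAL);
    """)
    conn.executemany(
        "INSERT INTO health_distance VALUES (?, ?, ?)",
        [(utc_to_cocoa(parse_utc(s)), utc_to_cocoa(parse_utc(e)), m)
         for s, e, m in SAMPLE_HEALTH])
    conn.executemany(
        "INSERT INTO routined_locations VALUES (?, ?, ?)",
        [(utc_to_cocoa(parse_utc(t)), lat, lon)
         for t, lat, lon in SAMPLE_LOCATIONS])
    conn.commit()
    return conn


def busiest_day(conn):
    """(YYYY-MM-DD, total meters) for the day with the most recorded distance."""
    row = conn.execute("""
        SELECT date(start_date + ?, 'unixepoch') AS day, SUM(meters) AS total
        FROM health_distance GROUP BY day ORDER BY total DESC LIMIT 1
    """, (COCOA_EPOCH_OFFSET,)).fetchone()
    return row[0], row[1]


def locations_near(conn, day, window_hours=2.0):
    """Cached fixes between that day's first activity start and last end, +/- window."""
    lo, hi = conn.execute("""
        SELECT MIN(start_date), MAX(end_date) FROM health_distance
        WHERE date(start_date + ?, 'unixepoch') = ?
    """, (COCOA_EPOCH_OFFSET, day)).fetchone()
    if lo is None:
        return []
    pad = window_hours * 3600.0
    rows = conn.execute("""
        SELECT timestamp, latitude, longitude FROM routined_locations
        WHERE timestamp BETWEEN ? AND ? ORDER BY timestamp
    """, (lo - pad, hi + pad)).fetchall()
    return [(cocoa_to_utc(ts).isoformat(), lat, lon) for ts, lat, lon in rows]


if __name__ == "__main__":
    db = open_sample_db()
    day, meters = busiest_day(db)
    print(f"most distance on {day}: {meters:.0f} m")
    for when, lat, lon in locations_near(db, day):
        print(f"  {when}  https://www.google.com/maps?q={lat:.6f},{lon:.6f}")
```

The Cocoa epoch offset is the part that most often trips people up when moving between Apple databases and anything that expects Unix time; getting it wrong shifts every event by 31 years and silently breaks the join. The window is deliberately generous, since RoutineD caches fixes on its own schedule rather than at the moment a workout starts or ends.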

Lo Siento Señor, it's going to be a cold one (50 points)

What weather front was warned to the user by youtube?

Weather information from YouTube?! Back to the quick search to hunt "youtube" things. In the Duets Notifications we see one entry that looks to have a title all in Spanish.

Figure 27: Duet Notifications via AXIOM

I had to search on YouTube for what this was.

I don't know why I just didn't use Google Translate, but it led me to a Univision video showing people shoveling snow.

Figure 28: YouTube video from Univision

I tried "frente ártico" because that's what they had in the title and it worked. Translated to English it would be "arctic front", which I believe was also accepted as an answer.

This ends the iPhone writeup and completes the 4 part series from the MVS 2023 CTF. Looking forward to the next one in-person in Nashville!