Magnet User Summit 2023 CTF - Android (Part 2)



Time for part 2 of the Android writeup, now for the difficult stuff!

Tools Used:

ALEAPP v3.1.7

Magnet AXIOM v7.0

NotePad++ v8.4.8

Timeline Explorer v1.3.0.0

Would you like a free battery? Free of charge. (15 points)

When was the FIRST time in UTC this phone shut down because it ran out of battery? (FORMAT YYYY-MM-DD HH:MM:SS based on 24 hour clock)

This is another parser I wrote for ALEAPP, so I knew instantly where to head. My previous blog post on shutdown checkpoints gives the hint that the data lives in:

data\system\shutdown-checkpoints\checkpoints-1673244230163

We can see from the ALEAPP report that the first time the phone was shut down because of battery drain was on "2023-01-03 12:11:26".

Figure 1: Shutdown Checkpoints report in ALEAPP

PineappleOnPizzaIsGreat! (25 points)

What WiFi network was the registered user connected to at the time the document "Banana_split_(1).pdf" was added to google drive?

With the hint from the title and looking at the Wifi Profiles report in ALEAPP, one network instantly stood out because its PreSharedKey was Pepperoni (get it? pizza). So I tried "Abo South" and it worked.

Figure 2: Wifi Profiles report in ALEAPP

I assume there is another location to correlate between wifi network and the Google Drive file, which had a created date of 2023-01-03 02:34:45. Maybe I just got lucky?

How to not be suspicious (25 points)

Who needs information regarding inbound and outbound communication with high risk countries?

A quick keyword search in AXIOM for "risk" provided results instantly via Gmail. Tina Louis was looking for information.

Figure 3: Gmail email about "risk"

We've GotTa change the password (25 points)

What was the password that the user used to log into fiverr with?

While browsing for another question I came across the login data for Chrome and saw some passwords. I went back to look at what origins they came from and one was for Fiverr. The password used was "Goty2Sell".

Figure 4: Chrome Login report in ALEAPP

Chrome Login data can be found at path:

data\data\com.android.chrome\app_chrome\Default\Login Data

How many flags can you find? (25 points)

At 10:48, How many flags did Tina get correct?

While getting familiar with the ALEAPP output I had found the Sporcle screenshot that had world flags on it via the Google Photos cache. Tina had 19 correct out of 197 at 10:48.

Figure 5: Google Photos cache in ALEAPP

It could also be found in the screenshots folder at:

data\media\0\Pictures\Screenshots\Screenshot_20221206-104819.png

How many is too many... (25 points)

It seems that this user may have received a document with some PII. How many different individuals are listed in this document?

There are multiple locations where someone could have received files. I looked at Native Downloads with no help. Chrome downloads, nope. Emulated Storage did help though, as the external.db file has a large listing of files from all across the phone.

data\data\com.google.android.providers.media.module\databases\external.db

There was only one document, the Banana_split__(1).pdf file from before.

Figure 6: Emulated Storage metadata report in ALEAPP

Opening the file we can see 5 different individuals listed on page 2.

Figure 7: Banana_split__(1).pdf page 2

Italian beast! (25 points)

What animal killed the figure who was renowned for his strength?

This one was a wild card that I hunted all over for during the live competition. I tried brute forcing it thinking it was Hercules or something. After scrolling through the images on the phone I came across a museum artwork that fit. The figure was Milo of Croton and the killer animals were wolves.

Figure 8: Milo of Croton art description

The picture in question was found at the path:

data\media\0\DCIM\Camera\PXL_20221207_103000790.jpg

You always forget something when traveling... (25 points)

This user seems to have been shopping for some sort of personal hygiene item, what was the price of the red item?

In the Google Now & Quicksearch > Recent Searches & Google Now report, the user was looking for deodorants for women. In one screenshot we could see a red item that costs $23.99.

Figure 9: Google Now & Quicksearch results in ALEAPP

The file could be found at:

data\user\0\com.google.android.googlequicksearchbox\files\recently\tlouis@kurvalis.com-7133291355466100338.jpg

These new phones battery life can sure last a long time... (25 points)

What was Tina's battery % when she entered the Copenhagen timezone?

I always get giddy when I see battery items because I wrote most of the parsers for that in ALEAPP. This one comes from "Turbo" which resides at:

data\data\com.google.android.apps.turbo\databases\turbo.db

If we filter for Copenhagen, the results narrow down because the parser pulls the timezone location for each row. We can see the first battery % in that timezone was 83.

Figure 10: Turbo Phone Battery report in ALEAPP

Traveling is fun! (25 points)

What road is the canyon visited by Tina accessible on?

I looked for EXIF metadata on images found in the DCIM folder but it looks like location tagging was turned off, so this made it slightly more difficult to find. There was a photo of a canyon but no markers. Some other photos were taken that same day, but one in particular caught my eye. It looked like a gift shop of sorts that had portraits on the wall, with multiple having "Palo Duro" in them.

data\media\0\DCIM\Camera\PXL_20221229_165933558.MP.jpg

Figure 11: Gift shop image

A quick Google search led me to Palo Duro Canyon State Park. There is only one road leading to the ravine and that's Park Road 5.

Figure 12: Palo Duro Canyon State Park

How low did we go? (25 points)

It seems Tina did a lot of traveling. What was Tina's battery percentage when she left the Copenhagen timezone?

Another battery question served best by the Turbo parser. If we use the Copenhagen filter again and reverse sort to see the last timestamp in that timezone, we see the battery percentage was at 44.

Figure 13: Turbo Phone Battery report in ALEAPP
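The two Turbo questions ("These new phones battery life..." and this one) come down to the same query: restrict the battery log to rows in one timezone, then take the earliest row for the entry reading and the latest row for the exit reading. The script below is an added example, not ALEAPP's own parser or the original post's code. The battery_event table layout (timestamp_millis, battery_level, timezone) and every row in it are constructed assumptions chosen to match the values in the write-up, so the same logic can be run against an in-memory copy without the real turbo.db.

```python
import sqlite3
from datetime import datetime, timezone

# Assumed layout of the Turbo battery table; the real turbo.db may differ.
ASSUMED_SCHEMA = """
CREATE TABLE battery_event (
    timestamp_millis INTEGER,
    battery_level    INTEGER,
    timezone         TEXT
);
"""

# Constructed rows: a US reading, a Copenhagen stay, and a return home.
SAMPLE_ROWS = [
    (1670140800000, 91, "America/Chicago"),
    (1670227200000, 83, "Europe/Copenhagen"),
    (1670230800000, 79, "Europe/Copenhagen"),
    (1670580000000, 51, "Europe/Copenhagen"),
    (1670583600000, 44, "Europe/Copenhagen"),
    (1670670000000, 97, "America/Chicago"),
]


def load_sample_db() -> sqlite3.Connection:
    """Build an in-memory database with the assumed schema and constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(ASSUMED_SCHEMA)
    conn.executemany("INSERT INTO battery_event VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def _utc(ms: int) -> str:
    """Render a millisecond epoch timestamp in the CTF's YYYY-MM-DD HH:MM:SS UTC format."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def battery_at_timezone_boundaries(conn: sqlite3.Connection, tz_fragment: str):
    """Return the first and last battery readings whose timezone contains tz_fragment.

    Mirrors the manual workflow in the report: filter on the timezone column,
    sort ascending for the entry reading and descending for the exit reading.
    Returns None when no row matches, so a typo in the filter is not mistaken
    for an empty stay.
    """
    pattern = f"%{tz_fragment}%"
    base = ("SELECT timestamp_millis, battery_level, timezone FROM battery_event "
            "WHERE timezone LIKE ? ORDER BY timestamp_millis {} LIMIT 1")
    first = conn.execute(base.format("ASC"), (pattern,)).fetchone()
    last = conn.execute(base.format("DESC"), (pattern,)).fetchone()
    if first is None or last is None:
        return None
    return {
        "timezone": first[2],
        "entered_utc": _utc(first[0]),
        "entry_level": first[1],
        "left_utc": _utc(last[0]),
        "exit_level": last[1],
    }


if __name__ == "__main__":
    db = load_sample_db()
    print(battery_at_timezone_boundaries(db, "Copenhagen"))
```

Against the constructed rows this reports an entry level of 83 and an exit level of 44, the same pair of numbers the ALEAPP filter produced for the two questions. On a real image the only change is opening turbo.db from the extracted file system instead of calling load_sample_db(), after checking that the table and column names match.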

Easy Peasy (50 points)

What was the "Ease of Root Install Rank" of this device?

When I read root I had a feeling it had something to do with the installed app Root Checker. Inside the Recent Activity report in ALEAPP was an entry that had a snapshot of a task showing a screenshot of the application. In small print you can see that the Ease of Root Install Rank was 5737.

Figure 14: Root Checker task screenshot

Recent tasks are pulled from the path:

data\system_ce\0\recent_tasks

Thr answrr is right infront of you! (50 points)

This user installed an app on the phone related to checking privileges. What did the user specifically search for in the appstore when looking for it?

As we know from the previous question, Root Checker was installed on the phone. But what did the user search for you ask? Well, one could find the Google Play searches in the database here:

data\data\com.android.vending\databases\suggestions.db

Via the ALEAPP parser report we see that they misspelled it as "root chrcker".

Figure 15: Google Play searches report in ALEAPP

Shhhhh it's a secret (50 points)

It seems that Tina wants to avoid mentioning something she's doing with Shawn. What is this?

This one took me a while to search across chats and emails but I never could find it in those locations. One thing I did ahead of the competition was work on new parsers for ALEAPP so I had a custom one done for an app called Todoist that's installed on the phone. The database in question is at:

data\data\com.todoist\databases\database.db

The answer was "heavy conversations". The Todoist parser will be in an ALEAPP release in the near future.

Figure 16: Todoist - Items report in ALEAPP (unreleased)

Here is the entry in DB Browser from the database itself:

Figure 17: Todoist DB, items table entry in DB Browser

Secret plans... (50 points)

It seems that Tina has been having conversations with someone she's working with. On 12/28/2022, it seems they made plans for a video call. When is this call in UTC? (FORMAT YYYY-MM-DD HH:MM:SS based on 24 hour clock)

This is another artifact that AXIOM doesn't parse but ALEAPP does to a certain extent. I found an error (incorrect path) in the parser which will be fixed in a future release, but Google Chat is where we needed to look for this one.

data\data\com.google.android.apps.dynamite\databases\user_accounts\tlouis@kurvalis.com\dynamite.db

There were conversations back and forth between Tina and Shawn. In one message she states that she has availability on "the 31st at noon EST".

Figure 18: Google Chat Messages report in ALEAPP

Given the timestamp of when the message was sent, the date can be assumed to be December 31st. With it being noon in Eastern Standard Time we have to add 4 hours to make it UTC. So the answer was "2022-12-31 16:00:00".

Quite a lenient game! (50 points)

It seems this user downloaded a game. How many hints were they allowed in the game?

I knew that there was only one game installed on the phone and that was Flags of All World Countries. I didn't see the answer in any screenshots so I dove into the file system folder to look around. I ended up finding the answer in a preferences file at:

data\data\com.asmolgam.flags\shared_prefs\progress_data.xml

Right at the top of the XML file we can see a key/value pair showing "hints" was 75.

Figure 19: Flags of All World Countries progress file

Old mans geolocation (75 points)

This user traveled to Denmark, and downloaded a few applications on the same day. Of these applications, only one has a UTM_campaign parameter set in google searches relating to the application. What is the user's AppUserID for this application?

I know there were probably multiple ways to get this answer but I took the dire route. I ended up doing a full keyword search across the image for "AppUserID" and it hit on a file inside the Fiverr app folder structure.

data\data\com.fiverr.fiverr\shared_prefs\appsflyer-data.xml

I had previously narrowed it down to Fiverr and another app in the timeframe the user was in Denmark, based on SMS and other artifacts, so I knew I was close. If we open the XML file we can see in the "savedProperties" tag that there was an AppUserID of "16700361718571309309164|139363547".

Figure 20: Fiverr apps preferences
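Both the "Quite a lenient game!" answer (the hints key in progress_data.xml) and this one (the savedProperties string in appsflyer-data.xml) live in Android shared_prefs files, which are a flat XML map of typed entries. The parser below is an added example, not code from ALEAPP or the original post. The two XML samples are constructed: the hints value and the AppUserID match the write-up, but the surrounding keys, the JSON layout inside savedProperties and the AppUserId key spelling are assumptions made so the example runs offline.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample shaped like data/data/com.asmolgam.flags/shared_prefs/progress_data.xml.
# Only the "hints" entry is taken from the write-up; the other keys are made up.
PROGRESS_DATA_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <int name="hints" value="75" />
    <int name="level" value="3" />
    <boolean name="sound_enabled" value="true" />
    <set name="completed_regions">
        <string>europe</string>
        <string>africa</string>
    </set>
</map>
"""

# Constructed sample shaped like data/data/com.fiverr.fiverr/shared_prefs/appsflyer-data.xml.
# The AppUserID value is the one quoted above; the JSON key layout is an assumption.
APPSFLYER_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="savedProperties">{&quot;AppUserId&quot;:&quot;16700361718571309309164|139363547&quot;,&quot;install_date&quot;:&quot;2022-12-05&quot;}</string>
    <long name="first_launch_ts" value="1670241600000" />
</map>
"""


def parse_shared_prefs(xml_text: str) -> dict:
    """Turn an Android shared_prefs <map> into a dict with Python-typed values.

    Android stores each preference as an element named after its type
    (int, long, float, boolean, string, set) with a name attribute; numeric
    and boolean values sit in a value attribute, strings in the element text.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "map":
        raise ValueError(f"expected <map> root element, got <{root.tag}>")
    prefs = {}
    for child in root:
        name = child.get("name")
        if child.tag == "string":
            prefs[name] = child.text or ""
        elif child.tag in ("int", "long"):
            prefs[name] = int(child.get("value"))
        elif child.tag == "float":
            prefs[name] = float(child.get("value"))
        elif child.tag == "boolean":
            prefs[name] = child.get("value") == "true"
        elif child.tag == "set":
            prefs[name] = {s.text or "" for s in child.findall("string")}
        else:
            # Unknown element type: keep the raw value rather than silently dropping it.
            prefs[name] = child.get("value", child.text)
    return prefs


def find_string_values_containing(prefs: dict, needle: str) -> dict:
    """Keyword-search the parsed preferences the way the image-wide search did."""
    needle = needle.lower()
    return {k: v for k, v in prefs.items() if isinstance(v, str) and needle in v.lower()}


def extract_app_user_id(prefs: dict):
    """Pull the AppUserID out of the JSON blob stored under savedProperties.

    The key is matched case-insensitively because the exact casing used by the
    app is an assumption here. Returns None if the blob or key is absent.
    """
    blob = prefs.get("savedProperties")
    if blob is None:
        return None
    try:
        props = json.loads(blob)
    except json.JSONDecodeError:
        return None
    for key, value in props.items():
        if key.lower() == "appuserid":
            return value
    return None


if __name__ == "__main__":
    game = parse_shared_prefs(PROGRESS_DATA_XML)
    print("hints allowed:", game["hints"])
    fiverr = parse_shared_prefs(APPSFLYER_XML)
    print("AppUserID:", extract_app_user_id(fiverr))
    print("entries mentioning AppUserID:", find_string_values_containing(fiverr, "appuserid"))
```

The same parse_shared_prefs() call works on any shared_prefs file pulled from an extraction, so the two answers fall out of a dictionary lookup and a JSON decode instead of eyeballing the XML. Treating unknown element types as raw values rather than errors keeps the parser usable on vendor-specific files that add their own tags.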

I am feeling thirsty... (75 points)

What popular destination spot did Tina visit on 12/04/2022?

When people travel they usually take pictures like any normal tourist does. I first set off looking at the DCIM images to see if any fit the timestamp, and sure enough there were three different photos.

Figure 21: DCIM photos taken on the day of interest

All of them were basically the same photo, and from previous questions I knew there wasn't any latitude or longitude EXIF data for them. If we zoom in we can see flags on the building. A quick Google search led me to results showing that this was Denmark.

Figure 22: Denmark flags on a building

A complete wild guess based on the timestamp led me to look for famous Christmas markets in Denmark. Entry number 2 on the list from visitdenmark.com was Tivoli Gardens, the answer.

And with that, part two is complete. I hope you enjoyed the writeups for this year's Magnet User Summit CTF!