Cellebrite CTF 2023 - Abe


After a one-year hiatus Cellebrite was back in full force with another lengthy CTF challenge. This year featured 4 different phones: 2 iPhones and 2 Android devices.

Challenge details can be found on Cellebrite's blog. We are going to start with Abe since, in my opinion, it was the easiest of the bunch and one of the few where our team completed 100% (shout out to Heather and Alexis).

Evidence Download: Abe

Abe 01 - iCloud ☁️📧 (10 points)

Abe used a unique email address for his iCloud account. What is that email address?

Using iLEAPP you can head over to the Accounts > Account Data report and see the email address littered across multiple accounts; Abe used the iCloud account email aberudder@icloud.com.

Figure 1: Account Data report in iLEAPP

You could also find these from the database file at the path:

filesystem2\mobile\Library\Accounts\Accounts3.sqlite

Abe 02 - Comm App 💬🗨️ (10 points)

Abe used different types of communication channels, through different applications. What communication application was used the most?

The quickest way to determine this was looking at the Chats data in PA Ultra. You can see that Telegram had significantly more messages than any other app.

Figure 2: PA Ultra Chats

Abe 03 - Wallet 💳 (10 points)

A payment card was used on Abe's device - Wallet. What are the last 4 digits of that card?

There are multiple locations where you can find payment card information on an iOS file system, but the path we were looking for here was:

filesystem2\mobile\Library\Passes\Cards\XaAL3KIU7J8fcgu2qnZRA6fGIaU=.pkpass\pass.json

Inside we can see that a card was set up for Apple Cash, the last four digits being "7438".

Figure 3: pass.json card details

Alternatively you could look at Physical Analyzer under Finance & Purchase > Credit Cards for the same answer.

Figure 4: Credit Cards in PA Ultra

Abe 04 - iCloudBackup 📼 (10 points)

Abe's phone was setup using iCloudBackup method. What is the Date & Time for that (UTC+0 time)? [YYYY-MM-DD HH:MM:SS] e.g: 2022-04-25 05:59:12

This date and time can be parsed from the path:

filesystem2\root\Library\Preferences\com.apple.MobileBackup.plist

In iLEAPP you can look at the Mobile Backup report and see the RestoreDate of "2023-02-20 01:43:14".

Figure 5: iLEAPP Mobile Backup report

This detail can also be found in PA Ultra's Data Details View.

Figure 6: PA Ultra Data Details View

Abe 05 - Tracking 🚗 (10 points)

Abe was suspicious about being tracked. After searching the rental vehicle he was using while in NJ, he found a device attached to his vehicle. What was the make & model of the device? [make model]

A quick keyword search for "rental" provided some hits. Looking through the Searched Items results there was a search for "hertz rental geotab go9 lte". If you Google "geotab go9" you'll see that it is a GPS tracking device. The hit came from the Safari Tabs database at the path:

filesystem2\mobile\Library\Safari\SafariTabs.db

Figure 7: Safari Tabs search

Abe 06 - steps 👣🚶🏻‍♂️ (30 points)

Abe was not really active, on June 24, 2023 local time, how many steps were recorded?

First step is to take a look at the samples from the Apple Health database found at:

filesystem2\mobile\Library\Health\healthdb_secure.sqlite

You can use either PA Ultra or iLEAPP to pull the Steps data. You will need to total up all the steps taken for that day, but remember that the question asks for local time, so be careful with those timestamps, as they are stored in UTC!

Figure 8: Apple Health steps

The top two entries fall outside the day once the timezone difference is applied, so adding up all the rest gives 755 steps for that day.
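As an added example (not part of the original writeup), here is the UTC-to-local bucketing in Python: the step rows are constructed, not the values from the Abe image, and the New Jersey offset of UTC-4 (EDT in June) is an assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apple "absolute time" (used by healthdb_secure.sqlite) counts seconds from
# 2001-01-01 00:00:00 UTC; 978307200 is its offset from the Unix epoch.
APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

def to_apple_abs(year, month, day, hour=0, minute=0, second=0):
    """Build an Apple absolute timestamp from UTC wall-clock components."""
    dt = datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)
    return int((dt - APPLE_EPOCH).total_seconds())

def apple_abs_to_utc(seconds):
    """Apple absolute timestamp -> timezone-aware UTC datetime."""
    return APPLE_EPOCH + timedelta(seconds=seconds)

def steps_per_local_day(samples, utc_offset_hours):
    """Sum (apple_abs_start, step_count) samples per calendar day at a fixed
    UTC offset. New Jersey in June is EDT, i.e. UTC-4 (assumed offset)."""
    local_tz = timezone(timedelta(hours=utc_offset_hours))
    totals = defaultdict(int)
    for start, steps in samples:
        local_day = apple_abs_to_utc(start).astimezone(local_tz).date()
        totals[local_day.isoformat()] += steps
    return dict(totals)

# Constructed sample rows (not the values from the Abe image):
# (Apple absolute start time, step count). The first two rows land on
# June 24 in UTC but on June 23 local; the 02:50 UTC June 25 row is
# still June 24 local, so it must be counted.
SAMPLES = [
    (to_apple_abs(2023, 6, 24, 1, 15), 40),
    (to_apple_abs(2023, 6, 24, 3, 40), 25),
    (to_apple_abs(2023, 6, 24, 14, 5), 300),
    (to_apple_abs(2023, 6, 24, 22, 30), 200),
    (to_apple_abs(2023, 6, 25, 2, 50), 100),
    (to_apple_abs(2023, 6, 25, 13, 0), 500),
]

if __name__ == "__main__":
    print("UTC buckets:", steps_per_local_day(SAMPLES, 0))
    print("EDT buckets:", steps_per_local_day(SAMPLES, -4))
```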

Abe 07 - Bluetooth 🔵🦷 (30 points)

Abe pairs his iPhone with few different Bluetooth devices. How many unique bluetooth connections were paired?

There are two different files that we need to look at to see connections: one for Bluetooth LE (low energy) devices and one for the normal Bluetooth device list. They can be found at:

filesystem2\containers\Shared\SystemGroup\2CF38A4C-FE38-40D1-85C2-C478DC223554\Library\Preferences\com.apple.MobileBluetooth.devices.plist

filesystem2\containers\Shared\SystemGroup\2CF38A4C-FE38-40D1-85C2-C478DC223554\Library\Database\com.apple.MobileBluetooth.ledevices.paired.db

Between the two there were a total of 10 devices paired.

Figure 9: Bluetooth Paired LE report in iLEAPP

Figure 10: Bluetooth Paired report in iLEAPP

Abe 08 - App Notification 🔔 (30 points)

Abe got notified by Harold of a potential arrest. Abe then opened which app?

The Notifications Duet report gives details about notifications from the phone. We can filter on "arrest" and see there was a notification from Harold via a Signal message.

Figure 11: Notifications Duet report in iLEAPP

The original file path was:

filesystem2\mobile\Library\DuetExpertCenter\streams\userNotificationEvents\local\698550421257054

Abe 09 - Parked 🅿️ (30 points)

Abe went to a party at RAIN Event Space. What is the name of the street (just the street name) for where he parked his vehicle? e.g: main

First we can do a Google Maps search for where the RAIN Event Space is located. It shows a latitude and longitude of 40.8883034,-74.0208911 and an address of 399 Water St, Teaneck, NJ 07666. In PA Ultra under Locations there is a Vehicle Parked section that we can zero in on. There was only one location that was close to this address.

Figure 12: Vehicle Parked location in PA Ultra

One thing to note: the address lookup uses Bing, which showed an address (Cedar Lane) that did not match the Google Maps result. As we can see from the screenshot, the vehicle was on Water Street, so the answer was "water". The source appears to be RoutineD:

filesystem2\mobile\Library\Caches\com.apple.routined\Local.sqlite

Abe 10 - About 👨🏻‍🦱 (30 points)

What was Abe Rudder’s "About" bio on Whatsapp?

The WhatsApp preferences file can be found at the path:

filesystem2\mobile\Containers\Shared\AppGroup\6FF228A4-E82F-4E85-A27F-159687F96EF3\Library\Preferences\group.net.whatsapp.WhatsApp.shared.plist

It's not the easiest to decipher, but there is a field for "CurrentStatusText" that fits the bill for a bio. It was set to a value of "World peace 🕊".

Figure 13: WhatsApp preferences plist

Abe 11 - Permissions ❌ (30 points)

Abe is paranoid and not always giving access to everything. One of the apps Abe used on the iPhone received access to Photos however as an “Add Photos Only” permission. What is the name of the app?(one word i.e: Starbucks)

Permissions for iOS are found in the TCC.db file at path:

filesystem2\mobile\Library\TCC\TCC.db

If we do a quick filter on "photos" there is only one entry for "PhotosAdd", which was for "com.google.chrome.ios", the bundle ID for Google Chrome.

Figure 14: Permissions in iLEAPP

Abe 12 - Email 📨 (50 points)

Abe used a specific method to find/check/share locations via an app. In order to keep privacy up, Abe signed up with a different email address which keeps it isolated to that vendor. What is that email address?

There were a few different location apps installed on the phone, but one was used the most and across the other phone images as well. The app is called What3Words, which I had never heard of before this CTF, but it seems like a cool concept. This app utilizes RealmDB, which I don't believe is natively viewable in any forensic tool at this point. The file of interest is at the path:

filesystem2\mobile\Containers\Data\Application\016859D5-A1E7-42B4-A070-B743BF01686D\Documents\default.realm

We can use RealmStudio to open this file and view it.

Figure 15: default.realm file for What3Words

We can see that in the DataProfile tab there was a column for user email which was Abe's address, j9by422yjc@privaterelay.appleid.com.

Abe 13 - Search 🔎 (50 points)

Abe got suspicious when he had to deal with some shady people almost as if a crime was known to be committed. He wanted to leave no traces. Abe was looking to create an anonymous email. Where did Abe search for that?

There aren't many places you can do searches and have it not be recorded by the phone. I looked into Safari but didn't see any results. After seeing that DuckDuckGo was installed I knew it had to be located there as it's more security conscious than others.

Luckily we have this nice handy cheat sheet from Mattia for third party apps to show us what file to look at:

filesystem2\mobile\Containers\Data\Application\63663962-9D48-4080-9D58-66DE13B95970\Library\Preferences\com.duckduckgo.mobile.ios.plist

Inside is a Base64-encoded blob holding the information for the open tabs.

Figure 16: DuckDuckGo preferences plist

Decoding in CyberChef we get a binary plist as output.

Figure 17: Base64 decode in CyberChef

We can either deserialize the bplist using Yogesh Khatri's library or view it in Ian Whiffin's Mushy tool.

Figure 18: Deserialized bplist in Mushy

All that work just to confirm that it was indeed "duckduckgo" where the search was done.
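The Base64 -> binary plist -> open-tab chain above, as an added Python example that is not part of the original writeup: the tab blob is constructed with plistlib rather than taken from the DuckDuckGo preferences file, and the key names ("tabs", "url", "title") are assumptions, not the app's real schema.

```python
import base64
import plistlib
from urllib.parse import parse_qs, urlsplit

def build_sample_blob():
    """Constructed stand-in for the tab blob in com.duckduckgo.mobile.ios.plist:
    a binary plist describing open tabs, then Base64-encoded (key names assumed)."""
    tabs = {"tabs": [
        {"title": "anonymous email at DuckDuckGo",
         "url": "https://duckduckgo.com/?q=anonymous+email&t=ddg_ios"},
        {"title": "Example", "url": "https://example.com/page"},
    ]}
    return base64.b64encode(plistlib.dumps(tabs, fmt=plistlib.FMT_BINARY)).decode()

def decode_b64_plist(blob_b64):
    """Base64-decode the blob and parse it as a property list (bplist or XML)."""
    raw = base64.b64decode(blob_b64)
    is_binary = raw.startswith(b"bplist")  # binary plist magic, e.g. "bplist00"
    return plistlib.loads(raw), is_binary

def iter_strings(obj):
    """Yield every string value found anywhere in a nested plist structure."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for v in obj.values():
            yield from iter_strings(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from iter_strings(v)

def extract_search_queries(obj, param="q"):
    """Return (host, query) for each http(s) URL carrying a search parameter."""
    found = []
    for s in iter_strings(obj):
        parts = urlsplit(s)
        if parts.scheme not in ("http", "https"):
            continue  # titles and other plain strings are not URLs
        q = parse_qs(parts.query).get(param)
        if q:
            found.append((parts.hostname, q[0]))  # parse_qs turns '+' into ' '
    return found

def searches_from_blob(blob_b64):
    parsed, _ = decode_b64_plist(blob_b64)
    return extract_search_queries(parsed)

if __name__ == "__main__":
    print(searches_from_blob(build_sample_blob()))
```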

Abe 14 - Navigation 🧭 (50 points)

Abe was navigating while driving, on June 26, 2023. What was the destination address on the navigation?

This one wasn't as difficult as it probably should have been (in my opinion). Inside the App Snapshots on the day in question was an Apple Maps navigation showing that they were going to "284 Central Way, Kirkland".

Figure 19: App Snapshot for Apple Maps

There were a few snapshots of this navigation, but they can generally be found at:

filesystem2\mobile\Containers\Data\Application\704312FF-8D41-4943-B907-47BF573BB88C\Library\SplashBoard\Snapshots\sceneID_com.apple.Maps-2ED10C52-C511-4BEF-91D2-EF9372D8B5C4\downscaled\DB9003E4-D50F-451F-81E3-1EFECACC3D97@3x.ktx

Abe 15 - Crypto 🪙 (50 points)

Abe used MOB to send/receive crypto currency within Signal. Find the Recovery Phrase for Signal Mobile Coin wallet! What is it? (keep correct order of all the words)

A quick keyword search for "mobile coin wallet" produced an encrypted Apple Note that had an image embedded inside.

Figure 20: Signal wallet recovery phrases in Apple Notes

After typing these in order you get an answer of "pet element blast mix trumpet usual leg aim office jaguar emerge fatigue tent volcano other unfair absent hope power annual banana speak initial gold".

Abe 16 - Picture 🔍 (50 points)

Abe loves taking pictures and videos on the iPhone, the problem is when Abe is trying to look for a picture, he is having hard time finding it. He therefore utilizes the Search within the Apple Photos app.

If Abe would have searched for pictures of: Myself, Pawel, Hat He would end up with one photo.
Can you name that filename?

I knew where to go but not exactly how to go about pulling out the data with a query. I first found the Photos.sqlite file at:

filesystem2\mobile\Media\PhotoData\Photos.sqlite

Jared Barnhart has a blog on some of the research he did for the DFIR Summit a few years back so that was a good starting point. With a few tweaks to the query I came up with this:

-- Photos.sqlite: people -> detected faces -> assets. ZDATECREATED is Apple
-- absolute time (seconds since 2001-01-01), so add 978307200 for Unix time.
SELECT DISTINCT ZPERSON.ZFULLNAME AS FULL_NAME,
       ZASSET.ZFILENAME AS FILENAME,
       ZASSET.ZDATECREATED + 978307200 AS DATECREATED
FROM ZPERSON
INNER JOIN ZDETECTEDFACE ON ZPERSON.Z_PK = ZDETECTEDFACE.ZPERSON
INNER JOIN ZASSET ON ZDETECTEDFACE.ZASSET = ZASSET.Z_PK
WHERE ZPERSON.ZFULLNAME LIKE 'Pawel'   -- single quotes: a string literal, not a column name
ORDER BY ZASSET.ZDATECREATED DESC;

We can pull a list that matches "Pawel" first and see what we get.

Figure 21: Apple Photos search for Pawel

Then onto "Myself" aka Abe. After comparing the file names of each there were only 4 different files that both were tagged in.

IMG_1100.HEIC
39EE4FC3-3EA6-4E44-94F9-26FE1B32AD31.HEIC
30BA39A2-99F6-4B9D-A54F-9B782CB5A62B.HEIC
CD046869-A0D4-4D9E-90C5-E8252501D8BC.HEIC

The only one that had a "hat" was IMG_1100.HEIC, the answer.

Figure 22: Pawel, Abe and hat
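An added Python example (not the author's query or data) that runs the same join against a constructed in-memory stand-in for Photos.sqlite and generalises the one-name LIKE filter to "assets in which every listed person has a detected face", so the file-name comparison happens in SQL. Table and column names follow the author's query, the rows are made up, and the "hat" criterion still has to be checked visually.

```python
import sqlite3
from datetime import datetime, timezone

APPLE_TO_UNIX = 978307200  # seconds from 2001-01-01 (Apple epoch) to 1970-01-01

def build_sample_db():
    """In-memory stand-in for Photos.sqlite with only the three tables the
    query touches. Constructed rows, not data from the Abe image."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE ZPERSON (Z_PK INTEGER PRIMARY KEY, ZFULLNAME TEXT);
        CREATE TABLE ZASSET (Z_PK INTEGER PRIMARY KEY, ZFILENAME TEXT, ZDATECREATED REAL);
        CREATE TABLE ZDETECTEDFACE (Z_PK INTEGER PRIMARY KEY, ZPERSON INTEGER, ZASSET INTEGER);
    """)
    con.executemany("INSERT INTO ZPERSON VALUES (?, ?)",
                    [(1, "Pawel"), (2, "Abe Rudder"), (3, "Harold")])
    con.executemany("INSERT INTO ZASSET VALUES (?, ?, ?)", [
        (10, "IMG_1100.HEIC", 709300000.0),  # Pawel + Abe
        (11, "IMG_1101.HEIC", 709310000.0),  # Pawel only
        (12, "IMG_1102.HEIC", 709320000.0),  # Abe only
        (13, "IMG_1103.HEIC", 709330000.0),  # Pawel twice + Abe + Harold
    ])
    con.executemany("INSERT INTO ZDETECTEDFACE VALUES (?, ?, ?)", [
        (100, 1, 10), (101, 2, 10), (102, 1, 11), (103, 2, 12),
        (104, 1, 13), (105, 1, 13), (106, 2, 13), (107, 3, 13),
    ])
    return con

def assets_with_all_people(con, names):
    """(filename, created-UTC) for assets in which every name in `names` has a
    detected face: join once, group per asset, keep assets whose distinct
    matched persons cover the whole list (two faces of one person count once)."""
    placeholders = ",".join("?" * len(names))
    sql = f"""
        SELECT a.ZFILENAME, a.ZDATECREATED
        FROM ZASSET a
        JOIN ZDETECTEDFACE f ON f.ZASSET = a.Z_PK
        JOIN ZPERSON p ON p.Z_PK = f.ZPERSON
        WHERE p.ZFULLNAME IN ({placeholders})
        GROUP BY a.Z_PK
        HAVING COUNT(DISTINCT p.Z_PK) = ?
        ORDER BY a.ZDATECREATED DESC"""
    rows = con.execute(sql, (*names, len(names))).fetchall()
    return [(fn, datetime.fromtimestamp(ts + APPLE_TO_UNIX, tz=timezone.utc).isoformat())
            for fn, ts in rows]

if __name__ == "__main__":
    for row in assets_with_all_people(build_sample_db(), ["Pawel", "Abe Rudder"]):
        print(row)
```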

Abe 17 - Location 🐬 (50 points)

Abe went for some shady meeting on an island but tried to conceal as a vacation so he took a boat tour and tracked dolphins. He then decided to mark a location with “dolphins”. What was the timestamp for that location? [HH:MM:SS] written in UTC time"

A hex search for "dolphins" led me directly to a database file for the app GPX Tracker.

filesystem2\mobile\Containers\Data\Application\A6655F24-1B16-4EC4-9DFA-2D55B562CB05\Library\open-gpx-tracker-session.sqlite

In the "ZCDWAYPOINT" table there is an entry that matches.

Figure 23: GPX Tracker entry for location

The question explicitly asked for UTC, so I assumed the time shown in the description might be local. The embedded JSON holds an Apple absolute timestamp, so I put that into a converter to confirm.

Figure 24: DCode timestamp verification

We can see that the UTC timestamp is different so the answer we were looking for was "17:57:35".

Abe 18 - BokerTov ⏰😴 (100 points)

Within the last month before Abe got arrested (and his device was extracted), Abe used to wake up naturally however, there was one day the phone did. What was the day and (local) time? [YYYY-MM-DD HH:MM:SS] e.g: 2021-09-19 08:35:00

If we search in Notifications Duet for "alarm" we see a few for the day of June 16, 2023.

Figure 25: Notifications Duet report in iLEAPP

The only problem is that this is UTC, so we need to find the local timezone offset for that day. In the App Snapshots we get a screenshot from the day before that shows an alarm set for 6:00 AM.

Figure 26: Alarm timer App Snapshot

filesystem2\mobile\Containers\Data\Application\73B09176-74A6-4676-AE95-0769BC8603D3\Library\SplashBoard\Snapshots\sceneID_com.apple.mobiletimer-default\17FA1799-E1EF-42E8-A76F-91F7E63319E4@3x.ktx

Based on both of these items the answer was "2023-06-16 06:00:00".

And that's it for Abe!