Cellebrite CTF 2023 - Abe


After a year hiatus Cellebrite was back in full force with another lengthy CTF challenge. This year featured 4 different phones, 2 iPhones and 2 Android devices.

Challenge details can be found on Cellebrite's blog. We are going to start with Abe since in my opinion was the easiest of the bunch and one of the only ones where our team completed 100% (shout out to Heather and Alexis).

Evidence Download: Abe

Abe 01 - iCloud ☁️πŸ“§ (10 points)

Abe used a unique email address for his iCloud account. What is that email address?

Using iLEAPP you can head over tot he Accounts > Account Data report and see the email address littered across multiple accounts, Abe used the iCloud account email aberudder@icloud.com.

Figure 1: Account Data report in iLEAPP

You could also find these from the database file at the path:


Abe 02 - Comm App πŸ’¬πŸ—¨️ (10 points)

Abe used different types of communication channels, through different applications. What communication application was used the most?

The quickest way to determine this was looking at the Chats data in PA Ultra. You can see that Telegram had significantly more messages than any other app.

Figure 2: PA Ultra Chats

Abe 03 - Wallet πŸ’³ (10 points)

A payment card was used on Abe's device - Wallet. What are the last 4 digits of that card?

There are multiple locations you can find payment card information on an iOS file system but the path we were looking for here was:


Inside we can see that a card was set up for Apple Cash, the last four digits being "7438".

Figure 3: pass.json card details

Alternatively you could look at Physical Analyzer under Finance & Purchase > Credit Cards for the same answer.

Figure 4: Credit Cards in PA Ultra

Abe 04 - iCloudBackup πŸ“Ό (10 points)

Abe's phone was setup using iCloudBackup method. What is the Date & Time for that (UTC+0 time)? [YYYY-MM-DD HH:MM:SS] e.g: 2022-04-25 05:59:12

This date and time can be parsed from the path:


In iLEAPP you can look at the Mobile Backup report and see the RestoreDate of "2023-02-20 01:43:14".

Figure 5: iLEAPP Mobile Backup report

This detail can also be found in PA Ultra's Data Details View.

Figure 6: PA Ultra Data Details View

Abe 05 - Tracking πŸš— (10 points)

Abe was suspicious about being tracked. After searching the rental vehicle he was using while in NJ, he found a device attached to his vehicle. What was the make & model of the device? [make model]

A quick keyword search for "rental" provided some hits. Looking through the Searched Items results was a search for "hertz rental geotab go9 lte". If you Google "geotab go9" you'll see that it is a GPS tracking device. The result came from the Safari Tabs at the path:


Figure 7: Safari Tabs search

Abe 06 - steps πŸ‘£πŸšΆπŸ»‍♂️ (30 points)

Abe was not really active, on June 24, 2023 local time, how many steps were recorded?

First step is to take a look at the samples from the Apple Health database found at:


You can use either PA Ultra or iLEAPP to pull the Steps data. You will need to total up all the steps taken for that day but remember that this is local time so careful with those timestamps as they are in UTC! 

Figure 8: Apple Health steps

We see the top two entries would fall off because of the timezone difference so if we add up all the rest we get to 755 steps for that day.

Abe 07 - Bluetooth πŸ”΅πŸ¦· (30 points)

Abe pairs his iPhone with few different Bluetooth devices. How many unique bluetooth connections were paired?

There are two different files that we need to look at to see connections, one for LE or low energy and the normal bluetooth list. They can be found at:



Between the two there were a total of 10 devices paired.

Figure 9: Bluetooth Paired LE report in iLEAPP

Figure 10: Bluetooth Paired report in iLEAPP

Abe 08 - App Notification πŸ”” (30 points)

Abe got notified by Harold of a potential arrest. Abe then opened which app?

The Notifications Duet report gives details about notifications from the phone. We can filter on arrest and see there was a notification from Harold via a Signal message.

Figure 11: Notifications Duet report in iLEAPP

The original file path was:


Abe 09 - Parked πŸ…Ώ️ (30 points)

Abe went to a party at RAIN Event Space. What is the name of the street (just the street name) for where he parked his vehicle? e.g: main

First we can do a Google Map search for where the RAIN Event Space is located. It shows a latitude and longitude of 40.8883034,-74.0208911 and address of 399 Water St, Teaneck, NJ 07666. In PA Ultra under the Locations there is a Vehicle Parked section that we can zone in on. There was only one location that was close to this address.

Figure 12: Vehicle Parked location in PA Ultra

One thing to note, the address lookup uses Bing which showed the incorrect address from Google Maps as Cedar Lane. As we can see from the screenshot, it was on Water Street, so the answer was "water". The source appears to be from RoutineD.


Abe 10 - About πŸ‘¨πŸ»‍🦱 (30 points)

What was Abe Rudder’s "About" bio on Whatsapp?

The WhatsApp preferences file can be found at the path:


It's not the easiest to decipher but there is a field for "CurrentStatusText" that fits the bill for a bio. It was set to a value of "World peace πŸ•Š".

Figure 13: WhatsApp preferences plist

Abe 11 - Permissions ❌ (30 points)

Abe is paranoid and not always giving access to everything. One of the apps Abe used on the iPhone received access to Photos however as an “Add Photos Only” permission. What is the name of the app?(one word i.e: Starbucks)

Permissions for iOS are found in the TCC.db file at path:


If we do a quick filter on "photos" there is only one entry for "PhotosAdd" which was for "com.google.chrome.ios" which is Google Chrome.

Figure 14: Permissions in iLEAPP

Abe 12 - Email πŸ“¨ (50 points)

Abe used a specific method to find/check/share locations via an app. In order to keep privacy up, Abe signed up with a different email address which keeps it isolated to that vendor. What is that email address?

There were a few different location apps installed on the phone but one was used the most and across the other phone images as well. The app is called What3Words which I had never heard before this CTF but it seems like a cool concept. This app utilizes RealmDB, which I don't believe is natively viewable in any forensic tool at this point. The file of interest is at the path:


We can use RealmStudio to open this file and view it.

Figure 15: default.realm file for What3Words

We can see that in the DataProfile tab there was a column for user email which was Abe's address, j9by422yjc@privaterelay.appleid.com.

Abe 13 - Search πŸ”Ž (50 points)

Abe got suspicious when he had to deal with some shady people almost as if a crime was known to be committed. He wanted to leave no traces. Abe was looking to create an anonymous email. Where did Abe search for that?

There aren't many places you can do searches and have it not be recorded by the phone. I looked into Safari but didn't see any results. After seeing that DuckDuckGo was installed I knew it had to be located there as it's more security conscious than others.

Luckily we have this nice handy cheat sheet from Mattia for third party apps to show us what file to look at:


Inside we get a blob of Base64 encoding information for open tabs.

Figure 16: DuckDuckGo preferences plist

Decoding in CyberChef we get a binary plist as output.

Figure 17: Base64 decode in CyberChef

We can either deserialize the bplist using Yogesh Khatri's library or view it Ian Whiffin's Mushy tool.

Figure 18: Deserialized bplist in Mushy

All that work just to confirm that it was indeed "duckduckgo" where the search was done.

Abe 14 - Navigation🧭 (50 points)

Abe was navigating while driving, on June 26, 2023. What was the destination address on the navigation?

This one wasn't as difficult as it probably should have been (in my opinion). Inside the App Snapshots on the day of question was a Apple Maps navigation showing that they were going to "284 Central Way, Kirkland".

Figure 19: App Snapshot for Apple Maps

There were a few snapshots of this navigation but generally can be found:


Abe 15 - Crypto πŸͺ™ (50 points)

Abe used MOB to send/receive crypto currency within Signal. Find the Recovery Phrase for Signal Mobile Coin wallet! What is it? (keep correct order of all the words)

A quick keyword for "mobile coin wallet" produced an encrypted Apple Note that had an image embedded inside.

Figure 20: Signal wallet recovery phrases in Apple Notes

After typing these in order you get an answer of "pet element blast mix trumpet usual leg aim office jaguar emerge fatigue tent volcano other unfair absent hope power annual banana speak initial gold".

Abe 16 - Picture πŸ” (50 points)

Abe loves taking pictures and videos on the iPhone, the problem is when Abe is trying to look for a picture, he is having hard time finding it. He therefore utilizes the Search within the Apple Photos app. 
If Abe would have searched for pictures of: Myself, Pawel, Hat He would end up with one photo.
Can you name that filename?

I knew where to go but not exactly how to go about pulling out the data with a query. I first found the Photos.sqlite file at:


Jared Barnhart has a blog on some of the research he did for the DFIR Summit a few years back so that was a good starting point. With a few tweaks to the query I came up with this:


We can pull a list that matches "Pawel" first and see what we get.

Figure 21: Apple Photos search for Pawel

Then onto "Myself" aka Abe. After comparing the file names of each there were only 4 different files that both were tagged in.


The only one that had a "hat" was IMG_1100.HEIC, the answer.

Figure 22: Pawel, Abe and hat

Abe 17 - Location 🐬 (50 points)

Abe went for some shady meeting on an island but tried to conceal as a vacation so he took a boat tour and tracked dolphins. He then decided to mark a location with “dolphins”. What was the timestamp for that location? [HH:MM:SS] written in UTC time"

A hex search for "dolphins" lead me directly to a database file for the app GPX Tracker.


In the "ZCDWAYPOINT" table there is an entry that matches.

Figure 23: GPX Tracker entry for location

It was strictly written to say UTC time so I just assumed what was shown in the description might be local. We can see an  Apple Absolute timestamp in the embedded JSON so I put that into a converter to confirm.

Figure 24: DCode timestamp verification

We can see that the UTC timestamp is different so the answer we were looking for was "17:57:35".

Abe 18 - BokerTov⏰😴 (100 points)

Within the last month before Abe got arrested (and his device was extracted), Abe used to wake up naturally however, there was one day the phone did. What was the day and (local) time? [YYYY-MM-DD HH:MM:SS] e.g: 2021-09-19 08:35:00

If we search in Notifications Duet for "alarm" we see a few for the day of June 16, 2023.

Figure 25: Notifications Duet report in iLEAPP

The only problem is this is UTC so we need to find local timezone offset for that day. In the App Snapshots we get a screenshot from the day before that shows an alarm set for 6:00 AM.

Figure 26: Alarm timer App Snapshot


Based off of both these items the answer was "2023-06-16 06:00:00".

And that's it for Abe!