Cellebrite CTF 2023 - Felix

Previous: Abe

Round 2 goes to Felix (not the cat as seen above 😂) as part of the Cellebrite CTF 2023. We get another iPhone image to analyze.

Evidence Download: Felix | Official Cellebrite Writeup

Felix 01 - Voicemail 📼 (10 points)

Felix received a voicemail from +1-416-435-5684. How many seconds in length was the voicemail message?

The voicemail database lives at the path:

filesystem2\mobile\Library\Voicemail\voicemail.db

We can see on the "voicemail" table that there was one entry for the number above, and the duration was 27 seconds.

Figure 1: Voicemail.db

There is now an iLEAPP report that will parse this as well.

Figure 2: Voicemail report in iLEAPP

Felix 02 - Picture 📷 (10 points)

Please look at the following picture: IMG_0026.HEIC. How many times do you see this picture on the device? (including thumbnails)

A keyword search for the file name across the image hits 5 different instances: one in the normal DCIM folder, one for the DCIM thumbnail, 2 in SMS, and one as an SMS attachment preview.

Figure 3: IMG_0026.HEIC search in PA Ultra

Felix 03 - Confirmation 📨 (10 points)

Felix confirmed receiving "everything". When Felix sent the confirmation, which account did he send it from?

Based on the hints in the title and question, we can head directly to email. In Apple Mail we see two emails with the subject "Confirmation". Felix sent an email from the account felix.davey@orange.fr in which he states he "received everything".

Figure 4: Mail report in iLEAPP

Felix 04 - Photo 🔑 (10 points)

Private Photo Vault is an application that is installed on the phone. What is the passcode to the application?

In PA Ultra, if you open the "User Accounts & Details > Passwords" section, you can filter on "vault" to narrow down the results. We can see the Private Photo Vault pincode was "2510".

Figure 5: Pincode in PA Ultra

Felix 05 - Location 🔎 (10 points)

Felix always had an interest in the USA. What application did he use to search an address in New Jersey USA?

A quick keyword search for "New Jersey" in PA Ultra resulted in an entry found at the path:

filesystem2\mobile\Containers\Shared\AppGroup\9D0D81A2-4452-43AD-AAC7-BC762C91EADA\Maps\MapsSync_0.0.1

The path relates to Apple Maps and showed one entry:

Figure 6: MapsSync entry in iLEAPP

Felix 06a - Size 📁 (10 points)

What is the size (in bytes) of the ChatStorage.sqlite-wal file? (Answer with numeric digit(s) only)

The -wal file of interest can be found at the path:

filesystem2\mobile\Containers\Shared\AppGroup\5F021CDF-1E49-45A3-A3EF-02BE149681AC\ChatStorage.sqlite-wal

We see that size is 0 bytes.

Figure 7: ChatStorage.sqlite-wal file

Felix 06b - Time 📅 (30 points)

(Since you answered correctly about the ChatStorage.sqlite-wal file) What is the date and time the -WAL file committed to the main database [YYYY-MM-DD HH:MM:SS] (correct time should be converted to UTC+0)

After answering 06a, this question gets unlocked. I originally looked for a way to query the database file for a timestamp of when the -wal gets ingested back into the main database, but nothing was found. Instead I assumed the modified timestamp of the database would reflect when it changed, so I went with that. Since my evidence was already set to UTC, I didn't need to convert. As you can see, the file was modified on 2023-07-01 05:49:55.

Figure 8: ChatStorage.sqlite timestamps

Felix 07 - Active 📳 (30 points)

When was the SIM card information on Felix's phone last updated? (Raw data, not converted)

From the SANS FOR585 poster, we can see SIM information can be pulled from the database at the path:

filesystem2\wireless\Library\Databases\CellularUsage.db

If we look at the "subscriber_info" table, we can see a last update timestamp of 709888384.063589.

Figure 9: SIM info from CellularUsage.db
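The raw value above is an Apple absolute timestamp (seconds since 2001-01-01 00:00:00 UTC), which is why it looks nothing like a Unix time. The following is an added example, not code from the writeup or from iLEAPP, that converts it and also classifies a numeric timestamp by its magnitude before converting; the range boundaries in guess_epoch are a heuristic assumption of mine, not a rule from any tool.

```python
from datetime import datetime, timedelta, timezone

# Apple "absolute time" (Core Foundation / Core Data) counts seconds from
# 2001-01-01 00:00:00 UTC; Unix time counts seconds from 1970-01-01 00:00:00 UTC.
APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# 978307200 seconds separate the two epochs.
APPLE_TO_UNIX_OFFSET = int((APPLE_EPOCH - UNIX_EPOCH).total_seconds())

# Raw value taken from the subscriber_info table as quoted in the writeup.
RAW_SIM_UPDATE = 709888384.063589


def apple_absolute_to_datetime(seconds):
    """Convert an Apple absolute timestamp (float seconds) to an aware UTC datetime."""
    return APPLE_EPOCH + timedelta(seconds=seconds)


def unix_to_datetime(seconds):
    """Convert a Unix timestamp (float seconds) to an aware UTC datetime."""
    return UNIX_EPOCH + timedelta(seconds=seconds)


def guess_epoch(value):
    """Heuristic (an assumption, not a standard): pick a likely encoding for a
    bare numeric timestamp from its magnitude.
      < 1e9  -> Apple absolute seconds (a Unix value this small would be pre-2001)
      < 1e11 -> Unix seconds
      < 1e14 -> Unix milliseconds
      else   -> unknown (WebKit/Chrome microseconds and similar are not handled)
    """
    if value < 1e9:
        return "apple"
    if value < 1e11:
        return "unix"
    if value < 1e14:
        return "unix_ms"
    return "unknown"


def convert(value):
    """Return (encoding_guess, 'YYYY-MM-DD HH:MM:SS' in UTC or None)."""
    kind = guess_epoch(value)
    if kind == "apple":
        dt = apple_absolute_to_datetime(value)
    elif kind == "unix":
        dt = unix_to_datetime(value)
    elif kind == "unix_ms":
        dt = unix_to_datetime(value / 1000.0)
    else:
        return kind, None
    return kind, dt.strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    # Expected: ('apple', '2023-07-01 07:13:04')
    print(convert(RAW_SIM_UPDATE))
    # Same instant expressed as Unix seconds round-trips to the same string.
    print(convert(RAW_SIM_UPDATE + APPLE_TO_UNIX_OFFSET))
```

When an answer key asks for the raw value, keep the raw number as the answer and record the converted form alongside it in your notes; converting in one direction only and forgetting which epoch a column uses is one of the commonest ways to put an event on the wrong day.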

Felix 08 - Missing 💬 (30 points)

The WhatsApp chat database appears to be missing some chat messages. Assuming the highest number is the last message, how many messages are missing?

A quick way to find the path of the WhatsApp database is iLEAPP. We already parse the chat database there, so the report shows the path:

filesystem2\mobile\Containers\Shared\AppGroup\5F021CDF-1E49-45A3-A3EF-02BE149681AC\ChatStorage.sqlite

If we dive into the database and open the "ZWAMESSAGE" table, we see a rough listing of messages. The Z_PK column is an incrementing count for each chat message.

Figure 10: WhatsApp ChatStorage.sqlite chats

We see a total of 10 messages, and a Z_PK of 29, so we are missing 19 messages.
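The arithmetic above (highest Z_PK minus rows present) generalises to any Core Data table: freed primary keys are not reused, so gaps in Z_PK are deleted rows. The following is an added example, not code from the writeup or from iLEAPP, that builds a constructed in-memory table shaped like ZWAMESSAGE (only Z_PK and ZTEXT are modelled, with ten sample keys chosen to mirror the 10-of-29 situation described above) and lists exactly which keys are missing rather than only counting them.

```python
import sqlite3

# Constructed sample data, not rows from the image: ten surviving primary keys
# with gaps standing in for deleted messages, highest key 29.
SAMPLE_ZPK = [1, 2, 3, 7, 8, 12, 20, 25, 28, 29]


def build_sample_db():
    """Create an in-memory SQLite table shaped like ZWAMESSAGE (subset of columns)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ZWAMESSAGE (Z_PK INTEGER PRIMARY KEY, ZTEXT TEXT)")
    conn.executemany(
        "INSERT INTO ZWAMESSAGE (Z_PK, ZTEXT) VALUES (?, ?)",
        [(pk, f"constructed message {pk}") for pk in SAMPLE_ZPK],
    )
    conn.commit()
    return conn


def missing_messages(conn, table="ZWAMESSAGE", pk_col="Z_PK"):
    """Return (present_count, highest_pk, missing_count, missing_pks).

    Assumes, as the question does, that the highest surviving primary key is the
    last message and that Core Data never reused a freed key. Table and column
    names are interpolated from trusted constants only, never from user input.
    """
    rows = [r[0] for r in conn.execute(f"SELECT {pk_col} FROM {table} ORDER BY {pk_col}")]
    if not rows:
        return 0, 0, 0, []
    highest = rows[-1]
    present = set(rows)
    missing = [pk for pk in range(1, highest + 1) if pk not in present]
    return len(rows), highest, len(missing), missing


def gap_runs(missing_pks):
    """Collapse a sorted list of missing keys into (start, end) runs, which makes
    a bulk deletion (one long run) easy to tell apart from scattered deletions."""
    runs = []
    for pk in missing_pks:
        if runs and runs[-1][1] == pk - 1:
            runs[-1] = (runs[-1][0], pk)
        else:
            runs.append((pk, pk))
    return runs


if __name__ == "__main__":
    db = build_sample_db()
    present, highest, count, gaps = missing_messages(db)
    print(f"{present} rows present, highest Z_PK {highest}, {count} missing")
    print("missing runs:", gap_runs(gaps))
```

One check worth adding on a real ChatStorage.sqlite: Core Data also keeps a Z_PRIMARYKEY table whose Z_MAX column records the highest key ever handed out per entity. If Z_MAX for the message entity is larger than the highest surviving Z_PK, the most recent messages were deleted too, and "highest number is the last message" undercounts.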

Felix 09 - wiped 🧹 (30 points)

When was Felix's phone last wiped? [YYYY-MM-DD HH:MM:SS]

One of my favorite artifacts for showing wipes of iOS devices is the ".obliterated" artifact (yes I have a t-shirt for that). If the file is available it can be found at the path:

filesystem2\root\.obliterated

What we look at is the created timestamp of the file, which tells us Felix's phone was wiped around 2022-12-01 17:16:55.

Figure 11: .obliterated timestamps in PA Ultra

Felix 10 - Cruise 🛳️ (30 points)

Felix was researching / surveilling a ship as a possible target and downloaded a photo of it. What is the name of the cruise ship?

Inside the Safari web browsing history we see some hits on pexels.com for yachts.

Figure 12: Safari history in iLEAPP

We got lucky by searching for "pexels" and one fit the bill for a cruise ship.

filesystem2\mobile\Library\Mobile Documents\com~apple~CloudDocs\Downloads\pexels-helena-jankovičová-kováčová-7372476.jpg

If we zoom in on the ship you can see it was named Crystal Serenity.

Figure 13: Crystal Serenity cruise ship

Felix 11 - data 📶 (50 points)

Which process on Felix's phone used the most cellular data (network traffic INTO the device)?

Application data usage via the network (wifi or wireless) can be calculated from the database at the path:

filesystem2\wireless\Library\Databases\DataUsage.sqlite

In the Data Usage report we can sort the Cellular Data In field to see that the process CumulativeUsageTracker had the most data coming in.

Figure 14: Data Usage report in iLEAPP

Felix 12 - H is mean 😈 (100 points)

Felix was referred information about pension reform. What is the SID associated with that artifact?

I think everyone hated this question a lot. What does a SID have to do with iOS?! Well you're about to find out.

At first I did a keyword search for "pension reform", which kicked back 4 results in the Apple News cachedata. None of these led anywhere, as they all appeared to be text descriptions of images. I decided to look for other references to the Apple News widget and, lo and behold, there was a path under a "referralItems" folder.

filesystem2\mobile\Library\News\com.apple.news.public-com.apple.news.private-production\referralItems\com.apple.news.widget

There were 8 subfolders each containing an "entry" file. If you open one up you can quickly see that it was just a JSON file.

Figure 15: entry file in Apple News widget

The "resultsData" key holds Base64-encoded data, so we can dump that into CyberChef to decode it. The result is a bplist file which needs to be deserialized. You could use Mushy, but I like using Yogesh's library to convert it to JSON so it's easier to read. Partway down we get another Base64-encoded blob, so let's decode that too.

Figure 16: Deserialized bplist in JSON format

We see we finally get to our finish line, and see the SID was "c5141308-e98c-11ed-8f70-ea4e37ab9147". I don't think I'd ever find this without a little coaxing. Maybe someone will find this useful for a case in the future? Who knows.
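The manual Base64 -> bplist -> Base64 -> bplist chain above is tedious by hand and easy to stop one layer too early. The following is an added example, not code from the writeup, CyberChef, Mushy or Yogesh's library, that automates it with only the standard library: it walks a JSON document, decodes any string that turns out to be a Base64-encoded binary plist, recurses into the result, and then searches the expanded tree for a key. The sample "entry" document it builds is constructed with placeholder values (including a placeholder SID) and only mimics the shape described above; it is not data from the image.

```python
import base64
import binascii
import json
import plistlib


def build_sample_entry():
    """Construct a JSON 'entry' document shaped like the widget referral files:
    resultsData holds a Base64 bplist, and one string inside that bplist is
    itself a Base64 bplist carrying a 'sid' key. All values are placeholders."""
    inner = plistlib.dumps(
        {"sid": "00000000-0000-4000-8000-000000000000", "topic": "constructed-topic"},
        fmt=plistlib.FMT_BINARY,
    )
    outer = plistlib.dumps(
        {"title": "constructed", "items": [{"payload": base64.b64encode(inner).decode()}]},
        fmt=plistlib.FMT_BINARY,
    )
    return json.dumps({"resultsData": base64.b64encode(outer).decode()})


def _bplist_from_base64(text):
    """Return the parsed plist if text is a Base64-encoded bplist, else None."""
    try:
        raw = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None
    if not raw.startswith(b"bplist00"):
        return None
    try:
        return plistlib.loads(raw, fmt=plistlib.FMT_BINARY)
    except Exception:  # truncated or malformed plist: leave the string as-is
        return None


def expand(obj, depth=0, max_depth=8):
    """Recursively replace Base64-encoded bplists (as str) and raw bplist bytes
    with their decoded content. max_depth bounds recursion on hostile input."""
    if depth > max_depth:
        return obj
    if isinstance(obj, dict):
        return {k: expand(v, depth + 1, max_depth) for k, v in obj.items()}
    if isinstance(obj, list):
        return [expand(v, depth + 1, max_depth) for v in obj]
    if isinstance(obj, bytes):
        if obj.startswith(b"bplist00"):
            try:
                return expand(plistlib.loads(obj, fmt=plistlib.FMT_BINARY), depth + 1, max_depth)
            except Exception:
                pass
        return base64.b64encode(obj).decode()  # keep non-plist bytes JSON-friendly
    if isinstance(obj, str):
        decoded = _bplist_from_base64(obj)
        if decoded is not None:
            return expand(decoded, depth + 1, max_depth)
    return obj


def find_key(obj, wanted, path="$"):
    """Yield (json_path, value) for every key whose name matches wanted (case-insensitive)."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            here = f"{path}.{k}"
            if str(k).lower() == wanted.lower():
                yield here, v
            yield from find_key(v, wanted, here)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from find_key(v, wanted, f"{path}[{i}]")


def extract_sids(entry_json):
    """Expand all nested blobs in an entry document and return the SID values found."""
    tree = expand(json.loads(entry_json))
    return [value for _, value in find_key(tree, "sid")]


if __name__ == "__main__":
    doc = build_sample_entry()
    print(json.dumps(expand(json.loads(doc)), indent=2, default=str))
    print("SIDs:", extract_sids(doc))
```

Run it over each referralItems/*/entry file (json.loads on the file contents in place of build_sample_entry) and the SID surfaces without hand-decoding each layer; the path yielded by find_key tells you how deep it was buried.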

And that's the end for Felix.