Magnet Virtual Summit 2024 CTF - Android

Cipher | iOS

Now for the last section, the Android phone.

Evidence: Google Pixel 3a XL Logical Image - Data.tar | Facebook Return

Press x to Respawn

On what platform did Rocco share his Call of Duty Username?

I switched over to Conversation view to possibly narrow the scope to just communications. Out of Android Messages, SMS, Discord, Facebook, and Twitter, Twitter was the winning application. In the DMs Rocco sends his username to Chadwick.

Figure 1: Twitter DMs in AXIOM

Warm Up

What Southern state's sports team did Rocco search up?

In Chrome search history, Rocco looked for "ragin cajuns football record".

Figure 2: Chrome search history in ALEAPP

The results lead to the Louisiana Rajin Cajuns.

Figure 3: Search for "ragin cajuns"

Source path:

Google Pixel 3a XL Logical Image - Data.tar\data\data\\app_chrome\Default\History

Can you Handle this

What was Rocco's Twitter account name?

From the Twitter DMs above we could see that his Twitter handle was @RoccoSachs96775. You could also see account authorization in ALEAPP with the account name.

Figure 4: Accounts_ce report in ALEAPP

Need to reach those heights

What is the SIM operator name?

Based off the telephony.db and parsed in the SIM info report in ALEAPP, it appeared that there were two possible answers, Boost and T-Mobile.

Figure 5: SIM info via ALEAPP

Seeing as Boost Mobile was listed as the US ISO code, I went with that and it worked.

Source path:

Google Pixel 3a XL Logical Image - Data.tar\data\user_de\0\\databases\telephony.db

Not to be basic but...

What is the default Internet Browser?

This isn't a given but since it was Android, I guess Chrome and it was the default still. This was also verified later on via the roles.xml file at path:

Google Pixel 3a XL Logical Image - Data.tar\data\misc_de\0\apexdata\\\roles.xml

Figure 6: Defaults via roles.xml

Survival Mode Activated

What conference did Rocco show interest in?

Based off Rocco's Chrome web searches he was researching going to Preppercon.

Figure 7: Chrome search history via ALEAPP

Source path:

Google Pixel 3a XL Logical Image - Data.tar\data\data\\app_chrome\Default\History

Sign me up!

What email is associated with the device?

Littered throughout the accounts_ce and accounts_de databases you can see that was frequently utilized.

Figure 8: accounts_ce authtokens report via ALEAPP

Sources being:

Google Pixel 3a XL Logical Image - Data.tar\data\system_ce\0\accounts_ce.db
Google Pixel 3a XL Logical Image - Data.tar\data\system_de\0\accounts_de.db

Not so popular

How many messages were sent from Rocco in Twitter Direct Messages?

In AXIOM we can filter on sender of Twitter DM's and see he sent 8 messages.

Figure 9: Twitter DMs sent, via AXIOM

The source being:

Google Pixel 3a XL Logical Image - Data.tar\data\data\\databases\1719897971716685824-66.db

No two cents about them

According to exCHANGEs in Discord with Chad, what did Chad want back from Rocco?

After scrolling through the conversations we can see he wanted money back.

Figure 10: Discord chats via ALEAPP

These were pulled from:

Google Pixel 3a XL Logical Image - Data.tar\data\data\com.discord\files\kv-storage\@account.1185636389107273799\a

You can never be too ready

How many additional survival tips were provided in the $9 book Rocco was looking into

Pricing was specific to pictures on the iOS image so I pivoted to see if there were any taken by the phone in the DCIM folder. The answer was 72 found on the image at path:

Google Pixel 3a XL Logical Image - Data.tar\data\media\0\DCIM\Camera\PXL_20231215_202654750.jpg

Figure 11: Survival tips book in DCIM

Tag your're it!

What city was the user in when they identified an AirTag on them?

Android now has some built in features that can detect AirTag like devices. Not sure if commercial forensic tools are parsing this yet but ALEAPP does from path:

Google Pixel 3a XL Logical Image - Data.tar\data\user\0\\databases\personalsafety_db

Figure 12: AirTag scans via ALEAPP

We see coordinates that we can search with Google Maps to see it was located near Windsor, Ontario.

Figure 13: Lat/Long Google Maps search

A game of Cat and Mouse

What game did two beloved cartoon characters promote in an Ad? 
I instantly thought of Tom & Jerry but wasn't sure what the game may be so I did a quick search in AXIOM for images and videos. After much scrolling I found the ad lodged deep in the path:

Google Pixel 3a XL Logical Image - Data.tar\data\data\\files\download\asset\83c4649ef9ea3b1825f2ee682accc363a31a0e5d

Figure 14: Tom and Jerry video ad

We can blurrily see the name of the game was Tom and Jerry: Chase.

Always achieving new heights

What was the new score achieved on the video game Rocco watched on Youtube?

A quick search for Youtube led me to a Twitter Tweet showing a link to a video for Subway Surfers High Score.

Figure 15: Twitter tweet

Going to the link we see it was on Chadwick's channel, and the high score was 5,187.

Figure 16: Subway Surfer high score

LIVE your life

What two sports did Rocco capture in a photo (__ and ___)?

You can't have a Magnet CTF without having a question that requires hunting down a live photo. There were only a handful on the image and only one that really fit the requirements. It was at path:

Google Pixel 3a XL Logical Image - Data.tar\data\media\0\DCIM\Camera\PXL_20231220_234032213.MP.jpg

If you pause it just at the right moment you can see the two sports were golf and skiing.

Figure 17: Motion photo screenshot

Remember your floaties

What fun outdoor activity location was searched for? 

Google Maps had only one search term in the history at path:

Google Pixel 3a XL Logical Image - Data.tar\data\user\0\\databases\gmm_storage.db

We see that Big Water Campground, Ontario 655, Timmins, ON was the place of interest.

Figure 18: Google Maps searches via ALEAPP

R-E-J-E-C-T-E-D Rejected

When was the last shutdown that was initiated by Rocco? (YYYY-MM-DD HH:MM:SS) UTC 24 hour time.

I knew where to go for this one quickly as I wrote a blog on it a few years back and also wrote the parser into ALEAPP. If you hit the Shutdown Checkpoints parser you can sort the timestamps and see 2023-12-28 23:47:29 was the last user requested entry.

Figure 19: Shutdown checkpoints via ALEAPP

Source path was: 

Google Pixel 3a XL Logical Image - Data.tar\data\system\shutdown-checkpoints\checkpoints-1703807249418

Out of Stock

What is the most recent score in Subway Surfer?

Recent activity is commonly tracked on stock Android phones at path:

Google Pixel 3a XL Logical Image - Data.tar\data\system_ce\0\recent_tasks

Searching for Subway Surfer we can see there is an entry with a screenshot showing that the score was 1,899.

Figure 20: Recent Activity via ALEAPP

So Salty!

What is the handle of the person who is talking about how upset they are with  Rocco?

In looking for the previous question I came across another Recent Activity in ALEAPP that answers this question. It was from Twitter showing that Rocco was upset with Larissa who's handle was @larissajenna9.

Figure 21: Twitter Recent Activity

Don't let them see you down

What was added using photoshop?

I assumed Photoshop would save altered files in a specific folder so I just navigated the file system to check. I found a few at:

Google Pixel 3a XL Logical Image - Data.tar\data\media\0\Pictures\Photoshop Express

These would need to be compared to the original photos. I first thought they just removed the Next Time but that wasn't it.

Figure 22: Photoshop photos from Media folder

Going to the Screenshots folder I found a similar image that removed the Success sticker.

Figure 23: Original screenshot

Google Pixel 3a XL Logical Image - Data.tar\data\media\0\Pictures\Screenshots\Screenshot_20231226-154230.png

It's the eye of the tiger

When is Rocco's Bday? (YYYY-MM-DD)

Well we got some return packages so we might as well use them. You can find the Profile information file at path:\personal_information\profile_information

Insides shows Rocco's birthday as 1974-09-29.

Figure 24: Facebook return profile information

Secrets Secrets are no Fun

What did Rocco search in the App Store to download the app used to hide photos

Google Play store searches can be found at:

Google Pixel 3a XL Logical Image - Data.tar\data\data\\databases\suggestions.db

There are many similar type apps that you can use to hide photos but calculator vault is a common one.

Figure 25: Google Play searches via ALEAPP

Stalker Alert

Shortly after logging into Facebook with IP address, a photo was taken. Where was this photo taken?

Back to the Facebook return to see what we can find. IP activity can be found in the file:\security_and_login_information\ip_address_activity.html

Looking for that IP address we see the timestamp was December 27, 2023 at 11:16:01am.

Figure 26: Facebook IP activity

Heading back over to the Android image, we can locate a photo timestamp for that period making sure to take into account for local timezone offset.

Figure 27: Photo metadata via ALEAPP

If we search Google Maps for those coordinates we get a location of Devonshire Mall, 3100 Howard Ave Unit B7, Windsor, ON N8X 3Y8, Canada.

Figure 28: Google Maps coordinates

And with that answer that wraps up the Magnet Virtual Summit CTF for 2024. I hope those that competed had fun!