Part two is upon us, here I'll be going through the iOS section.
Evidence: 00008110-000925383620A01E_files_full.zip
Why are your messages green?
On what date did Rocco and Chadwick first meet in person according to their conversations? YYYY-MM-DD format
Via iLEAPP we can check out the SMS messages. We see some messages about meeting at city hall and then later confirming after meeting on 2023-12-17.
Figure 1: SMS via iLEAPP
Where /r u going on safari?
What subreddit was visited in a browser?
Hit the the Safari browser history in iLEAPP and we can see that Twitch subreddit was visited.
Figure 2: Safari History via iLEAPP
Don't ghost me
At what time did Chadwick get annoyed at MYAI? YYYY-MM-DD HH:MM:SS UTC
I did a quick search for "myai" in AXIOM and found some Snapchat messages between Chadwick and the AI. We can see towards the bottom of the conversation he gets a bit angry with MYAI.
Figure 3: Snapchat conversation via AXIOM
We can see his message was sent on 2023-12-26 23:27:45 after proper formatting. We could also go to the source in the arroyo.db to find the answer on the "conversation_message" table.
00008110-000925383620A01E_files_full.zip\private\var\mobile\Containers\Data\Application\9A0EF110-47F4-45D4-B96D-C3EF301F18FC\Documents\user_scoped\29312c28c183c406b035a7b3d40e2c6921a13c1a99a71dca20d0062085989beb\arroyo\arroyo.db
IMAGEine living in pain
Chad seemed to be searching for pain relief medicine in a store, how much did it cost?
The hint here is IMAGE. From the Photos parsed in iLEAPP we can browse through to see a picture Arnicare Gel for $10.99.
Figure 4: Photos via iLEAPP
You can also find the image from the folder path at:
00008110-000925383620A01E_files_full.zip\private\var\mobile\Media\DCIM\100APPLE\IMG_0017.HEIC
Your keyboard is salt-y
How many words were typed on the device?
I original thought this was looking for something based off the user dictionary but this only will show unique words typed. Some research from Salt4n6 from a few years ago dives into a database that isn't parsed by any tool that I know of.
00008110-000925383620A01E_files_full.zip\private\var\mobile\Library\Keyboard\user_model_database.sqlite
In the "usermodeldurablerecords" table, we get some interesting statistics on the usage of the keyboard including the total amount of words typed, which was 1797.
Figure 5: user_model_database.sqlite > usermodeldurablerecords table
This is now parsed in the latest iLEAPP build as I made the parser after the CTF competition ended.
Build me up, buttercup
What is the current build version?
You can get the build version from the Device Details in iLEAPP or via the path:
00008110-000925383620A01E_files_full.zip\private\var\installd\Library\MobileInstallation\LastBuildInfo.plist
We see that the build version was 20F75.
Figure 6: Build Version via Device Details in iLEAPP
Answer the call
What is the guild ID of the discord server Chad was in?
Cached items for Discord live at the path:
00008110-000925383620A01E_files_full.zip\private\var\mobile\Containers\Data\Application\FE27BB5E-D91E-4417-8669-C68FD6C67A97\Library\Caches\com.hammerandchisel.discord\Cache.db
If you do a filter on "guild" in DB Browser for SQLite we see two different possibilities. The one on the bottom appears to be a profile so I tried the other and it worked, the answer was 136986169563938816.
Figure 7: Discord Cache in DB Browser for SQLite
Warning Signs
How many days did it take Chad to be warned about his Data Usage?
There are two locations that came to mind instantly, notifications or SMS. When I saw SMS earlier I noticed a welcome message from Boost Mobile on 2023-11-29.
Figure 8: SMS via iLEAPP
On 2023-12-17 there was a warning which would be 18 days later.
Figure 9: Warning in SMS via iLEAPP
Watching streams to stay current
What is the name of Chad's streaming channel?
Since we know Chadwick was on Discord previously I looked through the chats there and came across a YouTube link which lead to Chadwick's channel. It was named ChadwickGames which was actually his Discord name as well and it worked.
Figure 10: Chadwick's YouTube channel
One is The Loneliest Number
What question did Chadwick ask to AI?
We know that he previously had conversations with AI in Snapchat but I didn't seen anything that stuck out as an answer. Via the Installed Apps in iLEAPP I noticed that OpenAI was installed.
Figure 11: Installed Apps via iLEAPP
ChatGPT is one of the most popular AI tools out so far. The app folder location lives at:
00008110-000925383620A01E_files_full.zip\private\var\mobile\Containers\Data\Application\6BFA5EA3-61CB-4652-A60A-2A955B651E05
Inside one of the subfolders is a folder named "conversations-b5c12911-e3c0-4961-bbe7-aec0a3ec3dd6" which gives a clue about the contents. Inside that are 3 different JSON files, one of which had the answer.
Figure 12: B00981C1-4A49-4F45-B4D8-59DFF84412CA.json
We can see he asked How to make online friends.
Watch me sUAVely win this game
How many kills did Chad have on his CoD Mobile winning game?
Having already found the video on Chadwick's YouTube channel, we can watch it to the 1:14 mark to see that he had 7 kills.
Figure 13: Chadwick's YouTube video
For when I cant Find My gear
What outdoor activity store did Chadwick Visit?
The hint here in the title is Find My, so we can look at the parsed locations in AXIOM under the Connected Devices section. One entry is for an iPhone device, with coordinates of 39.9840710007878, -105.249781880352 which if put into Google Maps plants us near Neptune Mountaineering.
Figure 14: Google Maps coordinates from Find My
Just a couple steps away
How many steps did Chad take on 12/3/2023?
Apple Health tracks steps so we just have to filter down to the day. This can be done in iLEAPP or AXIOM as both parse it.
Figure 15: Apple Health steps from iLEAPP TSV output
If we total up the 4 entries we get a grand sum of 968 steps.
Another regularly scheduled program
What Tattoo shop was visited on 12/27/2023?
In AXIOM we can do a date filter to check locations. The previously used location from Find My occurred during that day as well. If we do a nearby search with Google Maps we see a hit for Auspicious Tattoo, which as an educated guess was in fact the answer.
Figure 16: Google Maps results
I hear Stanley cups are all the rage
What was the final score of the hockey game Chad went to? (home - away)
Having looked through Chadwick's Snapchat messages prior I had seen he sent some pictures of a hockey game to MYAI.
Figure 17: Snapchat picture
We see that the Avalanche are home for this game. In one of the messages after the picture he comments on the final score of 6-4, which was the answer.
Figure 18: Snapchat message
Devil is in the details
Whose bitmoji is dressed like a devil?
One of the harder questions in my opinion in the whole CTF was this one. A keyword search for bitmoji in AXIOM did reveal any quick results so I went over to iLEAPP to see if anything hit and there were a few results in iOS Notifications. If we copy the one JSON dump out to a better viewer we can see a URL link to a bitmoji image from Sofiakhan.
Figure 19: Embedded JSON in iOS Notifications
If we navigate to the URL we see this user was the devil.
Figure 20: Devil dressed bitmoji
Excuse Moi? What did you say?
What is the content of the 2nd message that Chad deleted on Dec 18, 2023
This this one, you had to dive deep into the sms.db off the filesystem. You can find it at path:
00008110-000925383620A01E_files_full.zip\private\var\mobile\Library\SMS\sms.db
Figure 21: SMS.db in DB Browser for SQLite
We can see the message of the text in the hex contents.
Figure 22: SMS.db blob
The answer was "Excuse me?! That's quite a bold statement considering I'm the one who walked away with a black eye and spent $30 last night on products to avoid one!"
Boost this server
What is the 16 character carrier code?
This question was fairly vague so I didn't exactly know where to begin. I started looking at SIM related artifacts on the SANS poster and I thought I found a possible answer at the path:
private\var\wireless\Library\Preferences\com.apple.commcenter.plist
Figure 23: com.apple.commcenter.plist
The easy way or the hard way
What is the timestamp of the message Chad sent to Rocco but was never received? YYYY-MM-DD HH:MM:SS UTC
Figure 24: SMS via AXIOM
I couldn't find a specific flag in the iOS SMS.db that would indicate it was never received but I guess the flags are more geared to those with the same OS (blue bubble/green bubble conversation).
Its been a long time
When did Chad last login to Facebook? YYYY-MM-DD HH:MM:SS UTC
We were given a dump of a Facebook Return but I found out quickly that this return was for Rocco and not Chad based off the last login report.
Figure 25: Facebook Return
Since we didn't have a return for Chad back to the iOS extraction. Per the historical app report in iLEAPP, the Facebook app lived at the path:
00008110-000925383620A01E_files_full.zip\private\var\mobile\Containers\Data\Application\BF2FEA88-C397-405D-90EE-A56B2720896C
Figure 26: time_in_app files for Facebook
Given we are looking for the last login I went with the newest file. Of note, you will need to apply the -wal for the most recent results (see the modified dates). On the "metadata" table was a entry for "last_logging_timestamp", a unix epoch timestamp. Converting it lead to the answer of 2023-12-27 21:34:55.
Figure 27: Last login for Facebook
Can anyone Kelp?
What game was Chad asking to know the strategy to?
I just did keyword search for "strategy" and the results were slim but produced the answer. In a screenshot of application activity from Rocco's phone showed a Facebook status update from Chadwick.
Figure 28: Facebook update from Android app activity
He was looking for help with Terrarium. Sometimes it's helpful to search across all of your evidence and not just one specific to the question category.
Chat GPT is my PREFERENCE for AI
What is the ChatGPT userID associated with chawickmr95@gmail.com?
00008110-000925383620A01E_files_full.zip\private\var\mobile\Containers\Data\Application\6BFA5EA3-61CB-4652-A60A-2A955B651E05
Usually preferences are saved in plists on iOS so I filtered on subfolders for just plists to start. There were a few in the Preferences folder with one leading to the answer. The file was com.openai.chat.StatsigService.plist and the answer was user-xurgQ0xumvrujH5ESG17Yhcw.
Figure 29: com.openai.chat.StatsigService.plist file
You can see the email address there as well.
Read my mind
What message was sent to Rocco in a video game?
Based off the apps installed, there were only a handful of games, Call of Duty, Clash of Clans, and Subway Surf. Having not played any of them on mobile, I just did a quick search to see if they even supported it and Call of Duty does, so I started with that. Based off the iLEAPP report, the folder was at:
00008110-000925383620A01E_files_full.zip\private\var\mobile\Containers\Data\Application\3690AAA8-713A-482B-92F1-3F7D3BCC73E6
In just browsing the subfolders there was a little too obvious choice of folder titled ChatCache. In the extensionless file 2023-12-20 is a JSON formatted content with the chat.
Figure 30: Call of Duty ChatCache
The answer was "I know youre reading my messages".
Season's Greetings
What was the first emoji that was sent to Susan?
I previously saw messages to and from Susan in the SMS.db. There was a message that AXIOM parsed that failed to interpret the emoji sent on 2023-12-25 at 19:06:24.
Figure 31: Missing emoji SMS.db
I just copy and pasted the character into Google and it was able to interpret quickly to show that it was supposed to be the Potted Plant.
Figure 32: Potted Plant Google Search
Follow the Breadcrumbs
How many times did Chad's keyboard become visible within the Amazon app on 12/24/2023?
iLEAPP has a quick and dirty parser for text input sessions via Biomes. We can filter for Amazon and for the timestamp to see the keyboard was used 2 times that day.
Figure 33: Biome Text Input Sessions via iLEAPP
It's much easier to go this route than the manual breadcrumb approach of sifting through embedded JSON.
And that wraps the iOS evidence questions!