
Cellebrite CTF 2023 Recap: Answers on Sharon’s Android
We would like to thank everyone who participated in the Capture the Flag event. There were many late evenings and lots of hard work by many people involved. This is Cellebrite’s way of giving back to the community and providing resources to keep learning!
We want to provide a walkthrough on how we arrived at the answers. There may be situations where we show a method of deriving the answer which may differ from the method you used. This is the beauty of forensics—the paths we take may differ, yet the results are the same.
Backstory/Scenario:
Terror attacks were planned for Southport, NC in June of 2023. Russell, the primary suspect, lives locally to that area and seems to have been introduced to Abe via Sharon. Russell and Sharon go way back, and she seems to be the linchpin who tied Abe to Russell. So, who is Abe? How is he involved with Felix? Why would Felix be feeding a US person information on nuclear power plants and weapons? We intend to leave this scenario open-ended but wanted to give you some backstory.
Note: Most screenshots are from PA Ultra, so you may see a slight variation from what you are used to viewing with PA 7.
Sharon’s Android Questions:
Sharon 01 – Chipset – Level 1 (10 points)
What is the chipset of Sharon’s Android?
Answer: universal2100_r
Navigate to the location where your extraction is saved for Sharon’s device and open the directory UFED Samsung GSM SM-G991B Galaxy S21 5G 2023_06_29 (001). Open the FileSystem 01 directory, right-click on samsung_SM-G991B.ufd, and open the file with any text editor/viewer. Here you will find the answer and more, as UFED records details about the device during the extraction process.
Within UFED Ultra, this can be found in Analyzed Data > Device Info > Native. Notice the source is the .UFD file mentioned above.
Sharon 02 – What Happened – Level 1 (10 points)
What happened to the device on June 16, 2023, at 8:45:48 Eastern Daylight Time? (Think of a setting change). Simply answer with the value field.
Answer: The device was plugged in.
This can be found in Device Events under Analyzed Data. Since the results are most likely shown in UTC, you must convert from UTC to Eastern Daylight Time (UTC-4). You can scroll to the result or filter on the Start time.
Another easy way to solve this is to go into Timeline and filter Type for Device Events and Timestamp for the date in question. Here you will see the Samsung Rubin results showing the device being plugged in.
Sharon 03 – Chat – Level 2 (30 points)
Sharon likes secure chat apps. When was the last time she entered a PIN to unlock a secure chat app?
Answer: 2023-06-04 10:17:47
A good first step is looking at the installed apps. From here, you need to dive into the file system and look for databases of interest. In UFED Ultra, the Embedded icon in the column indicates that additional, embedded information can be uncovered from that file.
From here, we click on the embedded icon for signal-key-value.db to reveal a decrypted database. Click that file again to open it. Here you will find the answer in key_value. Take the provided UNIX Epoch millisecond value, 1685917067303, and convert it using an epoch converter of your choice. Ultra provides the conversion tab right next to the Text value. However, validation is helpful especially if you are unsure if the value is stored in UTC or localtime.
Above you can see the conversion within PA Ultra. Below shows the use of the Epoch Converter.
Sharon 04 – Address – Level 2 (30 points)
Sharon had a meeting with a co-conspirator near The Copper Penny on June 7, 2023. What is the exact street address of Sharon’s device when The Copper Penny was near? (Ex. 123 Main Street)
Answer: 485 N Water Street
First, you need to find the screenshot that contains the map with The Copper Penny. This can be done by browsing the DCIM directory or by using the Timeline in PA Ultra.
The File info tab confirms the date. In Timeline, filter on the timestamp to narrow down the results. You can also filter Type for location and images.
Once the screenshot taken by the device is found, the location coordinates must be converted to decimal degrees before searching on Google Maps. This website can be of use: https://www.fcc.gov/media/radio/dms-decimal.
Copy the converted coordinates and paste them into Google Maps as seen below.
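The degrees/minutes/seconds to decimal-degrees conversion that the FCC page performs can also be done locally, which is useful when you want to validate many coordinates at once or cannot send case data to a website. The following is an added example written for this recap, not Cellebrite code; the coordinate strings in it are constructed and are not Sharon's actual values. It accepts the usual symbols (° ' ") or plain spaces and applies the sign from the N/S/E/W hemisphere letter.

```python
import re

# One DMS coordinate such as 34°13'52.3" N or 78 04 29.8 W. The degree, minute
# and second symbols (including the Unicode primes) may be replaced by spaces.
DMS_RE = re.compile(
    r"""^\s*(?P<sign>[+-])?\s*
        (?P<deg>\d{1,3})\s*[°\s]\s*
        (?P<min>\d{1,2})\s*['′\s]\s*
        (?P<sec>\d{1,2}(?:\.\d+)?)\s*["″]?\s*
        (?P<hemi>[NSEW])?\s*$""",
    re.IGNORECASE | re.VERBOSE,
)


def dms_to_decimal(text: str) -> float:
    """Convert one DMS coordinate string to signed decimal degrees."""
    m = DMS_RE.match(text)
    if not m:
        raise ValueError(f"not a DMS coordinate: {text!r}")
    deg, minutes, seconds = int(m["deg"]), int(m["min"]), float(m["sec"])
    if minutes >= 60 or seconds >= 60:
        raise ValueError(f"minutes/seconds out of range in {text!r}")
    value = deg + minutes / 60 + seconds / 3600
    # South and West (or an explicit minus sign) are negative in decimal degrees.
    hemi = (m["hemi"] or "").upper()
    if hemi in ("S", "W") or m["sign"] == "-":
        value = -value
    return round(value, 6)


def dms_pair_to_decimal(lat_text: str, lon_text: str) -> tuple:
    """Convert a latitude/longitude pair and sanity-check the ranges."""
    lat, lon = dms_to_decimal(lat_text), dms_to_decimal(lon_text)
    if not -90 <= lat <= 90 or not -180 <= lon <= 180:
        raise ValueError("coordinate out of range")
    return lat, lon


def maps_query(lat: float, lon: float) -> str:
    """Format the pair the way a mapping service search box expects it."""
    return f"{lat:.6f}, {lon:.6f}"


if __name__ == "__main__":
    # Constructed sample values for illustration only.
    lat, lon = dms_pair_to_decimal('34°13\'52.3" N', '78 04 29.8 W')
    print(maps_query(lat, lon))
```

Validate the result by reversing the sign check: a longitude in the United States must come out negative, so a positive value almost always means the hemisphere letter was lost when the coordinate was copied from the screenshot.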
Sharon 05 – Secure Message – Level 2 (30 points)
A one-word text message was received with a photo that was stored as Private in a secure messaging app. What was the one-word text message?
Answer: mahalo
There are many methods for approaching this question. One would be to keyword search for private and then look for applications that have a private directory.
You will see WhatsApp has a private directory. There are two images stored in this directory.
Next, timeline on the June 1, 2023, and June 7, 2023 image timestamps, and you will see that the image accompanied by a one-word text message was received on June 1, 2023.
Sharon 06 – Facebook – Level 2 (30 points)
When did Sharon become friends with Abe Rudder on Facebook? (Answer must be in YYYY-MM-DD).
Answer: 2023-06-01
First, start with what the tools parsed for you. In PA Ultra, if you go to Social Media and then Facebook, you can filter by Abe Rudder and then follow the source file to get to where you need to be.
This will lead you to /data/data/com.facebook.katana/databases/ssus.100093324994023.android_facebook_contacts_db, where you will see the contacts table. Find Abe Rudder, look for the Unix Epoch timestamp in the added_time_ms column, and convert it from milliseconds since 1970-01-01 UTC to a date.
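Both the Signal key_value timestamp from question 03 (1685917067303) and the Facebook added_time_ms column above are millisecond Unix epoch values, and the walkthrough's advice to validate the conversion applies to each. The script below is an added example for this recap, not Cellebrite code: it guesses the unit from the magnitude of the raw integer (seconds, milliseconds, microseconds or nanoseconds), renders the value in UTC and in America/New_York, and shows the 12-hour form as well, since 22:17:47 UTC is the same instant as 10:17:47 PM UTC. The America/New_York zone is an assumption based on the device's Eastern time references; if no timezone database is installed it falls back to a fixed UTC-4 offset, which is only correct for dates under daylight time.

```python
from datetime import datetime, timedelta, timezone

try:
    from zoneinfo import ZoneInfo
    EASTERN = ZoneInfo("America/New_York")          # picks EST/EDT per date
except Exception:                                    # no tz database available
    EASTERN = timezone(timedelta(hours=-4), "EDT")   # fixed UTC-4 fallback (DST dates only)

UNIT_DIVISOR = {"s": 1, "ms": 10**3, "us": 10**6, "ns": 10**9}


def detect_unit(value: int) -> str:
    """Guess the unit of a raw epoch integer from its magnitude.
    Anything below 10**11 is seconds (valid until the year 5138), below 10**14
    milliseconds, below 10**17 microseconds, otherwise nanoseconds."""
    v = abs(int(value))
    if v < 10**11:
        return "s"
    if v < 10**14:
        return "ms"
    if v < 10**17:
        return "us"
    return "ns"


def epoch_to_datetime(value: int, tz=timezone.utc, unit: str = None) -> datetime:
    """Convert an epoch integer to an aware datetime without float rounding."""
    unit = unit or detect_unit(value)
    div = UNIT_DIVISOR[unit]
    whole, frac = divmod(int(value), div)
    utc = datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(
        seconds=whole, microseconds=frac * 10**6 // div
    )
    return utc.astimezone(tz)


def epoch_to_string(value: int, tz=timezone.utc, fmt: str = "%Y-%m-%d %H:%M:%S",
                    unit: str = None) -> str:
    return epoch_to_datetime(value, tz, unit).strftime(fmt)


def candidates(value: int) -> dict:
    """The interpretations a practitioner should compare before committing to one."""
    return {
        "unit": detect_unit(value),
        "utc": epoch_to_string(value),
        "utc_12h": epoch_to_string(value, fmt="%I:%M:%S %p"),
        "new_york": epoch_to_string(value, tz=EASTERN, fmt="%Y-%m-%d %H:%M:%S %Z"),
    }


if __name__ == "__main__":
    # The question 03 value from the walkthrough; any added_time_ms value works the same way.
    for key, text in candidates(1685917067303).items():
        print(f"{key:>9}: {text}")
```

When the artifact's own timezone is uncertain, corroborate with a second source on the device (a message sent around the same time, a screenshot timestamp) rather than assuming UTC; the unit guess is only a heuristic and should be overridden with `unit=` once the column's documentation is known.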
Sharon 07 – Boat – Level 2 (30 points)
Sharon decided to crash the “Life at Cellebrite” party and took a train. The day after the party, she left on June 24, 2023, around 9:00 AM EDT and arrived at her final destination around 11:25 AM EDT. In which cities did she start and end? (Answer must be in the following format: Las Vegas, White Fish.)
Answer: New York, Exton
Samsung Rubin is really helpful here. PA Ultra parses locations from Samsung Rubin under Points of Interest in the Locations Model. Once there, filter through Timestamp for June 24, 2023.
Once you filter, you can find the starting and ending locations based on time. Right-click on each finding and Retrieve addresses. You will see the device was in New York at 12:51 PM UTC and Exton at 3:23 PM UTC.
Sharon 08 – Location – Level 2 (30 points) – This unlocks Question 12
On June 16, 2023, Sharon was at “the home of the havoc” and shared her location with another suspect. Who did she share it with? (Answer must be first and last name).
Answer: Abe Rudder
Within PA Ultra, start with the timeline and filter by Timestamp for 06/16/2023 and review the results.
Look at the results on the pane on the right and you will see the answer.
There is another way to find the answer to this question. You can look at where Sharon was on the date above and you will see that she had many hits for New Jersey. If you do some Google searching, you should find the location.
When you right-click in PA Ultra and Retrieve Addresses you will see the location of 601 Holly Dell Dr., Sewell, NJ. “Home of the Havoc” in the question refers to the Ice Hockey team that plays in Holly Dell.
Sharon 09 – Hotspot – Level 3 (50 points)
Sharon connected to an iPhone mobile hotspot. What was the name of the mobile hotspot and the MM-DD the connection first occurred? (Answer must look like Jared Tesla, 06-09).
Answer: Heather’s iPhone, 05-13
The file iwc_dump.txt tracks wireless networks, frequency of connection, and lost-connection status, and is found only on Samsung devices. This file builds over time as the phone connects to additional wireless networks. This row of data from the file shows the first connection with the iPhone:
[05-13 12:48:39.759] setConnectionAttemptInfo: nid=-1 byUser=true configKey="Heather’s iPhone"WPA_PSK callingUid=1000(com.android.settings) cNid=4
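Because iwc_dump.txt accumulates entries over the life of the device, the reliable way to answer "when did the connection first occur" is to parse every setConnectionAttemptInfo line and keep the earliest timestamp per configKey. The parser below is an added example written for this recap, not Cellebrite's parser; the sample lines are constructed (the second one reproduces the row quoted above) and the line layout it assumes is exactly the one shown there: a [MM-DD HH:MM:SS.mmm] prefix, nid, byUser, then configKey as a quoted SSID immediately followed by the key-management type.

```python
import re

# Constructed sample in the style of iwc_dump.txt. The second line reproduces the
# row quoted in the walkthrough; the others are made up to exercise the logic.
SAMPLE_IWC = """\
[05-02 08:15:01.120] setConnectionAttemptInfo: nid=3 byUser=false configKey="HomeNet"WPA_PSK callingUid=1000(com.android.settings) cNid=3
[05-13 12:48:39.759] setConnectionAttemptInfo: nid=-1 byUser=true configKey="Heather’s iPhone"WPA_PSK callingUid=1000(com.android.settings) cNid=4
[05-13 12:48:41.002] some other iwc event that is not a connection attempt
[06-09 19:02:11.441] setConnectionAttemptInfo: nid=4 byUser=false configKey="Heather’s iPhone"WPA_PSK callingUid=1000(com.android.settings) cNid=4
[06-10 07:30:00.500] setConnectionAttemptInfo: nid=5 byUser=true configKey="CoffeeShop"NONE callingUid=1000(com.android.settings) cNid=5
"""

# Field order follows the quoted row: timestamp, nid, byUser, configKey="SSID"KEYMGMT.
ATTEMPT_RE = re.compile(
    r'^\[(?P<ts>\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\]\s+setConnectionAttemptInfo:'
    r'\s+nid=(?P<nid>-?\d+)\s+byUser=(?P<by_user>true|false)'
    r'\s+configKey="(?P<ssid>[^"]*)"(?P<key_mgmt>\S*)'
)


def parse_attempts(text: str) -> list:
    """Return one dict per setConnectionAttemptInfo line; other lines are skipped."""
    attempts = []
    for line in text.splitlines():
        m = ATTEMPT_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        entry["nid"] = int(entry["nid"])
        entry["by_user"] = entry["by_user"] == "true"
        attempts.append(entry)
    return attempts


def first_attempts(text: str) -> dict:
    """Earliest attempt per SSID. The timestamps carry no year, so MM-DD ordering
    is only trustworthy while the file spans a single year; check its range."""
    first = {}
    for a in sorted(parse_attempts(text), key=lambda a: a["ts"]):
        first.setdefault(a["ssid"], a)
    return first


def hotspot_first_seen(text: str, needle: str = "iPhone") -> list:
    """(SSID, MM-DD) for every network whose name contains the needle."""
    return [
        (ssid, a["ts"][:5])
        for ssid, a in first_attempts(text).items()
        if needle.lower() in ssid.lower()
    ]


if __name__ == "__main__":
    for ssid, a in first_attempts(SAMPLE_IWC).items():
        print(f"{a['ts']}  byUser={a['by_user']}  nid={a['nid']}  {ssid} ({a['key_mgmt']})")
    print(hotspot_first_seen(SAMPLE_IWC))
```

Note what the first row for the hotspot looks like in the sample: nid=-1 with byUser=true, whereas the later attempt carries an assigned network id and byUser=false, which is the kind of difference that helps distinguish the initial manual join from later automatic reconnections.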
Sharon 10 – PowerOn – Level 3 (50 points)
How many times did Sharon’s phone boot (power on and start up) while she was in Paris?
Answer: Two or 2
Josh Hickman did a lot of research on Digital Wellbeing, so this should have been a clue that we would take this path. In PA Ultra, you can get to Digital or Samsung Wellbeing by going to Application > Applications Usage Log and then following the source file. Nothing really parses to the level of detail required to answer this question. The database of interest is dwbCommon.db, which is located at /data/data/com.samsung.android.forest/databases/dwbCommon.db.
Digital Wellbeing is helpful here as it will tell you the timezone changes (New York to Paris and Paris to New York) and therefore the proper date range. The user entered the Paris timezone on March 19, 2023, and returned to the New York timezone on March 28, 2023.
You can convert the timeStamp column by right-clicking and selecting milliseconds from UTC 1970.
From there, you can look at Digital Wellbeing for BOOT_COMPLETED. You will see that there were two successful boots completed during the trip to Paris.
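The reasoning above has two steps: use the timezone-change events to bound the trip, then count BOOT_COMPLETED events inside that window. The script below is an added example for this recap, not Cellebrite code, and it does not reproduce the dwbCommon.db schema: the table name, column names and rows are a constructed stand-in so the logic can run offline, keeping only the ideas the walkthrough gives (a millisecond timeStamp column, timezone-change events and BOOT_COMPLETED events). Against a real database you would point the same queries at the actual table after confirming its layout.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed rows: (timeStamp in ms since the Unix epoch UTC, event, detail).
# Hypothetical layout for illustration; NOT the dwbCommon.db schema.
DEMO_ROWS = [
    (1678900000000, "BOOT_COMPLETED", ""),                    # 2023-03-15, before the trip
    (1679200000000, "TIMEZONE_CHANGED", "Europe/Paris"),      # 2023-03-19, arrival
    (1679300000000, "BOOT_COMPLETED", ""),
    (1679600000000, "BOOT_COMPLETED", ""),
    (1679990000000, "TIMEZONE_CHANGED", "America/New_York"),  # 2023-03-28, return
    (1680100000000, "BOOT_COMPLETED", ""),                    # after the trip
]


def load_demo(rows=DEMO_ROWS) -> sqlite3.Connection:
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events_demo (timeStamp INTEGER, event TEXT, detail TEXT)")
    conn.executemany("INSERT INTO events_demo VALUES (?, ?, ?)", rows)
    return conn


def ms_to_utc(ms: int) -> str:
    """Render a millisecond epoch value as a UTC string (PA's 'milliseconds from UTC 1970')."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def timezone_windows(conn: sqlite3.Connection) -> list:
    """[(tz_name, start_ms, end_ms)] built from consecutive TIMEZONE_CHANGED rows.
    The last window is open-ended (end_ms is None)."""
    rows = conn.execute(
        "SELECT timeStamp, detail FROM events_demo "
        "WHERE event = 'TIMEZONE_CHANGED' ORDER BY timeStamp"
    ).fetchall()
    windows = []
    for i, (start, tz_name) in enumerate(rows):
        end = rows[i + 1][0] if i + 1 < len(rows) else None
        windows.append((tz_name, start, end))
    return windows


def count_boots(conn: sqlite3.Connection, start_ms: int, end_ms: int = None) -> int:
    """Number of BOOT_COMPLETED events with start_ms <= timeStamp < end_ms."""
    sql = "SELECT COUNT(*) FROM events_demo WHERE event = 'BOOT_COMPLETED' AND timeStamp >= ?"
    params = [start_ms]
    if end_ms is not None:
        sql += " AND timeStamp < ?"
        params.append(end_ms)
    return conn.execute(sql, params).fetchone()[0]


def boots_per_timezone(conn: sqlite3.Connection) -> dict:
    """Boot count for each timezone the device reported being in."""
    return {tz: count_boots(conn, start, end) for tz, start, end in timezone_windows(conn)}


if __name__ == "__main__":
    conn = load_demo()
    for tz_name, start, end in timezone_windows(conn):
        span = f"{ms_to_utc(start)} to {ms_to_utc(end) if end else 'open'}"
        print(f"{tz_name:<18} {span}  boots={count_boots(conn, start, end)}")
```

The half-open window (start inclusive, end exclusive) matters: a boot logged at the exact millisecond of the return timezone change would otherwise be counted twice, once in each zone.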
Sharon 11 – Note – Level 3 (50 points)
The user made a note on June 4, 2023, Eastern Daylight Time. What did the note say?
Answer: Testing audio app or testing the audio app
A WhatsApp voice note was created and is an .opus audio file. The file must be played to hear the answer.
In PA Ultra, if you search for the word “Note” in the All-Project Search, you will get many hits. Click the button within the search result to display a tab of all the results. Within the newly opened tab of the results, table search “WhatsApp” or “opus” and you will see an Audio file with the .opus extension. Select this file and press play, and PA Ultra will play the audio file where you can hear the answer.
Sharon 12 – Favorite – Level 3 (100 points)
As a reference to the previous question of Sharon sharing her location on June 16, 2023, with Abe, when did Abe favorite this location? (The answer must be YYYY-MM-DD HH:MM:SS in the local time of where Abe was when he saved it. Show the answer as 2021-12-18 13:11:09 PST.)
Answers: 2023-06-16 14:43:10 EDT or 2023-06-16 14:43:08 EDT
You must solve question 08 to unlock this question. Once you locate the Holly Dell location in NJ, you need to timeline to see how that was shared with the other user. You will see that the user shared the location with Abe via WhatsApp.
From here, look at the details in the right pane. You will see what3words was used to create the three random words representing the address of acted.depends.cobbled which is how the user shared her location.
Next, you need to pivot to Abe’s device. You can’t take it any further on Sharon because she simply created and shared the location. Abe is the one who saved it. We recommend timelining in Abe and then digging deeper.
Now you have to think about the application of interest, which is what3words. That is how the data was shared via WhatsApp from Sharon to Abe.
If you search for traces of application data in What3Words, you will eventually find the realm database that needs to be examined. The path for this file is: EXTRACTION_FFS.zip/root/private/var/mobile/Containers/Data/Application/016859D5-A1E7-42B4-A070-B743BF01686D/Documents/default.realm.
Export out the default.realm. We used Realm Studio to examine this database.
In the DataPlace table you will see the location shared was saved as “Rinkkkk” on June 16, 2023, at 18:43:10 UTC+0. This timestamp must be converted to where Abe was on that day, which was the America/New_York timezone, or UTC-4. If you examine Locations > Places and filter on Timestamp for June 16, 2023, you will find several locations from NY, NJ, and GA. All are in this timezone.
The second answer involved examining the free pages of a write-ahead-log (-WAL) file. The database Events-Qae
Sharon 13 – Take a break – Level 3 (100 points)
Sharon needed a break from the northeastern winter and headed south for a girls’ trip for five days. While on her vacation, she saw her own dolphin. Where was she when she saw her dolphin?
Answer: Miami, FL
This question involves a little bit of OSINT. If you recall, Heather mentioned that players could stalk the Dream Team on social media for clues, and Heather had one for this question in her Twitter feed.
Notice the timestamp in the post on X (formerly Twitter). There was also a picture of a suitcase on Sharon’s phone from 2023-01-25.
Combining the knowledge that Heather was in Miami in January with the subtle clue in the question (“dolphin”) should give a clue as to where to focus efforts. PA’s location carving function comes in handy here in that it will carve for locations in a given area. Simply drop the pin on the map, set the radius, and start carving.
Once you have finished carving, examine the results. There is one result in particular that is right next to The Dolphin Expressway in Miami, FL.
Note the source file for the coordinates. Sharon’s phone was served an ad, which contained the location of her phone at the time the ad was served.
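The location carving step above amounts to "drop a pin, set a radius, keep every coordinate inside the circle". The script below is an added example written for this recap, not PA Ultra's carving engine: it implements that radius filter with the haversine great-circle distance over a constructed list of coordinate hits. The centre point is an approximate downtown Miami coordinate chosen for the example, and the three candidate points (one near Miami, one near Southport, NC, one in New York) are made up, not values from Sharon's extraction.

```python
import math

EARTH_RADIUS_M = 6_371_008.8  # mean Earth radius in metres


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two decimal-degree points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def points_within(points: list, center: tuple, radius_m: float) -> list:
    """[(distance_m, point)] for every point inside the circle, nearest first.
    Each point is a dict with at least 'lat' and 'lon' keys."""
    clat, clon = center
    hits = []
    for p in points:
        d = haversine_m(clat, clon, p["lat"], p["lon"])
        if d <= radius_m:
            hits.append((round(d), p))
    return sorted(hits, key=lambda h: h[0])


# Constructed inputs for the example; coordinates are illustrative only.
MIAMI_CENTER = (25.7617, -80.1918)  # approximate downtown Miami pin
DEMO_POINTS = [
    {"source": "ad_sdk_cache.db (constructed)", "lat": 25.7800, "lon": -80.2100},
    {"source": "photo_exif (constructed)", "lat": 33.9215, "lon": -78.0200},   # Southport, NC area
    {"source": "maps_history (constructed)", "lat": 40.7128, "lon": -74.0060},  # New York
]


def carve_report(points: list = DEMO_POINTS, center: tuple = MIAMI_CENTER,
                 radius_m: float = 10_000) -> list:
    """Human-readable lines for each hit inside the radius."""
    return [
        f"{d/1000:.2f} km  {p['lat']:.4f}, {p['lon']:.4f}  source={p['source']}"
        for d, p in points_within(points, center, radius_m)
    ]


if __name__ == "__main__":
    for line in carve_report():
        print(line)
```

Keep the source of every hit alongside the coordinate, as the walkthrough does: an ad-network cache and a user-taken photo carry very different weight when you later have to explain why the device was where the carve says it was.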
We hope you enjoyed this CTF. Please feel free to provide feedback on your experience and feedback on PA Ultra to ctf@cellebrite.com. Stay tuned for the next blog and a webinar where we go over the hardest questions to solve and show you how we did it and why we created it.