Part 1: Walk-Through of Answers to the 2021 CTF – Investigating Heisenberg’s Android Device
We would like to say thank you to everyone who participated in the Capture the Flag event. There were many late evenings and lots of hard work put in by many people involved. The CTF annual event is Cellebrite’s way of giving back to the DFIR community and providing continuously helpful resources to upskill expertise.
In this and upcoming CTF follow-up articles, we will present a walk-through of how we came to the answers. At times we will reference blogs written by community members who published their own write-ups of the CTF. We found it interesting that some of their paths to the answers were not the same as ours.
In essence, the beauty of digital forensics is the scope of possibilities: different paths can lead to the same conclusion.
Beth Dutton had been invited by Heisenberg to the Vienna Inn in Vienna, VA on July 21st at 5:00 PM where she was arrested by local Police for grand theft.
Under questioning, Beth revealed that her sister, Marsha Mellos, had introduced Heisenberg to her and had stated that he was responsible for stealing cars whereas she and her sister were innocent.
She also confirmed that both women are in the cattle business in Montana and had simply got mixed up with the wrong guy.
Marsha has both a PC and an iPhone, Beth an iPhone, and Heisenberg an Android device. They are being held with suspicion of committing auto theft for the purpose of selling on the black market. So, the investigation was looking for digital evidence of cash transfers.
Let’s dive into questions concerning Heisenberg’s Android Device.
Question 24: Device Identification (10 points)
What is the Bluetooth MAC Address of the first vehicle Heisenberg’s Android was connected to?
If you are using Physical Analyzer, navigate to Device & Networks -> Device -> Bluetooth Devices; the answer is there: 34:c7:31:f8:61:3b. If you look at the other entries (their names and pairing timestamps), it is clear that this is the first vehicle.
If you are looking at this manually through the file system, the paired-device list is in /data/misc/bluedroid/bt_config.conf, where each paired device has its own section keyed by its MAC address.
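For examiners working without a parser, here is an added example (not part of the original write-up or Cellebrite's tooling) that reads bt_config.conf as the INI-style file it is, orders the paired devices by their pairing timestamp, and uses the Bluetooth Class of Device to flag car audio and hands-free units. The sample file content below is constructed: the key names (Name, DevClass, DevType, Timestamp, with Timestamp in epoch seconds) reflect the usual bt_config.conf layout but are assumptions, and the device names and class values are illustrative.

```python
import configparser
import re
from datetime import datetime, timezone

# Constructed sample in the layout of /data/misc/bluedroid/bt_config.conf.
# Sections, key names and values are assumptions for illustration, not
# content from the CTF image. Note the file order is NOT pairing order.
SAMPLE_BT_CONFIG = """\
[Info]
FileSource = Empty
TimeCreated = 2021-05-01 10:00:00

[Adapter]
Address = aa:bb:cc:dd:ee:ff

[77:88:99:aa:bb:cc]
Name = Constructed Vehicle B (hands-free)
DevClass = 2360328
DevType = 1
Timestamp = 1621000000

[11:22:33:44:55:66]
Name = Constructed Headset
DevClass = 2098180
DevType = 1
Timestamp = 1620500000

[34:c7:31:f8:61:3b]
Name = Constructed Vehicle A (car audio)
DevClass = 2360352
DevType = 1
Timestamp = 1620000000
"""

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)


def parse_paired_devices(text):
    """Return paired devices (sections named by MAC) sorted by pairing time."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(text)
    devices = []
    for section in cp.sections():
        if not MAC_RE.match(section):
            continue  # skip [Info], [Adapter] and any other non-device section
        s = cp[section]
        ts = int(s.get("Timestamp", "0"))  # assumed: epoch seconds
        devices.append({
            "mac": section.lower(),
            "name": s.get("Name", ""),
            "dev_class": int(s.get("DevClass", "0")),
            "paired_utc": datetime.fromtimestamp(ts, tz=timezone.utc),
        })
    return sorted(devices, key=lambda d: d["paired_utc"])


def is_vehicle(dev):
    """Bluetooth Class of Device: major class in bits 8-12, minor in bits 2-7.
    Major 0x04 = Audio/Video; minor 0x08 = car audio, 0x02 = hands-free.
    CoD is self-reported by the peer, so confirm against the Name field."""
    major = (dev["dev_class"] >> 8) & 0x1F
    minor = (dev["dev_class"] >> 2) & 0x3F
    return major == 0x04 and minor in (0x08, 0x02)


def first_vehicle(text):
    """MAC of the earliest-paired vehicle-class device, or None."""
    for dev in parse_paired_devices(text):
        if is_vehicle(dev):
            return dev["mac"]
    return None


if __name__ == "__main__":
    for d in parse_paired_devices(SAMPLE_BT_CONFIG):
        print(d["paired_utc"].strftime("%Y-%m-%d %H:%M:%S"), d["mac"], d["name"],
              "VEHICLE" if is_vehicle(d) else "")
    print("first vehicle:", first_vehicle(SAMPLE_BT_CONFIG))
```

Sorting by Timestamp rather than trusting file order matters: the Bluetooth stack rewrites this file, so the section order tells you nothing about which device was paired first.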
Question 25: Application Analysis (20 points)
Who was the originator (friendly name) of the phrase “I plead the fifth” found on Heisenberg’s Android device?
Hint: Keyword search “fifth” and review the results
This question raised many questions on Discord and by email. We admit that it could have been worded better, which would have lessened the confusion about the flag we were looking for.
A keyword search for the phrase "I plead the fifth" brings you to entries in Heisenberg's email inbox. The email was from redditmail, and the answer we were looking for was 'reddit': within Physical Analyzer, 'reddit' is listed as the friendly name on that email entry.
Question 26: Device Usage (20 points)
What is the date and time of Heisenberg’s confession/arrest? (Format YYYY-MM-DD HH:MM:SS)
Flag: 2021-07-20 19:03:34
This question was a bit of a tough one, but following the timeline, the messages and the usage history of the device could have led you to the time frame. You would have needed to look at the media section of the extraction, specifically the DCIM folder and the videos in it.
In this video, which is about one minute long, Heisenberg tries to offload a stolen car to a woman who turns out to be a police officer. She confronts Heisenberg about the car being stolen and, without much resistance, he voluntarily spills the beans on the others. The flag was the modified time of the video.
Keep in mind that your tool may display that timestamp in your workstation's local time zone; confirm which zone is shown before writing it in the required YYYY-MM-DD HH:MM:SS format.
Question 27: Application Usage (20 points)
Which applications did Heisenberg use to secure (hide) files and/or pictures?
- Anti Spy
The difficulty of this question depended on your approach. You could have dug into each application, or used 'Installed Applications' under 'Analyzed Data' in Physical Analyzer. Of the listed options, HideX is the only one that appears there.
Question 28: Application Analysis (10 points)
Which website did Heisenberg look for with regards to guidance on how to mount a USB drive on his phone? (The answer should be the full website i.e www.XX.com)
In this question, we were clearly looking at browsing history, since the flag had to be the URL of a website.
If you search for 'mount' in the browsing history, it brings you to a Google search for 'how to mount a pen drive on an android.' The link opened from that search leads to tomsguide.com.
Question 29: Settings and Notifications (20 points)
Were notifications visible on the lock screen while Heisenberg’s Android was locked? What was the file that stored the Notification settings? (Only the file name is needed. Not the full path.)
This is one of those questions we needed to modify on the fly based on the initial submissions from players.
The notification settings live in settings_secure.xml, which you could have known from the SANS FOR585 poster (for585.com/poster). The question was designed to make you dig deeper into the clues. One person also found notification_policy.xml as a possible answer, but we were looking for settings_secure.xml. The lock-screen behaviour itself is governed by the lock_screen_show_notifications key in that file (1 = shown), with lock_screen_allow_private_notifications controlling whether sensitive content is redacted.
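As an added example (not part of the original write-up), here is a small parser for settings_secure.xml that answers the lock-screen question directly from the two keys above. The XML below is constructed in the layout Android 11 and earlier use for /data/system/users/0/settings_secure.xml (the ids and package attributes are illustrative); on Android 12 and later the file is written in Android Binary XML (ABX) and has to be converted to text before a parser like this can read it.

```python
import xml.etree.ElementTree as ET

# Constructed sample of /data/system/users/0/settings_secure.xml (plain-XML era).
# Setting ids and package values are illustrative, not from the CTF image.
SAMPLE_SETTINGS_SECURE = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<settings version="190">
  <setting id="12" name="lock_screen_show_notifications" value="1" package="com.android.settings" />
  <setting id="13" name="lock_screen_allow_private_notifications" value="0" package="com.android.settings" />
  <setting id="20" name="screensaver_enabled" value="0" package="android" />
</settings>
"""


def load_secure_settings(xml_text):
    """Map setting name -> value. Accepts str or bytes; parsing bytes avoids
    any fuss with the encoding declaration."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    return {s.get("name"): s.get("value") for s in root.iter("setting")}


def lock_screen_notification_state(settings):
    """Interpret the two lock-screen keys. A missing key means the device
    default applied, which varies by OEM, so report it rather than guess."""
    show = settings.get("lock_screen_show_notifications")
    private = settings.get("lock_screen_allow_private_notifications")
    if show is None:
        return "not set (device default applies; check the OEM default)"
    if show != "1":
        return "hidden"
    if private == "1":
        return "shown with content"
    return "shown, sensitive content redacted"


if __name__ == "__main__":
    s = load_secure_settings(SAMPLE_SETTINGS_SECURE)
    print("lock screen notifications:", lock_screen_notification_state(s))
```

Run it over the real file from the extraction and also note the value of lock_screen_allow_private_notifications: "shown" alone does not tell you whether message text was readable without unlocking.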
Question 31: Application Analysis (20 points)
Which website was accessed by the user on Heisenberg’s Android device using DuckDuckGo?
- none of the above
Flag: none of the above.
So, there are a couple of ways to look at this one. One very straightforward way was to search for all three listed sites, and since none show up, answer 'none of the above.' The true path of least resistance.
Since DuckDuckGo browsing history may not be parsed by some tools, you need to dig into the application's own database. If you don't know the file path or the associated databases, look at 'Installed Applications' in Physical Analyzer.
From there you can navigate the file tree to the folder containing the application's files. Another option is to go to Databases and search for 'DuckDuckGo,' which filters to all database files associated with the application.
Upon reviewing the Visit Entries table, you can see that none of the listed sites were visited; hence the answer is 'none of the above.'
Interesting note: tyga-auto-repairs.co.za does come up as an entry, but as a false-positive domain. As of Physical Analyzer 7.49, this artifact is parsed.
Question 32: Internet Artifacts (20 points)
When, and in which city, did Heisenberg search for rental properties on his Android? (Answer Format: YYYY-MM-DD HH:MM:SS NameOfCity)
Flag: 2021-05-16 04:26:51 Blacksburg
- Searching locations is a great start. (0 points deducted)
- If you find a search hit for rental property, follow that location then review the timeline. (5 points)
This is another example of community members finding other legitimate possible answers. For this question, you should start by looking at "Searched items" under "Search and Web" in Physical Analyzer.
This brings you to the Google Chrome search history. There is a search entry for 'properties for rent near me,' and right after it a search for Raines Property Management. A quick Google search for Raines Property Management returns 'Blacksburg VA.'
One person reached out saying they had found another possible answer: a 'property near me' search with a zip code. Reverse-searching the zip code also led to Blacksburg, but at a different time.
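When the "Searched items" view is not available, the same answer can be pulled straight from Chrome's History SQLite database (/data/data/com.android.chrome/app_chrome/Default/History). The added example below is not from the original write-up: it builds an in-memory copy of the three tables involved (keyword_search_terms, urls, visits) with constructed rows, joins them, and converts Chrome's WebKit timestamps (microseconds since 1601-01-01 UTC) into the required YYYY-MM-DD HH:MM:SS format. The first sample row mirrors the time in the flag; the other rows and their times are invented for the demonstration.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome stores times as microseconds since this epoch, not the Unix epoch.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(us):
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def datetime_to_webkit(dt):
    # Integer division of timedeltas keeps full microsecond precision
    # (a float conversion would not at ~1.3e16 microseconds).
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def build_sample_history():
    """Constructed stand-in for Chrome's History DB: only the columns the
    query needs are created. Rows are invented except that the first one
    carries the time from the flag."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);
        CREATE TABLE keyword_search_terms (keyword_id INTEGER, url_id INTEGER,
                                           term TEXT, normalized_term TEXT);
    """)
    rows = [
        ("https://www.google.com/search?q=properties+for+rent+near+me",
         "properties for rent near me", datetime(2021, 5, 16, 4, 26, 51, tzinfo=timezone.utc)),
        ("https://www.google.com/search?q=raines+property+management",
         "raines property management", datetime(2021, 5, 16, 4, 27, 30, tzinfo=timezone.utc)),
        ("https://www.google.com/search?q=how+to+mount+a+pen+drive+on+an+android",
         "how to mount a pen drive on an android", datetime(2021, 6, 2, 13, 5, 0, tzinfo=timezone.utc)),
    ]
    for uid, (url, term, dt) in enumerate(rows, start=1):
        t = datetime_to_webkit(dt)
        conn.execute("INSERT INTO urls VALUES (?, ?, ?, ?, ?)",
                     (uid, url, term + " - Google Search", 1, t))
        conn.execute("INSERT INTO visits (url, visit_time) VALUES (?, ?)", (uid, t))
        conn.execute("INSERT INTO keyword_search_terms VALUES (?, ?, ?, ?)",
                     (2, uid, term, term.lower()))
    return conn


def find_searches(conn, needle):
    """Search terms containing `needle`, each with the UTC time of the visit
    that carried it. Uses visits.visit_time rather than urls.last_visit_time
    so repeated searches are not collapsed to their latest occurrence."""
    sql = """
        SELECT v.visit_time, k.term, u.url
        FROM keyword_search_terms AS k
        JOIN urls   AS u ON u.id = k.url_id
        JOIN visits AS v ON v.url = u.id
        WHERE k.normalized_term LIKE ?
        ORDER BY v.visit_time
    """
    return [(webkit_to_datetime(vt).strftime("%Y-%m-%d %H:%M:%S"), term, url)
            for vt, term, url in conn.execute(sql, (f"%{needle.lower()}%",))]


if __name__ == "__main__":
    conn = build_sample_history()
    for when, term, url in find_searches(conn, "rent"):
        print(when, "|", term, "|", url)
```

The times come out in UTC; convert to the device's zone only if the question or report format asks for it, and say which zone you used.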
Question 38: Application Analysis (20 points)
As Heisenberg has a clear interest in Cryptocurrency, what is the Topic ID Hash for $ETH on his Android device?
Hint: The application of interest is Twitter.
There are several ways to reach this flag. One of the easiest is to search for '$ETH,' which brings you to Twitter's data. The "interest_topic" table in its database contains the answer.
Question 39: Device Identification (10 points)
What Gmail account is set up on the device?
You can use several approaches to this question, depending on how deep you want to dive into the data. You can view the extraction summary page within Physical Analyzer, or look under User Accounts & Details and see the answer.
Another approach is to look at the accounts database directly: /data/system_ce/0/accounts_ce.db
Question 40: Device Identification (20 points)
On Heisenberg’s Android device, where else can you find the IMSI number, other than in the Checkin.xml file?
- All of the Above
Hint: All of the above.
Flag: All of the above
This question's intent is to show the different locations where you can find the IMSI of the SIM card on the device.
You can approach this in various ways. Since you already know the IMSI from the Checkin.xml file, you can open each file listed as an option and see whether the IMSI appears there. You can also do a string search for the IMSI and see which files it appears in.
Looking specifically at mmssms.db (the telephony provider's SMS/MMS database) can be beneficial where SIM swapping is suspected and there is an investigative need to determine which SIM a message was sent from.
Question 48: Logging (100 points)
How many times did Heisenberg’s Android device power off due to the battery being fully depleted between May and August? The answer must be an integer (i.e 4).
Hopefully, you paid attention to the hints we provided throughout the CTF. Josh Hickman (@josh_hickman1) recently released a very comprehensive blog on detecting Android wipe events.
If you read it, you would have seen that there is a section on shutdown events. Based on that blog and the research behind it, you should have been brought to /data/system/users/services/data/eRR.P.
Looking at the file in its native format can be quite difficult, so you would likely need to export it.
Once you look in the log file, search for 'power.' It returns 10 results, all between May and August.
The player @Stark4n6 took a different approach and reviewed /data/log/batterystats. Searching for 'shutdown' there, he also found 10 hits. Another option was looking at 'power_off_reason.txt' and 'power_off_resets_reason_backup.txt.' Again, different ways to get to the right answer.
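Whichever log you use, the counting step is the same: restrict to the event type (a shutdown, not a reboot), to the reason (battery depletion, not a user-requested power-off), and to the date window before you count. The added example below, which is not from the original write-up or from any of the referenced blogs, shows that filter over a constructed, hypothetical log format; the real eRR.P, batterystats and power_off_reason.txt files each have their own layout, so the regex is the part you adapt after exporting the file and looking at a few lines.

```python
import re
from datetime import datetime

# Constructed, hypothetical log lines. The timestamp/event/reason layout is
# invented for the demonstration and is NOT the format of any real Android
# log; adjust LINE_RE to match the file you exported. Deliberately includes
# lines outside the May-August window, a reboot, and user-requested shutdowns.
SAMPLE_LOG = """\
2021-04-28 23:10:02 shutdown reason=low_battery
2021-05-03 22:14:07 shutdown reason=low_battery
2021-05-19 06:02:40 reboot reason=userrequested
2021-06-01 01:55:13 shutdown reason=low_battery
2021-06-14 17:30:00 shutdown reason=low_battery
2021-07-20 20:45:09 shutdown reason=userrequested
2021-08-30 09:12:44 shutdown reason=low_battery
2021-09-02 11:00:00 shutdown reason=low_battery
garbage line that should be ignored
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\w+) reason=(\w+)")


def count_power_events(log_text, start, end, event="shutdown", reason="low_battery"):
    """Count `event` lines with `reason` whose timestamp is in [start, end).
    start/end are YYYY-MM-DD strings; end is exclusive so "2021-09-01" means
    'through the end of August'. Returns (count, [timestamps])."""
    start_dt = datetime.strptime(start, "%Y-%m-%d")
    end_dt = datetime.strptime(end, "%Y-%m-%d")
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip, never count
        ts, ev, why = m.groups()
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if ev == event and why == reason and start_dt <= when < end_dt:
            hits.append(ts)
    return len(hits), hits


if __name__ == "__main__":
    n, when = count_power_events(SAMPLE_LOG, "2021-05-01", "2021-09-01")
    print(f"{n} battery-depletion shutdowns:")
    for ts in when:
        print("  ", ts)
```

A plain keyword search for 'power' or 'shutdown' counts every match, including reboots and deliberate power-offs; if the numbers from two logs disagree, diff the timestamps rather than the totals to see which events one source is missing.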
Question 49: Application Analysis (50 points)
Heisenberg was looking for cars. Which vehicle did he not search for?
- Honda CRV
- Toyota Avalon
- Lexus ES
- Ford Escape
- Leveraging the fuzzy model plugin in Physical Analyzer and the App Genie may help. (0 points cost)
- Think of an application that may provide details about the vehicle. The word “car” may be in the application name. (5 point cost)
Flag: Ford Escape
There could be various ways to look at this one. You could search the browsing history for every option, but we took a slightly different approach.
If you look at 'Installed Applications,' you can see that a CarFax application is installed on the phone, among many others. Look inside its database at /data/data/com.carfax.consumer/room-ucl.db, then at the 'searchedVehicles' table. The only option that is not there is Ford Escape.
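Both this question and Question 31 reduce to the same check: take the multiple-choice options, pull the relevant column out of an app database, and see which options have no match. The added example below (not from the original write-up, and not CarFax's or DuckDuckGo's own schema) does that against an in-memory SQLite database with constructed tables. The searchedVehicles column names (make, model, year) and the visits table are assumptions; the vehicle rows are chosen to reproduce the Ford Escape result, and the host names are placeholder .example domains rather than the CTF's actual options.

```python
import re
import sqlite3


def build_sample_db():
    """Constructed stand-in for two app databases. Column names are assumed;
    the real room-ucl.db and DuckDuckGo schemas must be read from the image."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE searchedVehicles "
                 "(id INTEGER PRIMARY KEY, make TEXT, model TEXT, year INTEGER)")
    conn.executemany(
        "INSERT INTO searchedVehicles (make, model, year) VALUES (?, ?, ?)",
        [("Honda", "CR-V", 2018), ("Toyota", "Avalon", 2019),
         ("Lexus", "ES 350", 2020), ("Toyota", "Camry", 2017)])
    conn.execute("CREATE TABLE visits (id INTEGER PRIMARY KEY, host TEXT)")
    conn.executemany("INSERT INTO visits (host) VALUES (?)",
                     [("beta.example",), ("news.example",)])
    return conn


def normalize(s):
    """Lower-case and drop punctuation/whitespace so 'Honda CRV' matches
    'Honda CR-V' and 'Lexus ES' matches 'Lexus ES 350'."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def check_options(conn, sql, options):
    """Run `sql` (must return one text column) and split `options` into those
    with a normalized substring match in the results and those without.
    Substring matching is deliberately loose; short options (e.g. a bare
    model code) can over-match, so eyeball the rows behind a 'present'."""
    rows = [normalize(r[0]) for r in conn.execute(sql) if r[0] is not None]
    present, absent = [], []
    for opt in options:
        key = normalize(opt)
        (present if any(key in row for row in rows) else absent).append(opt)
    return present, absent


def answer(present, absent):
    """Turn the split into the CTF-style answer for either question shape."""
    if not present:
        return "none of the above"
    if len(absent) == 1:
        return absent[0]          # 'which one did he NOT search for'
    return ", ".join(present)     # 'which of these were searched/visited'


if __name__ == "__main__":
    conn = build_sample_db()
    vehicles = ["Honda CRV", "Toyota Avalon", "Lexus ES", "Ford Escape"]
    p, a = check_options(conn, "SELECT make || ' ' || model FROM searchedVehicles", vehicles)
    print("searched:", p, "| not searched:", a, "->", answer(p, a))
    hosts = ["alpha.example", "gamma.example", "delta.example"]
    p, a = check_options(conn, "SELECT host FROM visits", hosts)
    print("visited:", p, "| not visited:", a, "->", answer(p, a))
```

Note the tyga-auto-repairs.co.za case from Question 31: a domain string appearing somewhere in the database is not the same as a visit row, which is why the query selects from the visits table specifically rather than free-text searching the file.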
So that's it for Mr. Heisenberg! We hope you enjoyed it and are ready for another round of CTF questions in the spring of 2022.
We also want to give credit to others who took the time to share their walk-throughs. It's important to read these blogs, as the author may have derived the answer from a different file or artifact, or by using another tool.
Thank you for taking the time to share your results and for your participation in the CTF.