We would like to thank everyone who participated in the Capture the Flag event. And special thanks to Ian Whiffin for helping solve the questions. There were many late evenings and lots of hard work by many people involved. Ronen Engler was the fearless leader of this effort, and on his behalf, I want to thank you for playing this game. This is Cellebrite’s way of giving back to the community and providing resources to keep learning!

We wanted to provide a walkthrough of how we arrived at the answers. At times in this blog we mention and reference write-ups by community members who documented their own paths to the answers, which are not always the way we got there. That is the beauty of forensics: the paths we take may differ, but the results are the same.

The backstory:

Beth Dutton was invited to the Vienna Inn in Vienna, VA on July 21st at 5:00 PM and was arrested while there. She was invited by someone called Heisenberg. Police arrested her for grand theft. Upon questioning, Beth revealed that her sister, Marsha Mellos, introduced her to Heisenberg, that he was responsible for stealing cars, and that she and her sister were innocent. They are in the cattle business in Montana and got mixed up with the wrong guy. Marsha has both a PC and an iPhone, Beth has an iPhone, and Heisenberg has an Android. The interest here is auto theft and resale. Cash transfers matter.

Marsha’s iOS Questions:

Question 44: Identification (10 points) – Criminals tend to keep their business private. The suspects used an App that hides data (photos/video/contacts) behind an ordinary calculator. Provide an iCloud address used to purchase this app.

Flag: marshamellos@icloud.com

Start by examining the installed applications, which will lead you to Secure Private Calculator. The app's iTunesMetadata.plist stores the Apple ID associated with the purchase. You could also have found this in the Device Info in Physical Analyzer.
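The same Apple ID lookup can be done without Physical Analyzer by parsing the app bundle's iTunesMetadata.plist directly. The script below is an added example, not Cellebrite's code or the CTF image; the plist key names it reads (`appleId` and `com.apple.iTunesStore.downloadInfo` → `accountInfo` → `AppleID`) are an assumption about the file's layout, and the embedded sample plist is constructed with placeholder values.

```python
import os
import plistlib

# Assumed layout of iTunesMetadata.plist (one per App Store app bundle): the
# purchasing Apple ID appears top-level under 'appleId' and/or under
# 'com.apple.iTunesStore.downloadInfo' -> 'accountInfo' -> 'AppleID'.
# Verify these key names against your own extraction.

# Constructed sample, not from the CTF image; all values are placeholders.
SAMPLE_PLIST = plistlib.dumps({
    "softwareVersionBundleId": "com.example.privatecalc",
    "itemName": "Secure Private Calculator",
    "appleId": "purchaser@example.com",
    "com.apple.iTunesStore.downloadInfo": {
        "accountInfo": {"AppleID": "purchaser@example.com", "DSPersonID": 123456789},
        "purchaseDate": "2021-03-01T10:00:00Z",
    },
}, fmt=plistlib.FMT_XML)


def parse_itunes_metadata(data: bytes) -> dict:
    """Return the app identity plus every Apple ID value found in the plist."""
    p = plistlib.loads(data)  # accepts XML and binary plists
    info = p.get("com.apple.iTunesStore.downloadInfo")
    info = info if isinstance(info, dict) else {}
    acct = info.get("accountInfo")
    acct = acct if isinstance(acct, dict) else {}
    # Collect IDs from both known locations; tolerate either one being absent.
    ids = {v for v in (p.get("appleId"), acct.get("AppleID")) if isinstance(v, str)}
    return {
        "bundle_id": p.get("softwareVersionBundleId"),
        "app_name": p.get("itemName"),
        "purchase_date": info.get("purchaseDate"),
        "apple_ids": sorted(ids),
    }


def scan_extraction(root: str) -> list:
    """Walk an extraction tree and parse every iTunesMetadata.plist it contains."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        if "iTunesMetadata.plist" in files:
            path = os.path.join(dirpath, "iTunesMetadata.plist")
            with open(path, "rb") as fh:
                rec = parse_itunes_metadata(fh.read())
            rec["path"] = path
            results.append(rec)
    return results


if __name__ == "__main__":
    print(parse_itunes_metadata(SAMPLE_PLIST))
```

Point `scan_extraction()` at the root of a full-file-system extraction to list the purchasing Apple ID for every installed App Store app, which makes it easy to spot a second account used only for a vault app.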

Question 48: Timestamps (20 points) – The suspect had pizza for lunch. What was the date and time of the order? (Format: MM-DD-YYYY HH:MM, e.g. 01-22-2019 19:46).

Hint: Find the Receipt 
Flag: 03-08-2021 12:11

Image Classification in Physical Analyzer is also helpful for this question. It is that or a manual inspection of the photos for a receipt. The file IMG_0489.HEIC contains the answer. 

Question 49: Stolen (20 points) – The investigators were looking for a specific Kia stolen by the gang. They were missing 3 digits of the license plate (left side). Find the first 3 digits they were missing.

Hint: use similar images to find the car with the full license number
Flag: 508

Image Classification in Physical Analyzer worked well for this question. Once you run the parser, you can examine all vehicles which will lead you to the Kia saved as IMG_1718.HEIC.

Question 50: Frequent Calls (20 points) – What is the most frequently interacted phone number over a call? (Format should be +[country_code][number] for example: +97243501234).

Flag: +15162879924

In Physical Analyzer, go to the Call Log in Analyzed Data and then filter on Parties. Here you can easily track the number of calls made to see the most frequent.

Question 45: Name (10 points) – What is the device vendor’s internal model name?

Flag: D22AP

The Device Info in PA Ultra contains what you need. Sometimes the summary makes it simple. 

Question 46: Session Time (10 points) – Which 3rd party app had the longest active session? Provide app identifier such as: com.ubercab.UberClient.

Flag: com.google.photos

In Physical Analyzer, go to Aggregated Application Usage in Analyzed Data. Next, order by Active Time and ignore non-apps. The answer is highlighted in yellow below.

Question 47: Hash (10 points) – What is the MD5 hash value for the file classified as Type: Images with a file size of 68147 bytes?

Flag: d9777bb03efb817bb6eaeec026a5b0c2

Go to Images in Physical Analyzer and filter by bytes. Once you find 68147 bytes you will find one result, which is the correct hash value.

We also want to give credit to others who took the time to share their walk-throughs. It is important to read these blogs, as the author may have derived the answer from a different file or artifact, or by using another tool.

Thank you for taking the time to share your results!

Read and follow the other walk-throughs at the following links:

https://www.stark4n6.com/2022/06/cellebrite-ctf-2022-marshas-iphone.html

Cellebrite CTF May 2022 Writeup, by Williams Kosasi (Medium, June 2022)

https://www.dfirblog.com/cellebrite-2022-ctf-writeup/
