Part 3: Walk-Through of Answers to the 2021 CTF – Marsha’s iPhone (FFS and Backup)
This is the third walk-through explaining how we arrived at the answers to the recent Capture the Flag event.
Keep in mind that in this article we reference blogs written by various DFIR community members who wrote about the CTF and proposed alternative paths to the answers which we arrived at. This is great and demonstrates the versatility and effectiveness of digital forensics skillsets to achieve the same results.
Read the backstory and previous walk-throughs here:
- Part 1: Walk-Through of Answers to the 2021 CTF – Investigating Heisenberg’s Android Device
- Part 2: Walk-Through of Answers to the 2021 CTF – Marsha’s PC
Let’s dive into questions concerning Marsha’s iPhone data.
Marsha iPhone – Backup and FFS
Hopefully, you caught Marsha’s iTunes Backup reference. The data collection provided was a Full File System extraction. You could find the Backup on Marsha’s PC image.
To obtain the iOS Backup, you need to export it from the PC image and parse it separately or leave it in Cellebrite Inspector and have it parsed within the program.
Honestly, you could have answered some of the questions based on the Full File System, but we were trying to entice you to look for the Backup of the phone.
The backup was stored on the PC under: C:\Users\marsh\Apple\MobileSync\Backup\efa747380975b4d412f13c149ffae7d09614393c\
Question 2: Marsha’s iTunes Backup General Identifiers (10 points)
What phone numbers were used by Marsha on the iPhone X?
(Make sure to enter the + and country code and use the delimiter “and” in between the answers, i.e., +17032226666 and +13012224444)
Hint: Examine the extraction summary in Cellebrite Physical Analyzer
Flag: +19735203731 and +12068996918, or +12068996918 and +19735203731
This question was straightforward as the information is listed on the extraction summary page within Physical Analyzer. If you were reviewing this manually, you could examine the CellularUsage.db file for the information.
Please note this answer must be from the iTunes Backup and not from the Full Filesystem extraction.
Question 3: Marsha’s iTunes Backup for Health and Exercise (20 points)
How many steps did Marsha take on December 22nd, 2020? (Enter the answer as an integer – i.e. 15).
- Even though health data may not be present in the backup, traces have been left behind. (0 points cost)
- Time zones and offsets matter.
Flag: 6410 or 9683
Here, you would think going after the health data is what you’re looking for, but if you sift through the extraction you would notice that there was a screenshot taken of the health summary page.
The file you were looking for was IMG_0117.PNG which has a creation time of 12/23/2020 05:07:33 (UTC + 0) but locally it would be 9:07 PM on 12/22/2020. The joys of time zones. This was a bit of a curveball but made you work for it.
We added another acceptable answer during the CTF as some stumbled upon this screenshot, which was also acceptable.
Question 4: Marsha’s iTunes Backup Application Analysis (20 points)
On March 3rd, 2021, at 7:38 AM local time, Marsha received a notification. What is the first word listed for that notification?
- Twitter was the application that sent the notification. (0 points)
- Consider the screenshots of notifications. (5 points cost)
Like the previous question, the answer will be in the screenshots. This question comes with a bit of a twist: we make you do some math. If you got the last question, you were already looking at the notifications, so hopefully it led you down the right path.
The screenshot you were looking for was IMG_0467.PNG. The created date on the screenshot is 3/3/2021 4:22:22 PM (UTC + 0), which is 3/3/2021 8:22 AM local time. The Twitter notification in the screenshot is marked 44 minutes ago, and 44 minutes before 8:22 is 7:38 AM, the local time we are looking for.
Question 4: Marsha’s iTunes Backup Settings and Notifications (20 points)
What sound was detected on January 2nd, 2021, at 9:18 PM local time?
- Research ‘sound recognition’ and where notifications may be stored. (0 points)
- Screenshots are helpful. (5 points cost)
Flag: baby crying
Going with the same theme you would have seen the screenshots of the notifications of the sound recognition. The picture you were looking for was IMG_0138.png.
The file was created 1/5/2021 at 11:06:50 (UTC+0) which is Tuesday, so the previous Saturday is January 1st, 2021.
You could have also looked at: /private/var/mobile/Library/Preferences/com.apple.HearingAids.plist file for the information.
Question: Marsha’s iTunes Backup Location Artifacts (10 points)
When was Marsha in Washington County, Oregon? State the answer YYYY-MM-DD
Hints: Application insights might be helpful here.
Flags: 2020-12-26 or 2020-12-07
Since we are asking about times around a location event, it should have pointed you towards decoded location data.
Within Physical Analyzer under the location artifacts and under the application Waze, you can see a navigation entry to address, SW Lundgren Ter, 3265, Beaverton, OR, United States.
A member of the community also found that there is metadata on a picture that shows that Marsha was at Starbucks in Tigard, Oregon which is in fact part of Washington County. Marsha does like her Starbucks and based on the metadata of the file, it showed the visit being December 7th, 2020. The picture was IMG_0072.HEIC.
We had to make some changes on the fly, but both ended up being acceptable answers.
Question 30: Marsha’s iPhone – Device Identification – FFS (100 points)
What was the MAC address of an action camera used by Marsha?
To start with, this is a 100-point question, so clearly, the easily found GoPro was not the correct answer. Where we wanted you to go was to the sysdiagnose logs. For those not aware, these logs can hold tons of information about the device and bugs, but all of it is volatile.
To add to the difficulty, these logs are also packed as .tar and then gzip-compressed. The file of interest is AnalyticsStoreDump_2021-03-18-144431501.txt.gz, which is within the WiFi subfolder under sysdiagnose_2021.03.18_14-44-04-0700_iPhone-OS_iPhone_18D61.tar.gz. The camera was a One R C99VBH.
Under Bluetooth in Physical Analyzer, for the file: Marsha’s iPhone/containers/Shared/SystemGroup/systemgroup.com.apple.bluetooth/Library/Database/com.apple.MobileBluetooth.ledevices.other.db, you can see a MAC which is 10:2C:6B:30:DF:5D but is not the correct one.
It is a clue, as many vendors create MAC addresses that are off by a digit or a byte, I assume just to make it easier for their records.
If you search for the first 3 bytes (10:2C:6B) it would be a vendor address which would probably help you find the other one. However, as it is encapsulated within a zip file within another zip file it is much harder to find. We wanted you to learn how to find files that are easily missed.
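One way to surface hits buried in nested archives like this is to unpack every gzip and tar layer in memory and scan each inner file for MAC addresses carrying the vendor prefix. The sketch below is an added example, not part of the original walk-through or any Cellebrite tooling; the function names, the sample archive and the MAC inside it are constructed for illustration, and only the 10:2C:6B prefix comes from the text above.

```python
import gzip
import io
import re
import tarfile
import zlib

MAC_RE = re.compile(rb"(?<![0-9A-Fa-f:])(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}(?![0-9A-Fa-f:])")


def find_macs(data, oui, path, depth=0, max_depth=5):
    """Return sorted (inner path, MAC) pairs whose MAC starts with `oui`,
    unpacking any gzip and tar layers found inside `data` on the way down."""
    if depth > max_depth:  # stop on suspiciously deep nesting
        return []
    if data[:2] == b"\x1f\x8b":  # gzip magic bytes
        try:
            return find_macs(gzip.decompress(data), oui, path, depth + 1, max_depth)
        except (OSError, EOFError, zlib.error):
            pass  # damaged or not really gzip: scan the raw bytes instead
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tar:
            hits = []
            for member in tar:
                if member.isfile():
                    inner = tar.extractfile(member).read()
                    hits += find_macs(inner, oui, f"{path}/{member.name}", depth + 1, max_depth)
            return sorted(hits)
    except tarfile.TarError:
        pass  # not a tar archive: treat as a plain file
    found = {m.upper().decode() for m in MAC_RE.findall(data)}
    return sorted((path, mac) for mac in found if mac.startswith(oui.upper()))


def build_sample():
    """Constructed stand-in for a sysdiagnose .tar.gz; every value is made up."""
    log = (b"peer 10:2C:6B:00:00:01 ssid=ExampleCam\n"  # constructed MAC, OUI from the text
           b"peer AA:BB:CC:00:00:02 ssid=other\n")
    blob = gzip.compress(log)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("sysdiagnose/WiFi/AnalyticsStoreDump.txt.gz")
        info.size = len(blob)
        tar.addfile(info, io.BytesIO(blob))
    return buf.getvalue()


if __name__ == "__main__":
    for where, mac in find_macs(build_sample(), "10:2C:6B", "sample.tar.gz"):
        print(where, mac)
```

On a real extraction, read the exported sysdiagnose archive as bytes and pass it in with its file name as `path`; each hit reports the full chain of containers it was found in.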
Question 34: Marsha’s iPhone (20 points)
A new reminder was set with pictures attached, in what city was Marsha in when the reminder was set?
Hints: Start with the metadata date in the photo files and see if any get you to the right location. (0 points)
Flag: Renton or Baltimore
With the free hint, it should bring you to look at location data. Since we are talking about media, it should narrow it down quite a bit. Another option is to go straight to reminders. Depending on which path you take, the answer may differ. For the Baltimore answer, a reminder is flagged by Physical Analyzer and includes photo attachments.
If you started your examination in the Location artifacts, this may have been the logical answer you came upon. If you view the timeline for that event, you will find location artifacts for Baltimore immediately before and after the reminder was set.
To get the Renton answer, the reminders may show another story.
From this reminder item, you are able to find IMG_0579 which was taken at 9:08 PM (UTC) on March 27th at Downtown Bellevue. We realize this question isn’t about where the photo was taken but where the device was when a reminder was set. Let’s keep digging.
In reminders, you will come across a record in Data-181DF1E0-D1B6-4BFD-954B-CE67901178AB.sqlite.
This hit shows a CreationDate of April 4th, 2021, at 20:07 (UTC), which is 13:07 local time.
When you look for device locations on April 4th, you will find two results for Washington. One location is from FourSquare and should be ignored as we have not validated the reliability of that location. There is a photo (IMG_0607.HEIC) that was taken approximately 1 hour after the reminder was created.
From the EXIF of the photo, file system timestamps, and the Photos.sqlite database, it can be determined that the photo was taken with an iPhone X, which is consistent with Marsha’s device.
The EXIF shows that:
- Original File Name is the same as the current name. (IMG_0607.HEIC).
- Creator and Editor Bundle IDs are blank.
- Time Zone of the photo is GMT-0700 as is the phone.
- EXIF in the photo shows the Renton Airport.
This all points to a strong suggestion that the photo was taken using this device.
While the reminder was indeed set in Baltimore, the evidence here strongly suggests Renton, which is why we decided to accept the answer. Essentially, these results show two locations, 50 mins apart and according to Google, a 35 min. drive. Location artifacts are difficult and must be validated.
Question 35: Native Applications – Marsha’s iPhone or Backup (20 points)
A text shortcut/replacement was set on Marsha’s device. What was the shortcut for the full phrase? (The answer must only be the shortcut)
This one requires some deeper knowledge. This file was present in the backup and in the FFS extraction, and it’s the same file.
You were looking for the following:
- FFS – Universal_iOS_Generic.zip/root/private/var/mobile/Library/Keyboard/TextReplacements.cache
- Backup Marsha’s iPhone/mobile/Library/Keyboard/TextReplacements.cache
‘On my way’ is replaced with ‘omw’. This is one set by Apple as a default, so it may have been easier to find.
Question 36: Marsha’s iPhone – Settings and Notifications – FFS (20 points)
How many keyboards were set on Marsha’s device?
Like the previous question, you needed to have some deeper knowledge of iOS devices, but if you knew how to find the data, it was fairly quick to get to it.
Your answer lies within: \private\var\mobile\Library\Keyboard\UserWords.ctrl. There are three keyboards installed: English (US), emoji, and Hebrew (Israeli).
Question 55: Native Applications – FFS – Marsha’s iPhone (20 points)
On Marsha’s iPhone, what is the Ascii representation of the keyboard language that has no emoji or from the United States?
Hint: When you find the file of interest, the answer is in the AsciiString (0 points deducted)
Depending on the order in which you answered the questions, this could have been very easy for you. We were looking for the same file as in the previous question, UserWords.ctrl, and the correct answer was “he_IL”.
Question 56: Location Artifacts – Marsha’s iPhone (20 points)
Marsha ordered a beer on vacation. “Aloha! How much is a Blonde?” (no $ sign needed)
- Look for vacation spots. (0 points)
- Eat like a king! (5 points deducted)
Since we mentioned ‘vacationing’ in the question, we were trying to point you down the road of vacation spots. Marsha did travel a lot but did spend some time in Hawaii. There are about ~60 images taken while in Hawaii and 4 of them were taken while on King Street at a restaurant.
There is a photo of the drink menu (IMG_1814.HEIC). Aloha Blonde is one of the beers, and its price is 6.50, which is your answer.
It was interesting to see some people follow the QR codes to different restaurant menus. Bikini Blonde’s wasn’t the one we were after. Close and great thinking outside of the box though.
Question 60: Device Connections – Marsha’s iPhone (20 points)
Marsha connected her iPhone to one car make more than any other. Once you have determined which make, you can answer the name of the CarPlay system in use.
Hint: Heather Mahalik & Sarah Edwards did a presentation at the DFIR Summit a few years ago on Carplay. https://www.youtube.com/watch?v=IGhXsfZXL6g (0 points deducted)
Based on the hint provided, hopefully it led you to the relevant file at: Universal_iOS Generic.Zip/root/private/var/mobile/Library/Preferences/com.apple.carplay.plist.
Question 61: Application Analysis – Marsha’s iPhone (20 points)
What was the **title** of the most recent podcast playing while connected to a vehicle?
Hint: Knowledge is Power. Think about it. Sarah Edwards has a great blog on this that won a Forensic 4Cast Award. (5 points deducted).
Databases track a lot on iOS. Find the database of interest and filter. (0 points)
Flag: Commercial Pilot Systems
‘Now playing’ is part of the KnowledgeC database, amongst many other great artifacts. If you look at the ZSTRUCTUREDMETADATA table and filter based on ‘Podcast,’ and the time, it will bring you to Commercial Pilot Systems.
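The filter described above can also be run as a query when reviewing the database by hand. The following is an added example, not from the original walk-through: it assumes the stream names /media/nowPlaying and /carplay/isConnected, the ZOBJECT columns shown and Z_DKNOWPLAYINGMETADATAKEY__TITLE as described in public KnowledgeC research, filters on the bundle ID as a stand-in for the ‘Podcast’ filter, and runs against a constructed miniature database, so verify every name against the real knowledgeC.db.

```python
import sqlite3

MAC_EPOCH = 978307200  # seconds from 1970-01-01 to 2001-01-01 (Core Data epoch)

# Now-playing podcast entries that started inside a CarPlay-connected interval,
# newest first. Table, column and stream names are assumptions (see lead-in).
QUERY = """
SELECT datetime(np.ZSTARTDATE + ?, 'unixepoch') AS start_utc,
       np.ZVALUESTRING AS bundle_id,
       md.Z_DKNOWPLAYINGMETADATAKEY__TITLE AS title
FROM ZOBJECT AS np
JOIN ZSTRUCTUREDMETADATA AS md ON np.ZSTRUCTUREDMETADATA = md.Z_PK
JOIN ZOBJECT AS car ON car.ZSTREAMNAME = '/carplay/isConnected'
     AND car.ZVALUEINTEGER = 1
     AND np.ZSTARTDATE BETWEEN car.ZSTARTDATE AND car.ZENDDATE
WHERE np.ZSTREAMNAME = '/media/nowPlaying'
  AND np.ZVALUESTRING LIKE '%podcast%'
ORDER BY np.ZSTARTDATE DESC
"""


def podcasts_in_car(conn):
    """Return (start_utc, bundle_id, title) rows, most recent first."""
    return conn.execute(QUERY, (MAC_EPOCH,)).fetchall()


def build_sample():
    """Constructed miniature of the two tables; every row is made up."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE ZSTRUCTUREDMETADATA (Z_PK INTEGER PRIMARY KEY,
            Z_DKNOWPLAYINGMETADATAKEY__TITLE TEXT);
        CREATE TABLE ZOBJECT (Z_PK INTEGER PRIMARY KEY, ZSTREAMNAME TEXT,
            ZVALUESTRING TEXT, ZVALUEINTEGER INTEGER, ZSTARTDATE REAL,
            ZENDDATE REAL, ZSTRUCTUREDMETADATA INTEGER);
    """)
    conn.executemany("INSERT INTO ZSTRUCTUREDMETADATA VALUES (?, ?)", [
        (1, "Constructed Episode A"), (2, "Constructed Episode B"),
        (3, "Constructed Episode C"), (4, "Constructed Song")])
    conn.executemany("INSERT INTO ZOBJECT VALUES (NULL, ?, ?, ?, ?, ?, ?)", [
        ("/carplay/isConnected", None, 1, 636000000, 636003600, None),
        ("/media/nowPlaying", "com.apple.podcasts", None, 636000600, 636000900, 1),
        ("/media/nowPlaying", "com.apple.podcasts", None, 636001800, 636002100, 2),
        ("/media/nowPlaying", "com.apple.podcasts", None, 636010000, 636010300, 3),
        ("/media/nowPlaying", "com.apple.Music", None, 636002400, 636002500, 4)])
    return conn


if __name__ == "__main__":
    for row in podcasts_in_car(build_sample()):
        print(row)
```

The timestamps come back in UTC, so apply the device's offset before comparing them with local times quoted in a question.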
Marsha was a bit cruel, especially with the camera, but keeping an eye on social media and the Discord chat could prove to be helpful.
At this point, we also want to give credit to others who took the time to share their walk-throughs. It’s important to read these blogs as the author may have derived the answer via a different file, artifact, or tool.
Thank you for taking the time to share your results.
- YouTube video: Cellebrite CTF 2021 Writeup – trying2learn