We would like to thank everyone who participated in the Capture the Flag event. And special thanks to Ian Whiffin for helping solve the questions. There were many late evenings and lots of hard work by many people involved. Ronen Engler was the fearless leader of this effort, and on his behalf, I want to thank you for playing this game. This is Cellebrite’s way of giving back to the community and providing resources to keep learning!

We wanted to provide a walkthrough of how we arrived at the answers. At times in this post we mention and reference write-ups by community members who documented their own paths to the answers. Those paths are not always the ones we took, which is the beauty of forensics: the routes may differ, but the results are the same.

The backstory:

Beth Dutton was invited to the Vienna Inn in Vienna, VA on July 21st at 5:00 PM and was arrested while there. She was invited by someone called Heisenberg. Police arrested her for grand theft. Upon questioning, Beth revealed that her sister, Marsha Mellos, had introduced her to Heisenberg, that he was the one responsible for stealing cars, and that she and her sister were innocent. They are in the cattle business in Montana and got mixed up with the wrong guy. Marsha has both a PC and an iPhone, Beth has an iPhone, and Heisenberg has an Android. The interest here is auto theft and selling. Cash transfers matter.

Beth’s iOS Questions:

Question 30: Fox (10 points) – An analyst generated a list of the codes used by the gang members. f0x is one of the code names. Do you think you know what f0x is? Provide the name that appears on one of f0x related images.

Flag: Werner

A logical keyword search for “f0x” reveals several messages, two of which are images. Look closely at the images to reveal the answer.

Question 31: Scenic (10 points) – Beth wanted to meet her partner in an isolated place in the mountains to close a deal. Which email address did she send to?

Flag: livingstonhank11@gmail.com

A logical keyword search for “mountain” reveals a hit that contains the correct email address.

Question 32: Location (10 points) – Where was Beth on June 29th, 2021, when she made a call to Marsha? (Provide only the city in your answer)

Flag: New York City or New York or NYC

In Physical Analyzer, start with examining the call logs. You can filter if you feel this is needed to narrow your search. As shown in step 3 below, you can hop right to the timeline if you prefer.

Once you find the time of the call log, switch to locations and determine where the user was when the call took place. Timelining in the Locations view is helpful here.

Question 33: Transactions (10 points) – Two of the suspects use the same app to facilitate money transfers without handling fees. Who are they? Provide first names separated by a comma: [AAA],[BBB]

Flag: Beth, Marsha, or Marsha, Beth

If you take the hint, you will learn that the application used was Passbook/Wallet, which is a native iOS app.

The process of elimination helps here. Heisenberg is an Android user, so the answer must be Beth and Marsha.

Question 34: Version (10 points) – What is the version of the extraction container format in the provided evidence file?

Flag: CLBX-0.3.1 or CLBX 0.3.1 or CLBX0.3.1 or 0.3.1

The answer is not provided by parsing with a tool. You simply must examine the zip file provided with the image to reveal the version.

Question 40: Attributes (20 points) – Inode number 63433 belongs to a directory with an extended attribute com.apple.ubd.prsid. What is the decoded value associated with this extended attribute?

Hint: You might need to utilize other methods. Familiar with the hex view?

Flag: 17551872901.CloudDocs

A logical search for “com.apple.ubd.prsid” shows the directory information but not the system information.

To see it, you must look inside the files themselves. The file metadata.msgpack contains the answer when viewed in Hex. It can also be found by conducting a Hex search for “com.apple.ubd.prsid”.

A good reference is https://github.com/cellebrite-srl/clbx

metadata1/metadata.msgpack

private/var/mobile/Library/Mobile Documents
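As an added example (not part of the original write-up and not the CLBX project's own code), a minimal decoder for the msgpack subset needed to walk a metadata map and pull out one extended attribute by inode. The constructed sample's layout (inode number as the key, an "xattrs" map beneath it) is an assumption, not the real metadata.msgpack schema, so adapt the lookup once you have inspected the real structure in the hex view.

```python
import struct

def decode(buf, pos=0):
    """Decode one msgpack value at buf[pos] and return (value, next_pos).
    Only the subset the sample needs is covered: maps, str, bin, ints, nil."""
    b = buf[pos]
    pos += 1
    if b <= 0x7f:                       # positive fixint
        return b, pos
    if 0x80 <= b <= 0x8f:               # fixmap: low nibble is the entry count
        return decode_map(buf, pos, b & 0x0f)
    if 0xa0 <= b <= 0xbf:               # fixstr: low 5 bits are the byte length
        n = b & 0x1f
        return buf[pos:pos + n].decode("utf-8"), pos + n
    if b == 0xc0:                       # nil
        return None, pos
    if b == 0xc4:                       # bin8: one length byte, then raw bytes
        n = buf[pos]
        return bytes(buf[pos + 1:pos + 1 + n]), pos + 1 + n
    if b == 0xcd:                       # uint16, big-endian
        return struct.unpack_from(">H", buf, pos)[0], pos + 2
    if b == 0xce:                       # uint32, big-endian
        return struct.unpack_from(">I", buf, pos)[0], pos + 4
    if b == 0xd9:                       # str8: one length byte, then UTF-8
        n = buf[pos]
        return buf[pos + 1:pos + 1 + n].decode("utf-8"), pos + 1 + n
    raise ValueError(f"unsupported msgpack type 0x{b:02x} at offset {pos - 1}")

def decode_map(buf, pos, count):
    out = {}
    for _ in range(count):
        key, pos = decode(buf, pos)
        value, pos = decode(buf, pos)
        out[key] = value
    return out, pos

# Constructed sample, not a real CLBX metadata.msgpack: the layout (inode number
# as the key, an "xattrs" map beneath it) is an assumption made for this example.
SAMPLE = (b"\x81\xcd" + struct.pack(">H", 63433)      # {63433: ...}
          + b"\x81\xa6xattrs"                          #   {"xattrs": ...}
          + b"\x81\xb3com.apple.ubd.prsid"             #     {"com.apple.ubd.prsid": ...}
          + b"\xc4\x15" + b"17551872901.CloudDocs")    #       bin8, 21 bytes

def xattr_value(blob, inode, name):
    """Return the decoded extended attribute `name` of `inode`, or None."""
    tree, _ = decode(blob)
    raw = tree.get(inode, {}).get("xattrs", {}).get(name)
    return raw.decode("ascii") if isinstance(raw, bytes) else raw
```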

Question 41: Locations (20 points) – What is the city found in the installed “Weather Underground: Local Map” mobile application?

Flag: Key Largo or keylargo

A search for “weather” will lead you on the right path. You should find a realm database for WeatherUnderground. One method I like to use is to go to Databases in the Analyzed Data model and conduct a search within the results window. Below, I searched for “weather”.

As you search through the data column, you will find that viewing the values inline can be cumbersome, and exporting the data may help.

Another option was to use a tool like MongoDB Realm Studio to view the database, which leads to the correct city. The database is located at /private/var/mobile/Containers/Data/Application/048964E3-AF70-421E-B515-D2AE25C63CD3/Documents/v6db.realm.

https://github.com/realm/realm-studio
Class: LocationModel
Key: City

Question 42: Identification (20 points) – What is the Exclusive Chip Identification (ECID) of the mobile device?

Hint: We accept either Hex or Decimal. You might need to dig for it.

Flag: 000469E20847002E or 1242319429238830

The log file of the acquisition contains this answer. Simply open with Notepad to examine.

Question 43: Browser (20 points) – What was the search query in the open tab of the DuckDuckGo Privacy Browser?

Hint: some SANS poster might come in handy

Flag: daphne+bridgerton+actress or daphne bridgerton actress

Examining the plist associated with this app provides the answer.
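As an added example (not code from the original post or from the DuckDuckGo app), a short Python script that walks a plist, finds DuckDuckGo search URLs anywhere in it, and decodes the q parameter. The sample plist and its key names (tabs, url) are constructed, since the app's real saved-state layout is not shown here; the script shows why both forms of the flag are accepted, because the URL carries the query as daphne+bridgerton+actress and decoding the plus signs yields the spaced form.

```python
import plistlib
from urllib.parse import urlparse, unquote_plus

# Constructed sample plist, not the DuckDuckGo app's real saved-tabs file; the
# key names ("tabs", "url") are assumptions, so the code walks the whole tree.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>tabs</key>
  <array>
    <dict>
      <key>url</key>
      <string>https://duckduckgo.com/?q=daphne+bridgerton+actress&amp;t=ddg_ios</string>
    </dict>
    <dict>
      <key>url</key>
      <string>https://example.com/not-a-search</string>
    </dict>
  </array>
</dict>
</plist>
"""

def iter_strings(node):
    """Yield every string value anywhere in a parsed plist, however nested."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from iter_strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from iter_strings(value)

def duckduckgo_queries(plist_bytes):
    """Return each DuckDuckGo search URL with its raw and decoded q parameter."""
    data = plistlib.loads(plist_bytes)  # auto-detects XML and binary plists
    found = []
    for text in iter_strings(data):
        if not text.startswith(("http://", "https://")):
            continue
        parsed = urlparse(text)
        if not parsed.netloc.endswith("duckduckgo.com"):
            continue
        # In a query string '+' encodes a space, so report both the raw and decoded form
        raw = next((p[2:] for p in parsed.query.split("&") if p.startswith("q=")), None)
        if raw is not None:
            found.append({"url": text, "raw_query": raw, "query": unquote_plus(raw)})
    return found
```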

Question 35: Events (10 points) – What is the only “event” that happened on February 17, 2015?

Flag: Solid Purple image or Solid_purple.jpg or image or Solid Purple

Timelining in Physical Analyzer for February 17, 2015, shows a simple purple image referencing “Memories.”

Question 36: Location (10 points) – Who was Beth supposed to meet at the Vienna Inn?

Flag: Heisenberg White or Heisenberg or White

Searching chats for “Vienna” provides an Instagram message with Heisenberg White arranging to meet at the Vienna Inn.

Question 37: Movement (10 points) – What was Beth’s furthest walking distance?

Hint: Look at Physical Activities

Flag: 2482.28

Health is one of my obsessions. I was happy to see this question here. To start, go to Health Data in Physical Analyzer and sort by Distance Travelled. The answer is right there!

Question 38: Device Identifiers (10 points) – What is the IMEI number of the device?

Flag: 359405082912450

The extraction summary in Physical Analyzer provides the answer.

Question 39: Identifiers (10 points) – What is the Apple ID associated with the device?

Flag: tornadobeth@gmail.com

The extraction summary in Physical Analyzer provides the answer.

We also want to give credit to others who took the time to share their walk-throughs. It’s important to read these blogs as the author may have derived the answer via a different file, artifacts, or using another tool. Thank you for taking the time to share your results!

Read and follow the other walk-throughs at the following links:

https://www.stark4n6.com/2022/06/cellebrite-ctf-2022-beths-iphone.html

Cellebrite CTF May 2022 Writeup. Here, I will share all my correct… | by Williams Kosasi | Jun, 2022 | Medium

https://www.dfirblog.com/cellebrite-2022-ctf-writeup/
