Part 4: Walk-Through of Answers to the 2021 CTF – Beth’s iPhone
We would like to say thank you to everyone who participated in the Capture the Flag. There were many late evenings and lots of hard work by many people involved. This is Cellebrite’s way of giving back to the community and providing resources to keep learning!
Read the backstory and previous walk-throughs here:
- Part 1: Walk-Through of Answers to the 2021 CTF – Investigating Heisenberg’s Android Device
- Part 2: Walk-Through of Answers to the 2021 CTF – Marsha’s PC
- Part 3: Walk-Through of Answers to the 2021 CTF – Marsha’s iPhone (FFS and Backup)
Question 9: Device Connections – Beth’s Phone (50 points)
When did Beth connect her device to Marsha’s laptop? Show answer in the following format YYYY-MM-DD HH:MM:SS
Flag: 2021-04-06 22:32:21
This one is a multiple-step question. Unlike the question on Marsha’s computer, where we were looking at trust relationships, this one is a straight connection.
First, you will need to know what you are looking for, so we’ll go to the extraction summary, and note down the Unique ID of the phone.
Once you have this, we need to go over to Marsha’s PC extraction. Here in Digital Inspector, you can easily look up Device Connections and find the Unique ID of the phone and the time it was connected.
You can do this manually by going through the registry and looking at the mounted devices, or through the setupapi.dev.log file. In Inspector, we show this under Device Connections in Actionable Intel.
Question 10: Location Artifacts – Beth’s Phone (20 points)
Where was Beth on June 17th, 2021 when she was “with friends”?
- Think about ways that users announce their location to the world. (0 points)
- Keyword searching will help. Consider “in content” search. (5 points deducted)
Flag: Amani’s BYOB Downingtown
The easiest way to get to this one was to search for ‘with friend’. This will bring you to a Facebook ‘Check in’ where Beth checked in at “Amani’s BYOB Downingtown.”
An interesting note here is that depending on the keyboard you are using, the curly apostrophe character ’ is not the same as the straight apostrophe ' across various languages. We made some manual modifications on the fly. No apostrophes for the next CTF.
Question 12: Device Connections – Beth’s Phone (10 points)
What is the name of the vehicle Beth’s phone connected to on April 6th 2021?
This question should bring you to the Bluetooth Devices and connections. Manual review would bring you to com.apple.mobilebluetooth.devices.plist.
Question 13: Health and Exercise – Beth’s Phone (20 points)
How many meters did Beth travel on February 28th, 2021 in her local time?
Hopefully, this one made you think of activity and movement. Beth’s true colors are starting to come out. This one is a bit of a tricky question. The best way to approach this is to look at Beth’s health data and filter down to February 28th, 2021.
Keep in mind that the timestamps need to be adjusted to local time. You can then add up all the Distance Travelled entries for the day, which will give you the answer. Rather than manually adding them all, you could also export the entries to Excel and use a simple =SUM formula to calculate it for you.
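The local-time adjustment is the part that catches people, so here is an added example (not from the original walkthrough or from Cellebrite’s tooling) that sums constructed Distance Travelled entries for a local calendar day. It assumes the entries are stored with UTC timestamps and that the device was in US Eastern time (UTC-5 in late February, before DST); both are assumptions, not facts from the extraction.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample entries (UTC timestamp, metres). Not rows from Beth's Health data.
SAMPLE_ENTRIES = [
    ("2021-02-28 04:30:00", 812.4),   # 23:30 on Feb 27 in Eastern time -> not Feb 28 locally
    ("2021-02-28 13:05:00", 1450.0),  # Feb 28 locally
    ("2021-02-28 22:40:00", 320.6),   # Feb 28 locally
    ("2021-03-01 03:15:00", 95.0),    # 22:15 on Feb 28 in Eastern time -> counts as Feb 28
    ("2021-03-01 06:00:00", 500.0),   # Mar 1 locally
]

# Assumed device zone: US Eastern Standard Time (UTC-5), valid before DST began on 2021-03-14.
LOCAL_TZ = timezone(timedelta(hours=-5))


def distance_on_local_day(entries, day, tz=LOCAL_TZ):
    """Sum metres for entries whose *local* date equals `day` ("YYYY-MM-DD")."""
    total = 0.0
    for ts, metres in entries:
        utc_dt = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        if utc_dt.astimezone(tz).strftime("%Y-%m-%d") == day:
            total += metres
    return round(total, 1)


def distance_on_utc_day(entries, day):
    """Same sum with no local-time adjustment, to show how far off the naive answer is."""
    return round(sum(m for ts, m in entries if ts.startswith(day)), 1)


if __name__ == "__main__":
    print("local-day total:", distance_on_local_day(SAMPLE_ENTRIES, "2021-02-28"))
    print("utc-day total:  ", distance_on_utc_day(SAMPLE_ENTRIES, "2021-02-28"))
```

The two totals differ because two entries straddle midnight in one zone but not the other; filtering on the raw UTC date silently includes or excludes them.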
Question 14: Communication and File Sharing – Beth’s Phone (10 points)
For the picture IMG_0488.heic, which database identifies the person who shared the photo?
Sharing of pictures can occur in various ways. Since we know the image we are looking for, and we know it was shared, starting off in the Chats, and searching for the image, we can see that it came from Marsha. There are two source files listed, and one was your answer.
Question 15: Communication and File Sharing – Beth’s Phone (20 points)
Where was Beth on June 29th, 2021 when she made a call to Marsha (only provide the city in your answer)?
- Locate the phone number(s) for Marsha and then filter on the call logs for the date in question (0 points)
- Timelines help. Filter on the date in question, find the call and look for a location artifact that makes sense. (5 points deducted)
Flag: New York
This one could be easy if you let the tools help you. First, you need to find the numbers for Marsha that were used. You can then filter the call logs based on those numbers for that date. Next, go to location data to see if there are any corresponding location points at that time. That would bring you to the answer.
Now, what if there was a way to look at all the related data together in a single view? How about the timeline? It holds quite a bit of data. You can pick your time frame, then the artifacts you are looking for, and there is your answer.
Question 17: Application Analysis – Beth’s Phone (20 points)
What permissions did Beth grant for Telegram on her iPhone? Select all that are correct.
- Location, iCloud, Calls, Contacts
- Location, iCloud, Siri, Contacts
- Location, iCloud, Calls
- Calls, iCloud, Siri, Contacts
- This application was not installed
- The name of the app may be listed by the vendor.
- Make sure you translate the service name to its real meaning, i.e. photos, location, calls, etc. (5 points deducted)
Flag: Location, iCloud, Siri, Contacts
This question was a little on the harder end if you didn’t know where to look. The hints should have helped a little bit, but looking at additional resources might have also been beneficial, like the SANS 585 Mobile Forensic Poster/Cheat sheet.
Hopefully, it brought you to /private/var/mobile/Library/TCC/TCC.db.
Once you got to the database you could find the answer. If you looked up Telegram prior to diving into the database, you knew the bundle identifier of the app is ph.telegra.Telegraph. kTCCServiceLiverpool is used for location and kTCCServiceUbiquity is used for iCloud.
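To show the translation step from raw TCC service names to the permissions an examiner reports, here is an added example (not part of the original walkthrough) that runs the query against a constructed in-memory copy of the access table. The table layout (service, client, client_type, auth_value) follows the TCC.db schema as I understand it on recent iOS, and the Siri, Contacts and other service names beyond the two on this page are ones I believe exist; the rows themselves are invented for the example.

```python
import sqlite3

# Service identifier -> what it grants. The first two are from the walkthrough;
# the rest are well-known TCC service names (verify against your own TCC.db).
SERVICE_MEANING = {
    "kTCCServiceLiverpool": "Location",
    "kTCCServiceUbiquity": "iCloud",
    "kTCCServiceSiri": "Siri",
    "kTCCServiceAddressBook": "Contacts",
    "kTCCServicePhotos": "Photos",
    "kTCCServiceMicrophone": "Microphone",
    "kTCCServiceCamera": "Camera",
}

ALLOWED = 2  # auth_value 2 = allowed, 0 = denied (assumed iOS 14+ semantics)


def build_sample_tcc_db():
    """Constructed stand-in for /private/var/mobile/Library/TCC/TCC.db."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE access (service TEXT, client TEXT, "
                "client_type INTEGER, auth_value INTEGER)")
    con.executemany("INSERT INTO access VALUES (?, ?, 0, ?)", [
        ("kTCCServiceLiverpool",   "ph.telegra.Telegraph", ALLOWED),
        ("kTCCServiceUbiquity",    "ph.telegra.Telegraph", ALLOWED),
        ("kTCCServiceSiri",        "ph.telegra.Telegraph", ALLOWED),
        ("kTCCServiceAddressBook", "ph.telegra.Telegraph", ALLOWED),
        ("kTCCServiceMicrophone",  "ph.telegra.Telegraph", 0),        # prompted, denied
        ("kTCCServicePhotos",      "com.example.otherapp",  ALLOWED),  # a different app
    ])
    return con


def granted_permissions(con, bundle_id):
    """Return the human-readable permissions a bundle has been allowed."""
    rows = con.execute(
        "SELECT service FROM access WHERE client = ? AND auth_value = ?",
        (bundle_id, ALLOWED)).fetchall()
    # Unknown service names are passed through untranslated so nothing is hidden.
    return sorted(SERVICE_MEANING.get(svc, svc) for (svc,) in rows)


if __name__ == "__main__":
    print(granted_permissions(build_sample_tcc_db(), "ph.telegra.Telegraph"))
```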
Question 18: Settings and Notifications – Beth’s Phone (20 points)
Was iCloud Photos turned on? If yes, when was it turned on? Answer must be in the following format YYYY-MM-DD HH:MM:SS.
Report the time exactly as shown inside the file.
Flag: 2021-02-03 17:46:27
What we were looking for here was the cpl_enabled_marker file. This file notes when iCloud Photos was turned on. The file is located at /private/var/mobile/Media/PhotoData/cpl_enabled_marker. You did need to tweak the time to reflect the requested time format.
Question 19: Device Identification – Beth’s Phone (50 points)
Which iOS version was running on Beth’s iPhone on May 7, 2021?
This one is not an easy one. The way we got to this was by going through crash logs. There is no easy way to do it. If you look at /private/var/wireless/Library/Logs/CrashReporter/Baseband/log-2021-05-07-stats.plist, you can see there was an entry where a crash log was created, and it lists the iOS version on the device at the time.
Realistically, this is more for diagnostic information, but it could be useful for an investigation.
There were much easier ways to get to this answer: you could have looked at the /private/var/mobile/Library/mobileactivationd/ log files, as well as the lockdown logs. Health data often stores iOS versions as well.
Question 20: Native Applications – Beth’s Phone (20 points)
Which cards were saved in the Apple Wallet?
- Capital One and Amex
Hint: Look for files that store Apple Wallet Information. (0 points)
This question was meant to be a curveball. This one should have led you to passes23.sqlite file. It was empty, hence no cards were saved to the wallet. Ian Whiffin wrote a great blog post about payments using Apple Pay.
Question 21: Location Artifacts – Beth’s Phone (50 points)
Which time zones were visited while the device was on iOS 14.4? Select all that apply.
- Central, Eastern, Mountain
- Pacific, Eastern
- Central, Pacific, Eastern
- Consider native apps that track location artifacts. (0 points)
- Consider calendar entries and health data (5 points deducted)
Flag: Central, Eastern, Mountain
Beth starts to crank up the heat here. Sure, you could have mapped the device’s locations and cross-referenced them against the iOS update we discussed in the previous question. But Health is an often-overlooked source of location data.
If you look at the healthdb_secure.sqlite (remember you need an encrypted backup or a Full File System to get this file), there is a table data_provenances that lists each version of the device and related time zone.
Based on the entries of New York, Denver, and Chicago, the answer would be Central, Eastern, and Mountain.
Question 22: Settings: Auto-Lock – Beth’s Phone (20 points)
How long does Beth’s phone need to be inactive for the screen to auto-lock?
- New research was released on this by a DFIR blogger. (0 points)
- Look for plists and databases in the userConfigurationProfiles directory (5 points deducted).
Research never ends in DFIR. Scott Koenig did a great write-up about this specific topic. It should have led you to /private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/PublicEffectiveUserSettings.plist.
Upon reviewing the plist file, you can see the MaxInactivity value is 2147483647 which means the phone never auto-locks.
Question 23: Settings and Notifications – Beth’s Phone (20 points)
When does Beth’s iPhone require a password to unlock the device after locking it?
- After 1 min
- After 5 mins
- After 1 hour
- After 4 hours
If you got the answer to the previous question, you read the blog and should have known that you were looking for an answer in the same file. You were looking for the value for maxGracePeriod which was 0.
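Both of these questions come down to reading two integers out of the same plist and knowing what the sentinel values mean, so here is an added example (not from the original walkthrough or from Scott Koenig’s research) that parses a constructed plist and reports the settings. It assumes the two keys sit at the top level of the dictionary and that both values are in minutes, matching the MDM passcode-policy keys of the same names; the real PublicEffectiveUserSettings.plist carries more keys than this fragment.

```python
import plistlib

# Constructed XML plist carrying only the two keys the walkthrough points at.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>MaxInactivity</key><integer>2147483647</integer>
  <key>maxGracePeriod</key><integer>0</integer>
</dict>
</plist>
"""

NO_LIMIT = 2147483647  # INT32_MAX, used as the "no limit / never" sentinel


def describe_settings(settings):
    """Translate raw MaxInactivity / maxGracePeriod values (assumed minutes)
    into the wording an examiner would report."""
    inactivity = settings.get("MaxInactivity")
    grace = settings.get("maxGracePeriod")

    if inactivity is None:
        auto_lock = "not set"
    elif inactivity >= NO_LIMIT:
        auto_lock = "never"
    else:
        auto_lock = f"after {inactivity} min"

    if grace is None:
        passcode = "not set"
    elif grace == 0:
        passcode = "immediately"
    elif grace >= NO_LIMIT:
        passcode = "never required after lock"
    else:
        passcode = f"after {grace} min"

    return {"auto_lock": auto_lock, "passcode_required": passcode}


def describe_plist(plist_bytes):
    """plistlib.loads handles both XML and binary plists, so a file pulled
    straight from the extraction can be passed in unchanged."""
    return describe_settings(plistlib.loads(plist_bytes))


if __name__ == "__main__":
    print(describe_plist(SAMPLE_PLIST))
```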
Question 33: Logging – Beth’s Phone (100 points)
On July 20th, 2021 at 20:06 PM local time, Beth’s iPhone received a System message regarding the state of the device. What is the name of the file that contains this information?
This question is tough. You can find the answer in the tools, but you need to know how to find it. In Inspector, you can parse logs and journals, as Heather Mahalik hinted at in a Cellebrite Tip Tuesday. This processing doesn’t take long and provides access to the System and Unified logs on the iPhone.
Filtering in Inspector will help a lot here. If you aren’t familiar with filtering, please refer to some Tip Tuesday recordings on filtering in Inspector.
For this one, we applied a few filters. First, we went to System, System Logs and then filtered on 2021-07-20, which does not show the time given in the question because the logs are stored in UTC. We must convert the local time to UTC to get the correct answer.
I changed the filter to 2021-07-21 and looked for 00:06, which will be the correct time in UTC. I also filtered for the word ‘system’ and reviewed the results.
Finally, I added the term ‘thermal’ because I know the process needed is thermalmonitord.
From there, you can see the message was “System will Power On” and the file storing it is /Beth’s iPhone/filesystem1/private/var/db/diagnostics/Persist/0000000000000393.tracev3.
The file path is shown below.
In Physical Analyzer, a physical (hex) search for terms like “power” or “system” will also lead you down the correct path, but it’s not as easy.
Beth is not an easy person! If you watched the season premiere of Yellowstone, you know she is one tough woman!
We also want to give credit to others who took the time to share their walk-throughs. It’s important to read these blogs as the author may have derived the answer via a different file, artifacts, or by using another tool.
Thank you for taking the time to share your results.