
Part 5: And That’s a Wrap for the 2021 Capture the Flag (CTF)
At Cellebrite, we want to provide an annual CTF to enhance what you already know and hopefully teach you something new with each challenge.
Whether you are new to DFIR or a seasoned veteran, this CTF had something for you to learn. The questions were written so that some were easier while others were extremely challenging but not impossible.
Our hope was that you had fun and enjoyed the effort we put into creating solid data sets that you can also use after the CTF for your own testing and validation needs.
It is OK if you were not able to answer all the questions, and if you missed the CTF altogether, don’t fret: we are providing the datasets and the walkthroughs so you can continue learning.
The datasets: This year we introduced a PC into our scenario. Because of their size, some images were split into multiple .E01 files, and some are split across several .zip files for easy download, so make sure to put all the .zip files into the same directory before unzipping.
The Solutions:
We wrote a blog post for each dataset that includes walkthrough solutions.
Read the backstory in part 1 and follow the previous walk-throughs at the following links:
- Part 1: Walk-Through of Answers to the 2021 CTF – Investigating Heisenberg’s Android Device
- Part 2: Walk-Through of Answers to the 2021 CTF – Marsha’s PC
- Part 3: Walk-Through of Answers to the 2021 CTF – Marsha’s iPhone (FFS and Backup)
- Part 4: Walk-Through of Answers to the 2021 CTF – Beth’s iPhone
After we wrote the first four blogs, a new post was released featuring iLEAPP and how useful it is in this CTF. Watch the DFIRScience video here: https://www.youtube.com/watch?v=Cp9QMauTRaM
Beth’s iPhoneX:
https://d17k3c8pvtyk2s.cloudfront.net/CTF21/CTF21_Beth_iPhoneX_FFS_checkm8_2021-07-29.zip
MD5: 7094E2C584FCFBB1CCC346EBAB4D0A21
Heisenberg Note10:
https://d17k3c8pvtyk2s.cloudfront.net/CTF21/CTF21_Heisenberg_SM-N970U1_QualcommLive_2021-07-22.zip
MD5: DC68897A3F1690E9671048BDC75EBE8D
Marsha iPhoneX:
https://d17k3c8pvtyk2s.cloudfront.net/CTF21/CTF21_Marsha_iPhoneX_FFS_Premium_2021_07_29.zip.001
MD5: B5960A524E10469E6E6C01A6FAD1A917
https://d17k3c8pvtyk2s.cloudfront.net/CTF21/CTF21_Marsha_iPhoneX_FFS_Premium_2021_07_29.zip.002
MD5: B8233A33CBCDC15A23B7FF3AFDDE3D38
https://d17k3c8pvtyk2s.cloudfront.net/CTF21/CTF21_Marsha_iPhoneX_FFS_Premium_2021_07_29.zip.003
MD5: E5D8DD9C223C3424B04A377E023E0D37
Marsha PC:
https://d17k3c8pvtyk2s.cloudfront.net/CTF21/CTF21_Marsha_PC_Physical_DC_2021-07-29.zip.001
MD5: BB935C146EE6CB7B976D66902428C2BE
https://d17k3c8pvtyk2s.cloudfront.net/CTF21/CTF21_Marsha_PC_Physical_DC_2021-07-29.zip.002
MD5: F1A11B91291EB09D27E2B7635CE9D777
https://d17k3c8pvtyk2s.cloudfront.net/CTF21/CTF21_Marsha_PC_Physical_DC_2021-07-29.zip.003
MD5: C272FA79389D0A0A42E1F659998AD7AF
https://d17k3c8pvtyk2s.cloudfront.net/CTF21/CTF21_Marsha_PC_Physical_DC_2021-07-29.zip.004
MD5: D0D9924BA82127453E044522FF8F2E1C
https://d17k3c8pvtyk2s.cloudfront.net/CTF21/CTF21_Marsha_PC_Physical_DC_2021-07-29.zip.005
MD5: 2F843CF18B14F6C81C71A3DF2028F000
For those who need instructions or help on leveraging Cellebrite Physical Analyzer in an examination, please check out the following resources:
- Fundamentals Matter Webinars – Getting started in a mobile investigation, leveraging key capabilities, and digging deeper.
- Ask The Expert – Many videos on how to leverage Cellebrite solutions.
- Cellebrite Blog – Dive into key topics of interest.
- Tip Tuesday – Weekly tips provided by Heather Mahalik.
Stay tuned for the next CTF in 2022!