Cellebrite held their yearly CTF last month and this year the challenge featured 4 devices, belonging to 4 different suspects. In this blog, we will use ArtiFast to answer the questions associated with one of the suspects' devices (Abe Rudder's Apple iPhone X).
Terror attacks were planned for Southport, NC in June of 2023. Russell, the primary suspect, lives locally in that area and seems to have been introduced to Abe via Sharon. Russell and Sharon go way back, and she seems to be the linchpin who tied Abe to Russell. So, who is Abe? How is he involved with Felix? Why would Felix be feeding a US person with information on nuclear power plants and weapons? Complete challenge details can be found here.
Q: Abe used a unique email address for his iCloud account. What is that email address?
The Apple Accounts artifact shows that Abe used the iCloud account [email protected]
Q: Abe used different types of communication channels, through different applications. What communication application was used the most?
Of all the messages parsed from the messaging apps and iOS OS categories, the application with the most messages was Telegram, with 1308 parsed.
Q: A payment card was used on Abe's device - Wallet. What are the last 4 digits of that card?
Wallet card information can be found within the Apple Wallet Passes artifact. The card number is 7438.
Q: Abe's phone was setup using iCloudBackup method. What is the Date & Time for that (UTC+0 time)? [YYYY-MM-DD HH:MM:SS]
The iOS Backup-Restore artifact shows that the device was restored from iCloud, and the date was 2023-02-20 01:43:14.
Q: Abe was suspicious about being tracked. After searching the rental vehicle he was using while in NJ, he found a device attached to his vehicle. What was the make & model of the device? [Please provide the make and model as provided by the manufacturer]
Searching with the keyword "rental" returns a Safari search history entry for "hertz rental geotab go9 lte", which is a GPS tracking device. This makes the answer Geotab G09.
Q: Abe was not really active, on June 24, 2023 local time, how many steps were recorded?
Checking the iOS Health Steps artifact, we see that there are 12 step records dated June 24, 2023 UTC. Because the question refers to local time, the 2 records shown above that fall outside the local day are ignored. Adding up the remaining steps gives the answer of 755 steps.
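The UTC-versus-local distinction above is a recurring pitfall when summing Health data, because iOS stores the timestamps in UTC while the question asks about the suspect's local day. The following added example (not part of the original walkthrough, and not ArtiFast's own code) shows the conversion step on constructed sample records: it assumes the device was in the US Eastern time zone (the walkthrough places Abe in NJ), converts each UTC timestamp to local time, and only then groups by calendar day. It also computes the naive UTC-day total so the difference is visible.

```python
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo, ZoneInfoNotFoundError

# Assumption: device local time is US Eastern (Abe was in NJ). Fall back to a
# fixed EDT offset if the host has no tz database, so the example still runs.
try:
    LOCAL_TZ = ZoneInfo("America/New_York")
except ZoneInfoNotFoundError:
    LOCAL_TZ = timezone(timedelta(hours=-4), "EDT")

# Constructed sample records (UTC timestamp, step count); NOT the CTF data.
# The first two fall on 2023-06-24 UTC but on the evening of 2023-06-23 local,
# mirroring the "ignored" records in the walkthrough; the 02:15 UTC record on
# the 25th actually belongs to the local 24th.
SAMPLE_STEPS = [
    ("2023-06-24 01:10:00", 120),  # 2023-06-23 21:10 local -> previous day
    ("2023-06-24 03:05:00", 40),   # 2023-06-23 23:05 local -> previous day
    ("2023-06-24 12:30:00", 300),  # 08:30 local
    ("2023-06-24 17:45:00", 255),  # 13:45 local
    ("2023-06-24 23:20:00", 200),  # 19:20 local
    ("2023-06-25 02:15:00", 90),   # 2023-06-24 22:15 local -> counts for the 24th
    ("2023-06-25 05:00:00", 60),   # 2023-06-25 01:00 local -> next day
]


def parse_utc(ts: str) -> datetime:
    """Parse a 'YYYY-MM-DD HH:MM:SS' string as an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def steps_on_local_day(records, day: str, tz=LOCAL_TZ) -> int:
    """Sum step counts whose timestamp falls on `day` (YYYY-MM-DD) in local time."""
    target = datetime.strptime(day, "%Y-%m-%d").date()
    total = 0
    for ts, count in records:
        local_dt = parse_utc(ts).astimezone(tz)  # convert BEFORE taking the date
        if local_dt.date() == target:
            total += count
    return total


def steps_on_utc_day(records, day: str) -> int:
    """Naive variant: groups by the UTC date, which is what the raw artifact shows."""
    target = datetime.strptime(day, "%Y-%m-%d").date()
    return sum(c for ts, c in records if parse_utc(ts).date() == target)


if __name__ == "__main__":
    day = "2023-06-24"
    print(f"UTC-day total:   {steps_on_utc_day(SAMPLE_STEPS, day)}")
    print(f"local-day total: {steps_on_local_day(SAMPLE_STEPS, day)}")
```

On the constructed data the two totals differ (915 by UTC day versus 845 by local day), which is exactly the discrepancy that makes a UTC-only sum wrong for a question phrased in local time. A real case would also need the device's actual time zone from the extraction rather than an assumed one.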
Q: Abe pairs his iPhone with a few different Bluetooth devices. How many unique bluetooth connections were paired?
To answer this question we check two artifacts: iOS Bluetooth Paired LE, which shows 2 unique devices, and iOS Bluetooth Paired Devices. Together they show that there are 10 unique connections.
Q: Abe got notified by Harold of a potential arrest. Abe then opened which app?
A search for the keyword "arrest" shows that Abe received the message notification from the Signal app on June 27 2023 23:58:04. The Application Usage artifact shows that Signal was launched 2 minutes later, on June 27 2023 00:00:44.
Q: Abe went to a party at RAIN Event Space. What is the name of the street (just the street name) for where he parked his vehicle?
Checking RAIN Event Space on Google Maps shows that the venue is located on Water street. To confirm that he parked there, we take its coordinates, 40.88833107819406, -74.02059816598867, and use field value filtering in ArtiFast to look for coordinates with similar values. The iOS Routined Location - Vehicle Park History artifact contains a record at 40.8880659236816, -74.0203191037432, which differs only slightly after the decimal point. Looking this position up confirms that Abe parked just ahead of the venue on the same street.
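Filtering on "similar digits after the decimal point" works here, but it is an informal proximity test: one unit in the third decimal place of latitude is about 111 m, while the same change in longitude shrinks with latitude, so a digit-based filter can both miss nearby records and admit distant ones. The added example below (not part of the original post, and not ArtiFast's own code) performs the same check with a great-circle (haversine) distance, using the two coordinate pairs quoted above together with constructed decoy records, and returns every parking record within a chosen radius of the venue.

```python
import math

# Coordinates quoted in the walkthrough: the venue and the matching park record.
VENUE = (40.88833107819406, -74.02059816598867)
MATCHED_PARK_RECORD = (40.8880659236816, -74.0203191037432)

EARTH_RADIUS_M = 6371000.0  # mean Earth radius, metres

# Constructed Vehicle Park History records (NOT the CTF data). Only the first
# one is the real match; the others are decoys placed a few km to ~100 km away.
SAMPLE_PARK_HISTORY = [
    {"timestamp": "2023-06-24 01:12:00", "lat": 40.8880659236816, "lon": -74.0203191037432},
    {"timestamp": "2023-06-23 22:40:00", "lat": 40.8883, "lon": -74.0500},  # ~2.5 km west
    {"timestamp": "2023-06-22 18:05:00", "lat": 40.7500, "lon": -74.0206},  # ~15 km south
    {"timestamp": "2023-06-20 09:30:00", "lat": 41.8000, "lon": -74.0206},  # ~100 km north
]


def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) pairs in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat = lat2 - lat1
    dlon = lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))


def records_near(target, records, radius_m=100.0):
    """Return (record, distance_m) for every record within radius_m of target, nearest first."""
    hits = []
    for rec in records:
        d = haversine_m(target, (rec["lat"], rec["lon"]))
        if d <= radius_m:
            hits.append((rec, d))
    return sorted(hits, key=lambda item: item[1])


if __name__ == "__main__":
    print(f"venue -> matched record: {haversine_m(VENUE, MATCHED_PARK_RECORD):.1f} m")
    for rec, d in records_near(VENUE, SAMPLE_PARK_HISTORY, radius_m=100.0):
        print(f"{rec['timestamp']}  {rec['lat']:.6f}, {rec['lon']:.6f}  {d:.1f} m")
```

The quoted park record lands roughly 38 m from the venue coordinates, comfortably inside a 100 m radius, while none of the decoys qualify. In a real examination the radius should reflect both the GPS accuracy of the source artifact and how precisely the reference point (a venue pin on a map) was chosen.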
Q: What was Abe Rudder’s "About" bio on Whatsapp?
The WhatsApp User Information artifact shows the answer is World peace.
Q: Abe is paranoid and not always giving access to everything. One of the apps Abe used on the iPhone received access to Photos however as an “Add Photos Only” permission. What is the name of the app? (one word i.e: Starbucks)
The answer is Chrome. If we run a search for “Photos” in the Apple Application Permissions artifact, we find 1 service, “PhotosAdd”, allowed for “com.google.chrome.ios”.
Q: Abe used a specific method to find/check/share locations via an app. In order to keep privacy up, Abe signed up with a different email address which keeps it isolated to that vendor. What is that email address?
Going through Abe’s emails we see a few oddly unique @privaterelay.appleid.com addresses used for yelp, bumble and what3words. what3words is a geocode system, which makes the answer [email protected].
Q: Abe got suspicious when he had to deal with some shady people almost as if a crime was known to be committed. He wanted to leave no traces. Abe was looking to create an anonymous email. Where did Abe search for that?
He used DuckDuckGo. Finding nothing under Safari and Chrome, we look for other possible traces and find that the DuckDuckGo search tool was installed. Navigating to the Files tab in ArtiFast, we run a search for “duck” to find files associated with the app. There is a Snapshots folder and an application saved state folder, so we extract both to examine them further. The [email protected] image file is a snapshot of the search Abe ran.
Q: Abe was navigating while driving, on June 26, 2023. What was the destination address on the navigation?
The Apple Maps Synced Data artifact shows that on that day the destination was “284 Central Way, Kirkland”.
Q: Abe used MOB to send/receive crypto currency within Signal. Find the Recovery Phrase for Signal Mobile Coin wallet! What is it? (keep correct order of all the words)
A search for “Mobile Coin wallet” led to an Apple Notes artifact entry titled “Signal mobile coin wallet” with an embedded image. The Recovery Phrase for the wallet is “pet element blast mix trumpet usual leg aim office jaguar emerge fatigue tent volcano other unfair absent hope power annual banana speak initial gold” as shown in the image below.
Q: Abe loves taking pictures and videos on the iPhone, the problem is when Abe is trying to look for a picture, he is having a hard time finding it. He therefore utilizes the Search within the Apple Photos app. If Abe would have searched for pictures of: Myself, Pawel, Hat he would end up with one photo. Can you name that filename?
The iOS Photos Assets artifact allows us to see what was tagged in a photo. A search for "Myself" returns 86 photo entries and "Pawel" returns 14. Comparing the 2 result sets leaves 4 photos in which both were tagged. There was no "Hat" tag, but on viewing the 4 photos we find that IMG_1100.HEIC is the answer.
Q: Abe went for some shady meeting on an island but tried to conceal as a vacation so he took a boat tour and tracked dolphins. He then decided to mark a location with “dolphins”. What was the timestamp for that location? [HH:MM:SS] written in UTC time
A search for “dolphin” yields a single result, under the GPX Waypoints artifact. We can see below that the location was marked at 2023-06-02 17:57:35.
Q: Within the last month before Abe got arrested (and his device was extracted), Abe used to wake up naturally however, there was one day the phone did. What was the day and (local) time? [YYYY-MM-DD HH:MM:SS]
Knowing we are looking for an alarm, we check the User Notification Events artifact and see that there was a notification for one at 2023-06-16 06:00:00 local time.