Cellebrite held their yearly CTF last month, and this year the challenge featured four devices belonging to four different suspects. In this blog we will use ArtiFast to answer the questions associated with one of the suspects' devices, Russell Philby's Google Pixel 6a.
Terror attacks were planned for Southport, NC in June of 2023. Russell, the primary suspect, lives locally in that area and seems to have been introduced to Abe via Sharon. Russell and Sharon go way back, and she seems to be the linchpin who tied Abe to Russell. So who is Abe? How is he involved with Felix? Why would Felix be feeding a US person information on nuclear power plants and weapons? Complete challenge details can be found here.
Q: Russell got a FaceTime call. When did he join it (UTC)?
It is an Android device, which has no FaceTime application, so he must have joined the call through a Chromium-based browser (FaceTime links open as a web call in Chrome and other Chromium browsers). In the Web activity artifacts we find that Russell has the Brave browser installed. Looking through its browser history artifact we find the URL used to join the call, visited at 2023-06-07 23:24:39 UTC.
Q: Which user profile on Russell’s phone last connected to his Bluetooth speaker?
Profile 0. In the Bluetooth devices artifact there is a JBL Flip 6 with MAC address 2c:fd:b4:b0:23:14 that connected to the phone on 2023-06-03 at 17:34:40 UTC. To determine which profile was in use we look at the ArtiFast timeline for 2023-06-03: the phone recorded several activities, presented under the usage events artifact, whose paths show data/data rather than data/user/10, including a device unlock event. On Android the primary user (user 0) keeps its app data under /data/data (an alias of /data/user/0), while secondary users live under /data/user/<id>, so the profile in use was 0.
Q: What app did Russell use to send location information to the group?
The answer is What3Words. On the other suspects' devices we had already seen the What3Words application in use. A message found on Abe's phone, sent to their Signal group chat and containing the text 'Detonated Stammered Showing', was also found while analysing Russell's What3Words QafeEcXOSgScVMMQLRC3GA_analytics-wal file. The author's number, +19106995488, belongs to Russell.
Q: Did Russell get directions to the location described in the previous question (Russell 03a)? If so, when (UTC)?
Similar to question 12 in Sharon's write-up, we analyse the QafeEcXOSgScVMMQLRC3GA_analytics-wal file for events in the application. The message he sent contained the words 'Detonated Stammered Showing'; searching for those strings in the -wal file, we find two event names of interest, "view_nav" and "directions". The "directions" event also records his distance from the location and shows that he used the Waze application for the navigation. The timestamp associated with the event is 1687791762.932, a Unix epoch value in seconds, which converts to 2023-06-26 15:02:42.932 UTC, i.e. 15:02:43 rounded to the second.
Q: Was Signal used under Profile 10?
Yes. The Android Google Files App Usage Information artifact records Signal usage under that profile.
Q: Associate the phone number(s) of the phone with the correct ICCID, IMSI, and Carrier.
The phone numbers are +19106995488 and +19199037779. Their mapping to ICCID, IMSI and carrier can be read from the Android SIM Information artifact.
Q: Russell went on a coastal vacation. Where did he stay (actual residential address)? [Street address, City, State ZIP]
The answer is 913 Ocean Drive, Emerald Isle, NC 28594. We found two messages: one from Sharon on 2023-06-17 at 20:12:53 UTC, sent via WhatsApp with an image, that said "Beach-bound.", and another from Abe Rudder, sent via Telegram on 2023-06-21 at 00:51:40 UTC, that said "Hope you're enjoying your beach time". Inspecting the events around those dates, we find a number of pictures taken by Russell on 2023-06-21, some of them images of the ocean, a beer and a snake. Using the EXIF artifact we can get the latitude and longitude of the beer can image, which looks like it was taken on the deck of the house. Converting the degrees/minutes/seconds values to decimal degrees and searching for them on Google Maps gives the answer. (EXIF GPS data is only present if the camera app had location tagging enabled; screenshots and images received through messaging apps are typically stripped of it, which is why the photo Russell took himself is the one to use.)
Q: Sharon, Abe, and Russell all met in-person. When & where (name and location)?
The answer is Cloud 9 Rooftop Bar, Wilmington, NC, on 2023-06-05 at 19:03. On Sharon's device we find a picture of Abe (Ronen) and Russell (Josh); the image metadata carries the coordinates 34°14'32.2"N 77°57'08.2"W, and entering them in Google Maps shows the address 9 Estell Lee Pl, Wilmington, NC 28401, USA, where a bar called Cloud 9 is located.
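Both this question and the vacation-house question above come down to the same step: reading the GPS IFD out of a photo's EXIF, turning degrees/minutes/seconds plus a hemisphere letter into signed decimal degrees, and handing the result to a map. The helper below is an added example written for this page, not ArtiFast's code; the EXIF tag numbers (1 to 4 for the latitude/longitude refs and values) are the standard EXIF GPS IFD tags, and the sample IFD is constructed here from the coordinates quoted for the Cloud 9 photo rather than copied from the device.

```python
import re

# EXIF GPS IFD tag numbers from the EXIF specification. Pillow hands back this
# IFD with the same integer keys via Image.getexif().get_ifd(0x8825).
GPS_LATITUDE_REF, GPS_LATITUDE = 1, 2
GPS_LONGITUDE_REF, GPS_LONGITUDE = 3, 4


def _to_float(r):
    """EXIF rationals arrive as (numerator, denominator) pairs in older Pillow
    releases and as IFDRational objects in newer ones; accept either, plus
    plain numbers or numeric strings."""
    if isinstance(r, tuple):
        num, den = r
        if den == 0:                       # some cameras write 0/0 for "no fix"
            raise ValueError("zero denominator in EXIF rational")
        return num / den
    return float(r)


def dms_to_decimal(degrees, minutes, seconds, ref):
    """Signed decimal degrees from D/M/S and a hemisphere letter (N/S/E/W)."""
    ref = ref.strip().upper()
    if len(ref) != 1 or ref not in "NSEW":
        raise ValueError(f"bad hemisphere reference {ref!r}")
    value = _to_float(degrees) + _to_float(minutes) / 60 + _to_float(seconds) / 3600
    return -value if ref in ("S", "W") else value


def exif_gps_to_decimal(gps):
    """(lat, lon) from an EXIF GPS IFD dict; raises KeyError if the image has no fix."""
    lat = dms_to_decimal(*gps[GPS_LATITUDE], gps[GPS_LATITUDE_REF])
    lon = dms_to_decimal(*gps[GPS_LONGITUDE], gps[GPS_LONGITUDE_REF])
    return lat, lon


# Matches the D°M'S"H form that Google Maps and ArtiFast display; the Unicode
# prime/double-prime variants are accepted as well.
_DMS_RE = re.compile(r"""(\d+)\s*°\s*(\d+)\s*['′]\s*(\d+(?:\.\d+)?)\s*["″]?\s*([NSEW])""")


def parse_dms_string(text):
    """Parse e.g. 34°14'32.2"N 77°57'08.2"W into (lat, lon)."""
    parts = _DMS_RE.findall(text)
    if len(parts) != 2:
        raise ValueError(f"expected a latitude and a longitude, found {len(parts)}")
    lat = lon = None
    for deg, minute, sec, ref in parts:
        value = dms_to_decimal(deg, minute, sec, ref)
        if ref in "NS":
            lat = value
        else:
            lon = value
    if lat is None or lon is None:
        raise ValueError("need one N/S and one E/W coordinate")
    return lat, lon


def maps_url(lat, lon):
    """Google Maps query for a decimal pair; six decimals is roughly 10 cm."""
    return f"https://www.google.com/maps?q={lat:.6f},{lon:.6f}"


# Constructed sample (not the raw IFD from Sharon's phone): the GPS IFD a photo
# would carry for the Cloud 9 coordinates, in (numerator, denominator) form.
SAMPLE_GPS_IFD = {
    GPS_LATITUDE_REF: "N",
    GPS_LATITUDE: ((34, 1), (14, 1), (322, 10)),
    GPS_LONGITUDE_REF: "W",
    GPS_LONGITUDE: ((77, 1), (57, 1), (82, 10)),
}

if __name__ == "__main__":
    lat, lon = exif_gps_to_decimal(SAMPLE_GPS_IFD)
    print(lat, lon, maps_url(lat, lon))
    print(parse_dms_string("34°14'32.2\"N 77°57'08.2\"W"))
```

Both paths land on 34.242278, -77.952278, the decimal form of the coordinates above; with a real file, `Image.open(path).getexif().get_ifd(0x8825)` supplies the dict, and a missing key means the picture never had a fix rather than a conversion error.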
Q: Mjolnir makes an appearance on Russell’s phone. Which app did it come from?
The image came from Reddit. An extensive search reveals the image is Screenshot_20230622-093735.png, found in a Screenshots folder. To find the application it was taken from we can filter the timeline around the time it was captured. The file name carries the local capture time, 09:37:35, which is 13:37:35 UTC (North Carolina is on EDT, UTC-4, in June); the timeline for that moment shows activity by the Reddit application and the Android Markup tool (the screenshot editor), so the screenshot was taken while Reddit was in the foreground.
Q: When was the last time Signal was launched (opened) under Profile 10?
2023-06-28 23:27:24. The answer comes from a carved SimpleStorage database.
Q: Russell liked to cover his tracks while traveling and connecting to WiFi. What was the MAC address used on 2023-06-07 at approximately 23:27 UTC?
The answer is b2:6a:79:dc:9f:08 (Fat Tony's Italian Pub). The WiFi Information artifact shows a number of SSIDs with the randomised MAC address used for each, but no date and time to tie a single connection to the question. The first octet, b2, has the locally administered bit (0x02) set, which is how Android's per-network randomised MACs can be recognised; the device's burned-in address would carry a vendor OUI instead.
Checking the timeline for activities around the mentioned time, we find that a screenshot was taken at that exact time, which from question 1 we know is from the FaceTime call joined about three minutes earlier (23:24:39 UTC).
Since we know he was with Abe at the time, we can check Abe's device for their location. On Abe's device, under the iOS Routined Location Visit artifact, we can see that he was at "Shuckin' Shack Oyster Bar" while the FaceTime call was taking place.
Putting the coordinates into Google Maps shows that the pub next door, "Fat Tony's Italian Pub", is in the list of SSIDs he had connected to, so its randomised MAC is the one in use at that time.
Q: Russell went on a coastal vacation. What time did Russell first navigate to his coastal vacation house?
We know from question 6 that Russell's vacation address is 913 Ocean Dr, Emerald Isle, NC. The answer can be found in the Google Maps search history file new_recent_history_cache_navigated.cs; because it is a protobuf, we used the Mushy tool to analyse its contents. The file holds the timestamp of the search together with the address and coordinates. The answer is 2023-06-17 20:10:40, which fits with Sharon's "Beach-bound." message arriving two minutes later.
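The file is raw protobuf, so any schema-less decoder (Mushy, or protoc --decode_raw) walks it the same way: each field starts with a varint tag holding a field number and a wire type, followed by a varint, a fixed 8- or 4-byte value, or a length-prefixed blob that may itself be a nested message, a string or opaque bytes. Below is an added example of such a decoder in Python, written for this page and not taken from ArtiFast, Mushy or Google Maps. The record it decodes is constructed here: the field numbers and the placeholder coordinates are assumptions, since the real cache layout is not documented on this page; the timestamp and destination are the ones from the write-up.

```python
import struct
from datetime import datetime, timezone


def _read_varint(buf, pos):
    """Decode one base-128 varint at buf[pos]; return (value, position after it)."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint longer than 10 bytes")


def decode_raw(buf):
    """Walk a protobuf message without its .proto, like `protoc --decode_raw`.
    Returns [(field_number, wire_type, value), ...] in file order."""
    fields, pos = [], 0
    while pos < len(buf):
        tag, pos = _read_varint(buf, pos)
        field, wtype = tag >> 3, tag & 0x7
        if field == 0:
            raise ValueError("field number 0 is not valid")
        if wtype == 0:                                   # varint (int32/int64/bool/enum)
            value, pos = _read_varint(buf, pos)
        elif wtype == 1:                                 # 64-bit: double/fixed64/sfixed64
            if pos + 8 > len(buf):
                raise ValueError("truncated fixed64")
            value = struct.unpack_from("<d", buf, pos)[0]   # re-read as "<q" if it is really an int64
            pos += 8
        elif wtype == 5:                                 # 32-bit: float/fixed32/sfixed32
            if pos + 4 > len(buf):
                raise ValueError("truncated fixed32")
            value = struct.unpack_from("<f", buf, pos)[0]
            pos += 4
        elif wtype == 2:                                 # length-delimited
            length, pos = _read_varint(buf, pos)
            if pos + length > len(buf):
                raise ValueError("length-delimited field runs past end of buffer")
            value = _guess_payload(buf[pos:pos + length])
            pos += length
        else:
            raise ValueError(f"unsupported wire type {wtype} (groups are deprecated)")
        fields.append((field, wtype, value))
    return fields


def _guess_payload(chunk):
    """A length-delimited field is a nested message, a UTF-8 string or raw
    bytes; without a schema that is a guess, tried in that order (as protoc does)."""
    try:
        nested = decode_raw(chunk)
        if nested:
            return nested
    except ValueError:
        pass
    try:
        return chunk.decode("utf-8")
    except UnicodeDecodeError:
        return bytes(chunk)


# Encoder side, used only to build the constructed sample record below.
def encode_varint(n):
    out = bytearray()
    while n > 0x7F:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    out.append(n)
    return bytes(out)


def encode_field(num, wtype, payload):
    return encode_varint((num << 3) | wtype) + payload


def encode_bytes_field(num, data):
    return encode_field(num, 2, encode_varint(len(data)) + data)


# Constructed record (not bytes from the device). Assumed layout: field 1 is the
# navigation time as Unix seconds, field 2 the destination string, field 3 a
# nested message with placeholder lat/lon doubles (34.5, -77.0 are not the
# recovered values).
SAMPLE = (
    encode_field(1, 0, encode_varint(1687032640))                 # 2023-06-17 20:10:40 UTC
    + encode_bytes_field(2, b"913 Ocean Dr, Emerald Isle, NC 28594")
    + encode_bytes_field(3, encode_field(1, 1, struct.pack("<d", 34.5))
                         + encode_field(2, 1, struct.pack("<d", -77.0)))
)


def navigated_event(buf):
    """(UTC time string, destination, (lat, lon)) from one decoded record."""
    top = {num: val for num, _, val in decode_raw(buf)}
    when = datetime.fromtimestamp(top[1], tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    inner = {num: val for num, _, val in top[3]}
    return when, top[2], (inner[1], inner[2])


if __name__ == "__main__":
    for num, wtype, val in decode_raw(SAMPLE):
        print(num, wtype, val)
    print(navigated_event(SAMPLE))
```

On a real cache file, run decode_raw over the whole buffer and look for the varint that falls in the 2023 epoch range (roughly 1.67e9 to 1.70e9 seconds, or a thousand times that if stored in milliseconds) next to a string field holding an address; the nested/string guess for wire type 2 is a heuristic, so a field that prints as garbage is worth re-reading as bytes.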
Q: Russell called an audible and sent Abe a new location. What was the location?
Russell sent Abe the message "Change of plans. New spot: "Lions Awake Faced"". From the previous questions, and knowing how What3Words presents its addresses, we can assume that "Lions Awake Faced" is a location. ArtiFast wasn't able to find the message, but checking the default.realm file under the What3Words data folder on Abe's device confirms it. The coordinates give us the answer: "Our Lady of Heaven Chapel Mausoleum".