Solving Cellebrite CTF 2024 (Sharons Android)
22/11/2024 Friday
Cellebrites CTF follows up on Russell, Sharon, and Felix after Abe's arrest in last years CTF. Things start to take a turn when the new character Otto goes missing on a cruise trip. This blog covers solutions for some of the questions related to Sharons Android device using ArtiFast.
Artifacts Covered in this Challenge:
- Android Timezone
- Android SIM Info
- Android WhatsApp
- Samsung CMHProvider Images
- MP4 Files Metadata
- Android MMS
- Android Application Roles
- Android GMail Mail
- EML(X) Email
- Android Google Drive Items
Outta Time
Q: What time zone was the device set to when extracted?
Answer: UTC-07:00. Found the timezone America/Denver under Android Timezone artifact.
Can You Hear Me Now
Q: What is the last Network Service Provider that was used by Sharon?
Answer: T-Mobile. Under Android SIM Info 2 providers are found with no indication of which was last used. Luckily SQLite automatically creates the sqlit_sequence table which keeps track of the largest row ID of tables that have AUTOINCREMENT columns. As seen below the Row ID 2 belongs to T-Mobile.
Chatter Box
Q: Which messaging application was used the most on Sharon's device?
Answer: WhatsApp. It had the most messages.
Halp!
Q: Otto was lost. What phone number was provided if he was found? This answer can be found on Sharon’s device. Type the answer exactly as it is found.
Answer: +1 (516) 287-9924. The hint for this question was “Heather did a Tip Tues on how to leverage a feature in PA to know which pictures were taken by the device.”. From that we knew it was a picture taken by the device, so checking File Categories Image section, we find the image 20240806_103000.jpg which had the phone number.
...
Q: Where was Sharon’s device when Otto’s phone was found? (List city and state in this format Philadelphia, PA).
Answer: New Market, MD. When the image name “20240806_103000” is searched the result under the artifact Samsung CMHProvider Images provides the coordinates and address metadata.
I'm On A Boat
Q: Sharon likes boating. Which body of water was Sharon in when she witnessed a plane flying by and when did this occur in her localtime on that date? (Date must be in YYYY-MM-DD HH:MM:SS format so the answer will look like: Atlantic Ocean 2024-02-14 11:45:11)
Answer: Potomac River 2024-06-20 12:42:28. Among the videos on Sharons device is 20240620_124221.mp4 which captures the plane taking off. Running a search for the file name in the Artifacts section, we can find coordinates associated with the video and its creation date under MP4 Files Metadata. Looking up the coordinates on google maps reveals the body of water.
Sharing Is Caring
Q: When did Sharon share the Resized_Snapchat-348354225_1721069242295.jpeg with Otto? (Date must be in YYYY-MM-DD HH:MM:SS format and in UTC)
Answer: 2024-07-16 16:08:26. Searching for the image name returns the message entry under Android MMS where the date information can be retrieved.
(A) Typical
Q: What application is set on Sharons device as the default messaging application? (provide full APK name)
Answer: com.samsung.android.messaging. The answer can be found in the Android Application Roles artifact under android.app.role.SMS role.
Throwback
Q: Sharon is obsessed with dolphins. We remember she found her dolphin in Miami in 2023. While on vacation with Otto, Sharon found her dolphin! Where was her dolphin this time? List the locality and country. (i.e., Frederick, United States).
Answer: Quintana Roo, Mexico. Starting by searching for the keyword dolphin reveals a message Sharon sent to Russell on 07/15/2024. Using the timeline to filter the date, we can get an idea of what she was up to on the day. One of the image data being parsed under Samsung CMHProvider Images artifact contains location coordinates and the address “P.º de los Sentidos, 77730 Q.R., Mexico”.
This Is...
Q: Sharon and Russ work for Howee Dewit. They receive files to assist with marketing others’ businesses. Someone sent files and requested they be removed from the company repository. Sharon didn’t remove them. Instead, they were shared. Who was the last person to receive the files and when? Answer should be the individual's username/phone/email address and time in YYYY-MM-DD HH:MM:SS in UTC. NOTE - It' s only one identifer, the name, the email, or the username that specifically ties to the answer.
Answer: felix.davey@orange.fr, 2024-08-16 15:58:08. On Sharons device is an email from Heather requesting she remove files she had accidentally uploaded. Checking Android Google Drive Items we can see quite a few documents shared by hmahalik@gmail.com. Running a search for “drive.google.com” to find share links, leads to the link sent to Heather where she could make her uploads. Using that, we could now try to track the people Sharon shared the link with. On checking Otto, Russell and Felix’s device, the one with the confirmed received and latest date was Felix. Under EML(X) artifact was the email forwarded to him by Otto who had also received the link from Russell via WhatsApp but the timestamp was wrong. The Message Date (UTC) field had the send date which can be confirmed by the fact that it was the same date on Ottos device results. The actual date Felix received the email can be retrieved from the Headers field of the EML(X) artifact as shown in the last image below.
×
