Blog >> Cellebrite CTF 2024 (Otto)

Solving Cellebrite CTF 2024 (Otto's iOS)

15/11/2024 Friday

Cellebrite's CTF follows up on Russell, Sharon, and Felix after Abe's arrest in last year's CTF. Things take a turn when a new character, Otto, goes missing on a cruise trip. This blog covers solutions for the questions related to Otto's iOS device using ArtiFast.


Artifacts Covered in this Challenge:


BOLO


Q: Investigators received a tip that a file could be critical to their investigation and would like you to locate and tag file(s) with the matching hash. Investigators were able to provide you with the MD5 hash: 2c89452167d58c9fee26facba4a4271d. How many times does this file appear across all devices?


Answer: 5. Applying the filter md5:=2C89452167D58C9FEE26FACBA4A4271D in the ArtiFast File View across all 4 cases returns the matches, which were found in Otto's case (4) and Sharon's case (1). This only works if the MD5 calculation option was selected when the case was created; otherwise the hash column is empty and the filter matches nothing.


Can You See Me?


Q: Is IMG_0517.JPEG visible within the Photos application camera roll on Otto’s device? (Answer "Yes" or "No")


Answer: Yes. Thanks to the queries provided by Scott Koenig, the Visibility State column under Apple Photos Assets Basic shows that IMG_0517.JPEG is visible.


???


Q: How did the user of Otto's phone save the file IMG_0517.JPEG?


Answer: Manually. The image is also associated with the name Resized_Snapchat-348354225_1721069242295.jpeg. In the Apple Photos Assets Basic artifact, the Syndication State column for it is set to 2-SyndPs-Manually-Saved_SWY_Synd_Asset.


All About That (Data) Base


Q: What database in Otto's phone provided the information indicating the media file ResizedSnapchat-3483542251721069242295.jpeg was added to the photos application camera roll via user actions? Include the file path and file extension of your answer. Assume the file path starts with /root/private/var/mobile/ and start your answer from there.


Answer: Library/Photos/Libraries/Syndication.photoslibrary/database/Photos.sqlite. The source of the previous question's answer is the Photos.sqlite file under the Syndication.photoslibrary folder.


Decode Or Nah?


Q: Is the database you located in question three about Resized_Snapchat-348354225_1721069242295.jpeg decoded in by Physical Analyzer? (Answer "Yes" or "No")


Answer: No. Answered by checking Cellebrite Physical Analyzer.


Peek-A-Boo


Q: Otto may be hiding something. How many media files found in *\PhotoData\Photos.sqlite is Otto trying to hide?


Answer: 7. This is the number of entries returned by the Apple Photos Hidden Assets artifact.


...


Q: What is the software version installed on the device that was used when IMG_4329.heic was captured? (Answer should contain numbers and periods only. E.g., 11.5.6)


Answer: 17.4.1. Searching for “IMG_4329.heic” shows that it was the original filename; the current filename, as seen below, is “IMG_0389.HEIC”. Searching for that name, the answer is found in the Software column of the EXIF artifact.


The Meme Stands On Its Own


Q: What is the bundle ID for the application used to import IMG_4329.heic into the photo library?


Answer: com.apple.sharingd. As seen in the “Imported By Bundle ID” column of the Apple Photos Assets Basic artifact.
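The Can You See Me?, ???, Peek-A-Boo and bundle ID questions above all come from the same Photos.sqlite columns. As an added example (not part of the original post or ArtiFast), the script below builds a constructed stand-in for the relevant tables and answers those four questions with plain SQL; the column names are assumed from Scott Koenig's public Photos.sqlite research, and every row value is sample data.

```python
import sqlite3

# Stand-in for the ZASSET / ZADDITIONALASSETATTRIBUTES subset of Photos.sqlite
# used above. Column names are assumed from Scott Koenig's public research;
# all row values are constructed sample data, not Otto's real database.
SCHEMA = """
CREATE TABLE ZADDITIONALASSETATTRIBUTES (Z_PK INTEGER PRIMARY KEY,
    ZORIGINALFILENAME TEXT, ZIMPORTEDBYBUNDLEIDENTIFIER TEXT);
CREATE TABLE ZASSET (Z_PK INTEGER PRIMARY KEY, ZFILENAME TEXT, ZHIDDEN INTEGER,
    ZVISIBILITYSTATE INTEGER, ZSYNDICATIONSTATE INTEGER, ZADDITIONALATTRIBUTES INTEGER);
"""
SAMPLE_ATTRS = [  # (Z_PK, original filename, importing bundle id)
    (1, "Resized_Snapchat-348354225_1721069242295.jpeg", None),
    (2, "IMG_4329.heic", "com.apple.sharingd"),
    (3, "IMG_0001.HEIC", None),
]
SAMPLE_ASSETS = [  # (Z_PK, filename, hidden, visibility, syndication, attrs fk)
    (1, "IMG_0517.JPEG", 0, 0, 2, 1),
    (2, "IMG_0389.HEIC", 0, 0, 0, 2),
    (3, "IMG_0001.HEIC", 1, 0, 0, 3),
]
SYNDICATION_LABELS = {2: "2-SyndPs-Manually-Saved_SWY_Synd_Asset"}  # from the ??? question

def open_sample_db():
    """Build the constructed database in memory."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO ZADDITIONALASSETATTRIBUTES VALUES (?,?,?)", SAMPLE_ATTRS)
    conn.executemany("INSERT INTO ZASSET VALUES (?,?,?,?,?,?)", SAMPLE_ASSETS)
    return conn

def asset_report(conn, filename):
    """Visibility, syndication, original name and importer for one ZFILENAME."""
    row = conn.execute(
        """SELECT a.ZVISIBILITYSTATE, a.ZSYNDICATIONSTATE,
                  x.ZORIGINALFILENAME, x.ZIMPORTEDBYBUNDLEIDENTIFIER
           FROM ZASSET a
           LEFT JOIN ZADDITIONALASSETATTRIBUTES x ON x.Z_PK = a.ZADDITIONALATTRIBUTES
           WHERE a.ZFILENAME = ?""", (filename,)).fetchone()
    if row is None:
        return None
    vis, synd, orig, bundle = row
    return {"visible": vis == 0,  # 0 = visible in camera roll (assumed mapping)
            "syndication": SYNDICATION_LABELS.get(synd, str(synd)),
            "original_filename": orig, "imported_by": bundle}

def hidden_count(conn):
    """Number of assets flagged hidden, i.e. the Peek-A-Boo count."""
    return conn.execute("SELECT COUNT(*) FROM ZASSET WHERE ZHIDDEN = 1").fetchone()[0]
```

Point the same queries at a real Photos.sqlite copy (from both the PhotoData and Syndication libraries) to reproduce the tool's columns without depending on the parser having decoded the database.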


Caption This!


Q: When Otto finished breakfast, he wanted to describe the scene captured with IMG_0323.HEIC. What is the phrase he used to describe and caption the moment? (Answer should be copied exactly as it's found including any spaces, punctuation, or special characters)


Answer: Breakfast. Done. Search for the image name; the answer is in the Long Description column of the Apple Photos Asset Comments artifact.


HDD In The Sky


Q: Are Otto’s photos being synced via iCloud Photos Synced Data? (Answer "Yes" or "No")


Answer: Yes. Under the Apple AccountsD Cloud Service Enable Log artifact, we can see that the service type CPL (Cloud Photo Library) is enabled.


On/Off/On


Q: When was iCloud Photos Sync last turned on?


Answer: 2023-08-31 03:17:33. In the same log used for the previous answer, the most recent entry shows CPL (Cloud Photo Library) being enabled at this timestamp.


The 1 W


Q: Where was Otto on August 10, 2024 around 13:44 UTC? Answer must be in the format of Street name, City, State (e.g., Orange St, Nantucket, MA).


Answer: Eaglehead Drive, Linganore, MD. Selecting the location-related artifacts and filtering the timeline to the date in question places Otto in Linganore-Bartonsville, Maryland. The coordinates pointed to two streets, Lake Linganore Blvd and Eaglehead Drive. Although I arrived at the address “Eaglehead Drive, Linganore-Bartonsville, MD”, the answer field accepted only Linganore, not Linganore-Bartonsville. MD is the abbreviation for Maryland.


Need. Juice.


Q: Shortly after 10:00 PM local time, what was Otto’s battery percentage on 2024-08-23? Answer should be a whole number. Round if applicable.


Answer: 33. First, filter the timeline to the date to get an idea of where Otto's device was on that day. It shows him in Salt Lake City, Utah, which gives the timezone GMT-7. Converting the given local time to UTC gives 2024-08-24 5:00. Checking that date and time in the Apple Powerlog Battery Level artifact shows the answer.


Where's Waldo?


Q: Otto went on a cruise. Which island did he visit on July 17, 2024?


Answer: Jamaica. I could not find a specific location on Otto's device, but we already knew he was with Sharon and she tagged him multiple times on Facebook. Filtering the artifacts of her device for that day gives multiple image artifacts with location data. Checking the coordinates of one of the images from the EXIF artifact in Google Maps gives the correct answer.