The Magnet Capture The Flag event was held from February 27th to March 7th as part of their Virtual Summit. The CTF questions were divided into three groups: iOS, Android & Ciphers. This challenge will be solved with ArtiFast (Full Version). This is part 3 of 3, the Android section of the challenge.
Q: On what platform did Rocco share his Call of Duty Username?
Twitter. We can find the message he sent under Android Twitter Conversations.
Q: What Southern state's sports team did Rocco search up? (STATE ONLY)
Louisiana. Android Chrome Search Terms shows Rocco searched for “ragin cajuns football record”. They are a college football team that represents the University of Louisiana.
Q: What was Rocco's Twitter account name?
RoccoSachs96775. Parsed under Android Twitter Users.
Q: What is the SIM operator name?
Boost Mobile. The Android Device Last Sim artifact provides the IMSI number of the last SIM used. This is then used to look up the operator's name in the Android SIM Information artifact.
Q: What is the default Internet Browser?
Chrome. Checking the preferences files of the installed browsers, starting with Chrome, com.android.chrome_preferences.xml has the entry applink.chrome_default_browser set to true.
Q: What conference did Rocco show interest in?
Preppercon. There are entries under Android Google Search Terms for the conference, one of which was looking up the dates.
Q: What email is associated with the device?
roccotsachs@gmail.com. Found under Android Last Account artifact.
Q: How many messages were sent from Rocco in Twitter Direct Messages?
8 messages. Filtering out his user ID in Android Twitter Messages shows the answer.
Q: How many additional survival tips were provided in the $9 book Rocco was looking into?
72. Searching for the keywords "book", "tips" and "survival" finally yielded results from an Amazon visit under Android Chrome artifacts. We find the link to the book “How to Fight a Bear...and Win: And 72 Other Real Survival Tips We Hope You'll Never Need”.
Q: What city was the user in when they identified an AirTag on them?
Windsor. In Android Twitter Tweets, Rocco mentioned the AirTag after a user larissajenna9 “You're lucky I'm not also at the Ciao Cafe”. On Chadwick's device we see a screenshot of his chat with Rocco confronting him about the AirTag. The image contains a supermarket receipt; on closer look, the address has “Windsor ON” on it. We also find a screenshot of Rocco’s location, “Ciao Cafe”, which is also located in Windsor.
Q: What game did two beloved characters promote in an Ad?
Tom and Jerry: Chase. Ad video location is data/data/com.google.android.apps.tips/files/download/asset/83c4649ef9ea3b1825f2ee682accc363a31a0e5d.
Q: What was the new score achieved on the video game Rocco watched on YouTube?
5187. Chadwick tweeted about his new high score on the game with a link to the YouTube video.
Q: What fun outdoor activity location was searched for?
Big Water Campground. Found under Google Maps Search Queries.
Q: When was the last shutdown that was initiated by Rocco? (YYYY-MM-DD HH:MM:SS) UTC 24 hour time.
2023-12-28 23:47:29. Shutdown requests are logged under the Android Shutdown Checkpoints artifact.
Q: According to exCHANGEs in discord with Chad, what did Chad want back from Rocco?
Money. From the Discord messages exchanged between Chadwick and Rocco under Android Discord Chat Messages Artifact.
Q: What two sports did Rocco capture in a photo? (__ and __)
Golfing and Skiing.
Q: What is the most recent score in Subway Surfer?
1899. A snapshot of the game can be found here "data/system_ce/0/snapshots/256.jpg".
Q: What is the handle of the person who is talking about how upset they are with Rocco?
@larissajenna9. She tweeted about it.
Q: What did Rocco search in the App Store to download the app used to hide photos?
calculator vault. Found among the queries in Android Playstore Search History. Calculator vault is an application used to hide photos.
Q: What was added using Photoshop?
Success Sticker. Navigating to the Photoshop data folder, we find 2 images, one with "Next Time!" on it and the other without. But looking at the created timestamps, it seems the text was removed, not added. Searching through the device images, a similar one is found under the screenshots folder without the success sticker, and its timestamp is earlier than the other 2.
Q: When is Rocco's Bday? (YYYY-MM-DD)
1974-09-29. Pre-parsed Facebook results were provided. It holds the answer in the profile_information.html file.
Q: Shortly after logging into Facebook with IP address 72.38.231.98, a photo was taken. Where was this photo taken?
Devonshire Mall, 3100 Howard Ave Unit B7, Windsor, ON N8X 3Y8, Canada. Still using the provided Facebook data, a search for the IP address in the file ip_address_activity.html reveals the activity and its time of occurrence: Dec 27, 2023 11:16:01am. Looking through the device images for one taken shortly after, we find that PXL_20231227_163049844.jpg was taken about 14 minutes later. After obtaining the longitude and latitude information from the Exif artifact, the address is obtained.
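The time correlation in this last answer can be scripted. The following is an added example, not part of the original write-up or of ArtiFast. It assumes the Facebook export shows local time for Windsor (UTC-5 in December) and that Pixel `PXL_` filenames encode UTC; every filename in the sample listing other than PXL_20231227_163049844.jpg is constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumption: Facebook activity times are local to Windsor, ON (UTC-5 in December).
FB_LOCAL = timezone(timedelta(hours=-5))
# Pixel camera naming: PXL_YYYYMMDD_HHMMSSmmm, assumed here to be UTC.
PXL_RE = re.compile(r"PXL_(\d{8})_(\d{6})(\d{3})")

def parse_fb_time(text):
    """Parse e.g. 'Dec 27, 2023 11:16:01am' into an aware UTC datetime."""
    local = datetime.strptime(text, "%b %d, %Y %I:%M:%S%p")
    return local.replace(tzinfo=FB_LOCAL).astimezone(timezone.utc)

def parse_pxl_time(name):
    """Return the UTC capture time encoded in a PXL_ filename, or None."""
    m = PXL_RE.search(name)
    if not m:
        return None
    date, hms, ms = m.groups()
    dt = datetime.strptime(date + hms, "%Y%m%d%H%M%S")
    return dt.replace(microsecond=int(ms) * 1000, tzinfo=timezone.utc)

def first_photo_after(event_utc, names, window=timedelta(hours=1)):
    """Return (name, delay) for the earliest photo taken within `window`
    after the event, or None if no photo qualifies."""
    hits = []
    for name in names:
        taken = parse_pxl_time(name)
        if taken is not None and event_utc <= taken <= event_utc + window:
            hits.append((taken, name))
    if not hits:
        return None
    taken, name = min(hits)
    return name, taken - event_utc

# Constructed listing; only the second entry comes from the write-up.
PHOTOS = [
    "PXL_20231227_151502120.jpg",      # taken before the login
    "PXL_20231227_163049844.jpg",
    "PXL_20231227_171233007.jpg",      # inside the window, but later
    "Screenshot_20231227-112000.png",  # not a PXL_ name, skipped
]

if __name__ == "__main__":
    login = parse_fb_time("Dec 27, 2023 11:16:01am")
    print(login.isoformat(), first_photo_after(login, PHOTOS))
```

The filename timestamp is only a lead; the Exif capture time and GPS fields of the selected image remain the evidence to confirm against.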