Cellebrite is back with another CTF competition and this year's takes it up a notch. I want to start by giving major props to Heather, Paul, Ronen, Sahil and Ian for putting on a great competition.
Now lets get started with the walkthroughs. First up, is the Samsung Note 10 owned by "Heisenberg".
Evidence: https://d17k3c8pvtyk2s.cloudfront.net/CTF21/CTF21_Heisenberg_SM-N970U1_QualcommLive_2021-07-22.zip
Password: 02DB2ECE91DB67E8FA939FC3DC15D16B
Device Identification (10 points)
What is the Bluetooth MAC Address of the first vehicle Heisenberg's Android connected to?
Pulled from the file at the following path:
Dump\data\misc\bluedroid\bt_config.conf
We get bluetooth connections which we can easily see in the ALEAPP report below that the answer was "34:C7:31:F8:61:3B".
Figure 1: Bluetooth connections report in ALEAPP Application Analysis (10 Points)
Which website did Heisenburg look for guidance on how to mount a USB drive on his phone? (The answer should be the full website i.e www.XX.com)
We can look at the Chrome web history for guidance:
Dump\data\data\com.android.chrome\app_chrome\Default\History
A quick filter on "mount" and we get one entry, a Google search:
Figure 2: Chrome History report in ALEAPP
If we open the URL, we can see the top hit leads to a page on www.tomsguide.com.
Figure 3: Google search URL
Device Identification (10 points)
What Gmail account is set up on the device?
Let's open the file at the following path:
Dump\data\data\com.google.android.gm\shared_prefs\Gmail.xml
We see lots of references to the account heisenbergcarro@gmail.com.
Figure 4: Gmail account configuration
Application Analysis (20 points)
Who was the originator (friendly name) of the phrase “I plead the fifth” used on Heisenberg's Android?
The "easy" way was to do a searching Cellebrite Physical Analyzer to find where it is. It came from an email in Gmail via Reddit.
Figure 5: Gmail email with "I plead the fifth"
The "hard" way. Since we know it's in a Gmail email, we can open the database that contains emails:
Dump\data\data\com.google.android.gm\databases\bigTopDataDB.-1285600966
We can go to the "items" table and filter on the "item_summary_proto" column for "plead" we get one hit. Because this column is a protobuf blog we need to do a little more manipulation to make any sense of it. We can copy out the hex from DB Browser and put it into CyberChef, and use the recipe of From Hex > Protobuf Decode (
test it out here).
Figure 6: Protobuf parsed in CyberChef
Some assumptions can be made but we can see the sender information with the "friendly name" of Reddit.
Device Usage (20 points)
What is the date and time of Heisenberg’s confession/arrest? (Format YYYY-MM-DD HH:MM:SS)
This one took awhile for us to find but in the last hour or so of the CTF we came across it. The DCIM folder is the key to the answer found in the following file:
Dump\data\data\media\0\DCIM\Camera\20210720_150222.mp4
To summarize the video, the user films himself attempting to sell a stolen vehicle to a woman, who is found to be an undercover police officer. Towards the end he confesses and blames Beth.
Figure 7: Screencap of the suspected video
The only timestamp on the video was the modified date which was the answer, 2021-07-20 19:03:34.
Application Usage (20 points)
Which applications did Heisenberg use to secure (hide) files and/or pictures?
- SecureVault
- HideX
- Signal
- Anti Spy
Looking at the Installed Apps (Vending) report in ALEAPP, I didn't see anything for SecureVault so maybe it went by another name. I went to the next entry HideX to see where the application folder was. The main database can be found at the following path:
\Dump\data\data\com.flatfish.cal.privacy\databases\hidex.db
Navigating to the "p_lock_app" table, we can see some application names for WhatsApp and the Samsung Photo Gallery.
Because of the references to files and pictures in the question, my assumption of HideX being the answer worked out.
Settings and Notifications (20 points)
Notifications were visible on the lock screen while Heisenberg's Android was locked. What is the file that stores the Notification settings? Only the file name is needed. Not the full path.
Another question we really had to dig into the system files to find as no tools parse it out directly. With some direction from the
FOR585 poster we can see some secure settings found in the following file:
Dump\data\system\users\0\settings_secure.xml
The first thing we can see is the setting for lockscreen notifications which is set to true.
Figure 9: settings_secure.xml file
So the answer we are looking for is "settings_secure.xml".
Application Analysis (20 points)
Which website was accessed by the user on Heisenberg's Android using DuckDuckGo?
- tyga-auto-repairs.co.za
- tyga-aut0-repairs.co.za
- tyga-auto-repairs.com
- none of the above
The main database in the Duck Duck Go application folder is the following:
Dump\data\data\com.duckduckgo.mobile.android\databases\app.db
The only reference to anything with "tyga" in it was the "https_false_positive_domain" table which didn't seem relevant. I went with "
none of the above" which ended up being correct.
Internet Artifacts (20 points)
When and in which city did Heisenberg search for rental properties on his Android? (Answer Format: YYYY-MM-DD HH:MM:SS NameOfCity)
For starters we can look at search history and look for any entries about renting. Let's take a look at Chrome History:
Dump\data\data\com.android.chrome\app_chrome\Default\History
We only see one real hit for rentals on 5/16/2021.
Figure 10: Chrome search terms from ALEAPP
Photo metadata puts location in Virginia at the time between 5/16 and 5/20.
Figure 11: Photo metadata
Newport was tried but it was incorrect so Blacksburg was tried and that ended up working with the search timestamp of 2021-05-16 04:26:51 Blacksburg.
Application Analysis (20 points)
Heinsenberg has a clear interest in Crypto Currency. What is the Topic ID Hash for $ETH on his Android device?
- 1754651901
- -334710119
- 1584308133
- 1811015990
Performing a keyword search for $ETH in Physical Analyzer leads to a database file from Twitter at the following path:
Dump\data\data\com.twitter.android\databases\1378525099184291843-61.db
We'll want to look at the "interest_topic" table and filter for $ETH. We can see that the topic ID hash was 1811015990.
Figure 12: Twitter database
Device Identification (20 points)
On Heisenberg's Android, where else can you find the IMSI number on the device, other than the Checkin.xml file?
- netpolicy.xml
- mmssms.db
- telephony.db
- All of the Above
This was an easy one, let's go through each file one by one and see if we can find the IMSI number. The netpolicy.xml file is found at the following path:
Dump\data\system\netpolicy.xml
Opening in NotePad++ we can see the subscriber ID pretty clearly.
Figure 13: netpolicy.xml
Next up we can find the mmssms.db file at this path:
Dump\data\data\com.android.providers.telephony\databases\mmssms.db
In the "sms" table we can see "sim_imsi" column matches with what we found in the netpolicy.xml.
Figure 14: mmssms.db
Onto the telephony.db file which can be found here:
Dump\data\user_de\0\com.android.providers.telephony\databases\telephony.db
In the "siminfo" table, there is a column called "imsi" with the same number so our answer is definitely all the above.
Figure 15: telephony.db simminfo table
Application Analysis (50 points)
Heisenberg was looking for cars. Which vehicle did he not search for?
- Honda CRV
- Toyota Avalon
- Lexus ES
- Ford Escape
Hiesenberg had all sorts of car related applications installed on the phone from CarGurus to Autotrader but our answer lies in the CarFax application database found at the following path:
Dump\data\data\com.carfax.consumer\databases\room-ucl-db
Navigating to the "searchVehicles" table, we see a bunch of searches for Honda CRV, Toyota Avalon, and Lexus ES but none at all for Ford Escape, the answer.
Figure 16: CarFax room-ucl-db database
Logging (100 points)
How many times did Heisenberg's Android power off due to the battery being fully depleted between May and August? The answer must be an integer (i.e 4).
This one was tricky (and for good measure for the points). No tools parsed what we want so digging directly into file structure we first came across this folder that contains some really good logs on battery:
Dump\data\log\batterystats
Each "newbatterystats" file contains a listing of battery percentage as well as other actionable items such as screen state or wifi status. After a brief analysis we thought we had it narrowed down across all files with a "shutdown" search, showing 10 hits of entries with 000 as battery percentage, and a shutdown status.
Figure 17: batterystats
An alternative method that we later discovered was you could look at the following files:
Dump\data\log\power_off_reset_reason.txt
Dump\data\log\power_off_reset_reason_backup.txt
These seem to contain more logs about power status and boot startups. With a quick look we can narrow it down with a search to see 10 entries here too with a shutdown with no power.
Figure 18: power_off_reset_reason files