Cellebrite CTF 2021 - Marsha's Backup

Previous: Heisenberg's Android | Beth's iPhone | Marsha's iPhone | Marsha's PC

The last piece of evidence for the CTF is Marsha's Backup. No download link was provided for it, but an iTunes backup of the iPhone is present inside the forensic image of Marsha's PC at the following path (the 40-character directory name is the device UDID):

C:\Users\marsh\Apple\MobileSync\Backup\efa747380975b4d412f13c149ffae7d09614393c

Native Applications (20 points)

A text shortcut/replacement was set on Marsha's device, what was the shortcut for the full phrase? (your answer must only be the shortcut)

There are a few free tools that are helpful for browsing iTunes backups. I like to use iCopyBot's iBackupBot. After loading the backup we can navigate to the following path:

System Files\KeyboardDomain\Library\Keyboard\textReplacements.cache

A single text replacement is present: the phrase "On my way!" is expanded from the shortcut "onw".

Figure 1: textReplacements.cache

General Identifiers (10 points)

What phone numbers were used by Marsha on the iPhone X? (Make sure to enter the + and country code and use the delimiter "and" in between the answer - ie, +17032226666 and +13012224444)

Subscriber information can be found in the database at the path:

System Files\WirelessDomain\Library\Databases\CellularUsage.db

Opening it in DB Browser we can go to the "subscriber_info" table to see two different mobile device numbers, +19735203731 and +12068996918.
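Both of the lookups above (the keyboard cache and CellularUsage.db) rely on the same backup layout: iOS names each backed-up file by the SHA-1 of "domain-relativePath", shards it into a subdirectory named by the first two hex characters, and records the mapping in Manifest.db. The script below is an added example, not code from the write-up or from any Cellebrite or iCopyBot tool. It builds a small constructed backup (a Manifest.db with two entries and a fake CellularUsage.db with two invented numbers), resolves the CellularUsage.db path through the manifest, and reads subscriber_info. The subscriber_info column names (subscriber_id, subscriber_mdn, last_update_time) and the Cocoa epoch for last_update_time are assumptions taken from commonly documented schemas, not from the page.

```python
"""Locate files in an iTunes backup via Manifest.db and list subscriber MDNs.

Added example with constructed sample data; not the write-up's own code.
"""
import hashlib
import os
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone

# iOS stores many timestamps as seconds since 2001-01-01 UTC (assumption for this column)
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def backup_file_id(domain: str, relative_path: str) -> str:
    """Backup file name = SHA-1 of '<domain>-<relativePath>' (hex)."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode()).hexdigest()


def on_disk_path(backup_dir: str, file_id: str) -> str:
    """iOS 10+ backups shard files into subfolders named by the first two hex chars."""
    return os.path.join(backup_dir, file_id[:2], file_id)


def find_in_manifest(manifest_db: str, domain: str, relative_path: str):
    """Look a file up in Manifest.db's Files table; return its fileID or None."""
    con = sqlite3.connect(manifest_db)
    try:
        row = con.execute(
            "SELECT fileID FROM Files WHERE domain = ? AND relativePath = ?",
            (domain, relative_path),
        ).fetchone()
    finally:
        con.close()
    return row[0] if row else None


def subscriber_numbers(cellular_usage_db: str):
    """Return (mdn, last_update ISO-8601 UTC) pairs from subscriber_info."""
    con = sqlite3.connect(cellular_usage_db)
    try:
        rows = con.execute(
            "SELECT subscriber_mdn, last_update_time FROM subscriber_info "
            "ORDER BY last_update_time"
        ).fetchall()
    finally:
        con.close()
    return [(mdn, (COCOA_EPOCH + timedelta(seconds=ts)).isoformat()) for mdn, ts in rows]


def list_numbers_from_backup(backup_dir: str):
    """Resolve CellularUsage.db through the manifest, then read the MDNs."""
    fid = find_in_manifest(os.path.join(backup_dir, "Manifest.db"),
                           "WirelessDomain", "Library/Databases/CellularUsage.db")
    return [] if fid is None else subscriber_numbers(on_disk_path(backup_dir, fid))


def build_sample_backup(root: str) -> str:
    """Create a minimal constructed backup: Manifest.db plus one hashed file."""
    backup_dir = os.path.join(root, "0000000000000000000000000000000000000000")  # fake UDID
    os.makedirs(backup_dir)
    man = sqlite3.connect(os.path.join(backup_dir, "Manifest.db"))
    man.execute("CREATE TABLE Files (fileID TEXT PRIMARY KEY, domain TEXT, "
                "relativePath TEXT, flags INTEGER, file BLOB)")
    for domain, rel in [("KeyboardDomain", "Library/Keyboard/textReplacements.cache"),
                        ("WirelessDomain", "Library/Databases/CellularUsage.db")]:
        man.execute("INSERT INTO Files VALUES (?,?,?,?,?)",
                    (backup_file_id(domain, rel), domain, rel, 1, None))
    man.commit()
    man.close()
    # Fake CellularUsage.db stored under its hashed name; numbers are invented.
    path = on_disk_path(backup_dir, backup_file_id("WirelessDomain",
                                                    "Library/Databases/CellularUsage.db"))
    os.makedirs(os.path.dirname(path))
    cu = sqlite3.connect(path)
    cu.execute("CREATE TABLE subscriber_info (subscriber_id TEXT PRIMARY KEY, "
               "subscriber_mdn TEXT, last_update_time REAL)")
    cu.executemany("INSERT INTO subscriber_info VALUES (?,?,?)",
                   [("sim-1", "+12065550100", 630_000_000.0),
                    ("sim-2", "+19735550199", 632_000_000.0)])
    cu.commit()
    cu.close()
    return backup_dir


def demo():
    """Build the constructed backup in a temp dir and return the parsed numbers."""
    with tempfile.TemporaryDirectory() as tmp:
        return list_numbers_from_backup(build_sample_backup(tmp))


if __name__ == "__main__":
    for mdn, updated in demo():
        print(mdn, updated)
```

Pointed at a real backup directory, `list_numbers_from_backup` works unchanged for an unencrypted backup; for an encrypted backup Manifest.db itself is encrypted and must be decrypted with the backup password first. The manifest lookup is also the reliable way to confirm an artifact is absent rather than just misplaced: if a domain/relativePath pair has no row, the file was not backed up.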

Figure 2: subscriber information

Location Artifacts (10 points)

When was Marsha in Washington County, Oregon? State the answer as YYYY-MM-DD.

A Google search provides a better idea of where Washington County is, right outside of Portland.

Figure 3: Washington County in Google Maps

I ended up loading the backup into Physical Analyzer and checking the parsed Locations map, zooming in on that area. There was only one entry there, pulled from a Waze database, putting the device in Washington County on 2020-12-26.

Figure 4: Parsed Locations in Physical Analyzer

Health and Exercise (20 points)

How many steps did Marsha take on December 22, 2020? (enter the answer as an integer - ie 15).

The usual Health databases weren't present because they are only included in an encrypted backup, and this one was not encrypted. By chance I was looking for screenshots in the images and came across three different pictures with Health information. The one with a file date of 12/23/2020 00:37:30 showed 9,683 steps and an on-screen time of 9:37 PM. For some reason this was not accepted as the answer, so I went back to the previous picture, dated 12/23/2020 00:07:33, which showed 6,410 steps and an on-screen time of 9:07 PM. I'm not sure why the first answer wasn't correct, but we ended up getting it right anyhow. Note the consistent three-hour gap between the file timestamps and the clock visible in the screenshots: the tool appears to display file times in a different time zone from the device, so both screenshots were taken on the evening of December 22 in local time.

Figure 5: Health screenshot IMG_0117.PNG

Application Analysis (20 points)

On March 3, 2021 at 7:38AM local time Marsha received a notification. What is the first word listed for that notification?

Sticking with the images, we can filter by that date and time and find a screenshot of the lock screen showing a Twitter notification. The first word of the notification is "Recommended".

Figure 6: Twitter notification

Settings and Notifications (20 points)

What sound was detected by the device on January 2, 2021 at 9:18PM local time?

Screenshots seem to be a theme. Looking for photos around that timestamp turns up only one, dated 1/5/2021, but it shows a stack of Sound Recognition notifications. The notification in question is stamped Saturday at 9:18 PM, and the calendar confirms that 1/2/2021 was a Saturday. The sound detected at 9:18 PM was "Baby Crying".

Figure 7: Sound Recognition notification

And that is all the write-ups for the 2021 Cellebrite CTF. A big thank you to the team from Cellebrite for putting this on as well as a shout out to my awesome teammates, Eric and Josh. Looking forward to the next one!