Magnet User Summit 2022 CTF - iPhone

This year's phone of choice for the Magnet User Summit CTF was something special: an iOS 15 GrayKey image, which most people outside law enforcement never get a chance to analyze.

Personal List!

How many items were on Patrick's shopping list?

When lists come to mind on iOS I think Apple Notes. They live at the following path:

private\var\mobile\Containers\Shared\AppGroup\B7A0EA29-86E3-464A-B2A4-D4199FAD7FA5\NoteStore.sqlite

We can parse the database in DB Browser or just take a look at the report from iLEAPP. We can see one note titled "Grocery list" that had 4 items:

  1. Energy drinks
  2. Bread
  3. Hand soap
  4. Birthday card
Figure 1: Notes in iLEAPP report

Cache Me if You Can

What was the last position of the phone? Flag should be formatted like the following: XX.XXXXXXXX, -XX.XXXXXXXX

Per the SANS FOR585 poster, you can find cached location data in the RoutineD area:

private\var\mobile\Library\Caches\com.apple.routined\Cache.sqlite

Inside the "ZRTCLLOCATIONMO" table we see cached locations with latitude and longitude coordinates along with a timestamp. With a simple SQLite query we can see that the last position was 38.84412765, -77.28686523.

Figure 2: RoutineD Cache.sqlite in DB Browser
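As an added illustration (not part of the original writeup), here is that "last position" query run from Python over a constructed ZRTCLLOCATIONMO table. The column names ZTIMESTAMP, ZLATITUDE and ZLONGITUDE follow the table's Core Data naming and are an assumption here; the Cocoa epoch offset converts the stored seconds-since-2001 into a readable UTC time, and the rows are deliberately inserted out of time order to show why sorting on the timestamp rather than the row id matters.

```python
import sqlite3

# Seconds between the Unix epoch (1970-01-01) and the Core Data / Cocoa epoch (2001-01-01)
COCOA_EPOCH_OFFSET = 978307200

# Constructed sample rows: (ZTIMESTAMP in Cocoa seconds, latitude, longitude).
# Not from the CTF image; the newest fix is intentionally not the last row inserted.
SAMPLE_ROWS = [
    (663336000.0, 38.90000000, -77.03000000),
    (663422400.0, 38.84412765, -77.28686523),   # newest fix: 2022-01-09 12:00:00 UTC
    (663249600.0, 38.85000000, -77.10000000),
]


def load_sample_cache():
    """Build an in-memory stand-in for routined's Cache.sqlite (assumed column names)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE ZRTCLLOCATIONMO ("
        "Z_PK INTEGER PRIMARY KEY, ZTIMESTAMP REAL, ZLATITUDE REAL, ZLONGITUDE REAL)"
    )
    con.executemany(
        "INSERT INTO ZRTCLLOCATIONMO (ZTIMESTAMP, ZLATITUDE, ZLONGITUDE) VALUES (?, ?, ?)",
        SAMPLE_ROWS,
    )
    return con


def last_position(con):
    """Return (utc_string, lat, lon) for the most recent cached location."""
    return con.execute(
        "SELECT datetime(ZTIMESTAMP + ?, 'unixepoch') AS utc, ZLATITUDE, ZLONGITUDE "
        "FROM ZRTCLLOCATIONMO ORDER BY ZTIMESTAMP DESC LIMIT 1",
        (COCOA_EPOCH_OFFSET,),
    ).fetchone()


def flag_format(lat, lon):
    """Render coordinates in the CTF's XX.XXXXXXXX, -XX.XXXXXXXX format."""
    return f"{lat:.8f}, {lon:.8f}"


if __name__ == "__main__":
    utc, lat, lon = last_position(load_sample_cache())
    print(utc, flag_format(lat, lon))
```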

Take your left shoe off... Now put it back on

When was the last reboot performed? Answer is a local timestamp in military format (ex. YYYY-MM-DD HH:MM:SS)

Mobile Installation logs provide a list of timestamps when the phone was rebooted. iLEAPP makes this a cake walk. The last reboot was on 2022-02-14 11:44:13.

Figure 3: Mobile Installation Logs in iLEAPP

Red or Alive

What time was Patrick's Reddit account created? Flag is UTC and formatted in military time: HH:MM:SS

First you need to find where the Reddit folder lives on the forensic image. From the SANS iOS Third-Party apps poster and in correlation with the iLEAPP Bundle report it lives in:

private\var\mobile\Containers\Shared\AppGroup\C0D4CE88-705C-4BBD-9900-0CC64DAF8243

Inside the "Library\Application Support\accounts" folder were some extension-less files which appear to be related to account details, as listed on the SANS poster.

Figure 4: Reddit account files

The file is actually a serialized plist that we can deserialize (for easier reading, use Yogesh's). Inside it we can see an account-created timestamp.

Figure 5: Account created timestamp for Reddit

Because we are just looking for the time the answer is 21:59:38 UTC.

Hanging on by a thread

Which application was uninstalled?

We can once again get this from the Mobile Installation logs through iLEAPP. We can see there is only one app that was uninstalled.

Figure 6: Mobile Installation logs - Uninstalled report in iLEAPP

A quick Google search for the bundle name com.tencent.xin reveals the app was WeChat.

Was the message Redd(it)?

What was the content of the message in the last notification received from Reddit?

Notifications live in the plist found at the path:

private\var\mobile\Library\UserNotifications\Library.plist

iLEAPP of course makes quick work of this one too: filter the report for Reddit-specific notifications and sort by timestamp. The last notification was for "Kornbread and Jorgeous are still Making Fun of Cynthia's Car Crash..."

Figure 7: iOS Notification report for Reddit in iLEAPP

Pigment of your imagination

What is the hex code of the color assigned to work events? Format: #XXXXXXXX

The calendar file of interest is found at the path:

private\var\mobile\Library\Calendar\Calendar.sqlitedb

iLEAPP for the win again: the color code assigned to Work events, in hex, was #CC73E1FF.

Figure 8: Calendar list report in iLEAPP

To infinity, and beyond!

What alarm sound did Patrick choose?

Alarm details are found inside a plist at the path:

private\var\mobile\Library\Preferences\com.apple.mobiletimerd.plist

Guess what, iLEAPP pulls these details too. The sound for Patrick's alarm was "Radar".

Figure 9: Alarm report in iLEAPP

Sponsored post

How many promotion emails were left unread?

The Gmail database of interest was found at the path:

private\var\mobile\Containers\Data\Application\84B8DB80-7562-444A-9296-D4D23A12BCE9\Library\Application Support\data\pbentley0107@gmail.com\sqlitedb

The table of interest was "label_counts", where the "label_server_perm_id" column identifies each label.

Figure 10: Gmail label details in DB Browser for SQLite

Oddly enough, two rows show for "promo" with the same unread count, so the answer was 21. Because I wanted to make everyone's life easier, I made a simple parser for iLEAPP (like a few others in this writeup) to pull out label details.

Figure 11: Gmail label details report in iLEAPP

Oddly enough, iLEAPP takes the -wal file into account, which gives a different answer of 23 unread. I know 21 was accepted during the live competition so maybe both were accepted at some point.
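The 21 versus 23 discrepancy is exactly what a write-ahead log causes. This added Python demo (not from the writeup, iLEAPP or the Gmail app) builds a throwaway database with a constructed messages table, commits 21 rows into the main file, switches to WAL mode, commits 2 more rows that only exist in the -wal, and then counts rows from a copy of the main file alone versus the original with its -wal beside it:

```python
import os
import shutil
import sqlite3
import tempfile


def count_unread_promo(db_path):
    """Count unread 'promo' rows as SQLite sees them at db_path (including any -wal next to it)."""
    con = sqlite3.connect(db_path)
    try:
        return con.execute(
            "SELECT COUNT(*) FROM messages WHERE label = 'promo' AND unread = 1"
        ).fetchone()[0]
    finally:
        con.close()


def wal_demo():
    """Return (count from the main file alone, count with the -wal present)."""
    workdir = tempfile.mkdtemp()
    db = os.path.join(workdir, "sqlitedb")          # constructed stand-in, not the Gmail schema
    con = sqlite3.connect(db)
    con.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, label TEXT, unread INTEGER)")
    con.executemany("INSERT INTO messages (label, unread) VALUES (?, ?)", [("promo", 1)] * 21)
    con.commit()                                    # rollback-journal mode: pages land in the main file
    con.execute("PRAGMA journal_mode=WAL")          # from here on, commits go to sqlitedb-wal first
    con.execute("PRAGMA wal_autocheckpoint=0")      # keep them in the WAL until we are done
    con.executemany("INSERT INTO messages (label, unread) VALUES (?, ?)", [("promo", 1)] * 2)
    con.commit()

    # Simulate an extraction or copy that picked up only the main database file
    copy_dir = os.path.join(workdir, "main_only_copy")
    os.mkdir(copy_dir)
    shutil.copy(db, os.path.join(copy_dir, "sqlitedb"))
    try:
        without_wal = count_unread_promo(os.path.join(copy_dir, "sqlitedb"))
        with_wal = count_unread_promo(db)           # sqlitedb-wal sits next to this one
    finally:
        con.close()
        shutil.rmtree(workdir, ignore_errors=True)
    return without_wal, with_wal


if __name__ == "__main__":
    print("main file only: %d unread, with -wal: %d unread" % wal_demo())
```

When carving or copying SQLite databases from an image, always bring the -wal (and -shm) files along, or the newest committed rows never show up in the result.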

Poor Reception

When did the cellular service of this device expire? Format: DD/MM/YY

This one took me forever to find. At first I was thinking there was some sort of plist or configuration file somewhere that contained SIM card details, but everywhere I looked I couldn't find what I was expecting.

Lo and behold, after pondering for a bit and looking at the SMS database, there was a text from Total Wireless. You had to do some math to determine that cell service would expire 1 day after the message date, which in the proper format is 05/02/22.

Figure 12: SMS report in iLEAPP

The SMS database lives at:

private\var\mobile\Library\SMS\sms.db

TLDR: Kigurumis are scary

What animal was Patrick's Reddit avatar wearing?

The context of the question threw me off. I previously saw an email from Reddit in the Gmail search that showed the user name for Reddit was "pogprogrammer".

Figure 13: Reddit email from Gmail

The current avatar was wearing a dog (a doge) outfit, but that was incorrect because of the past-tense verbiage in the question.

Figure 14: current Reddit avatar

Back to the drawing board, I took a look at the file system folder again for Reddit found here:

private\var\mobile\Containers\Shared\AppGroup\C0D4CE88-705C-4BBD-9900-0CC64DAF8243\Library\Application Support\accounts

In the same file we looked at earlier, we can see the avatar URL in the plist.

Figure 15: PogProgrammer user details

If you head to the URL (https://i.redd.it/snoovatar/avatars/4087a416-0590-445b-ac6a-28b3e810b763.png) you can see that Patrick's old Reddit avatar was actually an owl.

Figure 16: Old avatar for Reddit

A day without sunshine

What is the name of the GIF which was sent to Patrick in a message on Bumble? Answer is three words

While prepping for the in-person CTF I did some extra work looking at certain applications that stuck out to me as potential evidence areas, and Bumble was one of them. Since no commercial tool parsed Bumble chat messages, I figured I'd make something for iLEAPP anyhow.

The database of interest was found at:

private\var\mobile\Containers\Data\Application\F6664A1F-E4CE-412A-B6F6-825A08EDCC34\Library\Caches\Chat.sqlite

The "data" column of the "database2" table holds embedded plist blobs. To save time you can read my research here. From the iLEAPP report you can see only one URL (https://giphy.com/embed/cXCVTR1wUn1a8).

Figure 17: Bumble chat messages in iLEAPP

You can either pull the name from the tab title bar or click on the GIF to head to the main page for the image, "Thirsty Steve Martin".

Locate how you spend your time

Which application had the most amount of screentime?

From experience, I knew that screentime was tracked in the KnowledgeC database at:

private\var\mobile\Library\CoreDuet\Knowledge\knowledgeC.db

A simple query groups the /app/inFocus entries by app bundle and sums the duration of each entry in seconds.

select
    zobject.zvaluestring as App_Bundle,                          -- bundle ID of the app that was in focus
    sum(zobject.zenddate - zobject.zstartdate) as Usage_Seconds  -- start/end are Cocoa timestamps in seconds, so the difference is a duration
from zobject
where zobject.zstreamname = '/app/inFocus'                       -- only the foreground-app stream
group by zobject.zvaluestring
order by Usage_Seconds desc;

We can see that the Bumble app had the most screentime.

Figure 18: KnowledgeC app inFocus SUM in DB Browser for SQLite

What the .heic?

Which cardinal direction was Patrick moving when he took a live photo?

User-created photos and videos are found in the DCIM folder at the path:

private\var\mobile\Media\DCIM\100APPLE

There was only one photo that was a live photo. We can tell this because there was only one .MOV file that also had the same name as the photo, IMG_0002. Opening the photo and zooming in gives a building and partial address to work with.

Figure 19: IMG_0002 from DCIM

Google Maps shows the location as The EDGE Sports & Fitness, 142 West Twin Oaks Terrace, South Burlington, VT. Using street view we can line up the door with how it looked in the Live Photo. Since the user was moving backwards while filming, they were going away from the door directionally.

Figure 20: The EDGE via Google Maps

The user was moving East.

Location, Location, Location

What time did Patrick first search for a website that would reveal his IP address? Local Time DD/MM/YY HH:MM:SS

On an iPhone, the most common place to look for web search history is in Safari. We can find the database of interest at:

private\var\mobile\Library\Safari\History.db

For ease of use, I looked at the iLEAPP report for Search Terms to see one entry that fit the mold for the question. "whatsmyip.com" had a visit timestamp of 2022-01-21 20:42:23 UTC. But we're not looking for the visit timestamp, we are looking for the first search timestamp. For this we can take the correlated URL visited and enter it into Ryan Benson's Unfurl tool.

https://www.google.com/search?q=whatsmyip.com&client=safari&hl=en-us&ei=MiXkYc-ZMLOfptQPgvCg2Ak&oq=whatsmyip.com&gs_lcp=ChNtb2JpbGUtZ3dzLXdpei1zZXJwEAMyBQgAEIAEMgUIABCABDIFCAAQgAQyBwgAEIAEEAoyBggAEAoQHjIECAAQHjIGCAAQChAeMgQIABAeOgcIABBHELADOg0ILhDHARCjAhCwAxBDOgcIABCwAxBDOg4IABCPARDqAhCMAxDlAjoFCAAQkQI6DgguEIAEELEDEMcBENEDOgsILhCABBDHARCjAjoOCC4QgAQQsQMQxwEQowI6CwguEIAEELEDEIMBOhEILhCABBCxAxCDARDHARDRAzoECAAQQzoLCC4QgAQQxwEQrwE6BwgAELEDEEM6CAgAEIAEELEDOgoIABCxAxCDARBDOgcILhCABBAKOggIABCxAxCDAToLCAAQgAQQsQMQgwE6BAgAEAM6CAgAEIAEEMkDOgUIABCSAzoLCAAQgAQQsQMQyQM6BwgAELEDEAo6CggAELEDEIMBEApKBAhBGABQ7A9YuEdg4lBoCnABeACAAasBiAGlDJIBBDE0LjOYAQCgAQGwAQ_IAQvAAQE&sclient=mobile-gws-wiz-serp

It expands to a lot of different fields, but one in particular is the timestamp of the search, "ei Timestamp".

Figure 21: URL search in Unfurl

If you use the command-line version it will auto-convert it for you.

Figure 22: URL search in Unfurl CLI

Be aware that this is in UTC and the question asked for local time, so we have to offset it by 5 hours as the phone's timezone was Eastern Standard Time. In the proper format the answer was 16/01/22 09:01:22.
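As an added example (not part of the original writeup or of Unfurl itself), this Python snippet reproduces the "ei Timestamp" decode on the URL above: the ei value is URL-safe base64 without padding, its first four decoded bytes are a little-endian Unix timestamp, and the helper then applies the -5 hour Eastern offset to produce the CTF's DD/MM/YY HH:MM:SS format.

```python
import base64
import struct
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# The Safari search URL from the writeup, trimmed to the parameters that matter here
SEARCH_URL = (
    "https://www.google.com/search?q=whatsmyip.com&client=safari&hl=en-us"
    "&ei=MiXkYc-ZMLOfptQPgvCg2Ak&oq=whatsmyip.com"
)


def decode_ei(ei):
    """Return the UTC datetime embedded in a Google 'ei' parameter.

    The first four bytes of the base64url-decoded value hold the search time as a
    little-endian 32-bit Unix timestamp; the trailing bytes are ignored here.
    """
    padded = ei + "=" * (-len(ei) % 4)          # restore the padding Google strips
    raw = base64.urlsafe_b64decode(padded)
    (unix_ts,) = struct.unpack("<I", raw[:4])
    return datetime.fromtimestamp(unix_ts, tz=timezone.utc)


def search_time_from_url(url, utc_offset_hours):
    """Pull ei out of a search URL and render it in local time as DD/MM/YY HH:MM:SS."""
    query = parse_qs(urlparse(url).query)
    when_utc = decode_ei(query["ei"][0])
    local = when_utc.astimezone(timezone(timedelta(hours=utc_offset_hours)))
    return local.strftime("%d/%m/%y %H:%M:%S")


if __name__ == "__main__":
    print("UTC:  ", decode_ei("MiXkYc-ZMLOfptQPgvCg2Ak").isoformat())
    print("Local:", search_time_from_url(SEARCH_URL, -5))   # Eastern Standard Time
```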