Magnet User Summit 2023 CTF - Android (Part 1)

Previous: Cipher | Android (Part 2)

I was a bit anxious to get my hands on a new Android image because it's one of my favorite types of evidence to examine. This year's onsite Magnet User Summit CTF used another Pixel image with a plethora of questions to answer. As such I have broken the writeup into two parts, the first covering 21 questions ranging from 5-10 points. The second covers 18 questions ranging from 15-75 points. Here is part one:

Evidence: Google Pixel 3a XL

Tools Used:

ALEAPP v3.1.7

Magnet AXIOM v7.0

Timeline Explorer v1.3.0.0

So much social media... Need a good handle... (5 points)

What username was used for Twitter?

This information can be found in two locations:

data\system_ce\0\accounts_ce.db

data\system_de\0\accounts_de.db

Both show listings for Twitter authentication. We can see the account name used was "LTina1900".

Figure 1: Accounts_ce report in ALEAPP

Generic web surfing (5 points)

What was the default browser used on this device?

The device was Android and a Google Pixel, so I just assumed the answer was Chrome, and it was. You could also look at the Installed Apps report and check for other browsers; there were none.

64 bits of cellular privileges... (5 points)

What is the IMSI of this device?

The IMSI can be found in many files but for this we can go to:

data\data\com.android.providers.telephony\databases\telephony.db

The Device Info report in ALEAPP parses this and shows only one IMSI, "272023204347291".

Figure 2: Device Info report in ALEAPP

Out with the old and in with the new! (5 points)

What version of Android was on the system?

In ALEAPP you can see this information on Report Home > Case Information > Device details or inside the Usage Stats > OS Version report. Via Usage Stats we can see the version was "12".

data\system_ce\0\usagestats\version

Figure 3: Usage Stats > OS Version report in ALEAPP

Let's address this question (5 points)

What is the bluetooth mac address of this device?

Bluetooth adapter settings reside at the path:

data\misc\bluedroid\bt_config.conf

In the Bluetooth Adapter Information report in ALEAPP we see the bluetooth MAC address was "58:cb:52:4e:67:55".

Figure 4: Bluetooth Adapter Information report in ALEAPP

Somebody is picky! (5 points)

What timezone was selected for the user's Calendar?

The calendar database file can be found at:

data\data\com.android.providers.calendar\databases\calendar.db

Parsing it out in ALEAPP we can see the timezone was set to "UTC" for the only calendar available.

Figure 5: Calendar report in ALEAPP

Wa-was that a gh-gh-ghost? (5 points)

What is the Android ID of this device?

In ALEAPP, the Device Info > Settings_Secure_0 report shows this pulled from:

data\system\users\0\settings_secure.xml

The answer is "b00fd41a87f574ce".

Figure 6: Device Info > Settings_Secure_0 report in ALEAPP

Built Different (5 points)

What is the build version of this device?

The build version can also be pulled from Usage Stats:

data\system_ce\0\usagestats\version

In the Usage Stats > OS Version report in ALEAPP we see the build version was "8177914".

Figure 7: Usage Stats > OS Version report in ALEAPP

Charge your devices! (5 points)

What was the last recorded battery percentage of this device?

I was sure that the answer was to be pulled from the Device Health Services > Turbo - Phone Battery report (because I wrote it!) but the answer didn't work. So I went to my second option, the battery location in the Settings Services report (which I also wrote), which is pulled from:

data\data\com.google.android.settings.intelligence\databases\battery-usage-db-v4

The last percentage was 78.

Figure 8: Settings Services - Battery Usage report in ALEAPP

What is three's address? (5 points)

What phone number sent the most Android SMS messages?

SMS messages can be found at the database at path:

data\data\com.android.providers.telephony\databases\mmssms.db

You can either count the messages per address and see which address has the highest sender count, or you can do it another way: because ALEAPP exports reports in TSV format as well as HTML, we can open the SMS message TSV file in Timeline Explorer and group on the Address column.

Figure 9: SMS message TSV report from ALEAPP in Timeline Explorer

As you can see the number "50333" had the most sent messages with 11.
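The same grouping done directly against the sms table, as an added example that is not part of the original writeup or of ALEAPP. The database rows, sender numbers and message bodies are constructed; the only value taken from the page is the short code "50333". Two things the Timeline Explorer grouping does not do are added here on purpose: the count is restricted to received messages (sms.type = 1, since the question asks who sent the most), and addresses are normalized to digits so that the same number written with and without "+1" or dashes is counted as one sender.

```python
import re
import sqlite3
from collections import Counter

# Values of the sms.type column in Android's mmssms.db.
SMS_INBOX, SMS_SENT = 1, 2


def normalize_address(address):
    """Keep only the digits so '+1 555-010-0199' and '15550100199' count as one sender."""
    return re.sub(r"\D", "", address or "")


def build_sample_mmssms():
    """Constructed stand-in for the sms table of mmssms.db (not the CTF evidence)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE sms (_id INTEGER PRIMARY KEY, address TEXT, "
        "date INTEGER, type INTEGER, body TEXT)"
    )
    rows = [  # (address, date in ms since epoch, type, body) -- all constructed
        ("50333", 1672600000000, SMS_INBOX, "Your verification code is 483920"),
        ("50333", 1672603600000, SMS_INBOX, "Your verification code is 118345"),
        ("50333", 1672607200000, SMS_INBOX, "Your verification code is 990121"),
        ("50333", 1672610800000, SMS_INBOX, "Your verification code is 556010"),
        ("50333", 1672614400000, SMS_SENT, "STOP"),
        ("+1 555-010-0199", 1672618000000, SMS_INBOX, "Running late"),
        ("15550100199", 1672621600000, SMS_INBOX, "Be there in 10"),
        ("+1 555-010-0199", 1672625200000, SMS_INBOX, "Here"),
        ("+15550100142", 1672628800000, SMS_INBOX, "Lunch?"),
        ("+15550100142", 1672632400000, SMS_SENT, "Sure"),
        ("+15550100142", 1672636000000, SMS_SENT, "12:30 works"),
    ]
    conn.executemany(
        "INSERT INTO sms (address, date, type, body) VALUES (?, ?, ?, ?)", rows
    )
    return conn


def received_counts(conn):
    """Grouping on the Address column, restricted to received (inbox) messages,
    with each address normalized before counting. Returns [(address, count), ...]
    sorted from most to fewest."""
    counts = Counter()
    for (address,) in conn.execute(
        "SELECT address FROM sms WHERE type = ?", (SMS_INBOX,)
    ):
        counts[normalize_address(address)] += 1
    return counts.most_common()


def top_sender(conn):
    """The address that sent the most messages to this device, with its count."""
    ranked = received_counts(conn)
    return ranked[0] if ranked else None


if __name__ == "__main__":
    db = build_sample_mmssms()
    for address, n in received_counts(db):
        print(f"{address:>15}  {n}")
    print("top sender:", top_sender(db))
```

Without the normalization step, "+1 555-010-0199" and "15550100199" would appear as two senders with two and one messages; with it they are one sender with three, which is the kind of split that can change the answer on a real handset.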

Let me [auto]fill you in on the deets (5 points)

What name is set in Chrome autofill entries?

Chrome Autofill entries are pulled from:

data\data\com.android.chrome\app_chrome\Default\Web Data

In the Chromium > Chrome - Autofill - Entries report we see only one entry with the Field listed as "name". That was "Operation Outsource".

Figure 10: Chrome Autofill report in ALEAPP

Just a second (10 points)

How many motion photos were taken with the device's own camera?

I'm not sure if there is a metadata flag on an image, but the quickest way I could think of to find the answer was to go to the DCIM folder at:

data\media\0\DCIM\Camera

If you filter for files that have "MP" in the file name, these should be motion photos. We can see 5 were on the device, which is the answer.

Figure 11: DCIM folder in the Pixel evidence

Alternatively, you could do a similar filter in the Google Photos (gphotos*) - Local Media report in ALEAPP for the same results.

Figure 12: Google Photos local media report in ALEAPP

My favorite kind of boot, other than cowboy boots of course (10 points)

What is the last boot time in UTC associated with this device? (FORMAT YYYY-MM-DD HH:MM:SS based on 24 hour clock)

A simple file holds the answer and key to this:

data\misc\bootstat\last_boot_time_utc

You can take the file's modified date and convert it to UTC to get the answer. More easily, you could just use the Power Events > Last Boot Time report in ALEAPP to get the answer of "2023-01-09 06:04:28".

Figure 13: Last Boot Time report in ALEAPP

Never track a user by their username... (10 points)

What was the GUID for the primary account registered to this device?

There were a few default apps that had this information in the "shared_prefs" folder. You could either pull this from Calendar or Google Photos. In AXIOM this can be found under User Accounts:

Figure 14: Google Accounts User ID in AXIOM

Danger is my middle name (10 points)

What was the danger type of magisk?

This was a fun one because I know for a fact that AXIOM doesn't parse this detail. There are two tools that I know of that do, Hindsight and ALEAPP, and only because I added it to ALEAPP after seeing the code from Ryan via Hindsight. Chrome categorizes downloaded files with ratings and determines if they are potential risks to the device. The database that downloads reside in is:

data\data\com.android.chrome\app_chrome\Default\History

Magisk was rated as a danger type of "Dangerous But User Validated".

Figure 15: Chrome Downloads report in ALEAPP
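How that rating can be read straight out of the History file, as an added example that is neither the writeup's nor ALEAPP's or Hindsight's code. The two tables (downloads and downloads_url_chains), the file paths, URLs, sizes and times are all constructed; the danger_type column holds Chromium's DownloadDangerType enum, and the labels below are my own readable names for those values, with 6 worded the way the report shows it ("Dangerous But User Validated"). Chrome stores start_time as WebKit time (microseconds since 1601-01-01 UTC), which the example converts.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chromium's DownloadDangerType values with readable labels (6 matches the
# ALEAPP/Hindsight wording quoted in the writeup; other labels are mine).
DANGER_TYPES = {
    0: "Not Dangerous",
    1: "Dangerous File",
    2: "Dangerous URL",
    3: "Dangerous Content",
    4: "Content May Be Malicious",
    5: "Uncommon Content",
    6: "Dangerous But User Validated",
    7: "Dangerous Host",
    8: "Potentially Unwanted",
}

# Chrome timestamps are microseconds since 1601-01-01 UTC (WebKit time).
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_utc(value):
    """Convert a WebKit microsecond timestamp to 'YYYY-MM-DD HH:MM:SS' UTC."""
    if not value:
        return None
    return (WEBKIT_EPOCH + timedelta(microseconds=value)).strftime("%Y-%m-%d %H:%M:%S")


def utc_to_webkit(dt):
    """Inverse of webkit_to_utc; used only to build the constructed sample rows."""
    return int((dt - WEBKIT_EPOCH).total_seconds()) * 1_000_000


def build_sample_history():
    """Constructed stand-in for the download tables in Chrome's History file."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE downloads (
            id INTEGER PRIMARY KEY, target_path TEXT, start_time INTEGER,
            total_bytes INTEGER, state INTEGER, danger_type INTEGER);
        CREATE TABLE downloads_url_chains (id INTEGER, chain_index INTEGER, url TEXT);
    """)
    t = lambda *args: utc_to_webkit(datetime(*args, tzinfo=timezone.utc))
    conn.executemany(
        "INSERT INTO downloads VALUES (?, ?, ?, ?, ?, ?)",
        [
            (1, "/storage/emulated/0/Download/report.pdf", t(2023, 1, 5, 12, 0, 0), 48211, 1, 0),
            # Redirect chain ending at the APK; Chrome rated it dangerous and the
            # user chose to keep it anyway (danger_type 6).
            (2, "/storage/emulated/0/Download/Magisk.apk", t(2023, 1, 6, 9, 30, 15), 10_485_760, 1, 6),
            (3, "/storage/emulated/0/Download/tool.exe", t(2023, 1, 7, 18, 45, 2), 2048, 1, 1),
        ],
    )
    conn.executemany(
        "INSERT INTO downloads_url_chains VALUES (?, ?, ?)",
        [
            (1, 0, "https://example.com/docs/report.pdf"),
            (2, 0, "https://example.com/get-magisk"),
            (2, 1, "https://example.com/files/Magisk.apk"),
            (3, 0, "https://example.com/files/tool.exe"),
        ],
    )
    return conn


def list_downloads(conn):
    """One dict per download: final URL (last hop of the chain), path, time, rating."""
    sql = """
        SELECT d.id, d.target_path, d.start_time, d.total_bytes, d.danger_type,
               (SELECT url FROM downloads_url_chains c
                 WHERE c.id = d.id ORDER BY c.chain_index DESC LIMIT 1) AS final_url
          FROM downloads d
         ORDER BY d.start_time
    """
    result = []
    for row_id, path, start, size, danger, url in conn.execute(sql):
        result.append({
            "id": row_id,
            "path": path,
            "url": url,
            "start_utc": webkit_to_utc(start),
            "bytes": size,
            "danger_type": danger,
            "danger": DANGER_TYPES.get(danger, f"Unknown ({danger})"),
        })
    return result


def flagged_downloads(conn):
    """Triage view: every download Chrome rated as anything other than Not Dangerous."""
    return [d for d in list_downloads(conn) if d["danger_type"] != 0]


if __name__ == "__main__":
    for d in flagged_downloads(build_sample_history()):
        print(d["start_utc"], d["danger"], d["url"], "->", d["path"])
```

The final URL is taken from the highest chain_index row because Chrome records every redirect hop for a download; the first hop is often a short link that tells you little about where the file actually came from.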

A love story? (10 points)

It seems that Tina had intentions of spawning some sort of office romance, as she searched for the legality behind it. What was the article called that gave her the answer to her question?

Chrome web visits show some evidence of navigating to sites that reference romances. What I originally failed to realize was the answer was supposed to be the title of the article not the URL, so the answer was "Can an Employer Prohibit Workplace Dating?".

Figure 16: Chrome Visits report in ALEAPP

One email isn't enough... (10 points)

What email address is associated with this device that is NOT a gmail account?

From browsing through the ALEAPP reports one email address popped up that wasn't a Gmail/Kurvalis work account. It was "wilts1991@protonmail.com" which was used as a username in Chrome Autofill:

Figure 17: Chrome Autofill report in ALEAPP

If we look at the ProtonMail messages report we can see some sender metadata that also shows this address was used.

Figure 18: ProtonMail messages report in ALEAPP

This one is plain and simple! (10 points)

What was the password of the hotspot on this device?

Hotspot details can be found at:

data\misc\apexdata\com.android.wifi\WifiConfigStoreSoftAp.xml

In ALEAPP, in the Wifi Profiles > Wifi Hotspot report, the passphrase was "enc8px7tpftac4c".

Figure 19: Wifi Hotspot report in ALEAPP

Not too popular... (10 points)

Out of all of the email accounts on Tina's system, with which contact did Tina have 2-way communication using her work email?

I wasn't too sure on this one. There weren't many places that Tina used a work email for communicating specifically. One place that lived under her "tlouis@kurvalis.com" account was for Google Chat. It wasn't parsed by AXIOM, but it is in ALEAPP (because once again I wrote a parser for it 😁). She communicated with two people, Shawn Garza (sgarza@kurvalis.com) and Michael Borchardt (mborchardt@kurvalis.com).

Figure 20: Google Chat users report in ALEAPP

The wording on the question was a bit confusing so I went back to email communications instead. There weren't any in Gmail but there was some metadata in ProtonMail. While Tina didn't use her work email she did use the account Wilts1991@protonmail.com to communicate back and forth with email address MichaelKBorchardt@proton.me.

Figure 21: ProtonMail messages metadata in ALEAPP

This was my least favorite question because the question itself was a bit muddled in confusion and it was literally the last one I did to complete the CTF 100%.

Who needs user privileges? (10 points)

What software that may aid in privilege escalation exists on this device?

The only thing I could think of for this was Magisk since we saw it all over the phone, and it was correct.

Com with me on an adventure (10 points)

What is the application package name of the messaging app with the most number of messages received?

There were only a handful of apps installed on the phone and only 2 that I saw that would be categorized as messaging. They would be Google Chat (dynamite.db) and Google Messages (bugle_db). 

data\data\com.google.android.apps.dynamite\databases\user_accounts\tlouis@kurvalis.com\dynamite.db

data\data\com.google.android.apps.messaging\databases\bugle_db

Google Chat only had 13 total messages received by Tina, but Messages had 16 received by Tina. Based on the path seen above for the "bugle_db", the package name would be "com.google.android.apps.messaging".

What time is it? Twitter time! (10 points)

When was the last time in UTC the Twitter account typed their password? (FORMAT YYYY-MM-DD HH:MM:SS based on 24 hour clock)

Under the Accounts_de report in ALEAPP, we see one entry for Twitter authentication. It occurred at "2022-12-18 09:42:51".

Figure 22: Accounts_de report in ALEAPP with Twitter login
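Both the last boot time question and this one come down to turning an epoch value into the CTF's "YYYY-MM-DD HH:MM:SS" 24-hour UTC format. The block below is an added example, not code from the writeup or from ALEAPP; it covers the two cases on this page: bootstat's last_boot_time_utc, where the value is the file's modification time rather than its contents (which is why the writeup says to take the modified date), and the millisecond-epoch columns in accounts_de.db. The unit guessing by magnitude is my own convention and the temporary file it creates is a constructed stand-in for the bootstat file; the two timestamps used are the page's answers.

```python
import os
import tempfile
from datetime import datetime, timezone

CTF_FORMAT = "%Y-%m-%d %H:%M:%S"


def guess_unit(value):
    """Infer the unit of an epoch integer from its magnitude: seconds, millis or micros.
    Heuristic: anything below 10**11 is seconds, below 10**14 milliseconds, else microseconds."""
    value = abs(int(value))
    if value < 10**11:
        return "s"
    if value < 10**14:
        return "ms"
    return "us"


def epoch_to_utc(value, unit=None):
    """Render an epoch value in the CTF's 24-hour UTC format."""
    unit = unit or guess_unit(value)
    divisor = {"s": 1, "ms": 1_000, "us": 1_000_000}[unit]
    return datetime.fromtimestamp(value / divisor, tz=timezone.utc).strftime(CTF_FORMAT)


def last_boot_from_bootstat(path):
    """bootstat keeps last_boot_time_utc in the file's modification time, not its contents."""
    return epoch_to_utc(int(os.stat(path).st_mtime), "s")


def make_sample_bootstat_file(epoch_seconds):
    """Constructed stand-in for data/misc/bootstat/last_boot_time_utc: an empty file
    whose mtime is set to the boot time, the way bootstat writes it."""
    fd, path = tempfile.mkstemp(prefix="last_boot_time_utc_")
    os.close(fd)
    os.utime(path, (epoch_seconds, epoch_seconds))
    return path


if __name__ == "__main__":
    sample = make_sample_bootstat_file(1673244268)
    print("last boot:", last_boot_from_bootstat(sample))
    # accounts_de.db stores last_password_entry_time_millis_epoch in milliseconds.
    print("twitter password entry:", epoch_to_utc(1671356571000))
```

The unit guess matters more than it looks: pasting a millisecond value into a converter that expects seconds gives a date in the year 54000-something, and an examiner who trusts the tool's default will submit a wrong answer.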

This concludes part 1 of the Android writeup for the Magnet User Summit 2023 CTF, part 2 of the Android writeup coming right up!