Magnet Virtual Summit 2024 CTF - Android


Now for the last section, the Android phone.

Evidence: Google Pixel 3a XL Logical Image - Data.tar | Facebook Return

Press x to Respawn

On what platform did Rocco share his Call of Duty Username?

I switched over to Conversation view to possibly narrow the scope to just communications. Out of Android Messages, SMS, Discord, Facebook, and Twitter, Twitter was the winning application. In the DMs Rocco sends his username to Chadwick.

Figure 1: Twitter DMs in AXIOM

Warm Up

What Southern state's sports team did Rocco search up?

In Chrome search history, Rocco looked for "ragin cajuns football record".

Figure 2: Chrome search history in ALEAPP

The results led to the Louisiana Ragin' Cajuns.

Figure 3: Search for "ragin cajuns"

Source path:

Google Pixel 3a XL Logical Image - Data.tar\data\data\com.android.chrome\app_chrome\Default\History
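The Chrome History file is a plain SQLite database, so the search terms ALEAPP lists can be pulled directly: the typed query lives in keyword_search_terms and joins to urls for the visited URL and visit time. The catch is that Chrome stores times as WebKit time (microseconds since 1601-01-01 UTC), not Unix epoch. The following is an added example, not code from the original post or from ALEAPP; it builds a constructed stand-in History file (only the columns the query needs, with a made-up visit time) and queries it read-only the way you would the evidence copy.

```python
import os
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone

# Chrome stores times as microseconds since 1601-01-01 00:00:00 UTC (WebKit time),
# not as Unix epoch, so a raw last_visit_time value is meaningless until converted.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_utc(microseconds: int) -> datetime:
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)


def utc_to_webkit(dt: datetime) -> int:
    return int((dt - WEBKIT_EPOCH) / timedelta(microseconds=1))


# keyword_search_terms holds the typed query; urls holds the search URL and its visit time.
SEARCH_TERMS_SQL = """
SELECT k.term, u.url, u.last_visit_time
FROM keyword_search_terms AS k
JOIN urls AS u ON u.id = k.url_id
ORDER BY u.last_visit_time
"""


def chrome_search_terms(history_path: str) -> list:
    """Return (term, url, 'YYYY-MM-DD HH:MM:SS' UTC) rows from a Chrome History file."""
    # Read-only URI open so the evidence copy is never written to (no -journal/-wal side files).
    con = sqlite3.connect(f"file:{history_path}?mode=ro", uri=True)
    try:
        rows = con.execute(SEARCH_TERMS_SQL).fetchall()
    finally:
        con.close()
    return [(term, url, webkit_to_utc(ts).strftime("%Y-%m-%d %H:%M:%S"))
            for term, url, ts in rows]


def build_sample_history(path: str) -> None:
    """Constructed stand-in for a History db: only the columns the query needs."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, typed_count INTEGER,
                           last_visit_time INTEGER, hidden INTEGER);
        CREATE TABLE keyword_search_terms (keyword_id INTEGER, url_id INTEGER,
                                           term TEXT, normalized_term TEXT);
    """)
    # Constructed visit time; the real value would come from the image.
    visited = utc_to_webkit(datetime(2023, 12, 20, 15, 4, 5, tzinfo=timezone.utc))
    con.execute("INSERT INTO urls VALUES (1, ?, ?, 1, 0, ?, 0)",
                ("https://www.google.com/search?q=ragin+cajuns+football+record",
                 "ragin cajuns football record - Google Search", visited))
    con.execute("INSERT INTO keyword_search_terms VALUES (2, 1, ?, ?)",
                ("ragin cajuns football record", "ragin cajuns football record"))
    con.commit()
    con.close()


def demo() -> list:
    """Build the sample db in a temp dir and query it the way you would the real file."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "History")
        build_sample_history(path)
        return chrome_search_terms(path)


if __name__ == "__main__":
    for term, url, when in demo():
        print(f"{when}  {term!r}  {url}")
```

Point chrome_search_terms at the extracted History file to run it against the image; copy the file out first, since opening it in place from a mounted tar extraction is still worth avoiding even in read-only mode.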

Can you Handle this

What was Rocco's Twitter account name?

From the Twitter DMs above we could see that his Twitter handle was @RoccoSachs96775. You could also see the account authorization in ALEAPP alongside the account name.

Figure 4: Accounts_ce report in ALEAPP

Need to reach those heights

What is the SIM operator name?

Based on telephony.db, parsed in ALEAPP's SIM info report, there appeared to be two possible answers: Boost and T-Mobile.

Figure 5: SIM info via ALEAPP

Seeing as Boost Mobile was the entry listed with the US ISO country code, I went with that and it worked.

Source path:

Google Pixel 3a XL Logical Image - Data.tar\data\user_de\0\com.android.providers.telephony\databases\telephony.db

Not to be basic but...

What is the default Internet Browser?

This isn't a given, but since it was Android I guessed Chrome, and it was still the default. This was also verified later via the roles.xml file at path:

Google Pixel 3a XL Logical Image - Data.tar\data\misc_de\0\apexdata\com.android.permission\com.android.permission\roles.xml

Figure 6: Defaults via roles.xml
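Rather than eyeballing roles.xml, the role holders can be read out with a few lines of XML parsing. This is an added example, not code from the post or from ALEAPP, and the sample file is constructed in the layout assumed here for roles.xml: a roles root element holding one role element per role, each with a holder child per package that holds it. The role names are the android.app.role.* constants; a role with no holder child means nothing is set for it.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout assumed for roles.xml: a <roles> root with one
# <role name="..."> per role and a <holder name="pkg"/> child per app holding it.
SAMPLE_ROLES_XML = """
<roles version="1" packagesHash="0000">
  <role name="android.app.role.BROWSER">
    <holder name="com.android.chrome" />
  </role>
  <role name="android.app.role.SMS">
    <holder name="com.google.android.apps.messaging" />
  </role>
  <role name="android.app.role.ASSISTANT" />
</roles>
"""

# Friendly labels for the roles an examiner usually cares about.
ROLE_LABELS = {
    "android.app.role.BROWSER": "default browser",
    "android.app.role.SMS": "default SMS app",
    "android.app.role.DIALER": "default dialer",
    "android.app.role.ASSISTANT": "default assistant",
}


def parse_role_holders(xml_text: str) -> dict:
    """Map every role name in the file to the list of holder packages (possibly empty)."""
    root = ET.fromstring(xml_text.strip())
    return {role.get("name"): [h.get("name") for h in role.findall("holder")]
            for role in root.iter("role")}


def default_apps(xml_text: str) -> dict:
    """Map a friendly label to its holder package(s); roles absent from the file are skipped."""
    holders = parse_role_holders(xml_text)
    return {label: holders.get(role, [])
            for role, label in ROLE_LABELS.items() if role in holders}


if __name__ == "__main__":
    for label, packages in default_apps(SAMPLE_ROLES_XML).items():
        print(f"{label}: {', '.join(packages) or '(none set)'}")
```

Read the real file with open(path).read() and pass the text in; a role that appears with an empty holder list is the "no default set" case, which is worth reporting explicitly rather than treating as missing data.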

Survival Mode Activated

What conference did Rocco show interest in?

Based on Rocco's Chrome web searches, he was researching going to Preppercon.

Figure 7: Chrome search history via ALEAPP

Source path:

Google Pixel 3a XL Logical Image - Data.tar\data\data\com.android.chrome\app_chrome\Default\History

Sign me up!

What email is associated with the device?

Throughout the accounts_ce and accounts_de databases you can see that roccotsachs@gmail.com was used repeatedly.

Figure 8: accounts_ce authtokens report via ALEAPP

Sources being:

Google Pixel 3a XL Logical Image - Data.tar\data\system_ce\0\accounts_ce.db
Google Pixel 3a XL Logical Image - Data.tar\data\system_de\0\accounts_de.db

Not so popular

How many messages were sent from Rocco in Twitter Direct Messages?

In AXIOM we can filter Twitter DMs by sender and see he sent 8 messages.

Figure 9: Twitter DMs sent, via AXIOM

The source being:

Google Pixel 3a XL Logical Image - Data.tar\data\data\com.twitter.android\databases\1719897971716685824-66.db

No two cents about them

According to exCHANGEs in Discord with Chad, what did Chad want back from Rocco?

Scrolling through the conversations, we can see he wanted his money back.

Figure 10: Discord chats via ALEAPP

These were pulled from:

Google Pixel 3a XL Logical Image - Data.tar\data\data\com.discord\files\kv-storage\@account.1185636389107273799\a

You can never be too ready

How many additional survival tips were provided in the $9 book Rocco was looking into

Pricing was specific to pictures on the iOS image, so I pivoted to see if any had been taken by the phone in the DCIM folder. The answer was 72, found in the image at path:

Google Pixel 3a XL Logical Image - Data.tar\data\media\0\DCIM\Camera\PXL_20231215_202654750.jpg

Figure 11: Survival tips book in DCIM

Tag you're it!

What city was the user in when they identified an AirTag on them?

Android now has some built-in features that can detect AirTag-like devices. Not sure if commercial forensic tools are parsing this yet, but ALEAPP does, from path:

Google Pixel 3a XL Logical Image - Data.tar\data\user\0\com.google.android.gms\databases\personalsafety_db

Figure 12: AirTag scans via ALEAPP

We see coordinates that we can search with Google Maps to see it was located near Windsor, Ontario.

Figure 13: Lat/Long Google Maps search

A game of Cat and Mouse

What game did two beloved cartoon characters promote in an Ad? 
 
I instantly thought of Tom & Jerry but wasn't sure what the game might be, so I did a quick search in AXIOM for images and videos. After much scrolling I found the ad lodged deep in the path:

Google Pixel 3a XL Logical Image - Data.tar\data\data\com.google.android.apps.tips\files\download\asset\83c4649ef9ea3b1825f2ee682accc363a31a0e5d

Figure 14: Tom and Jerry video ad

The video is blurry, but we can make out that the name of the game was Tom and Jerry: Chase.

Always achieving new heights

What was the new score achieved on the video game Rocco watched on YouTube?

A quick search for YouTube led me to a tweet with a link to a Subway Surfers high score video.

Figure 15: Twitter tweet

Going to the link we see it was on Chadwick's channel, and the high score was 5,187.

Figure 16: Subway Surfers high score

LIVE your life

What two sports did Rocco capture in a photo (__ and ___)?

You can't have a Magnet CTF without a question that requires hunting down a live photo. There were only a handful on the image, and only one that really fit the requirements. It was at path:

Google Pixel 3a XL Logical Image - Data.tar\data\media\0\DCIM\Camera\PXL_20231220_234032213.MP.jpg

Pause it at just the right moment and you can see the two sports were golf and skiing.

Figure 17: Motion photo screenshot
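Pausing the clip in a viewer works, but for a report you usually want the video itself. A Pixel motion photo (the .MP.jpg naming) is an ordinary JPEG with an MP4 appended after the EOI marker, and the XMP packet in the JPEG's APP1 segment can carry a GCamera:MicroVideoOffset attribute giving the video's size counted back from the end of the file. The following is an added example, not code from the post or from any forensic tool: it locates the embedded MP4 from the XMP hint when present and falls back to scanning for the ISO-BMFF ftyp box otherwise, and it builds a constructed minimal file (a tiny JPEG with an XMP segment plus a two-box MP4 stream) to exercise both paths.

```python
import re
import struct
from typing import Optional

# Google Motion Photos are a JPEG with an MP4 appended after the EOI marker. The XMP
# packet can carry GCamera:MicroVideoOffset, the video's size counted back from the
# end of the file; if it is missing we scan for the MP4 'ftyp' box instead.
XMP_OFFSET_RE = re.compile(rb'GCamera:MicroVideoOffset="(\d+)"')


def looks_like_mp4(data: bytes, off: int) -> bool:
    """True if an ISO-BMFF 'ftyp' box with a sane size starts at off."""
    if off < 0 or off + 8 > len(data):
        return False
    size = struct.unpack(">I", data[off:off + 4])[0]
    return data[off + 4:off + 8] == b"ftyp" and 8 <= size <= len(data) - off


def mp4_offset_from_xmp(data: bytes) -> Optional[int]:
    """Offset of the video per the XMP hint, validated against the bytes actually there."""
    m = XMP_OFFSET_RE.search(data)
    if not m:
        return None
    off = len(data) - int(m.group(1))
    return off if looks_like_mp4(data, off) else None


def mp4_offset_by_scan(data: bytes) -> Optional[int]:
    """Fallback: first 'ftyp' occurrence whose enclosing box header is plausible."""
    pos = data.find(b"ftyp")
    while pos != -1:
        if looks_like_mp4(data, pos - 4):
            return pos - 4
        pos = data.find(b"ftyp", pos + 4)
    return None


def carve_motion_video(data: bytes) -> Optional[bytes]:
    """Return the embedded MP4 bytes, or None if the JPEG carries no video."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    off = mp4_offset_from_xmp(data)
    if off is None:
        off = mp4_offset_by_scan(data)
    return None if off is None else data[off:]


def build_sample_motion_photo(with_xmp_hint: bool = True) -> bytes:
    """Constructed minimal file: JPEG with an APP1/XMP segment, then a tiny MP4 box stream."""
    ftyp = struct.pack(">I", 24) + b"ftyp" + b"mp42" + struct.pack(">I", 0) + b"mp42isom"
    free = struct.pack(">I", 8) + b"free"
    mp4 = ftyp + free
    xmp = b'<x:xmpmeta xmlns:GCamera="http://ns.google.com/photos/1.0/camera/"'
    if with_xmp_hint:
        xmp += b' GCamera:MicroVideoOffset="%d"' % len(mp4)
    xmp += b"/>"
    app1 = b"http://ns.adobe.com/xap/1.0/\x00" + xmp
    jpeg = b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
    return jpeg + mp4


if __name__ == "__main__":
    sample = build_sample_motion_photo()
    video = carve_motion_video(sample)
    print("carved", len(video), "bytes; major brand", video[8:12].decode())
```

For a real file, read the .MP.jpg bytes, pass them to carve_motion_video and write the result to a .mp4; a normal player will open it, and you can step frame by frame instead of trying to pause at the right instant. Validating the XMP offset against an actual ftyp box matters because a re-saved or edited copy may keep the XMP but lose the trailing video.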

Remember your floaties

What fun outdoor activity location was searched for? 

Google Maps had only one search term in its history, at path:

Google Pixel 3a XL Logical Image - Data.tar\data\user\0\com.google.android.apps.maps\databases\gmm_storage.db

We see that Big Water Campground, Ontario 655, Timmins, ON was the place of interest.

Figure 18: Google Maps searches via ALEAPP

R-E-J-E-C-T-E-D Rejected

When was the last shutdown that was initiated by Rocco? (YYYY-MM-DD HH:MM:SS) UTC 24 hour time.

I knew where to go for this one quickly, as I wrote a blog on it a few years back and also wrote the parser for ALEAPP. If you hit the Shutdown Checkpoints parser you can sort the timestamps and see 2023-12-28 23:47:29 was the last user-requested entry.

Figure 19: Shutdown checkpoints via ALEAPP

Source path was: 

Google Pixel 3a XL Logical Image - Data.tar\data\system\shutdown-checkpoints\checkpoints-1703807249418
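The file name itself is a second source for the timestamp: 1703807249418 read as a Unix epoch in milliseconds decodes to 2023-12-28 23:47:29 UTC, the same value as the entry above. The following added example (not code from the post or from ALEAPP) turns a directory listing of the shutdown-checkpoints folder into UTC times and picks the newest file; the assumption that the number is a millisecond epoch is labelled in the code, and the listing is constructed apart from the one file name taken from the image.

```python
import re
from datetime import datetime, timezone

# Assumption: the number in the file name is the Unix epoch in milliseconds at which the
# checkpoint file was written. 1703807249418 decodes to 2023-12-28 23:47:29 UTC.
CHECKPOINT_RE = re.compile(r"^checkpoints-(\d+)$")


def checkpoint_time(filename: str) -> datetime:
    """UTC datetime encoded in a checkpoints-<epoch ms> file name."""
    m = CHECKPOINT_RE.match(filename)
    if not m:
        raise ValueError(f"not a shutdown checkpoint file name: {filename}")
    return datetime.fromtimestamp(int(m.group(1)) / 1000, tz=timezone.utc)


def fmt_utc(dt: datetime) -> str:
    """The YYYY-MM-DD HH:MM:SS form the CTF question asks for."""
    return dt.strftime("%Y-%m-%d %H:%M:%S")


def latest_checkpoint(listing) -> tuple:
    """Return (file name, 'YYYY-MM-DD HH:MM:SS' UTC) for the newest checkpoint file."""
    timed = [(checkpoint_time(name), name) for name in listing if CHECKPOINT_RE.match(name)]
    if not timed:
        raise ValueError("no checkpoint files in listing")
    when, name = max(timed)
    return name, fmt_utc(when)


# Constructed directory listing; only the first name comes from the image.
SAMPLE_LISTING = [
    "checkpoints-1703807249418",
    "checkpoints-1702419935002",
    "checkpoints-1703101733550",
    "lost+found",
]

if __name__ == "__main__":
    name, when = latest_checkpoint(SAMPLE_LISTING)
    print(f"{name} -> {when} UTC")
```

Feed it os.listdir() of the extracted shutdown-checkpoints directory. The file name gives you when the file was written, which need not be the same as the last checkpoint line inside it, so treat it as a cross-check on the parsed timestamps rather than a replacement for them.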

Out of Stock

What is the most recent score in Subway Surfer?

Recent activity is commonly tracked on stock Android phones at path:

Google Pixel 3a XL Logical Image - Data.tar\data\system_ce\0\recent_tasks

Searching for Subway Surfers we can see there is an entry with a screenshot showing that the score was 1,899.

Figure 20: Recent Activity via ALEAPP

So Salty!

What is the handle of the person who is talking about how upset they are with Rocco?

While looking for the previous question I came across another Recent Activity entry in ALEAPP that answers this one. It was from Twitter, showing that Larissa, whose handle was @larissajenna9, was upset with Rocco.

Figure 21: Twitter Recent Activity

Don't let them see you down

What was added using photoshop?

I assumed Photoshop would save altered files in a specific folder, so I just navigated the file system to check. I found a few at:

Google Pixel 3a XL Logical Image - Data.tar\data\media\0\Pictures\Photoshop Express

These would need to be compared to the original photos. I first thought they had just removed the "Next Time" text, but that wasn't it.

Figure 22: Photoshop photos from Media folder

Going to the Screenshots folder I found the matching original screenshot, which has no Success sticker, so the sticker is what was added.

Figure 23: Original screenshot

Google Pixel 3a XL Logical Image - Data.tar\data\media\0\Pictures\Screenshots\Screenshot_20231226-154230.png

It's the eye of the tiger

When is Rocco's Bday? (YYYY-MM-DD)

Well, we got some return packages, so we might as well use them. The profile information file is at path:

facebook-61554919820462-2024-01-06-49fzodcA.zip\personal_information\profile_information

Inside, Rocco's birthday is shown as 1974-09-29.

Figure 24: Facebook return profile information

Secrets Secrets are no Fun

What did Rocco search in the App Store to download the app used to hide photos

Google Play store searches can be found at:

Google Pixel 3a XL Logical Image - Data.tar\data\data\com.android.vending\databases\suggestions.db

There are many similar apps that can hide photos, but calculator vault is a common one.

Figure 25: Google Play searches via ALEAPP

Stalker Alert

Shortly after logging into Facebook with IP address 72.38.231.98, a photo was taken. Where was this photo taken?

Back to the Facebook return to see what we can find. IP activity is in the file:

facebook-61554919820462-2024-01-06-49fzodcA.zip\security_and_login_information\ip_address_activity.html

Looking for that IP address, we see the timestamp was December 27, 2023 at 11:16:01am.

Figure 26: Facebook IP activity

Heading back to the Android image, we can locate a photo with a timestamp in that period, making sure to account for the local timezone offset.

Figure 27: Photo metadata via ALEAPP
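The timezone step is where this kind of correlation usually goes wrong, so here it is worked through as an added example (not code from the post or from ALEAPP). It assumes the Facebook export renders login times in the account's local zone and that Windsor, ON means America/Toronto, which is EST (UTC-5) at the end of December; EXIF DateTimeOriginal is likewise local and is paired with the OffsetTimeOriginal tag to get UTC. Both sides are normalised to UTC before photos within a window after the login are picked out. The photo metadata is constructed, not the image's real values.

```python
from datetime import datetime, timedelta, timezone

# Assumption: the Facebook export shows login times in the account's local zone; for
# Windsor, ON that is America/Toronto (EST, UTC-5, at the end of December). zoneinfo keeps
# the conversion right across DST; the fixed-offset fallback is only valid for winter dates.
try:
    from zoneinfo import ZoneInfo
    LOCAL_TZ = ZoneInfo("America/Toronto")
except Exception:  # no tz database on this host
    LOCAL_TZ = timezone(timedelta(hours=-5), "EST")


def facebook_time_to_utc(text: str, tz=LOCAL_TZ) -> datetime:
    """Parse 'December 27, 2023 at 11:16:01am' as local time and return it in UTC."""
    naive = datetime.strptime(text.replace(" at ", " "), "%B %d, %Y %I:%M:%S%p")
    return naive.replace(tzinfo=tz).astimezone(timezone.utc)


def exif_to_utc(date_time_original: str, offset_time: str) -> datetime:
    """EXIF DateTimeOriginal ('2023:12:27 11:23:01') plus OffsetTimeOriginal ('-05:00') to UTC."""
    naive = datetime.strptime(date_time_original, "%Y:%m:%d %H:%M:%S")
    sign = -1 if offset_time.startswith("-") else 1
    hours, minutes = (int(part) for part in offset_time[1:].split(":"))
    tz = timezone(sign * timedelta(hours=hours, minutes=minutes))
    return naive.replace(tzinfo=tz).astimezone(timezone.utc)


def photos_after(login_utc: datetime, photos, window=timedelta(minutes=30)) -> list:
    """Photos captured in [login, login + window]; returns (name, UTC ISO time) pairs."""
    hits = []
    for name, dto, offset in photos:
        taken = exif_to_utc(dto, offset)
        if login_utc <= taken <= login_utc + window:
            hits.append((name, taken.isoformat()))
    return hits


# Constructed metadata, not the image's real values: local times with the EXIF offset tag.
SAMPLE_PHOTOS = [
    ("photo_a.jpg", "2023:12:26 10:42:30", "-05:00"),
    ("photo_b.jpg", "2023:12:27 11:23:01", "-05:00"),
    ("photo_c.jpg", "2023:12:27 20:00:00", "-05:00"),
]


def demo() -> list:
    """Login time from the page, converted to UTC, correlated against the constructed photos."""
    login = facebook_time_to_utc("December 27, 2023 at 11:16:01am")
    return photos_after(login, SAMPLE_PHOTOS)


if __name__ == "__main__":
    print("login UTC:", facebook_time_to_utc("December 27, 2023 at 11:16:01am").isoformat())
    for name, when in demo():
        print(f"{name} taken {when}")
```

If the EXIF has no offset tag (older firmware, or an app that strips it), you have to supply the device's zone yourself, and that is the moment to check the phone's own timezone setting rather than assume it matches the Facebook account's.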

If we search Google Maps for those coordinates we get a location of Devonshire Mall, 3100 Howard Ave Unit B7, Windsor, ON N8X 3Y8, Canada.

Figure 28: Google Maps coordinates

And with that answer that wraps up the Magnet Virtual Summit CTF for 2024. I hope those that competed had fun!