Evidence Link: UserB2.7z
That's a lot - 5 points
Question: What animal was in the TikTok sent via text?
You might recognize this video from some of the other evidence items. If we filter for “tiktok” in SMS we see one text.
Figure 1: SMS text with TikTok link via ALEAPP
If you watch the video you see a bunch of deer.
Figure 2: Deer from the shared TikTok video
The source file being:
data\data\com.android.providers.telephony\databases\mmssms.db
When you C it - 5 points
Question: What was the name of the geocaching app used?
You could find this in multiple locations but the easiest might be the packages.list because it also gives you a potential link to the Play Store.
Data\system\packages.list
There is one entry for a bundle cgeo.geocaching with a link to https://play.google.com/store/apps/details?id=cgeo.geocaching
Figure 3: Google Play Links for Apps report via ALEAPP
If you click the link it leads to c:geo.
Figure 4: c:geo via the Play Store
Finding a good book - 5 points
Question: What location was the user looking for on 2024-11-11 at 2:46:10 PM UTC?
Since the date and time are pretty specific we can open the timeline database in ALEAPP and filter via DB Browser for SQLite. We see a handful of Chrome artifacts, including a keyword search for “library champlain college”.
Figure 5: Timeline from ALEAPP filtered
Get in Contact - 5 points
Question: What is the user's TikTok username?
In AXIOM we can quickly navigate to the TikTok Contacts artifacts and see the only entry was “mary.jones7358”.
Figure 6: TikTok account via AXIOM
The source being:
\data\data\com.zhiliaoapp.musically\databases\db_im_xx
Highspeed Internet - 5 points
Question: What is the SIM display name?
The SIM name can be found quickly via ALEAPP’s Device Details tab. It was “Ultra”.
Figure 7: SIM display name via ALEAPP
This is also found in AXIOM’s Communication > Android SIM Card Information section.
Figure 8: SIM info via AXIOM
The source location is:
\data\data\com.google.android.apps.messaging\shared_prefs\sim_state_tracker.xml
Some Connections - 5 points
Question: What device did the user connect to on 2024-11-05?
You can filter using the ALEAPP timeline here again for the date and see a Bluetooth Connections entry where it connected to a Google Pixel Watch 02N0.
Figure 9: ALEAPP timeline entry for Bluetooth Connections
The source file can be found at path:
\data\misc\bluedroid\bt_config.conf
The Era of Pop Stars - 5 points
Question: What song was the user listening to on 2024-11-30 at 8:45:00 AM?
One of the parsers I made and did research on was for Google’s Now Playing history. If we check out the ALEAPP Now Playing report with the filter on the date/time we see one entry for Taylor Swift’s “Fortnight”.
Figure 10: Now Playing history via ALEAPP
The source path being:
data\user\0\com.google.android.as\databases\history_db
Get Educated - 10 points
Question: What degree does Mary have?
If you do a quick search for “resume” you can find Mary’s is available in a downloads folder at path:
\data\data\com.google.android.gm\files\downloads\d49287f2a867bab727521232c693a59c\attachments\d_0_0_142c08bd_50a37f8b_d0c87303_667402f4_9577393e\marysresume.pdf
If you open it you can see her degree was an Associate of Applied Science in Marketing from Champlain College.
Figure 11: Mary’s resume education
That would look good in a Frame - 10 points
Question: What is the name of the structure seen in the picture taken at night?
Pictures taken on the phone typically reside in the DCIM folder at path:
\data\media\0\DCIM\Camera\
Here we see one photo titled PXL_20241112_024249328.jpg that fits the description.
Figure 12: PXL_20241112_024249328.jpg
A Google Image search reveals it to be the Moran Frame.
Figure 13: Moran Frame Google image search
I love Natur - 10 points
Question: What language was the nature website in?
The hint was in the title: “natur” can be used as a keyword filter to narrow down to a Potential Browser Activity URL of http://photo-natur.de/licence.html. Based on the top-level domain (.de) and just reading through the page, you can see that it’s in German.
Figure 14: photo-natur.de website
Striking Some Keys - 10 points
Question: What singer appeared in a TikTok video watched on 2024-11-15 at 1:01:26 AM UTC?
If we head over to the TikTok Media artifacts in AXIOM, we can sort by timestamp and find the specific video in question. The cached file can be found at path:
\data\user\0\com.zhiliaoapp.musically\cache\cachev2\v12025gd0000crdf5evog65ml3ljflpg_bytevc1_720p_604678.mdl
You may have to do some OSINT to figure out who the singer actually is from the lyrics or his looks, but it is Teddy Swims.
Figure 15: Teddy Swims in a cached TikTok video
Wearing out your SNEAKERS
Question: Who congratulated Mary on walking 10,000 steps?
There were a handful of fitness apps installed on the device, including FitBit, Nike and Strava. If you search for “10,000” or even “steps” you will find an email from FitBit in Gmail congratulating her for earning a badge.
Figure 16: FitBit congratulatory email
Lets Get Famous - 25 points
Question: How many followers does Mary have on TikTok?
Since we had Mary’s username from one of the previous questions we can do a search or use commentpicker.com to find her profile.
Figure 17: commentpicker.com lookup
Sad to say Mary had 0 followers. You could also pull that information from the database in the evidence at path:
\data\data\com.zhiliaoapp.musically\databases\db_im_contact
Figure 18: db_im_contact database
Would you like an extended warranty? - 25 points
Question: How many spam numbers were created on 2024-11-27 at 02:42:52.972 UTC?
Looking for spam numbers, you would want to head over to the native phone app folder at path:
\data\data\com.google.android.dialer\databases
Inside is a database called “normalized_spam.db”. Its “server_spam_table” holds the list of numbers that are recognized as spam. Since the dates in the DB are stored as Unix epoch values, we need to convert them first and then filter to that specific date/time.
Figure 19: normalized_spam_db filtered
We can see 32 unique phone numbers listed here.
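The epoch conversion and filtering step described above, worked through in Python as an added example that is not part of the original write-up. The table name server_spam_table comes from the write-up; the column names number and creation_time_ms, and the sample rows, are constructed assumptions because the real schema is not shown here. The question’s timestamp carries milliseconds, so the example treats the stored values as epoch milliseconds and shows both a Python-side and a SQLite-side (datetime(..., 'unixepoch')) conversion, the latter being what you would type into DB Browser for SQLite.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Constructed sample rows (not data from the evidence image). Column names are
# assumptions: (number TEXT, creation_time_ms INTEGER).
SAMPLE_ROWS = [
    ("+18025550101", 1732675372972),  # 2024-11-27 02:42:52.972 UTC
    ("+18025550102", 1732675372972),  # same batch
    ("+18025550101", 1732675372972),  # duplicate number in the same batch
    ("+18025550199", 1732675372971),  # one millisecond earlier: must not match
    ("+18025550200", 1700000000000),  # unrelated earlier batch
]


def to_epoch_ms(ts: str) -> int:
    """Convert 'YYYY-MM-DD HH:MM:SS.mmm' (UTC) to Unix epoch milliseconds.

    Integer timedelta division avoids the float rounding you get from
    int(dt.timestamp() * 1000), which can be off by one millisecond.
    """
    dt = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)
    return (dt - EPOCH) // timedelta(milliseconds=1)


def from_epoch_ms(ms: int) -> str:
    """Render epoch milliseconds as a human-readable UTC timestamp."""
    dt = EPOCH + timedelta(milliseconds=ms)
    return dt.strftime("%Y-%m-%d %H:%M:%S.%f")[:-3] + " UTC"


def build_sample_db() -> sqlite3.Connection:
    """Stand-in for normalized_spam.db, built in memory from the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE server_spam_table (number TEXT, creation_time_ms INTEGER)"
    )
    conn.executemany("INSERT INTO server_spam_table VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def count_spam_numbers_at(conn: sqlite3.Connection, ts: str) -> int:
    """Number of distinct spam numbers whose creation time equals ts exactly."""
    target = to_epoch_ms(ts)
    (count,) = conn.execute(
        "SELECT COUNT(DISTINCT number) FROM server_spam_table "
        "WHERE creation_time_ms = ?",
        (target,),
    ).fetchone()
    return count


def sqlite_side_timestamps(conn: sqlite3.Connection) -> list:
    """Convert inside SQLite, as you would in DB Browser's Execute SQL tab.

    Integer division by 1000 drops the milliseconds, so the SQLite string is
    only second-precise; keep the raw value alongside it for exact filtering.
    """
    return conn.execute(
        "SELECT DISTINCT creation_time_ms, "
        "datetime(creation_time_ms / 1000, 'unixepoch') "
        "FROM server_spam_table ORDER BY creation_time_ms"
    ).fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    for raw, human in sqlite_side_timestamps(db):
        print(raw, human, from_epoch_ms(raw))
    print(count_spam_numbers_at(db, "2024-11-27 02:42:52.972"))
```

When applying this to the real database, substitute the actual column names from the table's schema (visible in DB Browser's Database Structure tab) and check whether the stored values are seconds or milliseconds before dividing; a value around 1.7e12 is milliseconds, around 1.7e9 is seconds.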
YOU Watch a Lot of space Videos - 25 points
Question: What's the numerical rating for the app with the most installs?
This one was very specifically looking for a number in a database. A bunch of people were pulling the rating of the app from the Play Store but that was incorrect for this.
Two hints in the title are “YOU” for YouTube and “space” which indirectly hinted at a file found at path:
\data\data\com.google.android.as\databases\nasa_ps_db
NASA, space, get it? Opening in DB Browser for SQLite there is a table called “play_app” that has a list of applications. If you sort by the “installs” column you see YouTube is the highest with an average rating of 4.23982000350952, how super specific of them.
Figure 20: nasa_ps_db database
ICONic green bubbles - 50 points
Question: What is the hex code for the Profile Picture with the number (802) 495-9063?
The hint here is “ICON”. In ALEAPP, go to Installed Apps > App Icons and filter on Messages; there are a few icons to be found. If you hover over them, the associated phone number is shown.
Figure 21: Messages icons via ALEAPP
If you paste the image into a color picker application, we see that the hex code of that reddish color is #ee675c.
Figure 22: Hex color picker
These app icons are found at the path:
\data\data\com.google.android.apps.nexuslauncher\databases\app_icons.db