Evidence Link: 00008110-0008196A2299401E_files_full.zip
Peak Performance - 5 points
Question: What version of iOS?
The iOS version can be found in multiple places but the easiest may be from iLEAPP or AXIOM. In the Device Details on iLEAPP you can see the iOS version can be pulled from lastBuild and systemVersionPlist, both showing that the device was running iOS 18.0.
Figure 1: Device details > Device Information via iLEAPP
In AXIOM it would be under the Application Usage > iOS Device Information > OS Version field. The source file is either of these:
private\var\installd\Library\MobileInstallation\LastBuildInfo.plist
System\Library\CoreServices\SystemVersion.plist
Connect The Digits - 5 points
Question: What is the device's phone number?
Another one easily found in iLEAPP or AXIOM. In iLEAPP you can find it under Device Details under the Cellular category. The Reported Phone Number pulled from celWireless was 18024959063.
Figure 2: Device details > Cellular via iLEAPP
In AXIOM it can be found under the Operating System > Owner Information > Device Phone Number field. The source file is:
private\var\wireless\Library\Preferences\com.apple.commcenter.plist
In The Name of Friendship - 5 points
Question: What was the contact name stored on 2024-11-13 5:45:05.000 PM?
There was only one contact stored in the Address Book on the phone. Under the iLEAPP Contacts > Address Book report, we see one contact for Mary that was modified on 2024-11-13 17:45:02+00:00 UTC. Converted to a 12-hour format, that matches the timestamp in the question.
Figure 3: Address Book report via iLEAPP
In AXIOM you can find it under the Communication > Apple Contacts - iOS field.
The source file is:
private\var\mobile\Library\AddressBook\AddressBook.sqlitedb
Call Me, Maybe - 5 points
Question: Out of all the incoming calls, how many were answered?
iLEAPP parses Call History nicely. In the Answered column we can see that 0 calls were actually answered.
Figure 4: Call History report via iLEAPP
In AXIOM you can find it in Communication > iOS Call Logs.
The source file is:
private\var\mobile\Library\CallHistoryDB\CallHistory.storedata
Correct Me If I'm Wrong.. - 10 points
Question: How many words typed were autocorrected?
In iLEAPP this is parsed under the User Activity > Keyboard Usage Stats report. The key of interest is “tium.totalWordsAutocorrected” with a value of 51.
Figure 5: Keyboard Usage Stats report via iLEAPP
The source file for this is:
private\var\mobile\Library\Keyboard\user_model_database.sqlite
Where Are We Meeting? - 10 points
Question: What time did Ruth plan to meet Mary at Black Cap?
Communication artifacts can be found in many different apps and locations. A keyword search for “Black Cap” turns up a parsed Discord message in which Ruth asked about meeting at 2:15.
Figure 6: Discord message report via iLEAPP
Figure 7: Discord messages via AXIOM
It can be found in two different cached source files:
private\var\mobile\Containers\Data\Application\1FA1287E-E3B0-4565-98DB-FD0E488A434D\Library\Caches\com.hammerandchisel.discord\fsCachedData\21227280-52BC-4786-BBA5-D9C9032A8E5E
private\var\mobile\Containers\Data\Application\1FA1287E-E3B0-4565-98DB-FD0E488A434D\Library\Caches\com.hammerandchisel.discord\fsCachedData\70B7CE99-8702-484B-BE16-42566F47035F
The Root of The Problem - 10 points
Question: What color hair does Ruth's Bitmoji have?
Bitmoji is commonly paired up with the app Snapchat. In iLEAPP if we go to Installed Apps > App Snapshots report and filter for the Snapchat bundle name of “com.toyopagroup.picaboo” we can see a few files are available.
Figure 8: iOS Snapshots filtered in iLEAPP
Three of them have the user’s Bitmoji icon in the top left of the screen showing her hair color was Blond[e].
Figure 9: Sample Snapchat snapshot
In AXIOM they can be found under Media > iOS Snapshots. The source file paths are as follows:
\private\var\mobile\Containers\Data\Application\CA6618F8-E002-4DE8-91EF-2097D7407250\Library\SplashBoard\Snapshots\sceneID:com.toyopagroup.picaboo-default\7040CA37-0D93-498A-A642-D2AE45DA13A7@3x.ktx
\private\var\mobile\Containers\Data\Application\CA6618F8-E002-4DE8-91EF-2097D7407250\Library\SplashBoard\Snapshots\sceneID:com.toyopagroup.picaboo-default\downscaled\9ACE90D2-CC1A-48EA-A8FC-BEDA7F9D4A64@3x.ktx
\private\var\mobile\Containers\Data\Application\CA6618F8-E002-4DE8-91EF-2097D7407250\Library\SplashBoard\Snapshots\sceneID:com.toyopagroup.picaboo-default\downscaled\45DE1AFA-C15F-484C-BB6B-C3DB79E6A2C2@3x.ktx
Artificially Crafted Designs - 10 points
Question: What was the first AI tool installed on the device?
We can look at the Installed Apps > Apps - Itunes Metadata report in iLEAPP to see what applications were installed on the phone. Scrolling through the list we see a handful of apps that use AI, such as ChatGPT and maybe even Adobe Express, but Canva: AI Photo & Video Editor was installed before those.
Figure 10: Installed Apps > Apps - Itunes Metadata report via iLEAPP
In AXIOM you can look at the Application Usage > Installed Applications report and sort by Installed date.
Tracing The Envelope - 10 points
Question: What was the IP address logged from Discord?
If you do a keyword search for “IP address” and “Discord” you will see that there is a hit in Apple Mail. The summary shows that an IP address of 184.171.159.153 tried logging in.
Figure 11: Apple Mail > Emails report via iLEAPP
You can find your answer in AXIOM via Email & Calendar > Apple Mail or EML(X) Files. The source paths are:
private\var\mobile\Library\Mail\Envelope Index
private\var\mobile\Library\Mail\Protected Index
Where's Nashville? - 10 points
Question: What is the Latitude of Nashville in the Weather App? Format: xx.xxxxxxx
The native Apple Weather app is parsed by iLEAPP. If you go to the Locations > Weather App Locations report you can see that Nashville’s latitude is 36.1660667.
Figure 12: Locations > Weather App Locations report via iLEAPP
The source file is:
private\var\mobile\Containers\Shared\AppGroup\5A25F7AB-6542-44BF-BFF0-3A1B6E0EC1F1\Library\Preferences\group.com.apple.weather.plist
Important FACTor - 25 points
Question: What is the answer to the second equation in notes?
If we look at Documents > Apple Notes in AXIOM we can see a note that has an equation in the title, but the content does not appear to render the equation object properly.
Figure 13: Apple Note via AXIOM
We at least get the file path, which we can examine further. If we open the NoteStore.sqlite database in DB Browser for SQLite and go to the ZICCLOUDSYNCINGOBJECT table, we can scroll to the right and look for the ZADDITIONALINDEXABLETEXT column.
There is one entry that has more information relevant to the note we found in AXIOM.
Figure 14: NoteStore.sqlite in DB Browser for SQLite
We see what we saw before with “12 x 18 = 216”, but we also see the second equation of “216 x 2 = 432”, with 432 being the answer. The source file is:
private\var\mobile\Containers\Shared\AppGroup\48006795-907F-4242-865D-11B66F78AC1E\NoteStore.sqlite
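Rather than scrolling to the right in DB Browser, the same column can be queried directly. This is an added example, not part of the write-up: the table and column names are the ones used above, the rows are constructed in an in-memory database so it runs without the evidence file, and the Z_PK primary-key column is an assumption about the schema.

```python
"""Query ZADDITIONALINDEXABLETEXT in NoteStore.sqlite and check the equations."""
import re
import sqlite3

# Matches "a x b = c" as the equation object appears in the note's indexable text.
EQUATION = re.compile(r"(\d+)\s*[x×*]\s*(\d+)\s*=\s*(\d+)")


def query_indexable_text(conn: sqlite3.Connection, needle: str) -> list[tuple[int, str]]:
    """Return (Z_PK, text) for rows whose indexable text contains needle."""
    rows = conn.execute(
        "SELECT Z_PK, ZADDITIONALINDEXABLETEXT FROM ZICCLOUDSYNCINGOBJECT "
        "WHERE ZADDITIONALINDEXABLETEXT LIKE ?",
        (f"%{needle}%",),
    )
    return [(pk, text) for pk, text in rows]


def equations_in(text: str) -> list[tuple[int, int, int]]:
    """Extract an (a, b, c) triple for every 'a x b = c' in the text."""
    return [tuple(int(n) for n in m.groups()) for m in EQUATION.finditer(text)]


def second_equation_answer(text: str) -> int:
    """Answer of the second equation, verified against its stated result."""
    eqs = equations_in(text)
    if len(eqs) < 2:
        raise ValueError("fewer than two equations found")
    a, b, c = eqs[1]
    if a * b != c:
        raise ValueError(f"stated result {c} does not match {a} x {b}")
    return c


def constructed_db() -> sqlite3.Connection:
    """Constructed stand-in for NoteStore.sqlite (Z_PK column is assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ZICCLOUDSYNCINGOBJECT "
                 "(Z_PK INTEGER PRIMARY KEY, ZADDITIONALINDEXABLETEXT TEXT)")
    conn.executemany(
        "INSERT INTO ZICCLOUDSYNCINGOBJECT VALUES (?, ?)",
        [(1, None), (2, "Grocery list"), (3, "12 x 18 = 216 216 x 2 = 432")],
    )
    return conn


if __name__ == "__main__":
    # Replace constructed_db() with sqlite3.connect("NoteStore.sqlite") on an extraction.
    for pk, text in query_indexable_text(constructed_db(), "="):
        print(pk, text, "->", second_equation_answer(text))
```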
The Ghost That Couldn't Speak - 25 points
Question: What app was denied permission to use Microphone?
When we see a question about permissions on iOS, think of the TCC (Transparency, Consent, and Control) database. iLEAPP parses it, so we can open the App Permissions report and filter for the microphone as the service. There was only one entry, with a bundle ID of com.toyopagroup.picaboo, commonly known as Snapchat.
Figure 15: App Permissions report in iLEAPP
The Sale Before the Sale - 25 points
Question: If Ruth bought an item for $40 or more, she gets her second one 40% off with what code?
With specifics like this we can do a quick keyword search for “40% off” and see that some results are found via iMessage/SMS/MMS in AXIOM.
Figure 16: SMS entry in AXIOM
The code and flag were “EARLYBF24”. The source file is:
private\var\mobile\Library\SMS\sms.db
TikTok on the Clock - 25 points
Question: In YYYY-MM-DD HH:MM:SS format, when was the TikTok video posted?
A quick keyword search for “tiktok” shows a video was shared in iMessage/SMS. The URL was “https://www.tiktok.com/@dochristmass/video/7436518844501347616?is_from_webapp=1&sender_device=pc”.
Figure 17: TikTok URL shared via SMS
One helpful tool for analyzing URLs is Unfurl. If we run this URL through it we can see a timestamp field, which is the posted date/time. The answer is 2024-11-12 22:11:09.
Figure 18: TikTok URL parsed in Unfurl
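What Unfurl is doing here can be reproduced by hand: the TikTok video ID is a 64-bit value whose upper 32 bits are the Unix creation time in seconds. The script below is an added example, not code from the write-up or from Unfurl, and uses the URL recovered above as its input.

```python
"""Decode the post time embedded in a TikTok video ID."""
from datetime import datetime, timezone
from urllib.parse import urlparse


def video_id_from_url(url: str) -> int:
    """Pull the numeric video ID out of a /@user/video/<id> TikTok URL."""
    parts = urlparse(url).path.strip("/").split("/")
    # Expected path layout: ['@user', 'video', '<id>']; the query string is ignored.
    if len(parts) < 3 or parts[1] != "video" or not parts[2].isdigit():
        raise ValueError(f"not a TikTok video URL: {url}")
    return int(parts[2])


def tiktok_id_to_datetime(video_id: int) -> datetime:
    """Upper 32 bits of the 64-bit ID are seconds since the Unix epoch (UTC)."""
    if not 0 <= video_id < 2**64:
        raise ValueError("video ID must fit in 64 bits")
    seconds = video_id >> 32
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def posted_time(url: str) -> str:
    """Return the post time in the challenge's YYYY-MM-DD HH:MM:SS format."""
    return tiktok_id_to_datetime(video_id_from_url(url)).strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    # The URL recovered from the SMS database in the write-up.
    URL = ("https://www.tiktok.com/@dochristmass/video/7436518844501347616"
           "?is_from_webapp=1&sender_device=pc")
    print(posted_time(URL))  # 2024-11-12 22:11:09
```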
Directional Navigation - 25 points
Question: What beach was searched for?
A quick keyword search for “beach” led to some location based results. If we look at the Apple Maps Trips we see that there was a search for “North Beach Park”.
Figure 19: Apple Maps Trips search in AXIOM
SERIALously Old! - 25 points
Question: Using format YYYY-MM, When was this device purchased?
Taking the hint in the title, we want to grab the serial number for the iPhone. iLEAPP parses that in the Device Details tab pulled from the following file:
private\var\root\Library\Caches\locationd\consolidated.db
Figure 20: Device details via iLEAPP
The serial is FH49Q1TVX6, which we can look up at https://checkcoverage.apple.com/.
Figure 21: check coverage from Apple
We can see that the device had a purchase date of December 2022, or in the format of the flag 2022-12.
Artists write their names on the CANVAs - 25 points
Question: Who is the author of the October 2023 wallpaper?
Keyword searching here helps narrow the scope greatly. Looking for “wallpaper” and “October” results in some Safari history as well as a PDF document.
EXIF data from the PDF shows the author was named “nicole vranjican”.
Figure 22: PDF documents in AXIOM
Because the file was found on https://nikkivegan.com, a secondary acceptable answer was “nikkivegan”.
Finding Your Grounds - 50 points
Question: What popular coffee company did Ruth get coffee from?
Back to looking for more location data, we can look at what was parsed from Apple Maps and Significant Locations.
MapsSync showed a handful of addresses, one of which was “1220 Williston Rd South Burlington, VT 05403 United States”. If you search that in Google Maps it leads to Dunkin’ Donuts.
Figure 22: MapsSync via iLEAPP
Significant Locations shows Dunkin’ as an entry, the only one that would fit as a coffee shop.
Figure 23: Significant Locations entry via AXIOM
Apple Maps - Biome App Intents show that navigation was started to the same Dunkin’ address as well.
Figure 24: Apple Maps - Biome App Intents via AXIOM
The SPIRITs are among us - 75 points
Question: What link redirects you to apply for a job?
The clue in the title has to mean something, right? It may have been hard to spot on a quick run-through of the device, but there is a single Live Photo taken outside a Spirit Halloween store.
\private\var\mobile\Media\DCIM\100APPLE\IMG_0003.HEIC
Figure 25: Spirit Halloween store image
If you zoom into the left side of the image there is a QR code they used for hiring.
Figure 26: QR code on the Spirit store
If you scan the QR code it shows up as a link to https://delivr.com/2FSMR-QR.
Figure 27: Google Lens scan of the QR code
Dead Portrait Society - 75 points
Question: When was the last written record created? (format YYYY-MM-DD HH:MM:SS)
Where do we start with this one (sorry I made this difficult for a reason!)?! I tried to hint in the title a bit about “dead” and “portrait”.
The “portrait” refers to the personalization portrait which is utilized by Apple Photos and some other native apps to pull info from many sources together (such as photos, locations, events).
The “dead” refers to the tombstone inside the streams folder (where Biome-related artifacts come from). At the path below is the SEGB file that needs to be analyzed:
private\var\mobile\Library\PersonalizationPortrait\streams\portraitFeedback\local\tombstone\749700481583195
Opening it in an appropriate viewer or parser such as Mushy or CCL_segb, you can see that the last entry has a date of 2024-11-20 20:02:02.
Figure 28: 749700481583195 SEGB via Mushy
Figure 29: 749700481583195 SEGB via CCL_segb script