Evidence Link: takeout-20241129T224833Z-001.zip
Taking a break - 5 points
Question: How many emails were in the inbox at 2024-11-19, 12:21:26 PM EST?
The thing with Takeouts is that a lot of the files are HTML files that can be opened natively. Here we want the MyActivity file found under Chrome at path:
\data\Takeout\My Activity\Chrome\MyActivity.html
Here we get Chrome activities, including one that shows accessing mail.google.com at the date and time indicated in the question. We can see the inbox had 16 emails.
Figure 1: Chrome MyActivity.html entry for inbox
Boorrriiiinnggg - 5 points
Question: What was searched 2024-11-12, 20:17:13 EST?
Search activity can be found in two places, one for normal Search and one for Image Search. The only one that had an entry for that date/time was the MyActivity file at path:
\data\Takeout\My Activity\Image Search\MyActivity.html
We see they searched for “iphone aesthetic wallpaper”.
Figure 2: Image Search MyActivity.html
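The timestamp lookups in the Chrome and Image Search MyActivity.html files above can be scripted instead of scrolled; the following is an added example, not part of the original write-up or of any tool it mentions. The cell layout (outer-cell divs), the timestamp format, the sample entries and the names ActivityParser and entries_at are assumptions made for illustration.

```python
import re
from datetime import datetime
from html.parser import HTMLParser

# Constructed cells in the assumed MyActivity.html layout (not taken from the evidence).
# The first timestamp uses a narrow no-break space (U+202F) before PM.
SAMPLE = (
    '<div class="outer-cell mdl-cell"><div class="mdl-grid">'
    '<div class="header-cell"><p class="mdl-typography--title">Chrome<br></p></div>'
    '<div class="content-cell">Visited <a href="https://mail.example/">Inbox (3) - Example Mail</a>'
    '<br>Jan 5, 2024, 12:21:26\u202fPM EST</div></div></div>'
    '<div class="outer-cell mdl-cell"><div class="mdl-grid">'
    '<div class="header-cell"><p class="mdl-typography--title">Image Search<br></p></div>'
    '<div class="content-cell">Searched for <a href="https://search.example/?q=x">sample query</a>'
    '<br>Jan 6, 2024, 8:17:13 PM EST</div></div></div>'
)
TIMESTAMP = re.compile(r"([A-Z][a-z]{2} \d{1,2}, \d{4}, \d{1,2}:\d{2}:\d{2} [AP]M) ([A-Z]{2,5})$")

class ActivityParser(HTMLParser):
    """Collect the text chunks of each top-level activity cell."""
    def __init__(self):
        super().__init__()
        self.entries, self.depth = [], 0
    def handle_starttag(self, tag, attrs):
        if tag == "div":
            if self.depth:
                self.depth += 1          # nested div inside the current cell
            elif "outer-cell" in (dict(attrs).get("class") or "").split():
                self.entries.append([])  # a new activity cell starts here
                self.depth = 1
    def handle_endtag(self, tag):
        if tag == "div" and self.depth:
            self.depth -= 1
    def handle_data(self, data):
        if self.depth and data.strip():
            self.entries[-1].append(" ".join(data.split()))  # also folds U+202F / U+00A0

def entries_at(html, when, tz="EST"):
    """Return the non-timestamp text of every cell stamped `when` ('YYYY-MM-DD HH:MM:SS') in `tz`."""
    parser = ActivityParser()
    parser.feed(html)
    parser.close()
    wanted, hits = datetime.fromisoformat(when), []
    for chunks in parser.entries:
        for m in filter(None, map(TIMESTAMP.search, chunks)):
            stamp = datetime.strptime(m.group(1), "%b %d, %Y, %I:%M:%S %p")
            if stamp == wanted and m.group(2) == tz:
                hits.append([c for c in chunks if not TIMESTAMP.search(c)])
    return hits
```

Parsing both sides into datetime values means a question phrased in 24-hour time still matches an entry rendered with AM/PM, and comparing the zone label avoids matching an export rendered in a different time zone.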
Drive those ads away - 5 points
Question: What was the model of the Kia in the advertisement?
You could do a full keyword search across the Takeout folder for “kia” to find any hits. We see there were some in YouTube MyActivity as well as YouTube search history.
Here we pulled from \data\Takeout\My Activity\YouTube\MyActivity.html.
Figure 3: YouTube MyActivity.html entry
The Kia model was a Sorento.
Friends or Foe? - 5 points
Question: Who did this user communicate with most frequently?
There was only one user in the My Contacts.vcf and that was Mary.
Figure 4: My Contacts.vcf
Source file at path:
\data\Takeout\Contacts\My Contacts\My Contacts.vcf
Nice kicks - 5 points
Question: What is the name of the shoes created?
This is another one you can find with a keyword search. If you search for “shoe”, there is a hit in MyActivity for Gemini at path:
\data\Takeout\My Activity\Gemini Apps\MyActivity.html
Opening reveals the shoe was called Floppers.
Figure 5: Floppers via Gemini activity
Your shirt your way - 5 points
Question: What was the name of the shirt company?
In the same Gemini MyActivity file was the shirt company name, which was TypeShirt.
Figure 6: TypeShirt via Gemini activity
Shoe will have fun with this one - 5 points
Question: What is the shoe image named with file extension?
If we go into the Gemini Apps folder we see the image for the shoe was called f12cb76daad6c8d1.png.
Figure 7: shoe from Gemini
Path being:
\data\Takeout\My Activity\Gemini Apps\f12cb76daad6c8d1.png
Identify yourself! - 5 points
Question: What is the account user ID?
You can find Google subscriber info in the file at path:
\data\Takeout\Google Account\ruthonthego98.SubscriberInfo.html
Opening the file we see Ruth’s user ID was 252838291214.
Figure 8: ruthonthego98.SubscriberInfo.html
Back in my day - 5 points
Question: What was the user’s birthday? YYYY-MM-DD
ruthonthego98.SubscriberInfo.html also had the birthday, listed as 1998-12-18 in the proper format.
Figure 9: Ruth’s set birthday
King Town - 5 points
Question: What was the last app installed from the Play Store?
RLEAPP parses this (because I did the parser!) so if you sort by Install Timestamp we can see that Clash Royale was the last one.
Figure 10: Google Play Store Installs report via RLEAPP
Cat Nap - 10 points
Question: How long is the video watched on 2024-11-17 10:04:45 PM EST? Format: MM:SS
YouTube watch history can be found at path:
\data\Takeout\YouTube and YouTube Music\history\watch-history.html
If we go to the timestamp we see a video for “The Stalking Begins” was watched.
Figure 11: YouTube watch history
If we click the link we see the video in question was 29:24 long.
Figure 12: YouTube video watched
I need your approval - 10 points
Question: Who was the user’s boss? FIRSTNAME LASTNAME
This one is implied rather than stated, so you have to read into it a little bit. If you view the emails from the mbox, we can see a few emails from Gregory Fields, who appears to work with Ruth and appears upset about her work.
Figure 13: Email from Mbox
Source parsed from:
\data\Takeout\Mail\All mail Including Spam and Trash.mbox
Help, I don't want to work! - 10 points
Question: What was the marketing website used after the shameless search?
In the Chrome MyActivity we see Ruth searched for “how to cheat the system and make a marketing job easier with AI” and then visited the website pipedrive.com.
Figure 14: Chrome MyActivity
Stranger Danger - 10 points
Question: What was the IP address attached to the sketchy email address?
If you look through the mailbox you may come across an email that came from the address hackergotyou@proton.me. If we read the header information for that email we see that it originated from the IP address 185.70.40.130.
Figure 15: IP header info from suspicious email
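The header reading described above can be done over the whole Takeout mbox at once; this is an added example, not part of the original write-up. It walks each matching message's Received headers from the newest hop down and reports the first external peer address, which is the one logged by the receiving side rather than by hops the sender controls. The sample mbox, its addresses and the function names are constructed, and it assumes the recipient's own internal hops log private addresses or none at all.

```python
import ipaddress
import mailbox
import re
import tempfile
from contextlib import closing
from email.utils import parseaddr

# Constructed mbox using documentation addresses (not the evidence file).
SAMPLE_MBOX = """\
From MAILER-DAEMON Tue Nov 19 10:00:00 2024
Received: from front.internal ([10.1.2.3]) by store.internal; Tue, 19 Nov 2024 10:00:02 -0500
Received: from out.example.org (out.example.org [203.0.113.25]) by mx.recipient.example; Tue, 19 Nov 2024 10:00:01 -0500
Received: from laptop ([198.51.100.7]) by out.example.org; Tue, 19 Nov 2024 15:00:00 +0000
From: Sketchy <sketchy@example.org>
Message-ID: <m1@example.org>

From MAILER-DAEMON Tue Nov 19 11:00:00 2024
From: Mary <mary@example.net>
"""

# Listed explicitly: Python's is_private would also flag the documentation ranges used above.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "fc00::/7", "fe80::/10")]
BRACKETED = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

def external_ips(msg):
    """Yield bracketed, non-internal IP literals from Received headers, newest hop first."""
    for header in msg.get_all("Received", []):
        for literal in BRACKETED.findall(header):
            try:
                ip = ipaddress.ip_address(literal)
            except ValueError:
                continue  # bracketed text that is not an IP literal
            if not any(ip in net for net in INTERNAL):
                yield str(ip)

def origin_ips(mbox_path, sender):
    """Map Message-ID -> first external peer IP for every message whose From address is `sender`."""
    found = {}
    with closing(mailbox.mbox(mbox_path)) as box:
        for msg in box:
            if parseaddr(str(msg.get("From", "")))[1].lower() == sender.lower():
                found[str(msg.get("Message-ID"))] = next(external_ips(msg), None)
    return found

def write_sample():  # writes the constructed mbox to a temp file and returns its path
    with tempfile.NamedTemporaryFile("w", suffix=".mbox", delete=False, newline="\n") as fh:
        fh.write(SAMPLE_MBOX)
        return fh.name
```

In the constructed message the lowest Received line (198.51.100.7) was written by the sending side and could be forged, which is why the walk starts from the top.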
Wandering Around - 10 points
Question: At the following time 2024-09-26 21:21:03 what was the geolocation of this user’s IP Address? Country, State, City
Back to the subscriber information, as it tracks IP activity for a given Google account. If we look through the list for the date and time, we see that the geolocation was US, District of Columbia, Washington.
Figure 16: IP Activity from subscriber information