One of the evidence items during the 2022 Magnet User Summit CTF was a full file system extraction of an iPhone running iOS 15. Recently the CTF creators made the evidence (and corresponding challenge questions) available at CyberDefenders.org. You can register for a free account and then download the evidence. There’s several recommended tools listed in the challenge summary. For me the tools used were:
Once you’re registered, process the evidence with Magnet and iLEAPP. The other tools we’ll touch on coming up.
WARNING: SPOILERS AHEAD
Don’t read ahead if you’re still working on the challenges. If you get stuck and want to see how I chose to solve it… then read on friend.
|#1||Personal List! ->|
How many items were on Patrick’s shopping list?
We can answer this pretty quickly using Axiom or iLEAPP. Most forensicators will support a ‘multiple tool (toolbox)’ approach. As good as a tool is, it won’t always be the right tool for the job. Additionally, there’s value in being able to validate your findings across your different tools.
To answer this with Axiom, navigate to Apple Notes under Documents.
The answer is just as accessible using iLEAPP. Scroll down until you see Notes on the left…
Both tools identify a note with the contents: Grocery list, Energy drinks, Bread, Hand soap, Birthday card. If you look closely you can see that both tools are extracting the data from NoteStore.sqlite (validation.) So if we count up the items on the list (excluding the list title) we get 4.
|#2||Cache Me if You Can ->|
What was the last position of the phone?
Hmm. Where does iPhone store cached location info? Enter Google. A search for “iPhone last cache location AND forensics” (the “AND” being needed otherwise results were all for clearing the cache on the device) led me to an interesting article about using a particular cache.sqlite to calculate location information. The article references the ZRTCLLOCATIONMO table in com.apple.routined > Cache.sqlite.
I navigated to the SQLite database in the File system view of Axiom, and then selected the ZRTCLLOCATIONMO table.
There’s a timestamp value stored as ZTIMESTAMP. (Zis could be vaht we are looking for, ya?). The format isn’t human readable. As we’re looking for the ‘most recent’ entry, I sorted the column based on the ZTIMESTAMP value.
I take the timestamp from the top of the column and enter it in Dcode.
We see an Apple Absolute Time value that’s consistent with the other activities in the CTF, specifically to 2022-02-07 (7-February-2022). Heading to the other end of the column the ZTIMESTAMP value is 666555963.105048.
When we enter that value into Dcode we get a date of 2022-02-14 (14-February-2022). So now that we know which of the value extremes are the most recent, we can go back to the ZRTCLLOCATIONMO table and grab ZLATITUDE and ZLONGITUDE.
The answer: 38.84412765, -77.28686523
|#3||Take your left shoe off… Now put it back on ->|
When was the last reboot performed?
iLEAPP makes this one a cinch. Scroll down on the left until you get to State – Reboots
We can see the last detected reboot was 2022-02-14 11:44:13. We can also verify this information by going to the source directly in Axiom.
|#4||Red or Alive ->|
What time was Patrick’s Reddit account created?
Axiom can provide a lot of insight into different user accounts detected during analysis. This information is surfaced in the User Accounts Refined Results.
We see from the artifact that the Reddit account for PogProgrammer was created on 1/21/2022 at 9:59:38 PM.
|#5||Hanging on by a thread ->|
Which application was uninstalled?
The KnowledgeC Application Install States will show us what applications are added/removed from the device.
We can see that the only application that lists a state of Uninstalled is com.tencent.xin.
iLEAPP also presents this information in Apps – Uninstalled report.
A quick Googling of com.tencent.xin identifies that it is the bundle ID associated with the application WeChat.
|#6||Was the message Redd(it)? ->|
What was the content of the message in the last notification received from Reddit?
A global search in Axiom for “Reddit” yields a fair amount of results. We need to keep in mind the question called for the last notification the user received. If we head to User Notification Events (maintaining our global search on “Reddit”), then sort the results by recorded date…
Looking at the most recent entry we see that the message content was Kornbread and Jorgeous are still Making Fun of Cynthia’s Car Crash…
The same can be ascertained from iLEAPP (you’ll have to translate/filter on the BUNDLE id.)
|#7||Pigment of your imagination ->|
What is the hex code of the color assigned to work events?
The answer for this one is most easily found with iLEAPP. If we look under Calendar and then List, we see the listing of Calendars stored on the device.
We see that the calendar titled “Work” has an assigned color of purple with the hex value of #CC73E1FF.
|#8||Sponsored post ->|
How many promotion emails were left unread?
I had a bit of trouble with the answer being accepted for this one. Within iLEAPP if you navigate to Gmail – Label Details we can see all the different label/tags assigned. Using the Search filter I looked for “promo”.
23 was the number of messages with the ‘promo’ tag and listed as ‘Unread’. To my dismay this was not accepted for the answer. I’ll admit I did a brute force on this one and started incrementing in both directions. I didn’t have to get far until 21 was accepted. Obviously this isn’t something you can do in a real-world investigation. I learn a lot from playing CTFs. Every once in a while there’s a situation where you may have the answer, but don’t know WHY it is the answer. There’s always an opportunity to learn more.
|#9||To infinity and beyond! ->|
What alarm sound did Patrick choose?
Another quick one for iLEAPP. Looking at the Alarms section we see that the user had one alarm configured, possibly looking to score a new coffee machine from Bed, Bath and Beyond.
The entry shows the the alarm is set to use system:Radar as the alert notification sound.
|#10||Poor Reception ->|
When did the cellular service of this device expire?
A global search in Axiom for “expire” narrows the results to 32. That’s a manageable number to dig through. Within the Gmail Emails we see a communication from the user’s wireless carrier, Total Wireless.
The email says “your service expires in 7 days.” The email was received on 1/30/2022 at 7:35:33 PM. 7 days from the email would be 2/5/2022. Pay attention to the time format requested for the answer. The correct answer is 05/02/22.
|#11||Locate how you spend your time ->|
Which application had the most amount of screentime?
Within Axiom, I went to Application Usage – Screen Time Application Usage. Do a quick sort on Total Time (Seconds) and bam – Maps is at the top for most screen time.
But Maps was not the right answer. As I looked back at the display I saw that there were several applications (Tweetie2, AllTrails, Bumble) that had multiple entries. I needed to group the total time by application.
With the entries in Screen Time Application Usage highlighted, right click and Create Report / Export.
Enter everyone’s favorite Office application.. no it isn’t “Clippy” – it’s Excel.
Looking at the data grouped cumulatively, we see that Bumble has the most combined screen time usage (2686 seconds.)
|#12||TLDR: Kigarumis are scary ->|
What animal is Patrick’s Reddit avatar wearing?
If we go back to the Reddit account information we identified with Axiom earlier, we can see that it is pulling the account information from ~\private\var\mobile\Containers\Shared\AppGroup\C0D4CE88-705C-4BBD-9900-0CC64DAF8243\Library\Application Support\accounts\ivu21eum
Using the source link in Axiom brings us direct the location in the file system.
If we expand the details in the right panel we see an ‘avatar’ entry with a url of https://i.redd.it/snoovatar/avatars/4087a416-0590-445b-ac6a-28b3e810b763.png
I’m going to go ahead and call that an Owl.
|#13||A day without sunshine ->|
What is the name of the GIF sent to Patrick in a message on Bumble?
Bumble Messages is an artifact called out specifically by iLEAPP.
If we look around the table we see one of the incoming messages where the content is a url for giphy.com.
Clicking through the image will bring you to glyphy.com.
The name of the gif is above the image. This one threw me as the answer format was requested as ******************.***
If you drop the spaces and include a “.” , you get ThirstySteveMartin.GIF
|#14||What the .heic? ->|
Which cardinal direction was Patrick moving when he took a live photo?
There’s only one Live Photo identified in the dataset by Axiom, so I guess that starts us off pretty good.
There isn’t any GPS information included in the metadata, but zooming in to the picture we can see that it’s a business with the name “The Edge….(something)” and has an address that begins with “142 West Twin…” Additional details are hard to make out due to the placement of the columns. I remembered seeing a similar address in Apple Maps Trips.
Having the full address of 142 W Twin Oaks Terr,South Burlington, VT 05403 I head over to Google Maps and jump onto street view.
Comparing the street view images and the photo in the evidence, I suspect that the Edge (Sports and Fitness) is on the right side of the building. Aligning that with the compass at the bottom of the screen, (north = bottom) that would indicate that you would be facing West as you faced the entrance. But wait. Don’t hit submit just yet. The question asked which direction was Patrick MOVING when he took the picture.
Back on the Live Photo evidence, If we use the preview window to play the image, we can see that the person taking the picture is doing so while moving AWAY from the doors. If we’re facing West when facing the doors, that means we’d be moving East as we moved away from them.
|#15||Location, Location, Location ->|
When did Patrick first search for a website revealing his IP address?
Phew. We made it to the last question. Are you still with me?
Here’s another one that seems like the answer is straight forward, but then how easy can it be to be a top scoring question for 50 points?
If we take a look at the Google Searches Refined Result in Axiom, we can see several searches for http://www.whatismyip.com. The earliest one appears to be 1/21.
If we copy the full search URL and bring it over to Unfurl, we can break it up into its respective elements.
Unfurl breaks the search string down into multiple elements. One of those is the ei Timestamp value which represents when the session began. In this URL we have an e1 Timestamp value of 1642341682789711.
If we take that value back to Dcode we get a Unix timestamp (Chrome doesn’t use Apple Time) of 2022-01-16 09:01:22. Reformat to match the question format and you have 16/01/22 09:01:22.
So that’s how I completed the iOS 15 questions for the Magnet 2022 CTF. Hopefully you picked up a thing or two along the way. Have an alternate solution for any of the questions? Drop a line in the comments.