Magnet 2022 CTF – iOS15

One of the evidence items during the 2022 Magnet User Summit CTF was a full file system extraction of an iPhone running iOS 15. Recently the CTF creators made the evidence (and corresponding challenge questions) available at CyberDefenders.org. You can register for a free account and then download the evidence. There’s several recommended tools listed in the challenge summary. For me the tools used were:

Once you’re registered, process the evidence with Magnet and iLEAPP. The other tools we’ll touch on coming up.

WARNING: SPOILERS AHEAD

Don’t read ahead if you’re still working on the challenges. If you get stuck and want to see how I chose to solve it… then read on friend.

#1Personal List! ->
How many items were on Patrick’s shopping list?

We can answer this pretty quickly using Axiom or iLEAPP. Most forensicators will support a ‘multiple tool (toolbox)’ approach. As good as a tool is, it won’t always be the right tool for the job. Additionally, there’s value in being able to validate your findings across your different tools.

To answer this with Axiom, navigate to Apple Notes under Documents.

Grocery list in Apple Notes

The answer is just as accessible using iLEAPP. Scroll down until you see Notes on the left…

Notes in iLEAPP

Both tools identify a note with the contents: Grocery list, Energy drinks, Bread, Hand soap, Birthday card. If you look closely you can see that both tools are extracting the data from NoteStore.sqlite (validation.) So if we count up the items on the list (excluding the list title) we get 4.

#2Cache Me if You Can ->
What was the last position of the phone?

Hmm. Where does iPhone store cached location info? Enter Google. A search for “iPhone last cache location AND forensics” (the “AND” being needed otherwise results were all for clearing the cache on the device) led me to an interesting article about using a particular cache.sqlite to calculate location information. The article references the ZRTCLLOCATIONMO table in com.apple.routined > Cache.sqlite.

I navigated to the SQLite database in the File system view of Axiom, and then selected the ZRTCLLOCATIONMO table.

ZRTCLLOCATIONMO table in Cache.sqlite

There’s a timestamp value stored as ZTIMESTAMP. (Zis could be vaht we are looking for, ya?). The format isn’t human readable. As we’re looking for the ‘most recent’ entry, I sorted the column based on the ZTIMESTAMP value.

I take the timestamp from the top of the column and enter it in Dcode.

Dcode results

We see an Apple Absolute Time value that’s consistent with the other activities in the CTF, specifically to 2022-02-07 (7-February-2022). Heading to the other end of the column the ZTIMESTAMP value is 666555963.105048.

Dcode value 2

When we enter that value into Dcode we get a date of 2022-02-14 (14-February-2022). So now that we know which of the value extremes are the most recent, we can go back to the ZRTCLLOCATIONMO table and grab ZLATITUDE and ZLONGITUDE.

ZLATITUDE and ZLONGITUDE

The answer: 38.84412765, -77.28686523

#3Take your left shoe off… Now put it back on ->
When was the last reboot performed?

iLEAPP makes this one a cinch. Scroll down on the left until you get to State – Reboots

iLEAPP State – Reboots

We can see the last detected reboot was 2022-02-14 11:44:13. We can also verify this information by going to the source directly in Axiom.

Last detected reboot
#4Red or Alive ->
What time was Patrick’s Reddit account created?

Axiom can provide a lot of insight into different user accounts detected during analysis. This information is surfaced in the User Accounts Refined Results.

Reddit account info

We see from the artifact that the Reddit account for PogProgrammer was created on 1/21/2022 at 9:59:38 PM.

#5Hanging on by a thread ->
Which application was uninstalled?

The KnowledgeC Application Install States will show us what applications are added/removed from the device.

We can see that the only application that lists a state of Uninstalled is com.tencent.xin.

iLEAPP also presents this information in Apps – Uninstalled report.

iLEAPP Uninstalled Apps

A quick Googling of com.tencent.xin identifies that it is the bundle ID associated with the application WeChat.

#6Was the message Redd(it)? ->
What was the content of the message in the last notification received from Reddit?

A global search in Axiom for “Reddit” yields a fair amount of results. We need to keep in mind the question called for the last notification the user received. If we head to User Notification Events (maintaining our global search on “Reddit”), then sort the results by recorded date…

Reddit Notifications

Looking at the most recent entry we see that the message content was Kornbread and Jorgeous are still Making Fun of Cynthia’s Car Crash…

The same can be ascertained from iLEAPP (you’ll have to translate/filter on the BUNDLE id.)

#7Pigment of your imagination ->
What is the hex code of the color assigned to work events?

The answer for this one is most easily found with iLEAPP. If we look under Calendar and then List, we see the listing of Calendars stored on the device.

Calendar List report

We see that the calendar titled “Work” has an assigned color of purple with the hex value of #CC73E1FF.

#8Sponsored post ->
How many promotion emails were left unread?

I had a bit of trouble with the answer being accepted for this one. Within iLEAPP if you navigate to Gmail – Label Details we can see all the different label/tags assigned. Using the Search filter I looked for “promo”.

Gmail – Label Details report

23 was the number of messages with the ‘promo’ tag and listed as ‘Unread’. To my dismay this was not accepted for the answer. I’ll admit I did a brute force on this one and started incrementing in both directions. I didn’t have to get far until 21 was accepted. Obviously this isn’t something you can do in a real-world investigation. I learn a lot from playing CTFs. Every once in a while there’s a situation where you may have the answer, but don’t know WHY it is the answer. There’s always an opportunity to learn more.

#9To infinity and beyond! ->
What alarm sound did Patrick choose?

Another quick one for iLEAPP. Looking at the Alarms section we see that the user had one alarm configured, possibly looking to score a new coffee machine from Bed, Bath and Beyond.

Alarms report

The entry shows the the alarm is set to use system:Radar as the alert notification sound.

#10Poor Reception ->
When did the cellular service of this device expire?

A global search in Axiom for “expire” narrows the results to 32. That’s a manageable number to dig through. Within the Gmail Emails we see a communication from the user’s wireless carrier, Total Wireless.

Total Wireless email

The email says “your service expires in 7 days.” The email was received on 1/30/2022 at 7:35:33 PM. 7 days from the email would be 2/5/2022. Pay attention to the time format requested for the answer. The correct answer is 05/02/22.

#11Locate how you spend your time ->
Which application had the most amount of screentime?

Within Axiom, I went to Application Usage – Screen Time Application Usage. Do a quick sort on Total Time (Seconds) and bam – Maps is at the top for most screen time.

Screen Time Application Usage

But Maps was not the right answer. As I looked back at the display I saw that there were several applications (Tweetie2, AllTrails, Bumble) that had multiple entries. I needed to group the total time by application.

With the entries in Screen Time Application Usage highlighted, right click and Create Report / Export.

Report Export Menu

Enter everyone’s favorite Office application.. no it isn’t “Clippy” – it’s Excel.

I used the Pivot Table function to group by Row Label Application Name and then Total Time (Seconds).

Looking at the data grouped cumulatively, we see that Bumble has the most combined screen time usage (2686 seconds.)

#12TLDR: Kigarumis are scary ->
What animal is Patrick’s Reddit avatar wearing?

If we go back to the Reddit account information we identified with Axiom earlier, we can see that it is pulling the account information from ~\private\var\mobile\Containers\Shared\AppGroup\C0D4CE88-705C-4BBD-9900-0CC64DAF8243\Library\Application Support\accounts\ivu21eum

Reddit account information

Using the source link in Axiom brings us direct the location in the file system.

File system location

If we expand the details in the right panel we see an ‘avatar’ entry with a url of https://i.redd.it/snoovatar/avatars/4087a416-0590-445b-ac6a-28b3e810b763.png

Reddit avatar

I’m going to go ahead and call that an Owl.

#13A day without sunshine ->
What is the name of the GIF sent to Patrick in a message on Bumble?

Bumble Messages is an artifact called out specifically by iLEAPP.

Bumble – Messages report

If we look around the table we see one of the incoming messages where the content is a url for giphy.com.

https://giphy.com/embed/cXCVTR1wUn1a8

Clicking through the image will bring you to glyphy.com.

giphy.com

The name of the gif is above the image. This one threw me as the answer format was requested as ******************.***

If you drop the spaces and include a “.” , you get ThirstySteveMartin.GIF

#14What the .heic? ->
Which cardinal direction was Patrick moving when he took a live photo?

There’s only one Live Photo identified in the dataset by Axiom, so I guess that starts us off pretty good.

Live Photo in Axiom

There isn’t any GPS information included in the metadata, but zooming in to the picture we can see that it’s a business with the name “The Edge….(something)” and has an address that begins with “142 West Twin…” Additional details are hard to make out due to the placement of the columns. I remembered seeing a similar address in Apple Maps Trips.

Having the full address of 142 W Twin Oaks Terr,South Burlington, VT  05403 I head over to Google Maps and jump onto street view.

Google Street view

Comparing the street view images and the photo in the evidence, I suspect that the Edge (Sports and Fitness) is on the right side of the building. Aligning that with the compass at the bottom of the screen, (north = bottom) that would indicate that you would be facing West as you faced the entrance. But wait. Don’t hit submit just yet. The question asked which direction was Patrick MOVING when he took the picture.

Live Photo Preview

Back on the Live Photo evidence, If we use the preview window to play the image, we can see that the person taking the picture is doing so while moving AWAY from the doors. If we’re facing West when facing the doors, that means we’d be moving East as we moved away from them.

#15Location, Location, Location ->
When did Patrick first search for a website revealing his IP address?

Phew. We made it to the last question. Are you still with me?

Here’s another one that seems like the answer is straight forward, but then how easy can it be to be a top scoring question for 50 points?

Google Searches

If we take a look at the Google Searches Refined Result in Axiom, we can see several searches for http://www.whatismyip.com. The earliest one appears to be 1/21.

Google search string

If we copy the full search URL and bring it over to Unfurl, we can break it up into its respective elements.

Unfurl decoded URL

Unfurl breaks the search string down into multiple elements. One of those is the ei Timestamp value which represents when the session began. In this URL we have an e1 Timestamp value of 1642341682789711.

Unix time decode

If we take that value back to Dcode we get a Unix timestamp (Chrome doesn’t use Apple Time) of 2022-01-16 09:01:22. Reformat to match the question format and you have 16/01/22 09:01:22.

Final score

So that’s how I completed the iOS 15 questions for the Magnet 2022 CTF. Hopefully you picked up a thing or two along the way. Have an alternate solution for any of the questions? Drop a line in the comments.

2 thoughts on “Magnet 2022 CTF – iOS15

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s