Cellebrite CTF 2021 Writeup

Williams Kosasi
23 min read · Oct 5, 2021


Here, I will share all my correct answers for Cellebrite CTF 2021 and how I got them. My team name in this competition was trying2learn; however, I participated as an individual, because my main reason for taking part was to learn more about digital forensics. I finished in 47th place with a total score of 710 points (the same score as 46th place). Autopsy and Artifact Examiner were the main tools I used. Participants in Cellebrite CTF 2021 were given a free (trial) license for Cellebrite tools such as Physical Analyzer and Inspector, which, according to Heather Mahalik (Cellebrite), were very useful for this competition. Unfortunately, I registered a bit late, after the competition had already started, so I could not get the free (trial) license for Cellebrite Physical Analyzer and Inspector. The main page stated that the free (trial) licenses were out of stock.

Heisenberg’s Android

Heisenberg’s Android — Device Identification (10 points)

What is the Bluetooth MAC Address of the first vehicle Heisenberg’s Android connected to?

The history of Bluetooth connections on an Android device can be seen in bt_config.conf, located at /data/misc/bluedroid/bt_config.conf. If we look at the content of the bt_config.conf found on Heisenberg’s Android, we find that 3 devices were connected to it: SPEN 01 (B4F7) ZK, CAR MULTIMEDIA, and Bose SoundTouch CE2D10. Among those devices, CAR MULTIMEDIA is the only vehicle. We can also see that CAR MULTIMEDIA has the earliest timestamp of the three. The MAC addresses of these devices are also stored in the file; the MAC address of CAR MULTIMEDIA is shown below.

Figure 1. Snippet of bt_config.conf.

Flag: 34:c7:31:f8:61:3b

Heisenberg’s Android — Application Analysis (10 points)

Which website did Heisenburg look for guidance on how to mount a USB drive on his phone? (The answer should be the full website i.e www.XX.com)

Using Autopsy, we can see the web history of Heisenberg’s Android under Extracted Content. The web history has 1203 entries. After going through all of them, we find 3 entries with an interesting title: How to Connect USB Storage Devices to Your Android Phone | Tom’s Guide. The referrer URL for these entries is https://www.google.com/amp/s/www.tomsguide.com/amp/us/connect-usb-drive-to-android,news-21213.html. From this URL, we can see that the website Heisenberg looked at for guidance on how to mount a USB drive is www.tomsguide.com.

Flag: www.tomsguide.com

Heisenberg’s Android — Device Identification (10 points)

What Gmail account is set up on the device?

There are several files that can be used to find the Gmail account. One of them is Gmail.xml, located at /data/data/com.google.android.gm/shared_prefs/Gmail.xml. There, we can see the Gmail account in use, which is heisenbergcarro@gmail.com.

Figure 2. Content of Gmail.xml.

Flag = heisenbergcarro@gmail.com

Heisenberg’s Android — Application Usage (20 points)

Which applications did Heisenberg use to secure (hide) files and/or pictures?

  • SecureVault
  • HideX
  • Signal
  • Anti Spy

We can go to /data/data and look for and analyze the packages of the four applications mentioned above. After analyzing these packages, SecureVault was not found and Anti Spy (com.antispycell.free) didn’t store anything interesting. Meanwhile, HideX (com.flatfish.cal.privacy) and Signal (org.thoughtcrime.securesms) are interesting because of their data. After analyzing both applications more deeply, I believe that Signal only secures chats between users. So, I conclude that HideX is the application Heisenberg used to secure (hide) files and/or pictures, because this app even hides other apps (catching.cheatingspouseapp.app and com.whatsapp).

Flag = HideX

Heisenberg’s Android — Application Analysis (20 points)

Which website was accessed by the user on Heisenberg’s Android using DuckDuckGo?

One way to answer this question is to go through all 1203 entries of the web history under Extracted Content in Autopsy. To make it easier, I used the three websites listed as answer options as keywords in the Autopsy keyword search. The search returned nothing, so none of those websites was accessed by the user on Heisenberg’s Android.

Flag = none of the above

Heisenberg’s Android — Internet Artifacts (20 points)

When and in which city did Heisenberg search for rental properties on his Android? (Answer Format: YYYY-MM-DD HH:MM:SS NameOfCity)

To answer this question, we go to Extracted Content in Autopsy again and find the web history. We need to sort by the date accessed to see the timeline of the searches. As we can see from the figure below, Heisenberg searched for ‘raines property management’ 2 seconds after he searched for ‘properties for rent near me’. This indicates that ‘raines property management’ was near Heisenberg’s location when he searched for rental properties.

Figure 3. Snippet of web history on extracted content.

If we look it up on the internet, ‘raines property management’ is located in Blacksburg, so the name of the city is Blacksburg. We can see from Figure 3 that Heisenberg searched for ‘properties for rent near me’ on 2021-05-16 11:26:51 in my local time (UTC+7). We need to convert it to UTC, which gives 04:26:51 UTC.

Flag = 2021-05-16 04:26:51 Blacksburg

Heisenberg’s Android — Device Identification (20 points)

On Heisenberg’s Android, where else can you find the IMSI number on the device, other than the Checkin.xml file?

  • netpolicy.xml
  • mmssms.db
  • telephony.db
  • All of the Above

To answer this question, we need to check all three files above, but first we check the IMSI number in Checkin.xml. Checkin.xml is located at /data/data/com.google.android.gms/shared_prefs/Checkin.xml. The IMSI number in this file is the second part of the CheckinService_lastSim value (the first and second parts are separated by a colon). The file netpolicy.xml is located at /data/system/netpolicy.xml. In netpolicy.xml, the value of subscriberId is 310260275793897, which is the IMSI number of the device. The file telephony.db can be found at /data/user_de/0/com.android.providers.telephony/databases/telephony.db. The siminfo table in telephony.db has a column named ‘imsi’ which stores the IMSI number of the device (310260275793897). Since netpolicy.xml and telephony.db both store the IMSI number, the only answer option that can be correct is ‘All of the Above’, so we don’t need to analyze mmssms.db as well.

Flag = All of the Above

Heisenberg’s Android — Application Analysis (50 points)

Heisenberg was looking for cars. Which vehicle did he not search for?

  • Honda CRV
  • Toyota Avalon
  • Lexus ES
  • Ford Escape

The method I used to answer this question was to go to Extracted Content in Autopsy and look at EXIF Metadata. There are 111 pictures shown here. After viewing all 111 pictures, I found pictures related to the Honda CRV, Toyota Avalon, and Lexus ES, but I couldn’t find any picture related to the Ford Escape. So, I believe the Ford Escape is the vehicle Heisenberg didn’t search for.

Flag = Ford Escape

Beth’s iPhone

Beth’s iPhone — Device Connections (10 points)

What is the name of the vehicle Beth’s phone connected to on April 6, 2021?

The first thing we have to do is find all vehicles that connected to Beth’s phone. The information can be found in com.apple.carplay.plist, located at /filesystem1/private/var/mobile/Library/Preferences/com.apple.carplay.plist.

Figure 4. com.apple.carplay.plist parsed on Autopsy.

The names of the vehicles are MY-QX80, Kia Motors, Toyota Camry, MyLink, IntelliLink, and Uconnect. Next, we need to find out which one was connected to Beth’s phone on April 6, 2021. I used Artifact Examiner to find out whether any photos were taken on April 6, 2021. The result is shown in the figure below.

Figure 5. Photo(s) taken on April 6, 2021.

After that, we go to the folder that stores this photo, which is \filesystem1\private\var\mobile\Media\DCIM\100APPLE, and look for IMG_0022.HEIC. The photo is shown below. After searching on the internet, I found that the car shown is a MY-QX80. So, I conclude that this is the car connected to Beth’s iPhone on April 6, 2021.

Figure 6. IMG_0022.HEIC cropped.

Flag = MY-QX80

Beth’s iPhone — Communication and File Sharing (10 points)

For the picture IMG_0488.heic, which database identifies the person who shared the photo?

If we look at ‘Photos’ in Artifact Examiner, we cannot find IMG_0488.heic. This means the image is not listed in Photos.db, so there must be another database with information about IMG_0488.heic. Another database that might store photos is sms.db, where photos sent via SMS are listed. To check it, we search under ‘Communication’, specifically ‘SMS’, in Artifact Examiner. In the results, IMG_0488.heic was found. We can see from the figure below that the database that identifies the person who shared the photo is sms.db.

Figure 7. IMG_0488.heic shown as one of the result.

Flag = sms.db

Beth’s iPhone — Health and Exercise (20 points)

How many meters did Beth travel on February 28, 2021 in her local time?

We will use Artifact Examiner to help solve this problem. First, we need to make sure that we only accept information from February 28, 2021 in her local time, which is UTC-5 (change the time zone to the local time zone Artifact Examiner detected when it extracted the file at the beginning). Then we look for Health Activity in Artifact Examiner. There, we can see the user’s health activity, including walking/running distance. So, we just need to sum the walking/running distance entries on February 28, 2021 in her local time.

Flag = 2938.8

Beth’s iPhone — Communication and File Sharing (20 points)

Where was Beth on June 29, 2021 when she made a call to Marsha (only provide the city in your answer)?

We will use Artifact Examiner again here. Remember to change the time zone back to UTC+0. First, we set the date to June 29, 2021. After that, we look at the call history under Communication. There are 2 call history entries in the result: one incoming and one outgoing. The outgoing one is the call to Marsha. From the figure below, we can see the start time and end time of the call. We keep these and go to the Location tab, then match the time against the locations.

Figure 8. Call history on June 29, 2021.
Figure 9. Location of Marsha on June 29, 2021.

After we find the latitude and longitude, we can enter them into Google to help find the city name. Below is the result I found on Google Maps.

Figure 10. 40.7610296, -73.9649563 (location).

Flag = New York

Beth’s iPhone — Native Applications (20 points)

Which cards were saved in the Apple Wallet?

  • Visa
  • Capital One and Amex
  • None

The artifact related to Apple Pay is located at /filesystem1/private/var/mobile/Library/Passes/. To find which cards were saved, we can open passes23.sqlite and start analyzing. After analyzing all the tables in passes23.sqlite, no cards were found. So, we can conclude that none of the cards were saved in the Apple Wallet.

Flag = None

Beth’s iPhone — Settings: Auto-lock (20 points)

How long does Beth’s phone need to be inactive for the screen to auto-lock?

The artifact used is /filesystem1/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/PublicEffectiveUserSettings.plist. To solve this problem, I still used Autopsy because it can parse this plist file. The value we are looking for is maxInactivity, which is a subkey of restrictedValue. This subkey’s value shows us the maximum inactivity time before auto-lock. As we can see from Figure 11, the value shown is 2147483647, which is the maximum value of a signed 32-bit integer. This value means Never, so the screen will never auto-lock.

Figure 11. PublicEffectiveUserSettings.plist parsed on Autopsy.

Flag = Never

Beth’s iPhone — Settings and Notifications (20 points)

When does Beth’s iPhone require a password to unlock the device after locking it?

The artifact used is /filesystem1/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/PublicEffectiveUserSettings.plist. To solve this problem, I still used Autopsy because it can parse this plist file. The value we are looking for is maxGracePeriod, which is a subkey of restrictedValue. This subkey’s value shows us the maximum period during which the phone can be unlocked without entering the passcode. As we can see from the figure below, the value of maxGracePeriod is 0, which means the device requires the passcode immediately after the user locks the screen. On the iPhone, this option is shown as ‘Immediately’ instead of 0.

Figure 12. PublicEffectiveUserSettings.plist parsed on Autopsy.

Flag = Immediately

Beth’s iPhone — Device Connections (50 points)

When did Beth connect her device to Marsha’s laptop? Show answer as YYYY-MM-DD HH:MM:SS

I don’t know whether my method for this question is legitimate, because I used Marsha’s PC dataset to answer it. I checked the connection events between Beth’s iPhone and Marsha’s laptop using the SYSTEM hive found on Marsha’s PC. The file is located at /vol_vol6/Windows/System32/config/SYSTEM. The key we are looking for is the USB key at SYSTEM/ControlSet001/Enum/USB. There, we can see many devices connected to Marsha’s laptop, including two iPhone devices. One of them must be Beth’s iPhone. Next, we extract Beth’s iPhone with Artifact Examiner to see when Beth and Marsha met each other. We go to the Timeline tab and choose every subcategory in the Communication category. After running it, we can go to the Chat View tab and choose the conversation with +19735203731 [Marsha M]. Analyzing the chat, we find that Marsha and Beth met each other on 2021-04-06. The approximate time of their meeting is between 2021-04-06 20:32:54 and 2021-04-06 23:03:51. If we look at the USB key analyzed before, the first iPhone device connected to Marsha’s laptop on 2021-04-06 22:32:21 and the second iPhone device connected on 2021-04-15 04:34:24. This indicates that the first iPhone device connected to Marsha’s laptop is Beth’s iPhone, because the connection falls within their meeting time.

Flag = 2021-04-06 22:32:21

Beth’s iPhone — Device Identification (50 points)

Which iOS version was running on Beth’s iPhone on May 7, 2021?

  • 14.4
  • 14.5.1
  • 14.5
  • 14.6

The artifact I used to solve this problem is restore.log, located at /filesystem1/private/var/mobile/MobileSoftwareUpdate/restore.log. We can see the iOS version history from this file. We need to find the log entries that contain ‘eventTime’, so we use ‘eventTime’ as the keyword search. The figure below shows the entries I summarized. The timestamp shown is not the exact time of the iOS update; the update happened before the timestamp shown. However, we can still use it because these update log entries were created shortly after the update.

Figure 13. Software update log event on restore.log.

This file records the history of 5 iOS updates. From each entry, we can see the iOS version before and after the update. The timestamps are UNIX epoch values in milliseconds, so we need to convert them to UTC.

  • The first entry’s timestamp is 1613513504061 (Feb 16 2021 22:11:44 UTC). This entry records the update from 18B92 (iOS 14.2) to 18D52 (iOS 14.4).
  • The second entry’s timestamp is 1615298916695 (Mar 09 2021 14:08:36 UTC). This entry records the update from 18D52 (iOS 14.4) to 18D61 (iOS 14.4.1).
  • The third entry’s timestamp is 1617036440200 (Mar 29 2021 16:47:20 UTC). This entry records the update from 18D61 (iOS 14.4.1) to 18D70 (iOS 14.4.2).
  • The fourth entry’s timestamp is 1621342082093 (May 18 2021 12:48:02 UTC). This entry records the update from 18D70 (iOS 14.4.2) to 18E212 (iOS 14.5.1).
  • The fifth entry’s timestamp is 1623385881490 (Jun 11 2021 04:31:21 UTC). This entry records the update from 18E212 (iOS 14.5.1) to 18F72 (iOS 14.6).

We are asked for the iOS version running on Beth’s iPhone on May 7, 2021. According to the log, it must be between 14.4.2 and 14.5.1 (the iPhone might have been updated to 14.5.1 before the entry’s timestamp). Since 14.4.2 is not listed as an answer option, we can conclude that 14.5.1 is the iOS version running on Beth’s iPhone on May 7.

Flag = 14.5.1

Beth’s iPhone — Location Artifacts (50 points)

Which time zones were visited while the device was on iOS 14.4. Select all that apply.

  • Central, Eastern, Mountain
  • Pacific, Eastern
  • Central, Pacific, Eastern
  • Eastern

We will still use the iOS version history found in the previous problem. The approximate time the device was running iOS 14.4 is from Feb 16 2021 22:11:44 UTC until Mar 09 2021 14:08:36 UTC. Next, we need to find the time zone changes that occurred on this device. The artifact used is logd.0.log, located at /filesystem1/private/var/db/diagnostics/logd.0.log, where time zone changes are logged. There are a lot of entries in this file; we just need to look at the entries stating ‘Time zone changed, updating file headers’. Below is the summary I made by filtering on the approximate time the device was running iOS 14.4.

  • 2021-02-16 14:13:21-0500 logd[30]: Time zone changed, updating file headers
  • 2021-02-27 14:20:00-0600 logd[32]: Time zone changed, updating file headers
  • 2021-02-28 09:47:53-0700 logd[32]: Time zone changed, updating file headers
  • 2021-03-04 15:14:04-0600 logd[32]: Time zone changed, updating file headers
  • 2021-03-05 08:51:59-0500 logd[32]: Time zone changed, updating file headers

The first entry in my summary is included because its timestamp is very close to the iOS 14.4 update log entry in restore.log.

There are 3 time zones found here: UTC-5 (Eastern), UTC-6 (Central), and UTC-7 (Mountain).

Flag = Central, Eastern, Mountain
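The two questions above (which iOS version was running on a given date, and which time zones were visited while on a given version) both rest on the same timeline built from the restore.log eventTime values. The following Python is an added example, not code from the writeup: it converts the millisecond timestamps to UTC, derives one version window per update, answers the first question for an arbitrary date, and filters constructed logd.0.log lines (the five from the writeup plus one extra line outside the 14.4 window) by that window, mapping each UTC offset to a US standard-time zone name. The tolerance_hours parameter is my own knob for the restore.log lag the writeup mentions.

```python
import re
from datetime import datetime, timedelta, timezone

# Update records summarised from restore.log in the writeup:
# (eventTime in epoch milliseconds, build before, version before, build after, version after).
UPDATES = [
    (1613513504061, "18B92", "14.2", "18D52", "14.4"),
    (1615298916695, "18D52", "14.4", "18D61", "14.4.1"),
    (1617036440200, "18D61", "14.4.1", "18D70", "14.4.2"),
    (1621342082093, "18D70", "14.4.2", "18E212", "14.5.1"),
    (1623385881490, "18E212", "14.5.1", "18F72", "14.6"),
]

# Constructed logd.0.log lines: the five from the writeup plus one later line (Pacific
# Standard Time) that falls outside the iOS 14.4 window and must be filtered out.
LOGD_LINES = """\
2021-02-16 14:13:21-0500 logd[30]: Time zone changed, updating file headers
2021-02-27 14:20:00-0600 logd[32]: Time zone changed, updating file headers
2021-02-28 09:47:53-0700 logd[32]: Time zone changed, updating file headers
2021-03-04 15:14:04-0600 logd[32]: Time zone changed, updating file headers
2021-03-05 08:51:59-0500 logd[32]: Time zone changed, updating file headers
2021-03-12 10:00:00-0800 logd[32]: Time zone changed, updating file headers
"""

TZ_LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})([+-]\d{4}) logd\[\d+\]: Time zone changed")

# US standard-time offsets. Every line in the 14.4 window predates the 2021 DST switch
# (March 14), so a plain offset lookup is safe here; under DST the same offset names a
# different zone (for example -0700 is Pacific Daylight Time).
STANDARD_OFFSET_ZONE = {-5: "Eastern", -6: "Central", -7: "Mountain", -8: "Pacific"}


def ms_to_utc(ms):
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def version_windows():
    """[(version, start_utc, end_utc_or_None)] built from consecutive restore.log entries."""
    windows = [(UPDATES[0][2], None, ms_to_utc(UPDATES[0][0]))]
    for i, (ms, _b0, _v0, _b1, v1) in enumerate(UPDATES):
        end = ms_to_utc(UPDATES[i + 1][0]) if i + 1 < len(UPDATES) else None
        windows.append((v1, ms_to_utc(ms), end))
    return windows


def version_on(date_iso):
    """iOS version the log supports for a date (YYYY-MM-DD, treated as 00:00 UTC).
    eventTime is written after the update, so the real change may be slightly earlier."""
    when = datetime.fromisoformat(date_iso).replace(tzinfo=timezone.utc)
    for version, start, end in version_windows():
        if (start is None or when >= start) and (end is None or when < end):
            return version
    return None


def zones_while_on(version, log_text, tolerance_hours=0):
    """Time zones (by standard-time offset) logged while the device ran `version`.
    tolerance_hours widens the window start to allow for the restore.log lag."""
    window = next((w for w in version_windows() if w[0] == version), None)
    if window is None:
        return []
    _v, start, end = window
    if start is not None:
        start -= timedelta(hours=tolerance_hours)
    zones = set()
    for line in log_text.splitlines():
        m = TZ_LINE_RE.match(line)
        if not m:
            continue
        stamp = datetime.strptime(m.group(1) + m.group(2), "%Y-%m-%d %H:%M:%S%z")
        if (start is not None and stamp < start) or (end is not None and stamp >= end):
            continue
        hours = int(stamp.utcoffset().total_seconds() // 3600)
        zones.add(STANDARD_OFFSET_ZONE.get(hours, f"UTC{hours:+d}"))
    return sorted(zones)


if __name__ == "__main__":
    for version, start, end in version_windows():
        print(version, start, "->", end)
    print("2021-05-07:", version_on("2021-05-07"))
    print("zones on 14.4:", zones_while_on("14.4", LOGD_LINES, tolerance_hours=3))
```

For May 7 the log alone gives 14.4.2; the writeup's answer of 14.5.1 comes from 14.4.2 not being an answer option combined with the lag of the log entry behind the actual update.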

Marsha’s iPhone

Marsha’s iPhone — Settings and Notifications-FFS (20 points)

How many keyboards were set on Marsha’s device?

The artifact used is /filesystem2/mobile/Library/Keyboard/. This folder stores the keyboards set on Marsha’s device. The figure below shows the list of files.

Figure 14. List of files in /filesystem2/mobile/Library/Keyboard.

We can see from the figure above that an English keyboard was used (en-dynamic.lm), a Hebrew keyboard was used (he_IL-dynamic-text.dat), and an Emoji keyboard was used (inside langlikelihood.dat, there is a table named EmojiByApp).

Flag = 3

Marsha’s iPhone — Location Artifacts (20 points)

Marsha ordered a beer on vacation. “Aloha! How much is a Blonde?” (no $ sign needed)

The first thing I tried to find was Marsha’s location when she ordered a beer on vacation. The keywords here are ‘Blonde’ and ‘Beer’. The method I used to find the location was to analyze all files in /filesystem2/mobile/Media/DCIM/100APPLE/ and /filesystem2/mobile/Media/DCIM/101APPLE/, because both folders store photos and videos taken by Marsha. Marsha might have taken a photo or recorded a video when she ordered the beer on her vacation. After analyzing all the photos, I found an interesting one: IMG_1814.HEIC.

Figure 15. IMG_1814.HEIC

From the figure above, we can see there is a beer named ‘Aloha Blonde’. This matches the question, where both ‘Aloha’ and ‘Blonde’ are mentioned. Luckily, we can also see the price of the beer in the figure: 6.50 for a pint and 20 for 64 oz. The first price I tried as the answer was 6.50, because normally people order a pint of beer instead of 64 oz. My answer was correct.

Flag = 6.50

Marsha’s iPhone — Device Connections (20 points)

Marsha connected her iPhone to one car make more than any other. Once you have determined which make, you can answer the name of the CarPlay system in use

The artifact used to answer this question is com.apple.carplay.plist, located at /filesystem2/mobile/Library/Preferences/com.apple.carplay.plist. This file is parsed automatically by Autopsy, so we can see the details of all subkeys (devices) under the pairing key to find out the most used CarPlay system. We just need to look at the name value of each subkey.

Figure 16. com.apple.carplay.plist opened using Autopsy.

After analyzing all the subkeys, we find that SYNC 3 is the name value of 4 subkeys, which makes it the CarPlay system most frequently connected to Marsha’s iPhone.

Flag = SYNC 3

Marsha’s iPhone — Application Analysis (20 points)

What was the title of the most recent podcast playing while connected to a vehicle?

The artifact used to answer this problem is MTLibrary.sqlite, located at /filesystem2/mobile/Containers/Shared/AppGroup/28DAC7A9-189D-42BA-A51B-5CC121658B7F/Documents/MTLibrary.sqlite. The app group 28DAC7A9-189D-42BA-A51B-5CC121658B7F refers to the Apple Podcasts app on Marsha’s iPhone. We will focus on the ZLASTDATEPLAYED and ZTITLE columns of the ZMTEPISODE table. But first, we need to find out the last time the Apple Podcasts app was connected to a vehicle. To find this, we can use Artifact Examiner and look for CarPlay App Usage. The figure below shows the records. We can see that com.apple.podcasts was used once, on 2021-07-13 13:01:49 UTC.

Figure 17. CarPlay App Usage on Artifact Examiner.

So, we go back to ZMTEPISODE in MTLibrary.sqlite and check the entries whose ZLASTDATEPLAYED is after 2021-07-13 13:01:49 UTC. We first need to convert ZLASTDATEPLAYED to a UNIX timestamp by adding 978307200 to the value, and then convert that to UTC. We sort by ZLASTDATEPLAYED, starting from the most recently played.

  • Z_PK = 32, ZLASTDATEPLAYED (as UNIX time) = 1626182166.99 (Jul 13 2021 13:16:06)
  • Z_PK = 34, ZLASTDATEPLAYED (as UNIX time) = 1626181448.45 (Jul 13 2021 13:04:08)
  • Z_PK = 7, ZLASTDATEPLAYED (as UNIX time) = 1626169546.61 (Jul 13 2021 09:45:46)

Of the three most recently played podcasts, the answer is either the most recent or the second most recent, because the third one was started before the phone was connected to the vehicle. So, I tried answering with the most recently played podcast (Z_PK = 32), whose title is ‘Commercial Pilot Systems’. The answer was correct.

Flag = Commercial Pilot Systems
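The conversion and filtering steps above, as an added Python example that is not part of the writeup. Core Data stores dates as seconds since 2001-01-01 UTC; the three values the writeup lists are already the UNIX-converted ones, so the constructed rows below hold the raw Core Data values (978307200 less) and a NULL row for a never-played episode. Only the Z_PK 32 title comes from the writeup; the other titles are placeholders.

```python
from datetime import datetime, timezone

# Core Data (NSDate) timestamps count seconds from 2001-01-01 00:00:00 UTC;
# adding this offset gives a UNIX timestamp, exactly the step the writeup describes.
COCOA_EPOCH_OFFSET = 978307200

# Constructed rows modelled on the ZMTEPISODE table (Z_PK, ZTITLE, ZLASTDATEPLAYED).
# Z_PK values and play times are the ones quoted in the writeup, stored here as raw Core
# Data seconds; only the Z_PK 32 title is from the writeup, the rest are placeholders.
EPISODES = [
    {"Z_PK": 7, "ZTITLE": "placeholder episode A", "ZLASTDATEPLAYED": 647862346.61},
    {"Z_PK": 32, "ZTITLE": "Commercial Pilot Systems", "ZLASTDATEPLAYED": 647874966.99},
    {"Z_PK": 34, "ZTITLE": "placeholder episode B", "ZLASTDATEPLAYED": 647874248.45},
    {"Z_PK": 12, "ZTITLE": "placeholder never played", "ZLASTDATEPLAYED": None},
]


def cocoa_to_utc(seconds):
    """Convert a Core Data timestamp to an aware UTC datetime."""
    return datetime.fromtimestamp(seconds + COCOA_EPOCH_OFFSET, tz=timezone.utc)


def episodes_played_since(rows, connected_at_utc):
    """Episodes whose last play time is at or after `connected_at_utc`
    ('YYYY-MM-DD HH:MM:SS', UTC), most recent first, as (utc string, Z_PK, title)."""
    cutoff = datetime.fromisoformat(connected_at_utc).replace(tzinfo=timezone.utc)
    played = []
    for row in rows:
        if row["ZLASTDATEPLAYED"] is None:  # NULL means never played, skip it
            continue
        stamp = cocoa_to_utc(row["ZLASTDATEPLAYED"])
        if stamp >= cutoff:
            played.append((stamp, row["Z_PK"], row["ZTITLE"]))
    played.sort(key=lambda item: item[0], reverse=True)
    return [(s.strftime("%Y-%m-%d %H:%M:%S"), pk, title) for s, pk, title in played]


def most_recent_podcast_in_vehicle(rows, connected_at_utc):
    """Title of the most recently played episode after the CarPlay connection, or None."""
    hits = episodes_played_since(rows, connected_at_utc)
    return hits[0][2] if hits else None


if __name__ == "__main__":
    # Connection time from the CarPlay App Usage record in the writeup.
    for item in episodes_played_since(EPISODES, "2021-07-13 13:01:49"):
        print(item)
    print(most_recent_podcast_in_vehicle(EPISODES, "2021-07-13 13:01:49"))
```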

Marsha’s iPhone or backup

Marsha’s iPhone or backup — Native Applications (20 points)

A text shortcut/replacement was set on Marsha’s device, what was the shortcut for the full phrase? (your answer must only be the shortcut)

The artifact used to answer this question is TextReplacements.db, located at /filesystem2/mobile/Library/KeyboardServices/TextReplacements.db. Text shortcuts/replacements on an iPhone can be found in this file. We look at the ZTEXTREPLACEMENTENTRY table. There is only one entry, where ZSHORT (the shortcut) is ‘omw’ and ZPHRASE (the full phrase) is ‘On my way!’.

Flag = omw

Marsha’s iTunes Backup

Marsha’s iTunes Backup — General Identifiers (10 points)

What phone numbers were used by Marsha on the iPhone X? (Make sure to enter the + and country code and use the delimitor “and” in between the answer — ie, +17032226666 and +13012224444)

We will use Artifact Examiner to help solve this problem. After extracting Marsha’s iPhone with Artifact Examiner, we can go to the Device tab, where we find all the phone numbers used by Marsha on the iPhone X.

Figure 18. Marsha’s iPhone account information.

From the figure above, we can see that there are 3 phone numbers used by Marsha: +19735203731, +972529502149, and +12068996918. At first, I tried to answer using all three (+19735203731 and +972529502149 and +12068996918). Unfortunately, that was wrong. Then, I tried using only the 2 phone numbers with the United States calling code (+1), ignoring the one with the Israel calling code (+972), and got the correct answer.

Flag = +19735203731 and +12068996918

Marsha’s iTunes Backup — Location Artifacts (10 points)

When was Marsha in Washington County, Oregon? State the answer as YYYY-MM-DD.

We will use Artifact Examiner to help solve this problem. The first thing I tried was finding Marsha’s locations from the Photos in the Timeline tab. I used ‘, OR ’ as the keyword search to find all photos taken in Oregon. After that, we collect the location of each photo by viewing the ‘Moment’ in its metadata. There are 7 cities found. So, I looked up the county of each city on the internet. Below is the list of the cities.

  • Tigard, Washington County
  • McMinnville, Yamhill County
  • Waldport, Lincoln County
  • Newport, Lincoln County
  • Depoe Bay, Lincoln County
  • Portland, Multnomah County
  • Hillsboro, Washington County

Only two of the cities are in Washington County, so we are left with Tigard and Hillsboro. The date Marsha visited Tigard is 07-12-2020 and the date she visited Hillsboro is 04-05-2021. At first, I tried ‘2021-05-04’, because Tigard is located at the edge of Oregon, so I thought Hillsboro was the correct answer. Unfortunately, that was wrong. So, I tried ‘2020-12-07’ and got the correct answer.

Flag = 2020-12-07

Marsha’s PC

We will use Autopsy to open the ‘sda Image.E01’ file.

Marsha’s PC — Backup and syncing data (10 points)

Were any backups located on the PC? If so, what is the name of the device that was backed up?

For this problem, I had no idea which artifact to look at, so I tried using ‘’s iPhone’ as the keyword search in Autopsy. There are 5 files in the result, as shown in the figure below.

Figure 19. List of file shown using ‘‘s iPhone’ as the keyword search in Autopsy.

The first, second, and third files refer to mumma’s iPhone. The fourth one refers to john’s iPhone. The fifth one refers to Marsha’s iPhone. After analyzing all the files, MediaDb.v1.sqlite, which refers to Marsha’s iPhone, is very interesting because it contains a lot of information related to Marsha’s iPhone, including her messages, photos, and more. So, we can consider this an artifact created by the backup of Marsha’s iPhone.

Flag = Marsha’s iPhone

Marsha’s PC — User Activity (10 points)

When did Marsha last change the password on her PC? (The answer must be shown as YYYY-MM-DD HH:MM:SS)

To answer this question, we will use Registry Explorer, because the Autopsy registry parser cannot be used to view the last password change. The artifact we load in Registry Explorer is the SAM hive, located at /vol_vol6/Windows/System32/config/SAM. After loading it, we go to /SAM/Domains/Account/Users/ and look at the User Account tab on the right side of Registry Explorer. The result is shown in the figure below.

Figure 20. Users key on /SAM/Domains/Account/Users/.

As we can see from the figure above, there are 5 entries. We focus only on the fifth entry, which relates to Marsha’s account. There is a Last Password Change column whose value is 2021-03-23 19:22:12. This is the last time Marsha changed her password on her PC. The timestamp is already in UTC because we opened the hive with Registry Explorer.

Flag = 2021-03-23 19:22:12

Marsha’s PC — Settings and Notifications (10 points)

What is Marsha’s timezone set to on her PC? (Make sure your answer says THIS STANDARD TIME. The word “time” must be in your answer.)

The SYSTEM registry hive located at /vol_vol6/Windows/System32/config/SYSTEM is the artifact used to find the time zone set on Marsha’s PC. For this question, we can view the hive directly in Autopsy. We go to the /ControlSet001/Control/TimeZoneInformation key and look at the value of TimeZoneKeyName, which is Pacific Standard Time. This is the time zone set on Marsha’s PC.

Flag = Pacific Standard Time

Marsha’s PC — Application Analysis (10 points)

Marsha searched for anti-forensic methods on her PC. What did she search for other than “how to wipe my data” in regards to securing her phone?

To answer this problem, we go to Extracted Content in Autopsy and find the web searches. There are 23 entries in the result. After analyzing them, we find a web search regarding securing her phone other than ‘how to wipe my data’, which is ‘encrypt my fone’. The browser used was Firefox.

Flag = encrypt my fone

Marsha’s PC — Device Connections (10 points)

What was the drive letter associated to the media from which Digital Collector was run? (Make sure the form is as follows h:\)

Here, we know that Digital Collector was executed, and we are asked to find the drive letter of the media that stored Digital Collector. The artifact we look for is UserAssist, because it is one of the program execution artifacts on Windows. The registry hive that stores this information is NTUSER.DAT, located at /vol_vol6/Users/marsh/NTUSER.DAT. The path to UserAssist is /Software/Microsoft/Windows/CurrentVersion/Explorer/UserAssist. Under UserAssist, there are several subkeys, each with a subkey named ‘Count’. We analyze the ‘Count’ subkey of every subkey under UserAssist. After analyzing all of them, we find the answer in the ‘Count’ subkey under the subkey named {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}.

Figure 21. NTUSER.DAT/Software/Microsoft/Windows/CurrentVersion/Explorer/UserAssist/{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}/Count.

From the figure above, we can see that DigitalCollector.exe was stored on the D:\ drive.

Flag = d:\

Marsha’s PC — Device Identification (10 points)

Which operating system is running on Marsha’s PC?

To answer this problem, we just need to go to Extracted Content in Autopsy and find Operating System Information. The result is shown in the figure below. We can see that the operating system running on Marsha’s PC is Windows 10 Pro.

Figure 22. Operating System Information of Marsha’s PC.

Flag = Windows 10 Pro

Marsha’s PC — User Activity (20 points)

Some computers have settings to force password resets. Marsha’s PC does not have this rule set. Which user key stores this information?

We analyze the SAM hive to answer this question, because the information can be found under /SAM/Domains/Account/Users/. The tool used is Registry Explorer, because it gives more results when parsing the hive. The SAM hive is located at /vol_vol6/Windows/System32/config/SAM. After loading it in Registry Explorer, we go to /SAM/Domains/Account/Users/.

Figure 23. Users key on /SAM/Domains/Account/Users/.

From the figure above, we can see that Marsha’s user ID is 1001, which is 0x3E9 in hexadecimal. So, we go to the subkey ‘000003E9’, which relates to Marsha.

Figure 24. 000003E9 key on /SAM/Domains/Account/Users/000003E9.

From the figure above, we can see that ForcePasswordReset was not set. So, this is the Users subkey that stores the force password reset information for Marsha’s account.

Flag = 000003E9

Marsha’s PC — User Activity (20 points)

On Marsha’s PC, what is path for how the user landed on a directory named “DELETEME”? (Provide the full path as the user would see it. For example: c:\users\marsha\desktop\deleteme)

To answer this problem, the artifact used is ShellBags. We can go to Extracted Content in Autopsy and find the ShellBags information. There are 48 entries in the result. After analyzing all of them, we find the interesting result shown in Figure 25.

Figure 25. Snippet of shell bags on extracted content.

From the figure above, we can see that the full path of DELETEME is e:\CTF2\Marsha Laptop\DELETEME.

Flag = e:\CTF2\Marsha Laptop\DELETEME

Marsha’s PC — Application Usage (20 points)

How many times was OneNote run on Marsh’a PC?

The artifact used to answer this question is the prefetch file for OneNote, located at /vol_vol6/Windows/Prefetch/ONENOTE.EXE-3C64260B.pf. We use PECmd to parse this file. The result is shown in Figure 26.

Figure 26. Snippet of ONENOTE.EXE-3C64260B.pf parsed using PECmd.

From the figure above, we can see that ONENOTE.EXE ran 2 times on Marsha’s PC.

Flag = 2

Marsha’s PC — Native Applications (20 points)

When was cmd.exe last run on Marsha’s PC? Answer must be provided in YYYY-MM-DD HH:MM:SS.

The artifact used to answer this question is the prefetch file for cmd.exe, located at /vol_vol6/Windows/Prefetch/CMD.EXE-0BD30981.pf. We use PECmd to parse this file. The result is shown in Figure 27.

Figure 27. Snippet of CMD.EXE-0BD30981.pf parsed using PECmd.

From the figure above, we can see that the last run time of cmd.exe is 2021-07-30 02:13:55. The timestamp is already in UTC.

Flag = 2021-07-30 02:13:55

Marsha’s PC — User Activity (20 points)

How many times did Marsha log into her computer on July 24, 2021? (The answer must be in an integer)

The artifact used to answer this question is Security.evtx, located at /vol_vol6/Windows/System32/winevt/Logs/Security.evtx. We could open this file in Event Viewer; however, I used EvtxECmd to make it easier to analyze. Below is the command I used to parse the file.

EvtxECmd.exe -f "E:\CTF Challenge\Cellebrite CTF 2021\Marsha PC\Cellebrite CTF 2021 — Marsha’s PC\Export\Security.evtx" --csv "E:\CTF Challenge\Cellebrite CTF 2021\Marsha PC\Cellebrite CTF 2021 — Marsha’s PC\Export" --csvf "csvSecurity.csv"

After that, we use Timeline Explorer to open the file. We need to filter the Time Created column to ‘2021-07-24’ and the User Name column to ‘Marsha’. There are 8 entries in the result. If we look at the Map Description column, all the entries have the same value, Administrative logon. Next, we need to check the Time Created of each entry.

Figure 28. csvSecurity.csv filtered with ‘2021-07-24’ on the Time Created column and ‘Marsha’ on the User Name column.

From the figure above, we can see that some logon events generate more than one entry. The first time Marsha logged into her computer on July 24, 2021 generated one entry (the first). The second logon generated two entries (the second and third). The third logon generated two entries (the fourth and fifth). The fourth logon generated one entry (the sixth). The fifth logon generated two entries (the seventh and eighth).

Flag = 5

Thanks for reading, feel free to leave any comments.
