Introduction
On October 18th, 2020, Cellebrite announced on their blog that they were hosting their own capture the flag event. The event began on October 26th and ended at midnight on the 29th. The CTF was hosted on cellebrite.ctfd.io. Four forensic phone images were provided for analysis and solving the event’s challenges. The archived images can be downloaded from the following links:
The images were password protected; an email had to be sent to the Cellebrite CTF team to get the password. The images provided were two iPhone X images, a Samsung Galaxy A10e, and a Samsung Galaxy S8. Questions came in three difficulty levels with different points awarded.
- Level 1 – 10 points each
- Level 2 – 20 points each
- Level 3 – 50 or 100 points each
Hints were given for certain questions but also cost a certain number of points to view. A trial copy of Cellebrite Physical Analyzer was provided for two weeks to use for the competition. Again, the Cellebrite CTF team had to be emailed for a license. The trial version of Physical Analyzer lasts for two weeks.
Tony Mederos Galaxy A10e
Extraction Type – 10pts
What type of extraction is this? (Acronym or Full Wording)
This question appears simple but actually took a few tries to answer properly. Cellebrite appears to list the extraction type right on the Extraction Summary page. However, File System and File System [ Android ADB ] are not accepted answers. The correct accepted answer is Full File System.
Operating System – 10pts
What Android Version is this device running? (enter just numerical value)
The OS version can also be seen right in the Extraction Summary tab. The source of this information is the build.prop file. The solution is 10.
Crypto – 10pts
What is the name of the Crypto Currency application?
Simply look under the Installed Applications tab, then Cryptocurrency. com.mycelium.wallet is installed, with the app name being Mycelium, which is the solution to this question.
Security Patch – 20pts
What Security Patch Level does this device have? (Date Format: MM-DD-YYYY for example: 12-30-2025)
The security patch is also found further down in the build.prop file. Converting this to the answer format, we get 05-01-2020 as the solution.
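Both the Operating System and Security Patch answers come from the same build.prop file, so it is worth having a small parser that pulls them out and converts the patch level into the CTF's MM-DD-YYYY format without retyping dates by hand. The following is an added example, not code from the writeup or from Cellebrite; the sample file contents are constructed, using the standard Android property names ro.build.version.release and ro.build.version.security_patch with the values this image is reported to contain.

```python
from datetime import datetime
from typing import Dict, Optional

# Constructed sample of a build.prop excerpt. The key names are the standard
# Android system property names; the values match what the writeup reports
# for this Galaxy A10e image (Android 10, patch level 2020-05-01).
SAMPLE_BUILD_PROP = """\
# begin build properties
ro.build.version.release=10
ro.build.version.sdk=29
ro.build.version.security_patch=2020-05-01
"""


def parse_build_prop(text: str) -> Dict[str, str]:
    """Parse key=value lines from a build.prop, skipping comments and blanks."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def android_version(props: Dict[str, str]) -> Optional[str]:
    """Return the numeric Android release, e.g. '10', or None if absent."""
    return props.get("ro.build.version.release")


def security_patch_mmddyyyy(props: Dict[str, str]) -> Optional[str]:
    """Convert the ISO patch level (YYYY-MM-DD) into the CTF's MM-DD-YYYY format."""
    raw = props.get("ro.build.version.security_patch")
    if raw is None:
        return None
    return datetime.strptime(raw, "%Y-%m-%d").strftime("%m-%d-%Y")


if __name__ == "__main__":
    props = parse_build_prop(SAMPLE_BUILD_PROP)
    print("Android version:", android_version(props))
    print("Security patch:", security_patch_mmddyyyy(props))
```

Point the parser at the extracted /system/build.prop from an image (or paste its contents into SAMPLE_BUILD_PROP) and it prints both answers in the format the challenge expects.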
Location Location Location – 20pts
Was Tony looking for any houses, if so, in what city?
Hmm. Tony probably tried looking up houses for sale online. Let's check that. Going to the Web History tab and searching for “house” shows Tony visited https://www.realtor.ca/. Searching for “realtor” shows us a list of all the pages on the website he visited.
These links are viewable in a browser by copying them or Control-Clicking the link in the tab on the right. Several of these links contain the specific information Tony was looking for, and viewing them in the browser shows the exact page Tony was looking at.
This shows that Tony was looking for houses in Vancouver.
Job Search – 20pts
What possible new jobs was Tony looking at?
Again, starting with Tony’s browsing history, we can see one of the nine phrases Tony searched is “how much does an oil tanker captain make”, found under the Searched Items tab. Searching for “captain” in the Web History tab also shows a website he looked at after this Google search.
The solution to this challenge is the job he Googled about, a “ship captain”.
Wallet ID – 20pts
What’s the Crypto Wallet ID?
Searching the entire image for “wallet” yields several results, including one in the user’s messages with Rene. You can find a wallet ID by simply going up a few messages in the conversation to get some context.
The solution is 33wnUqRbPT49Z6c7Mkc3PojBHAJEZuacao.
Name – 20pts
What is Scurvy’s real name? (Given name only)
Searching the entire image for “scurvy” gives a lot of results. The Android contacts database doesn’t list a full name for Mr. Scurvy. The social media results are interesting though. There are several Facebook comments from a “Paul Scurvy”.
Entering “Paul Scurvy” shows us this is the correct answer.
Auto Join WiFi – 50pts
Was Auto Join enabled on CSIS?
Selecting the Wireless Networks tab from the summary page, we can see the information about the CSIS access point. Going to the XML source file and searching for “auto” reveals the presence of an attribute titled AutoReconnect. The value is set to 1. So, yes, auto join was enabled.
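Rather than scanning the XML by hand for every network, the per-network settings in WifiConfigStore.xml can be pulled out programmatically. The following is an added example, not code from the writeup or from Cellebrite. The sample document is constructed in the style of an Android WifiConfigStore.xml (SSIDs stored quoted inside a string element, settings as typed child elements of each WifiConfiguration); the AutoReconnect element is assumed to be an int child of the network's configuration block, matching the attribute and value the writeup found, and the pre-shared key is left null because, as the writeup notes for this image, the plaintext password is not stored in this file.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Optional

# Constructed sample in the style of /data/misc/wifi/WifiConfigStore.xml.
# Real files carry many more elements; the AutoReconnect <int> placement is an
# assumption based on the attribute name reported in the writeup.
SAMPLE_WIFI_CONFIG_STORE = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<WifiConfigStoreData>
<int name="Version" value="1" />
<NetworkList>
<Network>
<WifiConfiguration>
<string name="ConfigKey">&quot;CSIS&quot;WPA_PSK</string>
<string name="SSID">&quot;CSIS&quot;</string>
<null name="PreSharedKey" />
<int name="AutoReconnect" value="1" />
</WifiConfiguration>
</Network>
<Network>
<WifiConfiguration>
<string name="ConfigKey">&quot;Guest&quot;NONE</string>
<string name="SSID">&quot;Guest&quot;</string>
<int name="AutoReconnect" value="0" />
</WifiConfiguration>
</Network>
</NetworkList>
</WifiConfigStoreData>
"""


def list_networks(xml_text: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Return {ssid: {setting_name: value}} for every WifiConfiguration block."""
    root = ET.fromstring(xml_text)
    networks: Dict[str, Dict[str, Optional[str]]] = {}
    for cfg in root.iter("WifiConfiguration"):
        fields: Dict[str, Optional[str]] = {}
        for child in cfg:
            name = child.get("name")
            if name is None:
                continue
            # <string> holds its value as text; <int>/<boolean> use a value attribute;
            # <null> has neither and is recorded as None.
            fields[name] = child.text if child.tag == "string" else child.get("value")
        # The SSID is stored with literal surrounding quotes; strip them for lookup.
        ssid = (fields.get("SSID") or "").strip('"')
        networks[ssid] = fields
    return networks


def auto_reconnect_enabled(xml_text: str, ssid: str) -> Optional[bool]:
    """True/False for the network's AutoReconnect flag, None if the SSID is absent."""
    fields = list_networks(xml_text).get(ssid)
    if fields is None:
        return None
    return fields.get("AutoReconnect") == "1"


if __name__ == "__main__":
    for ssid, fields in list_networks(SAMPLE_WIFI_CONFIG_STORE).items():
        print(f"{ssid}: AutoReconnect={fields.get('AutoReconnect')}, "
              f"PreSharedKey={fields.get('PreSharedKey')}")
    print("CSIS auto join enabled:", auto_reconnect_enabled(SAMPLE_WIFI_CONFIG_STORE, "CSIS"))
```

Feeding the extracted WifiConfigStore.xml into list_networks gives a one-line-per-network summary, which also makes it obvious which networks have a null PreSharedKey and therefore need to be chased in other files, as the next challenge requires.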
WiFi Password – 100pts
What was the password for the Network of CSIS Mesh?
The plaintext WiFi password is not stored in the XML file found above, and other searches for CSIS Mesh did not yield anything of worth. The XML file is found at /data/misc/wifi/WifiConfigStore.xml. There are several other directories in /data/misc that pertain to WiFi information. In /data/misc/wifi_share_profile/backup.conf, the plaintext password can be seen in the file.
The password to the network is abcdef1234.