Another week, another Magnet Forensics weekly challenge. This time, the challenge is worth 40 points, includes a hint that costs 20 points, and only allows 4 attempts to answer the challenge.
This time, we are tasked with finding the an exit that the user passed. The exit apparently could have been taken for “Cargo”. The meaning of Cargo is not given. A town maybe? Hmmm. The first thing to do is get all the location data that we can from the Android image. When loading up Cellebrite, be sure to select Carve locations
and Recover data from locations
in the Examination tools
window.
When Cellebrite has finished parsing the file, we can see how many locations were found in the content tab. It found 2,350 location data points.
Clicking on this will take us to the Device Locations
tab.
My first thought was to search for cities or towns nearby the locations the phone visited. Unfortunately, there were none relatively close to the user’s location with the name “Cargo”. After looking over the Map, I noticed some of the images were taken at JFK International Airport in New York. Examining the location in Google Earth shows that there is a road named “Service Cargo Rd”. It is just off of Exit C on Interstate 678. This answer was attempted and was in fact wrong. Three attempts remaining.
If you’re following the #Magentweeklyctf hashtag on Twitter, you might have seen and glanced past a tweet from Jessica Hyde. In the Tweet, she said there was a free hint in a YouTube Cache-Up show.
The video did have a hint. The freebie hint was given at 53:20 in the video. Jessica said that the methodology needed to be used was discussed in a talk from last month. The talk was titled “Android v. iOS” and with Jessica Hyde and Chris Vance. Googling for this, a webinar of the talk can be found here. The page asks for an email address, then emails you a YouTube link. The talk goes over many different iOS and Android artifacts. The first relevant topic is location data. None of the techniques mentioned in this section were applicable though to our Android image. The next relevant section was on Picture files. On Android, Jessica discussed MVIMG files. These are similar to Apple iOS’s Live Photos. This section stood out for two reasons. Several of the pictures containing location data had this file format and several of these files were taken while moving or in view of road signs. Such as MVIMG_20200305_145544.jpg
, a picture of a truck driving by a road sign.
Cellebrite shows the file extension of the files as MVIMG but parses them as JPG files, so it only shows a still image.
All of the MVIMG files were found in the Android filesystem and exported to a Linux machine. On Linux, the following terminal command was used to extract the MP4 video files from the MVIMG files.
1
2
3
4
5
for i in MVIMG*.jpg; do \
ofs=$(grep -F --byte-offset --only-matching --text ftypmp4 "$i"); \
ofs=${ofs%:*}; \
[[ $ofs ]] && dd "if=$i" "of=${i%.jpg}.mp4" bs=$((ofs-4)) skip=1; \
done
The command gives us the MP4s from each MVIMG file in the directory this is ran from. The first file to be examined was video pulled from the image of the truck. Unfortunately, the road signs could not seen in the video, and searching the location on Google Earth shows nothing named Cargo is nearby. MVIMG_20200307_130326.jpg
was examined next, it looked like a video taken from a bus. In the video, it quickly passes a road sign. It’s difficult, but if you pause and look at the sign, it does in fact say cargo!
The exit number is difficult to make out though. Cellebrite shows this photo was taken at an airport I had overlooked. Olso Airport in Norway. The location data says the picture was taken here inside the airport:
The location must be slightly off. The video shows a large open space, a road sing with several places, and some strange metal bits in the background, maybe runway lights or something. Looking around on Google Earth, if we travel about a mile out the entry road to the airport, we can see those structures, a fence, and a large open felid. And street view shows the same sign with Cargo on it!
Inputting the answer “E16” reveals it is correct and points are rewarded!