This CTF challenge was given in person at the 2022 Magnet User Summit and covered a range of systems and devices. The Android portion of the CTF is available via NIST, which is linked below. The CTF was assigned by the instructor for CSCI-4438-01; a set of 15 questions had to be answered while analyzing the image.
The files for this Capture the Flag Challenge can be found here
> The device is a Google Pixel 3 XL
> The firmware the device is running is Android 9 (Pie).
> The folder /data/org.thoughtcrime.securesms belongs to the messaging app, Signal.
> The user account and ID used for YouTube were rafaelshell24@gmail.com
> The user searched for magic card tricks, Log4Shell exploit tutorials, aidungeon.io, hacking tutorials, and other miscellaneous searches.
> The URL visited most in Chrome was aidungeon.io. It was visited 14 times.
7. What SMS messages existed on the user’s device? When were they sent? Who are they to/from? Was the message seen by the user?
> The SMS messages were verification codes from different services such as Signal, Discord, etc.
> These messages were sent starting from 2022-01-25
> There were a total of 21 messages and only 15 were read
8. What are the names of the user’s Snapchat friends? Who sent the user the most Snapchat messages? How many messages were sent? What time were the messages sent?
> The names of the user's Snapchat friends were:
- angie_frank07
- teamsnapchat
> The user who sent the most messages was teamsnapchat with 7 total messages.
> The messages were sent between February 9th & 10th, 2022 at varying times ranging from February 9, 2022 at 6:37AM GMT to February 10, 2022 at 9:37PM GMT
9. What did the user recently play in Spotify? How many items were listed? What are the names of the albums, songs, playlists, or podcasts listened to? What users uploaded these items?
> Only 2 items were listed.
> The user played The Lord of the Rings Soundtrack and the Matrix Resurrections soundtrack.
> The LOTR Soundtrack was uploaded by a user named Impakt Records. The Matrix soundtrack was uploaded by a user named Bonbonniere
> The account associated with Google Keep is rafaelshell24@gmail.com
11. It looks like the user may have liked to hike, and may have done some research for a trip using a particular application. What particular city did the user search for?
> The user used the app “AllTrails” to search for Burlington, VT and Plainfield, VT.
> The time on the homescreen was 2:04
> SSID: ChamplaignGuest; Pswd: ChamplaignGuest
14. Where did the user take pictures? What are the coordinates? Based on the coordinates, what is the approximate address?
> The user took pictures at The boardwalk at Waterfront Park in Burlington, VT and Mt. Abraham Long Trail in Warren, VT.
- 44.47728055555556, -73.22132777777777
- 44.127858333333336, -72.92818611111112
15. What Bluetooth devices did the user device connect to? What is the name of the device? The MAC address?
> The user connected to 3 Bluetooth devices.
- Moto 360 DF00 (d0:5f:b8:33:df:00)
- Mpow Flame (50:18:09:17:74:22)
- Tribit XSound Go (c9:5c:fd:17:56:c1)