sudo-jordan/2022-Magnet-Forensics-Android-CTF
2022 Magnet Summit Android CTF

Scenario:

This CTF challenge was given in person at the 2022 Magnet User Summit and covered a range of systems and devices. The Android portion of the CTF, however, is freely available from NIST and is linked below. The CTF was assigned by the instructor of CSCI-4438-01: a set of 15 questions had to be answered through analysis of the image.

CTF Files:

The files for this Capture the Flag Challenge can be found here

Analysis Questions:

1. What is the make/model of the device?

  > The device is a Google Pixel 3 XL

2. What firmware version is on the device?

  > The firmware the device is running is Android 9 (Pie).

3. What does org.thoughtcrime.securesms belong to?

  > The folder /data/org.thoughtcrime.securesms belongs to the 
    messaging app, Signal.

4. What user account and ID are used for Youtube?

  > The user account and ID used for Youtube were 
    rafaelshell24@gmail.com

5. What keyword searches did the user make in Chrome? When were the searches conducted?

  > The user searched for magic card tricks, Log4Shell exploit 
    tutorials, aidungeon.io, hacking tutorials, and other 
    miscellaneous searches.

6. What URL did the user visit most in Chrome? How many times were the URLs visited?

  > The URL visited most in Chrome was aidungeon.io. It was 
    visited 14 times.

7. What SMS messages existed on the user’s device? When were they sent? Who are they to/from? Was the message seen by the user?

  > The SMS messages were verification codes from different 
    services such as Signal, Discord, etc.
  > These messages were sent starting from 2022-01-25
  > There were a total of 21 messages and only 15 were read

8. What are the names of the user’s Snapchat friends? Who sent the user the most Snapchat messages? How many messages were sent? What time were the messages sent?

  > The names of the user's Snapchat friends were:
     - angie_frank07
     - teamsnapchat
  > The user who sent the most messages was teamsnapchat with 7 
    total messages. 
  > The messages were sent between February 9th & 10th, 2022 at 
    varying times ranging from February 9, 2022 at 6:37AM GMT to 
    February 10, 2022 at 9:37PM GMT

9. What did the user recently play in Spotify? How many items were listed? What are the names of the albums, songs, playlists, or podcasts listened to? What users uploaded these items?

  > Only 2 items were listed.
  > The user played The Lord of the Rings Soundtrack and the 
    Matrix Resurrections soundtrack.
  > The LOTR Soundtrack was uploaded by a user named Impakt 
    Records. The Matrix soundtrack was uploaded by a user named 
    Bonbonniere 

10. What account is associated with Google Keep?

  > The account associated with Google Keep is 
    rafaelshell24@gmail.com

11. It looks like the user may have liked to hike, and may have done some research for a trip using a particular application. What particular city did the user search for?

  > The user used the app “AllTrails” to search for Burlington, VT 
    and Plainfield, VT.

12. What time was on the screen when the user took a screenshot of their homepage?

  > The time on the homescreen was 2:04

13. What WiFi network did the user connect to? What username and password did they use to log on?

  > SSID: ChamplaignGuest; Pswd: ChamplaignGuest

14. Where did the user take pictures? What are the coordinates? Based on the coordinates, what is the approximate address?

  > The user took pictures at the boardwalk at Waterfront Park in 
    Burlington, VT and Mt. Abraham Long Trail in Warren, VT.
        - 44.47728055555556, -73.22132777777777
        - 44.127858333333336, -72.92818611111112
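Photo coordinates like the ones above come from the EXIF GPSLatitude/GPSLongitude tags, which store degrees, minutes and seconds as rationals, with the hemisphere in GPSLatitudeRef/GPSLongitudeRef. The converter below is an added example, not part of the original write-up; the file names and the tag values in SAMPLE_EXIF are constructed so that they round-trip to the two decimal coordinates listed above, since the image's actual tag values are not on this page.

```python
from fractions import Fraction

# Constructed sample: EXIF GPS rationals as (numerator, denominator) pairs
# for degrees, minutes and seconds. File names are hypothetical; the values
# were chosen to reproduce the decimal coordinates listed in the write-up.
SAMPLE_EXIF = {
    "waterfront_park.jpg": {
        "GPSLatitude": ((44, 1), (28, 1), (3821, 100)),
        "GPSLatitudeRef": "N",
        "GPSLongitude": ((73, 1), (13, 1), (1678, 100)),
        "GPSLongitudeRef": "W",
    },
    "mt_abraham.jpg": {
        "GPSLatitude": ((44, 1), (7, 1), (4029, 100)),
        "GPSLatitudeRef": "N",
        "GPSLongitude": ((72, 1), (55, 1), (4147, 100)),
        "GPSLongitudeRef": "W",
    },
}


def dms_to_decimal(dms, ref):
    """Convert EXIF degree/minute/second rationals to signed decimal degrees.

    South latitudes and west longitudes come out negative. A missing or
    unexpected Ref tag is rejected instead of being silently treated as N/E,
    because that mistake puts a Vermont photo in the wrong hemisphere.
    """
    if ref not in ("N", "S", "E", "W"):
        raise ValueError(f"unexpected GPS reference tag: {ref!r}")
    deg, minutes, seconds = (Fraction(n, d) for n, d in dms)
    if not (0 <= minutes < 60 and 0 <= seconds < 60):
        raise ValueError("minutes/seconds out of range")
    # Exact rational arithmetic; convert to float only at the end.
    value = deg + minutes / 60 + seconds / 3600
    if ref in ("S", "W"):
        value = -value
    return float(value)


def exif_to_coordinates(tags):
    """Return (latitude, longitude) in decimal degrees for one image's tags."""
    lat = dms_to_decimal(tags["GPSLatitude"], tags["GPSLatitudeRef"])
    lon = dms_to_decimal(tags["GPSLongitude"], tags["GPSLongitudeRef"])
    return lat, lon


def locate_all(images):
    """Map each image name to its decimal (lat, lon) pair."""
    return {name: exif_to_coordinates(tags) for name, tags in images.items()}
```

The decimal pairs this produces can be pasted straight into a mapping service to get the approximate address the question asks for.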

15. What Bluetooth devices did the user device connect to? What is the name of the device? The MAC address?

  > The user connected to 3 Bluetooth devices.
        - Moto 360 DF00 (d0:5f:b8:33:df:00)
        - Mpow Flame (50:18:09:17:74:22)
        - Tribit XSound Go (c9:5c:fd:17:56:c1)

About

Write up & Presentation for the 2022 Magnet Summit Android CTF
