Mobile Forensics CTF write-up
Solved and written by dark_mendes and me.
This CTF was put up by ekraal, as part of the aspire program. New challenges can be found at ciphercode.dev every other week :)
A mobile device image was provided for forensic analysis.

Tool used: Autopsy
Create a new case in Autopsy and add the mobile device disk image as the data source.

#Mobile-1 Model

Step 1: Navigate to the views/application/json tree path and open the SessionDevice.json file.

Step 2: Take note of the build model value in.

Flag format: Aspire{Nexus 5X }

#Mobile-2 IMEI

Step 1: Under the Data Sources root, navigate to the LogicalFileSet1/Mobile_image/Mobile_image/sdcard/pictures/screenshots tree path and double-click the third image.

Step 2: Note the IMEI No. in that screenshot.

Flag format: Aspire{353626075095047}

#Mobile-3 Network

Step 1: Navigate to the Views/File Type/By Extension/Databases path and open the agent_sim.db file.

Step 2: Open the Text tab. Notice that the value of sim_operator_name in record 1 is Safaricom.

Flag format: Aspire{Safaricom}

#mobile 4 scam

Step 1: Still on the same tree path of Views/File Type/By Extension/Databases, open the agent_mmssms.db file.

Step 2: Navigate to the Text tab; the message being investigated has id no. 5.

Step 3: Convert the epoch time to a human-readable format using the converter at https://www.epochconverter.com/

Flag format: Aspire{Wednesday, October 23, 2019 3:32 PM}
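
Step 3 can also be done offline, which keeps evidence values out of a third-party website. The script below is an added example, not part of the original write-up: the `sms` table with `_id`, `address` and `date` columns (the stock Android layout), the UTC+3 display offset and every sample row are assumptions constructed for illustration.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Assumed display offset (UTC+3, no DST); set it to the zone relevant to the case.
LOCAL_TZ = timezone(timedelta(hours=3))

def epoch_to_utc(value):
    """Return an aware UTC datetime for an epoch in seconds, ms or microseconds."""
    value = int(value)
    # Magnitude heuristic: present-day seconds ~1e9, milliseconds ~1e12, microseconds ~1e15.
    if abs(value) >= 10**14:
        return EPOCH + timedelta(microseconds=value)
    if abs(value) >= 10**11:
        return EPOCH + timedelta(milliseconds=value)
    return EPOCH + timedelta(seconds=value)

def human(dt, tz):
    """Render like 'Wednesday, October 23, 2019 3:32 PM' in the given zone."""
    dt = dt.astimezone(tz)
    return f"{dt:%A, %B} {dt.day}, {dt.year} {dt.hour % 12 or 12}:{dt:%M %p}"

def message_times(conn, msg_id):
    """Look up one message and report its timestamp in UTC and in LOCAL_TZ."""
    row = conn.execute(
        "SELECT address, date FROM sms WHERE _id = ?", (msg_id,)
    ).fetchone()
    if row is None:
        raise LookupError(f"no message with _id={msg_id}")
    utc = epoch_to_utc(row[1])
    return {"sender": row[0], "raw": row[1],
            "utc": human(utc, timezone.utc), "local": human(utc, LOCAL_TZ)}

def build_sample_db():
    """Constructed stand-in for an extracted SMS database (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sms (_id INTEGER PRIMARY KEY, address TEXT, date INTEGER, body TEXT)")
    conn.executemany("INSERT INTO sms VALUES (?, ?, ?, ?)", [
        (5, "+10000000001", 1571833920000, "constructed message, milliseconds"),
        (6, "+10000000002", 1571833920, "constructed message, seconds"),
    ])
    return conn

if __name__ == "__main__":
    # For a real extracted copy, open read-only instead:
    #   sqlite3.connect("file:agent_mmssms.db?mode=ro", uri=True)
    conn = build_sample_db()
    for msg_id in (5, 6):
        print(msg_id, message_times(conn, msg_id))
```

The same stored value renders as a different wall-clock time in each zone, so record the zone alongside any timestamp reported from the database.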

#mobile 5 scammer

Step 1: Still in the agent_mmssms.db file under the Views/File Type/By Extension/Databases tree path, look at message 5; the sender’s number is as highlighted below.

Flag format: Aspire{+254794660124}

#mobile 7 country code

Step 1: Navigate to the /LogicalFileSet1/Mobile_image/Mobile_image/adb-data/apps/com.android.calllogbackup/ path and open the com.android.calllogbackup.data file.

Step 2: Note the two international numbers in the call logs which are from the same region.

Step 3: +44 is associated with the United Kingdom.

Flag format: Aspire{United Kingdom}

#mobile 8 wireless

Step 1: Navigate to the Views/File Type/By Extension/Databases path and open the wifi.db file.

Step 2: Take note of the 7-letter wireless network name.

Flag format: Aspire{kongoni}

#mobile 11 tweeter

Step 1: Navigate to the /LogicalFileSet1/Mobile_image/Mobile_image/Live Data/Dumpsys Data/ path and open the account.txt file.

Step 2: The name associated with the Twitter account is marked below.

Flag format: Aspire{KamiLenana}

#mobile12 Accounts

Step 1: Still on the same Views/File Type/By Extension/Databases path, open the agents_accounts.db file.

Step 2: Click on the Text tab of this file to find the Google accounts.

Flag format: Aspire{cocoash100@gmail.com_lenanakami@gmail.com}

#mobile 13 analyst tool

Step 1: Navigate to /LogicalFileSet1/Mobile_image/Mobile_image/adbdata/apps/com.viaforensics.android.aflogical_ose folder.

Step 2: Open the folder, then download and install the base.apk file to verify whether it is the forensic tool. To download it, right-click the apk file, select the Extract File(s) option, and choose the folder to save the file in.

A successful apk file installation would look like this.

Step 3: Verify the application with a tool such as BlueStacks.

Flag format: Aspire{AFLogical OSE}