New 4n6 enthusiast on the go

Cellebrite CTF 2023 – Sharon

My goal this year is to attempt some CTF questions using open source tools so as to skill myself up. I thought it would be a great idea to start with last year’s Cellebrite CTF, as they have published the answers, so I can check that my solutions were correct and work backwards if they’re not.

Tools used:

  • ALEAPP v3.1.9
  • Notepad++ v8.6
  • DB Browser for SQLite v3.12.2
  • DCode v5.5
  • ExifTool v12.71

Question 1 – What is the chipset of Sharon’s Android?

Opening the Cellebrite .UFD file using notepad, line 2 reveals the chipset is universal2100_r.

Question 2 – What happened to the device on June 16, 2023 at 8:45:48 Eastern Daylight Time? (Think of a setting change).

Firstly, Eastern Daylight Time is UTC-4 so the time I am looking for should be 12:45:48 UTC.

As the question prompts for a setting change, I thought about Android’s Digital Wellbeing logs and checked this on the ALEAPP report.

I can see there is a notification at 12:45:47 but this is 1 second out and it didn’t show what kind of notification it is.

Then I checked for Android’s Digital Personalization Services (DPS) and Samsung Rubin.

For DPS, I couldn’t find the ./databases/reflection_gel_events.db file so I assume it is not present on this device (or device extraction).

I found the Rubin file /data/data/com.samsung.android.rubin.app/databases/inferenceengine_logging.db but when I opened it with DB Browser for SQLite, a SQLCipher prompt box appeared.

I found the key in the keystore /extra/Secrets/secrets.json but was unable to work out the right SQLCipher settings.

So this question will be a no go at the moment.

Question 3 – Sharon likes secure chat apps. When was the last time she entered a PIN to unlock a secure chat app?

ALEAPP Installed Apps shows that Signal was installed on the device on 2023-06-04.

Going to the Signal databases in /data/data/org.thoughtcrime.securesms/databases also requires a decryption key.

I located the key (/extra/Secrets/secrets.json) but was, again, unable to go past the SQLCipher screen.

After some Google searching, I came across a screenshot on AvillaDaniel’s GitHub page, and it appears that for SQLCipher, I need to change the KDF iterations to “1” and hash algorithms to “SHA1” for it to work. I tried, and got in, and it worked for all the files in the folder (I went back and attempted Q2 but was still unsuccessful).

The rest is straightforward: I opened “signal-key-value.db”, found the entry “pin.last_successful_entry” and pasted the timestamp into DCode.

So the answer is 2023-06-04 22:17:47 UTC.

Question 4 – Sharon – Sharon had a meeting with a co-conspirator near The Copper Penny on June 7, 2023. What is the exact street address of Sharon’s device when The Copper Penny was near?

A screenshot with GPS coordinates near The Copper Penny was found in the DCIM directory (/data/media/0/DCIM/Screenshots/Screenshot_20230607_093927_Maps.jpg).

Typing this coordinate into Google Maps gives the address 485 N Water Street.

Question 5 – A one-word text message was received with a photo that was stored as Private in a secure messaging app. What was the one-word text message?

I first checked the ALEAPP Installed Apps (vending) report; it contains the following messaging apps:

  • Messages by Google
  • Messenger (Facebook)
  • Signal Private Messenger
  • Snapchat
  • WhatsApp

As the question specified “secure messaging app”, I decided to focus on Signal and WhatsApp first.

I had already looked at Signal briefly in Q3 and nothing stood out as being “private”.

Starting with WhatsApp, I navigated to the WhatsApp message reports in ALEAPP and typed “private” in the search box.

There were two hits with a local media path in “Media/WhatsAppImages/Private/”. The message received on 2023-06-01 is “Mahalo” and the message received on 2023-06-07 is “You coming?”. So the answer is Mahalo.

Question 6 – When did Sharon become friends with Abe Rudder on Facebook?

ALEAPP Facebook Contacts has Abe Rudder’s birthday but not when Abe was added as a friend.

Navigating to the Facebook database directory (/data/data/com.facebook.katana/databases), there were more than 50 files in the folder, but one of them is “android_facebook_contacts_db”.

Opening this file in DB Browser for SQLite and navigating to the “contacts” table, I can see the “added_time_ms” column.

Pasting the time into DCode gives 2023-06-01.

Question 7 – Sharon decided to crash the “Life at Cellebrite” party and took a train. The day after the party, she left on June 24, 2023, around 9:00 AM EDT and arrived at her final destination around 11:25 AM EDT. In which cities did she start and end?

EDT is UTC-4 so the time frame would be between 1300 UTC and 1525 UTC on 2023-06-24.

I checked ALEAPP Google Map reports and none covered the date of interest.

***Samsung Rubin decryption issue not yet resolved***
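The EDT-to-UTC conversions in Questions 2 and 7 and the DCode decoding of millisecond timestamps in Questions 3 and 6 can be scripted together. This is an added example, not part of the original write-up; it treats EDT as a fixed UTC-4 offset as the post does, and the in-memory database with its timestamp values is constructed for illustration (only the `contacts` table and `added_time_ms` column names come from the post).

```python
import sqlite3
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
EDT = timezone(timedelta(hours=-4), "EDT")  # fixed UTC-4 offset, as in the write-up
EPOCH = datetime(1970, 1, 1, tzinfo=UTC)
FMT = "%Y-%m-%d %H:%M:%S"

def edt_to_utc(text):
    """Parse an EDT wall-clock string and return an aware UTC datetime."""
    return datetime.strptime(text, FMT).replace(tzinfo=EDT).astimezone(UTC)

def ms_to_utc(ms):
    """Decode a Unix-epoch millisecond value without float rounding."""
    return EPOCH + timedelta(milliseconds=ms)

def to_ms(dt):
    """Convert an aware datetime to Unix-epoch milliseconds."""
    return (dt - EPOCH) // timedelta(milliseconds=1)

def rows_in_window(conn, table, column, start_edt, end_edt):
    """Return (rowid, UTC string) for rows whose ms timestamp lies in the EDT window."""
    lo, hi = to_ms(edt_to_utc(start_edt)), to_ms(edt_to_utc(end_edt))
    sql = (f'SELECT rowid, "{column}" FROM "{table}" '
           f'WHERE "{column}" BETWEEN ? AND ? ORDER BY "{column}"')
    return [(rid, ms_to_utc(ms).strftime(FMT)) for rid, ms in conn.execute(sql, (lo, hi))]

def build_sample_db():
    """Constructed stand-in for an extracted database (values are not from the image)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (added_time_ms INTEGER)")
    conn.executemany("INSERT INTO contacts VALUES (?)",
                     [(1685620800000,), (1687617000000,), (1687650000000,)])
    return conn

if __name__ == "__main__":
    # Question 2 target time expressed in UTC
    print(edt_to_utc("2023-06-16 08:45:48").strftime(FMT))
    # Question 7 window applied to the constructed table
    for hit in rows_in_window(build_sample_db(), "contacts", "added_time_ms",
                              "2023-06-24 09:00:00", "2023-06-24 11:25:00"):
        print(hit)
```

Against a real extraction, run this on a working copy opened read-only, for example `sqlite3.connect("file:<path>?mode=ro", uri=True)`.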

Question 8 – On June 16, 2023, Sharon was at “the home of the havoc” and shared her location with another suspect. Who did she share it with?

Searching the date 2023-06-16 across the different messaging applications in ALEAPP shows that a message containing a URL was sent to Abe Rudder via WhatsApp.

The URL points to somewhere near Hollydell Ice Arena.

Searching Hollydell Ice Arena shows that it is in New Jersey and that Hollydell Havoc is the local ice hockey team.

The EXIF data of a photo in the DCIM folder (20230616_132526.JPG) also contains GPS coordinates pointing to Hollydell Ice Arena.
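To compare a photo's EXIF position with a place of interest, the degrees/minutes/seconds strings that ExifTool prints by default can be converted to decimal degrees and measured against a reference point. This is an added example, not part of the original write-up; the sample position, the reference coordinates and the 250 m radius are constructed and are not the values from the CTF image.

```python
import math
import re

# ExifTool's default print format for GPS tags, e.g. 40 deg 30' 0.00" N
DMS_RE = re.compile(r"""(\d+)\s*deg\s*(\d+)'\s*([\d.]+)"\s*([NSEW])""")

# Constructed GPSPosition string (not taken from the CTF image)
SAMPLE_POSITION = """40 deg 30' 0.00" N, 74 deg 15' 0.00" W"""

def dms_to_decimal(text):
    """Convert one DMS string to signed decimal degrees (S and W are negative)."""
    m = DMS_RE.search(text)
    if not m:
        raise ValueError(f"not an ExifTool DMS value: {text!r}")
    deg, minutes, seconds, ref = m.groups()
    value = int(deg) + int(minutes) / 60 + float(seconds) / 3600
    return -value if ref in "SW" else value

def parse_gps_position(text):
    """Split a 'lat, lon' GPSPosition string into a (lat, lon) decimal pair."""
    lat_text, lon_text = text.split(",")
    lat, lon = dms_to_decimal(lat_text), dms_to_decimal(lon_text)
    if not (-90 <= lat <= 90 and -180 <= lon <= 180):
        raise ValueError(f"coordinates out of range: {lat}, {lon}")
    return lat, lon

def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371000.0 * math.asin(math.sqrt(h))

def is_near(photo_position, reference, radius_m=250):
    """True if the photo's EXIF position lies within radius_m of the reference."""
    return haversine_m(parse_gps_position(photo_position), reference) <= radius_m

if __name__ == "__main__":
    print(parse_gps_position(SAMPLE_POSITION))
    print(is_near(SAMPLE_POSITION, (40.5005, -74.25)))  # constructed reference point
```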

Question 9 – Sharon connected to an iPhone mobile hotspot. What was the name of the mobile hotspot and the MM-DD the connection first occurred?

Looking at the Wifi Profile section in ALEAPP, there are two subsections – Wi-Fi Hotspot and Wi-Fi Profiles.

Wi-Fi Hotspot shows the profile of the user’s device if it is used as a hotspot itself, so this is not what I was looking for.

On the other hand, Wi-Fi Profiles lists all the Wi-Fi networks the device has connected to. I can see the SSID Heather’s iPhone is one of the entries. However, there is no date.

Question 10 – How many times did Sharon’s phone boot (power on and start up) while she was in Paris?

Question 11 – The user made a note on June 4, 2023, Eastern Daylight Time. What did the note say?

Question 12 – As a reference to the previous question of Sharon sharing her location on June 16, 2023, with Abe, when did Abe favorite his location?

Question 13 – Sharon needed a break from the northeastern winter and headed south for a girl’s trip for five days. While on her vacation, she saw her own dolphin. Where was she when she saw her dolphin?
