
Information
Category Name: LGDroid
Files: c51-OreoAnalyst.zip 1.1 GB
— LGE LM-Q725K Quick Image.zip 1.1 GB
— suspicious.jpg
My Recommendations
This is my personal preference; I like being organized and deleting a folder when I’m done with it.
mkdir -p Documents/CyberDefenders/LG && cd Documents/CyberDefenders/LG
Download it from CyberDefenders and verify the file with sha1sum:
sha1sum /path/to/c51-OreoAnalyst.zip
SHA1: a371b440d029267e95dbff243d0283b87deb4fd1
Then extract it with the provided password.
The archive contains another zip-file, which you must extract to access the data.
Walkthrough
1. What is the email address of Zoe Washburne?
Using grep:
grep -r -l -i 'washburne' *
This returns only one file: Agent Data/contacts3.db
sqlitebrowser 'Agent Data/contacts3.db'
In the first table, acquired_contacts, you can filter DisplayName for Zoe:
Answer: zoewash@0x42.null
2. What was the device time in UTC at the time of acquisition? (hh:mm:ss)
I genuinely have no idea what software was used to image this phone; however, the ‘Live Data/device_datetime_utc.txt’ file seems to point in the right direction:
cat 'Live Data/device_datetime_utc.txt'
Which returns ‘2021-05-21 18:17:56’.
Answer: 2021-05-21 18:17:56
3. What time was Tor Browser downloaded in UTC? (hh:mm:ss)
In the Agent Data directory, there is a ‘downloads.db’ sqlite database.
sqlitebrowser 'Agent Data/downloads.db'
The timestamp is in UNIX milliseconds, which can be converted to a human-readable datetime by dropping the last three digits (milliseconds to seconds) and then running in a terminal (the -u flag makes date print UTC regardless of your local timezone, which is what the question asks for):
date -u -d @1619725346
Just need to convert this pretty little output to HH:MM:SS and we get the answer!
Answer: 19:42:26
4. What time did the phone charge to 100% after the last reset? (hh:mm:ss)
In ‘Live Data/Dumpsys Data/batterystats.txt’:
cat 'Live Data/Dumpsys Data/batterystats.txt'
At the beginning of the file, we find the date and time of the last reset:
If you scroll down, you can see that ‘status=full’ was reached 5 minutes, 1 second and 459 ms after the last reset.
13:12:19 + 00:05:01 = 13:17:20
Answer: 13:17:20
5. What is the password for the most recently connected WIFI access point?
There are no plaintext passwords in the folders, so they must be in the tar archive. The SANS Smartphone Cheatsheet says that usernames and passwords can be found in
/data/com.android.providers.settings/*
To find out if there is anything in there:
tar -tvf adb-data.tar | grep 'com.android.providers.settings'
We can extract and display this single file by running:
tar -xvf adb-data.tar apps/com.android.providers.settings/k/com.android.providers.settings.data
cat apps/com.android.providers.settings/k/com.android.providers.settings.data
The value of PreSharedKey (where Android stores Wi-Fi passwords) is ‘ThinkingForest!’.
Answer: ThinkingForest!
6. What app was the user focused on at 2021-05-20 14:13:27?
As usual, I am using grep to find matches for the date:
grep -r -l '2021-05-20' *
The file most likely to provide a match is ‘usage_stats.txt’:
cat 'Live Data/usage_stats.txt' | grep '2021-05-20 14:13:27'
At this exact time, the package com.google.android.youtube was moved to the foreground.
Answer: youtube
7. How much time did the suspect watch Youtube on 2021-05-20? (hh:mm:ss)
Using the same file as above, we can filter for the app name and date to find the total time spent on the app on that day:
cat 'Live Data/usage_stats.txt' | grep 'youtube' | grep '2021-05-20'
Answer: 8:34:29
8. suspicious.jpg: What is the structural similarity metric for this image compared to a visually similar image taken with the mobile phone? (#.##)
First, let’s open suspicious.jpg to see what it looks like:
xdg-open suspicious.jpg
Using find, there are no other .jpg files in the folders, so they must be in the tar archives. Instead of extracting the archives to search for JPEGs, we can list the files that match the extension:
tar -tvf sdcard.tar.gz | grep jpg
tar -tvf adb-data.tar | grep jpg
Both tar archives contain the same number of “*.jpg” files. The images are saved on the device in DATE_TIME.jpg format. To find the ‘visually similar image’, we need to find the time suspicious.jpg was created, using exiftool:
exiftool suspicious.jpg | grep -i date
The image was created on 2021:04:29 15:15:35. Looking back at the tar archive, there is a file matching that date at sdcard/DCIM/Camera/20210429_151535.jpg (or shared/0/DCIM/Camera/20210429_151535.jpg). You can extract that single file and verify it by running:
tar -xvf sdcard.tar.gz sdcard/DCIM/Camera/20210429_151535.jpg
xdg-open sdcard/DCIM/Camera/20210429_151535.jpg
Now that we have found the original image, we need to calculate the Structural Similarity Metric. This online tool can calculate it for us.
Answer: 0.99
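If you would rather not upload evidence to an online tool, the metric can be computed locally. The block below is an added example, not code from the write-up or from CyberDefenders: a dependency-free SSIM (Wang et al. 2004) averaged over 8x8 blocks, run on two constructed 16x16 grayscale images that stand in for the camera original and suspicious.jpg; a real comparison would first decode both JPEGs (for example with Pillow) into the same 2-D list of 0-255 values.

```python
# Added example, not part of the original write-up: dependency-free SSIM over
# 8x8 blocks. Images are 2-D lists of 0-255 grayscale values; real JPEGs would
# be decoded (e.g. with Pillow) into this representation before calling ssim().
K1, K2, L = 0.01, 0.03, 255               # constants from the SSIM paper
C1, C2 = (K1 * L) ** 2, (K2 * L) ** 2     # stabilisers for flat regions

def _stats(x, y):
    """Means, population variances and covariance of two equal-length windows."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    vx = sum((a - mx) ** 2 for a in x) / n
    vy = sum((b - my) ** 2 for b in y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y)) / n
    return mx, my, vx, vy, cov

def ssim_window(x, y):
    """SSIM of one window: luminance term times contrast/structure term."""
    mx, my, vx, vy, cov = _stats(x, y)
    return ((2 * mx * my + C1) * (2 * cov + C2)) / \
           ((mx * mx + my * my + C1) * (vx + vy + C2))

def ssim(img_a, img_b, win=8):
    """Mean SSIM over non-overlapping win x win blocks (uniform window, a
    simplification of the Gaussian sliding window used by scikit-image)."""
    h, w = len(img_a), len(img_a[0])
    if (h, w) != (len(img_b), len(img_b[0])):
        raise ValueError("images must have identical dimensions")
    scores = []
    for r in range(0, h - win + 1, win):
        for c in range(0, w - win + 1, win):
            xa = [img_a[i][j] for i in range(r, r + win) for j in range(c, c + win)]
            xb = [img_b[i][j] for i in range(r, r + win) for j in range(c, c + win)]
            scores.append(ssim_window(xa, xb))
    if not scores:
        raise ValueError(f"image smaller than the {win}x{win} window")
    return sum(scores) / len(scores)

def sample_images():
    """Constructed 16x16 gradient 'camera original' and a copy with
    deterministic +/-5 re-encoding noise standing in for suspicious.jpg."""
    orig = [[i * 8 + j * 8 for j in range(16)] for i in range(16)]
    noisy = [[max(0, min(255, orig[i][j] + (i * 7 + j * 13) % 11 - 5))
              for j in range(16)] for i in range(16)]
    return orig, noisy

if __name__ == "__main__":
    a, b = sample_images()
    print(f"SSIM(original, original) = {ssim(a, a):.2f}")
    print(f"SSIM(original, re-encoded copy) = {ssim(b, a):.2f}")
```

Because the window here is uniform rather than Gaussian, the value will differ slightly from what the online tool or scikit-image reports; the two-decimal answer format tolerates that.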
TLDR
– an Android Forensics challenge that can be entirely solved with basic CLI tools.