DFA 2020: iPad Forensics – Fruit Pad

Information

iOS Forensics is similar to Mac Forensics, but the images are usually either Full filesystem (a filesystem copy of a jailbroken device) or logical (usually acquired with iTunes). There are many open-source tools available for both. I used ios_apt, iLEAPP and walitean for this category. The only question I didn't manage to answer was Question 2, I found literally 0 evidence related to Nest :(.

Category Name: Fruit Pad

Files: iPad.tar 5.4 GB

My Recommendations

Download the file. Consider that the archive’s compressed and uncompressed size is roughly around 14GB. If your VM can handle it, download it directly in the VM. Otherwise, you can download it to an external drive/USB or into your host machine.

Verify the hash:

sha1sum /path/to/archive

Should return: iPad.tar – 1211ED593E5111E45D04077EDE3D0CD9728349B0

I recommend creating sub-directories in your VM for each section of the CTF to stay organized and to easily remove them when you are done.

mkdir Documents/dfa20/ipad

If you are sharing a folder, extract the archive and share the folder with your VM:

tar -xvf /path/to/iPad.tar -C /your/shared/folder

If you are not sharing a folder, extract it in a directory of your choice. Note that the commands in this writeup will be different, and you will have to adapt some of the commands to the directory you created.

iLEAPP is an amazing open-source tool for iOS forensics. Go to your VM:

cd Documents/dfa20/ipad
git clone https://github.com/abrignoni/iLEAPP
cd iLEAPP
pip3 install -r requirements.txt
sudo apt-get install python3-tk
python3 ileapp.py -t fs -i /mnt/hgfs/iPad -o /home/remnux/Documents/dfa20/ipad
mv (path to output iLEAPP folder) /home/remnux/Documents/dfa20/ileapp #Renaming makes it easier to use in the Terminal

ios_apt and mac_apt: I am a major stan of Yogesh Khatri’s work.

##Make sure you are in Documents/dfa20
mkdir macapt && cd macapt
##Install mac_apt following these instructions, then activate its virtual environment
source env/bin/activate
cd mac_apt
python ios_apt.py -i /mnt/hgfs/iPad -o /home/remnux/Documents/dfa20/ipad ALL
##Deactivate the virtual environment and go back into the WD once it's done running
cd ..
deactivate
cd ..
git clone https://github.com/n0fate/walitean

Walkthrough

1. I’m just trying to do my iObeSt (50)

What is the IOS version of this device?

This information is in Basic_Info table of ios_apt.db

Answer: flag<9.3.5>

2. Take Off (50)

What mm/dd/yyyy did Nest connect?

NOT FOUND ANYWHERE!

3. The Man, the Myth, the Legend (50)

Who is using the iPad?
Include their first and last name.

In the Calendar Identity report of iLEAPP, the only name/identity is Tim Apple.

Answer: flag<Tim Apple>

4. 100% Fed Up (100)

When was the last time this device was 100% charged?
(mm/dd/yyyy hh:mm:ssAM/PM)

Battery usage and records are stored in CurrentPowerlog.PLSQL.
This database is located at /private/var/Containers/Shared/SystemGroup/<UUID>/Library/BatteryLife/CurrentPowerlog.PLSQL. To find it, I enter:

find /mnt/hgfs/iPad/private/var/Containers/Shared/SystemGroup -name "CurrentPowerlog.PLSQL"

This way, I can get the UUID of the directory and copy the database to my working directory.

cp /mnt/hgfs/iPad/private/var/Containers/Shared/SystemGroup/4212B332-3DD8-449B-81B8-DBB62BCD3423/Library/BatteryLife/CurrentPowerlog.PLSQL CurrentPowerlog.PLSQL && sqlitebrowser CurrentPowerlog.PLSQL

Opening the table PLBatteryAgent_EventBackward_Battery, filtering on Level = 100 and sorting by ID descending:

The timestamp 1586976031.21529 is a Unix epoch value and needs to be converted to a datetime, which gives Wednesday, April 15, 2020 6:40:31.215 PM.

Answer: flag<04/15/2020 06:40:31 PM>

5. Curb Your Enthusiasm (100)

What is the title of the webpage that was viewed the most?

Both iLEAPP and ios_apt.db return the most searched term as ‘Pokemon but gay’. It’s not the right answer; the answer is in Safari’s History.db-wal. With walitean, you can parse this WAL file into a new database:

cp -r /mnt/hgfs/iPad/private/var/mobile/Containers/Data/Application/FB1B2A1C-AC19-406F-BEEC-EC048BF504EA/Library/Safari Safari
cd walitean
python2 walitean.py -f Safari/History.db-wal -x Historywal.db -m History.db
sqlitebrowser Historywal.db

Filtering the urls in history_items by google.com/search, there are actually 8 entries for “kirby with legs”!

*’Kirby with legs’ is also bookmarked in Safari.

Answer: flag<kirby with legs>

6. Good ‘ol Radio (150)

What is the title of the first podcast that was downloaded?

Podcast files are in /private/var/mobile/Media, but the juicy data is in the MTLibrary.sqlite database, which is stored in the Containers/Shared/AppGroup directory.

find /mnt/hgfs/iPad/private/var/mobile/Containers/Shared/AppGroup -type f -name "MTLibrary.sqlite"

Copying and opening the database in the WD:

cp /mnt/hgfs/iPad/private/var/mobile/Containers/Shared/AppGroup/80179E24-1812-4B5F-8063-AECFC3773A7A/Documents/MTLibrary.sqlite Mt.sqlite && sqlitebrowser Mt.sqlite

In the table ZMTEPISODE, sort by ZDOWNLOADDATE, as the question explicitly asks for a downloaded podcast.

The first one to be downloaded is WHERE ARE WE?, just a few seconds before “Otro camino (…)”.

Answer: flag<WHERE ARE WE?>

7. High Fi! (150)

What is the name of the WiFi network this device connected to?

In ios_apt.db, in the table Wifi there is only one entry:

Answer: flag<black lab>

8. Limited Edition – Not in Stock (150)

What is the name of the skin/color scheme used for the game emulator?
This should be a filename.

Google is my best friend. We are looking for a file with the .gbaskin extension.

find /mnt/hgfs/iPad -type f -name "*.gbaskin"

Answer: flag<default.gbaskin>

9. Paperboy (150)

How long did the News App run in the background?

Going into the CurrentPowerLog.PLSQL that was copied in Question 3, in the table PLAppTimeService_Aggregate_AppRunTime, filter BundleID with “com.apple.news”:

Answer: flag<197.810275>

10. Stole Mom’s Credit Card (150)

What was the first app downloaded from the AppStore?

From the Apps – Itunes & Bundle Metadata Report in iLEAPP, there are two apps that were downloaded from the AppStore:

The first one was Cookie Run: OvenBreak downloaded on 2020-04-15 at 08:03:29.

Answer: flag<CookieRun>

11. You Wouldn’t Download a Car (150)

What was the most recent emulator game obtained?

The emulator is GBA4IOS. Games for the emulator are downloaded as zip files from a web browser.

sqlitebrowser History.db

Filtering the history_items table with .zip:

To get the time these files were downloaded/accessed, go to the history_visits table and filter “history_item” with the ID of each entry:

63 – visit_time = 608636536.234073 – Wednesday, April 15, 2020 9:42:16 AM
66 – visit_time = 608636658.692032 – Wednesday, April 15, 2020 9:44:18 AM

The most recent one obtained is 66, aka Zelda! I was going INSANE because none of my flag entries worked. I googled “Legend of Zelda, The – The Minish Cap (U)” and it turns out the actual formatting is The Legend of Zelda: The Minish Cap….

Answer: flag<The Legend of Zelda: The Minish Cap>
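The visit_time values above are not Unix epoch seconds like the CurrentPowerlog timestamps in Question 4; Safari stores Mac absolute time, seconds since 2001-01-01 UTC. The following Python is an added example (not from the original writeup or from any of the tools mentioned) that builds a constructed stand-in for History.db with the two tables used here, joins history_items to history_visits, and converts both timestamp flavours; the sample URLs and the non-Zelda title are made up.

```python
import sqlite3
from datetime import datetime, timezone, timedelta

# Safari's History.db (and most Apple databases) use "Mac absolute time":
# seconds since 2001-01-01 00:00:00 UTC. CurrentPowerlog.PLSQL uses Unix epoch.
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def cocoa_to_utc(seconds: float) -> datetime:
    """Convert a Mac absolute timestamp (History.db visit_time) to UTC."""
    return COCOA_EPOCH + timedelta(seconds=seconds)


def unix_to_utc(seconds: float) -> datetime:
    """Convert a Unix epoch timestamp (CurrentPowerlog.PLSQL) to UTC."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def build_sample_history() -> sqlite3.Connection:
    """Constructed in-memory stand-in for Safari's History.db (sample data, not the CTF image)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE history_items (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE history_visits (id INTEGER PRIMARY KEY, history_item INTEGER, visit_time REAL);
    """)
    con.executemany("INSERT INTO history_items VALUES (?, ?, ?)", [
        (63, "https://roms.example.invalid/other-game.zip", "Other game (constructed title)"),
        (66, "https://roms.example.invalid/zelda.zip", "Legend of Zelda, The - The Minish Cap (U)"),
        (70, "https://www.google.com/search?q=kirby+with+legs", "kirby with legs - Google Search"),
    ])
    con.executemany("INSERT INTO history_visits VALUES (?, ?, ?)", [
        (1, 63, 608636536.234073),   # the two visit_time values from the writeup
        (2, 66, 608636658.692032),
        (3, 70, 608640000.0),        # constructed, not a .zip so it must be excluded
    ])
    return con


def zip_downloads(con: sqlite3.Connection) -> list:
    """Return (title, UTC datetime) for every visited .zip URL, most recent first."""
    rows = con.execute("""
        SELECT i.title, v.visit_time
        FROM history_items i JOIN history_visits v ON v.history_item = i.id
        WHERE i.url LIKE '%.zip'
        ORDER BY v.visit_time DESC
    """).fetchall()
    return [(title, cocoa_to_utc(t)) for title, t in rows]


if __name__ == "__main__":
    for title, when in zip_downloads(build_sample_history()):
        print(when.strftime("%Y-%m-%d %I:%M:%S %p UTC"), title)
```

Swap the in-memory connection for sqlite3.connect("Historywal.db") to run the same query against the walitean output.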

12. Let me in LET ME INNNNNN (200)

What app was used to jailbreak this device?

A reliable way of getting this information is by checking the Identifier of Installed Applications. For that, I’m going to the ios_apt.db database, and looking at the Apps table and the Bundle_Identifier Column:

This is the complete list of Apps from ios_apt.db. The Bundle_Identifiers that do not start with com.apple are third-party applications.
Cookie Run and Pokemon Quest were downloaded from the AppStore.
GBA4ios is an emulator.
com.saurik.Cydia is the “AppStore” for jailbroken devices.
com.VN337S8MSJ.supplies.wall.phoenix was unknown to me.
Google confirms it’s a jailbreak tailored to iOS devices running 9.3.5-9.3.6, just like Tim’s iPad.

Answer: flag<phoenix>

13. There’s an app for that (200)

How many applications were installed from the app store?
You only have 3 attempts.

If you look at the question above, the only potential Apps downloaded from the AppStore are CookieRun and Pokemon Quest.

Answer: 2
NO FLAG FORMAT HERE 😔😔

14. Cheater Cheater Pumpkin Eater (250)

How many save states were made for the game mentioned in the question “You Wouldn’t Download a Car”?

From the previous questions, we know that files related to the games are stored in /private/var/mobile/Documents, which also contains a folder named “Save States”.
Because the names are so impossible to work with in the CLI with all the spaces, I’m going directly into the Save States directory:

cd /mnt/hgfs/iPad/private/var/mobile/Documents/Save\ States
ls -la

Listing the contents of Zelda:

ls -la 'Legend of Zelda, The - The Minish Cap (U)'

There’s one “Save State”, as the other one is “autosave”.

Answer: flag<1>

15. Learning a Language Requires a Little Practice Everyday (250)

What language is the user trying to learn?

Question6 4thewin! Tim wants to learn Spanish and is listening to Duo Lingo Podcasts in Spanish.

Answer: flag<Spanish>

16. Take a Look in a Book (250)

The user was reading a book in real life, but used their Fruit Pad to record the page that they had left off on. What number was it?

Like all great CTFs, nothing ever happens without some evidence hidden in images. The Notes database was empty, so it just made sense that Tim took a picture of his book page to remember it. I used the command display on all files in the /mnt/hgfs/iPad/private/var/mobile/Media/DCIM/100APPLE/ directory, until… IMG_0008.MOV (the last one -.-), where I used VLC.

vlc /mnt/hgfs/iPad/private/var/mobile/Media/DCIM/100APPLE/IMG_0008.MOV

Answer: flag<85>

17. Find me (300)

If you found me, what should I buy?

I found this flag “accidentally” while trying to figure out one of the FruitBook questions. Copy the NoteStore.sqlite database to your working directory and open it:

cp /mnt/hgfs/iPad/private/var/mobile/Containers/Shared/AppGroup/4466A521-8AF9-4E09-800B-C3203BB70E0E/NoteStore.sqlite notes.sqlite && sqlitebrowser notes.sqlite

In the ZICLOUDSYNCINGOBJECT scroll scroll scroll and you will find Tim’s lovely advice:

Answer: flag<Crash Bandicoot Nitro-Fueled Racing>

Super confusing. Should’ve been phrased as “what should YOU buy”.

18. Interstellar Docking Scene Music (300)

Name one of the apps that were on this device’s dock.
Provide them in bundle format: com.provider.appname

In iLEAPP, at the Apps per Screen section, there’s a layout of all the app names on the screen of the iPad:

Answer: flag<com.apple.MobileSMS>

19. Remind me later (300)

A reminder was made to get something, what was it?

In the Calendar Items report of iLEAPP, there is an entry for ā€œGet milkā€:

Answer: flag<milk>
