
Information
Image: GrayKey iOS image
Files: MVS2021iOS.zip
My Recommendations
This is my personal preference, I like being organized and deleting a folder when I’m done with it.
mkdir Documents/Magnet/ios
Verify the file with md5sum:
md5sum MVS2021iOS.zip
I tried to solve some of these questions with command line tools only, but iLEAPP is so much more efficient and faster.
iLEAPP and the other tools used below:
sudo apt update
sudo apt-get install -y html2text
sudo apt-get install -y xlsx2csv
sudo apt-get install sqlitebrowser
sudo snap install vlc
git clone https://github.com/abrignoni/iLEAPP
cd iLEAPP
virtualenv env
source env/bin/activate
pip3 install -r requirements.txt
python3 ileapp.py -t fs -i /home/remnux/Documents/Magnet/ios -o /home/remnux/Documents/Magnet
mv (Name of your iLEAPP folder) ileapp #Renaming makes it easier to use in the Terminal
deactivate ##when done
Walkthrough
1. Breaking Quarantine (5)
When does Eli go to a neighboring state? Answer in MM/DD/YYYY
In iLEAPP, under RoutineD Cloud Addresses, on 2021-02-20 Eli went to New York from Vermont, which correlates with the Takeout/Chromebook data, where he was so desperate to cross the border for chicken :o.
Answer: 02/20/2021
2. Burger Time (5)
What fast food restaurant has an application installed on the device?
find ios/private/var/containers -name "*.app"
All are recognizable except CFAOne.app, which Google reveals to be Chick-fil-A.
Alternatively, in iLEAPP, on the Application State DB tab, you will find the Bundle ID “com.engauge.Chick-fil-A”.
Answer: Chick-fil-A
3. Get Zucked! (5)
What is Eli’s facebook password?
The iOS image, which was imaged with GrayKey, includes a keychain property list and a “passwords” text file:
grep "facebook" -B 1 -A 3 ios/*.txt
Answer: fix_my_flatt2!
4. New Watch Who Dis (5)
What is the MAC address of Eli’s apple watch?
Paired Bluetooth devices are located in the “com.apple.MobileBluetooth.ledevices.paired.db” database, which is at /private/var/containers/Shared/SystemGroup/<GUID>/Library/Database/com.apple.MobileBluetooth.ledevices.paired.db
##Using sudo (root) because the SystemGroup directory is protected in iOS
sudo find ios/private/var/containers/Shared/SystemGroup -type f -name "*MobileBluetooth*"
sudo sqlitebrowser ios/private/var/containers/Shared/SystemGroup/3C4306EC-7EC5-4268-A396-4EC44A85C4D7/Library/Database/com.apple.MobileBluetooth.ledevices.paired.db
In the table “PairedDevices”, there is an entry for Eli’s Apple Watch, and the Resolved Address is its MAC address.
In iLEAPP, the “Bluetooth Paired” tab shows the same answer (and faster!).
Answer: 50:A6:7F:8F:A5:B6
5. Sanik Speed (5)
What was the fastest heart rate recorded for Eli?
Health data is stored in the “healthdb_secure.sqlite” database, which is located in /private/var/mobile/Library/Health.
sqlitebrowser ios/private/var/mobile/Library/Health/healthdb_secure.sqlite
It’s not an easy database to work with, so I ran this SQLite query in the “Execute Sqlite” tab and added ORDER BY “HEART RATE” DESC on the last line.
In iLEAPP, you just need to go to the “Heart Rate” tab, and sort by descending number (make sure you select Show:ALL).
Answer: 146
6. Sunny Side Up (5)
How does John like his eggs? (2 words)
In iLEAPP, there is no result for “eggs” (which I assume is because the app is not parsed by iLEAPP), so I’m going to search for the string “eggs” in /private/var/mobile/Containers.
grep -s -r "eggs" ios/private/var/mobile/Containers
We get matches from Apple news, Snapchat Sticker search and a mysterious db.sqlite-wal in ChatFiles. If I had more time I would parse it using Walitean, but I’m going to do this instead:
strings ios/private/var/mobile/Containers/Data/Application/1F287418-C53F-4C57-A0A0-E3CA23CC1376/Library/Application\ Support/ChatFiles/6929690733986661382/db.sqlite-wal | grep "eggs"
On the first line, we get “text”:”I like my eggs in CHICKEN form”
Answer: CHICKEN form
7. Beefstew isn’t a Stoganoff Password (10)
How many Apple Notes did Eli Encrypt?
Notes are stored in the NoteStore.sqlite database, which is at /private/var/mobile/Containers/Shared/AppGroup/<GUID>
find ios/private/var/mobile/Containers/Shared/AppGroup/ -type f -name "NoteStore.sqlite"
##Returns location of DB & open it
sqlitebrowser ios/private/var/mobile/Containers/Shared/AppGroup/E325D0D4-1ADF-4D35-9CF8-6F7DEBFB2156/NoteStore.sqlite
Since the question asks how many notes are encrypted, we can go to the “ZICNOTEDATA” table and, under the ZCRYPTOTAG column, count the number of “BLOB” entries (which is the number of encrypted notes).
Otherwise, iLEAPP to the rescue! Go to Note Sharing, and there will be three instances of “PasswordProtectedNote” in the Record Type column.
Answer: 3
8. Big Spender (10)
How much (after tax) was Eli’s Chick-fil-A order? Exclude Dollar sign
At this point, I’m going to switch my search directory to the ileapp output directory, as it’s easier to grep for strings.
html2text ileapp/*.html | grep "Chick-fil-A"
In the output, there is something about a ‘Mobile Ordering Receipt’, so I narrow my search by:
grep 'Chick-fil-A® Mobile Ordering Receipt' ileapp/*.html
Eli Flatt received an email confirming his order, which put the total at 28.00 USD. HOWEVER, this is something I got wrong!
UPDATE
This time, I’m going to work directly on the Mail folder in private/var/mobile/Library/Mail since I know there is an email with a receipt.
With grep, I see my email of interest is in the following directory:
ios/private/var/mobile/Library/Mail/MessageData/41 which contains 1.emlxpart and partial.emlx
cat ios/private/var/mobile/Library/Mail/MessageData/41/1.emlxpart
Outputs the email with metadata, and … if I scroll down
Total – $27.24 USD.
I should’ve treated the “exclude dollar sign” hint as a flag; it would’ve helped with greppin’ the filesystem. I was convinced that since he paid with a gift card it would be 0, but no, Eli still got charged 🙁
Answer: 27.24
9. Getting the Bag (10)
When was the first time Eli got Chipotle? mm/dd/yyyy
Grepping for Chipotle gives no realistic answer, so I’m going to look at Media files and open the ios/private/var/mobile/Media/DCIM/100APPLE directory in vlc.
IMG_0001.MOV is a live photo of a Chipotle bag:
To find the date it was taken, which is when Eli “secured the bag”:
ls -la ios/private/var/mobile/Media/DCIM/100APPLE/IMG_0001.MOV
Answer: 02/12/2021
10. News Flash (10)
Who may have the toughest job in Washington?
One of the cool things about iOS forensics is that within each app directory there is a “Snapshot” folder containing .ktx images, which are kind of like random screenshots taken by iOS. You can sometimes find evidence in those. In iLEAPP, in the Application Snapshots tab under the sceneID:com.apple.news directory, there’s the answer!
Answer: Janet Yellen
11. There’s No Sign of Intelligent Life Anywhere (15)
Eli was sent a flat earth meme. Give the last 5 characters of the MD5 hash of the file.
If Eli was sent a meme, then most likely it was through a social media app not parsed by iLEAPP. There’s a recurrence of Snapchat in this challenge, and it actually took me FOREVER to find this flag. But in the end, and with determination, I FOUND IT!
All pictures/videos the user saves in a conversation reside in the directory ios/private/var/mobile/Containers/Data/Application/4BE54906-7CC7-4281-B1EB-055263F14F17/Library/Persistent/SCMedia. In VLC, I open the three .mov files as a “directory”; the second one is:
Our file of interest is cm-chat-media-video-Uu2LyntLxKFWDKxorL2r2.mov.
md5sum ios/private/var/mobile/Containers/Data/Application/4BE54906-7CC7-4281-B1EB-055263F14F17/Library/Persistent/SCMedia/cm-chat-media-video-Uu2LyntLxKFWDKxorL2r2.mov
The MD5 is 2c4a1b057ebd029eb9d450378b3889aa.
Answer: 889aa
12. What falls but never hits the ground? (15)
What was the temperature in Burlington on March 3rd at approximately 3pm? Answer in degrees Fahrenheit.
As in Question 10, this answer can be found in the snapshot for sceneID:com.apple.Maps.
Answer: 27
13. What’s your number? (15)
What was the order number for the Chick-fil-A mobile order?
Back to Question 8, the order number was: 1003871.
Answer: 1003871
14. Chicken on a Sunday? (25)
Okay, so we know Eli likes Chick-fil-A, what 2 other chain fast food restaurants were visited? Include both in answer, formatting will not be an issue.
I found entries for KKD in Burlington, but it is not a “chain”. The answers are actually in the questions themselves: Wendy’s (on the snapshot of question 12) and Chipotle (Question 9).
Answer: Wendy’s and Chipotle
15. DFIRFit Target (25)
On which day were the most steps recorded with an Apple Watch? Answer in MM/DD/YYYY.
Opening the iLEAPP HTML file, navigating to “Steps” – most steps recorded were on 2021-03-03, with 759 steps in 10 minutes!
Answer: 03/03/2021
16. Fowl language (25)
Who was mentioned outside the Chick-Fil-A?
Since I had opened the DCIM live photos for question 9, I knew there was a picture taken outside of Chick-Fil-A (IMG_0003.MOV); with the sound on, we can hear someone saying: Johnathan.
Answer: Johnathan
17. Give me a signal (25)
What was the link sent to Eli on Signal?
Signal’s database is encrypted with SQLCipher. I followed this super cool tutorial to decrypt the database. Note that the decrypted property list in the tutorial is actually the keychain.plist provided with the iOS image.
In the decrypted table indexable_text, there is a TikTok link without the punctuation: httpsvmtiktokcomZMejtu5mG, which translates to: https://vm.tiktok.com/ZMejtu5mG/
Answer: https://vm.tiktok.com/ZMejtu5mG/
18. Peek-a-boo (25)
What app was used to let Eli know it is Burrito Time?
Peek-a-boo is basically the answer itself, as “Picaboo” was the original name of the Snapchat App.
Answer: Snapchat
19. The Epitome of Health (25)
What time did the health database last sync? Answer in GMT and HH:MM:SS format
In the healthdb.sqlite, at ios/private/var/mobile/Library/Health/healthdb.sqlite:
sqlitebrowser ios/private/var/mobile/Library/Health/healthdb.sqlite
In the table “cloud_sync_store”, the value in the last_sync column is your timestamp. Convert it from a Cocoa Core Data timestamp (seconds since 2001-01-01 00:00:00 UTC, iOS’s default timestamp format) to a date and time.
Answer: 05:35:53
20. You can’t beat encryption right? (25)
What user was Eli texting on Wickr?
This is the one where, no matter what I tried, I did not find a single open-source tool or method that could decrypt the wickrLocal.sqlite database. In Magnet Axiom, if you load the .zip file and provide the v_data hash from the keychain.plist (following Axiom’s method), you have access to the fully decrypted database:
Answer: jchipps723
21. Lettuce insert a sandwich pun here (50)
Eli was telling his friend about a sandwich he got. When was the message sent where he said he got the sandwich? Answer in yyyy-mm-dd HH:MM:SS
Running html2text *.html | grep "sandwich" in the iLEAPP results directory gives no results. So I’m going to assume the message is in an app not parsed by iLEAPP, such as Snapchat, Wickr, Signal or TikTok.
grep -r "sandwich" ios/private/var/mobile/Containers/Shared/AppGroup
The first output is: Binary file ios/private/var/mobile/Containers/Shared/AppGroup/FEB19AB8-2FD0-4768-8587-9FA485D0E90A/User/74f9528c-7e7e-493a-b3a0-56f23882d626/deltaSyncData/ebe29dbb-6b83-5f95-9e1b-86dd6efb1dc8 matches
strings ios/private/var/mobile/Containers/Shared/AppGroup/FEB19AB8-2FD0-4768-8587-9FA485D0E90A/User/74f9528c-7e7e-493a-b3a0-56f23882d626/deltaSyncData/ebe29dbb-6b83-5f95-9e1b-86dd6efb1dc8
So I have a lead! There is something about a sandwich conversation in this app. To find out which app it is, I run:
ls -la ios/private/var/mobile/Containers/Shared/AppGroup/FEB19AB8-2FD0-4768-8587-9FA485D0E90A/Library/Preferences
Usually, there is a property list with the App’s name, and we get: group.snapchat.picaboo.plist.
Snapchat conversations are stored in “arroyo.db” so I’m going to use the find command and open it with sqlitebrowser like we did previously.
find ios/private/var/mobile/Containers -name "arroyo.db"
Success! It is at ios/private/var/mobile/Containers/Data/Application/4BE54906-7CC7-4281-B1EB-055263F14F17/Documents/user_scoped/c410029b87cd535dcda1e773b850ea8cc8b07ca206320a03937260a995463acf/arroyo/arroyo.db
sqlitebrowser ios/private/var/mobile/Containers/Data/Application/4BE54906-7CC7-4281-B1EB-055263F14F17/Documents/user_scoped/c410029b87cd535dcda1e773b850ea8cc8b07ca206320a03937260a995463acf/arroyo/arroyo.db
In the table conversation_message, for client_message_id “13”, the BLOB in message_content contains the message “I got a spicy chicken sandwich. Not as good as chick fil a though”.
The creation timestamp for this item is “1614893591699” (Unix milliseconds); using an epoch converter, this timestamp translates to Thursday, March 4, 2021 9:33:11.699 PM GMT.
Answer: 2021-03-04 21:33:11
22. TikTokClock (75)
When was the tiktok sent in signal posted? Answer in yyyy-mm-dd hh:mm:ss GMT
Opening the page in a web browser with Developer Tools on and searching for “createTime”, we eventually find a big block containing the value createTime: 1607451208. Converted to date-time, it’s Tuesday, December 8, 2020 6:13:28 PM GMT.
Answer: 2020-12-08 18:13:28
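The three timestamp conversions in this writeup (the Cocoa Core Data last_sync value in healthdb.sqlite from question 19, the Unix-millisecond creation timestamp in arroyo.db from question 21, and the Unix-second createTime from question 22) can be checked offline with the following helper, which is an added example and not part of the original post. The Cocoa value 636528953 is a constructed sample, since the post does not quote the actual last_sync value; the other two values are the ones quoted above.

```python
from datetime import datetime, timezone

# Seconds between the Unix epoch (1970-01-01 00:00:00 UTC) and the
# Cocoa / Core Data epoch (2001-01-01 00:00:00 UTC).
COCOA_EPOCH_OFFSET = 978307200


def unix_to_str(seconds):
    """Format a Unix timestamp (seconds) as 'yyyy-mm-dd HH:MM:SS' in GMT."""
    return datetime.fromtimestamp(float(seconds), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def unix_ms_to_str(millis):
    """Snapchat arroyo.db conversation_message timestamps are Unix milliseconds."""
    return unix_to_str(float(millis) / 1000.0)


def cocoa_to_str(cocoa_seconds):
    """healthdb.sqlite cloud_sync_store.last_sync is seconds since 2001-01-01 UTC."""
    return unix_to_str(float(cocoa_seconds) + COCOA_EPOCH_OFFSET)


def guess_and_convert(value):
    """Heuristic for a raw numeric timestamp from an iOS image: pick the epoch
    by magnitude and convert. Returns (format_name, 'yyyy-mm-dd HH:MM:SS').
    Assumes dates after Sept 2001, where the three ranges do not overlap:
    13-digit -> Unix ms, 10-digit -> Unix s, 9-digit -> Cocoa s."""
    v = float(value)
    if v > 1e11:
        return ("unix_ms", unix_ms_to_str(v))
    if v > 1e9:
        return ("unix_s", unix_to_str(v))
    return ("cocoa", cocoa_to_str(v))


# Values seen in this writeup plus one constructed Cocoa sample.
SAMPLES = {
    "arroyo.db creation timestamp (Q21)": 1614893591699,
    "TikTok createTime (Q22)": 1607451208,
    "healthdb last_sync (constructed sample)": 636528953,
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        fmt, when = guess_and_convert(raw)
        print(f"{label}: {raw} [{fmt}] -> {when} GMT")
```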