cyber defenders challenge PATRICK (iOS forensics)
patrick iphone investigation
conducted 10 oct 2022 to 17 oct 2022
for a shorter writeup and screenshots please follow https://github.com/dakshita-joshi/Cyber-Defenders-Challenge-Patrick
im sick and coughing and sniffling so no smartassery or joke crackery just questions and answers all right now
q14 Which cardinal direction was Patrick moving when he took a live photo?
right whats a cardinal direction
oh
ok thats east. easy. exiftool -ee IMG_0002.MOV in mobile/Media/DCIM/100APPLE
how can i map guid to app name its annoying to open them up and then figure it out. i also need to see how plist opens/works
ohoho man i rlly am sick but hey im bored too
anyway, for last known location i saw the magnet pdf and went straight to private/var/mobile/Library/Caches/com.apple.routined/Caches.sqlite and opened it on db. now i dont know how it works and my head hurts to look at a youtube video, so i clicked around, got to the data table and entered the last coordinates in the list. ya huey
i dont like this challenge very much it has me more lost than mr gamer i didnt know that was possible
let me check on my gdrive for references.
hold up i remember this mobile forensics book i had on a drive somewhere i think i should read that first
reading is good reading is helpful. i always want to read and then attempt a challenge but problem is it ends up always taking too long because i keep discovering new things and then going on tangents and then the challenge takes thrice as long but i will try to keep on course this time. only relevant stuff. ONLY RELEVANT STUFF.
i picked a lovely topic to not get distracted by cus there is hardly ANYTHING of interest wow apple sure keeps a tight lid on things. way to kill any curiosity
when i write a technical book i will make it as untechnical as possible. do these writers get off on big words? if youre describing an acronym with 3 other acronyms youre bad at your job, man.
yeah, no. mission failed. i kept getting distracted looking at new things, getting bored, doing other stupid things, then getting back, getting bored again. god i love reading so much but its so hard doing it when my brain is boiling horsetail soup. god please let me find a bottle of adderall on the road today
ok the internet says engaging motor muscles while reading might help in more focus. i cant walk rn so lemme try to take notes? lets see
well who knows it IS working. interesting.
so i read how they acquire data and how to recreate file folders in iphone structure using manifest.db from itunes backup. i didnt read too hard because i didnt need to do it but it was fun to read anyway.
some sqlite instructions and usage guide.
gonna nose around in var/mobile/Library for a while
in calendar.sqlitedb in calendar table lies the colour assigned to work, purple(BORAHAE!) hex code is #CC73E1FF
their notes are empty! what!? empty?? how can someones notes be empty. my notes know the deepest darkest parts of me.
i found when he searched for what is my ip in the safari browser data History.db and the mac absolute time is 664490543.181265. now i converted it to gmt and entered it and that wasnt right so...? ill try for universal time. nope, not right either. before this hes searched for plant shops near me and the answer was for vermont, which i learned was gmt -4 aka EST, so i converted to that and nope, not that either.
665628703.528937 hm i think my selection of the time stamp itself was wrong.
i saw the ei timestamp on the google search w unfurl and used that and that isnt correct either? i dont get it?
EVEN THE HINT SAYS UNFURL?? I WASTED 10 POINTS GAAAAH
well as usual the format was dd/mm/yy and i entered it in dd/mm/yyyy. man im tired. the right answer is 16/01/22 09:01:22 in eastern time for vermont. found in var/mobile/Library/Safari/History.db, unfurled and unix time converted. i could have saved myself 10 points if i had eyes
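Added example (mine, not the author's or the challenge's code) for the two timestamp formats that cost the 10 points above. Safari's History.db stores visit_time in Mac absolute time, i.e. seconds since 2001-01-01 00:00:00 UTC, so feeding it to a plain unix converter lands you 978307200 seconds (31 years) early. The ei parameter in a Google search URL is base64url text whose first four decoded bytes are a little-endian unix timestamp, which is what unfurl pulls out; that layout is stated here as an assumption about Google's format, and the sample ei below is constructed from a known unix time, not the real one from the challenge. The History.db value 664490543.181265 is the one quoted above. Vermont is on US Eastern time, and zoneinfo decides EST or EDT for the date in question instead of you guessing an offset.

```python
import base64
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo, ZoneInfoNotFoundError

# Mac absolute (Cocoa) time counts from 2001-01-01 UTC, not from 1970
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
COCOA_UNIX_OFFSET = 978307200  # seconds between the two epochs


def mac_absolute_to_utc(ts: float) -> datetime:
    """History.db visit_time (Cocoa seconds) -> aware UTC datetime."""
    return COCOA_EPOCH + timedelta(seconds=ts)


def eastern_tz():
    """US Eastern. zoneinfo applies EST (UTC-5) or EDT (UTC-4) for the date itself;
    if the host has no tzdata, fall back to plain EST, correct for January dates."""
    try:
        return ZoneInfo("America/New_York")
    except ZoneInfoNotFoundError:
        return timezone(timedelta(hours=-5), "EST")


def to_eastern(dt_utc: datetime) -> datetime:
    return dt_utc.astimezone(eastern_tz())


def decode_google_ei(ei: str) -> datetime:
    """Unix time packed into a Google search URL's ei= parameter.
    Assumed layout (the one unfurl decodes): base64url, first 4 bytes are
    little-endian unix seconds; the remaining bytes are opaque."""
    raw = base64.urlsafe_b64decode(ei + "=" * (-len(ei) % 4))  # restore stripped padding
    if len(raw) < 4:
        raise ValueError("ei value too short to hold a timestamp")
    return datetime.fromtimestamp(int.from_bytes(raw[:4], "little"), tz=timezone.utc)


def pack_ei(unix_seconds: int) -> str:
    """Build a constructed ei value in that layout so the decoder can be exercised offline."""
    body = unix_seconds.to_bytes(4, "little") + b"\x00\x00\x00\x00"  # filler for the opaque tail
    return base64.urlsafe_b64encode(body).decode().rstrip("=")


def challenge_format(dt: datetime) -> str:
    """dd/mm/yy HH:MM:SS, the format the grader wanted (not dd/mm/yyyy)."""
    return dt.strftime("%d/%m/%y %H:%M:%S")


if __name__ == "__main__":
    visit = mac_absolute_to_utc(664490543.181265)  # the History.db value quoted above
    print("History.db:", visit.isoformat(), "=", challenge_format(to_eastern(visit)), "Eastern")
    wrong = datetime.fromtimestamp(664490543, tz=timezone.utc)  # same number read as unix time
    print("read as unix time it would be", wrong.isoformat(), "(off by", COCOA_UNIX_OFFSET, "s)")
    sample_ei = pack_ei(1642341682)  # constructed, not the ei from the challenge URL
    print("ei", sample_ei, "->", challenge_format(to_eastern(decode_google_ei(sample_ei))), "Eastern")
```

When the answer box wants a date, convert to UTC first, then to the device's local zone with a real tz database; the "GMT -4" vs "GMT -5" confusion above is exactly the EST/EDT split that zoneinfo handles for you.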
bumble has the most screentime from RMAdminStore-Local.sqlite.
ok man i have put it off for too long now i have to download ileapp
done
now what?
dinner.
ok now
sorry i got so into it i forgot to update ayyy so i did install ileapp, ran the gui, and it gave a nice cute well presented report and the alarm sound is system:Radar
okay wow so much all trails data, this guy gets his steps in, man. i should have answered the cardinal direction etc question through this i think
ThirstySteveMartin.gif is the gif sent on bumble. ;)
4 grocery items
wow everything is on here i should have done this first instead of squirreling away into god knows what directories
but this isnt very fun this is very point and shoot camera type stuff
Kornbread and Jorgeous are still Making Fun of Cynthia's Car Crash... is the last message received on reddit. Kornbread slays tbh.
oh it says guessing answers affect accuracy count but i wasnt even guessing?? i just mistyped man
service expires 5 feb 22 from an email by total wireless
thats about all from ileapp. but this writeup i saw from someone who analysed an ipad had many more tabs?? why dont i have any more? should i try doing it again?
nope. no new entries. hm
github says works w python 3.9 and up mine is 3.8 i should update?
ohohho this is annoying, the requirements txt is throwing curves and this is some big annoying dragon i have no interest in understanding right now.
so i found the reddit account info from following the app guid in the ileapp report and put the iv2 thing in cyberchef and it says its an nskeyed archive which is why it wasnt opening i suppose. so im supposed to use the macforensics deserialiser and ileapp together? or am i supposed to first deserialise these plists and then use ileapp again?
ok deserialised. (i stared at the python script for 45 minutes. just stared. nothing. no thought head empty. it was actually quite nice. meditative, even.)
then converted to xml using plistutil (installed with libplist-utils: sudo apt-get install libplist-utils), then plistutil -i ivu21eum_deserialized.plist -o reddit.xml.plist, then opened reddit.xml.plist and looked up creation time and its 21:59:38. for the avatar i found this http link, went to it, and it was a chibi figure wearing an owl onesie.
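Added example, not the deserialiser script or the plistutil step the writeup used: what an NSKeyedArchiver plist actually is and how to flatten one in plain Python with plistlib, which has read and written UIDs in binary plists since 3.8. An archive is a flat $objects array; $top points at the root by index (a UID), and every NSDictionary, NSArray or NSDate is itself a dict whose fields are more indexes. CyberChef calls it an nskeyed archive because of the $archiver key, and that is also why opening the raw file shows nothing readable. The sample archive is constructed in build_sample_archive with made-up keys and values (the URL is a placeholder) in the shape Foundation writes; it is not the reddit account plist.

```python
import plistlib
from datetime import datetime, timedelta, timezone

# NSDate stores Cocoa seconds (since 2001-01-01 UTC), same epoch as History.db
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def build_sample_archive() -> bytes:
    """Constructed NSKeyedArchiver-shaped binary plist (not a real app's file)."""
    U = plistlib.UID
    objects = [
        "$null",                                                      # 0: nil
        {"$class": U(7), "NS.keys": [U(2), U(3), U(4)],               # 1: root NSDictionary
         "NS.objects": [U(5), U(6), U(8)]},
        "creationTime", "avatarURL", "subreddits",                    # 2-4: dictionary keys
        {"$class": U(9), "NS.time": 666000000.0},                     # 5: NSDate
        "https://example.invalid/avatar.png",                         # 6: placeholder string
        {"$classname": "NSDictionary", "$classes": ["NSDictionary", "NSObject"]},  # 7
        {"$class": U(10), "NS.objects": [U(11), U(12)]},              # 8: NSArray
        {"$classname": "NSDate", "$classes": ["NSDate", "NSObject"]},              # 9
        {"$classname": "NSArray", "$classes": ["NSArray", "NSObject"]},            # 10
        "r/rupaulsdragrace", "r/iOSProgramming",                      # 11-12: array members
    ]
    archive = {"$version": 100000, "$archiver": "NSKeyedArchiver",
               "$top": {"root": U(1)}, "$objects": objects}
    return plistlib.dumps(archive, fmt=plistlib.FMT_BINARY)


def unarchive(data: bytes, max_depth: int = 64) -> dict:
    """Resolve an NSKeyedArchiver plist into plain Python values, keyed by $top entry."""
    plist = plistlib.loads(data)
    if plist.get("$archiver") != "NSKeyedArchiver":
        raise ValueError("not an NSKeyedArchiver plist (no $archiver key)")
    objects = plist["$objects"]

    def classname(obj: dict):
        ref = obj.get("$class")
        return objects[ref.data].get("$classname") if isinstance(ref, plistlib.UID) else None

    def resolve(value, depth=0):
        if depth > max_depth:  # real archives can contain back-references; do not loop forever
            raise ValueError("archive nests too deeply (cycle?)")
        if isinstance(value, plistlib.UID):
            return resolve(objects[value.data], depth + 1)
        if isinstance(value, list):
            return [resolve(v, depth + 1) for v in value]
        if isinstance(value, dict):
            cls = classname(value)
            if cls in ("NSDictionary", "NSMutableDictionary"):
                keys = [resolve(k, depth + 1) for k in value["NS.keys"]]
                vals = [resolve(v, depth + 1) for v in value["NS.objects"]]
                return dict(zip(keys, vals))
            if cls in ("NSArray", "NSMutableArray", "NSSet", "NSMutableSet"):
                return [resolve(v, depth + 1) for v in value["NS.objects"]]
            if cls == "NSDate":
                return COCOA_EPOCH + timedelta(seconds=value["NS.time"])
            if cls in ("NSString", "NSMutableString"):
                return value["NS.string"]
            if cls == "NSURL":
                return resolve(value.get("NS.relative", "$null"), depth + 1)
            # unknown class: keep its fields, resolved, and remember the class name
            out = {k: resolve(v, depth + 1) for k, v in value.items() if k != "$class"}
            out["$classname"] = cls
            return out
        return None if value == "$null" else value

    return {key: resolve(ref) for key, ref in plist["$top"].items()}


if __name__ == "__main__":
    root = unarchive(build_sample_archive())["root"]
    for key, value in root.items():
        print(f"{key:14} {value!r}")
```

Point it at the real file with unarchive(open(path, "rb").read()); if the app wrapped the archive in another plist or in a sqlite blob, extract that layer first. Dates come back as aware UTC datetimes, so the 21:59:38 style answer still needs the same local-time conversion as everything else on this phone.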
at /var/installd/Library hoping to find what app was uninstalled.
well i found the reboot log with good old cat and grep and the latest is 14 feb 22 at 11:44:13
and it also says uninstalling identifier com.tencent.xin which doesnt fit the required answer format so.....
ok google says its wechat.
ok now promotion emails. it wronged all my answers and even said suspicious activity detected but the answer is 23 i dont get it
ok i looked around and found a magnet write up. i looked at 2 and they both had the same problems so they guessed and said 21 was right.
what i can do i think is go to the location ileapp is getting its gmail data for and check with my own two eyes
even that says 23?? nvm man ill just do 21 and go to sleep my head hurts.
done. goodnight.
