If we load up the map view in Axiom, it seems there is a huge number of data points in Norway and some in the US.
We can also note that there was a Google Maps Direction query from Oslo Central Station to Bergen Station.
I spent quite a bit of time going through all the geo-tagged data to see if it lead somewhere. I also tried things like translating the word “Cargo” to Norwegian and many other google searches…
One of the hints Jessica mentioned in the week 3 video was to watch the webinar Mobile Artifact Comparison — Understanding the Similarities Between iOS and Android Data. They also released a hint that cost 20 points but I was stubborn enough to keep looking without it.
The talk includes many great tips but one thing that caught my attention was the “live” images Android has.
Jessica mentioned that these images appear as .jpg files but contain .mp4 of the other frames taken at capture. I thought this could be a rabbit hole but it also seemed pretty interesting regardless
For carving, I used scalpel and added the following line to be able to extract mp4s:
mp4 y 30000000 \x00\x00\x00\x18\x66\x74\x79\x70\x6D\x70\x34\x32
Once you add this line, we can run scalpel to carve mp4 files out of the MVIMG* files located at data\media\0\DCIM\Camera.
Running scalpel MVIMG*, we get the extracted files for review.
As they are only a second or two in length, it didn't take long to get through them all. To my absolute surprise, when scrubbing through the picture taken out of a moving vehicle, the sign in one frame contained “Cargo”.
So from the image, it could be either E16 or F16, but I thought I’d google one of the names on the sign to verify: E16!
I was stumped on this one for a while but was very rewarding.
Answer: E16
