Magnet User Summit DFIR CTF 2019-Mobile

5 min readApr 6, 2019

The recent Magnet User Summit DFIR CTF Challenge was released to the public. I also took this opportunity to get familiar with the Magnet AXIOM software.

Link to CTF: https://mus2019.ctfd.io/
Other parts:
- Activity
- Secret Project
- Desktop

Mobile

The sources for this challenge is a Google Takeout Dump and an image of the device.

I stuck with using AXIOM for the most part of the mobile challenges.

Image Type 2

What type of mobile image do you have?

Answer: Quick/Logical

A look at the file name “samsung SM-J337V Quick Image” and the file structure of directories suggest it is a logical acquisition.

Logical acquisition implies a bit-by-bit copy of logical storage objects (e.g., directories and files) that reside on a logical storage

IMSI 2

What is the IMSI for the SIM Card?

Answer: 311480460682294

agent_sim.db contains the SIM card data, including the subscriber_id or IMSI.

You can also view this in AXIOM under Android Device Information.

Basic Info 2

What is the phone number for the device in the format 2125551212?

Answer: 3153165956

Was contained in the same file as above.

Google Search 2

Which Google search was made on the phone on Dec 4, 2018?

Answer: iguana potty training

User Name 5

What is mobile device owner’s username on Kik?

Answer: selmabspring

A message to Phoebe Washington contains the owners Kik username. The message database is in samsung SM-J337V Quick Image.zip\Agent Data\agent_mmssms.db.

Travel 5

What country was the mobile phone in on December 7th?

Answer: Australia

Using the timeline on AXIOM, the activity on the 7th points to a message that indicates the phone was in Australia.

Pictures 5

What is the file name of the largest picture taken with the phone camera?

Answer: 20181209_144014.jpg

Sorting by size on all photos, we get a file that is 3481549 bytes,

Email Address 5

What is the home email address for the user that is texted on Feb 13, 2019?

Answer: phoebe5042002@icloud.com

Checking the message logs reveals messages to Phoebe Washington on the 13th. The contact entry provided the email.

Invite 5

What email address sent the Mega invite?

Answer: wdoobner@putinsangels.com

The takeout dump includes an .mbox from GMail. The invite email contains the answer.

Kik User Photo 5

Which imagery is part of the user’s kik avatar?

Answer: penguin

A file in the temp folder provides the answer to this question.

Domestic Travel 10

What state was the phone in on December 25th, 2018?

Answer: Florida

There were several photos taken on 25th with geo-meta data indicating the location. AXIOM’s World view was a quick solution to this question.

Theme Park 5

What theme park was the mobile device in on Dec 25, 2018?

Answer: Universal Studio

See above for more info

App Download Methods 10

Which of the following apps was NOT downloaded from Google Play?

Answer: YouTube

In the takeout dump, you can see the list of installed apps through Google Play. From there you can check which app is not in the list.

Time Zone 10

What time zone was the phone in on Dec 9th?

Answer: UTC+11

A picture of the Sydney Harbour Bridge from the 9th indicates the location.

Contacts 10

What is the last name of the user whose email is pangolinsrock@outlook.com?

Answer: Frazier

The contacts from the Google dump has more info for pangolinsrock.

Content Distributor 10

What account posted the video that the mobile device visited on 4 Dec 2018 at 06:23 am UTC?

Answer: DesertedReptile98

Time watched was in EDT and needed to be converted.

Analysis 15

What country was the mobile device owner in when reading a document that was “IN MEMORY OF MOE”?

Answer: New Zealand

The website http://www.iguanaresource.org/pottytraining.html contains the string “IN MEMORY OF MOE” at the bottom of the page. The user visited this on 6th December EST. We can then use the other phone data to correlate where the user was at the time. The closest time we can track this to is the text when the user reached New Zealand. If we convert the website visit timestamp to NZST then it aligns with the message timestamp.