
Cellebrite CTF 2020: Introduction


TL;DR: No need for any commercial tools in Cellebrite’s 2020 Forensics Capture the Flag event, just open source software and an understanding of what you are looking at.

Background

Cellebrite just finished up its first Capture the Flag (CTF) event, running from October 26, 2020 through October 29, 2020. Unlike the Magnet Forensics CTF, Cellebrite made all of their images and questions available at the start. There are positives to both approaches, but it meant Cellebrite was more of a sprint, compared to Magnet where each question had a week to solve. I participated in a team of three for this event, ending in 13th place and kicking myself because that would have been second had I heeded my own rules.

Tools

We used no commercial tools in our analysis; everything was either found in a common *nix-based OS package repository or MIT-licensed and available on GitHub. We set this goal for ourselves to show anyone, even those who can’t afford the name-brand products, that they don’t need them to get the job done [1]; the knowledge of what is going on is far more important. Or to spoil the ending of every Disney movie: The answer was inside you, all along.

Tools Available on GitHub

  • Apple Cloud Notes Parser [MIT License]: Used to parse Apple Notes files, supports decrypting encrypted notes.
  • iLEAPP [MIT License]: Used to launch a broad array of processing scripts against iOS device images.
  • ALEAPP [MIT License]: Used to launch a broad array of processing scripts against Android device images.
  • MacForensics/IOS_KTX_TO_PNG [MIT License]: Very useful script to convert a KTX file to PNG.
  • BPLister [MIT License]: A very hacky script that just pretty prints a given binary plist file or NSKeyedArchiver file.

Tools available in your local Linux package repository (licenses may vary, but are likely GPLv3)

  • DB Browser for SQLite: Almost the only thing I use to view SQLite databases.
  • sqlite3 [Public Domain]: When you don’t want to view a SQLite database, just use it.
  • cat [GPLv3 License]: Displays the contents of a file or set of files.
  • grep: Used to find patterns in whatever your corpus might be (including an entire image).
  • hexdump: Displays the contents of a file in hexadecimal (or otherwise, there are more options).
  • find [GPLv3 License]: Searches for files in a directory structure.
  • stat [GPLv3 License]: Displays file status, such as modify timestamps.
  • 7z [GNU LGPL / BSD 3-clause Licenses]: Useful for opening archives of many formats.

I am sure there were other tools used incidentally; those just represent the ones that came up time and again in our solutions.

Preparation

Sadly, lessons were not learned from my previous experiences with lack of preparation. Specifically, our entire team was under the wrong impression that the CTF started on Wednesday, right up until this tweet and we realized our misfortune. While we had intended to look through the images ahead of time, all we had done by that point was get our Discord comms running, so we basically had enough time to extract the images, take a 2-hour nap, and get after it cold. In Discord, we created a separate text channel for each image, pinned messages about foundational information (account usage, for example), and wrote up every solve briefly, tagging it with “Capped” for ease of searching later [2].

Methodology

Download the images

Cellebrite’s introductory blog post has the links to directly download the images. There are four in all, two iOS devices and two Android. All four are password protected; the password needs to be obtained from Cellebrite.

Extract the images

Once downloaded, you need to extract the images. Each image was a password-protected 7z file, inside of which were more archives containing the file system.
Within the Android images were fairly standard zip files and once 7z opened those, you had the full file system. Within the iOS images was a dar archive (gotta love standard formats, eh?) and you’ll want to grab the Disk Archive utility to open them up. Once you’ve done all that, you should have the file system and maybe some information about the extraction.

Fix the problems

Filepath length

Depending on your operating system, file system, and where you have the image extracted to, you may run into filenames that are too long. This quickly became a Russian Nesting Dolls situation with archives of archives with a password-protected archive wrapped around it for fun. In the case of Juan, there are an extra 60 characters inside the archive before you would even get to the root of the file system.

[notta@cuppa ~]$ mkdir jm
[notta@cuppa ~]$ cd jm
[notta@cuppa jm]$ mv ~/Downloads/CTF_Apple_iPhone_X_Juan_Mortyme_parts.7z.001 ~/Downloads/CTF_Apple_iPhone_X_Juan_Mortyme_parts.7z.002 .
[notta@cuppa jm]$ 7z l CTF_Apple_iPhone_X_Juan_Mortyme_parts.7z.001
   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
2020-09-30 17:58:37 D....            0            0  CTF_Apple_iPhone X_Juan_Mortyme
2020-09-16 23:28:38 D....            0            0  CTF_Apple_iPhone X_Juan_Mortyme/Apple_iPhone X_Juan_Mortyme
2020-09-08 19:13:05 D....            0            0  CTF_Apple_iPhone X_Juan_Mortyme/Apple_iPhone X_Juan_Mortyme/KeychainDump
2020-09-08 19:13:08 D....            0            0  CTF_Apple_iPhone X_Juan_Mortyme/Apple_iPhone X_Juan_Mortyme/MetaData
2020-08-14 19:07:10 ....A         1213          768  CTF_Apple_iPhone X_Juan_Mortyme/Apple_iPhone X_Juan_Mortyme/Apple_iPhone X (A1901) Juan Mortyme.ufd
1970-01-01 03:00:00 ....A  39200970936  26657331136  CTF_Apple_iPhone X_Juan_Mortyme/Apple_iPhone X_Juan_Mortyme/FullFileSystem.1.dar
1970-01-01 03:00:00 ....A      1611006     16814864  CTF_Apple_iPhone X_Juan_Mortyme/Apple_iPhone X_Juan_Mortyme/KeychainDump/backup_keychain.plist
1970-01-01 03:00:00 ....A        39650               CTF_Apple_iPhone X_Juan_Mortyme/Apple_iPhone X_Juan_Mortyme/Log.txt
1970-01-01 03:00:00 ....A    298094273               CTF_Apple_iPhone X_Juan_Mortyme/Apple_iPhone X_Juan_Mortyme/MetaData/data_metadata.plist
1970-01-01 03:00:00 ....A    512485895               CTF_Apple_iPhone X_Juan_Mortyme/Apple_iPhone X_Juan_Mortyme/MetaData/system_metadata.plist
------------------- ----- ------------ ------------  ------------------------
2020-09-30 17:58:37        40013202973  26674146768  6 files, 4 folders

[notta@cuppa jm]$ 7z x CTF_Apple_iPhone_X_Juan_Mortyme_parts.7z.001
[notta@cuppa jm]$ mv "CTF_Apple_iPhone X_Juan_Mortyme/Apple_iPhone X_Juan_Mortyme/FullFileSystem.1.dar" .
[notta@cuppa jm]$ dar -x FullFileSystem.1.dar

Because of that, I ended up extracting Juan pretty high up in my filepath and removing a lot of the extra folders which were created by UFED in making the image. At that point, I had all of Juan’s device available to me at just /home/notta/jm/, instead of /home/notta/jm/CTF_Apple_iPhone X_Juan_Mortyme/Apple_iPhone X_Juan_Mortyme/.
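
One way to check before extracting whether the wrapper directories will push anything over the destination's limits (an added example, not part of the original post): feed it member paths, one per line, from whatever lists the archive. The function names and the default limits are assumptions; lengths are counted in bytes, which is how the limits are enforced.

```shell
#!/bin/sh
# Added example, not from the original post.
# Reads archive member paths on stdin (one per line) and reports the ones
# that would not fit below DEST. LC_ALL=C makes awk count bytes, so
# non-ASCII file names are measured the way the file system measures them.

# too_long DEST [PATH_LIMIT] [NAME_LIMIT]
# Prints "<reason> TAB <bytes> TAB <member>" for each member over a limit.
too_long() {
    dest=$1
    path_max=${2:-$(getconf PATH_MAX "$dest" 2>/dev/null || echo 4096)}
    name_max=${3:-$(getconf NAME_MAX "$dest" 2>/dev/null || echo 255)}
    LC_ALL=C awk -v dest="$dest" -v pmax="$path_max" -v nmax="$name_max" '
    {
        full = dest "/" $0
        # PATH_MAX counts the terminating NUL, so pmax - 1 bytes are usable.
        if (length(full) > pmax - 1) {
            printf "path\t%d\t%s\n", length(full), $0
            next
        }
        n = split($0, part, "/")
        for (i = 1; i <= n; i++) {
            if (length(part[i]) > nmax) {
                printf "name\t%d\t%s\n", length(part[i]), $0
                break
            }
        }
    }'
}

# wrapper_bytes N MEMBER
# Bytes that the first N directory levels of MEMBER add to every path,
# i.e. what is saved by extracting below them instead of above them.
wrapper_bytes() {
    printf '%s\n' "$2" | LC_ALL=C awk -F/ -v n="$1" '
    {
        total = 0
        for (i = 1; i <= n; i++) total += length($i) + 1
        print total
    }'
}
```

For the listing above, wrapper_bytes with N=2 on any member path returns the 60 bytes the two UFED folders add.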

File ownership and permissions

Depending on how you extract the files, you likely will run into permissions errors trying to use them. For example, many of the system folders will likely end up being owned by the root user, which you probably aren’t logged in as. Some of the files also end up without any of the permission bits set, so your user technically can’t do anything with them. You can either get around that by prefacing most commands with sudo to run the command as the root user, or you could just recursively change ownership of all the files to your user (chown -R) and then recursively set at least the read bit on them (chmod -R +r).

[notta@cuppa jm]$ sudo chown -R notta:notta .
[notta@cuppa jm]$ sudo chmod -R +r .
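
A more conservative variant of the same fix, as an added example that is not from the original post: chown -R and chmod -R overwrite the owner and mode of every extracted entry, so this records them in a manifest first and then adds only owner read, plus directory search, which +r alone does not grant. The function names and manifest format are assumptions; it expects stat -c, file names without newlines, and to be run as root or as the owner of the tree.

```shell
#!/bin/sh
# Added example, not from the original post.

# snapshot_perms DIR MANIFEST
# Writes "mode uid gid path" for every entry under DIR before anything is
# changed, so the ownership and modes the extraction preserved stay on record.
snapshot_perms() {
    find "$1" -exec stat -c '%a %u %g %n' {} + | LC_ALL=C sort -k4 > "$2"
}

# owner_counts MANIFEST
# Entries per numeric uid, to see which accounts owned data on the device
# before ownership is flattened to the examiner's user.
owner_counts() {
    awk '{ n[$2]++ } END { for (u in n) print u, n[u] }' "$1" | sort -n
}

# make_readable DIR
# Adds owner read everywhere. Capital X adds the search bit to directories
# (and to files that were already executable) without making data files
# executable, so directories with no bits set can be entered afterwards.
make_readable() {
    chmod -R u+rX "$1"
}

# changed_modes MANIFEST
# Prints "old new path" for every entry whose mode differs from the manifest,
# which documents exactly what the examiner altered on the working copy.
changed_modes() {
    while read -r mode uid gid path; do
        now=$(stat -c '%a' "$path") || continue
        [ "$now" = "$mode" ] || printf '%s %s %s\n' "$mode" "$now" "$path"
    done < "$1"
}
```

Run snapshot_perms before the chown so the manifest holds the original owners, and keep the manifest outside the extracted tree.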

Analyze

We didn’t have any set order that we wanted to knock out the questions in, basically just started picking them and working through them. We did, however, have two rules: Click on everything and if it is worth clicking on, it is worth doing justice to.

Click on everything

The crux of this rule is that whether you know your stuff or not, every forensic examination is different and if you go into it thinking you already know what you’re looking for, you’ll find exactly (and only) what you’re looking for. However, if you go in with an open mind and work through the full image, you’ll find interesting tidbits you might have missed. Click on everything doesn’t necessarily mean you open all the files in every image, but it would mean, for example, that you go through each of the applications to make sure you know what they are. Or that you at least understand the different folders at the root level and, those you don’t, you dive into to get that understanding.

Do justice to it

Once your eyes start to glaze over, it becomes really easy to phone it in when you are going through the applications. You might go into the directory, look for any files ending in .db, see none, and back out. This is more dangerous than not looking because you’ll have convinced yourself you looked, it was innocent, and you don’t need to look again. Doing justice to each application might mean knowing at a minimum when and why it was installed, what user accounts are contained within it, and what the user was using it for. Violating this rule added two days and 11 positions onto our final result because even though we had looked at the answer, we had not done justice to it and assumed it was benign.

Answers

Check out the posts below to see the specific answers for each image [3]:

Conclusion

It is smart for Cellebrite to run a CTF and provide a free trial license for their tool [4], but you don’t need this. For the grand total of $0, you can get all the tools you need, licensed in such a way as to allow you to make your own changes to them if they don’t do what you need. You should seriously consider spending time with these non-commercial tools to test your own knowledge. You’ll likely find that the answer was inside of you, all along, and that when you work through the questions without pushing a button to get there, your understanding of how that machine was working goes up dramatically.

Footnotes

  1. Need is a very strong term that is used far, far too often in American society to really mean ‘want’. In this case I’m not referring to the “need” of shelter, food, and water, but the perceived need of having a fancy tool to get to the right answer. 

  2. I really dislike the CTF software which doesn’t show your answers on a question after you get it right. It means that if you forget to write the answer down elsewhere, you can’t quickly review what it was for write-ups or for others on the team to see the answer. 

  3. Life is busy right now, I’ll try to get them up as quickly as possible. 

  4. I’m not questioning Cellebrite’s motives in this CTF, just saying from a marketing perspective, they handled it right.