Post

Endpoint Forensics Challenge Writeup – Android Investigation

Endpoint Forensics Challenge Writeup – Android Investigation

Content

About Challenge

Category : Endpoint Forensics

Tags : Android, ALEAPP, sqlitebrowser

Author : Infern0o

Difficulty : Easy(4.6)

Password : cyberdefenders.org

Description

Scenario:

We’re currently in the midst of a murder investigation, and we’ve obtained the victim’s phone as a key piece of evidence. After conducting interviews with witnesses and those in the victim’s inner circle, your objective is to meticulously analyze the information we’ve gathered and diligently trace the evidence to piece together the sequence of events leading up to the incident.

Tools:

Question and Answers

First, unzip the file using the password cyberdefenders.org. Then, re-compress it without a password and use the ALEAPP GUI to extract and analyze the data.”

alt text

Q1. Based on the accounts of the witnesses and individuals close to the victim, it has become clear that the victim was interested in trading. This has led him to invest all of his money and acquire debt. Can you identify which trading application the victim primarily used on his phone?

Ans. Check the list of installed apps and look for app icons—Olymp Trade should be among them.

alt text

Q2. According to the testimony of the victim’s best friend, he said, “While we were together, my friend got several calls he avoided. He said he owed the caller a lot of money but couldn’t repay now”. How much does the victim owe this person?

Ans. Look through the call logs for the number that made multiple calls to the victim.

alt text

Next, look for any messages from that same number—it’s possible the caller followed up with an SMS when their calls went unanswered.”

alt text

Q3. What is the name of the person to whom the victim owes money?

Ans. Search the contacts for that number.

alt text

Q4. Based on the statement from the victim’s family, they said that on September 20, 2023, he departed from his residence without informing anyone of his destination. Where was the victim located at that moment?

Ans. Check the Google Search history for any relevant information. You should find an image of a hotel.

alt text

Perform a reverse image search on Google to identify the hotel.

alt text

Q5. The detective continued his investigation by questioning the hotel lobby. She informed him that the victim had reserved the room for 10 days and had a flight scheduled thereafter. The investigator believes that the victim may have stored his ticket information on his phone. Look for where the victim intended to travel.

Ans. Keep searching the data for any images related to the ticket.

alt text

Q6. After examining the victim’s Discord conversations, we discovered he had arranged to meet a friend at a specific location. Can you determine where this meeting was supposed to occur?

Ans. This one was tricky. I searched for information on Discord chat logs and found helpful details on this.

1
On Android, Discord stores its application files under the "/data/data/com.discord/" directory. Three subdirectories of special interest are "shared_prefs," "cache," and "files" which respectively contain user configuration information in the file called “com.discord_preferences.xml,” cached multimedia files, and Discord usage details such as chat messages. The format and parsing of the Message files is detailed in Technical Series Publication 2020-001. 

Check the ‘files’ directory and load the database into DB Browser for further inspection.

alt text

That concludes the challenge!

alt text

This post is licensed under CC BY 4.0 by the author.