
The Crime(Endpoint Forensics)


About Challenge

Category : Endpoint Forensics

Tags : Android, ALEAPP, sqlitebrowser

Author : Infern0o

Difficulty : Easy(4.6)

Password : cyberdefenders.org

Description

Scenario:

We’re currently in the midst of a murder investigation, and we’ve obtained the victim’s phone as a key piece of evidence. After conducting interviews with witnesses and those in the victim’s inner circle, your objective is to meticulously analyze the information we’ve gathered and diligently trace the evidence to piece together the sequence of events leading up to the incident.

Tools:

Question and Answers

Unzip the file using the password “cyberdefenders.org” and re-zip it without a password. Then use the ALEAPP GUI to process the archive and extract the artifacts.

Q1. Based on the accounts of the witnesses and individuals close to the victim, it has become clear that the victim was interested in trading. This has led him to invest all of his money and acquire debt. Can you identify which trading application the victim primarily used on his phone?

Ans. In the installed apps list, look for various app icons. Olymp Trade should be present in that list.

Q2. According to the testimony of the victim’s best friend, he said, “While we were together, my friend got several calls he avoided. He said he owed the caller a lot of money but couldn’t repay now”. How much does the victim owe this person?

Ans. Check the call history for the number from which he received multiple calls.

Then, check for any messages from that same number: when calls go unanswered, the caller often follows up with an SMS.

Q3. What is the name of the person to whom the victim owes money?

Ans. Check for that number in the contacts.
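The Q2/Q3 correlation described above (most frequent unanswered caller, then SMS from that number, then the contact name) written out as an added Python example; it is not part of the original write-up and runs against constructed in-memory tables shaped like Android's calllog.db `calls` and mmssms.db `sms` tables, with a simplified name lookup standing in for contacts2.db. All numbers, names and message text are made up, not data from the challenge image.

```python
import sqlite3
from collections import Counter

# Constructed sample rows shaped like Android's call log (calllog.db, table
# "calls") and SMS store (mmssms.db, table "sms"); only the columns the triage
# needs are kept. Values are made up for this example, not challenge data.
CALLS = [  # (number, type, date_ms)  type 1 = incoming, 2 = outgoing, 3 = missed
    ("+15550000111", 3, 1695100000000),
    ("+15550000111", 3, 1695100600000),
    ("+15550000111", 3, 1695101200000),
    ("+15550000222", 2, 1695102000000),
    ("+15550000111", 1, 1695103000000),
]
SMS = [  # (address, type, date_ms, body)  type 1 = inbox, 2 = sent
    ("+15550000111", 1, 1695101300000, "Pick up. You still owe me $EXAMPLE_AMOUNT."),
    ("+15550000222", 1, 1695104000000, "See you tomorrow"),
]
# Simplified number-to-name lookup standing in for contacts2.db (constructed).
CONTACTS = {"+15550000111": "Example Caller", "+15550000222": "Example Friend"}


def load_sample() -> sqlite3.Connection:
    """Build an in-memory database holding the two constructed tables."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE calls (number TEXT, type INTEGER, date INTEGER)")
    con.execute("CREATE TABLE sms (address TEXT, type INTEGER, date INTEGER, body TEXT)")
    con.executemany("INSERT INTO calls VALUES (?,?,?)", CALLS)
    con.executemany("INSERT INTO sms VALUES (?,?,?,?)", SMS)
    return con


def most_frequent_caller(con: sqlite3.Connection) -> str:
    """Q2 step 1: the number behind the most incoming/missed calls."""
    rows = con.execute("SELECT number FROM calls WHERE type IN (1, 3)").fetchall()
    return Counter(n for (n,) in rows).most_common(1)[0][0]


def inbox_from(con: sqlite3.Connection, number: str) -> list[str]:
    """Q2 step 2: inbox messages received from that number, oldest first."""
    rows = con.execute(
        "SELECT body FROM sms WHERE address = ? AND type = 1 ORDER BY date", (number,)
    ).fetchall()
    return [body for (body,) in rows]


def triage(con: sqlite3.Connection) -> tuple[str, str, list[str]]:
    """Q2/Q3 chained: caller number, resolved contact name, and their messages."""
    number = most_frequent_caller(con)
    return number, CONTACTS.get(number, "<not in contacts>"), inbox_from(con, number)


if __name__ == "__main__":
    print(triage(load_sample()))
```

The same three queries can be run by hand in DB Browser against the real databases ALEAPP extracts; the example only shows the logic behind the click-through.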

Q4. Based on the statement from the victim’s family, they said that on September 20, 2023, he departed from his residence without informing anyone of his destination. Where was the victim located at that moment?

Ans. Look for any information in Google Search and browsing history. There is an image of a hotel; run a reverse image search on it in Google to identify the hotel.

Q5. The detective continued his investigation by questioning the hotel lobby staff. She informed him that the victim had reserved the room for 10 days and had a flight scheduled thereafter. The investigator believes that the victim may have stored his ticket information on his phone. Look for where the victim intended to travel.

Ans. Continue searching for any ticket images present in the data.

Q6. After examining the victim’s Discord conversations, we discovered he had arranged to meet a friend at a specific location. Can you determine where this meeting was supposed to occur?

Ans. This was a tricky one. I Googled Discord chat logs and found some information on this:
On Android, Discord stores its application files under the "/data/data/com.discord/" directory. Three subdirectories of special interest are "shared_prefs," "cache," and "files" which respectively contain user configuration information in the file called “com.discord_preferences.xml,” cached multimedia files, and Discord usage details such as chat messages. The format and parsing of the Message files is detailed in Technical Series Publication 2020-001. 

So, check the files directory and load the database into DB Browser.

That completes the challenge!

This post is licensed under CC BY 4.0 by the author.