Africa DFIR CTF 2021 — WK04

Ali Alaa
5 min read · Aug 9, 2023

Hello dudes,
I hope this finds you well.

This is Ali Alaa and this is the WEEK 4 writeup for the Africa DFIR 2021 CTF by DFIR Science.

This is an Android forensics challenge, and if you want to learn more about this topic you can try WEEK 4.

Before I get started I must mention which Android image I have.

When we acquire an Android device we must choose the proper technique, and that choice depends on the situation we are facing (whether the device is unlocked, whether we have root, and how much of the file system we need).

Please read this article.

This one is a logical extraction.

So, let's start…

First Question: What was the device date and time in UTC at the time of acquisition? (YYYY-MM-DD HH:MM:SS)

I investigated the "Live Data" folder, which holds a file recording the device's date and time during the acquisition phase.

Datetime of device

Here we go, the answer is: 2021:05:21 18:17:56

Second Question: What time was Tor Browser downloaded in UTC? (YYYY-MM-DD HH:MM:SS)

I investigated the "Agent Data" folder, which holds a database of all downloaded files called "downloads.db".

After that I opened it with the "DB Browser (SQLite)" tool.

Downloads database

I selected the "lastmod" value (a Unix timestamp in milliseconds) and decoded it to a readable format using this site.

timestamp decode

Here we go, the answer is: 2021:04:29 19:42:26
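The decoding step above can be done offline instead of pasting the value into a website. The script below is an added example, not the author's method or the CTF's data: it builds a constructed, minimal stand-in for downloads.db in memory (the table name and the "title"/"lastmod" columns follow Android's DownloadProvider schema, the file title and values are hypothetical), then decodes each "lastmod" by inferring the unit from the magnitude of the number. That heuristic is the part worth having on hand: 10 digits is Unix seconds, 13 digits is Unix milliseconds (what Android uses), 16 digits is Unix microseconds, and 17 digits starting with 13… is WebKit/Chrome time, which counts microseconds from 1601 and shows up in Chromium-based browser databases on the same phone.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the Android DownloadProvider database (downloads.db).
# Only the columns used here are modelled; the real table has many more.
# The first lastmod value is 2021-04-29 19:42:26 UTC in epoch milliseconds.
SAMPLE_ROWS = [
    ("tor-browser-android.apk", 1619725346000),  # hypothetical title, 13 digits = ms
    ("notes.txt", 1619725346),                   # same instant in seconds, for contrast
]

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Microseconds between the WebKit/Chrome epoch (1601) and the Unix epoch (1970).
WEBKIT_EPOCH_OFFSET_US = 11_644_473_600 * 1_000_000


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory downloads.db with the constructed rows above."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE downloads (_id INTEGER PRIMARY KEY, title TEXT, lastmod INTEGER)"
    )
    con.executemany("INSERT INTO downloads (title, lastmod) VALUES (?, ?)", SAMPLE_ROWS)
    con.commit()
    return con


def decode_epoch(value: int) -> tuple:
    """Decode an integer timestamp to (unit name, aware UTC datetime).

    The unit is inferred from the magnitude of the value:
      < 1e11                   -> Unix seconds       (10 digits for current dates)
      < 1e14                   -> Unix milliseconds  (13 digits, Android's usual format)
      < WEBKIT_EPOCH_OFFSET_US -> Unix microseconds  (16 digits)
      otherwise                -> WebKit microseconds since 1601 (17 digits)
    A Unix-microsecond value would only reach the WebKit range in the year 2339,
    so the two largest formats do not collide for realistic dates.
    """
    if value < 0:
        raise ValueError("negative timestamp")
    if value < 10**11:
        return "seconds", UNIX_EPOCH + timedelta(seconds=value)
    if value < 10**14:
        return "milliseconds", UNIX_EPOCH + timedelta(milliseconds=value)
    if value < WEBKIT_EPOCH_OFFSET_US:
        return "microseconds", UNIX_EPOCH + timedelta(microseconds=value)
    return "webkit", WEBKIT_EPOCH + timedelta(microseconds=value)


def downloads_with_utc(con: sqlite3.Connection) -> list:
    """Return (title, detected unit, 'YYYY-MM-DD HH:MM:SS' UTC) for each download row."""
    out = []
    for title, lastmod in con.execute("SELECT title, lastmod FROM downloads ORDER BY _id"):
        unit, when = decode_epoch(int(lastmod))
        out.append((title, unit, when.strftime("%Y-%m-%d %H:%M:%S")))
    return out


if __name__ == "__main__":
    for row in downloads_with_utc(build_sample_db()):
        print(row)
```

When you run this against a real downloads.db, point sqlite3.connect at a copy of the file (never the original evidence) and keep in mind that the heuristic only classifies the unit; whether the device clock was set correctly is a separate question, which is exactly why the first challenge question asks for the device time at acquisition.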

Third Question: What is the email address of Zoe Washburne?

I investigated the "Live Data" folder, which holds a contacts database called "contacts.db" with names, phone numbers and emails.

After that I opened it with the "DB Browser (SQLite)" tool.

Contacts database

Here we go, the answer is: zoewash@0x42.null

Fourth Question: What app was the user focused on at 2021-05-20 14:13:27?

There is a file in "Live Data" called "usage_stats.txt" that contains usage statistics for each app package over a given time range, so I investigated this file.

I searched for the given datetime and found that the "youtube" application came to the foreground at that time.

App

Here we go, the answer is: YouTube

Fifth Question: What time did the phone charge to 100% after the last reset? (YYYY-MM-DD HH:MM:SS)

In the "Live Data" folder I found a folder called "Dumpsys Data"; after looking it up I learned that dumpsys provides information about system services, and "battery" is one of them.

I found this info in a file called “batterystats.txt”.

The question asks for the time the phone reached full charge after the reset.

In this file I found a section called "Battery History" and saw that the "reset time" is 2021:05:21 13:12:19.

Status of battery

4s 304ms after the reset time the status changed to "charging", so I traced the charging timeline down until the status changed to "full".

Full charge

The offset at which the battery became fully charged, relative to the reset time 2021:05:21 13:12:19, is "+5m01s459ms".

Adding this offset to the reset time (and dropping the 459 ms, since the answer is in whole seconds) gives:

13:12:19 + 00:05:01 = 13:17:20

Here we go, the answer is: 2021:05:21 13:17:20
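Every line in the Battery History is a relative offset from the RESET line, so the arithmetic above has to be repeated for any event you want to place on the timeline. The script below is an added example, not code from the writeup: it parses a constructed excerpt (modelled on the dumpsys batterystats history format, with the RESET:TIME stamp written yyyy-MM-dd-HH-mm-ss; the surrounding values are invented) and converts the offset tokens, which can carry days, hours, minutes, seconds and milliseconds in any combination, into absolute times. It assumes, as the writeup does, that the reset time is already in UTC.

```python
import re
from datetime import datetime, timedelta
from typing import Optional

# Constructed excerpt modelled on the "Battery History" section of dumpsys batterystats.
# The RESET line carries an absolute wall-clock time; every later line is an offset from it.
SAMPLE_HISTORY = """\
Battery History (12% used, 1234 used of 256KB, 0 strings using 0):
                    0 (9) RESET:TIME: 2021-05-21-13-12-19
                    0 (2) 094 status=discharging plug=none
             +4s304ms (2) 094 status=charging plug=ac
          +1m30s000ms (2) 097
          +5m01s459ms (2) 100 status=full
         +12m00s000ms (2) 100 -running
"""

# Matches offsets such as "+4s304ms", "+5m01s459ms", "+1h02m03s004ms", "+2d00h00m00s000ms".
OFFSET_RE = re.compile(
    r"\+(?:(?P<d>\d+)d)?(?:(?P<h>\d+)h)?(?:(?P<m>\d+)m)?(?:(?P<s>\d+)s)?(?:(?P<ms>\d+)ms)?"
)


def parse_offset(token: str) -> timedelta:
    """Convert a batterystats relative offset token into a timedelta."""
    m = OFFSET_RE.fullmatch(token.strip())
    if not m or not any(m.groupdict().values()):
        raise ValueError(f"not a batterystats offset: {token!r}")
    g = {k: int(v) for k, v in m.groupdict().items() if v is not None}
    return timedelta(
        days=g.get("d", 0),
        hours=g.get("h", 0),
        minutes=g.get("m", 0),
        seconds=g.get("s", 0),
        milliseconds=g.get("ms", 0),
    )


def first_full_charge(history: str) -> Optional[datetime]:
    """Absolute time of the first status=full event after the last RESET, or None."""
    reset_at = None
    for line in history.splitlines():
        fields = line.split()
        if "RESET:TIME:" in fields:
            # The stamp follows the marker and is formatted yyyy-MM-dd-HH-mm-ss.
            stamp = fields[fields.index("RESET:TIME:") + 1]
            reset_at = datetime.strptime(stamp, "%Y-%m-%d-%H-%M-%S")
            continue
        if reset_at is not None and fields and fields[0].startswith("+") and "status=full" in fields:
            return reset_at + parse_offset(fields[0])
    return None


if __name__ == "__main__":
    full = first_full_charge(SAMPLE_HISTORY)
    print(full.strftime("%Y-%m-%d %H:%M:%S") if full else "no full-charge event after reset")
```

Note that the scan starts at the most recent RESET line, so an earlier history block is ignored; if a file contains several resets, the answer follows the last one, which is what the question asks for.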

Sixth Question: What is the password for the most recently connected WIFI access point?

Here I needed a hint, since it was my first time facing this artifact.

I learned that the file I was looking for is in the "adb-data\apps" folder, under a folder called "com.android.providers.settings", which holds a folder called "K"; open it.

There I found the file I was searching for, "com.android.providers.settings.data", and opened it in Notepad; the Wi-Fi pre-shared key is stored in plaintext in this backup.

PreShareKey

Here we go, the answer is: ThinkingForest!

Seventh Question: How much time did the suspect watch YouTube on 2021-05-20? (HH:MM:SS)

As I saw in the fourth question, the user used the YouTube application at 2021-05-20 14:13:27, and I followed this timeline to find when the application moved to the background.

In the file located in "Live Data" called "usage_stats.txt", as mentioned previously, I searched for the YouTube keyword.

YouTube app

So I had the first time used and the last time used; to find out how much time was spent I subtracted them.

22:47:57 - 14:13:27 = 08:34:30

Here we go, the answer is: 08:34:30

Eighth Question: suspicious.jpg: What is the structural similarity metric for this image compared to a visually similar image taken with the mobile phone? (#.###)

Here I used a Python script found online to compute this similarity (SSIM).

The question asks for a visually similar image taken with the phone, and I found one called "20210429_151535.jpg".

Let's run our script…

Results

Here we go, the answer is: 0.996
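To understand what that 0.996 actually measures, here is the structural similarity index written out in plain Python. This is an added example and not the online script the writeup used: it implements SSIM (Wang et al.) with a 7x7 sliding window and sample (N-1) variance and covariance, which is what skimage.metrics.structural_similarity does by default for 8-bit grayscale input, and averages the per-window scores. The images are constructed in the script (a smooth gradient standing in for a photo, plus lightly and heavily noised copies); real JPEGs would first be decoded to grayscale and resized to identical dimensions, because SSIM is only defined pixel-for-pixel.

```python
import random

WIN = 7           # skimage's default window side
DATA_RANGE = 255  # 8-bit grayscale


def ssim(img_a, img_b, win=WIN, data_range=DATA_RANGE):
    """Mean structural similarity between two equal-sized grayscale images.

    img_a and img_b are lists of rows of pixel values. A win x win window slides
    over every position that lies fully inside the image; SSIM is computed per
    window from the local means, variances and covariance (all with N-1
    normalisation) and the window scores are averaged.
    """
    h, w = len(img_a), len(img_a[0])
    if (h, w) != (len(img_b), len(img_b[0])):
        raise ValueError("images must have identical dimensions (resize first)")
    if h < win or w < win:
        raise ValueError("image smaller than the SSIM window")
    c1 = (0.01 * data_range) ** 2  # stabilises the luminance term
    c2 = (0.03 * data_range) ** 2  # stabilises the contrast/structure term
    n = win * win
    total = 0.0
    count = 0
    for y in range(h - win + 1):
        for x in range(w - win + 1):
            a = [img_a[y + i][x + j] for i in range(win) for j in range(win)]
            b = [img_b[y + i][x + j] for i in range(win) for j in range(win)]
            mu_a = sum(a) / n
            mu_b = sum(b) / n
            var_a = sum((p - mu_a) * (p - mu_a) for p in a) / (n - 1)
            var_b = sum((q - mu_b) * (q - mu_b) for q in b) / (n - 1)
            cov = sum((p - mu_a) * (q - mu_b) for p, q in zip(a, b)) / (n - 1)
            total += ((2 * mu_a * mu_b + c1) * (2 * cov + c2)) / (
                (mu_a * mu_a + mu_b * mu_b + c1) * (var_a + var_b + c2)
            )
            count += 1
    return total / count


def make_samples(size=16, seed=1):
    """Constructed 'photo' (a smooth gradient) plus lightly and heavily noised copies."""
    rnd = random.Random(seed)
    base = [[min(255, 12 * y + 8 * x) for x in range(size)] for y in range(size)]

    def noisy(amplitude):
        return [
            [max(0, min(255, p + rnd.randint(-amplitude, amplitude))) for p in row]
            for row in base
        ]

    return base, noisy(2), noisy(40)


def rank_candidates(suspect, candidates):
    """Score each candidate image against the suspect and return them best-first,
    rounded to three decimals as the question format (#.###) asks."""
    scored = [(name, round(ssim(suspect, img), 3)) for name, img in candidates.items()]
    return sorted(scored, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    base, light, heavy = make_samples()
    print("identical:", round(ssim(base, base), 3))
    print(rank_candidates(base, {"light_noise.jpg": light, "heavy_noise.jpg": heavy}))
```

A score of 1.000 means the images are identical pixel-for-pixel; a score like 0.996 says the two pictures share almost all their local structure, which is why SSIM is a better "same picture, re-saved or lightly edited?" test than a cryptographic hash, which any recompression breaks.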

At the end,
I hope you enjoyed this writeup ❤️.

Stay in touch

LinkedIn
