[ Forensics Walk-through: DFIRCON EAST Smartphone Forensics Challenge ]

Today I was asked by a good friend of mine on whether there could be 2 answer(s) to the last question in DFIRCON EAST Smartphone Forensics Challenge.

Being the curious cat, i downloaded the Challenge and have a quick look and decided to write this out while i’m at it. It seems like we are given an iOS backup folder and an Android .apk file.

[ Tools Used ]
iPhone Backup Browser – https://code.google.com/p/iphonebackupbrowser/
SQLite Database Browser – http://sqlitebrowser.org/
pList Editor – http://www.icopybot.com/plist-editor.htm or use the default viewer in Mac
Cerbero Profiler – http://cerbero.io/profiler/

Let’s go through the question(s) and load the iOS backup folder using iPhone Backup Browser as shown here.
DFIR.001

[ 1st Question ]
1. What third-party applications have been granted access to device camera photos?
Ok, if you have done iOS forensics before. It’s always good to do a quick check of the TCC SQLite3 database.
You might be asking “What is TCC SQLite3 database”?
Well, this SQLite3 database is used to control what permissions iOS apps have.
TCC.db is located at the following location on your phone.
/root/var/mobile/Library/TCC/TCC.db
Likewise this file also exists on a Mac.
~/Library/Application Support/com.apple.TCC/TCC.db

Incase, you have “accidentally” allowed more permissions than you wanted. You can use tccutil to reset the permissions instead of “tampering” the SQLite3 file.

So using SQLite DB Browser on TCC.db, we can immediately see the permissions granted to which applications.
DFIR.002

So for this particular question, Facebookand Dropbox were both granted permissions to access the device camera photos.

[ 2nd Question ]
2. What third-party applications have been granted access to the device address book?
Actually if you had looked at TCC.db, you will notice that the answer to this question is “Waze” as shown here.
DFIR.003

[ 3rd Question ]
3. Which websites were visited that requested the iPhone’s geolocation information for optimal browsing and were granted access?
Ok, now if you want to find out which website(s) requested this. The first thing to look for is GeolocationSites.plist
In this case, if you use iPhone Backup Browser to extract out the file. It should be located here:
iOS backup\Liz Lemon’s iPhone\System\Library\WebKit\GeolocationSites.plist
Using pList Editor or the default one on a Mac, you should see something like this.

Based on the returned results, we know that both “https://m.stubhub.com” and “http://m.simplyhired.com” are the website(s) that request geolocation and were granted access.

[ 4th Question ]
4. What permissions does the application MysteryApp.apk NOT have on the device?
Naise, now we have moved on to the Android .apk file.
Let’s extract out the Android.manifest file and we should have something like this.
DFIR.004
And if we do a quick check against the options that we were given:

  • Record audio
  • Read contacts
  • Send SMS
  • Record video
  • Mount & unmount files

We can quickly eliminate and know that that the permission that “MysteryApp.apk” don’t have is “Record video

[ 5th Question ]
5. What is the SHA1 digest value associated with the classes.dex file for the MysteryApp.apk application?
This is the question which my good friend asked about.
To me, if it’s SHA1 of classes.dex. The answer is definitely “0C3A720EB61D736E21561E9AA96066A4771F0F70
My friend was actually talking about the SHA-1 Signature found in the Dex header.
But the answer was saying “SHA1 (value within file)” so i’m not sure whether the original question implied the wrong thing or the answer was weird?

[ 6th Question ]
6. What foreign language word(s) are found within the MysteryApp.apk application?
We were given these options:

  • запись аудио – Record audio
  • mesajlaşma – Messaging
  • 未接来电 – Missed Calls
  • 連絡 – Contacts
  • None of the above

For this particular, you can use Cerbero Profiler and immediately you will know that the only foreign language found is “Chinese”.
Doing a quick check, we will see this.
DFIR.005
Thus we know the correct answer to this is “未接来电 – Missed Calls“.

After doing a speed-run on this, I really regretted not taking part in DFIRCON EAST Smartphone Forensics Challenge in the first place. xDDD

I do hope this quick walk-through will be sufficient for others to pick up and learn more stuff about mobile forensics.

Happy Reversing,
Jacob Soo

Leave a Reply