VU CTF
This was one of the most peculiar CTFs we participated in because, unlike other CTFs which had challenges, the tasks we had to do in this CTF were more practical: we were handed a .bin file on which most of the forensics questions were based. It had more real-world application to it.
Solution
I used the AccessData FTK Imager software to tackle these questions as recommended by the organizers.
The .bin file as well as FTK Imager were provided [here](https://www.cyberthon.lt/large-files.html).
What is the SHA1 checksum # of image file blk0_mmcblk0.bin?
By using the “Verify Image” option, we can find the SHA1 checksum.
What is the name of the largest partition?
We can see that the largest partition is the userdata partition, with a size of 5465MB.
What is the brand (vendor) of phone?
There are several directories in userdata/data containing ‘Samsung’ in their name.
What is the model of the phone?
I found this in system/SW_Configuration.xml
What is the Bluetooth MAC Address of the device?
I found it in the file efs/bluetooth/bt_addr
What is the username ID of the Telegram account?
I opened the file userdata/data/org.telegram.messenger.web/cache4.db in DB Browser and opened the users table.
What email address is setup on com.android.email service?
I browsed through the userdata partition and found a directory titled com.android.email inside the data directory. This had a file titled EmailProvider.db inside its databases folder. I opened the file using DB Browser for SQLite (also recommended by the organisers).
What is a name of video file which is related to tanks?
I browsed through the files in userdata/media/0/Download and found tanks.mp4.
What is a name of audio file which is related with rifles and their price?
I found a file called userdata/media/0/Telegram/Telegram Audio/4_5956573053423979339.ogg
Based on the review of the media files, please provide the GPS coordinates of the possible meeting point
The coordinates are visible in the image userdata/media/Telegram/Telegram Images/-5956573053880219321_121.jpg
What is the name of WhatsApp user which has phone number +37062166565?
I opened the file userdata/data/com.whatsapp/databases/wa.db and went to the wa_contacts table.
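The DB Browser steps above (Telegram cache4.db, EmailProvider.db, wa.db) can also be scripted. The following is an added example, not part of the original write-up: it opens an exported SQLite file strictly read-only, dumps one table, and checks the file's SHA1 before and after so the evidence copy is provably untouched. The function names are hypothetical, and the table name is whatever you pass in.

```python
import hashlib
import sqlite3
from pathlib import Path


def sha1_file(path, chunk=1 << 20):
    """Hash a file in chunks so multi-GB images do not need to fit in RAM."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def open_evidence_db(path):
    """Open an exported SQLite file strictly read-only.

    mode=ro refuses writes; immutable=1 also stops SQLite from creating
    -wal/-shm/-journal side files next to the evidence copy.
    """
    uri = Path(path).resolve().as_uri() + "?mode=ro&immutable=1"
    return sqlite3.connect(uri, uri=True)


def list_tables(conn):
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")
    return [r[0] for r in rows]


def dump_table(conn, table, limit=50):
    """Return (column names, rows) for one table, like DB Browser's data view."""
    if table not in list_tables(conn):  # identifiers cannot be bound as parameters
        raise ValueError(f"no such table: {table}")
    quoted = '"' + table.replace('"', '""') + '"'
    cur = conn.execute(f"SELECT * FROM {quoted} LIMIT ?", (limit,))
    return [d[0] for d in cur.description], cur.fetchall()


def examine(db_path, table):
    """Dump a table and report whether the file hash is unchanged afterwards."""
    before = sha1_file(db_path)
    conn = open_evidence_db(db_path)
    try:
        cols, rows = dump_table(conn, table)
    finally:
        conn.close()
    return cols, rows, before == sha1_file(db_path)
```

Rows that are still sitting in a -wal file beside the database may not appear when it is opened with immutable=1, so export any side files together with the .db and compare against a working copy if the results look incomplete.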
How much dollars the seized weapons (stuff) may have cost?
I found a screenshot (userdata/data/media/0/Pictures/Screenshots/Screenshot_2022-10-23-10-42-01.png) of a Telegram chat.
Based on the analysis of the video file 20221015_173902.mp4, please provide the GPS coordinates of the possible place, where video was recorded
This file can be found in userdata/data/media/0/Download.
On using exiftool 20221015_173902.mp4, we find the GPS coordinates that we need.
Additional Resource
I found this after the event ended. It seems pretty useful and has many similar questions.