# Jailbroken - Cyberdefenders
### [Challenge](https://cyberdefenders.org/blueteam-ctf-challenges/jailbroken/) - Sha1 : 67b2d3bb549e32727b126232b8c862a3e7816bd0
### Description
Jailbroken is an iPad case investigation that exposes different aspects of iOS systems where you can evaluate your DFIR skills against an OS you usually encounter in today's case investigations as a security blue team member.
### Solution

First, let me introduce [ArtEx](https://doubleblak.com/app.php?id=ArtEx2) which is one of the newest, free tools by [Ian Whiffin](https://www.linkedin.com/in/ian-whiffin-dblak/) developed to parse iOS extractions.
Just download it, go to **Settings**, click **Check for updated parsers**, then click **Save**.

Re-open it, click **Run**, then select your **Extraction Folder**.
#### Q1- What is the iOS version of this device?
Once the tool has finished parsing, it shows device information including the iOS version, which is `9.3.5`.
##### Answer : `9.3.5`

#### Q2- Who is using the iPad? Include their first and last name. (Two words)?
Account information in iOS resides in the **Accounts3.sqlite** database. Checking it, the username in the `ZACCOUNT` table is `Tim.Apple@fruitinc.xyz`, so the owner's name is `Tim Apple`. You can also see this easily from the Device interface tab in the tool.

##### Answer : `Tim Apple`
#### Q3- When was the last time this device was 100% charged? Format: 01/01/2000 01:01:01 PM?
Device battery information resides in several places, such as the `CurrentPowerlog.PLSQL` and `knowledgeC.db` databases.
1. `knowledgeC.db` :
> /private/var/mobile/Library/CoreDuet/Knowledge
Based on [Sarah Edwards' blog](https://sarah-edwards-xzkc.squarespace.com/blog/2018/12/19/on-the-sixth-day-of-apollo-my-true-love-gave-to-me-blinky-things-with-buttons-device-status-analysis), this database records the usage time between battery levels, which can be used to determine how much the device was used during a particular time period.
I tried the [knowledge_device_batterylevel](https://github.com/mac4n6/APOLLO/blob/master/modules/knowledge_device_batterylevel.txt) APOLLO module, but reviewing the database, the `ZDOUBLEVALUE` column, which holds the **battery level**, is all null, so let's check the second database.

2. `CurrentPowerlog.PLSQL` :
> /private/var/containers/Shared/SystemGroup/<GUID>/Library/BatteryLife/
Checking this database, we can parse the relevant tables with this APOLLO module query:
```sql
SELECT
DATETIME(TIMESTAMP + SYSTEM, 'UNIXEPOCH') AS ADJUSTED_TIMESTAMP,
LEVEL AS 'LEVEL',
RAWLEVEL AS 'RAW LEVEL',
ISCHARGING AS 'IS CHARGING',
FULLYCHARGED AS 'FULLY CHARGED',
DATETIME(TIMESTAMP, 'UNIXEPOCH') AS ORIGINAL_TIMESTAMP,
DATETIME(TIME_OFFSET_TIMESTAMP, 'UNIXEPOCH') AS OFFSET_TIMESTAMP,
SYSTEM AS TIME_OFFSET,
TABLE_ID AS "PLBATTERYAGENT_EVENTBACKWARD_BATTERY TABLE ID"
FROM
(
SELECT
TABLE_ID,
TIMESTAMP,
TIME_OFFSET_TIMESTAMP,
MAX(TIME_OFFSET_ID) AS MAX_ID,
LEVEL,
RAWLEVEL,
ISCHARGING,
FULLYCHARGED,
SYSTEM
FROM
(
SELECT
PLBATTERYAGENT_EVENTBACKWARD_BATTERY.TIMESTAMP,
PLBATTERYAGENT_EVENTBACKWARD_BATTERY.LEVEL,
PLBATTERYAGENT_EVENTBACKWARD_BATTERY.RAWLEVEL,
PLBATTERYAGENT_EVENTBACKWARD_BATTERY.ISCHARGING,
PLBATTERYAGENT_EVENTBACKWARD_BATTERY.FULLYCHARGED,
PLBATTERYAGENT_EVENTBACKWARD_BATTERY.ID AS "TABLE_ID",
PLSTORAGEOPERATOR_EVENTFORWARD_TIMEOFFSET.TIMESTAMP AS TIME_OFFSET_TIMESTAMP,
PLSTORAGEOPERATOR_EVENTFORWARD_TIMEOFFSET.ID AS TIME_OFFSET_ID,
PLSTORAGEOPERATOR_EVENTFORWARD_TIMEOFFSET.SYSTEM
FROM
PLBATTERYAGENT_EVENTBACKWARD_BATTERY
LEFT JOIN
PLSTORAGEOPERATOR_EVENTFORWARD_TIMEOFFSET
)
GROUP BY
TABLE_ID
)
```
The output gives a lot of data per battery event: the percentage, the adjusted (offset-corrected) time and the original time.
In our case we need the original time.
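To show what the query above is doing with the two tables, here is an added example (my own code, not part of the writeup, ArtEx or APOLLO) that builds an in-memory stand-in for `CurrentPowerlog.PLSQL` from constructed rows, picks the most recent event flagged `FULLYCHARGED`, applies the newest time-offset row's `SYSTEM` value the way the module's `MAX(TIME_OFFSET_ID)` grouping does, and formats both times in the `01/01/2000 01:01:01 PM` form the question asks for. The table layout is reduced to the columns the query uses, and the sample timestamps and UTC-4 offset are assumptions, not the challenge's data.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed sample rows (not taken from the challenge image), shaped like the two
# CurrentPowerlog tables the APOLLO query reads. Timestamps are Unix seconds (UTC).
BATTERY_ROWS = [
    # ID, TIMESTAMP, LEVEL, RAWLEVEL, ISCHARGING, FULLYCHARGED
    (1, 1586970000, 97, 96.5, 1, 0),
    (2, 1586973600, 100, 99.8, 1, 1),
    (3, 1586977200, 100, 100.0, 1, 1),   # latest row flagged fully charged
    (4, 1586980800, 98, 97.9, 0, 0),
]
OFFSET_ROWS = [
    # ID, TIMESTAMP, SYSTEM  (SYSTEM = seconds added to reach device-local time;
    # -14400 is the UTC-4 offset New York uses in April, chosen for this sample)
    (1, 1586960000, -14400),
]


def build_powerlog():
    """Create an in-memory stand-in for CurrentPowerlog.PLSQL holding the sample rows."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE PLBATTERYAGENT_EVENTBACKWARD_BATTERY(
            ID INTEGER PRIMARY KEY, TIMESTAMP REAL, LEVEL INTEGER,
            RAWLEVEL REAL, ISCHARGING INTEGER, FULLYCHARGED INTEGER);
        CREATE TABLE PLSTORAGEOPERATOR_EVENTFORWARD_TIMEOFFSET(
            ID INTEGER PRIMARY KEY, TIMESTAMP REAL, SYSTEM REAL);
    """)
    con.executemany(
        "INSERT INTO PLBATTERYAGENT_EVENTBACKWARD_BATTERY VALUES (?,?,?,?,?,?)", BATTERY_ROWS)
    con.executemany(
        "INSERT INTO PLSTORAGEOPERATOR_EVENTFORWARD_TIMEOFFSET VALUES (?,?,?)", OFFSET_ROWS)
    return con


# Same idea as the APOLLO module, reduced to the question being asked: take the most
# recent battery row flagged FULLYCHARGED and apply the newest time-offset row's SYSTEM
# value (the module's MAX(TIME_OFFSET_ID) grouping selects that same row for every event).
QUERY = """
SELECT b.ID, b.TIMESTAMP, b.LEVEL, o.SYSTEM
FROM PLBATTERYAGENT_EVENTBACKWARD_BATTERY AS b
LEFT JOIN PLSTORAGEOPERATOR_EVENTFORWARD_TIMEOFFSET AS o
       ON o.ID = (SELECT MAX(ID) FROM PLSTORAGEOPERATOR_EVENTFORWARD_TIMEOFFSET)
WHERE b.FULLYCHARGED = 1
ORDER BY b.TIMESTAMP DESC
LIMIT 1
"""


def fmt_challenge(ts):
    """Format Unix seconds the way the question wants: 01/01/2000 01:01:01 PM."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%m/%d/%Y %I:%M:%S %p")


def last_full_charge(con):
    """Return level, original (UTC) time and offset-adjusted time of the last 100% charge."""
    row = con.execute(QUERY).fetchone()
    if row is None:
        return None   # no fully-charged event recorded
    _id, ts, level, system = row
    return {
        "level": level,
        "original": fmt_challenge(ts),
        "adjusted": fmt_challenge(ts + (system or 0)),
    }


if __name__ == "__main__":
    print(last_full_charge(build_powerlog()))
```

Run against a real extraction you would replace `build_powerlog()` with `sqlite3.connect(path_to_CurrentPowerlog)`; the point of keeping both `original` and `adjusted` is that the challenge expects the original (UTC) value, so it pays to be explicit about which one you are reporting.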

##### Answer : `04/15/2020 06:40:31 PM`
#### Q4- What is the title of the webpage that was viewed the most? (Three words)
First we need to know which browser applications are on the device. `DataUsage.sqlite` stores applications that have been used, deleted, or even reinstalled on the iOS device, so it tells us which applications were used.
I used this query to tidy up the output:
```sql
SELECT
ZPROCESS.Z_PK,
DateTime(ZFIRSTTIMESTAMP + 978307200, 'UNIXEPOCH') AS "First Timestamp",
DateTime(ZTIMESTAMP + 978307200, 'UNIXEPOCH') AS "Last Timestamp",
ZBUNDLENAME,
ZPROCNAME
FROM ZPROCESS
```
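The `+ 978307200` in that query converts Apple's Mac absolute time (seconds since 2001-01-01 UTC) to Unix time. The following added example (my own code, not from the writeup) derives that constant instead of hard-coding it, loads a constructed `ZPROCESS` table, converts the timestamps in Python, and picks out browser bundles from an assumed list of identifiers; the three sample rows and their times are constructed, not the challenge's data.

```python
import sqlite3
from datetime import datetime, timezone

# Apple "Mac absolute time" counts seconds from 2001-01-01 00:00:00 UTC, Unix time from
# 1970-01-01. The difference is the 978307200 the SQL query adds.
COCOA_OFFSET = int(datetime(2001, 1, 1, tzinfo=timezone.utc).timestamp())

# Constructed ZPROCESS rows (not the challenge's data): Z_PK, ZFIRSTTIMESTAMP,
# ZTIMESTAMP (both in Mac absolute time), ZBUNDLENAME, ZPROCNAME.
ZPROCESS_ROWS = [
    (1, 608601600, 608605200, "com.apple.mobilesafari", "MobileSafari"),
    (2, 608598000, 608612400, "com.apple.podcasts", "Podcasts"),
    (3, 608594400, 608601600, "com.rileytestut.enterprise.GBA4iOS", "GBA4iOS"),
]

# Bundle identifiers treated as browsers; an assumed list for this example.
BROWSER_BUNDLES = {"com.apple.mobilesafari", "com.google.chrome.ios", "org.mozilla.ios.Firefox"}


def build_datausage():
    """In-memory stand-in for DataUsage.sqlite with only the ZPROCESS columns we read."""
    con = sqlite3.connect(":memory:")
    con.execute("""CREATE TABLE ZPROCESS(Z_PK INTEGER PRIMARY KEY, ZFIRSTTIMESTAMP REAL,
                   ZTIMESTAMP REAL, ZBUNDLENAME TEXT, ZPROCNAME TEXT)""")
    con.executemany("INSERT INTO ZPROCESS VALUES (?,?,?,?,?)", ZPROCESS_ROWS)
    return con


def cocoa_to_utc(seconds):
    """Mac absolute time -> 'YYYY-MM-DD HH:MM:SS' in UTC."""
    return datetime.fromtimestamp(seconds + COCOA_OFFSET, tz=timezone.utc).strftime(
        "%Y-%m-%d %H:%M:%S")


def list_processes(con):
    """Processes ordered by first use, with timestamps converted in Python rather than SQL."""
    rows = con.execute("SELECT Z_PK, ZFIRSTTIMESTAMP, ZTIMESTAMP, ZBUNDLENAME, ZPROCNAME "
                       "FROM ZPROCESS ORDER BY ZFIRSTTIMESTAMP").fetchall()
    return [{"pk": pk, "first": cocoa_to_utc(first), "last": cocoa_to_utc(last),
             "bundle": bundle, "proc": proc}
            for pk, first, last, bundle, proc in rows]


def find_browsers(processes):
    """Bundle ids from the process list that are on the browser list."""
    return [p["bundle"] for p in processes if p["bundle"] in BROWSER_BUNDLES]


if __name__ == "__main__":
    procs = list_processes(build_datausage())
    for p in procs:
        print(p)
    print("browsers:", find_browsers(procs))
```

Deriving `COCOA_OFFSET` from `datetime` rather than typing the constant is a cheap way to catch an off-by-one-epoch mistake (for instance confusing it with the 2001 offset used in other Apple databases that store nanoseconds).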

Now we know that the user's browser is Safari.
Safari has three important files [Bookmarks.db, History.plist, History.db]. Checking `History.db`, we can see all the user's visits; sorting them shows that the most viewed page title is `kirby with legs`.

We can also view the history through ArtEx.

##### Answer : `kirby with legs`
#### Q5- What is the title of the first podcast that was downloaded?
If you noticed in the used applications, the user installed `com.apple.podcasts`, so let's check this application.
Every installed application's data is located under the `/private/var/mobile/Containers/Data/Application/` folder.

To find the right path, check `applicationstate.db` located in `/private/var/mobile/Library/FrontBoard/`, as this database stores the path of each application's data folder as blob data.
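As an added illustration of that lookup (my own code, not the writeup's and not an ArtEx parser), the example below builds a small in-memory approximation of `applicationstate.db`, stores binary plist blobs in the shape of the `NSKeyedArchiver` data FrontBoard keeps (here reduced to a `$objects` array of strings), and mines every string in each decoded blob for container paths under `Data/Application` or `Shared/AppGroup`. The three-table layout (`application_identifier_tab`, `key_tab`, `kvs`), the `compatibilityInfo` key name and the GUIDs are assumptions or placeholders for this example, not values from the challenge.

```python
import plistlib
import re
import sqlite3

# Matches the per-app data container and the shared app-group container paths.
CONTAINER_RE = re.compile(
    r"/private/var/mobile/Containers/(?:Data/Application|Shared/AppGroup)/[0-9A-Fa-f-]{36}")

# Placeholder container GUIDs for the constructed sample (not the challenge's values).
DATA_GUID = "00000000-0000-4000-8000-000000000001"
GROUP_GUID = "00000000-0000-4000-8000-000000000002"


def archived_blob(*strings):
    """Constructed stand-in for the NSKeyedArchiver blobs FrontBoard stores: a binary
    plist whose $objects array holds the archived strings. Real blobs carry more
    structure (class descriptions, UID references), but the paths sit in $objects."""
    return plistlib.dumps({"$archiver": "NSKeyedArchiver", "$objects": ["$null", *strings]},
                          fmt=plistlib.FMT_BINARY)


def build_applicationstate():
    """In-memory approximation of applicationstate.db (assumed three-table layout)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE application_identifier_tab(id INTEGER PRIMARY KEY,
                                                application_identifier TEXT);
        CREATE TABLE key_tab(id INTEGER PRIMARY KEY, key TEXT);
        CREATE TABLE kvs(application_identifier INTEGER, key INTEGER, value BLOB);
    """)
    con.executemany("INSERT INTO application_identifier_tab VALUES (?,?)",
                    [(1, "com.apple.podcasts"), (2, "com.apple.mobilesafari")])
    con.executemany("INSERT INTO key_tab VALUES (?,?)", [(1, "compatibilityInfo")])
    con.executemany("INSERT INTO kvs VALUES (?,?,?)", [
        (1, 1, archived_blob(
            f"/private/var/mobile/Containers/Data/Application/{DATA_GUID}",
            f"/private/var/mobile/Containers/Shared/AppGroup/{GROUP_GUID}",
            "/private/var/containers/Bundle/Application/not-a-data-container")),
        (2, 1, archived_blob("no container path stored in this one")),
    ])
    return con


def iter_strings(obj):
    """Yield every string nested anywhere inside a decoded plist object."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for value in obj.values():
            yield from iter_strings(value)
    elif isinstance(obj, (list, tuple)):
        for value in obj:
            yield from iter_strings(value)


def container_paths(con):
    """Map each bundle id to the sorted container paths found in its stored blobs."""
    rows = con.execute("""
        SELECT a.application_identifier, k.key, v.value
        FROM kvs AS v
        JOIN application_identifier_tab AS a ON a.id = v.application_identifier
        JOIN key_tab AS k ON k.id = v.key
    """).fetchall()
    found = {}
    for bundle, _key, blob in rows:
        try:
            decoded = plistlib.loads(blob)
        except plistlib.InvalidFileException:
            continue   # value is not a plist; nothing to mine
        paths = sorted({m.group(0) for s in iter_strings(decoded)
                        for m in CONTAINER_RE.finditer(s)})
        if paths:
            found[bundle] = paths
    return found


if __name__ == "__main__":
    for bundle, paths in container_paths(build_applicationstate()).items():
        print(bundle, paths)
```

Mining every string with a regex rather than reading one known key is deliberate: it works whether the path is stored under `sandboxPath`, a group-container key, or somewhere else in the archive, and it degrades to an empty result instead of a crash when a value is not a plist.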

Every application has 3 main directories to store its data [Library, Documents, Temp]; we are interested in `Library` as it contains the cache.
When I opened the cache database, it seemed to store only request keys and some thumbnail-related data, so I went back to the SANS poster, which mentions that "Some Apps can also store data in other subfolders like `/private/var/mobile/Containers/Shared/AppGroup/`". Looking there for any database, I found 2: one for Notes, `NoteStore.sqlite`, and `MTLibrary.sqlite`, located at `/private/var/mobile/Containers/Shared/AppGroup/80179E24-1812-4B5F-8063-AECFC3773A7A/Documents/MTLibrary.sqlite`. After searching for it, it turned out to be the database that records all Apple Podcasts episodes.
The podcast title (three words) is `WHERE ARE WE?`.

##### Answer : `WHERE ARE WE?`
#### Q6- What is the name of the WiFi network this device connected to? (Two words)?
iOS Wi-Fi information (BSSID, SSID, ...) is located in the plist file `com.apple.wifi.plist` under `/private/var/preferences/SystemConfiguration/`.
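An added example of reading that plist (my own code, not the writeup's): it builds a constructed binary `com.apple.wifi.plist` with `plistlib`, then lists the remembered networks most recently joined first. The keys it relies on, `List of known networks`, `SSID_STR`, `BSSID` and `lastJoined`, are the ones I assume the file uses; the network names, BSSIDs and dates are constructed and not the challenge's values.

```python
import plistlib
from datetime import datetime


def build_wifi_plist():
    """Constructed sample in the shape of com.apple.wifi.plist (assumed keys).
    plistlib serialises naive datetimes as plist dates, so the values are naive UTC."""
    data = {
        "List of known networks": [
            {"SSID_STR": "Coffee Guest", "BSSID": "0:11:22:33:44:55",
             "lastJoined": datetime(2020, 4, 10, 12, 0, 0)},
            {"SSID_STR": "Home Net", "BSSID": "aa:bb:cc:dd:ee:ff",
             "lastJoined": datetime(2020, 4, 15, 1, 30, 0)},
            {"SSID_STR": "Hotel WiFi", "BSSID": "a:b:c:d:e:f"},   # remembered, never joined
        ]
    }
    return plistlib.dumps(data, fmt=plistlib.FMT_BINARY)


def known_networks(blob):
    """Return remembered networks, most recently joined first; entries without a
    lastJoined date sort last so they are not mistaken for the current network."""
    plist = plistlib.loads(blob)
    nets = []
    for entry in plist.get("List of known networks", []):
        joined = entry.get("lastJoined")
        nets.append({
            "ssid": entry.get("SSID_STR"),
            "bssid": entry.get("BSSID"),
            "last_joined": joined.strftime("%Y-%m-%d %H:%M:%S") if joined else None,
        })
    # ISO-style strings sort chronologically; None becomes "" and drops to the end.
    nets.sort(key=lambda n: n["last_joined"] or "", reverse=True)
    return nets


if __name__ == "__main__":
    for net in known_networks(build_wifi_plist()):
        print(net)
```

On a real extraction, pass `open(path, "rb").read()` to `known_networks`; `plistlib.loads` handles both the XML and binary plist forms, so you do not need to know in advance which one the device wrote.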

##### Answer : `Black lab`
#### Q7- What is the name of the skin/color scheme used for the game emulator? This should be a filename?
Looking back at `applicationstate.db`, I copied all the application bundle IDs and asked ChatGPT which one could be the mobile emulator: `com.rileytestut.enterprise.GBA4iOS`.

So let's check its data in the `./Application/` folder where all applications reside;
there we find a file called `Default.gbaskin`, which indicates that it is the skin file.

##### Answer : `Default.gbaskin`
#### Q8-How long did the News App run in the background?
Back in `CurrentPowerlog.PLSQL`, under the `PLAppTimeService_Aggregate_AppRunTime` table, you will see every application's runtime (backgroundTime, ScreenOnTime).

##### Answer : `197.810275`
#### Q9- What was the first app download from AppStore? (Two words)
Checking `Apps` in ArtEx, we can see that there are 2 applications installed from the App Store.

1. We can guess that `Cookie Run` is the two-word application, but let me check the dates of the 2 apps to confirm it.
Based on the `<GUID>/` of `Cookie Run`, which is `E8F94CEE-A305-458C-8689-93D0F7957D34`, we can parse the installation logs as described in [Alexis Brignoni's blog](https://abrignoni.blogspot.com/2019/01/ios-mobile-installation-logs-parser.html), then filter by that `<GUID>/` to see which bundle it matches in `mib.db`; the installation date is `2020-04-15 04:11:37`.

2. Doing the same with `pokemonquest`, the date is `2020-04-15 04:52:36`, which confirms that it is the second installed app.

##### Answer : `Cookie Run`
#### Q-10 What app was used to jailbreak this device?
When we go to the `Timeline` tab in ArtEx and run the Installed apps plugin, we see multiple install and uninstall events for an app called `phoenix`; searching for this app shows that it is a jailbreak app.

##### Answer : `phoenix`
#### Q-11 How many applications were installed from the app store?
That was pretty easy, as we mentioned above that only 2 applications were installed from the App Store (Cookie Run, pokemonquest).
##### Answer : `2`
#### Q-12 How many save states were made for the emulator game that was most recently obtained?
After searching Google for `.gba4ios saves files`, it appears that the emulator stores save files as `.sav` files. Searching the `jailbroken` folder, there is only one result, `Legend of Zelda, The - The Minish Cap (U).sav`.

##### Answer : `1`
#### Q-13 What language is the user trying to learn?
Looking at the `Podcasts` folder located in `/private/var/mobile/Media/Podcasts`, there are 2 podcasts, one in `English` and one in `Spanish`. Of course it is `Spanish`, as the device's timezone was `New York`.

##### Answer : `Spanish`
#### Q-14 The user was reading a book in real life but used their IPad to record the page that they had left off on. What number was it?
All photos and videos on the phone are located in the `DCIM/` folder, specifically `/private/var/mobile/Media/DCIM/100APPLE/`.
After reviewing the video, it is page 85.
##### Answer : `85`
#### Q-15 If you found me, what should I buy?
Let's check the Calendar database, which is located in `/private/var/mobile/Library/Calendar`.

We see that there are 2 titles; one of them is `Found in Mail`, which indicates that what we are searching for might be in Mail, so let's check it.
Nothing there, so let's check Notes; there are 2 locations:
1. `/private/var/mobile/Library/Notes/notes.sqlite`: I checked it, and it is empty.
2. `/private/var/mobile/Containers/Shared/AppGroup/4466A521-8AF9-4E09-800B-C3203BB70E0E/NoteStore.sqlite`: this is the database we talked about in **Q5**.
When I tried to submit `Crash Bandicoot Nitro-Fueled…`, it told me that part of it wasn't typed. Looking back at the database, I noticed that the note is stored in 2 parts: the first in `ZTITLE1` and the second in `ZSNIPPET`.
First Note : `From time to time The clouds give rest`
Second Note : `Crash Bandicoot Nitro-Fueled Racing for the PS4`, and that is the answer.

##### Answer : `Crash Bandicoot Nitro-Fueled Racing`
#### Q-16 There was an SMS app on this device's dock. Provide the name in bundle format: com.provider.appname?
Looking at the installed apps in `/private/var/mobile/Library/FrontBoard/applicationstate.db`,
you will notice that the only SMS app is `com.apple.MobileSMS`.
##### Answer : `com.apple.MobileSMS`
#### Q-17 A reminder was made to get something, what was it?
Returning to **Q-15**, we saw that there is a reminder in the calendar, so let's check the calendar for that reminder.
I found 2 items in the calendar, one for `Go to bed BEFORE 5 am` and another for `Get milk`.
Based on the question, the answer is `milk`.

##### Answer : `milk`
Finally, that is the end of this long writeup; I hope you learned something about these various artifacts.
