Magnet Forensics Virtual Summit 2023 CTF – iOS

  • Challenge Creators: Jessica Hyde, Dylan Navarro, Alayna Cash, Austin Grupposo, Thomas Claflin, A'zariya Daniels, and Lorena C.

MD5 of Download: 067606649297d7adcf6082e5ed0acbb9

Case Overview: Magnet Forensics hosted this CTF on March 1, 2023, from 11-2 PM EST. This CTF included three images. Below, you will find the steps I took to solve the questions for the iOS image.

Tools Used

#1 A few too many: How many email accounts did the user own? (not counting privaterelay)

E-mail account information can be found in a number of places on a phone: owner information, web browsing history, autofill history, and e-mail applications, to name a few.

On this iOS image, we find that the user has 4 different e-mail addresses. The e-mail addresses were found in Google Accounts, Owner Information, Apple Accounts, Gmail Emails, Apple Mail, and Chrome Autofill.

Locations:

  • \private\var\mobile\Containers\Data\Application\0B468A6F-8837-4A85-BF4D-1EF523683946\Library\Application Support\Google\Chrome\Default\Web Data
  • \private\var\mobile\Containers\Data\Application\0B468A6F-8837-4A85-BF4D-1EF523683946\Library\Application Support\Google\Chrome\Default\Web Data
  • \private\var\mobile\Library\Accounts\Accounts3.sqlite
  • \private\var\mobile\Containers\Data\Application\905428F7-6392-4E22-8709-DBB418A2F18B\Library\Caches\\117165063630066444062\Profile.plist

#2 autoFill me in on the deets: Which email, other than their own, was autofilled in Chrome?

In AXIOM, Chrome Autofill is found under WEB RELATED > Chrome Autofill.


iOS filesystem location: \private\var\mobile\Containers\Data\Application\0B468A6F-8837-4A85-BF4D-1EF523683946\Library\Application Support\Google\Chrome\Default\Web Data

The Web Data file is a sqlite database and can be opened with DB Browser for SQLite. Autofill data is listed under the autofill table.
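The same lookup can be scripted instead of done by hand in DB Browser. The following Python is an added example, not code from the writeup or from Magnet: it builds an in-memory table shaped like Chrome's `autofill` table (column names assumed to match Chrome's Web Data schema, with timestamps assumed to be Unix seconds; the rows themselves are constructed), pulls out every value that looks like an e-mail address, and separates the owner's own addresses from the rest, which is exactly the distinction question #2 asks for. When pointed at a real `Web Data` file it opens the database read-only so the evidence is not modified.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed sample rows shaped like Chrome's `autofill` table. The column
# names (name, value, value_lower, date_created, date_last_used, count) are
# assumed to match Chrome's Web Data schema; the values are made up.
SAMPLE_ROWS = [
    ("email", "Owner@example.com", "owner@example.com", 1672531200, 1675123200, 14),
    ("email", "friend@example.org", "friend@example.org", 1673000000, 1673000000, 1),
    ("name", "Michael", "michael", 1672531200, 1675000000, 9),
    ("phone", "555-0100", "555-0100", 1672600000, 1672600000, 2),
]


def open_web_data(path=None):
    """Open a Chrome Web Data database. With no path, build an in-memory copy
    populated with SAMPLE_ROWS; with a path, open the file read-only so the
    evidence is never written to (copy the file and any -wal/-journal first)."""
    if path is None:
        conn = sqlite3.connect(":memory:")
        conn.execute(
            "CREATE TABLE autofill (name TEXT, value TEXT, value_lower TEXT, "
            "date_created INTEGER, date_last_used INTEGER, count INTEGER)"
        )
        conn.executemany("INSERT INTO autofill VALUES (?,?,?,?,?,?)", SAMPLE_ROWS)
        conn.commit()
        return conn
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def _iso(ts):
    # Timestamps are assumed to be Unix seconds; render them as UTC.
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def autofill_emails(conn):
    """Return every autofill value that looks like an e-mail address as
    (value, count, first_used, last_used), most frequently used first."""
    rows = conn.execute(
        "SELECT value, count, date_created, date_last_used FROM autofill "
        "WHERE value_lower LIKE '%@%.%' ORDER BY count DESC, value_lower"
    ).fetchall()
    return [(v, c, _iso(created), _iso(last)) for v, c, created, last in rows]


def other_emails(conn, owner_emails):
    """Addresses autofilled in Chrome that are not among the owner's own
    accounts (compared case-insensitively)."""
    owned = {e.lower() for e in owner_emails}
    return [row for row in autofill_emails(conn) if row[0].lower() not in owned]


if __name__ == "__main__":
    db = open_web_data()  # or open_web_data("/path/to/Web Data") on a copy of the evidence
    for value, count, first, last in autofill_emails(db):
        print(f"{value:28} used {count:3}x  first {first}  last {last}")
    print("not the owner's:", [r[0] for r in other_emails(db, ["owner@example.com"])])
```

The `count` and `date_last_used` columns are worth reporting alongside the address: an address filled in once is a different story from one filled in fourteen times, and the timestamps let you line the autofill entry up with the browsing history from the same container.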


#3 1 fish 2 fish, red fish blue fish: According to the user's email accounts, what is his favorite color?


#4 Q-uestion: What Chinese networking website was associated with Linkedin?

I used the search function in Magnet AXIOM to help me find this answer. I filtered by searching "linkedin", which reduced the artifacts to 191. Social Media URLS was where I found the answer.

Location: \private\var\containers\Bundle\Application\4D867879-C7BD-4906-8865-EAE0AA4E6236\\LinkedIn


#5 Chef Boyardee 2.0: At which market was the user viewing Chef Pasquale tomato sauce?

I thought this information could be found in web history or photos. As it turns out, the solution was located within the Live Photos section of AXIOM.

AXIOM Location: MEDIA > Live Photos

iOS filesystem location: \private\var\mobile\Media\DCIM\100APPLE\IMG_0034.HEIC


#6 Staying Stylish!: What color shirt did the user choose to put their snapchat bitmoji in?

I used OSINT to figure this out. You can find profiles (if you know the username) by heading to "".

Michael's username can be found by looking at the Snapchat messages. Snapchat messages can be found here: \private\var\mobile\Containers\Data\Application\A5579AA5-A9D6-48BA-B937-4BFF7742ED88\Documents\user_scoped\cc4930c0d71eb7c92c8039f3fe0456cbc1d55be1829129fb3354dbeddb53a783\arroyo\arroyo.db

Once we have the username, we can go to: "".


To find the answer within the iOS image, you can sift through the pictures under MEDIA > Pictures in AXIOM. You'll see the bitmoji pop up several times.

Location: \private\var\mobile\Library\Sharing\XHC\a\+Lu1m|zu9X7Rv+qxy4h771ZxB36yHBC+8IwRZcEYkbzPIexks=.png


Location: \private\var\mobile\Containers\Shared\AppGroup\F6809526-E8EE-4E16-8077-88B9A3B98C21\WidgetExtension\snapcode


Location: \private\var\mobile\Containers\Shared\AppGroup\F6809526-E8EE-4E16-8077-88B9A3B98C21\User\044aebd1-8c6d-48d9-976b-61574a1519bf\camera-lock-screen-widget\camera-lock-screen-widget-bitmoji


#7 Picking up Steam: What server was the user interested in making?

I narrowed down the artifacts by searching for "server". You'll find the answer under COMMUNICATION > Google Searches. You will also find mention of the server in Discord Messages.


iOS filesystem location: \private\var\mobile\Library\Biome\streams\restricted\UserActivityMetadata\local\690754927940769

#8 Overlooking Excellence: What Sports stadium was the user overlooking at Camilien-Houde belvedere?

Assuming the user wanted a photo of an overlook they had visited, I immediately checked the photos and found several that appeared to be an overlook. To confirm the location, I examined the metadata and discovered that they were taken at the Camilien-Houde belvedere. As you zoom in, a stadium is clearly visible in the picture. I searched for stadiums near Camilien-Houde belvedere and compared the results to the image. The Olympic Stadium stood out due to its distinctive structure, allowing us to easily identify it.

Interesting fact about the stadium: "In May 1970 the City of Montreal was awarded the 1976 Summer Olympics. This led to the construction of a new stadium that would be used for the Olympics and then the Expos. The new stadium was named Olympic Stadium and became the first to have a retractable roof". (


#9 You're going to crush this one!: What light-hearted game did the user spend the most time on?

You can find application usage under APPLICATION USAGE > Screen Time Application Usage. Filtering by total time (descending) will show you the most used applications first.


iOS filesystem location: \private\var\mobile\Library\Application Support\\RMAdminStore-Local.sqlite

#10 You are here: Which airline lounge was viewed?

Narrow down artifacts by searching for "lounge". You will find the airport lounge listed under APPLICATION USAGE > Biome User Activity.


#11 Out of this world: Which terms and conditions site on Tik Tok is named after a space formation?

The terms and conditions page can be found by heading to the Social Media URLS tab in Magnet EXAMINE. Filtering by SITE makes it easier to find.


#12 Which way?: Which cardinal direction was the user turning when driving towards RHEINFAHRE?

I applied lessons learned from previous CTF errors. You only had one attempt for this question. I was able to find an image of an underpass with large letters spelling the word 'RHEINFAHRE'. The image was located under MEDIA > Live Photos. Once the photo was located, I examined the preview of the live photo in Magnet EXAMINE, consulted Google Maps, and got the answer.

iOS filesystem location: \private\var\mobile\Media\DCIM\100APPLE\IMG_0068.HEIC


#13 Boosting into a new era: The user was trying to learn German through an application, what promotion featuring a rocket was most commonly shown to the user?

This one took me a while to find. I first started by looking in application notifications - I was seeing a lot of emojis but no rockets. I then decided to look in photos and videos. The answer can be found in Videos, with the name of the promotion in the filename.


iOS filesystem location: \private\var\mobile\Containers\Data\Application\89A6AE48-C46D-4405-A187-C7FF439873F3\Documents\plus-ad-video\Duolingo_NYPromo_2023_EN.mp4

#14 As a river runs: At which location did the user travel the most meters according to Apple? (City, Country)

I ran out of time before I was able to answer this question during the CTF. Below is what I believe is the answer.

You will find distance traveled under CONNECTED DEVICES > Apple Health Distance. If you filter by Distance (meters) you will see that the longest traveled distance is 662.19. This was on 12/31/2022 around 1:35 PM. I then filtered the entire image by date using 12/31/2022 and checked LOCATION DATA, more specifically, Apple Map Trips. There was one trip around that time. I searched the lat and long to determine the City and Country.


#15 Lo Siento Señor, it's going to be a cold one: What weather front was warned to the user by YouTube?

I filtered artifacts by "youtube". The answer can be found in OPERATING SYSTEM > User Notification Events. There was one artifact listed in Spanish. I copied and pasted that into Google Translate to get the answer.