#1 A few too many: How many email accounts did the user own? (not counting privaterelay)

E-mail account information can be found in a number of places on a phone. For example, owner information, web browsing history, autofill history, and e-mail applications to name a few.

On this iOS image, we find that the user has 4 different e-mail addresses. The e-mail addresses were found in Google Accounts, Owner Information, Apple Accounts, Gmail Emails, Apple Mail, and Chrome Autofill.

#2 autoFill me in on the deets: Which email, other than their own, was autofilled in Chrome?

Chrome Autofill location in Axiom is found under WEB RELATED > Chrome Autofill

iOS filesystem location: \private\var\mobile\Containers\Data\Application\0B468A6F-8837-4A85-BF4D-1EF523683946\Library\Application Support\Google\Chrome\Default\Web Data

The Web Data file is a sqlite database and can be opened with DB Browser for SQLite. Autofill data is listed under the autofill table.

#3 1 fish 2 fish, red fish blue fish: According to the user's email accounts, what is his favorite color?

#4 Q-uestion: What Chinese networking website was associated with Linkedin?

I used the search function in Magnet AXIOM to help me find this answer. I filtered by searching "linkedin", which reduced the artifacts to 191. Social Media URLS was where I found the answer.

Location: \private\var\containers\Bundle\Application\4D867879-C7BD-4906-8865-EAE0AA4E6236\LinkedIn.app\LinkedIn

#5 Chef Boyardee 2.0: At which market was the user viewing Chef Pasquale tomato sauce?

I thought this information could be found in web history or photos. As it turns out, the solution was located within the Live Photos section of AXIOM.

AXIOM Location: MEDIA > Live Photos

iOS filesystem location: \private\var\mobile\Media\DCIM\100APPLE\IMG_0034.HEIC

#6 Staying Stylish!: What color shirt did the user choose to put their snapchat bitmoji in?

I used OSINT to figure this out. You can find profiles (if you know the username) by heading to "https://www.snapchat.com/add/USERNAME".

Michael's username can be found by looking at the SnapChat messages. Snapchat messages can be found here: \private\var\mobile\Containers\Data\Application\A5579AA5-A9D6-48BA-B937-4BFF7742ED88\Documents\user_scoped\cc4930c0d71eb7c92c8039f3fe0456cbc1d55be1829129fb3354dbeddb53a783\arroyo\arroyo.db

Once we have the username, we can go to: "https://www.snapchat.com/add/m_b227468".

To find the answer within the iOS image, you can sift through the pictures under MEDIA > Pictures in AXIOM. You'll see the bitmoji pop up several times.

Location: \private\var\mobile\Library\Sharing\XHC\a\+Lu1m|zu9X7Rv+qxy4h771ZxB36yHBC+8IwRZcEYkbzPIexks=.png

Location: \private\var\mobile\Containers\Shared\AppGroup\F6809526-E8EE-4E16-8077-88B9A3B98C21\WidgetExtension\snapcode

Location: \private\var\mobile\Containers\Shared\AppGroup\F6809526-E8EE-4E16-8077-88B9A3B98C21\User\044aebd1-8c6d-48d9-976b-61574a1519bf\camera-lock-screen-widget\camera-lock-screen-widget-bitmoji

#7 Picking up Steam: What server was the user interested in making?

I narrowed down the artifacts by searching for "server". You'll find the answer under COMMUNICATION > Google Searches. You will also find mention of the server in Discord Messages.

iOS filesystem location: \private\var\mobile\Library\Biome\streams\restricted\UserActivityMetadata\local\690754927940769

#8 Overlooking Excellence: What Sports stadium was the user overlooking at Camilien-Houde belvedere?

Assuming the user wanted a photo of an overlook they had visited, I immediately checked the photos and found several that appeared to be an overlook. To confirm its location, I examined the metadata and discovered that they were taken at the Camilien-Houde belvedere. As you zoom in, a stadium was clearly visible in the picture. I searched for stadiums near Camilien-Houde belvedere and compared the results to the image. The Olympic stadium stood out due to its distinctive structure, allowing us to easily identify it.

Interesting fact about the stadium: "In May 1970 the City of Montreal was awarded the 1976 Summer Olympics. This led to the construction of a new stadium that would be used for the Olympics and then the Expos. The new stadium was named Olympic Stadium and became the first to have a retractable roof". (https://www.ballparksofbaseball.com/ballparks/olympic-stadium/)

#9 You're going to crush this one!: What light-hearted game did the user spend the most time on?

You can find application usage under APPLICATION USAGE > Screen Time Application Usage. Filtering by total time (descending) will show you the most used applications first.

iOS filesystem location: \private\var\mobile\Library\Application Support\com.apple.remotemanagementd\RMAdminStore-Local.sqlite

#10 You are here: Which airline lounge was viewed?

Narrow down artifacts by searching for "lounge". You will find the airport lounge listed under APPLICATION USAGE > Biome User Activity.

#11 Out of this world: Which terms and conditions site on Tik Tok is named after a space formation?

The terms and conditions page can be found by heading to the Social Media URLS tab in Magnet EXAMINE. Filtering by SITE makes it easier to find.

#12 Which way?: Which cardinal direction was the user turning when driving towards RHEINFAHRE?

I applied lessons learned from previous CTF errors. You only had one attempt for this question. I was able to find an image of an underpass with large letters with the word 'RHEINFAHRE'. The location of the image was under MEDIA > Live Photos. Once the photo was located, I examined the preview of the live photo in Magnet EXAMINE, consulted Google Maps, and got the answer.

iOS filesystem location: \private\var\mobile\Media\DCIM\100APPLE\IMG_0068.HEIC

#13 Boosting into a new era: The user was trying to learn German through an application, what promotion featuring a rocket was most commonly shown to the user?

This one took me awhile to find. I first started by looking in application notifications - I was seeing a lot of emojis but no rockets. I then decided to look in photos and videos. The answer can be found in Videos with the name of the promotion in the filename.

iOS filesystm location: \private\var\mobile\Containers\Data\Application\89A6AE48-C46D-4405-A187-C7FF439873F3\Documents\plus-ad-video\Duolingo_NYPromo_2023_EN.mp4

#14 As a river runs: At which location did the user travel the most meters according to Apple? (City, Country)

I ran out of time before I was able to answer this question during the CTF. Below is what I believe is the answer.

You will find distance traveled under CONNECTED DEVICES > Apple Health Distance. If you filter by Distance (meters) you will see that the longest traveled distance is 662.19. This was on 12/31/2022 around 1:35 PM. I then filtered the entire image by date using 12/31/2022 and checked LOCATION DATA, more specifically, Apple Map Trips. There was one trip around that time. I searched the lat and long to determine the City and Country.

#15 Lo Siento Señor, its going to be a cold one: What weather front was warned to the user by youtube?

I filtered artifacts by "youtube". The answer can be found in OPERATING SYSTEM > User Notifaction Events. There was one artifact listed in Spanish. I copy and pasted that into Google Translate to get the answer.