The Crime writeup using ALEAPP - cyberdefenders
Instructions: Uncompress the lab (pass: cyberdefenders.org)
Scenario: We're currently in the midst of a murder investigation, and we've obtained the victim's phone as a key piece of evidence. After conducting interviews with witnesses and those in the victim's inner circle, your objective is to meticulously analyze the information we've gathered and diligently trace the evidence to piece together the sequence of events leading up to the incident.
Tools: ALEAPP , sqlitebrowser
Resources: Android-Forensics-References
- Step 1 : Extract the provided lab file. There will be a directory named "data" where all the Android files are stored.
- Step 2 : Use the ALEAPP tool to parse the data directory into a more interactive report.
- Step 3 : ./aleapp -t fs -i data -o OUTPUT_DIRECTORY
The above command creates another directory inside the OUTPUT_DIRECTORY you provided.
- Step 4 : There will be an index.html file in that directory's report folder. Open that file in any browser.
Question 1/6 - Based on the accounts of the witnesses and individuals close to the victim, it has become clear that the victim was interested in trading. This has led him to invest all of his money and acquire debt. Can you identify which trading application the victim primarily used on his phone?
In the list of installed apps, the trading platform is easy to spot.
Answer - Olymp Trade
Question 2/6 - According to the testimony of the victim's best friend, he said, "While we were together, my friend got several calls he avoided. He said he owed the caller a lot of money but couldn't repay now". How much does the victim owe this person?
After some investigation, I found a message from this person demanding the money:
Answer - 250000
Question 3/6 - What is the name of the person to whom the victim owes money?
Now that we have this person's number, we can look it up in the contacts to find the name associated with it.
Answer - Shady Wahab
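Questions 2 and 3 are really one query: find the message that demands money, then map the sender's number to a contact name. ALEAPP does this for you, but it is worth seeing the joins it performs, because the raw databases are what you fall back on when a parser chokes. The script below is an added example, not part of the original writeup or of ALEAPP; it builds an in-memory SQLite database with the relevant tables from Android's contacts2.db (raw_contacts, data, mimetypes) and mmssms.db (sms), filled with constructed sample rows, and then resolves the sender of a debt-related SMS to a name. The trailing-digits comparison handles the common trap that the contact is saved as a local number while the SMS address carries a country code.

```python
from __future__ import annotations

import re
import sqlite3
from datetime import datetime, timezone
from typing import Optional

# All rows below are CONSTRUCTED for this example; they are not from the lab image.
SAMPLE_CONTACTS = [
    ("Alice Example", "+20 100 000 0001"),
    ("Bob Example", "01000000002"),          # saved without country code
]
SAMPLE_SMS = [
    # (address, date in ms since epoch as Android stores it, type 1 = inbox, body)
    ("+201000000001", 1695000000000, 1, "Are we still on for Friday?"),
    ("+201000000002", 1695100000000, 1, "You still owe me 12000. I want it this week."),
    ("+201000000002", 1695200000000, 1, "Don't ignore my calls."),
]

# Real mimetype string Android uses to tag phone-number rows in the data table.
PHONE_MIMETYPE = "vnd.android.cursor.item/phone_v2"


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory DB with minimal versions of the contacts2.db and mmssms.db tables."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE raw_contacts (_id INTEGER PRIMARY KEY, display_name TEXT);
        CREATE TABLE mimetypes (_id INTEGER PRIMARY KEY, mimetype TEXT);
        CREATE TABLE data (_id INTEGER PRIMARY KEY, raw_contact_id INTEGER,
                           mimetype_id INTEGER, data1 TEXT);
        CREATE TABLE sms (_id INTEGER PRIMARY KEY, address TEXT, date INTEGER,
                          type INTEGER, body TEXT);
    """)
    con.execute("INSERT INTO mimetypes VALUES (1, ?)", (PHONE_MIMETYPE,))
    for rid, (name, number) in enumerate(SAMPLE_CONTACTS, start=1):
        con.execute("INSERT INTO raw_contacts VALUES (?, ?)", (rid, name))
        con.execute("INSERT INTO data (raw_contact_id, mimetype_id, data1) VALUES (?, 1, ?)",
                    (rid, number))
    con.executemany("INSERT INTO sms (address, date, type, body) VALUES (?, ?, ?, ?)", SAMPLE_SMS)
    con.commit()
    return con


def digits_only(number: str) -> str:
    return re.sub(r"\D", "", number or "")


def same_number(a: str, b: str, tail: int = 9) -> bool:
    """Compare trailing digits so '+20 100 ...' and '0100...' match despite formatting/country code."""
    da, db = digits_only(a), digits_only(b)
    return bool(da) and bool(db) and da[-tail:] == db[-tail:]


def load_contacts(con: sqlite3.Connection) -> list[tuple[str, str]]:
    """Join data -> mimetypes -> raw_contacts to get (display_name, phone_number) pairs."""
    return con.execute("""
        SELECT rc.display_name, d.data1
        FROM data d
        JOIN mimetypes m ON m._id = d.mimetype_id
        JOIN raw_contacts rc ON rc._id = d.raw_contact_id
        WHERE m.mimetype = ?
    """, (PHONE_MIMETYPE,)).fetchall()


def resolve_name(con: sqlite3.Connection, address: str) -> Optional[str]:
    """Map an SMS address to a contact display name, or None if unknown."""
    for name, number in load_contacts(con):
        if same_number(number, address):
            return name
    return None


# Matches "owe ... <amount>"; the amount may contain thousands separators.
MONEY_RE = re.compile(r"\bowe\b.*?(\d[\d,]*)", re.IGNORECASE)


def find_debt_messages(con: sqlite3.Connection) -> list[dict]:
    """Return incoming SMS that mention owing money, with the amount and resolved sender name."""
    results = []
    rows = con.execute("SELECT address, date, body FROM sms WHERE type = 1 ORDER BY date")
    for address, date_ms, body in rows:
        m = MONEY_RE.search(body)
        if not m:
            continue
        results.append({
            "sender": address,
            "name": resolve_name(con, address),
            "amount": int(m.group(1).replace(",", "")),
            "timestamp": datetime.fromtimestamp(date_ms / 1000, tz=timezone.utc).isoformat(),
            "body": body,
        })
    return results


if __name__ == "__main__":
    for hit in find_debt_messages(build_sample_db()):
        print(hit)
```

Against the real lab you would open data/data/com.android.providers.contacts/databases/contacts2.db and data/data/com.android.providers.telephony/databases/mmssms.db with sqlitebrowser (or point sqlite3.connect at them) instead of calling build_sample_db; the queries are the same. Note the timestamp conversion: Android stores SMS dates in milliseconds, so dividing by 1000 before converting is the step people most often forget.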
Question 4/6 - Based on the statement from the victim's family, they said that on September 20, 2023, he departed from his residence without informing anyone of his destination. Where was the victim located at that moment?
In Recent Activity_O there is a map image that reveals the victim's location on the given date. The timestamp of the location is shown just before the map image.
Answer - The Nile Ritz-Carlton
Question 5/6 - The detective continued his investigation by questioning the hotel lobby. She informed him that the victim had reserved the room for 10 days and had a flight scheduled thereafter. The investigator believes that the victim may have stored his ticket information on his phone. Look for where the victim intended to travel.
The victim had stored some information about the ticket on his device. Searching for the keyword "ticket" in the report's search bar gives the path of the ticket image.
Now we have the full path of the ticket image. We can find that ticket in the extracted data directory at the path /data/media/0/Download/Plane\ Ticket.png
Answer - Las Vegas
Question 6/6 - After examining the victim's Discord conversations, we discovered he had arranged to meet a friend at a specific location. Can you determine where this meeting was supposed to occur?
There is a section for the Discord messages that shows the conversations and the locations mentioned in them.
Answer - The Mob Museum