Statement: At customs, the officer asks you to hand over your phone and its unlocking code. The phone is returned to you a few hours later…

Suspicious, you send your phone to ANSSI’s CERT-FR for analysis. CERT-FR analysts carry out a collection on the phone, consisting of a sysdiagnose and a backup.

Note: with the exception of iForensics - iBackdoor 2/2, which depends on the resolution of iForensics - iBackdoor 1/2, the tests are independent. However, we advise you to work through them in increasing order of difficulty, ending with iForensics - iCompromise.

It seems that a message failed to be sent … Find the recipient of this message.

The flag is in FCSC{<recipient>} format. For example, if the recipient is example@example.com: FCSC{example@example.com}.

Warning: for this test, you only have 5 flag attempts.


By inspecting the contents of the backup, I notice the presence of many SQLite files:

# file backup/*/* | grep -i "sqlite" | awk '{print $1}' | wc -l

80

After a few minutes, I notice an SQLite database that looks useful for finding the recipient of an unsent message:

# echo ".tables" | sqlite3 backup/3d/3d0d7e5fb2ce288813306e4d4636395e047a3d28

_SqliteDatabaseProperties              message                              
attachment                             message_attachment_join              
chat                                   message_processing_task              
chat_handle_join                       recoverable_message_part             
chat_message_join                      sync_deleted_attachments             
chat_recoverable_message_join          sync_deleted_chats                   
deleted_messages                       sync_deleted_messages                
handle                                 unsynced_removed_recoverable_messages
kvtable 

This database seems to correspond to the chat.db file, which holds iMessage and SMS data.

I start by listing the messages in the database with the following query:

SELECT 
  m.ROWID AS message_id,
  m.text AS message_text,
  m.is_from_me,
  h.id AS destinataire,
  m.date
FROM message m
JOIN handle h ON m.handle_id = h.ROWID
ORDER BY m.date ASC;

I see in the output that the destination address only ever corresponds to the address of the sender's own account:

1|Hi!|1|robertswigert@icloud.com|765724942566530944
2|Hi!|0|robertswigert@icloud.com|765724942566530944
3|Do you want to have my precious secret ?|1|robertswigert@icloud.com|765724959532763904
4|Do you want to have my precious secret ?|0|robertswigert@icloud.com|765724959532763904
5||1|robertswigert@icloud.com|765725371069921024
6| |0|robertswigert@icloud.com|765725371069921024

So I decide to consult the handle table to retrieve the list of contacts:

sqlite> SELECT * FROM handle ORDER BY id;

1|kristy.friedman@outlook.com|us|SMS||
2|robertswigert@icloud.com|us|iMessage||

Flag: FCSC{kristy.friedman@outlook.com}
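As an added example (not part of the original writeup), the following Python script reproduces the reasoning above in a self-contained way: it builds an in-memory database using a constructed subset of the chat.db schema (the table and column names come from the output above; the `country` column name and its position are an assumption), loads the six message rows and two handle rows shown, runs the writeup's listing query, and then runs a LEFT JOIN that returns every handle never referenced by a message row, which is how the recipient is identified here. It also converts the `date` column, which recent iOS versions store as nanoseconds since 2001-01-01 UTC, into a readable timestamp, and opens a real database read-only so the evidence file is not modified during analysis.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Recent iOS versions store chat.db dates as nanoseconds since 2001-01-01 UTC.
APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def apple_date_to_datetime(raw):
    """Convert a chat.db `date` value (ns since 2001-01-01) to a UTC datetime."""
    return APPLE_EPOCH + timedelta(seconds=raw / 1_000_000_000)


def open_readonly(path):
    """Open an evidence database without ever writing to it."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def build_sample_db():
    """In-memory database with a constructed subset of the chat.db schema,
    populated with the rows shown in the writeup (constructed sample data)."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE handle (
            ROWID   INTEGER PRIMARY KEY,
            id      TEXT,       -- phone number or e-mail address
            country TEXT,       -- assumed column name
            service TEXT        -- 'SMS' or 'iMessage'
        );
        CREATE TABLE message (
            ROWID      INTEGER PRIMARY KEY,
            text       TEXT,
            handle_id  INTEGER, -- the other party of the message
            is_from_me INTEGER,
            date       INTEGER
        );
        """
    )
    con.executemany(
        "INSERT INTO handle VALUES (?, ?, ?, ?)",
        [
            (1, "kristy.friedman@outlook.com", "us", "SMS"),
            (2, "robertswigert@icloud.com", "us", "iMessage"),
        ],
    )
    con.executemany(
        "INSERT INTO message VALUES (?, ?, ?, ?, ?)",
        [
            (1, "Hi!", 2, 1, 765724942566530944),
            (2, "Hi!", 2, 0, 765724942566530944),
            (3, "Do you want to have my precious secret ?", 2, 1, 765724959532763904),
            (4, "Do you want to have my precious secret ?", 2, 0, 765724959532763904),
            (5, "", 2, 1, 765725371069921024),
            (6, " ", 2, 0, 765725371069921024),
        ],
    )
    con.commit()
    return con


def list_messages(con):
    """The writeup's listing query, with the raw date converted to ISO 8601."""
    rows = con.execute(
        """
        SELECT m.ROWID, m.text, m.is_from_me, h.id, m.date
        FROM message m
        JOIN handle h ON m.handle_id = h.ROWID
        ORDER BY m.date ASC, m.ROWID ASC
        """
    ).fetchall()
    return [
        (mid, text, from_me, handle, apple_date_to_datetime(raw).isoformat())
        for mid, text, from_me, handle, raw in rows
    ]


def handles_without_messages(con):
    """Handles the phone knows about that are never referenced by a message row.
    In the writeup's data this is the recipient of the message that never went out."""
    return con.execute(
        """
        SELECT h.id, h.service
        FROM handle h
        LEFT JOIN message m ON m.handle_id = h.ROWID
        GROUP BY h.ROWID
        HAVING COUNT(m.ROWID) = 0
        ORDER BY h.id
        """
    ).fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    for row in list_messages(db):
        print(row)
    print("handles with no messages:", handles_without_messages(db))
```

To run the same two queries against the file from the backup, replace `build_sample_db()` with `open_readonly("backup/3d/3d0d7e5fb2ce288813306e4d4636395e047a3d28")`; the read-only URI keeps the collected copy pristine, which matters when the analysis has to be reproducible.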