Statement: At customs, the officer asks you to hand over your phone and its unlocking code. The phone is returned to you a few hours later…

Suspicious, you send your phone to ANSSI’s CERT-FR for analysis. CERT-FR analysts carry out a collection on the phone, consisting of a sysdiagnose and a backup.

Note: with the exception of iForensics - iBackdoor 2/2, which depends on the resolution of iForensics - iBackdoor 1/2, the tests are independent. However, we advise you to work through them in increasing order of difficulty, ending with iForensics - iCompromise.

Before the phone was handed over to customs, its owner had time to send a treasure. Find the treasure.


Continuing from the iForensics - iNvisible challenge, we are asked to find the treasure.

Still in the same chat.db database, I execute the following SQLite query to list the attachments that were sent:

SELECT a.filename, a.mime_type, a.transfer_name, m.text, m.date
FROM message m
JOIN message_attachment_join maj ON m.ROWID = maj.message_id
JOIN attachment a ON maj.attachment_id = a.ROWID
ORDER BY m.date ASC;

The output gives us some interesting information:

~/Library/SMS/Attachments/9e/14/4C3DF366-1CE1-42F1-9570-C76206181041/679329D1-12E7-45F2-A082-1E58A6CB454F.HEIC|image/heic|679329D1-12E7-45F2-A082-1E58A6CB454F.HEIC||765725371069921024
~/Library/SMS/Attachments/9e/14/4C3DF366-1CE1-42F1-9570-C76206181041/679329D1-12E7-45F2-A082-1E58A6CB454F.HEIC|image/heic|679329D1-12E7-45F2-A082-1E58A6CB454F.HEIC| |765725371069921024

In particular, I note the following:

  • The message sent with an empty body (id 6) probably contains an emoji or an attachment: 6| |0|robertswigert@icloud.com|765725371069921024
  • The timestamps of the message and the attachment match: 765725371069921024

So I decided to search for files in the HEIC/HEIF format, an image format used on Apple devices:

# file backup/*/* | grep -i "hei\w"

backup/6f/6f4e34098e00a80fde876c8638fb1d685be2318b:     ISO Media, HEIF Image HEVC Main or Main Still Picture Profile
backup/78/78564230ecf97df163e76713ce779e028c679bb6:     ISO Media, HEIF Image HEVC Main or Main Still Picture Profile
backup/bf/bf2ce68a5deb520fbce2ceb103b44c7dbb9f8cad:     ISO Media, HEIF Image HEVC Main or Main Still Picture Profile

And I found the following image: itreasure

Flag : FCSC{511773550dca}
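Instead of scanning every backup file by type, the attachment path from chat.db can be mapped straight to its backup file name, since iOS backups name each file with the SHA-1 of "<domain>-<relativePath>". This is an added example, not part of the original write-up; the function names are hypothetical, and the MediaDomain domain for SMS attachments is an assumption to confirm against the backup's Manifest.db.

```python
import hashlib
from datetime import datetime, timedelta, timezone

APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)  # Cocoa reference date

# Row copied from the query output above (sqlite3 list mode, '|' separated).
SAMPLE_ROW = ("~/Library/SMS/Attachments/9e/14/4C3DF366-1CE1-42F1-9570-C76206181041/"
              "679329D1-12E7-45F2-A082-1E58A6CB454F.HEIC|image/heic|"
              "679329D1-12E7-45F2-A082-1E58A6CB454F.HEIC||765725371069921024")


def backup_file_id(domain, relative_path):
    """iOS backups name each file SHA-1("<domain>-<relativePath>")."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode("utf-8")).hexdigest()


def attachment_backup_path(filename, backup_root="backup", domain="MediaDomain"):
    """Map attachment.filename from chat.db to <root>/<first 2 hex>/<fileID>.

    Assumption: SMS/iMessage attachments are backed up under MediaDomain.
    """
    relative = filename[2:] if filename.startswith("~/") else filename
    file_id = backup_file_id(domain, relative)
    return f"{backup_root}/{file_id[:2]}/{file_id}"


def apple_time_to_utc(value):
    """Convert message.date to UTC. Recent iOS stores nanoseconds since 2001;
    small values are treated as seconds (heuristic threshold, an assumption)."""
    micros = value // 1000 if value > 10**12 else value * 10**6
    return APPLE_EPOCH + timedelta(microseconds=micros)


def locate(row):
    """Parse one row of the query output and resolve where the file should be."""
    filename, mime, transfer_name, rest = row.split("|", 3)
    text, date = rest.rsplit("|", 1)  # message text itself may contain '|'
    return {
        "mime": mime,
        "transfer_name": transfer_name,
        "sent_utc": apple_time_to_utc(int(date)),
        "backup_path": attachment_backup_path(filename),
    }


if __name__ == "__main__":
    for key, value in locate(SAMPLE_ROW).items():
        print(f"{key}: {value}")
```

If the printed path does not exist in the backup, look up the relativePath in Manifest.db to get the actual domain and fileID.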