Tuesday, 27 October 2020

Magnet Weekly CTF writeup - Week 3

 And we're on to week 3 of the Magnet Weekly CTF Challenge! This week's question still references the Android image from week 1:

Which exit did the device user pass by that could have been taken for Cargo?

This week's question had me stumped initially, and the three-attempt answer limit added to the difficulty. Thankfully Magnet Forensics was generous enough to give a hint on Cache Up, which pointed players to one of their webinars on mobile artifact comparison.

From the webinar hint, my instinct told me that this had to do with the Pixel equivalent of Apple's 'Live Photos', a.k.a. motion photos: when motion is enabled, the phone records a short clip (up to about 3 seconds) around the moment the shutter is pressed, trims it, and stores the resulting MP4 inside the same file as the JPEG still.

So I started looking at the MVIMG*.jpg files in the DCIM folder:

$ ls data/media/0/DCIM/Camera/ | grep MVIMG
MVIMG_20200305_145544.jpg
MVIMG_20200306_151636.jpg
MVIMG_20200307_130221.jpg
MVIMG_20200307_130237.jpg
MVIMG_20200307_130326.jpg
MVIMG_20200307_185225.jpg
MVIMG_20200307_201453.jpg
MVIMG_20200310_133405.jpg

There were 8 motion photos, and I needed a way to extract the video embedded in each. A quick Google search did not disappoint: I found a ready-made script by Jerry Peek on StackOverflow that does exactly what was needed.

#!/bin/bash
# extract-mvimg: Extract .mp4 video and .jpg still image from a Pixel phone
# camera "motion video" file with a name like MVIMG_20191216_153039.jpg
# to make files like IMG_20191216_153039.jpg and IMG_20191216_153039.mp4
#
# Usage: extract-mvimg MVIMG*.jpg [MVIMG*.jpg...]

for srcfile
do
  case "$srcfile" in
  MVIMG_*_*.jpg) ;;
  *)
    # Diagnostics go to stderr (the original used 2>&1, which sends them to stdout)
    echo "extract-mvimg: skipping '$srcfile': not an MVIMG*.jpg file?" >&2
    continue
    ;;
  esac

  # Get base filename: strip leading MV and trailing .jpg
  # Example: MVIMG_20191216_153039.jpg becomes IMG_20191216_153039
  basefile=${srcfile#MV}
  basefile=${basefile%.jpg}

  # Get byte offset of the MP4 'ftyp' box type string, first match only
  # (a second match would otherwise break the arithmetic below).
  # Example output: 2983617:ftypmp4
  offset=$(grep -F --byte-offset --only-matching --text ftypmp4 "$srcfile" | head -n 1)
  # Strip trailing text. Example output: 2983617
  offset=${offset%:*}

  # If $offset isn't an empty string, create .mp4 file and
  # truncate a copy of input file to make .jpg file.
  if [[ $offset ]]
  then
    # The 4-byte box size field precedes "ftyp", so the MP4 starts 4 bytes
    # before the match: copy everything from that point on into the .mp4 ...
    dd status=none "if=$srcfile" "of=${basefile}.mp4" bs=$((offset-4)) skip=1
    # ... and keep only the bytes before it as the still image.
    cp -ip "$srcfile" "${basefile}.jpg" || exit 1
    truncate -s $((offset-4)) "${basefile}.jpg"
  else
    echo "extract-mvimg: can't find ftypmp4 in $srcfile; skipping..." >&2
  fi
done
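As an added example (not part of the original writeup and not Jerry Peek's script), the same split done in Python with one extra check an examiner would want. Pixel motion photos carry a GCamera:MicroVideoOffset attribute in the JPEG's XMP packet, which this code assumes (as in Google's v1 motion-photo format) to be the distance in bytes from the end of the file to the start of the MP4. The code reads that offset, verifies that it really points at an ISO-BMFF 'ftyp' box, falls back to carving for the box when the metadata is missing or wrong, and reports whether the two methods agree. The sample file is constructed inline and is not a real Pixel capture.

```python
import re
import struct
from typing import Iterator, NamedTuple, Optional, Tuple

# Pixel motion photos (MVIMG_*.jpg) are an ordinary JPEG with an MP4 appended after
# the EOI marker. The JPEG's XMP packet (APP1 segment) carries GCamera:MicroVideoOffset,
# assumed here to be the distance in bytes from the END of the file to the MP4's start.
XMP_HEADER = b"http://ns.adobe.com/xap/1.0/\x00"
MICRO_VIDEO_OFFSET_RE = re.compile(rb'MicroVideoOffset(?:="(\d+)"|>(\d+)<)')

class SplitResult(NamedTuple):
    jpeg: bytes
    video: bytes
    source: str       # "xmp" if the XMP offset was used, "carved" if we scanned for 'ftyp'
    consistent: bool  # XMP offset and carved position agree (or there was no XMP offset)

def iter_jpeg_segments(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (marker, payload) for each length-prefixed segment before SOS/EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):                      # EOI / SOS: metadata is over
            return
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:    # standalone markers, no length
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length

def xmp_micro_video_offset(data: bytes) -> Optional[int]:
    """Return GCamera:MicroVideoOffset from the XMP APP1 segment, or None."""
    for marker, payload in iter_jpeg_segments(data):
        if marker == 0xE1 and payload.startswith(XMP_HEADER):
            m = MICRO_VIDEO_OFFSET_RE.search(payload)
            if m:
                return int(m.group(1) or m.group(2))
    return None

def carve_ftyp(data: bytes) -> Optional[int]:
    """Offset of the first plausible ISO-BMFF 'ftyp' box (its 4-byte size field sits
    just before the type string), or None. Unlike a bare grep for 'ftypmp4' this
    checks that the size field is sane and also accepts other brands (e.g. isom)."""
    i = data.find(b"ftyp")
    while i != -1:
        start = i - 4
        if start >= 0:
            (size,) = struct.unpack(">I", data[start:i])
            if 8 <= size <= len(data) - start:
                return start
        i = data.find(b"ftyp", i + 4)
    return None

def split_motion_photo(data: bytes) -> SplitResult:
    """Split an MVIMG blob into JPEG and MP4. The XMP offset is preferred but is
    verified against the bytes it points at; otherwise we carve, and we report
    whether metadata and content agree so tampering or corruption is visible."""
    xmp_off = xmp_micro_video_offset(data)
    carved = carve_ftyp(data)
    start, source = None, "carved"
    if xmp_off is not None:
        cand = len(data) - xmp_off
        if cand >= 0 and data[cand + 4:cand + 8] == b"ftyp":
            start, source = cand, "xmp"
    if start is None:
        start = carved
    if start is None:
        raise ValueError("no embedded MP4 found")
    consistent = xmp_off is None or len(data) - xmp_off == carved
    return SplitResult(data[:start], data[start:], source, consistent)

def build_sample_mvimg(xmp_offset: Optional[int] = None) -> bytes:
    """Constructed sample, not a real Pixel file: minimal JPEG + minimal MP4.
    Pass a wrong xmp_offset to simulate metadata that disagrees with the content."""
    ftyp = struct.pack(">I", 20) + b"ftyp" + b"mp42" + b"\x00\x00\x00\x00" + b"isom"
    mp4 = ftyp + struct.pack(">I", 16) + b"mdat" + b"\x00" * 8
    if xmp_offset is None:
        xmp_offset = len(mp4)
    xmp = (b'<x:xmpmeta xmlns:x="adobe:ns:meta/">'
           b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">'
           b'<rdf:Description xmlns:GCamera="http://ns.google.com/photos/1.0/camera/" '
           b'GCamera:MicroVideo="1" GCamera:MicroVideoOffset="' + str(xmp_offset).encode()
           + b'"/></rdf:RDF></x:xmpmeta>')
    payload = XMP_HEADER + xmp
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app1 + b"\xff\xd9" + mp4

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_mvimg()
    res = split_motion_photo(blob)
    print("MP4 starts at byte %d (via %s, consistent=%s)" % (len(res.jpeg), res.source, res.consistent))
```

Run it with a path to an MVIMG file to see where the video starts and which method located it; a `consistent=False` result means the XMP offset and the carved 'ftyp' position disagree, which is worth noting in a report before trusting either half of the file.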

Running the shell script against the MVIMG*.jpg files listed earlier and stepping through the extracted videos, I noted an interesting frame from MVIMG_20200307_130326.jpg:


The video appears to have captured a signboard on a highway with the keyword 'Cargo' on it. Unfortunately, the video quality isn't the best (or maybe it's just my screen), and I could not clearly make out the rest of the signboard.

Checking the EXIF metadata of the image gives us the following information:

$ exiftool data/media/0/DCIM/Camera/MVIMG_20200307_130326.jpg 
ExifTool Version Number         : 12.00
File Name                       : MVIMG_20200307_130326.jpg
Directory                       : data/media/0/DCIM/Camera
File Modification Date/Time     : 2020:03:07 07:03:28-05:00
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
Make                            : Google
Camera Model Name               : Pixel 3
Modify Date                     : 2020:03:07 13:03:26
Date/Time Original              : 2020:03:07 13:03:26
Create Date                     : 2020:03:07 13:03:26
GPS Version ID                  : 2.2.0.0
GPS Altitude                    : 246.8 m Above Sea Level
GPS Date/Time                   : 2020:03:07 12:03:26Z
GPS Latitude                    : 60 deg 11' 38.70" N
GPS Longitude                   : 11 deg 5' 46.65" E

Looking up the GPS coordinates on Google Maps places us within Gardermoen Airport in Norway, next to a Starbucks, which is not quite what I expected since the motion photo clearly shows the device user on the move outdoors. A stale location fix is the likely explanation: the camera app stamps the most recent location the device had, and a fix obtained inside the terminal can easily be minutes old by the time the shutter is pressed on the road.

Refusing to be daunted, I checked the EXIF of the images that were sequentially before and after the motion photo of interest and noted that MVIMG_20200307_185225.jpg places the user in Gamle Oslo, Norway. Since the motion photos suggest that the device user was on a bus, I used Google Maps for directions from Gardermoen Airport to Gamle Oslo and followed the route on Street View. My persistence finally paid off when I found the signboard at 60°10'14.3"N 11°06'13.8"E.
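As an added check (not part of the original writeup), a Python snippet that parses the exiftool output quoted above, converts the DMS coordinates into the decimal form a maps search box accepts, recovers the device's UTC offset by comparing the zone-less EXIF DateTimeOriginal with the UTC GPS timestamp, and measures how far the stamped fix is from the spot where the sign was found. The exiftool lines are constructed from the output above (only the tags needed), and the reference point is the sign coordinate reported in the writeup.

```python
import math
import re
from datetime import datetime
from typing import Dict

# Constructed from the exiftool output quoted above (only the lines we need).
EXIF_TEXT = """\
Date/Time Original              : 2020:03:07 13:03:26
GPS Date/Time                   : 2020:03:07 12:03:26Z
GPS Latitude                    : 60 deg 11' 38.70" N
GPS Longitude                   : 11 deg 5' 46.65" E
"""

# Where the E16 sign was found on Street View: 60°10'14.3"N 11°06'13.8"E.
SIGN_LAT, SIGN_LON = 60 + 10 / 60 + 14.3 / 3600, 11 + 6 / 60 + 13.8 / 3600

DMS_RE = re.compile(r"(\d+) deg (\d+)' ([\d.]+)\" ([NSEW])")

def parse_exiftool(text: str) -> Dict[str, str]:
    """Turn exiftool's 'Tag Name   : value' lines into a dict."""
    tags = {}
    for line in text.splitlines():
        m = re.match(r"(.+?)\s*: (.*)", line)
        if m:
            tags[m.group(1)] = m.group(2).strip()
    return tags

def dms_to_decimal(s: str) -> float:
    """'60 deg 11' 38.70" N' -> 60.194083; S and W hemispheres are negative."""
    deg, minutes, seconds, hemi = DMS_RE.search(s).groups()
    value = int(deg) + int(minutes) / 60 + float(seconds) / 3600
    return -value if hemi in "SW" else value

def utc_offset_hours(local: str, gps_utc: str) -> float:
    """DateTimeOriginal is device-local time with no zone; the GPS date/time is
    UTC. Their difference tells you which zone the device thought it was in."""
    t_local = datetime.strptime(local, "%Y:%m:%d %H:%M:%S")
    t_utc = datetime.strptime(gps_utc, "%Y:%m:%d %H:%M:%SZ")
    return (t_local - t_utc).total_seconds() / 3600

def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance on a 6371 km sphere."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def check_photo(exif_text: str, ref_lat: float, ref_lon: float) -> dict:
    """Decimal position, device UTC offset, and distance from a corroborated point."""
    tags = parse_exiftool(exif_text)
    lat = dms_to_decimal(tags["GPS Latitude"])
    lon = dms_to_decimal(tags["GPS Longitude"])
    return {
        "decimal": "%.6f,%.6f" % (lat, lon),  # paste straight into a maps search box
        "utc_offset_h": utc_offset_hours(tags["Date/Time Original"], tags["GPS Date/Time"]),
        "km_from_reference": haversine_km(lat, lon, ref_lat, ref_lon),
    }

if __name__ == "__main__":
    print(check_photo(EXIF_TEXT, SIGN_LAT, SIGN_LON))
```

For the values above this reports a local offset of +1 hour (CET, consistent with Norway in early March, so the EXIF and GPS clocks agree with the location) and roughly 2.6 km between the stamped fix and the sign, a few minutes of highway driving, which fits the stale-fix explanation rather than a wrong photo.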


Answer: E16

Fun fact: E16 is actually a route number, not an exit number, despite what the question suggests. From Wikipedia: European route E16 is the designation of a main west-east road through Northern Ireland, Scotland, Norway and Sweden.
