CyberDefenders: The Crime Write-up

The Crime Lab

Challenge Link: The Crime

Utilize ALEAPP to analyze Android device artifacts, reconstructing a victim’s financial details, movements, and communication patterns.

Scenario

We’re currently in the midst of a murder investigation, and we’ve obtained the victim’s phone as a key piece of evidence. After conducting interviews with witnesses and those in the victim’s inner circle, your objective is to meticulously analyze the information we’ve gathered and diligently trace the evidence to piece together the sequence of events leading up to the incident.

Q&A

Q1. Based on the accounts of the witnesses and individuals close to the victim, it has become clear that the victim was interested in trading. This has led him to invest all of his money and acquire debt. Can you identify the SHA256 of the trading application the victim primarily used on his phone?

First, install ALEAPP, a tool designed to parse Android file system extractions, from its official GitHub repository.

Load the downloaded evidence files into ALEAPP.

To identify the SHA256 of the application the victim was using for trading, open the Installed Apps tab.

The application named olymptrade is the one the victim was using, as the others aren’t related to trading activities.

  • Bundle ID: com.ticno.olymptrade
  • Version Code: 672
  • SHA256: 4f168a772350f283a1c49e78c1548d7c2c6c05106d8b9feb825fdc3466e9df3c

Q2. According to the testimony of the victim’s best friend, he said, “While we were together, my friend got several calls he avoided. He said he owed the caller a lot of money but couldn't repay now”. How much does the victim owe this person?

Since several calls were made, check the Call Logs.

On 2023-09-20 at 19:31 there were several missed calls from the number +201172137258. This number was saved in the Contacts under the name Shady Wahab.

Now check the SMS Messages tab.

On 2023-09-20 at 21:09:49 the victim received a threatening SMS message demanding repayment of his debt, which amounted to 250,000 EGP.


Q3. What is the name of the person to whom the victim owes money?

We already extracted this information from the previous question: the contact is Shady Wahab.


Q4. Based on the statement from the victim’s family, they said that on September 20, 2023, he departed from his residence without informing anyone of his destination. Where was the victim located at that moment?

Android stores location-related data in several places, including the recent-tasks log and the snapshots of recently used applications. In the Recent Activity tab, the victim was using the Google Maps application on 2023-09-20 at 23:50:29, which is about 3 hours after the threatening message was sent.

The snapshot shows a highlighted location at the Nile Ritz-Carlton.


Q5. The detective continued his investigation by questioning the hotel lobby attendant. She informed him that the victim had reserved the room for 10 days and had a flight scheduled thereafter. The investigator believes that the victim may have stored his ticket information on his phone. Look for where the victim intended to travel.

Check the communication logs of the instant messaging applications. About 4 hours after the threatening message, on 2023-09-20 00:57:26, the victim texted a user called “rob1ns0n,” stating that he had some changes to the plan and had booked a flight ticket for October 1, 2023, at 9:00 AM, which was 10 days after his hotel stay.

The user “rob1ns0n” had responded on September 20, 2023, at 20:46:02, before the changes happened; at that point they were planning to meet at The Mob Museum.


Q6. After examining the victim’s Discord conversations, we discovered he had arranged to meet a friend at a specific location. Can you determine where this meeting was supposed to occur?

We already checked the Discord conversation from the previous question; the arrangement was supposed to happen at the Mob Museum at 9:00 AM. A quick search on The Mob Museum shows it is located in Las Vegas.


Timeline of the Events

  • Prior to September 20, 2023: The victim invested all of his money and acquired significant debt, primarily using the Olymptrade application (SHA256: 4f168a772350f283a1c49e78c1548d7c2c6c05106d8b9feb825fdc3466e9df3c).
  • September 20, 2023, ~19:31: While with his best friend, the victim received and avoided several missed calls from Shady Wahab, a person to whom he owed a large sum of money.
  • September 20, 2023, 20:46: The victim’s Discord contact, rob1ns0n, confirmed plans to meet at The Mob Museum in Las Vegas at 9:00 AM.
  • September 20, 2023, 21:09: The victim received a threatening SMS from Shady Wahab demanding repayment of his debt, which amounted to 250,000 EGP.
  • September 20, 2023, 23:50: The victim, having departed his residence without informing anyone, used Google Maps. His activity indicates his location was at The Nile Ritz-Carlton hotel in Cairo. He booked a room there for 10 days.
  • September 21, 2023, 00:57: The victim messaged rob1ns0n on Discord to change their plans. He stated he had booked a flight ticket for October 1, 2023, at 9:00 AM, implying an intention to flee his current situation.
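The timeline above is built by correlating timestamps from several ALEAPP tabs (Call Logs, SMS Messages, Recent Activity, Discord) against one anchor event, the threatening SMS. The following Python script is an added example, not part of the write-up or of ALEAPP itself: it assumes timestamps are rendered as "YYYY-MM-DD HH:MM:SS" and that the device clock is UTC (`DEVICE_TZ` is an assumption to adjust), and its event records are constructed from the facts the write-up reports.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumption: ALEAPP renders timestamps as "YYYY-MM-DD HH:MM:SS" and the
# device clock is UTC. Change DEVICE_TZ if your extraction reports local time.
DEVICE_TZ = timezone.utc
FMT = "%Y-%m-%d %H:%M:%S"


@dataclass(frozen=True)
class Event:
    source: str      # ALEAPP tab the artifact came from
    when: datetime   # timezone-aware timestamp
    summary: str


def parse_ts(text: str) -> datetime:
    """Parse an ALEAPP-style timestamp into an aware datetime."""
    return datetime.strptime(text, FMT).replace(tzinfo=DEVICE_TZ)


def build_timeline(events, anchor_source):
    """Sort events chronologically and express each one as hours relative
    to the first event whose source matches anchor_source."""
    anchor = next(e for e in events if e.source == anchor_source)
    rows = []
    for e in sorted(events, key=lambda e: e.when):
        delta_h = (e.when - anchor.when) / timedelta(hours=1)
        rows.append((round(delta_h, 2), e.source, e.summary))
    return rows


# Constructed sample records, following the artifacts the write-up walks through.
EVENTS = [
    Event("Call Logs", parse_ts("2023-09-20 19:31:00"), "missed calls from +201172137258 (Shady Wahab)"),
    Event("Discord", parse_ts("2023-09-20 20:46:02"), "rob1ns0n confirms meeting at The Mob Museum"),
    Event("SMS Messages", parse_ts("2023-09-20 21:09:49"), "threatening SMS demanding 250,000 EGP"),
    Event("Recent Activity", parse_ts("2023-09-20 23:50:29"), "Google Maps snapshot at Nile Ritz-Carlton"),
    Event("Discord", parse_ts("2023-09-21 00:57:26"), "victim tells rob1ns0n about flight on 2023-10-01 09:00"),
]


def hours_after_threat(source, summary_fragment):
    """Answer the write-up's 'N hours after the threat' statements numerically."""
    for delta_h, src, summ in build_timeline(EVENTS, "SMS Messages"):
        if src == source and summary_fragment in summ:
            return delta_h
    raise KeyError(summary_fragment)


if __name__ == "__main__":
    for delta_h, src, summ in build_timeline(EVENTS, "SMS Messages"):
        print(f"{delta_h:+7.2f} h  {src:16} {summ}")
```

Negative offsets mark artifacts that precede the threat, which is how the Discord reply at 20:46:02 is placed before the SMS in the timeline.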
This post is licensed under CC BY 4.0 by the author.