\documentclass[a4paper,12pt]{article}

\usepackage{geometry}
\usepackage[english]{babel}
\usepackage{microtype}
\usepackage{hyperref}
\usepackage{listings}
\usepackage{graphicx}

\lstdefinestyle{mystyle}{
  basicstyle=\ttfamily\footnotesize,
  breakatwhitespace=false,
  breaklines=true,
  captionpos=b,
  keepspaces=true,
  showspaces=false,
  showstringspaces=false,
  showtabs=false,
  tabsize=2
}
\lstset{style=mystyle}

\setlength{\parindent}{0pt}

\title{Smartphones Report}
\author{Tobias Eidelpes 01527193}
\date{\today}

\begin{document}

\maketitle

\section{Findings}

Two image files have been provided: one for Beth Dutton (Apple iPhone X) and one for Heisenberg White (Galaxy Note10). Both images were analyzed with Cellebrite Reader\footnote{sha1sum: 327cc80f3a477599ed2f62cb467677830405386a} and databases of interest were opened using DB Browser for SQLite, version 3.12.2. The system used for forensic analysis is Windows 10.

Heisenberg got in contact with Beth in July and tried to sell a 2014 Hyundai Sonata on Craigslist. The conversation with a potential buyer is shown in figure~\ref{fig:heisenberg-stolen-car}. The video Heisenberg recorded during the arrest\footnote{/data/media/0/DCIM/Camera/20210720\_150222.mp4} (on 2021-07-20) indicates that the VIN is marked as stolen.

Heisenberg is subscribed to multiple topics on Twitter from which he regularly receives e-mail notifications. The Twitter app stores which topics its users are interested in. For Heisenberg, the database named 1378525099184291843-61.db\footnote{/data/data/com.twitter.android/databases/1378525099184291843-61.db} contains information on his interests in the table \emph{interest\_topics}. Furthermore, he has an Android app called \emph{HideX} installed (see figure~\ref{fig:heisenberg-hidex-apps}), which allows users to hide information on the phone or to restrict access to certain apps.

Beth has multiple conversations with her sister, Marsha Mellows, on her phone.
They have communicated using different apps such as Signal, WhatsApp and Snapchat. Beth also has an e-mail account, \emph{tornadobeth@gmail.com}, which receives daily e-mails from Apple News. The e-mail account is mostly used for creating accounts for Apple.

Beth's chat history shows messages with Marsha Mellows, her sister, where the topic is cars that could potentially be interesting to them. They use specific language such as \emph{baby shark} or \emph{f0x} in their messages.

Her location history shows that she visited multiple cities between February 2021 and July 2021. In some cities she took pictures at the airport. Other pictures she took include cars. She met with her friends for dinner at Amani's Byob Downingtown, as indicated by a post\footnote{/filesystem1/private/var/mobile/Containers/Data/Application/AF3D3CB2-CFB9-4234-AEA7-16C92A99E024/Library/Caches/graphStoreDB/GraphStore\_100032893519941.sqlite3} she made on Facebook on 2021-06-18 (see figure~\ref{fig:beth-dinner}). She also connected her phone to a car, MY-QX80, on 2021-04-06\footnote{/filesystem1/private/var/containers/Shared/SystemGroup/C272EF97-5B86-4578-B2ED-AAAB06943E85/Library/Preferences/com.apple.MobileBluetooth.devices.plist} via Bluetooth (see figure~\ref{fig:beth-connected-car}). On 2021-06-29 she called her sister from New York. On the same day she took a video\footnote{/filesystem1/private/var/mobile/Media/DCIM/100APPLE/IMG\_0079.MOV} which has location information embedded inside. She did not use the Waze app on 2021-07-13.

\section{Expert Opinion}

Heisenberg is most likely aware that the car he was trying to sell was stolen. His message that he will only share the VIN once they meet in person indicates that he did not want to share it earlier out of fear that the buyer would see that the car is marked as stolen. He was in contact with Beth as well and likely received the car from her to sell.
Heisenberg's interests on Twitter include multiple cryptocurrencies, which are listed in figure~\ref{fig:heisenberg-crypto-interest}.

Beth was introduced to stealing cars by her sister, Marsha Mellows. They have completed multiple jobs in different cities from at least February 2021 until her arrest in July 2021. The online conversations between the two contain special words such as \emph{f0x} or \emph{baby shark}, which could be code words for different cars. While Beth did not use the Waze app on 2021-07-03, she last used the app on 2021-07-01 at the Philadelphia International Airport (see figures~\ref{fig:beth-waze-usage} and~\ref{fig:beth-waze-userdb}).

\section{Appendix}

This section contains documentation relevant to the findings above.

\begin{figure}
  \centering
  \includegraphics[width=\textwidth]{heisenberg-stolen-car.PNG}
  \caption{Heisenberg's conversation with a potential customer.}
  \label{fig:heisenberg-stolen-car}
\end{figure}

\begin{figure}
  \centering
  \includegraphics[width=\textwidth]{heisenberg-hidex-apps.PNG}
  \caption{Heisenberg installed HideX on his phone to hide access to WhatsApp and his gallery.}
  \label{fig:heisenberg-hidex-apps}
\end{figure}

\begin{figure}
  \centering
  \includegraphics[width=\textwidth]{beth-dinner.PNG}
  \caption{Beth's Facebook post from 2021-06-18, when she was out for dinner with friends.}
  \label{fig:beth-dinner}
\end{figure}

\begin{figure}
  \centering
  \includegraphics{heisenberg-crypto-interest.PNG}
  \caption{Cryptocurrencies Heisenberg is interested in on Twitter.}
  \label{fig:heisenberg-crypto-interest}
\end{figure}

\begin{figure}
  \centering
  \includegraphics[width=\textwidth]{beth-waze-usage.PNG}
  \caption{Beth's Waze app usage on 2021-07-01.}
  \label{fig:beth-waze-usage}
\end{figure}

\begin{figure}
  \centering
  \includegraphics[width=\textwidth]{beth-waze-userdb.PNG}
  \caption{Beth's Waze app usage on 2021-07-01 near Philadelphia International Airport.}
  \label{fig:beth-waze-userdb}
\end{figure}

\begin{figure}
  \centering
  \includegraphics[width=\textwidth]{beth-connected-car.PNG}
  \caption{Bluetooth connection log of Beth's iPhone connecting to MY-QX80.}
  \label{fig:beth-connected-car}
\end{figure}

\end{document}