157 lines
6.1 KiB
TeX
157 lines
6.1 KiB
TeX
\documentclass[a4paper,12pt]{article}
|
|
|
|
\usepackage{geometry}
|
|
\usepackage[english]{babel}
|
|
\usepackage{microtype}
|
|
\usepackage{hyperref}
|
|
\usepackage{listings}
|
|
\usepackage{graphicx}
|
|
|
|
\lstdefinestyle{mystyle}{
|
|
basicstyle=\ttfamily\footnotesize,
|
|
breakatwhitespace=false,
|
|
breaklines=true,
|
|
captionpos=b,
|
|
keepspaces=true,
|
|
showspaces=false,
|
|
showstringspaces=false,
|
|
showtabs=false,
|
|
tabsize=2
|
|
}
|
|
|
|
\lstset{style=mystyle}
|
|
|
|
\setlength{\parindent}{0pt}
|
|
|
|
\title{Smartphones Report}
|
|
\author{Tobias Eidelpes 01527193}
|
|
\date{\today}
|
|
|
|
\begin{document}
|
|
\maketitle
|
|
|
|
\section{Befund}
|
|
|
|
Two image files have been provided. One for Beth Dutton (Apple iPhone X) and one
|
|
for Heisenberg White (Galaxy Note10). Both images were analyzed with Cellebrite
|
|
Reader\footnote{sha1sum: 327cc80f3a477599ed2f62cb467677830405386a} and databases
|
|
of interest were opened using the DB Browser for SQLite in version 3.12.2. The
|
|
system used for forensic analysis is Windows 10.
|
|
|
|
Heisenberg has gotten in contact with Beth in July and tried to sell a 2014
|
|
Hyundai Sonata on craigslist. The conversation with a potential buyer is listed
|
|
in figure~\ref{fig:heisenberg-stolen-car}. The video Heisenberg recorded during
|
|
the arrest\footnote{/data/media/0/DCIM/Camera/20210720\_150222.mp4} (on
|
|
2021-07-20) indicates that the VIN is marked as stolen.
|
|
|
|
Heisenberg is subscribed to multiple topics on Twitter from which he regularly
|
|
receives E-Mail notifications. The Twitter App stores which topics its users are
|
|
interested in. For Heisenberg, the database named
|
|
1378525099184291843-61.db\footnote{/data/data/com.twitter.android/databases/1378525099184291843-61.db}
|
|
contains information on his interests in the table \emph{interest\_topics}.
|
|
Furthermore, he has an android app called \emph{HideX} installed (see
|
|
figure~\ref{fig:heisenberg-hidex-apps}) which allows users to hide information
|
|
on the phone or to restrict access to certain apps.
|
|
|
|
Beth has multiple conversations with her sister, Marsha Mellows, on her phone.
|
|
They have communicated using different Apps such as Signal, WhatsApp and
|
|
Snapchat. Beth also has an E-Mail account called \emph{tornadobeth@gmail.com}
|
|
which receives daily E-Mails from Apple News. The E-Mail account is mostly used
|
|
for creating accounts for Apple.
|
|
|
|
Beth's chat history shows messages with Marsha Mellows, her sister, where the
|
|
topic is cars that could potentially be interesting to them. They use specific
|
|
language such as \emph{baby shark} or \emph{f0x} in their messages. Her location
|
|
history shows that she visited multiple cities between February 2021 and July
|
|
2021. In some cities she took pictures at the airport. Other pictures she took
|
|
include cars. She met with her friends for dinner at Amani's Byob Downingtown as
|
|
indicated by a
|
|
post\footnote{/filesystem1/private/var/mobile/Containers/Data/Application/AF3D3CB2-CFB9-4234-AEA7-16C92A99E024/Library/Caches/graphStoreDB/GraphStore\_100032893519941.sqlite3}
|
|
she made on Facebook on 2021-06-18 (see figure~\ref{fig:beth-dinner}). She also
|
|
connected her phone to a car MY-QX80 on
|
|
2021-04-06\footnote{/filesystem1/private/var/containers/Shared/SystemGroup/C272EF97-5B86-4578-B2ED-AAAB06943E85/Library/Preferences/com.apple.MobileBluetooth.devices.plist}
|
|
via bluetooth (see figure~\ref{fig:beth-connected-car}). On 2021-06-29 she
|
|
called her sister from New York. On the same day she took a
|
|
video\footnote{/filesystem1/private/var/mobile/Media/DCIM/100APPLE/IMG\_0079.MOV}
|
|
which has location information embedded inside. She did not use the Waze App on
|
|
2021-07-13.
|
|
|
|
\section{Gutachten}
|
|
|
|
Heisenberg is most likely aware that the car he was trying to sell was stolen.
|
|
His message that he will only share the VIN once they meet in person indicates
|
|
that he did not want to share it earlier out of fear that the buyer will see
|
|
that the car is marked as stolen. He was in contact with Beth as well and likely
|
|
received the car from her to sell.
|
|
|
|
Heisenberg's interests on Twitter include multiple cryptocurrencies, which are
|
|
listed in figure~\ref{fig:heisenberg-crypto-interest}.
|
|
|
|
Beth has been introduced to stealing cars by her sister Marsha Mellows. They
|
|
have completed multiple jobs in different cities at least from February 2021
|
|
until her arrest in July 2021. The online conversations both have contain
|
|
special words such as \emph{f0x} or \emph{baby shark} which could be code words
|
|
for different cars.
|
|
|
|
While Beth did not use the Waze App on 2021-07-03, she last used the App on
|
|
2021-07-01 at the Philadelphia International Airport (see
|
|
figures~\ref{fig:beth-waze-usage} and~\ref{fig:beth-waze-userdb}).
|
|
|
|
\section{Appendix}
|
|
|
|
This section contains relevant documentation to the findings from above.
|
|
|
|
\begin{figure}
|
|
\centering
|
|
\includegraphics[width=\textwidth]{heisenberg-stolen-car.PNG}
|
|
\caption{Heisenberg's conversation with a potential customer.}
|
|
\label{fig:heisenberg-stolen-car}
|
|
\end{figure}
|
|
|
|
\begin{figure}
|
|
\centering
|
|
\includegraphics[width=\textwidth]{heisenberg-hidex-apps.PNG}
|
|
\caption{Heisenberg installed HideX on his phone to hide access to WhatsApp
|
|
and his gallery.}
|
|
\label{fig:heisenberg-hidex-apps}
|
|
\end{figure}
|
|
|
|
\begin{figure}
|
|
\centering
|
|
\includegraphics[width=\textwidth]{beth-dinner.PNG}
|
|
\caption{Beth's Facebook post on 2021-06-18 when she is out for dinner with
|
|
friends.}
|
|
\label{fig:beth-dinner}
|
|
\end{figure}
|
|
|
|
\begin{figure}
|
|
\centering
|
|
\includegraphics{heisenberg-crypto-interest.PNG}
|
|
\caption{Heisenberg's cryptocurrencies he is interested in on Twitter.}
|
|
\label{fig:heisenberg-crypto-interest}
|
|
\end{figure}
|
|
|
|
\begin{figure}
|
|
\centering
|
|
\includegraphics[width=\textwidth]{beth-waze-usage.PNG}
|
|
\caption{Beth Waze App usage on 2021-07-01.}
|
|
\label{fig:beth-waze-usage}
|
|
\end{figure}
|
|
|
|
\begin{figure}
|
|
\centering
|
|
\includegraphics[width=\textwidth]{beth-waze-userdb.PNG}
|
|
\caption{Beth Waze App usage on 2021-07-01 near Philadelphia International
|
|
Airport.}
|
|
\label{fig:beth-waze-userdb}
|
|
\end{figure}
|
|
|
|
\begin{figure}
|
|
\centering
|
|
\includegraphics[width=\textwidth]{beth-connected-car.PNG}
|
|
\caption{Bluetooth connection log of Beth's iPhone connecting to MY-QX80.}
|
|
\label{fig:beth-connected-car}
|
|
\end{figure}
|
|
|
|
\end{document}
|