typo correction.

[pub/jan/digfor.git] / report4 / content.tex

\newpage\section{Questions (12 points)}
\subsection{How and when did Mr. Smith and Mr. Mayer communicate? (2 point)}
\begin{center}\begin{tabularx}{\textwidth}{| l | l | l | l | l | X | }
  \hline source & service & timestamp & from & to & content\\
  \hline IPBA & skype message & 27-11-2012 12:20:00 & Smith & Mayer & Auth\_Request Hallo! Ich würde Sie gerne in meine Skype-Kontaktlistaufnehmen. Johannes Smith\\
  \hline ANDRO & eMail & 2012-11-27 13:03:02 & Mayer & Smith & Re: current stocks!\\
  \hline ANDRO & dropbox & 2012-11-27 16:08:24 & Mayer & Smith & shared folder confidential\\
  \hline IPBA & skype message & 2012-12-06 13:20:33 & Mayer & Smith & Auth\_Granted\\
  \hline IPBA & call & 2012-12-06 14:35:38 & Mayer & Smith & duration 0:01:15\\
  \hline IPBA & call & 2012-12-06 16:00:10 & Smith & Mayer & duration 0:00:17 No corresponding entry on ANDRO.\\
  \hline IPBA & sms & 2012-12-06 16:20:46 & Mayer & Smith & Ich habe wichtige Informationen über unseren letzten deal für dich. Ruf dich später an, wenn ich ungestört bin.\\
  \hline IPBA & call & 2012-12-06 16:25:30 & Smith & Mayer & duration 0:00:00\\
  \hline IPBA & call & 2012-12-06 16:26:11 & Smith & Mayer & duration 0:00:00 (ANDRO: duration 0:00:13)\\
  \hline IPBA & sms & 2012-12-06 16:30:43 & Smith & Mayer & Sicherer kanal wär besser ....\\
  \hline IPBA & viber call & 2012-12-06 16:31:57 & Mayer & Smith & duration 0:01:11\\
  \hline IPBA & skype message & 2012-12-06 16:33:53 & Smith & Mayer & "Hallo"\\
  \hline ANDRO & viber call & 2012-12-06 16:35:14 & Smith & Mayer & duration 0:00:00. No corresponding entry on IPBA. \\
  \hline IPBA & sms & 2012-12-06 16:36:26 & Smith & Mayer & Hallo, ich empfehle dir den WhatsApp Messenger für Android, iPhone, Nokia, BlackBerry und Windows Phone auf http://whatsapp.com/dl/\\
  \hline IPBA & sms & 2012-12-06 16:42:50 & Mayer & Smith & Viel zu unsicher, hab mir vor kurzem einen ganz tollen vortrag darüber angehört...\\
  \hline IPBA & sms & 2012-12-06 16:45:19 & Mayer & Smith & Ich hab von einem kollegen wichtige informationen. Ruf dich an\\
  \hline IPBA & call & 2012-12-06 16:45:36 & Mayer & Smith & duration 0:00:21\\
  \hline
\end{tabularx}\end{center}

Some inconsistencies between the phones' data could hint at one or both parties owning one more device that was not analyzed.


\subsection{What information was exchanged between Mr. Smith and Mr. Mayer? (3 points)}
Mayer shared a folder called called \emph{\textbf{confidential}} with Smith over Dropbox.\\
The invitation eMail contains the URL to that folder (\url{https://www.dropbox.com/sh/vynk4jf4tghe88d/
xkfh_H-BLn?lst#/}).\\
The folder is publicly accessible so it was possible to extract its contents.
\begin{itemize}
\item\emph{\textbf{2012-11-27 14.31.56.png}}\\iPhone screenshot from some flightplan App, shows a number of flights departing Vienna shortly after 1700 (among those, two flights from Vienna to Paris)
\item\emph{\textbf{Homer-Simpson-Butt-Wide-Load.png}}\\Snapshot of from an episode of The Simpsons showing Homer with \textbf{Wide Load} written across his back.
\item\emph{\textbf{Stocks-watch.jpg}}\\A key lying on a newspaper with a headline beginning with \textbf{Investing}
\item\emph{\textbf{stocks.jpg}}\\Smaller version of \emph{\textbf{IPBA::IMG\_0005.JPG}} from the iPhone backup.
\end{itemize}


\subsection{Can you find any evidence or hints that support the suspicion of insider trade? (3 points)}
No hard evidence was found.\\
The fact that both parties looked up stock trading sites could hint at that. Also some not too suspicious images were exchanged.\\
Mayer communicates with Ernst Strasser while Smith communicates with Karl Heinz Grasser.\\
Obviously because of the Unschuldsvermutung neither Mayer nor Smith could even remotely be connected with insider trading *scnr*


\subsection{Was the person that the witness identified really Mr. Mayer? (2 points)}
As Mayer was in Paris on Friday, 7th of December 2012, late afternoon it seems unlikely that a witness saw them.\\
Unless of course Mayer and Smith met in Paris which could be hinted at by the FILE in the dropbox-directory and the witness too was in Paris at that time.


\subsection{Mr. Mayer seems to have more secrets than initially expected. What is his big secret? (2 points)}
It looks like Mayer is married to Mrs. Ilse Mayer-Brandl (profile: \url{https://www.facebook.com/ilse.mayerbrandl}) and has an affair with Laura Markovic (\url{https://www.facebook.com/laura.markovic.129}).




\newpage\section{iPhone}
\subsection{Source: iPhone.tar.gz (IPBA)}
iPhone backup image from Allegro Mayer's Phone. The extracted files were analysed with iP Backup Analyzer2.
\begin{quote}
\textbf{size}: 6775181 byte\\
\textbf{''file''-output}: gzip compressed data, last modified: Fri Dec 14 11:42:54 2012, from Unix\\
\textbf{sha512}\\\ttfamily{
ff746e574a0d668e1d82c3ff72501a75eabe642e1dee7f20d3d74b9fe72054f9\\
9b9a91ded1b3f98067a63065423c620c73c42c65e13c3b110424854b3e7f6678}
\end{quote}


\subsection{Contacts}
The contacts-db was extracted from \emph{\textbf{IPBA::Home Domain:Library/AddressBook/AddressBook.sqlitedb}}
\begin{quote}
\textbf{size}: 87040 byte\\
\textbf{''file''-output}: SQLite 3.x database\\
\textbf{sha512}\\\ttfamily{
450e49183cc8781577f0c57a91a8a40f604ac2d3621037467f80745850b5613b\\
8c0492724930e90552c671a5f81e20b7f88e5cfd175fe6718eab350b2f3dbc90}
\end{quote}

The content was:
\begin{center}\begin{tabular}{ | l | r | }
  \hline Name & Phone \\
  \hline <None> & +436603169718 \\
  \hline Laura Markovic & 0680 3303660 \\
  \hline Sabine Oberhuber & +436604413637 \\
  \hline Johannes Smith & +43 660 5166042 \\
  \hline Ernst Strasser & 0660 4394199 \\
  \hline
\end{tabular}\end{center}


\subsection{Call-Log}
The call-log was extracted from \emph{\textbf{IPBA::Wireless Domain:Library/Callhistory/call\_history.db}}
\begin{quote}
\textbf{size}: 12288 byte\\
\textbf{''file''-output}: SQLite 3.x database\\
\textbf{sha512}\\\ttfamily{
4cf477e649e9fc868183667489222e3e48cba5e2925423bc8dcdb51783c9b9b6\\
47fc184518b06e8a2b44f7c1e0fc746058eaf0b23a462870b380ea6f7354b6e1}
\end{quote}

The content was:
\begin{center}\begin{tabular}{| l | l | l | l | l | }
  \hline date & to/from & Phonenumber & name & duration (sec)\\
  \hline 2012-12-06 13:35:38 & to & 06603169718 & <None> & 75\\
  \hline 2012-12-06 14:02:20 & to & 06803303660 & Laura Markovic & 0\\
  \hline 2012-12-06 14:03:02 & from & +436605969364 & & 23\\
  \hline 2012-12-06 14:08:34 & to & 0660303010 & & 0\\
  \hline 2012-12-06 14:10:02 & to & 0660303030 & & 1181\\
  \hline 2012-12-06 15:17:05 & to & 0660303030 & & 1023\\
  \hline 2012-12-06 15:34:30 & to & 0660303030 & & 864\\
  \hline 2012-12-06 16:00:10 & from & +436605166042 & Johannes Smith & 17\\
  \hline 2012-12-06 16:08:02 & to & 06604394199 & Ernst Strasser & 9\\
  \hline 2012-12-06 16:25:30 & from & +436605166042 & Johannes Smith & 0\\
  \hline 2012-12-06 16:26:11 & from & +436605166042 & Johannes Smith & 0\\
  \hline 2012-12-06 16:34:39 & to & 06604394199 & Ernst Strasser & 6\\
  \hline 2012-12-06 16:34:52 & to & 06604394199 & Ernst Strasser & 12\\
  \hline 2012-12-06 16:35:10 & to & 06604394199 & Ernst Strasser & 23\\
  \hline 2012-12-06 16:45:36 & to & +436605166042 & Johannes Smith & 21\\
  \hline
\end{tabular}\end{center}


\subsection{SMS/iMessage}
The SMS-Database was extracted from \emph{\textbf{IPBA::Home Domain:Library/SMS/sms.db}}
\begin{quote}
\textbf{size}: 41984 byte\\
\textbf{''file''-output}: SQLite 3.x database\\
\textbf{sha512}\\\ttfamily{
6fa73f676ca04eed70f10b8286c884ebcc5c01073bbdd8128ba26f676c7a6212\\
793f944999a9331fb990ef8e5dd5420b9d758b8456cb7b6f9f577bb8098cfafa}
\end{quote}


The content was:
\begin{center}\begin{tabularx}{\textwidth}{| l | l | X | l | X | }
  \hline date & from/to & number & service & text\\
  \hline 2012-12-06 16:17:20 & from & Viber & SMS & Your Viber code is: 9386 Close this message and enter the code into Viber to activate your account.\\
  \hline 2012-12-06 16:20:46 & to & +436603169718 <None> & SMS & Ich habe wichtige Informationen über unseren letzten deal für dich. Ruf dich später an, wenn ich ungestört bin\\
  \hline 2012-12-06 16:30:43 & to & +436603169718 <None> & SMS & Sicherer kanal wär besser ....\\
  \hline 2012-12-06 16:33:58 & to & +436604413637 & iMessage & Hi wie gehts? Treffen wir und mal auf einen drink?\\
  \hline 2012-12-06 16:36:26 & from & +436605166042 Johannes Smith & SMS & Hallo, ich empfehle dir den WhatsApp Messenger für Android, iPhone, Nokia, BlackBerry und Windows Phone auf http://whatsapp.com/dl/\\
  \hline 2012-12-06 16:42:50 & to & +436605166042 Johannes Smith & SMS & Viel zu unsicher, hab mir vor kurzem einen ganz tollen vortrag darüber angehört...\\
  \hline 2012-12-06 16:45:19 & to & +436605166042 Johannes Smith & SMS & Ich hab von einem kollegen wichtige informationen. Ruf dich an\\
  \hline
\end{tabularx}\end{center}


\subsection{Calendar}
The Calendar-Database was extracted from \emph{\textbf{IPBA::Home Domain:Library/Calendar/Calendar.sqlitedb}}
\begin{quote}
\textbf{size}: 126976 byte\\
\textbf{''file''-output}: SQLite 3.x database\\
\textbf{sha512}\\\ttfamily{
bcb14cbb2df068bf6905f3383c0bade056a0f1188aa9606dbe639e4d11f32a5d\\
79dee3f3fdf4ac6eb7581c6a4c6c46f0620cf6e49f46567a40870e13926cc3af}
\end{quote}

The content was:
\begin{center}\begin{tabular}{| l | l | l | l | }
  \hline event & start & end & location\\
  \hline Paris geschäftsreise & 2012-12-07 14:00:00 & 2012-12-09 19:00:00 & Paris\\
  \hline Meeting & 2012-12-10 10:00:00 & 2012-12-10 11:00:00 & Zbank\\
  \hline Nordic walking & 2012-12-11 07:00:00 & 2012-12-11 07:30:00 &  \\
  \hline Statusmeeting & 2012-12-11 08:00:00 & 2012-12-11 12:00:00 &  \\
  \hline
\end{tabular}\end{center}


\subsection{Browser}
The plist \emph{\textbf{IPBA::HomeDomain:Library/Safari/History.plist}} opened with IPBA2 plist-viewer cointains the browser history.

\begin{center}\begin{tabularx}{\textwidth}{| l | X | X |}
  \hline timestamp & title & url \\
  \hline 2012-12-07 09:03:15 & Flughafen Wien - Abflüge - Offen für neue Horizonte & https://www.google.at/url?sa=t\&source=web\&cd=3\&ved=0CD0QjBAwAg\&url=http\%3A\%2F\%2Fwww.viennaairport.com\%2Fjart\%2Fprj3\%2Fva\%2Fmain.jart\%3Frel\%3Dde\%26content-id\%3D1249344074230\%26reserve-mode\%3Dactive\&ei=jLDBULjlB8bE4gTn-oGABw\&usg=AFQjCNHU5R5b3WsiOhYSIsli3inGLTEFGQ\\
  \hline 2012-12-07 09:02:03 & flughafen wien - Google-Suche & https://www.google.at/search?q=flughafen+wien\&ie=UTF-8\&oe=UTF-8\&hl=de\&client=safari\\
  \hline 2012-12-07 09:01:54 & Laura Markovic & https://m.facebook.com/laura.markovic.129?\_\_user=100004760941674\\
  \hline 2012-12-06 16:14:19 & RNS News - London Stock Exchange & http://m.londonstockexchange.com/exchange/mobile/news/detail.html?announcementId=11421386\\
  \hline 2012-12-06 16:14:14 & FTSE AIM 100 - London Stock Exchange & http://m.londonstockexchange.com/exchange/mobile/indices/summary.html?index=AIM1\\
  \hline 2012-12-06 16:14:07 & Homepage - London Stock Exchange & https://www.google.at/url?sa=t\&source=web\&cd=1\&ved=0CEQQFjAA\&url=http\%3A\%2F\%2Fm.londonstockexchange.com\%2Fexchange\%2Fmobile\%2Fhomepage.html\&ei=ScTAUPK8FMfKtAaQq4GYBQ\&usg=AFQjCNE22q6svVgMrwz\_D7x-iD0srW0nTw\\
  \hline 2012-12-06 16:14:00 & stock exchange london - Google-Suche & https://www.google.at/search?q=stock+exchange+london\&ie=UTF-8\&oe=UTF-8\&hl=de\&client=safari\\
  \hline 2012-12-06 16:10:22 & Ohne Anstehen: Tickets Eiffelturm \& Rundgang Rive Droite, | Mobil - GetYourGuide.com & http://www.getyourguide.de/paris-l16/ohne-anstehen-tickets-eiffelturm-rundgang-rive-droite-t25185/\#calendar\\
  \hline 2012-12-06 16:10:03 & Ohne Anstehen: Tickets Eiffelturm \& Rundgang Rive Droite, | Mobil - GetYourGuide.com & http://www.getyourguide.de/paris-l16/ohne-anstehen-tickets-eiffelturm-rundgang-rive-droite-t25185/\\
  \hline 2012-12-06 16:09:56 & Paris: Touren, Ausflüge \& Aktivitäten | Mobil - GetYourGuide.com & https://www.google.at/aclk?sa=l\&ai=Cw0lOT8PAUNn8BIaX0wXeoYHwD43W1e0EldC\_uXSaooQJCAAQAiD4mYsSKAJQw5HQuPv\_\_\_\_\_AWCpsL6AzAGgAYutzM0DyAEBqQJiko-yhe21PqoEIk\_QmH99e-Hnj0NaSGjzY1ceX0oZt9LcfH\_ckQNETkSVs7yABZfgvAvYBgI\&sig=AOD64\_3cmbdhf4eRcAjv\_a9FMrltcGuHTA\&ved=0CC0Q0Qw\&adurl=http://21.xg4ken.com/media/redir.php\%3Fprof\%3D89\%26camp\%3D65425\%26affcode\%3Dkw720159\%26inhURL\%3D\%26cid\%3D31229666013\%26networkType\%3Dsearch\%26url\%5B\%5D\%3Dhttp\%253A\%252F\%252Fwww.getyourguide.de\%252Fparis\%252Fsightseeing-touren-ltc16-2\%252F\%253Fpartner\_id\%253DCD951\\
  \hline 2012-12-06 16:09:50 & paris sightseeing - Google-Suche & https://www.google.at/search?q=paris+sightseeing\&ie=UTF-8\&oe=UTF-8\&hl=de\&client=safari\\
  \hline 2012-12-06 16:08:58 & Laura Markovic & https://m.facebook.com/laura.markovic.129?\_\_user=100004760941674\#!/laura.markovic.129?\_\_user=100004760941674\&soft=jewel\%3D2\\
  \hline 2012-12-06 16:08:49 & Facebook & https://m.facebook.com/home.php?refid=9\#!/laura.markovic.129?\_\_user=100004760941674\\
  \hline 2012-12-06 13:56:39 & Facebook & http://m.facebook.com/?refsrc=http\%3A\%2F\%2Fwww.facebook.com\%2F\&\_rdr\#!/home.php?refsrc=http\%3A\%2F\%2Fwww.facebook.com\%2F\&soft=side-area\&\_\_user=100004760941674\\
  \hline 2012-12-06 13:55:36 & Facebook & http://facebook.com/\\
  \hline 2012-12-06 13:51:26 & Facebook & https://m.facebook.com/home.php?refid=9\#!/home.php?soft=side-area\&\_\_user=100004760941674\\
  \hline 2012-12-06 13:50:58 & Facebook & https://m.facebook.com/home.php?refid=9\#!/home.php?soft=jewel\%3D0\&\_\_user=100004760941674\\
  \hline 2012-12-06 13:46:54 & Facebook & https://m.facebook.com/login.php?refsrc=http\%3A\%2F\%2Fwww.facebook.com\%2F\&landing\_serial=2\&refid=9\\
  \hline 2012-12-06 13:46:08 & Willkommen bei Facebook & https://m.facebook.com/login.php?refsrc=http\%3A\%2F\%2Fwww.facebook.com\%2F\&landing\_serial=1\&refid=8\\
  \hline
\end{tabularx}\end{center}


\subsection{WLANs}
The plist \emph{\textbf{IPBA::SystemPreferencesDomain:SystemConfiguration/com.apple.wifi.plist}} opened with IPBA2 plist-viewer cointains a list of Wireless Networks the phone has joined.\\

\begin{center}\begin{tabular}{| l | l | l |}
  \hline ssid & last join & last autojoin \\
  \hline tunet & 2012-12-06 90:41:55 & \\
  \hline VirtualRouter & 2012-12-06 09:38:00 & 2012-12-06 09:45:45 \\
  \hline pornhub & 2012-12-06 11:51:01 & 2012-12-06 16:05:07 \\
  \hline
\end{tabular}\end{center}


\subsection{Media}
Images were extracted from \emph{\textbf{IPBA::CameraRollDomain:Media/DCIM/100APPLE}}\\

IMG\_0002.PNG: Screenshot of Facebook-App showing a photograph of a woman. Laura Markovic (\url{https://www.facebook.com/laura.markovic.129}) seems to be tagged in that photograph.
\begin{quote}
\textbf{size}: 844814 byte\\
\textbf{''file''-output}: PNG image data640 960 8-bit/color RGB, non-interlaced\\
\textbf{sha512}\\\ttfamily{
986ae5d4272e003d2b8de8a9851d02721c908a43b3eb824331447c309ac92bc3\\
426d99ec2a749462372778feacaedcbd23823cc34dd53d07ab5e7524e4276a0f}
\end{quote}

IMG\_0003.PNG: Screenshot from Maps-App showing directions within Paris.
\begin{quote}
\textbf{size}: 939169 byte\\
\textbf{''file''-output}: PNG image data640 960 8-bit/color RGB, non-interlaced\\
\textbf{sha512}\\\ttfamily{
4238d1a52b41c7f0991dcce42ca347863244af381f34ff59efa33ab9cc85b241\\
849d7087cf42ce426936fc83b3a72ae991a3fc220d4716d874590222237edacf}
\end{quote}

IMG\_0005.JPG: Showing some statistics about company shares.
\begin{quote}
\textbf{size}: 62763 byte\\
\textbf{''file''-output}: JPEG image data, EXIF standard\\
\textbf{sha512}\\\ttfamily{
6201ddb71d24c5b662284ef091f758db5d4144643909eb29dc2522a91fc75bf0\\
e54995f6115f66c96cbd51ec7c052294e8a587eedc156aaa085214fee0619293}
\end{quote}


\subsection{Viber-App}
The Viber-Database was extracted from \emph{\textbf{IPBA::AppDomain:com.viber/Documents/Contacts.data}}
\begin{quote}
\textbf{size}: 41984 byte\\
\textbf{''file''-output}: SQLite 3.x database\\
\textbf{sha512}\\\ttfamily{
89eae3d5fa62a3ea1b499a539f71ee8fc7c8adb147c12d5bb90868384b93206c\\
21f2ce84f493d6c6601851844d14cf4dbdd1523ebe98bdc9deb5db380533df77}
\end{quote}

The call-log was:
\begin{center}\begin{tabular}{| l | l | l | l | l |}
  \hline timestamp & to & number & name & duration (sec)\\
  \hline 2012-12-06 16:27:32 & to & 436803303660 & Laura Markovic & 0\\
  \hline 2012-12-06 16:31:57 & to & 436605166042 & Johannes Smith & 72\\
  \hline
\end{tabular}\end{center}


\subsection{Skype-App}
The Skype-Database was extracted from \emph{\textbf{IPBA::AppDomain:com.skype.skype/Library/Application Support/Skype/allegro.mayer/main.db}}
\begin{quote}
\textbf{size}: 128000 byte\\
\textbf{''file''-output}: SQLite 3.x database\\
\textbf{sha512}\\\ttfamily{
29da4b939b6f3f2def0296ca2087355e57321ecb0a5d0e10264c16c69359a748\\
593fd29b8eef03407be07d386e6a980f2b6d25d29a5d3740bd566531a03c79a1}
\end{quote}

The content was:
\begin{center}\begin{tabularx}{\textwidth}{| l | l | l | l | X |}
  \hline timestamp & to/from & Skype id & name & content\\
  \hline 2012-11-27 12:20:00 & from & johannes.m.smith & Johannes Smith & Hallo! Ich wüurde Sie gerne in meine Skype-Kontaktliste aufnehmen. Johannes Smith\\
  \hline 2012-12-06 13:20:33 & to & johannes.m.smith & Johannes Smith & \\
  \hline 2012-12-06 13:20:57 & to & christoffel.johannes.smith & Chris Smith & Fügen Sie mich als Kontakt hinzu, damit wir anrufen und chatten können\\
  \hline 2012-12-06 13:21:33 & to & addy-juli & Julia & Fügen Sie mich als Kontakt hinzu, damit wir anrufen und chatten können.\\
  \hline 2012-12-06 16:33:51 & from & johannes.m.smith & Johannes Smith & Hallo\\
  \hline
\end{tabularx}\end{center}


\subsection{Dropbox-App}
The plist \emph{\textbf{IPBA::AppDomain:com.getdropbox.Dropbox/Library/Preferences/com.getdropbox.Dropbox.plist}} opened with IPBA2 plist-viewer cointains a field \emph{\textbf{Dropbox Username}} and the email-address \emph{\textbf{allegro.mayer@gmail.com}}\\

Also the field \emph{\textbf{Dropbox Camera Upload Has Ever Uploaded}} is \emph{\textbf{true}}\\


\subsection{Facebook-App}
The plist \emph{\textbf{IPBA::AppDomain:com.facebook.Facebook/com.facebook.Facebook.plist}} opened with IPBA2 plist-viewer cointains a field \emph{\textbf{FBLastLoginEmail}} and the email-address \emph{\textbf{allegro.mayer@gmail.com}}\\

Searching of FB reveales the link to the profile: \url{https://www.facebook.com/allegro.mayer}.\\
That About-Page states his relationship status is married to Mrs. Ilse Mayer-Brandl (profile: \url{https://www.facebook.com/ilse.mayerbrandl}).\\

Relevant FB-postings by Allegro Mayer:\\
On December 7. 2012 11:54 at Flughafen Wien, Vienna Airport, Austria.
\begin{quote}On my way to Paris\end{quote}

On December 7. 2012 14:17 at Paris, with Laura Markovic (\url{https://www.facebook.com/laura.markovic.129}).
\begin{quote}enjoying a romantic weekend with my dearest love in Paris!\end{quote}






\newpage\section{Android}
\subsection{Source: Android.tar.gz (ANDRO)}
Android image from Johannes Markus Smith's phone.
\begin{quote}
\textbf{size}: 270397822 byte\\
\textbf{''file''-output}: gzip compressed data, last modified: Fri Dec 14 12:06:37 2012, from Unix\\
\textbf{sha512}\\\ttfamily{
9614e30affc09d1cbfad5a96e43b2e40dae3c5c123db22dcbd53e980d14418d9\\
ab18c6a2b5b9f8a0e1539474612a4a7ceae627255a2169565f0dddf3409ef67d}
\end{quote}


\subsection{Contacts}
The contacts were extracted from the table \emph{\textbf{raw\_contacts}} and \emph{\textbf{phone\_lookup}} from the file\\
\emph{\textbf{ANDRO::data/data/com.android.providers.contacts/databases/contacts2.db}}
\begin{quote}
\textbf{size}: 110592 byte\\
\textbf{''file''-output}: SQLite 3.x database\\
\textbf{sha512}\\\ttfamily{
ac4da8a978cb0b1e09f9b556065b93790892568a38e0d86cc5d36490fa1b3acc\\
527651378468b8b17c5d56db375bae2f906e53f0a765471d9fae4b0860a6fbc0}
\end{quote}

The content was:
\begin{center}\begin{tabular}{| l | l | }
  \hline number & display\_name\\
  \hline 06604413637 & Antonio Schweinebauer\\
  \hline 06605969364 & Karl Heinz Grasser\\
  \hline +4300436605969364 & Allegro Mayer\\
  \hline +4300436605969364 & Allegro Mayer\\
  \hline 06603203711 & Allegro Mayer\\
  \hline +4300436605969364 & Allegro Mayer\\
  \hline 
\end{tabular}\end{center}

It looks suspicious that 2 different people share the same number. Maybe the tables became corrupt?


\subsection{Call-Log}
The call-logs were extracted from the table \emph{\textbf{calls}} from the file\\
\emph{\textbf{ANDRO::data/data/com.android.providers.contacts/databases/contacts2.db}}
\begin{quote}
\textbf{size}: 110592 byte\\
\textbf{''file''-output}: SQLite 3.x database\\
\textbf{sha512}\\\ttfamily{
ac4da8a978cb0b1e09f9b556065b93790892568a38e0d86cc5d36490fa1b3acc\\
527651378468b8b17c5d56db375bae2f906e53f0a765471d9fae4b0860a6fbc0}
\end{quote}

The content was:
\begin{center}\begin{tabular}{| l | l | l | l | l | }
  \hline date & type & number & name & duration\\
  \hline 2012-12-06 13:30:49 & to & 6604413637 & Antonio Schweinebauer & 92\\
  \hline 2012-12-06 13:33:24 & to & 6604413637 & Antonio Schweinebauer & 109\\
  \hline 2012-12-06 13:40:43 & from & 19804042297 & & 16\\
  \hline 2012-12-06 14:01:50 & to & 6604413637 & Antonio Schweinebauer & 0\\
  \hline 2012-12-06 15:23:38 & to & 6604413637 & Antonio Schweinebauer & 0\\
  \hline 2012-12-06 15:52:45 & to & 6604413637 & Antonio Schweinebauer & 11\\
  \hline 2012-12-06 15:55:22 & to & 6604413637 & Antonio Schweinebauer & 3\\
  \hline 2012-12-06 16:00:01 & to & 6604413637 & Antonio Schweinebauer & 15\\
  \hline 2012-12-06 16:13:29 & from & 436605969364 & Karl Heinz Grasser & 63\\
  \hline 2012-12-06 16:22:21 & to & 4300436605969364 & & 0\\
  \hline 2012-12-06 16:25:12 & to & 6603203711 & Allegro Mayer & 0\\
  \hline 2012-12-06 16:26:03 & to & 6603203711 & Allegro Mayer & 13\\
  \hline 2012-12-06 16:33:10 & from & 6603203711 & Allegro Mayer & 74 Viber\\
  \hline 2012-12-06 16:35:14 & to & 6603203711 & Allegro Mayer & 0 Viber\\
  \hline 2012-12-06 16:45:30 & from & 436603203711 & Allegro Mayer & 20\\
  \hline
\end{tabular}\end{center}


\subsection{SMS}
The sms were extracted from the table \emph{\textbf{sms}} from the file\\
\emph{\textbf{ANDRO::data/data/com.android.providers.telephony/databases/mmssms.db}}
\begin{quote}
\textbf{size}: 40960 byte\\
\textbf{''file''-output}: SQLite 3.x database\\
\textbf{sha512}\\\ttfamily{
da62de7c96eac0299584fe7a7278b43a5986f1a6c5f5a6ed1f2ec18bddcbd0d2\\
0e6bb39419f5777d8610783f95405d509a39306217ed6ed6186e17ef2db85cd6}
\end{quote}

The content was:
\begin{center}\begin{tabularx}{\textwidth}{| l | l | l | X | }
  \hline date & type & address & body\\
  \hline 2012-12-06 16:29:50 & from & Viber & Your Viber code is: 7868 Close this message and enter the code into Viber to activate your account.\\
  \hline 2012-12-06 16:36:22 & to & 6603203711 & Hallo, ich empfehle dir den WhatsApp Messenger für Android, iPhone, Nokia, BlackBerry und Windows Phone auf http://whatsapp.com/dl/\\
  \hline 2012-12-06 16:42:55 & from & 436603203711 & Viel zu unsicher, hab mir vor kurzem einen ganz tollen vortrag darüber angehört...\\
  \hline 2012-12-06 16:45:24 & from & 436603203711 & Ich hab von einem kollegen wichtige informationen. Ruf dich an\\
  \hline
\end{tabularx}\end{center}


\subsection{Calendar}
The calendar events were extracted from the table \emph{\textbf{Events}} from the file\\
\emph{\textbf{ANDRO::data/data/com.android.providers.calendar/databases/calendar.db}}
\begin{quote}
\textbf{size}: 33792 byte\\
\textbf{''file''-output}: SQLite 3.x database\\
\textbf{sha512}\\\ttfamily{
8e8a8a427432c3e2ddfc3435b1121da27442d53eed27bb433b784850efa703d4\\
b8b6e55ebbe31ab55612e94a83cd933bb75fbffbb33f680a260bcc9c86380f86}
\end{quote}

The content was:
\begin{center}\begin{tabular}{ | l | l | l | l|  l |}
  \hline event & location & start & end & attendees \\
  \hline Geschäftsessen & Maylee & 2012-12-07 11:00:00 & 2012-12-07 12:00:00 & Johannes Smith\\
  \hline
\end{tabular}\end{center}


\subsection{Accounts}
All registered accounts were extracted from the table \emph{\textbf{accounts}} from the file\\
\emph{\textbf{ANDRO::data/system/accounts.db}}
\begin{quote}
\textbf{size}: 20480 byte\\
\textbf{''file''-output}: SQLite 3.x database\\
\textbf{sha512}\\\ttfamily{
986ef7b12650f36959592640dc824fa22c40fd1d6c13dc36f4eeb719c6b6ef80\\
773762691bb9adb0b9c7490e5eedd4c5fa462b5b8c6119e6736bc2be3b09cd03}
\end{quote}

There seems to be nothing of interest on Smith's Facebook public profile (\url{https://www.facebook.com/johannes.markussmith}).\\

Whatsapp seems to be interesting: It seems that \emph{\textbf{+436603169718}} is Smith's secondary phone number.


\subsection{eMail}
Relevant eMail-headers were extracted from the table \emph{\textbf{Message}} from the file\\
\emph{\textbf{ANDRO::data/data/com.android.email/databases/EmailProvider.db}}
\begin{quote}
\textbf{size}: 33792 byte\\
\textbf{''file''-output}: SQLite 3.x database\\
\textbf{sha512}\\\ttfamily{
bbcfc7565fe211a9b86d49a8ce816b4ac6d44c6bd7360f0342961af2051f60f9\\
c6481393562aa5413e25ec8b7b78c0be43e530b498f59d11b6e5f2c5c6cdab5e}
\end{quote}

Relevant eMail-bodies were extracted from the table \emph{\textbf{Body}} from the file\\
\emph{\textbf{ANDRO::data/data/com.android.email/databases/EmailProviderBody.db}}
\begin{quote}
\textbf{size}: 108544 byte\\
\textbf{''file''-output}: SQLite 3.x database\\
\textbf{sha512}\\\ttfamily{
a3b3d4160cc51651894bdd569677ecaea80cdee5b0622015604293b2dcb1c2e4\\
15c05f2ccbf70b82b8b5fc03c8d3c8ced182db17a9cdf603aa08f831c57d2ce8}
\end{quote}

On \emph{\textbf{2012-11-27 13:03:02}} subject \emph{\textbf{Re: current stocks!}}
\begin{lstlisting}Thanks!!!
It seems that we've made the right decisions!!

Am Dienstag, 27. November 2012 schrieb Johannes Smith :

> FYI.
> regards,
> johannes
>
>
\end{lstlisting}

On \emph{\textbf{2012-11-27 16:08:24}} subject \emph{\textbf{Allegro Mayer shared "confidential" with you}}
\begin{lstlisting}Allegro hat über Dropbox einige Dateien für dich freigegeben!

Klicke hier, um "confidential" anzuzeigen: https://www.dropbox.com/el/?r=/sh/vynk4jf4tghe88d/xkfh_H-BLn&b=clk:124439748:4804662256873865079:776:445&z=AACxCiMV76RVXzyBMgmjFiqsgTRbi53b5uE5OmdOmwYvZg
\end{lstlisting}


\subsection{Viber-App}
The Viber-call-logs were extracted from the table \emph{\textbf{viber\_call\_log}} from the file\\
\emph{\textbf{ANDRO::data/data/com.viber.voip/databases/viber\_call\_log.db}}
\begin{quote}
\textbf{size}: 5120 byte\\
\textbf{''file''-output}: SQLite 3.x database\\
\textbf{sha512}\\\ttfamily{
64fb64c0568f54c762561c0d939538a938adb7a671904418b763992701b5b24a\\
75ec0c3f0e6959525f05bae929b6734c7d6ccac19a0363ebc3459c7b45cbdbe1}
\end{quote}

The content was:
\begin{center}\begin{tabular}{ | l | l | }
  \hline number & timestamp\\
  \hline 06603203711 & 2012-12-06 16:35:14\\
  \hline
\end{tabular}\end{center}


\subsection{Whatsapp-App}
The Whatsapp call-log seems to have been wiped, as there was nothing useful to extracted from the table \emph{\textbf{messages}} from the file\\
\emph{\textbf{ANDRO::data/data/com.whatsapp/databases/msgstore.db}}
\begin{quote}
\textbf{size}: 8192 byte\\
\textbf{''file''-output}: SQLite 3.x database\\
\textbf{sha512}\\\ttfamily{
700ad004b1c20d4c3bdc4d56ee59e3469db661a045fcb4803906f9d77a76f5c5\\
829d0751f84e913fcebe0d23491ec2c4d5ca03f577cbb087218b314422a68821}
\end{quote}

The Whatsapp contactlist was extracted from the table \emph{\textbf{wa\_contacts}} from the file\\
\emph{\textbf{ANDRO::data/data/com.whatsapp/databases/wa.db}}
\begin{quote}
\textbf{size}: 7168 byte\\
\textbf{''file''-output}: SQLite 3.x database\\
\textbf{sha512}\\\ttfamily{
ace8f7e526fc641556d96a58f0bdffd99f2b93bf39be271c9599eab10bcdd3b5\\
7111b321a9dd6ca51c81c7bd4422e6126a6a7dd66d3fa59e328ff990a99642d1}
\end{quote}

The content was:
\begin{center}\begin{tabular}{ | l | l | l | }
  \hline jid & number &  display\_name\\
  \hline 436605969364@s.whatsapp.net & 6605969364 & Karl Heinz Grasser\\
  \hline 436604413637@s.whatsapp.net & 6604413637 & Antonio Schweinebauer\\
  \hline 436603203711@s.whatsapp.net & 6603203711 & Allegro Mayer\\
  \hline 4300436605969364@s.whatsapp.net & 4300436605969360 & Allegro Mayer\\
  \hline
\end{tabular}\end{center}


\subsection{WLANs}
The file \emph{\textbf{ANDRO::data/misc/wifi/wpa\_supplicant.conf}} shows an interesting network configuration.
\begin{quote}
\textbf{size}: 126 byte\\
\textbf{''file''-output}: ASCII text\\
\textbf{sha512}\\\ttfamily{
cf30537161f54bad5f9a741f90c14afb2e6cf00151ed3ed414f301c9aa5cb964\\
b6d745f0daabb44f922efded0c1b7c93698b43545dbf465608807bc22b779787}
\end{quote}

\begin{lstlisting}
ctrl_interface=eth0
update_config=1

network={
        ssid="pornhub"
        psk="I'mNaked!FindMeUpstairs"
        key_mgmt=WPA-PSK
        priority=1
}
\end{lstlisting}
The same Access-Point name was used on Mayer's iPhone too.


\newpage\section{Dropbox}
TODO: move to top.

Mayer shared a folder called called \emph{\textbf{confidential}} with Smith over Dropbox.\\
The invitation eMail contains the URL to that folder (\url{https://www.dropbox.com/sh/vynk4jf4tghe88d/
xkfh_H-BLn?lst#/}).\\
The folder is publicly accessible so it was possible to extract its contents.
\begin{itemize}
\item\emph{\textbf{2012-11-27 14.31.56.png}}\\iPhone screenshot from some flightplan App, shows a number of flights departing Vienna shortly after 1700 (among those, two flights from Vienna to Paris)
\item\emph{\textbf{Homer-Simpson-Butt-Wide-Load.png}}\\Snapshot of from an episode of The Simpsons showing Homer with \textbf{Wide Load} written across his back.
\item\emph{\textbf{Stocks-watch.jpg}}\\A key lying on a newspaper with a headline beginning with \textbf{Investing}
\item\emph{\textbf{stocks.jpg}}\\Smaller version of \emph{\textbf{IPBA::IMG\_0005.JPG}} from the iPhone backup.
\end{itemize}




\newpage\section{Details}
\subsection{Used tools on GuestVM}
Tools that were used for analysis (-{}-version):
\begin{itemize}
\item IP Backup Aanalyzer 2.0 build 20130319 (mar 2013)
\end{itemize}

\subsection{Used tools on Host}
Tools that were used for analysis (-{}-version):
\begin{itemize}
\item sqlite3 3.8.5 2014-06-04 14:06:34 b1ed4f2a34ba66c29b130f8d13e9092758019212
\item sha512sum (GNU coreutils) 8.22
\item ls (GNU coreutils) 8.22
\item file 5.18
\item tar tar (GNU tar) 1.27.1
\end{itemize}

\subsection{Machines}
\begin{itemize}
\item \textbf{Virtual machine}\\
Windows XP Version5.1 (Build2600.xpsp\_sp3\_qfe.130704-0421 : Service Pack3)
\item \textbf{Oracle VirtualBox} 4.3.10
\item \textbf{Host machine}\\
Linux rebx 3.14.0-gentoo-somenet.org \#1 SMP Sun Apr 6 01:00:17 CEST 2014 x86\_64 Intel(R) Core(TM)2 Duo CPU T9300 @ 2.50GHz GenuineIntel GNU/Linux
\end{itemize}