The Crime Lab
CyberDefenders Endpoint Forensics Lab

Scenario
We’re currently in the midst of a murder investigation, and we’ve obtained the victim’s phone as a key piece of evidence. After conducting interviews with witnesses and those in the victim’s inner circle, your objective is to meticulously analyze the information we’ve gathered and diligently trace the evidence to piece together the sequence of events leading up to the incident.
Question 1
Based on the accounts of the witnesses and individuals close to the victim, it has become clear that the victim was interested in trading. This has led him to invest all of his money and acquire debt. Can you identify the SHA256 of the trading application the victim primarily used on his phone?
Answer 1

Uploading the file to VirusTotal gave a lot of useful information including the SHA256 of the .apk file.
Question 2
According to the testimony of the victim’s best friend, he said, “While we were together, my friend got several calls he avoided. He said he owed the caller a lot of money but couldn't repay now". How much does the victim owe this person?
Answer 2

After extracting the evidence and producing a report with ALEAPP, it was rather easy to comb through the SMS messages, which revealed that the victim owes 250,000 EGP.
Question 3
What is the name of the person to whom the victim owes money?
Answer 3
Matching the call logs with the contact names, you can easily determine that the person who is rather determined to get hold of the victim is Shady Wahab.
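The same correlation can be done in code when the call log and contacts are available as SQLite tables. The following is an added example, not part of the original write-up or of ALEAPP: the `calls` columns and call type values follow Android's call log provider, the `contacts` table is a simplified hypothetical stand-in, the 10-digit match length is an assumption, and every row is constructed.

```python
import sqlite3
from collections import Counter

# Call type values from android.provider.CallLog.Calls
MISSED, REJECTED = 3, 5

def norm(number, keep=10):
    """Reduce a number to its trailing digits so +20..., 0020... and 0... forms compare equal."""
    digits = "".join(ch for ch in number if ch.isdigit())
    return digits[-keep:]

def build_sample_db():
    """In-memory stand-in for the extracted databases; every row is constructed."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE calls (number TEXT, date INTEGER, duration INTEGER, type INTEGER)")
    db.execute("CREATE TABLE contacts (display_name TEXT, number TEXT)")  # simplified, hypothetical
    db.executemany("INSERT INTO contacts VALUES (?, ?)", [
        ("Contact A", "+20 100 555 0101"),
        ("Contact B", "01005550202"),
    ])
    db.executemany("INSERT INTO calls VALUES (?, ?, ?, ?)", [
        ("01005550101",   1695100000000, 0,  MISSED),
        ("+201005550101", 1695103600000, 0,  REJECTED),
        ("01005550101",   1695107200000, 0,  MISSED),
        ("+201005550202", 1695110800000, 60, 1),       # answered incoming call
        ("01005550303",   1695114400000, 0,  MISSED),  # number not in contacts
    ])
    return db

def unanswered_by_contact(db):
    """Count missed and rejected calls per caller, resolving names where a contact matches."""
    names = {norm(num): name
             for name, num in db.execute("SELECT display_name, number FROM contacts")}
    counts = Counter()
    for number, call_type in db.execute("SELECT number, type FROM calls ORDER BY date"):
        if call_type in (MISSED, REJECTED):
            counts[names.get(norm(number), "unknown:" + number)] += 1
    return counts.most_common()

if __name__ == "__main__":
    for caller, n in unanswered_by_contact(build_sample_db()):
        print(f"{n:3d}  {caller}")
```

Normalizing on trailing digits matters because the same caller can appear in international and national formats across the call log, contacts and SMS records.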
Question 4
Based on the statement from the victim’s family, they said that on September 20, 2023, he departed from his residence without informing anyone of his destination. Where was the victim located at that moment?
Answer 4
Looking under the recent activity tab, it seems that the victim was looking at Google Maps on the above date, placing him at The Nile Ritz-Carlton Cairo.
Question 5
The detective continued his investigation by questioning the hotel lobby. She informed him that the victim had reserved the room for 10 days and had a flight scheduled thereafter. The investigator believes that the victim may have stored his ticket information on his phone. Look for where the victim intended to travel.
Answer 5
Looking through the victim’s Discord messages, it seems that they were in contact with a friend, mentioning that they would meet at The Mob Museum, which is located in Las Vegas.
Question 6
After examining the victim’s Discord conversations, we discovered he had arranged to meet a friend at a specific location. Can you determine where this meeting was supposed to occur?
Answer 6
The above answer to question 5 reveals that they would meet at The Mob Museum.
