The Crime
Scenario
Lab Link: The Crime
We're currently in the midst of a murder investigation, and we've obtained the victim's phone as a key piece of evidence. After conducting interviews with witnesses and those in the victim's inner circle, your objective is to meticulously analyze the information we've gathered and diligently trace the evidence to piece together the sequence of events leading up to the incident.
Questions
Q1
Based on the accounts of the witnesses and individuals close to the victim, it has become clear that the victim was interested in trading. This has led him to invest all of his money and acquire debt. Can you identify the SHA256 of the trading application the victim primarily used on his phone?
Answer Format: ****************************************************************
Android Logs Events And Protobuf Parser
First, let's use the ALEAPP tool: https://github.com/abrignoni/ALEAPP
git clone https://github.com/abrignoni/ALEAPP
python3 -m venv myenv
source myenv/bin/activate
pip install -r ALEAPP/requirements.txt
Then make a folder called "output" so the report can be written there:
mkdir output
Now run ALEAPP against the extracted file system (-t fs) and write the report to output:
python3 ALEAPP/aleapp.py -t fs -i ./temp_extract_dir/data -o output
cd output
Now move to the directory of your report; I got this folder inside output:
cd ALEAPP_Reports_2025-11-27_Thursday_102552
Now open the report:
xdg-open _HTML/index.html
You will get a highly detailed report for the Android device.
The question asks for the SHA-256 of the app the user traded with, so we can go to:
_HTML/Installed_Apps_(GMS)_for_user_0.html?navpos=714
There we can see the list of all apps installed on the phone (bundle ID, version code, SHA-256 hash):
Bundle ID Version Code SHA-256 Hash
com.discord 194017 cb8511953a2b33be0a5291dd2af23fecdcd02a9df7b1752aa549bea89d3aad30
com.discord 186011 bc85ef24fbf124c7fae1614a49265467b7cb70d04e6da79da92ea2bcaedf09cc
com.discord 149011 70526fd3a0f9d795984157bc06e1baa6f4685bd8f893c6fd2fa359b72fa655e4
com.google.android.youtube 1419573700 fb09675ed6b64e56319cc85d956f194319f5faa41be6e010dbf1c1f021f2c033
com.ticno.olymptrade 672 4f168a772350f283a1c49e78c1548d7c2c6c05106d8b9feb825fdc3466e9df3c
Answer:
4f168a772350f283a1c49e78c1548d7c2c6c05106d8b9feb825fdc3466e9df3c
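As an added example (not part of the original writeup and not ALEAPP's own code), a small Python script that pulls the Installed Apps table out of an ALEAPP HTML report, validates each SHA-256 and filters by bundle ID. It assumes the report renders that table as a plain HTML <table> with a header row; the sample HTML is constructed here from the rows shown above.

```python
import re
from html.parser import HTMLParser

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

class TableRows(HTMLParser):
    """Collect the text of every <td>/<th> cell, grouped by <tr>."""
    def __init__(self):
        super().__init__()
        self.rows, self._row, self._cell = [], None, None
    def handle_starttag(self, tag, attrs):
        if tag == "tr":
            self._row = []
        elif tag in ("td", "th"):
            self._cell = []
    def handle_data(self, data):
        if self._cell is not None:  # text outside a cell (whitespace between rows) is ignored
            self._cell.append(data)
    def handle_endtag(self, tag):
        if tag in ("td", "th") and self._row is not None:
            self._row.append("".join(self._cell).strip())
            self._cell = None
        elif tag == "tr" and self._row is not None:
            self.rows.append(self._row)
            self._row = None

def parse_installed_apps(html):
    """Return [{bundle_id, version_code, sha256}, ...]; the header row names the columns."""
    p = TableRows(); p.feed(html)
    header, *data = [r for r in p.rows if r]
    col = {name.lower(): i for i, name in enumerate(header)}
    apps = []
    for r in data:
        h = r[col["sha-256 hash"]].lower()
        if not SHA256_RE.match(h):  # a truncated or non-hex hash is useless as evidence
            raise ValueError(f"malformed SHA-256 for {r[col['bundle id']]}: {h!r}")
        apps.append({"bundle_id": r[col["bundle id"]],
                     "version_code": int(r[col["version code"]]), "sha256": h})
    return apps

def find_app(apps, keyword):
    """Apps whose bundle ID contains keyword (case-insensitive), newest version first."""
    hits = [a for a in apps if keyword.lower() in a["bundle_id"].lower()]
    return sorted(hits, key=lambda a: a["version_code"], reverse=True)

# Constructed sample mimicking the Installed_Apps_(GMS) table, using rows from the report above.
SAMPLE_HTML = """<table><thead><tr><th>Bundle ID</th><th>Version Code</th><th>SHA-256 Hash</th></tr></thead>
<tbody><tr><td>com.discord</td><td>194017</td><td>cb8511953a2b33be0a5291dd2af23fecdcd02a9df7b1752aa549bea89d3aad30</td></tr>
<tr><td>com.discord</td><td>149011</td><td>70526fd3a0f9d795984157bc06e1baa6f4685bd8f893c6fd2fa359b72fa655e4</td></tr>
<tr><td>com.ticno.olymptrade</td><td>672</td><td>4f168a772350f283a1c49e78c1548d7c2c6c05106d8b9feb825fdc3466e9df3c</td></tr></tbody></table>"""
```

Feed it the real _HTML/Installed_Apps_(GMS)_for_user_0.html and search for "trade" to get the same row the report shows.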
Q2
According to the testimony of the victim's best friend, he said, "While we were together, my friend got several calls he avoided. He said he owed the caller a lot of money but couldn't repay now". How much does the victim owe this person?
Answer Format: ******
This one is easy: go to the SMS messages:
_HTML/SMS_messages.html?navpos=1314
We can see the phone number and the message:
+201172137258
--
It's time for you to pay back the money you owe me, but you're not picking up my calls. You better think twice about not paying, because it won't end well for you. Prepare the sum of 250,000 EGP, and I'll expect your call within an hour at most.
Answer:
250000
Q3
What is the name of the person to whom the victim owes money?
Answer Format: ***** *****
The SMS came from this number:
+201172137258
so we can go to the contacts list
_HTML/Contacts.html?navpos=252
to get the name of the person.
Answer:
Shady Wahab
Q4
Based on the statement from the victim's family, they said that on September 20, 2023, he departed from his residence without informing anyone of his destination. Where was the victim located at that moment?
Answer Format: Th* N*** ****-*******
Go to Recent Activity to see all the interactions with Google Maps:
_HTML/Recent_Activity_0.html?navpos=1141
Answer:
The Nile Ritz-Carlton
Q5
The detective continued his investigation by questioning the hotel lobby. She informed him that the victim had reserved the room for 10 days and had a flight scheduled thereafter. The investigator believes that the victim may have stored his ticket information on his phone. Look for where the victim intended to travel.
Answer Format: *** *****
Go to the Discord messages:
_HTML/Discord_Chats.html?navpos=306
You can see The Mob Museum, which is located in Las Vegas.
Answer:
las vegas
Q6
After examining the victim's Discord conversations, we discovered he had arranged to meet a friend at a specific location. Can you determine where this meeting was supposed to occur?
Answer Format: *** *** ******
Answer:
The Mob Museum