iForensics - iBackdoor 2/2

forensics iOS FCSC 2025

star star

Description

As you pass through customs, the customs officer asks you to hand over your phone and its unlock code. The phone is returned to you a few hours later…

Suspicious, you send your phone to ANSSI’s CERT-FR for analysis. CERT-FR analysts carry out a collection on the phone, consisting of a sysdiagnose and a backup.

Now that you know which application has been compromised, find out how the attacker retrieved the legitimate application prior to infection.

You’ll need to find:

  • The identifier of the application used to retrieve the legitimate application;
  • The path used to store the legitimate application;
  • The date on which the legitimate application was uninstalled (in local time).

The flag is in the format FCSC{<application identifier>|<path>|<date>}. For example, if the application used is Example (com.example), the path is /private/var/tmp/test.xyz and the uninstall date is 2025-01-01 01:00:00: FCSC{com.example|/private/var/tmp/test.xyz|2025-01-01 01:00:00}.

This challenge is part of a series. The challenges are independent, except iBackdoor 2/2, which depends on iBackdoor 1/2.

Author

\E
