Cyber Investigator CTF Writeup

v1ntage
11 min read, Dec 13, 2021


Cyber Investigator is the sequel to Cyber Detective, also created by the Cyber Society (CyberSoc) at Cardiff University. There are 31 challenges spread across five categories: Signal Intelligence, Covert Operations, Cyber Crime, Crime Scene Investigation, and Financial Crime.

Signal Intelligence

The audio file provided to us appears to be in Chinese. I created a Python script that converts the audio to text using the SpeechRecognition library.

415364214564383

The tones are Dual-tone multi-frequency (DTMF) signals, generated when keys on a telephone keypad are pressed: each key is the sum of one low-group and one high-group sine wave. We can decode them with an online tool to recover the pressed digits.
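As an added example (not part of the original writeup, and not the online tool the author used), the decoder below does offline what that tool does: it splits the signal into blocks, measures the power at each of the eight DTMF frequencies with the Goertzel algorithm, and emits a key whenever a tone starts after silence. The input is a constructed test signal synthesised in the same block, using the two digit strings from this writeup; a real recording would be read from a WAV file and resampled to 8 kHz first.

```python
import math

RATE = 8000                      # Hz; telephony sample rate
BLOCK = 205                      # samples per analysis block (~25 ms, the usual DTMF choice)
LOW = [697, 770, 852, 941]       # row tones
HIGH = [1209, 1336, 1477, 1633]  # column tones
KEYPAD = ["123A", "456B", "789C", "*0#D"]


def synthesize(keys, tone_ms=80, gap_ms=40):
    """Constructed test signal: each key is the sum of its row and column sinusoid,
    followed by silence. Amplitudes 0.5 + 0.5, so a full tone block has mean power ~0.25."""
    out = []
    for key in keys:
        row = next(r for r, line in enumerate(KEYPAD) if key in line)
        col = KEYPAD[row].index(key)
        f_lo, f_hi = LOW[row], HIGH[col]
        for i in range(RATE * tone_ms // 1000):
            t = i / RATE
            out.append(0.5 * math.sin(2 * math.pi * f_lo * t)
                       + 0.5 * math.sin(2 * math.pi * f_hi * t))
        out.extend([0.0] * (RATE * gap_ms // 1000))
    return out


def goertzel(block, freq):
    """Power of one target frequency in a block (a single-bin DFT, cheaper than a full FFT)."""
    n = len(block)
    k = int(0.5 + n * freq / RATE)           # nearest DFT bin to the target frequency
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s_prev = s_prev2 = 0.0
    for x in block:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev * s_prev + s_prev2 * s_prev2 - coeff * s_prev * s_prev2


def decode(samples, min_power=0.15):
    """Walk the signal block by block; a key is emitted when a tone starts after silence
    (or after a different key). min_power must be below a full tone block's power (0.25)
    and high enough that a block only partly covered by a tone counts as silence."""
    keys = []
    last = None
    for start in range(0, len(samples) - BLOCK + 1, BLOCK):
        block = samples[start:start + BLOCK]
        if sum(x * x for x in block) / BLOCK < min_power:
            last = None                      # silence between key presses
            continue
        row = max(range(4), key=lambda r: goertzel(block, LOW[r]))
        col = max(range(4), key=lambda c: goertzel(block, HIGH[c]))
        key = KEYPAD[row][col]
        if key != last:
            keys.append(key)
            last = key
    return "".join(keys)


if __name__ == "__main__":
    # constructed input: the second digit string from this writeup, round-tripped
    print(decode(synthesize("4562659845852366")))
```

The onset logic (emit only when the key changes or after a silent block) is what lets repeated digits such as the trailing "66" come out as two presses rather than one; the 40 ms gap between tones is what makes that reliable.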

4562659845852366

The audio sounds as if it is being played backward. This website can reverse it back to normal. Then we can use the script above to convert the audio to text.
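As an added example for the two steps above (reversing the audio, then running speech recognition), here is a standard-library WAV reverser paired with a SpeechRecognition call. This is not the author's script or the reversing website's code: the reversal works on 16-bit PCM WAV only and keeps stereo frames paired, and the `transcribe` helper assumes the SpeechRecognition package and its Google Web Speech backend, so it needs network access and is imported lazily. The sample WAV in the test is constructed in memory.

```python
import array
import io
import sys
import wave


def make_wav(samples, rate=16000, channels=1):
    """Build a 16-bit PCM WAV in memory from a list of integer samples.
    Constructed helper for demonstration; a real capture is read from disk instead."""
    pcm = array.array("h", samples)
    if sys.byteorder == "big":
        pcm.byteswap()          # WAV sample data is little-endian
    buf = io.BytesIO()
    with wave.open(buf, "wb") as dst:
        dst.setnchannels(channels)
        dst.setsampwidth(2)
        dst.setframerate(rate)
        dst.writeframes(pcm.tobytes())
    return buf.getvalue()


def read_samples(data):
    """Return (params, list of interleaved 16-bit samples) from WAV bytes."""
    with wave.open(io.BytesIO(data), "rb") as src:
        params = src.getparams()
        if params.sampwidth != 2:
            raise ValueError("only 16-bit PCM WAV is handled here")
        frames = src.readframes(params.nframes)
    pcm = array.array("h", frames)
    if sys.byteorder == "big":
        pcm.byteswap()
    return params, pcm.tolist()


def reverse_wav(data):
    """Reverse playback order, keeping each frame's channels together."""
    params, pcm = read_samples(data)
    n = params.nchannels
    frames = [pcm[i:i + n] for i in range(0, len(pcm), n)]
    frames.reverse()
    flat = [s for frame in frames for s in frame]
    return make_wav(flat, rate=params.framerate, channels=n)


def transcribe(path, language="zh-CN"):
    """Speech-to-text via the SpeechRecognition package (pip install SpeechRecognition).
    Uses the Google Web Speech API backend, so it needs network access; imported lazily
    so the offline helpers above work without the package installed."""
    import speech_recognition as sr
    recognizer = sr.Recognizer()
    with sr.AudioFile(path) as source:
        audio = recognizer.record(source)
    return recognizer.recognize_google(audio, language=language)


if __name__ == "__main__":
    # usage: python reverse_and_transcribe.py clip.wav
    src = sys.argv[1]
    with open(src, "rb") as fh:
        reversed_wav = reverse_wav(fh.read())
    out = src.rsplit(".", 1)[0] + "_reversed.wav"
    with open(out, "wb") as fh:
        fh.write(reversed_wav)
    print(transcribe(out))
```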

Searching the text online brings us to a farewell speech by David Cameron, the former Prime Minister of the United Kingdom.

David Cameron

The image given is a spectrogram, a visual representation of signal strength over time and frequency. We can synthesise it back into audio using Photosounder. The audio is a female robot voice reading out the coordinates (37.241000, -115.804326). Searching the coordinates on Google Maps tells us the place.

Area 51

Covert Operations

We start from the least intense heat signature and go to the most intense.

4158

We can use Shazam to detect the song.

Limitless

It is a road sign in Chinese. We need to translate it into English to find out where the driver is. I used the Google Lens app on my phone.

We can then search for the road names on Google Maps. All the roads are in Shanghai, China.

Shanghai

There are many versions of the Sky remote. To determine which version is in the image, we can browse the catalogue on the official website.

We can then enter the remote version and the TV brand into this site.

It gives us three possible codes, and luckily the first one is correct.

1536

The gun in the image is a Glock 19. The official Glock website lists the dimensions of the gun.

187mm x 128mm

To ease the analysis of a video, we can use ffmpeg to split the video into individual frame images.

We can then upload one of the images to Yandex reverse image search.

The first hit brings us to RT's YouTube channel. It is a story about the air raid sirens that went off in Tel Aviv when Israel's Iron Dome intercepted rockets from Gaza.

Israel

We can reuse the tool above for this task. There are a few interesting frames.

The first image shows an airplane with “LASER” written on it. LASER Airlines is an airline based in Venezuela.

We can confirm that the image was taken at an airport in Venezuela by zooming in on the flag in the second image and comparing it with Venezuela's flag.

Venezuela’s flag:

The third image shows an American Airlines Boeing 737-800, which used to fly to Venezuela daily.

Looking at the RadarBox website, there are no flights coming in from the US. Further research shows that travel restrictions are in place because of unrest in Venezuela. The article was published on 15 March 2019.

15/03/2019

Cyber Crime

We can use this MAC address lookup to see the details of the device.

Apple

There is a website where we can enter the IMEI number and get information about the device.

The phone is a Samsung Galaxy that weighs 138g; subtracting that from 300g gives us the extra weight.

162g

We can use “Have I Been Pwned” to check whether the email address appears in a data breach.

Adobe

We can identify the font with a reverse image search.

Plexifont

We can copy one of the lines and search for it online.

The scripting language is Pawn, and this article lists the computer games that use it.

Grand Theft Auto: San Andreas Multiplayer

The file is a connection log showing a series of requests made to the server. To find out where the sender is located, we can look up the IP address (175.45.176.212) with an IP address lookup tool.

To find the target, we need to look at the first GET request:

GET /vips/%u0412%u043B%u0430%u0434%u0438%u043C%u0438%u0440%20%u041F%u0443%u0442%u0438%u043D/

The request path is percent-encoded. We can decode it using CyberChef.

The decoded text looks like Russian, so we translate it into English.
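Worth noting for anyone reproducing this step in code rather than CyberChef: the path uses the `%uXXXX` form that JavaScript's `escape()` produces, which standard RFC 3986 decoders such as Python's `urllib.parse.unquote` leave untouched. The decoder below is an added example, not part of the original writeup; it handles `%uXXXX` code units (including surrogate pairs) alongside ordinary `%XX` UTF-8 bytes and pulls the decoded segments out of a request line. The first log line is the one quoted above; the second is constructed to show the `%XX` path.

```python
import re
from urllib.parse import unquote

# JavaScript's escape() writes non-ASCII code units as %uXXXX; RFC 3986 decoders
# (and urllib.parse.unquote) do not understand that form, so handle both in one pass.
_ESCAPE = re.compile(r"%u([0-9A-Fa-f]{4})|((?:%[0-9A-Fa-f]{2})+)")


def decode_js_escape(text):
    """Decode a mix of %uXXXX (UTF-16 code units) and %XX (UTF-8 bytes) escapes."""
    def repl(m):
        if m.group(1):
            return chr(int(m.group(1), 16))
        return unquote(m.group(2), errors="replace")   # a run of %XX bytes as UTF-8
    decoded = _ESCAPE.sub(repl, text)
    # join surrogate pairs (%uD83D%uDE00 style) into single characters
    return decoded.encode("utf-16", "surrogatepass").decode("utf-16", "replace")


def decoded_path_segments(request_line):
    """Split a 'METHOD /path' log line into decoded, non-empty path segments."""
    parts = request_line.split()
    if len(parts) < 2:
        raise ValueError("not a request line: %r" % request_line)
    return [decode_js_escape(seg) for seg in parts[1].strip("/").split("/")]


LOG_LINES = [
    # request line quoted in the writeup
    "GET /vips/%u0412%u043B%u0430%u0434%u0438%u043C%u0438%u0440%20%u041F%u0443%u0442%u0438%u043D/",
    # constructed: the same kind of path with standard UTF-8 %XX encoding ('Москва')
    "GET /vips/%D0%9C%D0%BE%D1%81%D0%BA%D0%B2%D0%B0/",
]

if __name__ == "__main__":
    for line in LOG_LINES:
        print(decoded_path_segments(line))
```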

NorthKorea Russia

The file provided is a `.dd` file, a raw disk image that is a replica of a hard disk drive. We can use [Autopsy](https://www.autopsy.com/) to do forensic analysis on it. This article is a good tutorial on how to use Autopsy.

A few interesting files on the drive are “gbr-passport.jpg”, “india-passport.jpg” and “usa-passport.jpg”, but they are all images of passports without the owner's name. Next, we can look at the Recycle Bin, where we find an image of the passport complete with the owner's details.

Angela Zoe Smith

We can recover the passphrase with John the Ripper, which comes preinstalled on Kali Linux. First, however, we need to convert the text file into a hash format that John understands, using the ssh2john script.

Then we can run John to crack the passphrase.

banana

We can use CyberChef to decode these. The first part is hex.

The second part is binary.

The result is a Roman numeral, which further decodes to the coordinates (2.478615, 45.621192), a location in Somalia.
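As an added example (not the author's CyberChef recipe), the script below peels the layers described above one at a time: it guesses whether the outer layer is Roman numerals, 8-bit binary or hex, decodes it, and repeats until the text no longer looks encoded. The exact layout of the challenge's Roman numeral string is not reproduced in the writeup, so the sample input here is constructed by `encode_chain`, which is my assumption of that layout: one Roman numeral token per digit with the "." and "," kept as tokens, the token string written as 8-bit binary, and that binary text hex-encoded. Roman numerals have no zero, so a coordinate containing a 0 digit could not be encoded this way.

```python
import re

ROMAN_PAIRS = [(1000, "M"), (900, "CM"), (500, "D"), (400, "CD"), (100, "C"), (90, "XC"),
               (50, "L"), (40, "XL"), (10, "X"), (9, "IX"), (5, "V"), (4, "IV"), (1, "I")]
ROMAN_VALUES = {"I": 1, "V": 5, "X": 10, "L": 50, "C": 100, "D": 500, "M": 1000}


def to_roman(n):
    """Integer to Roman numeral; Roman numerals have no zero, so n must be positive."""
    if n <= 0:
        raise ValueError("Roman numerals cannot represent zero or negatives")
    out = ""
    for value, symbol in ROMAN_PAIRS:
        while n >= value:
            out += symbol
            n -= value
    return out


def from_roman(s):
    """Roman numeral to integer, honouring the subtractive rule (IV = 4, XC = 90)."""
    total = 0
    for i, ch in enumerate(s):
        v = ROMAN_VALUES[ch]
        if i + 1 < len(s) and ROMAN_VALUES[s[i + 1]] > v:
            total -= v
        else:
            total += v
    return total


def layer_type(text):
    """Guess the outer encoding. Order matters for ambiguous inputs: '01010101' is
    treated as binary before hex, and 'CD' as a Roman numeral before hex."""
    t = text.strip()
    if re.fullmatch(r"(?:[IVXLCDM]+|[.,])(?:\s+(?:[IVXLCDM]+|[.,]))*", t):
        return "roman"
    if re.fullmatch(r"[01]{8}(?:\s+[01]{8})*", t):
        return "binary"
    if re.fullmatch(r"[0-9a-fA-F]+", t) and len(t) % 2 == 0:
        return "hex"
    return None


def decode_layer(kind, text):
    """Decode one layer of the named kind."""
    t = text.strip()
    if kind == "hex":
        return bytes.fromhex(t).decode("utf-8")
    if kind == "binary":
        return "".join(chr(int(b, 2)) for b in t.split())
    if kind == "roman":
        pieces = []
        for tok in t.split():
            if tok == ",":
                pieces.append(", ")
            elif tok == ".":
                pieces.append(".")
            else:
                pieces.append(str(from_roman(tok)))
        return "".join(pieces)
    raise ValueError("unknown layer kind: %s" % kind)


def peel(text, max_layers=10):
    """Strip encodings one at a time; returns [(kind, decoded), ...] until plaintext."""
    layers = []
    for _ in range(max_layers):
        kind = layer_type(text)
        if kind is None:
            break
        try:
            text = decode_layer(kind, text)
        except (ValueError, UnicodeDecodeError):
            break          # looked like that encoding but was not; keep what we have
        layers.append((kind, text))
    return layers


def encode_chain(coords):
    """Constructed sample input (assumed layout): digits as Roman numeral tokens,
    then 8-bit binary of that token string, then hex of the binary text."""
    tokens = [to_roman(int(ch)) if ch.isdigit() else ch
              for ch in coords if ch.isdigit() or ch in ".,"]
    roman_text = " ".join(tokens)
    binary_text = " ".join(format(ord(c), "08b") for c in roman_text)
    return binary_text.encode("ascii").hex()


if __name__ == "__main__":
    for kind, decoded in peel(encode_chain("2.478615, 45.621192")):
        print(f"{kind:>6}: {decoded[:60]}")
```

The `try`/`except` in `peel` matters on real data: a plaintext word such as "cafe" passes the hex check, and stopping on a failed UTF-8 decode is what keeps the loop from swallowing it.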

Somalia

Crime Scene Investigation

The cipher in the image is a type of Pigpen cipher.

I found a way to decipher it here.

THE TRUTH IS OUT THERE SOMEWHERE

It is a Caesar cipher. Without knowing the shift, we can brute-force all 25 possible shifts using this tool and pick the one that reads as English.
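As an added example (not the online tool the author used), this is the same brute force in code: try every shift, then rank the candidates by how many tokens are common English words, with a crude letter-frequency count as tie-breaker. The ciphertext is constructed by enciphering the known plaintext with a shift of 7; the word list is deliberately short and is an assumption, not a standard list.

```python
import string

# short list of high-frequency English words used to rank candidate plaintexts (assumed)
COMMON_WORDS = {"the", "and", "of", "to", "in", "is", "it", "you", "that", "for", "was", "with"}


def caesar(text, shift):
    """Shift ASCII letters by `shift` positions (negative or >26 is fine); other characters unchanged."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = "A" if ch.isupper() else "a"
            out.append(chr((ord(ch) - ord(base) + shift) % 26 + ord(base)))
        else:
            out.append(ch)
    return "".join(out)


def brute_force(ciphertext):
    """All 26 candidate plaintexts, keyed by the encryption shift that would produce the ciphertext."""
    return {k: caesar(ciphertext, -k) for k in range(26)}


def english_score(text):
    """Heuristic ranking: common-word hits first, then a rough letter-frequency count as tie-breaker."""
    words = [w.strip(".,;:!?\"'").lower() for w in text.split()]
    hits = sum(1 for w in words if w in COMMON_WORDS)
    freq = sum(text.lower().count(c) for c in "etao")
    return (hits, freq)


def best_guess(ciphertext):
    """Return (shift, plaintext) for the highest-scoring candidate."""
    candidates = brute_force(ciphertext)
    shift = max(candidates, key=lambda k: english_score(candidates[k]))
    return shift, candidates[shift]


if __name__ == "__main__":
    sample = caesar("Follow the money", 7)   # constructed ciphertext: "Mvssvd aol tvulf"
    for k, plaintext in brute_force(sample).items():
        print(f"{k:2d}: {plaintext}")
    print("best:", best_guess(sample))
```

On a text this short the frequency tie-breaker alone would be unreliable, which is why whole-word hits are ranked first; for longer ciphertexts a chi-squared test against English letter frequencies is the usual choice.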

Follow the money

There is a UK missing persons database that we can access here. We just need to enter the case reference number.

Northface

We can use Ancestry or Findmypast to find information in the death records.

1996

We can search for the address online, and the first hit brings us to a UK planning website.

On the right side of the page, there is a link to submit support for or an objection to the application. Clicking it shows all the submitted supports/objections.

There is only one objection, and it comes from Mrs. Mary Landon Goodman.

Mary Landon Goodman

We can start by searching for a part of the text online.

It is the script of Macbeth, Act V, Scene 2. We can then search for “Macbeth broken thumb” to find which actor broke their thumb while playing Macbeth.

James McAvoy

The “91V” is the tire load index, which tells us the maximum load each tire can carry.

We then need to do some calculations:

1. Multiply 615KG by 4 (the number of tires) = 2460KG

2. Subtract the car's weight (2200KG) and the driver's weight (85KG) = 175KG

3. Subtract the total weight of the engine blocks (160KG x 3) = -305KG

305KG

We need to assemble the face correctly before doing a reverse image search. We can use a collage maker for this.

The first result is a picture of the Prime Minister of New Zealand, Jacinda Ardern.

Jacinda Ardern

Financial Crime

We can use Docoh, a free stock research platform, to see the details of a traded stock. In the Institutional tab, we can see the institutions that own GME stock.

Sorting the table by the December 2020 column shows that FMR is the top holder of GME stock.

FMR is also known as Fidelity Investments.

Fidelity

We start by searching for how much the EU pays for the vaccines. A Reuters article states the price.

Then we can calculate the percentage rise in the vaccine price.

600%
