BTLO Countdown Walkthrough
Countdown Video Walkthrough
NYC Police received information that a gang of attackers has entered the city and are planning to detonate an explosive device. Law enforcement have begun investigating all leads to determine whether this is true or a hoax.
Persons of interest were taken into custody, and one additional suspect named ‘Zerry’ was detained while officers raided his house. During the search they found one laptop, collected the digital evidence, and sent it to NYC digital forensics division.
Police believe Zerry is directly associated with the gang and are analyzing his device to uncover any information about the potential attack.
Disclaimer: The story, all names, characters, and incidents portrayed in this challenge are fictitious and any relevance to real-world events is completely coincidental.
- Window File Analyzer
- Jumplist Explorer
- SQLite DB Browser
Verify the Disk Image. Submit SectorCount and MD5
The first question is quite straightforward, we can find the answer under “Desktop -> Investigation Files-> Disk Image -> Zerry -> Zerry.E01(text file)”, we can see the md5 presented in the file.
What is the decryption key of the online messenger app used by Zerry?
The online messenger key could locate in the file system. Open the “Countdown.aut” file under “Desktop -> Countdown” in Autopsy.
Under the “Zerry.E01 disk -> Volumn 3 -> Users -> ZerryD -> App Data -> Roaming”, we find the secure messenger used by the criminals is Signal. We can extract the whole folder to the “Export” for futhur investigation.
For decryption key, let’s checkout the app’s config file to see what we can find. We find the raw key in the “config.json” file!
What is the registered phone number and profile name of Zerry in the messenger application used?
With the decryption key in hand, we can use it to decrypt the database and read the data from it. We will open the Signal Database via SQLiteBrowser under tools folder. Use the raw key we found early to decrypt the database. Notice I chose the raw key and added “0x” before my key.
Now, we have a decrypted database.
Under Conversation table, we can find the Zerry’s username and phone number. Note the profile name has an emoji “fire” in it if you search on google.
What is the email id found in the chat?
We can find the email used under “messages_fts” table.
What is the filename(including extension) that is received as an attachment via email?
From the conversation, we find the criminals are trying to bomb the city. Zerry wants to know the bomb time. So, a image file contains date and time was being downloaded. We can locate the image file downloaded at Autopsy Recent Documents. The emoji for the filename are “time” and “Calender”.
What is the Date and Time of the planned attack?
I used hint provided by BTLO for this question, we need to extract the “thumbcache256.db” under
Then use “Thumbcache Viewer” under tools folder to open the database to view the images.
Answer: 01-02-2021 9:00 am
What is the GPS location of the blast? The format is the same as found in the evidence . [Hint: Encode(XX Degrees,XX Minutes, XX Seconds)]
The last question is quite tricky since you need to be very familar with the file system in order to solve it. I used hint provided by BTLO for this question. First, we need to locate the stickynote the criminal left based on the hint. Frist, lets export the folder the file located at from Autopsy. The folder is
By searching the file “plum.sqlite” in the exported folder, we can locate its location and use SQLiteBrowser to open it.
Locate the note under “Note” table. We got the encoded GPS location. Now, we need to find a way to decode it!
Encoded GPS Location:
Based on the hint, we knew they used Tor browser, so lets find the Tor browser folder and extract the file “places.sqlite”.
File full path:
Open the “places.sqlite” with the SqliteBrowser, under table “moz_places” we find the encoded website is “https://rot13.com/”.
We can perform the decode with the same website.
Answer: 40 degrees 45 minutes 28.6776 seconds N, 73 degrees 59 minutes 7.944 seconds W
That’s all for today, hope you enjoyed the walkthrough and learned something new! I will keep posting more BTLO writeups as I make progress on the platform. Thank you for stoping by :)