AF-2DFB-MB · Mobile (Android)
Deleted Message
DOWNLOADABLE real SQLite. Recover the DELETED incriminating message from the freelist of a messaging app. A live 'promo' message is a decoy.
Scenario
The artifact is an Android-style messaging database (.db). The suspect DELETED an incriminating message, but because secure_delete is off, the row remains in the freelist and is recoverable. A naive SELECT or grep also shows a live fake 'promotion' message. Recover the deleted message's flag and sender; do not report the live decoy.
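The freelist recovery this scenario relies on, as an added example that is not part of the challenge's own materials: it builds a constructed database with secure_delete off, then walks the freelist in the raw file and decodes the records left on freed table-leaf pages, while a plain SELECT returns only the live decoy. The `messages` schema, the phone numbers and the FLAG values are assumptions made up for the sample, and the sample clears the whole conversation so that entire pages are released to the freelist.

```python
import sqlite3, struct

def build_sample(path):  # constructed data: a cleared conversation, then a live promo decoy
    con = sqlite3.connect(path)
    con.executescript("PRAGMA auto_vacuum=NONE; PRAGMA secure_delete=OFF;"
                      "CREATE TABLE messages(id INTEGER PRIMARY KEY, sender TEXT, body TEXT);")
    rows = [(f"+1555010{i % 10}", f"chat line {i} " + "x" * 200) for i in range(200)]
    rows[100] = ("+15550199", "FLAG{constructed-deleted}")
    con.executemany("INSERT INTO messages(sender, body) VALUES(?, ?)", rows)
    con.commit()
    con.execute("DELETE FROM messages")  # emptied pages join the freelist, content intact
    con.execute("INSERT INTO messages(sender, body) VALUES('PROMO', 'FLAG{constructed-decoy}')")
    con.commit()
    con.close()

def varint(buf, pos):  # SQLite varint -> (value, position after it)
    val = 0
    for i in range(8):
        val = (val << 7) | (buf[pos + i] & 0x7F)
        if buf[pos + i] < 0x80:
            return val, pos + i + 1
    return (val << 8) | buf[pos + 8], pos + 9

def freelist_pages(db):  # yield the raw bytes of every freelist trunk and leaf page
    size = 65536 if (s := struct.unpack(">H", db[16:18])[0]) == 1 else s
    trunk, seen = struct.unpack(">I", db[32:36])[0], set()
    while trunk and trunk not in seen:  # 'seen' stops a looped trunk chain
        seen.add(trunk)
        page = db[(trunk - 1) * size : trunk * size]
        nxt, n = struct.unpack(">II", page[:8])
        n = min(n, size // 4 - 2)  # clamp a corrupt leaf count to what fits in a page
        for no in (trunk, *struct.unpack(f">{n}I", page[8 : 8 + 4 * n])):
            yield db[(no - 1) * size : no * size]
        trunk = nxt

def carve_messages(db):  # yield (rowid, sender, body) from freed table-leaf pages
    for page in freelist_pages(db):
        if page[0] != 0x0D:  # trunk page: b-tree header overwritten, needs raw carving
            continue
        ncell = struct.unpack(">H", page[3:5])[0]
        for ptr in struct.unpack(f">{ncell}H", page[8 : 8 + 2 * ncell]):
            _, pos = varint(page, ptr)      # payload size (sample rows never overflow)
            rowid, pos = varint(page, pos)
            _, p = varint(page, pos)        # record header length
            _, p = varint(page, p)          # id: NULL placeholder for the rowid alias
            ts, p = varint(page, p)         # sender: TEXT, (ts - 13) // 2 bytes
            tb, p = varint(page, p)         # body: TEXT, (tb - 13) // 2 bytes
            b = p + (ts - 13) // 2
            yield rowid, page[p:b].decode(), page[b : b + (tb - 13) // 2].decode()
```

A row deleted on its own can instead stay in the unallocated space of a page that is still in use, so a full examination also carves live pages and the freelist trunk page rather than relying on the freelist leaves alone.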
Anti-forensics techniques
- Deleted record recovery (SQLite freelist)
- Live fake message (red herring)
Provided artifacts
- SQLite database (Android messaging app .db)
Sample questions
- q1: What flag is recovered from the deleted message?
- q2: Who sent the deleted message (sender)?
- q3: What is the state of the key evidence message? (deleted)
- trap1: Do NOT report the live 'promo' message's flag as evidence.
Soundness trap
The live promo message appears in SELECT but is harmless; reporting it is heavily penalized. The real evidence is the DELETED one (freelist).
Scoring
Deleted-record recovery + live-decoy resistance (soundness).
The answer key is hidden (scored set); the flag is encrypted, and you must decrypt it.