Digital Forensics Report: The Crime — Android Mobile Device Forensics of a Homicide Victim
Platform: CyberDefenders
Challenge: The Crime
Category: Endpoint Forensics
Difficulty: Easy
Tools: ALEAPP, DB Browser for SQLite, Linux Command Line
Achievement: Proof of Completion
1. Executive Summary
Incident Type: Homicide Investigation / Mobile Device Forensics
Device: Android smartphone belonging to the victim
In this investigation, we are tasked with analyzing the mobile device of a homicide victim. Witness testimonies suggest the victim was heavily involved in trading, incurred massive debt, and exhibited unusual travel and communication patterns shortly before the incident. Our objective is to parse the Android file system using ALEAPP, reconstruct the victim’s activities from application data, SMS records, contact databases, and cached images, and document the digital evidence that connects the victim to key persons of interest, financial motive, and pre-incident travel plans.
Indicators of Compromise (IOCs)
| Type | Indicator | Description |
|---|---|---|
| Trading App Package | com.ticno.olymptrade | Primary trading application installed on the device |
| APK SHA256 | 4f168a77...e9df3c | Cryptographic hash of the base.apk installation file |
| Creditor Phone | +201172137258 | Phone number of the aggressive debt collector |
| Creditor Name | Shady Wahab | Contact saved in the victim’s address book |
| Debt Amount | 250,000 | Monetary value demanded in threatening SMS |
| Location (Sep 20) | The Nile Ritz-Carlton | Victim’s location per Google Maps snapshot |
| Booked Flight | Egypt Airlines → Las Vegas | Boarding pass found in /data/media/0/Download |
| Meeting Venue | The Mob Museum | Arranged via Discord with user rob1ns0n. |
| Discord Contact | rob1ns0n. | Friend the victim arranged to meet in Las Vegas |
MITRE ATT&CK Mapping Overview
| Tactic | Technique | ID |
|---|---|---|
| Collection | Data from Local System — SMS Database | T1005 |
| Collection | Data from Local System — Contacts Database | T1005 |
| Discovery | File and Directory Discovery — APK Enumeration | T1083 |
| Collection | Screen Capture — Android Recent Apps Snapshots | T1113 |
| Collection | Data from Information Repositories — Discord Chat Logs | T1213 |
2. Phase 1: Identifying the Trading Application (Question 1)
Objective: Identify the SHA256 hash of the trading application the victim primarily used.
Android applications are installed as .apk files, typically stored in the /data/app/ directory under their specific reverse-domain package name. By analyzing the installed applications via ALEAPP’s package parsing module or manual file system browsing, we identified a package named com.ticno.olymptrade — the Olymp Trade financial trading platform.
To verify the file and obtain its unique cryptographic signature, we navigated to the application’s directory in the extracted file system using the terminal and hashed the core installation file (base.apk) using the sha256sum utility.
Command Used:

```shell
sha256sum base.apk
```
Analyst Note: Hashing application binaries is a fundamental forensic step. The SHA256 hash serves as a digital fingerprint — it can be submitted to VirusTotal or compared against known-good application hashes to verify integrity and rule out trojanized versions.
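The hashing step above generalises to every installed package. The following Python is an added illustration, not part of the challenge files or of ALEAPP: it walks an extracted /data/app tree, hashes each base.apk in a streaming fashion and checks the result against a known-good table seeded with the Q1 hash. The directory convention it relies on (package name before the first `-` in the install directory, for both the older `/data/app/<pkg>-<suffix>/` and the Android 11+ `/data/app/~~<random>==/<pkg>-<random>==/` layouts) and the constructed stand-in APK bytes are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# Known-good hash for the victim's trading app, taken from this report's Q1 answer.
EXPECTED_HASHES = {
    "com.ticno.olymptrade": "4f168a772350f283a1c49e78c1548d7c2c6c05106d8b9feb825fdc3466e9df3c",
}


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA256 so a large APK never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def package_from_dirname(dirname):
    """Installed apps live in /data/app/<pkg>-<suffix>/ (older Android) or
    /data/app/~~<random>==/<pkg>-<random>==/ (Android 11+). Either way the
    leaf directory starts with the package name followed by '-' (assumption)."""
    return dirname.split("-", 1)[0]


def enumerate_apks(data_app_root):
    """Return {package_name: sha256(base.apk)} for every base.apk under /data/app."""
    hashes = {}
    for base_apk in sorted(Path(data_app_root).rglob("base.apk")):
        hashes[package_from_dirname(base_apk.parent.name)] = sha256_file(base_apk)
    return hashes


def verify_against_known(hashes, expected=EXPECTED_HASHES):
    """'match' / 'MISMATCH' against the known-good table, 'unknown' if not listed.
    A MISMATCH on a known package is the cue to pull that APK for deeper review."""
    report = {}
    for pkg, digest in hashes.items():
        if pkg not in expected:
            report[pkg] = "unknown"
        else:
            report[pkg] = "match" if expected[pkg] == digest else "MISMATCH"
    return report


def build_constructed_tree(root):
    """Create a constructed /data/app layout (stand-in bytes, not the real APKs)."""
    new_style = Path(root, "data", "app", "~~demoRandom==", "com.ticno.olymptrade-demoRandom==")
    old_style = Path(root, "data", "app", "com.example.notes-1")
    for d in (new_style, old_style):
        d.mkdir(parents=True)
    (new_style / "base.apk").write_bytes(b"PK\x03\x04 constructed stand-in for base.apk")
    (old_style / "base.apk").write_bytes(b"PK\x03\x04 another constructed apk body")
    return Path(root, "data", "app")


def demo():
    """Hash and verify the constructed tree; returns (hashes, report)."""
    with tempfile.TemporaryDirectory() as tmp:
        hashes = enumerate_apks(build_constructed_tree(tmp))
    return hashes, verify_against_known(hashes)


if __name__ == "__main__":
    hashes, report = demo()
    for pkg, digest in hashes.items():
        print(f"{digest}  {pkg}  [{report[pkg]}]")
```

Against a real extraction, point `enumerate_apks` at the mounted `data/app` directory; the constructed stand-in reports MISMATCH for com.ticno.olymptrade precisely because its bytes are not the real APK, which is the behaviour you want when a package name is right but the binary is not.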
Answer Q1
What is the SHA256 hash of the trading application?
4f168a772350f283a1c49e78c1548d7c2c6c05106d8b9feb825fdc3466e9df3c
3. Phase 2: Financial Motive — SMS & Contact Analysis (Questions 2 & 3)
Objective: Determine the debt amount and identify the creditor threatening the victim.
Quantifying the Debt
Native text messages (SMS) on Android are stored in the Telephony Provider database, specifically mmssms.db (usually located at /data/user_de/0/com.android.providers.telephony/databases/).
Using ALEAPP to parse the SMS logs, we examined messages matching the witness’s timeline of aggressive threatening communications. We located an unread, incoming message demanding repayment. The sender explicitly states the monetary value required — 250,000.
Identifying the Creditor
In digital forensics, correlation is key. From the SMS analysis, we identified the threatening message originated from the phone number +201172137258.
To map this number to a human identity, we analyzed the Android Contacts database (contacts2.db located at /data/data/com.android.providers.contacts/databases/). By querying this database using ALEAPP’s Contacts parsing module for that specific phone number, we found the display name the victim had saved for this individual: Shady Wahab.
Analyst Note: Cross-referencing phone numbers between the SMS database and the Contacts database is a standard forensic correlation technique. The contact name assigned by the victim themselves provides critical context — it confirms the victim knew the creditor personally, not just as an unknown caller.
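The SMS-to-contact correlation described in this phase can be reproduced as one cross-database query. The Python below is an added example, not ALEAPP code and not the challenge databases: it builds in-memory stand-ins for mmssms.db and contacts2.db using the real table and column names (`sms`; `raw_contacts`, `data`, `mimetypes`) with constructed rows, ATTACHes the contacts database, normalises phone numbers so a contact saved in local format still matches an international sender, and extracts the amount from incoming messages that carry debt or threat language. The keyword list, the trailing-10-digit normalisation rule, the timestamps and all message text are assumptions.

```python
import re
import sqlite3
from datetime import datetime, timezone

PHONE_MIMETYPE = "vnd.android.cursor.item/phone_v2"  # contacts2.db row type holding phone numbers
SMS_INBOX, SMS_SENT = 1, 2                            # mmssms.db sms.type values
THREAT_KEYWORDS = ("owe", "pay", "debt", "money", "last warning", "or else")  # assumption


def normalize_number(raw):
    """Compare numbers on their trailing 10 digits so '+20 117 213 7258' and
    '01172137258' (local format) line up despite country code / leading zero."""
    digits = re.sub(r"\D", "", raw or "")
    return digits[-10:]


def amount_in_text(body):
    """First monetary figure in a message: 250,000 / 250.000 / 250000 -> 250000."""
    m = re.search(r"\b\d{1,3}(?:[,.]\d{3})+\b|\b\d{4,}\b", body)
    return int(re.sub(r"\D", "", m.group(0))) if m else None


def ms_to_iso(ms):
    """sms.date is stored as epoch milliseconds."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat()


def open_constructed_evidence():
    """In-memory stand-ins for mmssms.db (main) and contacts2.db (attached as
    `contacts`) using the real table and column names but constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("ATTACH DATABASE ':memory:' AS contacts")
    con.executescript("""
        CREATE TABLE sms (_id INTEGER PRIMARY KEY, thread_id INTEGER, address TEXT,
                          date INTEGER, read INTEGER, type INTEGER, body TEXT);
        CREATE TABLE contacts.raw_contacts (_id INTEGER PRIMARY KEY, display_name TEXT);
        CREATE TABLE contacts.mimetypes (_id INTEGER PRIMARY KEY, mimetype TEXT);
        CREATE TABLE contacts.data (_id INTEGER PRIMARY KEY, raw_contact_id INTEGER,
                                    mimetype_id INTEGER, data1 TEXT);
    """)
    con.executemany("INSERT INTO sms VALUES (?,?,?,?,?,?,?)", [
        (1, 1, "+201172137258", 1695100000000, 0, SMS_INBOX,
         "Last warning. You owe me 250,000 and I want it by Friday or else."),
        (2, 2, "+201001234567", 1695000000000, 1, SMS_INBOX, "Call me when you land."),
        (3, 3, "9292", 1694900000000, 1, SMS_INBOX, "Your verification code is 483920."),
        (4, 1, "+201172137258", 1695150000000, 1, SMS_SENT, "I need two more weeks."),
    ])
    con.executemany("INSERT INTO contacts.raw_contacts VALUES (?,?)",
                    [(1, "Shady Wahab"), (2, "Mom")])
    con.executemany("INSERT INTO contacts.mimetypes VALUES (?,?)",
                    [(5, PHONE_MIMETYPE), (6, "vnd.android.cursor.item/email_v2")])
    con.executemany("INSERT INTO contacts.data VALUES (?,?,?,?)", [
        (1, 1, 5, "01172137258"),            # saved in local format, no country code
        (2, 2, 5, "+201001234567"),
        (3, 1, 6, "shady@example.invalid"),  # e-mail row must not be joined as a phone
    ])
    return con


def correlate_inbox_with_contacts(con):
    """Join incoming SMS to contact display names via the normalised number."""
    con.create_function("norm", 1, normalize_number)
    rows = con.execute("""
        SELECT s._id, s.address, s.date, s.read, s.body, rc.display_name
          FROM sms AS s
          LEFT JOIN contacts.data AS d
                 ON norm(d.data1) = norm(s.address)
                AND d.mimetype_id = (SELECT _id FROM contacts.mimetypes WHERE mimetype = ?)
          LEFT JOIN contacts.raw_contacts AS rc ON rc._id = d.raw_contact_id
         WHERE s.type = ?
         ORDER BY s.date
    """, (PHONE_MIMETYPE, SMS_INBOX)).fetchall()
    return [{"id": r[0], "sender": r[1], "sender_name": r[5],
             "received": ms_to_iso(r[2]), "unread": r[3] == 0, "body": r[4]} for r in rows]


def find_threats(messages):
    """Keep messages carrying debt/threat language and pull out the amount demanded."""
    hits = []
    for m in messages:
        low = m["body"].lower()
        if any(k in low for k in THREAT_KEYWORDS):
            hits.append({**m, "amount": amount_in_text(m["body"])})
    return hits


if __name__ == "__main__":
    for t in find_threats(correlate_inbox_with_contacts(open_constructed_evidence())):
        print(t["received"], t["sender"], t["sender_name"], t["amount"],
              "unread" if t["unread"] else "read")
```

The number normalisation is the part most often skipped: a contact saved as 01172137258 never equals the sender string +201172137258 in a plain `=` join, and the correlation then fails silently and the threat stays attributed to an unknown number. Restricting the join to the phone mimetype matters for the same reason; without it an e-mail row for the same contact can satisfy the join with garbage.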
Answer Q2
How much money does the victim owe?
250000
Answer Q3
What is the name of the person to whom the victim owes money?
Shady Wahab
4. Phase 3: Location Intelligence — Google Maps Snapshot (Question 4)
Objective: Determine where the victim was located when they departed their residence on September 20, 2023.
Android devices frequently take “snapshots” of an application’s screen right before the app is pushed to the background. These cached images are used to create the smooth visual transition in the “Recent Apps” menu and are stored in the device’s system directory. These snapshots are highly valuable forensic artifacts — they preserve the exact state of an application at the moment the user switched away from it.
In ALEAPP, we examined the Application/Packages data for Google Maps (com.google.android.apps.maps). The system retained a snapshot image (6.jpg) taken on September 20. Viewing this image reveals the exact location the victim was viewing or navigating from on the map interface.
Analyst Note: Recent Apps snapshots are an often-overlooked forensic goldmine. Unlike GPS coordinates in location databases (which can be turned off), these visual snapshots capture what the user was actively viewing — including maps, conversations, and web pages — regardless of location service settings.
Answer Q4
Where was the victim located on September 20?
The Nile Ritz-Carlton
5. Phase 4: Travel Intelligence — Boarding Pass Recovery (Question 5)
Objective: Identify where the victim intended to travel based on a booked flight.
Flight tickets, boarding passes, and travel receipts are commonly downloaded to the device via browsers, email attachments, or messaging apps. These files typically land in the device’s user media storage — specifically the /data/media/0/Download directory.
By manually traversing the extracted file system to the Download folder, we discovered an image file named Plane Ticket.png. Opening this image revealed a boarding pass for Egypt Airlines showing the destination city.
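Both the Recent Apps snapshot of Phase 3 and the boarding pass of Phase 4 are image files located by browsing directories of an extracted file system. The Python below is an added example, not part of the original write-up or of ALEAPP: it inventories images in those locations by magic bytes rather than by extension (so a renamed or extension-less image is not missed), records size, modification time and SHA256 for the evidence log, and filters to a date of interest such as September 20. The snapshot path `data/system_ce/0/snapshots` is an assumption about where Android's task-snapshot persister writes Recent Apps images; the Download path is the one named above; every file, byte and timestamp in the fixture is constructed.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Where user-visible images tend to sit in an extracted Android file system.
# The snapshot location is an assumption (where Android's task-snapshot
# persister writes Recent Apps images); the Download path is from the report.
IMAGE_DIRS = (
    "data/system_ce/0/snapshots",   # Recent Apps snapshots, named <taskId>.jpg
    "data/media/0/Download",        # browser / e-mail / chat downloads
)


def image_kind(path):
    """Classify by magic bytes, not by extension: renamed or extension-less
    image files are common and would be missed by a '*.jpg' glob."""
    with open(path, "rb") as f:
        head = f.read(12)
    if head.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if head.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if head[:4] == b"RIFF" and head[8:12] == b"WEBP":
        return "webp"
    return None


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory_images(root, since=None, until=None, dirs=IMAGE_DIRS):
    """List image files under the given directories with size, modification
    time (UTC) and SHA256, optionally restricted to [since, until).
    Caveat: mtime is only evidential if the extraction preserved timestamps."""
    root = Path(root)
    rows = []
    for rel in dirs:
        base = root / rel
        if not base.is_dir():
            continue
        for p in base.rglob("*"):
            if not p.is_file():
                continue
            kind = image_kind(p)
            if kind is None:
                continue
            st = p.stat()
            mtime = datetime.fromtimestamp(st.st_mtime, tz=timezone.utc)
            if since is not None and mtime < since:
                continue
            if until is not None and mtime >= until:
                continue
            rows.append({
                "path": p.relative_to(root).as_posix(),
                "kind": kind,
                "size": st.st_size,
                "modified": mtime.isoformat(),
                "sha256": sha256_file(p),
            })
    rows.sort(key=lambda r: r["modified"])
    return rows


def build_constructed_tree(root):
    """Constructed files (not the challenge evidence) with explicit mtimes (UTC epoch)."""
    root = Path(root)
    files = [
        ("data/system_ce/0/snapshots/6.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 64, 1695201300),  # 2023-09-20 09:15
        ("data/system_ce/0/snapshots/6.proto", b"\x0a\x04task", 1695201300),                   # metadata, not an image
        ("data/media/0/Download/Plane Ticket.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 64, 1694736000),  # 2023-09-15
        ("data/media/0/Download/photo.dat", b"\xff\xd8\xff\xe1" + b"\x00" * 32, 1695232800),    # 2023-09-20 18:00, wrong extension
        ("data/media/0/Download/notes.txt", b"not an image", 1695232800),
    ]
    for rel, data, mtime in files:
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
        os.utime(p, (mtime, mtime))
    return root


def demo():
    """Returns (all_images, images_modified_on_2023_09_20) for the constructed tree."""
    day = datetime(2023, 9, 20, tzinfo=timezone.utc)
    next_day = datetime(2023, 9, 21, tzinfo=timezone.utc)
    with tempfile.TemporaryDirectory() as tmp:
        root = build_constructed_tree(tmp)
        everything = inventory_images(root)
        sep20 = inventory_images(root, since=day, until=next_day)
    return everything, sep20


if __name__ == "__main__":
    for row in demo()[1]:
        print(row["modified"], row["kind"], row["size"], row["sha256"][:16], row["path"])
```

Run against a real extraction, `inventory_images(mount_point, since=..., until=...)` gives a hashed, time-ordered list of candidate images for the day in question; the `.proto` file next to each snapshot is skipped because it is not an image, while `photo.dat` is kept because its bytes say JPEG regardless of the name.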
Answer Q5
Where did the victim intend to travel?
Las Vegas
6. Phase 5: Communication Intelligence — Discord Chat Analysis (Question 6)
Objective: Determine where the victim arranged to meet a friend via Discord.
Third-party applications like Discord do not use the native Android SMS database. They maintain their own independent SQLite databases or cache files to store chat history locally on the device. This means SMS parsers will miss these communications entirely — a dedicated parser or manual database inspection is required.
ALEAPP includes a dedicated parser for Discord chats. By reviewing the parsed Discord communications within the report, we identified a conversation between the victim and another user (rob1ns0n.) where they finalize their meetup plans, explicitly naming the venue: The Mob Museum in Las Vegas.
Analyst Note: The correlation between the booked flight (Las Vegas) and the Discord meetup location (The Mob Museum, Las Vegas) is significant. This establishes a clear chain: the victim planned to travel to Las Vegas specifically to meet this Discord contact, providing investigators with a secondary lead to pursue.
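The Discord data ALEAPP parses consists of cached message objects in the shape Discord's API returns (id, channel_id, author, content, timestamp, attachments). The Python below is an added example, not ALEAPP's Discord parser and not the challenge data: it recovers the JSON array from a cache-style file, drops the non-message objects that share the cache, orders the thread chronologically (the API returns newest first) and searches it for a term. The header-stripping heuristic, the placeholder account name `victim_user` and all message text are constructed; only the username rob1ns0n. and the venue come from the report.

```python
import json
import re


def extract_json(blob: bytes):
    """Discord's on-disk cache can wrap a JSON body in cache metadata. Heuristic
    (an assumption here, not ALEAPP's own parser): try the whole blob first,
    then fall back to the outermost [...] span."""
    text = blob.decode("utf-8", errors="ignore")
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        start, end = text.find("["), text.rfind("]")
        if start == -1 or end <= start:
            return []
        try:
            return json.loads(text[start:end + 1])
        except json.JSONDecodeError:
            return []


def parse_messages(blob: bytes):
    """Flatten REST-style Discord message objects into dicts sorted per channel
    by timestamp, so the thread reads in the order it was written."""
    raw = extract_json(blob)
    if isinstance(raw, dict):
        raw = [raw]
    msgs = []
    for m in raw:
        if not isinstance(m, dict) or "author" not in m or "content" not in m:
            continue  # channel/user metadata objects share the cache; skip them
        msgs.append({
            "id": m.get("id"),
            "channel_id": m.get("channel_id"),
            "author": m["author"].get("username", "?"),
            "timestamp": m.get("timestamp", ""),
            "content": m["content"],
            "attachments": [a.get("filename") for a in m.get("attachments", [])],
        })
    msgs.sort(key=lambda x: (x["channel_id"] or "", x["timestamp"]))
    return msgs


def transcript(msgs):
    """One readable line per message for the report appendix."""
    return [f'{m["timestamp"]} <{m["author"]}> {m["content"]}' for m in msgs]


def search(msgs, pattern):
    """Case-insensitive regex search over message content."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [m for m in msgs if rx.search(m["content"])]


# Constructed cache file: a cache-style header followed by a JSON array in the
# order the API returns it (newest first). Only rob1ns0n. and the venue come
# from the report; the account victim_user and the wording are invented.
CONSTRUCTED_CACHE = b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n" + json.dumps([
    {"id": "c1", "type": 1, "recipients": [{"username": "rob1ns0n."}]},
    {"id": "4", "channel_id": "c1", "author": {"id": "u2", "username": "victim_user"},
     "content": "Deal.", "timestamp": "2023-09-18T20:06:00.000000+00:00", "attachments": []},
    {"id": "3", "channel_id": "c1", "author": {"id": "u1", "username": "rob1ns0n."},
     "content": "The Mob Museum, 2pm. Don't be late.",
     "timestamp": "2023-09-18T20:05:10.000000+00:00", "attachments": [{"filename": "map.png"}]},
    {"id": "2", "channel_id": "c1", "author": {"id": "u2", "username": "victim_user"},
     "content": "Friday morning. Where should we meet?",
     "timestamp": "2023-09-18T20:03:30.000000+00:00", "attachments": []},
    {"id": "1", "channel_id": "c1", "author": {"id": "u1", "username": "rob1ns0n."},
     "content": "When do you land in Vegas?",
     "timestamp": "2023-09-18T20:01:00.000000+00:00", "attachments": []},
]).encode()


if __name__ == "__main__":
    msgs = parse_messages(CONSTRUCTED_CACHE)
    print("\n".join(transcript(msgs)))
    for hit in search(msgs, r"meet|museum"):
        print("HIT:", hit["author"], "->", hit["content"])
```

Keeping the attachment filenames in the flattened record is deliberate: a shared image or map in the same message is often the artifact that ties the chat to a file elsewhere on the device, such as the Download folder reviewed in Phase 4.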
Answer Q6
Where did the victim arrange to meet a friend via Discord?
The Mob Museum
7. Conclusion
The Crime investigation demonstrates how Android mobile device forensics can reconstruct a victim’s final activities, financial relationships, and travel plans from native system artifacts and third-party application data. Key findings:
- Trading Activity: The victim used Olymp Trade (com.ticno.olymptrade) — confirmed via APK hashing with sha256sum.
- Financial Motive: SMS analysis revealed a 250,000 debt owed to Shady Wahab (+201172137258), with threatening messages demanding repayment.
- Location on Sep 20: Google Maps Recent Apps snapshot placed the victim at The Nile Ritz-Carlton in Cairo.
- Travel Plans: A boarding pass in the Download folder confirmed an Egypt Airlines flight to Las Vegas.
- Discord Meetup: Chat logs revealed a planned meeting with rob1ns0n. at The Mob Museum in Las Vegas.
Key Takeaways for the SOC:
- ALEAPP is indispensable for Android forensics — it automates the parsing of hundreds of artifact types including SMS, contacts, app snapshots, and third-party chat databases, dramatically accelerating mobile investigations.
- Recent Apps snapshots are forensic goldmines — they preserve visual evidence of what the user was viewing at specific moments, even when location services are disabled or GPS data is unavailable.
- Third-party app databases require dedicated parsers — Discord, WhatsApp, Telegram, and Signal all store chat data in their own SQLite databases, not in the native SMS provider. Always parse application-specific databases to avoid intelligence gaps.
- Cross-database correlation is essential — linking phone numbers from SMS logs to the Contacts database transforms anonymous threats into named suspects with actionable investigative leads.
Analysis Date: June 13, 2026
Analyst: El OMARI Zakaria