Magnet Weekly CTF – Week 3

Note: This post was originally written and posted on Medium. It has been copied here for posterity.

The Challenge

The challenge for this week asked, “Which exit did the device user pass by that could have been taken for Cargo?” There was also a hint provided in the announcement video to look at a webinar done by Jessica Hyde and Christopher Vance on the difference between Android and iOS artifacts. This is where I began my investigation.

Solving the Challenge

Because we were looking for evidence of the device passing an exit, I thought the evidence would likely be a picture. This led me to begin my investigation in the /data/media folder and its subfolders. Unfortunately, nothing in these folders showed anything that said exit or cargo. At this point, I decided the best thing to do was watch the webinar that had been mentioned as a hint. About halfway through this webinar, Jessica talks about Android Motion Videos, Android’s response to iOS’ Live Photos. Not only does she demonstrate how they are simply MP4 files embedded in JPEGs, but she does this demonstration with one of the files from the data set we are working on. Jackpot.

My next step was to carve out the videos from each of these files. Originally I planned to do it manually with 010 Editor, as there were only 8 files on the phone; however, this was taking too long, so instead I threw together a Python script, which can be found here. After extracting the videos, I was able to see in the file located at /data/media/DCIM/Camera/MVIMG_20200307_130326.jpg that a video was taken of the device passing by the exit E16, which specified cargo.

Exit E16
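
The carving step described above, sketched as an added example (this is not the script linked in the post). It assumes the video is stored as a chain of MP4 boxes beginning with `ftyp` and containing `moov`, located after the JPEG data; the function names and the sample bytes are constructed for illustration.

```python
import struct
from pathlib import Path

def walk_boxes(data, start):
    """Walk top-level MP4 boxes from start; return (box types, end offset)."""
    types, pos = [], start
    while pos + 8 <= len(data):
        size, btype = struct.unpack_from(">I4s", data, pos)
        hdr = 8
        if size == 1 and pos + 16 <= len(data):   # 64-bit size follows the type
            size, hdr = struct.unpack_from(">Q", data, pos + 8)[0], 16
        elif size == 0:                           # box extends to end of file
            size = len(data) - pos
        if size < hdr or pos + size > len(data):  # not a plausible box: stop
            break
        types.append(btype)
        pos += size
    return types, pos

def find_embedded_mp4(data):
    """Return (start, end) of the MP4 embedded in a JPEG, or None."""
    if not data.startswith(b"\xff\xd8"):          # JPEG SOI marker
        return None
    idx = data.find(b"ftyp", 4)
    while idx != -1:
        start = idx - 4                           # box size precedes the type
        types, end = walk_boxes(data, start)
        # A stray "ftyp" in image data will not head a box chain with moov.
        if types[:1] == [b"ftyp"] and b"moov" in types:
            return start, end
        idx = data.find(b"ftyp", idx + 1)
    return None

def carve(path, out_dir):
    """Write the embedded video to out_dir; return the output path or None."""
    data = Path(path).read_bytes()
    span = find_embedded_mp4(data)
    if span is None:
        return None
    out = Path(out_dir) / (Path(path).stem + ".mp4")
    out.write_bytes(data[span[0]:span[1]])
    return out

def constructed_sample():
    """Constructed input: JPEG markers with a decoy 'ftyp', then tiny MP4 boxes."""
    def box(btype, body):
        return struct.pack(">I4s", 8 + len(body), btype) + body
    jpeg = b"\xff\xd8\xff\xe0" + b"ftyp in image data" + b"\xff\xd9"
    mp4 = box(b"ftyp", b"mp42" + bytes(4)) + box(b"moov", b"") + box(b"mdat", bytes(4))
    return jpeg, mp4
```

Call `carve(path, out_dir)` on each MVIMG file from a working copy of the image, and hash the source files before and after to confirm they were not modified.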
