Task 3 requires you to examine the TerrorTime’s local database. To complete this task you need to submit

I was provided a SQLite database that was recovered from a device with TerrorTime installed. I used DB Browser for SQLite to open and examine the database. _config.yml

I found two fully qualified domain names (FQDNs). The hostnames indicate they are for registration and chatting. I checked TerrorTime’s decompiled code in jadx to verify my interpretation. TerrorTime contains a class called ClientDBHandlerClass that handles interacting with the client’s database.


I found the below information by analyzing the variable names in the ClientDBHandlerClass.addOrUpdateClient function. One thing to note for later is that the username appears twice; in column one and column three.

Below is a brief explanation of the different columns.

The command dig can resolve a domain name to an IP address.


Back to Overview