Day by day, smartphones and tablets are becoming ever more popular, and as a result, the technology used in development to add new features or improve the security of such devices is advancing too fast. iPhone and iPad are the game-changer products launched by Apple. Apple operating system (IOS) devices started growing popular in the mobile world. The latest smartphones or tablets can perform ideally most of the tasks which could be performed on a laptop or personal computer. Show
IOS devices provide larger storage space that could store emails, browsing histories, chat histories, Wi-Fi data and GPS data and more. From the forensics perspective, such devices could present lots of useful artifacts during the investigation. There are well-defined procedures to extract and analyze data from IOS devices which are included in this paper. This paper could be divided into the following sections. Introduction to the forensic processes focused towards mobile forensics, extracting logical and physical data from the IOS devices, IOS file system and storage analysis, analysis of logical data, data from the iTunes and iCloud back up, Wi-Fi and GPS data. Overview of mobile forensics processesMobile forensics is a field of digital forensics which is focused on mobile devices which are growing very fast. Due to the exponential growth of the mobile market, the importance of mobile forensics has also increased. The mobile phone generally belongs to a single person so analysis of it could reveal lots of personal information. Due to the rapid growth, it also introduced challenges. The ratio of new models designed and launched is very high which makes it very difficult to follow similar procedures. Each case or investigation of the new model needs to be considered differently and requires following steps that could be different and unique to the case. With these challenges in mobile forensics, syncing mobiles phone to a computer using software becomes easy. One could extract data like SMS, contacts, installed applications, GPS data and emails, deleted data. CollectionBelow steps are recommended to follow during the collection of mobile device
PreservationPreservation of evidence is a very crucial step in digital forensics. If it is very important to maintain evidence integrity throughout the investigation. For mobile forensics below steps are good practices to follow:
AcquisitionThere are three methods used for the data extraction from the IOS devices. Below overview has been given about each.
iOS devices and file systemApple developed an operating system for iPhone, iPad and iPod Touch which is known as the IOS operating system. Devices running on IOS operating system are called IOS devices. HFS+ file systemApple developed Hierarchical File System (HFS) which provides large data sets. Disk formatted with HFS has 512-byte Blocks at Physical level. There are two types of Blocks in the HFS. Logical Blocks, which are numbered from first to last within the volume. They are also the size of 512 bytes same as physical blocks. Allocation blocks are a group of logical blocks used to track data. Allocation blocks are further grouped together called clumps to reduce fragmentation on volume. HFS uses both absolute time (Local time) as well as UNIX time so one can identify the location of the system. HFS files system uses catalog file system to organize data. It uses B * tree (Balanced tree) structure to organize data. Trees are consisting of nodes. When data are added or deleted, it runs the algorithm to keep balance. Figure 1. Structure of HFS+ File system
HFSX file system is a variation of HFS+ file system which is used in the Apple mobile devices. There is only one variation which is that it is case sensitive and it allows having two files with similar names but different case. PartitionsIOS Devices have two types of partitions. System partition and Data Partition System PartitionSystem partition does not contain more artifacts related to the investigation as it contains mostly system-related information like IOS operating system and pre-installed applications. The system partition is a Read-only as visible in below output of Private/etc./fstab. Figure 1. fstab An iPhone has a single disk, hence it is denoted as Disk0. The system partition is Disk0s1, and Data Partition is Disk0s2. Figure 2. System Partition We can find the user-configured password from the /private/etc./passwd file as shown below. Figure 3. Passwd file As seen in above screenshot, mobile and root password hashes can be retrieved from the passwd file. Further using password cracking tool like “John the Ripper” one can get the password. The root password is “Alpine” and which is the default for all the IOS devices. Data PartitionData partition contains user data and can provide lots of artifacts during the investigation. It is a Read/Write partition. The structure of this partition has been changed with the different version of the IOS. Below is the screenshot from the IOS device which is running on IOS 7. Figure 4. Data Partition The below directories are listed which could be of interest for the artifacts.
Property lists are the XML files used in the management of configuration of OS and applications. These files contain useful artifacts related to web cookies, email accounts, GPS Map routes and searches system configuration preferences, browsing history and bookmarks. These files could be open to the simple text editor to view the contents. Figure 5. Plist SQLite databasesLogical extraction of the iPhone could provide lots of SQLite database files as it uses SQLite databases to store user data, the tool SQLite browser is used to explore and read SQLite database which can be download from http://sqlitebrowser.org/ The main three databases are Call History, Address Book, and SMS databases. These databases could be extracted through applications available like SQLite database Browser as seen in the screenshot below. Figure 6. SQLite Database Browser Acquisition of iOS devicesPhone identificationDuring search and seizure, it is necessary that the examiner identifies the Phone model.
Figure 7. Model number printed on the back of the device
Figure 8. iDeviceinfo As seen in the above figure, we could extract the following listed important information about iDevice Device Class, Device Name, WiFiAddress, TelephonyCapability and HardwareModel, IOSversion Operating modes of iOS devicesIOS devices can be operated in three modes. 1) Normal mode 2) Recovery mode and 3) DFU mode. It is necessary that examiner or Investigator should be aware of this mode as this knowledge is required to decide during the investigation that on which mode device should be operated to extract data or efficient extraction of data. Normal modeWhen iPhone is switched on, it boots in an operating system, this is normal mode. In normal mode, the user could perform all regular activities. The normal mode boot process consists of three steps: Low-Level Bootloader, iBook and iOS kernel. These boot steps are signed to keep the integrity of the process. Recovery ModeThe device enters into recovery mode if during the normal boot process if any step is failed to load or verify. The screenshot below shows the screen during recovery mode. Figure 9. Screen during Recovery mode This mode is used to perform upgrades or restore iPhone devices. iPhone can be entered in recovery mode by following the steps below:
DFU modeDevice Firmware Upgrade mode is used to perform IOS upgrading, and it is a low-level mode for diagnosis. During boot up, if Boot ROM is not getting a load or verify, then iPhone presents the Black screen. The phone should be in DFU mode while using most acquisition techniques. Below steps needs to be performed to enter the iPhone in DFU mode.
Breaking passcodesThere are different methods of breaking the passcode of IOS. Depending on the version of IOS select the appropriate method. There are various tools that can perform such activity such as IP-Box, UFED lock recovery tool being a commercial tool and a python script in open source. We would be demonstrating a few of the methods of breaking passcodes for IOS. Using IP-Box to break Phone passcodeIf the device is locked using a four-digit passcode, then there are few tools available that could break this passcode. The IP-BOX device does a similar task for more information you can visit the URL IP-BOX is supported for devices up to IOS version 8.1.2. This kit contains Box, iPhone cable, USB cable, IP-BOX software used to configure patterns and using that IP-BOX firmware can be updated. IP-BOX once connected to the iPhone as shown in below figure, it would send predefined passcodes to the phones. These codes are from 0000 to 9999. The screenshot below shows the detected passcode of the iPhone using IP-BOX Figure 10. Passcode detected using IP-BOX Using Python script to Bruteforce passcodePerforming Bruteforce attack on iPhone at springboard level could lead to wiping data within the phone. But this protection mechanism is not getting applied at kernel extension. Some tools can access the forensic workstation on which iPhone is connected and could perform brute force attack by accessing pairing key through an escrow file to decrypt phone. To perform this examiner could follow the steps below:
These scripts communicate with the RAM disk on the Phone through Tcprelay.py with opened port 1999. This dumps the data protection keys into a directory named UDID by Brute forcing the system passcode and decrypting the System Keybag. Running the script would give the result as shown above. Now to brute force we need to hit the enter as mentioned by the script. Figure 11. Bruteforce performed using Script UFED User Lock Code RecoveryThis is a commercial tool licensed under Cellebrite that uses the same technique as IP-BOX. It requires a cable and camera to sense the screen of the connected Phone. As per the screenshot below, it can crack passcodes of IOS devices as well as Android. Figure 12. UFED User Lock Code Recovery Tool Direct acquisitioniDevice browser can be used to directly acquire data if the phone is not locked or lock down certificates is known. This is a very simple method as upon connecting the phone to the forensic workstation, iDevice Browser lists the files as shown below. Figure 13. iDevice browser Such software is working on forensic platforms that mean they could modify the data or accidentally override the evidence. iMazing, iFunBox, iExplorer, Wondershare Dr. Fone are tools that use the libraries from iTunes hence it requires an updated version of iTunes. These tools are running on Windows or MAC platforms. Before connecting the iPhone to the device, make sure the automatic syncing option is enabled on iTunes. This method is a very simple way to copy data using the browser. One can use logical acquisition method using the iDevice browser as an alternate, and it depends on the scenario. Another tool that can perform logical acquisition is described below. Logical acquisitionLogical acquisition can be performed with the help of various commercial tools such as Oxygen Forensic Suite, UFED physical analyzer, Cellebrite, Blacklight, XRY. We would be demonstrating Logical Acquisition with the help of Oxygen forensic suite and UFED physical analyzer tools below. Logical Acquisition using Oxygen Forensic SuiteUsing Oxygen Forensic Suite which is a commercial tool, we could perform logical acquisition of iPhone. Steps as described as below
As shown in below figure, if the password is known then examiner needs to enter and authorize password on the device and select the option “I entered the passcode. Press to connect” or select lockdown plist. Figure 14. Enter a passcode or choose lockdown certificate
Figure 15. Data to be extracted
Figure 16. Passware Kit password cracking Advance logical acquisition or file system dumpA file system dump or File system acquisition is usually referred to as an advanced logical acquisition, which is a subset of a physical image, could be performed by several well-known tools such as Cellebrite, Blacklight, Oxygen or XRY. As it provides access to the file system data, it allows more data to be extracted than logical acquisition. We would perform a file system dump using UFED. Using UFED Physical Analyzer to perform Advance logical acquisitionTo perform advanced logical extraction using UFED physical analyzer, the first step is to select the option to start IOS Device Extraction from the Extract menu of the Main Window. Figure 17. IOS device Extraction The next option would allow choosing Advance logical extraction or Physical mode. Once we select advanced logical extraction, it is necessary to have the phone connected to the Forensic Workstation as shown in the screenshot below. Figure 18. Advanced logical extraction The above figure shows which kind of artifacts tool could extract using Advance logical Extraction. If the device is locked, it would through an error message “iOS device is locked.” The analyst needs to unlock the device or put the lockdown certificate on the correct directory. While extracting the backup if the password is set, there are two methods offered by the tool. Method 1: provide the password of the backup or crack the backup password and extract the full data Method 2: extract partial data which are available to extract without cracking back up Figure 19. Extraction Method Upon selecting the extraction method, the Software would allow the user to choose a destination folder to extract the data. Method 1 is faster than method 2. Once extraction finishes, the tool shows a report stating the size of the data extracted and time taken. Figure 20. Extraction Status Physical acquisitionUsing physical acquisition, the examiner could extract almost all data by accessing phone memory and all files stored there. iOS devices use two types of memory: volatile and non-volatile. RAM load executes important parts of the operating system or application. It gets flushed once the device reboots. Username, passwords, encryption keys and more important artifacts could be found from the RAM. From a forensic perspective, it is crucial to extract information stored in RAM. NAND (non -volatile) memory would keep the data if it rebooted. System files and user data are stored in NAND flash. Using physical acquisition, bit by bit copy of the NAND can be acquired. Using custom RAM disk for the physical acquisitionThis method uses weaknesses in the boot process while the device is in DFU mode to load a custom RAM disk and get access to the file system. Forensic tools in the custom RAM disk dumps the file system over USB via SSH tunnel. If it is performed properly, then data within the phone would remain intact, and there will not be any alteration to data. So, there is less risk of distortion of evidence data. iPhone’s secure boot chain prevents loading RAM disk. Hence we use the method to exploit the BootROM vulnerability and patching stages as shown in the figure below. Figure 21. Custom RAM disk Forensic tools leverage this vulnerability to perform physical acquisition of iOS devices. The steps below show the process to acquire physical access to the IOS device using the UFED physical analyzer. This tool instructs the examiner to switch the device into DFU mode. Once the device is placed in the DFU mode, the tool will verify and provide an alert indicating that it is possible to perform physical acquisition using this method for this device or of the need to perform another method of acquisition. Once we proceed with the physical acquisition, the tool will start uploading Bootloader to iPhone. As soon as Bootloader is uploaded to the phone, the tool gets access to the NAND flash. It prompts the screen to extract system data or user data. If the connected phone is not jailbroken, then the system partition would be in read-only mode. As shown in the figure below, to acquire a full image, both data and system partition need to be selected. Most of the tools dump data and system partition as a single disk image. The selected tool dumps the image to a destination folder as shown below: Figure 22. Dumping Image of both partitions to the destination Jailbreaking an IOS deviceThis covers a method to Jailbreak IOS device 9. Using this method user could gain access to all partitions including the file system with read-write. This method is not accepted forensically because it may overwrite some important data but it allows performing physical acquisition efficiently. Jailbreak is a method to remove software restrictions and expand the feature set by a manufacturer like Apple in the case of IOS. This method is used when root access of the file system is required as well as for the physical acquisition. In this example, we used the tool Pangu Jailbreak, which can be found at http://www.downloadpangu.org/. Steps are described below,
Figure 23. Pangu Jailbreak Launch
Figure 24. Jailbreak notice The figure above shows the notice presented by the application. This warns the user about Data loss may occur as well as for the smoother and successive operation suggests switching the phone to airplane mode. It also suggests backing up data before proceeding further.
As shown in the screenshot below, at the progress of 75%, would be asked to unlock the device and run Pangu Jailbreak. Figure 25. Status at 75% progress
Figure 26. Device is Jailbroken Physically acquire IOS deviceA tool such as XRY, Cellebrite, Lantern, MPE, Elcomsoft could be used for the physical acquisition of IOS devices. The output of all the mentioned tools would either be a bitstream image (dd) or a DMG image file that can then be analyzed manually or with the help of a forensic analysis tool. We’ll demonstrate physical acquisition using Elcomsoft. Using Elcomsoft IOS Forensic Toolkit to Physically acquire IOS deviceElcomsoft IOS Forensic Toolkit is a commercial tool that allows us to take a Bit to Bit Image of iOS devices. It also supports the extraction of secret passwords and decryption of file systems.
Many important artifacts like Apple ID/Password, Wi-Fi passwords, and VPN credentials can be extracted from keys.plist All user data can be extracted using option 8, which acquires all user’s files as a tarball. This process takes time depending on the amount of user data. Upon finishing, the data extracts the .tar file. The figure below shows this process. Figure 28. User’s file Using option 6, the User can acquire a physical image of the device file system. The tool would prompt to select the option to choose whether to extract system and user data. Please refer to the screenshot below, in which option 2 has been chosen. Encrypted user data will then be extracted. To decrypt this data, we can use keys.the plist file which we extracted in the previous step. Figure 29. Physical Acquisition Elcomsoft Figure 30. Decrypting user data Using this decryption, we’ll get the image file user file-decypted.dmg, which is ready to mount. AnalysisData structure and artifactsThis section covers the analysis of the important artifacts that are generated by features of the system or interaction of the user with the device.
/private/var/mobile/Application: /User/Application points to this actual path /User/Applications/ ######-####-####-####-###########: # represents the UUID <Application_Home>/AppName.app: This file contains application bundle. This file doesn’t get backed up <Application_Home>/Documents/: This folder contains application related data files. <Application_Home>/Library/: This also holds application specific files. <Application_Home>/Library/Preferences/: This directory contains application preference files. <Application_Home>/Library/Caches/: This folder holds Application specific support file and doesn’t get backed up. <Application_Home>/tmp/: This folder contains temporary files.
The figure below shows the file and detail found from the file. Figure 31. iTunesMetadata.plist Mostly two types of files are encountered in the apple device: Plist: used for configuration files, mainly SQLite databases TimestampsWhile analyzing artifacts, it is important to determine the timestamp of that artifact. IOS device uses MAC Absolute time. There are resources available that can convert this timestamp to human-readable time. This is also performed using the date command with u switch on Mac, which will display time in UTC or on local time. DatabasesSQLite databases are most common data storage in IOS devices as well as other mobile platforms like Windows Phone. These databases are used to store data of native as well as third- party applications. There are many free/open-source tools available to explore SQLite database files. The most popular and widely used application is SQLite Database Browser, which has both GUI and command-line utility. Property List filesPlist or Property List files are the most commonly used data formats in IOS devices. These files stores configuration information, preferences, and settings. These files could be explored using a simple text editor. A tool commonly used to parse these files is plist Editor. Configuration filesInformation extracted from the configuration or preferences files could be important which investigation. Some important configuration files are listed below
/private/var/mobile/Library/Accounts/Accounts3.sqlite . This file holds account information. /private/var/mobile/Library/ DataAccess/AccountInformation.plist – This file contains information of the account which used to set up applications.
Preinstalled IOS applicationsIOS devices are provided with some pre-installed applications like Safari browser, e-mail client, calendar and basic phone function utilities like Camera, Call history. These artifacts can be found in the application folder itself. Data related to the communication, preferences, Internet history and cache, keyboard keystrokes can be found from the Library folder, /private/var/mobile/Library/ – If data is acquired through Physical acquisition, this path has files mentioned above. Backup service/mobile/Library/ – path for File system acquisition Library – Path from the Logical acquisition /private/var/mobile/Media/ or Media folder is also the important location that can provide artifacts like audio and pictures created by the user. Address BookContacts, Application related to personal contacts in SQLite database file format are available in Library folder of AddressBook folder. Two important databases are available in this folder one is AddressBook.sqlitedb and second AddressBookImages.sqlitedb. AddressBook.sqlitedb database file provides details like name, surname, email address and phone number of each contact. This information is saved in tables. The main tables are ABPerson and ABMultiValue. AddressBookImages.sqlitedb – Images associated with a contact are stored in this database. These images appear on the screen when that contact calls. ABFullSizeImage is the table name which stores these images in Database. Audio recordingsA preinstalled app like Voice memo allows the user to record voice memos. These memos are stored at location /private/var/mobile/Media/Recordings/. In folder mentioned above file named Recordings.db holds information about each voice memo. Information like date, duration, memo name and filename of an audio file could be extracted from this database file. CalendarManually events can be created within the calendar as well as it syncs events with other applications. This information is stored in two database files /private/var/mobile/Library/Calendar/Calendar.sqlitedb – This database file contains information related to events available in calendar /private/var/mobile/Library/Calendar/Extras.db – This database file holds information like calendar settings or details related to notification to particular calendar event. Call HistoryCall Details like incoming calls, Outgoing calls and missed calls can be extracted from the /private/var/wireless/Library/CallHistory/Call_History.db. It also provides the date, time, and duration of the call. IOS 8 has different path for this file which is as mentioned below /private/var/wireless/Library/CallHistoryDB/CallHistory.storedata DialerSavedNumber – Last dialed phone can be extracted from the plist file from the below location /private/var/mobile/Library/Preferences/com.apple.mobilephone.plist This file remains though user deletes call history database file so forensically this is a very important file. Another important file with the forensic perspective is com.apple.mobilephone.speeddial.plist – contains speed dial numbers. Location for this file is as below /private/var/mobile/Library/Preferences/com.apple.mobilephone.speeddial.plist Mails sent, received, or drafted are stored in the database at below mentioned path /private/var/mobile/Library/Mail/. Each account has a separate folder within the Apple Mail application. Images/private/var/mobile/Media/ contains photos inside IOS devices. There are two folders DCIM – contains user created photos like captured by camera or screenshots. PhotoData – This folder contains photo albums synced with clouds as well as a computer. Thumbnails for each image are stored in /Private/var/mobile/Media/PhotoData/Thumbnails/ Photos.sqlite database contains information about images. Using Thumbnails and information about images can be recovered irrespective of the original image is available or deleted. MapsIOS devices have Apple’s own MAPS application. Information related to the last searches, like search query or Longitude and Latitude coordinates can be retrieved from below path /private/var/mobile/Library/Preferences/com.apple.Maps.plist. The main folder of Maps contains information of the searches of users and bookmarked locations. It is located at path /private/Library/Maps NotesUser created notes are stored at /private/var/mobile/Library/Notes/notes.sqlite. The ZNOTE and ZNOTE-BODY tables contain important details like note title, content, creation, and modification date. SafariEvery IOS device has the Safari browser preinstalled. There are two locations where all activities get stored. These locations are /private/var/mobile/Library/ and main application folder of Safari. Safari Bookmarks – Saved bookmarks in Database file are found from /Library/Safari/Bookmarks.db Last time bookmarks were modified timestamp can be extracted from the plist file /Library/Safari/Bookmarks.plist.anchor.plist Safari Cookies – Web sites cookies are stored in /Library/Cookies/Cookies.binarycookies Safari Screenshots – Thumbnails of web pages visited can be found from the directory Library/Caches/Safari/ Search cache – Most recent searches entered into the search bar can be retrieved from plist file at location Library/Caches/Safari/Recentsearches.plist Search History – Library/Preferences/com.apple.mobilesafari.plist contains recent search list. This file is important as a forensic perspective because when the user would delete cache or history from the browser then as well this file would not be deleted. Suspended state – Library/Safari/Suspendedstate.plist. This plist file contained state of safari when user powered off iPhone or browser got crashed. This file would contain a list of URLs open at the time of state occurred. Safari Thumbnails – /Library/Safari/Thumbnails/ – screenshot of the last active browser pages viewed by third party apps are contained in this folder. Safari Web Cache – Library/Caches/com.apple.mobilesafari/Cache.db contains recently downloaded and cached objects in safari. Safari History – Library/Safari/History.plist file contains web browser history. If history is cleared by the user then it this file would not contain history. SMSA database which stores SMS, MMS and iMessages sent or received at /private/var/mobile/Library/SMS/sms.db Attachments in the SMS or MMS or iMessage are stored at /Library/SMS/Attachments/ Drafts are saved at /Library/SMS/Drafts. Each draft has its own plist file within this folder. VoicemailThe Voicemail folder at /private/var/mobile/Library contains AMR codec audio files of each voicemail recorded message and voicemail.db database, where information related to each audio file like sender, the date, the duration and so on are stored. General IOS forensics artifactsArtifacts covered in this section are not related to any particular application, but those are the evidence generated by general use of the IOS device. ClipboardCached copy of device’s clipboard data can be found in a binary file located at /private/var/mobile/Library/caches/com.apple.UIKit.pboard Data like passwords or other portions of text data which copied, cut, or pasted by the user are stored in this file. KeyboardAuto correction and auto-completion while typing are supported by IOS devices. Device caches user types in file dynamic-text.dat file. A file can be found via path /private/var/mobile/Library/Keyboard. In the same directory IOS stores, one file for each language is used and configured on the keyboard. LocationThe consolidated.db file which is Consolidated GPS cache contains location information related to every Wi-Fi hotspot and cell tower that phone ranged. This database is located at /private/var/root/Library/Caches/locations/consolidated.db. Table WiFiLocation and CellLocation are important in this database file. In newer devices, a new database has been included instead of consolidated.db which are /private/var/root/Library/Caches/locations/cache_encryptedA.db – similarly like consolidated.db this database contains Wi-Fi access points and cell towers that ranged with the device. The main difference is data remains only for 8 days before being cleared out. Other applications which track the geographical locations may store GPS coordinates and timestamps. SnapshotsFade-out effect is being used by IOS for the transition of two screens. As a part of this IOS saves screenshots of the current screen and fade out effect applied picture of the current screen. These screenshots are stored at below locations /private/var/mobile/Library/Caches/Snapshots/ contains apple preinstalled applications /private/var/mobile/Applications/<app_UUID>/Library/Caches/Snapshots – contains all application snapshots. Using these feature lots of forensically valuable information can be gathered. There is a possibility that screenshots of SMS are available, but that SMS is no longer available because deleted. SpotlightThis feature is to assist the user to assist while searching like applications, SMS, contacts and more. /private/var/mobile/Library/Spotlight/ stores spotlight indexes and searches. In the directory mentioned above, there are two folders related to SMS searches and another of general spotlight utility. Wallpaper/private/var/mobile/Library/Springboard/ stores images used as wallpaper. Two types of wallpaper images are available. HomeBackgroundThumbnail.jpg which is related to the wallpaper when the device is unlocked. LockBackgroundThumbnail.jpg is related to the wallpaper when the device is locked. Third-party applicationsThis section covers third-party application analysis which includes locations of the important artifacts related to third party applications. Skype: This is most popular VoIP and chat application com.skype.skype.plist file inside preferences folder contains skype username as shown in below screenshot. Figure 32. com.skype.skype.plist The above screenshot shows only the username which last logged on. Other folder Library/Application Support/Skype/ contains all profiles logged in from this device. This folder contains one folder for each account logged in with that device as shown in below figure below. Each user folder has the database which contains information like chats, contacts. main.db file contains all information stored in clear. There are utilities available which parse these files. In the application folder voicemail messages, screenshots can be found. Figure 33. Skype user profile WhatsApp is widely used instead of SMS nowadays, as it is an Instant messaging application. net. whatsapp.whatsApp.plist file is located at Library/Preferences/. This plist configuration file provides basic information like username, phone number to which WhatsApp account is associated and more. Table ZWAMESSAGE contains exchanged messages, timestamps and user’s name who was chatting which is visible in below screenshot. Figure 34. ZWAMESSAGE Open single user or group chats are stored in table ZWACHATSESSION. Information in this table could be correlated with the information in table ZWAGROUPMEMBER and ZWAGROUPINFO. References to the multimedia files exchanged, timestamps and location of multimedia file are stored in table ZWAMEDIAITEMS. Documents/ChatSearch.sqlite – in this database file table docs_content contains chat contents. It is most widely used social network application. Because of this, during the investigation, high amount of information from the Facebook application can be found. Mainly three kinds of information can be found – user personal information, caches of visited profiles and pages, information about external sites visited within the Facebook application. Account information can be found from the Library/Preferences/com.facebook.plist file. Email address and Facebook id of configured account on the application could be extracted from this file. The date of the last time application was also used could be retrieved from this file. Contact related information are stored in Library/Caches/FbStore.db Profile pictures are saved in Library/Caches/ImageCache/ Directory. Images viewed while surfing through pages of social network can be found from below folder /Library/Caches/_store_<APP_ID>/<ios-Version>_<language>/FBDiskCache/ Library/Caches/com.facebook.Facebook/Cache.db and Library/Caches/com.facebook.facebook/fsCacheddata/ – contains contents of the other website visited including related URL and corresponding files. Videos watched by user within this application are stored in Library/Caches/com.facebook.facebook/var/mobile/Applications/../video_url_cache/Cache.db. Cloud storage applicationsAs the cloud allows the accessing of stored data from anywhere and anytime, Cloud storage applications have become very popular. It is very frequent that this kind of application would be encountered during the investigation. Analysis of few popular cloud storage applications is covered in this section. DropboxThis application is saved in /private/var/mobile/Applications/4BD80D3B-7ADA-4171-B2A0-8A534F05408D/ There are four subfolders in this folder: Cookies, DropboxPrivate, preferences, and Cache Local copies of opened files are saved on Cache folder. It could acquire only through physical acquisition. A file named com.getdropbox.Dropbox.plist is stored in the preferences folder. This plist file contains user information like name, surname, and email. The application structure is shown in the screenshot below: Figure 35. Dropbox application structure Google Drive/private/var/mobile/Applications/8F139264-9142-4B84-A7C3-421ADD6BA05F/ is the path where Google drive application is stored. There are two subfolders within it. Documents and Library. In Library another subfolders Caches, preferences, and Cookies. User information like name and surname, User ID and User e-mail can be found from plist file com.google.Drive.plist exists in the preferences folder. Cached copies of opened files are stored in Caches. It could be extracted if the dump is acquired using Physical acquisition. Three databases followed Contacts_snapshot_useremail.db, Feed_snapshot_usermail.db and Items_snapshit_usermail.db is stored inside Documents folder. User’s email ID, name, and shared files are stored in contacts db. All information listed below about files stored is in Items db. Identifier, Title, Kind, MD5 hash, Last Modified By, Last Modified Date, Last Viewed Date, Shared with Me Date, Last Modified by Me Date Figure 36. Google drive application structure and plist file File CarvingData protection technology is used by Apple in flash memory on IOS devices. 256-bit per file key generated every time a new file is created, and content of the file is encrypted using AES encryption. This per-file key is later wrapped with class key and stored in the file’s metadata, which is then encrypted with the EMF (file system) key. EMF key is generated by unique hardware UID. This process is shown in the figure below. Figure 37. Data Protection Due to this data protection schema, it is not possible to carve files with the classical approach. By exploiting the Journaling feature of the HFS+ then comparing and analyzing catalog file and journal file of the HFS+ file system. Using this deleted file’s information, metadata location, and timestamp can be retrieved. By referring to journal file information, deleted files can be searched and recovered, cryptographic keys can be located, and image files can be decrypted. But it is mandatory to have a physically acquired image to perform this approach. Carving deleted SQLite database recordsUsing Python script, it is possible to carve deleted records within SQLite database. The script name is “SQL parse.py” and can be downloaded from GitHub. Running strings command on the database is also helpful to recover portions of deleted entries content. Analysis using oxygen forensic suiteAcquired data could be parsed using Oxygen Forensic Suite. Once data is parsed using Oxygen forensic suite user could search data using GUI. Below screenshot shows the information related to the acquired phone. Figure 38. Information about the acquired phone As shown in the screenshot above, this information includes phone name, internal name, IMEI number, platform, Acquisition type and Acquisition date. Now, User can choose one of the two sections presented by the tool. The first section is the Common section which includes information related to the native applications. The second section includes activities related to the applications installed on IOS device. Information like calendar events, phonebook with assigned photos, call logs, messages and voice mail could be extracted by analysis of preinstalled applications. The figure below shows call history. Figure 39. Main Analysis Window Oxygen forensic suite Figure 40. Call history logs Information related to Wi-Fi access points, IP connections and locations can also be gathered using Oxygen forensic tool. For each network SSID, MAC address of the router, the timestamp of connection is presented by the tool as shown in the figure below. Figure 41. Wi-Fi Data The tool extracts the database, as well as plist files from the application, installed on the device. These applications are categorized into the following types.
There is advanced functionality offered by Oxygen forensic tool as listed below
This tool also offers to navigate to the file system to view all file types. SQLite database and plist file can be explored using embedded tools. Allows performing keyword search and applying the filter. The user could export finding and generate a report in a different format. Data acquisition from iOS backupMuch valuable information can be found from the IOS backup. Users have two options to back up their data. One is using Apple iTunes software, and another is an Apple cloud storage service known as iCloud. Every time phone is connected to the iCloud or computer it creates the back up by copying files from the device. What to include in the backup can be determined by the user. Data retrieved from iCloud or iTunes may differ. iTunes backupLots of information is available on a computer that has been synched with an IOS device. Historical data and passcode bypass certificates are on host computers. IOS backup file forensics involves offline back up produced by IOS devices. In cases when logical, physical and file system acquisition is not possible then iTunes backup analysis method is very useful. Back up of iTunes is created by examiners and analyze it using forensic software. An iPhone backup is created using free utility available for MAC and Windows platforms. It uses proprietor protocol to copy data from an IOS device to a computer. Using a cable or Wi-Fi iPhone can be synced with a computer. There is an option to create an encrypted backup, but by default, it creates an unencrypted backup. Addition access to the data stored in IOS can be accessed when the encrypted backup is cracked. To search for the information either we could create a fresh back up, or we could extract data from the existing IOS backup file. Users create data for the prevention whether if phone damaged or lost. For example, if the device gets wiped then backup still exists. To uncover artifacts examiner needs to forensically analyze each backup. The synchronization process gets automatically initiated once the IOS device is connected to the computer. To disable auto-syncing in iTunes, perform the following steps:
Pairing RecordsSets of pairing records are exchanged between the IOS device and computer when iTunes detects the iOS device. Using pairing mechanism computer establishes trusted relation with iPhone. Personal information on iDevice or backup can be initiated once the computer is paired. Starting from IOS 7 pairing mechanism has been introduced. /var/root/Library/Lockdown/pair_records/ contains pairing records. Multiple pairing records are contained if the device is paired with multiple computers. These records are stored as property list (.plist) files. HOST ID, root certificate, device certificate and host certificate are contained within plist files. Such file has been shown below in the figure. The file shows the content within pairing record plist file. Figure. Pairing records on iDevicePairing records are known as a Lockdown certificate on the computer. Preconfigured location of the pairing records is stored at below location Windows – %AllUserProfile%AppleLockdown Mac OS X – /private/var/db/lockdown/ host private key, Root certificate, host certificate, Escrow keybag are contained within Pairing records on computers. Figure 42. Pairing records on computer iTunes can back up and sync with the iPhone even in a locked state using Escrow keybag. This is a copy of class keys and a system bag that is used for the encryption in IOS. Access to all classes of data on the device without entering the password can be achieved by keybag. Newly generated key computed from the key 0x835 is protected with Escrow keybag and saved in the escrow record on the phone. It is also plist file and located at /private/var/root/Library/Lockdown/escrow_records/ These records are protected with UntilFirstUserAuthentication protection class. It further encrypts to user’s passcode. Hence, the device passcode needs to be entered during the first time syncing the phone to iTunes. Unencrypted backupCommercial tools like MSAB, XRY, and Cellebrite use iTunes to create a backup for examination. Fresh installation of iTunes could also be used to create a Backup file for examination. Follow below steps to create Unencrypted Back up,
Figure 43. Back up process
This is a free tool for MAC OS X, which can be downloaded from the link below: https://www.iPhonebackupextractor.com/ It extracts backup files to be located in: ~/Library/Application Support/Mobile sync/Backup/. This tool allows storing additional backup to another location like external drives. Follow the steps below to extract Backup.
Figure 44. Backup file
Figure 45. Applications available to extract
Except for Keychain, all the Backup files are stored unencrypted in Unencrypted Backups. To decrypt the keychain key, 0x835 needs to be extracted using a Bruteforce method using a script, or we can use Elcomsoft Phone Breaker’s Explore Keychain feature if the passcode of the user is known. Figure 46. Extracting keychain from unencrypted Backup The user would be asked to enter device passcode as shown in below screenshot. Figure 47. Device passcode to explore keychain Encrypted backupiPhone allows extracting encrypted Backup. To protect evidence examiner could create encrypted Back up or get the access of the data which is only available with Encrypted Backup. Following steps are performed to create an Encrypted Backup,
Figure 48. Set password
This password is stored in the device itself and saved in keychain file. Extracting encrypted backupsAES 256 algorithm in the CBC mode is used to encrypt backup files with a unique key and null initialization vector. These file keys are protected in backup Keybag with a set of class keys. Password set in iTunes through 10000 iterations of password based key derivation function 2 is protected with class keys in keybag. If the password is known then open source and commercial tools, support backup file parsing. Some tools offer to crack the password. Elcomsoft Phone BreakerThe encrypted backup file can be cracked using this tool if back up a password is not available. It allows launching Brute-force attack on encrypted backup. Time taken to crack a password depends on the complexity of the password. The following steps need to be performed to brute force backup a password.
Figure 49. Choose source manifest. plist file
Figure 50. Attack Type iCloud backupApple provides cloud computing service as iCloud storage. Data like documents, bookmarks, calendars, contacts, photos, reminders, applications and more can be kept using the iCloud account in cloud storage. Automatically and wirelessly users can backup their iOS devices to iCloud. Other services like Find My Friends and Find My iPhone also comes with iCloud. 5GB free storage is available with the sign-up. For more storage upgrade plan can be purchased. IOS 5 and later offers to the user to back up device settings and data to iCloud. Photos, Videos, documents, application data, device settings, messages, calendar and more can be found from the Backed-up data. iCloud back up can be turned on by navigating settings – iCloud. Data on the Phone can be backed up automatically when the phone is plugged in, locked, and connected to Wi-Fi. As long as space is available to create current Backup, iCloud provides a real-time copy of data available on the phone. iTunes has also option to initiate iCloud Back up. It is incremental Backup. Data transmitted over the internet are encrypted, and stored data are in encrypted format on the server, for authentication uses secure token. Using secure token need for the password to store on a computer or on the device is eliminated. Figure 51. iCloud settings on Device Extracting iCloud Backup using passwordApple’s UserID and password must be known to extract backup from iCloud. Using Apple ID and password, a user can log on to the iCloud website and can access contacts, e-mail, calendar, photos, reminders and so on. Using Elcomsoft Phone Breaker, one can extract iCloud backup. One can also download selected files from the iCloud. The following steps needs to be performed to extract iCloud backup.
Back up Keybag in iCloud backups contains Encrypted Keychain file contents with a set of class keys. Key (0x835) protects Backup keybag which is derived from the iPhone hardware key (UID key). Extracting iCloud Backup using Authentication Token |