sm13: iphone forensics, application - uni-koblenz.deaggrimm/teaching/2015ss/sma/sm13_dhein_i... ·...
Post on 17-Aug-2019
SS 2015, A. Dhein
Security for Mobile Applications (Prof. R. Grimm)
SM13: iPhone Forensics, Application
A. Dhein, Institute for Information Systems Research, University Campus Koblenz; K15 IuC Forensics (technical investigation assistant), Criminal Police Department Koblenz

Recap
• Opportunities
  • Which kinds of evidence can be found on mobile phones
• Limitations
  • Many different mobile devices: dumb phones, smartphones
  • Many different operating systems, even differences between OS versions
• Data acquisition techniques
  • Logical gathering
  • Physical imaging
• Decoding
  • Wear leveling
  • Flash Translation Layer
• Examination
  • Different sources
  • Different formats
• Reporting
2015 © A. Dhein 2 / 64
Content
1. Introduction
  • iDevice Teardown (ifixit)
  • iDevice Feature Evolution
  • iDevice Hardware Evolution
  • Limits and how to deal with them
2. Data Acquisition
3. Getting in touch with the content
4. Data Analysis I: Where to find what, how to deal with it
5. Data Analysis II: Extraction examples
6. Data Analysis III: Media extraction
7. Summary / Questions
iDevice teardown (Overview)
• Does that matter for forensic reasons?
  • Most of the time: NO ☺
  • But be aware of damaged devices:
    • Repair to gain back access to the device
    • Chip-Off
    • JTAG
iDevice feature evolution (Overview)
• Does that matter for forensic reasons?
  • Most of the time: Maybe
  • Be aware of:
    • Different sensors / chips, e.g. cameras, connectivity
    • Different dock interfaces: 30-pin / 9-pin (Lightning)
    • Features not (yet) available may not produce artifacts (?)
We'll see later: most of the time iOS features are more important than device features.
iDevice CPU evolution (Overview)
• Does that matter for forensic reasons?
  • Most of the time: YES
  • Think of: physical imaging requires hardware (e.g. CPU) bugs to overcome boot-loader limitations, e.g. limera1n, GreenPois0n
  • iPhone 4 (Apple A4) vs. iPhone 4S and later
We'll see later: most of the time logical acquisition is quite enough for accessing user-generated data.
iDevice model evolution (Overview)
• Model specs printed on the backside

Model          Model number(s)                   Identifier
iPhone 2G      A1203                             iPhone1,1
iPhone 3G      A1241                             iPhone1,2
iPhone 3GS     A1303                             iPhone2,1
iPhone 4       A1332                             iPhone3,1 / iPhone3,2
               A1349                             iPhone3,3
iPhone 4S      A1387, A1431*                     iPhone4,1
iPhone 5       A1428                             iPhone5,1
               A1429, A1442*                     iPhone5,2
iPhone 5C      A1456, A1532                      iPhone5,3
               A1507, A1516, A1526*, A1529       iPhone5,4
iPhone 5S      A1453, A1533                      iPhone6,1
               A1457, A1518*, A1528*, A1530      iPhone6,2
iPhone 6       A1549, A1586                      iPhone7,2
iPhone 6 Plus  A1522, A1524                      iPhone7,1

Colour coding of the original slide: green = physical acquisition possible, orange = logical acquisition only
* Chinese version
Recap: What to get with which acquisition method? (Overview)

Logical acquisition, iTunes backup: user-generated data
  Addressbook (+images), caches (Safari, map tiles, etc.), Calendar, call history, cookies, DataAccess (e.g. online storage), keyboard dictionaries, Maps (searches, routes, POIs), map tiles (for reconstruction), Notes, recordings (answering machine, memos), Safari (history, bookmarks), SMS/MMS, WhatsApp (other chat software logs as well), WebClips

Logical acquisition, file system: user-generated data + media data
  Camera Roll (photos, videos), Photo Library (photos, videos), iTunes Library (music, videos)

Physical acquisition, NAND dump: user-generated data + media data + restricted data + deleted data
  Apparently everything, e.g. deleted data (if NAND is not encrypted), geolocation data (we'll discuss that later), and even emails (most forensic suites simply ignore mails)
Content
1. Introduction
2. Data Acquisition
  • iTunes syncing philosophy
  • Logical backup: iTunes, media access (3rd-party apps)
  • Physical imaging: Netcat, Zdziarski method(s), commercial solution
3. Getting in touch with the content
4. Data Analysis I: Where to find what, how to deal with it
5. Data Analysis II: Extraction examples
6. Data Analysis III: Media extraction
iTunes syncing philosophy (iTunes)
1. Always syncing from master (Mac) to slave (iDevice)
  • Used iDevices on a new Mac will be cleaned prior to sync!!
2. "Smart syncing" or "lazy syncing", i.e. only sync back what is not already on the Mac
  • Photo Library is already on the Mac: no syncing required
  • iTunes Library is already on the Mac: no syncing required
  • New firmware derives from Apple: no need to back up the system image
  • SHA-1 hashes instead of directories/filenames: the result is "flat" and "obfuscated"
  • Changes can be determined by comparing the hash before sync
Logical backup using iTunes (Logical acquisition)
• Important!!! Prevent changes!!!
• iTunes is configured to synchronize devices automatically
• So disable syncing before connecting the device: Preferences – Devices – "Prevent iPods, iPhones and iPads from syncing automatically"
iTunes 10 device overview (Logical acquisition)
• iDevices appear in the left view (Devices)
• Check the summary before saving the backup
  • iPhone 3rd generation / iOS 4.3.3 / 16 GB
  • Audio (1.08 GB), Video (1.11 GB), Photos (5.2 GB), Apps (4.1 GB), Books (0.02 GB), Other (0.33 GB)
iTunes 11 device overview (Logical acquisition)
• Syncing is "more integrated", more obfuscated (?)
• iDevices now appear in the upper right corner
iTunes 12 device overview (Logical acquisition)
• New design director Jonathan Ive introduced flat design
• iDevices back in the upper left corner
iTunes backup process in action (Logical acquisition)
Backup locations:
• Mac: ~/Library/Application Support/MobileSync/Backup/
• Windows XP: \Documents and Settings\(username)\Application Data\Apple Computer\MobileSync\Backup\
• Windows Vista and Windows 7: \Users\(username)\AppData\Roaming\Apple Computer\MobileSync\Backup\
("Show hidden directories" option in the Windows File Explorer)
Source: http://support.apple.com/kb/HT1766?viewlocale=de_DE
Screenshots: < iOS 4.x | iOS 5, 6, 7, 8 >
iDevice Manager (Mac/Win) (Logical acquisition)
• Operates on the connected device
• Applications: Documents, Library, Cache, Temp
• Media: Photos, Music, Videos, ...
http://www.software4u.de/de/products/idevicemanager/default.aspx (free)
Sharepod / iExplorer (Mac/Win) (Logical acquisition)
• Operates on the connected iPhone / iPod
• Decodes the names of music titles
• Copy music to the PC
• Offers picture previews
• And even more!!
http://www.getsharepod.com
https://www.macroplant.com/iexplorer (demo)
Netcat | dd (Physical acquisition)
• Prerequisites
  • Jailbroken iPhone
  • OpenSSH installed
• Run nc on the Mac:
  nc -l 7000 | dd of=./iPhoneImg.dd bs=4096
• Then on the iPhone:
  ssh -l root 192.168.178.28
  Password: alpine
  /bin/dd if=/dev/rdisk0s2 bs=4096 | nc 192.168.178.20 7000
Log information:
  1838214+0 records in
  1838214+0 records out
  7529324544 bytes (7.5 GB) copied, 10901.9 s, 691 kB/s
  (ca. 9 hours over WiFi)
Netcat | dd: mounted dd image (Physical acquisition)
• Mac: rename .dd to .dmg to mount the image
Jonathan Zdziarski (Physical acquisition)
• Hacker pseudonym "NerveGas", former Dev-Team member (responsible for jailbreak solutions)
• Books: iPhone Forensics*, iOS Security
• Software (automated tools) for law enforcement first, now also commercial (viaForensics; senior forensic scientist)
• Idea:
  • Inject/infect the bootloader temporarily
  • Execute unsigned boot code
  • Boot own OS into RAM with a recovery agent
* http://www.zdziarski.com/blog/wp-content/uploads/2013/05/iOS-Forensic-Investigative-Methods.pdf
Zdziarski, method 1: boot [specific] kernel (Physical acquisition)
Session log with comments:
  cd iphoneinsecurity/automatedtools/5/OSX/MULTIPLATFORM_IOS4/
  sh boot-liverecovery.sh
  ...wait...
  iPhone restarts
  ################################
  greenpois0n
  http://www.greenpois0n.com
  ################################
  unable to find gBdevList
  unable to find fs_mount
  unable to find fs_unmount
  unable to find fs_load_file
  Greenpois0n initialised
  ...wait...
  iPhone restarts (some quickly rushing text lines, boots regularly afterwards)
  sh boot-kernel.sh
  iPhone has to be set to DFU mode once again...
  iPhone restarts (some quickly rushing text lines, boots regularly afterwards)
  iPhone back in normal operation mode? (recovery server is running)
  cd ../Recovery_Module/
  sh recover.sh (enter root password)
  Connecting to recovery agent on 127.0.0.1:7777
  Connected. Downloading user image to rdisk-1299353466-127.0.0.1-7777.dd...
  Image is going to be saved to current directory
  ...wait...
  Transfer in progress [ 0.10 GB ] throughput 2.96 MB/s
  (ca. 2 hours over USB)
Zdziarski, method 2: multiplatform (Physical acquisition)
• Possible up to iOS 6.x (until iPhone 4)
• sudo sh recover-keys.sh
• sudo sh recover-[raw|filesystem].sh firmware_x.y.z.ipsw
• python emf_decrypter.py rdisk-1309266207-06_28_2011_09_03_27.dd keys-1309266207-06_28_2011_09_03_27.txt
• python emf_undelete.py rdisk-1309266207-06_28_2011_09_03_27.dd keys-1309266207-06_28_2011_09_03_27.txt
UFED Physical Analyzer (iPhone extraction module) (Physical acquisition)
1. Recovery mode
  • Disconnect / power off
  • Hold the Home button and connect the USB dock cable...
  • iTunes symbol appears...
  • Still hold the Home button until...
2. Firmware info appears
  • 4.3.2-4.3.3 (4.3.3)
  • Successful so far: 2G (3.1.3), 3G (4.1), 3GS (4.3.3), 4 (4.2)
  • Next ...
3. Start acquisition: enter DFU mode
  • Press Power + Home button for 10 s
  • Release the Power button, still holding the Home button
  • Wait for 10-20 s until ...
  Loading Cellebrite Agent ....
4. Capture
  • Full physical extraction: encrypted (?), passcode does not matter!
  • File system dump: passcode does not matter!
  • Shutdown: power off the device
Result: iPhone 3GS (16 GB / 4.3.3), duration 1 h 8 min / 30 min

Cellebrite UFED Touch [physical] (Physical acquisition)
Zdziarski, latest approach (dunamis < ei < waterboard) (Enhanced logical acquisition)
• Advanced logical acquisition, because there is no known hardware exploit for current devices
• Code names: ./dunamis = god-like power; ./ei = enhanced interrogation; ./waterboard = another torture technique
• Idea:
  • Use flaws in iTunes protocols to gain access to restricted data
  • Use hidden system services (e.g. com.apple.mobile.file_relay) to access personal data
Zdziarski, latest approach (dunamis, ei, waterboard) (Enhanced logical acquisition)
• Workflow
  1. List => UniqueDeviceID
  2. Pair: usb:UDID | ip:UDID
  3. Acquire: Full, Quick, Backup, Appdata only, AFC data only
Cellebrite UFED 4PC (acquiring assistant) (Enhanced logical acquisition)
A last word on device locks (Physical acquisition)
• Prior to iOS 8, encryption keys are bound to the hardware; since iOS 8, encryption keys are bound to the PIN
  • Apple is not able to decrypt devices any more
• Is your data now secure? There are backup keys (an escrow bag) stored on your PC
• What you get then (even if the device is locked):
  • Camera roll, videos, and recordings
  • Podcasts, books, and other iTunes media
  • All third-party application data (iTunes backup)
Source: http://www.zdziarski.com/blog/?p=3875
Content
1. Introduction
2. Data Acquisition
3. Getting in touch with the content
  • Decoding iTunes backups manually
  • Tools for decoding iTunes backups
4. Data Analysis I: Where to find what, how to deal with it
5. Data Analysis II: Extraction examples
6. Data Analysis III: Media extraction
7. Summary / Questions
iTunes backup < iOS 3.1.3 (Decoding iTunes backup)
• Status.plist (true/false)
• Manifest.plist (?)
• Info.plist
• *.mdinfo (metadata)
• *.mddata (file)
iTunes backup > iOS 4 (Decoding iTunes backup)
• Status.plist
• Manifest.plist
• Manifest.mbdx
• Manifest.mbdb
• Info.plist
• a08106bec36a03ed714f0908cf2a19e54df877d2 (example of a backup file named by its SHA-1 hash)
iTunes backup ☺ > iOS 4, < iOS 8 (Decoding iTunes backup)
• Status.plist, Manifest.plist, Manifest.mbdx, Manifest.mbdb, Info.plist, a08106bec36a03ed714f0908cf2a19e54df877d2
• Format documentation:
  • http://stackoverflow.com/questions/3085153/how-to-parse-the-manifest-mbdb-file-in-an-ios-4-0-itunes-backup
  • http://code.google.com/p/iphonebackupbrowser/wiki/MbdbMbdxFormat
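As an added example (not part of the slides or of the tools they cite), a small Manifest.mbdb parser that follows the record layout documented at the links above, together with the SHA-1 naming rule (sha1 of "Domain-relative/path") behind the "flat, obfuscated" backup described in the syncing slide; the mbdb bytes are constructed inline from two assumed records, and the WhatsApp bundle id used in the domain is an assumption.

```python
import hashlib
import struct
from dataclasses import dataclass

MBDB_MAGIC = b"mbdb\x05\x00"
# Fixed part of a record after its five length-prefixed strings:
# mode, inode, uid, gid, mtime, atime, ctime, filelen, flag, numprops
FIXED = ">HQIIIIIQBB"

def _pack_str(s: str) -> bytes:
    """mbdb string: big-endian uint16 length + UTF-8 bytes; 0xFFFF means empty."""
    if s == "":
        return b"\xff\xff"
    data = s.encode("utf-8")
    return struct.pack(">H", len(data)) + data

def _read_str(buf: bytes, off: int):
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    if n == 0xFFFF:
        return "", off
    return buf[off:off + n].decode("utf-8", "replace"), off + n

@dataclass
class MbdbRecord:
    domain: str
    path: str
    mode: int
    length: int

    @property
    def backup_name(self) -> str:
        """The flat, 'obfuscated' name the file has in the backup folder."""
        return hashlib.sha1(f"{self.domain}-{self.path}".encode()).hexdigest()

def build_mbdb(entries) -> bytes:
    """Construct a Manifest.mbdb from (domain, path, mode, length) tuples."""
    out = bytearray(MBDB_MAGIC)
    for domain, path, mode, length in entries:
        out += _pack_str(domain) + _pack_str(path)
        out += _pack_str("") * 3  # linktarget, datahash, encryption key left empty
        out += struct.pack(FIXED, mode, 0, 501, 501, 0, 0, 0, length, 0, 0)
    return bytes(out)

def parse_mbdb(buf: bytes):
    if buf[:6] != MBDB_MAGIC:
        raise ValueError("not a Manifest.mbdb file")
    off, records = 6, []
    while off < len(buf):
        domain, off = _read_str(buf, off)
        path, off = _read_str(buf, off)
        for _ in range(3):  # linktarget, datahash, key: not needed here
            _, off = _read_str(buf, off)
        fields = struct.unpack_from(FIXED, buf, off)
        off += struct.calcsize(FIXED)
        for _ in range(fields[-1]):  # numprops key/value string pairs
            _, off = _read_str(buf, off)
            _, off = _read_str(buf, off)
        records.append(MbdbRecord(domain, path, fields[0], fields[7]))
    return records

def resolve(records, backup_name: str):
    """Map a hashed file name from the backup folder back to domain and path."""
    for r in records:
        if r.backup_name == backup_name:
            return r.domain, r.path
    return None

# Constructed sample manifest: two files an examiner typically looks for
# (the WhatsApp bundle id in the domain is an assumption of this example).
SAMPLE_MBDB = build_mbdb([
    ("HomeDomain", "Library/SMS/sms.db", 0o100644, 4096),
    ("AppDomain-net.whatsapp.WhatsApp", "Documents/ChatStorage.sqlite", 0o100644, 8192),
])
```

The same hashing rule lets you name the file you are looking for directly (sms.db in the HomeDomain becomes 3d0d7e5fb2ce288813306e4d4636395e047a3d28), which is useful when a backup has no readable manifest.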
iPhone Backup Extractor / JuicePhone (Mac) (Decoding iTunes backup)
• Parse local mobile backups
• Export opportunities
  • Specific apps
  • iOS Home
  • Library -> Apple apps
  • Media -> Photos, Music etc.
  • Keychains
http://supercrazyawesome.com (free)
http://www.addpod.de/juicephone (free)
Problems since iOS 8 (work in progress) (Decoding iTunes backup)
• Problems parsing the iTunes backup
• Different folders for one single app: app folder(s), ShareExtension, WatchKitExtension
• Lots of empty folders
Cellebrite UFED 4PC (extraction overview) (Physical acquisition)
Content
1. Introduction
2. Data Acquisition
3. Getting in touch with the content
4. Data Analysis I: Where to find what, how to deal with it
  • Plist files
  • SQLite databases
  • Different formats
5. Data Analysis II: Extraction examples
6. Data Analysis III: Media extraction
7. Summary / Questions
Where to find what in which domain (Data Analysis I)
• /mobile/Library/*
  • plist files: Cookies, Maps (history, routes), Safari (history, bookmarks)
  • SQLite3 databases: Addressbook, Calendar, caller lists, Notes, SMS, VoiceMail; SQLiteBrowserFE (self-developed)
• /mobile/Media/*
  • Pictures taken, video recordings, audio recordings
  • iTunes Music Library, iTunes Video Library, Photo Library, iBooks media
• /mobile/Applications/*
  • WhatsApp, Facebook, Skype, ICQ, Navigon, etc.
Plist files (e.g. Safari history) (Data Analysis I)
• XML format (sometimes binary)
• Integrated into Mac OS X
• Windows version: plist Editor(*) (free)
(*) http://www.iCopyBot.com/download.htm
SQLite extraction (e.g. SMS messages) (Data Analysis I)
• terminal
• SQLiteBrowser(*)
• Microsoft Excel: CSV import (not applicable)
(*) http://sqlitebrowser.sourceforge.net/
SQLite extraction (e.g. SMS messages) (Data Analysis I)
• Specific problems
  • Line breaks in CSV files (table structure damaged)
  • HTML tags in texts (no natural reading)
• Unix timestamps (standard): seconds since 01.01.1970 00:00:00 h
  • 1434653657 -> Thu, 18 Jun 2015 18:54:17 GMT
• CFAbsoluteTime timestamp (Apple): seconds since 01.01.2001 00:00:00 h
  • unix timestamp = CFAbsoluteTime + 978307200 s (the conversion the WhatsApp query below applies in SQL)
• Flags
  • 0 = no / 1 = yes
  • Odd = out / Even = in
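An added example (not from the slides) that works through the four points above on a constructed sms.db: both timestamp conversions, the odd/even direction flag, HTML tags in the text, and a CSV export that survives embedded line breaks. The reduced 'message' table (ROWID, address, date, text, flags) is an assumed subset of the real schema.

```python
import csv
import html
import io
import re
import sqlite3
from datetime import datetime, timezone

CF_EPOCH_OFFSET = 978_307_200   # seconds from 1970-01-01 to 2001-01-01 UTC
TAG_RE = re.compile(r"<[^>]+>")

def unix_to_utc(ts: int) -> str:
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")

def cf_to_unix(cf: float) -> int:
    """CFAbsoluteTime counts from 2001, so the offset is added to reach Unix time."""
    return int(cf) + CF_EPOCH_OFFSET

def direction(flags: int) -> str:
    """Slide rule of thumb: odd flag value = outgoing, even = incoming."""
    return "out" if flags % 2 else "in"

def clean_text(text: str) -> str:
    """Strip HTML tags and unescape entities so the message reads naturally."""
    return html.unescape(TAG_RE.sub("", text or ""))

# Constructed sms.db with a reduced 'message' table; the column subset
# (ROWID, address, date, text, flags) is an assumption of this example.
SAMPLE_ROWS = [
    (1, "+49 170 0000000", 1434653657, "Meeting at 7?<br>Bring the <b>report</b>.", 2),
    (2, "+49 170 0000000", 1434653720, "Sure,\nsee you then", 3),
]

def load_sample() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE message (ROWID INTEGER PRIMARY KEY, address TEXT, "
                "date INTEGER, text TEXT, flags INTEGER)")
    con.executemany("INSERT INTO message VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return con

def extract_messages(con: sqlite3.Connection) -> list:
    rows = con.execute("SELECT ROWID, address, date, text, flags FROM message ORDER BY date")
    return [{"rowid": r[0], "address": r[1], "time": unix_to_utc(r[2]),
             "direction": direction(r[4]), "text": clean_text(r[3])} for r in rows]

FIELDS = ["rowid", "address", "time", "direction", "text"]

def to_csv(records: list) -> str:
    """QUOTE_ALL keeps an embedded line break inside its field instead of
    splitting the row, which is what damages the table in the naive export."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=FIELDS, quoting=csv.QUOTE_ALL, lineterminator="\n")
    w.writeheader()
    w.writerows(records)
    return buf.getvalue()

def csv_row_count(csv_text: str) -> int:
    """Rows a conforming CSV reader recovers; must equal the message count."""
    return sum(1 for _ in csv.DictReader(io.StringIO(csv_text)))
```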
Content
1. Introduction
2. Data Acquisition
3. Getting in touch with the content
4. Data Analysis I: Where to find what, how to deal with it
5. Data Analysis II: Extraction examples
  • Addressbook
  • SMS/MMS
  • WhatsApp
6. Data Analysis III: Media extraction
7. Summary / Questions
Addressbook (Data Analysis II)
• SQLite3 database: /mobile/Library/AddressBook/AddressBook.sqlitedb
• Structure is different in different iOS versions
• Content is different according to user input (e.g. labels)

ABPERSON (one row, ROWID 308)
  ROWID: 308, First: Andreas, Last: Dhein, Organization: Polizei Koblenz, Department: Kriminaldirektion, Note: ..., Kind: nein, Birthday: CFAbsolute, JobTitle: PG TechEU, Nickname: Andi, CreationDate: CFAbsolute, ModificationDate: CFAbsolute

ABMULTIVALUE (UID, record_id, label, value)
  47 308 8 Name
  48 308 7 +49 ..
  49 308 3 +49 ..
  50 308 4 0177 ..
  51 308 3 +49 ..
  52 308 2 +49 ..
  53 308 1 +49 ..
  54 308 5 0221 ..
  55 308 1 KDK ..
  56 308 3 Andr ..
  57 308 5 andr ..
  58 308 3 KDK ..
  59 308 5 adh ..
  60 308 1 info ..
  61 308 3 adh ..
  62 308 3 (no value: the parts are in ABMULTIVALUEENTRY)
  63 308 9 163 ..
  64 308 9 243 ..
  65 308 6 http: ..

ABMULTIVALUEENTRYKEY (ROWID, value)
  1 Country, 2 Street, 3 ZIP, 4 City, 5 CountryCode, 6 State, 7 Service, 8 Username

ABMULTIVALUEENTRY (parent_id, key, value)
  62 1 Deutschland
  62 2 Im Palmen ..
  62 3 56072
  62 4 Koblenz – G ..
  62 5 de

ABMULTIVALUELABEL (ROWID, value)
  1 _$!<Work>!$_, 2 _$!<Mobile>!$_, 3 _$!<Home>!$_, 4 _$!<WorkFAX>!$_, 5 _$!<Other>!$_, 6 _$!<HomePage>!$_, 7 _$!<HomeFAX>!$_, 8 _$!<Spouse>!$_, 9 _$!<Anniversary>!$_, 10 Singapore, 11 VOIP, 12 Singapur, 13 Skype, 14 _$!<Friens>!$_, 15 _$!<Main>!$_, 16 Arbeit, 17 _$!<Child>!$_, 18 iPhone, 19 _$!<Pager>!$_

ABGROUP (ROWID, Name)
  10 Gr. 1, 11 Gr. 6, 12 Freunde, 13 Gastro, 14 PP Koblenz, 15 Familie, 16 Gr. 2, 17 Gr. 4, 18 Gr. 3

ABGROUPMEMBERS (UID, group_id, member_id)
  66 14 308
  81 15 308
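As an added example (not the slides' own tooling), the joins needed to turn the tables above back into one readable contact card: multi-values joined to their label names (the built-in _$!<...>!$_ wrapper removed, custom labels kept as typed), a NULL-valued multi-value expanded into its keyed address parts, and the CFAbsoluteTime creation date converted. The schema is an assumed subset of the iOS 4.x AddressBook.sqlitedb and every value is constructed.

```python
import re
import sqlite3
from datetime import datetime, timezone

CF_EPOCH_OFFSET = 978_307_200
LABEL_RE = re.compile(r"^_\$!<(.*)>!\$_$")   # _$!<Mobile>!$_ -> Mobile

def plain_label(label) -> str:
    """Built-in labels are wrapped in _$!<...>!$_; custom labels are stored as typed."""
    m = LABEL_RE.match(label or "")
    return m.group(1) if m else (label or "")

def cf_to_iso(cf: float) -> str:
    return datetime.fromtimestamp(cf + CF_EPOCH_OFFSET, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")

# Assumed subset of the iOS 4.x AddressBook.sqlitedb schema; only the
# columns shown on the slide are modelled and all values are constructed.
SCHEMA = """
CREATE TABLE ABPerson (ROWID INTEGER PRIMARY KEY, First TEXT, Last TEXT,
                       Organization TEXT, CreationDate REAL);
CREATE TABLE ABMultiValue (UID INTEGER PRIMARY KEY, record_id INTEGER,
                           label INTEGER, value TEXT);
CREATE TABLE ABMultiValueLabel (ROWID INTEGER PRIMARY KEY, value TEXT);
CREATE TABLE ABMultiValueEntryKey (ROWID INTEGER PRIMARY KEY, value TEXT);
CREATE TABLE ABMultiValueEntry (parent_id INTEGER, key INTEGER, value TEXT);
"""
SAMPLE = {
    "ABPerson": [(308, "Andreas", "Dhein", "Polizei Koblenz", 456346457.0)],
    "ABMultiValueLabel": [(1, "_$!<Work>!$_"), (2, "_$!<Mobile>!$_"),
                          (3, "_$!<Home>!$_"), (18, "iPhone")],
    # A NULL value marks a multi-part entry (an address) kept in ABMultiValueEntry.
    "ABMultiValue": [(47, 308, 18, "+49 170 1111111"), (48, 308, 2, "+49 170 0000000"),
                     (53, 308, 1, "+49 261 0000000"), (62, 308, 3, None)],
    "ABMultiValueEntryKey": [(1, "Country"), (2, "Street"), (3, "ZIP"),
                             (4, "City"), (5, "CountryCode")],
    "ABMultiValueEntry": [(62, 1, "Deutschland"), (62, 2, "Musterstrasse 1"),
                          (62, 3, "56072"), (62, 4, "Koblenz"), (62, 5, "de")],
}

def load_sample() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    for table, rows in SAMPLE.items():
        marks = ", ".join("?" * len(rows[0]))
        con.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    return con

def contact_card(con: sqlite3.Connection, rowid: int) -> dict:
    """Reassemble one ABPerson row and all its multi-values into a readable card."""
    first, last, org, created = con.execute(
        "SELECT First, Last, Organization, CreationDate FROM ABPerson WHERE ROWID = ?",
        (rowid,)).fetchone()
    card = {"name": f"{first} {last}", "organization": org,
            "created_utc": cf_to_iso(created), "values": [], "addresses": []}
    multi = con.execute(
        "SELECT mv.UID, l.value, mv.value FROM ABMultiValue mv "
        "LEFT JOIN ABMultiValueLabel l ON l.ROWID = mv.label "
        "WHERE mv.record_id = ? ORDER BY mv.UID", (rowid,)).fetchall()
    for uid, label, value in multi:
        if value is not None:
            card["values"].append((plain_label(label), value))
            continue
        parts = con.execute(
            "SELECT k.value, e.value FROM ABMultiValueEntry e "
            "JOIN ABMultiValueEntryKey k ON k.ROWID = e.key WHERE e.parent_id = ?",
            (uid,)).fetchall()
        card["addresses"].append({"label": plain_label(label), **dict(parts)})
    return card
```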
Addressbook (images) (Data Analysis II)
• SQLite3 database: /mobile/Library/AddressBook/AddressBookImages.sqlitedb
• SQL dump of AB[FULLSIZE]IMAGE [from 4.3.3]
• sh extractAddressBookImages.sh ABImages.txt
  • "Scrapes" the images out of the dump
  • Executes unbinhex.pl
SMS / MMS (Data Analysis II)
• SQLite3 database: /mobile/Library/SMS/sms.db
• SQL query (SMS): SELECT * from MESSAGE
• SQL query (MMS): SELECT * from MSG_PIECES
WhatsApp (Data Analysis II)
• Short messages over the internet
• Based on the mobile number as identity
• Different types of content: multimedia files, images, etc.; geolocation data
• /mobile/Applications/SHA1-HASH/Documents/ChatStorage.sqlite
• /mobile/Applications/WhatsApp/Library/Media/*
WhatsApp (manually) (Data Analysis II)
• SQLite3 database: /mobile/Applications/SHA1-HASH/Documents/ChatStorage.sqlite

SELECT datetime((zwamessage.zmessagedate + 978307200), 'unixepoch', 'localtime') as Time,
       zwamessage.zfromjid, zwachatsession.zpartnername, zwamessage.ztext,
       zwachatsession.zcontactjid, zwamessage.zmessagestatus, zwamessage.zmessagetype,
       zwamessage.zmediaitem
FROM zwachatsession
JOIN zwamessage ON zwachatsession.z_pk = zwamessage.zchatsession
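An added example (not from the slides) that runs the query above against a constructed ChatStorage.sqlite, with the time-zone modifier made explicit: 'localtime' depends on the examiner's workstation, so a report should state which variant produced its timestamps. The Z-prefixed tables are an assumed subset of the app's Core Data schema, and the convention that a NULL zfromjid marks a message sent by the device owner is an assumption of the sample data.

```python
import sqlite3

# Assumed subset of the Core Data schema inside ChatStorage.sqlite: only the
# columns the slide's query touches are modelled, all rows are constructed.
SCHEMA = """
CREATE TABLE ZWACHATSESSION (Z_PK INTEGER PRIMARY KEY, ZPARTNERNAME TEXT, ZCONTACTJID TEXT);
CREATE TABLE ZWAMESSAGE (Z_PK INTEGER PRIMARY KEY, ZCHATSESSION INTEGER, ZFROMJID TEXT,
    ZTEXT TEXT, ZMESSAGEDATE REAL, ZMESSAGESTATUS INTEGER, ZMESSAGETYPE INTEGER,
    ZMEDIAITEM INTEGER);
"""
SESSIONS = [(1, "Alice Example", "4917000000001@s.whatsapp.net")]
# ZMESSAGEDATE is CFAbsoluteTime (seconds since 2001); a NULL ZFROMJID marks a
# message sent by the device owner in this constructed data set (assumption).
MESSAGES = [
    (10, 1, "4917000000001@s.whatsapp.net", "Hi, are you there?", 456346457.0, 6, 0, None),
    (11, 1, None, "Yes, sending the photo", 456346520.0, 6, 0, None),
    (12, 1, None, None, 456346530.0, 6, 1, 7),
]

# The slide's query with the time-zone modifier made explicit.
QUERY = """
SELECT datetime((zwamessage.zmessagedate + 978307200), 'unixepoch'{modifier}) AS Time,
       zwamessage.zfromjid, zwachatsession.zpartnername, zwamessage.ztext,
       zwachatsession.zcontactjid, zwamessage.zmessagestatus,
       zwamessage.zmessagetype, zwamessage.zmediaitem
FROM zwachatsession
JOIN zwamessage ON zwachatsession.z_pk = zwamessage.zchatsession
ORDER BY zwamessage.zmessagedate
"""

def load_sample() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO ZWACHATSESSION VALUES (?, ?, ?)", SESSIONS)
    con.executemany("INSERT INTO ZWAMESSAGE VALUES (?, ?, ?, ?, ?, ?, ?, ?)", MESSAGES)
    return con

def chat_timeline(con: sqlite3.Connection, local_time: bool = False) -> list:
    """Run the slide's join; SQLite column names are case-insensitive, so the
    lowercase names in the query match the uppercase Core Data columns.
    Without the 'localtime' modifier the timestamps come out in UTC."""
    modifier = ", 'localtime'" if local_time else ""
    rows = con.execute(QUERY.format(modifier=modifier)).fetchall()
    return [{"time": t, "partner": partner, "sender": fromjid or "owner",
             "text": text, "type": mtype, "media_item": media}
            for t, fromjid, partner, text, _jid, _status, mtype, media in rows]

def media_messages(timeline: list) -> list:
    """Messages that carry a ZMEDIAITEM reference; the files themselves live
    under Library/Media (see the previous slide)."""
    return [m for m in timeline if m["media_item"] is not None]
```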
WhatsApp (whatsapp_xtract.py) I (Data Analysis II)
• Copy the SQLite DB / media folder to the whatsapp_xtract folder
• Execute the whatsapp_xtract.py script
• Open ChatStorage.sqlite.html
http://forum.xda-developers.com/showthread.php?t=1583021
WhatsApp (whatsapp_xtract.py) II (Data Analysis II)
• Index of all chat conversations
• Embedded and linked media
Content
1. Introduction
2. Data Acquisition
3. Getting in touch with the content
4. Data Analysis I: Where to find what, how to deal with it
5. Data Analysis II
6. Data Analysis III: Media extraction
  • iTunes Library
  • Camera Roll
  • Audio recordings
7. Summary / Questions
iTunes: Music (Data Analysis III)
• Although created with iTunes, there are no audio files inside the backup
• /mobile/Media/iTunes_Control (only available via a separate service)
• Filenames are 4-character "encrypted" names (better use Sharepod)
Media: Photos, Videos, Audio (Data Analysis III)
• Included in the logical and the physical dump
• Acquisition also possible using Camera Assistant (Win/Mac)
• Taken photos, videos: /mobile/Media/DCIM/*
  • Analyze EXIF data (GPS, timestamp, etc.): exifprobe -L filename.jpg (*)
• Audio recordings: /mobile/Media/Recordings
  • recordings.db
  • *.m4a (QuickTime, VLC)
(*) https://github.com/hfiguiere/exifprobe
Photo Library (thumbnails) (Data Analysis III)
• /mobile/Media/PhotoData/*
(*) http://keithwiley.com/software/keithsIPodPhotoReader.shtml (Mac)
Cellebrite UFED 4PC (geolocation info from images) (Physical acquisition)
• Photo taken: no GPS
• UMTS cell tower
Content
1. Introduction
2. Data Acquisition
3. Getting in touch with the content
4. Data Analysis I: Where to find what, how to deal with it
5. Data Analysis II
6. Data Analysis III
7. Summary / Questions
Summary: What we've learnt
• Introduction
  • Different aspects of device evolution, i.e. hardware, features, software
  • Limits to access content -> what artifacts to get from which processing
• Data Acquisition
  • Need to understand: iTunes syncing philosophy
  • Logical backup vs. physical imaging (iTunes, Zdziarski, commercial)
• Getting in touch with the content
  • Decoding iTunes backups manually/automatically
• Data Analysis I (where to find what, how to deal with it)
  • Different domains, different data sources, different data formats
• Data Analysis II (extraction examples)
  • How to extract standard iOS software artifacts
  • Complexity in some cases, simplicity in general
• Data Analysis III (media extraction)
  • Easy to catch -> Camera Roll <- connected device
  • More media to get -> file system acquisition
Advanced Physical Examiner
References [all links checked on 26.4.2013]
iFix4: iPhone 4 teardown. ifixit, http://www.ifixit.com/Teardown/iPhone+4+Teardown/3130/3 [14.07.2011] (good resource for all kinds of disassembly information)
iFix5: iPhone 5 teardown. ifixit, http://www.ifixit.com/Teardown/iPhone+5+Teardown/10525/1 [21.09.2012]
JZ1: iOS research (automated tools). Jonathan Zdziarski, http://www.iosresearch.org [24.07.2009] (restricted to law enforcement)
JZ2: Waterboard: Advanced Forensic Logical Acquisition for iOS Devices. Jonathan Zdziarski, http://www.zdziarski.com/blog/?p=2385; https://github.com/jzdziarski/waterboard [12.06.2013] (free)
JZ3: iOS Forensic Investigative Methods. Jonathan Zdziarski, http://www.zdziarski.com/blog/?p=2287 [06.05.2013] (free)
Questions to check your knowledge
1. What are the reasons for not being able to access an iDevice (physically)?
2. Describe the different content types to extract from logical/physical backup.
3. Name the two main objectives in the iTunes syncing philosophy.
4. Why is it important to prevent iTunes from syncing automatically before connecting an iDevice?
5. Find mobile backup locations in different desktop operating systems.
6. Name the 3 different imaging approaches Zdziarski uses and describe the differences in extraction.
7. Explain how to parse a current iTunes backup, i.e. decoding filenames from Manifest.mbdx.
8. What are the 3 different mobile domains and which data to get from each?
9. Explain how to extract the caller list and name the 2 conversions that have to be undertaken.
10. What are ithmb files and how to deal with them?