iOS Forensics: where are we now and what are we missing?
SANS DFIR
Prague, 3rd October 2017
© 2017 Mattia Epifani | All Rights Reserved |
2
Overview on iOS Forensics
• iOS acquisition challenges
• Search and seizure of iOS devices
• Acquisition techniques
• Alternative options
3
Why iOS Forensics? September 2017 – Mobile OS (source: Statcounter.com)
4
Why iOS Forensics? September 2017 – Tablet OS (source: Statcounter.com)
5
iOS Acquisition Challenges
• iOS devices use full disk encryption
• Other protection layers (e.g. per-file keys, backup password)
• JTAG ports are not available
• Chip-off techniques are not useful because of full disk encryption
• But some experimental techniques are just out!
6
iOS Forensics RULES!
• Turned off device: LEAVE IT OFF!
• Turned on device (locked or unlocked): DON’T TURN IT OFF AND THINK!
7
PRESERVATION - Turned ON and LOCKED
1. Activate Airplane mode
2. Connect to a power source (e.g. external battery)
3. Verify the model
4. Verify the iOS version
8
PRESERVATION - Activate Airplane Mode on a Locked Device
9
IDENTIFICATION - Identify the model (I)
10
IDENTIFICATION - Identify the model (II) and the iOS Version
• Libimobiledevice (Linux/Mac): http://www.libimobiledevice.org/
• iMobiledevice (Windows): http://quamotion.mobi/iMobileDevice/
• ideviceinfo -s
• They also work on locked devices!
11
IDENTIFICATION - Identify the model (II) and the iOS Version
12
IDENTIFICATION - iPhone Model Chart

| Device name | Model number | Internal name | Identifier | Year | Capacity (GB) |
|---|---|---|---|---|---|
| iPhone 7 Plus | A1784 | D111AP | iPhone9,4 | 2016 | 32, 128, 256 |
| iPhone 7 Plus (China/Japan) | A1661 – A1785 – A1786 | D11AP | iPhone9,2 | 2016 | 32, 128, 256 |
| iPhone 7 | A1778 | D101AP | iPhone9,3 | 2016 | 32, 128, 256 |
| iPhone 7 (China) | A1660 – A1779 – A1780 | D10AP | iPhone9,1 | 2016 | 32, 128, 256 |
| iPhone SE | A1662 – A1723 – A1724 | N69AP | iPhone8,4 | 2016 | 16, 32, 64, 128 |
| iPhone 6s Plus | A1634 – A1687 – A1699 – A1690 | N66AP | iPhone8,2 | 2015 | 16, 64, 128 |
| iPhone 6s | A1633 – A1688 – A1700 – A1691 | N71AP | iPhone8,1 | 2015 | 16, 64, 128 |
| iPhone 6 Plus | A1522 – A1524 – A1593 | N56AP | iPhone7,1 | 2014 | 16, 64, 128 |
| iPhone 6 | A1549 – A1586 | N61AP | iPhone7,2 | 2014 | 16, 64, 128 |
| iPhone 5S (CDMA) | A1457 – A1518 – A1528 – A1530 | N53AP | iPhone6,2 | 2013 | 16, 32 |
| iPhone 5S (GSM) | A1433 – A1533 | N51AP | iPhone6,1 | 2013 | 16, 32, 64 |
| iPhone 5C (CDMA) | A1507 – A1516 – A1526 – A1529 | N49AP | iPhone5,4 | 2013 | 16, 32 |
| iPhone 5C (GSM) | A1456 – A1532 | N48AP | iPhone5,3 | 2013 | 16, 32 |
| iPhone 5 rev.2 | A1429 – A1442 | N42AP | iPhone5,2 | 2012 | 16, 32, 64 |
| iPhone 5 | A1428 | N41AP | iPhone5,1 | 2012 | 16, 32, 64 |
| iPhone 4S (China) | A1431 | N94AP | iPhone4,1 | 2011 | 8, 16, 32, 64 |
| iPhone 4S | A1387 | N94AP | iPhone4,1 | 2011 | 8, 16, 32, 64 |
| iPhone 4 - CDMA | A1349 | N92AP | iPhone3,2 | 2011 | 8, 16, 32 |
| iPhone 4 - GSM | A1332 | N90AP | iPhone3,1 | 2010 | 8, 16, 32 |
| iPhone 3GS (China) | A1325 | N88AP | iPhone2,1 | 2009 | 8, 16, 32 |
| iPhone 3GS | A1303 | N88AP | iPhone2,1 | 2009 | 8, 16, 32 |
| iPhone 3G (China) | A1324 | N82AP | iPhone1,2 | 2009 | 8, 16 |
| iPhone 3G | A1241 | N82AP | iPhone1,2 | 2008 | 8, 16 |
| iPhone 2G | A1203 | M68AP | iPhone1,1 | 2007 | 4, 8, 16 |
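Slides 11 and 12 together describe the identification step: read `ProductType`, `ProductVersion` and `HardwareModel` from `ideviceinfo -s` (which works on a locked device) and map the identifier to the model chart. The script below is an added example, not code from the presentation or from libimobiledevice: it parses a constructed sample of `ideviceinfo -s` output (the `Key: Value` line format is the tool's real output; the UDID value is a placeholder), looks the identifier up in a subset of the chart above, and derives the two decisions the later slides hinge on, whether the device is in the iPhone 4-and-below range (slide 17) and whether iOS 11 is present so that pairing needs the passcode (slide 20).

```python
"""Identify an iOS device from `ideviceinfo -s` output and map it to the
model chart.  Added example, not part of the original slides."""
import re

# Subset of the slide 12 chart: identifier -> (device name, internal name, year)
MODEL_CHART = {
    "iPhone9,4": ("iPhone 7 Plus", "D111AP", 2016),
    "iPhone9,3": ("iPhone 7", "D101AP", 2016),
    "iPhone8,4": ("iPhone SE", "N69AP", 2016),
    "iPhone8,1": ("iPhone 6s", "N71AP", 2015),
    "iPhone7,2": ("iPhone 6", "N61AP", 2014),
    "iPhone6,1": ("iPhone 5S (GSM)", "N51AP", 2013),
    "iPhone5,1": ("iPhone 5", "N41AP", 2012),
    "iPhone4,1": ("iPhone 4S", "N94AP", 2011),
    "iPhone3,1": ("iPhone 4 - GSM", "N90AP", 2010),
}

# Constructed sample of `ideviceinfo -s` output for a locked iPhone 7 on
# iOS 11.0.1.  Real output has many more keys; the UDID is a placeholder.
SAMPLE_IDEVICEINFO = """\
DeviceClass: iPhone
DeviceName: iPhone
HardwareModel: D101AP
ProductName: iPhone OS
ProductType: iPhone9,3
ProductVersion: 11.0.1
UniqueDeviceID: 0000000000000000000000000000000000000000
"""


def parse_ideviceinfo(text):
    """Turn the 'Key: Value' lines into a dict; malformed lines are ignored."""
    info = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z0-9_]+):\s*(.*)$", line)
        if m:
            info[m.group(1)] = m.group(2).strip()
    return info


def parse_version(version):
    """'11.0.1' -> (11, 0, 1), so versions compare numerically, not as strings."""
    return tuple(int(p) for p in version.split("."))


def identify(text):
    """Map the device to the chart and derive the acquisition-relevant flags."""
    info = parse_ideviceinfo(text)
    product_type = info.get("ProductType", "")
    version = info.get("ProductVersion", "")
    entry = MODEL_CHART.get(product_type)
    name, internal, year = entry if entry else ("not in chart", None, None)
    major = parse_version(version)[0] if version else None
    return {
        "product_type": product_type,
        "device": name,
        "internal_name": internal,
        "year": year,
        "ios_version": version,
        # Slide 17: physical acquisition applies to iPhone 4 and below,
        # i.e. identifiers iPhone1,x / iPhone2,x / iPhone3,x.
        "physical_acquisition_candidate":
            product_type.startswith(("iPhone1,", "iPhone2,", "iPhone3,")),
        # Slide 20: from iOS 11 establishing Trust (pairing) needs the passcode.
        "pairing_requires_passcode": major is not None and major >= 11,
        # A ProductType/HardwareModel mismatch against the chart deserves a
        # second look before relying on the identification.
        "hardware_model_matches_chart":
            (internal == info.get("HardwareModel")) if internal else None,
    }


if __name__ == "__main__":
    for key, value in identify(SAMPLE_IDEVICEINFO).items():
        print(f"{key}: {value}")
```

Replace `SAMPLE_IDEVICEINFO` with the captured output of `ideviceinfo -s` to run it against a real device; the chart dictionary is the only part that needs extending when newer models appear.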
13
PRESERVATION - Turned ON and UNLOCKED
1. Prevent the phone locking!
   I. Don’t press the power button!
   II. Disable Auto-lock!
2. Verify if a lock code is set!
3. Activate Airplane mode
4. Acquire the data as soon as possible, keeping the phone unlocked!
   OR connect to a computer to «pair» the iPhone
   OR:
   1. Connect to a power source (e.g. external battery)
   2. Identify the model
   3. Identify the iOS version
14
PRESERVATION - PREVENT LOCK STATE! (Disable Auto-Lock)
15
PRESERVATION - Activate Airplane Mode on an unlocked device
16
ACQUISITION - Acquisition techniques

| Type | Technique | Notes |
|---|---|---|
| File System | iTunes Backup | Can be password protected! |
| File System | Apple File Relay | Zdziarski, 2014 – Up to iOS 7 |
| File System | Apple File Conduit | Result depends on iOS version |
| File System | iCloud | Already stored data or forced |
| File System | Full file system | Possible only on jailbroken devices |
| Physical | Physical | Available up to iPhone 4; possible on jailbroken devices |
17
ACQUISITION - iPhone 4 and below
• Physical acquisition is always possible
• With a simple passcode, all data will be decrypted
• With a complex passcode, you still get the native applications' data (e.g. address book, SMS, notes, video, images)
18
ACQUISITION – Turned ON and unlocked – Turned OFF and without passcode
• Some kind of file system acquisition is always possible
• The obtained data strongly depends on the iOS version
• General approach:
  • Connect the phone to a computer with iTunes or a mobile forensics tool installed
  • ”Pair” the phone with the computer
  • Acquire the data with the various possible techniques/protocols
19
ACQUISITION – Turned ON and unlocked – Turned OFF and without passcode
• Possible problems:
  • Backup password
  • Managed devices (connection to a PC may be inhibited)
  • iOS 11 (!!!)
20
iOS 11 – Lockdown generation
• Establishing Trust (“pairing”) with a PC now requires the passcode!
https://blog.elcomsoft.com/2017/09/new-security-measures-in-ios-11-and-their-forensic-implications/
21
ACQUISITION - Turned ON and LOCKED
• Search for a lockdown certificate on a synced computer
• Unlock through fingerprint
• Try to force an iCloud backup
• Specific iOS version vulnerability for bypassing passcode
22
ACQUISITION – Lockdown certificate
• Stored in:
  • C:\ProgramData\Apple\Lockdown (Windows 7/8/10)
  • /private/var/db/lockdown (Mac OS X)
• Certificate file name: Device_UDID.plist
• The certificate can be extracted from the computer and used on another one with some forensic tools or directly with iTunes
• A lockdown certificate stored on a computer is valid for 30 days
• A lockdown certificate can be used within 48 hours of the last time the user unlocked the device with the passcode
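When a synced computer is part of the seizure, the lockdown directory named above is itself evidence: each `<UDID>.plist` records a device that was trusted by that host, and its file time tells you whether it still falls inside the 30-day window stated on this slide. The script below is an added example, not code from the presentation or from libimobiledevice/usbmuxd: it inventories the pair records in a directory and reports the UDID (taken from the file name, as the slide says), the `HostID` and `WiFiMACAddress` keys that pairing records carry, and the record age. The Windows and Mac paths are the slide's; the Linux path is an assumption (usbmuxd's default), and the sample directory the script builds for a dry run is constructed with placeholder values.

```python
"""Inventory lockdown pair records on an examiner-controlled computer.
Added example, not part of the original slides."""
import os
import plistlib
import sys
import tempfile
import time

LOCKDOWN_DIRS = {
    "win32": r"C:\ProgramData\Apple\Lockdown",   # Windows 7/8/10 (slide 22)
    "darwin": "/private/var/db/lockdown",        # Mac OS X (slide 22)
    "linux": "/var/lib/lockdown",                # usbmuxd default (assumption)
}
VALIDITY_DAYS = 30  # validity window stated on slide 22


def default_lockdown_dir():
    """Pick the lockdown directory for the platform the script runs on."""
    for prefix, path in LOCKDOWN_DIRS.items():
        if sys.platform.startswith(prefix):
            return path
    return LOCKDOWN_DIRS["linux"]


def inventory_pair_records(directory, now=None):
    """Return one summary dict per <UDID>.plist found in `directory`.

    SystemBUID.plist is the host's own identifier record, not a device
    pairing, so it is skipped; unreadable plists are skipped as well.
    """
    now = time.time() if now is None else now
    records = []
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist") or name == "SystemBUID.plist":
            continue
        path = os.path.join(directory, name)
        with open(path, "rb") as f:
            try:
                rec = plistlib.load(f)
            except plistlib.InvalidFileException:
                continue
        age_days = (now - os.path.getmtime(path)) / 86400
        records.append({
            "udid": name[:-len(".plist")],
            "host_id": rec.get("HostID"),
            "wifi_mac": rec.get("WiFiMACAddress"),
            "has_escrow_bag": "EscrowBag" in rec,
            "age_days": round(age_days, 1),
            "within_validity_window": age_days <= VALIDITY_DAYS,
        })
    return records


def make_sample_lockdown_dir(ages_in_days=(3, 45)):
    """Build a constructed lockdown directory in a temp folder for a dry run.

    One record per entry in `ages_in_days`, back-dated by that many days, plus
    a SystemBUID.plist that the inventory must ignore.  All values are
    placeholders.
    """
    d = tempfile.mkdtemp(prefix="lockdown-sample-")
    for i, age in enumerate(ages_in_days):
        udid = f"{i:040x}"  # placeholder 40-hex-digit UDID
        rec = {
            "HostID": f"00000000-0000-0000-0000-{i:012d}",
            "SystemBUID": "00000000-0000-0000-0000-000000000000",
            "WiFiMACAddress": f"02:00:00:00:00:{i:02x}",
            "EscrowBag": b"placeholder",
            "HostCertificate": b"placeholder",
            "DeviceCertificate": b"placeholder",
        }
        path = os.path.join(d, udid + ".plist")
        with open(path, "wb") as f:
            plistlib.dump(rec, f)
        mtime = time.time() - age * 86400
        os.utime(path, (mtime, mtime))
    with open(os.path.join(d, "SystemBUID.plist"), "wb") as f:
        plistlib.dump({"SystemBUID": "00000000-0000-0000-0000-000000000000"}, f)
    return d


if __name__ == "__main__":
    # Pass a directory to inventory a real lockdown folder; with no argument
    # the constructed sample is used so the script runs anywhere.
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_lockdown_dir()
    for record in inventory_pair_records(target):
        print(record)
```

On a live examination you would point it at a copy of the lockdown folder taken from the forensic image rather than at the running system, so the file times you rely on are the ones preserved in the image.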
23
ACQUISITION – Fingerprint Unlock
• To configure Touch ID, you must first set up a passcode. Touch ID is designed to minimize the input of your passcode; but your passcode will be needed for additional security validation:
  • After restarting your device
  • When more than 48 hours have elapsed from the last time you unlocked your device
  • To enter the Touch ID & Passcode setting
• https://support.apple.com/en-us/HT204587
24
iOS 11 – SOS Mode
• Apple has added a new emergency feature designed to give users an intuitive way to call emergency services by simply pressing the Power button five times in rapid succession
• This SOS mode not only allows quickly calling an emergency number, but also disables Touch ID
https://blog.elcomsoft.com/2017/09/new-security-measures-in-ios-11-and-their-forensic-implications/
25
ACQUISITION – Force iCloud backup
• Be careful when using this option and try other methods first!
  • Possible overwriting of an already existing backup
  • Risk of remote wiping
• Follow this approach:
  • Bring the device close to a known Wi-Fi network
  • Connect to a power source
  • Wait a few hours
  • Request the data from Apple or download it
    • Legal authorization
    • Credentials or token needed
26
ACQUISITION – Specific iOS version vulnerability
• A comprehensive and continuously updated list is maintained at: http://blog.dinosec.com/2014/09/bypassing-ios-lock-screens.html
• Latest available for iOS 10.3: CVE-2017-2397
  • “An issue was discovered in certain Apple products. iOS before 10.3 is affected. The issue involves the "Accounts" component. It allows physically proximate attackers to discover an Apple ID by reading an iCloud authentication prompt on the lock screen.”
27
ACQUISITION – Turned OFF and LOCKED
• Try to use a lockdown certificate
  • It works well on iOS 7 (AFR and AFC)
  • It can still get some data on iOS 8 (AFC)
  • Not useful on iOS 9/10/11
• Some specific unlocking tools
  • They work on iOS 7 and iOS 8
  • UFED User Lock Code Recovery Tool
  • IP-BOX
  • MFC Dongle
  • Xpin Clip
28
ACQUISITION –Turned OFF and LOCKED (iPhone 7)
29
ACQUISITION –Turned OFF and LOCKED (iPhone 7)
30
ACQUISITION – CAIS (Cellebrite Advanced Investigative Services)
https://www.cellebrite.com/en/services/unlock-services/
31
Alternative options
• Local backup stored on user’s computer
• Other data stored on user’s computer
• iCloud acquisition
• Experimental techniques (chip-off)
32
Backup stored on the user’s computer
33
Encrypted backup
34
iOS Backup password cracking on Mac OS X
35
Dumpkeychain
36
Dumpkeychain
37
Other data stored on the user’s computer
• Windows
  • C:\ProgramData\Apple Computer\iTunes\iPodDevices.xml: connected iOS devices
  • C:\Users\[username]\AppData\Roaming\Apple Computer\
    • MobileSync\Backup: device backup
    • Logs: various device logs
    • MediaStream: PhotoStream information
    • iTunes: iTunes preferences and Apple account information
• Mac OS X
  • https://www.mac4n6.com/resources/
  • Sarah Edwards, Ubiquity Forensics - Your iCloud and You
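Slides 32 to 34 and the MobileSync\Backup entry above all lead to the same first question about a backup found on the user's computer: which device is it, when was it taken, and is it encrypted, so that the backup password has to be recovered before anything inside can be parsed. The script below is an added example, not code from the presentation or from iTunes: it triages a `MobileSync\Backup\<UDID>` folder from its two metadata plists, `Info.plist` (always in the clear; the `Product Type`, `Product Version`, `Last Backup Date`, `Unique Identifier`, `Installed Applications` and `iTunes Version` keys are the ones iTunes writes) and `Manifest.plist` (`IsEncrypted`, `WasPasscodeSet`, `BackupKeyBag`). The sample backup it builds for a dry run is constructed with placeholder values.

```python
"""Triage an iTunes backup folder (MobileSync\\Backup\\<UDID>) from its
Info.plist and Manifest.plist.  Added example, not part of the original slides."""
import datetime
import os
import plistlib
import tempfile


def triage_backup(backup_dir):
    """Summarise device, iOS version, last backup date and encryption state.

    An encrypted backup (Manifest.plist IsEncrypted = True) cannot be parsed
    until the backup password is known; Info.plist is never encrypted and
    still identifies the device and the iTunes build that produced it.
    """
    with open(os.path.join(backup_dir, "Info.plist"), "rb") as f:
        info = plistlib.load(f)
    with open(os.path.join(backup_dir, "Manifest.plist"), "rb") as f:
        manifest = plistlib.load(f)
    folder_udid = os.path.basename(os.path.normpath(backup_dir))
    udid = info.get("Unique Identifier", "")
    return {
        "udid": udid,
        # The folder is named after the UDID; a mismatch means the backup was
        # moved or renamed and its origin needs to be re-established.
        "udid_matches_folder": udid.lower() == folder_udid.lower(),
        "product_type": info.get("Product Type"),
        "ios_version": info.get("Product Version"),
        "itunes_version": info.get("iTunes Version"),
        "last_backup": info.get("Last Backup Date"),
        "installed_apps": len(info.get("Installed Applications", [])),
        "encrypted": bool(manifest.get("IsEncrypted", False)),
        "passcode_was_set": bool(manifest.get("WasPasscodeSet", False)),
        "has_keybag": "BackupKeyBag" in manifest,
    }


def make_sample_backup(encrypted=True):
    """Write a constructed backup folder holding only the two metadata plists.

    Every value is a placeholder; the folder name is the lower-case UDID, as
    iTunes creates it, while Info.plist carries the upper-case form.
    """
    udid = "0" * 40  # placeholder 40-hex-digit UDID
    d = os.path.join(tempfile.mkdtemp(prefix="mobilesync-sample-"), udid)
    os.mkdir(d)
    when = datetime.datetime(2017, 9, 30, 8, 15, 0)
    info = {
        "Device Name": "iPhone",
        "Product Type": "iPhone9,3",
        "Product Version": "10.3.3",
        "Unique Identifier": udid.upper(),
        "iTunes Version": "12.7.0.166",
        "Last Backup Date": when,
        "Installed Applications": ["com.example.app1", "com.example.app2"],
    }
    manifest = {
        "Version": "10.0",
        "IsEncrypted": encrypted,
        "WasPasscodeSet": True,
        "Date": when,
    }
    if encrypted:
        manifest["BackupKeyBag"] = b"placeholder-keybag"
    with open(os.path.join(d, "Info.plist"), "wb") as f:
        plistlib.dump(info, f)
    with open(os.path.join(d, "Manifest.plist"), "wb") as f:
        plistlib.dump(manifest, f)
    return d


if __name__ == "__main__":
    import sys
    # Pass a backup folder to triage a real backup; with no argument the
    # constructed sample is used so the script runs anywhere.
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_backup()
    for key, value in triage_backup(target).items():
        print(f"{key}: {value}")
```

Run it against every `<UDID>` folder under `MobileSync\Backup` first; the `encrypted` flag decides whether the next step is parsing the backup or the password-recovery stage shown on slide 34.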
38
iPodDevices.xml
39
MobileMeAccounts.plist
40
Logs Folder
41
Logs folder
• Installed applications list and usage: various logs like PowerLog, Security, OnDemand
• iTunes username: itunesstored.2.log file
• File names of e-mail attachments: MobileMail logs
• List of Wi-Fi networks and history of latest connections: Wi-Fi logs
42
OnDemand log
43
itunesstored.2.log
44
MobileMail Log
45
Wi-Fi log
46
iCloud Acquisition
• You need:
  • User credentials, OR
  • A token extracted from a computer (Windows/Mac), only if iCloud Control Panel is installed!
• You can obtain:
  • iCloud Device Backup
  • iCloud Calendars
  • iCloud Contacts
  • Photo Streams
  • Email
  • Specific application data
47
ACQUISITION – iCloud Acquisition
48
ACQUISITION – iCloud Acquisition
49
ACQUISITION – iCloud Acquisition
50
ACQUISITION – iCloud Acquisition
51
ACQUISITION – iCloud Acquisition
52
ACQUISITION – iCloud Acquisition
53
ACQUISITION – iCloud Acquisition
54
Apple support
https://images.apple.com/legal/privacy/law-enforcement-guidelines-outside-us.pdf
• You can request:
  • Subscriber information
  • Mail logs
  • Email content
  • Other iCloud content:
    • iOS Device Backups
    • iCloud Photo Library
    • iCloud Drive
    • Contacts
    • Calendar
    • Bookmarks
    • Safari Browsing History
    • Find My iPhone
    • Game Center
    • iOS Device Activation
    • Sign-on logs
    • My Apple ID and iForgot logs
    • FaceTime logs
55
Chip Off (Experimental)
• Recently published research by Sergei Skorobogatov: The bumpy road towards iPhone 5C NAND mirroring
  • http://www.cl.cam.ac.uk/~sps32/5c_proj.html
  • https://arxiv.org/pdf/1609.04327v1.pdf
  • https://www.youtube.com/watch?v=tM66GWrwbsY
56
iOS Forensics Tools
Forensic tools
• Cellebrite Physical Analyzer
• Magnet IEF/AXIOM/Acquire
• Oxygen Forensic
• Elcomsoft Phone Breaker
• Elcomsoft Phone Viewer
• Elcomsoft iOS Forensic Toolkit
• XRY
• MPE+
• Paraben Device Seizure
• X-Ways/FTK/Encase
Other tools
• iTunes
• Libimobiledevice
• iMobiledevice
• iBackupbot
• iPhone Backup Extractor
• iFunBox
• iTools
• iExplorer
• Plisteditor
• SQLite Database Browser
57
Learning iOS Forensics – Second Edition
https://www.packtpub.com/networking-and-servers/learning-ios-forensics-second-edition
58
SANS FOR 585 - Advanced Smartphone Forensics
https://www.sans.org/course/advanced-smartphone-mobile-device-forensics
59
SANS FOR 585 - Advanced Smartphone Forensics
https://www.sans.org/course/advanced-smartphone-mobile-device-forensics
60
Q&A
Mattia Epifani
• CEO @ REALITY NET – System Solutions
• Digital Forensics Analyst
• Mobile Device Security Specialist
• Member of Clusit, DFA, IISFA, ONIF, Tech&Law
• GCFA, GCFE, GASF, GREM, GNFA, GMOB, GCWN
• CEH, CHFI, CCE, CIFI, ECCE, AME, ACE, MPSC
@mattiaep
http://www.linkedin.com/in/mattiaepifani
http://www.realitynet.it
http://blog.digital-forensics.it