TRANSCRIPT
Tracking traces of deleted applications
Christopher Vance
Alexis Brignoni
iOS – All About the Bundle
• Deletion of an app deletes the entire “Container”
• Native files and databases track references to apps
• Deleted? Or Just Offloaded?
Offloaded?
• Apple allows users to “Offload” apps not frequently used
• Deletes the App container, but not the Data container
Offloaded?
App Storage (ApplicationState.db)
• Package Name: com.atebits.Tweetie2
• App Source Location: /private/var/containers/Bundle/Application/15FFD685-5154-4C07-B332-95F3F7521A48/Twitter.app
• Application Data Location: /private/var/mobile/Containers/Data/Application/1562A7BD-D4FA-4838-88FC-3F48C009EBD0
\private\var\mobile\Library\FrontBoard\applicationState.db
No Directions
• Offloaded apps lose ApplicationState.db entry (no map to container)
• MobileInstallation Log MAY have it depending on time.
• Bundle ID is searchable in FileSystem
IconState.plist (Springboard)
• Still lists the app.
• Device will show a cloud icon next to app on the home screen.
• BundleID is the key!
Search for BundleID.plist
• Each app has a plist file named [BundleID].plist in the Preferences folder
• Source path reveals the UUID for that App!
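Added example (not from the presentation): a small walker that does what the slide describes, looking for a [BundleID].plist under a Preferences folder in an iOS file-system extraction and reading the data-container UUID out of the path. The extraction tree is constructed in a temp directory so the script runs offline; the second bundle id and the hypothetical directory layout (data container / Library / Preferences) are assumptions.

```python
import os
import re
import tempfile

# Relative path of the per-app data containers inside a full file-system extraction.
DATA_CONTAINERS = "private/var/mobile/Containers/Data/Application"

# Captures the container UUID that precedes .../Library/Preferences in the path.
UUID_RE = re.compile(
    r"/Data/Application/([0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12})/", re.I
)
# Reverse-DNS names only (com.vendor.app.plist); skips .GlobalPreferences.plist and the like.
BUNDLE_PLIST_RE = re.compile(r"^([A-Za-z0-9-]+\.)+[A-Za-z0-9-]+\.plist$")


def build_sample_extraction(root):
    """Create a constructed extraction tree: two data containers, one stray plist."""
    samples = {
        "1562A7BD-D4FA-4838-88FC-3F48C009EBD0": "com.atebits.Tweetie2",  # from the slide
        "0F1E2D3C-AAAA-4BBB-8CCC-DDDDEEEEFFFF": "com.example.removed",  # constructed
    }
    for uuid, bundle in samples.items():
        prefs = os.path.join(root, DATA_CONTAINERS, uuid, "Library", "Preferences")
        os.makedirs(prefs, exist_ok=True)
        with open(os.path.join(prefs, bundle + ".plist"), "wb") as fh:
            fh.write(b"bplist00")  # header only; contents are irrelevant here
        with open(os.path.join(prefs, ".GlobalPreferences.plist"), "wb") as fh:
            fh.write(b"bplist00")  # should be ignored by the search
    return samples


def find_bundle_plists(root):
    """Walk an extraction and map bundle id -> data-container UUID."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) != "Preferences":
            continue
        m = UUID_RE.search(dirpath.replace(os.sep, "/"))
        if not m:
            continue  # Preferences folder outside a data container (e.g. system-wide)
        for name in files:
            if BUNDLE_PLIST_RE.match(name):
                found[name[: -len(".plist")]] = m.group(1).upper()
    return found


def container_for(root, bundle_id):
    """Return the data-container UUID for one bundle id, or None if not found."""
    return find_bundle_plists(root).get(bundle_id)


def demo():
    """Build the constructed tree and search it; returns (samples, found)."""
    root = tempfile.mkdtemp(prefix="ios-extraction-")
    samples = build_sample_extraction(root)
    return samples, find_bundle_plists(root)


if __name__ == "__main__":
    _samples, found = demo()
    for bundle, uuid in sorted(found.items()):
        print(f"{bundle:30} -> {uuid}")
```

On a real extraction, point `find_bundle_plists` at the root of the file system dump; an offloaded app keeps its data container, so its plist (and therefore its UUID) is still recoverable even though ApplicationState.db no longer maps it.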
Learning BundleIDs
• Search for app online [Google: reddit ios app]
– Look for http://apps.apple.com/
• Take the number after ID in URL
– https://apps.apple.com/us/app/reddit/id1064216828
• Open URL: https://itunes.apple.com/lookup?id=
– Put value after the “=”
Learning BundleIDs
• Data downloaded as .txt file
• Search for “bundleID”
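Added example (not part of the presentation): the two-step lookup above in code, pulling the numeric id out of an App Store URL, building the iTunes lookup URL, and reading `bundleId` from the returned JSON. The response is embedded as a constructed sample so the script runs offline; the `com.reddit.Reddit` value in it is illustrative and should be confirmed against the live lookup.

```python
import json
import re
from urllib.parse import urlparse

# App Store URLs end in /id<digits>; everything after the id is optional.
APP_ID_RE = re.compile(r"/id(\d+)(?:[/?#]|$)")


def app_id_from_store_url(url):
    """Return the numeric App Store id from an apps.apple.com URL."""
    m = APP_ID_RE.search(urlparse(url).path)
    if not m:
        raise ValueError(f"no /id<number> segment in {url!r}")
    return int(m.group(1))


def lookup_url(app_id):
    """Build the iTunes lookup URL for one app id."""
    return f"https://itunes.apple.com/lookup?id={app_id}"


def bundle_ids_from_lookup(payload_text):
    """Map trackId -> bundleId for every result in a lookup response."""
    data = json.loads(payload_text)
    return {
        r["trackId"]: r["bundleId"]
        for r in data.get("results", [])
        if "trackId" in r and "bundleId" in r
    }


# Constructed stand-in for what the lookup endpoint returns (the real response
# carries many more fields). Download the .txt the slide mentions and pass its text instead.
SAMPLE_LOOKUP = json.dumps({
    "resultCount": 1,
    "results": [
        {"trackId": 1064216828, "trackName": "Reddit", "bundleId": "com.reddit.Reddit"}
    ],
})


if __name__ == "__main__":
    app_id = app_id_from_store_url("https://apps.apple.com/us/app/reddit/id1064216828")
    print("lookup:", lookup_url(app_id))
    for track_id, bundle in bundle_ids_from_lookup(SAMPLE_LOOKUP).items():
        print(f"{track_id} -> {bundle}")
```

Once the bundle id is known it becomes the search key for every artifact listed on the following slides.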
Search for BundleID!
• Mobile Installation Logs
• UninstalledApplications.plist
• DAAP.sqlitedb
• AppPurchaseHistory.6.sqlitedb
• ScreenTime
• PowerLog.PLSQL
• KnowledgeC.db
• DataUsage
• CallHistory.storedata ???
Mobile Installation Logs
• /private/var/installd/Library/Logs/MobileInstallation/*.log (0 or 1)
• Tracks when apps are installed, uninstalled, moved containers, and destroyed containers.
• Gives timestamps and path to app.
• iOS-Mobile-Installation-Logs-Parser:
– https://github.com/abrignoni/iOS-Mobile-Installation-Logs-Parser
Mobile Installation Logs
UninstalledApplications.plist
• \private\var\installd\Library\MobileInstallation\UninstalledApplications.plist
BundleIDs & Dates/Times
Goes back MONTHS
DAAP.sqlitedb
• \private\var\mobile\Library\Caches\com.apple.appstored\DAAP.sqlitedb
• DAAP – Digital Audio Access Protocol for sharing media across a local network
• Lists ALL apps purchased by Apple ID!
• Appears to have been added in iOS 12
• Lists who bought the app! (Remember family sharing)
AppPurchaseHistory.6.sqlitedb
• \private\var\mobile\Library\Caches\com.apple.storeservices\AppPurchaseHistory.6.sqlitedb
• Lists out apps purchased by Apple ID holder
• Includes original purchase date
• Very similar to DAAP.sqlitedb (but found in older iOS)
Screen Time
• \private\var\mobile\Library\Application Support\com.apple.remotemanagementd\RMAdminStore-Local.sqlite
• Added in iOS 12, tracks daily usage history of Apps.
• Only stores the last ~7 days for times, app notifications, and on-screen time.
• Synced applications stick around! [Sometimes]
PowerLog.PLSQL
• Stores SO much data.
• Tracks app usage and deletion times.
• Lists offloaded apps as deleted (careful!)
• Timestamps didn’t appear as accurate, and different from table to table.
• SUPER thankful for APOLLO– https://github.com/mac4n6/APOLLO
PowerLog.PLSQL
• PLApplicationAgent_EventNone_AllApps
• PLApplicationAgent_EventNone_AllPlugins
• PLApplicationAgent_EventNone_AppVersions
• PLAppTimeService_Aggregate_AppRunTime
KnowledgeC.db
• Useful to track application install/uninstall dates/times
• Application in Focus (even after removal)
DataUsage.sqlite
• Private\var\wireless\Library\Databases\DataUsage.sqlite
• Found in iTunes backups and full file system
• Tracks only cellular data usage (app must be used once on cellular network)
• Keeps longer records of deleted apps
• Tracks several usage timestamps
DataUsage.sqlite
netusage.sqlite
• Private/var/networkd/netusage.sqlite
• Almost identical structure
• Better at clearing deleted apps
• Tracks WiFi / Cellular / Wired data sizes
• Multiple potential timestamps
Deleted Database Records!
• App could call to Call Log API
– Call Logs now delete records of apps that are deleted
– bundleID can be carved
– {SCREENSHOT}
The Takeaways
• Some apps were there, some weren’t.
• The less time passes the more potential for data.
• Not every artifact will be populated for each deleted app.
Timelining Activity
• App Purchase Times
– DAAP / AppPurchase.6
• Potential Install Times
– Mobile Installation Logs
• Usage/Connection Times
– DataUsage / NetUsage / PowerLog
• Times in Focus (Last 7-30 days)
– KnowledgeC / ScreenTime
• Deleted Time
– Mobile Installation Logs / DeletedApplications.plist / PowerLog
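Added example (not from the presentation) of the timelining step: records pulled from several artifacts are normalised to UTC and merged into one ordered timeline for a bundle id, and the phases that no artifact covered are reported, since not every artifact is populated for every deleted app. The records are constructed, and the time unit attached to each one (Unix seconds, Unix milliseconds, seconds since 2001, ISO text) is only what this sample uses; the real unit must be confirmed against each database and iOS version before relying on it.

```python
from datetime import datetime, timezone

# 2001-01-01T00:00:00Z in Unix seconds; Core Data style timestamps count from here.
COCOA_EPOCH_OFFSET_S = 978307200


def to_utc(value, unit):
    """Normalise one raw timestamp to a timezone-aware UTC datetime."""
    if unit == "unix_s":
        return datetime.fromtimestamp(value, tz=timezone.utc)
    if unit == "unix_ms":
        return datetime.fromtimestamp(value / 1000, tz=timezone.utc)
    if unit == "cocoa_s":
        return datetime.fromtimestamp(value + COCOA_EPOCH_OFFSET_S, tz=timezone.utc)
    if unit == "iso":
        return datetime.fromisoformat(value).astimezone(timezone.utc)
    raise ValueError(f"unknown timestamp unit {unit!r}")


# Constructed records in the shape an analyst would extract from each artifact.
RAW_EVENTS = [
    {"source": "AppPurchaseHistory.6", "bundle": "com.atebits.Tweetie2",
     "event": "purchased", "ts": 1550000000, "unit": "unix_s"},
    {"source": "PowerLog", "bundle": "com.atebits.Tweetie2",
     "event": "deleted", "ts": 1583000000000, "unit": "unix_ms"},
    {"source": "KnowledgeC", "bundle": "com.atebits.Tweetie2",
     "event": "in focus", "ts": 600000000, "unit": "cocoa_s"},
    {"source": "MobileInstallation log", "bundle": "com.atebits.Tweetie2",
     "event": "installed", "ts": "2019-06-01T12:00:00+00:00", "unit": "iso"},
    {"source": "DataUsage", "bundle": "com.example.other",
     "event": "used on cellular", "ts": 1560000000, "unit": "unix_s"},
]

# Phases the slide lists; used to flag gaps in coverage for a given app.
EXPECTED_PHASES = ("purchased", "installed", "in focus", "deleted")


def build_timeline(raw_events, bundle):
    """Filter to one bundle id, normalise timestamps and sort chronologically."""
    rows = [
        {"when": to_utc(e["ts"], e["unit"]), "event": e["event"], "source": e["source"]}
        for e in raw_events
        if e["bundle"] == bundle
    ]
    rows.sort(key=lambda r: r["when"])
    return rows


def missing_phases(timeline):
    """Phases from EXPECTED_PHASES that no artifact supplied for this app."""
    present = {r["event"] for r in timeline}
    return [p for p in EXPECTED_PHASES if p not in present]


def format_timeline(timeline):
    """Render rows as 'timestamp  event  (source)' lines."""
    return [f"{r['when'].isoformat()}  {r['event']:<16} ({r['source']})" for r in timeline]


if __name__ == "__main__":
    for bundle in ("com.atebits.Tweetie2", "com.example.other"):
        tl = build_timeline(RAW_EVENTS, bundle)
        print(bundle)
        print("\n".join(format_timeline(tl)))
        print("no artifact for:", ", ".join(missing_phases(tl)) or "nothing")
```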
Android – Trace categories
• Native to Android
• Vendor installed
• User installed 3rd party apps
Native to Android
• Usagestats
– https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1528491463.pdf
– Keeps app activity record even after app deletion
Usagestats
• lastTimeActive="1756933803"
• package="com.viber.voip"
• timeActive="512058"
• lastEvent="2"
• appLaunchCount="14"
Usagestats
• Python Script
– https://github.com/abrignoni/Android-Usagestats-XML-Parser
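Added example (not the parser linked above and not from the presentation) showing how the package attributes on the previous slide are read out of a usagestats XML file. The XML is constructed around the slide's Viber values plus one made-up package. Two assumptions are built in and marked in the code: that the file is named with the period's begin time in epoch milliseconds, and that lastTimeActive is stored as a millisecond offset from that begin time, so the two must be added to get an absolute time.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Values of android.app.usage.UsageEvents.Event; 1 and 2 were formerly called
# MOVE_TO_FOREGROUND / MOVE_TO_BACKGROUND. Other codes are reported numerically.
LAST_EVENT_NAMES = {0: "NONE", 1: "ACTIVITY_RESUMED", 2: "ACTIVITY_PAUSED"}

# Constructed sample in the shape of a version-1 usagestats XML file.
SAMPLE_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<usagestats version="1">
  <packages>
    <package lastTimeActive="1756933803" package="com.viber.voip" timeActive="512058" lastEvent="2" appLaunchCount="14" />
    <package lastTimeActive="1700000000" package="com.example.removed" timeActive="9000" lastEvent="1" appLaunchCount="3" />
  </packages>
</usagestats>
"""

# Assumption: the file name (e.g. .../usagestats/0/yearly/1700000000000) is the
# period's begin time in epoch ms, and lastTimeActive is an offset from it.
SAMPLE_FILE_BEGIN_MS = 1700000000000


def parse_usagestats(xml_text, file_begin_ms):
    """Return one record per <package>, newest activity first."""
    root = ET.fromstring(xml_text)
    records = []
    for pkg in root.iter("package"):
        last_ms = file_begin_ms + int(pkg.get("lastTimeActive", "0"))
        code = int(pkg.get("lastEvent", "0"))
        records.append({
            "package": pkg.get("package"),
            "last_active_ms": last_ms,
            "last_active_utc": datetime.fromtimestamp(
                last_ms / 1000, tz=timezone.utc).isoformat(timespec="seconds"),
            "time_active_s": int(pkg.get("timeActive", "0")) / 1000,  # stored in ms
            "last_event": LAST_EVENT_NAMES.get(code, f"UNKNOWN({code})"),
            "launch_count": int(pkg.get("appLaunchCount", "0")),
        })
    records.sort(key=lambda r: r["last_active_ms"], reverse=True)
    return records


def find_package(records, name):
    """Look one package up by name; None if the file does not mention it."""
    return next((r for r in records if r["package"] == name), None)


if __name__ == "__main__":
    for r in parse_usagestats(SAMPLE_XML, SAMPLE_FILE_BEGIN_MS):
        print(f"{r['package']:24} last {r['last_active_utc']}  "
              f"active {r['time_active_s']:.1f}s  {r['last_event']}  launches={r['launch_count']}")
```

Because usagestats keeps the package entry after the app is gone, a package that no longer appears in the installed-app list but still shows up here is a candidate deleted app, with its last activity time and launch count intact.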
Well known Android native DBs
• /data/com.android.vending/databases
– Localappstate.db
– Library.db
– Package_verification.db
Vendor Installed
• Samsung Members
Samsung Members
• Pocket Geek
• Installed by default
• Path:
– /data/com.samsung.oh/databases/
• Databases:
– com_pocketgeek_sdk_app_inventory.db -> android_app
– com_pocketgeek_sdk.db -> device_events
Samsung Members
• com_pocketgeek_sdk_app_inventory.db
– Display name
– Package_name
– System_app
– Last_used
Samsung Members
• com_pocketgeek_sdk_app_inventory.db
Samsung Members
• com_pocketgeek_sdk.db
– Type
• Network, install, power, and alert events
– Value
• JSON
• Inventory data for apps
– Created_at
• Epoch time
Samsung Members
• com_pocketgeek_sdk.db
Context log
• Path:
– /data/com.samsung.android.providers.context/databases/ContextLog.db -> use_app
Context log
• Timestamp: Epoch & human readable
• Timezone offset
• App ID + app sub ID
• Start & stop times: Epoch & human readable
• Duration in milliseconds
Context log
Samsung Smart Manager
• Installed by default
• Path:
– /data/com.samsung.android.sm/databases
• Databases:
– sm.db -> crash_info, excluded_app
– lowpowercontext-system-db -> usage_log
Samsung Smart Manager
• lowpowercontext-system-db
– Package_name
– Start_time_string
– End_time_string
Samsung Smart Manager
• lowpowercontext-system-db
User installed 3rd party apps
• CCleaner
CCleaner
• Optimize app usage
• Large user base
• Path:
– /data/com.piriform.ccleaner/databases
• Databases:
– cleaner_apps_db -> app
– scanner_cache.db -> appInfoCache
CCleaner
• Cleaner_apps_db
CCleaner
• Scanner_cache.db
Resources
• https://github.com/abrignoni
– DFIR SQL Query Repo
• https://www.magnetforensics.com/artifact-exchange/