SQLite Databases and Plist Files

  • What about partitions?

Partitions are the units into which the storage inside a device is divided. On a computer or personal laptop the user decides how partitions are laid out and how much storage each one receives. On a mobile device the user has no such freedom: the manufacturer allocates the storage, so Apple is responsible for how partitions are created on its iOS devices.

There are two partitions on an iOS device: the firmware partition and the data partition. The first holds the software that runs the device; the second holds all the files and data used and wanted by the device's user.

The firmware partition is always read-only; writing to it is allowed only while an update is being installed. When an upgrade is performed, iTunes overwrites the partition with a brand-new one.

The firmware partition is usually between 0.9 and 2.7 GB in size; the exact size is determined by the size of the NAND drive. No user data is stored on this partition, but some critical files are kept inside it: system files, upgrade files and the necessary applications.

The data partition is the one that serves the device's user: all user data is kept there. When an investigation is performed, this partition is therefore critical for collecting evidence from the data available. Both the user's data and the iTunes applications are found on this partition.

  • What about SQLite databases?

First, SQLite is an open source database format that is widely used on mobile devices. It is a relational database, and the C library that implements it is small and efficient.

SQLite adheres to the SQL-92 standard, although not all of its features are included. Despite its small size, an SQLite database supports a wide range of operations.

SQLite databases are widely used by the iOS development community; many iOS applications rely on this kind of database to organize their data, for example Calendar, Text Messages, Notes, Photos and Address Book. All of the data for these apps is stored in SQLite databases. The three primary databases are the Call History, Address Book and SMS databases.

Now consider the matter from another essential perspective, that of an examiner who needs to check evidence on an iOS device. A stable database viewer is required for the investigation to serve the goals of the forensic procedure. From the experts' experience, I can suggest using SourceForge.net.

SourceForge.net hosts an SQLite browser that can be relied on to view an SQLite database and collect evidence; all SQLite data stores can be displayed with it. Another useful piece of software is RazorSQL, although it costs a fee of under $100. Firefox users also have a free SQLite Manager plugin available without any purchase.

In addition to the tools discussed above, a browser is available at the following link: http://sqlitebrowser.org/

That link provides a downloadable browser that can be installed on the examiner's machine. It offers a clear and accessible way to read and explore an SQLite database during an investigation.

  • What about Plists?

Both iOS devices and Macintosh devices use the Property List (plist). It is a data file, sometimes referred to as a property file, and such files are relied on for storing data on both operating systems.

In the early days of the iPhone and Mac OS, another format named NeXTSTEP was used, and binary formats were used for the same purpose. A newer XML format was then introduced and came into use. The formats found today are either XML or binary.

What type of data is found inside a plist file? Strings, dates, Boolean values, numbers and binary values can all be stored in plist files. Examples of data saved in plist format are browsing history, favorites, configuration data and more; all data of these kinds depends on plist files in the first place.

How can plist files be opened? A plist file may open successfully in a standard text editor, but it may also require a dedicated viewer. One tool that can be used is plutil, a command-line tool.

plutil converts plist files, which are mostly binary, into a format that can be read and understood by humans. It is available on Linux, Microsoft Windows and Mac OS. After the conversion, an XML property list is available, with the plist wrapped in tags.
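As an added example (not code from the page or from plutil itself), the following Python script builds a binary plist of the kind iOS writes, tells the two formats apart by their first bytes, converts the binary form to XML the way plutil does, and lists the value types stored; all sample keys and values are constructed for illustration.

```python
"""Added example, not code from the page: construct a binary plist of the
kind iOS and macOS write, inspect it, and convert it to the XML form that
`plutil -convert xml1` produces, using only Python's standard plistlib.
All sample keys and values are constructed for illustration."""
import plistlib
from datetime import datetime

# Constructed sample with every value type the text lists: strings,
# dates, Booleans, numbers and binary values (plus a nested array).
# plistlib stores dates as naive UTC, so the datetime carries no tzinfo.
SAMPLE = {
    "Title": "Example bookmark",                      # string
    "LastVisited": datetime(2021, 3, 14, 15, 9, 26),  # date (UTC)
    "VisitCount": 3,                                  # number (integer)
    "Score": 0.75,                                    # number (real)
    "IsPrivate": False,                               # Boolean
    "Thumbnail": b"\x89PNG\r\n",                      # binary value (data)
    "History": ["https://example.org/", "https://example.net/"],
}


def to_binary(obj):
    """Serialise a Python object as a binary plist (what most iOS plists are)."""
    return plistlib.dumps(obj, fmt=plistlib.FMT_BINARY)


def detect_format(data):
    """Tell a binary plist ('bplist' magic) from an XML one by its first bytes."""
    if data.startswith(b"bplist"):
        return "binary"
    head = data.lstrip()
    if head.startswith(b"<?xml") or head.startswith(b"<plist"):
        return "xml"
    return "unknown"


def load_plist(data):
    """Parse a plist in either format; plistlib auto-detects which one."""
    return plistlib.loads(data)


def convert_to_xml(data):
    """Equivalent of `plutil -convert xml1`: parse any plist, emit XML text."""
    return plistlib.dumps(load_plist(data), fmt=plistlib.FMT_XML).decode("utf-8")


def describe(obj, path=""):
    """Flatten a parsed plist into (key path, plist type) pairs, the kind of
    overview an examiner wants before deciding which keys matter."""
    names = {str: "string", bool: "bool", int: "integer", float: "real",
             datetime: "date", bytes: "data"}
    if isinstance(obj, dict):
        out = []
        for key, value in obj.items():
            out.extend(describe(value, f"{path}/{key}"))
        return out
    if isinstance(obj, list):
        out = []
        for index, value in enumerate(obj):
            out.extend(describe(value, f"{path}[{index}]"))
        return out
    return [(path, names.get(type(obj), type(obj).__name__))]


if __name__ == "__main__":
    raw = to_binary(SAMPLE)
    print(detect_format(raw))
    print(convert_to_xml(raw))
    for key_path, kind in describe(load_plist(raw)):
        print(f"{key_path}: {kind}")
```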

Physical Acquisition of iOS data

  • How to acquire iOS data using physical acquisition techniques?

Acquiring a bit-by-bit image of a system is always the best case for someone performing forensics on it, and that is what physical acquisition of iOS data means in the first place. The next step of the procedure is to check that the copy and the original data are exactly the same, with not even a slight change.

While this technique can be performed soundly and correctly on computers such as laptops and desktops, it is not so simple on mobile devices such as iPhones. New methods for performing physical acquisition smoothly and correctly on iOS devices are therefore being researched, because physical acquisition is the best approach for a significant acquisition.

What makes the process hard on an iOS device? The storage of an iOS device is embedded, which creates several challenges for an examiner: the drive cannot be removed, and hence it cannot be connected directly to the workstation.

In addition, techniques differ according to the platform and the version of iOS on the device. For instance, a working method for acquiring data from an iPhone 7 does not necessarily work on an iPhone 5, and iOS 9 may have security mechanisms entirely different from those of iOS 10. Such changes deny an examiner the ability to access data with the same process on all iOS devices, which is why researchers keep developing new techniques for physical acquisition on iOS devices.

Some tools were developed by organizations in the Law Enforcement (LE) space and are dedicated to LE, such as the method developed by Zdziarski for obtaining an iOS acquisition. Its methodology is as follows: the RAM disk software is replaced by another version that is capable of running a live recovery agent, which extracts the disk image.

Other tools are not restricted to LE, for example Lantern and iXAM. These products are likewise able to modify the RAM disk to execute a recovery agent, which runs against the operating system volume and produces a physical image of it.

  • More insight

What happens when physical acquisition is performed? The memory of the phone is accessed, and thereby all data on the phone is extracted. There are two types of memory inside an iOS device: the volatile memory, named RAM, and the non-volatile memory, named ROM.

Extracting the data from the RAM is of great importance, because usernames, passwords, encryption keys and other essential artifacts can be found there. The RAM holds the parts of the operating system or applications that are loaded and executing, and it is flushed once the device reboots.

The NAND (non-volatile memory) is also crucial, since the data kept in it is retained even when the system reboots. System files and user data are stored in NAND flash, and physical acquisition can obtain a bit-by-bit copy of the NAND.

  • How to use Lantern for physical acquisition?

Katana Forensics Inc. developed a great tool for iOS physical acquisition: the Lantern forensics suite. It can take a physical image of almost any iOS device for forensic purposes, and most iOS versions and devices can be successfully extracted into a physical image with this tool.

Lantern provides a GUI, which lets an examiner review the essential pieces of evidence. Lantern decodes all the plist and SQLite files and then displays them transparently.

A further application used alongside Lantern is Lantern Imager, which specializes in imaging iOS devices. Through the imager the extracted image is decrypted, a simple passcode is brute-forced, and a SHA1 hash value is provided.

  • How to use iXam for physical acquisition?

Pronounced "ig'zam", iXam was created for law enforcement investigations. It can recover all data, such as a photograph, a specific map location, a stored contact, a text message or an email, and all of these can be provided through a physical image taken by iXam.

The physical data copy is made at the byte level; it can target the whole file system or an individual data set of interest to the examiner.

What is the output of iXam? It outputs a file in the DMG format, which is a raw disk image file of the iOS device. It is important to note that iXam does not modify or edit the NAND flash, and no kernel patches are applied; such kernel patches are involved when the jailbreaking method is used.

  • How to relate to the evidence?

It is vital to note that a forensic investigation case is built primarily from many SQLite and plist files. Using both a timeline and MACB (modified, accessed, changed, born) times is essential for an examiner during the investigation. Recording timeline-based timestamps is also very important for referring to the investigated events in a legal procedure.

Such timestamps are shown in CF Absolute Time format, meaning that the time is given in seconds since January 1st, 2001. The following spreadsheet formula can be used to make the timestamp readable:  =CreatedTime/(60*60*24)+DATE(2001,1,1). Other tools can also render the timestamp in a more readable format, such as the online tool http://www.epochconverter.com/
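As an added example (not code from the page or from any tool it names) serving both the SQLite-database section above and this timestamp section, the following Python script opens an SQLite database with the standard sqlite3 module and converts the CF Absolute Time values it holds into readable UTC dates, the same conversion as the spreadsheet formula; the table is a constructed stand-in for a call-history database, and the nanosecond handling goes beyond the text to cover newer iOS builds that store some date columns in nanoseconds since the same epoch.

```python
"""Added example, not code from the page or from any tool it names: open an
SQLite database with Python's sqlite3 module and turn the CF Absolute Time
values stored in it into readable UTC dates, the same conversion as the
spreadsheet formula =CreatedTime/(60*60*24)+DATE(2001,1,1).
The table below is a constructed stand-in for a call-history database."""
import sqlite3
from datetime import datetime, timedelta, timezone

CF_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)  # CF Absolute Time zero
EXCEL_SERIAL_2001_01_01 = 36892                       # what DATE(2001,1,1) yields
NANOSECOND_THRESHOLD = 10 ** 11  # > ~3,170 years in seconds: must be nanoseconds


def cf_absolute_to_datetime(value):
    """Seconds since 2001-01-01 00:00:00 UTC -> aware datetime.
    Assumption beyond the text: newer iOS builds store some date columns
    as nanoseconds since the same epoch, so oversized values are scaled."""
    if value is None:
        return None
    seconds = float(value)
    if abs(seconds) > NANOSECOND_THRESHOLD:
        seconds /= 1e9
    return CF_EPOCH + timedelta(seconds=seconds)


def cf_to_spreadsheet_serial(value):
    """Reproduce the page's formula: days since 2001-01-01 added to the
    spreadsheet serial number of that date (36892 in Excel's 1900 system)."""
    return float(value) / (60 * 60 * 24) + EXCEL_SERIAL_2001_01_01


def build_sample_db():
    """Constructed in-memory stand-in for a call-history database
    (not a real device export): one row per call, date in CF Absolute Time."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE call (ROWID INTEGER PRIMARY KEY, "
                 "address TEXT, date INTEGER, duration INTEGER)")
    conn.executemany(
        "INSERT INTO call (address, date, duration) VALUES (?, ?, ?)",
        [("+1-555-0100", 0, 30),                   # exactly the epoch
         ("+1-555-0101", 600003600 * 10 ** 9, 0),  # nanosecond form
         ("+1-555-0102", 600000000, 12)],          # seconds form
    )
    conn.commit()
    return conn


def timeline(conn):
    """Return (ISO UTC time, address, duration) rows in chronological order,
    the ordering an examiner needs to build a timeline of events."""
    rows = conn.execute("SELECT date, address, duration FROM call").fetchall()
    events = [(cf_absolute_to_datetime(d), addr, dur) for d, addr, dur in rows]
    events.sort(key=lambda event: event[0])
    return [(when.isoformat(), addr, dur) for when, addr, dur in events]


if __name__ == "__main__":
    for when, address, duration in timeline(build_sample_db()):
        print(when, address, f"{duration}s")
```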

 

Logical Acquisition on an iOS device

  • What are the operating modes of an iOS device?

When it comes to iOS forensics, it is important to understand and distinguish the different operating modes in which an iOS device can be working.

There are three modes in which an iOS device can operate: Normal Mode, Recovery Mode and DFU Mode. An examiner must be aware of these modes in order to put a device into the right one while performing forensics on it; this helps achieve an efficient extraction of data.

  • What about the Normal Mode?

This is the mode that runs by default. When an ordinary user powers on an iPhone, it boots the operating system; that is what is referred to as normal mode. In this mode a user can perform every activity they want on the iPhone and use all of its functionality as usual.

Three steps happen one after another when an iOS device boots in normal mode. First it loads the Low-Level Bootloader; then it loads iBoot; finally the iOS kernel runs and operates the device. These boot stages are signed to preserve the integrity of the process, which helps provide the high level of security inside iOS devices.

  • What about the Recovery Mode?

This mode is entered when a failure or something wrong occurs. To elaborate, imagine switching on the iOS device in normal mode but encountering an error. Remember that the Low-Level Bootloader, iBoot and the iOS kernel must all be loaded for the operating system to run correctly, yet succeeding at this every time is not guaranteed: loading or verifying any of these stages could fail.

  • What about the DFU Mode?

This mode is the Device Firmware Upgrade mode, which is responsible for performing iOS upgrades. It is perceived as a low-level diagnostic mode. Note that during boot-up, if the Boot ROM cannot load or verify what is needed to boot in normal mode, the iPhone presents a black screen.

  • How to perform acquisition using logical methods?

One of the most widely used methods for extracting data from iOS devices today is referred to as logical acquisition. Many tools are being developed by specialists in the market for performing consistent acquisition of iOS data and files.

Allocated, active files of the iOS device can be recovered and analyzed through a synchronization method that already exists internally in the iOS operating system. Evidence in vital files can be extracted and analyzed efficiently with the logical acquisition technique; this may include SMS, call logs, calendar events, contacts, photos, web history and email accounts.

Some rules must be adhered to when using this method of data extraction. An examiner must know that slack space is not accessible with this technique: if evidence is suspected to exist in slack space, logical acquisition cannot retrieve it. In that case the solution is physical acquisition, which can be of help for the legal purpose.

The phone must also be connected to the computer or forensics workstation used, so that it and its files can be accessed. The software is then used, and the examiner selects the files for review and forensic processing.

  • How to utilize iPhone Explorer to perform logical iOS acquisition?

The Macroplant company developed a fresh application that helps an examiner export the data of interest; for instance, call history, SMS, photos, contacts and bookmarks can all be exported with it. Another advantage is that it runs on different operating systems, including Microsoft Windows and Mac OS.

Some features of the application require a backup to be created first, before the desired kind of data can be extracted. iPhone Explorer presents the data of each logical section after the modifications applied to it, and sometimes displays the file size as well.

It is interesting to know that a factory reset of the device does not affect the data extracted in this case. For example, if a "Reset All" is performed in the call history of an iOS device, calls will still appear when the call history logical section is extracted. The iOS platform itself is responsible for obscuring such data even after the phone or the call history is reset.

However, some data protection techniques on iOS devices can prevent data such as call history, calendar, notes, contacts or messages from being shown. Still, if the data is extracted successfully, all the evidence can be demonstrated, since on a 3GS the files are reached in the clear.

Jailbreaking iOS data

  • How to acquire iOS data through jailbreaking?

Through jailbreaking, the firmware partition is replaced with another, hacked version of it. With this method, any desired tools that were not present on the device can be installed, such as the SSH and Terminal services, which are generally not available on iOS devices that have not been jailbroken. An image of a partition can then be obtained from the jailbroken iOS device in the examiner's interest.

One of the most commonly used iPhone jailbreaking tools is referred to as redSn0w. What this tool does is the following: while the firmware is replaced, the Cydia application is installed. After that, any artifacts can be extracted by the examiner as wished.

To start this extraction technique, note first that the forensics workstation used and the iOS device must be on the same wireless network. Type the following command at the workstation's terminal or command prompt to use the SSH service to start the process (<user>@<device-ip> is a placeholder for the SSH account on the device and the device's address on that network):

ssh <user>@<device-ip> dd if=/dev/rdisk0 bs=1M | dd of=ios-root.img

Let's discuss that command in more detail. Its purpose is primarily to establish a connection between the forensics workstation and the iOS device. The part "dd if=/dev/rdisk0 bs=1M" means that the dd command reads the input file /dev/rdisk0 with a block size of 1M. Its output is piped into "dd of=ios-root.img", which writes the file ios-root.img onto the forensics workstation.

Such an output file can then be analyzed by the examiner with any desired software or analysis tool. On some iPhone devices, however, the created image file is encrypted and parsing it is impossible. If the iOS device relies on hardware encryption of the user volume, the image makes no sense at all. In that case, tools such as iXam and Lantern are the solution: they are used principally to create a physical acquisition of data, and they can produce a readable image by decrypting the required keychains.
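As an added example (not the page's own procedure), the block-wise copy that the dd pipeline performs, written in Python so that the hash of the bytes read from the source and the hash of the image file written can be compared, which is the verification step the physical-acquisition section calls for; the source here is a constructed file standing in for the device, and the file names are assumptions.

```python
"""Added example, not the page's own procedure: the block-wise copy that the
`dd if=/dev/rdisk0 bs=1M | dd of=ios-root.img` pipeline performs, written in
Python so the hash of the bytes read from the source and the hash of the
image file written can be compared (the check that copy and original are
identical). Run here on a constructed file, not on a device."""
import hashlib
import os
import tempfile


def sha1_of_file(path, block_size=1 << 20):
    """Hash a file block by block so images larger than memory are fine."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(block_size), b""):
            digest.update(block)
    return digest.hexdigest()


def image_and_verify(source, image_path, block_size=1 << 20):
    """Copy `source` to `image_path` in `block_size` chunks (dd's bs=1M),
    hashing the stream as it is read; then re-read the written image and
    hash it independently. Returns a dict with both hashes and the verdict.
    `source` may be a regular file or a raw device node opened read-only."""
    read_hash = hashlib.sha1()
    copied = 0
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(block_size), b""):
            read_hash.update(block)
            dst.write(block)          # a short final block is written as-is
            copied += len(block)
        dst.flush()
        os.fsync(dst.fileno())        # make sure the image is really on disk
    written_sha1 = sha1_of_file(image_path, block_size)
    verified = (read_hash.hexdigest() == written_sha1
                and copied == os.path.getsize(image_path))
    return {
        "bytes_copied": copied,
        "source_sha1": read_hash.hexdigest(),
        "image_sha1": written_sha1,
        "verified": verified,
    }


def demo(block_size=4096):
    """Constructed source of 1 MiB + 16 bytes, so the final block is short
    (deliberately not a multiple of block_size)."""
    payload = bytes(range(256)) * 4096 + b"constructed tail"
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "rdisk0.bin")       # stand-in for /dev/rdisk0
        img = os.path.join(tmp, "ios-root.img")
        with open(src, "wb") as fh:
            fh.write(payload)
        result = image_and_verify(src, img, block_size)
        result["expected_sha1"] = hashlib.sha1(payload).hexdigest()
        return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```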

  • What are the tools for analyzing acquired data then?

There are in fact plenty of tools that can be used to connect to and analyze an image file taken from an iOS device. The open source community plays a significant role here, since with such tools the examiner can quickly search for and retrieve the desired evidence.

Examples of such tools are Scalpel, dd, find, strings and others. They can all be used to analyze an iOS image much like a FAT or NTFS image. Moreover, HFS+ images can be analyzed by tools such as EnCase and FTK Imager, which can also mount the images and examine them afterward.

  • How to use Pangu Jailbreak for jailbreaking purposes?

  1. The software is available at the following link: http://www.downloadpangu.org/
  2. Download the software from the website, making sure you get the very latest version.
  3. Use a USB cable to connect the iPhone to the forensics workstation.
  4. Make sure that iTunes is not running at the moment.
  5. Disable the passcode and switch the iPhone into Airplane Mode.
  6. Open the downloaded Pangu Jailbreak application.
  7. When the software detects the connected iPhone, it automatically displays it with its iOS version. Click "Start" to begin.
  8. Another window appears with two options, "Cancel" and "Already backup." Choose "Already backup."

Note that this window also shows some notes from the application. It warns the user that data loss may occur, suggests switching the phone to airplane mode for smoother, uninterrupted operation, and suggests backing up the data before proceeding further.

  9. Once you have clicked "Already backup," the jailbreaking process starts, and the percentage of completion is displayed in the window throughout. At 55% there is a high possibility that the device reboots. At 65% the program asks you to re-enable Airplane Mode. At 75% it asks you to unlock the device and run Pangu Jailbreak on it.
  10. From experience, the application then asks for access to Photos, for an unknown reason. Upon finishing, the phone reboots and Pangu reports that the device is jailbroken.