SQLite Databases and Plist Files

  • What about partitions?

Partitions are the regions into which a device's storage is divided. On a desktop or laptop the user decides how many partitions exist and how much space each one gets; on a mobile device that freedom does not exist, because the manufacturer fixes the layout. For iOS devices, Apple defines the partition scheme.

An iOS device has two partitions: the firmware (system) partition and the data partition. The first holds the software that runs the device; the second holds the files and data created and used by its owner.

The firmware partition is mounted read-only and is written only while an update is being installed. During an upgrade, iTunes (or the device's own software update) replaces the whole partition with the new one.

The firmware partition is typically between 0.9 and 2.7 GB; its exact size depends on the device's NAND layout. No user data lives there, but it does hold the system files, upgrade files and the built-in applications.

The data partition holds everything the user creates or installs: personal data as well as App Store applications. It is therefore the partition an examiner cares most about when collecting evidence.

  • What about SQLite databases?

SQLite is an open-source relational database engine that is widely used on mobile devices. It is implemented as a small C library that embeds directly into the application, and a whole database lives in a single file.

SQLite follows the SQL-92 standard, although not every feature is implemented. Despite its small footprint, it supports a rich set of SQL operations.

SQLite is the storage engine of choice for the iOS development community, and many built-in applications keep their data in it: Calendar, Messages, Notes, Photos and Address Book all store their data in SQLite databases. The three most important databases for an examiner are Call History, Address Book and SMS.

From the examiner's point of view, what is needed is a reliable SQLite viewer. A well-established choice is DB Browser for SQLite (formerly SQLite Database Browser), which was originally distributed through SourceForge.net.

It displays every table and row of an SQLite file, which is enough to collect evidence from all of the data stores. RazorSQL is another option, although it is commercial (under $100). Firefox users once had the free SQLite Manager add-on; it stopped working with Firefox 57, so it is no longer an option on current browsers.

DB Browser for SQLite can be downloaded from http://sqlitebrowser.org/ and installed on the examiner's workstation. It offers a clear, accessible way to read and explore an SQLite database.

  • What about Plists?

Both iOS and macOS use property list (plist) files, sometimes called property files, as a general format for storing data.

Early iPhone and Mac OS X releases used the older NeXTSTEP text format as well as a binary format. A newer XML format was then introduced. Today plist files come in two forms: XML and binary.

What data can a plist hold? Strings, dates, Boolean values, numbers and binary data, nested inside arrays and dictionaries. Browsing history, favorites, configuration data and many other artifacts are stored in plist files.

How are plist files opened? An XML plist opens in any text editor. A binary plist needs a dedicated viewer or converter; the command-line tool plutil is one example.

plutil converts a (usually binary) plist into a form a human can read: plutil -convert xml1 file.plist rewrites the file as an XML property list, with each value wrapped in typed tags inside a <plist> element. plutil ships with macOS and is installed on Windows together with iTunes (Apple Application Support); on Linux the equivalent is plistutil from the libplist project.
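The conversion plutil performs can be reproduced with Python's standard plistlib, which reads both binary and XML plists. The following is an added example written for this page, not code from the original article or from Apple's tools: it serializes a constructed sample dictionary as a binary plist, detects the format from the leading bytes, converts it to XML exactly as plutil -convert xml1 would, and flattens the typed values so each leaf can be listed with its type. The sample dictionary and the key names in it are invented for illustration.

```python
"""Added example: binary/XML plist conversion and typed flattening with plistlib."""
import plistlib
from datetime import datetime

# Constructed sample shaped like a small history/bookmark plist (not real iOS data).
SAMPLE = {
    "Title": "Example page",
    "URL": "https://example.invalid/",
    "LastVisited": datetime(2017, 3, 4, 12, 0, 0),  # plist dates are UTC; naive datetime in Python
    "VisitCount": 7,
    "IsPrivate": False,
    "Thumbnail": b"\x89PNG\r\n\x1a\n",               # stored as <data> (base64) in XML form
    "Children": [{"ID": 1}, {"ID": 2}],
}


def to_binary(plist):
    """Serialize as a binary plist, which is how most iOS plists look on disk."""
    return plistlib.dumps(plist, fmt=plistlib.FMT_BINARY)


def parse(raw):
    """Parse either form; plistlib detects binary vs XML by itself."""
    return plistlib.loads(raw)


def detect_format(raw):
    """Classify a plist file by its leading bytes, as file(1) would."""
    if raw.startswith(b"bplist00"):
        return "binary"
    if raw.lstrip().startswith(b"<?xml") or b"<plist" in raw[:512]:
        return "xml"
    return "unknown"


def to_xml(raw):
    """Equivalent of `plutil -convert xml1`: parse any form, emit the XML form."""
    return plistlib.dumps(parse(raw), fmt=plistlib.FMT_XML).decode("utf-8")


def flatten(obj, prefix=""):
    """Walk a parsed plist and map each leaf path to 'type: value'."""
    out = {}
    if isinstance(obj, dict):
        for key, val in obj.items():
            out.update(flatten(val, f"{prefix}.{key}" if prefix else key))
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            out.update(flatten(val, f"{prefix}[{i}]"))
    else:
        out[prefix] = f"{type(obj).__name__}: {obj!r}"
    return out


if __name__ == "__main__":
    raw = to_binary(SAMPLE)
    print(detect_format(raw), len(raw), "bytes")
    print(to_xml(raw))
    for path, desc in flatten(parse(raw)).items():
        print(f"{path:20} {desc}")
```

Run it on a real file by replacing SAMPLE with parse(open(path, "rb").read()); the flatten output is a quick way to spot dates and binary blobs that deserve a closer look.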

References

https://www.sans.org/reading-room/whitepapers/forensics/forensic-analysis-ios-devices-34092

http://resources.infosecinstitute.com/ios-forensics/

https://www.cclgroupltd.com/mobile-device-forensics-data-acquisition-types/

Physical Acquisition of iOS data

  • How to acquire iOS data using physical acquisition techniques?

A bit-for-bit image of the storage is the ideal starting point for any forensic examination, and that is what physical acquisition of iOS data means. The next step is to verify, by hashing both, that the copy matches the original exactly.

That technique is routine on laptops and desktops, but it is not straightforward on mobile devices such as the iPhone. Because physical acquisition yields the most complete evidence, researchers keep developing new methods to achieve it on iOS devices.

What makes the process hard on iOS? The storage is embedded: the drive cannot be removed, so it cannot be attached directly to the workstation.

In addition, the technique depends on the hardware and on the iOS version. A method that works on an iPhone 7 does not necessarily work on an iPhone 5, and iOS 9 and iOS 10 may enforce entirely different security measures. These differences mean that no single procedure gives an examiner access to every iOS device, which is why research into physical acquisition never stops.

Some tools are developed for the law-enforcement (LE) community only, such as the method Jonathan Zdziarski developed for iOS acquisition. It replaces the RAM disk the device boots from with a custom one that runs a live recovery agent, and the agent extracts the disk image.

Other tools are not restricted to LE; Lantern and iXAM are examples. They likewise load a custom RAM disk that runs a recovery agent, and the agent images the operating-system volume to produce a physical image of it.

  • More insight

What happens during physical acquisition? The device's memory is read directly, so all data on the phone can be extracted. An iOS device has two kinds of memory: volatile RAM and non-volatile NAND flash.

Extracting the contents of RAM is valuable because usernames, passwords, encryption keys and other important artifacts can be found there. RAM holds the parts of the operating system and of applications that are currently executing, and it is cleared when the device reboots.

NAND flash (the non-volatile memory) matters just as much, because the data stored in it survives a reboot. System files and user data both live in NAND flash, and physical acquisition produces a bit-for-bit copy of it.

  • How to use Lantern for physical acquisition?

Katana Forensics Inc. developed the Lantern forensics suite for iOS physical acquisition. It can take a physical image of most iOS devices and iOS versions.

Lantern provides a GUI so the examiner can review the essential evidence. It decodes plist and SQLite files and displays their contents directly.

A companion application, Lantern Imager, is dedicated to imaging iOS devices. The imager decrypts the extracted image, brute-forces a simple passcode, and reports a SHA-1 hash of the image so the copy can be verified.

  • How to use iXAM for physical acquisition?

iXAM (pronounced "ig-zam") was created for law-enforcement investigations. It can recover artifacts such as photographs, map locations, stored contacts, text messages and email through a physical image.

The physical copy is made at the byte level; the examiner can target the whole file system or an individual data set.

iXAM outputs a raw disk image of the device in DMG format. It does not modify the NAND flash and applies no kernel patches; kernel patching is what jailbreaking does, and iXAM avoids it.

  • How to relate to the evidence?

Much of a forensic case is built from SQLite and plist files. A timeline, together with MACB (modified, accessed, changed, born) timestamps, is essential to the examiner, and the timestamps recorded on that timeline are what allow events to be referenced later in legal proceedings.

iOS timestamps are commonly stored as CF Absolute Time: seconds since midnight UTC on 1 January 2001. In a spreadsheet, the formula =CreatedTime/(60*60*24)+DATE(2001,1,1) converts such a value to a readable date (format the cell as a date). Online converters such as http://www.epochconverter.com/ can also be used; note that a Unix epoch value counts from 1970, so 978,307,200 seconds must be added to a CF Absolute Time before it is fed to a Unix-epoch converter.
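The arithmetic in that spreadsheet formula, written out so it can be applied to whole tables at once, as an added example for this page (not code from the original article or from any vendor tool): it converts CF Absolute Time to an aware UTC datetime, to Unix epoch seconds and to the Excel serial number the formula produces, then merges events from several sources into one sorted timeline. One assumption is made here that goes beyond the text: values far too large to be seconds are treated as nanoseconds since 2001, which is how some newer iOS databases store their dates. The event list is constructed for illustration.

```python
"""Added example: CF Absolute Time conversion and a merged timeline."""
from datetime import datetime, timedelta, timezone

CF_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
CF_UNIX_OFFSET = 978_307_200   # seconds from 1970-01-01 to 2001-01-01
EXCEL_SERIAL_2001 = 36892      # what DATE(2001,1,1) evaluates to in Excel


def cf_to_datetime(value):
    """Seconds (or nanoseconds) since 2001-01-01 00:00:00 UTC -> aware datetime."""
    seconds = float(value)
    if abs(seconds) > 1e11:          # assumption: no real date is 3000+ years out,
        seconds /= 1e9               # so a value this large must be nanoseconds
    return CF_EPOCH + timedelta(seconds=seconds)


def cf_to_unix(value):
    """The same instant as Unix epoch seconds, for tools that count from 1970."""
    return cf_to_datetime(value).timestamp()


def cf_to_excel_serial(value):
    """The spreadsheet formula above: value/(60*60*24) + DATE(2001,1,1)."""
    return float(value) / (60 * 60 * 24) + EXCEL_SERIAL_2001


def build_timeline(events):
    """events: iterable of (source, cf_value, description) -> rows sorted by time."""
    rows = []
    for source, cf_value, description in events:
        when = cf_to_datetime(cf_value)
        rows.append((when.isoformat(), source, description))
    return sorted(rows)


# Constructed sample events, not taken from a real device.
SAMPLE_EVENTS = [
    ("sms.db", 504921600, "message from +15550001"),
    ("call_history.db", 504921000, "outgoing call to +15550002"),
    ("History.plist", 504922200, "visited https://example.invalid/"),
    ("sms.db", 504921600_000_000_000, "same instant, stored as nanoseconds"),
]

if __name__ == "__main__":
    for row in build_timeline(SAMPLE_EVENTS):
        print(*row, sep="  |  ")
```

Feed build_timeline with rows pulled from each database and plist of interest; sorting on the ISO-8601 string keeps the timeline in UTC, and time-zone adjustment is best left to the report stage.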

References

https://www.sans.org/reading-room/whitepapers/forensics/forensic-analysis-ios-devices-34092

http://resources.infosecinstitute.com/ios-forensics/

https://www.cclgroupltd.com/mobile-device-forensics-data-acquisition-types/

Logical Acquisition on an iOS device

  • What are the operating modes of an iOS device?

In iOS forensics it is important to understand and distinguish the operating modes in which an iOS device can run.

An iOS device can run in three modes: Normal mode, Recovery mode and DFU mode. An examiner must know how to put a device into each of them, because the acquisition technique depends on the mode.

  • What about the Normal Mode?

Normal mode is the default. When an ordinary user powers on the iPhone it boots the operating system; that is normal mode, in which the user can perform every activity and use every function of the device.

Booting into normal mode is a chain of stages: the Boot ROM loads the Low-Level Bootloader (LLB), LLB loads iBoot, and iBoot loads the iOS kernel, which then runs the device. Each stage is cryptographically signed and is verified by the stage before it. This secure boot chain is a large part of what makes iOS devices secure.

  • What about the Recovery Mode?

Recovery mode is entered when something goes wrong during boot, or deliberately by the user. Recall that LLB, iBoot and the kernel must all load and verify for the operating system to start. That is not guaranteed: if loading or verification of one of those stages fails, the device drops into recovery mode and shows the connect-to-iTunes screen, from which a firmware restore can be performed.

  • What about the DFU Mode?

DFU stands for Device Firmware Upgrade. It is a low-level diagnostic mode used for firmware upgrades and restores. If the Boot ROM itself cannot load or verify LLB during boot, the device stays in DFU mode and the screen remains black; DFU mode can also be entered manually with a button sequence.

  • How to perform acquisition using logical methods?

Logical acquisition is one of the most widely used methods of extracting data from iOS devices, and many commercial tools exist for performing it consistently.

It recovers and analyzes the allocated (active) files on the device through the synchronization and backup mechanism that iOS itself provides. Evidence such as SMS, call logs, calendar events, contacts, photos, web history and email accounts can be extracted and analyzed this way.

The method has limits. Slack space and deleted content are not accessible, so if evidence is suspected to lie there, logical acquisition will not find it; physical acquisition is needed instead.

The phone must be connected to the forensic workstation so its files can be accessed. The acquisition software is then run, and the examiner selects the files to review.

  • How to utilize iPhone Explorer to perform logical iOS acquisition?

Macroplant developed iPhone Explorer (later renamed iExplorer), an application that lets an examiner export the data of interest: call history, SMS, photos, contacts and bookmarks. It runs on both Microsoft Windows and Mac OS.

Some of its features require a backup to be created before the data can be extracted. iPhone Explorer then presents the data of each logical section along with its modification details, and in some cases the file size.

Notably, data cleared from within iOS does not necessarily disappear from the extracted files. If the user clears the call history, the calls may still appear when the call-history database is extracted, because iOS only removes the records from the user interface: SQLite does not overwrite deleted rows, so they remain in the database's free space until the file is vacuumed. A full factory reset (Erase All Content and Settings) is a different matter; on devices with hardware encryption it discards the keys protecting the data partition, and that data is not recoverable.

Data Protection on iOS can, however, prevent call history, calendar, notes, contacts or messages from being read when the files are protected by a class key that is not available. Where extraction succeeds, all of the evidence is readable; on an iPhone 3GS, for example, the files are delivered in the clear.
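Why a cleared record can still be recovered from the extracted database, demonstrated end to end as an added example for this page (not code from the original article or from any vendor tool). The script builds a small SQLite file with a simplified, invented schema loosely modelled on the message table of sms.db, deletes one row the way clearing a conversation would, and then searches the raw file bytes for the deleted text: the row is gone from query results but its content is still in the page's free space, and only VACUUM removes it. The PRAGMA sets secure_delete off explicitly so the result does not depend on the local SQLite build's default (Debian-based builds ship with it on). The rows are constructed.

```python
"""Added example: deleted SQLite rows survive in free space until VACUUM."""
import os
import shutil
import sqlite3
import tempfile

SCHEMA = """
CREATE TABLE message (
    ROWID       INTEGER PRIMARY KEY,
    handle      TEXT,
    text        TEXT,
    date        INTEGER,      -- CF Absolute Time, seconds since 2001-01-01
    is_from_me  INTEGER
)"""

# Constructed rows, not from a real device.
ROWS = [
    ("+15550001", "Meet at the usual place at nine tonight", 504921600, 0),
    ("+15550001", "Understood, bringing the documents with me", 504921660, 1),
    ("+15550002", "Happy new year from the whole family", 504921700, 0),
]


def connect(path):
    con = sqlite3.connect(path, isolation_level=None)   # autocommit: every statement is written
    con.execute("PRAGMA secure_delete=OFF")             # modelled default; do not rely on the build's
    return con


def build_db(path):
    con = connect(path)
    con.execute(SCHEMA)
    con.executemany("INSERT INTO message(handle, text, date, is_from_me) VALUES (?,?,?,?)", ROWS)
    con.close()


def list_tables(path):
    con = connect(path)
    names = [r[0] for r in con.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
    con.close()
    return names


def live_messages(path):
    con = connect(path)
    rows = con.execute(
        "SELECT ROWID, handle, text, date, is_from_me FROM message ORDER BY date").fetchall()
    con.close()
    return rows


def delete_message(path, rowid):
    con = connect(path)
    con.execute("DELETE FROM message WHERE ROWID = ?", (rowid,))
    con.close()


def vacuum(path):
    con = connect(path)
    con.execute("VACUUM")   # rebuilds the file from live rows only
    con.close()


def residue_present(path, needle):
    """Raw byte search of the file, independent of the SQLite engine."""
    with open(path, "rb") as fh:
        return needle in fh.read()


def demo():
    """The observations a practitioner would record: counts before/after, residue."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "sms.db")
    try:
        build_db(path)
        target = ROWS[1][1].encode()
        result = {"tables": list_tables(path), "before": len(live_messages(path))}
        delete_message(path, 2)                  # ROWID 2: the "cleared" message
        result["after"] = len(live_messages(path))
        result["residue_after_delete"] = residue_present(path, target)
        vacuum(path)
        result["residue_after_vacuum"] = residue_present(path, target)
        return result
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

On a real extraction the same raw search (strings or a hex editor) over the database file, its -wal and -journal companions is the quickest way to tell whether cleared records are worth carving.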

  • How to relate to the evidence?

It is vital to note that cases for a forensic investigation can be formed primarily by a plenty of SQLite and plist files. Utilizing both a timeline and MACB (modified, accessed, changed, born date) times are essential for an examiner while doing his investigation process. Recording timestamps which depended on timelines are also very important for reference to investigated events through a judicial procedure.

Such timestamps are shown in a format of CF Absolute Time, meaning that the provided time will be regarding seconds since Jan 1st, 2001. The following formula could be used then to make the shown timestamp much more readable:  =CreatedTime/(60*60*24)+DATE(2001,1,1) In the meanwhile, other tools could be relied on for accomplishing the task of making the timestamp in a more readable format such as the online tool: http://www.epochconverter.com/

References

https://www.sans.org/reading-room/whitepapers/forensics/forensic-analysis-ios-devices-34092

http://resources.infosecinstitute.com/ios-forensics/

https://www.cclgroupltd.com/mobile-device-forensics-data-acquisition-types/

 

Jailbreaking iOS devices

  • How to acquire iOS data through jailbreaking?

Jailbreaking replaces the firmware partition with a modified version. That makes it possible to install tools that do not otherwise exist on an iOS device, such as an SSH service and a terminal. Once the device is jailbroken, the examiner can image a partition.

One of the most widely used jailbreaking tools is redSn0w. It replaces the firmware and installs the Cydia application, after which the examiner can extract whatever artifacts are needed.

To acquire an image this way, the forensic workstation and the iOS device must be on the same wireless network. From the workstation's terminal, use the SSH service on the device to start the copy (replace <device-ip> with the device's address):

ssh root@<device-ip> dd if=/dev/rdisk0 bs=1M | dd of=ios-root.img

This command connects the workstation to the device over SSH and runs dd there. "dd if=/dev/rdisk0 bs=1M" reads the raw device /dev/rdisk0 (the whole flash, both partitions) in 1 MB blocks and writes it to standard output; the pipe carries the bytes back over SSH, and "dd of=ios-root.img" on the workstation writes them into the file ios-root.img. To image only the data partition, use the partition device instead (/dev/rdisk0s2 on older devices, /dev/rdisk0s1s2 on newer ones). Hash the image on both ends afterwards, for example with sha1sum on the device and on the workstation, and compare the values.

The output file can then be analyzed with any analysis tool. On some iPhones, however, the image is encrypted and cannot be parsed: when the device uses hardware encryption for the user volume, the raw image is meaningless without the device's keys. Tools such as iXAM and Lantern address this. They perform physical acquisition on the device, where the hardware keys are available, and so produce a readable, decrypted image.
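A first triage of a dd image before handing it to a parser, written as an added example for this page (not code from the original article or from any of the tools it names): it checks for the HFS+ volume-header signature at byte offset 1024 and the APFS container-superblock magic at byte offset 32, and otherwise estimates byte entropy, since a hardware-encrypted user volume reads as near-random data, which is the unreadable-image case just described. It also hashes the image in chunks so the value can be compared with one computed on the device. The images are constructed in memory, and the entropy thresholds are assumptions chosen for illustration.

```python
"""Added example: triage a raw dd image (file-system magic, entropy, hash)."""
import hashlib
import math
import random
from collections import Counter

HFSPLUS_SIGNATURES = (b"H+", b"HX")   # HFS+ and case-sensitive HFSX volume headers
APFS_MAGIC = b"NXSB"                   # nx_superblock_t magic at offset 32 of block 0


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for constant data, 8.0 for uniformly random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(image):
    """Rough verdict on what a raw partition/disk image contains."""
    if len(image) >= 1026 and image[1024:1026] in HFSPLUS_SIGNATURES:
        return "hfsplus"
    if len(image) >= 36 and image[32:36] == APFS_MAGIC:
        return "apfs"
    h = shannon_entropy(image[: 1 << 20])      # first MiB is enough for a verdict
    if h < 1.0:
        return "mostly-empty"
    if h > 7.9:                                 # assumption: "random-looking" threshold
        return "likely-encrypted-or-compressed"
    return "unknown"


def digest(image, algorithm="sha1", chunk=1 << 16):
    """Chunked hash over bytes/memoryview; matches sha1sum/sha256sum output."""
    h = hashlib.new(algorithm)
    view = memoryview(image)
    for off in range(0, len(view), chunk):
        h.update(view[off:off + chunk])
    return h.hexdigest()


def make_hfsplus_image(size=8192):
    """Constructed image: zeros with an HFS+ signature and version 4 at offset 1024."""
    buf = bytearray(size)
    buf[1024:1026] = b"H+"
    buf[1026:1028] = (4).to_bytes(2, "big")
    return bytes(buf)


def make_apfs_image(size=8192):
    """Constructed image: zeros with the APFS container magic at offset 32."""
    buf = bytearray(size)
    buf[32:36] = APFS_MAGIC
    return bytes(buf)


def make_random_image(size=1 << 16, seed=1):
    """Constructed stand-in for an encrypted user volume (deterministic seed)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


if __name__ == "__main__":
    samples = [("hfsplus", make_hfsplus_image()), ("apfs", make_apfs_image()),
               ("encrypted", make_random_image()), ("zeros", bytes(4096))]
    for name, img in samples:
        print(f"{name:10} {classify(img):32} entropy={shannon_entropy(img):.3f} sha1={digest(img)}")
```

For a file on disk, read it in chunks rather than all at once; only the first MiB needs to reach classify(), while digest() should see every byte so the hash matches the one taken on the device.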

  • What are the tools for analyzing acquired data then?

Many tools can open and analyze an image taken from an iOS device, and the open-source community contributes a large share of them; with these, searching for and retrieving the evidence the examiner needs can be done quickly.

Examples are Scalpel, dd, find, strings and similar utilities. They analyze an iOS image much as they would a FAT or NTFS image. Commercial suites such as EnCase and FTK Imager understand HFS+ and can mount the images for examination.

  • How to use Pangu Jailbreak?

  1. The software is available at http://www.downloadpangu.org/. Download it from there, making sure you take the latest version.
  2. Connect the iPhone to the forensic workstation with a USB cable.
  3. Make sure iTunes is not running.
  4. Disable the passcode and switch the iPhone into Airplane Mode.
  5. Open the downloaded Pangu Jailbreak application.
  6. When the software detects the connected iPhone it displays it together with its iOS version. Click "Start" to begin.
  7. A window offers two options, "Cancel" and "Already backup". Choose "Already backup".

Note the warnings this window shows: the application states that data loss may occur, suggests switching the phone to Airplane Mode for a smooth, uninterrupted run, and recommends backing up the data before proceeding.

  8. After you click "Already backup" the jailbreak starts, and the window shows the percentage completed. At about 55% the device is likely to reboot, and at about 65% the program asks you to re-enable Airplane Mode.
  9. At about 75% the program asks you to unlock the device and to run the Pangu Jailbreak app that it has installed on it.
  10. From experience, the app then asks for access to Photos for no stated reason. When it finishes, the phone reboots and Pangu reports that the device is jailbroken.

Important Background of iOS devices before forensics

It goes without saying that the iPhones, iPads and iPods in everyday use are developed by Apple and run the iOS operating system; hence the term iOS devices.

  • What about iPhones?

iPhones are the most common iOS devices, owing to their design, camera and feature set. Apple has released many models; the following table lists the main specifications of the recent ones, from the iPhone 5 to the iPhone 7, and shows how the hardware has progressed. The iPhone 6, 6s, SE and 7 were the models on the market at the time of writing.

Model      | Camera (front / rear) | Cellular radio | CPU              | Firmware (shipped iOS) | RAM  | Storage
iPhone 5   | 1.2 MP / 8 MP         | up to LTE (4G) | 1.3 GHz, ARMv7s  | iOS 6.0                | 1 GB | 16/32/64 GB
iPhone 5s  | 1.2 MP / 8 MP         | up to LTE (4G) | 1.3 GHz, ARMv8   | iOS 7.0                | 1 GB | 16/32/64 GB
iPhone 6   | 1.2 MP / 8 MP         | up to LTE (4G) | 1.4 GHz, ARMv8   | iOS 8.0                | 1 GB | 16/32/64/128 GB
iPhone 6s  | 5 MP / 12 MP          | up to LTE (4G) | 1.85 GHz, ARMv8  | iOS 9.0                | 2 GB | 16/32/64/128 GB
iPhone SE  | 1.2 MP / 12 MP        | up to LTE (4G) | 1.85 GHz, ARMv8  | iOS 9.3                | 2 GB | 16/32/64/128 GB
iPhone 7   | 7 MP / 12 MP          | up to LTE (4G) | 2.34 GHz, ARMv8  | iOS 10.0               | 2 GB | 32/128/256 GB

  • What about iPads?

iPad tablets were launched after the success of the iPhone. The first model was called simply iPad (or first-generation iPad); it arrived after the iPhone 3GS and before the iPhone 4 was released. The following table gives the specifications of the later iPad models.

Model              | Rear camera | Cellular radio | CPU              | Firmware (shipped iOS) | RAM  | Storage
iPad Air           | 5 MP        | up to LTE (4G) | 1.4 GHz, ARMv8   | iOS 7.0.3              | 1 GB | 16/32/64/128 GB
iPad Air 2         | 8 MP        | up to LTE (4G) | 1.5 GHz, ARMv8   | iOS 8.1                | 2 GB | 16/64/128 GB
iPad Pro (1st gen) | 8 MP        | up to LTE (4G) | 2.2 GHz, ARMv8-A | iOS 9.1                | 4 GB | 32/128/256 GB
iPad (5th gen)     | 8 MP        | up to LTE (4G) | 1.85 GHz, ARMv8  | iOS 10.3               | 2 GB | 32/128 GB
iPad Pro (2nd gen) | 12 MP       | up to LTE (4G) | 2.38 GHz, ARMv8  | iOS 10.3.2             | 4 GB | 64/256/512 GB
iPad mini 4        | 8 MP        | up to LTE (4G) | 1.5 GHz, ARMv8   | iOS 9.0                | 2 GB | 16/64/128 GB

  • What about iPods?

iPods were originally designed for playing music; the first generation appeared in 2001. Later generations added video playback and games.

Data from an iPod also matters to an examiner: the contents of its storage, the photo gallery and the browser can all be relevant to an investigation once retrieved.

iPod touch models offer a camera, Wi-Fi, the Safari web browser, storage and playback of audio, video and photos, a YouTube player, and apps installed from the App Store.

  • Where can I find the passwords of iOS devices?

The password hashes of the device's Unix accounts are found in the file /private/etc/passwd (newer versions keep them in /private/etc/master.passwd). Note that this is the account password used for SSH and the shell, not the user's screen-lock passcode.

That file lives on the system partition, which holds the operating system and the files needed to boot and maintain it.

The hash for root (and for the mobile user, which shares the same default password) looks like smx7MYTQIi2M

The hash can be read straight out of the password file and is valuable information for the examiner.

A password-cracking utility such as John the Ripper can then be used to crack it.

The default root password on iOS devices is "alpine" (lower case), and every iOS device ships with it. The hash above is exactly the traditional DES crypt(3) hash of "alpine" with the salt "sm".

  • Property List Files:

These files matter because web cookies, email accounts, GPS map routes and searches, system configuration preferences, browsing history and bookmarks are all kept in them. They are stored in XML or binary form, and they drive the configuration of both the applications on an iOS device and the operating system itself. An XML plist can be opened and reviewed with a plain text editor; a binary one needs plutil or a similar converter first.

  • SQLite Databases:

Much of the data extracted from an iOS device arrives as SQLite databases, so a browser is needed to open them. DB Browser for SQLite can be downloaded from http://sqlitebrowser.org/

References

https://www.sans.org/reading-room/whitepapers/forensics/forensic-analysis-ios-devices-34092

http://resources.infosecinstitute.com/ios-forensics/

https://www.cclgroupltd.com/mobile-device-forensics-data-acquisition-types/

How to use iPhone Analyzer for acquiring backup data?

  • What can I do to acquire backup data from an iOS device using iPhone Analyzer?

iPhone Analyzer is free software developed by Crypticbit. It is written in Java, so it runs on several platforms, and it extracts data from an iOS device by way of the device's backup.

Through iPhone Analyzer the iOS file system, as preserved in the backup, can be viewed easily, as can any individual file of interest to the examiner.

Because all of the data is read from an iTunes backup, there is little room to argue that the examiner altered it: the backup is produced by iTunes with no manual intervention. The typical mode is to run the tool against a backup already present on a computer (the workstation); if no previous backup exists, one can be created directly from the phone.

Files inside a backup are stored under hashed names. To turn them back into meaningful names and locations, choose the "export all files" feature of iPhone Analyzer; the examiner can then review the files in context.

  • What about the encrypted backups?

Sometimes iTunes backups are encrypted, which means they are not clear, directly readable data. In this case the backups were encrypted when they were first created through iTunes. Hence, reading them directly with iPhone Analyzer or similar tools will not make sense to the examiner, because of the encryption applied to the backup files.

In order for an examiner to understand such extracted data, a password cracking utility is required. This is usually for cracking the hash stored in the manifest.plist file so that the backup can be decrypted. For instance, Elcomsoft’s iPhone Password Breaker can be relied on to recover the password and the keychain files. It costs an examiner less than $100 to use such a tool and decrypt the files.

It is also worth noting that jailbreaking the phone is another acquisition method that can be used when the backups are encrypted. This approach can be used to replace the configuration files in order to bypass some form of passcode.

In a nutshell, what is needed is to create a backup of the iOS device using iTunes. This first step happens automatically by default when performing an upgrade or a sync on a computer. The second step is to analyze the backup files using software like iPhone Analyzer. If the backup files are encrypted, then a password cracking utility like Elcomsoft’s iPhone Password Breaker is required to decrypt the files first.

  • Example: What Is John the Ripper?

John the Ripper is one of the best security tools for cracking passwords. It ranks highly among its counterparts in the market, as sectools.org attests, which implies a degree of reliability. Besides, it is free software, which is a significant characteristic of the program. Like Metasploit, John the Ripper is part of the Rapid7 family of penetration testing/hacking tools. If you don’t know Metasploit, you can check an article titled “What is Metasploit” on infosecaddicts.com.

John the Ripper’s stable 1.8.0 version was released in 2013. The excellent production and development of the tool is fundamentally attributed to Solar Designer and the software’s community. It is an open source program released under the GNU General Public License (GNU GPL).

Initially, “Cracker Jack” was developed to crack Unix /etc/passwd files with the help of a dictionary; John the Ripper came into existence afterward. Moreover, a “Pro” version was developed with more features than the ordinary version, mainly the capability to handle many more of the hash types on which encrypted passwords are based. The commercial version of the Ripper is the most used among penetration testers for cracking passwords, essentially because of its speed and excellent performance.

  • How Do Password Crackers essentially work?

If you have no prior experience with password cracking, you most probably got lost trying to grasp this last part of the discussion; if not, you would get lost if I did not add this part. To crack a password means to recover or hack passwords by exploiting data passing through a computer system or within a network.

In this section, I will attempt to summarize the basic notion behind password cracking methods. This field is basically a form of cryptanalysis. In fact, some vulnerabilities in passwords open the gate for hackers, who exploit them in order to get the password back from its encrypted format after a hashing method has been applied.

I will now rely heavily on one of the essential methods of cracking passwords: the brute-force attack. What is this? It is simply a method which depends on cross-checking candidate passwords against the cryptographic hash that is available for the password.

  • In this manner, a hacker’s computer can guess the right password and recover it, especially if the password consists of clear-text words, which is where the term “dictionary attack” is derived from.
  • On the other hand, a password can be recovered through what is called a ‘rainbow’ table. It is much faster and contains precomputed password hashes from which a password is looked up by a computer system.
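The two bullets above in working form, from the defender's side: why a table of precomputed hashes finds an unsalted password with a single lookup, and why a per-password salt forces the candidate list to be rehashed for every stored hash instead. This is an added example, not code from the article or from John the Ripper; the word list and the target password are constructed, and SHA-256 stands in for whatever hash a real system uses.

```python
"""Precomputed lookup versus salted hashing. All hashes and candidate words are
constructed for this example; nothing here is real user data."""
import hashlib
import os
from typing import Dict, Iterable, Optional

# Constructed word list standing in for a cracking dictionary.
WORDLIST = ["letmein", "password", "summer2017", "correct horse"]


def unsalted(pw: str) -> str:
    """Plain hash of the password: identical passwords give identical digests."""
    return hashlib.sha256(pw.encode()).hexdigest()


def salted(pw: str, salt: bytes) -> str:
    """Hash of salt + password; the salt is random per password and stored
    alongside the digest, so two users with the same password differ."""
    return hashlib.sha256(salt + pw.encode()).hexdigest()


def build_table(words: Iterable[str]) -> Dict[str, str]:
    """Minimal precomputed lookup (digest -> plaintext). A rainbow table is a
    space-compressed version of the same idea: built once, reused for every
    target, and only possible because unsalted digests are predictable."""
    return {unsalted(w): w for w in words}


def lookup(table: Dict[str, str], digest: str) -> Optional[str]:
    """One dictionary lookup, no hashing at all at match time."""
    return table.get(digest)


def dictionary_attempts(digest: str, salt: bytes, words: Iterable[str]) -> Optional[str]:
    """With a salt, nothing can be prepared in advance: every candidate must be
    rehashed with this specific salt, which is the cost salting imposes."""
    for w in words:
        if salted(w, salt) == digest:
            return w
    return None


def demo() -> dict:
    """Run both paths against the same constructed password and report results."""
    table = build_table(WORDLIST)
    target_plain = "summer2017"
    table_hit = lookup(table, unsalted(target_plain))        # found instantly
    salt = os.urandom(16)
    s_digest = salted(target_plain, salt)
    table_miss = lookup(table, s_digest)                     # table is useless
    per_salt_hit = dictionary_attempts(s_digest, salt, WORDLIST)  # work redone per salt
    return {
        "table_hit": table_hit,
        "salted_table_miss": table_miss,
        "salted_per_salt_hit": per_salt_hit,
    }
```

The salted path still succeeds here because the candidate is in the tiny word list; what salting removes is the reuse of precomputed work across many hashes. Raising the per-guess cost further is the job of a deliberately slow function such as PBKDF2 (`hashlib.pbkdf2_hmac`) rather than a single SHA-256 round.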


How to get started with iOS Forensics?

  • Introduction to the topic



Technology is always an excellent motive for people to develop modern techniques and methodologies for solving technical issues. The point is that changes in technology always happen at a fast pace. Similarly, the storage of devices is continually expanding, which obliges specialists to think about good solutions.

Technology handles several vital tasks in our daily routine. Functions such as email, productivity suites, task lists, calendaring, browsing and presenting are always of interest to young people using their devices. Meanwhile, tablets and mobile devices are commonly used by organizations and individuals to perform automated tasks, and such devices facilitate tasks and processes for organizations in the first place.

Since the creation of Apple’s operating system, iOS, plenty of storage has been available on iOS devices. Consequently, several daily tasks can be performed simply by using these devices. As a result of this progress, records of emails, text messages, browsing history, chats, map searches and more are easily kept on and used through iOS devices.

Because plenty of data is stored on iOS devices, that data becomes vitally important when performing an investigation. Acquiring the data and creating sound images of it is what an examiner always aims to do. Once the images are created, whether by a logical method, from a backup, or through a physical method, the files can be investigated and all critical data and information becomes available to the examiner.

  • Why is it important to understand IOS forensics?

The importance of studying mobile forensics, and iOS forensics in particular, lies in the fact that mobile phones are used by the vast majority of people around the world nowadays, and the number of users increases every day. Furthermore, the features of the emerging technologies in different smartphones advance at a fast pace.

iPhones and iPods certainly play a significant role here. Apple therefore continually improves and modifies its operating system, iOS, which is used in all of Apple’s products. Such phones have become capable of performing all the tasks of an ordinary personal computer or laptop despite their much smaller size.

The advantage of iOS devices is the high capacity of the storage offered. This allows plenty of emails, browsing history, chat history, Wi-Fi data, GPS data and more to be stored conveniently and simply.

It is important to note that such devices are therefore a source of beneficial artifacts during an investigation. To illustrate, extracting data from such devices yields handy information about an individual.

Performing iOS forensics on iPhones or iPads follows specific procedures, in order to obtain the data and analyze it efficiently.

  • Let’s talk more about mobile forensics in general:


One of the most important fields of digital forensics relates directly to phones. Mobile phone forensics has witnessed exponential growth, which is significant and must be taken care of. Accordingly, the importance of studying and understanding this field keeps rising, which is attributable to the fast growth and advances in the mobile market.

Think about it this way: a mobile device has, in fact, only one user. Consequently, performing mobile forensics on a device reveals a great deal of personal information about an individual.

On the other hand, mobile forensics faces a range of problems and challenges, because companies keep producing brand new models with different designs and operating systems. This makes following one particular procedure almost impossible; instead, different procedures apply according to the model or type of device investigated.

With all of these challenges in mind, syncing a mobile phone to a computer using software is easy, and different sorts of data can be extracted this way, such as SMS, contacts, installed applications, GPS data, emails and deleted data.

  • How to identify the phone to investigate through?

The model of an iPhone has to be identified when an examiner starts the investigation. The reason is that the proper means of obtaining evidence depends in the first place on the model of the iPhone together with its iOS version. There are plenty of methods to achieve this goal:

  • The model of the phone is printed on the back of the device.
  • If this is not accessible or hard to read due to the condition of the device’s body, another method can be followed. A library named libimobiledevice can be installed on the forensic workstation. This solution works on different operating systems, including Mac OS, Microsoft Windows, and Linux up to 10.3. The following URL can be used for this purpose:

http://www.libimobiledevice.org/

The detailed steps of downloading the library and getting it working well on the workstation can be known through the following link:

http://krypted.com/mac-os-x/use-libimobiledevice-to-view-ios-logs/

This method also works even though the iPhone is highly likely to be locked. Whether the device is locked or not does not really matter, since the data is collected in the following manner. Just use the following command:

ideviceinfo

Executing this command yields considerable information, including DeviceClass, DeviceName, WiFiAddress, TelephonyCapability, HardwareModel and the iOS version.
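Turning that output into the identification record an examiner writes into the case notes. This is an added example, not code from the article or from the libimobiledevice project; the sample output is constructed in the `Key: Value` layout ideviceinfo prints, and every device value in it is a placeholder. The key names are the ones I know ideviceinfo uses for the fields the passage lists.

```python
"""Parse ideviceinfo output into an identification record. The sample output is
constructed for this example; the model, version and addresses are placeholders."""
import subprocess
from typing import Dict

SAMPLE_OUTPUT = """\
DeviceClass: iPhone
DeviceName: Exhibit 7 phone
HardwareModel: PLACEHOLDER_MODEL
ProductType: PLACEHOLDER_TYPE
ProductVersion: 0.0.0
TelephonyCapability: true
WiFiAddress: 00:00:00:00:00:00
"""

# The fields the passage names, plus ProductType/ProductVersion which carry the
# model identifier and iOS version as ideviceinfo reports them.
IDENTITY_KEYS = ["DeviceClass", "DeviceName", "HardwareModel", "ProductType",
                 "ProductVersion", "TelephonyCapability", "WiFiAddress"]


def parse_ideviceinfo(text: str) -> Dict[str, str]:
    """Collect top-level `Key: Value` lines. Indented lines belong to the nested
    dictionaries and arrays ideviceinfo also prints and are skipped here."""
    info: Dict[str, str] = {}
    for line in text.splitlines():
        if not line or line[0].isspace() or ":" not in line:
            continue
        key, _, value = line.partition(":")
        info[key.strip()] = value.strip()
    return info


def identity_record(info: Dict[str, str]) -> Dict[str, str]:
    """Pick the identification fields. A field the tool did not print is recorded
    as '<absent>' rather than dropped, so a device that exposed less than expected
    (for instance one that is locked and not paired) is visible in the notes."""
    return {k: info.get(k, "<absent>") for k in IDENTITY_KEYS}


def run_ideviceinfo() -> Dict[str, str]:
    """Run the real tool; needs libimobiledevice installed and a connected device."""
    out = subprocess.run(["ideviceinfo"], capture_output=True, text=True, check=True).stdout
    return identity_record(parse_ideviceinfo(out))
```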


How to be a professional in Mobile Forensics?

  • Why is mobile forensics important?

As technology spreads ever wider across the globe, understanding its different forms and their effects on our daily lives becomes extremely important. Since data becomes more significant and the space allocated to store such immense amounts of data grows as well, analyzing that data and making sense of it becomes an important matter to understand and grasp correctly.

Nowadays, mobile forensics has become one of the most critical parts of an investigation searching for evidence. But why is that? Take yourself as an example: you definitely use your mobile device to make calls, browse the internet, send messages, play music, create notes, and navigate. All of that data is very valuable in an investigation.

For anyone who strives to become a professional in the field, several notions need to be understood and complied with beforehand. Some relate to digital forensics in general, and others to the technique by which data should be acquired and used.

  • What is digital forensics in the first place?

Digital Forensics:

You may have heard of forensics in some field of science even if you are new to computer security. Digital forensics is fundamentally no different in concept: it is the investigation and recovery of material found in digital devices, including all devices that store or process digital data.

Although forensics is often referred to in the context of a crime or a similar incident, it is essential for corporations, whether private or public organizations. During the forensic process, data is captured and then analyzed in order to produce a report summarizing any detected attack or discovered evidence.

The term digital forensics covers plenty of sub-domains. The type of digital forensics varies according to the type of device investigated: there are computer forensics, network forensics, forensic data analysis and mobile device forensics. In this article, our primary focus is mobile forensics.

  • How to collect data professionally from a mobile phone?

There are several points to take care of when collecting a mobile device. Among them, the following are important to think about during collection:

  • The location where you received the mobile device should be noted and recorded very well. One suggestion is to use a camera to photograph the location of the phone and the phone itself before doing anything related to the investigation.
  • The status of the device has to be noted as well: whether the phone is powered on or off, the battery level, the network status (whether the phone is connected to the internet or offline), and whether the screen lock is engaged.
  • The SIM package should be examined so that any existing cables can be detected.

How to Preserve the evidence now?



Now comes one of the most important steps in mobile forensics: the preservation of evidence. Evidence has to be maintained throughout the investigation. The following steps clarify the process of preserving evidence in mobile forensics:

  • Note that data can simply be removed or deleted by an attacker through remote access or a remote connection, and existing data can likewise be overwritten. To avoid such trouble, you should isolate the phone from any type of network:
    • Remove the SIM card to make sure that no connection through the network provider is established.
    • Put the phone into Airplane mode, where connections are blocked.
    • Use what is referred to as a Faraday bag or a jammer. Such a bag protects the device and isolates it from RF for forensic purposes.
  • Pay attention to maintaining the chain of custody. What is the chain of custody in the first place? The digital forensics process goes through several stages, starting with the collection stage explained above and ending with presenting the results in a comprehensively understandable manner.

All of these stages can be recorded, and the records are maintained in a document called the chain of custody. What details should it include? Basically the serial number, the case number and the locker number. In addition, the name of the investigator performing the forensic process and the time and date of every stage or step should be documented for future reference. It is also important to record the details of evidence transportation, because this keeps track of the digital evidence.

  • Use hashing. This is an excellent means of proving and clearly showing the integrity of the evidence. Two of the most commonly used hash types are MD5 and SHA; they are used to calculate and record the hash values of the evidence.

A good point to note is that forensics always makes some alterations to mobile devices, making it impossible to leave the phone in exactly the same state after collecting the data. Nevertheless, the extracted data can have its hash values calculated when a logical extraction is used, or the hashes can be computed over the image file produced by a physical extraction.
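The hashing step above as a repeatable procedure: hash every extracted file once, keep the digests outside the evidence tree, and verify the tree against them later so that a modified, missing or stray file is reported. This is an added example, not code from the article; the extraction directory and its files are constructed in a temporary folder, and the file names in it are sample names, not a real device layout. It records both MD5 (for comparison with older tooling) and SHA-256.

```python
"""Evidence hashing: build a digest manifest for an extraction and verify it.
The extraction tree is constructed in a temp directory so the script runs anywhere."""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict

ALGORITHMS = ("md5", "sha256")   # MD5 for legacy comparison, SHA-256 as the strong one


def hash_file(path: Path, algo: str, chunk: int = 1 << 20) -> str:
    """Stream the file so large images do not have to fit in memory."""
    h = hashlib.new(algo)
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, Dict[str, str]]:
    """relative path -> {algorithm: digest} for every regular file under root."""
    manifest: Dict[str, Dict[str, str]] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = {a: hash_file(p, a) for a in ALGORITHMS}
    return manifest


def verify(root: Path, manifest: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Status per path: ok, modified or missing for manifest entries, and
    unexpected for files present on disk but absent from the manifest."""
    status: Dict[str, str] = {}
    for rel, digests in manifest.items():
        p = root / rel
        if not p.exists():
            status[rel] = "missing"
        elif all(hash_file(p, a) == d for a, d in digests.items()):
            status[rel] = "ok"
        else:
            status[rel] = "modified"
    for p in root.rglob("*"):
        if p.is_file():
            status.setdefault(p.relative_to(root).as_posix(), "unexpected")
    return status


def demo() -> Dict[str, str]:
    """Constructed extraction, then every failure the verifier must catch."""
    with tempfile.TemporaryDirectory() as tmp:
        extract = Path(tmp) / "extract"
        (extract / "Library").mkdir(parents=True)
        (extract / "sms.db").write_bytes(b"constructed sample content\n")
        (extract / "Library" / "notes.plist").write_bytes(b"<plist/>")
        (extract / "photo.jpg").write_bytes(b"\xff\xd8constructed")
        manifest = build_manifest(extract)
        manifest_path = Path(tmp) / "manifest.json"        # kept outside the evidence tree
        manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
        # Simulate a tampered file, a lost file and a stray file.
        (extract / "Library" / "notes.plist").write_bytes(b"<plist>tampered</plist>")
        (extract / "photo.jpg").unlink()
        (extract / "extra.bin").write_bytes(b"not in manifest")
        return verify(extract, json.loads(manifest_path.read_text()))
```

The manifest is written as JSON so it can be attached to the chain of custody record; the date, case number and examiner name from the passage above belong beside it, not inside the hashed tree.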


Getting started with HFS+ file system

  • Do you know what we mean by HFS+ File System?

It is always good to understand an entire system before starting to perform any sort of forensics on it. The story is no different for iOS devices, which have their own unique properties and capabilities. Since plenty of dissimilarities exist between the local storage of an iOS device and that of a Microsoft Windows system or a UNIX platform, it is crucial for an examiner to be aware of such differences by the time he starts the forensic process.

Being knowledgeable about these points is very important for selecting the proper set of tools for an iOS device forensics case. In addition, unexpected results from such tools, or output that does not appear at all, can be dealt with when such dissimilarities are understood.

The Hierarchical File System (HFS) was first designed by Apple back in the early 90s. It was originally intended to serve as a dynamic file system with a block scheme of 512 bytes. Two sorts of blocks were formed in the HFS system: logical blocks and allocation blocks.

What are the differences between logical and allocation blocks? Basically, the numbering of logical blocks is static, running from the first available block up to the last. Allocation blocks, however, can be grouped together, and such groups help achieve efficient usage of the storage blocks. The HFS+ file system consists of diverse components forming its structure: a volume header, startup file, allocation file, attributes file, extents overflow file and catalog file.

  • What about the HFS+ volume header?

The header is 1024 bytes, or 1 KB, in size. The last 1024 bytes of an HFS volume contain a backup of the volume header. Although this backup is not used very often, it is important in several cases, namely when the actual header becomes corrupted or goes missing for some reason.

The information inside the header is simply data about the structure of the HFS volume. Sectors 0 and 1 hold the boot blocks; after those come the bytes of the volume header. What types of information are stored in the header? Basically information like the allocation block size, the timestamp of the volume’s creation date, and the locations of the other volume structures, such as the Catalog File or the Extents Overflow File.

  • What about HFS+ Allocation File?

The allocation file indicates which allocation blocks are not in use and which are not free. A bitmap displays free and used allocation blocks: a free allocation block is indicated by a zero, which is a clear bit. Also, the size of an allocation block may change over time, and its location may lie outside a volume.
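The volume header and allocation file passages above, carried through in code: a parser for the 512-byte HFSPlusVolumeHeader that sits at byte 1024 (after the two boot sectors), the backup copy in the last 1024 bytes, and a walk of the allocation file's bitmap to count clear (free) bits. This is an added example, not code from the article or from Apple; the field order follows Apple's published HFS+ header layout as I know it, and the volume image is constructed in memory by `build_sample_image` (64 blocks of 4096 bytes, blocks 0 to 9 marked used) rather than read from a device.

```python
"""Parse an HFS+ volume header and its allocation bitmap. The disk image is
constructed in memory; offsets follow the HFSPlusVolumeHeader layout (512 bytes
at byte 1024 of the volume, backup copy in the last 1024 bytes)."""
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict

HFS_EPOCH = datetime(1904, 1, 1, tzinfo=timezone.utc)   # HFS+ dates are seconds from here
HEADER_OFFSET = 1024                                    # after the two reserved boot sectors
HEADER_LEN = 512
# signature, version, 17 u32 fields up to writeCount, then encodingsBitmap (u64)
FIXED_FMT = ">2sH" + "I" * 17 + "Q"
FORK_FMT = ">QII" + "II" * 8          # HFSPlusForkData: size, clump, blocks, 8 extents
FIELDS = ["signature", "version", "attributes", "last_mounted_version",
          "journal_info_block", "create_date", "modify_date", "backup_date",
          "checked_date", "file_count", "folder_count", "block_size",
          "total_blocks", "free_blocks", "next_allocation", "rsrc_clump_size",
          "data_clump_size", "next_catalog_id", "write_count", "encodings_bitmap"]
FORKS = ["allocation_file", "extents_file", "catalog_file", "attributes_file", "startup_file"]


def hfs_date(seconds: int) -> datetime:
    return HFS_EPOCH + timedelta(seconds=seconds)


def parse_fork(raw: bytes) -> Dict:
    """Fork data gives the location of a special file as (start block, count) extents."""
    size, clump, blocks, *ext = struct.unpack(FORK_FMT, raw)
    extents = [(ext[i], ext[i + 1]) for i in range(0, 16, 2) if ext[i + 1]]
    return {"logical_size": size, "clump_size": clump, "total_blocks": blocks, "extents": extents}


def parse_volume_header(image: bytes, offset: int = HEADER_OFFSET) -> Dict:
    raw = image[offset:offset + HEADER_LEN]
    if len(raw) != HEADER_LEN:
        raise ValueError("image too small for a volume header")
    hdr = dict(zip(FIELDS, struct.unpack(FIXED_FMT, raw[:80])))
    if hdr["signature"] not in (b"H+", b"HX"):          # HX marks case-sensitive HFSX
        raise ValueError(f"not an HFS+ header: {hdr['signature']!r}")
    hdr["signature"] = hdr["signature"].decode("ascii")
    for k in ("create_date", "modify_date", "backup_date", "checked_date"):
        hdr[k] = hfs_date(hdr[k])
    hdr["finder_info"] = raw[80:112]
    for i, name in enumerate(FORKS):
        start = 112 + 80 * i
        hdr[name] = parse_fork(raw[start:start + 80])
    return hdr


def parse_alternate_header(image: bytes) -> Dict:
    """The backup copy that the passage says lives in the last 1024 bytes."""
    return parse_volume_header(image, len(image) - 1024)


def read_allocation_bitmap(image: bytes, hdr: Dict) -> bytes:
    """Follow the allocation file's first extent to the bitmap (one bit per block)."""
    bs = hdr["block_size"]
    start, count = hdr["allocation_file"]["extents"][0]
    return image[start * bs:(start + count) * bs]


def count_free_blocks(bitmap: bytes, total_blocks: int) -> int:
    """A clear bit means a free block; bit 7 of byte 0 is allocation block 0."""
    return sum(1 for n in range(total_blocks) if not (bitmap[n // 8] >> (7 - n % 8)) & 1)


def build_sample_image() -> bytes:
    """Constructed 64-block volume: header in block 0, bitmap in block 1,
    blocks 0-9 marked used, alternate header in the last 1024 bytes."""
    bs, total, used = 4096, 64, 10
    create = int((datetime(2017, 3, 1, tzinfo=timezone.utc) - HFS_EPOCH).total_seconds())
    fixed = struct.pack(FIXED_FMT, b"H+", 4, 0, 0, 0, create, create, 0, 0,
                        12, 3, bs, total, total - used, used, 0, 0, 17, 1, 1)
    empty_fork = struct.pack(FORK_FMT, 0, 0, 0, *([0] * 16))
    alloc_fork = struct.pack(FORK_FMT, bs, bs, 1, 1, 1, *([0] * 14))   # one extent: block 1
    header = fixed + b"\x00" * 32 + alloc_fork + empty_fork * 4
    bitmap = bytes([0xFF, 0xC0]) + b"\x00" * (bs - 2)                  # blocks 0-9 set
    image = bytearray(bs * total)
    image[HEADER_OFFSET:HEADER_OFFSET + HEADER_LEN] = header
    image[bs:2 * bs] = bitmap
    end = len(image) - 1024
    image[end:end + HEADER_LEN] = header
    return bytes(image)
```

On a real image the free count from the bitmap should agree with `free_blocks` in the header and `next_catalog_id` shows how many catalog IDs have been handed out; a mismatch between the primary and alternate headers is the case where the backup copy earns its keep.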

  • What about the HFS+ Extents Overflow File?

If an allocation block is used by a certain volume, the HFS+ Extents Overflow File keeps track of it. A balanced tree format is used to store the information of the Extents Overflow File. But what kind of information is stored? Simply all files’ extents and their allocated blocks, in a suitable order.

  • What about HFS+ Catalog File?

The hierarchy of folders and files is shown in the Catalog File. Metadata about the files and folders contained in a volume is all available in the Catalog File, including modification, access and creation times.

A balanced tree catalog is used in the HFS system. Nodes are used to reference folders and files, and the hierarchy of all node types (header, index, leaf and map) is maintained in the catalog file. Groups of nodes are created linearly to make the process faster and more efficient. Every newly created file gets an ID number, which increases by one whenever a new file is added.

  • What about partitions?

There are two partitions on an iOS device: the firmware partition and the data partition. The first basically contains the software for running the iOS device, while the second holds all the files and data used and desired by the device’s user.

Let’s talk more about the firmware partition. It is always read-only; it does not allow writing except while an update is being installed. iTunes is the one responsible for overwriting the partition with a brand new one when the system is upgraded.

The size of the firmware partition is in most cases between 0.9 and 2.7 GB. The exact size is determined by the size of the NAND driver. Whereas no user data is allowed on this crucial partition, some important files are kept there, such as system files, upgrade files and basic applications.

The data partition is the other partition, and it is intended for the device’s user. All user data is kept in it. Accordingly, when performing an investigation, this partition is the important one for collecting evidence from the available data. Both the user’s data and the iTunes applications can simply be found in this partition.


File System and Operating Modes inside IOS devices

  • The HFS+ file system in points

    • The disk is formatted into 512-byte blocks at the physical level.
    • Two types of blocks exist in the HFS+ file system format.
    • Logical blocks are the first type and allocation blocks are the second.
    • Logical blocks are numbered from the first to the last inside a volume.
    • Such blocks are 512 bytes in size as well.
    • Data is tracked using allocation blocks.
    • Groups of allocation blocks are named clumps.
    • Clumps help to minimize fragmentation inside a volume.
    • Local time (absolute time) and Unix time are both used in the HFS+ format.
    • Using this timing scheme, the location of an HFS+ system can be identified successfully.
    • Data is organized using a catalog file.
    • The catalog file uses the B* tree format, referred to as a balanced tree structure.
    • There are several nodes inside such a tree.
    • Whenever new data is added or deleted, the algorithm is used to keep the tree balanced.
    • The structure of an HFS+ file system is as follows in detail:

      • There are reserved blocks which use 1024 bytes.
      • Volume Header: the data describing the structure of the HFS volume is contained here. There is also a Catalog ID numbering which is incremented by one whenever a new file is added to the HFS+ file system. The signature “H+” is contained in an HFS+ Volume Header.
      • Allocation File: all the allocation blocks are tracked in this file. If the file system uses an allocation block, the bit representing it is changed. In other words, a bitmap is used such that if an allocation block is in use, its bit is set to 1; if the bit is 0, the block is free and not in use.
      • Extents Overflow File: it holds pointers to the extents of files. Any file using more than eight contiguous allocation blocks uses extents.
      • Catalog File: the purpose of this file is essentially to organize the data, using a balanced tree. The catalog file is consulted when the location of a file or folder within a volume needs to be known. Data such as the creation dates of files, the permissions granted to them and their modification dates are all maintained in the catalog file. Such data is what we simply call metadata.
      • Attributes File: any customizable attributes of a file are contained in this file.
      • Startup File: this file helps with booting the system where built-in ROM support is not available.
      • Actual data: this data is located inside the file system, where all of it can be tracked.
      • Alternate Volume Header: another 1024 bytes at the end of the volume, intended as a backup of the volume header, whose length is 512 bytes.
      • The very last bytes are reserved for the system and occupy 512 bytes.
    • There is a notable naming rule in a variation of the HFS+ file system. The HFSX file system allows two different files to have the same name as long as the case of at least one letter differs. In other words, HFSX is a case-sensitive file system, meaning that the same name with different case automatically becomes two different names to the system.

  • How to change Operating Modes of an iOS device?

  • What about the Normal Mode?

Three steps happen one after another when an iOS device boots in its normal mode. First, it loads the Low-Level Bootloader. Then it loads iBoot. Last, the iOS kernel runs and operates the device. These boot steps are signed to preserve the integrity of the process, which is good for obtaining strong security on iOS devices.

  • What about the Recovery Mode?

The iOS device automatically enters recovery mode if a failure happens. This mode is intended for performing upgrades or restoring the iPhone. How can the examiner switch an iOS device into this mode? The following steps achieve this:

  1. Turn the device off by holding the power button on the top of the device.
  2. Keep holding the home button of the iPhone and use a USB cable to connect the iPhone to a computer.
  3. Keep holding the home button until the screen showing “Connect to the iPhone” no longer appears. The home button can then be released.
  4. If you need to exit recovery mode, you will need to reboot the device.

  • What about the DFU Mode?

Most acquisition techniques require putting the phone into DFU mode. In order for an examiner to put the device into this mode, the steps below are the solution:

  1. Install the iTunes software on the forensic workstation. Use a USB cable to connect the phone to the forensic workstation.
  2. Switch the phone off.
  3. Hold the power button for 3 seconds.
  4. Keep holding the power button and also hold the home button for 10 seconds.
  5. Release the power button and keep holding the home button until iTunes clearly reports that an iPhone in recovery mode has been detected.


Data Acquisition through iTunes Backup

Why is it important to consider iTunes Backup data for acquisition?


Any updates to an iPhone can be performed using one of two main methods. One, the user can choose to have his or her data backed up using the Apple iTunes software. The other is to use iCloud, the cloud storage offered by Apple.

The backup is performed whenever the iPhone is connected to the computer, by copying data from the device into the application. This is where the importance of an iTunes backup from the forensic perspective comes from. However, it is up to the user in the first place to select which data is backed up, so the data retrieved from iCloud or iTunes may differ greatly.

How to perform data acquisition through iTunes backup?


Using the latest iTunes backup is considered a good approach, all the more so when the device isn’t physically accessible. This method depends on the computer to which the iOS device used to connect for updates or for syncing music, movies and applications. Needless to say, that computer can be running either Windows or Mac OS with no difference.

iTunes performs an automated backup when syncing data or upgrading the iOS version itself. However, users can always change this default configuration as they wish. The backups are stored in different locations depending on the computer’s operating system. The following are three examples of operating systems and their iTunes backup locations:

  • On Windows XP: %systempartition%\documents and settings\%username%\Application Data\Apple Computer\MobileSync\Backup
  • On Windows 7: %systempartition%\Users\%username%\AppData\Roaming\Apple Computer\MobileSync\Backup\
  • On Mac OS: /Users/%username%/Library/Application Support/MobileSync/Backup

It is exciting to know that there are several exciting files which exist inside the directory where iTunes backup folder exists. Such files essentially make the examiner assured about the correctness of the identity of the device he/she is investigating through the forensics process.

Examples of such files at the root of the backup folder are Status.plist, Info.plist and Manifest.plist. Status.plist records the state of the most recent backup: its date, whether it completed, and its version. Info.plist ties the backup to a specific device; it contains the device name, product type, iOS version, serial number, IMEI, phone number and UDID, together with the date of the last backup.

Manifest.plist holds metadata about the backup as a whole, including whether it is encrypted and a copy of the device's lockdown information. The backed-up files themselves are not stored under their original names: each one is stored under the SHA-1 hash of its domain and relative path on the device (for example HomeDomain-Library/SMS/sms.db), with no extension. To map those hashes back to real paths the examiner consults the backup's file index (Manifest.mbdb in older backups, the Manifest.db SQLite database from iOS 10 onwards) or a tool that does so. Many of the files are binary property lists or SQLite databases, so viewing them requires converting them into a form that is legible to a human reader.

Older iTunes versions (before iTunes 10) stored each backed-up file as a pair of binary files, *.mddata (the content) and *.mdinfo (its metadata), which is the naming much of the older literature still refers to; in either layout it is the user data inside that matters. How can such data be reviewed and analysed? Several tools exist for this purpose, among them iPhone Analyzer, Paraben Device Seizure, iPhone Backup Extractor and Mobile Sync Browser.
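The following is an added example, not code from the original page or from any of the tools named above. It reads the identity fields out of Info.plist and the encryption flag out of Manifest.plist, and computes the hashed name under which a given file is stored in the backup, so that well-known artifacts (the SMS database, the address book) can be found without a third-party tool. The two plists are constructed samples with placeholder values; the directory layout function assumes the newer two-character subdirectory scheme by default.

```python
# Added example (not code from the original page): read the identity files at the
# root of an iTunes backup and work out the hashed name a backed-up file is stored
# under. The plist contents below are constructed samples, not real device data.
import hashlib
import os
import plistlib

# Constructed Info.plist carrying the identity keys the text mentions.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Device Name</key><string>Example iPhone</string>
  <key>Product Type</key><string>iPhone8,1</string>
  <key>Product Version</key><string>12.4</string>
  <key>Serial Number</key><string>SERIAL000000</string>
  <key>IMEI</key><string>000000000000000</string>
  <key>Phone Number</key><string>+1 555 0100</string>
  <key>Target Identifier</key><string>0000000000000000000000000000000000000000</string>
  <key>Last Backup Date</key><date>2019-08-01T10:15:30Z</date>
</dict></plist>"""

# Constructed Manifest.plist; IsEncrypted decides whether the files can be read
# directly or whether the backup password is needed first.
SAMPLE_MANIFEST_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Version</key><string>10.0</string>
  <key>IsEncrypted</key><false/>
  <key>Lockdown</key><dict>
    <key>BuildVersion</key><string>16G77</string>
    <key>UniqueDeviceID</key><string>0000000000000000000000000000000000000000</string>
  </dict>
</dict></plist>"""

IDENTITY_KEYS = ("Device Name", "Product Type", "Product Version", "Serial Number",
                 "IMEI", "Phone Number", "Target Identifier", "Last Backup Date")


def device_identity(info_plist: bytes) -> dict:
    """Pull the Info.plist fields that tie a backup to one physical handset."""
    info = plistlib.loads(info_plist)
    return {key: info[key] for key in IDENTITY_KEYS if key in info}


def is_encrypted(manifest_plist: bytes) -> bool:
    """True when Manifest.plist marks the backup as password protected."""
    return bool(plistlib.loads(manifest_plist).get("IsEncrypted", False))


def backup_file_id(domain: str, relative_path: str) -> str:
    """Stored name of a backed-up file: SHA-1 of '<domain>-<relative path>'."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode("utf-8")).hexdigest()


def backup_file_path(backup_dir: str, file_id: str, nested: bool = True) -> str:
    """Backups made by iTunes 12.5.4 / iOS 10.2 and later keep each file in a
    subdirectory named after the first two hex digits of its fileID; older
    backups put every file directly in the UDID folder."""
    if nested:
        return os.path.join(backup_dir, file_id[:2], file_id)
    return os.path.join(backup_dir, file_id)


# Well-known artifacts and their domain/path on the device's data partition.
KNOWN_ARTIFACTS = {
    "sms": ("HomeDomain", "Library/SMS/sms.db"),
    "contacts": ("HomeDomain", "Library/AddressBook/AddressBook.sqlitedb"),
    "call_history": ("HomeDomain", "Library/CallHistoryDB/CallHistory.storedata"),
    "notes": ("HomeDomain", "Library/Notes/notes.sqlite"),
}


def locate_artifacts(backup_dir: str, nested: bool = True) -> dict:
    """Map artifact names to the path each would have inside the backup folder."""
    return {name: backup_file_path(backup_dir, backup_file_id(dom, rel), nested)
            for name, (dom, rel) in KNOWN_ARTIFACTS.items()}


if __name__ == "__main__":
    for key, value in device_identity(SAMPLE_INFO_PLIST).items():
        print(f"{key:18} {value}")
    print("encrypted:", is_encrypted(SAMPLE_MANIFEST_PLIST))
    for name, path in locate_artifacts("Backup/<udid>").items():
        print(f"{name:13} {path}")
```

Pointing `locate_artifacts` at a real UDID folder gives the paths to open with a SQLite browser; when `is_encrypted` returns True those files are ciphertext and the backup password must be supplied to a tool that implements Apple's backup decryption before any of them can be read.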

What could be gained from an iTunes Backup in summary?


In summary, a backup made during syncing leaves a good deal of valuable information on the computer. Historical data and the pairing record (the lockdown certificate that allows a computer the device already trusts to talk to it without the passcode being entered again) are both on the host. An offline backup has to exist, or be created, before this method of acquisition can be used.

This method is used whenever the other acquisition methods, namely logical, file system and physical acquisition, cannot be performed. The examiner creates a backup of the iOS device and then relies on a suitable utility to analyse the data.

The backup can be created with free software on either Mac OS or Microsoft Windows. The data is copied from the iOS device to the computer over a proprietary Apple protocol, and the sync can run either over a USB cable or over Wi-Fi.

The user can choose whether the backup is encrypted or not. An encrypted backup is not a dead end: the password can be attacked offline, but the backup key is derived from the password with a deliberately expensive PBKDF2 derivation, so guessing is slow unless the password is weak or already known. Note also that an encrypted backup contains more data than an unencrypted one (keychain items, for instance), so if the password is available it is the preferable kind.

For forensic work it is advisable to create a fresh backup; the synchronization process starts automatically once the iOS device is connected to the computer. When that is not possible, an already existing backup can be used instead.

Backups on a computer give the user the assurance that their data survives if the phone is lost or damaged: even if the device is wiped, the backup still exists. For the examiner this means every backup found must be analysed forensically to uncover its artifacts, since each one may hold data that is no longer on the device.

How to relate to the evidence?

A forensic case on iOS is built largely from SQLite databases and plist files. Building a timeline and making use of MACB times (modified, accessed, changed, born, i.e. created) are essential for the examiner. Recording the timestamps that feed the timeline is equally important so that events can be referred back to during the procedure.

Timestamps in these artifacts are commonly stored as CF Absolute Time, that is, seconds since 1 January 2001 00:00:00 UTC (rather than the Unix epoch of 1970). In a spreadsheet the following formula turns such a value into a readable date: =CreatedTime/(60*60*24)+DATE(2001,1,1). Online tools such as http://www.epochconverter.com/ can also be used, but they expect Unix time, so 978307200 (the number of seconds between the two epochs) must be added to the CF Absolute value first.
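The conversion above, carried through in code as an added example that is not part of the original page: it converts CF Absolute Time to UTC (also handling the nanosecond variant some newer iOS databases use, which the page does not cover), reads constructed rows in the shape of an sms.db message table and a call table, and sorts them into a timeline. The table layouts and rows are constructed for the example and are not real device data; the same conversion is also shown done inside SQLite for the case where only a query window is available.

```python
# Added example (not code from the original page): convert the timestamp formats
# found in iOS SQLite databases to UTC and assemble a small timeline. The tables
# and rows are constructed to mirror the shape of real artifacts, not real data.
import sqlite3
from datetime import datetime, timedelta, timezone

CF_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
CF_TO_UNIX_OFFSET = 978307200  # seconds from 1970-01-01 to 2001-01-01


def cf_absolute_to_utc(value) -> datetime:
    """CF Absolute Time (seconds since 2001-01-01 UTC) to an aware datetime.
    From iOS 11 some columns, e.g. message.date in sms.db, hold nanoseconds
    instead; a value above 1e11 cannot be a plausible number of seconds
    (that would be past the year 5000), so it is treated as nanoseconds."""
    seconds = float(value)
    if seconds > 1e11:
        seconds /= 1e9
    return CF_EPOCH + timedelta(seconds=seconds)


def cf_to_unix(value) -> float:
    """Value to paste into a Unix epoch converter for a CF Absolute timestamp."""
    seconds = float(value)
    if seconds > 1e11:
        seconds /= 1e9
    return seconds + CF_TO_UNIX_OFFSET


def sample_db() -> sqlite3.Connection:
    """Constructed tables: 'message' in the iOS 11+ sms.db style (nanoseconds)
    and a call table holding plain CF Absolute seconds."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE message (ROWID INTEGER PRIMARY KEY, date INTEGER,
                              is_from_me INTEGER, text TEXT);
        CREATE TABLE call (ROWID INTEGER PRIMARY KEY, date REAL,
                           address TEXT, duration REAL);
        INSERT INTO message VALUES (1, 600000000000000000, 0, 'call me when you land');
        INSERT INTO message VALUES (2, 600003600000000000, 1, 'thanks for the call');
        INSERT INTO call VALUES (1, 600001800.0, '+1 555 0100', 95.0);
    """)
    return conn


def build_timeline(conn) -> list:
    """Normalise every event to UTC and return them in chronological order."""
    events = []
    for date, is_from_me, text in conn.execute(
            "SELECT date, is_from_me, text FROM message"):
        direction = "sent" if is_from_me else "received"
        events.append((cf_absolute_to_utc(date), "sms", f"{direction}: {text}"))
    for date, address, duration in conn.execute(
            "SELECT date, address, duration FROM call"):
        events.append((cf_absolute_to_utc(date), "call", f"{address} ({duration:.0f}s)"))
    events.sort(key=lambda ev: ev[0])
    return [(ts.strftime("%Y-%m-%d %H:%M:%S UTC"), src, desc) for ts, src, desc in events]


def convert_in_sql(conn) -> list:
    """The same conversion done inside SQLite: scale nanoseconds to seconds,
    add the epoch offset, then let datetime(..., 'unixepoch') format it."""
    return [row[0] for row in conn.execute(
        "SELECT datetime(date / 1000000000 + 978307200, 'unixepoch') "
        "FROM message ORDER BY date")]


if __name__ == "__main__":
    conn = sample_db()
    for line in build_timeline(conn):
        print(*line)
    print(convert_in_sql(conn))
```

The magnitude check is the part worth keeping in mind: a timestamp column that switched from seconds to nanoseconds between iOS versions will silently produce dates in the far future if converted with the seconds formula, so a sanity check on the range of every converted column belongs in the examiner's procedure.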


Acquiring data from an iOS device

What are Data Acquisition methods in general?

Data acquisition is a key topic in mobile forensics. Why is it important to understand it? Before a system can be investigated, its data has to be extracted into an image the examiner can work on, and that extraction process is what is meant by data acquisition. There are three main categories, analysed in detail below.

    1. Manual Acquisition:
      • The examiner works through the mobile device's own user interface.
      • Each screen is photographed or captured as the device is browsed. No tools are needed, but the method has serious drawbacks: it is time-consuming, and since only what the user interface displays can be seen, not all the data on the device can be recovered this way.
    2. Physical Acquisition:
      • A bit-by-bit copy of the entire flash storage (not just the file system) is created.
      • This is similar to physical acquisition in traditional computer forensics.
      • Live data, unallocated space and even deleted data are all copied by this demanding method.
      • On modern mobile devices it is frequently not available, since it requires low-level access (on iOS a bootrom exploit or a jailbreak) that does not exist for every device and version.
    3. Logical Acquisition
      • The method relies on the manufacturer's own application programming interface (on iOS, the same interface iTunes uses).
      • The phone's contents are synchronized with a personal computer through that interface.
      • Plenty of free software tools support this method.
      • Neither deleted data nor unallocated space is recovered, because the method only extracts what is accessible to the device's user.

What are the main methods used for data forensics on IOS devices?


In fact, extraction of data from an iOS device falls into four categories, each with its own pros and cons. An examiner must understand all four before investigating a device, and will usually need to combine several of them in the course of one examination.

The cases in which each type applies also differ. Sometimes the iOS device itself is not available; sometimes it is available but locked, or its data is encrypted. It is therefore crucial to understand each category and its limitations before starting.

Most iOS phones under investigation will be locked with a passcode. To overcome this it is advisable to try to obtain the passcode from the owner. Where the device is unlocked and accessible, it is better still to keep it that way by setting Auto-Lock to "Never" for the duration of the examination, so that the passcode requirement does not return while work is in progress.

Make a note of every alteration you make to the device during the investigation. Besides the passcode lock, put the device into "Airplane mode" to isolate it from external connections: that way nobody can connect to it remotely and delete its data or perform a remote wipe after the phone and the evidence on it have been secured. A Faraday bag achieves the same isolation without changing a setting on the device.

The four types of data acquisition applied to iOS devices are the following:

      1. Pulling the data out of an iTunes backup.
      2. Pulling the data out through the logical (API-based) method.
      3. Jailbreaking the device to gain file-system access.
      4. Taking a complete physical image of the storage hardware.

What are the partitions of an iOS device in general?


There are actually two main partitions which characterize an iOS device:

      • System Partition:

This partition is of little interest to the forensic investigator: it holds the iOS operating system and the pre-installed applications, and it is mounted read-only. The file /private/etc/fstab on the device shows this; the "ro" flag marks the read-only mount (the data partition appears on the following line of the same file, mounted read/write at /private/var):

/dev/disk0s1 / hfs ro 0 1

disk0 denotes the single flash disk an iOS device uses, and s1 its first slice, the system partition; so disk0s1 is the system partition and disk0s2 is the data partition. Later iOS versions carve both out of one slice and name them disk0s1s1 and disk0s1s2, and from iOS 10.3 the file system is APFS rather than HFS+, but the split into a read-only system partition and a writable data partition is the same.

      • Data Partition:

This partition, on the other hand, is the valuable one for the examiner. It is mounted read/write, so user data accumulates there and can be collected (and, if care is not taken, altered).

The structure of the data partition has not stayed fixed; it has changed across iOS versions.

Several directories under /private/var are of particular interest to the examiner, such as the following:

      • Keychains – keychain-2.db: important because many of the user's passwords for different applications and accounts are stored there (encrypted with device-specific keys).
      • Logs – General.log: contains the version of the running operating system and the serial number of the device.
      • Logs – Lockdown.log: the log of the Lockdown daemon, which records pairing and sync activity with computers.
      • Mobile – user data (applications, media, messages, contacts and so on).
      • Preferences – system configuration plists.
      • Run – runtime state and system logs.
      • Tmp – manifest.plist: a backup copy of plist files is kept there.
      • Root – the root user's Caches, Lockdown and Preferences.
