• Why is it essential for an examiner to get some files of interest from an iOS device?

  

All activities of an iOS device user are stored inside the device in different formats and for various purposes as well. This evidence is apparently collected for the sake of serving the iOS user in the very first place. However, this is not the complete case. It is because the evidence obtained and stored cookies are even much more than what the user could ask for or need.

Information just like locations, messages, contacts, web surfing habits, notes, pictures and more are available on iOS devices storage media. Many of them come with time-stamped data.

From the forensics point of view, such data becomes much more and more valuable. This is since businesses begin to grow larger nowadays using iOS devices. It urges examiners to cope with any new technologies or software releases. It could offer any help with the forensics procedure and smooth extraction of data and acquisition of it.

• Cookies of browser inside /private/var/mobile/Library

• What is meant by cookies in the first place?
  

Cookies are often utilized by a web page to help provide a user with web pages customized to a very great extent. Users get identified in this manner while they are assisted with personalized results and experience.

A user may be asked to get necessary information filled up when browsing a web page which makes use of it. Names and interests may be the sort of information asked for when it comes to a website depending on cookies. The browser used by the user is the one responsible for storing this critical data on the device for further usage by the site afterward. The browser gets such cookies essentially from this sever in the very first place essentially.

From the perspective of websites, it is an important aspect to have the cookies stored on a computer. It is because such cookies get sent over to the server hosting the site whenever this website is visited. Accordingly, custom pages are sent to the user depending on such cookies.

Have you ever visited a website which welcomes you with your name or shows to you the last time when you visited the site? This website is using cookies to serve you with a customized experience better when visiting their website.

Let’s talk more about exciting stuff of the cookies file. What can be found inside it in particular? Basically, inside the file, there must be informed about the website there in the first place. Moreover, some personal information could be stored along with the information about the website. It is generally in the case that the user provides the site with such information. Otherwise, they will not be included.

It is interesting to know that most of such information will be of text format at the end of the day. Nonetheless, useful websites send such cookie data into the browser in an encrypted form. The fact that they want to secure the data to a great extent, so the reason for this encryption attributes. It is to ensure that they will not make sense even when extracted and acquired in some way or another.

From the perspective of an examiner performing forensics investigation, this data is very crucial in the process. It is because they represent some preferences of the user along with data such as their names and interests. It would help someone interested in an investigation to get data of interest from such cookies.

In such cookies, several vital parameters are passed through such for identification and related purposes intended by the cookies mainly. Typically, the given parameters are like illustrated in the following points:

• The name of the cookie.
• The value of the cookie.
• The expiration date of the cookie: this determines how long the cookie will remain in an active status in the browser of the user.
• The path for the cookie is valid. Web pages outside of that way cannot use the cookie.
• The domain for the cookie is valid. It makes the cookie accessible to pages on any of the servers in an area.
• The need for a secure connection: this indicates that the cookie can only be used under the condition of having a secure server.
• How to perform such extraction of cookies?
  

  

It is considered a significant source of evidence when it comes to forensics investigations to get the data extracted from the browser cookies. Such cookies are attached to the very popular Safari browser. The file which contains these vitally essential cookies is named cookies.binarycookies.

The different main characteristic of the standard browsers and Safari browser lies in the storage of cookies. Browsers such as Internet Explorer store their cookies data inside a plain text format file or they utilize an SQLite database format residing inside the folder of history. Safari, on the other hand, gets its browser cookies stored inside a binary format file.

It is therefore worth noting that opening such a binary format file requires a sort of specific software for this reason in the first place. Such tools could be like iPhone Extractor or any HEX editor to be able to grasp what is there inside such files of interest.

For sure we have opened such files to go through what could be inside such data. When we did that, we figured out that whenever there is a header inside the record, one or more pages are coming after it. Inside each page, there exists one or even more cookies residing there.

It is also essential to make sense of the sizes of each field constructing the cookies of such file. The signature field occupies 4 bytes by default to store the COOK header. In the meanwhile, another field named as Number of pages makes up 4 bytes to store Little Endian Integer. There is also another field called Page Size, and this one uses up 4 bytes of the storage to have another Little Endean Integer saved. An area named Page, on the other hand, varies in size according to the size of the cookies itself. Finally, the tail field has a capacity of eight bytes to store a Hash for the checksum possibly.

Try Certified Ethical Hacker for FREE!!!– https://infosecaddicts.com/course/certified-ethical-hacker-v10/

Resources

https://www.sans.org/reading-room/whitepapers/forensics/forensic-analysis-ios-devices-34092

http://resources.infosecinstitute.com/ios-forensics/

Novice

$0

Join the infosec family! Your journey starts here. The free tier gives you limited access to our training materials.  

Sign Up

Regular use

$49

This is the second tier that includes limited access to our training materials and to our exclusive lab.    

Sign Up

Risky use

$69

This third tier gives you all the luxuries of the Free use and more. You have access to self-paced classes.  

Sign Up

Monthly use

$89

This last tier gives you the Free, Social and Problem use for just $89 a month. Plus you will save $29!!!

Sign Up

Artifacts of an IOS device

1. plist file:

   

   1. This important file is located inside the folder of the root application.
   2. Relevant information about the device of interest may be revealed from this critical file. Such information includes the name of the used Apple Account and the date when the iPhone device was primarily purchased by the user. The importance of such information may vary according to the case being investigated.
   3. One of the following files will appear in each directory of an application on the iOS device:
      1. AccountURLBagType: in a string format.
      2. CreditDisplayString: in a string format.
      3. AccountServiceTypes: in a Number format.
      4. DidFallbackToPassword: in a Boolean format.
      5. AccountStoreFront: in a string format
      6. AccountIsNewCustomer: in a Boolean format.
      7. AccountKind: in a Number format.
      8. AccountAvailableServiceTypes: in a Number format.
      9. AppleID: in a string format.
      10. AccountSocialEnabled: in a Boolean format.
      11. AccountSource: in a String format
      12. DSPersonID: in a Number format.
      13. PurchaseDate: in a string format.

2. Timestamps

   

   1. It’s essential to understand timestamps. That is to know the timing of a piece of evidence on the device.
   2. Most timestamps used in an iOS device are MAC absolute timestamps.
   3. To get such types of timestamps that are converted into an understandable format, we can use one of the commonly available sources online that perform such conversion.
   4. Another method that could get such MAC absolute time converted is to depend on the date command with a u switch on MAC. This will get the time turned into local time on the device or UTC.

3. Databases:

   

   1. The most commonly used database format inside an iOS device is the SQLite database. It is used for the sake of getting most of the data that is stored and organized inside the device. In fact, most phone platforms rely heavily on the same SQLite databases for storing their data. Examples of such platforms are Windows Phone operating system which used to operate on Nokia smartphones in the past for instance.
   2. Data of Apple applications gets stored inside such SQLite databases. Data of any third-party applications could get stored inside the same sort of databases as well.
   3. For the sake of getting an SQLite database opened and investigated through, there has to be a tool used for this purpose. Fortunately, there exist several open source applications coming at a zero price to perform this task and make us grasp what is inside the database. In general, SQLite Database Browser is considered to be the best and mostly utilized application to display an SQLite database file. It comes with a command line utility and an interesting GUI as well.
4. Property List Files:
   1. Formats of data inside an iOS device are mostly of .plist formats or as more formally referred to as Property List Files.
   2. What are the main kinds of data that could get stored inside such plist format files? Any configuration information, preferences, and settings have this file formats on the iOS devices.
   3. To get such file formats opened, you can choose between two methods. While you can just open them using any text editor, plist Editor is a must to use to get these files parsed.

5. Configuration Files:

   
   Note that there is an excellent value in extracted configuration files from the forensics point of view. The reason for that lies in the variety of such files that could be of great importance when extracted. The following points will list the different files of these:

   1. Information of the device and account: the plist file inside: /private/var/root/Library/Lockdown/data_ark.plist has information about the device and the account holder of the device.
   2. Information about the account: the Sqlite database file inside: /private/var/mobile/Library/Accounts/Accounts3.sqlite has information about the used account. On the other hand, the plist file inside /private/var/mobile/Library/ DataAccess/AccountInformation.plist contains account’s information for that account which was responsible for setting up applications on the iOS device.
   3. Airplane Mode: the plist file located inside: /private/var/root/Library/Preferences/com.apple.preferences.network.plist. has in fact information about the state of the iOS device in the present period whether airplane mode is enabled for it or it is disabled.
   4. List of installed applications: the plist file inside /private/var/mobile/Library/Caches/com.apple.mobile.installation.plist has a complete list of all the applications which are installed on the iOS device. Also, a path to the files of each application is contained inside this plistfile as well. Mapping GUIDs to a specific application will be guided and undoubtedly aided by such valuable file.
   5. AppStore settings: the plist file inside /private/var/mobile/Library/Preferences/com.apple.AppStore. plist contains the last search store, which could be a plus for identifying preferences of the iOS device user.
   6. Information of Configuration and Settings: the folder is having the following location of: /private/var/mobile/Library/preferences/ contains several plist files which have settings of Apple applications and configurations.
   7. Lockdown certificate Information: inside the folder of /private/var/root/Library/Lockdown/Pair_records/ there shall be existing all computers that are paired with the iOS device, and all the lockdown/pairing certificates as well.
   8. Information about the network: the plist file inside /private/ var/preferences/Systemconfiguration/com.apple.network.identification.plist has some cached information about Internet Protocol (IP) networking such as devices like routers or network addressed and servers that were utilized by the iOS device in the past. Timestamps of such information are all available inside this exciting file.
   9. Notification log: the plist file inside/private/var/mobile/Library/BullitenBoard/ClearedSections.plist has a log of the notifications which were displayed inside the iOS device. This also extends to any cleared notifications of the device.
   10. Passwords: from iOS 7 till iOS 10, the following path to the mentioned database had the password contained and saved in there but definitely in an encrypted format yet it could also be cracked: /private/var/keychains/Keychain-2.db
   11. Information about the SIM card: inside the plist file which is located in: /private/var/wireless/Library/Preferences/com.apple.commcenter.plist there resides several important data about the most recently used SIM card. In fact, ICCID and IMSI of the SIM are included in this plist file.
   12. Springboard: the order in which applications are displayed inside each screen of the iOS device is contained inside the plist file located in the following path: /private/var/mobile/Library/Preferences/com.apple.springboard.plist
   13. System Logs: the folder where all the logs are contained of every activity performed on the iOS device is located inside: /private/var/logs/
   14. Wi-Fi Networks: the plist file inside /private/var/preferences/ SystemConfiguration/com.apple.wifi.plist has all the configured and familiar Wi-Fi Networks to the iOS device. Each of such Wi-Fi network has its timestamp which essentially indicates the timing of the connection to such network and some other important information could be gathered from this plist file as well.

Try Certified Ethical Hacker for FREE!!!– https://infosecaddicts.com/course/certified-ethical-hacker-v10/

References

https://www.sans.org/reading-room/whitepapers/forensics/forensic-analysis-ios-devices-34092http://resources.infosecinstitute.com/ios-forensics/

Novice

$0

Join the infosec family! Your journey starts here. The free tier gives you limited access to our training materials.  

Sign Up

Regular use

$49

This is the second tier that includes limited access to our training materials and to our exclusive lab.    

Sign Up

Risky use

$69

This third tier gives you all the luxuries of the Free use and more. You have access to self-paced classes.  

Sign Up

Monthly use

$89

This last tier gives you the Free, Social and Problem use for just $89 a month. Plus you will save $29!!!

Sign Up