Ultimate Hacklab – Self Paced (SP)

Ultimate hacklab – Self Paced (SP) – prep for hacking challenge lab exams like OSCP, LPT, eCPPT, and soon even the new CEH is going to be a hacking challenge lab as well.

If you really want to know what it takes to pass hack lab challenge-based exams like OSCP, LPT, eCPPT then ultimate hacklab is for you and it’s only $200.

The InfoSec Addicts Ultimate hacklab – Self Paced (SP) – is the best way for you to practice the skills required for almost any hands-on, lab-based penetration testing/ethical hacking certification.

The Ultimate hacklab – Self Paced (SP) – gives you the opportunity to follow along with a structured and very detailed training program, and/or make your way through the labs and just ask for help whenever you get stuck. You can run almost any tool and try almost any attack in the environment. The class is self-paced. You can sign-up ANYTIME, and start IMMEDIATELY.

The program outlines how to create your own lab environment or you can connect to the InfoSec Addicts lab environment with almost any platform (Windows, Mac OS X, Kali Linux, other Linux distros) to go through the lab exercises.

Class syllabus:

  • Module 1: Connecting via VPN to the lab network
    • Connecting to the VPN with Windows
    • Connecting to the VPN with Mac OS X
    • Connecting to the VPN with Linux
    • Connecting to the VPN with Kali
  • Module 2: Scanning
    • Nmap
    • Net-Discover
  • Module 3: Enumeration
    • nmap NSE
    • rpcinfo/showmount
    • nbtstat
    • enum4linux
  • Module 4: Brute-forcing
    • Hydra
    • Medusa
  • Module 5: Vulnerability Scanning
    • Nessus
    • OpenVAS
  • Module 6: Attacking web servers/web apps
    • Manual XSS/SQL Injection/LFI/RFI
    • Nikto
    • Dirbuster
    • Burp Suite
    • w3af
    • Arachni
  • Module 7: Compiling/Modifying Exploit code
    • Compiling code in Windows
    • Compiling code in Linux
    • Finding offsets
    • Changing out shellcode
  • Module 8: Client-Side Exploitation
    • Metasploit
    • Social Engineering Toolkit
  • Module 9: Transferring files
    • FTP
    • TFTP
    • VBscript
    • Debug.exe
    • wget/linux/bitsadmin
    • PowerShell
  • Module 10: Privilege Escalation
    • Linux
      • SUID binaries
      • Shell escapes
    • Windows
      • Identifying vulnerable services/misconfigurations
      • beR00t.exe
  • Module 11: Data-mining a compromised host
  • Module 12: Hashcracking
  • Module 13: Pivoting
    • Netcat/Socat pivot
    • SSH Pivot
    • Metasploit pivot
  • Module 14: Lateral movement
    • psexec
    • smbexec
    • winexe
  • Module 15: Data Exfiltration
    • ICMP Tunneling
    • DNS Tunneling
  • Module 16: Reporting


Lab Network Access

Targets in the lab network change on the 1st of every month. Students have the option to purchase one month's access to the lab environment for $25.


Students will receive:

  • Up to 124 hours of CPEs (24 CPE for the actual training and the rest come from labs and challenges completed by the students)
  • Several virtual machines
  • Courseware access
  • Lab Manual
  • Lab access


Class Videos

Each course module has a corresponding video that demonstrates the task being performed, so you can see the skill or task described in each lesson actually being carried out.


Each student will have access to an InfoSec Addicts Group (infosecaddicts.com) for the class. This is where they can work with other students on lab exercises, homework, and challenges. An InfoSec Addicts class mentor will be assigned to the group to answer questions (allow one day for responses). Likewise, a Customer Relationship Manager will be assigned to the class to manage questions and support issues.


Class Schedule

The class is self-paced. You can sign-up ANYTIME, and start IMMEDIATELY.

Fill out this form below to sign up for the class.




Was sick, my mother passed away, but now I’m back on track

I want to thank all of you well wishers. The last few months have been crazy for me. I’ve been in and out of the hospital several times, my mother passed away a few days ago, my birthday was on the day I buried my mother (Mother’s Day).

My mother was very sick so honestly her passing was a painful but good thing as her suffering is finally over. My family got together and had a celebration of her life instead of a funeral.


So again to all of you thank you.

My medical issues are under control now, and we’ve dealt with my mother’s passing so I’m back to work next week.

I’ll be teaching Advanced Metasploit, and Python as night classes so I decided to bundle them for $100 (they are usually $100 each).

Click here to register for this class bundle for only $100

Next-Level Metasploit 21st and 23rd of May 2018
– Mon, May 21, 2018 7:00 PM – 9:00 PM EDT
– Wed, May 23, 2018 7:00 PM – 9:00 PM EDT


This is an advanced Metasploit course that will focus on the fundamentals of Ruby (specifically for Metasploit), Metasploit automation, and writing auxiliary modules and exploits for Metasploit.


Python for InfoSec Professionals 28th and 30th of May 2018
– Mon, May 28, 2018 7:00 PM – 9:00 PM EDT
– Wed, May 30, 2018 7:00 PM – 9:00 PM EDT


This is a Python for security professionals course. In this course I’ll be covering both log and pcap analysis with Python, as well as network/web app testing with Python.

This course is really designed for people that are NOT very comfortable with programming.


Class Videos

Each class will be recorded and made available to the students via email. So you can keep up with the class even if you have to miss time or even a whole day.


Each student will receive access to an InfoSec Addicts Group (infosecaddicts.com) for the class. Groups are where students can ask questions outside of the regular class hours, work with other students on lab exercises, homework, and challenges.

A class mentor is assigned to the InfoSec Addicts Group to answer questions (allow one day for responses).

Similarly, a Customer Relationship Manager is assigned to the class to manage questions and support issues.


Class Schedules

Next-Level Metasploit 21st and 23rd of May 2018

– Mon, May 21, 2018 7:00 PM – 9:00 PM EDT
– Wed, May 23, 2018 7:00 PM – 9:00 PM EDT

Python for InfoSec Professionals 28th and 30th of May 2018

– Mon, May 28, 2018 7:00 PM – 9:00 PM EDT
– Wed, May 30, 2018 7:00 PM – 9:00 PM EDT


Click here to register for this class bundle for only $100



Unlimited classes:

If you know that you are interested in this class as well as other InfoSec classes then you should consider the unlimited classes package for $49.99 per month. You can find out more about it by clicking on the link below:



NOTE: Due to Joe McCray’s travel and work schedule (ex: short notice consulting/training engagements or changes to those engagements) classes may reschedule or cancel. In these situations a refund will NOT be granted as the class will re-run the following week, or additional days will be added to the class schedule to make up for this.

Free Advanced Network Penetration Testing webinar

In this FREE webinar Joe McCray will cover the fundamentals of network penetration testing, and how to perform basic penetration testing tasks. This webinar is designed for people with little to no network penetration testing experience.

This webinar will be held on the 1st of February at 1pm EST

Click the link below to sign up for this webinar:



Extraction of Cookies in iOS Forensics

  • Why is it essential for an examiner to get some files of interest from an iOS device?


All activities of an iOS device user are stored on the device, in different formats and for various purposes. This evidence is ostensibly collected to serve the user in the first place, but that is not the whole story: the evidence and cookies that get stored go well beyond what the user could ask for or need.

Information such as locations, messages, contacts, web surfing habits, notes, pictures and more is available on the storage media of iOS devices. Much of it carries timestamps.

From the forensic point of view such data becomes more and more valuable, since businesses are increasingly run on iOS devices. Examiners therefore have to keep up with new technologies and software releases, which can help with the forensic procedure and with the smooth extraction and acquisition of data.

  • Cookies of browser inside /private/var/mobile/Library

  • What is meant by cookies in the first place?

Cookies are often used by a web page to provide a user with highly customized pages. Users are identified in this manner and given personalized results and a personalized experience.

A user may be asked to fill in some information when browsing a web page that makes use of cookies; names and interests are the sort of information a cookie-dependent website asks for. The user's browser is responsible for storing this data on the device for later use by the site. The browser originally receives such cookies from the site's server.

From the website's perspective, having cookies stored on a computer matters because they are sent to the server hosting the site whenever the site is visited. The server then returns pages customized according to those cookies.

Have you ever visited a website that welcomes you by name or shows you the last time you visited? That website is using cookies to give you a customized experience.

Let’s look at the more interesting part: the cookies file. What can be found inside it? Basically, the file must hold information about the website. Some personal information may be stored alongside it, but generally only when the user has provided the site with that information; otherwise it is not included.

Most of this information is, in the end, in text format. Nonetheless, careful websites send their cookie data to the browser in an encrypted form. The reason for the encryption is to protect the data, so that it makes no sense even if it is extracted and acquired in some way.

From the perspective of an examiner performing a forensic investigation, this data is crucial, because it represents the user's preferences along with data such as their name and interests. Someone conducting an investigation can thus obtain data of interest from such cookies.

Cookies carry several vital parameters used for identification and the other purposes the cookie is intended for. Typically, the parameters are the following:

  • The name of the cookie.
  • The value of the cookie.
  • The expiration date of the cookie: this determines how long the cookie remains active in the user's browser.
  • The path for which the cookie is valid. Web pages outside that path cannot use the cookie.
  • The domain for which the cookie is valid. It makes the cookie accessible to pages on any of the servers in that domain.
  • Whether a secure connection is required: this indicates that the cookie can only be used over a secure connection to the server.
  • How to perform such extraction of cookies?


Data extracted from browser cookies is considered a significant source of evidence in forensic investigations. These cookies belong to the very popular Safari browser, and the file that contains them is named cookies.binarycookies.

The main difference between standard browsers and Safari lies in how cookies are stored. Browsers such as Internet Explorer store their cookie data in a plain text file, or in an SQLite database residing in the history folder. Safari, on the other hand, stores its cookies in a binary format file.

Opening such a binary file therefore requires specific software. Tools such as iPhone Extractor or any hex editor can be used to see what is inside these files of interest.

We have opened such files to see what the data looks like. We found that the file starts with a header, followed by one or more pages, and that each page contains one or more cookies.

It is also essential to understand the sizes of the fields that make up the file. The signature field occupies 4 bytes and stores the COOK header. The Number of Pages field is 4 bytes and stores a little-endian integer. The Page Size field also uses 4 bytes to store a little-endian integer. The Page field varies in size according to the size of the cookies it holds. Finally, the tail field is eight bytes and stores a hash, presumably for a checksum.
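As an added example (not code from the original article), here is a small Python parser for the file layout described above, together with a constructed sample file built with the same layout so that it runs offline. It decodes the header's page count and page sizes as big-endian (as Safari writes them) and the integers and doubles inside a page as little-endian; the expiry and creation doubles in each cookie record are Mac absolute timestamps (seconds since 2001-01-01 UTC), the same conversion the Timestamps section of this page describes for other artifacts.

```python
import struct
from datetime import datetime, timezone

# Seconds between the Unix epoch (1970-01-01) and the Mac absolute epoch (2001-01-01 UTC)
MAC_EPOCH_OFFSET = 978307200


def mac_absolute_to_datetime(seconds):
    """Convert a Mac absolute timestamp to an aware UTC datetime."""
    return datetime.fromtimestamp(seconds + MAC_EPOCH_OFFSET, tz=timezone.utc)


def _cstring(buf, start):
    """Read a NUL-terminated UTF-8 string starting at buf[start]."""
    return buf[start:buf.index(b"\x00", start)].decode("utf-8")


def parse_page(page):
    """One page: 4-byte header 0x00000100, cookie count, cookie offsets, 4-byte footer, records."""
    if page[:4] != b"\x00\x00\x01\x00":
        raise ValueError("bad page header")
    (count,) = struct.unpack_from("<i", page, 4)
    offsets = struct.unpack_from("<%di" % count, page, 8)
    cookies = []
    for off in offsets:
        (size,) = struct.unpack_from("<i", page, off)
        rec = page[off:off + size]
        # Record layout (little-endian; string offsets are relative to the record start):
        # size | unknown | flags | unknown | url_off | name_off | path_off | value_off |
        # 8-byte end-of-header marker | expiry (double) | creation (double) | NUL-terminated strings
        _, flags, _, url_off, name_off, path_off, value_off = struct.unpack_from("<7i", rec, 4)
        expiry, created = struct.unpack_from("<dd", rec, 40)
        cookies.append({
            "domain": _cstring(rec, url_off),
            "name": _cstring(rec, name_off),
            "path": _cstring(rec, path_off),
            "value": _cstring(rec, value_off),
            "secure": bool(flags & 1),    # flag bit 1: Secure
            "httponly": bool(flags & 4),  # flag bit 4: HttpOnly
            "expires": mac_absolute_to_datetime(expiry),
            "created": mac_absolute_to_datetime(created),
        })
    return cookies


def parse_binarycookies(data):
    """Whole file: signature, page count, page sizes, pages, 8-byte checksum tail."""
    if data[:4] != b"cook":  # Safari writes the signature as the ASCII bytes 'cook'
        raise ValueError("not a binarycookies file (missing 'cook' signature)")
    (num_pages,) = struct.unpack_from(">i", data, 4)  # header integers are big-endian
    sizes = struct.unpack_from(">%di" % num_pages, data, 8)
    pos = 8 + 4 * num_pages
    cookies = []
    for size in sizes:
        cookies.extend(parse_page(data[pos:pos + size]))
        pos += size
    if len(data[pos:pos + 8]) != 8:  # tail is read for completeness, not verified
        raise ValueError("truncated file: missing 8-byte tail")
    return cookies


# --- Constructed sample (not from a real device), built with the same layout ---

def build_cookie(domain, name, path, value, flags, expiry, created):
    strings, offsets = b"", []
    for s in (domain, name, path, value):
        offsets.append(56 + len(strings))  # strings start after the 56-byte fixed part
        strings += s.encode("utf-8") + b"\x00"
    size = 56 + len(strings)
    return (struct.pack("<8i", size, 0, flags, 0, *offsets) + b"\x00" * 8
            + struct.pack("<dd", expiry, created) + strings)


def build_page(records):
    header = b"\x00\x00\x01\x00" + struct.pack("<i", len(records))
    pos, offsets = len(header) + 4 * len(records) + 4, []
    for rec in records:
        offsets.append(pos)
        pos += len(rec)
    return header + struct.pack("<%di" % len(records), *offsets) + b"\x00" * 4 + b"".join(records)


def build_file(pages):
    return (b"cook" + struct.pack(">i", len(pages))
            + struct.pack(">%di" % len(pages), *[len(p) for p in pages])
            + b"".join(pages) + b"\x00" * 8)


SAMPLE = build_file([build_page([
    build_cookie(".example.com", "session", "/", "abc123", 5, 600000000.0, 599990000.0),
    build_cookie("login.example.com", "pref", "/account", "dark", 0, 650000000.0, 599990000.0),
])])

if __name__ == "__main__":
    for c in parse_binarycookies(SAMPLE):
        print(c["domain"], c["name"], c["value"], "secure=%s httponly=%s" % (c["secure"], c["httponly"]),
              "expires", c["expires"].isoformat())
```

Point parse_binarycookies at the bytes of a real Cookies.binarycookies file to list its records the same way.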




Extraction of applications,photos,passwords – iOS forensics

  • What are the files of interest in the first place?

There are several directories of interest for investigation inside iOS, irrespective of the device model: the directory structure is common to all iOS devices and follows a UNIX layout. It is also important to note that several file formats exist; files may be XML, binary data, or SQL databases.

So how can we investigate such files without knowing their actual location on the device? Data of the default applications is stored under the path private/var/mobile/Library: that is, data of apps like Address Book, Mail, Calendar, Maps, Notes, YouTube, Safari, Texting, Weather and Voicemail. Other apps, like NFL 2012, Shazam or AroundMe, which are downloaded from iTunes, have their data stored under private/var/mobile/Applications.

  • Downloaded applications from iTunes in private/var/mobile/Applications

The Mobile/Applications folder is always in a dynamic state, especially whenever a new application is downloaded from iTunes. When this happens, a new directory is created automatically inside this folder. It contains all the embedded files the application needs and originally ships with, and its name is a unique identifier of 32 alphanumeric characters, which iOS devices use for that application from then on.

An example of such an identifier is “GA07A3WW-0E39-33OJ-B947-9CAA16688G22”. The iOS device perceives this id as consistent for the application and uses it whenever dealing with it. By default, an application has the following subfolders:

  • Documents folder: this has all the files which are relevant to an application.
  • Temp folder: any files which are runtime and temporary reside there.
  • Library folder: any data which is cached or preferences are included in this folder.

Some other files are also commonly found in an application folder on an iOS device, such as info.plist, resourcerules.plist and applestores.db. Configuration files, plist files, and XML data vary according to the application itself. Data that is vital for an investigation may also exist inside such folders, including cookies, usernames, and passwords.

  • Photos inside private/var/mobile/media/DCIM


All photos are found in the media/DCIM folder. These are photos either taken with the phone itself or synced from another device. All images carry timestamp metadata. A picture taken with the device's own camera resides inside a folder named 100APPLE and has a sequential name that reflects when it was taken relative to the other photos.

To elaborate, the names of such photos begin with “IMG_0001” and the number is incremented by one each time a new picture is taken, no matter how many images have been removed along the way. It follows that any missing number within the used range indicates that the associated photo was deleted for some reason.

Sometimes it is essential, and most importantly interesting, to learn which programs or applications were installed on the device before it reached its current state at the time of the forensic examination. This can be identified through the DCIM/999Apple folder. All screenshots taken are found inside this folder, which eventually helps the investigation: navigating through these photos shows whether a banned application suspected of having run on the device was installed or not.

  • Keystrokes inside /private/var/mobile/Library/Keyboard

A text file named dynamic-text.dat is the dynamic dictionary of an iOS device. It is one of the most important items to investigate, because every word the user writes is stored in this dictionary at the time it is typed. Words typed in applications like Notes, Safari, Messages, and Facebook are entered into this dynamic dictionary; in fact, any application that accepts text input gets its text data stored there.

The rationale behind this dictionary is to aid the user with typing. From the examiner's side it is a source of precious information, because commonly used words become known and can therefore serve as keywords for searching.

The downside of this dictionary is that it holds no timestamp metadata for its stored words. Accordingly, the time at which a word was typed cannot be identified from the dynamic dictionary.

There is also an SQLite database named UserDictionary.sqlite, in which all manual auto-correction entries are stored. Its importance to an examiner is that it reveals keywords, whether technical terms, special terms, standard English words, or acronyms, all of which can be of great value to the investigation.

  • Passwords inside /private/var/Keychains

Apple's keychain for managing passwords is what is mostly used for the passwords of iOS applications. A database file called keychain-2.db holds the different accounts and passwords that have been used on the device. There are several tables used for saving this information: cert, genp, inet, keys, sqlite_sequence, and tversion.

This database contains a great deal of valuable data, such as voicemail passwords, wireless access point passphrases and device login passcodes. While some of these passwords are stored in encrypted form, others can be found in readable form. For the encrypted ones, a password cracking utility can be used; for instance, an examiner may rely on Elcomsoft’s iPhone Password Breaker, to which the extracted keychain file is given in order to decrypt it.




Artifacts of an IOS device


  1. plist file:


    1. This important file is located inside the root folder of the application.
    2. Relevant information about the device of interest may be revealed by this file, such as the name of the Apple account used and the date when the iPhone was first purchased by the user. The importance of such information varies according to the case being investigated.
    3. One of the following entries will appear in each application directory on the iOS device:
      1. AccountURLBagType: in a string format.
      2. CreditDisplayString: in a string format.
      3. AccountServiceTypes: in a Number format.
      4. DidFallbackToPassword: in a Boolean format.
      5. AccountStoreFront: in a string format
      6. AccountIsNewCustomer: in a Boolean format.
      7. AccountKind: in a Number format.
      8. AccountAvailableServiceTypes: in a Number format.
      9. AppleID: in a string format.
      10. AccountSocialEnabled: in a Boolean format.
      11. AccountSource: in a String format
      12. DSPersonID: in a Number format.
      13. PurchaseDate: in a string format.
  2. Timestamps


    1. It is essential to understand timestamps, that is, to know the timing of a piece of evidence on the device.
    2. Most timestamps used on an iOS device are Mac absolute timestamps.
    3. To convert such timestamps into an understandable format, we can use one of the commonly available online sources that perform the conversion.
    4. Another way to convert Mac absolute time is to rely on the date command with the -u switch on a Mac. This turns the time into the device's local time or UTC.
  3. Databases:


    1. The most commonly used database format inside an iOS device is SQLite. It is used to store and organize most of the data on the device. In fact, most phone platforms rely heavily on SQLite databases for storing their data; the Windows Phone operating system that used to run on Nokia smartphones is one example.
    2. Data of Apple applications is stored in such SQLite databases, and data of third-party applications may be stored in the same sort of databases as well.
    3. To open and investigate an SQLite database you need a tool for the purpose. Fortunately, several free, open source applications exist to perform this task and show what is inside the database. In general, SQLite Database Browser is considered the best and most widely used application to display an SQLite database file. It comes with a command line utility and a good GUI as well.
  4. Property List Files:
    1. Data inside an iOS device is mostly stored in .plist format, more formally referred to as Property List files.
    2. What kinds of data are stored in plist files? Configuration information, preferences, and settings use this file format on iOS devices.
    3. To open such files you can choose between two methods: you can open them with any text editor, but plist Editor is required to parse them properly.
  5. Configuration Files:

    Note that extracted configuration files are of excellent value from the forensic point of view, because of the variety of files that can be of great importance once extracted. The following points list these files:

    1. Device and account information: the plist file /private/var/root/Library/Lockdown/data_ark.plist holds information about the device and its account holder.
    2. Account information: the SQLite database /private/var/mobile/Library/Accounts/Accounts3.sqlite holds information about the account in use. The plist file /private/var/mobile/Library/DataAccess/AccountInformation.plist contains the information for the account that was used to set up applications on the iOS device.
    3. Airplane mode: the plist file /private/var/root/Library/Preferences/com.apple.preferences.network.plist records the current state of the iOS device, that is, whether airplane mode is enabled or disabled.
    4. List of installed applications: the plist file /private/var/mobile/Library/Caches/com.apple.mobile.installation.plist has a complete list of all the applications installed on the iOS device, along with the path to each application's files. This valuable file guides the mapping of GUIDs to specific applications.
    5. App Store settings: the plist file /private/var/mobile/Library/Preferences/com.apple.AppStore.plist contains the last store search, which can help identify the preferences of the iOS device's user.
    6. Configuration and settings information: the folder /private/var/mobile/Library/preferences/ contains several plist files holding the settings and configurations of Apple applications.
    7. Lockdown certificate information: the folder /private/var/root/Library/Lockdown/Pair_records/ lists all computers paired with the iOS device, together with all the lockdown/pairing certificates.
    8. Network information: the plist file /private/var/preferences/SystemConfiguration/com.apple.network.identification.plist holds cached Internet Protocol (IP) networking information, such as routers, network addresses and servers the iOS device used in the past. Timestamps for this information are all available in this file.
    9. Notification log: the plist file /private/var/mobile/Library/BulletinBoard/ClearedSections.plist holds a log of the notifications displayed on the iOS device, including cleared notifications.
    10. Passwords: from iOS 7 to iOS 10, the database at /private/var/keychains/Keychain-2.db contained the saved passwords, in encrypted form, but it could still be cracked.
    11. SIM card information: the plist file /private/var/wireless/Library/Preferences/com.apple.commcenter.plist holds several important details about the most recently used SIM card; in fact, the ICCID and IMSI of the SIM are included in this plist file.
    12. Springboard: the order in which applications are displayed on each screen of the iOS device is held in the plist file /private/var/mobile/Library/Preferences/com.apple.springboard.plist.
    13. System logs: the folder holding the logs of every activity performed on the iOS device is /private/var/logs/.
    14. Wi-Fi networks: the plist file /private/var/preferences/SystemConfiguration/com.apple.wifi.plist holds all the Wi-Fi networks configured on and known to the iOS device. Each network has a timestamp indicating when the device connected to it, and other important information can be gathered from this plist file as well.



Analysis of AddressBook and Call History data


  • Analysis of artifacts on iOS devices

In the following paragraphs I will discuss the objects on an iOS device and their interpretation, regardless of whether they were generated by the user's interaction or by the device itself and its features. Most of the extracted artifacts are in one of two main formats: the .plist files used for configuration, or SQL database files.

Let’s first discuss the way data is stored on an iOS device. Most of the data resides under /private/var/mobile, or /User/, which is a symlink pointing to the same directory. For example, /User/Application points to the actual path /private/var/mobile/Application.

  • /User/Applications/######-####-####-####-###########: the # characters stand for the represented UUID.
  • <Application_Home>/AppName.app: the application's bundle is included here. Note that this bundle is not backed up.
  • <Application_Home>/Documents/: any data files related to the application are kept in this folder.
  • <Application_Home>/Library/: files specific to the application are kept here.
  • <Application_Home>/Library/Preferences/: all preference files for the application are contained in this directory.
  • <Application_Home>/Library/Caches/: support files required by the application are kept in this folder. This directory is not backed up either.
  • <Application_Home>/tmp/: any temporary files are kept in this folder.


  • AddressBook inside /private/var/mobile/Library/AddressBook

Investigating the address book of an iOS device is a significant step for an examiner. Its importance can be summarized simply: once the address book has been acquired successfully, all the user's personal contacts are laid out and ready for investigation.

Several tables reside inside the address book's SQLite database file, named Addressbook.sqlitedb. Two of them are of particular interest for the investigation.

First there is the table called ABPerson. It contains fields such as first name, last name, organization, notes, birthday, job title, nickname, prefix and more. The index of this table is named ROWID.

Secondly, there is the table called ABMultiValue, also inside the address book database. Essential data about the stored contacts, such as email addresses and phone numbers, is stored in a column of this table called “value” and linked to the names and data found in the ABPerson table. The index of the ABMultiValue table is called record_id.

Accordingly, there is a one-to-many relationship between the ABPerson and ABMultiValue tables on one side and the other tables in the database on the other: several tables are linked to ABPerson and ABMultiValue through ROWID and record_id respectively.

  • Call history inside /private/var/Library/CallHistory


A database file named call_history.db is of great importance to an examiner performing a forensic investigation on an iOS device of any kind. It stores the cellular calls that were made and helps the examiner understand them.

There are four main tables, all of interest to an examiner. One of them is the “call” table, which holds data such as the phone number, date, duration and reference id of the contact.

It is crystal clear that the field of phone number will be responsible for displaying the phone numbers inside the call history. On the other hand, the date field comes at the time format of EPOC. As a result, this time format will need to get converted into an understandable time format. To elaborate, this form will display the number of seconds since the time of 00:00:00 UTC on 1 January 1970. The duration field is for sure relied on for the sake of getting to know the duration of time spent on such phone call with a specific phone number.

Another field is called the id field. The importance of such an area is that it has the id used for this number by the phone. Using this id, and attempting to link it to the id found in the addressbook, this number will be able to get grasped to belong to which contact name and so. However, sometimes such number is not listed inside the addressbook. Accordingly, this means that there is no id specified for it by the device. In this case, the field ID of will display a negative one value to indicate that there is no actual id stored for this phone number.

Last, there is another field residing inside the call table; it is a fact named as the flags field. What is the importance of such field then? This area is utilized for the sake of indicating whether the phone call conducted with a specific phone number was an outbound call or an incoming call. It is worth noting that it is the case that if the call was a received one, then number four will be used for the sake of getting this data identified. Number five, on the other hand, will be depended on to annotate that the call was an outbound one.
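The following is an added example, not code from the page or from any forensic product it names. It builds a constructed in-memory database that mimics the two address book tables and the call table described above, then performs the ABPerson/ABMultiValue join on ROWID = record_id, resolves each call's id column against the address book (with -1 meaning no contact), decodes the flags, and converts the two different epochs an examiner meets in these files: Unix time in call_history.db and CF Absolute Time (seconds since 2001-01-01 UTC) elsewhere. Column names follow the text; the ABMultiValue property codes (3 = phone, 4 = email) are an assumption for this example and a real database should be inspected first.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# The two epochs an examiner meets in iOS SQLite stores: call_history.db uses Unix
# time, while Core Foundation "absolute time" counts seconds from 2001-01-01 UTC.
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
CF_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

# Meaning of the "flags" column of the call table, as given in the text.
CALL_FLAGS = {4: "incoming", 5: "outgoing"}

# ABMultiValue.property codes; 3 = phone, 4 = email is an assumption for this example.
AB_PROPERTY = {3: "phone", 4: "email"}


def unix_to_datetime(seconds):
    """Seconds since 1970-01-01 UTC -> aware datetime."""
    return UNIX_EPOCH + timedelta(seconds=seconds)


def cf_absolute_to_datetime(seconds):
    """Core Foundation absolute time (seconds since 2001-01-01 UTC) -> aware datetime."""
    return CF_EPOCH + timedelta(seconds=seconds)


def build_sample_db():
    """Constructed fixture mimicking AddressBook.sqlitedb and call_history.db in one
    in-memory database. Column names follow the text (ROWID, record_id, value, flags,
    id); a real database carries more columns and should be inspected first."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE ABPerson (ROWID INTEGER PRIMARY KEY, First TEXT, Last TEXT,
                               Organization TEXT, CreationDate REAL);
        CREATE TABLE ABMultiValue (UID INTEGER PRIMARY KEY, record_id INTEGER,
                                   property INTEGER, label INTEGER, value TEXT);
        CREATE TABLE call (ROWID INTEGER PRIMARY KEY, address TEXT, date INTEGER,
                           duration INTEGER, flags INTEGER, id INTEGER);
    """)
    conn.executemany("INSERT INTO ABPerson VALUES (?,?,?,?,?)", [
        (1, "Alice", "Smith", "ACME Corp", 500000000.0),   # CF time -> 2016-11-05
        (2, "Bob", "Jones", None, 500086400.0),
    ])
    conn.executemany("INSERT INTO ABMultiValue VALUES (?,?,?,?,?)", [
        (10, 1, 3, 0, "+15550100"),
        (11, 1, 4, 0, "alice@example.com"),
        (12, 2, 3, 0, "+15550199"),
    ])
    conn.executemany("INSERT INTO call VALUES (?,?,?,?,?,?)", [
        (1, "+15550100", 1478307200, 65, 4, 1),    # incoming from Alice (Unix time)
        (2, "+15550199", 1478310800, 0, 5, 2),     # outgoing to Bob
        (3, "+15550177", 1478314400, 12, 5, -1),   # number not in the address book
    ])
    conn.commit()
    return conn


def contacts(conn):
    """Join ABPerson to ABMultiValue on ROWID = record_id: {ROWID: contact dict}."""
    out = {}
    for rowid, first, last, org, created in conn.execute(
            "SELECT ROWID, First, Last, Organization, CreationDate FROM ABPerson"):
        out[rowid] = {"name": f"{first} {last}", "organization": org,
                      "created": cf_absolute_to_datetime(created),
                      "phone": [], "email": []}
    for rec, prop, value in conn.execute(
            "SELECT record_id, property, value FROM ABMultiValue"):
        kind = AB_PROPERTY.get(prop)
        if kind and rec in out:
            out[rec][kind].append(value)
    return out


def call_log(conn):
    """Decode the call table: convert Unix dates, map flags to a direction and resolve
    the id column against ABPerson.ROWID (-1 means the number was not a contact)."""
    people = contacts(conn)
    rows = []
    for address, date, duration, flags, cid in conn.execute(
            "SELECT address, date, duration, flags, id FROM call ORDER BY date"):
        rows.append({
            "number": address,
            "when": unix_to_datetime(date),
            "duration_s": duration,
            "direction": CALL_FLAGS.get(flags, f"unknown({flags})"),
            "contact": people[cid]["name"] if cid in people else None,
        })
    return rows


if __name__ == "__main__":
    db = build_sample_db()
    for c in contacts(db).values():
        print(c["name"], c["phone"], c["email"], c["created"].isoformat())
    for r in call_log(db):
        print(r["when"].isoformat(), r["direction"], r["number"], r["contact"])
```

Note that the two epochs differ by exactly 978307200 seconds, so the same raw number decodes to dates thirty-one years apart depending on which table it came from; checking the epoch of each table before converting avoids a timeline that is off by decades.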



SQLite Databases and Plist Files

  • What about partitions?

A partition is a region of the storage in which a class of data is kept. On a desktop or laptop the owner decides how many partitions exist and how large they are; on a mobile device the manufacturer decides, and for iOS devices that is Apple.

An iOS device has two partitions on its NAND flash: the system (firmware) partition and the data partition. The first carries the software that runs the device; the second holds everything the user creates or installs.

The system partition is mounted read-only in normal use. It is written only while an update is installed, when iTunes (or the device's own updater) replaces it wholesale with the new firmware.

Its size has typically been between about 0.9 and 2.7 GB, and depends on the device and iOS version rather than on the user. No user data is written there, but it holds the operating system files, upgrade files and the built-in applications.

The data partition belongs to the user: application data, media, settings and the App Store applications themselves all live here. For an investigation this is the partition that matters, because that is where the evidence is.

  • What about SQLite databases?

SQLite is an open source relational database engine that is widely used on mobile devices. It is implemented as a small C library that is linked directly into an application, so a database is a single file on disk rather than a server process.

SQLite follows the SQL-92 standard, though not every feature of it; despite its small footprint it supports most of what an examiner needs, including joins across tables.

The iOS development community uses SQLite heavily, and many built-in applications keep their data in it: Calendar, Messages, Notes, Photos and the Address Book among them. The three databases an examiner will turn to first are the call history, the address book and the SMS database.

From the examiner's point of view a reliable viewer is required to open these files and query them. The open source DB Browser for SQLite (hosted on Sourceforge.net and at http://sqlitebrowser.org/) can be installed on the examiner's workstation and displays every table and row of an SQLite file, which makes it a good first tool for reading and exploring a database. RazorSQL is a commercial alternative priced under $100, and Firefox once offered the free SQLite Manager add-on (a legacy add-on that current Firefox versions no longer run). Whichever viewer is used, work on a copy of the database file rather than the original, and hash the copy before opening it.

  • What about plists?

iOS and macOS both use property list (plist) files, sometimes called property files, to store structured data.

The earliest format, inherited from NeXTSTEP, was a plain text format. Apple then introduced an XML format and later a binary format; the files found on a device today are either XML or binary.

A plist can hold strings, dates, Boolean values, numbers and binary data, plus arrays and dictionaries of those. Browsing history, favorites, configuration data and application preferences are all saved this way.

An XML plist opens in any text editor. A binary plist needs a tool: plutil, a command-line utility that converts between the binary and XML forms (for example plutil -convert xml1 file.plist). plutil ships with macOS and comes to Windows with the support components installed by iTunes; on Linux the equivalent is plistutil from libplist. After conversion the file is an XML document whose content is wrapped in <plist> tags and can be read, searched and diffed like any other text.
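As an added example (not code from the page or from Apple's plutil), the block below does in Python what the conversion step above describes: it constructs a small preferences-style plist in the binary format, detects the format from the file's magic bytes, re-serializes it as XML the way plutil -convert xml1 would, and flattens the parsed tree into key-path/type/value triples so that dates and binary blobs can be pulled into a timeline or grepped. The fixture content is invented for the example.

```python
import plistlib
from datetime import datetime


def build_sample_binary_plist():
    """Constructed fixture: a small preferences-style plist serialized in the binary
    format, standing in for a file pulled from a device. Values are invented."""
    data = {
        "LastVisitedURL": "https://example.test/login",
        "VisitCount": 7,
        "PrivateBrowsing": False,
        "LastVisit": datetime(2016, 11, 5, 0, 53, 20),   # plist dates are UTC
        "SessionToken": b"\x00\x01binary-blob",
        "History": [{"url": "https://example.test/", "visits": 3}],
    }
    return plistlib.dumps(data, fmt=plistlib.FMT_BINARY)


def detect_format(raw):
    """Return 'binary', 'xml' or 'unknown' from the file's magic bytes."""
    if raw.startswith(b"bplist"):
        return "binary"
    if raw.lstrip().startswith(b"<?xml") or b"<plist" in raw[:512]:
        return "xml"
    return "unknown"


def parse(raw):
    """Parse either format; plistlib sniffs the header itself."""
    return plistlib.loads(raw)


def to_xml(raw):
    """Equivalent of `plutil -convert xml1`: re-serialize any plist as XML text."""
    return plistlib.dumps(parse(raw), fmt=plistlib.FMT_XML).decode()


def walk(obj, path=""):
    """Flatten a parsed plist into (key-path, type name, value) triples so dates and
    binary values can be listed for timeline work without hand-reading the XML."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from walk(value, f"{path}/{key}")
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            yield from walk(value, f"{path}[{i}]")
    else:
        yield path, type(obj).__name__, obj


def timestamps(raw):
    """Every datetime leaf in the plist, as (key-path, ISO string)."""
    return [(p, v.isoformat()) for p, t, v in walk(parse(raw)) if t == "datetime"]


if __name__ == "__main__":
    raw = build_sample_binary_plist()
    print(detect_format(raw))
    print(to_xml(raw))
    for entry in walk(parse(raw)):
        print(entry)
```

plistlib returns naive datetime objects; the plist format defines them as UTC, so they can be tagged with timezone.utc before being merged with the converted SQLite timestamps.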





Physical Acquisition of iOS data

  • How to acquire iOS data using physical acquisition techniques?

A bit-for-bit image of the storage is the best evidence a forensic examiner can obtain, and that is what physical acquisition of iOS data means. The image must then be verified against the original, normally by comparing cryptographic hashes, so that any change can be detected.

On laptops and desktops this is routine: the drive is removed or write-blocked and imaged. On a mobile device such as an iPhone it is not, and new techniques for physically acquiring iOS devices keep being researched precisely because a physical image is the most complete form of acquisition.

The difficulty is that the storage of an iOS device is soldered to the board. The drive cannot be removed and connected to the workstation, so the image has to be taken through the device itself.

The techniques also differ by hardware model and iOS version. A method that works on an iPhone 7 is not guaranteed to work on an iPhone 5, and iOS 9 and iOS 10 can differ in the security mechanisms they enforce, so no single procedure reaches the data on every device. That is why researchers keep developing new physical acquisition techniques.

Some tools were developed for the Law Enforcement (LE) community, such as the method published by Zdziarski for iOS acquisition: the device is booted from a custom RAM disk instead of its normal boot path, and that RAM disk runs a live recovery agent which extracts the disk image.

Other tools are not restricted to LE, for example Lantern and iXAM. They too load a modified RAM disk that runs a recovery agent against the operating system volume and produces a physical image of it.

  • More insight

What happens during a physical acquisition is that the device's memory is read directly, so all data on the phone can be extracted. An iOS device has two kinds of memory: volatile RAM and non-volatile NAND flash.

RAM matters because it can hold usernames, passwords, encryption keys and other artifacts that exist only while the operating system and applications are running; its contents are lost when the device reboots.

NAND flash holds the data that survives a reboot: the system files and all user data. Physical acquisition produces a bit-for-bit copy of the NAND.

  • How to use Lantern for physical acquisition?

Katana Forensics Inc. developed the Lantern forensics suite for iOS physical acquisition. It can take a physical image of most iOS devices and iOS versions.

Lantern provides a GUI in which the examiner reviews the evidence. It decodes plist and SQLite files and displays their contents directly.

A companion application, Lantern Imager, does the imaging itself. It decrypts the extracted image, can brute-force a simple passcode, and reports a SHA-1 hash of the image so that its integrity can be verified later.

  • How to use iXAM for physical acquisition?

iXAM (pronounced "ig-zam") was built for law enforcement investigations. From a physical image it can recover photographs, map locations, stored contacts, text messages and e-mail.

The copy is made at byte level, and the target can be the whole file system or an individual data set chosen by the examiner.

Its output is a DMG file, the raw disk image of the iOS device. iXAM does not modify the NAND flash and applies no kernel patches; kernel patching is what a jailbreak does, and avoiding it keeps the evidence unaltered.

  • How to relate to the evidence?

A forensic case on an iOS device is built largely from SQLite and plist files. Building a timeline from their MACB times (modified, accessed, changed, born) is essential, and any timestamp that will be relied on in a legal proceeding must be recorded in a documented, repeatable way.

Many of these timestamps are in CF Absolute Time: seconds since 1 January 2001 00:00:00 UTC, not the Unix epoch of 1970. In a spreadsheet the formula =CreatedTime/(60*60*24)+DATE(2001,1,1) converts such a value to a date (a Unix value would use DATE(1970,1,1) instead), and online tools such as http://www.epochconverter.com/ do the same conversion. Always establish which epoch a table uses before converting, since the same raw number decodes to different dates under each.





Logical Acquisition on an iOS device

  • What are the operating modes of an iOS device?

For iOS forensics it is important to understand and distinguish the operating modes an iOS device can be in.

There are three: Normal Mode, Recovery Mode and DFU Mode. An examiner must know how to place a device in each of them, because the acquisition technique often depends on the mode.

  • What about the Normal Mode?

Normal mode is the default: the user powers the device on and it boots iOS. Everything the user does with the device happens in this mode.

The boot runs as a chain. The Boot ROM loads and verifies the Low-Level Bootloader (LLB); LLB loads and verifies iBoot; iBoot loads and verifies the iOS kernel, which then runs the device. Every stage is signed by Apple and checked by the stage before it, which is what gives iOS its secure boot chain.

  • What about the Recovery Mode?

Recovery mode is where the device lands when the normal boot fails. LLB, iBoot and the kernel all have to load and verify correctly for iOS to start, and that is not guaranteed: if a stage cannot be loaded or fails its signature check, iBoot stops and waits for a restore over USB (the screen shows the "connect to iTunes" image). The mode can also be entered deliberately with a button sequence.

  • What about the DFU Mode?

DFU stands for Device Firmware Upgrade. It is a low-level diagnostic mode implemented in the Boot ROM itself, before LLB or iBoot run, and is used to load firmware onto the device. If the Boot ROM cannot load or verify LLB, or if the user enters DFU with the key combination, the device waits in this mode with a black screen. Because it runs below the signed boot chain, DFU mode is where the RAM-disk based acquisition methods described earlier start from.

  • How to perform acquisition using logical methods?

Logical acquisition is the most common way to extract data from iOS devices today, and many tools have been built to do it reliably.

It recovers and analyzes the allocated, active files of the device through the synchronization (backup) mechanism that iOS already provides. SMS, call logs, calendar events, contacts, photos, web history and configured e-mail accounts can all be extracted and analyzed this way.

Its limits must be understood. Logical acquisition does not reach slack space or unallocated areas, so deleted data that survives only there will not be recovered. If the evidence is suspected to be in such areas, physical acquisition is required.

The device must be connected to the forensic workstation, and must trust it, for its files to be accessible. The acquisition software then retrieves the files, and the examiner selects which to review.

  • How to utilize iPhone Explorer to perform logical iOS acquisition?

Macroplant's iPhone Explorer (now sold as iExplorer) lets an examiner export the data of interest: call history, SMS, photos, contacts and bookmarks among others. It runs on both Microsoft Windows and macOS.

Some of its features first require an iTunes-style backup to be created before the data can be extracted. iPhone Explorer presents each logical section with its modification times and, in some views, the file size.

The page reports that clearing the call history on the device ("Reset All") did not remove the calls from the logically extracted call history. That matches how SQLite behaves: deleted rows stay in the file's free pages until the database is vacuumed, so the platform itself retains the data. A full factory reset is different, because it discards the encryption keys, and data should not be expected to survive it.

Data protection on newer devices can prevent call history, calendar, notes, contacts or messages from being exposed this way. On older hardware (the page cites the iPhone 3GS) the extracted files are readable in the clear, and whatever is extracted can be presented as evidence.







Jailbreaking for iOS data

  • How to acquire iOS data through jailbreaking?

Jailbreaking replaces the firmware partition, or patches the boot chain that verifies it, with a modified version. Tools that are not present on a stock device, such as an SSH server and a terminal, can then be installed on it. Once the examiner has shell access, a partition image can be taken from the device directly.

One of the most widely used jailbreaking tools is redsn0w. It patches the firmware and installs the Cydia package manager, after which the examiner can install what is needed and extract artifacts at will.

To use this method the forensic workstation and the iOS device must be on the same network, usually the same wireless network, and an SSH server must be running on the device. From the workstation's terminal or command prompt, run:

ssh root@<device-ip> 'dd if=/dev/rdisk0 bs=1M' | dd of=ios-root.img

Here <device-ip> is the device's address on the network and root is the account whose default password is alpine.

The command opens an SSH session to the device and runs dd there: it reads the raw disk /dev/rdisk0 in 1 MB blocks and writes it to standard output. The SSH session carries that stream to the workstation, where the second dd writes it to ios-root.img. Hash the image as soon as it is written (for example with sha256sum ios-root.img) and record the value with the case notes.

The image can then be opened in any analysis tool. On devices with hardware encryption of the user volume, however, the raw image is encrypted and cannot be parsed in this form; there, tools such as iXAM and Lantern, which perform physical acquisition and decrypt the image with the device's keys, produce a readable result.
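The verification step that the physical acquisition section calls for, and that the one-line dd command above leaves out, is shown here as an added example; it is not the page's procedure or any vendor's tool. It streams an image source into a file while hashing on the fly, re-reads the written image and refuses to return unless the two hashes agree, and then inspects the first bytes for the signatures an examiner expects (GPT header, HFS+ volume header, APFS container) or for high entropy, which is what an image from a device with hardware-encrypted storage looks like. acquire_over_ssh() wires the page's ssh/dd command into that pipeline and assumes OpenSSH on the workstation and sshd running as root on a jailbroken device; the offset of the GPT header assumes 512-byte sectors. The sample images are constructed for the example.

```python
import hashlib
import math
import os
import subprocess


def sha256_file(path, block_size=1024 * 1024):
    """Hash a file in blocks so multi-gigabyte images never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            h.update(chunk)
    return h.hexdigest()


def image_and_verify(source, dest_path, block_size=1024 * 1024):
    """Stream `source` (any binary file-like object, e.g. the stdout pipe of the
    ssh/dd command) into dest_path block by block, hashing as it goes, then re-read
    the file from disk and confirm the two hashes agree. Returns {"bytes", "sha256"}."""
    stream_hash = hashlib.sha256()
    written = 0
    with open(dest_path, "wb") as out:
        while True:
            chunk = source.read(block_size)
            if not chunk:
                break
            stream_hash.update(chunk)
            out.write(chunk)
            written += len(chunk)
    digest = stream_hash.hexdigest()
    if sha256_file(dest_path, block_size) != digest or os.path.getsize(dest_path) != written:
        raise ValueError("image on disk does not match the acquired stream")
    return {"bytes": written, "sha256": digest}


def acquire_over_ssh(host, dest_path, device="/dev/rdisk0"):
    """The page's dd-over-ssh acquisition with the workstation as the hashing sink.
    Assumes OpenSSH on the workstation and a jailbroken device running sshd as root."""
    proc = subprocess.Popen(["ssh", f"root@{host}", f"dd if={device} bs=1M"],
                            stdout=subprocess.PIPE)
    try:
        return image_and_verify(proc.stdout, dest_path)
    finally:
        proc.stdout.close()
        proc.wait()


def shannon_entropy(data):
    """Bits per byte; uniformly random (or encrypted) data approaches 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_image(path, sample=1024 * 1024):
    """Check the start of an image for the on-disk signatures an examiner expects
    (GPT header at byte 512 assuming 512-byte sectors, HFS+ volume header at 1024,
    APFS container superblock magic at 32) and flag high-entropy data, which is what
    a still-encrypted volume looks like."""
    with open(path, "rb") as f:
        head = f.read(sample)
    tags = []
    if head[512:520] == b"EFI PART":
        tags.append("gpt-disk")
    if head[1024:1026] in (b"H+", b"HX"):
        tags.append("hfsplus-volume")
    if head[32:36] == b"NXSB":
        tags.append("apfs-container")
    if shannon_entropy(head) > 7.9:
        tags.append("high-entropy")
    return tags or ["unknown"]


def build_sample_image(path, kind, size=64 * 1024):
    """Constructed fixtures for running this offline; they are not real device images."""
    if kind == "random":
        data = bytearray(os.urandom(size))      # stands in for an encrypted volume
    else:
        data = bytearray(size)
        if kind == "gpt":
            data[512:520] = b"EFI PART"
        elif kind == "hfsplus":
            data[1024:1026] = b"H+"
        elif kind == "apfs":
            data[32:36] = b"NXSB"
    with open(path, "wb") as f:
        f.write(data)
```

Hashing the stream and the file separately catches the failure mode that a single sha256sum afterwards cannot: a write error or a short transfer that leaves a plausible-looking but incomplete image on the workstation. The high-entropy flag is the quick test for the encrypted-image case described above, and tells the examiner early that a key-aware tool is needed rather than a file system parser.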

  • What are the tools for analyzing acquired data then?

Many tools can open and analyze an image file taken from an iOS device, and the open source community supplies a good share of them, so searching for and retrieving evidence from the image can be done quickly.

Examples are Scalpel, dd, find and strings; they treat an iOS image much as they would a FAT or NTFS image. HFS+ images, the file system used on these devices, can be mounted and examined with EnCase or FTK Imager.

  • How to use Pangu Jailbreak for jailbreaking purposes?

  1. First of all, the software is available at the following link:

  2. Download the software from the website, making sure it is the latest version.
  3. Connect the iPhone to the forensic workstation with a USB cable.
  4. Make sure iTunes is not running.
  5. Disable the passcode and switch the iPhone to Airplane Mode.
  6. Open the downloaded Pangu Jailbreak application.
  7. When it detects the connected iPhone it shows the device and its iOS version. Click "Start".
  8. The next window offers "Cancel" or "Already backup". Choose "Already backup".

This window also shows the application's warnings: data loss is possible, airplane mode should stay on for an uninterrupted run, and the device should be backed up before proceeding.

  9. After "Already backup" is clicked the jailbreak starts and the window shows a completion percentage. At about 55% the device is likely to reboot; at about 65% the program asks you to re-enable Airplane Mode; at about 75% it asks you to unlock the device and run the Pangu app that has been installed on it.
  10. The app then asks for access to Photos; the reason is not stated. When it finishes the phone reboots and Pangu reports that the device is jailbroken.





Important Background of iOS devices before forensics

iPhones, iPads and iPods are developed by Apple and run the iOS operating system, which is why they are grouped together as iOS devices.

  • What about iPhones?

iPhones are the iOS devices an examiner meets most often. Apple has released many models; the table below lists the specifications of the ones that were current and widely used when this was written, iPhone 5 through iPhone 7. Reading down the rows shows how the hardware and the shipped iOS version change from model to model, which is why acquisition techniques are tied to both.

Model     | Cameras (front / rear) | Cellular       | CPU              | iOS at launch | RAM  | Storage
iPhone 5  | 1.2 MP / 8 MP          | up to LTE (4G) | 1.3 GHz, ARMv7s  | iOS 6.0       | 1 GB | 16/32/64 GB
iPhone 5s | 1.2 MP / 8 MP          | up to LTE (4G) | 1.3 GHz, ARMv8   | iOS 7.0       | 1 GB | 16/32/64 GB
iPhone 6  | 1.2 MP / 8 MP          | up to LTE (4G) | 1.4 GHz, ARMv8   | iOS 8.0       | 1 GB | 16/64/128 GB
iPhone 6s | 5 MP / 12 MP           | up to LTE (4G) | 1.85 GHz, ARMv8  | iOS 9.0       | 2 GB | 16/64/128 GB
iPhone SE | 1.2 MP / 12 MP         | up to LTE (4G) | 1.85 GHz, ARMv8  | iOS 9.3       | 2 GB | 16/64 GB (32/128 GB later)
iPhone 7  | 7 MP / 12 MP           | up to LTE (4G) | 2.34 GHz, ARMv8  | iOS 10.0      | 2 GB | 32/128/256 GB


  • What about iPads?

iPad tablets followed the success of the iPhone. The first model, the iPad (first generation), launched after the iPhone 3GS and before the iPhone 4. The table lists the specifications of the more recent models.

Model              | Rear camera | Cellular       | CPU               | iOS at launch | RAM  | Storage
iPad Air           | 5 MP        | up to LTE (4G) | 1.4 GHz, ARMv8    | iOS 7.0.3     | 1 GB | 16/32/64/128 GB
iPad Air 2         | 8 MP        | up to LTE (4G) | 1.5 GHz, ARMv8    | iOS 8.1       | 2 GB | 16/64/128 GB
iPad Pro           | 8 MP        | up to LTE (4G) | 2.2 GHz, ARMv8-A  | iOS 9.1       | 4 GB | 32/128/256 GB
iPad (5th gen)     | 8 MP        | up to LTE (4G) | 1.85 GHz, ARMv8   | iOS 10.3      | 2 GB | 32/128 GB
iPad Pro (2nd gen) | 12 MP       | up to LTE (4G) | 2.38 GHz, ARMv8   | iOS 10.3.2    | 4 GB | 64/256/512 GB
iPad mini 4        | 8 MP        | up to LTE (4G) | 1.5 GHz, ARMv8    | iOS 9.0       | 2 GB | 16/64/128 GB


  • What about iPods?

iPods were originally designed to play music; the first generation appeared in 2001. Later generations, and in particular the iPod touch, added video playback, games and applications.

iPod data is also relevant to an examiner: storage contents, the photo gallery and browser history can all be recovered and may matter to a case.

iPod touch models offer a camera, Wi-Fi, the Safari web browser, storage and playback for audio, video and photos, a YouTube player, and apps installed from the App Store, so they hold the same kinds of artifacts as an iPhone minus the cellular ones.

  • Where can I find the passwords of iOS devices?

The local account passwords are kept in the BSD-style password file at /private/etc/passwd; on a BSD-derived system the shadowed copy that actually holds the hashes is /private/etc/master.passwd, so check both.

These files live on the system partition, which holds the operating system and the files needed to start and maintain it.

The hash for root, and likewise for the mobile user, appears as a traditional DES crypt value such as /smx7MYTQIi2M.

An examiner can copy the hash out of the file and crack it with a utility such as John the Ripper, for which traditional DES crypt is a standard format.

In practice cracking is rarely necessary: the default root password on every iOS device is "alpine" (lowercase), and the mobile account shares it. Because it is universal, a jailbroken device running SSH with that password unchanged is open to anyone on the same network, which is why the password should be changed on any jailbroken device that stays in use, and why an examiner should try alpine first.

  • Property List Files:

Web cookies, e-mail account settings, GPS map routes and searches, system configuration preferences, browsing history and bookmarks are all kept in plist files. They are XML, or binary files that plutil converts to XML. Application configuration and the configuration of the operating system itself are driven by these files, and an XML plist can be opened and reviewed in a text editor.

  • SQLite Databases:

Much of the data extracted from an iOS device arrives as SQLite databases, so a browser for them is needed. DB Browser for SQLite can be downloaded from http://sqlitebrowser.org/