• Why is it important for an examiner to get some files of interest from an iOS device?

An iOS device records its user's activity in many formats and for many purposes. Ostensibly this data is collected to serve the user, but that is not the whole story: the device stores far more than the user ever needs or asks for.

Information such as locations, messages, contacts, web browsing habits, notes and pictures is available on the device's storage media, and much of it carries timestamps.

From a forensics point of view, this data grows ever more valuable as businesses increasingly run on iOS devices. Examiners therefore have to keep up with each new technology and software release, since any of them can affect how data is extracted and acquired.

  • Browser cookies inside /private/var/mobile/Library

    • What is meant by cookies in the first place?

Cookies are used by websites to deliver highly customized pages: the cookie identifies the user, and the site tailors its results and experience to that user.

A site that relies on cookies may ask the user to fill in information such as a name and interests while browsing. The browser stores this data on the device so the website can use it on later visits; the browser receives the cookie from the site's server in the first place.

From the website's perspective, having cookies stored on the device matters because the cookies are sent to the server hosting the site on every visit, and the server uses them to build the custom pages it returns to the user.

Have you ever visited a website that welcomes you by name or shows you the last time you visited? That site is using cookies to give you a customized experience.

So what is actually inside a cookie file? At minimum, it holds information about the website. It may also hold personal information alongside the website data, but normally only when the user has supplied that information to the site; otherwise it is not included.

Most of this information is ultimately text. Well-built websites, however, send cookie data to the browser in encrypted form so that it does not make sense even if it is extracted and acquired by some means.

For an examiner performing a forensic investigation, this data is crucial: it reflects the user's preferences along with data such as names and interests, which is exactly the kind of information an investigation is after.

Cookies carry several parameters for identification and related purposes. Typically the parameters are the following:
  • The name of the cookie.
  • The value of the cookie.
  • The expiration date of the cookie: this determines how long the cookie remains active in the user's browser.
  • The path the cookie is valid for. Web pages outside of that path cannot use the cookie.
  • The domain the cookie is valid for. This makes the cookie accessible to pages on any of the servers in a domain.
  • The need for a secure connection: this indicates that the cookie can only be used over a secure connection to the server.
  • How to perform such extraction of cookies?

Data extracted from browser cookies is an important source of evidence in forensic investigations. On iOS these cookies belong to the well-known Safari browser, and the file that holds them is named cookies.binarycookies.

The main difference between Safari and other browsers lies in how cookies are stored. Browsers such as Internet Explorer keep their cookie data in plain text files or in an SQLite database inside the history folder; Safari stores its cookies in a binary file.

Opening such a binary file therefore requires specific software: a tool such as iPhone Extractor, or any hex editor, can be used to inspect what is inside.

Having opened such files ourselves, we found that the file begins with a header followed by one or more pages, and each page contains one or more cookies.

It is also important to understand the size of each field that makes up the file. The signature field is 4 bytes and holds the COOK header. The Number of pages field is 4 bytes holding a Little Endian integer. The Page Size field is another 4 bytes holding a Little Endian integer. The Page field varies in size with the cookies it contains. Finally, the tail field is 8 bytes and holds a hash, presumably a checksum.
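To make the header, page and cookie layout concrete, here is an added example (not code from the article or from Apple) that builds a constructed cookies.binarycookies file in memory and parses it back into the per-cookie parameters listed earlier (domain, name, path, value, expiry and secure flag). Beyond the fields named in the text, it assumes the byte layout described in public write-ups of the format: the "cook" magic, a big-endian page count and page-size array in the file header, little-endian fields inside each page and cookie record, cookie timestamps stored as doubles counting seconds from 2001-01-01 UTC, and flag bits 0x1 (Secure) and 0x4 (HttpOnly). Those assumptions, the constant tail bytes, and the sample cookie values are all the example's own; the 4-byte checksum in the tail is written as zeros and is not validated.

```python
import struct
from datetime import datetime, timedelta, timezone

# Cookie timestamps are doubles counting seconds from the Mac absolute epoch
# (assumption of this example, based on public descriptions of the format).
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
FLAG_SECURE, FLAG_HTTPONLY = 0x1, 0x4       # assumed flag bits
COOKIE_HEADER_LEN = 56                      # fixed part of a record before its strings


def build_cookie(domain, name, path, value, flags=0, expiry=0.0, created=0.0):
    """Serialize one cookie record: little-endian header, then NUL-terminated strings."""
    strings = [s.encode() + b"\x00" for s in (domain, name, path, value)]
    offsets, pos = [], COOKIE_HEADER_LEN
    for s in strings:
        offsets.append(pos)
        pos += len(s)
    rec = struct.pack("<8I", pos, 0, flags, 0, *offsets)  # size, unk, flags, unk, 4 offsets
    rec += b"\x00" * 8                                   # end-of-header marker
    rec += struct.pack("<dd", expiry, created)
    return rec + b"".join(strings)


def build_page(cookies):
    """Serialize a page: marker, cookie count, cookie offsets, footer, then records."""
    n = len(cookies)
    header_len = 4 + 4 + 4 * n + 4
    offsets, body = [], b""
    for c in cookies:
        offsets.append(header_len + len(body))
        body += c
    return (b"\x00\x00\x01\x00" + struct.pack("<I", n)
            + struct.pack("<%dI" % n, *offsets) + b"\x00\x00\x00\x00" + body)


def build_file(pages):
    """Serialize the whole file: magic, page count, page sizes, pages, 8-byte tail."""
    out = b"cook" + struct.pack(">I", len(pages))
    out += b"".join(struct.pack(">I", len(p)) for p in pages) + b"".join(pages)
    # Tail: 4-byte checksum (left as zeros; this example does not compute it)
    # followed by the constant bytes 07 17 20 05.
    return out + b"\x00\x00\x00\x00" + b"\x07\x17\x20\x05"


def parse_cookie(page, off):
    """Decode one cookie record starting at byte offset `off` within `page`."""
    size, _, flags, _, d_o, n_o, p_o, v_o = struct.unpack("<8I", page[off:off + 32])
    expiry, created = struct.unpack("<dd", page[off + 40:off + 56])
    rec = page[off:off + size]

    def cstr(o):  # NUL-terminated string at record-relative offset o
        return rec[o:rec.index(b"\x00", o)].decode("utf-8", "replace")

    return {
        "domain": cstr(d_o), "name": cstr(n_o), "path": cstr(p_o), "value": cstr(v_o),
        "secure": bool(flags & FLAG_SECURE), "httponly": bool(flags & FLAG_HTTPONLY),
        "expires": MAC_EPOCH + timedelta(seconds=expiry),
        "created": MAC_EPOCH + timedelta(seconds=created),
    }


def parse_binarycookies(data):
    """Walk header -> pages -> cookies and return a list of cookie dicts."""
    if data[:4] != b"cook":
        raise ValueError("missing cook signature")
    num_pages = struct.unpack(">I", data[4:8])[0]
    sizes = struct.unpack(">%dI" % num_pages, data[8:8 + 4 * num_pages])
    pos, cookies = 8 + 4 * num_pages, []
    for size in sizes:
        page = data[pos:pos + size]
        pos += size
        if page[:4] != b"\x00\x00\x01\x00":
            raise ValueError("bad page marker at offset %d" % (pos - size))
        n = struct.unpack("<I", page[4:8])[0]
        for off in struct.unpack("<%dI" % n, page[8:8 + 4 * n]):
            cookies.append(parse_cookie(page, off))
    if len(data) - pos != 8:                 # exactly the 8-byte tail must remain
        raise ValueError("unexpected tail length %d" % (len(data) - pos))
    return cookies


def sample_file():
    """Constructed sample (not a real device artefact): two pages, three cookies."""
    one_year = 365 * 86400.0
    page1 = build_page([
        build_cookie(".example.com", "session", "/", "abc123",
                     FLAG_SECURE | FLAG_HTTPONLY, expiry=one_year),
        build_cookie(".example.com", "lang", "/", "en"),
    ])
    page2 = build_page([build_cookie("shop.example.net", "cart", "/checkout", "3 items",
                                     expiry=2 * one_year, created=one_year)])
    return build_file([page1, page2])


if __name__ == "__main__":
    for c in parse_binarycookies(sample_file()):
        print("%-18s %-8s %-10s secure=%-5s httponly=%-5s expires=%s" % (
            c["domain"], c["name"], c["path"], c["secure"], c["httponly"],
            c["expires"].date()))
```

To run the parser against a file pulled from an acquisition, replace `sample_file()` with the bytes read from the extracted cookies.binarycookies; the offsets-and-count structure means a truncated or tampered file typically fails one of the marker or tail-length checks rather than producing silently wrong records.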

