iPhone Forensic HOWTOs

2 Sep

While it is possible to recover video files from the iPhone 3GS, it is not a simple task. After considerable research, here’s what I’ve found:

  1. Partial recovery is possible
  2. Metadata recovery (date/time, GPS, etc.) is also possible even if the video itself is not recoverable
  3. Due to wear-leveling algorithms, recovery of the full videos is not always possible.

Point 3 is what is really making things difficult.  The larger the file is, the more fragmentation occurs, because of the wear leveling that Apple (and other vendors) implement in an attempt to use the storage evenly and avoid disproportionately wearing out parts of the drive.  One researcher I collaborate with stated:

“The spare data at the end of the blocks holds the key.  We at least figured out that the available data sheets are wrong.  We can piece together information based on available logical sector numbers, but they are sometimes missing or corrupted.”

A lot of research will have to go into the closely guarded wear-leveling algorithms different vendors use in order to recover the larger files.

As far as the specific 3GS video file format goes, we pieced together the file signature/magic numbers for the file format.  They are:

Header: 0000 0014 6674 7970 7174 2020 0000 0000

Footer: 2f00 0004 0066 7265 6500

After the footer, there is a series of all 0’s but we have not determined if it is a fixed amount or dynamic based on file size.  Stay tuned for more updates.
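As an added example (not code from the original post), the following Python carves candidate 3GS video files out of a raw image using the header and footer bytes quoted above, and measures the run of zero bytes that follows each footer; the image it scans is constructed inline.

```python
from dataclasses import dataclass
from typing import List, Optional

# Signatures exactly as quoted in the post: the start of a 20-byte 'ftyp' box with brand 'qt  '
HEADER = bytes.fromhex("00000014667479707174202000000000")
FOOTER = bytes.fromhex("2f000004006672656500")  # ... and the footer bytes containing 'free'

@dataclass
class Candidate:
    offset: int              # where the header starts in the image
    length: Optional[int]    # header..footer length; None when the footer is missing
    zero_run: Optional[int]  # number of 0x00 bytes directly after the footer
    complete: bool

def find_all(haystack: bytes, needle: bytes) -> List[int]:
    hits, pos = [], haystack.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = haystack.find(needle, pos + 1)
    return hits

def carve_videos(image: bytes) -> List[Candidate]:
    """Pair each header with the first footer that appears before the next header.
    Wear-leveling fragmentation (point 3 above) means this pairing is only a
    candidate; a header with no footer before the next header is reported as a
    partial recovery rather than being glued to some later footer."""
    out, starts = [], find_all(image, HEADER)
    for i, start in enumerate(starts):
        limit = starts[i + 1] if i + 1 < len(starts) else len(image)
        foot = image.find(FOOTER, start + len(HEADER), limit)
        if foot == -1:
            out.append(Candidate(start, None, None, False))
            continue
        end, zeros = foot + len(FOOTER), 0
        while end + zeros < limit and image[end + zeros] == 0:
            zeros += 1
        out.append(Candidate(start, end - start, zeros, True))
    return out

def extract(image: bytes, cand: Candidate) -> bytes:
    """Bytes of a complete candidate, header through footer, without the zero padding."""
    return image[cand.offset:cand.offset + cand.length] if cand.complete else b""

def build_sample_image() -> bytes:
    """Constructed test image: two complete videos and one whose footer is gone."""
    filler = b"\xaa" * 32  # non-zero filler so each zero run ends at the padding edge
    video1 = HEADER + b"moov-data-one" + FOOTER + b"\x00" * 16
    partial = HEADER + b"moov-data-two-truncated"
    video3 = HEADER + b"moov-data-three" + FOOTER + b"\x00" * 8
    return filler + video1 + filler + partial + filler + video3 + filler
```

Running `carve_videos` over a real image reports the zero-run length per file, which is the measurement needed to settle whether the trailing padding is fixed or size dependent.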

Category : iPhone Forensic HOWTOs | iPhone Forensics | Blog
8 Jul

The Apple iPhone is unlike most smart phones on the market in that trained experts can successfully recover deleted text messages (and other deleted items), provided certain steps are taken. The steps below will help ensure you have a total recovery of the deleted items you want.

Stop using the iPhone immediately
First, time is everything. If possible, completely stop using the iPhone. Place the iPhone in airplane mode or turn it off. Or you can remove the SIM card if you prefer. The longer you use the iPhone, the less likely a full or even partial recovery is possible.

Do’s (or Steps to follow to maximize recovery of deleted text messages)

  1. Stop using the iPhone immediately.  Turn the iPhone off, place in airplane mode or remove the SIM card.  Yes, I am repeating myself but this is the most important thing you can do.
  2. Make a backup of your *iPhone backup directory* (not your iPhone but your existing backup directory on your computer).  Valuable information from a previous backup (which occurs when you upgrade the iPhone OS or specifically request a backup) can contain the information you need.  See my previous post about iPhone backups for more information.
  3. Contact an iPhone expert who can perform the recovery.  We use various techniques including:
    1. Forensic imaging and analysis of the iPhone (admissible in court if needed)
    2. Recovery of deleted records in the SMS database if present
    3. Examination of the keyboard cache files for outbound conversations
    4. Recovery of iPhone screenshots which may contain images of the text messages
    5. Full indexed search of the iPhone user data partition using powerful searching tools

Don’ts (or Things to avoid when trying to recover deleted text messages)

  1. Avoid using the iPhone, at all.  (Do you see a theme here?)
  2. Don’t sync or backup the iPhone (let the expert take care of this)
  3. Don’t install new applications from the App Store
  4. Don’t modify/examine the files in your backup directory unless you know how
  5. Don’t forget to call the expert as soon as possible.

Oftentimes, people approach us weeks or months after their text messages have been deleted.  While we are sometimes able to make partial recoveries (message fragments), full recovery at that point is nearly impossible.  However, if your text messages are deleted and you follow the steps above immediately, I guarantee full recovery or we’ll provide a 100% refund on the fee we charge.

If you are interested in this topic more, please check out our free iPhone Forensics white paper, contact us at 312-283-0551 or complete the form below.  Good luck and should you need to recover a deleted text message (or other file from the iPhone), we hope to hear from you.

Category : iPhone Forensic HOWTOs | iPhone Forensics | Blog
6 Feb

Doing Mac/iPhone forensics, you will eventually need to examine the contents of a disk image which Apple stores in a .dmg file. Here’s some information on the files and how you can mount them.

.dmg file information

The two types of .dmg files I have come across are an uncompressed file and a compressed one. The output of the file command for both is as follows:

Uncompressed:

ahoog@wintermute:~$ file stage1-decrypted.dmg
stage1-decrypted.dmg: Macintosh HFS Extended version 4 data last mounted by: '10.0', created: Fri Aug 29 00:33:37 2008, last modified: Fri Jan 2 11:07:50 2009, last checked: Fri Aug 29 02:33:37 2008, block size: 4096, number of blocks: 6400, free blocks: 218

Compressed:

ahoog@wintermute:~$ file stage2-decrypted.dmg
stage2-decrypted.dmg: VAX COFF executable not stripped - version 376

Mounting the .dmg disk image in Linux

To mount the uncompressed image in Linux, type the following:

mount -t hfsplus -o loop stage1-decrypted.dmg /mnt/dmg

Using the loop device, you can mount the file and then modify it as needed (or mount read-only) and then umount (all changes are preserved if in read/write mode).

Mounting the compressed .dmg disk image requires an additional step. I came across a utility called dmg2img which uncompresses the image. So you now use the following commands to mount the image:

dmg2img -i stage2-decrypted.dmg -o stage2-decrypted-uncompressed.img
mount -t hfsplus -o loop stage2-decrypted-uncompressed.img /mnt/dmg

Other operating systems

It’s worthwhile to note that in Apple’s OS X, you can simply double-click the .dmg file and it will mount. However, this is not forensically sound and you should not do this on images that require read-only. For read-only and other options, you can use the hdid or hdiutil commands. In Windows, apparently you can use a program called MacDrive (in Target Disk mode) however I have not verified this.

Category : iPhone Forensic HOWTOs | Blog
6 Feb

The iPhone (based on OS X 10.5 Leopard) stores many configuration settings in a property list (.plist file). While these are often text XML files, at times Apple uses a binary plist format. If you are analyzing the file on a Mac, you can easily open (and edit) the file with several programs including the Property List Editor and plutil (to check the syntax and convert between XML and binary).

On Linux, you have several options. You can compile the source code provided as open source by Apple on their open source developer website. Also, I have found a Perl version of plutil that works well on Linux.
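An added example (not from the post, Apple’s plutil, or the Perl port): a small Python routine that tells binary plists from XML ones by their leading bytes and converts between the two with the standard-library plistlib, the same XML/binary conversion plutil performs, which is handy on Linux and applies equally to the Info.plist, Manifest.plist and Status.plist files in a backup directory; the Info.plist-style sample is constructed with illustrative keys.

```python
import plistlib

def detect_plist_format(data: bytes) -> str:
    """Binary plists start with the 'bplist' magic; XML ones are plain text."""
    if data.startswith(b"bplist"):
        return "binary"
    head = data.lstrip()[:64]
    if head.startswith(b"<?xml") or head.startswith(b"<plist"):
        return "xml"
    return "unknown"

def load_plist(data: bytes):
    """Return (format, parsed object); plistlib auto-detects the encoding."""
    fmt = detect_plist_format(data)
    if fmt == "unknown":
        raise ValueError("data does not look like a property list")
    return fmt, plistlib.loads(data)

def convert_plist(data: bytes, target: str) -> bytes:
    """Same job as `plutil -convert xml1` / `plutil -convert binary1`, via plistlib."""
    _, obj = load_plist(data)
    fmt = plistlib.FMT_XML if target == "xml" else plistlib.FMT_BINARY
    return plistlib.dumps(obj, fmt=fmt)

def sample_info_plist() -> bytes:
    """Constructed Info.plist-style sample; the keys are illustrative, not Apple's."""
    device = {"DeviceName": "Example iPhone", "IMEI": "000000000000000",
              "PhoneNumber": "555-0100", "FirmwareVersion": "2.2.1"}
    return plistlib.dumps(device, fmt=plistlib.FMT_XML)

if __name__ == "__main__":
    xml = sample_info_plist()
    binary = convert_plist(xml, "binary")
    print(detect_plist_format(xml), detect_plist_format(binary))
    print(load_plist(binary)[1] == load_plist(xml)[1])  # round trip keeps the content
```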

Category : iPhone Forensic HOWTOs | Blog
6 Feb

While performing forensic testing on a 3G iPhone using the techniques outlined by Jonathan Zdziarski in his book “iPhone Forensics”, I discovered the xpwn tool (by planetbeing) pre-compiled for OS X was not up to date (missing many of the firmware bundles which contain the encryption key and initialization vectors to uncompress the RAM disk .dmg images). I switched over to the Linux workstation; however, the Linux pre-compiled binaries of xpwn complained about my version of GLIBC with the following error:

/home/ahoog/src/XPwn-0.5.5-Linux.broke/xpwntool: /lib32/libc.so.6: version `GLIBC_2.4' not found (required by /home/ahoog/src/XPwn-0.5.5-Linux.broke/xpwntool)

So I figured I would just build from source. Planetbeing was nice enough to write up build directions; however, for my Debian Etch, I had to do a few different things to get it to compile and work. Below are the steps I took to make everything work, adapted from Planetbeing’s directions:

  1. apt-get install build-essential
  2. apt-get install libz-dev libusb-dev libssl-dev libbz2-dev libpng12-dev (changes from planetbeing’s BUILD doc listed below)
    • libssl-dev instead of libcrypt-dev
    • libbz2-dev instead of libbz2-dev3
    • added libpng12-dev
  3. Install git-core and associated files to download the source (GitHub kept failing with a 404 when trying to download from the website link)
    • apt-get install git-core git-arch git-cvs git-svn git-email git-daemon-run gitk gitweb cogito git-doc rsync curl
  4. git clone git://github.com/planetbeing/xpwn.git
  5. install cmake (per BUILD)
    • wget http://www.cmake.org/files/v2.6/cmake-2.6.2.tar.gz
    • tar zxvf cmake-2.6.2.tar.gz
    • cd cmake-2.6.2
    • ./configure
    • make
    • sudo make install
  6. Create and cd to build folder
  7. cmake ~/xpwn
  8. make
  9. make package
  10. Executables and files are located in ~/build/_CPack_Packages/Linux/TBZ2/XPwn-0.5.5-Linux

Hope this helps Debian/iPhone folks out.

Category : iPhone Forensic HOWTOs | Blog
6 Feb

One common approach to iPhone forensics is to analyze the backup directory. There is a difference between syncing an iPhone and backing it up. Basically, syncing makes sure files on your computer and iPhone are in sync and does back up some key information. However, a backup will make copies of SMS, call logs, application data, etc. For a forensic analyst, the backup information can be very important, especially if you do not have access to the iPhone directly.

Backup data location

iTunes backups of the iPhone (and iPod, iTouch, etc.) are stored in the following directories:

  • Windows XP:  C:\Documents and Settings\(username)\Application Data\Apple Computer\MobileSync\Backup\
  • Windows Vista: C:\Users\(username)\AppData\Roaming\Apple Computer\MobileSync\Backup\
  • Mac OS X: /Users/(username)/Library/Application Support/MobileSync/Backup/

Backup folder files

Inside the backup folder, you will find 3 plist files (plaintext, not binary encoded) and many .mdbackup files:

  • Status.plist – status of last sync
  • Manifest.plist – list of all files backed up, modification time and hash signature
  • Info.plist – information about the iPhone
  • *.mdbackup – the name of the file is the SHA1 hash when backed up from the iPhone, and the data is serialized off the iPhone and stored as the backup file

The Info.plist has detailed information about the iPhone (name, ICCID, IMEI, phone number, firmware version, iTunes file and version info, etc.) and can thus tie a physical device to the backup directory. The Manifest.plist is important as it ensures data integrity between the backup files and the iPhone. Using this information, an examiner can manually reconstruct important information during an investigation.

Commercial forensic products that analyze the iPhone backup directory

Of course, time is precious and manually decoding this information is better left to forensic tools. A good examiner will understand the process and the information and, if needed, should be able to perform these steps manually. However, using a tool you trust is a great way to access the information quickly. Here is an alphabetical list (likely incomplete, but I will update it) of forensic tools which state they analyze the iPhone backup directory:

  • Device Seizure – Paraben
  • Mac Lock Pick – SubRosaSoft
  • MDBackupExtract – BlackBag Tech
  • WOLF – Sixth Legion

My complete analysis of iPhone forensic software will be available soon, so please sign up for your copy now. This report will analyze all available iPhone forensic tools, perform an acquisition and compare results. It will include screen shots, pitfalls and other information key to making a good choice for iPhone forensic software.

Category : iPhone Forensic HOWTOs | Blog