iPhone Forensics with F/OSS

A HOWTO for iPhone Forensics with free and/or open source tools

Qualifications
Presentation Goals
iPhone Forensics with F/OSS tools

• Commercial Tools exist but there are a growing number of F/OSS tools
• A Mac (OSX) or Linux workstation is used for many of these programs
• Focus on step-by-step examples

Open source (MIT) iPhone backup analyzer by Mario Picci (http://ipbackupanalyzer.com/)

• Decodes files, presents in a hierarchical view, has some search and conversions
• Plist files are shown (binary plist files are automatically converted in ascii format)
• Image files are shown
• SQLite files are shown with the list of the tables they contain. By clicking on the tables list the selected table’s content is dumped in the main UI
• Unknown data files are shown as hex/ASCII data

iTunes Backup Directories
Mac Os X: ∼/Library/Application Support/MobileSync/Backup/
Windows XP: \Documents and Settings\(username)\Application Data\Apple Computer\MobileSync\Backup\
Windows Vista, Windows 7: \Users\(username)\AppData\Roaming\Apple Computer\MobileSync\Backup\
Linux Install
On Ubuntu Workstation
——————————
sudo apt-get update
sudo apt-get install python-tk python-imaging python-imaging-tk git
Install pyttk
- Download: http://pypi.python.org/pypi/pyttk/
- Extract: tar xzvf pyttk-0.3.2.tar.gz
- cd pyttk-0.3.2/
- Install: sudo python setup.py install
git clone git://github.com/PicciMario/iPhone-Backup-Analyzer
cd iPhone-Backup-Analyzer/
./main.py -d ~/Desktop/8737684969e72eccf5ff0cafed21b15ec1cb6d4d/
Zdziarski’s iOS forensic tools
Free for qualified law enforcement and government agencies

• Based on F/OSS software and research (Cyanide, etc)
• Physical acquisition
• Logical acquisition
• PIN bypass
• Decrypts the encrypted files / slice
– iOS 3.x: fully decrypt slice, gets unallocated
– iOS 4.x: decrypts files, not unallocated (mostly)
• Decrypt Keychain
• Working on recovering deleted keys
with F/OSS
• @0naj iphone-dataprotection tools (Python and C)
– Brute force PIN code on device
– Recover device encryption keys
– Decrypt the keychain, all dataprotection encrypted files
– Scrape the HFS journal for deleted content
– Decrypt the entire raw disk
– Included with Jonathan Zdziarski’s toolset, or available separately to developers:
• http://code.google.com/p/iphone-dataprotection/
Mount the dmg image read-only (Linux)
• Determine file system offset in dd image:
• Mount HFS partition read only:
• Make sure file system was mounted
• Can check disk usage
• The Sleuth Kit by Brian Carrier
– Brain author of excellent book File System Forensics Analysis (FSFA)
– Actively maintained, just released 3.2.2 (06/13/2011)
– Supports NTFS, FAT, UFS 1, UFS 2, EXT2FS, EXT3FS, and ISO 9660
– http://sleuthkit.org/
• Install:
• Programs to start with:
– mmls – Media Management ls, generally partition info:
• fsstat – File system info
• fls – Forensic list
– Power utility which can list allocated/deleted files
– Provides offset so recovery is possible
– Build MACB for timeline analysis
– analyst@ubuntu:/mnt/hgfs/Desktop$ fls -z CST6CDT -s 0 -m ‘/’ -f hfs -r -i raw iPhone-3g-313.dmg > ~/iPhone-timeline.body
human friendly
• analyst@ubuntu:/mnt/hgfs/Desktop$ mactime -b ~/iPhone-timeline.body -z CST6CDT -d > ~/iPhone-timeline.csv
– Takes body file and turns into CSV or other format
Log2timeline
• Kristinn Gudjonsson developed this software
– Written in Perl (trying to convince him to move to Python)
– Extracts timeline artifacts from many file types including
• Evt/extx, registry, $MFT, prefetch, browser history, etc. (46 and climbing)
– 10+ export formats
– http://log2timeline.net/

• Install log2timeline on Ubuntu 10.10 (lucid)
– sudo add-apt-repository “deb http://log2timeline.net/pub/ lucid main”
– wget -q http://log2timeline.net/gpg.asc -O- | sudo apt-key add -
– sudo apt-get update
– sudo apt-get install log2timeline-perl
Log2timeline
• sudo timescanner -d /home/analyst/mnt/hfs/ -z CST6CDT -w ~/iPhone-log2timeline.csv
– 218 artifacts (either files or directories).
– Run time of the script 24 seconds.

• If you output in body format, can combine with TSK’s fls output and generate full timeline of file system and file metadata (sometimes referred to as a “Super Timeline”
Scalpel
• Download scalpel src at:
• wget http://www.digitalforensicssolutions.com/Scalpel/scalpel-2.0.tar.gz
• Compile
– tar xzvf scalpel-2.0.tar.gz
– cd scalpel-2.0/
– sudo apt-get install libtre-dev libtre5
– ./configure; make
– sudo cp scalpel /usr/local/bin

• Run scalpel
$ scalpel -c ~/scalpel.conf iPhone-3g-313.dmg

• Examine data in “scalpel-output” directory
Sample scalpel.conf
viewer
• Usage:
$ xxd iPhone-3g-313.dmg | less

• To auto skip 0’s:
$ xxd -a iPhone-3g-313.dmg | less

Hex editor
• Usage:
$ hexedit iPhone-3g-313.dmg

• Once in hex editor:
– “/” = search hex/ASCII string (in “hexedit” use tab to change between ASCII and hex searches)
– q = exit hex editor
– h = help

• Can quickly locate potential evidence

• Other tools also available (hexeditor and many others)

Grep Command
• Searches through a file (or many files/folders) for a specified keyword(s)

• Grep is case sensitive by default
$ grep amr iPhone-3g-313.dmg

• To do case-insensitive (more time consuming):
$ grep –i AmR iPhone-3g-313.dmg

• Can search for a phrase in quotes
$ grep “Trace File” iPhone-3g-313.dmg
$ grep -a “Trace File” iPhone-3g-313.dmg
$ grep -a -A 1 -B 1 “Trace File” iPhone-3g-313.dmg
Grep Command (continued)
• Can also be used to search through many files

• Grep through all files in a user’s home directory for “viaF”:

analyst@ubuntu:~$ grep -R 312493 *
Binary file scalpel-output/sqlitedb-9-0/00001.db matches
Binary file scalpel-output/sqlitedb-9-0/00017.db matches

Find all sms database files from iPhone (after scalpel)
analyst@ubuntu:~$ grep -R svc_center sqlite*

“Strings” Command
• Strings is a powerful utility to extract ASCII or Unicode strings from binary data

• Can be run against a file or a full disk image
$ strings iPhone-3g-313.dmg > iPhone.str
$ strings iPhone-3g-313.dmg | less

• Can also search for Unicode
$ strings -e b iPhone-3g-313.dmg | less

“Strings” does more than ASCII
• Strings is designed to extract ASCII and Unicode
– 7-bit ASCII, 8-bit ASCII
– 16-bit big-endian and little-endian
– 32-bit big-endian and little-endian

• From the strings manual page:
Decrypting data – step 1
• Scenario: imaged iPhone and application has encrypted data which you need to view.

• Our solution (but other approaches may work)
• Noted app data was encrypted
• Analyzed symbol table for app, saw entries such as:
• 00091033 t -[NSData(AESAdditions) AES256DecryptWithKey:]
• 00092015 t -[NSData(AESAdditions) AES256EncryptWithKey:]
• 0009aA07e t -[NSData(AESAdditions) keyBytes:]
• 00034261 t +[NSData(Base64) dataFromBase64String:]
• 00034410 t -[NSData(Base64) base64EncodedString]

• Determined app stored key in Keychain so cracked the key chain, found an entry with a Base64 encoded key
• Decoded Base64 key
• Wrote quick program that used “AES256DecryptWithKey” API, encrypted file and decode AES encryption key to access data

• F/OSS Tools used:
• Zdziarski’s techniques to physically image device, crack keychain
• Strings to determine encryption technique
• XCode from Apple to write decrypt program

Andrew Hoog
Chief Investigative Officer
ahoog@viaforensics.com

http://viaforensics.com

Main Office:
1000 Lake St, Suite 203
Oak Park, IL 60301
Tel: 312-878-1100 | Fax: 312-268-7281

OUTLINE

Mobile App Security
How To Make Mobile Financial Services Secure
Qualifications – Andrew Hoog
Device growth
Mobile devices, sticking around
• 74.6M people in the US owned smartphones (Apr 2011)
• 13 percent increase from preceding 3 months
• 400,000 Android devices daily
• 200,000M iOS devices sold
• Powerful: lagging laptops by only 2-3 years
• Frequent new innovations
o NFC
o UI

App growth
Consumers love apps

• iPhone: just passed 14 billionth app download
• Android: 3 billion Android apps installed (4/14/2011)
• Functionality of apps significantly enhancing device
• App stores (03/2011)
o Apple: ~425k
o Android: ~250k
o RIM: ~20k
o WinMo: ~9k

What’s different about mobile?
Key security challenges for mobile devices
• Flash memory
• Device is constantly connected to the Internet
• Combines highly sensitive personal and corporate data, making perfect device to target
• Operating system is in constant state of flux
• Race to the next feature
• Security is an afterthought (corporate user/pass example)
• Traditional security techniques useful but more advanced ones are needed to secure mobile
• The FI is the developer

appWatchdog
Quick forensic examination of devices, lowest hanging fruit (10%)

appWatchdog – Study of 1st 100 apps
Release study of first 100 mobile apps reviewed

• 7 month period between Nov 2010 and June 2011
• 100 mobile apps reviewed
• Overall findings
• 17% Pass
• 44% Warn
• 39% Fail
• Financial app fared better
• 44% Pass
• 31% Warn
• 25% Fail

* appWatchdog only uses about 5% of our appSecure techniques

Mobile app security – examples
Mobile app security philosophy
Integrate security from design phase
Maintain traditional security controls
As we do in Chicago – Test early and often
Thoughtful questions for dev team
What if development team says, “We’re on it”

• How do you ensure and validate that no sensitive data is
stored on the mobile device?
• What steps do you take to validate that SSL and
authentication implementation are secure against MITM
exploits?
• What is in your code when it gets released to the public?
• How do you ensure that host validation works, to
protect clients from phishing via host spoofing?
• How much time is spent security regression testing
applications, compared to functional testing?
Contact Us
Andrew Hoog, CIO
Presentation: http://viaforensics.com/education/articles/
FS Roundtable, June 13th, 2PM EST

http://viaforensics.com

Main Office:
1000 Lake St, Suite 203
Oak Park, IL 60301
Tel: 312-878-1100 | Fax: 312-268-7281

OUTLINE

SQLite Forensics

About viaForensics

viaForensics is an innovative digital forensics and security company providing expert services to:

·         Law Enforcement

·         Government Agencies

·         Corporations

·         Attorneys/Individuals

What’s the problem?

·         We want to recover as much data from devices as possible

·         People delete data, mostly the data we want!

·         SQLite is a very popular data storage format

·         Currently no advanced SQLite recovery tool on the market (but stay tuned)

What is SQLite?

·         SQLite is a widely used, lightweight database contained in a single cross-platform file used by developers for structured data storage

·         Used in most smart phones (iPhone, Android, Symbian, webOS)

·         Used in major operating systems and applications (Apple OS X, Google Chrome and Chrome OS, Firefox)

Why do developers need structured data storage?

·         Applications need to store and retrieve data

·         In past and today, developers created their own file formats

·         But why reinvent the wheel for basic data storage?

·         SQLite is free, open, high quality and takes care of the messy details

Core SQLite characteristics (from their FAQ)

·         Transactions are atomic, consistent, isolated, and durable (ACID) even after system crashes and power failures.

·         Zero-configuration – no setup or administration needed.

·         A complete database is stored in a single cross-platform disk file.

·         Small code footprint: 190KiB – 325KiB fully configured

·         Cross-platform and easy to port to unsupported systems.

·         Sources are in the public domain. Use for any purpose.

·         Standalone command-line interface (CLI) client

SQL = Structured Query Language

·         SQL is the language used to interact with many databases, including SQLite

·         Basic functions: Create, Read, Update and Deleted (CRUD)

·         Transactions: Start a change and it either completes in entirety (commit) or not at all (rollback)

·         Very powerful, many variations

SQL – basic commands

·         SELECT – queries data from tables or tables

·         SELECT rowid, address, date, text FROM message;

·         INSERT INTO – adds data row to table

·         INSERT INTO message VALUES (NULL, ‘3128781100’, 1282844546, ‘text message’);

·         UPDATE – updates data rows in tables

·         UPDATE message SET date=1282846291 WHERE rowid=4;

·         DELETE – deletes data rows in tables

·         DELETE FROM message WHERE rowid=4;

·         Many good tutorials online

Viewing a SQLite database – command line

·         Command line apps

·         sqlite3 for full SQLite functions

·         sqlite_analyzer for db metadata

·         Linux/Mac/Windows versions

·         Represents latest version

·         Full source code and documentation

·         http://www.sqlite.org/download.html

Example sqlite3 session

Run sqlite3 on database file

ahoog@linux-wks-001:~/sqlite$ ./sqlite3 iPhone-3G-313-sms.db

SQLite version 3.7.4

Enter “.help” for instructions

Enter SQL statements terminated with a “;”

sqlite>

List tables in database

sqlite> .tables

_SqliteDatabaseProperties  msg_group

group_member               msg_pieces

message

Examine schema (structure) of message database

sqlite> .schema message

CREATE TABLE message (ROWID INTEGER PRIMARY KEY AUTOINCREMENT, address TEXT, date INTEGER, text TEXT, flags INTEGER, replace INTEGER, svc_center TEXT, group_id INTEGER, association_id INTEGER, height INTEGER, UIFlags INTEGER, version INTEGER, subject TEXT, country TEXT, headers BLOB, recipients BLOB, read INTEGER);

Example sqlite3 session – continued

View record “4” in 2 formats

sqlite> .headers on

sqlite> SELECT * FROM message WHERE ROWID = 4;

ROWID|address|date|text|flags|replace|svc_center|group_id|association_id|height|UIFlags|version|subject|country|headers|recipients|read

4|(312) 898-4070|1282844546|Sure is a nice day out |3|0||3|1282844546|0|4|0||us|||1

sqlite> .mode line

sqlite> SELECT * FROM message WHERE ROWID = 4;

ROWID = 4

address = (312) 898-4070

date = 1282844546

text = Sure is a nice day out

flags = 3

replace = 0

svc_center =

group_id = 3

association_id = 1282844546

height = 0

UIFlags = 4

version = 0

subject =

country = us

headers =

recipients =

read = 1

sqlite3_analyzer – very useful in forensic analysis

ahoog@linux-wks-001:~/sqlite$ ./sqlite3_analyzer iPhone-3G-313-sms.db

/** Disk-Space Utilization Report For iPhone-3G-313-sms.db

Page size in bytes……………….. 2048

Pages in the whole file (measured)…. 14

Pages in the whole file (calculated).. 14

Pages that store data…………….. 13          92.9%

Pages on the freelist (per header)…. 0            0.0%

Pages on the freelist (calculated)…. 0            0.0%

Pages of auto-vacuum overhead……… 1            7.1%

Number of tables in the database…… 7

Number of indices………………… 4

Number of named indices…………… 3

Automatically generated indices……. 1

Size of the file in bytes…………. 28672

Bytes of user payload stored………. 1833         6.4%

*** Page counts for all tables with their indices ********************

MESSAGE…………………………. 3           21.4%

SQLITE_MASTER……………………. 3           21.4%

_SQLITEDATABASEPROPERTIES…………. 2           14.3%

MSG_PIECES………………………. 2           14.3%

<snip>

Viewing a SQLite database – SQLite Database Browser

·         Freeware, public domain, open source visual tool used to create, design and edit database files compatible with SQLite

·         Windows/Linux/Mac

·         Support SQLite 3.x

·         Last updated 12/2009

·         http://sqlitebrowser.sourceforge.net/

·         Many other (free) options listed at: http://www.sqlite.org/cvstrac/wiki?p=ManagementTools

Viewing a SQLite database – SQLite Database Browser

Viewing a SQLite table – SQLite Database Browser

SQLite – database header format

·         The first 100 bytes of the database file comprise the database file header.

·         First 5 of 22 fields

SQLite – Organized in Pages

·         Database consists of one or more pages, logical units which store data

·         Pages are numbered beginning with 1

·         A page is one of the following:

B+tree and B-Tree formats – on-disk data structure

·         Data structure which represents sorted data in a way that allows for efficient insertion, retrieval and removal of records

·         Optimized for storage devices (vs. in memory) by minimizing the number of disk accesses.

·         In a B+tree, all data is stored in the leaves of the tree instead of in both the leaves and the intermediate branch nodes.

·         A single B-Tree structure is stored using one or more database pages. Each page contains a single B-Tree node.

B+Tree graphical representation

SQLite storage classes and data types

·         Only 5 storage classes/data types :

·         NULL:  The value is a NULL value.

·         INTEGER: The value is a signed integer, stored in 1, 2, 3, 4, 6, or 8 bytes depending on the magnitude of the value.

·         REAL: The value is a floating point value, stored as an 8-byte IEEE floating point number.

·         TEXT: The value is a text string, stored using the database encoding (UTF-8, UTF-16BE or UTF-16LE).

·         BLOB: The value is a blob of data, stored exactly as it was input.  Often used to store binary data

SQLite storage classes – on disk example

·         5 storage classes in hex on disk:

·         NULL: 0×00

·         INTEGER (4-byte): 0x4c76a782 = 1282844546

·         REAL: 0x41B1EC2EC004D9D7 = 300691136.018949

·         http://babbage.cs.qc.edu/IEEE-754/64bit.html

·         TEXT (ASCII): 0×53757265206973 = Sure is

·         BLOB: hard to represent binary here…see Text

Variable Integers – saving space, adding confusion

·         A variable-length integer or “varint” uses less space for small positive values.

·         Used in SQLite metadata (row headers, b-tree indexes, etc.)

·         A varint is between 1 and 9 bytes in length.

·         The varint consists of either zero or more byte which have the high-order bit set followed by a single byte with the high-order bit clear, or nine bytes, whichever is shorter. The lower seven bits of each of the first eight bytes and all 8 bits of the ninth byte are used to reconstruct the 64-bit twos-complement integer.

·         Varints are big-endian: bits taken from the earlier byte of the varint are the more significant and bits taken from the later bytes.

·         http://www.sqlite.org/fileformat.html#varint_format

·         Clear?  How about an example ->

Variable Integers – example

·         Let’s say you find the following hex varint: 0x8CA06F

–     Examine each bit, if > 0×80 then not the last byte

–     So, we have 3 bytes: 0x8C 0xA0 0x6F (since 0x6F < 0×80 it’s the last byte).  Here’s how to convert:

* MSB: Most significant bit (left most bit)

Freelist / Free page list

·         When information is deleted from the database, pages containing that data are not in active use.

·         Unused pages are stored on the freelist and are reused when additional pages are required.

·         Forensic value: “Freelist leaf pages contain no information. SQLite avoids reading or writing freelist leaf pages in order to reduce disk I/O.”

Rollback journal

·         Created when a database is going to be updated

·         The original unmodified content of that page is written into the rollback journal.

·         The rollback journal is always located in the same directory as the database file and has the same name as the database file but with the string “-journal” appended

·         Excellent source of forensic data if recoverable

·         Recoverable on many systems though some are now writing to tmpfs/RAM disks

Write Ahead Log (WAL)

·         New technique just introduced in 3.7.0

·         Generally faster and disk I/O is more sequential (which helps us in advanced recovery)

·         All changes to the database are recorded by writing frames into the WAL.

·         Transactions commit when a frame is written that contains a commit marker.

·         A single WAL can and usually does record multiple transactions.

·         Periodically, the content of the WAL is transferred back into the database file in an operation called a “checkpoint”.

·         Forensic value: recovery of WAL files

Record Format

·         A record contains a header and a body, in that order. The header:

–     begins with a single varint which determines the total number of bytes in the header. The varint value is the size of the header in bytes including the size varint itself.

–     Following the size varint are one or more additional varints, one per column. These additional varints are called “serial type” numbers and determine the datatype of each column

–     After the final header varint, the record data immediately follows

–     The 2-bytes prior to the start of the header correspond to the auto-increment integer assigned by the system (also a varint)

Record Format – visual representation

·         http://www.sqlite.org/fileformat.html#record_format

Record Format

Recovery from  allocated SQLite with strings

ahoog@linux-wks-001:~/sqlite$ strings iPhone-3G-313-sms.db | less

<snip>

msg_group

(314) 267-6611us

(920) 277-1869us

(312) 898-4070us

(312) 401-1679us

(414) 331-5030us

Piece of cake! Can’t wait to try em out on Sunday

text/plain

2text_0002.txt

image/jpeg

1IMG_6807.jpg?

Check out mccalister

text/plain

2text_0002.txt

image/jpeg

1IMG_6807.jpg

<snip>

Carving SQLite files

·         File header readily identifiable

·         Sample scalpel entry:

·         Other tools like FTK/EnCase also carve

·         Carving SQLite files – OS specific findings

·         iOS

·         Good recovery of both allocated and “latent” SQLite files

·         Android

–   Excellent recovery but high repetition due to log-structured file system repeating SQLite header

·         Other common file systems

–   Good recovery form typical magnetic media device running FAT, FAT32, NTFS, HFS, etc.

SQLite in Hex (really the only way to look at it)

0002270: 0000 0000 0000 0000 004d 0d12 0029 0445  ………M…).E

0002280: 0101 0001 0401 0101 0011 0000 0128 3331  ………….(31

0002290: 3229 2038 3938 2d34 3037 304c 77d8 a257  2) 898-4070Lw..W

00022a0: 696c 6c20 796f 7520 676f 2067 6574 206d  ill you go get m

00022b0: 6520 6120 636f 6666 6565 3f03 0003 4c77  e a coffee?…Lw

00022c0: d8a2 0000 0075 7301 3f0c 1200 2904 2901  …..us.?…).).

Advanced Technique

·         Use well defined SQLite structure to develop a program to recover SQLite rows

·         Row header and data values “decay” over time due to

·         Being (partially) re-allocated

·         Fragmentation

·         Compensated for this with simple probability engine which determined likelihood sequence of bytes represented header row we are interested in

·         Underlying file system can have great impact, from FAT, HFSplus (iPhone) and YAFFS2 (Android)

·         Look for journal files and WAL data too

contact us

Andrew Hoog, CIO
http://viaforensics.com
1000 Lake St, Suite 203
Oak Park, IL 60301
Tel: 312-878-1100   |   Fax: 312-268-7281