
MacLockPick II (MLP) by SubRosaSoft (makers of MacForensicLab) takes a unique approach to forensic acquisition. The goal of MLP is to provide a cross-platform forensic solution that performs a live acquisition of a suspect machine after the USB device is inserted. The information is stored on the USB device and software is provided to analyze the results. The solution supports plug-ins for many acquisition types; however, only the iPhone plug-ins were tested.
MLP does not work directly on the iPhone and instead targets the backup directory where the iPhone stores most files as MDBACKUP files. The following data is recoverable:
After familiarizing myself with MLP’s approach to forensic acquisition, the setup was quite simple. Initially, you must license the device by running a program to generate a key file and sending it to SubRosaSoft. They will then send you an .inf file which must be placed on the root of the USB key. I had to follow this process at a later time (after I updated the MLP executables), but the device initially arrived licensed.
After you insert the device on a computer, you can explore the drive and run various programs. To configure the acquisition process, I ran MacLockPick Setup (OS X) on my Mac 10.5.6 computer. The program read the device configuration and allowed me to select what type of data I wanted to acquire from the target device. I chose Apple Mobile and Apple Mobile Pictures.
After quitting this application (which saved the settings, although that was not initially apparent from the interface), the device was ready to acquire data from target computers.
I did receive a few application updates from SubRosaSoft during the testing and, as mentioned above, I eventually had to complete the licensing process by running MacLockPick Authenticator and following the steps. This process was intuitive. However, afterwards I had trouble running the updated software on the original Windows XP target and eventually switched to a different computer. I also had several problems updating the software and finally moved the entire contents of the device to an “old” folder and extracted the contents of the updated .zip file from a Mac instead of a Windows XP computer. This resolved some of the issues and eventually I was able to proceed running the updated software.
With the device licensed and software updated, the acquisition process was quite simple. After inserting the device into the target Windows XP computer and running Autoplay, my entire screen was taken over by MLP.
The acquisition only took a few minutes, after which I removed the drive and placed it into an analysis computer (Mac) to review the results.
I ran the MacLockPick Reader on my Mac where I was prompted to open a keylog file.
After selecting the file from the MLP device output directory, I was presented with the main MLP window which allowed me to examine the results, search and export/report on the data.
The user interface is simple and allows for quick searches but I found that I wanted access to more information such as the raw files recovered. The reports generated quickly but were basically text file representations of the analysis window. There was an option to export to HTML which I could tell would contain much more data if a full computer acquisition was performed.
Finally, the latest version extracted the pictures found in the backup directory and placed them in a subdirectory for direct review. Below is a screenshot of the folder using Apple’s Cover Flow view in Finder.
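The approach described above, in which the tool works from the iPhone backup directory on the host rather than from the phone itself, hashes the backup files and pulls pictures out into a folder for review, can be illustrated with a small inventory script. The following is an added example and is not MacLockPick's own code or SubRosaSoft's; it treats each `.mdbackup` file as an opaque blob (the page says nothing about the internal format, so the image sniffing on the leading bytes is a simplification), and the `Info.plist` key names (`Device Name`, `Product Type`, `Unique Identifier`) are assumptions that only hold here because the constructed sample plist defines them. The sample backup it builds in a temporary directory is constructed data, not output from a real device.

```python
import hashlib
import plistlib
import tempfile
from pathlib import Path

# Magic bytes of the two image formats this example recognises.
IMAGE_SIGNATURES = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
}

# ASSUMPTION: these Info.plist key names are not stated on the page; they work
# here only because the constructed sample plist below defines them.
DEVICE_KEYS = ("Device Name", "Product Type", "Unique Identifier")


def sniff_image_type(head: bytes):
    """Return 'jpeg', 'png' or None based on the leading bytes of a blob."""
    for magic, kind in IMAGE_SIGNATURES.items():
        if head.startswith(magic):
            return kind
    return None


def hash_file(path: Path):
    """MD5 and SHA-1 of a file, streamed so large backups need not fit in RAM."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def read_device_info(backup_dir: Path) -> dict:
    """Pull the device-identifying keys from Info.plist, if one is present."""
    info_path = backup_dir / "Info.plist"
    if not info_path.is_file():
        return {}
    with info_path.open("rb") as fh:
        info = plistlib.load(fh)
    return {key: info[key] for key in DEVICE_KEYS if key in info}


def inventory_backup(backup_dir: Path) -> list:
    """One record per .mdbackup file: name, size, hashes and detected image type."""
    records = []
    for path in sorted(backup_dir.iterdir()):
        if path.suffix != ".mdbackup":
            continue  # Info.plist, Manifest.plist etc. are metadata, not backed-up files
        md5, sha1 = hash_file(path)
        with path.open("rb") as fh:
            head = fh.read(16)
        records.append({"name": path.name, "size": path.stat().st_size,
                        "md5": md5, "sha1": sha1, "image": sniff_image_type(head)})
    return records


def extract_pictures(backup_dir: Path, records: list, out_dir: Path) -> list:
    """Copy image-bearing backup files into out_dir with a usable extension.
    The originals are read only, never modified, so their hashes stay valid."""
    out_dir.mkdir(parents=True, exist_ok=True)
    written = []
    for rec in records:
        if rec["image"] is None:
            continue
        target = out_dir / f"{rec['name']}.{rec['image']}"
        target.write_bytes((backup_dir / rec["name"]).read_bytes())
        written.append(target.name)
    return written


def build_sample_backup(backup_dir: Path) -> None:
    """CONSTRUCTED sample data: a tiny fake backup, not from a real device."""
    with (backup_dir / "Info.plist").open("wb") as fh:
        plistlib.dump({"Device Name": "Sample iPhone", "Product Type": "iPhone1,2",
                       "Unique Identifier": "PLACEHOLDER-UDID"}, fh)
    (backup_dir / "aaaa.mdbackup").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 32)  # JPEG-like
    (backup_dir / "bbbb.mdbackup").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)  # PNG-like
    (backup_dir / "cccc.mdbackup").write_bytes(b"")  # empty file: the edge case a hasher must not skip
    (backup_dir / "Manifest.plist").write_bytes(b"not a backed-up file")


def demo():
    """Build the sample backup in a temporary directory and inventory it."""
    with tempfile.TemporaryDirectory() as tmp:
        backup_dir = Path(tmp) / "backup"
        backup_dir.mkdir()
        build_sample_backup(backup_dir)
        info = read_device_info(backup_dir)
        records = inventory_backup(backup_dir)
        pictures = extract_pictures(backup_dir, records, Path(tmp) / "pictures")
        return info, records, pictures


if __name__ == "__main__":
    device, recs, pics = demo()
    print("Device:", device)
    for rec in recs:
        print(f"{rec['name']:16} {rec['size']:>6} {rec['sha1']}  image={rec['image']}")
    print("Extracted pictures:", pics)
```

Pointing `inventory_backup` and `extract_pictures` at a real backup directory instead of the constructed one gives the same three things the review asks of a triage tool: a hash list over the backup files, the device identity from `Info.plist`, and the pictures in a browsable folder, while leaving the original files untouched.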
The following are the results from the MacLockPick tests.
Table 1.1. MacLockPick Matrix of Results
| Scenario | MacLockPick Results | Ranking | Results |
|---|---|---|---|
| Call Logs | 100 | 3 | Meet |
| SMS | 262 | 3 | Meet |
| Contacts | 1282 | 3 | Meet |
| | 0 | 0 | Miss |
| Calendar | 0 | 0 | Miss |
| Notes | 1 | 3 | Meet |
| Pictures | 41 | 3 | Meet |
| Songs | 0 | 0 | Miss |
| Web History | 0 | 0 | Miss |
| Bookmarks | 0 | 0 | Miss |
| Cookies | 0 | 0 | Miss |
| App Info | 0 | 0 | Miss |
| Google Maps | 0 | 0 | Miss |
| Voicemail | 0 | 0 | Miss |
| Password | 7 | 3 | Meet |
| Plists/XML | 0 | 0 | Miss |
| Phone Info | Yes | 3 | Meet |
| Video | 0 | 0 | Miss |
| Podcasts | 0 | 0 | Miss |
| Speed Dials | 0 | 0 | Miss |
| VPN | Some | 2 | Below |
| Bluetooth | Some | 2 | Below |
| GPS | 0 | 0 | Miss |
| File Hashes | From backup files | 1 | Below |
| YouTube | 0 | 0 | Miss |
| HTML | 0 | 0 | Miss |
| Office Docs | 0 | 0 | Miss |
MacLockPick is a “triage” forensic tool targeted at first responders on-site at the scene of a crime or incident. It performs a fast, efficient acquisition of the target computer and is packaged as an easy-to-transport USB key device. However, without support for direct acquisition of the iPhone, much of the data is missing. The reporting interface is also designed for a fast analysis of the data and as such does not contain the sophistication found in other tools.
The following ranking establishes MacLockPick’s overall rating of 1.4 on the four criteria established at the beginning of this white paper.
Table 1.2. MacLockPick Rankings
| Area | Weight | Rank |
|---|---|---|
| Installation | 0.1 | 3.0 |
| Acquisition | 0.2 | 3.0 |
| Reporting | 0.3 | 1.0 |
| Accuracy | 0.4 | 1.0 |
| TOTAL | | 1.4 |
Andrew Hoog, Chief Investigative Officer of viaForensics, is a recognized computer scientist and forensic analyst and former chief information officer of a $750 million multinational corporation. He has led investigations, contributed to policy development and lectured at corporations, attorneys’ associations and law enforcement agencies about the computer forensic discipline. He maintains a computer forensics and E-discovery glossary, authors computer/mobile forensic how-to guides and is now writing a book about Android forensics. He is the original author of this groundbreaking white paper on iPhone Forensics that has gained recognition throughout the industry.
Kyle Gaffaney is a third year law student at Loyola University of Chicago School of Law. Kyle also has degrees in Accounting and Management Information Systems from the University of Minnesota Carlson School of Management. Prior to law school Kyle served as a staff accountant at a financial management firm.
viaForensics is an innovative computer/mobile forensic and e-discovery company providing expert consulting services to corporations, law firms, law enforcement and government agencies.
Beyond servicing our clients’ immediate needs, the company focuses on groundbreaking research in areas such as mobile forensics, SQLite forensics, data visualization and general education on forensics by regularly posting HOWTOs, glossary terms and the results of our research, accessible at viaforensics.com.