This presentation was delivered in September 2011 at the High Technology Crime Investigation Association (HTCIA) Annual conference



iPhone Forensics with F/OSS

A HOWTO for iPhone Forensics with free and/or open source tools

Qualifications
Presentation Goals
iPhone Forensics with F/OSS tools

• Commercial Tools exist but there are a growing number of F/OSS tools
• A Mac (OS X) or Linux workstation is used for many of these programs
• Focus on step-by-step examples

Open source (MIT) iPhone backup analyzer by Mario Picci (http://ipbackupanalyzer.com/)

• Decodes files, presents them in a hierarchical view, and offers some search and conversion functions
• Plist files are shown (binary plist files are automatically converted to ASCII format)
• Image files are shown
• SQLite files are shown with the list of the tables they contain; clicking a table in that list dumps its content in the main UI
• Unknown data files are shown as hex/ASCII dumps

iTunes Backup Directories
Mac OS X: ~/Library/Application Support/MobileSync/Backup/
Windows XP: \Documents and Settings\(username)\Application Data\Apple Computer\MobileSync\Backup\
Windows Vista, Windows 7: \Users\(username)\AppData\Roaming\Apple Computer\MobileSync\Backup\
Linux Install
On Ubuntu Workstation
——————————
sudo apt-get update
sudo apt-get install python-tk python-imaging python-imaging-tk git
Install pyttk
- Download: http://pypi.python.org/pypi/pyttk/
- Extract: tar xzvf pyttk-0.3.2.tar.gz
- cd pyttk-0.3.2/
- Install: sudo python setup.py install
git clone git://github.com/PicciMario/iPhone-Backup-Analyzer
cd iPhone-Backup-Analyzer/
./main.py -d ~/Desktop/8737684969e72eccf5ff0cafed21b15ec1cb6d4d/
Zdziarski’s iOS forensic tools
Free for qualified law enforcement and government agencies

• Based on F/OSS software and research (Cyanide, etc)
• Physical acquisition
• Logical acquisition
• PIN bypass
• Decrypts the encrypted files / slice
– iOS 3.x: fully decrypt slice, gets unallocated
– iOS 4.x: decrypts files, not unallocated (mostly)
• Decrypt Keychain
• Working on recovering deleted keys
with F/OSS
• @0naj iphone-dataprotection tools (Python and C)
– Brute force PIN code on device
– Recover device encryption keys
– Decrypt the keychain, all dataprotection encrypted files
– Scrape the HFS journal for deleted content
– Decrypt the entire raw disk
– Included with Jonathan Zdziarski’s toolset, or available separately to developers:
• http://code.google.com/p/iphone-dataprotection/
Mount the dmg image read-only (Linux)
• Determine file system offset in dd image:
• Mount HFS partition read only:
• Make sure file system was mounted
• Can check disk usage
• The Sleuth Kit by Brian Carrier
– Brian is the author of the excellent book File System Forensic Analysis (FSFA)
– Actively maintained; version 3.2.2 was just released (06/13/2011)
– Supports NTFS, FAT, UFS 1, UFS 2, EXT2FS, EXT3FS, and ISO 9660
– http://sleuthkit.org/
• Install:
• Programs to start with:
– mmls – Media Management ls, generally partition info:
• fsstat – File system info
• fls – Forensic list
– Power utility which can list allocated/deleted files
– Provides offset so recovery is possible
– Build MACB for timeline analysis
– analyst@ubuntu:/mnt/hgfs/Desktop$ fls -z CST6CDT -s 0 -m '/' -f hfs -r -i raw iPhone-3g-313.dmg > ~/iPhone-timeline.body
human friendly
• analyst@ubuntu:/mnt/hgfs/Desktop$ mactime -b ~/iPhone-timeline.body -z CST6CDT -d > ~/iPhone-timeline.csv
– Takes body file and turns into CSV or other format
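To make the fls/mactime step concrete, here is an added example (not from the slides or from The Sleuth Kit) that parses a constructed TSK body file and expands it into a MACB timeline the way mactime does; the sample paths and timestamps are made up.

```python
# Added example (not from the slides): a tiny re-implementation of the
# fls -m body file -> mactime timeline step, so the MACB expansion is visible.
import csv
import io
from datetime import datetime, timezone

# Constructed sample in TSK 3.x body format (one file per line):
# MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
SAMPLE_BODY = """\
0|/private/var/mobile/Library/SMS/sms.db|1234|r/rrw-r--r--|501|501|28672|1315430400|1315434000|1315434000|1300000000
0|/private/var/mobile/Library/AddressBook/AddressBook.sqlitedb|1250|r/rrw-r--r--|501|501|65536|1315434000|1315434000|1315434000|1315434000
0|/private/var/mobile/Media/DCIM/100APPLE/IMG_0001.JPG (deleted)|9876|r/rrw-r--r--|501|501|204800|1315000000|1315000000|1315001000|1314999000
"""

def parse_body(text):
    """Parse body lines into dicts; lines without exactly 11 fields are skipped."""
    entries = []
    for line in text.splitlines():
        f = line.split("|")
        if len(f) != 11:
            continue
        entries.append({"name": f[1], "inode": f[2], "mode": f[3], "uid": f[4],
                        "gid": f[5], "size": int(f[6]), "a": int(f[7]),
                        "m": int(f[8]), "c": int(f[9]), "b": int(f[10])})
    return entries

def build_timeline(entries, tz=timezone.utc):
    """One row per distinct timestamp per file, flagged m/a/c/b like mactime's
    Type column. Rows sort by time then path; unset (0) timestamps give no event."""
    rows = []
    for e in entries:
        for t in sorted({e["m"], e["a"], e["c"], e["b"]} - {0}):
            macb = "".join(k if e[k] == t else "." for k in "macb")
            when = datetime.fromtimestamp(t, tz).strftime("%Y-%m-%d %H:%M:%S")
            rows.append((t, when, e["size"], macb, e["mode"], e["uid"], e["gid"],
                         e["inode"], e["name"]))
    rows.sort(key=lambda r: (r[0], r[-1]))
    return [r[1:] for r in rows]

def timeline_csv(entries, tz=timezone.utc):
    """Render the timeline as CSV with mactime -d style columns."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["Date", "Size", "Type", "Mode", "UID", "GID", "Meta", "File Name"])
    w.writerows(build_timeline(entries, tz))
    return buf.getvalue()

if __name__ == "__main__":
    print(timeline_csv(parse_body(SAMPLE_BODY)))
```

Pass a zoneinfo object such as ZoneInfo("CST6CDT") as tz to reproduce the slide's -z CST6CDT setting.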
Log2timeline
• Kristinn Gudjonsson developed this software
– Written in Perl (trying to convince him to move to Python)
– Extracts timeline artifacts from many file types including
• Evt/Evtx, registry, $MFT, prefetch, browser history, etc. (46 and climbing)
– 10+ export formats
– http://log2timeline.net/

• Install log2timeline on Ubuntu 10.10 (lucid)
– sudo add-apt-repository "deb http://log2timeline.net/pub/ lucid main"
– wget -q http://log2timeline.net/gpg.asc -O- | sudo apt-key add -
– sudo apt-get update
– sudo apt-get install log2timeline-perl
Log2timeline
• sudo timescanner -d /home/analyst/mnt/hfs/ -z CST6CDT -w ~/iPhone-log2timeline.csv
– 218 artifacts (either files or directories).
– Run time of the script 24 seconds.

• If you output in body format, you can combine it with TSK’s fls output and generate a full timeline of file system and file metadata (sometimes referred to as a “Super Timeline”)
Scalpel
• Download scalpel src at:
• wget http://www.digitalforensicssolutions.com/Scalpel/scalpel-2.0.tar.gz
• Compile
– tar xzvf scalpel-2.0.tar.gz
– cd scalpel-2.0/
– sudo apt-get install libtre-dev libtre5
– ./configure; make
– sudo cp scalpel /usr/local/bin

• Run scalpel
$ scalpel -c ~/scalpel.conf iPhone-3g-313.dmg

• Examine data in “scalpel-output” directory
Sample scalpel.conf
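The slide's sample configuration did not survive extraction, so here is an added example (not scalpel's own code or its shipped scalpel.conf) that reads one rule written in scalpel.conf syntax and carves SQLite databases from a constructed buffer; the rule, the max size and the sample image are assumptions.

```python
# Added example (not from the slides): a minimal scalpel-style header carver that
# reads one scalpel.conf rule and carves SQLite databases from a constructed buffer.
import re

# Constructed rule in scalpel.conf syntax: ext  case(y/n)  max_size  header  [footer]
# The "sqlitedb" name matches the scalpel-output/sqlitedb-* directories shown later.
SQLITE_RULE = r"sqlitedb  y  256  SQLite\sformat\s3\x00"

def decode_pattern(s):
    """Decode scalpel.conf escapes: \\s is a space and \\xHH a raw byte."""
    out, i = bytearray(), 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s) and s[i + 1] == "s":
            out.append(0x20); i += 2
        elif s[i] == "\\" and i + 3 < len(s) and s[i + 1] == "x":
            out.append(int(s[i + 2:i + 4], 16)); i += 4
        else:
            out.append(ord(s[i])); i += 1
    return bytes(out)

def parse_rule(line):
    """Split a rule line into (ext, case_sensitive, max_size, header, footer-or-None)."""
    parts = line.split()
    ext, case, size = parts[0], parts[1] == "y", int(parts[2])
    header = decode_pattern(parts[3])
    footer = decode_pattern(parts[4]) if len(parts) > 4 else None
    return ext, case, size, header, footer

def carve(data, rule):
    """Return [(offset, carved_bytes)] for every header hit; a chunk ends at the
    footer if one is given and found, else after max_size bytes (or end of data)."""
    ext, case, size, header, footer = parse_rule(rule)
    flags = 0 if case else re.IGNORECASE
    hits = []
    for m in re.finditer(re.escape(header), data, flags):
        start, end = m.start(), min(m.start() + size, len(data))
        if footer:
            f = data.find(footer, start + len(header), end)
            if f != -1:
                end = f + len(footer)
        hits.append((start, data[start:end]))
    return hits

# Constructed "disk image": two SQLite headers buried in filler bytes.
SAMPLE_IMAGE = (b"\x00" * 100 + b"SQLite format 3\x00" + b"A" * 200 + b"\x00" * 50
                + b"SQLite format 3\x00" + b"B" * 30)

if __name__ == "__main__":
    for i, (off, chunk) in enumerate(carve(SAMPLE_IMAGE, SQLITE_RULE)):
        print(f"{i:08d}.sqlitedb at offset {off}, {len(chunk)} bytes")
```

Without a footer every hit is carved to max_size, which is why carved databases often carry trailing unrelated bytes and why the later grep step over scalpel-output is still needed to pick out the files of interest.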
Hex viewer
• Usage:
$ xxd iPhone-3g-313.dmg | less

• To automatically skip runs of zero bytes:
$ xxd -a iPhone-3g-313.dmg | less

Hex editor
• Usage:
$ hexedit iPhone-3g-313.dmg

• Once in hex editor:
– “/” = search hex/ASCII string (in “hexedit” use tab to change between ASCII and hex searches)
– q = exit hex editor
– h = help

• Can quickly locate potential evidence

• Other tools also available (hexeditor and many others)

Grep Command
• Searches through a file (or many files/folders) for a specified keyword(s)

• Grep is case sensitive by default
$ grep amr iPhone-3g-313.dmg

• To search case-insensitively (more time consuming):
$ grep -i AmR iPhone-3g-313.dmg

• Can search for a phrase in quotes; -a treats the binary image as text so the matching lines are printed, and -A/-B add lines of context after/before each match
$ grep "Trace File" iPhone-3g-313.dmg
$ grep -a "Trace File" iPhone-3g-313.dmg
$ grep -a -A 1 -B 1 "Trace File" iPhone-3g-313.dmg
Grep Command (continued)
• Can also be used to search through many files

• Grep recursively through all files in the user’s home directory for a keyword (the slide searches for 312493):

analyst@ubuntu:~$ grep -R 312493 *
Binary file scalpel-output/sqlitedb-9-0/00001.db matches
Binary file scalpel-output/sqlitedb-9-0/00017.db matches

Find all SMS database files among the scalpel output by grepping for a string from the iPhone sms.db schema:
analyst@ubuntu:~$ grep -R svc_center sqlite*

“Strings” Command
• Strings is a powerful utility to extract ASCII or Unicode strings from binary data

• Can be run against a file or a full disk image
$ strings iPhone-3g-313.dmg > iPhone.str
$ strings iPhone-3g-313.dmg | less

• Can also extract 16-bit big-endian Unicode strings (-e b):
$ strings -e b iPhone-3g-313.dmg | less

“Strings” does more than ASCII
• Strings is designed to extract ASCII and Unicode
– 7-bit ASCII, 8-bit ASCII
– 16-bit big-endian and little-endian
– 32-bit big-endian and little-endian
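To show why the default run misses UTF-16 text and why -e b and -e l each find only their own byte order, here is an added example (not from the slides or from GNU binutils) that re-implements the core of strings -e over a constructed blob; the sample bytes are made up.

```python
# Added example (not from the slides): a small re-implementation of what
# `strings -e <enc>` does, to show why plain `strings` misses UTF-16 text
# and why -e b / -e l each find only their own byte order.

# Constructed sample blob: an ASCII token, a UTF-16BE string and a UTF-16LE
# string, separated by non-printable filler bytes.
SAMPLE_DATA = (b"\x00\x01" + b"svc_center" + b"\x00\xff"
               + "Trace File".encode("utf-16-be") + b"\x00\x00"
               + "sms.db".encode("utf-16-le") + b"\x00\x00\x00")

# GNU strings -e letters: s = 7-bit ASCII, b/l = 16-bit big/little endian,
# B/L = 32-bit big/little endian, mapped to (unit size, byte order).
ENCODINGS = {"s": (1, "big"), "b": (2, "big"), "l": (2, "little"),
             "B": (4, "big"), "L": (4, "little")}

def extract_strings(data, encoding="s", min_len=4):
    """Return [(offset, text)] for runs of at least min_len printable characters.
    Like GNU strings, the data is walked in fixed units of the chosen width,
    and a character counts as printable if it is 0x20-0x7E or a tab."""
    unit, order = ENCODINGS[encoding]
    results, run, run_start = [], [], 0
    for off in range(0, len(data) - unit + 1, unit):
        code = int.from_bytes(data[off:off + unit], order)
        if 0x20 <= code <= 0x7E or code == 0x09:
            if not run:
                run_start = off
            run.append(chr(code))
        else:
            if len(run) >= min_len:
                results.append((run_start, "".join(run)))
            run = []
    if len(run) >= min_len:          # flush a run that reaches end of data
        results.append((run_start, "".join(run)))
    return results

if __name__ == "__main__":
    for enc in "sbl":
        print(f"-e {enc}:", extract_strings(SAMPLE_DATA, enc))
```

Each encoding finds exactly one of the three embedded strings, which is the practical reason to run strings once per encoding over an image.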

• From the strings manual page:
Decrypting data – step 1
• Scenario: imaged iPhone and application has encrypted data which you need to view.

• Our solution (but other approaches may work)
• Noted app data was encrypted
• Analyzed symbol table for app, saw entries such as:
• 00091033 t -[NSData(AESAdditions) AES256DecryptWithKey:]
• 00092015 t -[NSData(AESAdditions) AES256EncryptWithKey:]
• 0009aA07e t -[NSData(AESAdditions) keyBytes:]
• 00034261 t +[NSData(Base64) dataFromBase64String:]
• 00034410 t -[NSData(Base64) base64EncodedString]

• Determined the app stored its key in the Keychain, so cracked the keychain and found an entry with a Base64-encoded key
• Decoded the Base64 key
• Wrote a quick program that called the “AES256DecryptWithKey” API with the encrypted file and the decoded AES key to access the data

• F/OSS Tools used:
• Zdziarski’s techniques to physically image device, crack keychain
• Strings to determine encryption technique
• Xcode from Apple to write the decrypt program

Andrew Hoog
Chief Investigative Officer
ahoog@viaforensics.com

http://viaforensics.com

Main Office:
1000 Lake St, Suite 203
Oak Park, IL 60301
Tel: 312-878-1100 | Fax: 312-268-7281