Nytro

IOS Forensics


POSTED IN FORENSICS ON JULY 25, 2017
 

1. INTRODUCTION

Smartphones and tablets are becoming more popular by the day, and the technology used to add new features to them or to improve their security is advancing just as fast. The iPhone and iPod were game-changing products launched by Apple, and devices running Apple's operating system (iOS) have grown popular in the mobile world. Current smartphones and tablets can perform most of the tasks that used to require a laptop or a desktop computer. iOS devices provide large storage space that can hold emails, browsing histories, chat histories, Wi-Fi data, GPS data and more. From the forensics perspective, such devices can present many useful artifacts during an investigation. There are well-defined procedures to extract and analyze data from iOS devices, and they are covered in this paper. The paper is divided into the following sections: an introduction to forensic processes focused on mobile forensics, extracting logical and physical data from iOS devices, iOS file system and storage analysis, analysis of logical data, data from iTunes and iCloud backups, and Wi-Fi and GPS data.

2. AN OVERVIEW OF MOBILE FORENSICS PROCESSES

Mobile forensics is the branch of digital forensics focused on mobile devices, a field that is growing very fast. With the exponential growth of the mobile market, the importance of mobile forensics has increased as well. A mobile phone generally belongs to a single person, so analysis of it can reveal a great deal of personal information.

This rapid growth also introduces challenges. New models are designed and launched at a very high rate, which makes it difficult to follow the same procedure every time. Each case or investigation involving a new model needs to be considered separately and may require steps that are different and unique to that case. Despite these challenges, syncing a mobile phone to a computer with software is easy, and one can extract data such as SMS, contacts, installed applications, GPS data, emails and deleted data.

2.1 Collection

The following steps are recommended during the collection of a mobile device:

  • Note the location from which the mobile was collected. It is good practice to photograph the location and the mobile phone before doing anything else.
  • Note the status of the device: whether it is powered off or on. If it is powered on, check the battery status and the network status, and check whether the screen is locked.
  • Search for the SIM package and any cables located nearby.

2.2 Preservation

Preservation of evidence is a crucial step in digital forensics, since it is essential to maintain evidence integrity throughout the investigation. For mobile forensics the following steps are good practice:

  • An attacker could remotely wipe data, or any new activity could overwrite existing data, so the first step should be to isolate the mobile device from the network. Depending on the scenario, this can be done by:
    - Removing the SIM card
    - Switching to Airplane mode
    - Using a Faraday bag or a jammer
  • Chain of Custody – The chain of custody is the document that records each handling of the digital evidence from collection to presentation. It includes details such as serial number, case number, locker number, investigator's name, time and date of each step, and details of evidence transportation. It is crucial because it keeps track of the digital evidence.
  • Hashing – Hashing is the method used to prove the integrity of the evidence. MD5 and SHA are widely used algorithms for calculating hash values of evidence. As previously mentioned, it is almost impossible to interact with a mobile device without altering it, but we can calculate the hash value of the data extracted through logical extraction, or of the image file produced by physical extraction.

2.3 Acquisition

There are three methods used for data extraction from iOS devices. An overview of each is given below.

  • Physical – A bit-for-bit copy of the device, which allows deleted data to be recovered. Unfortunately, in mobile forensics it is not always possible to use this method.
  • File system – This method extracts the files that are visible at the file system level.
  • Logical – This method extracts particular files from the file system, such as a backup taken using iTunes.

Sometimes it is necessary to perform offensive techniques such as password cracking or jailbreaking.

3. IOS DEVICES AND FILE SYSTEM

Apple developed an operating system for the iPhone, iPad and iPod Touch known as iOS. Devices running iOS are called iOS devices.

3.1 iOS Devices

iPhone

The most famous iOS device is the iPhone, which became very popular due to its look, camera and features.

A total of 17 iPhone models have been launched to date. The table below shows the latest iPhone models released and their specifications.

iPhone Model | Camera Spec | Cellular radio | CPU Spec | Firmware | RAM | Storage
iPhone 5 | Front 1.2 Mp, Rear 8.0 Mp | Up to LTE (4G) | 1.2 GHz, ARMv7s | iOS 6.0 | 1 GB | 16/32/64 GB
iPhone 5s | Front 1.2 Mp, Rear 8.0 Mp | Up to LTE (4G) | 1.3 GHz, ARMv8 | iOS 7.0 | 1 GB | 16/32/64 GB
iPhone 6 | Front 1.2 Mp, Rear 8.0 Mp | Up to LTE (4G) | 1.38 GHz, ARMv8 | iOS 7.0 | 1 GB | 16/32/64 GB
iPhone 6s | Front 5 Mp, Rear 12.2 Mp | Up to LTE (4G) | 1.85 GHz, ARMv8 | iOS 9.0 | 2 GB | 16/32/64 GB
iPhone SE | Front 1.2 Mp, Rear 12.2 Mp | Up to LTE (4G) | 1.85 GHz, ARMv8 | iOS 9.3 | 2 GB | 16/32/64/128 GB
iPhone 7 | Front 7 Mp, Rear 12.2 Mp | Up to LTE (4G) | 2.34 GHz, ARMv8 | iOS 10 | 2 GB | 32/64/128 GB

Table. Latest iPhone models and specifications

iPhone 6, iPhone 6s, iPhone 6 Plus, iPhone 6s Plus, iPhone SE, iPhone 7 and iPhone 7 Plus are the iPhone models which are currently on the market and very popular due to their features.

iPad

After the huge success of the iPhone, Apple launched the iPad tablet. The first model was simply named iPad, or first-generation iPad. It was released after the iPhone 3GS and before the iPhone 4. The table below shows the latest iPad models and their specifications.

iPad Model | Camera Spec | Cellular Radio | CPU Spec | Firmware | RAM | Storage
iPad Air | Rear 5 Mp | Up to LTE (4G) | 1.4 GHz, ARMv8 | iOS 7.0.3 | 1 GB | 16/32/64/128 GB
iPad Air 2 | Rear 8 Mp | Up to LTE (4G) | 1.5 GHz, ARMv8 | iOS 8.1 | 2 GB | 16/64/128 GB
iPad Pro | Rear 8 Mp | Up to LTE (4G) | 2.2 GHz, ARMv8-A | iOS 9.1 | 4 GB | 32/128/256 GB
iPad (5th Gen) | Rear 8 Mp | Up to LTE (4G) | 1.85 GHz, ARMv8 | iOS 10.3 | 2 GB | 32/128 GB
iPad Pro (2nd Gen) | Rear 12 Mp | Up to LTE (4G) | 2.38 GHz, ARMv8 | iOS 10.3.2 | 4 GB | 64/256/512 GB
iPad mini 4 | Rear 8 Mp | Up to LTE (4G) | 1.49 GHz | iOS 9.0 | 2 GB | 16/64/128 GB

Table. Latest iPad models and specifications

iPod

The first iPod was launched by Apple in 2001. It was known as the "first generation", and subsequent models have been referred to as "second generation" and so on. It was initially launched as a music player; as it evolved, it also gained the ability to play videos and games.

Because of the smart features of the iPod models listed below, an examiner is likely to come across an iPod during a forensic investigation. An examiner can retrieve forensic data from the storage, browser, gallery, etc. of an iPod.

The iPod touch has the following features: camera, Wi-Fi capability, Safari web browser, storage and playback for audio, video and photos, a YouTube player, and apps that can be installed from the App Store.

The iPod evolution chart is shown below.


Figure. iPod Evolution Chart

3.2 iOS File System

HFS+ File system

Apple developed the Hierarchical File System (HFS) to handle large data sets. A disk formatted with HFS has 512-byte blocks at the physical level.

There are two types of blocks in HFS.

Logical blocks are numbered from first to last within the volume. They are also 512 bytes in size, the same as physical blocks.

Allocation blocks are groups of logical blocks used to track data. Allocation blocks are further grouped together into clumps to reduce fragmentation on the volume.

HFS uses both absolute time (local time) and UNIX time, so one can identify the location of the system.

The HFS file system uses a catalog file to organize data, structured as a B*-tree (balanced tree). The tree consists of nodes; when data is added or deleted, an algorithm runs to keep the tree balanced.


Figure. Structure of HFS+ File system

  • As seen in the figure above, the first 1024 bytes are reserved boot blocks.
  • Volume Header – It contains information about the structure of the HFS volume. It keeps track of catalog ID numbering and increments it by one each time a file is added. The HFS+ volume header also contains the signature "H+".
  • Allocation file – It keeps track of the allocation blocks used by the file system. It is basically a bitmap in which each bit represents the status of one allocation block: if the bit is set to 1 the allocation block is in use, and if it is 0 the allocation block is free.
  • Extents Overflow file – It holds pointers to the extents of a file that do not fit in the file's catalog record. If a file is larger than eight contiguous allocation blocks, the additional extents are stored here.
  • Catalog File – It organizes data using the balanced tree structure mentioned previously. It is used to find the location of a file or folder within the volume. It also contains file metadata such as creation and modification dates and permissions.
  • Attributes File – It contains the customizable attributes of a file.
  • Startup File – It assists in booting systems that do not have built-in ROM support.
  • Actual data is stored in the file system and tracked by it.
  • Alternate Volume Header – It is a backup of the volume header, located in the last 1024 bytes of the volume, and is 512 bytes long.
  • The last 512 bytes are reserved.

HFSX File System

The HFSX file system is a variation of HFS+ that is used in Apple mobile devices. The only difference is that it is case sensitive, which allows two files with the same name but different case to coexist.
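As an added example (not from the article), the following Python script parses a constructed HFS+/HFSX volume header at byte 1024, reads the allocation-file bitmap to test whether an allocation block is in use, and compares the alternate volume header in the last 1024 bytes. The field layout follows Apple's HFS+ specification (TN1150); the sample image with its dates, counts and bitmap is constructed for the demonstration.

```python
import struct
from datetime import datetime, timedelta

HFS_EPOCH = datetime(1904, 1, 1)                  # HFS+ dates: seconds since 1904-01-01
VH_OFFSET = 1024                                  # first 1024 bytes are reserved boot blocks
FORK = struct.Struct(">QII" + "II" * 8)           # HFSPlusForkData: size, clump, blocks, 8 extents
FIXED = struct.Struct(">2sH" + "I" * 17 + "Q8I")  # header fields up to finderInfo (112 bytes)

def parse_volume_header(image: bytes) -> dict:
    """Decode the 512-byte volume header at byte 1024 of an HFS+/HFSX image."""
    vh = image[VH_OFFSET:VH_OFFSET + 512]
    f = FIXED.unpack_from(vh, 0)
    if f[0] not in (b"H+", b"HX"):
        raise ValueError(f"not an HFS+ volume, signature {f[0]!r}")
    alloc = FORK.unpack_from(vh, FIXED.size)      # allocation file fork data follows the fixed part
    return {
        "signature": f[0].decode(),
        "case_sensitive": f[0] == b"HX",          # HFSX, the variant used on iOS devices
        "create_date": HFS_EPOCH + timedelta(seconds=f[5]),   # stored in local time
        "modify_date": HFS_EPOCH + timedelta(seconds=f[6]),   # stored in UTC
        "file_count": f[9], "folder_count": f[10],
        "block_size": f[11], "total_blocks": f[12], "free_blocks": f[13],
        "next_catalog_id": f[17],                 # incremented each time a file is added
        "allocation_start_block": alloc[3],       # startBlock of the allocation file's first extent
    }

def block_in_use(image: bytes, header: dict, block: int) -> bool:
    """Read one bit of the allocation file bitmap: 1 = allocation block in use."""
    byte = image[header["allocation_start_block"] * header["block_size"] + block // 8]
    return bool(byte & (0x80 >> (block % 8)))     # most significant bit = lowest-numbered block

def alternate_header_matches(image: bytes) -> bool:
    """The backup header occupies the 512 bytes starting 1024 bytes before the end of the volume."""
    return image[-1024:-512] == image[VH_OFFSET:VH_OFFSET + 512]

def build_sample_image() -> bytes:
    """Constructed HFSX image: 16 blocks of 4096 bytes, bitmap in block 1, blocks 0-5 in use."""
    bs, total = 4096, 16
    secs = int((datetime(2017, 7, 25) - HFS_EPOCH).total_seconds())
    fixed = FIXED.pack(b"HX", 5, 0, 0, 0, secs, secs, 0, 0, 12, 3, bs, total, 10, 6,
                       0, 0, 30, 1, 0, *([0] * 8))
    alloc = FORK.pack(bs, 0, 1, 1, 1, *([0] * 14))  # one extent: start block 1, length 1
    vh = fixed + alloc + bytes(FORK.size * 4)        # extents, catalog, attributes, startup forks zeroed
    image = bytearray(bs * total)
    image[VH_OFFSET:VH_OFFSET + 512] = vh
    image[bs] = 0xFC                                 # bitmap byte 0 = 11111100: blocks 0-5 used
    image[-1024:-512] = vh                           # alternate volume header
    return bytes(image)
```

Calling build_sample_image() and passing the result to parse_volume_header() yields the HFSX signature, the 2017-07-25 creation date and next catalog ID 30; block_in_use() reports blocks 0 to 5 as used and 6 and 7 as free.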

3.3 Partitions

iOS devices have two types of partitions: the system partition and the data partition.

System Partition –

The system partition does not contain many artifacts relevant to an investigation, as it mostly holds system-related information such as the iOS operating system and pre-installed applications. The system partition is read-only, as visible in the output of /private/etc/fstab below.


Figure. fstab

The iPhone has a single disk, hence it is denoted as disk0. The system partition is disk0s1 and the data partition is disk0s2.


Figure. System Partition

We can find the user-configured passwords in the /private/etc/passwd file, as shown below.


Figure. Passwd file

As seen in the screenshot above, the mobile and root password hashes can be retrieved from the passwd file. Using a password cracking tool such as "John the Ripper", one can then recover the password. The root password is "Alpine", which is the default on all iOS devices.

Data Partition

The data partition contains user data and can provide many artifacts during an investigation. It is a read/write partition. The structure of this partition has changed across iOS versions; below is a screenshot from an iOS device running iOS 7.


Figure. Data Partition

The directories listed below may be of interest for artifacts:

  • Keychains – Keychain.db, which contains user passwords from various applications
  • Logs – General.log: the OS version and serial number; Lockdown.log: the lockdown daemon log
  • Mobile – user data
  • Preferences – system configurations
  • Run – system logs
  • Tmp – manifest.plist: plist backup
  • Root – Caches, Lockdown and Preferences

Property List Files

Property lists are XML files used to manage the configuration of the OS and applications. These files contain useful artifacts related to web cookies, email accounts, GPS map routes and searches, system configuration preferences, browsing history and bookmarks. They can be opened in a simple text editor to view their contents.


Figure. Plist

SQLite Databases

A logical extraction of the iPhone yields many SQLite database files, since iOS uses SQLite databases to store user data. The tool SQLite Browser, which can be downloaded from http://sqlitebrowser.org/, is used to explore and read SQLite databases.

The three main databases are the Call History, Address Book and SMS databases.

These databases can be examined with applications such as SQLite Database Browser, as seen in the screenshot below.


Figure. SQLite Database Browser

4. ACQUISITION OF IOS DEVICES

4.1 Phone Identification

During search and seizure, it is necessary for the examiner to identify the phone model.

  • One method is to check the back of the device, where the model number is printed.


Figure. Model number printed on back of the device

  • Another approach is to connect the iPhone to the forensic workstation. Install the library libimobiledevice on the workstation; it supports Windows, Mac and Linux, and iOS versions up to 10.3. It can be downloaded from http://www.libimobiledevice.org/ and detailed installation steps are explained at http://krypted.com/mac-os-x/use-libimobiledevice-to-view-ios-logs/
  • Regardless of whether the phone is locked or unlocked, some information about the connected iDevice can be gathered using the command ideviceinfo, as shown in the screenshot below.


Figure. iDeviceinfo

As seen in the figure above, we can extract the following important information about the iDevice:

Device Class, Device Name, WiFiAddress, TelephonyCapability, HardwareModel and iOS version

4.2 Operating modes of iOS devices

iOS devices can operate in three modes: 1) normal mode, 2) recovery mode and 3) DFU mode. The examiner or investigator should be aware of these modes, because that knowledge is needed to decide during the investigation which mode the device should be operated in to extract data efficiently.

  • Normal mode

When the iPhone is switched on it boots into the operating system; this is normal mode. In normal mode the user can perform all regular activities.

The normal mode boot process consists of three stages: the Low-Level Bootloader, iBoot and the iOS kernel. These boot stages are signed to preserve the integrity of the process.

  • Recovery Mode

The device enters recovery mode if any step of the normal boot process fails to load or verify. The screenshot below shows the screen during recovery mode.


Figure. Screen during Recovery mode

This mode is used to perform upgrades or to restore the iPhone. The iPhone can be put into recovery mode by following these steps:

  • Turn off the device by holding the power button on the top of the device
  • Hold the home button of the phone and connect it to the computer using a USB cable
  • Keep holding the home button until the connect screen appears on the iPhone, then release the home button
  • Reboot the device to exit recovery mode

  • DFU mode

Device Firmware Upgrade (DFU) mode is used to perform iOS upgrades, and it is a low-level mode for diagnosis. During boot-up, if the Boot ROM fails to load or verify, the iPhone presents a black screen.

The phone should be in DFU mode for most acquisition techniques. The steps below need to be performed to put the iPhone into DFU mode:

  • Install iTunes on the forensic workstation and connect the phone to the workstation using USB
  • Switch off the phone
  • Hold the power button for 3 seconds
  • Hold the home button together with the power button for 10 seconds
  • Release the power button and keep holding the home button until iTunes alerts that it has detected an iPhone in recovery mode


Full article: http://resources.infosecinstitute.com/ios-forensics/
