7/25/2019 Mac&IOS Hungary11216
1/91
Mac & iOS Forensics and Analysis
Best practices for data collection
Locations of suspect data
Event: Digital Forensics KFT Workshop
Location: Budapest, Hungary
BlackBag Technologies, Inc. 2015 Proprietary Information
Copyright
This material is subject to copyright, is owned by BlackBag Technologies, and is proprietary. It is being provided to the recipient under license. By the recipient's receipt of this material, recipient acknowledges and agrees that recipient has been granted a limited and revocable right and license to use the information contained herein solely for general educational purposes. Recipient may not use these materials for any other purpose (including in connection with its business operations) and may not disclose these materials or its content, whether in written form or verbally, to any third party.
Locks and Encryption
Who are we?
BlackBag's mission is to find the truth in data
BlackBag Technologies is a leading provider of digital forensics
software, training, and services. Our team is solely focused on
developing innovative and accessible solutions for the complex
challenges presented by an increasingly vast digital crime scene.
As the sea of data expands, we stand by our pledge to be an ally
in pursuit of finding truth within it.
Carpe Datum!
Locks and Encryption
BlackBag Technologies Update
Mobilyze: Mobile acquisition and triage
MacQuisition: Imaging and incident response
BlackLight: Forensics on OS X and Windows
SoftBlock: Kernel-level write-blocking of physical devices
Stuart HUTCHINSON
23 Years of Policing - Scotland Yard, London
Special Branch Counter Terrorism Command
Part-Time Instructor BlackBag Four Years
Responsible for all International Operations
Based in the UK
OS X Device Forensics
MacQuisition Demo
iOS Device Forensics
BlackLight Overview
Overview
Adding iOS Devices/Backups
BlackLight Overview
BlackLight Overview
Features
Runs on OS X 10.7.0 and later
Runs on Windows 7 and later
Same look and feel on each OS
Except for any native OS functions
Analyzes OS X 10.0-10.8 and iOS 1.0-7.x
Analyzes Windows - NTFS/FAT
BlackLight Overview
BlackLight Features
Features
MD5, SHA1, and SHA256 hashing of files and content
Support for image file formats
Raw (dd), DMG, sparse images/bundles
E01 and L01, SMART, vmdk
iOS physical images from most popular sources
Direct read of iOS devices and backup files
BlackLight Overview
Using BlackLight
The BlackLight Application Window
1. Command Bar
2. Component List
3. Content Pane
4. File Information Pane
5. File Content Viewer
6. Status Bar
Locks and Encryption
Adding an iOS Device or Backup
Select [Add Encrypted iOS Disk Image] or [Add iOS Backup]
Select [Add Disk Image] or [Add USB Attached Apple iOS Device]
Select Add
BlackLight Overview
iOS Import/Processing Options
Select iOS Device
More Processing Options
Encrypted Backups
Encrypted Backups
In BlackLight
Connect an iOS device
Provide the passcode to decrypt the backup
BlackLight Overview
Adding A Backup From A Computer Case
BlackLight identifies iOS Backups
iOS Device Forensics
Starting a Case
Start a Case in BlackLight
Examining an iOS Backup
BlackLight Overview
Start a New Case
BlackLight Overview
Adding an iOS Backup
Select [Add iOS Backup]
BlackLight Overview
Select the iOS Backup Folder
BlackLight Overview
Processing Completed
iOS Device Details
iOS Device Forensics
Acquisition
Securing a Device
iOS 8 Implications
Acquisition Options
Power Loss - Dates and Times
Mobilyze
Acquisitions
Where to find data?
User can change from local to iCloud anytime
Local computers (Mac or PC)
iOS Backups and iCloud sync data
iCloud
Backups and iCloud sync data
Friends and work computers
Excellent source of pairing certificates
Acquisitions
New Techniques
Data collection must always be re-evaluated
Review and revise existing techniques
Re-verify processes and technologies
Identify areas of concern
Locate new sources of relevant data
Utilize the latest tools for most complete results
Acquisitions
Securing an iOS Device
Protect the iOS device IMMEDIATELY
Ensure the device stays powered on
Place the device into Airplane Mode
Remove the SIM card from the device
Secure the device in a Faraday bag or cage
Cellular, Wi-Fi, Bluetooth, GPS
Acquisitions
Control Center
Available by default on lock screen
Swipe up from bottom of device screen
Airplane Mode (tap to enable)
Acquisitions
Data Acquisition
iOS 8 makes significant changes to data acquisition
iTunes Backup
Voicemail, voice memos, call history, SMS and iMessages, photos and videos
Apple File Conduit (AFC)
Music, pictures, videos, and third party app data
File Relay - DISABLED
Granular access to file system details
Ability to reach data points not available to AFC or iTunes
Acquisitions
After Power-on
When a PIN code (passphrase) is enabled:
Device enters Protect Until First User Authentication
No communication with device possible until
PIN code (passphrase) is entered once
This can be seen with your own device and iTunes
Restart your own iPhone
Connect to iTunes
Message displayed by iTunes stating device is locked
Acquisitions
Best Times to Seize a Device
When should you seize an iOS device?
UNLOCKED, available for use
Locked, PIN code available
Locked, with pairing certificate, device has not restarted
Locked, no PIN, no pairing certificate = NO DATA
Locks and Encryption
iOS 8 Protection
Requirement for Passcode
Device has restarted
Loss of power
Shutdown
Requires passcode
Despite pairing certificate on computer
More than 48 hours without a successful logon
iOS Device Forensics
Acquisition Options
Logical Image
Physical Image
Power and Effects on Dates
Acquisition Options
Logical Image
BlackLight creates a logical image
Provides more information than iTunes backup
Call logs, messages, contacts, voicemail, voice memos, and calendar
Safari web artifacts
All pictures and videos
Map information, memos, Wi-Fi networks
Third party applications full
Acquisition Options
Physical (Full Disk) Images
Data contained in a full image
The same items in the BlackLight backup, plus...
Email
Log files
Deleted files in unallocated space (encrypted in iOS 4+)
Google Map tiles (MapTiles.sqlitedb)
System and data partitions
Acquisition Options
iOS Imaging Solutions
Elcomsoft - http://www.elcomsoft.com
MPE+ - http://www.accessdata.com
iPhone-Dataprotection - http://code.google.com/p/iphone-dataprotection
Cellebrite - http://www.cellebrite.com
XRY - http://www.msab.com
iXam - http://www.ixam-forensics.com
Z Method - http://www.iosresearch.org
Acquisition Options
Acquire a Phone Using BlackLight
Power and Effect on Dates
Summary
Today's rules of acquisition
Keep device off network, charged, and powered on
Obtain pairing certificate or PIN code (passphrase)
Always try for iCloud data
Look for other computers that may be involved
Apple cannot access iOS 8-based devices
Apple can still help with iOS 7 and earlier devices
Mobilyze
Mobilyze
Easy to use
Fast and accurate
Forensically sound
Able to quickly gather actionable intelligence
No forensic training or experience necessary
Data viewable almost immediately
Customizable reporting on all or selected items
Mobilyze
Mobilyze Overview
Types of devices recognized
How Mobilyze works
Who can use Mobilyze
What data is collected
Triage vs. full analysis
Mobilyze
Case Manager (No Prior Case/Device)
Initial window displayed upon launching Mobilyze
Mobilyze
Case Manager (Device Trusted)
Mobilyze
Android Information
Case Manager Window
Must have PIN code
USB Debugging mode turned on
Connect phone
Phone displays - Allow USB Debugging?
RSA key fingerprint shown
Click OK
Available device shown
Mobilyze
Device is connected but unpaired, unable to acquire
Trust to pair the device
Case Manager (Device Locked/Unpaired)
Mobilyze
Collection Options
Limited
Full - All available items
Mobilyze
Collection Options
Limited Collection with nothing selected
Mobilyze
Android Information
Case Manager Window
Limited Collection button
MAY have third party applications available
Some are set for needing root access
May be able to set the order of collection
Based on OS-allowed behavior
Mobilyze
Android Information
Collection process
BlackBag trusted agent written to the device
Removed after finished or Stop Import implemented
Do not touch the device until instructed
Can be disconnected and retain data for review
Android data
Voicemail and voice memos not likely available
Internet - open pages
No pictures to correlate with the URL
Mobilyze
Data Collection Started
Data metrics populate shortly after starting as data is collected
Mobilyze
Data Collection - iOS 8
Devices running iOS 8.x are handled differently
Some connection methods now blocked by Apple
Complete processing for each data type may be
necessary before its viewing is possible
Mobilyze
Data Collection Completed
Mobilyze announces when the data collection process has completed and the device can be safely disconnected
Processing of the collected data will continue
Mobilyze
Device View
Details and collection summary
Top 10 Contacts
Accounts
Filtering
Navigate to data
Mobilyze User Interface
Mobilyze
Filtering
Allows user to concentrate on items of interest
Filter by keyword and/or date range
Mobilyze
Filtering
Keywords and phrases can also be used to further filter the results
Mobilyze
Communications
Comm view consolidates all the communications data into one area
Call History, Messages, Contacts, Voicemail, Voice Memos
Mobilyze
Phone Calls
Consolidated Call History
Mobilyze
Tagging
Tags are used to mark data of interest
Tag a file using:
1. Action → Tag Selected Rows
2. Right-click → Tag Selected Rows
3. Hotkey → CMD/CTRL + T
Mobilyze
Tag Icon
Once tagged the tag icon appears alongside the
item
To view a list of all tags in a case go to the Report
view where a summary is displayed
Mobilyze
Search / Find
Find - Mobilyze's search function
Mac: CMD + F
Windows: CTRL + F
Mobilyze
Search / Find
Mobilyze
Messages
SMS
MMS
FaceTime
Skype
Kik
textPlus
Textfree
Mobilyze
Messages
Conversation View
Mobilyze
Messages
List View
Mobilyze
Contacts
Mobilyze
Contacts - Avatars
Mobilyze
Voicemail and Voice Memos
Voicemail and Voice Memos can be listened to within
Mobilyze
Mobilyze
Media - Pictures
GPS indicator
Mobilyze
Media - Videos
Play videos within Mobilyze
Mobilyze
Locations - Wi-Fi
Dates
Remembered network IDs
Sorting each column
Find and filter functionality
Mobilyze
Locations - Geo Tags
The following items are displayed in the Geo Tags
subview:
Pictures with GPS
Videos with GPS
Third party app data with GPS
Foursquare, etc.
Latitude, Longitude, Altitude, Dates are sortable
Mobilyze
Applications
Mobilyze
Internet
Collected information
Bookmarks
History
iOS - Safari browser
Android - other browsers
Mobilyze
Internet Filter and Find
Looking for terms of interest
Mobilyze
Internet Tagging and Export
Tagging
Highlight
[Action] → [Tag Selected Rows]
Export as CSV or tab delimited
Great intelligence info
Mobilyze
Internet - Open Pages
iOS
Browser history where tab was not closed
MAY have a picture saved on the device, showing what was viewable by the user
Android
Data only, no pictures
Mobilyze
Reporting
Mobilyze Report Preferences
Preferences icon
[Mobilyze] → [Preferences]
Agency icon, name, address
Mobilyze
Reporting
Creating a report
Case information
No need to complete until ready to output the report
Report on:
Tagged Items
All Items
Clear Selected Tags button
Can continue tagging and return to this window
Mobilyze
Generating a Report
Generate Report
Select Generate Report
Report file types
HTML
HTML and PDF
HTML opens automatically in user's default browser
Mobilyze
Report Location
Macintosh
User's Desktop
Windows
User's Documents folder
Folder named Mobilyze_Report
Contains index.html
Contains report.pdf file
iOS Device Forensics
Advanced Analysis
Determine the User
Advanced Analysis
Determine the User
How do we determine who the user is?
Accounts
Social Networking
iCloud
Computer(s) synced
Personal Information
Personalization
Advanced Analysis
Accounts
Places to look for user information
mobile/Library/Preferences
com.apple.imservice.iMessage.plist
com.apple.imservice.FaceTime.plist
Shows iCloud Account
Any approved phone number
Any approved email address
Advanced Analysis
Other Relevant Name Locations
Listing of files that contain user information:
mobile/Library/Preferences/com.apple.conference.plist
shows AppleID of user
mobile/Library/Preferences/com.apple.ids.service.com.apple.private.ac.plist
shows vetted accounts
/mobile/Library/Preferences/com.apple.ids.service.com.apple.private.alloy.phonecontinuity.plist
shows IDs associated with phone for Handoff
Advanced Analysis
Hands-on Practical
Using the image file provided
Examine the com.apple.ids*.plist file(s)
Determine email accounts used on this device
Are there any other authorized accounts used on this device?
Be prepared to discuss your findings
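One way to work the practical above outside BlackLight, as an added example that is not part of the BlackBag slides: it hashes each preference plist named on the Accounts slides and pulls out every email address and phone number found anywhere in it, without relying on key names. The directory layout, the constructed sample files and their key names are assumptions.

```python
import hashlib
import plistlib
import re
import tempfile
from pathlib import Path

# File names listed on the slides, relative to mobile/Library/Preferences.
PATTERNS = (
    "com.apple.ids*.plist",
    "com.apple.imservice.iMessage.plist",
    "com.apple.imservice.FaceTime.plist",
    "com.apple.conference.plist",
)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\+\d{7,15}\b")


def iter_strings(node):
    """Yield every string in a parsed plist, dictionary keys included."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield key
            yield from iter_strings(value)
    elif isinstance(node, (list, tuple)):
        for item in node:
            yield from iter_strings(item)


def scan_preferences(prefs_dir):
    """Map each matching plist to its SHA-256 and the identifiers found in it."""
    prefs_dir = Path(prefs_dir)
    paths = sorted({p for pat in PATTERNS for p in prefs_dir.glob(pat)})
    results = {}
    for path in paths:
        raw = path.read_bytes()
        entry = {"sha256": hashlib.sha256(raw).hexdigest(),
                 "emails": set(), "phones": set(), "error": None}
        try:
            root = plistlib.loads(raw)  # handles XML and binary plists
        except Exception as exc:  # damaged file: note it and keep going
            entry["error"] = type(exc).__name__
        else:
            for text in iter_strings(root):
                entry["emails"].update(m.lower() for m in EMAIL_RE.findall(text))
                entry["phones"].update(PHONE_RE.findall(text))
        results[path.name] = entry
    return results


def build_constructed_sample(prefs_dir):
    """Write constructed test plists; key names and values are hypothetical."""
    prefs_dir = Path(prefs_dir)
    ids = {"Accounts": [{"Handles": ["mailto:Alice@Example.com",
                                     "tel:+15555550100"]}]}
    (prefs_dir / "com.apple.ids.service.com.apple.private.ac.plist").write_bytes(
        plistlib.dumps(ids, fmt=plistlib.FMT_BINARY))
    (prefs_dir / "com.apple.imservice.iMessage.plist").write_bytes(
        plistlib.dumps({"LoginAs": "bob@example.org"}, fmt=plistlib.FMT_XML))
    # Truncated binary plist, as might come from a partial extraction.
    (prefs_dir / "com.apple.ids.damaged.plist").write_bytes(b"bplist00\x00\x01")
    # Not on the slides' list, so it must not appear in the results.
    (prefs_dir / "com.apple.springboard.plist").write_bytes(
        plistlib.dumps({"Owner": "carol@example.net"}))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        for name, entry in scan_preferences(tmp).items():
            print(name, entry["sha256"][:12], sorted(entry["emails"]),
                  sorted(entry["phones"]), entry["error"])
```

Run it against a working copy exported from the image, never the evidence itself, and record the SHA-256 values alongside the findings.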
Advanced Analysis
Personalization
Name of Device
/preferences/SystemConfiguration/com.apple.mobilegestalt.plist
Advanced Analysis
Is the Device Synced to a Computer?
iTunesprefs
Advanced Analysis
Personalization
Icon State
/mobile/Library/SpringBoard/IconState.plist
Icon Lists
Shows app icons and folders
Button Bar
Shows icons that are in the bottom dock
Advanced Analysis
Has the Device Been Restored
Restored from a backup?
/root/Library/Preferences/com.apple.MobileBackup.plist
Advanced Analysis
SIM Card Swapping
Has the device changed numbers?
/wireless/Library/Databases/CellularUsage.db
Advanced Analysis
Frequent Locations
No longer available with iOS 8
Staying Connected
In Person:
San Jose, CA (HQ) and Herndon, VA
Remote offices in Texas, SoCal, New York and UK
Online:
www.twitter.com/BlackBagTech
www.linkedin.com/company/blackbagtech
www.BlackBagTech.com
iOS Device Forensics
CARPE DATUM
Questions?