Table of Contents

Practical Mobile Forensics
Credits
About the Authors
About the Reviewers
www.PacktPub.com
  Support files, eBooks, discount offers, and more
  Why subscribe?
  Free access for Packt account holders
Preface
  What this book covers
  What you need for this book
  Who this book is for
  Conventions
  Reader feedback
  Customer support
    Downloading the example code
    Downloading the color images of the book
    Errata
    Piracy
    Questions
1. Introduction to Mobile Forensics
  Mobile forensics
    Mobile forensic challenges
  Mobile phone evidence extraction process
    The evidence intake phase
    The identification phase
      The legal authority
      The goals of the examination
      The make, model, and identifying information for the device
      Removable and external data storage
      Other sources of potential evidence
    The preparation phase
    The isolation phase
    The processing phase
    The verification phase
      Comparing extracted data to the handset data
      Using multiple tools and comparing the results
      Using hash values
    The document and reporting phase
    The presentation phase
    The archiving phase
  Practical mobile forensic approaches
    Mobile operating systems overview
      Android
      iOS
      Windows phone
      BlackBerry OS
    Mobile forensic tool leveling system
      Manual extraction
      Logical extraction
      Hex dump
      Chip-off
      Micro read
    Data acquisition methods
      Physical acquisition
      Logical acquisition
      Manual acquisition
  Potential evidence stored on mobile phones
  Rules of evidence
    Admissible
    Authentic
    Complete
    Reliable
    Believable
  Good forensic practices
    Securing the evidence
    Preserving the evidence
    Documenting the evidence
    Documenting all changes
  Summary
2. Understanding the Internals of iOS Devices
  iPhone models
  iPhone hardware
  iPad models
  iPad hardware
  File system
    The HFS Plus file system
      The HFS Plus volume
    Disk layout
  iPhone operating system
    iOS history
      1.x – the first iPhone
      2.x – App Store and 3G
      3.x – the first iPad
      4.x – Game Center and multitasking
      5.x – Siri and iCloud
      6.x – Apple Maps
      7.x – the iPhone 5S and beyond
    The iOS architecture
      The Cocoa Touch layer
      The Media layer
      The Core Services layer
      The Core OS layer
    iOS security
      Passcode
      Code signing
      Sandboxing
      Encryption
      Data protection
      Address Space Layout Randomization
      Privilege separation
      Stack smashing protection
      Data execution prevention
      Data wipe
      Activation Lock
    App Store
    Jailbreaking
  Summary
3. Data Acquisition from iOS Devices
  Operating modes of iOS devices
    Normal mode
    Recovery mode
    DFU mode
  Physical acquisition
    Acquisition via a custom ramdisk
      The forensic environment setup
        Downloading and installing the ldid tool
        Verifying the codesign_allocate tool path
        Installing OSXFuse
        Installing Python modules
        Downloading iPhone Data Protection Tools
        Building the IMG3FS tool
        Downloading redsn0w
      Creating and loading the forensic toolkit
        Downloading the iOS firmware file
        Modifying the kernel
        Building a custom ramdisk
        Booting the custom ramdisk
      Establishing communication with the device
      Bypassing the passcode
      Imaging the data partition
      Decrypting the data partition
      Recovering the deleted data
    Acquisition via jailbreaking
  Summary
4. Data Acquisition from iOS Backups
  iTunes backup
    Pairing records
    Understanding the backup structure
      info.plist
      manifest.plist
      status.plist
      manifest.mbdb
        Header
        Record
    Unencrypted backup
      Extracting unencrypted backups
        iPhone Backup Extractor
        iPhone Backup Browser
        iPhone Data Protection Tools
      Decrypting the keychain
    Encrypted backup
      Extracting encrypted backups
        iPhone Data Protection Tools
      Decrypting the keychain
      iPhone Password Breaker
  iCloud backup
    Extracting iCloud backups
  Summary
5. iOS Data Analysis and Recovery
  Timestamps
    Unix timestamps
    Mac absolute time
  SQLite databases
    Connecting to a database
    SQLite special commands
    Standard SQL queries
    Important database files
      Address book contacts
      Address book images
      Call history
      SMS messages
      SMS Spotlight cache
      Calendar events
      E-mail database
      Notes
      Safari bookmarks
      The Safari web caches
      The web application cache
      The WebKit storage
      The photos metadata
      Consolidated GPS cache
      Voicemail
  Property lists
    Important plist files
      The HomeDomain plist files
      The RootDomain plist files
      The WirelessDomain plist files
      The SystemPreferencesDomain plist files
  Other important files
    Cookies
    Keyboard cache
    Photos
    Wallpaper
    Snapshots
    Recordings
    Downloaded applications
  Recovering deleted SQLite records
  Summary
6. iOS Forensic Tools
  Elcomsoft iOS Forensic Toolkit
    Features of EIFT
    Usage of EIFT
      Guided mode
      Manual mode
    EIFT-supported devices
    Compatibility notes
  Oxygen Forensic Suite 2014
    Features of Oxygen Forensic Suite
    Usage of Oxygen Forensic Suite
    Oxygen Forensic Suite 2014 supported devices
  Cellebrite UFED Physical Analyzer
    Features of Cellebrite UFED Physical Analyzer
    Usage of Cellebrite UFED Physical Analyzer
    Supported devices
  Paraben iRecovery Stick
    Features of Paraben iRecovery Stick
    Usage of Paraben iRecovery Stick
    Devices supported by Paraben iRecovery Stick
  Open source or free methods
  Summary
7. Understanding Android
  The Android model
    The Linux kernel layer
    Libraries
    Dalvik virtual machine
    The application framework layer
    The applications layer
  Android security
    Secure kernel
    The permission model
    Application sandbox
    Secure interprocess communication
    Application signing
  Android file hierarchy
  Android file system
    Viewing file systems on an Android device
    Extended File System – EXT
  Summary
8. Android Forensic Setup and Pre Data Extraction Techniques
  A forensic environment setup
    Android Software Development Kit
    Android SDK installation
    Android Virtual Device
    Connecting an Android device to a workstation
      Identifying the device cable
      Installing the device drivers
    Accessing the connected device
    Android Debug Bridge
      Accessing the device using adb
        Detecting connected devices
        Killing the local adb server
        Accessing the adb shell
  Handling an Android device
  Screen lock bypassing techniques
    Using adb to bypass the screen lock
      Deleting the gesture.key file
      Updating the settings.db file
    Checking for the modified recovery mode and adb connection
    Flashing a new recovery partition
    Smudge attack
    Using the primary Gmail account
    Other techniques
  Gaining root access
    What is rooting?
    Rooting an Android device
    Root access – adb shell
  Summary
9. Android Data Extraction Techniques
  Imaging an Android Phone
  Data extraction techniques
    Manual data extraction
    Using root access to acquire an Android device
    Logical data extraction
      Using the adb pull command
      Extracting the /data directory on a rooted device
      Using SQLite Browser
      Extracting device information
      Extracting call logs
      Extracting SMS/MMS
      Extracting browser history
      Analysis of social networking/IM chats
      Using content providers
    Physical data extraction
      JTAG
      Chip-off
      Imaging a memory (SD) card
  Summary
10. Android Data Recovery Techniques
  Data recovery
    Recovering the deleted files
      Recovering deleted data from an SD card
      Recovering data deleted from internal memory
        Recovering deleted files by parsing SQLite files
        Recovering files using file-carving techniques
  Summary
11. Android App Analysis and Overview of Forensic Tools
  Android app analysis
    Reverse engineering Android apps
      Extracting an APK file from an Android device
      Steps to reverse engineer Android apps
  Forensic tools overview
    The AFLogical tool
      AFLogical Open Source Edition
      AFLogical Law Enforcement (LE)
    Cellebrite – UFED
      Physical extraction
    MOBILedit
    Autopsy
      Analyzing an Android in Autopsy
  Summary
12. Windows Phone Forensics
  Windows Phone OS
    Security model
      Windows chambers
      Capability-based model
      App sandboxing
    Windows Phone file system
  Data acquisition
    Sideloading using ChevronWP7
    Extracting the data
      Extracting SMS
      Extracting e-mail
      Extracting application data
  Summary
13. BlackBerry Forensics
  BlackBerry OS
    Security features
  Data acquisition
    Standard acquisition methods
    Creating a BlackBerry backup
  BlackBerry analysis
    BlackBerry backup analysis
    BlackBerry forensic image analysis
    Encrypted BlackBerry backup files
    Forensic tools for BlackBerry analysis
  Summary
Index
Practical Mobile Forensics

Copyright © 2014 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

First published: July 2014

Production reference: 2140714

Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham B3 2PB, UK.

ISBN 978-1-78328-831-1

www.packtpub.com

Cover image by Aniket Sawant (<[email protected]>)
Credits

Authors
Satish Bommisetty
Rohit Tamma
Heather Mahalik

Reviewers
Dr. Aswami Ariffin
Dr. Salvatore Fiorillo (MSIT)
Yogesh Khatri
Erik Kristensen
Dr. Michael Spreitzenbarth

Commissioning Editor
Rebecca Youé

Acquisition Editor
Rebecca Youé

Content Development Editor
Balaji Naidu

Technical Editor
Manan Badani

Copy Editors
Sarang Chari
Mradula Hegde
Adithi Shetty

Project Coordinator
Aaron S. Lazar

Proofreaders
Maria Gould
Ameesha Green

Indexer
Hemangini Bari

Graphics
Disha Haria
Abhinash Sahu

Production Coordinator
Adonia Jones

Cover Work
Adonia Jones
About the Authors

Satish Bommisetty is a security analyst working for a Fortune 500 company. His primary areas of interest include iOS forensics, iOS application security, and web application security. He has presented at international conferences, such as ClubHACK and C0C0n. He is also one of the core members of the Hyderabad OWASP chapter. He has identified and disclosed vulnerabilities within the websites of Google, Facebook, Yandex, PayPal, Yahoo!, AT&T, and more, and is listed in their hall of fame.

I would like to thank everyone who encouraged me while producing this book, especially my wife for her great support.

Rohit Tamma is a security analyst working for a Fortune 500 company. His interests lie in mobile forensics, Android application security, and web application security. He is experienced in performing vulnerability assessments and penetration testing of a range of applications, including web and mobile applications. He lives in Hyderabad, India, where he spends time with his parents and friends.

I would like to thank everyone who encouraged me while I was authoring this book, especially my parents and my friends who offered their support in every way they could. Special thanks to Satish Bommisetty, my colleague, co-author of this book, who mentored me all the way through with his valuable suggestions.

Heather Mahalik is the Mobile Exploitation Team Lead at Basis Technology and the Course Lead for the SANS Smartphone Forensics course. With over 11 years' experience in digital forensics, she currently focuses her energy on mobile device investigations, forensic course development and instruction, and research on smartphone forensics.

Prior to joining Basis Technology, Heather worked at Stroz Friedberg and as a contractor for the U.S. Department of State Computer Investigations and Forensics Lab. She earned her Bachelor's degree from West Virginia University. She has authored white papers and forensic course material, and has taught hundreds of courses worldwide for law enforcement, Government, IT, eDiscovery, and other forensic professionals focusing on mobile devices and digital forensics.
There are a lot of people to whom I owe my deepest gratitude. This book is for my husband, who always encourages me to try harder and strive to be one step ahead. This book is also for Jack, who would sleep so that mama could write, and my dad and mother-in-law for always supporting me. Professionally, this book is for Brian Carrier, Eoghan Casey, Terrance Maguire, Rob Lee, and Shawn Howell for getting me addicted to this trade and providing me with the opportunities to better myself. I would also like to thank my co-workers, who have taught me patience, kept a smile on my face, and helped me learn more about forensics than most would deem required. You guys are the best!
About the Reviewers

Dr. Aswami Ariffin specializes in digital forensics (PhD) and previously was a GIAC Certified Forensic Analyst (GCFA) and Certified Wireless Security Professional (CWSP). He has attended various digital forensics training courses, such as SANS System Forensics, Investigation and Response in Australia, multimedia forensics in the United Kingdom and United States, and also data recovery in South Korea.

He has experience in handling computer crimes and computer-related crimes with various law enforcement agencies/regulatory bodies in Malaysia and overseas (recognized as an expert by New South Wales Police Force, Australia). He managed more than 1,800 digital forensic investigations and provided expert testimonies/coordination in Malaysia's High Court and Royal Commission of Inquiry.

He is active in research, and one of his papers entitled Data Recovery From Proprietary-Formatted Files CCTV Hard Disks was accepted for publication and presentation at the 2013 Ninth Annual IFIP WG 11.9 International Conference on Digital Forensics, USA. He was also involved as a committee member of the digital forensics program of the prestigious International Conference on Availability, Reliability, and Security (ARES 2012 and 2013).

Due to his immense contribution in combating cyber crimes and developing CyberSecurity Malaysia's digital forensics capabilities, Dr. Aswami Ariffin was awarded the ISLA (Information Security Leadership Award) in 2009 by ISC2, USA. The Attorney General Chambers of Malaysia and Royal Malaysia Police also issued a commendation letter and certificate of appreciation to him.

Currently, he is Vice President of Cyber Security Responsive Services at CyberSecurity Malaysia. He provides input on strategic direction, technical leadership, and marketing strategy for CyberSecurity Malaysia security operations and research—Digital Forensics Department, MyCERT, and Secure Technology Services.
Dr. Salvatore Fiorillo (MSIT) is a fast learner, problem solver, and open-minded person. He likes unconventional challenges. Holding a degree in Political Science and a Master's degree in IT Security, his interests are wide ranging, from digital forensic and general hacking, to social, anthropological, statistics, and financial studies. He is a network-centric warfare evangelist and gave a speech at De Vere University Arms in Cambridge (UK) during the 2007 conference organized by the Command and Control Research Program (CCRP) within the Office of the Assistant Secretary of US-Defense (NII). He is also the author of Theory and practice of flash memory mobile forensics, a 2009 widespread paper on the limits of digital forensic tools (work cited in the 2014 NIST Guidelines on Mobile Device Forensics).
I would like to thank Lucia Tirino and Monica Capasso for their precious help and support throughout. I would also like to thank the people at Packt Publishing; they are all very professional and nice people.
Yogesh Khatri is an assistant professor teaching computer forensics at Champlain College in Burlington, Vermont. Prior to that, he has had a decade of experience working in industry as a consultant and trainer for various companies, including Guidance Software, during which he worked on cases in several countries, and with many Fortune 100 companies. Yogesh has a Master's degree in Computer Engineering from Syracuse University. He runs a blog at www.swiftforensics.com, which showcases his latest research, scripts, ideas, and videos on computer forensics.
Erik Kristensen holds a Bachelor's degree in Computer Science with over 15 years of experience with computer systems that includes computer security, mobile security, and computer forensics. During his time in the United States Air Force, he specialized in computer security and helped pioneer a mobile security program for the BlackBerry, Android, and iPhone devices. He is currently a GIAC Certified Forensics Analyst (GCFA) and is the primary maintainer of the SANS Investigative Forensics Toolkit (SIFT) for computer forensics. He has a broad range of experience and interests. He enjoys problem solving and thinking out of the box. He is currently the lead DevOps engineer for viaForensics, an advanced mobile security and forensics company.
Dr. Michael Spreitzenbarth worked several years as a freelancer in the IT security sector after finishing his diploma thesis with a major in Mobile Phone Forensics. In 2013, he finished his PhD from the University of Erlangen-Nuremberg in the field of Android Forensics and Mobile Malware Analysis. Since this time, he has been working in an internationally operating CERT. His daily work deals with the security of mobile systems, forensic analysis of smartphones and suspicious mobile applications, as well as the investigation of security-related incidents. Alongside this, he is working on the improvement of mobile malware analysis techniques and research in the field of Android and iOS forensics.
Support files, eBooks, discount offers, and more

You might want to visit www.PacktPub.com for support files and downloads related to your book.

Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at <[email protected]> for more details.

At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.

http://PacktLib.PacktPub.com

Do you need instant solutions to your IT questions? PacktLib is Packt's online digital book library. Here, you can access, read and search across Packt's entire library of books.

Why subscribe?
Fully searchable across every book published by Packt
Copy and paste, print and bookmark content
On demand and accessible via web browser

Free access for Packt account holders

If you have an account with Packt at www.PacktPub.com, you can use this to access PacktLib today and view nine entirely free books. Simply use your login credentials for immediate access.
Preface

The exponential growth of mobile devices has revolutionized many aspects of our lives. In what is called the Post-PC era, smartphones are engulfing desktop computers with their enhanced functionality and improved storage capacity. This rapid transformation has led to increased usage of mobile handsets across all sectors.

Despite their small size, smartphones are capable of performing many tasks—sending private messages and confidential e-mails, taking photos and videos, making online purchases, viewing salary slips, completing banking transactions, accessing social networking sites, managing business tasks, and more. Hence, a mobile device is now a huge repository of sensitive data, which could provide a wealth of information about its owner. This has in turn led to the evolution of mobile device forensics, a branch of digital forensics that deals with retrieving data from a mobile device. Today, there is a huge demand for specialized forensic experts, especially given the fact that the data retrieved from a mobile device is admissible in court.

Mobile forensics is all about utilizing scientific methodologies to recover data stored within a mobile phone for legal purposes. Unlike traditional computer forensics, mobile forensics has limitations when obtaining evidence due to rapid changes in the technology and the fast-paced evolution of mobile software. With different operating systems and a wide range of models being released into the market, mobile forensics has expanded over the last 3-4 years. Specialized forensic techniques and skills are required in order to extract data under different conditions.

This book takes you through the challenges involved in mobile forensics and practically explains detailed methods on how to collect evidence from different mobile devices with the iOS, Android, BlackBerry, and Windows mobile operating systems.

The book is organized in a manner that allows you to focus independently on chapters that are specific to your required platform.
What this book covers

Chapter 1, Introduction to Mobile Forensics, introduces you to the concept of mobile forensics, core values, and its limitations. The chapter also provides an overview of practical approaches and best practices involved in performing mobile forensics.

Chapter 2, Understanding the Internals of iOS Devices, provides an overview of the popular Apple iOS devices, including an outline of different models and their hardware. The book explains iOS security features and device security and its impact on the iOS forensics approach. The chapter also gives an overview of the iOS file system and outlines the sensitive files that are useful for forensic examinations.

Chapter 3, Data Acquisition from iOS Devices, covers various types of forensic acquisition methods that can be performed on iOS devices and guides you through preparing your desktop machine for forensic work. The chapter also discusses passcode bypass techniques, the physical extraction of devices, and different ways that the device can be imaged.

Chapter 4, Data Acquisition from iOS Backups, provides a detailed explanation of different types of iOS backups and details what types of files are stored during the backup. The chapter also covers logical acquisition techniques to recover data from backups.

Chapter 5, iOS Data Analysis and Recovery, discusses the type of data that is stored on iOS devices and the general location of this data storage. Common file types used in iOS devices, such as plist and SQLite, are discussed in detail so you understand how data is stored on the device, which will help forensic examiners to efficiently recover data from these files.

Chapter 6, iOS Forensic Tools, provides an overview of the existing open source and commercial iOS forensics tools. These tools differ in the range of mobile phones they support and the amount of data that they can recover. The chapter describes the advantages and limitations of these tools.
Chapter 7, Understanding Android, introduces you to the Android model, file system, and its security features. It provides an explanation of how data is stored in any Android device, which will be useful while carrying out forensic investigations.
Chapter 8, Android Forensic Setup and Pre Data Extraction Techniques, guides you through the Android forensic setup and other techniques to follow before extracting any information. Screen lock bypass techniques and gaining root access are also discussed in this chapter.

Chapter 9, Android Data Extraction Techniques, provides an explanation of physical, file system, and logical acquisition techniques to extract information from an Android device.

Chapter 10, Android Data Recovery Techniques, explains the possibilities and limitations for data recovery on Android devices. This chapter also covers the process to reverse engineer Android applications to unearth crucial information.

Chapter 11, Android App Analysis and Overview of Forensic Tools, covers various available open source and commercial tools, which are helpful during forensic examination of Android devices.

Chapter 12, Windows Phone Forensics, provides a basic overview of forensic approaches when dealing with Windows Phone devices.

Chapter 13, BlackBerry Forensics, provides forensic approaches to include acquisition and analysis techniques when dealing with BlackBerry devices. BlackBerry encryption and data protection is also addressed.
What you need for this book

The book provides practical forensic approaches and explains the techniques in a simple manner. The content is organized in a manner that allows even a user with basic computer skills to examine a device and extract the required data. A Macintosh, Windows, or Linux computer will be helpful to successfully perform the methods defined in this book. Wherever possible, methods for all computer platforms are provided.

Who this book is for

This book is intended for forensic examiners with little or basic experience in mobile forensics or open source solutions for mobile forensics. The book will also be useful to computer security professionals, researchers, and anyone seeking a deeper understanding of mobile internals. The book will also come in handy for those who are trying to recover accidentally deleted data (photos, contacts, SMS, and more).

Conventions

In this book, you will find a number of styles of text that distinguish between different kinds of information. Here are some examples of these styles and an explanation of their meaning.

Code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles are shown as follows: "To view the raw disk images on the iPhone, connect a jailbroken iPhone to a workstation over SSH and run the ls -lh rdisk* command."

Any command-line input or output is written as follows:
    iPhone4:/dev root# ls -lh rdisk*
    crw-r-----  1 root  operator   14,   0 Oct 10 04:28 rdisk0
    crw-r-----  1 root  operator   14,   1 Oct 10 04:28 rdisk0s1
    crw-r-----  1 root  operator   14,   2 Oct 10 04:28 rdisk0s1s1
    crw-r-----  1 root  operator   14,   3 Oct 10 04:28 rdisk0s1s2
New terms and important words are shown in bold. Words that you see on the screen, in menus or dialog boxes for example, appear in the text like this: "iOS provides an option Erase All Content and Settings to wipe the data on the iPhone."

Note

Warnings or important notes appear in a box like this.

Tip

Tips and tricks appear like this.
Reader feedback

Feedback from our readers is always welcome. Let us know what you think about this book—what you liked or may have disliked. Reader feedback is important for us to develop titles that you really get the most out of.

To send us general feedback, simply send an e-mail to <[email protected]>, and mention the book title through the subject of your message.

If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide on www.packtpub.com/authors.

Customer support

Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.

Downloading the example code

You can download the example code files for all Packt books you have purchased from your account at http://www.packtpub.com. If you purchased this book elsewhere, you can visit http://www.packtpub.com/support and register to have the files e-mailed directly to you.

Downloading the color images of the book

We also provide you a PDF file that has color images of the screenshots/diagrams used in this book. The color images will help you better understand the changes in the output. You can download this file from: https://www.packtpub.com/sites/default/files/downloads/8311OS_ColoredImages.pdf

Errata

Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books—maybe a mistake in the text or the code—we would be grateful if you would report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting http://www.packtpub.com/support, selecting your book, clicking on the errata submission form link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded to our website, or added to any list of existing errata, under the Errata section of that title.

Piracy

Piracy of copyright material on the Internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works, in any form, on the Internet, please provide us with the location address or website name immediately so that we can pursue a remedy.

Please contact us at <[email protected]> with a link to the suspected pirated material.

We appreciate your help in protecting our authors, and our ability to bring you valuable content.

Questions

You can contact us at <[email protected]> if you are having a problem with any aspect of the book, and we will do our best to address it.
Chapter 1. Introduction to Mobile Forensics

In 2013, there were almost as many mobile cellular subscriptions as there were people on earth, says the International Telecommunication Union (ITU). The following figure shows the global mobile cellular subscriptions from 2005 to 2013. Mobile cellular subscriptions are moving at lightning speed and passed a whopping 7 billion early in 2014. Portio Research Ltd. predicts that mobile subscribers will reach 7.5 billion by the end of 2014 and 8.5 billion by the end of 2016.

Mobile cellular subscription growth from 2005 to 2013
Smartphones of today, such as the Apple iPhone, Samsung Galaxy series, and BlackBerry phones, are compact forms of computers with high performance, huge storage, and enhanced functionalities. Mobile phones are the most personal electronic device a user accesses. They are used to perform simple communication tasks, such as calling and texting, while still providing support for Internet browsing, e-mail, taking photos and videos, creating and storing documents, identifying locations with GPS services, and managing business tasks. As new features and applications are incorporated into mobile phones, the amount of information stored on the devices is continuously growing. Mobile phones become portable data carriers, and they keep track of all your moves. With the increasing prevalence of mobile phones in people's daily lives and in crime, data acquired from phones becomes an invaluable source of evidence for investigations relating to criminal, civil, and even high-profile cases. It is rare to conduct a digital forensic investigation that does not include a phone. Mobile device call logs and GPS data were used to help solve the attempted bombing in Times Square, New York, in 2010. The details of the case can be found at http://www.forensicon.com/forensics-blotter/cell-phone-email-forensics-investigation-cracks-nyc-times-square-car-bombing-case/. The science behind recovering digital evidence from mobile phones is called mobile forensics. Digital evidence is defined as information and data that is stored on, received, or transmitted by an electronic device that is used for investigations. Digital evidence encompasses any and all digital data that can be used as evidence in a case.
Mobile forensics

Digital forensics is a branch of forensic science focusing on the recovery and investigation of raw data residing in electronic or digital devices. Mobile forensics is a branch of digital forensics related to the recovery of digital evidence from mobile devices. Forensically sound is a term used extensively in the digital forensics community to qualify and justify the use of particular forensic technology or methodology. The main principle for a sound forensic examination of digital evidence is that the original evidence must not be modified. This is extremely difficult with mobile devices. Some forensic tools require a communication vector with the mobile device, thus standard write protection will not work during forensic acquisition. Other forensic acquisition methods may involve removing a chip or installing a bootloader on the mobile device prior to extracting data for forensic examination. In cases where the examination or data acquisition is not possible without changing the configuration of the device, the procedure and the changes must be tested, validated, and documented. Following proper methodology and guidelines is crucial in examining mobile devices as it yields the most valuable data. As with any evidence gathering, not following the proper procedure during the examination can result in loss or damage of evidence or render it inadmissible in court.
The mobile forensics process is broken into three main categories: seizure, acquisition, and examination/analysis. Forensic examiners face some challenges while seizing the mobile device as a source of evidence. At the crime scene, if the mobile device is found switched off, the examiner should place the device in a faraday bag to prevent changes should the device automatically power on. Faraday bags are specifically designed to isolate the phone from the network. If the phone is found switched on, switching it off has a lot of concerns attached to it. If the phone is locked by a PIN or password or encrypted, the examiner will be required to bypass the lock or determine the PIN to access the device. Mobile phones are networked devices and can send and receive data through different sources, such as telecommunication systems, Wi-Fi access points, and Bluetooth. So if the phone is in a running state, a criminal can securely erase the data stored on the phone by executing a remote wipe command. When a phone is switched on, it should be placed in a faraday bag. If possible, prior to placing the mobile device in the faraday bag, disconnect it from the network to protect the evidence by enabling the flight mode and disabling all network connections (Wi-Fi, GPS, Hotspots, and so on). This will also preserve the battery, which will drain while in a faraday bag, and protect against leaks in the faraday bag. Once the mobile device is seized properly, the examiner may need several forensic tools to acquire and analyze the data stored on the phone.
Mobile device forensic acquisition can be performed using multiple methods, which are defined later. Each of these methods affects the amount of analysis required, which will be discussed in greater detail in the upcoming chapters. Should one method fail, another must be attempted. Multiple attempts and tools may be necessary in order to acquire the most data from the mobile device.

Mobile phones are dynamic systems that present a lot of challenges to the examiner in extracting and analyzing digital evidence. The rapid increase in the number of different kinds of mobile phones from different manufacturers makes it difficult to develop a single process or tool to examine all types of devices. Mobile phones are continuously evolving as existing technologies progress and new technologies are introduced. Furthermore, each mobile is designed with a variety of embedded operating systems. Hence, special knowledge and skills are required from forensic experts to acquire and analyze the devices.
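Forensic soundness, as described above, rests on two things: an image that is provably unmodified and a written record of every change the handset underwent (flight mode, Faraday bag, a bootloader or ramdisk that had to be loaded). The following Python script is an added example, not code from the book or its authors, that hashes an acquired image, writes the acquisition record including the handling steps, and re-verifies the image before analysis; the device identifier, examiner name and image bytes are constructed placeholders.

```python
"""Acquisition integrity record: hash an image, document the handling steps,
and re-verify the image before analysis. Added example; not from the book."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so multi-gigabyte partition images do not load into RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def record_acquisition(image_path, device, examiner, method, handling_steps):
    """Build the acquisition record that accompanies the image.

    handling_steps lists every action taken on the handset before and during
    acquisition, because changes that cannot be avoided must be documented.
    """
    return {
        "device": device,
        "examiner": examiner,
        "method": method,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "image_file": os.path.basename(image_path),
        "image_size_bytes": os.path.getsize(image_path),
        "sha256": sha256_file(image_path),
        "handling_steps": list(handling_steps),
    }


def verify_image(image_path, record):
    """Re-hash the working copy and compare with the value recorded at acquisition."""
    current = sha256_file(image_path)
    return {
        "match": current == record["sha256"],
        "recorded": record["sha256"],
        "current": current,
    }


def demo(workdir=None):
    """Run the record/verify cycle on a constructed stand-in image.

    Returns the record plus the verification result before and after the
    working copy is altered, so the check can be seen catching a modified copy.
    """
    workdir = workdir or tempfile.mkdtemp(prefix="acq-")
    image = os.path.join(workdir, "data_partition.dd")
    # Constructed sample: a few KB of bytes standing in for a partition dump.
    with open(image, "wb") as fh:
        fh.write(b"HFS+ sample partition image (constructed) " * 200)

    record = record_acquisition(
        image,
        # Placeholder identifiers; a real record carries the handset's own.
        device={"make": "Apple", "model": "iPhone 4", "identifier": "IMEI-PLACEHOLDER"},
        examiner="EXAMINER-PLACEHOLDER",
        method="physical acquisition (custom ramdisk)",
        handling_steps=[
            "Device found switched on; flight mode enabled, Wi-Fi/Bluetooth/GPS disabled",
            "Device placed in Faraday bag; battery level noted",
            "Custom ramdisk booted in DFU mode; change to boot chain documented",
        ],
    )
    with open(os.path.join(workdir, "acquisition_record.json"), "w") as fh:
        json.dump(record, fh, indent=2)

    before = verify_image(image, record)

    # Simulate an analyst accidentally writing to the working copy.
    with open(image, "r+b") as fh:
        fh.seek(0)
        fh.write(b"X")
    after = verify_image(image, record)
    return {"record": record, "before": before, "after": after}


if __name__ == "__main__":
    result = demo()
    print(json.dumps(result["record"], indent=2))
    print("verified before analysis:", result["before"]["match"])
    print("verified after modification:", result["after"]["match"])
```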
Mobile forensic challenges

One of the biggest forensic challenges when it comes to the mobile platform is the fact that data can be accessed, stored, and synchronized across multiple devices. As the data is volatile and can be quickly transformed or deleted remotely, more effort is required for the preservation of this data. Mobile forensics is different from computer forensics and presents unique challenges to forensic examiners.

Law enforcement and forensic examiners often struggle to obtain digital evidence from mobile devices. The following are some of the reasons:
- Hardware differences: The market is flooded with different models of mobile phones from different manufacturers. Forensic examiners may come across different types of mobile models, which differ in size, hardware, features, and operating system. Also, with a short product development cycle, new models emerge very frequently. As the mobile landscape is changing each passing day, it is critical for the examiner to adapt to all the challenges and remain updated on mobile device forensic techniques.
- Mobile operating systems: Unlike personal computers where Windows has dominated the market for years, mobile devices widely use more operating systems, including Apple's iOS, Google's Android, RIM's BlackBerry OS, Microsoft's Windows Mobile, HP's webOS, Nokia's Symbian OS, and many others.
- Mobile platform security features: Modern mobile platforms contain built-in security features to protect user data and privacy. These features act as a hurdle during the forensic acquisition and examination. For example, modern mobile devices come with default encryption mechanisms from the hardware layer to the software layer. The examiner might need to break through these encryption mechanisms to extract data from the devices.
- Lack of resources: As mentioned earlier, with the growing number of mobile phones, the tools required by a forensic examiner would also increase. Forensic acquisition accessories, such as USB cables, batteries, and chargers for different mobile phones, have to be maintained in order to acquire those devices.
- Generic state of the device: Even if a device appears to be in an off state, background processes may still run. For example, in most mobiles, the alarm clock still works even when the phone is switched off. A sudden transition from one state to another may result in the loss or modification of data.
- Anti-forensic techniques: Anti-forensic techniques, such as data hiding, data obfuscation, data forgery, and secure wiping, make investigations on digital media more difficult.
- Dynamic nature of evidence: Digital evidence may be easily altered either intentionally or unintentionally. For example, browsing an application on the phone might alter the data stored by that application on the device.
- Accidental reset: Mobile phones provide features to reset everything. Resetting the device accidentally while examining may result in the loss of data.
- Device alteration: The possible ways to alter devices may range from moving application data, renaming files, and modifying the manufacturer's operating system. In this case, the expertise of the suspect should be taken into account.
- Passcode recovery: If the device is protected with a passcode, the forensic examiner needs to gain access to the device without damaging the data on the device.
- Communication shielding: Mobile devices communicate over cellular networks, Wi-Fi networks, Bluetooth, and Infrared. As device communication might alter the device data, the possibility of further communication should be eliminated after seizing the device.
- Lack of availability of tools: There is a wide range of mobile devices. A single tool may not support all the devices or perform all the necessary functions, so a combination of tools needs to be used. Choosing the right tool for a particular phone might be difficult.
- Malicious programs: The device might contain malicious software or malware, such as a virus or a Trojan. Such malicious programs may attempt to spread over other devices over either a wired interface or a wireless one.
- Legal issues: Mobile devices might be involved in crimes, which can cross geographical boundaries. In order to tackle these multijurisdictional issues, the forensic examiner should be aware of the nature of the crime and the regional laws.
Mobile phone evidence extraction process
Evidence extraction and forensic examination of each mobile device may differ. However, following a consistent examination process will assist the forensic examiner to ensure that the evidence extracted from each phone is well documented and that the results are repeatable and defensible. There is no well-established standard process for mobile forensics. However, the following figure provides an overview of process considerations for extraction of evidence from mobile devices. All methods used when extracting data from mobile devices should be tested, validated, and well documented.
A great resource for handling and processing mobile devices can be found at http://digital-forensics.sans.org/media/mobile-device-forensic-process-v3.pdf.
Mobile phone evidence extraction process
The evidence intake phase
The evidence intake phase is the starting phase and entails request forms and paperwork to document ownership information and the type of incident the mobile device was involved in, and outlines the type of data or information the requester is seeking. Developing specific objectives for each examination is the critical part of this phase. It serves to clarify the examiner's goals.
The identification phase
The forensic examiner should identify the following details for every examination of a mobile device:
- The legal authority
- The goals of the examination
- The make, model, and identifying information for the device
- Removable and external data storage
- Other sources of potential evidence
We will discuss each of them in the following sections.
The legal authority
It is important for the forensic examiner to determine and document what legal authority exists for the acquisition and examination of the device, as well as any limitations placed on the media prior to the examination of the device.
The goals of the examination
The examiner will identify how in-depth the examination needs to be based upon the data requested. The goal of the examination makes a significant difference in selecting the tools and techniques to examine the phone and increases the efficiency of the examination process.
The make, model, and identifying information for the device
As part of the examination, identifying the make and model of the phone assists in determining what tools would work with the phone.
Removable and external data storage
Many mobile phones provide an option to extend the memory with removable storage devices, such as the TransFlash Micro SD memory expansion card. In cases when such a card is found in a mobile phone that is submitted for examination, the card should be removed and processed using traditional digital forensic techniques. It is wise to also acquire the card while in the mobile device to ensure data stored on both the handset memory and card are linked for easier analysis. This will be discussed in detail in upcoming chapters.
Other sources of potential evidence
Mobile phones act as good sources of fingerprint and other biological evidence. Such evidence should be collected prior to the examination of the mobile phone to avoid contamination issues, unless the collection method will damage the device. Examiners should wear gloves when handling the evidence.
The preparation phase
Once the mobile phone model is identified, the preparation phase involves research regarding the particular mobile phone to be examined and the appropriate methods and tools to be used for acquisition and examination.
The isolation phase
Mobile phones are by design intended to communicate via cellular phone networks, Bluetooth, Infrared, and wireless (Wi-Fi) network capabilities. When the phone is connected to a network, new data is added to the phone through incoming calls, messages, and application data, which modifies the evidence on the phone. Complete destruction of data is also possible through remote access or remote wiping commands. For this reason, isolation of the device from communication sources is important prior to the acquisition and examination of the device. Isolation of the phone can be accomplished through the use of faraday bags, which block the radio signals to or from the phone. Past research has found inconsistencies in total communication protection with faraday bags. Therefore, network isolation is advisable. This can be done by placing the phone in radio frequency shielding cloth and then placing the phone into airplane or flight mode.
The processing phase
Once the phone has been isolated from the communication networks, the actual processing of the mobile phone begins. The phone should be acquired using a tested method that is repeatable and is as forensically sound as possible. Physical acquisition is the preferred method as it extracts the raw memory data and the device is commonly powered off during the acquisition process. On most devices, the least amount of changes occur to the device during physical acquisition. If physical acquisition is not possible or fails, an attempt should be made to acquire the file system of the mobile device. A logical acquisition should always be obtained as it may contain only the parsed data and provide pointers to examine the raw memory image.
The verification phase
After processing the phone, the examiner needs to verify the accuracy of the data extracted from the phone to ensure that data is not modified. The verification of the extracted data can be accomplished in several ways.
Comparing extracted data to the handset data
Check if the data extracted from the device matches the data displayed by the device. The data extracted can be compared to the device itself or a logical report, whichever is preferred. Remember, handling the original device may make changes to the only evidence: the device itself.
Using multiple tools and comparing the results
To ensure accuracy, use multiple tools to extract the data and compare results.
Using hash values
All image files should be hashed after acquisition to ensure data remains unchanged. If file system extraction is supported, the examiner extracts the file system and then computes hashes for the extracted files. Later, the hash of any individually extracted file is calculated and checked against the original value to verify its integrity. Any discrepancy in a hash value must be explainable (for example, if the device was powered on and then acquired again, the hash values will differ).
The document and reporting phase
The forensic examiner is required to document throughout the examination process in the form of contemporaneous notes relating to what was done during the acquisition and examination. Once the examiner completes the investigation, the results must go through some form of peer-review to ensure the data is checked and the investigation is complete. The examiner's notes and documentation may include information such as the following:
- Examination start date and time
- The physical condition of the phone
- Photos of the phone and individual components
- Phone status when received: turned on or off
- Phone make and model
- Tools used for the acquisition
- Tools used for the examination
- Data found during the examination
- Notes from peer-review
The presentation phase
Throughout the investigation, it is important to make sure that the information extracted and documented from a mobile device can be clearly presented to any other examiner or to a court. Creating a forensic report of data extracted from the mobile device during acquisition and analysis is important. This may include data in both paper and electronic formats. Your findings must be documented and presented in a manner that the evidence speaks for itself when in court. The findings should be clear, concise, and repeatable. Timeline and link analysis, features offered by many commercial mobile forensics tools, will aid in reporting and explaining findings across multiple mobile devices. These tools allow the examiner to tie together the methods behind the communication of multiple devices.
The archiving phase
Preserving the data extracted from the mobile phone is an important part of the overall process. It is also important that the data is retained in a usable format for the ongoing court process, for future reference, should the current evidence file become corrupt, and for record keeping requirements. Court cases may continue for many years before the final judgment is arrived at, and most jurisdictions require that data be retained for long periods of time for the purposes of appeals. As the field and methods advance, new methods for pulling data out of a raw, physical image may surface, and then the examiner can revisit the data by pulling a copy from the archives.
Practical mobile forensic approaches
Similar to any forensic investigation, there are several approaches that can be used for the acquisition and examination/analysis of data from mobile phones. The type of mobile device, the operating system, and the security setting generally dictate the procedure to be followed in a forensic process. Every investigation is distinct with its own circumstances, so it is not possible to design a single definitive procedural approach for all the cases. The following details outline the general approaches followed in extracting data from mobile devices.
Mobile operating systems overview
One of the major factors in the data acquisition and examination/analysis of a mobile phone is the operating system. Starting from low-end mobile phones to smartphones, mobile operating systems have come a long way with a lot of features. Mobile operating systems directly affect how the examiner can access the mobile device. For example, Android OS gives terminal-level access whereas iOS does not give such an option. A comprehensive understanding of the mobile platform helps the forensic examiner make sound forensic decisions and conduct a conclusive investigation. While there is a large range of smart mobile devices, four main operating systems dominate the market, namely, Google Android, Apple iOS, RIM BlackBerry OS, and Windows Phone. More information can be found at http://www.idc.com/getdoc.jsp?containerId=prUS23946013. This book covers forensic analysis of these four mobile platforms. The following is a brief overview of leading mobile operating systems.
Android
Android is a Linux-based operating system, and it's a Google open source platform for mobile phones. Android is the world's most widely used smartphone operating system. Sources show that Apple's iOS is a close second (http://www.forbes.com/sites/tonybradley/2013/11/15/android-dominates-market-share-but-apple-makes-all-the-money/). Android has been developed by Google as an open and free option for hardware manufacturers and phone carriers. This makes Android the software of choice for companies who require a low-cost, customizable, lightweight operating system for their smart devices without developing a new OS from scratch. Android's open nature has further encouraged the developers to build a large number of applications and upload them onto Android Market. Later, end users can download the application from Android Market, which makes Android a powerful operating system. More details on Android are covered in Chapter 7, Understanding Android.
iOS
iOS, formerly known as the iPhone operating system, is a mobile operating system developed and distributed solely by Apple Inc. iOS is evolving into a universal operating system for all Apple mobile devices, such as iPad, iPod touch, and iPhone. iOS is derived from OS X, with which it shares the Darwin foundation, and is therefore a Unix-like operating system. iOS manages the device hardware and provides the technologies required to implement native applications. iOS also ships with various system applications, such as Mail and Safari, which provide standard system services to the user. iOS native applications are distributed through App Store, which is closely monitored by Apple. More details about iOS are covered in Chapter 2, Understanding the Internals of iOS Devices.
Windows phone
Windows phone is a proprietary mobile operating system developed by Microsoft for smartphones and pocket PCs. It is the successor to Windows mobile and primarily aimed at the consumer market rather than the enterprise market. The Windows Phone OS is similar to the Windows desktop OS, but it is optimized for devices with a small amount of storage. Windows Phone basics and forensic techniques are discussed in Chapter 12, Windows Phone Forensics.
BlackBerry OS
BlackBerry OS is a proprietary mobile operating system developed by BlackBerry Ltd., known as Research in Motion (RIM), exclusively for its BlackBerry line of smartphones and mobile devices. BlackBerry mobiles are widely used in corporate companies and offer native support for corporate mail via MIDP, which enables wireless sync with Microsoft Exchange, e-mail, contacts, calendar, and so on, while used along with the BlackBerry Enterprise server. These devices are known for their security. BlackBerry OS basics and forensic techniques are covered in Chapter 13, BlackBerry Forensics.
Mobile forensic tool leveling system
Mobile phone forensic acquisition and analysis involves manual effort and the use of automated tools. There are a variety of tools that are available for performing mobile forensics. All the tools have their pros and cons, and it is fundamental that you understand that no single tool is sufficient for all purposes. So understanding the various types of mobile forensic tools is important for forensic examiners. When identifying the appropriate tools for the forensic acquisition and analysis of mobile phones, a mobile device forensic tool classification system (shown in the following figure) developed by Sam Brothers comes in handy for the examiners.
Cellular phone tool leveling pyramid (Sam Brothers, 2009)
The objective of the mobile device forensic tool classification system is to enable an examiner to categorize the forensic tools based upon the examination methodology of the tool. Starting at the bottom of the classification and working upward, the methods and the tools generally become more technical, complex, and forensically sound, and require longer analysis times. There are pros and cons of performing an analysis at each layer. The forensic examiner should be aware of these issues and should only proceed with the level of extraction that is required. Evidence can be destroyed completely if the given method or tool is not properly utilized. This risk increases as you move up in the pyramid. Thus, proper training is required to obtain the highest success rate in data extraction from mobile devices.
Each existing mobile forensic tool can be classified under one or more of the five levels. The following sections contain a detailed description of each level.
Manual extraction
This method involves simply scrolling through the data on the device and viewing the data on the phone directly through the use of the device's keypad or touchscreen. The information discovered is then photographically documented. The extraction process is fast and easy to use, and will work on almost every phone. This method is prone to human error, such as missing certain data due to unfamiliarity with the interface. At this level, it is not possible to recover deleted information and grab all the data. There are some tools that have been developed to aid an examiner to easily document a manual extraction.
Logical extraction
Logical extraction involves connecting the mobile device to forensic hardware or to a forensic workstation via a USB cable, RJ-45 cable, Infrared, or Bluetooth. Once connected, the computer initiates a command and sends it to the device, which is then interpreted by the device processor. Next, the requested data is received from the device's memory and sent back to the forensic workstation. Later, the examiner can review the data. Most of the forensic tools currently available work at this level of the classification system. The extraction process is fast, easy to use, and requires little training for the examiners. On the flip side, the process may write data to the mobile and might change the integrity of the evidence. In addition, deleted data is almost never accessible.
Hex dump
A hex dump, also referred to as a physical extraction, is achieved by connecting the device to the forensic workstation and pushing unsigned code or a bootloader into the phone and instructing the phone to dump memory from the phone to the computer. Since the resulting raw image is in binary format, technical expertise is required to analyze it. The process is inexpensive, provides more data to the examiner, and allows the recovery of deleted files from the device's unallocated space on most devices.
Chip-off
Chip-off refers to the acquisition of data directly from the device's memory chip. At this level, the chip is physically removed from the device and a chip reader or a second phone is used to extract data stored on it. This method is more technically challenging as a wide variety of chip types are used in mobiles. The process is expensive and requires hardware-level knowledge as it involves the de-soldering and heating of the memory chip. Training is required to successfully perform a chip-off extraction. Improper procedures may damage the memory chip and render all data unsalvageable. When possible, it is recommended that the other levels of extraction are attempted prior to chip-off since this method is destructive in nature. Also, the information that comes out of memory is in a raw format and has to be parsed, decoded, and interpreted. The chip-off method is preferred in situations where it is important to preserve the state of memory exactly as it exists on the device. It is also the only option when a device is damaged but the memory chip is intact.
The chips on the device are often read using the Joint Test Action Group (JTAG) method. The JTAG method involves connecting to Test Access Ports (TAPs) on a device and instructing the processor to transfer the raw data stored on memory chips. The JTAG method is generally used with devices that are operational but inaccessible using standard tools.
Micro read
The process involves manually viewing and interpreting data seen on the memory chip. The examiner uses an electron microscope and analyzes the physical gates on the chip and then translates the gate status to 0's and 1's to determine the resulting ASCII characters. The whole process is time consuming and costly, and it requires extensive knowledge and training on flash memory and the file system. Due to the extreme technicalities involved in micro read, it would be only attempted for high-profile cases equivalent to a national security crisis after all other level extraction techniques have been exhausted. The process is rarely performed and is not well documented at this time. Also, there are currently no commercial tools available to perform a micro read.
Data acquisition methods
Data acquisition is the process of imaging or otherwise extracting information from a digital device and its peripheral equipment and media. Acquiring data from a mobile phone is not as simple as a standard hard drive forensic acquisition. The following points break down the three types of forensic acquisition methods for mobile phones: physical, logical, and manual. These methods may have some overlap with a couple of levels discussed in the mobile forensics tool leveling system. The amount and type of data that can be collected will vary depending on the type of acquisition method being used.
Physical acquisition
Physical acquisition of mobile phones is performed using mobile forensic tools and methods. Physical extraction acquires information from the device by direct access to the flash memory. The process creates a bit-for-bit copy of an entire file system, similar to the approach taken in computer forensic investigations. A physical acquisition is able to acquire all of the data present on a device, including the deleted data and access to unallocated space on most devices.
Logical acquisition
Logical acquisition of mobile phones is performed using the device manufacturer's application programming interface for synchronizing the phone's contents with a computer. Many of the forensic tools perform a logical acquisition. However, the forensic analyst must understand how the acquisition occurs and whether the mobile is modified in any way during the process. Depending on the phone and forensic tools used, all or some of the data is acquired. A logical acquisition is easy to perform and only recovers the files on a mobile phone; it does not recover data contained in unallocated space.
Manual acquisition
With mobile phones, physical acquisition is usually the best option, and logical acquisition is the second-best option. Manual extraction should be the last option when performing the forensic acquisition of a mobile phone. Both logical and manual acquisition can be used to validate findings in the physical data. During manual acquisition, the examiner utilizes the user interface to investigate the contents of the phone's memory. The device is used normally through a keypad or touchscreen and menu navigation, and the examiner takes pictures of each screen's contents. Manual extraction introduces a greater degree of risk in the form of human error, and there is a chance of deleting the evidence. Manual acquisition is easy to perform and only acquires the data that appears on a mobile phone.
Potential evidence stored on mobile phones
The range of information that can be obtained from mobile phones is detailed in this section. Data on a mobile phone can be found in a number of locations: SIM card, external storage card, and phone memory. In addition, the service provider also stores communication-related information. The book primarily focuses on data acquired from the phone memory. Mobile device data extraction tools recover data from the phone's memory. Even though data recovered during a forensic acquisition depends on the mobile model, in general, the data in the next set of bullet items is common across all models and useful as evidence. Note that most of the following artifacts contain date and time stamps:
- Address Book: This stores contact names, numbers, e-mail addresses, and so on
- Call History: This contains dialed, received, missed calls, and call durations
- SMS: This contains sent and received text messages
- MMS: This contains media files such as sent and received photos and videos
- E-mail: This contains sent, drafted, and received e-mail messages
- Web browser history: This contains the history of websites that were visited
- Photos: This contains pictures that are captured using the mobile phone camera, those downloaded from the Internet, and the ones transferred from other devices
- Videos: This contains videos that are captured using the mobile camera, those downloaded from the Internet, and the ones transferred from other devices
- Music: This contains music files downloaded from the Internet and those transferred from other devices
- Documents: This contains documents created using the device's applications, those downloaded from the Internet, and the ones transferred from other devices
- Calendar: This contains calendar entries and appointments
- Network communication: This contains GPS locations
- Maps: This contains looked-up directions, and searched and downloaded maps
- Social networking data: This contains data stored by applications, such as Facebook, Twitter, LinkedIn, Google+, and WhatsApp
- Deleted data: This contains information deleted from the phone
Rules of evidence
Courtrooms rely more and more on the information inside a mobile phone as vital evidence. Prevailing in court with such evidence requires a good understanding of the rules of evidence. Mobile forensics is a relatively new discipline and laws dictating the validity of evidence are not widely known. However, there are five general rules of evidence that apply to digital forensics and need to be followed in order for evidence to be useful. Ignoring these rules makes evidence inadmissible, and your case could be thrown out. These five rules are: admissible, authentic, complete, reliable, and believable.
Admissible
This is the most basic rule and a measure of evidence validity and importance. The evidence must be preserved and gathered in such a way that it can be used in court or elsewhere. Many errors can be made that could cause a judge to rule a piece of evidence as inadmissible. For example, evidence that is gathered using illegal methods is commonly ruled inadmissible.
Authentic
The evidence must be tied to the incident in a relevant way to prove something. The forensic examiner must be accountable for the origin of the evidence.
Complete
When evidence is presented, it must be clear and complete and should reflect the whole story. It is not enough to collect evidence that just shows one perspective of the incident. Presenting incomplete evidence is more dangerous than not providing any evidence at all as it could lead to a different judgment.
Reliable
Evidence collected from the device must be reliable. This depends on the tools and methodology used. The techniques used and evidence collected must not cast doubt on the authenticity of the evidence. If the examiner used some techniques that cannot be reproduced, the evidence is not considered unless they were directed to do so. This would include possible destructive methods such as chip-off extraction.
Believable
A forensic examiner must be able to explain, with clarity and conciseness, what processes they used and the way the integrity of the evidence was preserved. The evidence presented by the examiner must be clear, easy to understand, and believable by a jury.
Good forensic practices
Good forensic practices apply to the collection and preservation of evidence. Following the good forensic practices ensures that evidence will be accepted in a court as being authentic and accurate. Modification of evidence, either intentionally or accidentally, can affect the case. So, understanding the best practices is critical for forensic examiners.
Securing the evidence
With advanced smartphone features such as Find My iPhone and remote wipes, securing a mobile phone in a way that it cannot be remotely wiped is of great importance. Also, when the phone is powered on and has service, it constantly receives new data. To secure the evidence, use the right equipment and techniques to isolate the phone from all networks. With isolation, the phone is prevented from receiving any new data that would cause active data to be deleted.
Preserving the evidence
As evidence is collected, it must be preserved in a state that is acceptable in court. Working directly on the original copies of evidence might alter it. So, as soon as you recover a raw disk image or files, create a read-only master copy and duplicate it. In order for evidence to be admissible, there must be a method to verify that the evidence presented is exactly the same as the original collected. This can be accomplished by creating a hash value of the image. After duplicating the raw disk image or files, compute and verify the hash values for the original and the copy to ensure that the integrity of the evidence is maintained. Any changes in hash values should be documented and explainable. All further processing or examination should be performed on copies of the evidence. Any use of the device might alter the information stored on the handset. So, perform only the tasks that are absolutely necessary.
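The hash workflow described in the verification phase and again here (hash the image and extracted files right after acquisition, then re-hash every copy before it is used) can be scripted. The following is an added example written for this chapter, not code from the book or from any forensic tool; the image and database files it hashes are constructed placeholders, and the manifest format is an assumption.

```python
# Added example: hash manifest for an acquired image and its extracted files.
# Standard library only; the "evidence" files are constructed stand-ins.
import hashlib
import os
import shutil
import tempfile


def hash_file(path, algorithm="sha256", chunk_size=1 << 20):
    """Hash a file in chunks so multi-gigabyte images never have to fit in RAM."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(root, manifest_path, algorithm="sha256"):
    """Record '<digest>  <relative path>' for every file under root.

    Run this once, immediately after acquisition, against the read-only master copy."""
    entries = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            entries.append((os.path.relpath(full, root), hash_file(full, algorithm)))
    with open(manifest_path, "w") as f:
        f.write("# algorithm: %s\n" % algorithm)
        for rel, digest in sorted(entries):
            f.write("%s  %s\n" % (digest, rel))
    return dict(entries)


def verify_manifest(root, manifest_path):
    """Recompute every hash under root and return {relative path: 'ok'|'mismatch'|'missing'}.

    A 'mismatch' or 'missing' result must be explainable in the case notes (for
    example, the device was powered on and acquired again); otherwise that copy
    must not be used for examination."""
    algorithm = "sha256"
    results = {}
    with open(manifest_path) as f:
        for line in f:
            line = line.rstrip("\n")
            if line.startswith("# algorithm: "):
                algorithm = line[len("# algorithm: "):]
                continue
            if not line:
                continue
            expected, rel = line.split("  ", 1)
            full = os.path.join(root, rel)
            if not os.path.exists(full):
                results[rel] = "missing"
            elif hash_file(full, algorithm) == expected:
                results[rel] = "ok"
            else:
                results[rel] = "mismatch"
    return results


def demo():
    """Constructed scenario: a clean duplicate passes, a tampered working copy fails."""
    work = tempfile.mkdtemp()
    try:
        master = os.path.join(work, "master")
        os.makedirs(os.path.join(master, "filesystem"))
        # Constructed stand-ins for a raw physical image and one extracted file.
        with open(os.path.join(master, "physical.dd"), "wb") as f:
            f.write(b"\x00" * 4096 + b"CONSTRUCTED-RAW-IMAGE" + b"\xff" * 4096)
        with open(os.path.join(master, "filesystem", "sms.db"), "wb") as f:
            f.write(b"SQLite format 3\x00 constructed placeholder")
        manifest = os.path.join(work, "manifest.sha256")
        write_manifest(master, manifest)
        # Duplicate the master and verify the duplicate: every entry should be 'ok'.
        copy = os.path.join(work, "working_copy")
        shutil.copytree(master, copy)
        clean = verify_manifest(copy, manifest)
        # Simulate an examination that altered one file and lost another.
        with open(os.path.join(copy, "filesystem", "sms.db"), "ab") as f:
            f.write(b"\x00")
        os.remove(os.path.join(copy, "physical.dd"))
        altered = verify_manifest(copy, manifest)
        return clean, altered
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    for label, result in zip(("clean copy", "altered copy"), demo()):
        print(label, result)
```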
Documenting the evidence
Be sure to document all the methods and tools that are used to collect and extract the evidence. Detail your notes so that another examiner could reproduce them. Your work must be reproducible; if not, a judge may rule it inadmissible.
Documenting all changes
It's important to document the entire recovery process, including all the changes made during the acquisition and examination. For example, if the forensic tool used for the data extraction sliced up the disk image to store it, this must be documented. All changes to the mobile device, including power cycling and syncing, should be documented in your case notes.
Summary
Mobile device forensics includes many approaches and concepts that fall outside of the boundaries of traditional digital forensics. Examiners responsible for mobile devices must understand the different acquisition methods and the complexities of handling the data during analysis. Extracting data from a mobile device is half the battle. The operating system, security features, and type of smartphone will determine the amount of access you have to the data. The next chapter will provide insight into iOS forensics. You will learn about the file system layout, security features, and the way the files are stored on the iOS device.
Chapter 2. Understanding the Internals of iOS Devices
As of September 2013, Apple had sold more than 550 million iOS devices (170 million iPads and 387 million iPhones) according to released sales records. While iOS is the leading operating system for tablets worldwide, Android continues to be the leading operating system for smartphones worldwide. The following screenshot represents the worldwide mobile/tablet operating system share from 2013 to 2014 according to https://www.netmarketshare.com/operating-system-market-share.aspx?qprid=9&qpcustomb=1:
Regardless of the statistics, if you are a forensic examiner, chances are you will need to conduct an examination of an iOS mobile device.
In order to perform a forensic examination on an iOS device, the examiner must understand the internal components and inner workings of that device. Developing an understanding of the underlying components of a mobile device will help the forensic examiner understand the criticalities involved in the forensic process, including what data can be acquired, where the data is stored, and what methods can be used to access the data from that device. So, before we delve into the examination of iOS devices, it is necessary to know the different models that exist and their internals.
This book primarily focuses on the iPhone and forensic techniques associated with it. However, the same techniques may be applied to other Apple devices, such as the iPod Touch, iPad, and Apple TV.
iPhone models
The iPhone is among the most popular mobile phones on the market. Apple released the first generation iPhone in June 2007. Ever since the first release, the iPhone has gained a lot of popularity due to its advanced functionality and usability. The introduction of the iPhone has redefined the entire world of mobile computing. Consumers started looking for faster and more efficient phones. Various iPhone models exist now with different features and storage capabilities to serve the consumer requirements. The following table lists all the iPhone models and their initial iOS versions. With the iPhone, individuals can access e-mail, take photos and videos, listen to music, browse the Internet, and do much more. Furthermore, endless applications are available for download to extend the standard capabilities that exist on the iPhone.
Device | Model | Initial OS | Internal name | Identifier | Release date
iPhone 2G | A1203 | iPhone OS 1.0 | M68AP | iPhone1,1 | June 2007
iPhone 3G | A1241 | iPhone OS 2.0 | N82AP | iPhone1,2 | July 2008
iPhone 3G (China) | A1324 | | | |
iPhone 3GS | A1303 | iPhone OS 3.0 | N88AP | iPhone2,1 | June 2009
iPhone 3GS (China) | A1325 | | | |
iPhone 4 - GSM | A1332 | iOS 4.0 | N90AP | iPhone3,1 | June 2010
iPhone 4 - CDMA | A1349 | | N92AP | iPhone3,2 |
iPhone 4S | A1387 | iOS 5.0 | N94AP | iPhone4,1 | October 2011
iPhone 4S (China) | A1431 | | | |
iPhone 5 | A1428 | iOS 6.0 | N41AP | iPhone5,1 | September 2012
iPhone 5 rev2 | A1429, A1442 | | N42AP | iPhone5,2 |
iPhone 5C - GSM | A1456, A1532 | iOS 7.0 | N48AP | iPhone5,3 | September 2013
iPhone 5C - CDMA | A1507, A1516, A1526, A1529 | | N49AP | iPhone5,4 |
iPhone 5S - GSM | A1433, A1533 | iOS 7.0 | N51AP | iPhone6,1 |
iPhone 5S - CDMA | A1457, A1518, A1528, A1530 | | N53AP | iPhone6,2 |
iPhone models
The most recent iPhones, the seventh generation iPhone 5C and iPhone 5S, were just released at the time of writing this book. Currently, there is no method or tool available to physically recover data from these devices. However, the file system and a logical acquisition can be obtained if the iPhone is unlocked. Acquisition methods for data extraction are available and will be discussed in Chapter 3, Data Acquisition from iOS Devices, and Chapter 4, Data Acquisition from iOS Backups.
Before examining an iPhone, it is necessary to identify the correct hardware model and the firmware version installed on the device. Knowing the iPhone details helps you to understand the criticalities and possibilities of obtaining evidence from the iPhone. For example, in many cases, the device passcode is required in order to obtain the file system or logical image. Depending on the iOS version, device model, and passcode complexity, it may be possible to obtain the device passcode using a brute force attack.
There are various ways to identify the hardware of a device. The easiest way to identify the hardware of a device is by observing the model number displayed on the back of the device. The following image shows the model number etched on the back of the casing. Apple's knowledge base articles can be helpful for this purpose. Details on identifying iPhone models can be found at http://support.apple.com/kb/HT3939.
iPhone model number located on the back of the case
The firmware version of an iPhone can be found by accessing the Settings option and then navigating to General | About | Version, as shown in the following screenshot. The purpose of the firmware is to enable certain features and assist with the general functioning of the device.
The iPhone About screen, displaying firmware Version 5.1.1 (9B206)
Alternatively, the ideviceinfo command-line tool available in the libimobiledevice software library (http://www.libimobiledevice.org/) can be used to identify the iPhone model and its iOS version. The library allows you to communicate with an iPhone even if the device is locked by a passcode. The software library was developed by Nikias Bassen (pimskeks), and it was compiled for Mac OS X by Ben Clayton (benvium).
Mac OS X can be installed in virtual machines for use on a Windows platform. To obtain the iPhone model and its iOS version information on Mac OS X 10.8, the following steps must be followed:
1. Open the terminal application.
2. From the command line, run the following command to download the libimobiledevice library:
$ git clone https://github.com/benvium/libimobiledevice-macosx.git ~/Desktop/libimobiledevice-macosx/
The command creates the libimobiledevice-macosx directory on the user's desktop and places the libimobiledevice command-line tools onto it.
3. Navigate to the libimobiledevice-macosx directory, as follows:
$ cd ~/Desktop/libimobiledevice-macosx/
4. Create and edit the .bash_profile file using the nano command, as follows:
$ nano ~/.bash_profile
5. Add the following two lines to the .bash_profile file:
export DYLD_LIBRARY_PATH=~/Desktop/libimobiledevice-macosx/:$DYLD_LIBRARY_PATH
PATH=${PATH}:~/Desktop/libimobiledevice-macosx/
Press Ctrl + X, type the letter y and hit Enter to save the file.
6. Return to the terminal and run the following command:
$ source ~/.bash_profile
7. Connect the iPhone to the Mac workstation using a USB cable, and run the ideviceinfo command with the -s option:
$ ./ideviceinfo -s
OutputoftheideviceinfocommanddisplaystheiPhoneidentifier,internalname,andtheiOSversionasshown:
BuildVersion:9B206
DeviceClass:iPhone
DeviceName:iPhone4
HardwareModel:N90AP
ProductVersion:5.1.1
ProductionSOC:true
ProtocolVersion:2
TelephonyCapability:true
UniqueChipID:1937316564364
WiFiAddress:58:1f:aa:22:d1:0a
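The ideviceinfo output above is plain "Key: value" text, so an examiner can parse it and record the identifying fields automatically. The following Python script is an added example (it is not part of the book or of libimobiledevice): it parses the output, maps the HardwareModel internal name to a model name using only the N90AP entry from the output above and the internal names listed in the iPad model table later in this chapter, and falls back to the embedded sample output (constructed from the listing above) when no device is attached or ideviceinfo is not installed. The helper names and the field labels in the summary dict are this example's own choices.

```python
"""Parse `ideviceinfo -s` output into the identification fields an examiner records."""
import subprocess
from typing import Dict, Optional

# Constructed sample: the ideviceinfo -s output shown in the chapter, embedded so the
# parser can be exercised offline without a device attached.
SAMPLE_OUTPUT = """\
BuildVersion: 9B206
DeviceClass: iPhone
DeviceName: iPhone4
HardwareModel: N90AP
ProductVersion: 5.1.1
ProductionSOC: true
ProtocolVersion: 2
TelephonyCapability: true
UniqueChipID: 1937316564364
WiFiAddress: 58:1f:aa:22:d1:0a
"""

# Internal-name lookup built only from this chapter (N90AP from the listing above,
# the rest from the iPad model table). Anything else is reported as "unknown".
HARDWARE_MODELS: Dict[str, str] = {
    "N90AP": "iPhone 4",
    "K48AP": "iPad - Wi-Fi",
    "K93AP": "iPad 2 - Wi-Fi", "K94AP": "iPad 2 - GSM", "K95AP": "iPad 2 - CDMA",
    "K93AAP": "iPad 2 - Wi-Fi rev",
    "J1AP": "iPad 3 - Wi-Fi", "J2AP": "iPad 3 - Wi-Fi + Cellular Verizon",
    "J2AAP": "iPad 3 - Wi-Fi + Cellular AT&T",
    "P101AP": "iPad 4 - Wi-Fi", "P102AP": "iPad 4 - Wi-Fi + Cellular AT&T",
    "P103AP": "iPad 4 - Wi-Fi + Cellular Verizon",
    "P105AP": "iPad mini - Wi-Fi", "P106AP": "iPad mini - Wi-Fi + Cellular AT&T",
    "P107AP": "iPad mini - Wi-Fi + Cellular Verizon and Sprint",
    "J71AP": "iPad Air - Wi-Fi", "J72AP": "iPad Air - Wi-Fi + Cellular",
}


def parse_ideviceinfo(text: str) -> Dict[str, str]:
    """Turn 'Key: value' lines into a dict. Only the first colon separates key from
    value, so a MAC address such as 58:1f:aa:22:d1:0a survives intact."""
    info: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        info[key.strip()] = value.strip()
    return info


def summarize(info: Dict[str, str]) -> Dict[str, str]:
    """Select the fields used for device identification and resolve the model name."""
    model = info.get("HardwareModel", "")
    return {
        "hardware_model": model,
        "model_name": HARDWARE_MODELS.get(model, "unknown"),
        "ios_version": info.get("ProductVersion", ""),
        "build": info.get("BuildVersion", ""),
        "unique_chip_id": info.get("UniqueChipID", ""),
        "wifi_mac": info.get("WiFiAddress", ""),
    }


def run_ideviceinfo() -> Optional[Dict[str, str]]:
    """Query a connected device; returns None if ideviceinfo is missing or fails
    (for example, no device attached), so the caller can fall back gracefully."""
    try:
        result = subprocess.run(["ideviceinfo", "-s"], capture_output=True,
                                text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return summarize(parse_ideviceinfo(result.stdout))


if __name__ == "__main__":
    live = run_ideviceinfo()
    print(live if live is not None else summarize(parse_ideviceinfo(SAMPLE_OUTPUT)))
```

Recording the HardwareModel and UniqueChipID alongside the ProductVersion and BuildVersion at intake gives the examiner the inputs needed to choose an acquisition method later in the process.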
Every release of the iPhone comes with improved or newly added features. The following tables show the specifications and features of legacy and current iPhone models:
Specification | iPhone | iPhone 3G | iPhone 3GS
System on chip | Samsung chip | Samsung chip | Samsung chip
CPU | 620 MHz Samsung 32-bit RISC ARM | 620 MHz Samsung 32-bit RISC ARM | 833 MHz ARM Cortex-A8
Onboard RAM | 128 MB | 128 MB | 256 MB
Screen size (in inches) | 3.5 | 3.5 | 3.5
Resolution | 480*320 | 480*320 | 480*320
Connectivity | Wi-Fi, Bluetooth 2.0, GSM | Wi-Fi, Bluetooth 2.0, GSM/UMTS/HSDPA, GPS | Wi-Fi, Bluetooth 2.1, GSM, UMTS/HSDPA, GPS
Camera (megapixel) | 2 | 2 | 3
Front camera | N/A | N/A | N/A
Storage (GB) | 4, 8, 16 | 8, 16 | 8, 16, 32
Weight (in ounces) | 4.8 | 4.7 | 4.8
Dimensions | 4.5*2.4*0.46 | 4.55*2.44*0.48 | 4.55*2.44*0.48
Battery life (talk/video/web/audio, hours) | 8/7/6/24 | 5/7/5/24 | 5/10/5/30
Standby time (hours) | 250 | 300 | 300
Colors | Black | Black, white (white not in 8 GB) | Black, white (white not in 8 GB)
Material | Aluminum, glass, and steel | Glass, plastic, and steel | Glass, plastic, and steel
Connector | USB 2.0 dock connector | USB 2.0 dock connector | USB 2.0 dock connector
SIM card form-factor | Mini SIM | Mini SIM | Mini SIM
Siri support | No | No | No
The most recent iPhone features are shown in the following table:
Specification | iPhone 4 | iPhone 4S | iPhone 5 | iPhone 5C
System on chip | Apple A4 | Apple A5 | Apple A6 | Apple A6
CPU | 1 GHz ARM Cortex-A8 | 800 MHz dual core ARM Cortex-A9 | 1.3 GHz dual core Apple-designed ARMv7s | 1.3 GHz dual core Apple-designed ARMv7s
Onboard RAM | 512 MB | 512 MB | 1 GB | 1 GB
Screen size (in inches) | 3.5 | 3.5 | 4 | 4
Resolution | 960*640 | 960*640 | 1136*640 | 1136*640
Connectivity | Wi-Fi, Bluetooth 2.1, GSM, UMTS/HSDPA/HSUPA, GPS | Wi-Fi, Bluetooth 4, GSM, UMTS/HSDPA/HSUPA, GPS | Wi-Fi, Bluetooth 4, UMTS/HSDPA+/DC-HSDPA, GSM, GPS | Wi-Fi, Bluetooth 4, UMTS/HSDPA+/DC-HSDPA/LTE, GSM, GPS
Camera (megapixel) | 5 | 8 | 8 | 8
Front camera | VGA | VGA | 720P | 720P
Storage (GB) | 8, 16, 32 | 8, 16, 32, 64 | 16, 32, 64 | 8, 16, 32, 64
Weight (in ounces) | 4.8 | 4.9 | 3.95 | 4.7
Dimensions | 4.5*2.31*0.37 | 4.5*2.31*0.37 | 4.87*2.31*0.30 | 4.98*2.33*0.353
Battery life (talk/video/web/audio, hours) | 7/10/10/40 | 8/10/9/40 | 8/10/10/40 | 10/10/10/40
Standby time (hours) | 300 | 300 | 225 | 250
Colors | Black | Black, white | Black, white | White, pink, yellow, blue, or green
Material | Aluminosilicate glass and stainless steel | Aluminosilicate glass and stainless steel | Black-anodized aluminum slate metal, white-silver aluminum metal | White, pink, yellow, blue, or green
Connector | USB 2.0 dock connector | USB 2.0 dock connector | Lightning connector | Lightning connector
SIM card form-factor | Micro SIM | Micro SIM | Nano-SIM | Nano-SIM
Siri support | No | Yes | Yes | Yes
One of the major changes in the iPhone 5, iPhone 5C, and iPhone 5S is the USB dock connector, which is used to charge and synchronize the device with the computer. Devices prior to the iPhone 5 use a 30-pin USB dock connector, whereas the newer iPhones use an eight-pin Lightning connector.
iPhone hardware
The iPhone is a collection of modules, chips, and electronic components from different manufacturers. Due to the complexity of the iPhone, the list of hardware components is extensive. A detailed list of iPhone hardware components is defined at https://viaforensics.com/resources/white-papers/iphone-forensics/overview.
The following images show the internals of the iPhone 5S. The images were taken after dismantling the iPhone 5S. Internal images for all iPhones can be found in the teardown section at http://www.ifixit.com/Device/iPhone.
The iPhone 5S teardown image — side one (included with kind permission from TechInsights)
And the following is the image showing the back of the iPhone 5S:
iPad models
The Apple iPhone changed the way cell phones are produced and used. Similarly, the iPad, a version of the tablet computer introduced in January 2010, squashed the sales of notebooks. With the iPad, individuals can shoot video, take photos, play music, read books, browse the Internet, and do much more. Various iPad models exist now with different features and storage capabilities. The following table lists all the iPad models and their initial iOS versions (cells left blank were merged with the row above in the original table). Details on identifying iPad models can be found at http://support.apple.com/kb/ht5452.
Device | Model | Initial OS | Internal name | Identifier | Release date
iPad - Wi-Fi | A1219 | iOS 3.2 | K48AP | iPad1,1 | January 2010
iPad - 3G | A1337 | | | iPad1,1 |
iPad 2 - Wi-Fi | A1395 | | K93AP | iPad2,1 | March 2011
iPad 2 - GSM | A1396 | iOS 4.3 | K94AP | iPad2,2 |
iPad 2 - CDMA | A1397 | | K95AP | iPad2,3 |
iPad 2 - Wi-Fi rev | A1395 | | K93AAP | iPad2,4 | March 2012
iPad 3 - Wi-Fi | A1416 | | J1AP | iPad3,1 |
iPad 3 - Wi-Fi + Cellular Verizon | A1403 | iOS 5.1 | J2AP | iPad3,2 |
iPad 3 - Wi-Fi + Cellular AT&T | A1430 | | J2AAP | iPad3,3 |
iPad 4 - Wi-Fi | A1458 | iOS 6.0 | P101AP | iPad3,4 | October 2012
iPad 4 - Wi-Fi + Cellular AT&T | A1459 | | P102AP | iPad3,5 |
iPad 4 - Wi-Fi + Cellular Verizon | A1460 | iOS 6.0.1 | P103AP | iPad3,6 |
iPad mini - Wi-Fi | A1432 | iOS 6.0 | P105AP | iPad2,5 |
iPad mini - Wi-Fi + Cellular AT&T | A1454 | | P106AP | iPad2,6 |
iPad mini - Wi-Fi + Cellular Verizon and Sprint | A1455 | iOS 6.0.1 | P107AP | iPad2,7 |
iPad Air - Wi-Fi | A1474 | iOS 7.0.3 | J71AP | iPad4,1 | November 2013
iPad Air - Wi-Fi + Cellular | A1475 | | J72AP | iPad4,2 |
Every release of the iPad comes with improved or newly added features. The following table shows the specifications and features of legacy and current iPad Wi-Fi models:
Specification | iPad | iPad 2 | iPad 3 | iPad 4 | iPad Mini | iPad Air
System on chip | Apple A4 | Apple A5 | Apple A5X | Apple A6X | Apple A5 | Apple A7
CPU | 1 GHz dual core Samsung-Intrinsity | 1 GHz dual core ARM Cortex-A9 | 1 GHz dual core ARM Cortex-A9 | 1.4 GHz dual core Apple Swift | 1 GHz dual core ARM Cortex-A9 | 1.4 GHz dual core ARMv8-A
Onboard RAM | 256 MB | 512 MB | 1 GB | 1 GB | 512 MB | 1 GB
Screen size (in inches) | 9.7 | 9.7 | 9.7 | 9.7 | 7.9 | 9.7
Resolution | 1024*768 | 1024*768 | 2048*1536 | 2048*1536 | 1024*768 | 2048*1536
Connectivity | Wi-Fi, Bluetooth 2.1 | Wi-Fi, Bluetooth 2.1 | Wi-Fi, Bluetooth 4 | Wi-Fi, Bluetooth 4 | Wi-Fi, Bluetooth 4 | Wi-Fi, Bluetooth 4
Camera (megapixel) | N/A | 0.7 | 5 | 5 | 5 | 5
Front camera | N/A | 0.3 MP | 0.3 MP | 1.2 MP | 1.2 MP | 1.2 MP
Storage (GB) | 16, 32, 64 | 16, 32, 64 | 16, 32, 64 | 16, 32, 64, 128 | 16, 32, 64 | 16, 32, 64, 128
Weight (in ounces) | 24 | 21.6 | 22.9 | 22.9 | 10.8 | 16
Dimensions | 9.56*7.47*0.5 | 9.5*7.31*0.34 | 9.5*7.31*0.37 | 9.5*7.31*0.37 | 7.87*5.3*0.28 | 9.4*6.6*0.29
Battery life (video/web/audio, hours) | 10/10/140 | 10/10/140 | 10/10/140 | 10/10/140 | 10/10/140 | 10/10/140
Standby time | 1 month | 1 month | 1 month | 1 month | 1 month | 1 month
Connector | USB 2.0 dock connector | USB 2.0 dock connector | USB 2.0 dock connector | Lightning connector | Lightning connector | Lightning connector
iPad hardware
One of the key successes of Apple iOS devices is the proper selection of their hardware components. Just like the iPhone, the iPad is also a collection of modules, chips, and electronic components from different manufacturers. Internal images for all iPads can be found in the teardown section of http://www.ifixit.com/Device/iPad.
The following images show the internals of the iPad 3. The images were taken after dismantling the iPad 3 cellular model and were obtained from http://www.chipworks.com/.
The iPad 3 cellular model teardown image — side one (included with kind permission from Chipworks)
The following image shows side two of the iPad 3 cellular model:
File system
To better understand the forensic process of an iPhone, it is good to know about the file system that is used. The file system used in the iPhone and other Apple iOS devices is HFSX, a variation of HFS Plus with one major difference: HFSX is case sensitive, whereas HFS Plus is case insensitive. Other differences will be discussed later in this chapter. OS X uses HFS Plus by default, and iOS uses HFSX.
The HFS Plus file system
In 1996, Apple developed a new file system, Hierarchical File System (HFS), to accommodate the storage of large data sets. In an HFS file system, the storage medium is represented as volumes. HFS volumes are divided into logical blocks of 512 bytes. The logical blocks are numbered from first to last on a given volume and remain static, with the same size as physical blocks, that is, 512 bytes. These logical blocks are grouped together into allocation blocks, which are used by the HFS file system to track data in a more efficient way. HFS uses a 16-bit value to address allocation blocks, which limits the number of allocation blocks to 65,535. To overcome the inefficient allocation of disk space and some of the limitations of HFS, Apple introduced the HFS Plus file system (http://dubeiko.com/development/FileSystems/HFSPLUS/tn1150.html).
The HFS Plus file system was designed to support larger file sizes. HFS volumes are divided into sectors that are usually 512 bytes in size. These sectors are grouped together into allocation blocks. The number of allocation blocks depends on the total size of the volume. HFS Plus uses 32-bit block addresses to address allocation blocks. HFS Plus uses journaling by default. Journaling is the process of logging every transaction to the disk, which helps in preventing file system corruption. The key characteristics of the HFS Plus file system are: efficient use of disk space, Unicode support for file names, support for named forks, file compression, journaling, dynamic resizing, dynamic defragmentation, and the ability to boot on operating systems other than Mac OS.
The HFS Plus volume
The HFS Plus volume contains a number of internal structures to manage the organization of data. These structures include a header, an alternate header, and five special files: an Allocation file, an Extents Overflow file, a Catalog file, an Attributes file, and a Startup file. Among the five files, three (the Extents Overflow file, the Catalog file, and the Attributes file) use a B-tree structure, a data structure that allows data to be efficiently searched, viewed, modified, or removed. The HFS Plus volume structure is shown in the following figure:
The volume structure is described as follows:
- The first 1,024 bytes are reserved for boot load information.
- Volume Header: This stores volume information, such as the size of allocation blocks, a timestamp of when the volume was created, and metadata about each of the five special files.
- Allocation File: This file is used to track which allocation blocks are in use by the system. The file format consists of one bit for every allocation block. If the bit is set, the block is in use. If it is not set, the block is free.
- Extents Overflow File: This file records the allocation blocks that are allocated when the file size exceeds eight blocks, which helps in locating the actual data when referred to. Bad blocks are also recorded in the file.
- Catalog File: This file contains information about the hierarchy of files and folders, which is used to locate any file and folder within the volume.
- Attributes File: This file contains inline data attribute records, fork data attribute records, and extension attribute records.
- Startup File: This file holds the information needed to assist in booting a system that does not have HFS Plus support.
- Alternate Volume Header: This is a backup of the volume header, and it is primarily used for disk repair.
- The last 512 bytes are reserved for use by Apple, and they are used during the manufacturing process.
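The layout above maps directly onto the on-disk volume header, which is why an examiner can confirm the file system type, journaling state and block geometry of a raw partition image before mounting it. The following Python parser is an added example (not code from the book): it reads the 512-byte volume header at offset 1,024, following the field order in Apple's TN1150 (signature, version, attributes, last-mounted version, journal info block, four dates, file and folder counts, block size, total and free blocks, and then the fork descriptors of the five special files), decides between HFS Plus ("H+") and case-sensitive HFSX ("HX"), checks the journaled attribute bit, and decodes the Allocation file's one-bit-per-block bitmap. The sample image it parses is constructed in build_sample_image and is not from a real device; the bit number 13 for the journaled attribute and the 1904 date epoch are taken from TN1150.

```python
"""Parse an HFS Plus / HFSX volume header and the allocation bitmap from a raw image."""
import struct
from datetime import datetime, timedelta, timezone

HFS_EPOCH = datetime(1904, 1, 1, tzinfo=timezone.utc)  # HFS dates are seconds since 1904
VOLUME_HEADER_OFFSET = 1024                             # the first 1,024 bytes are boot blocks
JOURNALED_BIT = 13                                      # kHFSVolumeJournaledBit in TN1150

# HFSPlusForkData: logicalSize(u64) clumpSize(u32) totalBlocks(u32) + 8 extents (start, count)
FORK_DATA = ">QII" + "II" * 8                           # 80 bytes per special file
# The 112 bytes before the five fork descriptors: signature, version, 17 u32 fields,
# encodingsBitmap(u64) and finderInfo(32 bytes).
HEADER_FIXED = ">2sH" + "I" * 17 + "Q32s"
SPECIAL_FILES = ["allocation", "extents_overflow", "catalog", "attributes", "startup"]


def parse_fork(buf: bytes) -> dict:
    f = struct.unpack(FORK_DATA, buf)
    extents = [(f[3 + 2 * i], f[4 + 2 * i]) for i in range(8) if f[4 + 2 * i]]
    return {"logical_size": f[0], "total_blocks": f[2], "extents": extents}


def parse_volume_header(image: bytes) -> dict:
    hdr = image[VOLUME_HEADER_OFFSET:VOLUME_HEADER_OFFSET + 512]
    if len(hdr) != 512:
        raise ValueError("image too short to contain a volume header")
    fixed = struct.unpack(HEADER_FIXED, hdr[:112])
    sig = fixed[0]
    if sig not in (b"H+", b"HX"):
        raise ValueError("not an HFS Plus/HFSX volume header: %r" % sig)
    forks = {name: parse_fork(hdr[112 + 80 * i:112 + 80 * (i + 1)])
             for i, name in enumerate(SPECIAL_FILES)}
    return {
        "signature": sig.decode(),
        "case_sensitive": sig == b"HX",            # HFSX (iOS) vs HFS Plus (OS X)
        "journaled": bool(fixed[2] & (1 << JOURNALED_BIT)),
        "journal_info_block": fixed[4],
        "created": HFS_EPOCH + timedelta(seconds=fixed[5]),
        "file_count": fixed[9],
        "folder_count": fixed[10],
        "block_size": fixed[11],
        "total_blocks": fixed[12],
        "free_blocks": fixed[13],
        "special_files": forks,
    }


def used_blocks(bitmap: bytes, total_blocks: int) -> list:
    """Allocation file semantics: one bit per block, most significant bit first;
    a set bit means the block is in use."""
    return [i for i in range(total_blocks) if bitmap[i // 8] & (0x80 >> (i % 8))]


def build_sample_image() -> bytes:
    """Constructed HFSX header for offline testing (not taken from a real device)."""
    created = int((datetime(2012, 10, 10, tzinfo=timezone.utc) - HFS_EPOCH).total_seconds())
    fixed = struct.pack(HEADER_FIXED, b"HX", 5, 1 << JOURNALED_BIT, 0, 41,
                        created, created, 0, 0, 12, 3,
                        4096, 1000, 600, 400, 65536, 65536, 100, 1, 1, b"\0" * 32)

    def fork(size, blocks, start):  # one extent, seven empty ones
        return struct.pack(FORK_DATA, size, 4096, blocks, start, blocks, *([0] * 14))

    forks = (fork(4096, 1, 1) + fork(32768, 8, 2) + fork(131072, 32, 10)
             + fork(0, 0, 0) + fork(0, 0, 0))
    return b"\0" * VOLUME_HEADER_OFFSET + fixed + forks


if __name__ == "__main__":
    header = parse_volume_header(build_sample_image())
    print(header["signature"], "case-sensitive:", header["case_sensitive"],
          "journaled:", header["journaled"], "block size:", header["block_size"])
    print("catalog extents:", header["special_files"]["catalog"]["extents"])
    print("blocks in use:", used_blocks(b"\xa0\x01", 16))
```

On a real partition image the same call is parse_volume_header(open(path, "rb").read(1536)); the alternate volume header described above sits 1,024 bytes before the end of the volume and can be parsed with the same field layout if the primary header is damaged.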
Disk layout
By default, the file system is configured as two logical disk partitions: the system (root or firmware) partition and the user data partition.
The system partition contains the OS and all of the preloaded applications used with the iPhone. The system partition is mounted as read-only unless an OS upgrade is performed or the device is jailbroken. The partition is updated only when a firmware upgrade is performed on the device. During this process, the entire partition is formatted by iTunes without affecting any of the user data. The system partition takes only a small portion of storage space, normally between 0.9 GB and 2.7 GB, depending on the size of the NAND drive. As the system partition was designed to remain in factory state for the entire life of the iPhone, there is typically little useful evidentiary information that can be obtained from it. If the iOS device was jailbroken, files containing information regarding the jailbreak may be resident on the system partition. Jailbreaking an iOS device gives the user root access to the device and voids the manufacturer warranty. Jailbreaking will be discussed later in this chapter.
The user data partition contains all user-created data, ranging from music to contacts. The user data partition occupies most of the NAND memory and is mounted at /private/var on the device. Most of the evidentiary information can be found in this partition. During a physical acquisition, both the user data and system partitions can be captured and saved as a .dmg or .img file. These raw image files can be mounted as read-only for forensic analysis, which is covered in detail in Chapter 3, Data Acquisition from iOS Devices. Even on non-jailbroken iOS devices, it is recommended to acquire both the system and user data partitions to ensure all data is obtained for examination.
To view the mounted partitions on the iPhone, connect a jailbroken iPhone to a workstation over SSH, and run the mount command. For this example, an iPhone 4 with iOS 5.1.1 is used.
The mount command shows that the system partition is mounted on / (root), and the user data partition is mounted on /private/var, as shown in the following command lines. Both partitions show HFS as the file system, and the user data partition even shows that journaling is enabled.
iPhone4:~ root# mount
/dev/disk0s1s1 on / (hfs, local, journaled, noatime)
devfs on /dev (devfs, local, nobrowse)
/dev/disk0s1s2 on /private/var (hfs, local, journaled, noatime, protect)
To view the raw disk devices on the iPhone, connect a jailbroken iPhone to a workstation over SSH, and run the ls -lh rdisk* command from the /dev directory. rdisk0 is the entire file system and rdisk0s1 is the firmware partition. rdisk0s1s1 is the root file system and rdisk0s1s2 is the user file system, as shown in the following command lines:
iPhone4:/dev root# ls -lh rdisk*
crw-r----- 1 root operator 14, 0 Oct 10 04:28 rdisk0
crw-r----- 1 root operator 14, 1 Oct 10 04:28 rdisk0s1
crw-r----- 1 root operator 14, 2 Oct 10 04:28 rdisk0s1s1
crw-r----- 1 root operator 14, 3 Oct 10 04:28 rdisk0s1s2
iPhone operating system
iOS is Apple's most advanced and feature-rich proprietary mobile operating system. It was released with the first generation of the iPhone. When introduced, it was named iPhone OS, and later it was renamed to iOS to reflect the unified nature of the operating system that powers all Apple iOS devices, such as the iPhone, iPod Touch, iPad, and Apple TV. iOS is derived from core OS X technologies and streamlined to be compact and efficient for mobile devices.
It utilizes a multitouch interface where simple gestures are used to operate and control the device, such as swiping your finger across the screen to move to the next page or pinching your fingers to zoom. In simple terms, iOS assists with the general functioning of the device. iOS is really Mac OS X with some significant differences:
- The architecture for which the kernel and binaries are compiled is ARM-based rather than Intel x86_64
- The OS X kernel is open source, whereas the iOS kernel remains closed
- Memory management is much tighter
- The system is hardened and does not allow access to the underlying APIs
iOS history
iOS, like any other operating system, has gone through multiple updates since its release. Apple occasionally releases newer versions to enable new features, to support the latest hardware, and to fix bugs. The latest version of iOS at the time of this writing is iOS 7.0.3. Though Apple sticks with a numeric approach for new iOS builds, all iOS versions have code names that are private to Apple. The following sections describe the history of iOS development.
1.x – the first iPhone
iPhone OS 1.x was the first release of Apple's touch-centric mobile operating system. On its initial release, Apple stated that the iPhone uses a version of the desktop operating system, OS X. Later it was named iPhone OS. The original build was known as Alpine, but the final released version was Heavenly.
2.x – App Store and 3G
iPhone OS 2.0 (known as Big Bear) was released along with the iPhone 3G. Features required for corporate needs, such as VPN and Microsoft Exchange, were introduced with this release. The big addition to the OS with this release was the App Store, a marketplace for the third-party applications that could run on the iPhone. Apple also released the iPhone Software Development Kit (SDK) to assist developers in creating applications for the App Store, for free or for purchase. Global Positioning System (GPS) was also added to the iPhone with this release.
3.x – the first iPad
iPhone OS 3.0 (known as Kirkwood) became available with the release of the iPhone 3GS. This release brought the copy/paste feature, Spotlight searches, push notifications for third-party applications, and many other enhancements to the built-in applications. Multitasking was introduced, but it was limited to a selection of the applications Apple included on the device. The first iPad was introduced with iPhone OS 3.2 (known as Wildcat) and later updated to 3.2.2, a version specifically made for the iPad.
4.x – Game Center and multitasking
iOS 4.0 (known as Apex) was the first major release after renaming the iPhone OS to iOS. This release brought over 100 new features, such as FaceTime, iBooks, voice control, and 1,500 new APIs for developers. Starting with this release, multitasking was extended to third-party iOS applications. Apple also released Game Center, an online multiplayer social gaming network, along with this release.
5.x – Siri and iCloud
iOS 5.0 (known as Telluride) was released with the iPhone 4S. iOS 5 with the iPhone 4S introduced Apple's natural language-based voice control, Siri, a virtual assistant. This update brought many new features, such as Notification Center, iMessage, Newsstand, Twitter integration, the Reminders application, and over-the-air (OTA) software updates. The biggest addition to the release was iCloud, Apple's cloud-based service that allows users to synchronize their contacts, calendar, pictures, and much more to the cloud.
6.x – Apple Maps
iOS 6.0 (known as Sundance) was released in June 2012 with the release of the iPhone 5. With iOS 6, the old, Google-powered Maps application was removed, and an all-new Apple Maps with data supplied by TomTom was added. The YouTube application was also removed in this update. iOS 6 brought many new features, such as Facebook integration, FaceTime over cellular network, Passbook, and many enhancements to the built-in applications. Better privacy controls were added with this release.
7.x – the iPhone 5S and beyond
iOS 7.0 (known as Innsbruck) was released in September 2013 with the release of the iPhone 5S. The biggest and most important change in iOS 7 was the system-wide redesign. With this release, Apple took the interface experience from static to dynamic. A ton of new features were introduced, such as Control Center, AirDrop, iTunes Radio, FaceTime audio, automatic updates for applications, Activation Lock, and many more. With the iPhone 5S, Apple's Touch ID fingerprint identity sensor, a biometric authentication technology, was introduced.
Not all iOS versions are supported by all iOS devices. Each iOS version is compatible only with a few devices, as shown in the following iOS compatibility matrix. This table was created using http://iossupportmatrix.com/. The blocks in green signify that an iOS version was supported for that device. If a version is listed, it is the earliest version supported for that device. The blocks in red mean no support for that device, and the blocks in blue are iOS versions still supported by Apple.
The OS compatibility matrix
The iOS architecture
iOS acts as an intermediary between the underlying hardware components and the applications that appear on the screen. The applications do not talk to the underlying hardware directly. Instead, they communicate through a well-defined system interface that protects the applications from hardware changes. This abstraction makes it easy to build applications that work on devices with different hardware capabilities.
The iOS architecture consists of four layers: the Cocoa Touch layer, the Media layer, the Core Services layer, and the Core OS layer, as shown in the following figure. Each layer consists of several frameworks that help to build an application.
The iOS layers
The Cocoa Touch layer
The Cocoa Touch layer contains the key frameworks required to develop the visual interface for iOS applications. Frameworks in this layer provide the basic application infrastructure and support key technologies, such as multitasking and touch-based input, and many high-level system services.
The Media layer
The Media layer provides the graphics, audio, and video frameworks to create the best multimedia experience available on a mobile device. The technologies in this layer help developers to build applications that look and sound great.
The Core Services layer
The Core Services layer provides the fundamental system services that are required for the applications. Not all of these services are used directly by developers, though many parts of the system are built on top of them. The layer contains the technologies to support features such as location, iCloud, and social media.
The Core OS layer
The Core OS layer is the base layer and sits directly on top of the device hardware. This layer deals with low-level functionality and provides services such as networking (BSD sockets), memory management, threading (POSIX threads), file system handling, external accessory access, and inter-process communication.
iOS security
iOS was designed with security at its core. At the highest level, the iOS security architecture appears as shown in the following figure:
The iOS security architecture
Apple iOS devices such as the iPhone, iPad, and iPod Touch are designed with layers of security. Low-level hardware features safeguard against malware attacks, and high-level OS features prevent unauthorized use. A brief overview of the iOS security features is provided in the following sections.
Passcode
Passcodes restrict unauthorized access to the device. Once a passcode is set, each time you turn on or wake up the device, it will ask for the passcode before granting access. The iPhone supports simple as well as complex passcodes. The iPhone 5S also supports Touch ID fingerprints as a passcode.
Code signing
Code signing prevents users from downloading and installing unauthorized applications on the device. Apple says, "Code Signing is the process by which your compiled iOS application is sealed and identified as yours. Also, iOS devices won't run an application or load a library unless it is signed by a trusted party. To ensure that all apps come from a known and approved source and have not been tampered with, iOS requires that all executable code be signed using an Apple-issued certificate."
Sandboxing
Sandboxing mitigates post-code-execution exploitation by placing the application into a tightly restricted area. Applications installed on the iOS device are sandboxed, and one application cannot access the data stored by another application.
Encryption
On iOS devices, the entire file system is encrypted with a file system key, which is computed from the device's unique hardware key.
Data protection
Data protection is designed to protect data at rest and to make offline attacks difficult. It allows applications to leverage the user's device passcode in concert with the device hardware encryption to generate a strong encryption key. This strong encryption key is then used to encrypt the data stored on the disk. The key prevents data from being accessed when the device is locked, ensuring that critical information is secured even if the device is compromised.
Address Space Layout Randomization
Address Space Layout Randomization (ASLR) is an exploit mitigation technique introduced with iOS 4.3. ASLR randomizes the location of application objects in memory, making it difficult to exploit memory corruption vulnerabilities.
Privilege separation
iOS runs with the principle of least privilege. It contains two user roles: root and mobile. The most important processes in the system run with root user privileges. All other applications that the user has direct access to, such as the browser and third-party applications, run with mobile user privileges.
Stack smashing protection
Stack smashing protection is an exploit mitigation technique. It protects against buffer overflow attacks by placing a random and known value (called a stack canary) between a buffer and control data on the stack.
Data execution prevention
Data execution prevention (DEP) is an exploit mitigation mechanism in which the processor can distinguish the portions of memory that are executable code from data.
Data wipe
iOS provides an option, Erase All Content and Settings, to wipe the data on the iPhone. This type of data wipe erases user settings and information by removing the encryption keys that protect the data. As the encryption keys are erased from the device, it is not possible to recover the deleted data in forensic investigations. Other wiping methods are available that overwrite the data in the device memory. More information on wiping can be found at http://support.apple.com/kb/ht2110.
Activation Lock
Activation Lock, introduced with iOS 7, is a theft deterrent that works by leveraging Find My iPhone. When Find My iPhone is enabled, it enables Activation Lock, and your Apple ID and password will be required to turn off Find My iPhone, to erase your device, and to reactivate your device.
App Store
The App Store is an application distribution platform for iOS, developed and maintained by Apple. It is a centralized online store where users can browse and download both free and paid apps. These apps expand the functionality of a mobile device. As of December 2013, there are more than 1 million applications in the App Store, and users have downloaded them over 60 billion times. Apps available in the App Store are generally written by third-party developers. Developers use Xcode and the iPhone SDK to develop iOS applications. Later, they submit the app to Apple for approval. Apple follows an extensive review process to check the app against the company guidelines. If Apple approves the app, it is published to the App Store where users can download or buy it. The strict review process makes the App Store less prone to malware. Currently, users can access the App Store via iTunes and also from their iOS devices.
Jailbreaking
Jailbreaking is the process of removing limitations imposed by Apple's mobile operating system through the use of software and hardware exploits. Jailbreaking permits unsigned code to run and gain root access on the operating system. The most common reason for jailbreaking is to expand the limited feature set imposed by Apple's App Store and to install unapproved apps. Many publicly available jailbreaking tools add an unofficial application installer to the device, such as Cydia, which allows users to install many third-party applications, tools, tweaks, and apps from an online file repository. The software downloaded from Cydia opens up endless possibilities on a device that a non-jailbroken device would never be able to do. The most popular jailbreaking tools are redsn0w, sn0wbreeze, evasi0n, Absinthe, seas0npass, and so on. Not all iOS versions are jailbreakable. The website http://www.guidemyjailbreak.com/choose-iphone-to-jailbreak/ can be helpful to find out whether a particular iOS version is jailbreakable or not, and with which method. In October 2012, the U.S. Copyright Office declared that jailbreaking the iPad is illegal, while jailbreaking the iPhone is deemed legal. The governing law is reviewed every three years.
Summary
The first step in a forensic examination of an iOS device should be identifying the device model. The model of an iOS device can be used to help the examiner develop an understanding of the underlying components and capabilities of the device, which can be used to drive the methods for acquisition and examination. Legacy iOS devices should not be disregarded, because they may surface as part of an investigation. Examiners must be aware of all iOS devices, as old devices are sometimes still in use and may be tied to a criminal investigation. The next chapter will provide tips and techniques for acquiring data from the iOS devices discussed in this chapter.
Chapter 3. Data Acquisition from iOS Devices
An iPhone recovered from a crime scene can provide a rich source of evidence due to its increased storage capabilities and Internet connectivity. According to several news references, Oscar Pistorius' iPads were examined by a mobile expert and presented during the murder trial to show Internet activity hours before the murder of his girlfriend. There are different ways to acquire forensic data from an iPhone. Though each method will have its positives and negatives, the fundamental principle of any acquisition method is to obtain a bit-by-bit picture of the original data.
This chapter covers physical acquisition techniques that target the physical storage medium directly and extract a disk image from the device into an external file, which can be examined later using forensic tools.
Operating modes of iOS devices
Before we dive into the forensic techniques and acquisition methods, it is important to know the different operating modes of an iPhone. Many forensic tools and methods require you to place the device into one of the operating modes. Understanding the iOS device operating modes is required in order to perform a particular action on the device. iOS devices are capable of running in different operating modes: normal mode, recovery mode, and DFU mode. Most forensic tools require the examiner to know which mode the device is currently in. We will define each mode in this section. When the term "iPhone" is referenced, it should be understood that the statement remains true for all iOS devices.
Normal mode
When an iPhone is switched on, it is booted to its operating system. This mode is known as normal mode. Most of the regular activities (calling, texting, and so on) performed on an iPhone will be run in normal mode.
When an iPhone is turned on, internally, it goes through a secure boot chain, as shown in the following figure. Each step in the boot-up process contains software components that are cryptographically signed by Apple to ensure integrity.
A secure boot chain of an iPhone in normal mode
The BootROM, known as the secure ROM, is a read-only memory (ROM) and is the first significant code that runs on an iPhone (http://images.apple.com/ipad/business/docs/iOS_Security_Feb14.pdf). The BootROM code contains the Apple root CA public key, which is used to verify the signature of the next stage before allowing it to load. When the iPhone is started, the application processor executes the code from the BootROM, which, in turn, verifies whether the Low Level Bootloader (LLB) is signed by Apple or not and loads it accordingly. When LLB finishes its tasks, it verifies and loads the second-stage bootloader (iBoot). iBoot verifies and loads the iOS kernel, which, in turn, verifies and runs all the user applications, as shown in the preceding figure. The secure boot chain ensures iOS runs only on validated Apple devices.
Recovery mode
During the boot-up process, if one step is unable to load or verify the next step, then the boot-up is stopped and the iPhone displays a screen as shown in the following screenshot. This mode is known as recovery mode. Recovery mode is required to perform upgrades or to restore the iPhone.
To enter recovery mode, perform the following steps:
1. Turn off the device: press and hold down the Sleep/Power button located at the top of the iPhone until the red slider appears. Then, move the slider and wait for the device to turn off.
2. Hold down the iPhone Home button and connect the device to a computer via a USB cable. The device should turn on.
3. Continue holding the Home button until the Connect to iTunes screen appears, as shown in the following screenshot. Then, you can release the Home button. (On a jailbroken iOS device, this screen may appear with different icons.) Most forensic tools and extraction methods will alert the examiner to the current state of the iOS device.
You can read about the iPhone recovery mode at http://support.apple.com/kb/HT1808.
To exit recovery mode, reboot the iPhone. This can be completed by holding the Home and Sleep/Power buttons until the Apple logo appears. Normally, the process of rebooting returns the iPhone from recovery mode to normal mode. The examiner may experience a situation where the iPhone constantly reboots into recovery mode. This is known as a recovery loop. A recovery loop often occurs when the user attempts to jailbreak their iOS device and an error occurs.
Several open source methods exist to repair a recovery loop. The following example shows the redsn0w tool, which can be used to exit a recovery loop. You can download the latest version of redsn0w from the following link: https://sites.google.com/a/iphone-dev.com/files/.
Then, navigate to Extras | Recovery fix, as shown in the following screenshot. An external method or tool may not be required. Sometimes, placing the device in DFU mode and connecting the device to iTunes will properly reboot the iPhone.
DFU mode
During the boot-up process, if the BootROM is not able to load or verify LLB, then the iPhone displays a black screen. This mode is known as Device Firmware Upgrade (DFU) mode. DFU mode is a low-level diagnostic mode and is designed to perform firmware upgrades for the iPhone. During a firmware upgrade, the iPhone goes through a different boot sequence, as shown in the following figure. Most forensic tools use DFU mode to perform a physical acquisition.
A secure boot chain of an iPhone in DFU mode
In DFU mode, the BootROM boots first, which, in turn, verifies and runs the second-stage bootloaders, iBSS and iBEC. The iBEC loader verifies and loads the kernel. The kernel verifies and loads the ramdisk into memory. Again, most forensic acquisition methods require the iOS device to be successfully placed in DFU mode. As mentioned in Chapter 1, Introduction to Mobile Forensics, all steps must be well documented by the examiner. The handling of the iOS device is no exception. DFU mode is a method recognized in mobile device forensics and is deemed to be a forensically sound action to prepare the device for forensic acquisition.
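The three modes described in this section are outcomes of the same verification walk: every stage loads only after the previous stage has verified it, a failure at the very first hand-off (BootROM to LLB) leaves the device in DFU mode, and a failure at any later stage stops the boot in recovery mode. The following Python model is an added example, not Apple's implementation and not code from the book: it walks a list of constructed stage images, verifying each against a digest pinned by the previous stage, and reports which mode the device ends up in. Pinned SHA-256 digests stand in for Apple's signature verification (an assumption made so the example runs offline), and the stage images are placeholder byte strings, not firmware.

```python
"""Model of the iOS boot-chain mode decisions: normal, recovery or DFU."""
import hashlib
from typing import Dict, List, Tuple

# Stages the BootROM hands off to in normal mode, in load order (from the chapter text).
NORMAL_CHAIN: List[str] = ["LLB", "iBoot", "kernel", "apps"]


def digest(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def pin_digests(images: Dict[str, bytes]) -> Dict[str, str]:
    """What each trusted stage 'knows' about the next one. Assumption: a pinned digest
    stands in for the Apple-signed image check performed by the real boot chain."""
    return {name: digest(blob) for name, blob in images.items()}


def boot(images: Dict[str, bytes], trusted: Dict[str, str],
         chain: List[str] = NORMAL_CHAIN) -> Tuple[str, List[str]]:
    """Walk the chain; a stage loads only if its digest matches the pinned value.
    Returns (resulting_mode, stages_loaded)."""
    loaded: List[str] = []
    for stage in chain:
        blob = images.get(stage)
        if blob is None or digest(blob) != trusted.get(stage):
            # Nothing loaded yet means the BootROM could not verify LLB: black screen, DFU.
            # A failure after at least one stage loaded stops the boot in recovery mode.
            return ("dfu" if not loaded else "recovery"), loaded
        loaded.append(stage)
    return "normal", loaded


# Constructed stage images (placeholders, not real firmware).
GOOD_IMAGES: Dict[str, bytes] = {
    "LLB": b"LLB image v1",
    "iBoot": b"iBoot image v1",
    "kernel": b"kernel image v1",
    "apps": b"user applications v1",
}
TRUSTED = pin_digests(GOOD_IMAGES)


if __name__ == "__main__":
    print(boot(GOOD_IMAGES, TRUSTED))
    print(boot({**GOOD_IMAGES, "LLB": b"modified"}, TRUSTED))
    print(boot({**GOOD_IMAGES, "kernel": b"modified"}, TRUSTED))
```

For the examiner the useful point is the asymmetry: a device that shows the Connect to iTunes screen has already run Apple-verified LLB and iBoot, whereas a black-screen DFU device has executed only the BootROM, which is why acquisition tools target DFU mode and why the mode must be recorded in the examination notes.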
To enter DFU mode, perform the following steps:
1. Download and install iTunes on your forensic workstation from http://www.apple.com/itunes/download/.
2. Connect your device to the forensic workstation via a USB cable.
3. Turn off the device.
4. Hold down the Power button for 3 seconds.
5. Hold down the Home button without releasing the Power button for exactly 10 seconds.
6. Release the Power button and continue to hold down the Home button until you are alerted by iTunes with the "iTunes has detected an iPhone in recovery mode. You must restore the iPhone before it can be used with iTunes" message.
7. At this point, the iPhone screen will be black and should not display anything. The iPhone is ready to be used in DFU mode. If you see the Apple logo or other signals that the device is booting, repeat steps 2 through 6 until iTunes displays that message.
To verify whether the iPhone is in DFU mode on Mac OS X, launch System Information and go to the USB option. You should see a device similar to what is shown in the following screenshot:
The Mac System Information window displaying a DFU-mode device
Just like in recovery mode, to exit DFU mode, hold down the Home button and the Power button until the Apple logo appears on the device. More information on methods to verify DFU mode can be found at http://www.zdziarski.com/blog/wp-content/uploads/2013/05/iOS-Forensic-Investigative-Methods.pdf.
Physical acquisition
iOS devices have two types of memory: volatile (RAM) and non-volatile (NAND flash). RAM is used to load and execute the key parts of the operating system or the application. The data stored in RAM is lost after a device reboots. RAM usually contains very important application information such as active applications, usernames, passwords, and encryption keys. Though the information stored in RAM can be crucial in an investigation, currently there is no method or tool available to acquire the RAM memory from a live iPhone.
Unlike RAM, NAND is non-volatile memory and retains the data stored in it even after a device reboots. NAND flash is the main storage area and contains the system files and user data (http://www.nist.gov/forensics/research/upload/draft-guidelines-on-mobile-device-forensics.pdf). The goal of physical acquisition is to perform a bit-by-bit copy of the NAND memory, similar to the way in which a computer hard drive would be forensically acquired. While data storage seems similar, NAND differs from the magnetic media found in modern hard drives. NAND memory is cheaper, faster, and holds a great amount of data. Thus, NAND is the ideal storage for mobile devices, as mentioned in iPhone and iOS Forensics, Andrew Hoog and Katie Strzempka, Elsevier BV.
Physical acquisition has the greatest potential for recovering data from iOS devices; however, evolving security features (secure boot chain, storage encryption, and passcode) on these devices may hinder the accessibility of the data during forensic acquisition. Researchers and commercial forensic tool vendors are continually attempting new techniques to bypass the security features and perform physical acquisition on iOS devices. Currently, there are two methods that can be used to gain access to the iOS device and grab a physical image of the NAND. The two methods are explained in detail in the following sections.
AcquisitionviaacustomramdiskAcquisitionviaacustomramdiskisanovelmethodtoacquiredatafromaniPhone.ItgainsaccesstothefilesystembyloadingacustomramdiskintothememoryandexploitingaweaknessinthebootprocesswhilethedeviceisintheDFUmode.AcustomramdiskcontainstheforensictoolsnecessarytodumpthefilesystemoverUSBviaanSSHtunnel.Loadingacustomramdiskontoadevicewillnotaltertheuserdata,andthustheevidencewillnotbedestroyed.
ImagineacomputerthatisprotectedwithanOS-levelpassword,wecanstillaccesstheharddiskcontentsbybootingwithaliveCD.Similarly,ontheiPhone,wecanloadacustomramdiskoverUSBandaccessthefilesystem.However,theiPhonesecurebootchainpreventsusfromloadingthecustomramdisk.WecanachievethisbyexploitingaBootROMvulnerabilityandpatchingsuccessivestages,asshowninthefollowingfigure:
AnexploitedbootchainofaniPhoneinDFUmode
HackercommunitieshavefoundseveralBootROMvulnerabilitiesinA4
devices(iPhone4andolderiPhonemodels).Currently,therearenoBootROMexploitsforA5+devices(iPhone4Sandlatermodels)thatallowaccessforphysicalacquisitionofthedevice.BootROMvulnerabilitiescannotbefixedwithsoftwareupdates,effectivelymakingadevicevulnerableforever.
Inadditiontothis,thefilesystemontheiPhoneisencrypted.SincethereleaseoftheiPhone3GS,thehardwareandfirmwareencryptionarebuiltintoiOSdevices.EveryiOSdevicehasadedicatedAES256-bitcryptoengine(theAEScryptographicaccelerator)withtwohardcodedkeys:UID(UniqueID)andGID(GroupID)(asstatedbyZdziarskiinoneofhisbooks).TheCPUonthedevicecannotreadthehardcodedkeysbutcanusethemforencryptionanddecryptionthroughtheAESaccelerator.TheUIDkeyisuniqueforeachdeviceandisusedtocreatedevice-specifickeys(the0x835keyandthe0x89Bkey)thatarelaterusedforfilesystemencryption.TheUIDallowsdatatobecryptographicallytiedtoaparticulardevice;so,eveniftheflashchipismovedfromonedevicetoother,thefilesarenotreadableandremainencrypted.TheGIDkeyissharedbyalldeviceswiththesameapplicationprocessor(forexample,alldevicesthatusetheA4chip)andisusedtodecrypttheiOSfirmwareimages(IPSW)duringinstallation,restore,andupdate.TheGIDpreventshackersfromreversingthefirmwareandfindingsecurityvulnerabilities.
ApartfromtheUIDandGID,allothercryptographickeysarecreatedbythesystem'srandomnumbergenerator(RNG)usinganalgorithmbasedonYarrow.MoreinformationonencryptionandYarrow-basedalgorithmscanbefoundathttp://images.apple.com/ipad/business/docs/iOS_Security_Feb14.pdf.
iPhoneDataProtectionToolsisanopensourceiOSforensictoolkitwrittenbyJean-BaptisteandJeanSigwald,whichusesthecustomramdisktechnique.TheforensictoolkitbuildsacustomramdiskandloadsittothedevicebyexploitingtheBootROMvulnerabilityintheDFUmode.Thecustomramdiskincludestoolstoenumeratedeviceinformation,bruteforcepasscodeattempts,andcreatearawimageofthediskpartition.Theforensictoolkitalsoobtainsdeviceencryptionkeys,decryptsthefilesystem,andrecoversthedeletedfiles.TheiPhoneDataProtectionToolscurrentlyworkwiththeiPhone3G,3GSand4;iPodtouch2G,3Gand4G;andiPad1models.Moreinformationonthiscanbefoundathttps://code.google.com/p/iphone-dataprotection/wiki/README.
The forensic environment setup
The following steps explain how to use the iPhone Data Protection Tools on Mac OS X 10.8.5 with Xcode 4.6.1 and the iOS 6.1 SDK (other versions should work with the same steps). Assuming that you already have Xcode with UNIX tools installed, you will need to install some additional command-line tools, Python modules, and binaries to build and use the iPhone Data Protection Tools.
Downloading and installing the ldid tool
First, you need to download the ldid tool, which is used to view and manipulate code signatures and embedded entitlements plist files of binaries. On Mac OS X, open the terminal window and use the curl command, as shown, to download the ldid tool:
$ curl -O http://networkpx.googlecode.com/files/ldid
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 32016  100 32016    0     0  52214      0 --:--:-- --:--:-- --:--:--  279k
Grant execution permission to the ldid tool and move it to the bin directory in the usr folder, using the commands shown:
$ chmod +x ldid
$ sudo mv ldid /usr/bin/
Verifying the codesign_allocate tool path
Create a symbolic link to the Xcode folder, as shown:
$ sudo ln -s /Applications/Xcode.app/Contents/Developer /
iPhone Data Protection Tools require the codesign_allocate tool, which is present by default if the UNIX tools were installed with Xcode. To find whether codesign_allocate exists or not, use the command shown:
$ which codesign_allocate
/usr/bin/codesign_allocate
If you do not see the location of codesign_allocate in the command-line output, create a symbolic link to it, as shown:
$ sudo ln -s /Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/codesign_allocate /usr/bin
Installing OSXFuse
iOS firmware files are in the IMG3 file format. To modify the ramdisk, the iPhone Data Protection Tools include a FUSE file system that understands the IMG3 format. The latest version of OSXFuse should be installed on your forensic workstation. OSXFuse extends the native file handling capabilities of OS X and allows you to mount file systems that are not natively supported by OS X. You can download and install OSXFuse by executing the commands shown or directly from the following link: http://sourceforge.net/projects/osxfuse/files/osxfuse-2.6.2/osxfuse-2.6.2.dmg.
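Before building the FUSE module, it helps to see what img3fs has to understand. The following parser is an added example and is not code from the book or from iPhone Data Protection Tools: it walks the tag chain of an IMG3 container and decodes its KBAG, printing each tag in the same TAG/OFFSET/data_length shape that the ramdisk build script prints later in this chapter. The header layout it follows is the publicly documented IMG3 structure (a 20-byte file header followed by elements with 12-byte headers); the sample container is constructed in the code and holds no firmware. It also ties back to the GID discussion above: the IV and key stored in a KBAG are themselves GID-encrypted, which is why the build scripts need already-unwrapped keys from redsn0w's Keys.plist.

```python
"""Walk the tag chain of an IMG3 container and pull out its KBAG.

Added example; not code from the book or from iPhone Data Protection Tools.
Layout: 20-byte file header (magic, fullSize, sizeNoPack, sigCheckArea, ident)
followed by elements that each start with a 12-byte header (magic, totalLength,
dataLength). The sample image built below is constructed and holds no firmware.
"""
import struct
from typing import Dict, List, Tuple

FILE_HEADER = struct.Struct("<4sIII4s")   # magic, fullSize, sizeNoPack, sigCheckArea, ident
ELEMENT_HEADER = struct.Struct("<4sII")   # magic, totalLength, dataLength
IMG3_MAGIC = b"3gmI"                      # 'Img3' as stored (little-endian four-character code)


def fourcc(raw: bytes) -> str:
    """Four-character codes are stored little-endian: b'EPYT' on disk is 'TYPE'."""
    return raw[::-1].decode("ascii", errors="replace")


def parse_img3(blob: bytes) -> Tuple[str, List[Dict]]:
    """Return (ident, tags); each tag has name, offset, data_length and data.

    Every length is checked against the declared fullSize before it is used,
    so a truncated or tampered container raises instead of reading past the end.
    """
    if len(blob) < FILE_HEADER.size:
        raise ValueError("shorter than an IMG3 file header")
    magic, full_size, _no_pack, _sig_area, ident = FILE_HEADER.unpack_from(blob, 0)
    if magic != IMG3_MAGIC:
        raise ValueError("not an IMG3 container (magic %r)" % magic)
    if full_size > len(blob) or full_size < FILE_HEADER.size:
        raise ValueError("fullSize %d inconsistent with %d-byte blob" % (full_size, len(blob)))
    tags = []
    offset = FILE_HEADER.size
    while offset + ELEMENT_HEADER.size <= full_size:
        tag_magic, total_len, data_len = ELEMENT_HEADER.unpack_from(blob, offset)
        if total_len < ELEMENT_HEADER.size + data_len or offset + total_len > full_size:
            raise ValueError("tag at offset 0x%x overruns the container" % offset)
        start = offset + ELEMENT_HEADER.size
        tags.append({"name": fourcc(tag_magic), "offset": offset,
                     "data_length": data_len, "data": blob[start:start + data_len]})
        offset += total_len
    return fourcc(ident), tags


def describe_kbag(data: bytes) -> Dict:
    """Decode a KBAG payload: crypt state, AES key size, then IV and key.

    The IV and key inside a KBAG are encrypted with the GID key, which only the
    AES accelerator on matching hardware can apply; a host therefore needs
    already-unwrapped keys such as those in redsn0w's Keys.plist.
    """
    if len(data) < 8:
        raise ValueError("KBAG too short")
    crypt_state, aes_type = struct.unpack_from("<II", data, 0)
    if aes_type not in (128, 192, 256):
        raise ValueError("unexpected AES key size %d" % aes_type)
    key_len = aes_type // 8
    iv, key = data[8:24], data[24:24 + key_len]
    if len(iv) != 16 or len(key) != key_len:
        raise ValueError("KBAG truncated")
    return {"crypt_state": crypt_state, "key_bits": aes_type, "wrapped_iv": iv, "wrapped_key": key}


def build_element(name: str, data: bytes) -> bytes:
    """Serialise one element; element sizes are padded to a 4-byte boundary."""
    padded = data + b"\0" * (-len(data) % 4)
    return ELEMENT_HEADER.pack(name.encode()[::-1], ELEMENT_HEADER.size + len(padded), len(data)) + padded


def build_sample_img3() -> bytes:
    """Constructed 'rdsk' container with TYPE, DATA and KBAG tags (no real firmware)."""
    kbag = struct.pack("<II", 1, 256) + bytes(range(16)) + bytes(range(32))
    body = (build_element("TYPE", b"rdsk"[::-1])
            + build_element("DATA", b"\xaa" * 37)
            + build_element("KBAG", kbag))
    header = FILE_HEADER.pack(IMG3_MAGIC, FILE_HEADER.size + len(body), len(body), len(body), b"rdsk"[::-1])
    return header + body


if __name__ == "__main__":
    ident, tags = parse_img3(build_sample_img3())
    print("ident:", ident)
    for tag in tags:   # same shape as the 'TAG: TYPE OFFSET 14 data_length: 4' line the build script prints
        print("TAG: %s OFFSET %x data_length: %d" % (tag["name"], tag["offset"], tag["data_length"]))
```

The first tag of any IMG3 sits at offset 0x14 because the file header is 20 bytes, which is exactly what the build script's TAG: TYPE OFFSET 14 line shows; the bounds checks matter because a FUSE module that trusts totalLength from an untrusted image reads past the buffer.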
$ sudo curl -O -L http://sourceforge.net/projects/osxfuse/files/osxfuse-2.6.2/osxfuse-2.6.2.dmg
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 8608k  100 8608k    0     0   546k      0  0:00:15  0:00:15 --:--:--  698k
Next, run the three commands as shown:
$ hdiutil mount osxfuse-2.6.2.dmg
Checksumming Gesamte Disk (Apple_HFS : 0)…
.....................................................................
Gesamte Disk (Apple_HFS : 0): verified CRC32 $6D4256E4
verified CRC32 $D09075DF
/dev/disk2 /Volumes/FUSE for OS X
$ sudo installer -pkg /Volumes/FUSE\ for\ OS\ X/Install\ OSXFUSE\ 2.6.pkg -target /
installer: Package name is FUSE for OS X (OSXFUSE)
installer: Installing at base path /
installer: The install was successful.
$ hdiutil eject /Volumes/FUSE\ for\ OS\ X/
"disk3" unmounted.
"disk3" ejected.
Installing Python modules
The Python scripts of iPhone Data Protection Tools require installation of several Python modules: construct, progressbar, and setuptools. You can install the required Python modules using Python's easy_install command, as shown:
$ sudo easy_install construct progressbar
Searching for construct
Reading http://pypi.python.org/simple/construct/
Best match: construct 2.5.1
Downloading https://pypi.python.org/packages/source/c/construct/construct-2.5.1.zip#md5=4616eb3c12e86ba859ff2ed2f01ddb1c
Processing construct-2.5.1.zip
[...]
Installed /Library/Python/2.7/site-packages/construct-2.5.1-py2.7.egg
Processing dependencies for construct
Searching for six
Reading http://pypi.python.org/simple/six/
Best match: six 1.4.1
Downloading https://pypi.python.org/packages/source/s/six/six-1.4.1.tar.gz#md5=bdbb9e12d3336c198695aa4cf3a61d62
Processing six-1.4.1.tar.gz
[...]
Installed /Library/Python/2.7/site-packages/six-1.4.1-py2.7.egg
Finished processing dependencies for construct
Searching for progressbar
Reading http://pypi.python.org/simple/progressbar/
Reading http://code.google.com/p/python-progressbar
Best match: progressbar 2.3
Downloading http://python-progressbar.googlecode.com/files/progressbar-2.3.tar.gz
Processing progressbar-2.3.tar.gz
[...]
Installed /Library/Python/2.7/site-packages/progressbar-2.3-py2.7.egg
Processing dependencies for progressbar
Finished processing dependencies for progressbar
Searching for setuptools
Best match: setuptools 0.6c12dev-r88846
Adding setuptools 0.6c12dev-r88846 to easy-install.pth file
Installing easy_install script to /usr/local/bin
[...]
Processing dependencies for setuptools
Finished processing dependencies for setuptools
The Python scripts also require the cryptography modules PyCrypto and M2Crypto to decrypt iOS firmware images, files, and keychain items. You can download and install the PyCrypto tool directly from the following link: https://rudix-mountainlion.googlecode.com/files/pycrypto-2.6-1.pkg.
You can install the M2Crypto module using the commands shown:
$ sudo curl -O -L http://chandlerproject.org/pub/Projects/MeTooCrypto/M2Crypto-0.21.1-py2.7-macosx-10.8-intel.egg
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  477k  100  477k    0     0  63290      0  0:00:07  0:00:07 --:--:--  102k
$ sudo easy_install M2Crypto-0.21.1-py2.7-macosx-10.8-intel.egg
Processing M2Crypto-0.21.1-py2.7-macosx-10.8-intel.egg
[...]
Installed /Library/Python/2.7/site-packages/M2Crypto-0.21.1-py2.7-macosx-10.8-intel.egg
Processing dependencies for M2Crypto==0.21.1
Finished processing dependencies for M2Crypto==0.21.1
Finally, to download the latest copy of iPhone Data Protection Tools from the Google Code repository, you need to install the Mercurial source code management system. You can download and install this using the easy_install command, as shown, or directly from the following link: http://mercurial.berkwood.com/binaries/Mercurial-2.6.2-py2.7-macosx10.8.zip.
$ sudo easy_install mercurial
Searching for mercurial
Reading http://pypi.python.org/simple/mercurial/
Best match: mercurial 2.8
Downloading https://pypi.python.org/packages/source/M/Mercurial/mercurial-2.8.tar.gz#md5=76b565f48000e9f331356ab107a5bcbb
Processing mercurial-2.8.tar.gz
[...]
Processing dependencies for mercurial
Finished processing dependencies for mercurial
Downloading iPhone Data Protection Tools
Download the latest copy of iPhone Data Protection Tools using Mercurial (hg), as shown:
$ sudo hg clone https://code.google.com/p/iphone-dataprotection/
warning: code.google.com certificate with fingerprint ad:3c:56:fb:e8:c0:62:b0:ff:89:21:52:98:b1:a1:d4:94:a4:1c:84 not verified (check hostfingerprints or web.cacerts config setting)
destination directory: iphone-dataprotection
requesting all changes
adding changesets
adding manifests
adding file changes
added 72 changesets with 2033 changes to 1865 files
updating to branch default
152 files updated, 0 files merged, 0 files removed, 0 files unresolved
The preceding command creates the iphone-dataprotection directory and downloads iPhone Data Protection Tools to it.
Building the IMG3FS tool
Build the IMG3 FUSE file system from the img3fs directory. This module enables you to directly mount the firmware disk images included in the iOS firmware packages (IPSW), as shown in the following command lines:
$ cd iphone-dataprotection
$ sudo make -C img3fs/
gcc -o img3fs img3fs.c -Wall -lfuse_ino64 -lcrypto -I/usr/local/include/osxfuse || gcc -o img3fs img3fs.c -Wall -losxfuse_i64 -lcrypto -I/usr/local/include/osxfuse
img3fs.c: In function 'img3_check_decrypted_data':
img3fs.c:100: warning: pointer targets in passing argument 2 of 'strncmp' differ in signedness
img3fs.c:104: warning: pointer targets in passing argument 2 of 'strncmp' differ in signedness
img3fs.c:108: warning: pointer targets in passing argument 2 of 'strncmp' differ in signedness
[...]
After running the make command, you will notice a few compiler warning messages, which you can ignore.
Downloading redsn0w
Firmware disk images included in the iOS firmware packages are encrypted. The redsn0w application, a famous iOS jailbreaking utility developed by the iPhone Dev Team, contains a plist file with the decryption keys for all previously released iOS firmware images. The iPhone Data Protection build scripts will use the decryption keys to automatically decrypt the kernel and ramdisk. To do this, download the latest version of redsn0w and create a symbolic link to its Keys.plist file in the current directory, as shown in the following code. Later in this chapter, you will also use redsn0w to boot the custom ramdisk onto the device.
$ sudo curl -O -L https://sites.google.com/a/iphone-dev.com/files/home/redsn0w_mac_0.9.15b3.zip
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 17.1M  100 17.1M    0     0   298k      0  0:00:58  0:00:58 --:--:--  329k
$ sudo unzip redsn0w_mac_0.9.15b3.zip
Archive:  redsn0w_mac_0.9.15b3.zip
   creating: redsn0w_mac_0.9.15b3/
  inflating: redsn0w_mac_0.9.15b3/boot-ipt4g.command
  inflating: redsn0w_mac_0.9.15b3/credits.txt
  inflating: redsn0w_mac_0.9.15b3/license.txt
[...]
 extracting: redsn0w_mac_0.9.15b3/redsn0w.app/Contents/PkgInfo
   creating: redsn0w_mac_0.9.15b3/redsn0w.app/Contents/Resources/
  inflating: redsn0w_mac_0.9.15b3/redsn0w.app/Contents/Resources/redsn0w.icns
$ sudo cp redsn0w_mac_0.9.15b3/redsn0w.app/Contents/MacOS/Keys.plist .
Creating and loading the forensic toolkit
At this point, all of the prerequisites should be installed, and you should be ready to build and load the custom ramdisk onto your target iOS device. First, we patch the ramdisk signature checks in the kernel and build a custom ramdisk with our forensic tools. Later, we use redsn0w to load the modified kernel and the custom ramdisk by exploiting the BootROM vulnerability.
Downloading the iOS firmware file
An iOS firmware update software archive (IPSW) file for the hardware model with which you intend to use the custom ramdisk is required. iPhone Data Protection Tools supports ramdisk creation for iOS 6 IPSW files and lower versions. For best results, use the latest version of the iOS 5 IPSW to create the ramdisk. The iOS 5 kernel is compatible with the previous and forthcoming iOS versions. So, even if your device is running on iOS 7 or iOS 4, you can prepare the ramdisk with iOS 5. You can download the IPSW file for the target device from http://getios.com/index.php.
Copy the downloaded IPSW to the iphone-dataprotection directory, as shown in the following command:
$ cp ~/Downloads/iPhone3,1_5.1.1_9B208_Restore.ipsw .
Note
The above command ends with ., which represents the current working directory.
The iPhone3,1_5.1.1_9B208_Restore.ipsw file used in the preceding command targets the iPhone 4 device. The IPSW file names include the hardware model (iPhone3,1), the iOS version number (5.1.1), and the specific build number (9B208).
Modifying the kernel
For the custom ramdisk to work properly, a modified kernel is required. The kernel_patcher.py script in iPhone Data Protection Tools extracts the kernel cache from the supplied IPSW file and patches it. The kernel patching utility makes appropriate changes to the kernel to disable the code signing to run arbitrary binaries and to allow access to restricted functions. Run the kernel_patcher.py script on your IPSW to create a patched kernel cache and a shell script that builds the ramdisk, as shown in the following commands:
$ sudo python python_scripts/kernel_patcher.py iPhone3,1_5.1.1_9B208_Restore.ipsw
Decrypting kernelcache.release.n90
Unpacking ...
Doing CSED patch
Doing getxattr system patch
Doing nand-disable-driver patch
Doing task_for_pid_0 patch
Doing IOAESgid patch
Doing AMFI patch
Doing _PE_i_can_has_debugger patch
Doing IOAESAccelerator enable UID patch
Patched kernel written to kernelcache.release.n90.patched
Created script make_ramdisk_n90ap.sh, you can use it to (re)build the ramdisk
The script creates a patched kernel file called kernelcache.release.n90.patched in the current working directory. For the iOS 5 IPSW file, it also creates a script called make_ramdisk_n90ap.sh to build the custom ramdisk. Pay attention to the file names because they may differ depending on the iOS device model.
Building a custom ramdisk
Give permission to execute the make_ramdisk_n90ap.sh ramdisk build script and execute this script to create the custom ramdisk as follows:
$ chmod +x make_ramdisk_n90ap.sh
Before executing the script, edit the file and fix the iOS SDK path as follows:
$ sudo nano make_ramdisk_n90ap.sh
As we are using iOS SDK 6.1, append 6.1 to the for loop, as shown in the following code:
for VER in 4.2 4.3 5.0 5.1 6.0 6.1
Fix the IOKit path by replacing /Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS$VER.sdk/System/Library/Frameworks/IOKit.framework/IOKit with /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS$VER.sdk/System/Library/Frameworks/IOKit.framework/IOKit in the if statement.
After making the necessary changes, press Ctrl + X, type the letter y, and hit the Enter key on the keyboard to save the file.
Execute the make_ramdisk_n90ap.sh script; it will download ssh.tar.gz from Google Code. Next, it compiles the ramdisk tools located in the ramdisk_tools folder and adds them to the existing ramdisk to prepare a forensic ramdisk, as shown in the following command:
$ sudo ./make_ramdisk_n90ap.sh
Found iOS SDK 6.1
[some warning messages]
Archive:  iPhone3,1_5.1.1_9B208_Restore.ipsw
  inflating: 038-5512-003.dmg
TAG: TYPE OFFSET 14 data_length: 4
[...]
"disk2" unmounted.
"disk2" ejected.
You can boot the ramdisk using the following command (fix paths)
redsn0w -i iPhone3,1_5.1.1_9B208_Restore.ipsw -r myramdisk_n90ap.dmg -k kernelcache.release.n90.patched
Add -a "-v rd=md0 nand-disable=1" for nand dump/readonly access
If you are using an iOS 6 IPSW file, run the build_ramdisk_ios6.sh file to create the custom ramdisk. Before running the script, you need to edit the Makefile in the ramdisk_tools directory, fix the iOS SDK version, and compile it using the make command.
Booting the custom ramdisk
To load the custom ramdisk onto the device, start redsn0w from the command line using the IPSW, custom ramdisk, and patched kernel as shown in the following command:
$ sudo ./redsn0w_mac_0.9.15b3/redsn0w.app/Contents/MacOS/redsn0w -i iPhone3,1_5.1.1_9B208_Restore.ipsw -r myramdisk_n90ap.dmg -k kernelcache.release.n90.patched
Turn off your iOS device and connect it to the computer, which is running redsn0w, with a USB cable. When the device is connected, redsn0w is displayed on the screen as shown in the following screenshot:
The redsn0w welcome screen
Click on Next and follow the steps displayed on the screen to place the device in the DFU mode. Once your device is in the DFU mode, redsn0w exploits one of the BootROM vulnerabilities and loads the modified kernel and custom ramdisk. If the process is successful, you will notice the image of a pineapple on the iPhone, followed by boot messages in small text. Once the process is
Establishing communication with the device
The custom ramdisk booted onto the iPhone contains an SSH server, which will allow remote command-line access to the device through the USB protocol. The USB multiplexing daemon (usbmuxd), a background daemon in Apple's mobile device framework, is used to tunnel the TCP socket connection over the USB protocol to a local TCP socket listening on the device. In this case, run tcprelay.py, as shown in the following command line, to connect to the SSH server that is running on the custom ramdisk:
$ python usbmuxd-python-client/tcprelay.py -t 22:2222 1999:1999
Forwarding local port 2222 to remote port 22
Forwarding local port 1999 to remote port 1999
Other Python scripts included in iPhone Data Protection Tools communicate with the device over SSH. So, you should keep tcprelay.py running in another terminal until you have acquired data from the device.
Bypassing the passcode
The iPhone provides an option for its users to set a passcode on their device to prevent unauthorized access. Once a passcode is set, whenever the device is turned on or awakened from sleep mode, the passcode is required to access the data. iOS supports a simple four-digit code and complex alphanumeric passcodes of any length. With the iPhone 5S, the user's fingerprint scan can also be used to lock/unlock the device. For the iPhone 5S, the user can also select a simple four-digit code to use in case the fingerprint is not recognized. By default, the passcode is a four-digit numeric code, but by modifying the settings, it can be set to be a complex passcode. The user also has the option to erase all the contents on the iPhone after 10 failed passcode attempts.
Passcode-locked devices are being utilized more frequently due to general user awareness of theft and security policies from organizations. Circumventing the passcode is not always possible due to security improvements in iOS. The forensic examiner should try to secure the passcode from the owner to prevent issues in acquiring data from newer, locked iOS devices.
In the initial releases of iOS until iOS 3, the passcode for unlocking the device was stored directly in the keychain, a place to store passwords securely on the iPhone. This passcode security can be bypassed by just removing the record from the keychain or by removing the UI setting that asks for the passcode after booting with the custom ramdisk.
Since iOS 4, the passcode is not stored on the device in any format. By setting a device passcode, the user automatically enables data protection, which protects the data at rest. With data protection, the data on the device is encrypted with a set of class keys stored in the System keybag. The System keybag itself is protected with a passcode key, generated from the user's passcode and the device's UID. So, in order to decrypt the protected keychain items and files on the file system, you first need to decrypt the System keybag. If there is no passcode, the System keybag can be easily decrypted. If there is a simple four-digit passcode, you will have to guess it to decrypt the System keybag. As the passcode is tangled with the device's UID key, brute force attempts must be performed on the device. Also, the same passcode on different devices generates different passcode keys, as the UID is unique per device. Passcode brute force attacks performed at the springboard level introduce delays, lock the device, and may lead to the wiping of data. However, these protection mechanisms are not applicable when you are performing a brute force attack on a kernel extension (AppleKeyStore) to decrypt the System keybag. It is worth mentioning that some tools will attempt to crack the passcode on an iOS device by accessing the host computer to which that iOS device was connected and synced. The tool accesses the pairing key through an escrow file to decrypt the locked device. For this to work, the examiner would need to have access to both the iOS device and the host computer to which the device is backed up.
Should the host computer not be available, as mentioned, the demo_bruteforce.py Python script included in iPhone Data Protection Tools can perform a brute force attack and guess any four-digit passcode within 18 minutes. Brute force on the device is slow, and the time required to brute force a passcode depends on the device's capability. The following table lists the time required to brute force passcodes of various lengths and complexity requirements on the iPhone 4:
Passcode length   Complexity              Time
4                 Numeric                 18 minutes
4                 Alphanumeric            19 days
6                 Alphanumeric            196 days
8                 Alphanumeric            755 thousand years
8                 Alphanumeric, complex   27 million years
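To see where rows like these come from, here is a small estimator, added here and not taken from the book: it calibrates the on-device guess rate from the first row (10,000 four-digit codes in 18 minutes on an iPhone 4) and computes the worst-case search time for other lengths and character sets. The character-set sizes (10, 62 and 95) are assumptions, so the remaining rows are reproduced only approximately; the rate must be measured on the hardware in question, as the text says, because the passcode key is tangled with the device's UID.

```python
"""Estimate the wall-clock cost of an on-device passcode search for a policy.

Added example, not from the book. The guess rate is an assumption derived
from the table's first row (10,000 four-digit codes in 18 minutes); the
character-set sizes are assumptions as well.
"""
from typing import Dict, List, Tuple

SECONDS_PER_YEAR = 365.25 * 24 * 3600
IPHONE4_GUESSES_PER_SECOND = 10_000 / (18 * 60)   # about 9.3/s, assumed from the table

# Assumed character sets behind the table's complexity labels.
CHARSETS: Dict[str, int] = {
    "numeric": 10,
    "alphanumeric": 62,             # a-z, A-Z, 0-9
    "alphanumeric, complex": 95,    # all printable ASCII
}


def keyspace(complexity: str, length: int) -> int:
    return CHARSETS[complexity] ** length


def seconds_to_exhaust(complexity: str, length: int,
                       rate: float = IPHONE4_GUESSES_PER_SECOND) -> float:
    """Worst case, every candidate tried once; the expected time is half of this."""
    return keyspace(complexity, length) / rate


def human_duration(seconds: float) -> str:
    """Render a duration in the table's own units (minutes, days, years)."""
    if seconds < 86400:
        return "%.0f minutes" % (seconds / 60)
    if seconds < SECONDS_PER_YEAR:
        return "%.0f days" % (seconds / 86400)
    years = seconds / SECONDS_PER_YEAR
    if years >= 1e6:
        return "%.0f million years" % (years / 1e6)
    if years >= 1e3:
        return "%.0f thousand years" % (years / 1e3)
    return "%.0f years" % years


def policy_table(rate: float = IPHONE4_GUESSES_PER_SECOND) -> List[Tuple[str, int, str]]:
    """Recompute the table's rows for a given device rate."""
    rows = [("numeric", 4), ("alphanumeric", 4), ("alphanumeric", 6),
            ("alphanumeric", 8), ("alphanumeric, complex", 8)]
    return [(c, n, human_duration(seconds_to_exhaust(c, n, rate))) for c, n in rows]


if __name__ == "__main__":
    for complexity, length, duration in policy_table():
        print("%d  %-22s %s" % (length, complexity, duration))
```

Changing the rate argument is how you adapt the estimate to a different device; the exponent is what matters, since each extra alphanumeric character multiplies the search by 62.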
On Mac OS X, open a new terminal and run the following command. The brute force script uses the 1999 port opened with tcprelay.py to communicate with the ramdisk tools on the device. The script brute forces the passcode, decrypts the System keybag, dumps the data protection keys, and places them into a directory named with the Unique Device Identifier (UDID) of the target device in a .plist format.
$ sudo python python_scripts/demo_bruteforce.py
Connecting to device : b716de79051ef093a98fc3ff1c46ca5e36faabc3
Keybag UUID : 5b14620bd1e74013bfa66325b6946773
Enter passcode or leave blank for bruteforce:
Hit Enter on the keyboard to start the brute force process:
Trying all 4-digits passcodes...
0 of 10000 ETA: --:--:--
10 of 10000 ETA: 0:30:48
20 of 10000 ETA: 0:30:33
30 of 10000 ETA: 0:30:18
40 of 10000 ETA: 0:30:02
50 of 10000 ETA: 0:29:51
1100 of 10000 ETA: 0:25:54
1110 of 10000 ETA: 0:25:53
10000 of 10000 Time: 0:03:14
100% |############################################################|
BruteforceSystemKeyBag: 0:03:14.543986
{'passcode': '1111', 'passcodeKey': '1f5c25823297f97f3cb38d998726fc22787ca3f31b8932c2b868700a341145b5'}
True
Keybag type : System keybag (0)
Keybag version : 3
Keybag UUID : 5b14620bd1e74013bfa66325b6946773
---------------------------------------------------------------------
Class  WRAP  Type  Key  Public key
---------------------------------------------------------------------
NSFileProtectionComplete  3  AES  746f01658ec28b3ba99339e35beb37232f89658fd0214eb4c4cac99976b05039
NSFileProtectionCompleteUnlessOpen  3  Curve25519  65db69526ea4026227d5faa0dc9066c1092e510aa586a2f62d9101e419600703  a035e0f5a6ee59b9e5928cc67b644c6a5cc8c5235c1a5440a02686d222fc3a08
NSFileProtectionCompleteUntilFirstUserAuthentication  3  AES  a32826f0abdf6fb1c049d395baa12b07e05a310fb49626a5cef078ca4a7a46f4
NSFileProtectionRecovery?  3  AES  28ec11f7719c7b36d6f4621a07c3b088fe65c9909c7adb45cf73ad8b9814a330
kSecAttrAccessibleWhenUnlocked  3  AES  bab62b621ebcf0fbc97ee9a2f1fb6d3ee4a198f5a49a7e233c9dcdf2805292e0
kSecAttrAccessibleAfterFirstUnlock  3  AES  638ae8c4a1a694b8db2968eba28ef39a14d5397ef102e4872395df619bd00d31
kSecAttrAccessibleAlways  1  AES  5071e2058e148b7deee5b08fd685c0b29cd9d717f57732647dee0239513c7c79
kSecAttrAccessibleWhenUnlockedThisDeviceOnly  3  AES  3702f4d05b3b910860b9f17577d5f34bbf26e9a6f20594ea308d72919e182531
kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly  3  AES  3d8fbd6b41c520f1dc8ebe6786abe4848fa1799456300b89c630c23ff931d6c8
kSecAttrAccessibleAlwaysThisDeviceOnly  1  AES  1774408c99198fb048ca5fbcd06feadc7d5e4c28a571111df557db9f58040ba5
[...]
If the user chooses a strong passcode that is not easy to guess, we can still access the files protected with NSFileProtectionNone and keychain items protected by the kSecAttrAccessibleAlways data protection classes.
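The keybag listing above can be read mechanically. As an added example (not code from the book or from iPhone Data Protection Tools), the script below parses a dump in that layout and reports which class keys are wrapped only with the UID-derived device key and which also need the passcode key: the WRAP column is a bit mask, 1 for the device key and 2 for the passcode key, so the two kSecAttrAccessibleAlways classes with WRAP 1 are the ones that unwrap without the passcode, matching what the text says. The sample listing is constructed after the dump above with placeholder key material; NSFileProtectionNone, which the text also names as readable, is not a row of this listing, so the script reports only on the classes it sees.

```python
"""Read a System keybag listing and report which class keys depend on the passcode.

Added example, not part of iPhone Data Protection Tools or the book. The WRAP
column is a bit mask: 1 means the class key is wrapped with the UID-derived
device key, 2 means it is also wrapped with the passcode key, 3 means both.
The listing below is constructed after the dump in the text; the key material
is a placeholder.
"""
import re
from typing import Dict, List, NamedTuple

WRAP_DEVICE = 1     # wrapped with the device (UID-derived) key
WRAP_PASSCODE = 2   # wrapped with the passcode key as well


class ClassKey(NamedTuple):
    name: str
    wrap: int
    key_type: str         # "AES" or "Curve25519"
    material: List[str]   # wrapped key, plus the public key for Curve25519 classes


ROW = re.compile(r"^(\S+)\s+(\d+)\s+(AES|Curve25519)\s+(.+)$")

SAMPLE_LISTING = """\
Class WRAP Type Key Public key
---------------------------------------------------------------------
NSFileProtectionComplete 3 AES 746f0165...
NSFileProtectionCompleteUnlessOpen 3 Curve25519 65db6952... a035e0f5...
NSFileProtectionCompleteUntilFirstUserAuthentication 3 AES a32826f0...
NSFileProtectionRecovery? 3 AES 28ec11f7...
kSecAttrAccessibleWhenUnlocked 3 AES bab62b62...
kSecAttrAccessibleAfterFirstUnlock 3 AES 638ae8c4...
kSecAttrAccessibleAlways 1 AES 5071e205...
kSecAttrAccessibleWhenUnlockedThisDeviceOnly 3 AES 3702f4d0...
kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly 3 AES 3d8fbd6b...
kSecAttrAccessibleAlwaysThisDeviceOnly 1 AES 1774408c...
"""


def parse_keybag_listing(text: str) -> List[ClassKey]:
    """Parse the 'Class WRAP Type Key Public key' table; header and rules are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        name, wrap, key_type, rest = m.groups()
        rows.append(ClassKey(name, int(wrap), key_type, rest.split()))
    return rows


def needs_passcode(ck: ClassKey) -> bool:
    return bool(ck.wrap & WRAP_PASSCODE)


def split_by_passcode_dependence(rows: List[ClassKey]) -> Dict[str, List[str]]:
    """Classes whose keys unwrap with the UID alone versus those needing the passcode."""
    report: Dict[str, List[str]] = {"without_passcode": [], "with_passcode": []}
    for ck in rows:
        report["with_passcode" if needs_passcode(ck) else "without_passcode"].append(ck.name)
    return report


def check_listing(rows: List[ClassKey]) -> List[str]:
    """Consistency checks an examiner would run before trusting a dump."""
    problems = []
    for ck in rows:
        if ck.wrap & ~(WRAP_DEVICE | WRAP_PASSCODE):
            problems.append("%s: unknown WRAP bits %d" % (ck.name, ck.wrap))
        if ck.key_type == "Curve25519" and len(ck.material) != 2:
            problems.append("%s: asymmetric class should list a wrapped key and a public key" % ck.name)
        if ck.key_type == "AES" and len(ck.material) != 1:
            problems.append("%s: expected exactly one wrapped key" % ck.name)
    return problems


if __name__ == "__main__":
    parsed = parse_keybag_listing(SAMPLE_LISTING)
    print(split_by_passcode_dependence(parsed))
    print("problems:", check_listing(parsed) or "none")
```

Run against a real dump, the "without_passcode" list is the set of classes whose data an examiner can expect to decrypt even when the passcode is never recovered, and the "with_passcode" list is what a strong passcode actually protects.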
Imaging the data partition
Physical imaging refers to the dd image of the logical partitions. As discussed in Chapter 2, Understanding the Internals of iOS Devices, NAND flash on iOS devices contains two logical disk partitions: the system partition and the user data partition. On a non-jailbroken device, the system partition is kept read-only. The user data partition contains all the user-installed applications and data. For full forensic analysis, it is preferred that both the system and data partitions are acquired. Most forensic tools will capture both partitions in one image. If the examiner has a time crunch, at the minimum, they should dump the entire data partition. To acquire a disk image of the user data partition, run the dump_data_partition.sh shell script, as shown in the following command lines:
$ sudo ./dump_data_partition.sh
Warning: Permanently added '[localhost]:2222' (RSA) to the list of known hosts.
root@localhost's password:
Enter alpine as the password, which is the default SSH password on iOS devices, and hit Enter on the keyboard:
Device UDID : b716de79051ef093a98fc3ff1c46ca5e36faabc3
Dumping data partition in b716de79051ef093a98fc3ff1c46ca5e36faabc3/data_20131209-1956.dmg ...
Warning: Permanently added '[localhost]:2222' (RSA) to the list of known hosts.
[...]
The raw disk image will begin transferring, as shown in the following command lines, which should also be reflected by a gradual increase in the size of the file on the desktop. The script runs for several minutes to hours depending on the size of the file system. For example, acquiring an image from an 8 GB iPhone 4 roughly takes 30 minutes.
1801554+0 records in
1801554+0 records out
14758330368 bytes (15 GB) copied, 2463.01 s, 6.0 MB/s
The script dumps the entire user data partition and places it into a directory named after the UDID of the target device, in a DMG format that can be mounted directly on Mac OS X. Only the user data partition is copied, so the actual file size will be less than the iPhone's capacity. Double-clicking on the DMG file mounts it in read-write mode and might affect the image integrity. To maintain the integrity, you can use the hdiutil command to mount the image in read-only mode, as shown in the following command. (Note that the file path reflects the DMG file you created.)
$ hdiutil attach -readonly b716de79051ef093a98fc3ff1c46ca5e36faabc3/data_20131209-1956.dmg
/dev/disk3 /Volumes/Data
The output of the hdiutil command shows that the disk image has been attached to the /dev/disk3 device file and mounted on /Volumes/Data, which you can enter with the following command:
$ cd /Volumes/Data/
You can now browse the file system in /Volumes/Data/ and observe that all file contents are encrypted, as shown in the following command:
$ hexdump -C mobile/Library/AddressBook/AddressBook.sqlitedb | head
The output is as shown in the following screenshot:
The encrypted AddressBook file
To unmount the image, use the hdiutil eject command as follows:
$ cd /
$ hdiutil eject /Volumes/Data/
"disk3" unmounted.
"disk3" ejected.
When the extracted disk image is mounted on Mac OS X, you can browse the file system. However, you cannot read the files as they are encrypted. To read any file data, the file contents must be decrypted using the keys in the System keybag.
Decrypting the data partition
The entire file system is encrypted with an EMF key, with the exception of actual files on the file system, which are encrypted with other keys (the data protection class keys). The EMF key is encrypted with the 0x89B key. The emf_decrypter.py Python script included in iPhone Data Protection Tools can be used to decrypt the raw disk image. This script uses the raw disk image and the keys in the aforementioned plist to decrypt all of the encrypted files on the file system, as shown in the following command lines:
$ sudo python python_scripts/emf_decrypter.py b716de79051ef093a98fc3ff1c46ca5e36faabc3/data_20131209-1956.dmg b716de79051ef093a98fc3ff1c46ca5e36faabc3/f03d282cc7182d46.plist
Password:
Using plist file b716de79051ef093a98fc3ff1c46ca5e36faabc3/f03d282cc7182d46.plist
Keybag unlocked with passcode key
cprotect version : 4 (iOS 5)
Test mode : the input file will not be modified
Press a key to continue or CTRL-C to abort
Hit Enter to continue the script execution:
Decrypting iNode 1559014
Decrypting iNode 3056993
Decrypting iNode 3056996
Decrypting iNode 6811
[...]
Decrypting AddressBook.sqlitedb
Decrypting AddressBook.sqlitedb-shm
Decrypting AddressBook.sqlitedb-wal
Decrypting AddressBookImages.sqlitedb
Decrypting AddressBookImages.sqlitedb-shm
[...]
Decrypting IMG_1117.JPG
Decrypting IMG_1128.PNG
Decrypting IMG_1139.JPG
[...]
Decrypting KeywordIndex.plist
Decrypting Manifest.sqlitedb
Decrypting express.psa
Decrypted 50518 files
The script modifies the disk image directly, and the files are now decrypted and readable. To verify this, you can mount the disk image and examine AddressBook.sqlitedb, which was previously unreadable, with the following commands:
$ hdiutil attach -readonly data_20131209-1956.dmg
/dev/disk3 /Volumes/Data
$ cd /Volumes/Data/
$ hexdump -C mobile/Library/AddressBook/AddressBook.sqlitedb | head
The output is as shown in the following screenshot:
The decrypted AddressBook file
Now, you should be able to fully examine the artifacts on the data partition, which will be covered in detail in Chapter 5, iOS Data Analysis and Recovery.
Recovering the deleted data
Once a raw image of the device is obtained, you can recover the deleted files in the unallocated space by carving the HFS journal using the emf_undelete.py script. This script recovers only a limited number of files, as shown in the following command:
$ sudo python python_scripts/emf_undelete.py UDID/data_20131209-1956.dmg
To recover more deleted files or photos, acquire a low-level NAND image using ios_examiner.py and run the undelete command.
To acquire a low-level NAND image, boot the custom ramdisk and the patched kernel onto the iPhone with the nand-disable boot flag, as shown in the following command:
$ sudo ./redsn0w_mac_0.9.15b3/redsn0w.app/Contents/MacOS/redsn0w -i iPhone3,1_5.1.1_9B208_Restore.ipsw -r myramdisk_n90ap.dmg -k kernelcache.release.n90.patched -a "-v rd=md0 nand-disable=1"
Once the ramdisk is booted successfully, run the ios_examiner.py script without parameters. It allows you to enter commands in the ios_examiner shell, as shown in the following command lines:
$ cd iphone-dataprotection
$ sudo python python_scripts/ios_examiner.py
Connecting to device : b716de79051ef093a98fc3ff1c46ca5e36faabc3
Device model: iPhone 4 GSM
UDID: b716de79051ef093a98fc3ff1c46ca5e36faabc3
ECID: 1937316564364
Serial number: 870522V6A4S
key835: ef8f36fb3a85b42a72e8c5efa6b1a844
key89B: de75b5f5fa6abc5bf25293b38f980a52
[...]
YaFTL_readCxtInfo FAIL, restore needed maxUsn=4491408
FTL restore in progress
100% |########################################|
BTOC not found for block 13 (usn 4491530), scanning all pages
402 used pages in block
LwVM header CRC OK
cprotect version : 4 (iOS 5)
iOS version: 5.1.1
Keybag state: locked
(iPhone4-data) /
Run the bruteforce command to brute force the passcode and unlock the keybag:
(iPhone4-data) / bruteforce
Passcode comlexity (from OpaqueStuff): 4 digits
Enter passcode or leave blank for bruteforce:
Hit Enter and you will see the following command lines:
Passcode "" OK
Keybag state: unlocked
Save device information plist to [b716de7905.plist]:
Hit Enter to save the encryption keys to a plist file (b716de7905.plist).
Run the nand_dump command as shown in the following command lines. It copies the NAND image to the iphone-dataprotection folder.
(iPhone4-data) / nand_dump iphone4-nand.bin
Dumping 16GB NAND to iphone4-nand.bin
100% |############################################|
NAND dump time : 0:45:36.200233
SHA1: a16aa578679ef6a787c8c26a40de4b745a3ae179
Once the NAND image and the plist file are obtained, you can use ios_examiner.py and run the undelete command to recover the deleted files, as shown in the following command lines:
$ sudo python python_scripts/ios_examiner.py iphone4-nand.bin b716de7905.plist
Loading device information from b716de7905.plist
Device model: iPhone 4 GSM
UDID: b716de79051ef093a98fc3ff1c46ca5e36faabc3
ECID: 1937316564364
Serial number: 870522V6A4S
key835: ef8f36fb3a85b42a72e8c5efa6b1a844
key89B: de75b5f5fa6abc5bf25293b38f980a52
[...]
cprotect version : 4 (iOS 5)
iOS version: 5.1.1
(iPhone4-data) / undelete
Building FTL lookup table v1
100% |###################################|
Collecting existing file ids
23297 file IDs
Carving catalog file
Found deleted file record 51657 shaders.data created 2012-06-09 02:19:28
Found deleted file record 51656 shaders.maps created 2012-06-09 02:19:28
[...]
Carving attribute file for file keys
20261 files, 50997 keys
_FBStory.h
[...]
The command recovers the deleted files and places them into a directory named undelete. The recovery process is slow and takes hours to recover all the files.
If a device is restored, wiped, or upgraded to a new OS version, the file system key (EMF) is erased and a new key is created. Without the original EMF key, it is not possible to recover the underlying file system structure. So, it is not possible to recover the deleted files when an iPhone is restored, wiped, or upgraded. Also, iOS devices include a feature called Effaceable Storage to securely erase the keys. This feature accesses the underlying storage (NAND) to directly address and erase a small number of blocks at a very low level, which makes it impossible to recover deleted keys.
AcquisitionviajailbreakingToperformphysicalacquisitionondevicesthatarenotvulnerabletotheBootROMexploit,thedevicemustbejailbroken.JailbreakinganiPhoneallowstheexaminertoinstalltoolsthatwouldnotnormallybeonthedevice,suchasSSH.Byfar,themostpopularmethodforjailbreakingiswithredSn0worevasi0n.BothtoolshavesimplewizardsthatwillsteptheiOSdevicethroughthejailbreakprocessandinstalltheCydiaapplication.Anexaminershouldonlyjailbreakadeviceasalastresortandshouldusegreatcautionwhendoingso.Again,allstepstakenbytheexaminermustbewell-documented.Thejailbreakingprocessmakeschangestothedevice,whichmaydamageevidenceorrenderitinadmissibleincourt.Ifpossible,considerperformingalogicalacquisitionfirsttopreserveevidencethatmaybelostduringthejailbreakingprocess.
To obtain an image of the user data partition, the forensic workstation and the target iOS device must be placed on the same wireless network. From the forensic workstation, run the following SSH command to start the process. Make sure that you replace the IP address placeholder used in the command with your device's IP address before running it.
$ ssh root@<device IP address> "dd if=/dev/rdisk0s1s2 bs=8192" > data.dmg
Enter alpine as the password and hit Enter on the keyboard. This process may take several hours depending on the capacity of the iPhone. Once completed, it displays a certain number of bytes that have been copied, as shown in the following command lines:
1801554+0 records in
1801554+0 records out
14758330368 bytes (15 GB) copied, 2722.38 s, 5.4 MB/s
The SSH command connects to the SSH server on the iOS device as a root user. The dd if=/dev/rdisk0s1s2 bs=8192 command executes the disk copy utility on the iPhone and reads the user data partition located at /dev/rdisk0s1s2 with a block size of 8K. The command outputs the data.dmg file onto the forensic workstation drive. The resulting image file can be manipulated by the forensic analyst's choice of tools.
It is not possible to jailbreak a device that is protected with a passcode. So, if a device (A5+) is protected with a passcode and is not jailbroken, it is not possible to perform physical acquisition on that device. Also, it should be noted that the raw disk image obtained from the iPhone is encrypted and cannot be parsed. In order to decrypt the image, we must obtain encryption keys from the device. The encryption keys are tied to the device's UID key, which can be used only when the IOAESAccelerator kernel extension is patched. It is easy to obtain encryption keys on devices that run on iOS 5 and earlier versions. Since iOS 6, Apple introduced new security features to the kernel such as Kernel Address Space Layout Randomization and Kernel Address Space Protection, which prevent examiners from patching the kernel code directly. However, the Elcomsoft iOS Forensic Toolkit, a commercial tool for iOS forensics, claims that it is capable of performing physical acquisition on devices that run on iOS 6 and iOS 7. This claim assumes that the iOS device is jailbroken, or that the examiner has access to the host computer that contains the pairing keys in escrow files. The tool is discussed in detail in Chapter 6, iOS Forensic Tools.
The following details explain the steps involved in obtaining a disk image from the iPhone 4S that has iOS 5 and is protected with a passcode in this example.
As a prerequisite, the iPhone 4S should already be jailbroken and OpenSSH is installed on it with the default root user password.
Set up the iPhone Data Protection Tools as explained in the previous sections. Edit Makefile in the ramdisk_tools folder, fix the iOS SDK version, and run the make command:
$ cd iphone-dataprotection
$ cd ramdisk_tools
$ sudo make
Connect the iPhone to the computer via USB and establish the communication by running the tcprelay.py script as follows:
$ cd iphone-dataprotection
$ python usbmuxd-python-client/tcprelay.py -t 22:2222
Dump the iPhone user data partition over the relayed port using the following command:
$ ssh -p 2222 root@localhost "dd if=/dev/rdisk0s1s2 bs=8192" > data.dmg
Enter alpine as the password and hit Enter.
Download kernel_patcher from https://code.google.com/p/iphone-dataprotection/issues/detail?id=49&q=a5 and move it to the ramdisk_tools folder with the following command:
$ mv ~/Downloads/kernel_patcher ~/Documents/iphone-dataprotection/
Copy the kernel_patcher, bruteforce, and device_infos scripts to the iPhone using the scp command:
$ cd ramdisk_tools
$ scp -P 2222 kernel_patcher device_infos bruteforce root@localhost:/var/root/
Enter alpine as the password and hit Enter.
Run the ssh command, enter alpine as the password and hit Enter, and then grant execute permissions to the uploaded scripts with the following:
iPhone# chmod +x kernel_patcher bruteforce device_infos
Run the kernel_patcher and bruteforce scripts. It patches the kernel, brute forces the passcode, decrypts the System keybag, and creates a plist file in the iPhone root directory, as shown in the following command lines:
iPhone# ./kernel_patcher
iPhone# ./bruteforce
Writing results to f04d282cc7182d47.plist
[...]
Copy the plist file from the iPhone to the desktop using the scp command:
$ scp -P 2222 root@localhost:/var/root/f04d282cc7182d47.plist .
To decrypt the disk image, run emf_decrypter.py, as follows:
$ sudo python python_scripts/emf_decrypter.py data.dmg f04d282cc7182d47.plist
Now, you should be able to fully examine the artifacts on the data partition.
Summary
The first step in the iPhone forensic examination is to acquire the data from the device. There are different ways to acquire data from an iPhone. This chapter covered physical acquisition techniques and techniques to bypass passcodes and data encryption using open source methods. Physical acquisition is preferred as it recovers more data from the device; however, it is not possible to perform physical acquisition on all iOS devices. The following table summarizes the physical acquisition possibilities on iOS devices:
Model                                                  Physical acquisition
iPhone 3G, 3GS, 4; iPad 1; iPod touch 2G, 3G, 4G       Yes (if no/easy passcode)
iPhone 4S, 5; iPad 2, 3, 4 and iPad mini; iPod touch 5G   Only if jailbroken, and until iOS 6.1.2 (if no/easy passcode)
iPhone 5S and 5C                                       No
While physical acquisition is the best method for forensically obtaining the majority of the data from iOS devices, logical or backup files may exist or be the only method to extract data from the device. The next chapter discusses iOS device backup files in detail, including user, forensic, encrypted, and iCloud backup files and the methods to conduct your forensic examination.
Chapter 4. Data Acquisition from iOS Backups
The physical acquisition of an iPhone provides the most data in an investigation, but you can also find a wealth of information in iPhone backups. iPhone users have several options to back up data present on their devices. iPhone users can choose to back up data to their computer using the Apple iTunes software or to the Apple cloud storage service known as iCloud. Every time an iPhone is synced with a computer or to iCloud, it creates a backup by copying the selected files from the device. The user can determine what is contained in the backup, so some may be more inclusive than others. Also, the user can back up to both a computer and iCloud, and the data derived from each location may differ. Sometimes, the best information available on an iOS device is recovered from a backup file.
In the previous chapter, we covered techniques to acquire data from an iPhone. This chapter covers backup file acquisition techniques using Apple's synchronization protocol from the device onto a computer or to iCloud. Chapter 5, iOS Data Analysis and Recovery, will then teach you how to analyze the data pulled from Chapter 3, Data Acquisition from iOS Devices, and Chapter 4, Data Acquisition from iOS Backups.
iTunes backup
A wealth of information is stored on any computer that has been previously synced with an iPhone. These computers, commonly referred to as host computers, can have historical data and passcode-bypass certificates. So, in a criminal investigation, a search warrant can be obtained to seize a computer that belongs to the suspect. iOS backup file forensics mainly involves analyzing an offline backup produced by an iPhone. However, the iTunes backup method is also useful in cases when physical acquisition of a device is not feasible. In this situation, examiners essentially create an iTunes backup of the device and analyze it using forensic software. Thus, it is important for an examiner to completely understand the backup process and the tools involved.
iPhone backup files can be created using the iTunes software, which is available for Mac OS X and Windows platforms. iTunes is a free utility provided by Apple for data synchronization and management between the iPhone and the computer. iTunes uses Apple's proprietary synchronization protocol to copy data from the iPhone to a computer. An iPhone can be synced with a computer using USB or Wi-Fi. iTunes provides an option for encrypted backup, but by default it creates an unencrypted backup whenever an iPhone is synced. The backup copies of the iPhone can also be useful to recover data if the phone is lost or damaged.
iTunes is configured to automatically initiate the synchronization process once the iPhone is connected to the computer. To avoid unintended data exchange between the iPhone and the computer, disable the automatic synchronization process before connecting your iPhone to the forensic workstation. The following screenshot illustrates the option that disables automatic syncing in iTunes Version 11.1.3.
To disable auto-syncing in iTunes, perform the following steps:
1. Navigate to iTunes | Preferences | Devices.
2. Check Prevent iPods, iPhones and iPads from syncing automatically and click on the OK button.
iTunes — disabling automatic sync
3. Once you verify the synchronization settings, connect the iPhone to the computer using a USB cable. If the connected iPhone is not protected with a passcode, iTunes immediately recognizes the device. This can be verified by the iPhone icon displayed in the upper-right corner of the iTunes interface, as shown in the following screenshot:
4. If the connected iPhone is protected with a passcode, iTunes prompts the user to unlock the device before starting the sync process, as shown in the following screenshot. Once the iPhone is unlocked with a valid passcode, iTunes recognizes the device and allows the user to back up and sync with the computer. Once an iPhone is successfully synced with a computer, iTunes allows it to back up without unlocking the device when the same iPhone is connected to that computer again.
iTunes — iPhone locked message
5. Once iTunes recognizes the device, a single click on the iPhone icon displays the iPhone summary, including the iPhone's name, capacity, firmware version, serial number, free space, and phone number, as shown in the following screenshot. The iPhone Summary page also displays the options to create backups.
Pairing records
When iTunes detects the iPhone, sets of pairing records are exchanged between the iPhone and the computer. Pairing is the mechanism by which your computer establishes a trusted relationship with your device so that iTunes can communicate with it. Once a computer has been paired, it can access personal information on the device and can even initiate a backup of the device. Similar pairing occurs in iOS 7 with commercial forensic tools.
On the iPhone, pairing records are stored in the /var/root/Library/Lockdown/pair_records/ directory. The directory will contain multiple pairing records if the device is paired with multiple computers. Pairing records are stored as a property list (.plist) file with a filename representing the unique identifier given to the computer. Property list files are binary formatted XML-like files, explained in detail in Chapter 5, iOS Data Analysis and Recovery. Pairing records on the device contain the HostID, root certificate, device certificate, and host certificate. For example, the content shown in the following screenshot was located in a pairing record on one particular iPhone with a file named 97D6299A-8EDA-454F-9C62-4BB031F45DD6.plist. Pairing records stored on the iPhone are deleted only when the phone is restored to factory state.
Pairing records on the iPhone
On the computer, pairing records are stored in a preconfigured location depending on the operating system, as shown in the following table. Pairing records are stored as a property list file with a filename representing the iPhone's unique device identifier. Pairing records on the computer are known as lockdown certificates.
Operating system   Location
Windows            %AllUserProfile%\Apple\Lockdown\
Mac OS X           /private/var/db/lockdown/
Pairing records on the computer contain the device certificate, Escrow keybag, root certificate, host certificate, host private key, and root certificate and private key. For example, the content shown in the following screenshot was located in a pairing record on one particular computer with a file named 6c1b7aca59e2eba6f4635cfe7c4b2de1bd812898.plist.
Pairing record on a computer
The Escrow keybag stored on the computer allows iTunes to back up and sync with the device even in a locked state. The Escrow keybag is a copy of the System keybag and contains a collection of data protection class keys that are used for encryption on the iPhone. Commercial tools that claim to be able to crack a locked iPhone without brute force require access to the host computer and thus the Escrow keybag. The keybag improves the user experience during device synchronization and gives access to all classes of data on the device without entering the passcode.
The Escrow keybag is protected with a newly generated key computed from the key 0x835 and stored in an escrow record on the device. The escrow record is a property list file stored in the /private/var/root/Library/Lockdown/escrow_records/ directory with a filename that represents the computer's unique identifier. Starting with iOS 5, escrow records are protected with the UntilFirstUserAuthentication data protection class, which ties the encryption to the user's passcode. So, the device passcode must be entered before backing up with iTunes for the first time.
Understanding the backup structure
When the iPhone is backed up to a computer, the backup files are stored in a backup directory, which exists as a 40-character hexadecimal string and corresponds to the Unique Device Identifier (UDID) of the device. The backup process may take a considerable amount of time depending on the size of the data stored on the iPhone during the first backup. The location of the backup directory where your backup data is stored depends on the computer's operating system. The following table displays a list of the common operating systems and the default location of the iTunes backup directory:
Operating system     Backup directory location
Windows XP           \Documents and Settings\[username]\Application Data\Apple Computer\MobileSync\Backup\
Windows Vista/7/8    \Users\[username]\AppData\Roaming\Apple Computer\MobileSync\Backup\
Mac OS X             ~/Library/Application Support/MobileSync/Backup/ (~ represents your Home folder)
During the first sync, iTunes creates a backup directory and takes a complete backup of the device. On subsequent syncs, iTunes only backs up the files that are modified on the device and updates the existing backup directory. Also, when a device is updated or restored, iTunes automatically initiates a backup and takes a differential backup. A differential backup has the same name as the backup directory, but appended with a dash (-), the ISO date of the backup, a dash (-), and the time in a 24-hour format with seconds ([UDID] + '-' + [Date] + '-' + [Timestamp]).
The iTunes backup makes a copy of everything on the device, including contacts, SMSes, photos, the calendar, music, call logs, configuration files, documents, the keychain, network settings, offline web application cache, bookmarks, cookies and application data, and so on. The backup also contains device details such as the serial number, UDID, SIM details, and phone number.
This information can also be used to prove a relationship between the desktop and the mobile device.
The backup directory contains four standard files along with the individual data files, which may exist in various formats depending on the version of iTunes. Older versions will contain *.mdbackup, *.mdata, *.mdinfo, and some files with no file extensions. The standard files store details about the backup and the device from which it was derived. These filenames are as follows:
info.plist
manifest.plist
status.plist
manifest.mbdb
The first three files are property list files that can be easily analyzed using the Property List Editor application on Mac OS X.
info.plist
The info.plist file stores details about the backed up device and typically contains the following information:
Device name and display name: This is the name of the device, which typically includes the owner's name
ICCID: This is the Integrated Circuit Card Identifier, which is the serial number of the SIM
Last backup date: This is the timestamp of the last successful backup
IMEI: This is the International Mobile Equipment Identity, which is used to uniquely identify the mobile phone
Phone Number: This is the phone number of the device at the time of backup
Installed applications: This is the list of application identifiers on the device
Product type and production version: This is the device model and firmware version
Serial number: This is the serial number of the device
iTunes version: This is the version of iTunes that generated the backup
Target Identifier and Unique Identifier: This is the UDID of the device
manifest.plist
The manifest.plist file describes the contents of the backup and typically contains the following information:
Applications: This is a list of third-party applications installed on the backed up device, their version numbers, and bundle identifiers
Date: This is the timestamp of a backup created or last updated
IsEncrypted: This identifies whether the backup is encrypted or not. For encrypted backups the value is True, otherwise it is False
Lockdown: This contains device details, the last backup computer's name, and other remote syncing profiles
WasPasscodeSet: This identifies whether a passcode was set on the device when it was last synced
Backup keybag: Starting with iOS 4, a Backup keybag is created for each backup made by iTunes. The Backup keybag contains a new set of data protection class keys that are different from the keys in the System keybag, and backed up data is re-encrypted with the new class keys. Keys in the Backup keybag facilitate the storage of backups in a secure manner
status.plist
The status.plist file stores details about the backup status and typically contains the following information:
BackupState: This identifies whether the backup is a new backup or one that has been updated
Date: This is the timestamp of the last time the backup was modified
IsFullBackup: This identifies whether or not the backup was a full backup of the device
manifest.mbdb
The manifest.mbdb file is a binary file and contains records about all other files in the backup directory along with the file sizes, file type, and file structure. The manifest.mbdb file header and record format are shown in the following tables.
Header
The file header is a fixed value of 6 bytes. This value acts as a magic string to identify the file format.
Type    Data        Description
uint8   mbdb\5\0    This is the file's magic string
Record
Each record in the manifest.mbdb file contains details about a file in the backup.
Type     Data                   Description
String   Domain                 This is the domain name.
String   Path                   This is the file path.
String   Target                 This is an absolute path for symbolic links.
String   Digest                 This contains the SHA1 hash; 0xFF 0xFF for directories and for AppDomain files, and 0x00 0x14 for SystemDomain files.
String   Encryption key         This indicates encrypted files; 0xFF 0xFF for unencrypted files.
uint16   Mode                   This identifies the file type: 0xA000 for symbolic link, 0x4000 for directory, and 0x8000 for regular files.
uint64   inode number           This is a lookup entry in the inode table.
uint32   User ID                This is mostly 501.
uint32   Group ID               This is mostly 501.
uint32   Last modified time     This is the file's last modified time in the Unix time format.
uint32   Last accessed time     This is the file's last accessed time in the Unix time format.
uint32   Created time           This is the file created time in the Unix time format.
uint64   Size                   This is the length of a file. It is 0 for a symbolic link and a directory.
uint8    Protection class       This is the data protection class, 0x1 to 0xB.
uint8    Number of properties   This is the number of extended attributes.
The manifest.mbdb file header
Apart from the standard files, the backup directory also contains hundreds of backup files with varying file extensions depending on the version of iTunes used to create the backup, as described earlier. In the following screenshot, the backup was created with the latest version of iTunes, in which the files do not contain a file extension. The backup files are uniquely named with a 40-character hexadecimal string. These filenames signify a unique identifier for each data set copied from the iPhone.
iPhone backup files
In iOS, files are categorized into 12 domains. All of the application files are classified into AppDomain and other files on the filesystem are classified into 11 system domains, shown in the following screenshot. The list of system domains is stored in a property list file located under /System/Library/Backup/Domains.plist on the device.
The 40-character hexadecimal filename in the backup directory is the SHA1 hash value of the file path appended to the respective domain name with a dash (-) symbol.
For instance, the AddressBook database file is a member of HomeDomain and is located under Library/AddressBook/AddressBook.sqlitedb. The backup file name of AddressBook is 31bb7ba8914766d4ba40d6dfb6113c8b614be442, which can be obtained by computing the SHA1 hash value of the following string: HomeDomain-Library/AddressBook/AddressBook.sqlitedb.
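The following is an added example, not code from the book or from the iPhone Data Protection Tools project: a minimal parser for the manifest.mbdb header and record layout in the tables above, which also derives each record's 40-character backup filename the way it is described for AddressBook.sqlitedb and builds the Domain/path restore map that the extraction tools rebuild. The mbdb bytes, inode and time values, the wrapped key bytes and the extended attribute name are constructed for the example.

```python
"""Parse a manifest.mbdb buffer and map hashed backup filenames back to Domain/path."""
import hashlib
import struct

MBDB_MAGIC = b"mbdb\x05\x00"  # 6-byte magic string described in the header table
# Fixed-width fields that follow the five strings of each record (all big-endian):
# mode(u16) inode(u64) uid(u32) gid(u32) mtime(u32) atime(u32) ctime(u32) size(u64)
# protection_class(u8) number_of_properties(u8)
FIXED = struct.Struct(">HQIIIIIQBB")
FILE_TYPES = {0xA000: "symlink", 0x4000: "directory", 0x8000: "file"}


def backup_filename(domain, path):
    """Backup files are named SHA1('<domain>-<path>') rendered as 40 hex characters."""
    return hashlib.sha1(("%s-%s" % (domain, path)).encode("utf-8")).hexdigest()


def _read_string(data, offset):
    """Strings carry a 2-byte big-endian length; 0xFFFF means the field is empty."""
    (length,) = struct.unpack_from(">H", data, offset)
    offset += 2
    if length == 0xFFFF:
        return b"", offset
    if offset + length > len(data):
        raise ValueError("truncated string field at offset %d" % offset)
    return data[offset:offset + length], offset + length


def parse_mbdb(data):
    """Return one dict per record; raises ValueError on a bad magic or a truncated file."""
    if not data.startswith(MBDB_MAGIC):
        raise ValueError("not a manifest.mbdb file: bad magic %r" % data[:6])
    offset, records = len(MBDB_MAGIC), []
    while offset < len(data):
        rec = {}
        for name in ("domain", "path", "target", "digest", "encryption_key"):
            rec[name], offset = _read_string(data, offset)
        if offset + FIXED.size > len(data):
            raise ValueError("truncated record at offset %d" % offset)
        (rec["mode"], rec["inode"], rec["uid"], rec["gid"], rec["mtime"],
         rec["atime"], rec["ctime"], rec["size"], rec["protection_class"],
         nprops) = FIXED.unpack_from(data, offset)
        offset += FIXED.size
        rec["properties"] = {}
        for _ in range(nprops):  # extended attributes: name/value string pairs
            pname, offset = _read_string(data, offset)
            pvalue, offset = _read_string(data, offset)
            rec["properties"][pname.decode("utf-8")] = pvalue
        rec["domain"] = rec["domain"].decode("utf-8")
        rec["path"] = rec["path"].decode("utf-8")
        rec["type"] = FILE_TYPES.get(rec["mode"] & 0xF000, "unknown")
        # An empty (0xFFFF) encryption key field means the file is stored in the clear.
        rec["encrypted"] = len(rec["encryption_key"]) > 0
        rec["backup_name"] = backup_filename(rec["domain"], rec["path"])
        records.append(rec)
    return records


def restore_plan(records):
    """Map each regular file's hashed backup name to the Domain/path it is restored to,
    which is the mapping an extraction tool needs to rebuild the directory tree."""
    return {r["backup_name"]: "%s/%s" % (r["domain"], r["path"])
            for r in records if r["type"] == "file"}


# --- constructed sample manifest.mbdb (not captured from a real device) ---------------
def _s(value):
    return b"\xff\xff" if value is None else struct.pack(">H", len(value)) + value


def _record(domain, path, mode, size, pclass, target=None, digest=None, key=None, props=()):
    body = _s(domain) + _s(path) + _s(target) + _s(digest) + _s(key)
    body += FIXED.pack(mode, 1234, 501, 501, 1389098293, 1389098293, 1389098293,
                       size, pclass, len(props))
    for name, value in props:
        body += _s(name) + _s(value)
    return body


SAMPLE_MBDB = (
    MBDB_MAGIC
    + _record(b"HomeDomain", b"Library/AddressBook", 0x41ED, 0, 0)
    + _record(b"HomeDomain", b"Library/AddressBook/AddressBook.sqlitedb", 0x81A4, 4096, 4,
              digest=b"\x00" * 20)
    + _record(b"CameraRollDomain", b"Media/DCIM/100APPLE/IMG_0038.JPG", 0x81A4, 2048, 1,
              key=b"\x00\x00\x00\x01" + b"\x11" * 40,  # constructed wrapped file key
              props=((b"com.example.xattr", b"value"),))
)

if __name__ == "__main__":
    for rec in parse_mbdb(SAMPLE_MBDB):
        print(rec["backup_name"], rec["type"], rec["domain"], rec["path"],
              "encrypted" if rec["encrypted"] else "clear")
```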
System domains on the iPhone
Unencrypted backup
To create an unencrypted backup, perform the following steps:
1. Connect the iPhone to the forensic workstation using a USB cable.
2. On the forensic workstation, launch iTunes.
3. Click on the iPhone icon displayed in the upper-right corner of the iTunes interface. It displays the iPhone Summary page.
4. In the iPhone Summary page, select the This computer checkbox and click on the Back Up Now button.
Extracting unencrypted backups
There are many free tools available to analyze data from unencrypted backups. These tools parse the manifest.mbdb file, restore the filenames, and create the file structure that users see on the iPhone. Some of the popular tools include iPhone Backup Extractor, iPhone Backup Browser, and iPhone Data Protection Tools.
iPhone Backup Extractor
iPhone Backup Extractor is a free tool for Mac OS X, which can be downloaded from http://supercrazyawesome.com/. The backup extractor expects backup files to be located in the default location ~/Library/Application Support/MobileSync/Backup/. So, you will need to copy any backups you wish to extract to the default location. iPhone Backup Extractor is a very easy tool to use.
To extract the backup, follow these steps:
1. Launch the app and click on the Read Backups button. It displays a list of backups available on the forensic workstation. Select the backup that you wish to extract and click on the Choose button, as shown in the following screenshot:
iPhone Backup Extractor — choosing backups
2. When you choose the backup, iPhone Backup Extractor allows you to extract the individual applications and the iOS file system backup, as shown in the following screenshot:
iPhone Backup Extractor
3. Choose the files you would like to extract and then click on Extract. It prompts for a destination directory to save the extracted files.
iPhone Backup Browser
iPhone Backup Browser is a free tool for Windows and can be downloaded from http://code.google.com/p/iphonebackupbrowser/. The tool requires Microsoft .NET Framework 4 and the Visual C++ 2010 runtime to be installed on the forensic workstation. The backup browser expects backup files to be located in the default location as mentioned in the preceding table. iPhone Backup Browser provides a GUI to view the backup data, as shown in the following screenshot:
iPhone Backup Browser
iPhone Data Protection Tools
iPhone Data Protection Tools, an open source iOS forensic toolkit, can also be used to extract the backup files. To analyze data from the unencrypted backup file, set up iPhone Data Protection Tools as explained in Chapter 3, Data Acquisition from iOS Devices, and run the backup_tool.py script on your backup directory in a terminal window, as follows:
$ cd iphone-dataprotection
$ cd python_scripts
$ sudo python backup_tool.py ~/Library/Application\ Support/MobileSync/Backup/6c1b7aca59e2eba6f4635cfe7c4b2de1bd812898/
Device Name: Satishb3
Display Name: Satishb3
Last Backup Date: 2014-01-07 12:58:13
IMEI: 012856001945212
Serial Number: 85137505EDG
Product Type: iPhone2,1
Product Version: 6.1
iTunes Version: 11.1.3
Extract backup to /Users/satishb3/Library/Application Support/MobileSync/Backup/6c1b7aca59e2eba6f4635cfe7c4b2de1bd812898_extract? (y/n)
Type the letter y and hit Enter. The preceding script displays a number of messages indicating the current file being operated on, as shown in the following command lines:
Backup is not encrypted
Writing /Users/satishb3/Library/Application Support/MobileSync/Backup_extract/HomeDomain/Library/Preferences/com.apple.voiceservices.plist
Writing /Users/satishb3/Library/Application Support/MobileSync/Backup_extract/CameraRollDomain/Media/DCIM/100APPLE/IMG_0038.JPG
Writing /Users/satishb3/Library/Application Support/MobileSync/Backup_extract/SystemPreferencesDomain/SystemConfiguration/preferences.plist
Writing /Users/satishb3/Library/Application Support/MobileSync/Backup_extract/HomeDomain/Library/Preferences/com.apple.mobileipod.plist
[...]
Writing /Users/satishb3/Library/Application Support/MobileSync/Backup/6c1b7aca59e2eba6f4635cfe7c4b2de1bd812898_extract/HomeDomain/Library/Preferences/com.apple.springboard.plist
You can decrypt the keychain using the following command:
python keychain_tool.py -d "/Users/satishb3/Library/Application Support/MobileSync/Backup/6c1b7aca59e2eba6f4635cfe7c4b2de1bd812898_extract/KeychainDomain/keychain-backup.plist" "/Users/satishb3/Library/Application Support/MobileSync/Backup/6c1b7aca59e2eba6f4635cfe7c4b2de1bd812898_extract/Manifest.plist"
The preceding script creates the 6c1b7aca59e2eba6f4635cfe7c4b2de1bd812898_extract folder in the backup directory location and extracts the backup files into it by restoring the original filenames. The extracted backup files are stored in a number of domain directories, as shown in the following screenshot. Now, you should be able to completely examine the artifacts in the backup files, which will be covered in detail in Chapter 5, iOS Data Analysis and Recovery. Pay attention to the directory names used in the command line, as they vary for each device.
Extracted iPhone backup files
Decrypting the keychain
For unencrypted backups, all the backup files are stored unencrypted except the keychain. The keychain file contents are encrypted with a set of class keys in the Backup keybag. The Backup keybag itself is protected with a key (0x835) derived from the iPhone hardware key (UID key). So, in order to decrypt the keychain, you need to extract the key 0x835 from the device using the demo_bruteforce.py techniques explained in Chapter 3, Data Acquisition from iOS Devices.
The iPhone Data Protection Tools also contain Python scripts to decrypt the keychain file from the backup. To decrypt the keychain, run the following command in a terminal window and enter your device key 0x835 when prompted:
$ sudo python keychain_tool.py -d "/Users/satishb3/Library/Application Support/MobileSync/Backup/6c1b7aca59e2eba6f4635cfe7c4b2de1bd812898_extract/KeychainDomain/keychain-backup.plist" "/Users/satishb3/Library/Application Support/MobileSync/Backup/6c1b7aca59e2eba6f4635cfe7c4b2de1bd812898_extract/Manifest.plist"
This backup is not encrypted, without key 835 nothing in the keychain can be decrypted
If you have key835 for device 6c1b7aca59e2eba6f4635cfe7c4b2de1bd812898 enter it (in hex)
33403aec43adea127459485bf5969502
The script extracts generic passwords, Internet passwords, certificates, and private keys from the keychain and displays them in a table, as shown in the following screenshot:
Encrypted backup
iTunes provides an option for users to encrypt their backups using a password. Forensic examiners may elect to create an encrypted backup to protect the evidence. It is pertinent that the examiner documents the password should this method be used.
To create an encrypted backup, perform the following steps:
1. Connect the iPhone to the forensic workstation using a USB cable.
2. On the forensic workstation, launch iTunes.
3. Click on the iPhone icon displayed in the upper-right corner of the iTunes interface. It displays the iPhone Summary page.
4. In the iPhone Summary page, select the This computer checkbox and select the Encrypt iPhone backup option. Selecting the option prompts you to enter a password, as shown in the following screenshot.
5. Set a password and click on the Back Up Now button. It creates an encrypted backup.
iTunes — encrypted backup
If a backup is password protected, the password is set on the device itself and stored in the keychain file. Also, whenever the device is connected to iTunes, it automatically chooses the Encrypt iPhone backup option, regardless of whether the user's own copy of iTunes is being used on their computer or someone else's. So, even if you have access to the suspect's iPhone, you cannot produce an unencrypted backup unless you know the backup password.
Extracting encrypted backups
For encrypted backups, the backup files are encrypted using the AES 256 algorithm in CBC mode, with a unique key and a null IV (initialization vector). The unique file keys are protected with a set of class keys from the Backup keybag. The class keys in the Backup keybag are protected with a key derived from the password set in iTunes through 10,000 iterations of PBKDF2 (Password-Based Key Derivation Function 2). Both open source and commercial tools provide support for parsing an encrypted backup file if the password is known. Some tools won't even prompt for a password, which makes them useless in a forensic investigation. iPhone Data Protection Tools is capable of extracting data from encrypted backup files if the password is known.
iPhone Data Protection Tools
iPhone Data Protection Tools contains Python scripts to decrypt the backup when the backup password is available. To decrypt and acquire data from the encrypted backup, in a terminal window, run the backup_tool.py script on your backup directory and enter the backup password when prompted, as shown in the following commands:
$ cd iphone-dataprotection
$ cd python_scripts
$ sudo python backup_tool.py ~/Library/Application\ Support/MobileSync/Backup/6c1b7aca59e2eba6f4635cfe7c4b2de1bd812898/
Device Name: Satishb3
Display Name: Satishb3
Last Backup Date: 2014-01-15 16:34:13
IMEI: 012856001945212
Serial Number: 85137505EDG
Product Type: iPhone2,1
Product Version: 6.1
iTunes Version: 11.1.3
Extract backup to /Users/satishb3/Library/Application Support/MobileSync/Backup/6c1b7aca59e2eba6f4635cfe7c4b2de1bd812898_extract? (y/n)
Type the letter y and hit Enter. The script displays a number of messages indicating the current file being operated upon, as follows:
Backup is encrypted
Enter backup password:
12345
Writing /Users/satishb3/Library/Application Support/MobileSync/Backup/6c1b7aca59e2eba6f4635cfe7c4b2de1bd812898_extract/HomeDomain/Library/Preferences/com.apple.voiceservices.plist
Writing /Users/satishb3/Library/Application Support/MobileSync/Backup/6c1b7aca59e2eba6f4635cfe7c4b2de1bd812898_extract/CameraRollDomain/Media/DCIM/100APPLE/IMG_0038.JPG
Writing /Users/satishb3/Library/Application Support/MobileSync/Backup/6c1b7aca59e2eba6f4635cfe7c4b2de1bd812898_extract/SystemPreferencesDomain/SystemConfiguration/preferences.plist
[...]
Writing /Users/satishb3/Library/Application Support/MobileSync/Backup/6c1b7aca59e2eba6f4635cfe7c4b2de1bd812898_extract/HomeDomain/Library/Preferences/com.apple.springboard.plist
You can decrypt the keychain using the following command:
python keychain_tool.py -d "/Users/satishb3/Library/Application Support/MobileSync/Backup/6c1b7aca59e2eba6f4635cfe7c4b2de1bd812898_extract/KeychainDomain/keychain-backup.plist" "/Users/satishb3/Library/Application Support/MobileSync/Backup/6c1b7aca59e2eba6f4635cfe7c4b2de1bd812898_extract/Manifest.plist"
The script creates the 6c1b7aca59e2eba6f4635cfe7c4b2de1bd812898_extract folder in the backup directory location, then decrypts and extracts the backup files into a number of domain directories by restoring the original filenames.
Decrypting the keychain
Encrypted backup files can be cracked using brute force attacks in both command line and GUI tools. For encrypted backups, the keychain items protected with the ThisDeviceOnly data protection class are encrypted using a set of class keys that are protected with the key 0x835. All other keychain items are encrypted using a set of class keys that are protected with the password set in iTunes. If you want to extract the ThisDeviceOnly protected items, you need to extract the key 0x835 from the device using the demo_bruteforce.py techniques explained in Chapter 3, Data Acquisition from iOS Devices.
iPhone Data Protection Tools contains Python scripts to decrypt the keychain file from the encrypted backup. To decrypt the keychain, run the following command in a terminal window and enter the backup password when prompted. The script also prompts you to enter the key 0x835; press Enter if you don't have the key 0x835.
$ sudo python keychain_tool.py -d "/Users/satishb3/Library/Application Support/MobileSync/Backup/6c1b7aca59e2eba6f4635cfe7c4b2de1bd812898_extract/KeychainDomain/keychain-backup.plist" "/Users/satishb3/Library/Application Support/MobileSync/Backup/6c1b7aca59e2eba6f4635cfe7c4b2de1bd812898_extract/Manifest.plist"
Once completed, the script extracts generic passwords, Internet passwords, certificates, and private keys from the keychain, and displays them in a table.
iPhone Password Breaker
iPhone Password Breaker is a GPU-accelerated commercial tool from Elcomsoft developed for the Windows platform. The tool can decrypt the encrypted backup file when the backup password is not available. The tool provides an option to launch a password brute-force attack on the encrypted backup if the backup password is not available. iPhone Password Breaker tries to recover the plain-text password that protects the encrypted backup using dictionary and brute force attacks. Passwords that are relatively short and simple can be recovered in a reasonable time. But if the backup is protected with a strong and complex password, breaking it can take forever.
To brute force the backup password, perform the following steps:
1. Launch the iPhone Password Breaker tool and the tool's main screen will appear, as shown in the following screenshot.
2. Navigate to File | Open | Backup. A list of available device backups is displayed and a lock symbol is shown next to the encrypted device backups, as shown in the following screenshot:
iPhone Password Breaker - Choose backup
3. Configure the brute-force pattern in the Attacks section and click on the Start button to start the brute force attack. If the brute force attack is successful, the tool displays the password on the main screen, as shown in the following screenshot:
iCloud backup
iCloud is a cloud storage and cloud computing service by Apple launched in October 2011. The service allows users to keep data such as calendars, contacts, reminders, photos, documents, bookmarks, applications, notes, and more in sync across multiple compatible devices (iOS devices running iOS 5 or later, computers with Mac OS X 10.7.2 or later, and Microsoft Windows) using a centralized iCloud account. The service also allows users to wirelessly and automatically back up their iOS devices to iCloud. iCloud also provides other services such as Find My iPhone (to track a lost phone and wipe it remotely), Find My Friends (to share location with friends and notify the user when a device arrives at a certain location), and so on.
Signing up with iCloud is free and simple to do with an Apple ID. When you sign up for iCloud, Apple grants you access to 5 GB of free remote storage. If you need more storage, you can purchase the upgrade plan. To keep your data secure, Apple requires users to choose a strong password when creating an Apple ID to use with iCloud. The password must have a minimum of eight characters, a number, an uppercase letter, and a lowercase letter.
iOS devices running iOS 5 and later allow users to back up the device settings and data to iCloud. Data backed up includes photos, videos, documents, application data, device settings, messages, contacts, calendar, e-mail, keychain, and so on. You can turn on iCloud backup on your device by navigating to Settings | iCloud | Storage & Backup, as shown in the following screenshot. iCloud can automatically back up your data when your phone is plugged in, locked, and connected to Wi-Fi. That is to say, iCloud backups represent a fresh and near real-time copy of the information stored on the device.
iCloud backup toggle on the iPhone
You can also initiate an iCloud backup from a computer by connecting the device to iTunes and choosing the iCloud option. iCloud backups are incremental, that is, once the initial iCloud backup is completed, all the subsequent backups only copy the files that have changed on the device. iCloud secures your data by encrypting it when it is transmitted over the Internet, storing it in an encrypted format on the server, and using secure tokens for authentication.
Tip
iCloud does not encrypt Email and Notes stored on the server, to be consistent with standard industry practices.
Apple's built-in apps (for example, Email and Contacts) use a secure token to access iCloud services. Use of secure tokens for authentication eliminates the need to store the iCloud password on devices and computers.
Extracting iCloud backups
Online backups stored on iCloud are commonly retrieved when the original iPhone is damaged or lost. To extract a backup from iCloud, you must know the user's Apple ID and password. With the known Apple ID and password, you can log on to www.icloud.com and get access to contacts, notes, e-mail, calendar, photos, reminders, and more. To extract the complete backup from iCloud, you can use Elcomsoft iPhone Password Breaker. As iCloud is not the fastest cloud storage, downloading a large backup with iPhone Password Breaker can take hours. To speed up the investigation, the tool provides an option to download only the selected files.
To extract the iCloud backup, perform the following steps:
1. Launch the iPhone Password Breaker.
2. Navigate to File | Apple | Get Backup from iCloud. It displays a prompt to sign in with your Apple ID, as shown in the following screenshot:
3. Successfully signing in with your Apple ID lists the available device backups, as shown in the following screenshot:
4. Select the backup you need and click on Download. It prompts you for a destination directory and saves the extracted files into a number of domain directories, restoring the original filenames. The tool also provides an option to download the backup without restoring the original filenames so that you can use third-party software for analysis.
For iCloud backups, the keychain file contents are encrypted with a set of class keys in the Backup keybag. The Backup keybag itself is protected with a key (0x835) derived from the iPhone hardware key (UID key). You can follow the techniques explained in the preceding sections to decrypt the keychain from the extracted iCloud backup.
Summary
iPhone backups contain essential information that may be your only source of evidence for the iPhone. Information stored in iPhone backups includes photos, videos, contacts, e-mail, call logs, user accounts and passwords, applications, device settings, and so on. This chapter covered techniques to create backup files and retrieve data from iTunes and iCloud backups, including encrypted backup files, wherever possible. Chapter 5, iOS Data Analysis and Recovery, goes further into the forensic investigation by showing the examiner how to analyze the data recovered from the backup files. Areas containing data of potential evidentiary value will be explained in detail.
Chapter 5. iOS Data Analysis and Recovery
A key aspect of iPhone forensics is to examine and analyze the data acquired from an iPhone to interpret the evidence. Data on most iOS devices is encrypted and requires that the data partition be decrypted prior to an examination. In the previous chapters, you learned various techniques to acquire data from an iPhone. The raw disk image obtained during physical acquisition, the file system dump, or the logical/backup file contains hundreds of data files. This chapter will help you to understand how data is stored on the iPhone and will walk you through the important files in order to recover the most data possible.
Timestamps
Before examining the data, it is important to understand the different timestamps used on the iPhone. Timestamps found on the iPhone are presented either in the Unix timestamp or the Mac absolute time format. The examiner must ensure that the tools properly convert the timestamps for the files. Access to the raw SQLite files will allow the examiner to verify the timestamps manually.
Unix timestamps
A Unix timestamp is the number of seconds that offsets the Unix epoch time, which starts on January 1, 1970. A Unix timestamp can be converted easily using the date command on a Mac workstation or using an online Unix epoch converter on a Windows workstation. The date command is shown as follows:
$ date -r 1388538061
Wed Jan  1 06:31:01 IST 2014
Mac absolute time
iOS devices adopted the use of Mac absolute time with iOS 5 for most of the data. Mac absolute time is the number of seconds that offsets the Mac epoch time, which starts on January 1, 2001. The difference between the Unix epoch time and the Mac epoch time is exactly 978,307,200 seconds. To convert a Mac absolute time value, add 978,307,200 to it and then treat the result as a Unix timestamp. For example, the date command can be used to convert Mac absolute time as shown as follows:
$ date -r `echo '389894124+978307200' | bc`
Fri May 10 21:25:24 IST 2013
Online converters prove to be useful to convert both Mac epoch and Unix timestamps for iOS devices.
SQLite databases
SQLite is an open source, in-process library that implements a self-contained, zero-configuration, and transactional SQL database engine. It's a complete database with multiple tables, triggers, and views that are contained in a single cross-platform file. As SQLite is portable, reliable, and small, it is a popular database format that appears in many mobile platforms.
Apple iOS devices, like other smartphones, make heavy use of SQLite databases for data storage. Many of the built-in applications such as Phone, Messages, Mail, Calendar, and Notes store data in SQLite databases. Apart from that, third-party applications installed on the device also leverage SQLite databases for data storage.
SQLite databases are created with or without a file extension. They typically have .sqlitedb or .db file extensions, but some databases are given other extensions as well. Data in SQLite files is broken up into tables that contain the actual data. To access the data stored in these files, you need a tool that can read them. Some good free tools are:
SQLite Browser, which can be downloaded from https://github.com/rp-/sqlitebrowser.
SQLite command-line client, which you can download from http://www.sqlite.org/.
SQLite Professional (https://www.sqlitepro.com/), a free graphical user interface (GUI) from Hankinsoft Development for Mac OS X users. You can download it from Mac's App Store.
SQLiteSpy, a free GUI tool for Windows. You can download it from http://www.yunqa.de/delphi/doku.php/products/sqlitespy/index.
Mac OS X includes the SQLite command-line utility (sqlite3) by default. This command-line utility can easily access individual files and issue SQL queries against a database. So, in the following sections we will use the sqlite3 command-line utility to retrieve data from various SQLite databases. Before retrieving the data, the basic commands you will need to learn are explained in the following sections:
Connecting to a database
Manual examination of iOS SQLite database files is possible with the use of free tools. The following is an example of how to examine a database using native Mac commands in the terminal. Make sure your device image is mounted as read-only to prevent changes being made to the original evidence. To connect to a SQLite database from the command line, run the sqlite3 command in the terminal, passing your database file. This will give you a SQL prompt where you can issue SQL queries:
$ sqlite3 filename.sqlitedb
SQLite version 3.7.12 2012-04-03 19:43:07
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite>
To disconnect, use the .exit command. It exits the SQLite client and returns to the terminal prompt.
SQLite special commands
Once you connect to a database, there are a number of built-in SQLite commands known as dot commands that can be used to obtain information from the database files. You can obtain the list of special commands by issuing the .help command at the SQLite prompt. These are SQLite-specific commands and do not require a semicolon at the end of the command. The most commonly used dot commands include the following:
.tables: This lists all of the tables within a database. The following example displays the list of tables found inside the sms.db database:
sqlite> .tables
_SqliteDatabaseProperties  chat_message_join         attachment
handle                     chat                      message
chat_handle_join           message_attachment_join
.schema table-name: This displays the SQL CREATE statement used to construct the table. The following example displays the schema for the handle table, which is found inside the sms.db database:
sqlite> .schema handle
CREATE TABLE handle (ROWID INTEGER PRIMARY KEY AUTOINCREMENT
UNIQUE, id TEXT NOT NULL, country TEXT, service TEXT NOT NULL,
uncanonicalized_id TEXT, UNIQUE (id, service));
.dump table-name: This dumps the entire content of a table into SQL statements. The following example displays the dump of the handle table, which is found inside the sms.db database:
sqlite> .dump handle
PRAGMA foreign_keys=OFF;
BEGIN TRANSACTION;
CREATE TABLE handle (ROWID INTEGER PRIMARY KEY AUTOINCREMENT
UNIQUE, id TEXT NOT NULL, country TEXT, service TEXT NOT NULL,
uncanonicalized_id TEXT, UNIQUE (id, service));
INSERT INTO "handle"
VALUES(7,'9951512182','in','SMS','9908923323');
COMMIT;
.output file-name: This redirects the output to a file on the disk instead of showing it on the screen.
.headers on: This displays the column titles whenever you issue a SELECT statement.
.help: This displays the list of available SQLite dot commands.
.exit: This disconnects from the database and exits the SQLite command shell.
.mode MODE: This sets the output mode, where MODE can be csv, html, tabs, and so on.
Tip
Make sure there is no space between the SQLite prompt and the dot command, otherwise the entire command will be ignored.
Standard SQL queries
In addition to the SQLite dot commands, standard SQL queries such as SELECT, INSERT, ALTER, DELETE, and more can be issued to SQLite databases on the command line. Unlike the SQLite dot commands, the standard SQL queries expect a semicolon at the end of the command.
Most of the databases you will examine will contain only a reasonable number of records, so you can issue a SELECT statement, which outputs all of the data contained in the table. The following example displays the values in the handle table, which is found inside the sms.db database:
sqlite> select * from handle limit 1;
7|9951512182|in|SMS|9908923323
Important database files
Raw disk images, file system dumps, or the backup that you extracted as per the instructions in Chapter 3, Data Acquisition from iOS Devices, and Chapter 4, Data Acquisition from iOS Backups, will contain the following SQLite databases that may be important to your investigation. The files shown in the following sections are extracted from an iOS 6 device. As Apple adds new features to the built-in applications with every iOS release, the format of the files may vary for different iOS versions. So, you may need to modify the queries listed slightly to work on your iOS version. More information regarding important database files can be found at http://www.zdziarski.com/blog/wp-content/uploads/2013/05/iOS-Forensic-Investigative-Methods.pdf.
Address book contacts
The address book contains a wealth of information about the owner's personal contacts. With the exception of third-party applications, the address book contains contact entries for all of the contacts stored on the device. The address book database is a HomeDomain file and can be found at private/var/mobile/Library/AddressBook/AddressBook.sqlitedb.
AddressBook.sqlitedb contains several tables, of which three are of particular interest:
ABPerson: This contains the name, organization, notes, and more for each contact.
ABMultiValue: This contains phone numbers, e-mail addresses, website URLs, and more for the entries in the ABPerson table. The ABMultiValue table uses a record_id field to associate the contact information with a rowid from the ABPerson table.
ABMultiValueLabel: This table contains labels to identify the kind of information stored in the ABMultiValue table.
Some of the data stored within the AddressBook.sqlitedb file could be from third-party applications. The examiner should manually examine the application file folders to ensure that all the contacts are accounted for and examined.
You can run the following commands to dump the address book into a CSV file named AddressBook.csv:
$ sqlite3 AddressBook.sqlitedb
SQLite version 3.7.12 2012-04-03 19:43:07
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> .mode csv
sqlite> .output AddressBook.csv
sqlite> .headers on
sqlite> SELECT p.rowid, p.first, p.middle, p.last,
datetime(p.creationDate+978307200, 'unixepoch') as creationdate,
case when m.label in (SELECT rowid from ABMultiValueLabel)
then (SELECT value from ABMultiValueLabel where m.label = rowid)
else m.label end as Type, m.value, p.organization,
p.department, p.note, p.birthday, p.nickname,
p.jobtitle, datetime(p.modificationDate+978307200, 'unixepoch') as modificationdate
FROM ABPerson p, ABMultiValue m
WHERE p.rowid = m.record_id and m.value not null
ORDER by p.rowid ASC;
sqlite> .exit
The preceding query cross-references the data across the three tables and retrieves the contact information stored in the database. The query also converts the Mac absolute time into a readable form using the SQLite datetime function.
Address book images
In addition to the address book's data, each contact may have an image associated with it. This image is displayed on the screen whenever the user receives an incoming call from a particular contact. The address book images database is a HomeDomain file and can be found at /private/var/mobile/Library/AddressBook/AddressBookImages.sqlitedb.
The ABFullSizeImage table in the AddressBookImages.sqlitedb file contains the images as binary data. To extract the images, use SQLite's .output and .dump commands to create a text file and dump the table into this file in SQL text format, as shown in the following command lines:
$ sqlite3 AddressBookImages.sqlitedb
SQLite version 3.7.12 2012-04-03 19:43:07
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> .output AddressBookImages.txt
sqlite> .dump ABFullSizeImage
sqlite> .exit
The text file contains the image data in a hexadecimal encoding format. To convert this output back to binary data and grab the images, run the AddressBookImageGrabber.py Python script on the dump file, as shown in the following command. The Python script source code is available in the code bundle of the book.
$ python AddressBookImageGrabber.py AddressBookImages.txt
Writing ./AddressBookImages-Output/397.jpeg
Writing ./AddressBookImages-Output/129.jpeg
Writing ./AddressBookImages-Output/73.jpeg
Writing ./AddressBookImages-Output/508.jpeg
[...]
Writing ./AddressBookImages-Output/456.jpeg
Writing ./AddressBookImages-Output/141.jpeg
Total 93 images are extracted
The script will create a directory named AddressBookImages-Output and place the extracted JPEG images into it. The images can be viewed using a standard image viewer.
The filename of each image will be the record identifier, which is associated with the AddressBook.sqlitedb database so that you can associate each image with a contact.
Tip
Make sure you are using Python 2.7 to run the Python scripts.
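The following is an added Python 3 example, written for this page and not the book's AddressBookImageGrabber.py, that shows what such a grabber has to do: find the INSERT rows of a .dump, decode the X'...' hex literals back to bytes, and name each file by its record identifier. The column layout of ABFullSizeImage is not given in the text, so the sample dump below is constructed and assumes the record identifier is the first column and each row holds one blob.

```python
import os
import re
import tempfile

# Matches one INSERT line of a sqlite3 .dump of ABFullSizeImage; group 1 is the
# record identifier (assumption: first column), group 2 the remaining values.
INSERT_RE = re.compile(
    r"""INSERT INTO "?ABFullSizeImage"? VALUES\((\d+),(.*?)\);$""",
    re.MULTILINE)
# sqlite3 writes BLOB columns as X'hex' literals.
BLOB_RE = re.compile(r"X'([0-9A-Fa-f]*)'")

# Constructed dump text (not real evidence): two rows with a JPEG-like blob and
# one row with no image (NULL), which the grabber must skip.
SAMPLE_DUMP = (
    "PRAGMA foreign_keys=OFF;\n"
    "BEGIN TRANSACTION;\n"
    "CREATE TABLE ABFullSizeImage (record_id INTEGER, data BLOB);\n"
    "INSERT INTO \"ABFullSizeImage\" VALUES(397,X'FFD8FFE000104A46494600');\n"
    "INSERT INTO \"ABFullSizeImage\" VALUES(129,NULL);\n"
    "INSERT INTO \"ABFullSizeImage\" VALUES(73,X'FFD8FFE100184578696600');\n"
    "COMMIT;\n"
)


def extract_blobs(dump_text):
    """Yield (record_id, bytes) for every INSERT row that carries a blob."""
    for m in INSERT_RE.finditer(dump_text):
        record_id, rest = int(m.group(1)), m.group(2)
        blob = BLOB_RE.search(rest)
        if blob is None or not blob.group(1):
            continue  # NULL or empty image column: nothing to write
        yield record_id, bytes.fromhex(blob.group(1))


def write_images(dump_text, out_dir=None):
    """Write each blob to <out_dir>/<record_id>.jpeg and return the paths.

    Only data that starts with the JPEG SOI marker (FF D8) gets a .jpeg name;
    anything else is kept with a .bin suffix for manual inspection instead of
    being mislabelled. With out_dir=None a temporary directory is used."""
    if out_dir is None:
        out_dir = tempfile.mkdtemp(prefix="AddressBookImages-")
    os.makedirs(out_dir, exist_ok=True)
    written = []
    for record_id, data in extract_blobs(dump_text):
        suffix = "jpeg" if data[:2] == b"\xff\xd8" else "bin"
        path = os.path.join(out_dir, f"{record_id}.{suffix}")
        with open(path, "wb") as fh:
            fh.write(data)
        written.append(path)
    return written


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_DUMP
    paths = write_images(text, "./AddressBookImages-Output")
    for p in paths:
        print("Writing", p)
    print(f"Total {len(paths)} images are extracted")
```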
Call history
Phone or FaceTime calls placed, missed, and received by the user are logged in the call history, along with other metadata such as call duration, date/time, and more. This could be of interest to an examiner. The call history database is a WirelessDomain file and can be found at /private/var/wireless/Library/CallHistory/call_history.db. The database contains a maximum of 100 calls listed as active records. When a call is placed, missed, or received beyond the 100, it is stored in the database and the oldest record is removed. However, the removed data will remain in the SQLite free pages and can be recovered through manual hex examination.
The call table in the call_history.db file contains the call history. Each record in the call table indicates the phone number of a remote party, a Unix timestamp of when the call was initiated, the duration of the call in seconds, a status flag to identify whether the call was an outgoing call (flag 5), incoming call (flag 4), blocked call (flag 8), or FaceTime call (flag 16), an identifier that is associated with the address book contacts (-1 for an unknown contact), the mobile country code (MCC), and the mobile network code (MNC). You can find a list of MCC/MNC codes at http://en.wikipedia.org/wiki/Mobile_country_code.
FaceTime status flags may vary depending on the method used to initiate the call. For example, data plans utilize different flags than Wi-Fi calls. If the status flag starts with a 2, it is likely to be a Wi-Fi initiated call. If it starts with a 1, as defined earlier, it represents a FaceTime call initiated with a data plan on the device. There are several status flags available for FaceTime calls and these vary between iOS devices.
You can run the following commands to dump the call history into a CSV file named callhistory.csv:
$ sqlite3 call_history.db
SQLite version 3.7.12 2012-04-03 19:43:07
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> .mode csv
sqlite> .output callhistory.csv
sqlite> .headers on
sqlite> SELECT rowid, address,
datetime(date, 'unixepoch', 'localtime') as date, duration || " sec" as duration,
case flags
when 4 then "Incoming"
when 5 then "Outgoing"
when 8 then "Blocked"
when 16 then "Facetime"
else "Dropped"
end as flags, id, country_code, network_code
FROM call
ORDER BY rowid ASC;
sqlite> .exit
SMS messages
The Short Message Service (SMS) database contains text and multimedia messages that were sent from and received by the device, along with the phone number of the remote party, date and time, and other carrier information. Starting with iOS 5, iMessage data is also stored in the SMS database. iMessage allows users to send SMS and MMS messages over a cellular or Wi-Fi network to other iOS or OS X users, thus providing an alternative to SMS. The SMS database is a HomeDomain file and can be found at /private/var/mobile/Library/SMS/sms.db.
You can run the following commands to dump the SMS database into a CSV file named sms.csv:
$ sqlite3 sms.db
SQLite version 3.7.12 2012-04-03 19:43:07
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> .mode csv
sqlite> .output sms.csv
sqlite> .headers on
sqlite> SELECT m.rowid as rowid, datetime(date+978307200, 'unixepoch') as date,
h.id as "phone number", m.service as service,
case is_from_me
when 0 then "Received"
when 1 then "Sent"
else "Unknown"
end as type,
case
when date_read > 0 then datetime(date_read+978307200, 'unixepoch')
when date_delivered > 0 then datetime(date_delivered+978307200, 'unixepoch')
else NULL
end as "Date Read/Sent", text
FROM message m, handle h WHERE h.rowid = m.handle_id ORDER BY m.rowid ASC;
sqlite> .exit
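The export pattern used for AddressBook.sqlitedb, call_history.db, and sms.db above (.mode csv, .output, .headers on, a SELECT with datetime(... + 978307200, 'unixepoch')), as an added Python 3 example that is not from the book's code bundle. It builds a constructed sms.db-style database from the handle schema shown earlier plus a minimal message table (an assumption; the real table has many more columns), runs the book's SMS query, and adds one check a practitioner wants: the comma join in the book's query silently drops any message whose handle_id has no matching handle row, whereas a LEFT JOIN keeps it with an empty phone number.

```python
import csv
import io
import sqlite3

# handle schema exactly as printed by ".schema handle" on an iOS 6 sms.db.
HANDLE_SCHEMA = """
CREATE TABLE handle (ROWID INTEGER PRIMARY KEY AUTOINCREMENT UNIQUE,
  id TEXT NOT NULL, country TEXT, service TEXT NOT NULL,
  uncanonicalized_id TEXT, UNIQUE (id, service));
"""

# Minimal message table: only the columns the export query refers to
# (assumption; the real table has many more). Dates are Mac absolute time.
MESSAGE_SCHEMA = """
CREATE TABLE message (ROWID INTEGER PRIMARY KEY AUTOINCREMENT,
  text TEXT, handle_id INTEGER DEFAULT 0, service TEXT, date INTEGER,
  date_read INTEGER, date_delivered INTEGER, is_from_me INTEGER);
"""

# The book's query with the comma join written as an explicit join so the
# join type can be switched between JOIN and LEFT JOIN.
EXPORT_QUERY = """
SELECT m.rowid AS rowid,
       datetime(m.date + 978307200, 'unixepoch') AS date,
       h.id AS "phone number",
       m.service AS service,
       CASE m.is_from_me WHEN 0 THEN 'Received' WHEN 1 THEN 'Sent'
            ELSE 'Unknown' END AS type,
       CASE WHEN m.date_read > 0
                 THEN datetime(m.date_read + 978307200, 'unixepoch')
            WHEN m.date_delivered > 0
                 THEN datetime(m.date_delivered + 978307200, 'unixepoch')
            ELSE NULL END AS "Date Read/Sent",
       m.text
FROM message m {join} handle h ON h.rowid = m.handle_id
ORDER BY m.rowid ASC;
"""


def build_sample_db():
    """Create an in-memory database with constructed rows (not real evidence)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(HANDLE_SCHEMA + MESSAGE_SCHEMA)
    # The handle row from the .dump output shown in the book.
    conn.execute(
        "INSERT INTO handle VALUES (7,'9951512182','in','SMS','9908923323')")
    rows = [
        # text, handle_id, service, date, date_read, date_delivered, is_from_me
        ("hello", 7, "SMS", 389894124, 389894200, 0, 0),      # received, read
        ("on my way", 7, "SMS", 389894300, 0, 389894305, 1),   # sent, delivered
        ("draft text", 0, "SMS", 389894400, 0, 0, 1),          # no handle row
    ]
    conn.executemany(
        "INSERT INTO message (text, handle_id, service, date, date_read,"
        " date_delivered, is_from_me) VALUES (?,?,?,?,?,?,?)", rows)
    conn.commit()
    return conn


def export_messages(conn, keep_orphans=False):
    """Run the export; return (header, rows).

    keep_orphans=False reproduces the book's inner join. keep_orphans=True
    uses LEFT JOIN so messages without a handle row are not dropped."""
    join = "LEFT JOIN" if keep_orphans else "JOIN"
    cur = conn.execute(EXPORT_QUERY.format(join=join))
    header = [d[0] for d in cur.description]
    return header, cur.fetchall()


def export_csv(conn, keep_orphans=False):
    """Return the export as CSV text, like '.mode csv' with '.headers on'."""
    header, rows = export_messages(conn, keep_orphans)
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(header)
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    db = build_sample_db()
    print(export_csv(db, keep_orphans=True))
```

Comparing the row counts of the two join types is a cheap completeness check before the CSV goes into a report.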
SMS Spotlight cache
Spotlight is a device-wide search feature, which allows the user to search across all the applications on the device. The SMS data is indexed and stored in a database for a quick search. The SMS Spotlight cache database is a HomeDomain file and can be found at /private/var/mobile/Library/Spotlight/com.apple.MobileSMS/SMSSearchIndex.sqlite.
The file contains both active and deleted SMS messages. The following screenshot is an example of the output as viewed in SQLite Browser. This is a great place to recover SMS messages that are no longer present in the SMS database file. Note that the SMS Spotlight cache filename may vary depending on the iOS version of the device.
The SMS Spotlight cache file
You can run the following commands to dump the SMS Spotlight cache database into a CSV file named smsspotlightcache.csv:
$ sqlite3 smssearchindex.sqlite
SQLite version 3.7.12 2012-04-03 19:43:07
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> .mode csv
sqlite> .output smsspotlightcache.csv
sqlite> .headers on
sqlite> SELECT * FROM Content;
sqlite> .exit
Calendar events
Calendar events that have been manually created by the user or synced using a mail application or other third-party applications are stored in the calendar database. The calendar database is a HomeDomain file and can be found at /private/var/mobile/Library/Calendar/Calendar.sqlitedb.
The CalendarItem table in the Calendar.sqlitedb file contains the calendar event summary, description, start date, end date, and more. You can run the following command lines to dump the calendar database into a CSV file named calendar.csv. Note that reminders and tasks are often saved in the Calendar.sqlitedb file as well. These entries may not contain a start or end time, depending on the event:
$ sqlite3 Calendar.sqlitedb
SQLite version 3.7.12 2012-04-03 19:43:07
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> .mode csv
sqlite> .output calendar.csv
sqlite> .headers on
sqlite> SELECT rowid, summary, description,
datetime(start_date+978307200, 'unixepoch') as start_date,
datetime(end_date+978307200, 'unixepoch') as end_date
FROM CalendarItem;
sqlite> .exit
E-mail database
All e-mail from the mail applications on the device is stored in a SQLite database file. The database is a HomeDomain file and can be found at /private/var/mobile/Library/Mail/Protected Index. The database file has no extension and contains locally stored, sent, and deleted messages.
You can run the following commands to obtain the e-mails stored in the mail database (the space in the filename must be escaped on the command line):
$ sqlite3 Protected\ Index
SQLite version 3.7.12 2012-04-03 19:43:07
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> .mode csv
sqlite> .output Email.csv
sqlite> .headers on
sqlite> SELECT * FROM messages;
sqlite> .exit
In addition to the messages, e-mail attachments are also often stored on the file system within the Mail directory.
Notes
The Notes database contains the notes created by the user using the device's built-in Notes application. Notes is the simplest application, yet it often contains the most sensitive and confidential information. The Notes database is a HomeDomain file and can be found at /private/var/mobile/Library/Notes/notes.sqlite.
The Znote and Znotebody tables in the notes.sqlite file contain the note title, content, creation date, modification date, and more. You can run the following commands to dump the Notes database into a CSV file named notes.csv:
$ sqlite3 notes.sqlite
SQLite version 3.7.12 2012-04-03 19:43:07
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> .mode csv
sqlite> .output notes.csv
sqlite> .headers on
sqlite> SELECT datetime(zcreationdate+978307200, 'unixepoch') as zcreationdate,
datetime(zmodificationdate+978307200, 'unixepoch') as zmodificationdate,
ztitle, zsummary, zcontent
FROM znote, znotebody
WHERE znotebody.z_pk = znote.z_pk
ORDER BY znote.z_pk ASC;
sqlite> .exit
Safari bookmarks
The Safari browser used on an Apple device allows users to bookmark their favorite websites. The bookmarks database is a HomeDomain file and can be found at /private/var/mobile/Library/Safari/Bookmarks.db.
You can run the following commands to view the bookmarks stored in the database:
$ sqlite3 bookmarks.db
SQLite version 3.7.12 2012-04-03 19:43:07
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> .headers on
sqlite> select title, url from bookmarks;
sqlite> .exit
The Safari web caches
The Safari browser stores the recently downloaded and cached data in a database. The database is a HomeDomain file and can be found at /private/var/mobile/Library/Caches/com.apple.mobilesafari/Cache.db. The file contains cached URLs and the web server's responses along with the timestamps.
The web application cache
Offline data cached by web applications, such as images, HTML, JavaScript, style sheets, and more, is stored in a database. The database is a HomeDomain file and can be found at /private/var/mobile/Library/Caches/com.apple.WebAppCache/ApplicationCache.db.
The WebKit storage
Safari stores information from various sites in the WebKit database located in the /private/var/mobile/Library/WebKit/LocalStorage/ directory. The directory contains a unique database for each website, as shown in the following screenshot:
The LocalStorage folder contents
The photos metadata
Metadata for the photos in the device's photo album is stored in a database located at /private/var/mobile/Media/PhotoData/Photos.sqlite. The photos metadata database file is a member of CameraRollDomain.
You can run the following commands to view the photos stored in the database:
$ sqlite3 Photos.sqlite
SQLite version 3.7.12 2012-04-03 19:43:07
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> .mode csv
sqlite> .output photos.csv
sqlite> .headers on
sqlite> SELECT z_pk, ztitle,
datetime(zdatecreated+978307200, 'unixepoch') as zdatecreated,
datetime(zmodificationdate+978307200, 'unixepoch') as zmodificationdate,
zfilename, zdirectory, zwidth, zheight
FROM zgenericasset
ORDER BY z_pk ASC;
sqlite> .exit
Consolidated GPS cache
The geolocation history of cell towers and Wi-Fi networks on the device is stored in one of two possible databases located at /private/var/root/Caches/locationd/. The databases are either consolidated.db or cache_encryptedA.db. Both database files are members of RootDomain. The version of iOS will determine which database is used. These databases contain location information for cell towers that the device came into close proximity with, as well as Wi-Fi networks that were available for the device to connect to. These databases are often used to place a person near a specific location, as this data is cached to one of these database files without the user's consent.
For this example, we will examine the consolidated.db file. The CompassCalibration table in the consolidated.db file contains the location information along with the timestamps. The file, when opened with SQLite Professional, displays the data as shown in the following screenshot. Note that the cache_encryptedA.db file is no longer backed up when the user syncs with iTunes.
The consolidated.db view with SQLite Professional
Voicemail
The voicemail database contains metadata about each voicemail stored on the device, which includes the sender's phone number, callback number, timestamp, message duration, and more. The voicemail recordings are stored as AMR audio files that can be played by any media player that supports the AMR codec (for example, QuickTime Player). The voicemail database is a HomeDomain file and can be found at /private/var/mobile/Library/Voicemail/voicemail.db, while the actual voicemail recordings are stored in the /private/var/mobile/Library/Voicemail/ directory.
You can run the following commands to view the list of voicemails stored in the database:
$ sqlite3 voicemail.sqlite
SQLite version 3.7.12 2012-04-03 19:43:07
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> .headers on
Property lists
A property list, commonly referred to as a plist, is a structured data format used to store, organize, and access various types of data on an iOS device as well as on a Mac OS X device. Plists are binary-formatted files and can be viewed using a Property List Editor, which is capable of reading or converting the binary format to ASCII.
Plist files may or may not have a .plist file extension. To access the data stored in these files, you need a tool that can read them. Some of the good free tools include:
Plist Editor for Windows, which can be downloaded from http://www.icopybot.com/plist-editor.htm
The plutil command-line utility on Mac OS X
You can also view the plist files using Xcode. Mac OS X includes the plutil command-line utility by default. The command-line utility can easily convert the binary formatted files into human readable files.
The following example displays the Safari browser History.plist file:
$ sudo plutil -convert xml1 History.plist -o -
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>WebHistoryDates</key>
  <array>
    <dict>
      <key></key>
      <string>http://www.securitylearn.net/</string>
      <key>D</key>
      <array>
        <integer>1</integer>
      </array>
      <key>lastVisitedDate</key>
      <string>411576251.8</string>
      <key>title</key>
      <string>securitylearn/</string>
      <key>visitCount</key>
      <integer>1</integer>
    </dict>
    <dict>
      <key></key>
      <string>http://www.google.com</string>
      <key>D</key>
      <array>
        <integer>1</integer>
      </array>
      <key>lastVisitedDate</key>
      <string>411571510.5</string>
      <key>title</key>
      <string>Google</string>
      <key>visitCount</key>
      <integer>1</integer>
    </dict>
  </array>
  <key>WebHistoryFileVersion</key>
  <integer>1</integer>
</dict>
</plist>
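An added Python 3 example (not from the book) that parses a History.plist like the one above with the standard library and converts its lastVisitedDate values, which are Mac absolute time stored as strings. It also serves the Timestamps section: the 978,307,200 second offset is derived from the two epochs rather than typed in, and unix_to_datetime() cross-checks the date -r output shown there (IST is UTC+5:30). The sample plist is constructed from the plutil output above; plistlib.loads() detects the format, so a binary plist straight from the device can be passed in without running plutil first.

```python
import plistlib
from datetime import datetime, timedelta, timezone

MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# The offset quoted in the Timestamps section, derived here: 978307200.
MAC_EPOCH_OFFSET = int((MAC_EPOCH - UNIX_EPOCH).total_seconds())


def mac_absolute_to_datetime(value):
    """Mac absolute time (seconds since 2001-01-01 UTC; int, float or the
    numeric string used in History.plist) -> timezone-aware UTC datetime."""
    return MAC_EPOCH + timedelta(seconds=float(value))


def unix_to_datetime(value):
    """Unix timestamp (seconds since 1970-01-01 UTC) -> UTC datetime."""
    return UNIX_EPOCH + timedelta(seconds=float(value))


# Constructed XML plist with the structure of the plutil output above (the
# empty key holds the URL); not real evidence.
SAMPLE_HISTORY = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>WebHistoryDates</key>
  <array>
    <dict>
      <key></key><string>http://www.securitylearn.net/</string>
      <key>D</key><array><integer>1</integer></array>
      <key>lastVisitedDate</key><string>411576251.8</string>
      <key>title</key><string>securitylearn/</string>
      <key>visitCount</key><integer>1</integer>
    </dict>
    <dict>
      <key></key><string>http://www.google.com</string>
      <key>D</key><array><integer>1</integer></array>
      <key>lastVisitedDate</key><string>411571510.5</string>
      <key>title</key><string>Google</string>
      <key>visitCount</key><integer>1</integer>
    </dict>
  </array>
  <key>WebHistoryFileVersion</key>
  <integer>1</integer>
</dict>
</plist>
"""


def parse_history(plist_bytes):
    """Return [(url, title, visit_count, last_visited_utc)], newest first."""
    data = plistlib.loads(plist_bytes)
    entries = []
    for item in data.get("WebHistoryDates", []):
        url = item.get("")  # Safari keeps the URL under the empty key
        if url is None or "lastVisitedDate" not in item:
            continue  # malformed entry: skip rather than guess
        entries.append((
            url,
            item.get("title", ""),
            int(item.get("visitCount", 0)),
            mac_absolute_to_datetime(item["lastVisitedDate"]),
        ))
    entries.sort(key=lambda e: e[3], reverse=True)
    return entries


if __name__ == "__main__":
    for url, title, count, when in parse_history(SAMPLE_HISTORY):
        print(f"{when:%Y-%m-%d %H:%M:%S} UTC  {count:>3}  {title}  {url}")
```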
Important plist files
Raw disk images or the backup that you extracted in Chapter 3, Data Acquisition from iOS Devices, and Chapter 4, Data Acquisition from iOS Backups, will contain the following plist files that are important for an investigation. The files shown are extracted from an iOS 6 device. The file locations may vary for your iOS version.
The HomeDomain plist files
The following are the HomeDomain plist files, which contain data that may be relevant to your investigation:
/private/var/mobile/Library/Preferences/com.apple.mobilephone.plist: This contains the last phone number entered into the dialer, regardless of whether it was dialed or not
/private/var/mobile/Library/Preferences/com.apple.mobilephone.speeddial.plist: This contains a list of the contacts that were added to the phone's favorites list
/private/var/mobile/Library/Preferences/com.apple.accountsettings.plist: This contains a list of the e-mail accounts configured on the device
/private/var/mobile/Library/Preferences/com.apple.AppSupport.plist: This contains the country code used for the App Store on the device
/private/var/mobile/Library/Preferences/com.apple.Maps.plist: This contains the last latitude, longitude, and address pinned in the Maps application
/private/var/mobile/Library/Preferences/com.apple.mobilemail.plist: This contains the e-mail fetching dates and e-mail signatures used
/private/var/mobile/Library/Preferences/com.apple.mobiletimer.plist: This contains a list of world clocks used
/private/var/mobile/Library/Preferences/com.apple.Preferences.plist: This contains the keyboard language that was last used on the device
/private/var/mobile/Library/Preferences/com.apple.mobilesafari.plist: This contains a list of the recent searches made through Safari
/private/var/mobile/Library/Preferences/Com.apple.springboard.plist: This contains a list of applications that are shown in the interface and the iOS version
/private/var/mobile/Library/Preferences/com.apple.mobiletimer.plist: This contains information about the current time zone, timers, alarms, and stopwatches
/private/var/mobile/Library/Preferences/com.apple.weather.plist: This contains the cities for weather reports, and the date and time of the last update
/private/var/mobile/Library/Preferences/com.apple.stocks.plist: This contains a list of the stocks tracked
/private/var/mobile/Library/Preferences/com.apple.preferences.network.plist: This contains the status of Bluetooth and Wi-Fi networks
/private/var/mobile/Library/Preferences/com.apple.conference.history.plist: This contains a history of the phone numbers and other accounts that were conferenced using FaceTime
/private/var/mobile/Library/Preferences/com.apple.locationd.plist: This contains a list of application identifiers that use the location service on the device
/private/var/mobile/Library/Safari/History.plist: This contains the web browsing history of Safari
/private/var/mobile/Library/Safari/SuspendState.plist: This contains the web page title and the URL of all suspended web pages in Safari
/private/var/mobile/Library/Maps/Bookmarks.plist: This contains the bookmarked locations within the Maps application
/private/var/mobile/Library/Caches/com.apple.mobile.installation.plist: This contains a list of all system and user applications loaded onto the device and their disk paths
/private/var/mobile/Library/Caches/com.apple.UIKit.pboard/pasteboard: This contains a cached copy of the data stored on the device's clipboard
The RootDomain plist files
The following RootDomain files should be examined for relevance to your investigation:
/private/var/root/Library/Preferences/com.apple.preferences.network.plist: This contains information about whether airplane mode is presently enabled on the device
/private/var/root/Library/Lockdown/pair_records: This directory contains property lists with the private keys used in order to pair the device to a computer
/private/var/root/Library/Caches/locationd/clients.plist: This contains the location settings for applications and system services
The WirelessDomain plist files
The following WirelessDomain plist file contains useful information to identify the SIM card last used in the device:
/private/wireless/Library/Preferences/com.apple.commcenter.plist
The SystemPreferencesDomain plist files
The two plist files containing data of evidentiary value from the SystemPreferencesDomain files are listed here:
/private/var/preferences/SystemConfiguration/com.apple.network.identification.plist: This contains networking information of the cached IP
/private/var/preferences/SystemConfiguration/com.apple.wifi.plist: This contains a list of previously known Wi-Fi networks and the last time each one was connected to
Other important files
Apart from SQLite and plist files, several other locations may contain information valuable to an investigation.
The other sources include the following:
Cookies
Keyboard cache
Photos
Wallpaper
Snapshots
Recordings
Downloaded applications
Cookies
Cookies can be recovered from /private/var/mobile/Library/Cookies/Cookies.binarycookies. This file is a standard binary file that contains cookies saved when web pages are accessed on the device. This information can be a good indication of what websites the user has been actively visiting.
To convert the binary cookie file to a human readable format, run the BinaryCookieReader.py Python script on the cookie file, as shown in the following command. The Python script source code is available in the code bundle of the book.
$ python BinaryCookieReader.py Cookies.binarycookies
Cookie: __utma=167051323.813879307.1359034257.1367989551.1386632713.9; domain=.testflightapp.com; path=/; expires=Wed, 09 Dec 2015;
Cookie: __utmb=167051323.24.8.1386633092975; domain=.testflightapp.com; path=/; expires=Tue, 10 Dec 2013;
Cookie: __utmz=167051323.1386632713.9.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); domain=.testflightapp.com; path=/; expires=Tue, 10 Jun 2014;
Cookie: tfapp=1d29da4a798a90186f1d4bfce3ce2f23; domain=.testflightapp.com; path=/; expires=Thu, 09 Feb 2017;
Cookie: user_segment=Prospect; domain=.testflightapp.com; path=/; expires=Wed, 08 Jan 2014;
[...]
Keyboard cache
The keyboard cache is captured and saved in the dynamic-text.dat file. The file is located at /private/var/mobile/Library/Keyboard/dynamic-text.dat and contains the keyboard cache, which comprises text entered by the user. This text is cached as part of the device's autocorrect feature and was designed to autocomplete common words predictively. The file keeps a list of approximately 600 words per language used on the iOS device.
It is a binary file and can be viewed using a hex editor, as shown in the following screenshot. This file may contain passwords cached by the iOS device and can be used to achieve brute force attacks on the device or an encrypted backup of the device.
Keyboard cache in a hex editor
Photos
Photos are stored in a directory located at /private/var/mobile/Media/DCIM/, which contains the photos taken with the device's built-in camera, screenshots, and the accompanying thumbnails. Some third-party applications will also store the photos they take in this directory. Every photo stored in the DCIM folder contains EXIF (Exchangeable Image File Format) data. EXIF data stored in the photo can be extracted using exiftool, which can be downloaded from http://www.sno.phy.queensu.ca/~phil/exiftool/. EXIF data may also contain geographical information when a photo is tagged with the user's geolocation, if the user has enabled location permissions on the iOS device:
$ exiftool IMG_0107.JPG
ExifTool Version Number         : 9.50
File Name                       : IMG_0107.JPG
Directory                       : .
File Size                       : 73 kB
File Modification Date/Time     : 2014:01:07 17:43:05+05:30
File Access Date/Time           : 2014:02:09 17:26:40+05:30
File Inode Change Date/Time     : 2014:02:09 17:26:40+05:30
File Permissions                : rw-r--r--
[...]
Wallpaper
The current background wallpaper set for the iOS device can be recovered from the LockBackground.cpbitmap file found in /private/var/mobile/Library/SpringBoard/. This is complemented with a thumbnail named LockBackgroundThumbnail.jpg in the same directory. The wallpaper picture may contain identifying information about the user, which could help in a missing person's case or an iOS device recovered from a theft investigation.
Snapshots
The snapshots directory contains screenshots of the most recent states of built-in applications at the time that they were suspended. This directory is located in /private/var/mobile/Library/Caches/Snapshots/. Every time an application is suspended to the background by pressing the Home button, a snapshot is taken to produce a nice shrinking effect. Third-party applications also store the snapshot cache inside their application's folder.
Recordings
The iPhone allows a user to record voice memos very easily. The recorded voice memos are stored in the /private/var/mobile/Media/Recordings/ directory. Recordings here could be used to identify a person based upon their voice and may also contain information such as voice reminders, which won't be stored in the calendar database. Recordings provide a lot of information to the examiner as they are user created and often not deleted.
Downloaded applications
Third-party applications, which are downloaded and installed from the App Store, include applications such as Facebook, WhatsApp, Viber, Wickr, Skype, and GMail, and more that contain a wealth of information useful for an investigation. Some third-party applications use Base64 encoding, which needs to be decoded for viewing, and some use encryption. Applications that encrypt the database file prevent the examiner from accessing the data residing in the tables. Encryption varies amongst these applications based on the application and iOS versions.
A unique subdirectory GUID is created for each application installed on the device in the /private/var/mobile/Applications/ directory, which is shown in the following example. Also, the hierarchical structure of the Applications directory is shown. Most of the files stored in the application's directory are in the SQLite and plist format:
$ tree -L 2 /var/mobile/Applications/
/var/mobile/Applications/
|-- 08E03CB2-26A5-4DAF-9843-3893AF4EDDF0
|   |-- Documents
|   |-- Library
|   |-- WordPress.app
|   |-- iTunesArtwork
|   |-- iTunesMetadata.plist
|   `-- tmp
|-- 0922F95C-7E40-4075-BC5A-06CE829BDD9E
|   |-- Documents
|   |-- Library
|   |-- Wickr.app
|   |-- iTunesArtwork
|   |-- iTunesMetadata.plist
|   `-- tmp
|-- 11C7F3E9-A10E-405D-B6BB-2F86B1B2400F
|   |-- Documents
|   |-- Library
|   |-- photovault.app
|   `-- tmp
Recovering deleted SQLite records
In addition to the recovering techniques covered in Chapter 3, Data Acquisition from iOS Devices, you can also recover the deleted records from a SQLite database. SQLite databases store the deleted records within the database itself. So, it is possible to recover the deleted data such as contacts, SMS, calendar, notes, e-mails and voicemails, and more by parsing the corresponding SQLite database. If a SQLite database is vacuumed or defragmented, the likelihood of recovering the deleted data is minimal. The amount of cleanup these databases require heavily relies on the iOS version, the device, and the user's settings on the device.
A SQLite database file comprises one or more fixed size pages, which are used just once. SQLite uses a b-tree layout of pages to store indices and table content. Detailed information on the b-tree layout is explained at http://sandbox.dfrws.org/2011/fox-it/DFRWS2011_results/Report/Sqlite_carving_extractAndroidData.pdf.
To carve a SQLite database, you can examine the data in raw hex or use sqliteparse.py, a Python script developed by Mari DeGrazia. The Python script can be downloaded from http://www.arizona4n6.com/download/SQLite-Parser.zip.
The following example recovers the deleted records from the notes.sqlitedb file and dumps the output to the output.txt file. To validate your findings from running the script, simply examine the database in a hex viewer to ensure nothing is overlooked:
$ python sqliteparse.py -f notes.sqlitedb -r -o output.txt
In addition to it, performing a strings dump of the database file can also reveal deleted records that may have been missed, as shown in the following command:
$ strings notes.sqlitedb
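As an added illustration of why deleted rows survive in the file (my own code, not the book's or sqliteparse.py), the following Python script walks the b-tree pages of a SQLite database and pulls printable strings out of the two places a deleted record lingers: the freeblock chain and the unallocated area of each page. It builds its own throwaway notes database (constructed data, table and column names are assumptions) with secure_delete off, deletes one row, and shows that the row is gone from SQL but still present in the file.

```python
import os
import re
import sqlite3
import struct
import tempfile

# Printable ASCII runs of six or more bytes, the same heuristic a `strings` dump applies
PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")
BTREE_TYPES = {0x02, 0x05, 0x0a, 0x0d}   # interior index, interior table, leaf index, leaf table


def _page_header(page, is_first):
    """Decode a b-tree page header; on page 1 it follows the 100-byte file header."""
    hdr = 100 if is_first else 0
    page_type = page[hdr]
    first_freeblock, n_cells, content_start = struct.unpack(">HHH", page[hdr + 1:hdr + 7])
    header_len = 12 if page_type in (0x02, 0x05) else 8  # interior pages add a right-child pointer
    if content_start == 0:                               # 0 encodes 65536 on the largest page size
        content_start = 65536
    return page_type, first_freeblock, n_cells, content_start, hdr + header_len


def carve_sqlite_slack(path):
    """Return (page_no, region, text) for strings left in freeblocks and unallocated page space."""
    with open(path, "rb") as f:
        data = f.read()
    if data[:16] != b"SQLite format 3\x00":
        raise ValueError("not a SQLite 3 database")
    page_size = struct.unpack(">H", data[16:18])[0]
    page_size = 65536 if page_size == 1 else page_size
    hits = []
    for page_no in range(1, len(data) // page_size + 1):
        page = data[(page_no - 1) * page_size:page_no * page_size]
        page_type, first_free, n_cells, content_start, ptr_array = _page_header(page, page_no == 1)
        if page_type not in BTREE_TYPES:
            # Freelist and overflow pages are not wiped either; carve them whole
            hits += [(page_no, "non-btree", m.group().decode()) for m in PRINTABLE.finditer(page)]
            continue
        # Unallocated region: the gap between the cell pointer array and the cell content area.
        # A deleted cell that sat at the start of the content area ends up here, not in a freeblock.
        unalloc = page[ptr_array + 2 * n_cells:content_start]
        hits += [(page_no, "unallocated", m.group().decode()) for m in PRINTABLE.finditer(unalloc)]
        # Freeblock chain: each block begins with (next offset, total size); only those four
        # bytes of the deleted cell are overwritten, the rest of its record is still in place
        off, seen = first_free, set()
        while off and off not in seen:
            seen.add(off)
            nxt, size = struct.unpack(">HH", page[off:off + 4])
            block = page[off + 4:off + size]
            hits += [(page_no, "freeblock", m.group().decode()) for m in PRINTABLE.finditer(block)]
            off = nxt
    return hits


def build_demo_db(path):
    """Create a small notes database and delete one row (constructed data, not from a device)."""
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA secure_delete = OFF")   # leave deleted cells in place, as most builds do
    conn.execute("CREATE TABLE ZNOTE (Z_PK INTEGER PRIMARY KEY, ZTITLE TEXT, ZBODY TEXT)")
    conn.executemany("INSERT INTO ZNOTE VALUES (?, ?, ?)", [
        (1, "Groceries", "milk, eggs, bread"),
        (2, "Deleted note", "body text that only carving should still find"),
        (3, "Reminder", "renew the parking permit"),
    ])
    conn.execute("DELETE FROM ZNOTE WHERE Z_PK = 2")  # middle cell of the page: becomes a freeblock
    conn.commit()
    conn.close()


def demo():
    """Build the demo database, then compare live rows against what carving recovers."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "notes.sqlitedb")
        build_demo_db(path)
        conn = sqlite3.connect(path)
        live = [row[0] for row in conn.execute("SELECT ZTITLE FROM ZNOTE ORDER BY Z_PK")]
        conn.close()
        carved = carve_sqlite_slack(path)
    return live, carved


if __name__ == "__main__":
    live_titles, carved_strings = demo()
    print("live rows:", live_titles)
    for page_no, region, text in carved_strings:
        print("page %d %-11s %s" % (page_no, region, text))
```

Running VACUUM on the same database rebuilds every page and empties these regions, which is the defragmentation case the text warns about.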
Summary
This chapter covered various data analysis techniques and specified the locations of data within the iOS device's file system. We also explained most of the common file formats used in the iPhone and walked you through important files to recover the most data possible. Most open source and commercial tools are able to pull deleted data from common database files, such as contacts, calls, SMS, and more, but they often overlook the third-party application database files. We covered techniques to recover deleted SQLite records that prove useful in most iOS device investigations. Again, the acquisition method, encoding, and encryption schemas can affect the amount of data you can recover during your examination. In the next chapter, we will discuss iOS forensic tools, which will help you acquire and analyze data.
Chapter 6. iOS Forensic Tools
Although understanding acquisition methods and techniques is helpful, a forensic examiner often needs the help of tools to accomplish tasks in the given time. Forensic tools not only save time but also make the process a lot easier. Currently, there are many commercial tools such as Elcomsoft iOS Forensic Toolkit, Cellebrite UFED, BlackLight, Oxygen Forensic Suite, AccessData MPE+, iXAM, Lantern, XRY, SecureView, Paraben iRecovery Stick, and so on, which are available for forensic acquisition and analysis of an iOS device. For familiarity purposes, this chapter will walk you through the usage of a few commercial and open source tools and provide details of the steps required to perform acquisitions of iOS devices.
Elcomsoft iOS Forensic Toolkit
Elcomsoft iOS Forensic Toolkit (EIFT) is a set of tools aimed at making the acquisition of iOS devices easier. EIFT is a combination of software that is able to perform forensic acquisition of iOS devices running any version of iOS (note: some iOS versions require the device to be jailbroken). EIFT can acquire bit-for-bit images of a device's file system, extract device secrets (passcodes, passwords, and encryption keys), and decrypt the file system image. For more information on EIFT, visit http://www.elcomsoft.com/eift.html.
The toolkit was initially available only to law enforcement agencies, but now it is available to everyone. The toolkit supports both Mac OS X and Windows platforms with iTunes 10.6 or later installed.
Features of EIFT
The following are the features of EIFT:
- Supports physical and logical acquisition.
- Acquires complete bit-for-bit device images.
- Quick file system acquisition: 20-40 minutes for 32 GB models.
- Supports passcode recovery attacks.
- Extracts device keys required to decrypt a raw disk image as well as keychain items.
- Decrypts a raw disk image and keychain items.
- Zero-footprint: this operation leaves no traces and alterations to device contents.
- Fully accountable: every step of investigation is logged and recorded.
Usage of EIFT
Elcomsoft iOS Forensic Toolkit can be used in two modes: guided mode and manual mode. The USB dongle shipped with the toolkit must be connected to the computer while the toolkit is running.
Guided mode
The guided mode features a menu-based user interface where you can accomplish typical tasks by selecting the corresponding menu items. You can start the guided mode by double-clicking on the Toolkit.cmd (Windows) or Toolkit.command (Mac OS X) file in the directory where you have copied the toolkit files. This should open the terminal window and present a text-based menu as shown in the following screenshot:
The Elcomsoft iOS Forensic Toolkit welcome screen
When running in the guided mode, the toolkit logs all the activities to a text file. Each time the toolkit is started, a new log file is created in the user's home directory and the output of all the invoked commands as well as user choices are written to that file.
To perform the physical acquisition of iPhone 4 and older devices with EIFT, follow the steps provided:
1. Put the device in the DFU mode. You can do this by selecting the menu item 1 and following the onscreen instructions.
2. After the device has been put in the DFU mode, load the ramdisk with the acquisition tools by selecting menu item 2 or answer y to the prompt that follows the DFU procedure. It automatically detects the type of the device and loads the compatible ramdisk onto it. When the ramdisk is successfully loaded, the device screen will show the Elcomsoft logo.
3. Recover the device passcode by selecting menu item 3. The toolkit can recover a simple 4-digit passcode in less than 20 minutes. It also provides options to perform dictionary (wordlist) and brute force attacks on complex passwords, as shown in the following screenshot:
The EIFT passcode recovery options
4. Extract the encryption keys required to decrypt files and keychain items by selecting menu item 4. You will be prompted to supply the device passcode, if known, or the escrow file if you have access to the host computer, and a file name to save the keys. If the file name is not supplied, the toolkit extracts the keys and stores them in the keys.plist file in the user's home directory.
5. After extracting the keys, to decrypt the keychain items, select menu item 5. The toolkit uses the keys stored in the keys.plist file, decrypts the keychain items, and stores them in the keychain.txt file in the user's home directory.
6. To acquire the physical image of the device's file system, select the menu item 6. You will be prompted to choose the device partition (system and user data) to image, as shown in the following screenshot:
EIFT—selecting partition to image option
After selecting the partition, the window prompts you for a file name to save the image. If the file name is not supplied, it extracts the raw file system from the device and stores it as a user.dmg file in the user's home directory. Best practices include acquiring both the user and system partitions.
7. After the acquisition, you can reboot the device to function normally by selecting menu item 9.
8. To decrypt the acquired image, select menu item 7. You will be prompted to provide file names of the encrypted image, device keys, and a file name to save the decrypted image. If the file name is not supplied, it decrypts the image and stores it as user-decrypted.dmg in the user's home directory. The toolkit also computes the SHA1 hash of the decrypted image file.
EIFT is also capable of performing physical acquisition of a jailbroken iPhone 4S and newer devices running on iOS 5/6/7. At the time of writing this, EIFT is the only tool that supports physical acquisition of the iPhone 4S and newer devices running with iOS 7. EIFT requires the OpenSSH package to be installed on the device to perform acquisition on newer devices. OpenSSH runs the SSH server on the device and allows you to copy and run the acquisition tools. Once the SSH server is running on the device, you can follow steps 3 to 8 to acquire a raw disk image from an iPhone 4S and newer devices.
Manual mode
The manual mode lets you interact with tools directly using the command-line interface. This mode allows greater flexibility and is recommended if you are comfortable with using command-line tools. The commands required to accomplish typical tasks in the manual mode are well documented in the technical guide that comes with the toolkit.
The toolkit is capable of performing physical and logical acquisition of the device's file system. But it does not provide options to analyze the acquired data and recover the deleted data. However, you can supply the .dmg file acquired with EIFT to Oxygen Forensic Suite, Cellebrite Physical Analyzer, and other tools for data analysis and recovery.
EIFT-supported devices
Elcomsoft iOS Forensic Toolkit Version 1.23 supports most iOS devices; however, some must be jailbroken. The following figure is taken directly from the help document that comes with the toolkit:
EIFT supported devices
Compatibility notes
The following are the compatibility notes for EIFT-supported devices:
- Support for iPhone 4S/5/5S/5C, iPad 2 and later versions, and iPod Touch 5th generation devices is currently limited to jailbroken devices.
- iOS versions before 3.x store the device passcode in the keychain. On these devices, the passcode is recovered instantly during the encryption key and keychain data recovery.
- Devices running iOS versions before 3.x do not have data protection enabled and the user partition is not encrypted. If a device was shipped with iOS 3.x installed and was updated to iOS 4.x without reset (which erases all contents and settings), that is, using the Update option in iTunes instead of Restore, then data protection is not enabled and the user partition is not encrypted.
Oxygen Forensic Suite 2014
Oxygen Forensic Suite 2014 is an advanced forensic software to extract and analyze data from cell phones, smartphones, PDAs, and other mobile devices. The software provides logical support for the widest range of mobile devices and allows fully automated forensic acquisition and analysis. Currently, Oxygen Forensic Suite 2014 Version 6.1 supports more than 7,700 different model mobile devices.
Oxygen Forensic Suite 2014 uses proprietary low-level protocols to extract data from smartphones. Besides data extraction, Oxygen Forensic Suite also gives you the opportunity to import a backup/image file obtained using other forensic tools, such as Cellebrite, Elcomsoft, XRY, iTunes, and Lantern Lite for data analysis. It also stores the database of all the analyzed devices, so you can always view the previously extracted data or use a powerful multiphone search feature to find the required details.
Oxygen Forensic Suite 2014 is available only for the Windows platform and requires iTunes to be installed on the computer. The software costs $2,999 for the full version, and a freeware version is also available with limited functionalities. The software operates with original and jailbroken devices and extracts the following data: phonebook with assigned photos, calendar events and notes, call logs, messages, camera snapshots, video and music, voicemail, passwords, dictionaries, geopositioning data, Wi-Fi points with passwords and coordinates, IP connections, locations, navigation applications, device data, factory installed, third-party applications data, and so on. It also recovers deleted data from SQLite databases and can recover calls, messages, e-mail messages, e-mail accounts, photo thumbnails, contact photos, and so on. This tool does not support physical acquisition, thus a full forensic image cannot be obtained. For more information, visit http://www.oxygen-forensic.com/de/compare/devices/software-for-iphone.
Features of Oxygen Forensic Suite
The following are the features of Oxygen Forensic Suite:
- It supports logical acquisition. Logical acquisition recovers the active files on the device. Deleted data may be obtained if the SQLite database is recovered. Physical and file system acquisition are not supported by this tool. Both of these acquisition methods provide access to the raw file system data of the iOS device.
- Password recovery from a keychain.
- Read backup/images obtained using other forensic tools.
- Timeline: This provides a single-place access to all the user's activities and movements arranged by date and time.
- Zero-footprint operation: This leaves no traces and alterations to device contents.
- It supports aggregated contacts. This automatically combines accounts from different sources in one meta contact for each person. (Caution: Make sure you know where the data is coming from! You should manually examine each file to ensure nothing is overlooked and that the data is being reported correctly.)
- It recovers deleted data automatically.
- It provides access to raw files for manual analysis. (Note: These are the raw database files associated with each application, not the raw file system partitions.)
- It provides an intuitive and user-friendly UI to browse the extracted data.
- It provides keyword lists and a regular expression library in order to search.
- Report generation in several popular formats: Microsoft Excel, PDF, HTML, and so on.
Usage of Oxygen Forensic Suite
The acquisition of an iOS device is simple and straightforward with Oxygen Forensic Suite 2014. The software helps you to connect a device in several mouse clicks and downloads all the available device information in just a few minutes.
To perform the acquisition of an iOS device using Oxygen Forensic Suite 2014, follow the steps provided:
1. Launch Oxygen Forensic Suite 2014 and click on the Connect new device button. You will be prompted to choose the connection mode, as shown in the following screenshot:
Oxygen Forensic Suite—the Connection Mode screen
2. Connect the iOS device to the computer using a USB cable and choose the Auto device connection mode. It detects the connected device and displays the device information, as shown in the following screenshot. You can also manually choose your device.
Oxygen Forensic Suite—the device information screen
3. Click on Next. It prompts you to fill in the information about the device and the case. Continuing further, it prompts you to select the data types to be extracted from the device, as shown in the following screenshot:
4. Click on Next. It extracts the data from the device and the process takes a few minutes depending on the amount of data stored on the device. Once the process is complete, the software displays a summary of the extracted data, as shown in the following screenshot:
Oxygen Forensic Suite—the extracted data summary screen
5. After the download process is complete, you can use the automatic forensic report generation function and export the extracted data to a PDF file. The device data report appears as shown in the following screenshot. You can also open the device image in Oxygen for a manual look at the data.
Oxygen Forensic Suite 2014 supported devices
Oxygen Forensic Suite 2014 Version 6.1 supports logical acquisition of all iOS devices. Keep in mind that access to newer devices may require the device to be unlocked or jailbroken.
Cellebrite UFED Physical Analyzer
As per the vendor, Cellebrite UFED (Universal Forensic Extraction Device) empowers law enforcement, anti-terrorism, and security organizations to capture critical forensic evidence from mobile phones, smartphones, PDAs, and portable handset varieties, including updates for newly released models. The tool enables forensically sound data extraction, decoding, and analysis techniques to obtain existing and deleted data from different mobile devices. As of February 2014, UFED supports data extraction from more than 5,320 mobile devices.
The Cellebrite UFED Physical Analyzer application can be used to perform physical and advanced logical acquisitions of iOS devices. Advanced logical acquisitions are the same as file system acquisitions in which access to the file system data is provided. Physical acquisition on iOS devices using the A5-A7 chip (iPhone 4s and newer) is not possible. Thus, the advanced logical acquisition method is the best support and will pull the most data from these devices if they are unlocked (even if they are not jailbroken). The application is available only for Windows platforms. Cellebrite also offers a 30-day free trial for the software. For more information, visit http://www.cellebrite.com/mobile-forensics/products/applications/ufed-physical-analyzer.
Features of Cellebrite UFED Physical Analyzer
The following are the features of Cellebrite UFED Physical Analyzer:
- Supports physical and advanced logical acquisition (file system acquisition)
- Extracts device keys required to decrypt raw disk images as well as keychain items
- Decrypts raw disk images and keychain items
- Reveals device passwords (not available for all locked devices)
- Allows opening an encrypted raw disk image file with a known password
- Supports passcode recovery attacks
- Advanced analysis and decoding of extracted applications data
- Report generation in several popular formats: Microsoft Excel, PDF, HTML, and so on
- Ability to dump the raw file system partition to import and examine it in another forensic tool
Usage of Cellebrite UFED Physical Analyzer
To perform the physical acquisition of an iPhone 4 and older devices with UFED Physical Analyzer, follow the steps provided. Note that physical acquisition is not supported for newer iOS devices (iPhone 4S and newer).
1. Launch UFED Physical Analyzer and navigate to the Extract | iOS Device Extraction menu. You will be prompted with the iOS device data extraction wizard, as shown in the following screenshot:
UFED Physical Analyzer—the iOS Device Data Extraction Wizard screen
2. Click on Physical mode. The first time you run iOS device extraction, you will be prompted to download and install the iOS support package.
3. Follow the instructions displayed on the screen to turn off the device and place it in the recovery mode. Once the tool detects the device in the recovery mode, it displays the device information, as shown in the following figure:
UFED Physical Analyzer—the device information screen
4. Click on Next and put the device in the DFU mode. When the device is detected in the DFU mode, the software loads the acquisition tools onto the device.
5. Once the device is ready for extraction, you will be prompted to choose the desired extraction type. Click on Physical Extraction and choose the partition you wish to extract and the location where you want to save the extraction.
6. Continue further and click on Recover the passcode for me to recover the passcode prior to the extraction.
7. Click on Continue. The tool extracts the file system image and decrypts it.
Supported devices
UFED Physical Analyzer Version 3.9 supported iOS devices are shown in the following table:
Model                                                            iOS version    Physical acquisition    Logical acquisition
iPhone, iPhone 3G, iPod Touch 1, 2                               iOS 1/2/3/4    Yes                     Yes
iPhone 3GS, iPod Touch 3, iPad 1                                 iOS 3/4/5      Yes                     Yes
iPhone 4, iPod Touch 4                                           iOS 4/5/6/7    Yes                     Yes
iPhone 4S, 5, 5C, 5S, iPad 2, 3, 4, iPad mini, and iPod Touch 5  iOS 5/6/7      No                      Yes
Paraben iRecovery Stick
As per the vendor, the iRecovery Stick contains specialized investigation software on a USB drive that allows anyone to investigate data on Apple iOS devices such as an iPhone, iPad, and iPod Touch. The iRecovery Stick acquires a user's data directly from the device or from iTunes backup files. The iRecovery Stick also recovers deleted data from SQLite databases and can recover data such as messages, contacts, call history, Internet history, and calendar events. Note that this is not a physical acquisition but is simply acquiring and parsing raw database files logically.
The iRecovery Stick costs $129 and works on Windows platforms. For better recovery, iRecovery Stick recommends turning off the antivirus software running on the computer. For more information, visit http://www.paraben.com/irecovery-stick.html.
Features of Paraben iRecovery Stick
The following are the features of Paraben iRecovery Stick:
- It supports logical acquisition
- It recovers deleted data from SQLite files
- It is easy to use and portable
- It is inconspicuous. It resembles a commonly used USB thumb drive, so it can be used as a spy device and no one would suspect that the device is used to recover data from an iPhone.
- It logs the recovery process based on the plugin activity and traffic across the communication port.
- It supports data analysis and reporting in several formats, such as Excel and PDF.
Usage of Paraben iRecovery Stick
The iRecovery Stick is a USB flash drive that contains the recovery software iRecoveryStick.exe.
To perform the acquisition of an iOS device using iRecovery Stick, follow these steps:
1. Connect the iOS device to the computer using a USB cable. Launch the iRecovery Stick software and click on the Start Recovery button. You will be prompted to choose the connected device, as shown in the following screenshot:
iRecovery Stick—the Choose connected device screen
2. Click on the device icon and it starts extracting the data from the device. The data extraction process takes a few minutes depending on the amount of data stored on the device.
3. Once the process is complete, the software displays a summary of extracted data, as shown in the following screenshot:
Devices supported by Paraben iRecovery Stick
Paraben iRecovery Stick Version 3.5 supports logical acquisition of all iOS devices. The amount of data acquired will depend on how much data is present on the iOS device, whether the device was locked, and whether the device was jailbroken.
Open source or free methods
Several methods are available to acquire and analyze iOS devices for free. Most of these tools have been built by practitioners in mobile forensics who recognize the need for affordable solutions that work to obtain the same amount of data as commercial kits. Jon Zdziarski has developed several scripts, tools, and methods to acquire data from iOS devices. Some of his methods such as physical acquisition scripts are restricted to law enforcement. Zdziarski released his instructions to acquire data from iOS devices and this can be read at http://www.zdziarski.com/blog/wp-content/uploads/2013/05/iOS-Forensic-Investigative-Methods.pdf.
There are other tools that exist so you can logically acquire and analyze iOS device images and backup files. Some of these tools include iFunBox, iExplorer, iBackupBot, and more. Make sure that you test these tools before relying on them for a forensic investigation. Again, they are either free or request a donation for use. They are developed by the community for examiners to use. They often do not go through rigorous amounts of testing and validation and may miss data that can be manually extracted by the examiner. It is the examiner's responsibility to learn the tool, test it, and know its flaws in order to recover all of the available data.
Summary
Forensic tools are helpful for an investigator as they not only save time but also make the process a lot easier. This chapter introduced you to several available iOS forensic tools and included the steps to perform acquisition of an iOS device. Examiners should take further steps to validate and understand each tool that might be used as part of an investigation. In the next chapter, we will dive into Android forensics and provide information on what Android is, how the devices store data, and how to access the files and applications that are required for forensic examinations.
Chapter 7. Understanding Android
Before we take a dive into the ocean of Android, let us first spend some time discussing the evolution of Android or what we call The Android Story. Back in 2005, Google started investing money in start-up companies, which it thought would be profitable in the future. Android Inc., founded in 2003 by Andy Rubin, Rich Miner, Nick Sears, and Chris White, was one such company acquired by Google that later turned out to be the best deal ever. During its first two years, Android Inc. operated under secrecy. It described itself as a company "making software for mobile phones". Rubin later stayed with Google to pioneer Android as an operating system that revolutionized the way mobile handsets operate. With this acquisition it was clear that Google was eyeing the mobile phone market. At Google, Rubin, along with his team, developed a powerful and flexible operating system built on a Linux kernel. There were speculations all over about what Google was trying to do. Some reported that Google was trying to incorporate search and other applications into mobile handsets. A few others reported that Google was developing its own mobile handset. Finally in 2007, Open Handset Alliance (OHA), a group of technology companies, device manufacturers, chipset makers, and wireless carriers, was formed with the main objective of proposing open standards for the mobile platform. Together they developed Android, the first open and free mobile platform built on Linux kernel 2.6. Later in 2008, HTC Dream was released, which was the first phone to run the Android operating system. After that, it was a dream run for Android, with its market share increasing exponentially over the next few years. A breakdown on the history of Android can be found at http://www.xcubelabs.com/the-android-story.php. Several versions of its Linux-based operating system have been released in alphabetical order.
The version history of Android can be found at http://faqoid.com/advisor/android-versions.php, an overview of which is shown in the following table:
Version       Version name         Release year
Android 1.0   Apple pie            2008
Android 1.1   Banana bread         2009
Android 1.5   Cupcake              2009
Android 1.6   Donut                2009
Android 2.0   Eclair               2009
Android 2.2   Froyo                2010
Android 2.3   Gingerbread          2010
Android 3.0   Honeycomb            2011
Android 4.0   Ice Cream Sandwich   2011
Android 4.1   Jelly Bean           2012
Android 4.4   KitKat               2013
The Android model
To effectively understand the forensic concepts of Android, it would be helpful to have a basic understanding of the Android architecture. Just like a computer, any computing system that interacts with the user and performs complicated tasks requires an operating system to handle the tasks effectively. This operating system (whether it's a desktop operating system or a mobile phone operating system) takes the responsibility to manage the resources of the system and to provide a way for the applications to talk to the hardware or physical components to accomplish certain tasks. Android is currently the most popular mobile operating system designed to power mobile devices. You can find out more about this at http://developer.android.com/about/index.html. Android is open source and the code is released under the Apache license. Practically, this means anyone (especially device manufacturers) can access it, freely modify it, and use the software according to the requirements of any device. This is one of the primary reasons for its wide acceptance. Notable players that use Android include Samsung, HTC, Sony, LG, and so on.
As with any other platform, Android consists of a stack of layers running one above the other. To understand the Android ecosystem, it's essential to have a basic understanding of what these layers are and what they do. The following figure summarizes the various layers involved in the Android software stack (https://viaforensics.com/wp-content/uploads/2009/08/Android-Forensics-Andrew-Hoog-viaForensics.pdf):
Android architecture
Each of these layers performs several operations that support specific operating system functions (http://www.android-app-market.com/android-architecture.html). Each layer provides services to the layers lying on top of it.
The Linux kernel layer
Android OS is built on top of the Linux kernel with some architectural changes made by Google. There are several reasons for choosing the Linux kernel. Most importantly, Linux is a portable platform that can be compiled easily on different hardware. The kernel acts as an abstraction layer between the software and hardware present on the device. Consider the case of a camera click. What happens when you click a photo using the camera button on your device? At some point, the hardware instruction (pressing a button) has to be converted to a software instruction (to take a picture and store it in the gallery). The kernel contains drivers to facilitate this process. When the user clicks on the button, the instruction goes to the corresponding camera driver in the kernel, which sends the necessary commands to the camera hardware, similar to what occurs when a key is pressed on a keyboard. In simple words, the drivers in the kernel control the underlying hardware. As shown in the preceding figure, the kernel contains drivers related to Wi-Fi, Bluetooth, USB, audio, display, and so on.
The Linux kernel is responsible for managing the core functionality of Android, such as process management, memory management, security, and networking. Linux is a proven platform when it comes to security and process management. Android has taken leverage of the existing Linux open source OS to build a solid foundation for its ecosystem. Each version of Android has a different version of the underlying Linux kernel. The current KitKat Android version is rumored to use Linux kernel 3.8 (http://www.phonearena.com/news/Android-4.4-KitKat-update-release-date-features-and-rumors_id47661).
Libraries
The next layer in the Android architecture consists of Android's native libraries. The libraries are written in the C or C++ language and help the device to handle different kinds of data. For example, the SQLite libraries are useful for storing and retrieving the data from a database. Other libraries include Media Framework, WebKit, Surface Manager, SSL, and so on. The Media Framework library acts as the main interface to provide a service to the other underlying libraries. The WebKit library provides web pages in web browsers and the surface manager maintains the graphics. In the same layer, we have Android Runtime, which consists of Dalvik virtual machine (DVM) and core libraries. The Android runtime is responsible for running applications on Android devices. The term "runtime" refers to the lapse in time from when an application is launched until it is shut down.
Dalvik virtual machine
All the applications that you install on the Android device are written in the Java programming language. When a Java program is compiled, we get bytecode. JVM is a virtual machine (a virtual machine is an application that acts as an operating system, that is, it is possible to run a Windows OS on a Mac or vice versa by using a virtual machine) that can execute this bytecode. But Android uses something called Dalvik virtual machine (DVM) to run its applications.
DVM runs Dalvik bytecode, which is Java bytecode converted by the Dex compiler (http://markfaction.wordpress.com/2012/07/15/stack-based-vs-register-based-virtual-machine-architecture-and-the-dalvik-vm/). Thus, the .class files are converted to dex files using the dx tool. Dalvik bytecode, when compared with Java bytecode, is more suitable for low-memory and low-processing environments. Also, note that JVM's bytecode consists of one or more .class files depending on the number of Java files that are present in an application, but Dalvik bytecode is composed of only one dex file. Each Android application runs its own instance of Dalvik virtual machine. This is a crucial aspect of Android security and will be addressed in detail in Chapter 8, Android Forensic Setup and Pre Data Extraction Techniques. The following figure provides an insight into how Android's DVM differs from Java's JVM.
The application framework layer
The application framework is the layer responsible for handling the basic functioning of a phone, such as resource management, handling calls, and so on. This is the block with which the applications installed on the device directly interact. The following are some of the important blocks in the application framework layer:
- TelephonyManager: This block manages all the voice calls
- ContentProvider: This block manages the sharing of data between different applications
- ResourceManager: This block helps manage various resources used in applications
The applications layer
This is the topmost layer where the user can interact directly with the device. There are two kinds of applications: preinstalled applications and user-installed applications. Preinstalled applications, such as Dialer, Web Browser, Contacts, and more come along with the device. User-installed applications can be downloaded from different places, such as Google Play Store, Amazon Marketplace, and so on. Everything that you see on your phone (contacts, mail, camera, and so on) is an application.
AndroidsecurityAndroidwasdesignedwithaspecificfocusonsecurity.Androidasaplatformoffersandenforcescertainfeaturesthatsafeguardtheuserdatapresentonthemobilethroughmultilayeredsecurity.Therearecertainsafe-defaultsthatwillprotecttheuserandcertainofferingsthatcanbeleveragedbythedevelopmentcommunitytobuildsecureapplications.ThefollowingareissueswhicharekeptinmindwhileincorporatingtheAndroidsecuritycontrols:
Protectinguser-relateddataSafeguardingthesystemresourcesMakingsureoneapplicationcannotaccessthedataofanotherapplication
ThenextfewconceptshelpusunderstandmoreaboutAndroid'ssecurityfeaturesandofferings.AdetailedexplanationonAndroidsecuritycanbefoundathttp://source.android.com/devices/tech/security/.
Securekernel
Linuxhasevolvedasatrustedplatformovertheyears,andAndroidhasleveragedthisfactbyusingitasitskernel.Theuser-basedpermissionmodelofLinuxhasinfactworkedwellforAndroid.Asmentionedearlier,thereisalotofspecificcodebuiltintotheLinuxkernel.WitheachAndroidversionrelease,thekernelversionhasalsochanged.ThefollowingtableshowsAndroidversionsandtheircorrespondingkernelversions:
Android version    Linux kernel version
1                  2.6.25
1.5                2.6.27
1.6                2.6.29
2.2                2.6.32
2.3                2.6.35
3                  2.6.36
4                  3.0.1
4.1                3.0.31
4.2                3.4.0
4.2                3.4.39
4.4                3.8
Linux kernel versions used in Android
The permission model
As shown in the following screenshot, any Android application must be granted permissions by the user to access sensitive functionality, such as the Internet, dialer, and so on. This provides an opportunity for the user to know in advance what functionality on the device the application is trying to access. Simply put, it requires the user's permission to perform any kind of malicious activity (stealing data, compromising the system, and so on).
This model helps the user to prevent attacks, but if the user is unaware and gives away a lot of permissions, it leaves them in trouble (remember, when it comes to installing malware on any device, the weakest link is always the user).
The permission model in Android
Application sandbox
In Linux systems, each user is assigned a unique user ID (UID), and users are segregated so that one user cannot access the data of another user. However, all applications under a particular user are run with the same privileges. Similarly, in Android, each application runs as a unique user. In other words, a UID is assigned to each application and it is run as a separate process. This concept ensures an application sandbox at the kernel level. The kernel manages the security restrictions between the applications by making use of existing Linux concepts, such as UID and GID. If an application attempts to do something malicious, say to read the data of another application, this is not permitted as the application does not have the user privileges. Hence, the operating system protects an application from accessing the data of another application.
Secure interprocess communication
Android offers secure interprocess communication through which an activity in one application can send messages to another activity in the same application or a different application. To achieve this, Android provides interprocess communication (IPC) mechanisms: intents, services, content providers, and so on.
Application signing
It is mandatory that all the installed applications be digitally signed. Developers can place their applications in Google's Play Store only after signing the applications. The private key with which the application is signed is held by the developer. Using the same key, a developer can provide updates to their application, share data between the applications, and so on.
Android file hierarchy
In order to perform forensic analysis on any system (desktop or mobile), it's important to understand the underlying file hierarchy. A basic understanding of how Android organizes its data in files and folders helps a forensic analyst narrow down their research to specific issues. Just like any other operating system, Android uses several partitions. This chapter provides an insight into some of the most significant partitions and the content stored in them.
It's worth mentioning again that Android uses the Linux kernel. Hence, if you are familiar with Unix-like systems, you will very well understand the file hierarchy in Android. For those who are not very well acquainted with the Linux model, here is some basic information: in Linux, the file hierarchy is a single tree with the top of the tree being denoted as / (called the "root"). This is different from the concept of organizing files in drives (as with Windows). Whether the file system is local or remote, it will be present under the root. The Android file hierarchy is a customized version of this existing Linux hierarchy. Based on the device manufacturer and the underlying Linux version, the structure of this hierarchy may have a few insignificant changes. The following is a list of important folders that are common to most Android devices. Some of the folders listed are only visible through root access.
/boot: As the name suggests, this partition has the information and files required for the phone to boot. It contains the kernel and RAM disk, and so without this partition the phone cannot start its processes. Data residing in RAM is rich in value and should be captured during a forensic acquisition.
/system: This partition contains system-related files other than the kernel and RAM disk. This folder should never be deleted as that will make the device unbootable. The contents of this partition can be viewed by using the following command:
shell@android:/ $ cd /system
cd /system
shell@android:/system $ ls
ls
CSCVersion.txt
SW_Configuration.xml
app
bin
build.prop
cameradata
csc
csc_contents
etc
fonts
framework
hdic
lib
media
recovery-from-boot.p
sipdb
tts
usr
vendor
voicebargeindata
vsc
wakeupdata
wallpaper
xbi
/recovery: This is designed for backup purposes and allows the device to boot into the recovery mode. In the recovery mode, you can find tools to repair your phone installation.
/data: This is the partition that contains the data of each application. Most of the data belonging to the user, such as the contacts, SMS, and dialed numbers, is stored in this folder. This folder has significant importance from a forensic point of view as it holds valuable data. The contents of the data folder can be viewed using the following command:
C:\Android-sdk-windows\platform-tools>adb.exe shell
root@android:/ # cd /data
cd /data
root@android:/data # ls
ls
anr
app
app-private
backup
camera
dalvik-cache
data
dontpanic
drm
local
lost+found
misc
property
resource-cache
system
system.notfirstrun
user
/cache: This is the folder used to store frequently accessed data and some of the logs for faster retrieval. The cache partition is also important to the forensic investigation as the data residing here may no longer be present in the /data partition.
/misc: As the name suggests, this folder contains information about miscellaneous settings. These settings mostly define the state of the device, that is, On/Off. Information about hardware settings, USB settings, and so on, can be accessed from this folder.
Android file system
Understanding the file system is one essential part of forensic methodologies. Knowledge about the properties and structure of a file system proves to be useful during forensic analysis. File system refers to the way data is stored, organized, and retrieved from a volume. A basic installation may be based on one volume split into several partitions; here, each partition can be managed by a different file system. As is true in Linux, Android utilizes mount points and not drives (that is, C: or E:). Each file system defines its own rules for managing the files on the volume. Depending on these rules, each file system offers a different speed for file retrieval, security, size, and so on. Linux uses several file systems, and so does Android. From a forensic point of view, it's important to understand what file systems are used by Android and to identify the file systems that are of significance to the investigation. For example, the file system that stores the user's data is of primary concern to us, as against a file system used to boot the device.
Viewing file systems on an Android device
The file systems supported by the Android kernel can be determined by checking the contents of the file filesystems in the proc folder. The content of this file can be viewed by using the following command:
shell@android:/ $ cat /proc/filesystems
cat /proc/filesystems
nodev   sysfs
nodev   rootfs
nodev   bdev
nodev   proc
nodev   cgroup
nodev   tmpfs
nodev   binfmt_misc
nodev   debugfs
nodev   sockfs
nodev   usbfs
nodev   pipefs
nodev   anon_inodefs
nodev   devpts
        ext2
        ext3
        ext4
nodev   ramfs
        vfat
        msdos
nodev   ecryptfs
nodev   fuse
        fuseblk
nodev   fusectl
        exfat
In the preceding output, the first column tells us whether the file system is mounted on the device. The ones with the nodev property are not mounted on the device. The second column lists all the file systems present on the device. A simple mount command displays the different partitions available on the device, as follows:
shell@android:/ $ mount
mount
rootfs / rootfs ro,relatime 0 0
tmpfs /dev tmpfs rw,nosuid,relatime,mode=755 0 0
devpts /dev/pts devpts rw,relatime,mode=600 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0
none /acct cgroup rw,relatime,cpuacct 0 0
tmpfs /mnt/asec tmpfs rw,relatime,mode=755,gid=1000 0 0
tmpfs /mnt/obb tmpfs rw,relatime,mode=755,gid=1000 0 0
none /dev/cpuctl cgroup rw,relatime,cpu 0 0
/dev/block/mmcblk0p9 /system ext4 ro,noatime,barrier=1,data=ordered 0 0
/dev/block/mmcblk0p3 /efs ext4 rw,nosuid,nodev,noatime,barrier=1,journal_async_commit,data=ordered 0 0
/dev/block/mmcblk0p8 /cache ext4 rw,nosuid,nodev,noatime,barrier=1,journal_async_commit,data=ordered 0 0
/dev/block/mmcblk0p12 /data ext4 rw,nosuid,nodev,noatime,barrier=1,journal_async_commit,data=ordered,noauto_da_alloc,discard 0 0
/sys/kernel/debug /sys/kernel/debug debugfs rw,relatime 0 0
/dev/fuse /storage/sdcard0 fuse rw,nosuid,nodev,noexec,relatime,user_id=1023,group_id=1023,default_permissions,allow_other 0 0
The next few sections provide a brief overview of the important file systems.
The root file system (rootfs) is one of the main components of Android and contains all the information required to boot the device. When the device starts the boot process, it needs access to many core files and thus mounts the root file system. As shown in the preceding mount command-line output, this file system is mounted at / (root folder). Hence, this is the file system on which all the other file systems are slowly mounted. If this file system is corrupt, the device cannot be booted.
The sysfs file system mounts the /sys folder, which contains information about the configuration of the device. The following output shows the various folders under the sys directory in an Android device:
shell@android:/ $ cd /sys
cd /sys
shell@android:/sys $ ls
ls
block
bus
class
dev
devices
firmware
fs
kernel
module
power
Since the data present in these folders is mostly related to configuration, this is not usually of much significance to a forensic investigator. But there could be some circumstances where we might want to check if a particular setting was enabled on the phone, and analyzing this folder could be useful under such conditions. Note that each folder consists of a large number of files. Capturing this data through forensic acquisition is the best method to ensure this data is not changed during examination.
The devpts file system presents an interface to the terminal session on an Android device. It is mounted at /dev/pts. Whenever a terminal connection is established, for instance, when an adb shell is connected to an Android device, a new node is created under /dev/pts. The following is the output showing this when the adb shell is connected to the device:
shell@android:/ $ ls -l /dev/pts
ls -l /dev/pts
crw------- shell    shell    136,   0 2013-10-26 16:56 0
The cgroup file system stands for control groups. Android devices use this file system to track their jobs. They are responsible for aggregating the tasks and keeping track of them. This data is generally not very useful during forensic analysis.
The proc file system contains information about kernel data structures, processes, and other system-related information under the /proc directory. For instance, the /sys directory contains files related to kernel parameters. Similarly, /proc/filesystems displays the list of available file systems on the device. The following command shows all the information about the CPU of the device:
shell@android:/ $ cat /proc/cpuinfo
cat /proc/cpuinfo
Processor       : ARMv7 Processor rev 0 (v7l)
processor       : 0
BogoMIPS        : 1592.52
processor       : 3
BogoMIPS        : 2786.91
Features        : swp half thumb fastmult vfp edsp neon vfpv3 tls
CPU implementer : 0x41
CPU architecture: 7
CPU variant     : 0x3
CPU part        : 0xc09
CPU revision    : 0
Chip revision   : 0011
Hardware        : SMDK4x12
Revision        : 000c
Serial          : ****************
Similarly, there are many other useful files that provide valuable information when you traverse through them.
The tmpfs file system is a temporary storage facility on the device that stores the files in RAM (volatile memory). The main advantage of using RAM is faster access and retrieval. But once the device is restarted or switched off, this data will not be accessible anymore. Hence, it's important for a forensic investigator to examine the data in RAM before a device reboot happens or to extract the data via RAM acquisition methods.
Extended File System – EXT
Extended File System (EXT), which was introduced in 1992 specifically for the Linux kernel, was one of the first file systems and used the virtual file system. EXT2, EXT3, and EXT4 are the subsequent versions. Journaling is the main advantage of EXT3 over EXT2. With EXT3, in case of an unexpected shutdown, there is no need to verify the file system. The EXT4 file system, the fourth extended file system, has gained significance with mobile devices implementing dual-core processors. The YAFFS2 file system is known to have a bottleneck on dual-core systems. With the Gingerbread version of Android, the YAFFS file system was swapped for EXT4. The following are the mount points that use EXT4 on a Samsung Galaxy S3 mobile:
/dev/block/mmcblk0p9 /system ext4 ro,noatime,barrier=1,data=ordered 0 0
/dev/block/mmcblk0p3 /efs ext4 rw,nosuid,nodev,noatime,barrier=1,journal_async_commit,data=ordered 0 0
/dev/block/mmcblk0p8 /cache ext4 rw,nosuid,nodev,noatime,barrier=1,journal_async_commit,data=ordered 0 0
/dev/block/mmcblk0p12 /data ext4 rw,nosuid,nodev,noatime,barrier=1,journal_async_commit,data=ordered,noauto_da_alloc,discard 0 0
VFAT is an extension to the FAT16 and FAT32 file systems. Microsoft's FAT32 file system is supported by most Android devices. It is supported by almost all the major operating systems, including Windows, Linux, and Mac OS. This enables these systems to easily read, modify, and delete the files present on the FAT32 portion of the Android device. Most of the external SD cards are formatted using the FAT32 file system. Observe the following output, which shows that the mount points /sdcard and /secure/asec use the VFAT file system.
shell@android:/sdcard $ mount
mount
rootfs / rootfs rw 0 0
tmpfs /dev tmpfs rw,nosuid,relatime,mode=755 0 0
devpts /dev/pts devpts rw,relatime,mode=600,ptmxmode=000 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0
tmpfs /mnt/asec tmpfs rw,relatime,mode=755,gid=1000 0 0
tmpfs /mnt/obb tmpfs rw,relatime,mode=755,gid=1000 0 0
/dev/block/nandd /system ext4 rw,nodev,noatime,user_xattr,barrier=0,data=ordered 0 0
/dev/block/nande /data ext4 rw,nosuid,nodev,noatime,user_xattr,barrier=0,journal_checksum,data=ordered,noauto_da_alloc 0 0
/dev/block/nandh /cache ext4 rw,nosuid,nodev,noatime,user_xattr,barrier=0,journal_checksum,data=ordered,noauto_da_alloc 0 0
/dev/block/vold/93:64 /mnt/sdcard vfat rw,dirsync,nosuid,nodev,noexec,relatime,uid=1000,gid=1015,fmask=0702,dmask=0702,allow_utime=0020,codepage=cp437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro 0 0
/dev/block/vold/93:64 /mnt/secure/asec vfat rw,dirsync,nosuid,nodev,noexec,relatime,uid=1000,gid=1015,fmask=0702,dmask=0702,allow_utime=0020,codepage=cp437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro 0 0
tmpfs /mnt/sdcard/.android_secure tmpfs ro,relatime,size=0k,mode=000 0 0
/dev/block/dm-0 /mnt/asec/com.kiloo.subwaysurf-1 vfat ro,dirsync,nosuid,nodev,relatime,uid=1000,fmask=0222,dmask=0222,codepage=cp437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro 0 0
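The two mount listings in this chapter (the one under Viewing file systems on an Android device and the VFAT one above) share one six-field layout, and /proc/filesystems shares its two-column layout, so both can be parsed mechanically. The following is an added example, not code from the book; it works on constructed text in those layouts, maps each mount point the chapter singles out (/data, /cache, the SD card) to its backing partition, and flags mount options such as discard that change what an examiner can expect to recover. The SIGNIFICANT table and the sample text are assumptions made for the example.

```python
"""Parse Android /proc/filesystems and `mount` output and pick out the mount
points that matter for an acquisition.  Added example; the inputs below are
constructed in the same layout as the listings in this chapter."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed /proc/filesystems sample: "nodev" marks a virtual file system
# that needs no backing block device; the unflagged names are disk/flash ones.
PROC_FILESYSTEMS = """\
nodev\tsysfs
nodev\tproc
nodev\ttmpfs
\text4
\tvfat
nodev\tfuse
\tfuseblk
"""

# Constructed, abbreviated `mount` output: device, mount point, type, options,
# dump, pass (the same six fields as the listings in this chapter).
MOUNT_OUTPUT = """\
rootfs / rootfs ro,relatime 0 0
tmpfs /dev tmpfs rw,nosuid,relatime,mode=755 0 0
/dev/block/mmcblk0p9 /system ext4 ro,noatime,barrier=1,data=ordered 0 0
/dev/block/mmcblk0p8 /cache ext4 rw,nosuid,nodev,noatime,barrier=1,journal_async_commit,data=ordered 0 0
/dev/block/mmcblk0p12 /data ext4 rw,nosuid,nodev,noatime,barrier=1,journal_async_commit,data=ordered,noauto_da_alloc,discard 0 0
/dev/block/vold/93:64 /mnt/sdcard vfat rw,dirsync,nosuid,nodev,noexec,relatime,uid=1000,gid=1015,fmask=0702,dmask=0702 0 0
"""

# Mount points this chapter singles out (assumed table for the example).
SIGNIFICANT = {
    "/data": "application and user data (contacts, SMS, dialed numbers)",
    "/cache": "frequently accessed data and logs that may no longer be under /data",
    "/mnt/sdcard": "external storage: media and files readable as a disk drive",
    "/storage/sdcard0": "external storage: media and files readable as a disk drive",
}


@dataclass
class Mount:
    device: str
    mountpoint: str
    fstype: str
    options: Dict[str, object] = field(default_factory=dict)

    def is_read_only(self) -> bool:
        return "ro" in self.options

    def on_block_device(self) -> bool:
        # Only entries backed by a partition can be imaged from storage;
        # tmpfs, proc and sysfs exist only while the device is running.
        return self.device.startswith("/dev/block/")


def parse_proc_filesystems(text: str) -> Dict[str, bool]:
    """Map file system name -> True if it needs a block device (False for nodev)."""
    needs_block: Dict[str, bool] = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "nodev" and len(parts) > 1:
            needs_block[parts[1]] = False
        else:
            needs_block[parts[0]] = True
    return needs_block


def parse_mount(text: str) -> List[Mount]:
    """Turn `mount` output into Mount records.  key=value options keep their
    value; bare flags such as ro, nosuid or discard map to True."""
    mounts: List[Mount] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank line or an echoed command, not a mount entry
        options: Dict[str, object] = {}
        for opt in parts[3].split(","):
            key, _, value = opt.partition("=")
            options[key] = value if value else True
        mounts.append(Mount(parts[0], parts[1], parts[2], options))
    return mounts


def block_partitions(mounts: List[Mount]) -> Dict[str, str]:
    """Mount point -> backing block device, for planning a physical image."""
    return {m.mountpoint: m.device for m in mounts if m.on_block_device()}


def forensic_notes(mounts: List[Mount], needs_block: Dict[str, bool]) -> List[Tuple[str, str]]:
    """Flag the significant mount points and the options that affect recovery."""
    notes: List[Tuple[str, str]] = []
    for m in mounts:
        if m.mountpoint in SIGNIFICANT:
            mode = "read-only" if m.is_read_only() else "read-write"
            notes.append((m.mountpoint, f"{m.fstype}, {mode}: {SIGNIFICANT[m.mountpoint]}"))
        if "discard" in m.options:
            # discard enables TRIM: blocks freed by a deletion may be erased by
            # the flash controller before an image is taken.
            notes.append((m.mountpoint, "discard enabled: deleted-file recovery is unreliable"))
        if m.fstype in needs_block and not needs_block[m.fstype]:
            notes.append((m.mountpoint, f"{m.fstype} is a virtual file system: not preserved in a storage image"))
    return notes
```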
Yet Another Flash File System 2 (YAFFS2) is an open source, single-threaded file system released in 2002. It is mainly designed to be fast when dealing with NAND flash. YAFFS2 utilizes OOB (out of band) data, and that is often not captured or decoded correctly during forensic acquisition, which makes analysis difficult. This will be discussed more in Chapter 9, Android Data Extraction Techniques. YAFFS2 was the most popular release at one point and is still widely used in Android devices. YAFFS2 is a log-structured file system. Data integrity is guaranteed even in case of a sudden power outage. In 2010, there was an announcement stating that in releases after Gingerbread, devices were going to move from YAFFS2 to EXT4. Currently, YAFFS2 is not supported in newer kernel versions, but certain mobile manufacturers might still continue to support it.
Flash Friendly File System (F2FS) was released in February 2013 to support Samsung devices running the Linux 3.8 kernel (http://www.linux.org/threads/flash-friendly-file-system-f2fs.4477/). F2FS relies on log-structured methods that optimize NAND flash memory. The offline support features are a highlight of this file system. Yet, the file system is still transient and being updated.
Robust File System (RFS) supports NAND flash memory on Samsung devices. RFS can be summarized as a FAT16 (or FAT32) file system where journaling is enabled through a transaction log. Many users complain that Samsung should stick with EXT4. RFS has been known to have lag times that slow down the features of Android.
Summary
Understanding the underlying features, file systems, and capabilities of an Android device proves useful in a forensic investigation. Unlike iOS, several variants of Android exist as many devices run the Android operating system and each may have different file systems and unique features. The fact that Android is open and customizable also changes the playing field of digital forensics. A forensic examiner must be prepared to expect the unexpected when handling an Android device. In the next chapter, we will discuss methods for accessing the data stored on Android devices.
Chapter 8. Android Forensic Setup and Pre Data Extraction Techniques
Having an established forensic environment before the start of an examination is important as it ensures that the data is protected while the examiner maintains control of the workstation. This chapter will explain the process and considerations when setting up a digital forensic examination environment. It is paramount that the examiner maintains control of the forensic environment at all times. This prevents the introduction of cross contaminants that could affect the forensic investigation. This chapter aims to cover the minimum basic requirements that should be in place to start a forensic investigation of an Android mobile device.
A forensic environment setup
Setting up a proper lab environment is an essential part of a forensic process. Android forensic setup usually involves the following:
Start with a fresh or forensically sterile computer environment. This means that other data is not present on the system or is contained in a manner that it cannot contaminate the present investigation.
Install basic software necessary to connect to the device. Android forensic tools and methodologies will work on Windows, Linux, and OS X platforms.
Obtain access to the device. An examiner must be able to enable settings or bypass them in order to allow the data to be extracted from the Android device.
Issue commands to the device through the methods defined in this chapter and in Chapter 9, Android Data Extraction Techniques.
The following sections provide guidance on setting up a basic Android forensic workstation.
Android Software Development Kit
The Android Software Development Kit (SDK) helps the development world to build, test, and debug applications to run on Android. This is achieved by providing the necessary tools to create the applications. But along with this, it also provides valuable documentation and other tools that can be of great help during the investigation of an Android device. A good understanding of the Android SDK will help you to get to grips with the particulars of a device and the data on the device.
The Android SDK consists of software libraries, APIs, tools, emulators, and other reference material. It can be downloaded for free from http://developer.android.com/. During a forensic investigation, the SDK helps connect to and access the data on the Android device. The Android SDK is updated very frequently, so it's important to verify that your workstation also remains updated. The Android SDK can run on Windows, Linux, and OS X.
Android SDK installation
A working installation of the Android SDK is a must during the investigation of a forensic device. Most websites recognize the operating system on the computer and will prompt you to download the correct Android SDK. The following is a step-by-step procedure to install the Android SDK on a Windows 7 machine:
1. Before you install the Android SDK, make sure your system has the Java Development Kit installed because the Android SDK relies on the Java SE Development Kit (JDK). The JDK can be downloaded from http://www.oracle.com/technetwork/java/javase/downloads/index.html.
2. Download the latest version of the Android SDK from http://developer.android.com/. The installer version of the SDK is recommended for this purpose.
3. Run the installer file, which was downloaded in step 2. A wizard window will be shown, as seen in the following screenshot. After this, run through the routine Next steps that you encounter.
Android SDK Tools setup wizard
4. The installation location is the user's choice and must be remembered for future access. In this example, we will install it in the C:\ folder. Click on the Install button and choose the location (say, C:\android-sdk). The necessary files will be extracted to this folder.
5. Open the directory (C:\android-sdk) and double-click on SDK Manager.exe to begin the update process. Make sure that you select Android SDK Platform-tools and any one release platform version of Android, as shown in the following screenshot. Some of the items in the list are chosen by default. For instance, it is necessary to install the USB driver in order to work with Android devices in Windows. In our example, Google USB Driver is selected. Similarly, you can find other items under the Extras section. Accept the license and install it, as shown in the following screenshot:
Android SDK License
This completes the Android SDK installation, and you can update the system's environment variables (Path) by pointing to the executable files. The installation of the Android SDK on OS X and Linux may vary. Make sure that you follow all the steps provided with the SDK download for full functionality.
Android Virtual Device
Once the Android SDK is installed along with the release platform, you can create an Android Virtual Device (also called an emulator/AVD), which is often used by developers when creating new applications. However, an emulator has significance from a forensic perspective too. Emulators are useful when trying to understand how applications behave and execute on a device. This could be helpful to confirm certain findings that are unearthed during a forensic investigation. Also, while working on a device which is running on an older platform, you can design an emulator with the same platform. Furthermore, before installing a forensic tool on a real device, the emulator can be used to find out how a forensic tool works and changes content on an Android device. To create a new AVD (on the Windows workstation), perform the following steps:
1. Open the command prompt (cmd.exe). To start the AVD manager from the command line, navigate to the path where the SDK is installed and call the android tool with the avd option, as shown in the following command line. This would automatically open the AVD manager.
C:\android-sdk\tools>android avd
Tip
Alternately, the AVD manager can also be started using the graphical AVD manager. To start this, navigate to the location where the SDK is installed (C:\android-sdk in our example) and double-click on AVD Manager.
The Android Virtual Device Manager window is as shown in the following screenshot:
Android Virtual Device Manager
2. Click on New in the AVD Manager window to create a new virtual device. Click on Edit to change the configuration of an existing virtual device, as shown in the following screenshot:
Virtual device configuration
3. Enter the details as per the following information:
AVD Name: This option is used to provide any name for the virtual device, for example, ForensicsAVD.
Device: This option is used to select any device from the available options based on the screen size.
Target: This option helps you to select the platform of the device. Note that only the versions that were selected and installed during the SDK installation will be shown here to be selected. For our example, the Android 4.4 platform is selected. Similarly, you can select hardware features to customize the emulator, for example, the size of internal storage memory, SD card, and so on.
4. A confirmation message is shown once the device is successfully created. Now, select the AVD and click on Start. This will prompt you with the launch options. Select any option and click on Launch.
5. This should launch the emulator. Note that this could take a few minutes or even longer depending on the workstation's CPU and RAM. The emulator does consume a significant amount of resources on the system. After a successful launch, the AVD will be running as shown in the following screenshot:
The Android emulator
With the emulator, you can configure e-mail accounts, install applications, surf the Internet, send text messages, and more. From a forensic perspective, analysts and security researchers can leverage the functionality of an emulator to understand the file system, data storage, and so on. The data created when working on an emulator is stored in your home directory, in a folder named .android. For instance, in our example, the details about the ForensicsAVD emulator that we created earlier are stored under C:\Users\Rohit\.android\avd\ForensicsAVD.avd. Among the various files present under this directory, the following are the files that are of interest for a forensic analyst:
cache.img: This is the disk image of the /cache partition (remember that we discussed the /cache partition of an Android device in Chapter 7, Understanding Android).
sdcard.img: This is the disk image of the SD card partition.
userdata-qemu.img: This is the disk image of the /data partition. The /data partition contains valuable information about the device user.
Connecting an Android device to a workstation
Forensic acquisition of an Android device using open source tools requires connecting the device to a forensic workstation. Forensic acquisition of any device should be conducted on a forensically sterile workstation. This means that the workstation is strictly used for forensics and not for personal use. Also, note that any time a device is plugged into a computer, changes can be made to the device. The examiner must have full control of all interactions with the Android device at all times.
The following steps should be performed by the examiner in order to connect the device successfully to a workstation. Note that write protection may prevent the successful acquisition of the device since commands may need to be pushed to the device in order to pull information. All the following steps should be validated on a test device prior to attempting them on real evidence.
Identifying the device cable
The physical USB interface of an Android device allows it to connect to a computer to share data, such as songs, videos, and photos. This USB interface might change from manufacturer to manufacturer and also from device to device. For example, some devices use mini-USB while some others use micro-USB. Apart from this, some manufacturers use their own proprietary formats, such as EXT-USB, EXT micro-USB, and so on. The first step in acquiring an Android device is to determine what kind of device cable is required.
Installing the device drivers
In order to identify the device properly, the computer may need certain drivers to be installed. Without the necessary drivers, the computer may not identify and work with the connected device. But the issue is that, since Android is allowed to be modified and customized by the manufacturers, there is no single generic driver that would work for all the Android devices. Each manufacturer writes its own proprietary drivers and distributes them along with the phone. So, it's important to identify the specific device drivers, which need to be installed. Of course, some of the Android forensic toolkits (which we are going to discuss in the following chapters) do come with some generic drivers or a set of most-used drivers; they may not work with all the models of Android phones. Some Windows operating systems are able to autodetect and install the drivers once the device is plugged in, but more often than not, it fails. The device drivers for each manufacturer can be found on their respective websites.
Accessing the connected device
If you haven't done so already, connect the Android device to the computer directly using the USB cable. The Android device will appear as a new drive and you can access the files on the external storage. Some older Android devices may not be accessible unless the Turn on USB storage option is enabled on the phone, as shown in the following screenshot:
USB mass storage
In some Android phones (especially with HTC), the device may expose more than one functionality when connected with a USB cable. For instance, as shown in the following screenshot, when an HTC device is connected, it presents a menu with four options. The default selection is Charge only. When the Disk drive option is selected, it is mounted as a disk drive.
HTC mobile USB options
When the device is mounted as a disk drive, you will be able to access the SD card present on the device. From a forensic point of view, the SD card has significant value as it may contain files that are important for an investigation. However, the core application data stored under /data/data will remain on the device and cannot be accessed through these methods.
Android Debug Bridge
Android Debug Bridge (adb) is one of the crucial components in Android forensics. Although we will learn about adb in detail in the coming chapters, we will focus on a basic introduction to adb for now. Android Debug Bridge (adb) is a command-line tool that allows you to communicate with the Android device and control it. You can access the adb tool under <sdk>/platform-tools/. Before we discuss anything about adb, we need to have an understanding of the USB debugging option. The primary function of this option is to enable communication between the Android device and a workstation on which the Android SDK is installed.
On a Samsung phone, you can access this under Settings | Developer Options, as shown in the following screenshot. Other Android phones may have different environments and configuration features. The examiner may have to force the developer options by accessing the build mode. These steps are all device specific and can be determined by researching the device or reading the instructions provided by your forensic tool of choice.
The USB debugging option in Samsung mobiles
When the USB debugging option is selected, the device will run the adb daemon (adbd) in the background and will continuously look for a USB connection. The daemon will usually run under a nonprivileged shell user account and thus will not provide access to complete data. However, on rooted phones, adbd will run under the root account and thus provide access to all the data. It is not recommended to root a device to gain full access unless all other forensic methods fail. Should the examiner elect to root an Android device, the methods must be well documented and tested prior to attempting it on real evidence. Rooting will be discussed at the end of this chapter.
On the workstation where the Android SDK is installed, adbd will run as a background process. Also, on the same workstation, a client program will run, which can be invoked from a shell by issuing the adb command. When the adb client is started, it first checks if an adb daemon is already running. If the response is negative, it initiates a new process to start the adb daemon. The adb client program communicates with the local adbd over port 5037.
Accessing the device using adb
Once the environment setup is complete and the Android device is in USB debugging mode, connect the Android device with the correct USB cable to the forensic workstation and start using adb.
Detecting connected devices
The following adb command provides a list of all the devices connected to the forensic workstation. This would also list the emulator if it is running at the time of issuing the command. Also, remember that if the necessary drivers are not installed, then the following command would show a blank message. If you encounter that situation, download the necessary drivers from the manufacturer and install them.
C:\android-sdk\platform-tools>adb.exe devices
List of devices attached
4df16ac8115e5f06    device
Killing the local adb server
The following command kills the local adb service:
C:\android-sdk\platform-tools>adb.exe kill-server
After killing the local adb service, issue the adb devices command and observe that the server is started, as shown in the following command lines:
C:\android-sdk\platform-tools>adb.exe devices
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
List of devices attached
4df16ac8115e5f06    device
Accessing the adb shell
This command allows forensic examiners to access the shell on an Android device and interact with the device. The following is the command to access the adb shell and execute a basic ls command to see the contents of the current directory:
C:\android-sdk\platform-tools>adb.exe shell
shell@android:/ $ ls
ls
acct
cache
config
d
data
default.prop
dev
efs
etc
factory
fstab.smdk4x12
init
init.bt.rc
init.goldfish.rc
init.rc
init.smdk4x12.rc
init.smdk4x12.usb.rc
....
The Android emulator can be used by forensic examiners to execute and understand adb commands before using them on the device. In Chapter 9, Android Data Extraction Techniques, we are going to explain more about leveraging adb to install applications, copy files and folders from the device, view device logs, and so on.
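The adb devices output above is easy to read by eye, but an examiner who scripts adb should parse it deliberately: the listing may include a running emulator or a second handset, and after adb kill-server it is preceded by the daemon start-up notices. The following added example (not code from the book or the Android SDK) parses that output, refuses to guess which device is the evidence when more than one is in the device state, and records every adb command it issues together with a SHA-256 of the output for the examination notes. The runner callable, the constructed transcript and the unauthorized state shown in it are assumptions made for the example.

```python
"""Wrapper around the adb client that selects the evidence device safely and
logs each command issued with a hash of its output.  Added example; adb is
only invoked when no runner callable is supplied."""
import hashlib
import shlex
import subprocess
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, List, Optional, Tuple

# Constructed transcript of `adb devices` right after `adb kill-server`, in
# the form shown in this chapter, with an emulator and a second handset added.
SAMPLE_DEVICES_OUTPUT = """\
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
List of devices attached
4df16ac8115e5f06\tdevice
emulator-5554\tdevice
0123456789ABCDEF\tunauthorized
"""

# Only the "device" state means the phone's adbd accepted the workstation and
# commands can be issued; other states (offline, unauthorized) cannot be used.
READY_STATE = "device"


@dataclass
class LogEntry:
    timestamp: str       # UTC, ISO 8601
    command: str         # exactly what was run, shell-quoted
    output_sha256: str   # hash of the captured output


def parse_devices(output: str) -> List[Tuple[str, str]]:
    """Return (serial, state) pairs, skipping the header and '* ... *' notices."""
    devices = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("*") or line.startswith("List of devices"):
            continue
        serial, _, state = line.partition("\t")
        if not state:  # some builds separate the columns with spaces
            serial, _, state = line.partition(" ")
        devices.append((serial.strip(), state.strip()))
    return devices


def ready_serials(devices: List[Tuple[str, str]]) -> List[str]:
    return [serial for serial, state in devices if state == READY_STATE]


def select_evidence_device(devices: List[Tuple[str, str]], serial: Optional[str] = None) -> str:
    """Pick the serial to work on.  With more than one ready device (for
    instance a running emulator) the examiner must name the serial explicitly,
    so that commands are never sent to the wrong device by accident."""
    ready = ready_serials(devices)
    if serial is not None:
        if serial not in ready:
            raise RuntimeError(f"device {serial} is not attached in the ready state")
        return serial
    if len(ready) != 1:
        raise RuntimeError(f"expected exactly one ready device, found {ready}")
    return ready[0]


class AdbSession:
    def __init__(self, adb: str = "adb", runner: Optional[Callable[[List[str]], str]] = None):
        self.adb = adb
        self.runner = runner or self._run_real
        self.log: List[LogEntry] = []

    @staticmethod
    def _run_real(argv: List[str]) -> str:
        # Real invocation of the adb client on the workstation's PATH.
        return subprocess.run(argv, capture_output=True, text=True, check=False).stdout

    def run(self, *args: str) -> str:
        argv = [self.adb, *args]
        out = self.runner(argv)
        self.log.append(LogEntry(
            datetime.now(timezone.utc).isoformat(),
            " ".join(shlex.quote(a) for a in argv),
            hashlib.sha256(out.encode("utf-8")).hexdigest(),
        ))
        return out

    def devices(self) -> List[Tuple[str, str]]:
        return parse_devices(self.run("devices"))

    def shell(self, serial: str, *cmd: str) -> str:
        # -s pins the command to one serial, so a second attached device or an
        # emulator is never touched by mistake.
        return self.run("-s", serial, "shell", *cmd)
```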
HandlinganAndroiddevice
HandlinganAndroiddeviceinapropermannerpriortotheforensicinvestigationisaveryimportanttask.Careshouldbetakentomakesurethatourunintentionalactionsdon'tresultindatamodificationoranyotherunwantedhappenings.Thefollowingsectionsthrowlightoncertainissueswhichneedtobeconsideredwhilehandlingthedeviceintheinitialstagesofforensicinvestigation.
Withtheimprovementsintechnology,theconceptofdevicelockinghaseffectivelychangedoverthelastfewyears.Mostusersnowhaveapasscodelockingmechanismenabledontheirdeviceduetotheincreaseingeneralsecurityawareness.BeforewelookatsomeofthetechniquestobypassthelockedAndroiddevices,itisimportantnottomissanopportunitytodisablethepasscodewhenthereisachance.
WhenanAndroiddevice,whichistobeanalyzed,isfirstaccessed,checkifthedeviceisstillactive(unlocked).Ifso,changethesettingsofthedevicetoenablegreateraccesstothedevice.So,whenthedeviceisstillactive,considerperformingthefollowingtasks:
EnablingUSBdebugging:OncetheUSBdebuggingoptionisenabled,itgivesgreateraccesstothedevicethroughtheadbconnection.Thisisofgreatsignificancewhenitcomestoextractingdatafromthedevice.ThelocationtoenableUSBdebuggingmightchangefromdevicetodevicebutit'susuallyunderDeveloperOptionsinSettings.MostmethodsforphysicallyacquiringAndroiddevicesrequireUSBdebuggingtobeenabled.Enablingthe"Stayawake"setting:IftheStayawakeoptionisselectedandthedeviceisconnectedforcharging,thenthedeviceneverlocks.Again,ifthedevicelocks,theacquisitioncouldbehalted.Increasingscreentimeout:Thisisthetimeforwhichthedevicewillbeeffectivelyactiveonceitisunlocked.Thelocationtoaccessthissettingvariesdependinguponthemodelofthedevice.OnaSamsungGalaxyS3phone,youcanaccessthesameunderSettings|Display|ScreenTimeout.
Apart from this, as mentioned in Chapter 1, Introduction to Mobile Forensics, the device needs to be isolated from the network to make sure that remote wipe options do not work on the device. The Android Device Manager allows the phone to be remotely wiped or locked. This can be done by signing into the Google account which is configured on the mobile. More details about this are mentioned in the following section. If the Android device is not set up to allow remote wiping, the device can only be locked using the Android Device Manager. Also, there are several Mobile Device Management (MDM) software products available on the market which allow users to remotely lock or wipe the Android device. Some of these may not require specific settings to be enabled on the device.
Using the available remote wipe software, it is possible to delete all the data, including e-mails, applications, photos, contacts, and other files, including those found on the SD card. To isolate the device from the network, you can put the device in airplane mode and disable Wi-Fi as an extra precaution. Enabling airplane mode and disabling Wi-Fi works well, as the device will not be able to communicate over a cellular network and cannot be accessed via Wi-Fi. Removing the SIM card from the phone is also an option, but that does not effectively stop the device from communicating over Wi-Fi or some cellular networks. To place the device in airplane mode, press and hold the Power/Off button and select airplane mode. Where a Faraday bag or shielded enclosure is available, use it as well, because airplane mode is a software setting that can be reverted.
All these steps can be done when the Android device is not locked. However, during an investigation, we commonly encounter devices that are locked. Hence, it's important to understand how to bypass the lock code if it is enabled on an Android device.
Screen lock bypassing techniques
Due to the increase in user awareness and the ease of functionality, there has been an exponential increase in the usage of passcode options to lock Android devices. Hence, bypassing the device's screen lock during a forensic investigation is becoming increasingly important. The screen lock bypass techniques discussed have their applicability based on the situation. Note that some of these methods make changes to the device. Make sure that you test and validate all the steps listed on non-evidentiary Android devices. The examiner must have authorization to make the required changes to the device, document all steps taken, and be able to describe the steps taken if courtroom testimony is required.
Currently, there are three types of screen lock mechanisms offered by Android. Although there are some devices which have voice lock and face lock options, we will limit our discussion to the following three options, since these are the most widely used on Android devices:
Pattern lock: The user sets a pattern or design on the phone and the same must be drawn to unlock the device. Android was the first smartphone platform to introduce a pattern lock.
PIN code: This is the most common lock option and is found on many mobile phones. The PIN is a numeric code of at least four digits that needs to be entered to unlock the device.
Passcode (alphanumeric): This is an alphanumeric passcode. Unlike the PIN, which takes only digits, the alphanumeric passcode accepts letters and symbols as well as digits.
The following section details some of the techniques to bypass these Android lock mechanisms. Depending on the situation, these techniques might help an investigator to bypass the screen lock.
Using adb to bypass the screen lock
If USB debugging appears to be enabled on the Android device, it is wise to take advantage of it by connecting with adb over USB, as discussed in the earlier sections. The examiner should connect the device to the forensic workstation and issue the adb devices command. If the device shows up, it implies that USB debugging is enabled. Note that from Android 4.2.2 onward, a workstation that has never connected before must be authorized on the device through an RSA key fingerprint prompt, which cannot be accepted while the screen is locked; adb devices then lists the device as unauthorized. If the Android device is locked, the examiner must attempt to bypass the screen lock. The following are the two methods that may allow the examiner to bypass the screen lock when USB debugging is enabled.
Deleting the gesture.key file
This is how the process is done:
1. Connect the device to the forensic workstation (a Windows machine in our example) using a USB cable.
2. Open the command prompt and execute the following instructions:
adb.exe shell
cd /data/system
rm gesture.key
3. Reboot the device. If the pattern lock still appears, just draw any random design and observe that the device should unlock without any trouble.
This method works when the device is rooted, because /data/system is not readable or writable by the unprivileged adb shell user. It may not be successful on unrooted devices. Rooting an Android device should not be performed without proper authorization, as the device is altered.
Updating the settings.db file
To update the settings.db file, perform the following steps:
1. Connect the device to the forensic workstation using a USB cable.
2. Open the command prompt and execute the following instructions:
adb.exe shell
cd /data/data/com.android.providers.settings/databases
sqlite3 settings.db
sqlite> update system set value=0 where name='lock_pattern_autolock';
sqlite> update system set value=0 where name='lockscreen.lockedoutpermanently';
3. Exit and reboot the device.
4. The Android device should be unlocked. If not, attempt to remove gesture.key as explained earlier.
Which table holds these rows depends on the Android version: older builds keep them in the system table, most 4.x builds keep them in the secure table, and from Android 4.3 the lock settings moved out of settings.db into /data/system/locksettings.db, so inspect the database before running the updates. This method also needs root, and the sqlite3 binary is not present on every stock build; if it is missing, pull settings.db, modify it on the workstation, and push it back. Record the original values before changing them so that the modification can be documented.
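The following script is an added example and not code from the book. It runs the same UPDATE statements the procedure above types into sqlite3, but against a copy of settings.db on the workstation, after first recording the original values and checking both tables that have held these rows across Android versions, so that the change can be documented. The sample database it builds is constructed: the table layout follows Android's settings provider, but the row contents are made up.

```python
"""Record and change the lock-screen rows in a copy of settings.db.

Added example, not from the book. The sample database is constructed: the
table layout follows Android's settings provider, the rows are made up.
"""
import os
import sqlite3
import tempfile

# Keys the lock screen reads (spelled as in AOSP's LockPatternUtils).
LOCK_KEYS = ("lock_pattern_autolock", "lockscreen.lockedoutpermanently")
# Older builds keep the rows in 'system'; 4.x builds keep them in 'secure'.
SETTINGS_TABLES = ("system", "secure")


def make_sample_settings_db(path):
    """Build a constructed settings.db with the lock rows in the 'secure' table."""
    con = sqlite3.connect(path)
    for table in SETTINGS_TABLES:
        con.execute(
            f"CREATE TABLE {table} (_id INTEGER PRIMARY KEY, name TEXT UNIQUE, value TEXT)"
        )
    con.executemany(
        "INSERT INTO secure (name, value) VALUES (?, ?)",
        [("lock_pattern_autolock", "1"), ("lockscreen.lockedoutpermanently", "1")],
    )
    con.execute("INSERT INTO system (name, value) VALUES ('screen_off_timeout', '30000')")
    con.commit()
    con.close()


def snapshot_lock_settings(path):
    """Return {(table, name): value} for every lock-related row, opened read-only."""
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    placeholders = ",".join("?" * len(LOCK_KEYS))
    found = {}
    for table in SETTINGS_TABLES:
        query = f"SELECT name, value FROM {table} WHERE name IN ({placeholders})"
        for name, value in con.execute(query, LOCK_KEYS):
            found[(table, name)] = value
    con.close()
    return found


def disable_autolock(path):
    """Apply the book's updates to whichever table holds the rows.

    Returns (before, after, rows_changed) so the examiner can record the
    original values alongside the modification.
    """
    before = snapshot_lock_settings(path)
    placeholders = ",".join("?" * len(LOCK_KEYS))
    con = sqlite3.connect(path)
    changed = 0
    for table in SETTINGS_TABLES:
        cur = con.execute(
            f"UPDATE {table} SET value = '0' WHERE name IN ({placeholders})", LOCK_KEYS
        )
        changed += cur.rowcount
    con.commit()
    con.close()
    after = snapshot_lock_settings(path)
    return before, after, changed


def demo():
    """Run the procedure against a constructed copy and return its record."""
    workdir = tempfile.mkdtemp()
    db = os.path.join(workdir, "settings.db")
    make_sample_settings_db(db)
    return disable_autolock(db)


if __name__ == "__main__":
    before, after, changed = demo()
    print("before:", before)
    print("after: ", after)
    print("rows changed:", changed)
```

Hash settings.db before and after the change and keep both values with the case notes; when the file is pushed back to the device, its ownership and mode must match the original, or the settings provider will fail to open it.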
Checking for the modified recovery mode and adb connection
In Android, recovery refers to the dedicated partition where the recovery console is present. The two main functions of recovery are to delete all user data and to install updates. For instance, when you factory reset your phone, recovery boots up and deletes all the data. Similarly, when updates are to be installed on the phone, it is done in recovery mode. There are many enthusiastic Android users who install custom ROMs through a modified recovery module. This modified recovery module is mainly used to make the process of installing a custom ROM easy. Recovery mode can be accessed in different ways depending on the manufacturer of the device, and the key combination is easily found on the Internet. Usually, this is done by holding different keys together, such as the volume button and the power button. Once in recovery mode, connect the device to the workstation and try to access the adb connection. If the device has a stock recovery, the examiner will usually not be able to access the adb connection. The modified recovery versions present the user with different options and can be easily noticed.
Flashing a new recovery partition
There are mechanisms available to flash the recovery partition of an Android device with a modified image. The Fastboot utility facilitates this process. Fastboot is a diagnostic protocol and command-line tool that comes with the Android SDK, used primarily to modify the flash file system through a USB connection from a host computer. For this, you need to start the device in bootloader mode, in which only the most basic hardware initialization is performed. Once the protocol is enabled on the device, it will accept a specific set of commands that are sent to it via the USB cable using a command line. Flashing or rewriting a partition with a binary image stored on the computer is one such command that is allowed. Once the recovery is flashed, boot the device in recovery mode, mount the /data and /system partitions, and use adb to remove the gesture.key file. Reboot the phone and you should be able to bypass the screen lock.
Fastboot will only flash a partition on a device whose bootloader is unlocked, and unlocking the bootloader on many devices (Nexus devices, for example) wipes the data partition. Check the bootloader state before attempting this, since an unlock would destroy the very data the examiner is trying to reach.
Smudge attack
In rare cases, a smudge attack may be used to deduce the password of a touchscreen mobile device. The attack relies on identifying the smudges left behind by the user's fingers. While this may present a bypass method, it must be said that a smudge attack is unlikely to succeed, since most Android devices are touchscreen and smudges will also be present from general use of the device. However, it has been demonstrated that under proper lighting, the smudges that are left behind can be easily detected, as shown in the following screenshot (http://www.securitylearn.net/tag/android-passcode-bypass/). By analyzing the smudge marks, we can discern the pattern that is used to unlock the screen. This attack is more likely to work when discerning the pattern lock on an Android device. In some cases, PIN codes can also be recovered, depending upon the cleanliness of the screen. So, during a forensic investigation, care should be taken when the device is first handled to make sure that the screen is not touched.
Smudges visible on a device under proper lighting (source: https://viaforensics.com/wpinstall/wp-content/uploads/smudge.png)
Using the primary Gmail account
If you know the username and password of the primary Gmail address that is configured on the device, you can change the PIN, password, or swipe pattern on the device. After making a certain number of failed attempts to unlock the screen, Android provides an option named Forgot Pattern or Forgot Password, as shown in the following screenshot. Tap on that link and sign in using the Gmail username and password, and this will allow you to create a new pattern lock or passcode for the device. This requires the device to reach Google, so the network isolation described earlier has to be lifted for the duration of the reset; weigh that against the remote wipe risk and document it.
Forgot pattern option on an Android device
Other techniques
All of the earlier mentioned techniques and the commercial tools available prove to be useful to the forensic examiner trying to get access to the data on Android devices. However, there could be situations where none of these techniques work. To obtain a complete physical image of the device, techniques such as chip-off and JTAG may be required when commercial and open source solutions fail. A short description of these techniques follows.
While the chip-off technique removes the memory chip from the circuit and tries to read it, the JTAG technique involves probing the JTAG Test Access Ports (TAPs) and soldering connectors to the JTAG ports in order to read data from the device memory. The chip-off technique is more destructive because once the chip is removed from the device, it is difficult to restore the device to its original functional state. Also, expertise is needed to carefully remove the chip from the device by desoldering it from the circuit board. The heat required to remove the chip can also damage or destroy the data stored on that chip. Hence, this technique should be considered only when the data is not retrievable by open source or commercial tools or the device is damaged beyond repair. When using the JTAG technique, the JTAG ports help an examiner to access the memory chip to retrieve a physical image of the data without needing to remove the chip. To turn off the screen lock on a device, an examiner can identify where the lock code is stored in the physical memory dump, turn off the locking, and copy that data back to the device. Commercial tools, such as Cellebrite Physical Analyzer, can accept .bin files from chip-off and JTAG acquisitions and crack the lock code for the examiner. Once the code is either manually removed or cracked, the examiner can analyze the device using normal techniques.
Both the chip-off and JTAG techniques require extensive research and experience before being tried on a real device. A great resource for JTAG and chip-off on devices can be found at http://www.forensicswiki.org/wiki.
Gaining root access
As a mobile device forensic examiner, it is essential to know everything that relates to twisting and tweaking the device. This would help you to understand the internal working of the device in detail and comprehend many issues that you may face during your investigation. Rooting Android phones has become a common phenomenon and you can expect to encounter rooted phones during forensic examinations. The examiner, where applicable, may also need to root the device in order to acquire data for the forensic examination. Hence, it's important to know the ins and outs of rooted devices and how they are different from other phones. The following sections cover information about Android rooting and other related concepts.
What is rooting?
The default administrative account in Unix-like operating systems is called "root". So, in Linux, the root user has the power to start/stop any system service, edit/delete any file, change the privileges of other users, and so on. We have already learned that Android uses the Linux kernel and hence most of the concepts present in Linux are applicable to Android as well. However, when you buy an Android phone, it does not let you log in as the root user by default. Rooting an Android phone is all about gaining access on the device to perform actions that are not normally allowed on the device. Manufacturers want the devices to function in a certain manner for normal users. Rooting a device may void the warranty, since root opens the system to vulnerabilities and provides the user with superuser capabilities. Imagine a malicious application having access to the entire Android system with root access. Remember that in Android, each application is treated as a separate user and is issued a UID. Thus, applications have access to limited resources and the concept of application isolation is enforced. Essentially, rooting an Android device allows superuser capabilities and provides open access to the Android device.
Rooting an Android device
Even though the hardware manufacturers try to put enough restrictions in place to restrict access to root, hackers have always found different ways to get access to root. The process of rooting varies depending on the underlying device manufacturer. But rooting any device usually involves exploiting a security bug in the device's firmware and then copying the su (superuser) binary to a location in the current process's path (/system/xbin/su) and granting it execute permission, along with the set-user-ID bit, with the chmod command.
For the sake of simplicity, imagine that an Android device has three to four partitions, which run programs not entirely related to Android (Android being one among them).
The bootloader is present in the first partition and is the first program that runs when the phone is powered on. The primary job of this bootloader is to boot other partitions and load the Android partition, commonly referred to as the ROM, by default. To see the bootloader menu, a specific key combination is required, such as holding the power button and pressing the volume up button. This menu provides options for you to boot into other partitions, such as the recovery partition.
The recovery partition deals with installing upgrades to the phone, which are written directly to the Android ROM partition. This is the mode that you see when you install any official update on the device. Device manufacturers make sure that only official updates are installed through the recovery partition. Thus, bypassing this restriction would allow you to install/flash any unlocked Android ROM. Modified recovery programs are those that not only allow an easier rooting process but also provide various options which are not seen in the normal recovery mode. The following screenshot shows the normal recovery mode:
Normal Android system recovery mode
The following screenshot shows the modified recovery mode:
Modified recovery mode
The most used recovery program in the Android world is the Clockwork recovery, also called ClockworkMod. Hence, most of the rooting methods begin by flashing a modified recovery to the recovery partition. After that, you can issue an update which can root the device. However, you don't need to perform all the actions manually, as software is available for most of the models which could root your phone with a single click.
Rooting a device has both advantages and disadvantages associated with it.
The following are the advantages:
Rooting allows modification of the software on the device to the deepest level. For example, you can overclock or underclock the device's CPU (http://techbeasts.com/2014/01/17/what-is-cpu-underclocking-overclocking-and-how-to-underclock-overclock/).
Restrictions imposed on the device by carriers, manufacturers, and so on can be bypassed.
For extreme customization, new customized ROMs can be downloaded and installed.
The following are the disadvantages:
Rooting a device must be done with extreme care, as errors may result in irreparable damage to the software on the phone, turning the device into a useless brick.
Rooting might void the warranty of a device.
Rooting results in increased exposure to malware and other attacks. Malware with access to the entire Android system can create havoc.
Once the device is rooted, applications such as the Superuser app are available to grant and deny root privileges. This app helps you to grant and manage superuser rights on the device, as shown in the following screenshot:
Root access – adb shell
A normal Android phone does not allow you to access certain directories and files on the device. For example, try to access the /data/data folder on an Android device which is not rooted. You will see the following message:
C:\android-sdk\platform-tools>adb.exe shell
shell@android:/ $ cd /data/data
cd /data/data
shell@android:/data/data $ ls
ls
opendir failed, Permission denied
255|shell@android:/data/data $
On a rooted phone, you can run the adb shell as root by issuing the following command:
C:\android-sdk\platform-tools>adb.exe root
restarting adbd as root
C:\android-sdk\platform-tools>adb.exe shell
root@android:/ # cd /data/data
cd /data/data
root@android:/data/data # ls
ls
com.adobe.flashplayer
com.adobe.reader
com.aldiko.android
com.android.backupconfirm
com.android.browser
Thus, rooting a phone enables you to access folders and data which are otherwise not accessible. Also, note that # symbolizes root or superuser access while $ reflects a normal user, as shown in the preceding command lines. On production builds, adb root is refused with the message "adbd cannot run as root in production builds"; on such a rooted phone, start the shell normally and run su inside it instead.
Summary
A proper forensic workstation setup is required prior to conducting investigations on an Android device. Using open source methods to acquire and analyze Android devices requires the installation of specific software on the forensic workstation. If the method of forensic acquisition requires the Android device to be unlocked, the examiner needs to determine the best method to gain access to the device. The various screen lock bypass techniques explained in this chapter help an examiner to bypass the passcode under different circumstances. Depending on the forensic acquisition method and the scope of the investigation, rooting the device should provide complete access to the files present on the device. Some commercial tools, such as Micro Systemation XRY, provide a root that the examiner must use in order to access specific areas of the device memory. Now that the basic concepts of gaining access to an Android device are covered, we will cover acquisition techniques and describe how the data is pulled using each method in Chapter 9, Android Data Extraction Techniques.
Chapter 9. Android Data Extraction Techniques
By using any of the passcode bypass techniques explained in Chapter 8, Android Forensic Setup and Pre Data Extraction Techniques, an examiner can try to access a locked device. Once the device is accessible, the next task is to extract the information present on the device. This can be achieved by applying various data extraction techniques on the Android device. This chapter helps you to identify the sensitive locations present on an Android device and explains various logical and physical techniques that can be applied to the device in order to extract the necessary information.
Imaging an Android Phone
Imaging a device is one of the most important steps in mobile device forensics. The rule of thumb when dealing with a forensic examination is to ensure that the data present on the device is not modified in any way, wherever possible. As explained in Chapter 1, Introduction to Mobile Forensics, all the changes made by the examiner, including those from previous testing and validation, should be well documented. When possible, it's imperative to obtain a physical image of the Android device before performing any techniques to extract the data directly from the device. In forensics, this process of obtaining a physical or logical acquisition is commonly called imaging the device. A physical image is preferred, as it is a bit-by-bit copy of the Android device memory.
It is important to understand that a bit-by-bit image is not the same as copying and pasting the contents of the device. If we copy and paste the contents of a device, it will only copy the available files, such as visible files, hidden files, and system-related files. This method is considered a logical image. With this method, deleted files and files that are not accessible are not copied by the copy command. Deleted files can be recovered (depending on the circumstances) using certain techniques, which we are going to see in the following chapters. Hence, you need to take a 1:1 bit-by-bit image of the device memory to obtain all of the data.
Let's first revisit how imaging is done on a desktop computer, as it helps us to correlate and realize the problems associated with imaging Android devices. Let's assume that a desktop computer which is not powered on is seized from a suspect and sent for forensic examination. In this case, a typical forensic examiner would remove the hard disk, connect it to a write blocker, and obtain a bit-by-bit forensic image using any of the available tools. The original hard disk is then safely protected during the forensic imaging of the data. With an Android device, the areas that contain data cannot all be easily removed. Also, if the device is active at the time of receiving it for examination, it is not possible to analyze the device without making any changes to it, because any interaction would change the state of the device.
An Android device may have two file storage areas, internal and external storage. Internal storage refers to the built-in non-volatile memory. External storage refers to a removable storage medium, such as a microSD card. However, it's important to note that some devices do not have a removable storage medium such as an SD card, but divide the available permanent storage space into internal and external storage. Hence, it's not always true that external storage is something that is removable. When a removable SD card is present, a forensic image of the memory card has to be obtained. As discussed in Chapter 7, Understanding Android, these removable cards are generally formatted with the FAT32 file system. Some mobile device acquisition methods will acquire the SD card through the Android device. This process, while useful, will be slow due to the speed limitations of USB phone cables.
Data extraction techniques
Data residing on an Android device may be an integral part of civil, criminal, or internal investigations done as part of a corporate company's internal probe. While dealing with investigations involving Android devices, the forensic examiner needs to be mindful of the issues that need to be taken care of during the forensic process; this includes determining if root access is permitted (via consent or legal authority) and what data can be extracted and analyzed during the investigation. For example, in a criminal case involving stalking, the court may only allow the SMS, call logs, and photos to be extracted and analyzed on the Android device belonging to the suspect. In this case, it may make the most sense to logically capture just those specific items. However, it is best to obtain a full physical data extraction of the device and only examine the areas admissible by the court. You never know where your investigation may lead, and it is best to obtain as much data off the device immediately rather than wish you had a full image should the scope of consent change.
The data extraction techniques on an Android device can be classified into three types:
Manual data extraction
Logical data extraction
Physical data extraction
The extraction methods for each of these types will be described in detail in the following sections. Some methods may require the device to be rooted in order to fully access the data. Each method has different implications, and success rates will depend on the tool, the method used, and the device make and model.
Manual data extraction
This method of extraction involves the examiner utilizing the normal user interface of the mobile device to access content present in the memory. The examiner will browse through the device normally by accessing different menus to view details such as call logs, text messages, and IM chats. The content of each screen is captured by taking pictures and can be presented as evidence. The main drawback with this type of examination is that only those files that are accessible by the operating system (in the UI mode) can be investigated. Care must be taken when manually examining the device, as it's easy to press the wrong button and erase or add data. Manual extraction should be used as a last resort, or to verify findings extracted using one of the other methods. Certain circumstances may warrant the examiner to conduct a manual examination as the first step. This may include life or death situations or missing persons, where a quick scan of the device may lead the police to the individual.
Using root access to acquire an Android device
Android, by default, does not provide access to the internal directories and system-related files. This restricted access is to ensure the security of the device. For instance, the /data/data folder is not accessible on a non-rooted device. This folder is especially of interest to us because it stores most of the user-created data, and many applications write valuable data into this folder. Hence, to obtain an image of the device, we need to root the Android device. Rooting a device gives us superuser privileges and access to all the data. It is important to realize that this book has been stressing that all the steps taken should be forensically sound and not make changes to the device whenever possible. Rooting an Android device will make changes to it and should be tested on any device model that the examiner has not previously investigated. Rooting is common for Android devices, but getting root access could alter the device in a manner that renders the data changed or, worse yet, wiped. On some Android devices, such as the Nexus 4 and 5, rooting first requires the bootloader to be unlocked, and unlocking wipes the data partition. This defeats the purpose of rooting the device to gain access, because all the user data is lost during the process. Just remember that while rooting provides access to more data when successfully done, it can also wipe the data or destroy the phone. Hence, you must ensure you have consent or legal rights to manipulate the Android device prior to proceeding with the root. As rooting techniques have been discussed in Chapter 8, Android Forensic Setup and Pre Data Extraction Techniques, we will proceed with the example assuming that the device is rooted. The following is a step-by-step process to obtain a forensic image of a rooted Android device.
Install the Android Terminal Emulator application. The Android Terminal Emulator application helps you to access the Linux command shell. Android Terminal Emulator can be downloaded from https://github.com/jackpal/Android-Terminal-Emulator/wiki. Once installed, you can run most of the Linux commands on the device. It is recommended to install it through adb instead of connecting to the Internet to install it from the Google Play store. Installing the emulator writes to the /data partition you are about to image, so record the installation and its time; where a root shell is already available through adb, running dd from that shell avoids installing anything on the device. The following screenshot shows the installation of the Android Terminal Emulator application on a Mac running v10.9.2:
Once Android Terminal Emulator is installed, the partitions can be acquired from the Android device using the following steps:
Using the dd command: The dd command can be used to create a raw image of the device. This command helps us to create a bit-by-bit image of the Android device by copying low-level data.
Inserting a new SD card: Insert a new SD card into the device in order to copy the image file to this card. Make sure this SD card is wiped and does not contain any other data.
Executing the command: The file systems of an Android device are backed by block devices under the /dev directory. A simple mount command on a Samsung Galaxy S3 phone returns the following output:
shell@Android:/ $ mount
mount
rootfs / rootfs ro,relatime 0 0
tmpfs /dev tmpfs rw,nosuid,relatime,mode=755 0 0
devpts /dev/pts devpts rw,relatime,mode=600 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0
none /acct cgroup rw,relatime,cpuacct 0 0
tmpfs /mnt/asec tmpfs rw,relatime,mode=755,gid=1000 0 0
tmpfs /mnt/obb tmpfs rw,relatime,mode=755,gid=1000 0 0
none /dev/cpuctl cgroup rw,relatime,cpu 0 0
/dev/block/mmcblk0p9 /system ext4 ro,noatime,barrier=1,data=ordered 0 0
/dev/block/mmcblk0p3 /efs ext4 rw,nosuid,nodev,noatime,barrier=1,journal_async_commit,data=ordered 0 0
/dev/block/mmcblk0p8 /cache ext4 rw,nosuid,nodev,noatime,barrier=1,journal_async_commit,data=ordered 0 0
/dev/block/mmcblk0p12 /data ext4 rw,nosuid,nodev,noatime,barrier=1,journal_async_commit,data=ordered,noauto_da_alloc,discard 0 0
/sys/kernel/debug /sys/kernel/debug debugfs rw,relatime 0 0
/dev/fuse /storage/sdcard0 fuse rw,nosuid,nodev,noexec,relatime,user_id=1023,group_id=1023,default_permissions,allow_other 0 0
From the preceding output, we can identify the block devices on which the /system, /data, and /cache partitions are mounted. Although it's important to image all the files, most of the data is present in the /data and /system partitions. When time allows, all partitions should be acquired for completeness. Once this is done, execute the following command to image the device:
dd if=/dev/block/mmcblk0p12 of=/sdcard/tmp.image
In the preceding example, the data partition of a Samsung Galaxy S III was used (where if is the input file and of is the output file).
The preceding command will make a bit-by-bit image of the mmcblk0p12 block device (data partition) and copy the image file to the SD card. Once this is done, the dd image file can be analyzed using the available forensic software.
Tip
The examiner must ensure that the SD card has enough storage space to contain the data partition image. Other methods are available to acquire data from rooted devices.
Two points deserve care here. First, on devices with emulated internal storage (the /dev/fuse mount on /storage/sdcard0 in the listing above), /sdcard is backed by the /data partition itself, so writing the image there would write into the partition being imaged and could fill it; write to the mount point of the removable card instead (typically /storage/extSdCard on this model), or stream the image to the workstation. Second, /data is mounted read-write and is in use while the system is running, so the image of a live device is a snapshot of a changing file system, and a hash of the block device taken after dd may not match the image. Hash the image as soon as it is written and, where the device can be booted to a recovery that gives a root shell with /data unmounted, acquire from there instead.
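The following script is an added example, not code from the book. It parses mount output of the form shown above to find the block device behind a mount point, builds the dd command line the procedure uses, and verifies an acquired image against its source by size and SHA-256 so the acquisition can be documented. SAMPLE_MOUNT is a constructed excerpt of the listing above, and demo() images a constructed file that stands in for a partition (using the workstation's dd when one is available).

```python
"""Find the block device behind a mount point and verify a dd image.

Added example, not from the book. SAMPLE_MOUNT is constructed from the
Galaxy S3 listing above (abbreviated options); demo() images a constructed
file that stands in for a partition.
"""
import hashlib
import os
import shutil
import subprocess
import tempfile

SAMPLE_MOUNT = """\
rootfs / rootfs ro,relatime 0 0
tmpfs /dev tmpfs rw,nosuid,relatime,mode=755 0 0
/dev/block/mmcblk0p9 /system ext4 ro,noatime,barrier=1,data=ordered 0 0
/dev/block/mmcblk0p8 /cache ext4 rw,nosuid,nodev,noatime,barrier=1,data=ordered 0 0
/dev/block/mmcblk0p12 /data ext4 rw,nosuid,nodev,noatime,barrier=1,data=ordered,discard 0 0
/dev/fuse /storage/sdcard0 fuse rw,nosuid,nodev,noexec,relatime,user_id=1023,group_id=1023 0 0
"""


def block_devices(mount_output):
    """Map mount point -> (device, fstype), keeping only real block devices.

    Pseudo file systems (tmpfs, proc, the fuse-backed emulated SD card) are
    skipped: they have no partition to image.
    """
    devices = {}
    for line in mount_output.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        device, mountpoint, fstype = fields[0], fields[1], fields[2]
        if device.startswith("/dev/block/"):
            devices[mountpoint] = (device, fstype)
    return devices


def dd_command(mount_output, mountpoint, outfile):
    """Return the dd command line for the partition mounted at mountpoint."""
    device, _ = block_devices(mount_output)[mountpoint]
    return f"dd if={device} of={outfile}"


def sha256_of(path):
    """SHA-256 of a file, read in 1 MiB chunks so large images stay out of memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_image(source, image):
    """True when the image is a bit-for-bit copy of the source."""
    if os.path.getsize(source) != os.path.getsize(image):
        return False
    return sha256_of(source) == sha256_of(image)


def acquire(source, image):
    """Copy source to image with dd when it is available, else a plain file copy."""
    if shutil.which("dd"):
        subprocess.run(["dd", f"if={source}", f"of={image}", "bs=4096"],
                       check=True, stderr=subprocess.DEVNULL)
    else:
        shutil.copyfile(source, image)


def demo():
    """Image a constructed 'partition' and show that a truncated copy fails verification."""
    workdir = tempfile.mkdtemp()
    partition = os.path.join(workdir, "mmcblk0p12")   # stands in for the block device
    with open(partition, "wb") as fh:
        fh.write(os.urandom(64 * 1024))
    good = os.path.join(workdir, "tmp.image")
    acquire(partition, good)
    truncated = os.path.join(workdir, "short.image")
    with open(partition, "rb") as src, open(truncated, "wb") as dst:
        dst.write(src.read(60 * 1024))                 # an interrupted acquisition
    return verify_image(partition, good), verify_image(partition, truncated)


if __name__ == "__main__":
    print(dd_command(SAMPLE_MOUNT, "/data", "/sdcard/tmp.image"))
    print("(good image verified, truncated image verified):", demo())
```

On the device itself the source hash has to come from a hashing binary present there (busybox provides sha256sum and md5sum); when none is available, the image hash recorded immediately after the copy is the value the rest of the examination is checked against.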
Logical data extraction
Logical data extraction techniques extract the data present on the device by accessing the file system. These techniques are significant because they provide valuable data, work on most devices, and are easy to use. Once again, the concept of rooting comes into the picture while extracting the data. Logical techniques do not actually require root access for data extraction. However, having root access on a device allows you to access all the files present on the device. This means that some data may be extracted on a non-rooted device, while root access will open the device and provide access to all the files present on it. Hence, having root access on a device greatly influences the amount and kind of data that can be extracted through logical techniques. Logical extraction can be performed on a device in two ways:
Using adb pull commands
Using content providers
The following sections explain each of these options and how the data can be extracted.
Using the adb pull command
As seen earlier, adb is a command-line tool that helps you communicate with the device to retrieve information. Using adb, you can extract data from all the files on the device or only the relevant files in which you are interested. To access an Android device through adb, it's necessary that the USB debugging option is enabled. If the device is locked and USB debugging is not enabled, try to bypass the screen lock using the techniques mentioned in Chapter 8, Android Forensic Setup and Pre Data Extraction Techniques.
As a forensic examiner, it's important to know how the data is stored on the Android device and to understand where important and sensitive information is stored so that the data can be extracted accordingly. Application data often contains a wealth of user data that may be relevant to the investigation. All files pertaining to applications of interest should be examined for relevance, as will be explained in Chapter 10, Android Data Recovery Techniques. The application data can be stored in one of the following locations:
Shared preferences: Data is stored in key-value pairs in a lightweight XML format. Shared preference files are stored in the shared_prefs folder of the application's /data/data directory.
Internal storage: Data stored here is private and is present in the device's internal memory. Files saved to the internal storage are private and cannot be accessed by other applications.
External storage: This stores data that is public in the device's external memory, which does not usually enforce security mechanisms. This data is available under the /sdcard directory.
SQLite database: This data is available in /data/data/PackageName/databases. The files are usually stored with a .db file extension. The data present in a SQLite file can be viewed using a SQLite browser (http://sourceforge.net/projects/SQLitebrowser/) or by executing the necessary SQLite commands on the respective files.
Every Android application stores its data on the device using one of the preceding data storage options. So, the Contacts application would store all the information about the contact details in the /data/data folder under its package name. Note that /data/data is a part of your device's internal storage, where all the apps are installed under normal circumstances. Some application data will reside on the SD card and in the /data/data partition. Using adb, we can pull the data present in this partition for further analysis using the adb pull command. Once again, it's important to note that this directory is accessible only on a rooted phone.
Extracting the /data directory on a rooted device
On a rooted phone, a pull command on /data can be executed as follows:
C:\android-sdk-windows\platform-tools>adb.exe pull /data C:\temp
pull: /data/data/com.kiloo.subwaysurf/app_sslcache/www.chartboost.com.443 -> C:\temp/data/com.kiloo.subwaysurf/app_sslcache/www.chartboost.com.443
pull: /data/data/com.mymobiler.android/lib/libpng2.so -> C:\temp/data/com.mymobiler.android/lib/libpng2.so
pull: /data/system.notfirstrun -> C:\temp/system.notfirstrun
732 files pulled. 0 files skipped.
2436 KB/s (242711369 bytes in 97.267s)
As shown in the following screenshot, the complete /data directory on the Android device was copied to the local directory on the machine. The entire data directory was extracted in 97 seconds. The extraction time will vary depending on the amount of data residing in /data.
The /data directory extracted to a forensic workstation
On a non-rooted device, a pull command on the /data directory does not extract the files, as shown in the following output, since the shell user does not have permission to access those files:
C:\android-sdk-windows\platform-tools>adb.exe pull /data C:\temp
pull: building file list...
0 files pulled. 0 files skipped.
The data copied from a rooted phone through the preceding process maintains the directory structure, thus allowing an investigator to browse through the necessary files to gain access to the information. By analyzing the data of the respective applications, a forensic expert can gather critical information that can influence the outcome of the investigation. Note that examining the folders natively on your forensic workstation will alter the dates and times of the content. The examiner should make a copy of the original output to use for a date/time comparison. Note also that adb pull runs with the privileges of adbd, not of a shell in which su was run: on a rooted production build where adb root is refused, copy the files from a root shell to a world-readable location (or the SD card) and pull them from there. The pulled copies do not preserve the ownership or permissions of the originals, so record those from the device with ls -l if they matter to the case.
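The following script is an added example, not code from the book. It walks the copy that adb pull /data wrote to the workstation, lists the per-package artefacts of interest (shared_prefs XML, databases and their journal files) with sizes, SHA-256 hashes and the copy's modification times, and flags journal files whose database is missing from the pull, which points to an incomplete copy. The tree built in demo() is constructed; only the directory layout mirrors a real device.

```python
"""Inventory a pulled /data tree without modifying it.

Added example, not from the book. The tree built in demo() is constructed;
only the directory layout mirrors a real device.
"""
import hashlib
import os
import tempfile

ARTEFACT_DIRS = ("shared_prefs", "databases")
JOURNAL_SUFFIXES = ("-journal", "-wal", "-shm")


def sha256_of(path):
    """SHA-256 of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inventory(pull_root):
    """Return sorted (package, relative path, size, sha256, mtime) rows under <root>/data/<pkg>/."""
    data_dir = os.path.join(pull_root, "data")
    rows = []
    for package in sorted(os.listdir(data_dir)):
        package_dir = os.path.join(data_dir, package)
        if not os.path.isdir(package_dir):
            continue
        for sub in ARTEFACT_DIRS:
            subdir = os.path.join(package_dir, sub)
            if not os.path.isdir(subdir):
                continue
            for name in sorted(os.listdir(subdir)):
                path = os.path.join(subdir, name)
                if os.path.isfile(path):
                    st = os.stat(path)
                    rows.append((package, f"{sub}/{name}", st.st_size,
                                 sha256_of(path), int(st.st_mtime)))
    return rows


def orphan_journals(rows):
    """Journal/WAL files whose .db is not in the pull: the copy is incomplete."""
    present = {(package, rel) for package, rel, *_ in rows}
    orphans = []
    for package, rel, *_ in rows:
        for suffix in JOURNAL_SUFFIXES:
            if rel.endswith(suffix) and (package, rel[: -len(suffix)]) not in present:
                orphans.append((package, rel))
    return orphans


def demo():
    """Build a constructed pull tree and inventory it."""
    root = tempfile.mkdtemp()
    files = {   # constructed contents; only the layout matters
        "data/com.android.providers.contacts/databases/contacts2.db": b"SQLite format 3\x00" + b"\x00" * 64,
        "data/com.android.providers.contacts/databases/contacts2.db-journal": b"\xd9\xd5\x05\xf9\x20\xa1\x63\xd7",
        "data/com.example.app/shared_prefs/com.example.app_preferences.xml": b'<map><string name="user">x</string></map>',
        "data/com.example.orphan/databases/cache.db-journal": b"\x00" * 8,
        "data/com.example.app/lib/libnative.so": b"\x7fELF",   # not an artefact dir, ignored
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    rows = inventory(root)
    return rows, orphan_journals(rows)


if __name__ == "__main__":
    rows, orphans = demo()
    for row in rows:
        print(row)
    print("orphan journals:", orphans)
```

Keep each database together with its -journal (or -wal and -shm) file: a hot journal holds data that SQLite has not yet committed, and a database opened without it can show a different state from the one on the device.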
Using SQLite Browser
SQLite Browser is a tool that can help during the course of analyzing the extracted data. SQLite Browser allows you to explore database files with the following extensions: .sqlite, .sqlite3, .sqlitedb, .db, and .db3. The main advantage of using SQLite Browser is that it shows the data in table form. Navigate to File | Open Database to open a .db file using SQLite Browser. As shown in the following screenshot, there are three tabs: Database Structure, Browse Data, and Execute SQL. The Browse Data tab allows you to see the information present in the different tables within the .db files. We will be mostly using this tab during our analysis. Alternately, Oxygen Forensic SQLite Database Viewer can also be used for the same purpose. Recovering deleted data from database files is possible and will be explained in Chapter 10, Android Data Recovery Techniques.
SQLite Browser
The following sections throw light on identifying important data and manually extracting various details from an Android phone.
Extracting device information
Knowing the details of your Android device, such as the model, version, and more, will aid in your investigation. For example, when the device is physically damaged and prohibits the examination of the device information on screen, you can grab the details about the device by viewing the build.prop file present in the /system folder, as follows (on a device that boots, adb shell getprop returns the same properties without reading the file):
shell@android:/system $ cat build.prop
cat build.prop
# begin build properties
# autogenerated by buildinfo.sh
ro.build.id=JZO54K
ro.build.display.id=JZO54K.I9300XXEMH4
ro.build.version.incremental=I9300XXEMH4
ro.build.version.sdk=16
ro.build.version.codename=REL
ro.build.version.release=4.1.2
ro.build.date=Tue Sep 17 17:26:31 KST 2013
ro.build.date.utc=1379406391
......
ro.product.model=GT-I9300
ro.product.brand=samsung
ro.product.name=m0xx
ro.product.device=m0
ro.product.board=smdk4x12
ro.product.cpu.abi=armeabi-v7a
ro.product.cpu.abi2=armeabi
ro.product_ship=true
ro.product.manufacturer=samsung
......
ro.build.description=m0xx-user 4.1.2 JZO54K I9300XXEMH4 rel
ro.build.fingerprint=samsung/m0xx/m0:4.1.2/JZO54K/I9300XXEM
......
ro.build.PDA=I9300XXEMH4
ro.build.hidden_ver=I9300XXEMH4
......
ro.sec.fle.encryption=true
......
ro.com.google.gmsversion=4.1_r6
dalvik.vm.dexopt-flags=m=y
net.bt.name=Android
dalvik.vm.stack-trace-file=/data/anr/traces.txt
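The following script is an added example, not code from the book. It parses the key=value format shown above (lines starting with # are comments), extracts the properties an examiner records about a device, converts ro.build.date.utc to a UTC timestamp so it can be cross-checked against the local-time ro.build.date, and lists vendor and encryption related properties worth noting before a physical acquisition. SAMPLE is constructed from the values listed above; the fingerprint line that appears truncated there is kept as it appears.

```python
"""Parse build.prop and summarise the device identity.

Added example, not from the book. SAMPLE is constructed from the values
listed above; the truncated fingerprint line is kept as it appears there.
"""
from datetime import datetime, timezone

SAMPLE = """\
# begin build properties
# autogenerated by buildinfo.sh
ro.build.id=JZO54K
ro.build.display.id=JZO54K.I9300XXEMH4
ro.build.version.incremental=I9300XXEMH4
ro.build.version.sdk=16
ro.build.version.codename=REL
ro.build.version.release=4.1.2
ro.build.date=Tue Sep 17 17:26:31 KST 2013
ro.build.date.utc=1379406391
ro.product.model=GT-I9300
ro.product.brand=samsung
ro.product.name=m0xx
ro.product.device=m0
ro.product.board=smdk4x12
ro.product.cpu.abi=armeabi-v7a
ro.product.manufacturer=samsung
ro.build.fingerprint=samsung/m0xx/m0:4.1.2/JZO54K/I9300XXEM
ro.sec.fle.encryption=true
dalvik.vm.stack-trace-file=/data/anr/traces.txt
"""

# Property -> label used in the examiner's summary.
IDENTITY_KEYS = {
    "ro.product.manufacturer": "manufacturer",
    "ro.product.model": "model",
    "ro.product.device": "device",
    "ro.build.version.release": "android_release",
    "ro.build.version.sdk": "api_level",
    "ro.build.id": "build_id",
    "ro.build.display.id": "build_display_id",
    "ro.build.fingerprint": "fingerprint",
}


def parse_build_prop(text):
    """Return the properties as a dict; comments and blank or malformed lines are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def device_summary(props):
    """Pick out the identifying properties; missing ones are reported as empty strings."""
    return {label: props.get(key, "") for key, label in IDENTITY_KEYS.items()}


def build_time_utc(props):
    """ro.build.date.utc as ISO-8601 UTC (ro.build.date is in the build host's local zone, KST above)."""
    return datetime.fromtimestamp(int(props["ro.build.date.utc"]), tz=timezone.utc).isoformat()


def property_flags(props, prefixes=("ro.sec.", "ro.crypto.")):
    """Vendor and encryption related properties worth noting before a physical acquisition."""
    return {k: v for k, v in sorted(props.items()) if k.startswith(prefixes)}


if __name__ == "__main__":
    props = parse_build_prop(SAMPLE)
    for label, value in device_summary(props).items():
        print(f"{label:>18}: {value}")
    print(f"{'built (UTC)':>18}: {build_time_utc(props)}")
    print("flags:", property_flags(props))
```

The build fingerprint is the value to quote in the report, since it identifies the exact firmware build the examination was performed against, which matters when a bypass or rooting method is later questioned.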
Extracting call logs
Accessing the call logs of a phone is often required during an investigation to confirm certain events. The information about call logs is stored in the contacts2.db file located at /data/data/com.android.providers.contacts/databases/. As mentioned earlier, you can use SQLite Browser to see the data present in this file after extracting it to a local folder on the forensic workstation. By using the adb pull command, the necessary .db files can be extracted to a folder on the forensic workstation, as shown in the following screenshot:
The contacts2.db file copied to a local folder
Note that applications used to make calls can store call log details in their respective application folders. All communication applications must be examined for call log details, as follows:
C:\android-sdk-windows\platform-tools>adb.exe pull /data/data/com.android.providers.contacts C:\temp
pull: building file list...
........
pull: /data/data/com.android.providers.contacts/databases/contacts2.db -> C:\temp/databases/contacts2.db
pull: /data/data/com.android.providers.contacts/databases/profile.db -> C:\temp/databases/profile.db
pull: /data/data/com.android.providers.contacts/databases/profile.db-journal -> C:\temp/databases/profile.db-journal
6 files pulled. 0 files skipped.
70 KB/s (644163 bytes in 8.946s)
Now, open the contacts2.db file using SQLite Browser (navigating to File | Open Database) and browse through the data present in the different tables. The calls table present in the contacts2.db file provides information about the call history. The date column holds the call time as milliseconds since the Unix epoch, in UTC, and the type column distinguishes incoming (1), outgoing (2), and missed (3) calls. The following screenshot highlights the call history along with the name, number, duration, and date.
Extracting SMS/MMS
During the course of investigation, a forensic examiner may be asked to retrieve the text messages that are sent by and delivered to a particular mobile device. Hence, it is important to understand where the details are stored and how to access the data. The mmssms.db file, which is present under the /data/data/com.android.providers.telephony/databases location, contains the necessary details. As with call logs, the examiner must ensure that applications capable of messaging are examined for relevant message logs, as follows:
C:\android-sdk-windows\platform-tools>adb.exe pull /data/data/com.android.providers.telephony C:\temp
pull: building file list...
......
-> C:\temp/databases/telephony.db-journal
pull: /data/data/com.android.providers.telephony/databases/mmssms.db -> C:\temp/databases/mmssms.db
pull: /data/data/com.android.providers.telephony/databases/telephony.db -> C:\temp/databases/telephony.db
5 files pulled. 0 files skipped.
51 KB/s (160951 bytes in 3.045s)
The phone number can be seen under the address column and the corresponding text message can be seen under the body column, as shown in the following screenshot:
Calls table in the contacts2.db file
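The calls table in contacts2.db and the sms table in mmssms.db are ordinary SQLite tables whose date column holds milliseconds since the Unix epoch, so the two pulled files can be merged into one timeline with a short script. The following is an added example serving both sections above, not code from the book; it constructs both databases in memory with a reduced subset of the real columns, and the type codes are the AOSP CallLog.Calls and Telephony.Sms constants.

```python
"""Merge the calls table of contacts2.db and the sms table of mmssms.db into one timeline.

Added example, not the book's code. Both databases are constructed in memory with a
reduced subset of the real columns; the type codes are the AOSP constants
CallLog.Calls.INCOMING_TYPE/OUTGOING_TYPE/MISSED_TYPE and Telephony.Sms.MESSAGE_TYPE_*.
"""
import sqlite3
from datetime import datetime, timezone

CALL_TYPES = {1: "incoming", 2: "outgoing", 3: "missed"}
SMS_TYPES = {1: "received", 2: "sent", 3: "draft", 4: "outbox"}


def make_sample_dbs():
    """Constructed stand-ins for the pulled contacts2.db and mmssms.db files."""
    contacts = sqlite3.connect(":memory:")
    contacts.execute("CREATE TABLE calls (_id INTEGER PRIMARY KEY, number TEXT, "
                     "date INTEGER, duration INTEGER, type INTEGER, name TEXT)")
    contacts.executemany(
        "INSERT INTO calls (number, date, duration, type, name) VALUES (?, ?, ?, ?, ?)",
        [("+15550100", 1379406391000, 95, 1, "Alice"),
         ("+15550199", 1379409991000, 0, 3, None),
         ("+15550100", 1379413591000, 12, 2, "Alice")])
    sms = sqlite3.connect(":memory:")
    sms.execute("CREATE TABLE sms (_id INTEGER PRIMARY KEY, address TEXT, "
                "date INTEGER, type INTEGER, body TEXT)")
    sms.executemany(
        "INSERT INTO sms (address, date, type, body) VALUES (?, ?, ?, ?)",
        [("+15550199", 1379407991000, 1, "call me when you land"),
         ("+15550199", 1379408291000, 2, "landed, will do")])
    return contacts, sms


def format_ts(ms: int) -> str:
    """Both tables store date as milliseconds since the Unix epoch; report it in UTC."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def build_timeline(contacts, sms) -> list:
    """Return (timestamp, kind, counterpart, detail) tuples sorted by time."""
    events = []
    for number, date, duration, ctype, name in contacts.execute(
            "SELECT number, date, duration, type, name FROM calls"):
        who = f"{name} <{number}>" if name else number
        label = CALL_TYPES.get(ctype, f"type {ctype}")   # unknown codes are reported, not dropped
        events.append((date, "call", who, f"{label}, {duration}s"))
    for address, date, stype, body in sms.execute(
            "SELECT address, date, type, body FROM sms"):
        label = SMS_TYPES.get(stype, f"type {stype}")
        events.append((date, "sms", address, f"{label}: {body}"))
    events.sort(key=lambda event: event[0])
    return [(format_ts(date), kind, who, detail) for date, kind, who, detail in events]


if __name__ == "__main__":
    for row in build_timeline(*make_sample_dbs()):
        print(" | ".join(row))
```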
Extracting browser history
Browser history information is one task that is often required to be reconstructed by a forensic examiner. Apart from the default Android Browser, there are different browser applications that can be used on an Android phone, such as Firefox Mobile, Google Chrome, and so on. All of these browsers store their browser history in the SQLite .db format. For our example, we are extracting data from the default Android browser to our forensic workstation. This data is located at /data/data/com.android.browser. The file named browser2.db contains the browser history details. The following screenshot shows the browser data as represented by Oxygen Forensic SQLite Database Viewer. Note that the trial version will hide certain information.
The browser2.db file in Oxygen Forensic SQLite Viewer
Analysis of social networking/IM chats
Social networking and IM chat applications such as Facebook, Twitter, and WhatsApp reveal sensitive data, which could be helpful during the investigation of any case. The analysis is pretty much the same as with any other Android application. Download the data to a forensic workstation and analyze the .db files to find out if you can unearth any sensitive information. For example, let's look at the Facebook application and try to see what data can be extracted. First, we extract the /data/data/com.facebook.katana folder and navigate to the databases folder. The fb.db file present under this folder contains information which is associated with the user's account. The friends_data table contains information about the friends' names along with their phone numbers, e-mail IDs, and dates of birth, as shown in the following screenshot. Similarly, other files can be analyzed to find out if any sensitive information can be gathered.
The fb.db file in SQLite browser
Similarly, by analyzing the data present in the /data/data folder, information about geolocation, calendar events, user notes, and more can be grabbed.
Using content providers
In Android, the data of one application cannot be accessed by another application under normal circumstances. However, Android provides a mechanism through which data can be shared with other applications. This is precisely achieved through the use of content providers. Content providers present data to external applications in the form of one or more tables. These tables are no different from the tables found in a relational database. They can be used by the applications to share data, usually through the URI addressing scheme. They are used by other applications that access the provider using a provider-client object. During the installation of an app, the user determines whether or not the app can gain access to the requested data (content providers). For instance, contacts, SMS/MMS, calendar, and so on, are examples of content providers.
Hence, by taking advantage of this, we can create an app that can grab all the information from all the available content providers. This is precisely how most of the commercial forensic tools work. The advantage of this method is it can be used on both rooted and non-rooted devices. For our example, we are using AFLogical, which takes advantage of the content-provider mechanism to gain access to the information. This tool extracts the data and saves it to an SD card in CSV format. The following steps extract the information from an Android device using AFLogical Open Source Edition 1.5.2:
1. Download AFLogical OSE 1.5.2 from https://github.com/viaforensics/android-forensics/downloads.
Note
The AFLogical LE edition is capable of extracting a larger set of information and requires registration with viaForensics using an active law enforcement or government agency e-mail. AFLogical OSE can pull all available MMSes, SMSes, contacts, and call logs.
2. Ensure USB debugging mode is enabled and connect the device to the workstation.
3. Verify that the device is identified by issuing the following command:
C:\android-sdk-windows\platform-tools>adb.exe devices
List of devices attached
4df16ac3115d6p18    device
4. Save the AFLogical OSE app in the home directory and issue the following command to install it on the device:
C:\android-sdk-windows\platform-tools>adb.exe install AFLogical-OSE_1.5.2.apk
1479 KB/s (28794 bytes in 0.019s)
pkg: /data/local/tmp/AFLogical-OSE_1.5.2.apk
Success
5. Once the application is installed, you can run it directly from the device and click on the Capture button present at the bottom of the app, as shown in the following screenshot:
The AFLogical OSE app
6. The app starts extracting data from the respective content providers and once the process is complete, a message will be displayed, as shown in the following screenshot:
Message displayed after the extraction is complete
7. The extracted data is saved to the SD card of the device in a directory named forensics. The extracted information is stored in CSV files, as shown in the following figure. The CSV files can be viewed using any editor.
Files extracted using AFLogical OSE
8. The info.xml file present in the same directory provides information about the device including the IMEI number, IMSI number, Android version, information about installed applications, and so on.
Other tools that can help during investigation to logically extract data will be covered in Chapter 11, Android App Analysis and Overview of Forensic Tools.
Physical data extraction
Android data extraction through physical techniques (hardware-based) mainly involves two methods: JTAG and chip-off. These techniques are usually hard to implement and require great precision and experience to try them on real devices during the course of an investigation. The following sections provide an overview of these techniques.
JTAG
JTAG (Joint Test Action Group) involves using advanced data acquisition methods, which involve connecting to specific ports on the device and instructing the processor to transfer the data stored on the device. By using this method, a full physical image of a device can be acquired. It is always recommended to first try out the logical techniques mentioned earlier as they are easy to implement and require less effort. Examiners must have proper training and experience prior to attempting JTAG as the device may be damaged if handled improperly.
The JTAG process usually involves the following forensic steps:
1. In JTAG, the device Test Access Ports (TAPs) are used to access the CPU of the device. Identifying the TAPs is the primary and most important step. TAPs are identified and the connection is traced to the CPU to find out which pad is responsible for each function. Although device manufacturers document resources about the JTAG schematics of a particular device, they are not released for general viewing. A good site for JTAG on an Android device is http://www.forensicswiki.org/wiki/JTAG_Forensics.
2. Wire leads are then soldered to appropriate connector pins and the other end is connected to the device that can control the CPU, as shown in the following image (published by www.binaryintel.com). JTAG jigs can be used to forgo soldering for certain devices. The use of a jig or JTAG adapter negates the need to solder, as it connects the TAPs to the CPU.
The JTAG setup
3. Once the preceding steps are complete, power must be applied to boot the CPU. The voltage that must be applied depends on the specifications released by the hardware manufacturer. Do not apply a voltage beyond the number mentioned in the specification.
4. After applying the power, a full binary memory dump of the NAND flash can be extracted.
5. Analyze the extracted data using the forensic techniques and tools learned in this book. A raw .bin file will be obtained during the acquisition and most forensic tools support ingestion and analysis of this image format.
It is also important to understand that the JTAG technique should not result in loss of functionality of the device. If reassembled properly, the device should function without any problems. Although the JTAG technique is effective in extracting the data, only experienced and qualified personnel should attempt it. Any error in soldering the JTAG pads or applying a different voltage could damage the device entirely.
Chip-off
Chip-off, as the name suggests, is a technique where the NAND flash chip(s) are removed from the device and examined to extract the information. Hence, this technique will work even when the device is passcode-protected and USB debugging is not enabled. Unlike the JTAG technique where the device functions normally after examination, the chip-off technique usually results in destruction of the device, that is, it is more difficult to reattach the NAND flash to the device after examination. The process of reattaching the NAND flash to the device is called re-balling and requires training and practice.
Chip-off techniques usually involve the following forensic steps:
1. All of the chips on the device must be researched to determine which chip contains user data. Once determined, the NAND flash is physically removed from the device. This can be done by applying heat to desolder the chip as shown in the following image (published by www.binaryintel.com). This is a very delicate process and must be done with great care as it may result in damaging the NAND flash.
The chip-off technique
2. The chip is then cleaned and repaired to make sure that the connectors are present and functioning.
3. Using specialized hardware device adapters, the chip can now be read. This is done by inserting the chip into the hardware device, which supports the specific NAND flash chip. In this process, raw data is acquired from the chip resulting in a .bin file.
4. The data acquired can now be analyzed using forensic techniques and the tools described earlier.
The chip-off technique is most helpful when the device is damaged severely, locked, or otherwise inaccessible. However, the application of this technique requires not only expertise but also costly equipment and tools. There is always a risk of damaging the NAND flash while removing it and hence it is recommended to try out the logical techniques first to extract any data.
Imaging a memory (SD) card
There are many tools available that can image a memory card. The following example uses WinHex to create a raw disk image of the SD card. The following is a step-by-step process to image a memory card using the WinHex software.
1. Connecting the memory card: Remove the SD card from the memory slot and use a card reader to connect the memory card to the forensic workstation.
2. Write protect the card: Open the disk using WinHex. Navigate to Options | Edit Mode and select the write-protected mode, as shown in the following screenshot. This is to make sure that the device is write protected and no data can be written on it.
WinHex view of Edit Mode (left) and WinHex Read-only Mode enabled (right)
3. Calculating the hash value: Calculate the hash value of the memory card to make sure that no changes are made at any point during the investigation. Navigate to Tools | Compute hash and choose any hashing algorithm.
4. Creating the image of the disk: Navigate to File | Create Disk Image, as shown in the following screenshot. Select the Raw image option (.dd) to create an image. This completes the imaging of the memory card.
Summary
Imaging a device is one of the primary steps to ensure that the data on the device is not modified. Once the device is accessible, an examiner can extract the data using manual, logical, or physical data extraction techniques. Logical techniques extract the data by accessing the filesystem. While the physical techniques access a larger set of data, they are complex and require great expertise to perform. Manual extraction should be performed to validate data or only when one tool is used to create the image. Once the data is acquired, examination and manual extraction follows, as described in the next chapter.
Chapter 10. Android Data Recovery Techniques
While the data extraction and analysis techniques provide information about various details such as call logs, text messages, and other cellular functions, not all techniques can provide information about the deleted data. It is rare to find a smartphone today that doesn't contain data the user intended to delete. The probability that the deleted data contains sensitive information (which is why the data is deleted in the first place) is high. Hence, data recovery is a crucial aspect of mobile forensics as it helps to unearth the deleted items. This chapter aims to cover various techniques, which can be used by a forensic analyst to recover the data from an Android device.
Data recovery
Data recovery is one of the most significant and powerful aspects of forensic analysis. The ability to recover deleted data can be crucial to crack many civil and criminal cases. From a normal user's point of view, recovering data that has been deleted would usually refer to the operating system's built-in solutions such as the Recycle Bin in Windows. While it's true that data can be recovered from these locations, due to an increase in user awareness, these options don't often work. For instance, on a desktop computer, people now use Shift + Delete as a way to delete a file completely from their desktop.
Data recovery is the process of retrieving deleted data from a device when it cannot be accessed normally. Consider the scenario where a mobile phone has been seized from a terrorist. Wouldn't it be of greatest importance to know which items were deleted by the terrorist? Access to any deleted SMS messages, pictures, dialed numbers, application data, and more can be of critical importance as they often reveal sensitive information. With Android, it is possible to recover most of the deleted data if the device files are properly acquired. However, if proper care is not taken while handling the device, the deleted data could be lost forever. To ensure that the deleted data is not overwritten, it is recommended to keep the following points in mind:
Do not use the phone for any activity after seizing it. The deleted data exists on the device until the space is needed by some other incoming data. Hence, the phone must not be used for any sort of activity so as to prevent the data from being overwritten. Even when the phone is not used, without any intervention from our end, data can be overwritten. For instance, an incoming SMS would automatically occupy the space, which could overwrite the data marked for deletion. To prevent occurrence of such events, the examiner should follow the forensic handling methods described in the previous chapters. The easiest solution is to place the device in airplane mode, disable all connectivity options on the device, or turn the device off. This prevents the delivery of any new messages.
Recovering the deleted files
All Android filesystems have metadata containing information about the hierarchy of files, file names, and so on. Deletion will not really erase the data but remove the filesystem metadata. When text messages or any other files are deleted from the device, they are just made invisible to the user but the files are still present on the device. Essentially, the files are simply marked for deletion, but reside on the filesystem until being overwritten. Recovering deleted data from an Android device involves two scenarios: recovering data that is deleted from the SD card, such as pictures, videos, application data, and more, and recovering data that is deleted from the internal memory of the device. The following sections cover the techniques that can be used to recover deleted data from both the SD card and internal memory of the Android device.
Recovering deleted data from an SD card
Data present on SD cards can reveal a lot of information for forensic investigators. SD cards are capable of storing pictures and videos taken by the phone's camera, voice recordings, application data, cached files, and more. Essentially, anything that can be stored on a computer hard drive can be stored on an SD card as much as the available space allows. Recovering the deleted data from an external SD card is a straightforward process. SD cards can be mounted as an external mass storage device and forensically acquired using standard digital forensic methods as discussed in Chapter 9, Android Data Extraction Techniques. The device should never be mounted on a computer to copy the files as the unallocated space will be missed. As mentioned in the previous chapters, SD cards in Android devices often use the FAT32 filesystem. The main reason for this is that the FAT32 filesystem is widely supported in most operating systems including Windows, Linux, and Mac OS X. The maximum file size on a FAT32 formatted drive is around 4 GB. With increasingly high resolution formats now available, this limit is commonly reached. Apart from this, FAT32 can be used on partitions that are less than 32 GB in size. Hence, the exFAT filesystem, which overcomes these problems, is now being used in some of the devices.
To recover the deleted files from an SD card, you can use any of the available forensic tools such as the Remo Recover for Android tool. The following is a step-by-step process to recover the deleted files from an SD card using Remo Recover for Android:
1. Download the software from http://www.remosoftware.com/remo-recover-for-android. Next, install the software and launch it. From the main screen, select the appropriate file recovery mode. The tool tries to recognize the Android device and displays the following screen, once the device is successfully detected. Note, the Android device must be able to connect via USB debugging or the device may not be detected.
Android recovery—device detection
2. The tool presents you with a list of storage devices available, as shown in the following screenshot. Select the storage device from the list and proceed.
The list of storage devices available
3. Select the type of file to be recovered or select all and proceed further.
4. Once the recovery process is complete, a list of the extracted files will be provided as shown in the following screenshot:
Recovered files list
Examiners must understand that Android devices might use space on the SD card to cache application data, therefore it is important to make sure that as much data as possible is obtained from the device prior to removing the SD card. It is recommended to acquire the SD card through the device as well as separately to ensure all data is obtained. To achieve the SD card image, dd through adb can be used while the device is running to obtain an image of the SD card of the device if the device cannot be powered off due to possible evidence running in the memory. A memory capture can be obtained on the Android device should data actively running in the memory be relevant to the investigation. Tools such as LiME can be used to complete the memory capture. LiME can be accessed on the following site: https://code.google.com/p/lime-forensics/.
It is also recommended to check if the device has any backup applications or files installed. The initial release of Android did not include a mechanism for the users to back up their personal data. Hence, several backup applications were used extensively by the users. By using the apps, users have the ability to back up their data either to the SD card or to the cloud. For example, the Super Backup app contains the options to back up call logs, contacts, SMS, and more as shown in the following screenshot:
The Super Backup Android app
Upon detection of a backup application, the forensic examiners must attempt to determine where the data is stored. The data saved in a backup may contain important information and thus looking for any third-party backup app on the device would be very helpful.
Recovering data deleted from internal memory
Recovering files which are deleted from Android's internal memory (such as SMS, contacts, app data, and more) is not supported by all analytical tools and may require manual carving. Unlike some media containing common filesystems such as SD cards, the filesystem may not be recognized and mounted by forensic tools. Also, the examiner cannot get access to the raw partitions of the internal memory of an Android phone unless the phone is rooted. The following are some of the other issues the examiner may face when attempting to recover data from the internal memory on Android devices:
To get access to the internal memory you can try to root the phone. However, the rooting process might involve writing some data to the /data partition and this process could overwrite the data of value on the device.
Unlike SD cards, the internal filesystem here is not FAT32 (which is widely supported by forensic tools). The internal filesystem could be YAFFS2 (in older devices), EXT3, EXT4, RFS, or something proprietary built to run on Android. Therefore, many of the recovery tools designed for use with Windows filesystems won't work.
Application data on Android devices is commonly stored in the SQLite format. While most forensic tools provide access to the database files, they may have to be exported and viewed in a native browser. The examiner must examine the raw data to ensure that the deleted data is not overlooked by the forensic tool.
The discussed reasons make it difficult, but not impossible, to recover the deleted data from the internal memory. The internal memory of Android devices holds a bulk of the user data and the possible keys to your investigation. As previously mentioned, the device must be rooted in order to access the raw partitions. Most of the Android recovery tools on the market do not highlight the fact that they work only on rooted phones. Let us now see how we can recover deleted data from an Android phone.
Recovering deleted files by parsing SQLite files
Android uses SQLite files to store most data. Data related to text messages, e-mails, and certain app data is stored in SQLite files. SQLite databases can store deleted data within the database itself. Files marked for deletion by the user no longer appear in the active SQLite database files. Therefore, it is possible to recover the deleted data such as text messages, contacts, and more. There are two areas within a SQLite page that can contain deleted data: unallocated blocks and free blocks. Most of the commercial tools that recover deleted data scan the unallocated blocks and free blocks of the SQLite pages. Parsing the deleted data can be done using the available forensic tools such as Oxygen Forensics SQLite Viewer. The trial version of the SQLite Viewer can be used for this purpose; however, there are certain limitations on the amount of data that you can recover. You can write your own script to parse the files for deleted content and for that you need to have a good understanding about the SQLite file format. The link http://www.sqlite.org/fileformat.html is a good place to start with. If you do not want to reinvent and want to reuse the existing scripts, you can try the available open source Python scripts (http://az4n6.blogspot.in/2013/11/python-parser-to-recover-deleted-sqlite.html) to parse the SQLite files for deleted records.
For our example, we will recover deleted SMSes from an Android device. Recovering deleted SMSes from an Android phone is quite often requested as part of forensic analysis on a device mainly because text messages contain data, which can reveal a lot of information. There are different ways to recover deleted text messages on an Android device. First, we need to understand where the messages are being stored on the device. In Chapter 9, Android Data Extraction Techniques, we explained the important locations on the Android device where user data is stored. Here is a quick recap of this:
Every application stores its data under the /data/data folder (again, this requires root access to acquire data)
The files under the location /data/data/com.android.providers.telephony/databases contain details about SMS/MMS
Under the preceding mentioned location, text messages are stored in a SQLite database file, which is named mmssms.db. Deleted text messages can be recovered by examining this file. Here are the steps to recover deleted SMSes using the mmssms.db file:
1. On the Android device, enable the USB debugging mode and connect the device to the forensic workstation. Using the adb command-line tool, extract the databases folder present under the location /data/data/ by issuing the adb pull command:
C:\android-sdk-windows\platform-tools>adb.exe pull /data/data/com.android.providers.telephony/databases C:\temp
pull: building file list...
pull: /data/data/com.android.providers.telephony/databases/mmssms.db-journal -> C:\temp/mmssms.db-journal
pull: /data/data/com.android.providers.telephony/databases/telephony.db-journal -> C:\temp/telephony.db-journal
pull: /data/data/com.android.providers.telephony/databases/mmssms.db -> C:\temp/mmssms.db
pull: /data/data/com.android.providers.telephony/databases/telephony.db -> C:\temp/telephony.db
4 files pulled. 0 files skipped.
53 KB/s (160848 bytes in 2.958s)
Once the files are extracted to the local machine, use the Oxygen Forensics SQLite Viewer tool to open the mmssms.db file.
2. Click on the table named sms and observe the current message under the Tables data tab in the tool.
3. One way to view the deleted data is by clicking on the Blocks containing deleted data tab, as shown in the following screenshot:
Recovering deleted SMS messages
Similarly, other data residing on Android devices which store data in SQLite files can be recovered by parsing for deleted content. When the preceding method doesn't provide access to the deleted data, the examiner should look at the file in raw hex for data marked as deleted, which can be manually carved and reported.
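The "blocks containing deleted data" that the viewer shows are exactly the two areas named above, the freeblock chain and the unallocated region of each b-tree page, and both can be walked with nothing more than the page-header layout from the SQLite file format document. The following is an added example of that walk, not the book's code and not a re-implementation of the Oxygen viewer: it builds a small mmssms.db-style sms table in a temporary file, deletes one message, then carves the printable remnants back out of the raw file.

```python
"""Recover deleted-row remnants from the free areas of a SQLite database file.

Added example, not the book's code. It creates a small mmssms.db-style sms table in a
temporary file, deletes one message, then walks every b-tree page of the raw file and
collects printable strings that survive in the page's freeblock chain and unallocated
region, following the page layout described at http://www.sqlite.org/fileformat.html.
"""
import os
import re
import sqlite3
import struct
import tempfile

# b-tree page type byte -> page header length (8 for leaf pages, 12 for interior pages)
BTREE_HEADER_LEN = {0x0D: 8, 0x0A: 8, 0x05: 12, 0x02: 12}


def page_size_of(db: bytes) -> int:
    """Page size is the big-endian 16-bit value at offset 16 of the file header (1 means 65536)."""
    size = struct.unpack(">H", db[16:18])[0]
    return 65536 if size == 1 else size


def free_regions(page: bytes, is_first_page: bool):
    """Yield (label, data) for the unallocated area and each freeblock of one b-tree page."""
    hdr = 100 if is_first_page else 0             # page 1 carries the 100-byte file header first
    if page[hdr] not in BTREE_HEADER_LEN:
        return                                     # freelist, overflow or pointer-map page
    first_freeblock, ncells, content_start = struct.unpack(">HHH", page[hdr + 1:hdr + 7])
    if content_start == 0:
        content_start = 65536
    cell_ptr_end = hdr + BTREE_HEADER_LEN[page[hdr]] + 2 * ncells   # 2-byte pointer per cell
    # Unallocated: between the end of the cell pointer array and the cell content area.
    yield "unallocated", page[cell_ptr_end:content_start]
    # Freeblocks form a singly linked list; each starts with (next offset, total size).
    offset, seen = first_freeblock, set()
    while offset and offset not in seen and offset + 4 <= len(page):
        seen.add(offset)
        nxt, size = struct.unpack(">HH", page[offset:offset + 4])
        if size < 4:
            break                                  # corrupt chain: stop rather than loop
        yield "freeblock", page[offset + 4:offset + size]   # only the 4 header bytes are overwritten
        offset = nxt


def carve_strings(db: bytes, min_len: int = 8) -> list:
    """Return (page_number, region, text) for every printable run found in free space."""
    psize = page_size_of(db)
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    hits = []
    for index in range(len(db) // psize):
        page = db[index * psize:(index + 1) * psize]
        for label, region in free_regions(page, index == 0):
            for match in pattern.finditer(region):
                hits.append((index + 1, label, match.group().decode("ascii")))
    return hits


def demo() -> dict:
    """Create a toy sms table, delete the middle message, and carve its remnants back."""
    messages = [                                   # constructed sample rows
        ("+15550199", 1379407991000, 1, "call me when you land"),
        ("+15550199", 1379408291000, 2, "meet at the usual place at nine"),
        ("+15550100", 1379409991000, 1, "running late, start without me"),
    ]
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        conn = sqlite3.connect(path)
        # Leave freed bytes in place even if this SQLite build defaults to secure_delete.
        conn.execute("PRAGMA secure_delete = OFF")
        conn.execute("CREATE TABLE sms (_id INTEGER PRIMARY KEY, address TEXT, "
                     "date INTEGER, type INTEGER, body TEXT)")
        conn.executemany("INSERT INTO sms (address, date, type, body) VALUES (?, ?, ?, ?)",
                         messages)
        conn.commit()
        conn.execute("DELETE FROM sms WHERE body = ?", (messages[1][3],))
        conn.commit()
        live = [row[0] for row in conn.execute("SELECT body FROM sms ORDER BY _id")]
        conn.close()
        with open(path, "rb") as fh:
            raw = fh.read()
    finally:
        os.unlink(path)
    return {"deleted_body": messages[1][3], "live_bodies": live, "carved": carve_strings(raw)}


if __name__ == "__main__":
    result = demo()
    for page, region, text in result["carved"]:
        print(f"page {page} {region:12} {text!r}")
```

The deleted row sits between two live rows in the cell content area, so it becomes a freeblock; a row freed at the top of the content area is instead folded into the unallocated region, which the same scan covers.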
Recovering files using file-carving techniques
File carving is an extremely useful method in forensics because it allows for data that has been deleted or hidden to be recovered for analysis. In simple terms, file carving is the process of reassembling computer files from fragments in the absence of filesystem metadata. In file carving, specified file types are searched for and extracted across the binary data of a forensic image of a partition or an entire disk. File carving recovers files from the unallocated space in a drive based merely on file structure and content without any matching filesystem metadata. Unallocated space refers to the part of the drive that no longer holds any file information as pointed by the filesystem structures such as the file table.
Files can be recovered or reconstructed by scanning the raw bytes of the disk and reassembling them. This can be done by examining the header (the first few bytes) and footer (the last few bytes) of a file.
File-carving methods are categorized based on the underlying technique in use. The header-footer carving method relies on recovering the files based on the header and footer information. For instance, the JPEG files start with 0xffd8 and end with 0xffd9. The locations of the header and footer are identified and everything between those two endpoints is carved. Similarly, the carving method based on the file structure uses the internal layout of a file to reconstruct the file. But the traditional file-carving techniques such as the ones we've already explained may not work if the data is fragmented. To overcome this, new techniques such as smart carving use the fragmentation characteristics of several popular filesystems to recover the data.
Once the phone is imaged, it can be analyzed using tools such as Scalpel. Scalpel is a powerful open source utility to carve files. This tool analyzes the block database storage and identifies the deleted files and recovers them. Scalpel is filesystem independent and is known to work on various filesystems including FAT, NTFS, EXT2, EXT3, HFS, and more. The following steps explain how to use Scalpel on an Ubuntu workstation:
1. Install Scalpel on the Ubuntu workstation using the command sudo apt-get install scalpel.
2. The scalpel.conf file present under the /etc/scalpel directory contains information about the supported file types, as shown in the following screenshot:
The scalpel configuration file
This file needs to be modified in order to mention the files that are related to Android. A sample scalpel.conf file can be downloaded from the link https://viaforensics.com/resources/tools/#android. You can also uncomment the files and save the conf file to select file types of your choice. Once this is done, replace the original conf file with the one that is downloaded.
3. Scalpel needs to be run along with the preceding configuration file on the dd image being examined. You can run the tool using the command shown in the following screenshot, by inputting the configuration file and the dd file. Once the command is run, the tool starts to carve the files and build them accordingly.
Running the Scalpel tool on a dd file
4. The output folder specified in the preceding command now contains lists of folders based on the file types, as shown in the following screenshot. Each of these folders contains data based on the folder name. For instance, jpg2-0 contains files related to the .jpg extension that has been recovered.
Output folder after running the Scalpel tool
5. As shown in the preceding screenshot, each folder contains recovered data from the Android device, such as images, PDF files, ZIP files, and more. While some pictures are recovered completely, some are not recovered to a full extent, as shown in the following screenshot:
Recovered data using the Scalpel tool
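The header-footer method described above and the scalpel.conf step are the same idea in two forms: a table of (extension, case flag, maximum size, header, footer) entries that drives a scan of the raw image. The following is an added example that covers both, not Scalpel's own code: it parses a constructed conf fragment in that column layout and carves a constructed image with it, including a JPEG whose footer has been overwritten, which is how the partially recovered pictures in the last screenshot come about.

```python
"""Header/footer carving driven by a scalpel.conf-style signature table.

Added example, not Scalpel itself. SAMPLE_CONF is constructed in the column layout of
/etc/scalpel/scalpel.conf (extension, case-sensitive flag, maximum size, header, optional
footer, with backslash-x hex escapes); the raw image is constructed too. A file whose
footer is not found within its size limit is carved up to that limit and flagged as
truncated, which is what a partially recovered picture looks like.
"""
import re

SAMPLE_CONF = r"""
# extension  case  size   header          footer
jpg          y     200    \xff\xd8\xff    \xff\xd9
pdf          y     5000   %PDF            %EOF
"""


def _unescape(token: str) -> bytes:
    """Expand the conf file's backslash-x escapes; every other character is literal."""
    text = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), token)
    return text.encode("latin-1")


def parse_conf(text: str) -> list:
    """Return [(extension, max_size, header, footer_or_None)] from conf text."""
    specs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # '#' starts a comment
        if not line:
            continue
        fields = line.split()
        ext, _case_flag, size, header = fields[:4]   # the case flag is not needed for binary signatures
        footer = _unescape(fields[4]) if len(fields) > 4 else None
        specs.append((ext, int(size), _unescape(header), footer))
    return specs


def carve(image: bytes, specs: list) -> list:
    """Return [(name, data, complete)] for every header hit, named ext-N like Scalpel's output."""
    results = []
    for ext, max_size, header, footer in specs:
        count = 0
        start = image.find(header)
        while start != -1:
            limit = min(len(image), start + max_size)
            end = image.find(footer, start + len(header), limit) if footer else -1
            if end != -1:
                data, complete = image[start:end + len(footer)], True
                resume = start + len(data)              # skip past the carved file
            else:
                data, complete = image[start:limit], False   # no footer in range: truncated
                resume = start + len(header)            # another header may sit inside this run
            results.append((f"{ext}-{count}", data, complete))
            count += 1
            start = image.find(header, resume)
    return results


def sample_image() -> bytes:
    """Constructed raw image: filler, a complete JPEG, a JPEG whose footer was overwritten, a PDF."""
    filler = b"\x00" * 64
    jpeg_ok = b"\xff\xd8\xff\xe0" + b"JFIF-ok-" * 8 + b"\xff\xd9"
    jpeg_cut = b"\xff\xd8\xff\xe1" + b"EXIF-no-footer-" * 4
    pdf = b"%PDF-1.4\n" + b"obj " * 16 + b"%%EOF"
    return filler + jpeg_ok + filler + jpeg_cut + filler + pdf + filler


if __name__ == "__main__":
    for name, data, complete in carve(sample_image(), parse_conf(SAMPLE_CONF)):
        print(f"{name:8} {len(data):5} bytes  {'complete' if complete else 'TRUNCATED'}")
```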
Applications such as DiskDigger can be installed on Android devices to recover different types of files from both the internal memory and SD cards. Applications such as DiskDigger include support for JPG files, MP3 and WAV audio, MP4 and 3GP video, raw camera formats, Microsoft Office files (DOC, XLS, and PPT), and more. However, as mentioned earlier, the application requires root privileges on the Android device in order to recover the content from the internal memory. Thus, file-carving techniques play a very important role in recovering important deleted files from the device's internal memory.
You can also restore the contacts on the device using the Restore Contacts option through the Google account configured on the device. This would work if the user of the device has previously synced their contacts using the Sync Settings option available in Android. This option synchronizes the contacts and other details and would store them in the cloud. A forensic examiner with legal authority or proper consent can restore the dele ted contacts if they can get access to the Google account configured on the device. Once the account is accessed, perform the following steps to restore the data:
1. Log in to the Gmail account.
2. Click on Gmail in the top-left corner and select Contacts, as shown in the following screenshot:
The Contacts menu in Gmail
3. Click on More, which is present above the contacts list.
4. Click on Restore Contacts and the following screen appears:
The Restore Contacts dialog box
5. Now, you can restore the contact list to the state that it was in at any point within the past 30 days using this technique.
Summary
Recovery of the deleted data on Android devices depends on various factors which heavily rely on access to the data residing in the internal memory and SD card. While the recovery of deleted items from external storage such as an SD card is easy, recovery of deleted items from the internal memory takes considerable effort. SQLite file parsing and file-carving techniques are two methods to recover deleted data extracted from an Android device. The next chapter discusses Android forensic tools that can be helpful in extracting and acquiring data from Android devices. Both open source and commercial methods will be discussed.
Chapter11.AndroidAppAnalysisandOverviewofForensicToolsThird-partyapplicationsarecommonlyusedbysmartphoneusers.AndroidusersdownloadandinstallseveralappsfromappstoressuchasAndroidMarketandGooglePlay.Duringforensicinvestigations,itisoftenhelpfultoperformananalysisoftheseappstoretrievevaluabledataandtodetectanymalware.Forinstance,aphotovaultappmightlocksensitiveimagespresentonthedevice.Hence,itwouldbeofgreatsignificancetohavetheknowledgetoidentifythepasscodeforthephotovaultapp.Whilethedataextractionanddatarecoverytechniquesdiscussedinearlierchaptersprovideaccesstovaluabledata,appanalysiswouldhelpustogaininformationaboutthespecificsofanapplication,suchaspreferencesandpermissions.ThischaptercoversthetechniquestoreverseengineeranAndroidapplicationandalsothrowslightonsomeavailableforensictoolsthatmaybeextremelyhelpfulduringforensicacquisitionandanalysis.
AndroidappanalysisOnAndroid,everythingtheuserinteractswithisanapplication.Whilesomeappsarepreinstalledbythedevicemanufacturer,someappsaredownloadedandinstalledbytheuser.Dependingonthetypeofapplication,mostoftheseappsstoresensitiveinformationontheinternalmemoryortheSDcardonthedevice.Usingtheforensictechniquesdescribedearlier,itispossibletogetaccesstothedatastoredbytheseapplications.However,aforensicexaminerneedstodevelopthenecessaryskillstoconverttheavailabledataintousefuldata.Thisisachievedwhenyouhaveacomprehensiveunderstandingofhowtheapplicationhandlesdata.
Theexaminermayneedtodealwithapplicationsthatstandasabarriertoaccessingrequiredinformation.Forinstance,takethecaseofthegalleryonaphonelockedbyanapplockerapplication.Inthiscase,inordertoaccessthepicturesandvideosstoredonthegallery,youfirstneedtoenterthepasscodetotheapplocker.Hence,itwouldbeinterestingtoknowhowtheapplockerappstoresthepasswordonthedevice.Youmightlookintothesqlitedatabasefiles,butiftheyareencrypted,thenit'shardtoevenpredictthatit'sapassword.Reverseengineeringapplicationswouldbehelpfulinsuchcaseswhereyouwanttobetterunderstandtheapplicationandhowtheapplicationstoresthedata.
ReverseengineeringAndroidappsTostateitinsimpleterms,reverseengineeringistheprocessofretrievingsourcecodefromanexecutable.ReverseengineeringanAndroidappisdoneinordertounderstandthefunctioningoftheapp,datastorage,securitymechanismsinplace,andmore.BeforeweproceedtolearnhowtoreverseengineeranAndroidapp,hereisaquickrecapoftheAndroidapps:
AlltheapplicationsthatareinstalledontheAndroiddevicearewrittenintheJavaprogramminglanguage.WhenaJavaprogramiscompiled,wegetbytecode.Thisissenttoadexcompiler,whichconvertsitintoaDalvikbytecode.Thus,theclassfilesareconvertedtodexfilesusingdxtool.AndroidusessomethingcalledDalvikvirtualmachine(DVM)torunitsapplications.JVM'sbytecodeconsistsofoneormoreclassfilesdependingonthenumberofJavafilesthatarepresentinanapplication.Regardless,aDalvikbytecodeiscomposedofonlyonedexfile.
Thus,thedexfiles,XMLfiles,andotherresourcesthatarerequiredtorunanapplication,arepackagedintoanAndroidpackagefile(anAPKfile).TheseAPKfilesaresimplyacollectionofitemswithinaZIPfile.Therefore,ifyourenameanAPKextensionfileas.zip,thenyouwillbeabletoseethecontentsofthefile.Butbeforethat,youneedtogetaccesstotheAPKfileoftheapplicationthatisinstalledonthephone.HereishowtheAPKfilecorrespondingtoanapplicationcanbeaccessed.
ExtractinganAPKfilefromanAndroiddevice
Appsthatcomepreinstalledwiththephonearestoredinthe/system/appdirectory.Third-partyapplicationsthataredownloadedbytheuserarestoredinthe/data/appfolder.ThefollowingmethodhelpsyoutogainaccesstotheAPKfilesonthedeviceandworksonbothrootedandnon-rooteddevices:
1. Identify the package name of the app by issuing the following command:
C:\android-sdk-windows\platform-tools>adb.exe shell pm list packages
package:android
package:android.googleSearch.googleSearchWidget
package:com.android.MtpApplication
package:com.android.Preconfig
package:com.android.apps.tag
package:com.android.backupconfirm
package:com.android.bluetooth
package:com.android.browser
package:com.android.calendar
package:com.android.certinstaller
package:com.android.chrome
...
As shown in the preceding command lines, the list of package names is displayed. Try to find a match between the app in question and the package name. Usually, the package names are very much related to the app names. Alternatively, you can use the Android Market or Google Play to identify the package name easily. The URL for an app in Google Play contains the package name as shown in the following screenshot:
Facebook App in Google Play Store
2. Identify the full path name of the APK file for the desired package by issuing the following command:
C:\android-sdk-windows\platform-tools>adb.exe shell pm path com.android.chrome
package:/data/app/com.android.chrome-2.apk
3. Pull the APK file from the Android device to the forensic workstation using the adb pull command:
C:\android-sdk-windows\platform-tools>adb.exe pull /data/app/com.android.chrome-2.apk C:\temp
3493 KB/s (30943306 bytes in 8.649s)
You can also use applications such as ES Explorer to get the APK file of an Android application. Now let's analyze the contents of an APK file. An Android package is a container for an Android app's resources and executables. It's a zipped file that contains the following files:
AndroidManifest.xml: This contains information about the permissions and more
classes.dex: This is the class file converted to a dex file by the dex compiler
res: The application's resources, such as the image files, sound files, and more, are present in this directory
lib: This contains native libraries that the application may use
META-INF: This contains information about the application's signature and signed checksums for all the other files in the package.
Once the APK file is obtained, you can proceed to reverse engineer the Android application.
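An added example, not from the book, that opens a pulled APK as the ZIP container described above, inventories the entries (manifest, classes.dex, res/, lib/, META-INF/), hashes the whole file for the evidence log, and validates the classes.dex header (magic, Adler-32 checksum, SHA-1 signature, file size) before the file is handed to dex2jar. The sample APK and its header-only dex are constructed in the script; a real AndroidManifest.xml is binary XML, and plain text stands in for it here.

```python
import hashlib
import io
import struct
import zipfile
import zlib

# Fixed 0x70-byte dex header, per the Dalvik executable format:
# magic[8] | checksum u4 | signature[20] | file_size u4 | header_size u4 |
# endian_tag u4 | 17 further u4 size/offset fields.
DEX_MAGIC = b"dex\n035\0"
DEX_HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678


def build_minimal_dex() -> bytes:
    """Constructed sample: a header-only classes.dex whose checksum and
    signature fields are correct, so the checker below has real values to verify."""
    fields = struct.pack("<20I", DEX_HEADER_SIZE, DEX_HEADER_SIZE,
                         ENDIAN_CONSTANT, *([0] * 17))
    signature = hashlib.sha1(fields).digest()                 # SHA-1 over everything after the signature field
    checksum = zlib.adler32(signature + fields) & 0xFFFFFFFF  # Adler-32 over everything after the checksum field
    return DEX_MAGIC + struct.pack("<I", checksum) + signature + fields


def check_dex_header(dex: bytes) -> dict:
    """Validate the classes.dex header before decompiling it. A failing checksum or
    signature means the file was truncated or altered after it was built, which
    belongs in the examination notes before any conclusions are drawn from the code."""
    result = {"magic_ok": False, "checksum_ok": False,
              "signature_ok": False, "size_ok": False}
    if len(dex) < DEX_HEADER_SIZE:
        return result
    result["magic_ok"] = dex[:8] == DEX_MAGIC
    stored_checksum, = struct.unpack_from("<I", dex, 8)
    result["checksum_ok"] = stored_checksum == (zlib.adler32(dex[12:]) & 0xFFFFFFFF)
    result["signature_ok"] = dex[12:32] == hashlib.sha1(dex[32:]).digest()
    file_size, = struct.unpack_from("<I", dex, 32)
    result["size_ok"] = file_size == len(dex)
    return result


def build_sample_apk() -> bytes:
    """Constructed sample APK with the layout the chapter describes and placeholder contents."""
    entries = {
        "AndroidManifest.xml": b"<manifest package='com.example.sample'/>",
        "classes.dex": build_minimal_dex(),
        "res/drawable/icon.png": b"\x89PNG\r\n\x1a\n",
        "lib/armeabi-v7a/libnative.so": b"\x7fELF",
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
        "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
        "META-INF/CERT.RSA": b"placeholder-pkcs7-blob",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            # Fixed timestamp so the sample hashes identically on every run.
            info = zipfile.ZipInfo(name, date_time=(2014, 1, 1, 0, 0, 0))
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()


def inspect_apk(apk: bytes) -> dict:
    """Inventory a pulled APK without renaming it: hash the whole file for the
    evidence log, list what the archive holds, and validate classes.dex."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        names = zf.namelist()
        dex = zf.read("classes.dex") if "classes.dex" in names else b""
    return {
        "sha256": hashlib.sha256(apk).hexdigest(),
        "entries": len(names),
        "has_manifest": "AndroidManifest.xml" in names,
        "has_classes_dex": "classes.dex" in names,
        "native_libs": sorted(n for n in names if n.startswith("lib/") and n.endswith(".so")),
        "resources": sorted(n for n in names if n.startswith("res/")),
        # A JAR-style signature block under META-INF means the package was signed.
        "signed": any(n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))
                      for n in names),
        "dex": check_dex_header(dex),
    }


if __name__ == "__main__":
    for key, value in inspect_apk(build_sample_apk()).items():
        print(f"{key}: {value}")
```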
Steps to reverse engineer Android apps
The APK files can be reverse engineered in different ways to get the original code. The following is one method that uses the dex2jar and JD-GUI tools to gain access to the application code. For our example, we will examine the com.twitter.android-1.apk file. The following are the steps to successfully reverse engineer the APK file:
1. Rename the apk extension to zip to see the contents of the file. Rename the com.twitter.android-1.apk file to twitter.android-1.zip, and extract the contents of the file using any file archiver application. The following screenshot shows the files extracted from the original file twitter.android-1.zip:
Extracted files of an APK file
2. The classes.dex file discussed in the earlier sections can be accessed after extracting the contents of the APK file. This dex file needs to be converted to a Java class file. This can be done using the dex2jar tool.
3. Download the dex2jar tool from https://code.google.com/p/dex2jar/, drop the classes.dex file into the dex2jar tool's directory, and issue the following command:
C:\Users\Rohit\Desktop\Training\Android\dex2jar-0.0.9.15>d2j-dex2jar.bat classes.dex
dex2jar classes.dex -> classes-dex2jar.jar
4. The preceding command, when successfully run, creates a new file classes-dex2jar.jar in the same directory as shown in the following screenshot:
The classes-dex2jar.jar file created by the dex2jar tool
5. To view the contents of this jar file, you can use a tool such as JD-GUI. As shown in the following screenshot, the files present in an Android application and the corresponding code can be seen:
The JD-GUI tool
Once we get access to the code, it is easy to analyze how the application stores the values, permissions, and more information that may be helpful to bypass certain restrictions. When malware is found on a device, this method to decompile and analyze the application may prove useful, as it will show what is being accessed by the malware and clues to where the data is being sent. The method in the preceding screenshot is the best way to determine how malware is affecting the Android device.
Forensic tools overview
It is important for an examiner to understand how a forensic tool acquires and analyzes data to ensure nothing is missed and that the data is being decoded correctly. While manual extraction and analysis is useful, a forensic examiner may need the help of tools to accomplish the tasks involved in mobile device forensics. Forensic tools not only save time, but also make the process a lot easier. The following section describes four important tools that are widely used during forensic acquisition and the analysis of an Android device.
The AFLogical tool
AFLogical is an Android forensics tool developed by viaForensics. This tool performs logical acquisition of any Android device running Android 1.5 or later versions. It allows the extracted data to be saved to the examiner's SD card in CSV format. There are two editions of this tool: AFLogical Open Source Edition (OSE) and AFLogical Law Enforcement (LE).
AFLogical Open Source Edition
AFLogical Open Source Edition is free open source software. It pulls all available MMS, SMS, contacts, and call logs from the Android device. AFLogical OSE is also built into Santoku-Linux, the open source, community-driven OS dedicated to mobile forensics, mobile malware, and mobile security. The concepts behind AFLogical OSE were mentioned in Chapter 9, Android Data Extraction Techniques. This edition can also be used on Santoku-Linux by performing the following steps:
1. Navigate to Santoku | Device Forensics | AFLogical OSE, as shown in the following screenshot:
AFLogical in Santoku Linux
2. To install AFLogical OSE onto the device, connect the Android device via USB. If you are using Santoku-Linux in a VM, make sure you connect the Android device to the guest VM.
3. Install the application to your device as follows:
aflogical-ose
634 KB/s (28794 bytes in 0.044s)
pkg: /data/local/tmp/AFLogical-OSE_1.5.2.apk
Success
Starting: Intent { cmp=com.viaforensics.android.aflogical_ose/com.viaforensics.android.ForensicsActivity }
Press enter to pull /sdcard/forensics into ~/aflogical-data/
4. On the Android device, select the items you wish to extract and click on Capture.
5. Next, press Enter in the Linux workstation. This will extract the data from your Android device to the mounted SD card in ~/aflogical-data.
6. The data is stored in a folder labeled with the date and time of the extraction, as shown in the following screenshot referenced from https://santoku-linux.com/:
The AFLogical results
7. The extracted data, such as call logs, SMS, contacts, and more, can be accessed by browsing this folder.
AFLogical Law Enforcement (LE)
According to viaForensics, to download AFLogical LE, you must register with viaForensics using an active law enforcement or government agency e-mail. This edition is able to pull all logical data from an Android device, including the following:
Browser bookmarks
Browser searches
Calendar attendees
Calendar events
Calendar extended properties
Calendar reminders
Calendars
CallLog calls
Contact methods
Contact extensions
Contact groups
Contact organizations
Contact phones
Contact settings
External image media
External image thumb media
External media external videos
IM account
IM accounts
IM chats
IM contacts provider (IM contacts)
IM invitations
IM messages
IM providers
IM provider settings
Internal image media
Internal image thumb media
Internal videos and Maps-Friends
Maps-Friends contacts
Maps-Friends extra
MMS
MmsParts Provider (MMS Parts)
Notes
People
Phone storage deleted by people (HTC Incredible)
Search history
SMS
Social contracts activities
Cellebrite – UFED
Currently, Cellebrite UFED offers several products that support data acquisition and analysis of Android devices. Cellebrite is a popular commercial tool that provides the examiner with both logical and physical acquisition support as well as an analytical platform to examine data. Cellebrite Physical Analyzer, the analytical platform, allows the examiner to keyword search, bookmark, carve data, and create customized reports to support their investigation.
Physical extraction
The following steps need to be followed to extract information from a Samsung Android device using UFED Touch. Before the extraction process starts, make sure that the phone is fully charged.
1. In the UFED Touch menu, select Physical Extraction, as shown in the following screenshot:
The UFED Touch main menu
2. In the vendor list, select the name of the device manufacturer as shown in the following screenshot (for example, Samsung):
The UFED Touch—vendor list screen
3. In the model menu, select the model of the device. Select Physical Extraction.
4. Select the location where you want to save the extraction—removable drive or the forensic workstation.
5. Follow the instructions exactly as listed on UFED Touch. Make sure you use the exact cable, and remove the battery when prompted.
6. The phone will enter download mode and display a logo. Next, connect the phone to UFED Touch and press continue.
7. Connect the external drive (to save the extracted data) to the target port of UFED Touch.
8. This will prompt UFED Touch to automatically move to the extraction screen. At this stage, you might be prompted to perform some of the phone connection steps. Do so if prompted.
9. Once the process is complete, the extracted data can be viewed and analyzed using the UFED Physical Analyzer application as shown in the following screenshot:
The UFED Physical Analyzer application
MOBILedit
As per the vendor, the MOBILedit forensic tool can be used to view, search, or retrieve data from a phone, including call history, phonebook, text messages, multimedia messages, files, calendars, notes, reminders, and application data such as Skype, Dropbox, Evernote, and more. It will also retrieve phone information such as IMEI, operating system, and firmware, including SIM details (IMSI), ICCID, and location area information. Depending on the circumstances, MOBILedit is also able to retrieve deleted data from phones and bypass the passcode, PIN, and phone backup encryption. The setup file can be downloaded from www.mobiledit.com and can be installed easily. Once installed, perform the following steps to extract information from an Android phone using the MOBILedit software:
1. Ensure that USB debugging is enabled on the device and connect the Android device to the forensic workstation using a USB cable. MOBILedit attempts to detect the device and to install the Connector app on the device, as shown in the following screenshot:
The MOBILedit connection wizard
2. MOBILedit then presents you with options to back up certain data. Once this is done, the tool displays statistics and the application data that can be used for analysis, as shown in the following screenshot:
The MOBILedit tool results
3. Under the Navigation tab, click on any item to view the results. For instance, click on the Phonebook link to view all the contacts stored within the phonebook including phone numbers, e-mail addresses, and more. Similarly, you can view the information about call logs by clicking on the Call Logs option, as shown in the following screenshot:
The MOBILedit tool—Call logs option
Autopsy
Should manual examination or file carving be required, it is best to use a forensic tool that provides access to the raw files on the Android device. Autopsy, the GUI based upon The Sleuth Kit, runs on a Windows forensic workstation and can be downloaded from http://www.sleuthkit.org/autopsy/. Autopsy currently provides analytical support for Android devices. Both open source and Law Enforcement modules are available for Autopsy. These modules provide additional file carving and parsing support for applications and files found on Android devices and SD cards. For example, the open mobile forensics module provides mobile device parsing capabilities to pull out artifacts such as calls, SMS, chats, pictures, and more.
Analyzing an Android in Autopsy
In this example, we will be using a physical image of the Samsung Galaxy S III. This device was physically extracted using Cellebrite UFED Touch. The following steps should be performed to correctly mount an Android image and to start your examination:
1. Download and install the current version of Autopsy from www.thesleuthkit.org.
2. Launch Autopsy and select the option to create a new case as shown in the following screenshot:
The Autopsy tool screen
3. Fill out the case information and click on Finish.
4. Select Image File and navigate to the physical image of the Android device as shown in the following screenshot. If more than one image file is provided for the Android, simply select the first one.
Autopsy image loading
5. Select the ingest modules you wish to run against the Android device. The module selections are shown in the following screenshot. Note that Law Enforcement modules are not listed and are provided only to those working in Law Enforcement and the Federal Government. The following screenshot shows the ingest modules:
Autopsy ingest modules
6. Select Next and Finish, and Autopsy will begin to parse and load the Android image file. Unlike other forensic tools, Autopsy provides results as quickly as they are recovered to save the preprocessing time and allow the examiner direct access to the data involved in their investigation. The results appear as shown in the following screenshot:
Summary
Reverse engineering Android apps is the process of retrieving source code from an APK file. By using certain tools such as dex2jar, Android apps can be reverse engineered in order to understand the functionality of the app and data storage, define malware, and more. Forensic tools, such as AFLogical, Cellebrite, MOBILedit, and Autopsy, are just a few of the tools that are helpful to an examiner. They not only save time but also effort. A step-by-step explanation of using these was covered in this chapter. Unlike Android devices, data stored on Windows Mobile devices is difficult to extract and analyze. The next chapter provides a glance at performing forensics on Windows Mobile devices.
Chapter 12. Windows Phone Forensics
Windows mobile devices are becoming more widely used and may be encountered during forensic investigations. Locating and interpreting digital evidence present on these devices requires specialized knowledge of the Windows Phone operating system and may not always be possible. Commercial forensic and open source tools provide limited support for acquiring user data from Windows devices. As Windows mobile devices are relatively new, most forensic practitioners are unfamiliar with the data formats, embedded databases used, and so on. This chapter provides an overview of Windows Phone forensics, describing various methods of acquiring and examining data on Windows mobile devices.
Windows Phone OS
Windows Phone is a proprietary mobile operating system developed by Microsoft. It was launched as a successor to Windows Mobile, but does not provide backward compatibility with the earlier platform. Windows Phone was first launched in October 2010 with Windows Phone 7. The version history of the Windows Phone operating system then continued with the release of Windows Phone 7.5, Windows Phone 7.8, and Windows Phone 8. Although the market share of this operating system is limited, there is certainly a case for optimism based on the following two reasons:
The computer operating system market is still heavily dominated by Windows. This gives Windows Phone OS greater flexibility to provide users with a computer environment with which they are familiar.
Microsoft's decision to acquire Nokia could be a significant factor in improving its market share of mobile operating systems.
The following sections will describe more about Windows Phone 7, its features, and the underlying security model. We believe the data is stored similarly on Windows Phone 8, so the methods defined in the following sections should work on both operating systems.
Unlike Android and iOS, Windows Phone comes with a new interface, which uses so-called tiles for apps instead of icons, as shown in the following figure. These tiles can be designed and updated by the user. Similar to other mobile platforms, Windows Phone allows for the installation of third-party apps. The apps can be downloaded from Windows Phone Marketplace, which is managed by Microsoft.
Security model
The security model of Windows Phone is designed to make sure that the user data present on the device is safe and secure. The following sections are a brief explanation of the concepts on which Windows Phone security is built.
Windows chambers
The Windows Phone OS 7.0 is heavily built on the principles of least privilege and isolation. To achieve this, Windows Phone introduced the concept of chambers. Each chamber has an isolation boundary within which a process can run. Depending on the security policy of a specific chamber, a process running in that chamber has the privilege to access the OS resources and capabilities (https://www.msec.be/mobcom/ws2013/presentations/david_hernie.pdf). There are four types of security chambers. The following is a brief description of each one of them:
Trusted Computing Base (TCB): Processes here have unrestricted access to most of the Windows Phone 7 resources. This chamber has the privilege to modify policies and enforce the security model. The kernel runs in this chamber.
Elevated Rights Chamber (ERC): This chamber is less privileged than the TCB chamber. It has the privileges to access all resources except the security policy. This chamber is mainly used for services and user-mode drivers, which provide functionality intended for use by other applications on the phone.
Standard Rights Chamber (SRC): This is the default chamber for preinstalled applications, such as Microsoft Outlook Mobile 2010.
Least Privileged Chamber (LPC): This is the default chamber for all the applications that are downloaded and installed through the Marketplace Hub (also known as the Windows Phone Marketplace).
Capability-based model
Capabilities are defined as the resources on the phone (camera, location information, microphone, and more), which are associated with security, privacy, and cost. The LPC has a minimal set of access rights by default. However, this can be expanded by requesting more capabilities during the installation. Capabilities are granted during the app installation and cannot be modified or elevated during runtime.
To install an app on a Windows phone, you need to sign in to Marketplace with a Windows Live ID. During installation, apps are required to ask the user for permission before using certain capabilities, an example of which is shown in the following screenshot:
Windows app requesting user permissions
This is similar to the permission model in Android. This gives the user the freedom to learn about all the capabilities that an application has before installing the application. The list of all capabilities is included in the application manifest file WMAppManifest.xml, which can be accessed through Visual Studio or other methods defined at http://developer.nokia.com/community/wiki/How_to_access_Application_Manifest_%28WMAppManifest.xml%29_file_at_runtime
App sandboxing
Apps in Windows Phone run in a sandboxed environment. This means every application on Windows Phone 7 runs in its own chamber. Applications are isolated from each other and cannot access the data of other applications. If any app needs to save information to the device, it can do so using the isolated storage, which is restricted from access by other applications. Also, the third-party applications installed on Windows Phone cannot run in the background, that is, when the user switches to a different application, the previously used application is shut down (although the application state is preserved). This ensures that the application cannot perform activities such as communicating over the Internet when the user is not using the application. These restrictions also make the Windows Phone less susceptible to malware.
Windows Phone file system
The Windows Phone 7 file system is more or less similar to the file systems used in Windows XP, Windows Vista, or Windows 7. From the root directory, one can reach different files and folders available on the device. From a forensic perspective, the following are some of the folders that can yield valuable data. All the mentioned directories are located in the root directory.
ApplicationData: This directory contains data of preinstalled apps on the phone such as Outlook, Maps, and Internet Explorer.
Applications: This directory contains the apps installed by the user. The isolated storage, which is allocated or used by each app, is also located in this folder.
My Documents: This directory holds different Office documents such as Word, Excel, or PowerPoint. The directory also includes configuration files and multimedia files, such as music or videos.
Windows: This directory contains files related to the Windows Phone 7 operating system.
Windows Phone also maintains the Windows registry, a database that stores environment variables on the operating system. The Windows registry is basically a directory that stores settings and options for the Microsoft operating system.
Data acquisition
Acquiring data from a Windows Phone is challenging for forensic examiners, as the physical and logical methods defined in previous chapters are not commonly supported. One of the most common techniques in data acquisition is to install an application or agent on the device, which extracts as much data as possible from the device. This could result in certain changes on the device but nevertheless, it is still forensically sound if the examiner follows standard protocols. These protocols include proper testing to ensure no user data is changed, validation of the method on a test device, and documenting all steps taken during the acquisition process. For this acquisition method to work, the app needs to be installed with the privileges of the Standard Rights Chamber. This may require the examiner to copy the manufacturer's DLLs, which have higher privileges, into the user app. This allows the app to access methods and resources that are usually limited to native apps.
Most examiners rely on forensic tools and methods to acquire mobile devices. Again, these practices are not readily available for Windows Mobile devices. Keep in mind that to deploy and run an app on Windows Phone, both the phone and the developer must be registered and unlocked by Microsoft. This restriction can be bypassed by unlocking the device using tools such as ChevronWP7. This tool basically allows the bypassing of the Marketplace procedure and allows you to sideload (run unsigned applications without the restrictions listed) an unpublished application.
Sideloading using ChevronWP7
As explained earlier, in order to install the app that provides access to the file system of the phone, we first need to unlock the device (similar to jailbreaking on iOS devices). This method will only work on a Windows Phone that is not locked with a passcode. This can be done using the ChevronWP7 tool by performing the following steps:
1. Download the ChevronWP7.exe and ChevronWP7.cer files. Note that these files are often removed and are not always available on the same site. One location that currently has the files available for download is http://www.4shared.com/file/HQGmwIRx/ChevronWP7.htm?locale=en.
2. Install ChevronWP7.cer on the Windows Phone. Note that the methods for installing ChevronWP7 may require techniques not standard to forensic practices. Thus, all methods must be tested on a sample Windows Phone to ensure user data is not lost in the process of attempting to extract the data. One method for installing ChevronWP7 includes sending it to an e-mail and accessing it. This method should be used as a last resort when all other acquisition methods fail.
3. Connect the phone to your computer and make sure that the device is not passcode-locked. If the device is locked and the password is known, enter the password only when prompted by the computer. Do not guess the password on the Windows Phone as multiple incorrect guesses may wipe the user data.
4. Run ChevronWP7.exe, check both the boxes shown in the following screenshot, and click on Unlock. This enables the developer unlock on the device and also enables you to install any third-party app without a Marketplace developer account.
The ChevronWP7 tool
To execute native code in a user app, the Windows.Phone.interopService DLL is used. This DLL provides the method RegisterComDLL, which can import native manufacturer DLLs. Hence, by including this DLL in a user app, it is possible to execute native code within the app and get access to the entire file system of the phone, including the isolated storage.
Extracting the data
On an unlocked device (again, similar to a jailbroken iOS device), it is possible to run an app that can extract the user data present in the phone. The app TouchXperience, which comes along with the Windows Phone Device Manager (WPDM), can be used for this purpose. Windows Phone Device Manager is the management software for Windows Phone 7. The client app TouchXperience extracts data such as the file system from the mobile device, and WPDM retrieves this data and converts it into a human-readable graphical format. The following are the steps which will help a forensic examiner extract user data present on an unlocked Windows Phone device:
1. Download Windows Phone SDK 7.1 and the Zune software on the forensic workstation and install them (http://www.microsoft.com/en-us/download/details.aspx?id=27570).
2. Download the Windows Phone Device Manager on the workstation, and launch WPDeviceManager.exe (http://touchxperience.com/windows-phone-device-manager/).
3. Connect the device to the workstation, and it should be detected automatically. If it is not detected, make sure a passcode is not set on the device. If it is, this process may fail if the passcode is unknown.
4. Windows Phone Device Manager will automatically install the TouchXperience app when the phone is connected for the first time. Make sure you set what the software is allowed to do on the device (that is, make sure not to change the user data, not update date/time settings, or anything else that will modify the user data). Make sure to document that TouchXperience was installed in order to extract data from the Windows Phone as standard forensic methods provide little support for these devices.
5. Thereafter, the following screen is presented, which provides access to a vast amount of files present on the device:
Windows Phone Device Manager
The home screen displays information about the model of the phone, OS version, and more. Click on Manage applications to see the information about installed apps on the device, as shown in the next screenshot. WPDM also provides other functionality, such as media management, synchronization of files and folders, and more. From a forensic point of view, the File Explorer is the most interesting part of this software. It provides read, write, and execute access to most of the files present on the Windows Phone 7 device.
Have a look at the following screenshot:
Windows Phone Device Manager—The Manage Applications screen
Using this acquisition technique, you can acquire two types of data: system data and application data. System data is mainly the data that is required to run the phone, and application data is the data created and used by different applications installed on the device. While system data may not contain data relevant to your investigation, application data is very much valuable. Regardless, all data should be acquired from any smartphone as the examination must be complete and capture all data contained on the device when possible. The following sections discuss the steps to be followed to extract application data from a Windows Phone device. The application data will contain the bulk of the user-created data and will provide the most value to your investigation.
Extracting SMS
All the incoming and outgoing short messages (SMSes) in Windows Phone 7 are stored in the file named store.vol, which is present under the directory \ApplicationData\Microsoft\Outlook\Stores\DeviceStore, as shown in the next screenshot. However, it is not possible to copy this file directly because this file is always in use. When the file is renamed (say store.vol.txt or store.bkp), it automatically creates a copy of the file. Once the copy is made, this file can now be examined using a normal text editor. Note that this file can also exist in the \APPDATA\Local\Unistore directory. Have a look at the following screenshot:
The store.vol file in Windows Phone
Extracting e-mail
Windows Phone 7 devices use Outlook as their standard e-mail client. This can be used to synchronize with various e-mail services such as Google, Yahoo Mail, and more. Any data that belongs to Outlook is stored under the directory \ApplicationData\Microsoft\Outlook\Stores\DeviceStore\data, as shown in the following screenshot:
Windows Phone: extracting e-mail
As shown in the next screenshot, there are different folders present that contain different data. For example, folder3 contains pictures of the user's contacts (e-mail receivers). This folder is being used as an example. This folder will not be consistently named folder3 across Windows Phone devices. Have a look at the following screenshot:
Windows Phone: folder3
Although the files are present with the .dat extension, by renaming them to .jpg, we can view the pictures as shown in the following screenshot:
Windows Phone: renaming dat files to JPG files
Similarly, folder4 contains information about e-mail messages. By renaming the files to HTML, we can view the content of the e-mail messages. Again, each folder should be examined for relevance as they may contain e-mail messages, attachments, contacts, and more.
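An added example, not from the book, that identifies the .dat files under an extracted DeviceStore\data tree by their content (JPEG and PNG magic bytes, HTML markup) and records each file's SHA-256, so the examiner learns what folder3 and folder4 hold without renaming the evidence copy. The folder layout and file contents are constructed in a temporary directory; the signature table is a small starting set, not a complete one.

```python
import hashlib
import os
import tempfile

# Magic bytes for the content types the chapter finds behind .dat names
# (constructed starting table; extend it as other types turn up).
SIGNATURES = [
    (b"\xff\xd8\xff", "jpg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
]


def identify(data: bytes) -> str:
    """Classify a blob by its content rather than by its extension."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    head = data[:1024].lstrip().lower()
    if head.startswith((b"<!doctype html", b"<html")) or b"<html" in head or b"<body" in head:
        return "html"
    return "unknown"


def survey_dat_files(root: str) -> list:
    """Walk an extracted DeviceStore\\data tree and record, for every .dat file,
    its relative path, SHA-256 and detected type. Nothing is renamed; the
    examiner works from this report and from copies made afterwards."""
    rows = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            if not name.lower().endswith(".dat"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            rows.append({
                "path": os.path.relpath(path, root).replace(os.sep, "/"),
                "sha256": hashlib.sha256(data).hexdigest(),
                "type": identify(data),
            })
    return sorted(rows, key=lambda r: r["path"])


def build_sample_tree() -> str:
    """Constructed stand-in for the folder3/folder4 layout described above."""
    root = tempfile.mkdtemp(prefix="wp7_devicestore_")
    samples = {
        "folder3/1.dat": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32,  # contact picture
        "folder3/2.dat": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "folder4/1.dat": b"<html><body>Re: meeting</body></html>",           # e-mail body
        "folder4/2.dat": b"\x00\x01\x02\x03binary-state",                     # something else
        "folder4/notes.txt": b"not a .dat file, ignored",
    }
    for rel, data in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for row in survey_dat_files(build_sample_tree()):
        print(f"{row['type']:8} {row['sha256'][:16]}...  {row['path']}")
```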
Extracting application data
The Applications folder contains all the applications installed on the phone. Each application has its own directory, which is identified with a unique application ID. Inside the application ID folder, there are other important folders, such as Cookies, History, IsolatedStore, and more. Most of the crucial information is usually present in the IsolatedStore folder. For example, as shown in the next screenshot, the IsolatedStore folder in Facebook contains the following data:
Contents of the IsolatedStore folder
By analyzing these folders, a forensic analyst can gather a lot of information that could aid in the investigation. The following are some of the findings from our Facebook app analysis example:
The file userid.settings shown in the following screenshot contains the user's profile name and a link to the user's profile and profile picture.
All the pictures used by the Facebook app are stored in the Images folder present in the directory IsolatedStore. To view the images, change the extension of the files to JPG.
The DataCache.userID folder contains most of the information about the Facebook account. By parsing this folder, information about friends, friend requests, messages, and more can be obtained. This is straightforward as all the files, once extracted, can be manually examined for relevance to the investigation.
The DataCache.UserID folder of the Facebook app
Similarly, by examining the Internet Explorer app, a forensic examiner can gather information about the sites visited by the user. All this data can be found under the ApplicationData\Microsoft\InternetExplorer folder. By analyzing the Maps application, information about the user location and other details can be obtained. The call logs can be recovered from \APPDATA\Local\UserData\Phone on most devices. Keep in mind that the location may vary depending on the OS and the Windows device. However, the directory containing the data (phone, store.vol, and so on) remains the same. A great source for conducting forensics on a Windows Phone device can be found at http://cheeky4n6monkey.blogspot.com/2014/06/monkeying-around-with-windows-phone-80.html.
Summary
Acquiring data from Windows Phone devices is challenging as they are secure, and as commercial forensic tools and open source methods do not provide easy solutions for forensic examiners. Chip-off, JTAG, and the methods defined in this book are some of the methods that provide access to user data on Windows Phone devices. The biggest challenge is getting access to the device, acquiring the data, and extracting the raw files for analysis. Once the data is available, all the information about SMS, e-mail, application data, and more can be analyzed by the examiner. Again, the device must not contain a passcode, must be unlocked (jailbroken/rooted), and will be modified by the examiner in order to extract the data using the methods defined in this chapter. While some may challenge us and say these methods are not common in forensic practices, they must realize that these methods may be the only way to obtain user data from Windows Phone devices. In the next chapter, we will cover BlackBerry forensics, which, while challenging, is more supported by commercial and open source methods.
Chapter 13. BlackBerry Forensics
BlackBerry devices come with the Research in Motion (RIM) software implementation of proprietary wireless protocols. BlackBerry devices pose a significant challenge to forensic examinations due to the lack of physical parsing support and device encryption. This chapter will cover the various security features that come with BlackBerry devices, the available techniques to extract data from a device, and the best methods to analyze the data extracted.
BlackBerry OS
BlackBerry OS is a proprietary mobile operating system developed by the Canadian company RIM, used on all BlackBerry devices until BlackBerry 10, which introduced QNX. BlackBerry RIM is now referred to as BlackBerry Limited. The initial BlackBerry operating system is known to support specialized functions, such as trackball, trackwheel, trackpad, and more. BlackBerry OS was initially released in 1999 for the device Pager BlackBerry 580. BlackBerry QNX (OS 10) uses a Linux variant that was initially introduced with the BlackBerry Playbook and is now used on BlackBerry devices. With QNX, BlackBerry World and Balance were introduced along with other features more comparable to Android and iPhone (http://searchitchannel.techtarget.com/feature/Introduction-to-the-BlackBerry).
The following table provides information about the version history of BlackBerry OS:
Version Release year
1 1999
3.6 2002
5 2008
6 2010
7 2011
7.1 2012
10 2013
10.1 2013
10.2 2013
BlackBerry OS versions
The BlackBerry OS offers native support for corporate mail through MIDP, which allows wireless syncing with Microsoft Exchange, Lotus Domino and e-mail, contacts, calendar, notes, and more, while used along with the BlackBerry Enterprise Server. This OS additionally supports WAP 1.2. With the advent of Android and iOS, the market share of BlackBerry OS has steadily decreased over the years. Nevertheless, there are more than 70 million BlackBerry users worldwide and these devices are frequently encountered during forensic investigations, especially for internal corporate investigations. The BlackBerry Enterprise Server (BES) consists of software that facilitates corporate messaging to allow the syncing of corporate e-mail with the user's device. A BES administrator of an IT department normally manages BES services. The BlackBerry Internet Service (BIS) is a service that allows the user to configure up to 10 e-mail accounts to sync to the BlackBerry device.
BlackBerry allows the installation of third-party apps from BlackBerry World, which is the app distribution service. BlackBerry apps are developed using a Java Development Environment (JDE) or RIM's Mobile Data System (MDS). If the application can run independently of a BlackBerry solution, such as BIS or BES, a Java application would serve the purpose. If the application requires e-mail for functionality or needs support from a BlackBerry device to help it operate, MDS is usually preferred to develop the application.
Security features
There are two types of BlackBerry users—consumers who buy and use the device, and enterprise users who are provided with the BlackBerry device by their employers. The consumer devices are usually configured to use the BIS, whereas the enterprise user devices are configured to use BES. In a BES environment, security is usually enforced by the enterprise through appropriate settings and application controls.
Although BlackBerry uses a proprietary operating system, its third-party application framework is mostly based on Java. Third-party apps that are not signed have very limited access to this restrictive functionality. Even in the case of signed applications, user permission is needed to perform important actions such as calling a number, accessing a contact, and more. BlackBerry apps are written in Java and then compiled into COD files. But before compiling the apps, they are preverified for certain security checks and are tagged to confirm that the checks have been carried out. When the Java Virtual Machine (JVM) present on BlackBerry loads the class, it can cross-check and perform its own verification much faster. Any changes to the code after the preverification can be easily detected at runtime and the JVM will prevent their execution. This makes BlackBerry a secure platform that is less susceptible to malware when compared to other smart devices.
InorderforanapplicationtogetfullaccesstoalltheAPIs,theapplicationmustbesignedbyRIM.WhenthedevelopersfirstregisterwithRIM,theyreceiveadeveloperkey.UsingthesigningtoolprovidedbyRIM,theSHA1hashoftheapplicationcanbesenttoRIM.Uponreceivingthis,RIMgeneratesasignature,whichisthensentbacktothedeveloperandaddedtotheapplication.WhenthesignedapplicationisloadedontoaBlackBerrydevice,theJVMlinkstheCODfilewiththeAPIlibrariesandchecksthattheapplicationhastherequiredsignatures.Iftherequiredsignatureisnotpresent,JVMwillrefusetolinktheapplicationtotherespectiveAPIs,andhence,theapplicationwillfailatruntime.Thisway,BlackBerryensuressecurityforthedevicethroughthecode-signingprocess.
The security strength of BlackBerry can be attributed to the granular control that it provides through the IT policies present on the BES. It is important to note that many of the security controls that are enabled on BES devices are not present on consumer devices that use BIS. BES devices come with various security features, as follows:
Data protection: All the data that is sent between the BES and a BlackBerry device is encrypted using BlackBerry transport layer encryption. Before the BlackBerry device sends a message, it compresses and encrypts the message using the device transport key. When the BES receives a message from the BlackBerry device, the BlackBerry Dispatcher decrypts the message using the device transport key and then decompresses the message. BlackBerry uses AES or Triple DES as the symmetric key cryptographic algorithm for encrypting data. By default, the BES uses the strongest algorithm that both the BES and the BlackBerry devices support for the BlackBerry transport layer encryption. More information on data protection can be found at http://btsc.webapps.blackberry.com/btsc/viewdocument.do;jsessionid=E8567E865DBC9668D3F8740BEB9D65E6?externalId=KB13160&sliceId=1&cmd=displayKC&docType=kc&noCount=true&ViewedDocsListHelper=com.kanisa.apps.common.BaseViewedDocsListHelperImpl
Protection of data and encryption keys on the device: If the content protection option is turned on, BlackBerry devices can be configured to encrypt data stored on the device. By default, a locked BlackBerry device uses AES-256 encryption to encrypt stored data and an ECC public key to encrypt data that is sent to the locked device (http://docs.blackberry.com/en/admin/deliverables/25763/Encrypting_user_data_on_a_locked_BB_device_834471_11.jsp). BlackBerry is also designed to protect the encryption keys that are stored on the device: the device encrypts the encryption keys when the device is locked.
Better control over the device: You can use an IT policy to control a BlackBerry device. The IT policy usually consists of multiple policy rules that manage the security and behavior of the BES. For example, using the IT policy rules, the following security features on a BlackBerry device can be controlled:
Encryption of data transmitted between the BlackBerry server and the device
Connections that use Bluetooth wireless technology
Protection of user data stored on the BlackBerry device
Control of protected device resources, such as the camera or GPS, that are available to third-party applications
In addition to all this, the BES administrator can also reset user passwords for the BlackBerry device and initiate a remote wipe, which must be considered during forensic investigations.
BlackBerry security is a huge hurdle for forensic examiners. While a BES administrator can reset a device password, which may allow an examiner to access the device, the administrator can also remotely wipe it. Thus, following steps similar to those for Android and iOS, the examiner must place the device in airplane mode and disable all remote connections to the device. A wipe command initiated via the BES remains queued for an extended period of time, so removing the battery does not cancel it: as soon as the BlackBerry boots and reconnects, the pending wipe can be delivered and executed immediately. While Android and iOS have proved easier to access when locked, a locked BlackBerry device is more difficult. The level of protection on these devices may leave the extracted data encrypted even after a JTAG or chip-off extraction. Physical support, including both acquisition and analysis, is limited for BlackBerry devices. As described in the following sections, most of the data is obtained simply by taking a backup of the device.
Data acquisition
While the sales of BlackBerry devices are on the decline, they are still encountered during forensic investigations. Commercial forensic tools provide limited support for BlackBerry devices in comparison to other smartphones. Even worse, open source methods are not available for data acquisition of BlackBerry devices. Hence, it is important for examiners to understand all possible methods of data extraction available for these devices. The following sections discuss the various steps involved in acquiring data from a BlackBerry device.
Standard acquisition methods
Standard forensic acquisition methods can be applied to BlackBerry devices. However, encrypted and locked devices may not be possible to acquire, and it will be even more difficult (if not impossible) to analyze the data unless the password or encryption keys are available. The level of acquisition support available depends on the forensic kit, the device model, and the security level currently applied on the BlackBerry device. As explained in previous chapters, logical and physical (including file system) acquisition methods are possible on BlackBerry devices. The Cellebrite UFED Touch provides the greatest level of physical acquisition support for BlackBerry devices (at the time of writing this). The following two images show the different support provided by the Cellebrite UFED Touch on two different models of BlackBerry.
Note that one model has full acquisition support while the other only offers logical acquisition.
The BlackBerry Z10 support in Cellebrite UFED Touch
The preceding image shows that the BlackBerry Z10 device can only be logically acquired using the Cellebrite UFED Touch. When attempting to acquire a BlackBerry 8300 using the UFED Touch, logical, physical, and file system acquisition support is available, as shown in the following image:
The BlackBerry Curve support in Cellebrite UFED Touch
The device passcode must be known for physical acquisition. This is one of the major differences between BlackBerry physical acquisition and that of Android and iOS. Keep in mind that even if a BlackBerry device is physically acquired, the tools currently available to forensic examiners may not support the analysis portion. These challenges are discussed in the analysis section. Logical support for BlackBerry devices is more common and is provided by most commercial forensic tools, including Oxygen Forensics, Micro Systemation XRY, Cellebrite UFED Touch, and more. Most BlackBerry support provided by commercial forensic tools applies to devices running BlackBerry OS (Java-based) and not QNX (BlackBerry 10 OS).
A physical acquisition of a BlackBerry device will capture a complete binary image of the device. This method of acquisition normally requires the BlackBerry to be powered off and intercepts the data prior to the device booting. File system acquisitions may be possible using commercial tools if the device passcode is known. This method of acquisition normally captures data from the device and the SD card. As mentioned, even if a physical or file system acquisition is supported and successful, the examiner should always obtain a logical acquisition as well, to avoid situations where physical data parsing is not supported by the forensic analysis tool. One of the biggest errors in BlackBerry forensics occurs when an examiner obtains only a physical image, returns the device to the user/suspect, and then realizes the data is encrypted or cannot be parsed by their analytical tool. Make sure you do not find yourself in this position by taking the time to acquire the device using all possible methods. The following screenshot shows security prompts that the examiner may encounter during the acquisition and/or analysis of a BlackBerry device:
The encrypted backup file password prompt
The preceding screenshot shows the prompt to enter the password for the encrypted backup file when attempting to open the image in Cellebrite Physical Analyzer. All forensic tools that attempt to parse the image or backup file for analysis will require the password. Without the password, the examiner cannot access the image.
The following screenshot shows the prompt to open the image file in Oxygen Forensics Suite.
Creating a BlackBerry backup
With BlackBerry devices, a significant amount of data can be extracted using the BlackBerry Desktop Manager (BDM) or BlackBerry Link (for BlackBerry 10 devices), both of which can be downloaded for free. This method of acquiring data from a BlackBerry device often yields the data that examiners need to analyze. Again, the passcode must be known for the examiner to create a backup of a BlackBerry device. Acquiring this logical backup is recommended because it can provide a form of validation for the data acquired through forensic tools. The backup file exists as a BBB or IPD file and contains different types of data stored on the BlackBerry device, including call logs, calendar items, contacts, pictures, e-mail, and more.
A BlackBerry Backup (BBB) file is created when BDM v7.0 or a later version, or a Mac computer, is used to create the backup file. The BBB file is a ZIP container comprising either an IPD file or DAT files, depending on the method used to create the backup. A BBB file that contains an IPD file has the same file header as a ZIP file; in hex, this file header is 0x504B. An Inter@ctive Pager Backup (IPD) is created when BDM v6.0 or earlier is used to create the backup file. Commercial forensic tools may also create BlackBerry backup files and use the IPD format. Shafik Punja maintains a blog, largely dedicated to his work on BlackBerry, that provides a deeper look into BlackBerry backup files (http://qubytelogic.blogspot.com/).
It is important to note here that, by default, the BDM is configured to synchronize some data between the device and the computer. Hence, it is important to disable this feature in order to prevent any changes to data on the device. In a forensic process, even a minor change, such as altering the time zone on a device, would make it difficult for an investigator to establish exactly when specific events occurred, and the findings would be even more difficult to defend in court. Hence, it is necessary to disable the synchronization process in the BDM by deselecting the options shown in the following screenshot. The option Update device date and time is selected by default, so it is necessary to explicitly deselect this option. It is the examiner's job to ensure that total control is maintained during the entire forensic process. This means that the forensic workstation is sterile and free of old data, and that the tools are not set to automatically read/write data to and from the BlackBerry device. If the BDM requires the device to be connected in order to select the options, it is wise to try the settings with a test BlackBerry device of the same model as your evidence.
BlackBerry Desktop Manager
The following is the step-by-step procedure to create a backup of the BlackBerry device using BlackBerry Desktop Manager:
1. On the forensic workstation, install BlackBerry Desktop Software. Certain versions of BDM may be required to connect with older BlackBerry devices.
Note
Download link: http://in.BlackBerry.com/software/desktop.html
2. Connect the BlackBerry device to the workstation and observe that the device is detected.
3. Click on Backup under Device, as shown in the following screenshot:
4. Select Backup type as Full (all device data and settings) to perform a full backup, as shown in the following screenshot:
Full backup option in BlackBerry
5. As shown in the preceding screenshot, the File name and the location to save the backup file must be selected. It is recommended to name the file according to the naming convention implemented by your organization, or simply to use the device name and serial number. This will ensure that the backup file can easily be associated back to the original device. Once this is complete, click on Backup.
BlackBerry analysis
BlackBerry devices are still used by employees of major corporations due to their strong security features. eDiscovery cases often require the examiner to be well versed in extracting and analyzing data from computers, servers, and smartphones such as BlackBerry devices. Commercial tools are available for the analysis of BlackBerry devices. The method of acquisition will determine the amount of analysis possible by the examiner. For example, a physical acquisition may have been obtained, but the forensic tool does not automatically parse the data in the image file. This requires the examiner to manually carve and reconstruct the data. BlackBerry devices are among the most complicated smartphones to understand and consistently reconstruct by manual examination. The previous section provided steps for successfully extracting data from BlackBerry devices. The acquisition steps should be followed to ensure that data is not missed. Multiple acquisitions may be required in order to extract and recover the user data from a BlackBerry device. The methodologies and forensic tools required to analyze data from BlackBerry backup files and forensic images differ, and they are defined in the following sections.
BlackBerry backup analysis
BlackBerry backup files can be found natively on hard drives or other external media during a forensic investigation, or may exist as the forensic image created by the examiner in order to complete their investigation. Sometimes, the backup file contains more usable data than a physical image. Again, it all depends on the device model, the method of acquisition, and the forensic tool used for analysis. As previously mentioned, BlackBerry backup files exist as IPD and BBB files and are created by the BDM or the BlackBerry Link software. When created by a user, the BlackBerry backup files are commonly stored in the My Documents folder on a Windows platform. The backup file contains the various databases (tables) present on the BlackBerry device. It is named by default in the format Backup (yyyy-mm-dd).ipd.
Best practice suggests searching for IPD and BBB files across all digital media suspected of containing BlackBerry backup files, since the user can modify the file name of the backup. If the BlackBerry backup file was recovered from a hard drive or other digital media, the following two formats may exist:
Loader backup (yyyy-mm-dd).ipd
AutoBackup (yyyy-mm-dd).ipd
The Loader backup file is created automatically when the device OS is being updated. This ensures that required data is readily available should the device crash during the upgrade. The AutoBackup file is created when the user elects to have the device backed up on a regular or scheduled basis, or when the device is synced with a PC.
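Because the user can rename a backup, and because a BBB is a ZIP container (file header 0x504B) while an IPD begins with the RIM signature, a search by content is more reliable than a search by extension. The following is an added example written for this page, not code from the book or from BlackBerry: it classifies files by their leading bytes, confirms that a ZIP actually carries an IPD or DAT member before calling it a BBB (any other ZIP is a decoy), walks an evidence tree, and unpacks the IPD from a BBB. The directory names, file names and file contents built in demo() are constructed sample data.

```python
"""Find BlackBerry backups on mounted media by content, not by name.

Added example for this page; not code from the book or from BlackBerry.
Facts used from the page: a BBB is a ZIP container (file header 0x504B, "PK")
holding either an IPD file or DAT files, and an IPD begins with the 37-byte
RIM signature. Everything in demo() is constructed sample data.
"""
import os
import tempfile
import zipfile
from typing import Dict, Optional

IPD_SIGNATURE = b"Inter@ctive Pager Backup/Restore File"  # 37-byte RIM signature
ZIP_MAGIC = b"PK"  # 0x504B, the start of every ZIP local file header


def identify_backup(head: bytes) -> Optional[str]:
    """Classify a file by its leading bytes: 'ipd', 'bbb' (any ZIP) or None."""
    if head.startswith(IPD_SIGNATURE):
        return "ipd"
    if head.startswith(ZIP_MAGIC):
        return "bbb"
    return None


def bbb_members(path: str) -> Optional[list]:
    """List member names if path is a readable ZIP container, else None."""
    if not zipfile.is_zipfile(path):
        return None
    with zipfile.ZipFile(path) as zf:
        return zf.namelist()


def classify_file(path: str) -> Optional[str]:
    """Magic-byte classification; a ZIP counts as a BBB only if it carries
    an .ipd or .dat member, so an ordinary archive is not reported."""
    with open(path, "rb") as fh:
        head = fh.read(len(IPD_SIGNATURE))
    kind = identify_backup(head)
    if kind == "bbb":
        members = bbb_members(path) or []
        if not any(m.lower().endswith((".ipd", ".dat")) for m in members):
            return None
    return kind


def find_backups(root: str) -> Dict[str, str]:
    """Walk root and map each backup's path (relative to root) to its kind,
    whatever the user renamed the file to."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            kind = classify_file(path)
            if kind:
                found[os.path.relpath(path, root)] = kind
    return found


def extract_ipd_from_bbb(path: str) -> Optional[bytes]:
    """Return the bytes of the first IPD member inside a BBB container."""
    with zipfile.ZipFile(path) as zf:
        for member in zf.namelist():
            if member.lower().endswith(".ipd"):
                return zf.read(member)
    return None


def demo() -> dict:
    """Build a constructed evidence tree (a renamed IPD, a BBB wrapping an
    IPD, a plain ZIP decoy, a text file), scan it and unpack the BBB."""
    # Minimal IPD: signature, line break, version 2, zero databases, separator.
    ipd = IPD_SIGNATURE + b"\n" + bytes([2]) + b"\x00\x00" + b"\x00"
    with tempfile.TemporaryDirectory() as root:
        docs = os.path.join(root, "Documents")
        os.makedirs(docs)
        with open(os.path.join(docs, "notes.txt"), "wb") as fh:
            fh.write(ipd)  # an IPD the user renamed to hide it
        bbb_path = os.path.join(docs, "phone.bbb")
        with zipfile.ZipFile(bbb_path, "w") as zf:
            zf.writestr("Backup.ipd", ipd)
        with zipfile.ZipFile(os.path.join(root, "archive.zip"), "w") as zf:
            zf.writestr("readme.txt", "not a backup")  # ZIP decoy
        with open(os.path.join(root, "memo.txt"), "w") as fh:
            fh.write("unrelated")
        found = find_backups(root)
        inner = extract_ipd_from_bbb(bbb_path)
    return {
        "kinds": sorted(found.values()),
        "names": sorted(os.path.basename(p) for p in found),
        "inner_ipd_ok": inner is not None and inner.startswith(IPD_SIGNATURE),
    }


if __name__ == "__main__":
    print(demo())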
A full backup of a BlackBerry device should contain details such as the address book, e-mail, SMS, call logs, and more. However, the backup file may not contain all the application data, because third-party applications may not always provide access to their data. A backup file contains the following information:
File header: The header contains information about the RIM signature, database version, number of databases in the current file, and so on, as shown in the following table:
Name                   Length (in bytes)   Offset
RIM signature          37                  0x0
Line break             1                   0x25
Database version       1                   0x26
Number of databases    2                   0x27-0x28
Database separator     1                   0x29
Database name blocks: These are present after the header information. In each block, the name length and the name are stored.
Database records: These are present after the database name blocks and contain the real data. They contain information about the database ID, record length, database version, database record handle, database unique ID, and so on.
Database record fields: These contain the record data length, record type, and record data.
Once you have access to the BlackBerry backup file, use any of the available tools discussed in the Forensic tools for BlackBerry analysis section to read the information present in the file.
BlackBerry forensic image analysis
The method of obtaining the forensic image of a BlackBerry device, whether logical, physical, or file system, may limit the tools available to analyze the data. For example, a raw image created using JTAG or chip-off should be ingestible and parsed by any forensic tool that provides physical analysis support for that model of BlackBerry, as long as the device was unlocked or the passcode is known. It is best to use more than one tool during your forensic analysis to verify the results obtained from the forensic image.
BlackBerry file systems are difficult to reconstruct due to the proprietary format developed by RIM. Unlike other smartphone devices, BlackBerry file systems vary greatly per model. Commercial tools will attempt to reconstruct the file systems, but the support is limited and may not be accurate. It is best to validate your findings using logical, file system, or backup file acquisition and analysis to ensure that your findings are correct.
Once an examiner gains experience analyzing BlackBerry devices, the files of interest become more apparent regardless of the image format. A physical dump and a backup file may actually contain the same amount of data readily available to the examiner. The tool chosen to examine the data will determine the amount of access you have to that file. As explained in previous chapters, deleted data can reside in database files; just as with Android and iOS, BlackBerry databases/tables may contain deleted data. If your forensic tool does not provide access to the native file for export or for examination in hex, you will miss this deleted data.
The following screenshot shows the file system representation of a BlackBerry backup file in Cellebrite Physical Analyzer. Notice that the Address Book is being examined in raw hex. This method of analysis is preferred to validate your logical results or the data provided in the tool report.
Cellebrite Physical Analyzer: Address Book examination
BlackBerry data, stored in databases/tables, is often proprietary, which causes difficulties when attempting to interpret the data, both with a tool and manually by the examiner. When compared to other smartphone devices, there doesn't appear to be a clear standard for data on BlackBerry devices. For example, status flags associated with the e-mail app have been found to be inconsistent among different devices. Commonly, a status flag is consistent within a table for a specific model; this has been found to be untrue for BlackBerry. For examiners, this makes validation of your tool difficult. BlackBerry timestamps are commonly in a simple date format, which is compatible with Java and which most forensic tools support parsing.
There are a variety of BlackBerry timestamp types that are defined in detail at http://www.swiftforensics.com/2012/03/blackberry-date-formats.html. When examining SMS messages, the examiner should use more than one tool to ensure the data is parsed properly. Currently, there is no standard for how SMS messages are stored on BlackBerry devices. The SMS messages may be encrypted, compressed, or exist in a proprietary 7-bit format. Several factors weigh on the format used to store the SMS message content, including device security settings, device model, administrator settings, and more.
Unlike other smartphones, third-party application data cannot be stored internally in the BlackBerry device memory if the application uses SQLite database storage, which applications commonly do. All such third-party application data will reside on the SD card (or eMMC) associated with the BlackBerry device, in an application folder. More information on using SQLite on BlackBerry devices can be found at http://blog.softartisans.com/2011/03/29/using-sqlite-in-blackberry-applications/. These folders and database files must be examined for relevance to the investigation, as defined in previous chapters. Due to the undocumented nature of RIM's proprietary methods of storing user data, it is recommended that the examiner examine any database/table recovered from the BlackBerry device that may be of interest to the investigation. Manual examination is time-consuming, but it will ensure that data is not overlooked.
Encrypted BlackBerry backup files
During your forensic examinations, it is likely that an encrypted BlackBerry backup file will require analysis. Elcomsoft developed the Phone Password Breaker, which allows the examiner to use various brute force and dictionary attacks to crack encrypted backup files.
The following is the step-by-step procedure to crack an encrypted BlackBerry backup file using Elcomsoft Phone Password Breaker:
1. On the forensic workstation, install Elcomsoft Phone Password Breaker. The full and demo versions can be found at http://www.elcomsoft.com/eppb.html.
Elcomsoft Phone Password Breaker
2. Navigate to the backup file.
3. Select the attack method. Several options are available, and dictionaries can be added to increase the success rate of the attack, as shown in the following screenshot:
The Elcomsoft Phone Password Breaker attack options
4. If cracked, the password will be displayed and can be used to access the encrypted backup file with the use of a forensic tool. It is important to use a forensic tool that will prompt you for the password. Some will simply fail or finish with errors and provide no access to the encrypted data, as shown in the following screenshot:
Forensic tools for BlackBerry analysis
Several forensic tools are available to parse data from BlackBerry backup files and forensic images of BlackBerry devices. The best tools provide access to the raw database files, so that data not supported by the forensic tool can be manually parsed by the examiner and deleted data is not left unrecovered. Knowing where to find the data on devices takes practice, and the examiner should be trained in examining data from BlackBerry devices.
Some forensic tools available include Cellebrite Physical Analyzer, Oxygen Forensics Suite, Micro Systemation XRY, AccessData MPE+, and several others. Some tools are specifically designed to analyze BlackBerry backup files. Common tools that provide support for backup files include Oxygen Forensics IPD Viewer, Elcomsoft BlackBerry Backup Explorer, and BlackBerry Backup Extractor. Bulk Extractor, created by Dr. Simson Garfinkel, is a free tool that can parse data from raw BlackBerry image files (physical dumps) even if the password is unknown, although it can only recover artifacts that are stored in plaintext; regions protected by content encryption yield nothing.
Bulk Extractor scans the image file and pulls useful information (calls, URLs, e-mail addresses, and more) without parsing the file system, and provides the results to the examiner. Bulk Extractor can be downloaded from http://digitalcorpora.org/downloads/bulk_extractor/. An example of Bulk Extractor output for telephone numbers is shown in the following screenshot:
Telephone numbers parsed by Bulk Extractor
The following is a step-by-step procedure to view the information present in an IPD file using BlackBerry Backup Extractor. This tool provides access to the native files for further examination. A tool such as BlackBerry Backup Extractor may be helpful when your commercial forensic tool does not provide access to the actual files recovered from the BlackBerry backup file.
1. Download and install BlackBerry Backup Extractor on the forensic workstation (http://www.blackberryconverter.com/).
2. Click on the Open backup… button to load the IPD backup file into the software, as shown in the following screenshot:
BlackBerry Backup Extractor
3. Select the folder where the data will be saved and extracted. When the process begins, the tool displays information about the number of databases currently being extracted.
4. Once the extraction is complete, you will find information about sent e-mails, received e-mails, contacts, SMS, calendar appointments, and more, as shown in the following screenshot:
E-mail extracted from backup
The contacts, call logs, and other data extracted by the tool can be navigated to and examined for relevance, as shown in the following screenshot. Again, BlackBerry Backup Extractor does not provide an analytical platform to view all of the extracted data in a normalized manner; therefore, manual review of the results is required.
Contacts extracted from backup
Other information that can be crucial during investigations, such as browser URLs, browser data cache, and so on, is also extracted, as shown in the following screenshot:
Other useful data extracted from the backup
The BlackBerry backup file contains a 2-byte hexadecimal value that, when converted to decimal, reveals the number of database files contained within that backup file. The two bytes of interest are the third and fourth bytes following the 37-byte RIM signature of the IPD backup file, that is, offsets 0x27-0x28 in the header table shown earlier. As shown in the following screenshot, the IPD file is being examined in a hex viewer to determine the number of database files contained within the IPD file. The third and fourth bytes (00 6D) are converted for database verification purposes. In the following screenshot, hex 6D is converted to decimal, which is 109. Therefore, there are 109 databases contained within this IPD file. It is important for the forensic tool to display 109 databases/tables for the examiner to analyze; a tool that shows fewer has omitted or failed to parse some of them.
The Hex view of IPD file
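The header table in the backup analysis section, the name-block, record and field description that follows it, and the database-count check just shown are all simple enough to code. The following added example, written for this page and not taken from the book or from any forensic vendor named here, parses a constructed IPD image end to end and compares the header's database count with whatever a tool reports. The page only gives byte widths for the header; the widths and byte order assumed for the rest (a 2-byte little-endian name length before each NUL-terminated name; a 2-byte database ID, 4-byte record length, 1-byte version, 2-byte handle and 4-byte unique ID per record, all little-endian; a 2-byte length and 1-byte type per field) are taken from the commonly published IPD description and are marked as assumptions in the code. The database count is read big-endian because the page's own example reads the bytes 00 6D as 109. The two-database sample built by build_sample_ipd() is constructed data with arbitrary field type codes, not a real backup.

```python
"""Parse the BlackBerry IPD backup layout described on this page.

Added example; not code from the book or any forensic vendor. Header
offsets follow the page's table. The layout of name blocks, records and
fields is an ASSUMPTION based on the commonly published IPD description;
build_sample_ipd() constructs a sample under the same assumptions.
"""
import struct
from typing import Dict, Iterator, List, Tuple

SIGNATURE = b"Inter@ctive Pager Backup/Restore File"  # 37 bytes at offset 0x0
HEADER_LEN = 0x2A  # signature, line break, version, count (2), separator


def parse_header(data: bytes) -> Dict[str, int]:
    """Fixed header: signature 0x0, line break 0x25, version 0x26,
    database count 0x27-0x28, separator 0x29 (the page's table)."""
    if data[:0x25] != SIGNATURE:
        raise ValueError("RIM signature missing: not an IPD file")
    if data[0x25:0x26] != b"\n":
        raise ValueError("expected line break at 0x25")
    # Read big-endian: the page's hex view shows 00 6D at 0x27-0x28 = 109.
    (count,) = struct.unpack_from(">H", data, 0x27)
    if data[0x29] != 0:
        raise ValueError("expected 0x00 database separator at 0x29")
    return {"version": data[0x26], "database_count": count}


def parse_database_names(data: bytes, count: int) -> Tuple[List[str], int]:
    """Name blocks follow the header: ASSUMED 2-byte LE length, then the
    NUL-terminated name. Returns the names and the first record's offset."""
    names, offset = [], HEADER_LEN
    for _ in range(count):
        (length,) = struct.unpack_from("<H", data, offset)
        offset += 2
        names.append(data[offset:offset + length].rstrip(b"\x00").decode("latin-1"))
        offset += length
    return names, offset


def parse_records(data: bytes, offset: int) -> Iterator[dict]:
    """Records (ASSUMED widths): db id (2, LE), record length (4, LE, counting
    the bytes after it), db version (1), record handle (2, LE), unique id
    (4, LE), then fields of (length 2 LE, type 1, data) up to the record end."""
    while offset < len(data):
        db_id, rec_len = struct.unpack_from("<HI", data, offset)
        offset += 6
        end = offset + rec_len
        version = data[offset]
        handle, uid = struct.unpack_from("<HI", data, offset + 1)
        offset += 7
        fields = []
        while offset < end:
            (f_len,) = struct.unpack_from("<H", data, offset)
            f_type = data[offset + 2]
            offset += 3
            fields.append((f_type, data[offset:offset + f_len]))
            offset += f_len
        if offset != end:
            raise ValueError(f"record in database {db_id} overruns its length")
        yield {"db_id": db_id, "version": version, "handle": handle,
               "uid": uid, "fields": fields}


def parse_ipd(data: bytes) -> dict:
    """Header, database names and records grouped by database name."""
    header = parse_header(data)
    names, offset = parse_database_names(data, header["database_count"])
    tables: Dict[str, list] = {name: [] for name in names}
    for rec in parse_records(data, offset):
        tables[names[rec["db_id"]]].append(rec)
    return {"header": header, "tables": tables}


def count_matches_tool(data: bytes, tool_reported: int) -> bool:
    """The page's verification step: does the header's database count agree
    with the number of databases/tables the forensic tool displays?"""
    return parse_header(data)["database_count"] == tool_reported


def build_sample_ipd() -> bytes:
    """Constructed two-database sample (field type codes are arbitrary)."""
    names = ["Address Book", "SMS Messages"]
    out = bytearray(SIGNATURE + b"\n" + bytes([2])
                    + struct.pack(">H", len(names)) + b"\x00")
    for name in names:
        raw = name.encode("latin-1") + b"\x00"
        out += struct.pack("<H", len(raw)) + raw
    records = [  # (db index, handle, unique id, [(type, payload)])
        (0, 1, 0x1001, [(0x01, b"Alice Example"), (0x07, b"+15555550100")]),
        (1, 2, 0x2001, [(0x04, b"Meet at 10"), (0x02, b"+15555550100")]),
    ]
    for db_id, handle, uid, fields in records:
        body = bytes([2]) + struct.pack("<HI", handle, uid)
        for f_type, payload in fields:
            body += struct.pack("<H", len(payload)) + bytes([f_type]) + payload
        out += struct.pack("<HI", db_id, len(body)) + body
    return bytes(out)


if __name__ == "__main__":
    parsed = parse_ipd(build_sample_ipd())
    print(parsed["header"], {k: len(v) for k, v in parsed["tables"].items()})
```

Run count_matches_tool() against the number of databases/tables your tool displays; a mismatch means the tool has dropped empty databases or failed to parse some of them, which is exactly the case the hex check above is meant to catch. Record field type codes and their meaning vary per database, so the raw (type, data) pairs are what you take into a hex viewer, not a decoded view.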
Some forensic tools will convert this number for you, which is true of Oxygen Forensics IPD Viewer, as shown in the next screenshot. Oxygen Forensics Suite is one of the most powerful commercial forensic tools to parse data from BlackBerry backup files. This suite of tools offers both a backup file parser and an IPD Viewer. Some forensic tools omit empty databases, provide partial support for backup files, or require the examiner to manually convert and verify the number of tables. To verify the number of databases/tables in a BlackBerry backup file, Oxygen Forensics IPD Viewer can be used by performing the following steps:
1. Install Oxygen Forensics Suite (license required) on your forensic workstation.
2. Select BlackBerry IPD Viewer and navigate to the backup file. Have a look at the following screenshot:
Oxygen Forensics Suite BlackBerry IPD Viewer
3. If encrypted, enter the password. If you do not know the password, the data cannot be decrypted for examination. Keep in mind that you will need this password every time you open the image file for examination, as shown in the following screenshot:
Oxygen Forensics Suite BlackBerry IPD Viewer: the encrypted file
4. The decrypted data will be provided for examination. Note that the number of databases contained within this backup file was 107, as shown in the following screenshot:
Summary
Forensic support for BlackBerry devices is limited when compared to other smartphone devices. Open source tools supporting BlackBerry physical acquisition are not currently available, and bypassing a locked device is complicated and often leaves the data encrypted and unusable. Unlike with iOS and Android devices, our most successful data extractions from BlackBerry devices usually come from the file system image or backup file. Information such as e-mail, SMS, contacts, and more can be extracted from BlackBerry backup files. Sometimes, the most useful information is the data extracted from a backup file, which provides access to the most data for analysis.
IndexA
acquisitionviaacustomramdiskabout/Acquisitionviaacustomramdiskforensicenvironmentsetup/Theforensicenvironmentsetupforensictoolkit,creating/Creatingandloadingtheforensictoolkitdevicecommunication,establishing/Establishingcommunicationwiththedevicepasscode,bypassing/Bypassingthepasscodedatapartition,imaging/Imagingthedatapartitiondatapartition,decrypting/Decryptingthedatapartitiondeleteddata,recovering/Recoveringthedeleteddata
acquisitionviajailbreakingperforming/Acquisitionviajailbreaking
ActivationLock,iOSsecurityabout/ActivationLock
adbabout/Usingtheadbpullcommand
adbpullcommandused,forlogicaldataextraction/Usingtheadbpullcommand
AddressBook.sqlitedbabout/AddressbookcontactsABPerson/AddressbookcontactsABMultiValue/AddressbookcontactsABMultiValueLabel/Addressbookcontacts
AddressBookImages.sqlitedbfileabout/Addressbookimages
AddressSpaceLayoutRandomization(ASLR),iOSsecurityabout/AddressSpaceLayoutRandomization
AFLogical/Usingcontentprovidersabout/TheAFLogicaltooleditions/TheAFLogicaltoolOSE/TheAFLogicaltoolLE/TheAFLogicaltool
AFLogicalLE
about/AFLogicalLawEnforcement(LE)logicaldata,extractingfromdevice/AFLogicalLawEnforcement(LE)
AFLogicalOSEabout/AFLogicalOpenSourceEditioninstalling/AFLogicalOpenSourceEdition
AFLogicalOSE1.5.2downloading/Usingcontentproviders
Alpine/1.x–thefirstiPhoneAndroid
about/AndroidAndroidapp
analysis/AndroidappanalysisAndroidapps
reverseengineering/ReverseengineeringAndroidapps,StepstoreverseengineerAndroidapps
AndroidDebugBridge(adb)about/AndroidDebugBridgeused,foraccessingdevice/Accessingthedeviceusingadb
Androiddeviceaccessing,adbused/Accessingthedeviceusingadbconnecteddevices,detecting/Detectingconnecteddeviceslocaladbserver,killing/Killingthelocaladbserveradbshell,accessing/Accessingtheadbshellhandling/HandlinganAndroiddevicerooting/RootinganAndroiddevicerootaccess/Rootaccess–adbshellimaging/ImaginganAndroidPhonedataextractiontechniques/Dataextractiontechniques
Androiddevice,connectingtoworkstationdevicecable,identifying/Identifyingthedevicecabledevicedrivers,installing/Installingthedevicedrivers
Androidfilehierarchy/boot/Androidfilehierarchy/system/Androidfilehierarchy/recovery/Androidfilehierarchy/data/Androidfilehierarchy
/cache/Androidfilehierarchy/misc/Androidfilehierarchy
Androidfilesystemabout/Androidfilesystemviewing,onAndroiddevice/ViewingfilesystemsonanAndroiddeviceExtendedFileSystem(EXT)/ExtendedFileSystem–EXT
Androidmodelabout/TheAndroidmodelLinuxkernellayer/TheLinuxkernellayerlibraries/LibrariesDalvikvirtualmachine/Dalvikvirtualmachinedalvikvirtualmachine/Dalvikvirtualmachineapplicationframeworklayer/Theapplicationframeworklayerapplicationslayer/Theapplicationslayer
AndroidSDKabout/AndroidSoftwareDevelopmentKitdownloading/AndroidSoftwareDevelopmentKitinstalling/AndroidSDKinstallation
Androidsecurityabout/Androidsecuritysecurekernel/Securekernelpermissionmodel/Thepermissionmodelapplicationsandbox/Applicationsandboxsecureinterprocesscommunication/Secureinterprocesscommunicationapplicationsigning/Applicationsigning
Apex/4.x–GameCenterandmultitaskingAPKfile
extractingfromAndroiddevice/ExtractinganAPKfilefromanAndroiddevice
AppDomain/Recordapplicationframeworklayer,Androidmodel
about/Theapplicationframeworklayertelephonymanager/Theapplicationframeworklayercontentprovider/Theapplicationframeworklayerresourcemanager/Theapplicationframeworklayer
Applicationsandbox/Applicationsandboxapplicationslayer,Androidmodel
about/TheapplicationslayerAppsandboxing
about/AppsandboxingAppStore/2.x–AppStoreand3G
about/AppStorearchivingphase,Mobilephoneevidenceextractionprocess
about/ThearchivingphaseAutopsy
about/Autopsydownloadlink/AutopsyAndroid,analyzing/AnalyzinganAndroidinAutopsy
AVDabout/AndroidVirtualDevicecreating/AndroidVirtualDevice
Bb-treelayout/RecoveringdeletedSQLiterecordsbackupanalysis,BlackBerry
about/BlackBerrybackupanalysisbackupfile,BlackBerry
fileheader/BlackBerrybackupanalysisdatabasenameblocks/BlackBerrybackupanalysisdatabaserecords/BlackBerrybackupanalysisdatabaserecordfields/BlackBerrybackupanalysis
backupstructure,iTunesabout/Understandingthebackupstructureinfo.plistfile/info.plistmanifest.plistfile/manifest.pliststatus.plistfile/status.plistmanifest.mbdbfile/manifest.mbdb
BigBear/2.x–AppStoreand3GBlackBerryanalysis
about/BlackBerryanalysisbackupanalysis/BlackBerrybackupanalysisforensicimageanalysis/BlackBerryforensicimageanalysisencryptedBlackBerrybackupfile/EncryptedBlackBerrybackupfilesforensictools/ForensictoolsforBlackBerryanalysis
BlackBerrybackupcreating/CreatingaBlackBerrybackup
BlackBerryBackup(BBB)file/CreatingaBlackBerrybackupBlackBerryBackupExtractor/ForensictoolsforBlackBerryanalysis
using/ForensictoolsforBlackBerryanalysisURL/ForensictoolsforBlackBerryanalysisinstalling/ForensictoolsforBlackBerryanalysis
BlackBerrybackupfileabout/ForensictoolsforBlackBerryanalysis
BlackBerryDesktopManager(BDM)/CreatingaBlackBerrybackupBlackBerryDesktopSoftware
installing/CreatingaBlackBerrybackupURL/CreatingaBlackBerrybackup
BlackBerryEnterpriseServer(BES)/BlackBerryOS
BlackBerryInternetService(BIS)/BlackBerryOSBlackBerryLimited/BlackBerryOSBlackBerryLink/CreatingaBlackBerrybackupBlackBerryOS
about/BlackBerryOS,BlackBerryOSURL/BlackBerryOSversionhistory/BlackBerryOSsecurityfeatures/Securityfeaturesdataacquisition/Dataacquisition
BlackBerryRIM/BlackBerryOSBlackBerrysecurity
about/SecurityfeaturesBlackBerrytimestamptypes
URL/BlackBerryforensicimageanalysisBootROM/Normalmodebrowserhistory
extracting/ExtractingbrowserhistoryBulkExtractor
about/ForensictoolsforBlackBerryanalysisURL/ForensictoolsforBlackBerryanalysis
CCalendar.sqlitedbfile
about/Calendareventscalllogs
extracting/Extractingcalllogscall_history.dbfile
about/Callhistorycapabilities
about/Capability-basedmodelcapabilities-basedmodel,WindowsPhone
about/Capability-basedmodelCelleBrite
about/Cellebrite–UFEDCelleBritePhysicalAnalyzer
about/Cellebrite–UFEDCellebritePhysicalAnalyzer/BlackBerryforensicimageanalysisCelleBriteUFED
about/Cellebrite–UFEDCellebriteUFED
about/CellebriteUFEDPhysicalAnalyzerURL/CellebriteUFEDPhysicalAnalyzerfeatures/FeaturesofCellebriteUFEDPhysicalAnalyzerusage/UsageofCellebriteUFEDPhysicalAnalyzerphysicalacquisitionofiOS,performing/UsageofCellebriteUFEDPhysicalAnalyzersupporteddevices/Supporteddevices
CellebriteUFEDTouch/StandardacquisitionmethodsBlackBerryZ10support/StandardacquisitionmethodsBlackBerryCurvesupport/Standardacquisitionmethods
cgroupfilesystem/ViewingfilesystemsonanAndroiddevicechambers
about/WindowschambersChevronWP7
about/Dataacquisitionused,forsideloading/SideloadingusingChevronWP7
Chip-off
about/Chip-offprocess/Chip-off
chip-offmethodabout/Chip-off
chip-offtechnique,screenlockbypassingtechniques/OthertechniquesClockworkMod/RootinganAndroiddeviceClockworkrecovery/RootinganAndroiddeviceCocoaTouchlayer,iOS
about/TheCocoaTouchlayercodesigning,iOSsecurity
about/Codesigningcodesign_allocatetoolpath
verifying/Verifyingthecodesign_allocatetoolpathCODfiles/SecurityfeaturesConnectorapp/MOBILeditconsolidated.dbfile
about/ConsolidatedGPScacheconsolidatedGPScache
about/ConsolidatedGPScachecontentproviders
used,fordataextraction/Usingcontentproviderscookies
about/CookiesCoreOSlayer,iOS
about/TheCoreOSlayerCoreServiceslayer,iOS
about/TheCoreServiceslayercustomramdisk
building/Buildingacustomramdiskbooting/Bootingthecustomramdisk
Cydiaapplication/Acquisitionviajailbreaking
D
.dump table-name command / SQLite special commands
/data directory
  extracting, on rooted device / Extracting the /data directory on a rooted device
  extracting, on non-rooted device / Extracting the /data directory on a rooted device
Dalvik bytecode / Reverse engineering Android apps
Dalvik Virtual Machine (DVM) / Reverse engineering Android apps
data acquisition
  about / Data acquisition
  sideloading, ChevronWP7 used / Sideloading using ChevronWP7
  data, extracting / Extracting the data
data acquisition, BlackBerry
  about / Data acquisition
  standard acquisition methods / Standard acquisition methods
  BlackBerry backup, creating / Creating a BlackBerry backup
data acquisition methods
  about / Data acquisition methods
  physical acquisition / Physical acquisition
  logical acquisition / Logical acquisition
  manual acquisition / Manual acquisition
data execution prevention (DEP), iOS security
  about / Data execution prevention
data extraction, Windows Phone device
  performing / Extracting the data
  SMS, extracting / Extracting SMS
  e-mail, extracting / Extracting e-mail
  application data, extracting / Extracting application data
data extraction techniques, Android device
  types / Data extraction techniques
  manual data extraction / Manual data extraction
  logical data extraction / Logical data extraction
  physical data extraction / Physical data extraction
data protection, iOS security
  about / Data protection
data recovery
  about / Data recovery
  performing / Data recovery
  deleted files, recovering / Recovering the deleted files
  deleted data, recovering from SD card / Recovering deleted data from an SD card
  deleted data, recovering from internal memory / Recovering data deleted from internal memory
  deleted files, recovering by parsing SQLite files / Recovering deleted files by parsing SQLite files
  files, recovering using file carving techniques / Recovering files using file-carving techniques
data storage, Android device
  shared preferences / Using the adb pull command
  internal storage / Using the adb pull command
  external storage / Using the adb pull command
  SQLite database / Using the adb pull command
data synchronization / iTunes backup
data wipe, iOS security
  about / Data wipe
deleted SQLite records
  recovering / Recovering deleted SQLite records
device information
  extracting / Extracting device information
device locking / Handling an Android device
devpts filesystem / Viewing filesystems on an Android device
dex2jar tool / Steps to reverse engineer Android apps
DFU mode, iOS devices
  about / DFU mode
  enabling / DFU mode
  verifying / DFU mode
differential backup
  about / Understanding the backup structure
DiskDigger / Recovering files using file-carving techniques
disk layout, iOS devices
  about / Disk layout
  system partition / Disk layout
  user data partition / Disk layout
  mounted partitions, viewing / Disk layout
  raw disk images, viewing / Disk layout
document and reporting phase, Mobile phone evidence extraction process
  about / The document and reporting phase
dot commands
  about / SQLite special commands
  .tables / SQLite special commands
  .schema table-name / SQLite special commands
  .dump table-name / SQLite special commands
  .output file-name / SQLite special commands
  .headers on / SQLite special commands
  .help / SQLite special commands
  .exit / SQLite special commands
  .mode MODE / SQLite special commands
downloaded applications
  about / Downloaded applications
DVM
  about / Dalvik virtual machine
E
.exit command / SQLite special commands
e-mail database
  about / E-mail database
eDiscovery
  about / BlackBerry analysis
Effaceable Storage / Recovering the deleted data
EIFT
  about / Elcomsoft iOS Forensic Toolkit
  URL / Elcomsoft iOS Forensic Toolkit
  features / Features of EIFT
  usage / Usage of EIFT
  guided mode / Guided mode
  manual mode / Manual mode
EIFT-supported devices
  about / EIFT-supported devices
  compatibilities / Compatibility notes
Elcomsoft BlackBerry Backup Explorer / Forensic tools for BlackBerry analysis
Elcomsoft IPD Viewer
  using / Forensic tools for BlackBerry analysis
Elcomsoft Phone Password Breaker / Encrypted BlackBerry backup files
Elevated Rights Chamber (ERC)
  about / Windows chambers
encrypted backup, iTunes
  creating / Encrypted backup
  extracting / Extracting encrypted backups
  extracting, iPhone Data Protection Tools used / iPhone Data Protection Tools
  keychain, decrypting / Decrypting the keychain
encrypted BlackBerry backup file
  about / Encrypted BlackBerry backup files
  cracking / Encrypted BlackBerry backup files
encryption, iOS security
  about / Encryption
Escrow keybag / Pairing records
ES Explorer / Extracting an APK file from an Android device
evidence
  about / Potential evidence stored on mobile phones
  rules / Authentic
  securing / Securing the evidence
  preserving / Preserving the evidence
  documenting / Documenting the evidence
evidence intake phase, Mobile phone evidence extraction process
  about / The evidence intake phase
Extended File System (EXT)
  about / Extended File System – EXT
F
Fastboot utility / Flashing a new recovery partition
file carving
  about / Recovering files using file-carving techniques
  used, for recovering files / Recovering files using file-carving techniques
filesystem, iPhone
  HFSX / Filesystem
Find My Friends service / iCloud backup
Find My iPhone service / iCloud backup
Flash Friendly File System (F3FS) / Extended File System – EXT
forensic best practices
  evidence, securing / Securing the evidence
  evidence, preserving / Preserving the evidence
  evidence, documenting / Documenting the evidence
  all changes, documenting / Documenting all changes
forensic environment
  setting up / A forensic environment setup
  Android SDK / Android Software Development Kit
  Android SDK installation / Android SDK installation
  AVD / Android Virtual Device
  Android device, connecting to workstation / Connecting an Android device to a workstation
  connected device, accessing / Accessing the connected device
  Android Debug Bridge (adb) / Android Debug Bridge
  Android device, accessing with adb / Accessing the device using adb
  Android device, handling / Handling an Android device
forensic environment setup, acquisition via a custom ramdisk
  performing / The forensic environment setup
  ldid tool, downloading / Downloading and installing the ldid tool
  ldid tool, installing / Downloading and installing the ldid tool
  codesign_allocate tool path, verifying / Verifying the codesign_allocate tool path
  OSXFuse, installing / Installing OSXFuse
  Python modules, installing / Installing Python modules
  iPhone Data Protection Tools, downloading / Downloading iPhone Data Protection Tools
  IMG3FS tool, building / Building the IMG3FS tool
  redsn0w, downloading / Downloading redsn0w
forensic image analysis, BlackBerry
  about / BlackBerry forensic image analysis
forensic toolkit, acquisition via a custom ramdisk
  creating / Creating and loading the forensic toolkit
  loading / Creating and loading the forensic toolkit
  iOS firmware file, downloading / Downloading the iOS firmware file
  kernel, modifying / Modifying the kernel
  custom ramdisk, building / Building a custom ramdisk
  custom ramdisk, booting / Booting the custom ramdisk
forensic tools
  overview / Forensic tools overview
  AFLogical tool / The AFLogical tool
  MOBILedit / MOBILedit
  Autopsy / Autopsy
forensic tools, for BlackBerry analysis
  about / Forensic tools for BlackBerry analysis
  Cellebrite Physical Analyzer / Forensic tools for BlackBerry analysis
  Oxygen Forensics Suite / Forensic tools for BlackBerry analysis
  Micro Systemation XRY / Forensic tools for BlackBerry analysis
  AccessData MPE+ / Forensic tools for BlackBerry analysis
G
Game Center / 4.x – Game Center and multitasking
Global Positioning System (GPS) / 2.x – App Store and 3G
guided mode, EIFT
  about / Guided mode
  physical acquisition of iPhone 4, performing / Guided mode
H
.headers on command / SQLite special commands
.help command / SQLite special commands
Heavenly / 1.x – the first iPhone
hex dump
  about / Hex dump
HFS Plus filesystem
  about / The HFS Plus filesystem
  URL / The HFS Plus filesystem
HFS Plus volume
  about / The HFS Plus volume
  structure / The HFS Plus volume
HFS volumes / The HFS Plus filesystem
HFSX
  about / Filesystem
Hierarchical File System (HFS)
  about / The HFS Plus filesystem
HomeDomain / Record
HomeDomain plist files
  about / The HomeDomain plist files
I
iBackupBot / Open source or free methods
iBEC loader
  about / DFU mode
iBoot
  about / Normal mode
iCloud / 5.x – Siri and iCloud
  about / iCloud backup
  Find My iPhone service / iCloud backup
  Find My Friends service / iCloud backup
iCloud backup
  performing / iCloud backup
  extracting / Extracting iCloud backups
identification phase, Mobile phone evidence extraction process
  about / The identification phase
  legal authority / The legal authority
  examination goals / The goals of the examination
  make and model, identifying / The make, model, and identifying information for the device
  removable data storage / Removable and external data storage
  potential evidence sources / Other sources of potential evidence
ideviceinfo command-line tool
  about / iPhone models
  URL / iPhone models
iExplorer / Open source or free methods
iFunBox / Open source or free methods
imaging process, memory (SD) card
  memory card, connecting / Imaging a memory (SD) card
  memory card, protecting / Imaging a memory (SD) card
  hash value, calculating / Imaging a memory (SD) card
  disk image, creating / Imaging a memory (SD) card
imaging the device
  about / Imaging an Android Phone
IM chats analysis
  about / Analysis of social networking/IM chats
IMG3FS tool
  building / Building the IMG3FS tool
info.plist file
  about / info.plist
  content / info.plist
Innsbruck / 7.x – the iPhone 5S and beyond
Inter@active Pager Backup (IPD) / Creating a BlackBerry backup
iOS
  about / iOS, iPhone operating system
  differences, with Mac OS X / iPhone operating system
iOS acquisition methods
  open source methods / Open source or free methods
iOS architecture
  about / The iOS architecture
  layers / The iOS architecture
  Cocoa Touch layer / The Cocoa Touch layer
  Media layer / The Media layer
  Core Services layer / The Core Services layer
  Core OS layer / The Core OS layer
iOS data analysis and recovery
  timestamps / Timestamps
  SQLite databases / SQLite databases
  property list / Property lists
  cookies / Cookies
  keyboard cache / Keyboard cache
  photos directory / Photos
  wallpaper directory / Wallpaper
  snapshots directory / Snapshots
  recordings directory / Recordings
  downloaded applications / Downloaded applications
  deleted SQLite records, recovering / Recovering deleted SQLite records
iOS devices
  iPhone / iPhone models
  iPad / iPad models
  disk layout / Disk layout
  operating modes / Operating modes of iOS devices
  physical acquisition / Physical acquisition
iOS firmware file
  downloading / Downloading the iOS firmware file
iOS history
  about / iOS history
  iPhone OS 1.x / 1.x – the first iPhone
  App Store / 2.x – App Store and 3G
  iPhone 3G / 2.x – App Store and 3G
  iPad / 3.x – the first iPad
  Game Center / 4.x – Game Center and multitasking
  multitasking / 4.x – Game Center and multitasking
  Siri / 5.x – Siri and iCloud
  iCloud / 5.x – Siri and iCloud
  Apple Maps / 6.x – Apple Maps
  iPhone 5S / 7.x – the iPhone 5S and beyond
iOS security
  about / iOS security
  features / iOS security
  passcodes / Passcode
  code signing / Code signing
  sandboxing / Sandboxing
  encryption / Encryption
  data protection / Data protection
  Address Space Layout Randomization (ASLR) / Address Space Layout Randomization
  privilege separation / Privilege separation
  stack smashing protection / Stack smashing protection
  data execution prevention (DEP) / Data execution prevention
  data wipe / Data wipe
  Activation Lock / Activation Lock
iPad hardware
  about / iPad hardware
  internal images / iPad hardware
iPad models
  iOS versions / iPad models
  specifications and features / iPad models
IPD file
  information, viewing with BlackBerry Backup Extractor / Forensic tools for BlackBerry analysis
iPhone
  about / iPhone models
  models / iPhone models
  model, identifying / iPhone models
  examining / iPhone models
  model number / iPhone models
  firmware version / iPhone models
  specifications and features / iPhone models
  filesystem / Filesystem
iPhone Backup Browser
  about / iPhone Backup Browser
  unencrypted backup, extracting / iPhone Backup Browser
iPhone Backup Extractor
  about / iPhone Backup Extractor
  unencrypted backup, extracting / iPhone Backup Extractor
iPhone backups
  iTunes backup / iTunes backup
  iCloud backup / iCloud backup
iPhone Data Protection Tools
  about / Acquisition via a custom ramdisk, iPhone Data Protection Tools
  installing / Downloading iPhone Data Protection Tools
  unencrypted backup, extracting / iPhone Data Protection Tools
  encrypted backup, extracting / iPhone Data Protection Tools
iPhone hardware
  about / iPhone hardware
  internal images / iPhone hardware
iPhone OS
  about / iPhone operating system
iPhone Password Breaker
  about / iPhone Password Breaker
  backup password, brute forcing / iPhone Password Breaker
iPhone Software Development Kit (SDK) / 2.x – App Store and 3G
iRecovery Stick
  about / Paraben iRecovery Stick
  URL / Paraben iRecovery Stick
  features / Features of Paraben iRecovery Stick
  usage / Usage of Paraben iRecovery Stick
  acquisition of iOS device, performing / Usage of Paraben iRecovery Stick
  supported devices / Devices supported by Paraben iRecovery Stick
isolation phase, Mobile phone evidence extraction process
  about / The isolation phase
iTunes
  about / iTunes backup
  auto-syncing, disabling / iTunes backup
iTunes backup
  performing / iTunes backup
  records, pairing / Pairing records
  backup structure / Understanding the backup structure
  unencrypted backup, creating / Unencrypted backup
  encrypted backup, creating / Encrypted backup
IV (initialization vector) / Extracting encrypted backups
J
jailbreaking
  about / Jailbreaking
  URL / Jailbreaking
Java Development Environment (JDE) / BlackBerry OS
Java Virtual Machine (JVM) / Security features
JD-GUI tool / Steps to reverse engineer Android apps
Joint Test Action Group (JTAG) method / Chip-off
JTAG
  about / JTAG
  process / JTAG
JTAG technique, screen lock bypassing techniques / Other techniques
K
Kernel Address Space Layout Randomization / Acquisition via jailbreaking
Kernel Address Space Protection / Acquisition via jailbreaking
keyboard cache
  about / Keyboard cache
Kirkwood / 3.x – the first iPad
L
ldid tool
  downloading / Downloading and installing the ldid tool
  installing / Downloading and installing the ldid tool
Least Privileged Chamber (LPC)
  about / Windows chambers
libraries, Android model
  about / Libraries
LiME
  about / Recovering deleted data from an SD card
Linux kernel layer, Android model
  about / The Linux kernel layer
lockdown certificates / Pairing records
logical acquisition method
  about / Logical acquisition
logical data extraction
  about / Logical data extraction
  performing / Logical data extraction
  performing, adb pull command used / Using the adb pull command
  /data directory, extracting on rooted device / Extracting the /data directory on a rooted device
  /data directory, extracting on non-rooted device / Extracting the /data directory on a rooted device
  performing, SQLite Browser used / Using SQLite Browser
  device information, extracting / Extracting device information
  call logs, extracting / Extracting call logs
  SMS/MMS, extracting / Extracting SMS/MMS
  browser history, extracting / Extracting browser history
  social networking analysis / Analysis of social networking/IM chats
  IM chats analysis / Analysis of social networking/IM chats
  performing, content providers used / Using content providers
logical extraction process
  about / Logical extraction
Low-Level Bootloader (LLB) / Normal mode
M
.mode MODE command / SQLite special commands
M2Crypto
  about / Installing Python modules
  installing / Installing Python modules
Mac absolute time
  about / Mac absolute time
Mac OS X 10.8
  iPhone model, obtaining / iPhone models
  iPhone iOS version, obtaining / iPhone models
manifest.mbdb file
  about / manifest.mbdb
  header / Header
  records / Record
manifest.plist file
  about / manifest.plist
  content / manifest.plist
manual acquisition method
  about / Manual acquisition
manual data extraction
  about / Manual data extraction
  Android device, rooting / Using root access to acquire an Android device
manual extraction process
  about / Manual extraction
manual mode, EIFT
  about / Manual mode
MCC/MNC codes
  reference link / Call history
Media layer, iOS
  about / The Media layer
memory (SD) card
  imaging / Imaging a memory (SD) card
  imaging, WinHex used / Imaging a memory (SD) card
  imaging process / Imaging a memory (SD) card
Mercurial source code management system
  installing / Installing Python modules
micro read / Micro read
Microsoft .NET Framework 4 / iPhone Backup Browser
Mobile Data System (MDS) / BlackBerry OS
Mobile Device Management (MDM) / Handling an Android device
MOBILedit
  about / MOBILedit
  URL / MOBILedit
  used, for extracting information from Android phone / MOBILedit
Mobile forensic approaches
  about / Practical mobile forensic approaches
  mobile operating systems overview / Mobile operating systems overview
  Mobile forensic tool leveling system / Mobile forensic tool leveling system
  data acquisition methods / Data acquisition methods
Mobile forensics
  about / Mobile forensics
  challenges / Mobile forensic challenges
Mobile forensic tool leveling system
  about / Mobile forensic tool leveling system
  manual extraction / Manual extraction
  logical extraction / Logical extraction
  hex dump / Hex dump
  chip-off / Chip-off
  micro read / Micro read
mobile operating systems
  overview / Mobile operating systems overview
  Android / Android
  iOS / iOS
  Windows phone / Windows phone
  BlackBerry OS / BlackBerry OS
Mobile phone evidence extraction process
  about / Mobile phone evidence extraction process
  evidence intake phase / The evidence intake phase
  identification phase / The identification phase
  preparation phase / The preparation phase
  isolation phase / The isolation phase
  processing phase / The processing phase
  verification phase / The verification phase
  document and reporting phase / The document and reporting phase
  presentation phase / The presentation phase
  archiving phase / The archiving phase
mobile phones
  evidence / Potential evidence stored on mobile phones
model number, iPhone / iPhone models
mount command / Disk layout
O
.output file-name command / SQLite special commands
operating modes, iOS devices
  about / Operating modes of iOS devices
  normal mode / Normal mode
  recovery mode / Recovery mode
  DFU mode / DFU mode
OSXFuse
  installing / Installing OSXFuse
over the air (OTA) software updates / 5.x – Siri and iCloud
Oxygen Forensics IPD Viewer / Forensic tools for BlackBerry analysis
Oxygen Forensics SQLite Viewer
  about / Recovering deleted files by parsing SQLite files
Oxygen Forensics Suite
  installing / Forensic tools for BlackBerry analysis
Oxygen Forensic Suite 2014
  about / Oxygen Forensic Suite 2014
  URL / Oxygen Forensic Suite 2014
  features / Features of Oxygen Forensic Suite
  usage / Usage of Oxygen Forensic Suite
  acquisition of iOS, performing / Usage of Oxygen Forensic Suite
  supported devices / Oxygen Forensic Suite 2014 supported devices
P
passcodes, iOS security
  about / Passcode
PBKDF2 (Password-Based Key Derivation Function 2) / Extracting encrypted backups
photos directory
  about / Photos
photos metadata
  about / The photos metadata
physical acquisition, iOS devices
  about / Physical acquisition
physical acquisition method
  about / Physical acquisition
physical data extraction
  performing / Physical data extraction
  JTAG / JTAG
  Chip-off technique / Chip-off
plist
  about / Property lists
Plist Editor for Windows
  URL / Property lists
plutil command-line utility, Mac OS X
  about / Property lists
preparation phase, Mobile phone evidence extraction process
  about / The preparation phase
presentation phase, Mobile phone evidence extraction process
  about / The presentation phase
privilege separation, iOS security
  about / Privilege separation
processing phase, Mobile phone evidence extraction process
  about / The processing phase
proc filesystem / Viewing filesystems on an Android device
property list / Pairing records
  about / Property lists
Property List Editor
  about / Property lists
Property List Editor application / Understanding the backup structure
PyCrypto / Installing Python modules
Python modules
  installing / Installing Python modules
R
re-balling
  about / Chip-off
read-only memory (ROM) / Normal mode
recordings directory
  about / Recordings
recovery loop
  about / Recovery mode
recovery mode, iOS devices
  about / Recovery mode
redsn0w tool
  about / Recovery mode
  downloading / Downloading redsn0w
Remo Recover for Android tool
  about / Recovering deleted data from an SD card
  downloading / Recovering deleted data from an SD card
  used, for recovering deleted files from SD card / Recovering deleted data from an SD card
Research in Motion (RIM)
  about / BlackBerry OS
reverse engineering, Android apps
  APK file, extracting from Android device / Extracting an APK file from an Android device
  performing / Steps to reverse engineer Android apps
Robust File System (RFS) / Extended File System – EXT
root / What is rooting?
root access
  gaining / Gaining root access
RootDomain plist files
  about / The RootDomain plist files
rootfs filesystem / Viewing filesystems on an Android device
rooting
  about / What is rooting?
  Android device / Rooting an Android device
  Clockwork recovery / Rooting an Android device
  ClockworkMod / Rooting an Android device
  advantages / Rooting an Android device
  disadvantages / Rooting an Android device
  adb shell, running / Root access – adb shell
rules, evidence
  admissible / Admissible
  authentic / Authentic
  complete / Complete
  reliable / Reliable
  believable / Believable
S
.schema table-name command / SQLite special commands
Safari bookmarks database
  about / Safari bookmarks
Safari web caches
  about / The Safari web caches
Samsung Android device
  data extracting, UFED used / Physical extraction
sandboxing, iOS security
  about / Sandboxing
Scalpel
  about / Recovering files using file-carving techniques
  using, on Ubuntu workstation / Recovering files using file-carving techniques
screen lock bypassing techniques
  about / Screen lock bypassing techniques
  pattern lock / Screen lock bypassing techniques
  PIN code / Screen lock bypassing techniques
  alphanumeric passcode / Screen lock bypassing techniques
  adb, used / Using adb to bypass the screen lock
  gesture.key file, deleting / Deleting the gesture.key file
  settings.db file, updating / Updating the settings.db file
  modified recovery mode, checking / Checking for the modified recovery mode and adb connection
  adb connection, checking / Checking for the modified recovery mode and adb connection
  recovery partition, flashing / Flashing a new recovery partition
  smudge attack / Smudge attack
  Gmail account, using / Using the primary Gmail account
  JTAG / Other techniques
  chip-off technique / Other techniques
secure boot chain / Normal mode
secure ROM / Normal mode
security chambers
  about / Windows chambers
  Trusted Computing Base (TCB) / Windows chambers
  Elevated Rights Chamber (ERC) / Windows chambers
  Standard Rights Chamber (SRC) / Windows chambers
  Least Privileged Chamber (LPC) / Windows chambers
security features, BlackBerry
  about / Security features
security model, Windows Phone OS
  about / Security model
Siri / 5.x – Siri and iCloud
Sleuth Kit / Autopsy
SMS/MMS
  extracting / Extracting SMS/MMS
SMS database
  about / SMS messages
SMS Spotlight cache
  about / SMS Spotlight cache
smudge attack / Smudge attack
snapshots directory
  about / Snapshots
social networking analysis
  about / Analysis of social networking/IM chats
SQLite
  about / SQLite databases
  sqlite3 command-line utility / SQLite databases
SQLite Browser
  URL / SQLite databases
  used, for logical data extraction / Using SQLite Browser
SQLite command-line client
  URL / SQLite databases
SQLite commands
  about / SQLite special commands
SQLite databases
  about / SQLite databases
  connecting to / Connecting to a database
  commands / SQLite special commands
  standard SQL queries / Standard SQL queries
  address book contacts / Address book contacts
  address book images / Address book images
  call history / Call history
  SMS database / SMS messages
  SMS Spotlight cache / SMS Spotlight cache
  calendar events / Calendar events
  e-mail database / E-mail database
  notes database / Notes
  Safari bookmarks / Safari bookmarks
  Safari web caches / The Safari web caches
  web application cache / The web application cache
  WebKit storage / The WebKit storage
  photos metadata / The photos metadata
  consolidated GPS cache / Consolidated GPS cache
  voicemail database / Voicemail
SQLite files
  using / Recovering deleted files by parsing SQLite files
  URL / Recovering deleted files by parsing SQLite files
SQLite Professional
  URL / SQLite databases
SQLiteSpy
  URL / SQLite databases
stack smashing protection, iOS security
  about / Stack smashing protection
standard acquisition methods
  about / Standard acquisition methods
Standard Rights Chamber (SRC)
  about / Windows chambers
standard SQL queries
  SELECT / Standard SQL queries
  INSERT / Standard SQL queries
  DELETE / Standard SQL queries
  ALTER / Standard SQL queries
status.plist file
  about / status.plist
  content / status.plist
Sundance / 6.x – Apple Maps
Super Backup app
  about / Recovering deleted data from an SD card
System keybag / Bypassing the passcode, Pairing records
system partition, iOS device disk layout
  about / Disk layout
SystemPreferencesDomain plist files
  about / The SystemPreferencesDomain plist files
T
.tables command / SQLite special commands
Telluride / 5.x – Siri and iCloud
Test Access Ports (TAPs) / Chip-off
tiles / Windows Phone OS
timestamps
  about / Timestamps
  Unix timestamp / Unix timestamps
  Mac absolute time / Mac absolute time
tmpfs filesystem / Viewing filesystems on an Android device
Trusted Computing Base (TCB)
  about / Windows chambers
U
UFED Touch
  used, for extracting data from Samsung Android device / Physical extraction
unencrypted backup, iTunes
  creating / Unencrypted backup
  extracting / Extracting unencrypted backups
  extracting, iPhone Backup Extractor used / iPhone Backup Extractor
  extracting, iPhone Backup Browser used / iPhone Backup Browser, iPhone Data Protection Tools
  keychain, decrypting / Decrypting the keychain
Unique Device Identifier (UDID) / Bypassing the passcode, Understanding the backup structure
Unix timestamp
  about / Unix timestamps
user data partition, iOS device disk layout
  about / Disk layout
V
verification phase, Mobile phone evidence extraction process
  about / The verification phase
  extracted data, comparing to handset data / Comparing extracted data to the handset data
  results, comparing using multiple tools / Using multiple tools and comparing the results
  hash values, using / Using hash values
VFAT / Extended File System – EXT
viaForensics / The AFLogical tool
Visual C++ 2010 runtime / iPhone Backup Browser
voicemail database
  about / Voicemail
volume structure, HFS Plus
  volume header / The HFS Plus volume
  allocation file / The HFS Plus volume
  extents overflow file / The HFS Plus volume
  catalog file / The HFS Plus volume
  attribute file / The HFS Plus volume
  startup file / The HFS Plus volume
  alternate volume header file / The HFS Plus volume
W
wallpaper directory
  about / Wallpaper
web application cache
  about / The web application cache
WebKit storage, Safari
  about / The WebKit storage
Wildcat / 3.x – the first iPad
Windows phone
  about / Windows phone
Windows Phone Device Manager
  downloading / Extracting the data
Windows Phone filesystem
  about / Windows Phone filesystem
  Application Data directory / Windows Phone filesystem
  Applications directory / Windows Phone filesystem
  My Documents directory / Windows Phone filesystem
  Windows directory / Windows Phone filesystem
Windows Phone OS
  about / Windows Phone OS
  security model / Security model
  chambers / Windows chambers
  capabilities-based model / Capability-based model
  App sandboxing / App sandboxing
Windows Phone SDK 7.1
  downloading / Extracting the data
Windows registry / Windows Phone filesystem
WinHex
  used, for imaging memory (SD) card / Imaging a memory (SD) card
WirelessDomain plist files
  about / The WirelessDomain plist files