Practical Mobile Forensics - Chadshare

PracticalMobileForensics

TableofContents

PracticalMobileForensicsCreditsAbouttheAuthorsAbouttheReviewerswww.PacktPub.com

Supportfiles,eBooks,discountoffers,andmoreWhysubscribe?FreeaccessforPacktaccountholders

PrefaceWhatthisbookcoversWhatyouneedforthisbookWhothisbookisforConventionsReaderfeedbackCustomersupport

DownloadingtheexamplecodeDownloadingthecolorimagesofthebookErrataPiracyQuestions

1.IntroductiontoMobileForensicsMobileforensics

MobileforensicchallengesMobilephoneevidenceextractionprocess

TheevidenceintakephaseTheidentificationphase

ThelegalauthorityThegoalsoftheexaminationThemake,model,andidentifyinginformationforthedeviceRemovableandexternaldatastorageOthersourcesofpotentialevidence

ThepreparationphaseTheisolationphaseTheprocessingphase

TheverificationphaseComparingextracteddatatothehandsetdataUsingmultipletoolsandcomparingtheresultsUsinghashvalues

ThedocumentandreportingphaseThepresentationphaseThearchivingphase

PracticalmobileforensicapproachesMobileoperatingsystemsoverview

AndroidiOSWindowsphoneBlackBerryOS

MobileforensictoollevelingsystemManualextractionLogicalextractionHexdumpChip-offMicroread

DataacquisitionmethodsPhysicalacquisitionLogicalacquisitionManualacquisition

PotentialevidencestoredonmobilephonesRulesofevidence

AdmissibleAuthenticCompleteReliableBelievable

GoodforensicpracticesSecuringtheevidencePreservingtheevidenceDocumentingtheevidenceDocumentingallchanges

Summary2.UnderstandingtheInternalsofiOSDevices

iPhonemodelsiPhonehardwareiPadmodelsiPadhardwareFilesystemTheHFSPlusfilesystem

TheHFSPlusvolumeDisklayoutiPhoneoperatingsystem

iOShistory1.x–thefirstiPhone2.x–AppStoreand3G3.x–thefirstiPad4.x–GameCenterandmultitasking5.x–SiriandiCloud6.x–AppleMaps7.x–theiPhone5Sandbeyond

TheiOSarchitectureTheCocoaTouchlayerTheMedialayerTheCoreServiceslayerTheCoreOSlayer

iOSsecurityPasscodeCodesigningSandboxingEncryptionDataprotectionAddressSpaceLayoutRandomizationPrivilegeseparationStacksmashingprotectionDataexecutionpreventionDatawipeActivationLock

AppStoreJailbreaking

Summary

3.DataAcquisitionfromiOSDevicesOperatingmodesofiOSdevices

NormalmodeRecoverymodeDFUmode

PhysicalacquisitionAcquisitionviaacustomramdisk

TheforensicenvironmentsetupDownloadingandinstallingtheldidtoolVerifyingthecodesign_allocatetoolpathInstallingOSXFuseInstallingPythonmodulesDownloadingiPhoneDataProtectionToolsBuildingtheIMG3FStoolDownloadingredsn0w

CreatingandloadingtheforensictoolkitDownloadingtheiOSfirmwarefileModifyingthekernelBuildingacustomramdiskBootingthecustomramdisk

EstablishingcommunicationwiththedeviceBypassingthepasscodeImagingthedatapartitionDecryptingthedatapartitionRecoveringthedeleteddata

AcquisitionviajailbreakingSummary

4.DataAcquisitionfromiOSBackupsiTunesbackup

PairingrecordsUnderstandingthebackupstructure

info.plistmanifest.pliststatus.plistmanifest.mbdb

HeaderRecord

UnencryptedbackupExtractingunencryptedbackups

iPhoneBackupExtractoriPhoneBackupBrowseriPhoneDataProtectionTools

DecryptingthekeychainEncryptedbackup

ExtractingencryptedbackupsiPhoneDataProtectionTools

DecryptingthekeychainiPhonePasswordBreaker

iCloudbackupExtractingiCloudbackups

Summary5.iOSDataAnalysisandRecovery

TimestampsUnixtimestampsMacabsolutetime

SQLitedatabasesConnectingtoadatabaseSQLitespecialcommandsStandardSQLqueriesImportantdatabasefiles

AddressbookcontactsAddressbookimagesCallhistorySMSmessagesSMSSpotlightcacheCalendareventsE-maildatabaseNotesSafaribookmarksTheSafariwebcachesThewebapplicationcacheTheWebKitstorageThephotosmetadataConsolidatedGPScache

VoicemailPropertylists

ImportantplistfilesTheHomeDomainplistfilesTheRootDomainplistfilesTheWirelessDomainplistfilesTheSystemPreferencesDomainplistfiles

OtherimportantfilesCookiesKeyboardcachePhotosWallpaperSnapshotsRecordingsDownloadedapplications

RecoveringdeletedSQLiterecordsSummary

6.iOSForensicToolsElcomsoftiOSForensicToolkit

FeaturesofEIFTUsageofEIFT

GuidedmodeManualmode

EIFT-supporteddevicesCompatibilitynotes

OxygenForensicSuite2014FeaturesofOxygenForensicSuiteUsageofOxygenForensicSuiteOxygenForensicSuite2014supporteddevices

CellebriteUFEDPhysicalAnalyzerFeaturesofCellebriteUFEDPhysicalAnalyzerUsageofCellebriteUFEDPhysicalAnalyzerSupporteddevices

ParabeniRecoveryStickFeaturesofParabeniRecoveryStickUsageofParabeniRecoveryStickDevicessupportedbyParabeniRecoveryStick

OpensourceorfreemethodsSummary

7.UnderstandingAndroidTheAndroidmodel

TheLinuxkernellayerLibrariesDalvikvirtualmachineTheapplicationframeworklayerTheapplicationslayer

AndroidsecuritySecurekernelThepermissionmodelApplicationsandboxSecureinterprocesscommunicationApplicationsigning

AndroidfilehierarchyAndroidfilesystem

ViewingfilesystemsonanAndroiddeviceExtendedFileSystem–EXT

Summary8.AndroidForensicSetupandPreDataExtractionTechniques

AforensicenvironmentsetupAndroidSoftwareDevelopmentKitAndroidSDKinstallationAndroidVirtualDeviceConnectinganAndroiddevicetoaworkstation

IdentifyingthedevicecableInstallingthedevicedrivers

AccessingtheconnecteddeviceAndroidDebugBridgeAccessingthedeviceusingadb

DetectingconnecteddevicesKillingthelocaladbserverAccessingtheadbshell

HandlinganAndroiddeviceScreenlockbypassingtechniques

Usingadbtobypassthescreenlock

Deletingthegesture.keyfileUpdatingthesettings.dbfileCheckingforthemodifiedrecoverymodeandadbconnectionFlashinganewrecoverypartitionSmudgeattackUsingtheprimaryGmailaccountOthertechniques

GainingrootaccessWhatisrooting?RootinganAndroiddeviceRootaccess–adbshell

Summary9.AndroidDataExtractionTechniques

ImaginganAndroidPhoneDataextractiontechniques

ManualdataextractionUsingrootaccesstoacquireanAndroiddeviceLogicaldataextraction

UsingtheadbpullcommandExtractingthe/datadirectoryonarooteddeviceUsingSQLiteBrowserExtractingdeviceinformationExtractingcalllogsExtractingSMS/MMSExtractingbrowserhistoryAnalysisofsocialnetworking/IMchatsUsingcontentproviders

PhysicaldataextractionJTAGChip-off

Imagingamemory(SD)cardSummary

10.AndroidDataRecoveryTechniquesDatarecovery

RecoveringthedeletedfilesRecoveringdeleteddatafromanSDcardRecoveringdatadeletedfrominternalmemory

RecoveringdeletedfilesbyparsingSQLitefilesRecoveringfilesusingfile-carvingtechniques

Summary11.AndroidAppAnalysisandOverviewofForensicTools

AndroidappanalysisReverseengineeringAndroidapps

ExtractinganAPKfilefromanAndroiddeviceStepstoreverseengineerAndroidapps

ForensictoolsoverviewTheAFLogicaltoolAFLogicalOpenSourceEditionAFLogicalLawEnforcement(LE)

Cellebrite–UFEDPhysicalextraction

MOBILeditAutopsy

AnalyzinganAndroidinAutopsySummary

12.WindowsPhoneForensicsWindowsPhoneOS

SecuritymodelWindowschambersCapability-basedmodel

AppsandboxingWindowsPhonefilesystemDataacquisition

SideloadingusingChevronWP7Extractingthedata

ExtractingSMSExtractinge-mailExtractingapplicationdata

Summary13.BlackBerryForensics

BlackBerryOSSecurityfeatures

DataacquisitionStandardacquisitionmethods

CreatingaBlackBerrybackupBlackBerryanalysis

BlackBerrybackupanalysisBlackBerryforensicimageanalysisEncryptedBlackBerrybackupfilesForensictoolsforBlackBerryanalysis

SummaryIndex

PracticalMobileForensics

PracticalMobileForensicsCopyright©2014PacktPublishing

Allrightsreserved.Nopartofthisbookmaybereproduced,storedinaretrievalsystem,ortransmittedinanyformorbyanymeans,withoutthepriorwrittenpermissionofthepublisher,exceptinthecaseofbriefquotationsembeddedincriticalarticlesorreviews.

Everyefforthasbeenmadeinthepreparationofthisbooktoensuretheaccuracyoftheinformationpresented.However,theinformationcontainedinthisbookissoldwithoutwarranty,eitherexpressorimplied.Neithertheauthors,norPacktPublishing,anditsdealersanddistributorswillbeheldliableforanydamagescausedorallegedtobecauseddirectlyorindirectlybythisbook.

PacktPublishinghasendeavoredtoprovidetrademarkinformationaboutallofthecompaniesandproductsmentionedinthisbookbytheappropriateuseofcapitals.However,PacktPublishingcannotguaranteetheaccuracyofthisinformation.

Firstpublished:July2014

Productionreference:2140714

PublishedbyPacktPublishingLtd.

LiveryPlace

35LiveryStreet

BirminghamB32PB,UK.

ISBN978-1-78328-831-1

www.packtpub.com

CoverimagebyAniketSawant(<[email protected]>)

CreditsAuthors

SatishBommisetty

RohitTamma

HeatherMahalik

Reviewers

Dr.AswamiAriffin

Dr.SalvatoreFiorillo(MSIT)

YogeshKhatri

ErikKristensen

Dr.MichaelSpreitzenbarth

CommissioningEditor

RebeccaYoué

AcquisitionEditor

RebeccaYoué

ContentDevelopmentEditor

BalajiNaidu

TechnicalEditor

MananBadani

CopyEditors

SarangChari

SarangChari

MradulaHegde

AdithiShetty

ProjectCoordinator

Aaron.S.Lazar

Proofreaders

MariaGould

AmeeshaGreen

Indexer

HemanginiBari

Graphics

DishaHaria

AbhinashSahu

ProductionCoordinator

AdoniaJones

CoverWork

AdoniaJones

AbouttheAuthorsSatishBommisettyisasecurityanalystworkingforaFortune500company.HisprimaryareasofinterestincludeiOSforensics,iOSapplicationsecurity,andwebapplicationsecurity.Hehaspresentedatinternationalconferences,suchasClubHACKandC0C0n.HeisalsooneofthecoremembersoftheHyderabadOWASPchapter.HehasidentifiedanddisclosedvulnerabilitieswithinthewebsitesofGoogle,Facebook,Yandex,PayPal,Yahoo!,AT&T,andmore,andislistedintheirhalloffame.

Iwouldliketothankeveryonewhoencouragedmewhileproducingthisbook,especiallymywifeforhergreatsupport.

RohitTammaisasecurityanalystworkingforaFortune500company.Hisinterestslieinmobileforensics,Androidapplicationsecurity,andwebapplicationsecurity.Heisexperiencedinperformingvulnerabilityassessmentsandpenetrationtestingofarangeofapplications,includingwebandmobileapplications.HelivesinHyderabad,India,wherehespendstimewithhisparentsandfriends.

IwouldliketothankeveryonewhoencouragedmewhileIwasauthoringthisbook,especiallymyparentsandmyfriendswhoofferedtheirsupportineverywaytheycould.SpecialthankstoSatishBommisetty,mycolleague,co-authorofthisbook,whomentoredmeallthewaythroughwithhisvaluablesuggestions.

HeatherMahalikistheMobileExploitationTeamLeadatBasisTechnologyandtheCourseLeadfortheSANSSmartphoneForensicscourse.Withover11years'experienceindigitalforensics,shecurrentlyfocusesherenergyonmobiledeviceinvestigations,forensiccoursedevelopmentandinstruction,andresearchonsmartphoneforensics.

PriortojoiningBasisTechnology,HeatherworkedatStrozFriedbergandasacontractorfortheU.S.DepartmentofStateComputerInvestigationsandForensicsLab.SheearnedherBachelor'sdegreefromWestVirginiaUniversity.Shehasauthoredwhitepapersandforensiccoursematerial,andhastaughthundredsofcoursesworldwideforlawenforcement,Government,IT,eDiscovery,andotherforensicprofessionalsfocusingonmobiledevicesanddigitalforensics.

digitalforensics.

TherearealotofpeopletowhomIowemydeepestgratitude.Thisbookisformyhusband,whoalwaysencouragesmetotryharderandstrivetobeonestepahead.ThisbookisalsoforJack,whowouldsleepsothatmamacouldwrite,andmydadandmother-in-lawforalwayssupportingme.Professionally,thisbookisforBrianCarrier,EoghanCasey,TerranceMaguire,RobLee,andShawnHowellforgettingmeaddictedtothistradeandprovidingmewiththeopportunitiestobettermyself.Iwouldalsoliketothankmyco-workers,whohavetaughtmepatience,keptasmileonmyface,andhelpedmelearnmoreaboutforensicsthanmostwoulddeemrequired.Youguysarethebest!

AbouttheReviewersDr.AswamiAriffinspecializesindigitalforensics(PhD)andpreviouslywasaGIACCertifiedForensicAnalyst(GCFA)andCertifiedWirelessSecurityProfessional(CWSP).Hehasattendedvariousdigitalforensicstrainingcourses,suchasSANSSystemForensics,InvestigationandResponseinAustralia,multimediaforensicsintheUnitedKingdomandUnitedStates,andalsodatarecoveryinSouthKorea.

Hehasexperienceinhandlingcomputercrimesandcomputer-relatedcrimeswithvariouslawenforcementagencies/regulatorybodiesinMalaysiaandoverseas(recognizedasanexpertbyNewSouthWalesPoliceForce,Australia).Hemanagedmorethan1,800digitalforensicinvestigationsandprovidedexperttestimonies/coordinationinMalaysia'sHighCourtandRoyalCommissionofInquiry.

Heisactiveinresearch,andoneofhispapersentitledDataRecoveryFromProprietary-FormattedFilesCCTVHardDiskswasacceptedforpublicationandpresentationatthe2013NinthAnnualIFIPWG11.9InternationalConferenceonDigitalForensics,USA.HewasalsoinvolvedasacommitteememberofthedigitalforensicsprogramoftheprestigiousInternationalConferenceonAvailability,Reliability,andSecurity(ARES2012and2013).

DuetohisimmensecontributionincombatingcybercrimesanddevelopingCyberSecurity,Malaysia'sdigitalforensicscapabilities,Dr.AswamiAriffinwasawardedtheISLA(InformationSecurityLeadershipAward)in2009byISC2,USA.TheAttorneyGeneralChambersofMalaysiaandRoyalMalaysiaPolicealsoissuedacommendationletterandcertificateofappreciationtohim.

Currently,heisVicePresidentofCyberSecurityResponsiveServicesatCyberSecurityMalaysia.Heprovidesinputonstrategicdirection,technicalleadership,andmarketingstrategyforCyberSecurityMalaysiasecurityoperationsandresearch—DigitalForensicsDepartment,MyCERT,andSecureTechnologyServices.

Dr.SalvatoreFiorillo(MSIT)isafastlearner,problemsolver,andopen-mindedperson.Helikesunconventionalchallenges.HoldingadegreeinPoliticalScienceandaMaster'sdegreeinITSecurity,hisinterestsarewide

ranging,fromdigitalforensicandgeneralhacking,tosocial,anthropological,statistics,andfinancialstudies.Heisanetwork-centricwarfareevangelistandgaveaspeechatDeVereUniversityArmsinCambridge(UK)duringthe2007conferenceorganizedbytheCommandandControlResearchProgram(CCRP)withintheOfficeoftheAssistantSecretaryofUS-Defense(NII).HeisalsotheauthorofTheoryandpracticeofflashmemorymobileforensics,a2009widespreadpaperonthelimitsofdigitalforensictools(workcitedinthe2014NISTGuidelinesonMobileDeviceForensics).

IwouldliketothankLuciaTirinoandMonicaCapassofortheirprecioushelpandsupportthroughout.IwouldalsoliketothankthepeopleatPacktPublishing;theyareallveryprofessionalandnicepeople.

YogeshKhatriisanassistantprofessorteachingcomputerforensicsatChamplainCollegeinBurlington,Vermont.Priortothat,hehashadadecadeofexperienceworkinginindustryasaconsultantandtrainerforvariouscompanies,includingguidancesoftware,duringwhichheworkedoncasesinseveralcountries,andwithmanyFortune100companies.YogeshhasaMaster'sdegreeinComputerEngineeringfromSyracuseUniversity.Herunsablogatwww.swiftforensics.com,whichshowcaseshislatestresearch,scripts,ideas,andvideosoncomputerforensics.

ErikKristensenholdsaBachelor'sdegreeinComputerSciencewithover15yearsofexperiencewithcomputersystemsthatincludescomputersecurity,mobilesecurity,andcomputerforensics.DuringhistimeintheUnitedStatesAirForce,hespecializedincomputersecurityandhelpedpioneeramobilesecurityprogramfortheBlackBerry,Android,andiPhonedevices.HeiscurrentlyaGIACCertifiedForensicsAnalyst(GCFA)andistheprimarymaintaineroftheSANSInvestigativeForensicsToolkit(SIFT)forcomputerforensics.Hehasabroadrangeofexperienceandinterests.Heenjoysproblemsolvingandthinkingoutofthebox.HeiscurrentlytheleadDevOpsengineerforviaForensics,anadvancedmobilesecurityandforensicscompany.

Dr.MichaelSpreitzenbarthworkedseveralyearsasafreelancerintheITsecuritysectorafterfinishinghisdiplomathesiswithamajorinMobilePhoneForensics.In2013,hefinishedhisPhDfromtheUniversityofErlangen-NuremberginthefieldofAndroidForensicsandMobileMalwareAnalysis.Sincethistime,hehasbeenworkinginaninternationallyoperatingCERT.His

dailyworkdealswiththesecurityofmobilesystems,forensicanalysisofsmartphonesandsuspiciousmobileapplications,aswellastheinvestigationofsecurity-relatedincidents.Alongsidethis,heisworkingontheimprovementofmobilemalwareanalysistechniquesandresearchinthefieldofAndroidandiOSforensics.

www.PacktPub.com

Supportfiles,eBooks,discountoffers,andmoreYoumightwanttovisitwww.PacktPub.comforsupportfilesanddownloadsrelatedtoyourbook.

DidyouknowthatPacktofferseBookversionsofeverybookpublished,withPDFandePubfilesavailable?YoucanupgradetotheeBookversionatwww.PacktPub.comandasaprintbookcustomer,youareentitledtoadiscountontheeBookcopy.Getintouchwithusat<[email protected]>formoredetails.

Atwww.PacktPub.com,youcanalsoreadacollectionoffreetechnicalarticles,signupforarangeoffreenewslettersandreceiveexclusivediscountsandoffersonPacktbooksandeBooks.

http://PacktLib.PacktPub.com

DoyouneedinstantsolutionstoyourITquestions?PacktLibisPackt'sonlinedigitalbooklibrary.Here,youcanaccess,readandsearchacrossPackt'sentirelibraryofbooks.

Whysubscribe?FullysearchableacrosseverybookpublishedbyPacktCopyandpaste,printandbookmarkcontentOndemandandaccessibleviawebbrowser

FreeaccessforPacktaccountholders

IfyouhaveanaccountwithPacktatwww.PacktPub.com,youcanusethistoaccessPacktLibtodayandviewnineentirelyfreebooks.Simplyuseyourlogincredentialsforimmediateaccess.

PrefaceTheexponentialgrowthofmobiledeviceshasrevolutionizedmanyaspectsofourlives.InwhatiscalledthePost-PCera,smartphonesareengulfingdesktopcomputerswiththeirenhancedfunctionalityandimprovedstoragecapacity.Thisrapidtransformationhasledtoincreasedusageofmobilehandsetsacrossallsectors.

Despitetheirsmallsize,smartphonesarecapableofperformingmanytasks—sendingprivatemessagesandconfidentiale-mails,takingphotosandvideos,makingonlinepurchases,viewingsalaryslips,completingbankingtransactions,accessingsocialnetworkingsites,managingbusinesstasks,andmore.Hence,amobiledeviceisnowahugerepositoryofsensitivedata,whichcouldprovideawealthofinformationaboutitsowner.Thishasinturnledtotheevolutionofmobiledeviceforensics,abranchofdigitalforensicsthatdealswithretrievingdatafromamobiledevice.Today,thereisahugedemandforspecializedforensicexperts,especiallygiventhefactthatthedataretrievedfromamobiledeviceisadmissibleincourt.

Mobileforensicsisallaboututilizingscientificmethodologiestorecoverdatastoredwithinamobilephoneforlegalpurposes.Unliketraditionalcomputerforensics,mobileforensicshaslimitationswhenobtainingevidenceduetorapidchangesinthetechnologyandthefast-pacedevolutionofmobilesoftware.Withdifferentoperatingsystemsandawiderangeofmodelsbeingreleasedintothemarket,mobileforensicshasexpandedoverthelast3-4years.Specializedforensictechniquesandskillsarerequiredinordertoextractdataunderdifferentconditions.

ThisbooktakesyouthroughthechallengesinvolvedinmobileforensicsandpracticallyexplainsdetailedmethodsonhowtocollectevidencefromdifferentmobiledeviceswiththeiOS,Android,BlackBerry,andWindowsmobileoperatingsystems.

Thebookisorganizedinamannerthatallowsyoutofocusindependentlyonchaptersthatarespecifictoyourrequiredplatform.

WhatthisbookcoversChapter1,IntroductiontoMobileForensics,introducesyoutotheconceptofmobileforensics,corevalues,anditslimitations.Thechapteralsoprovidesanoverviewofpracticalapproachesandbestpracticesinvolvedinperformingmobileforensics.

Chapter2,UnderstandingtheInternalsofiOSDevices,providesanoverviewofthepopularAppleiOSdevices,includinganoutlineofdifferentmodelsandtheirhardware.ThebookexplainsiOSsecurityfeaturesanddevicesecurityanditsimpactontheiOSforensicsapproach.ThechapteralsogivesanoverviewoftheiOSfilesystemandoutlinesthesensitivefilesthatareusefulforforensicexaminations.

Chapter3,DataAcquisitionfromiOSDevices,coversvarioustypesofforensicacquisitionmethodsthatcanbeperformedoniOSdevicesandguidesyouthroughpreparingyourdesktopmachineforforensicwork.Thechapteralsodiscussespasscodebypasstechniques,thephysicalextractionofdevices,anddifferentwaysthatthedevicecanbeimaged.

Chapter4,DataAcquisitionfromiOSBackups,providesadetailedexplanationofdifferenttypesofiOSbackupsanddetailswhattypesoffilesarestoredduringthebackup.Thechapteralsocoverslogicalacquisitiontechniquestorecoverdatafrombackups.

Chapter5,iOSDataAnalysisandRecovery,discussesthetypeofdatathatisstoredoniOSdevicesandthegenerallocationofthisdatastorage.CommonfiletypesusediniOSdevices,suchasplistandSQLite,arediscussedindetailsoyouunderstandhowdataisstoredonthedevice,whichwillhelpforensicexaminerstoefficientlyrecoverdatafromthesefiles.

Chapter6,iOSForensicTools,providesanoverviewoftheexistingopensourceandcommercialiOSforensicstools.Thesetoolsdifferintherangeofmobilephonestheysupportandtheamountofdatathattheycanrecover.Thechapterdescribestheadvantagesandlimitationsofthesetools.

Chapter7,UnderstandingAndroid,introducesyoutotheAndroidmodel,filesystem,anditssecurityfeatures.Itprovidesanexplanationofhowdataisstored

inanyandroiddevice,whichwillbeusefulwhilecarryingoutforensicinvestigations.

Chapter8,AndroidForensicSetupandPreDataExtractionTechniques,guidesyouthroughtheAndroidforensicsetupandothertechniquestofollowbeforeextractinganyinformation.Screenlockbypasstechniquesandgainingrootaccessarealsodiscussedinthischapter.

Chapter9,AndroidDataExtractionTechniques,providesanexplanationofphysical,filesystem,andlogicalacquisitiontechniquestoextractinformationfromanAndroiddevice.

Chapter10,AndroidDataRecoveryTechniques,explainsthepossibilitiesandlimitationsfordatarecoveryonAndroiddevices.ThischapteralsocoverstheprocesstoreverseengineerAndroidapplicationstounearthcrucialinformation.

Chapter11,AndroidAppAnalysisandOverviewofForensicTools,coversvariousavailableopensourceandcommercialtools,whicharehelpfulduringforensicexaminationofAndroiddevices.

Chapter12,WindowsPhoneForensics,providesabasicoverviewofforensicapproacheswhendealingwithWindowsPhonedevices.

Chapter13,BlackBerryForensics,providesforensicapproachestoincludeacquisitionandanalysistechniqueswhendealingwithBlackBerrydevices.BlackBerryencryptionanddataprotectionisalsoaddressed.

WhatyouneedforthisbookThebookprovidespracticalforensicapproachesandexplainsthetechniquesinasimplemanner.Thecontentisorganizedinamannerthatallowsevenauserwithbasiccomputerskillstoexamineadeviceandextracttherequireddata.AMacintosh,Windows,orLinuxcomputerwillbehelpfultosuccessfullyperformthemethodsdefinedinthisbook.Whereverpossible,methodsforallcomputerplatformsareprovided.

WhothisbookisforThisbookisintendedforforensicexaminerswithlittleorbasicexperienceinmobileforensicsoropensourcesolutionsformobileforensics.Thebookwillalsobeusefultocomputersecurityprofessionals,researchers,andanyoneseekingadeeperunderstandingofmobileinternals.Thebookwillalsocomeinhandyforthosewhoaretryingtorecoveraccidentallydeleteddata(photos,contacts,SMS,andmore).

ConventionsInthisbook,youwillfindanumberofstylesoftextthatdistinguishbetweendifferentkindsofinformation.Herearesomeexamplesofthesestylesandanexplanationoftheirmeaning.

Codewordsintext,databasetablenames,foldernames,filenames,fileextensions,pathnames,dummyURLs,userinput,andTwitterhandlesareshownasfollows:"ToviewtherawdiskimagesontheiPhone,connectajailbrokeniPhonetoaworkstationoverSSHandrunthels-lhrdisk*command."

Anycommand-lineinputoroutputiswrittenasfollows:

iPhone4:/devroot#ls-lhrdisk*

crw-r-----1rootoperator14,0Oct1004:28rdisk0

crw-r-----1rootoperator14,1Oct1004:28rdisk0s1

crw-r-----1rootoperator14,2Oct1004:28rdisk0s1s1

crw-r-----1rootoperator14,3Oct1004:28rdisk0s1s2

Newtermsandimportantwordsareshowninbold.Wordsthatyouseeonthescreen,inmenusordialogboxesforexample,appearinthetextlikethis:"iOSprovidesanoptionEraseAllContentandSettingstowipethedataontheiPhone."

Note

Warningsorimportantnotesappearinaboxlikethis.

Tip

Tipsandtricksappearlikethis.

ReaderfeedbackFeedbackfromourreadersisalwayswelcome.Letusknowwhatyouthinkaboutthisbook—whatyoulikedormayhavedisliked.Readerfeedbackisimportantforustodeveloptitlesthatyoureallygetthemostoutof.

Tosendusgeneralfeedback,simplysendane-mailto<[email protected]>,andmentionthebooktitlethroughthesubjectofyourmessage.

Ifthereisatopicthatyouhaveexpertiseinandyouareinterestedineitherwritingorcontributingtoabook,seeourauthorguideonwww.packtpub.com/authors.

CustomersupportNowthatyouaretheproudownerofaPacktbook,wehaveanumberofthingstohelpyoutogetthemostfromyourpurchase.

Downloadingtheexamplecode

YoucandownloadtheexamplecodefilesforallPacktbooksyouhavepurchasedfromyouraccountathttp://www.packtpub.com.Ifyoupurchasedthisbookelsewhere,youcanvisithttp://www.packtpub.com/supportandregistertohavethefilese-maileddirectlytoyou.

Downloadingthecolorimagesofthebook

WealsoprovideyouaPDFfilethathascolorimagesofthescreenshots/diagramsusedinthisbook.Thecolorimageswillhelpyoubetterunderstandthechangesintheoutput.Youcandownloadthisfilefrom:https://www.packtpub.com/sites/default/files/downloads/8311OS_ColoredImages.pdf

Errata

Althoughwehavetakeneverycaretoensuretheaccuracyofourcontent,mistakesdohappen.Ifyoufindamistakeinoneofourbooks—maybeamistakeinthetextorthecode—wewouldbegratefulifyouwouldreportthistous.Bydoingso,youcansaveotherreadersfromfrustrationandhelpusimprovesubsequentversionsofthisbook.Ifyoufindanyerrata,pleasereportthembyvisitinghttp://www.packtpub.com/support,selectingyourbook,clickingontheerratasubmissionformlink,andenteringthedetailsofyourerrata.Onceyourerrataareverified,yoursubmissionwillbeacceptedandtheerratawillbeuploadedtoourwebsite,oraddedtoanylistofexistingerrata,undertheErratasectionofthattitle.

Piracy

PiracyofcopyrightmaterialontheInternetisanongoingproblemacrossallmedia.AtPackt,wetaketheprotectionofourcopyrightandlicensesveryseriously.Ifyoucomeacrossanyillegalcopiesofourworks,inanyform,ontheInternet,pleaseprovideuswiththelocationaddressorwebsitenameimmediatelysothatwecanpursuearemedy.

Pleasecontactusat<[email protected]>withalinktothesuspectedpiratedmaterial.

Weappreciateyourhelpinprotectingourauthors,andourabilitytobringyouvaluablecontent.

Questions

Youcancontactusat<[email protected]>ifyouarehavingaproblemwithanyaspectofthebook,andwewilldoourbesttoaddressit.

Chapter1.IntroductiontoMobileForensicsIn2013,therewerealmostasmanymobilecellularsubscriptionsastherewerepeopleonearth,saysInternationalTelecommunicationUnion(ITU).Thefollowingfigureshowstheglobalmobilecellularsubscriptionsfrom2005to2013.Mobilecellularsubscriptionsaremovingatlightningspeedandpassedawhopping7billionearlyin2014.PortioResearchLtd.predictsthatmobilesubscriberswillreach7.5billionbytheendof2014and8.5billionbytheendof2016.

Mobilecellularsubscriptiongrowthfrom2005to2013

Smartphonesoftoday,suchastheAppleiPhone,SamsungGalaxyseries,andBlackBerryphones,arecompactformsofcomputerswithhighperformance,hugestorage,andenhancedfunctionalities.Mobilephonesarethemostpersonalelectronicdeviceauseraccesses.Theyareusedtoperformsimplecommunicationtasks,suchascallingandtexting,whilestillprovidingsupportforInternetbrowsing,e-mail,takingphotosandvideos,creatingandstoringdocuments,identifyinglocationswithGPSservices,andmanagingbusinesstasks.Asnewfeaturesandapplicationsareincorporatedintomobilephones,theamountofinformationstoredonthedevicesiscontinuouslygrowing.Mobilesphonesbecomeportabledatacarriers,andtheykeeptrackofallyourmoves.Withtheincreasingprevalenceofmobilephonesinpeoples'dailylivesandincrime,dataacquiredfromphonesbecomeaninvaluablesourceofevidencefor

investigationsrelatingtocriminal,civil,andevenhigh-profilecases.Itisraretoconductadigitalforensicinvestigationthatdoesnotincludeaphone.MobiledevicecalllogsandGPSdatawereusedtohelpsolvetheattemptedbombinginTimesSquare,NewYork,in2010.Thedetailsofthecasecanbefoundathttp://www.forensicon.com/forensics-blotter/cell-phone-email-forensics-investigation-cracks-nyc-times-square-car-bombing-case/.Thesciencebehindrecoveringdigitalevidencefrommobilephonesiscalledmobileforensics.Digitalevidenceisdefinedasinformationanddatathatisstoredon,received,ortransmittedbyanelectronicdevicethatisusedforinvestigations.Digitalevidenceencompassesanyandalldigitaldatathatcanbeusedasevidenceinacase.

MobileforensicsDigitalforensicsisabranchofforensicsciencefocusingontherecoveryandinvestigationofrawdataresidinginelectronicordigitaldevices.Mobileforensicsisabranchofdigitalforensicsrelatedtotherecoveryofdigitalevidencefrommobiledevices.Forensicallysoundisatermusedextensivelyinthedigitalforensicscommunitytoqualifyandjustifytheuseofparticularforensictechnologyormethodology.Themainprincipleforasoundforensicexaminationofdigitalevidenceisthattheoriginalevidencemustnotbemodified.Thisisextremelydifficultwithmobiledevices.Someforensictoolsrequireacommunicationvectorwiththemobiledevice,thusstandardwriteprotectionwillnotworkduringforensicacquisition.Otherforensicacquisitionmethodsmayinvolveremovingachiporinstallingabootloaderonthemobiledevicepriortoextractingdataforforensicexamination.Incaseswheretheexaminationordataacquisitionisnotpossiblewithoutchangingtheconfigurationofthedevice,theprocedureandthechangesmustbetested,validated,anddocumented.Followingpropermethodologyandguidelinesiscrucialinexaminingmobiledevicesasityieldsthemostvaluabledata.Aswithanyevidencegathering,notfollowingtheproperprocedureduringtheexaminationcanresultinlossordamageofevidenceorrenderitinadmissibleincourt.

Themobileforensicsprocessisbrokenintothreemaincategories:seizure,acquisition,andexamination/analysis.Forensicexaminersfacesomechallengeswhileseizingthemobiledeviceasasourceofevidence.Atthecrimescene,ifthemobiledeviceisfoundswitchedoff,theexaminershouldplacethedeviceinafaradaybagtopreventchangesshouldthedeviceautomaticallypoweron.Faradaybagsarespecificallydesignedtoisolatethephonefromthenetwork.Ifthephoneisfoundswitchedon,switchingitoffhasalotofconcernsattachedtoit.IfthephoneislockedbyaPINorpasswordorencrypted,theexaminerwillberequiredtobypassthelockordeterminethePINtoaccessthedevice.Mobilephonesarenetworkeddevicesandcansendandreceivedatathroughdifferentsources,suchastelecommunicationsystems,Wi-Fiaccesspoints,andBluetooth.Soifthephoneisinarunningstate,acriminalcansecurelyerasethedatastoredonthephonebyexecutingaremotewipecommand.Whenaphoneisswitchedon,itshouldbeplacedinafaradaybag.Ifpossible,priortoplacingthemobiledeviceinthefaradaybag,disconnectit

fromthenetworktoprotecttheevidencebyenablingtheflightmodeanddisablingallnetworkconnections(Wi-Fi,GPS,Hotspots,andsoon).Thiswillalsopreservethebattery,whichwilldrainwhileinafaradaybagandprotectagainstleaksinthefaradaybag.Oncethemobiledeviceisseizedproperly,theexaminermayneedseveralforensictoolstoacquireandanalyzethedatastoredonthephone.

Mobiledeviceforensicacquisitioncanbeperformedusingmultiplemethods,whicharedefinedlater.Eachofthesemethodsaffectstheamountofanalysisrequired,whichwillbediscussedingreaterdetailintheupcomingchapters.Shouldonemethodfail,anothermustbeattempted.Multipleattemptsandtoolsmaybenecessaryinordertoacquirethemostdatafromthemobiledevice.

Mobilephonesaredynamicsystemsthatpresentalotofchallengestotheexaminerinextractingandanalyzingdigitalevidence.Therapidincreaseinthenumberofdifferentkindsofmobilephonesfromdifferentmanufacturersmakesitdifficulttodevelopasingleprocessortooltoexaminealltypesofdevices.Mobilephonesarecontinuouslyevolvingasexistingtechnologiesprogressandnewtechnologiesareintroduced.Furthermore,eachmobileisdesignedwithavarietyofembeddedoperatingsystems.Hence,specialknowledgeandskillsarerequiredfromforensicexpertstoacquireandanalyzethedevices.

Mobileforensicchallenges

Oneofthebiggestforensicchallengeswhenitcomestothemobileplatformisthefactthatdatacanbeaccessed,stored,andsynchronizedacrossmultipledevices.Asthedataisvolatileandcanbequicklytransformedordeletedremotely,moreeffortisrequiredforthepreservationofthisdata.Mobileforensicsisdifferentfromcomputerforensicsandpresentsuniquechallengestoforensicexaminers.

Lawenforcementandforensicexaminersoftenstruggletoobtaindigitalevidencefrommobiledevices.Thefollowingaresomeofthereasons:

Hardwaredifferences:Themarketisfloodedwithdifferentmodelsofmobilephonesfromdifferentmanufacturers.Forensicexaminersmaycomeacrossdifferenttypesofmobilemodels,whichdifferinsize,hardware,features,andoperatingsystem.Also,withashortproductdevelopmentcycle,newmodelsemergeveryfrequently.Asthemobilelandscapeischangingeachpassingday,itiscriticalfortheexaminertoadapttoallthechallengesandremainupdatedonmobiledeviceforensictechniques.Mobileoperatingsystems:UnlikepersonalcomputerswhereWindowshasdominatedthemarketforyears,mobiledeviceswidelyusemoreoperatingsystems,includingApple'siOS,Google'sAndroid,RIM'sBlackBerryOS,Microsoft'sWindowsMobile,HP'swebOS,Nokia'sSymbianOS,andmanyothers.Mobileplatformsecurityfeatures:Modernmobileplatformscontainbuilt-insecurityfeaturestoprotectuserdataandprivacy.Thesefeaturesactasahurdleduringtheforensicacquisitionandexamination.Forexample,modernmobiledevicescomewithdefaultencryptionmechanismsfromthehardwarelayertothesoftwarelayer.Theexaminermightneedtobreakthroughtheseencryptionmechanismstoextractdatafromthedevices.Lackofresources:Asmentionedearlier,withthegrowingnumberofmobilephones,thetoolsrequiredbyaforensicexaminerwouldalsoincrease.Forensicacquisitionaccessories,suchasUSBcables,batteries,andchargersfordifferentmobilephones,havetobemaintainedinordertoacquirethosedevices.Genericstateofthedevice:Evenifadeviceappearstobeinanoffstate,backgroundprocessesmaystillrun.Forexample,inmostmobiles,thealarmclockstillworksevenwhenthephoneisswitchedoff.Asudden

transitionfromonestatetoanothermayresultinthelossormodificationofdata.Anti-forensictechniques:Anti-forensictechniques,suchasdatahiding,dataobfuscation,dataforgery,andsecurewiping,makeinvestigationsondigitalmediamoredifficult.Dynamicnatureofevidence:Digitalevidencemaybeeasilyalteredeitherintentionallyorunintentionally.Forexample,browsinganapplicationonthephonemightalterthedatastoredbythatapplicationonthedevice.Accidentalreset:Mobilephonesprovidefeaturestoreseteverything.Resettingthedeviceaccidentallywhileexaminingmayresultinthelossofdata.Devicealteration:Thepossiblewaystoalterdevicesmayrangefrommovingapplicationdata,renamingfiles,andmodifyingthemanufacturer'soperatingsystem.Inthiscase,theexpertiseofthesuspectshouldbetakenintoaccount.Passcoderecovery:Ifthedeviceisprotectedwithapasscode,theforensicexaminerneedstogainaccesstothedevicewithoutdamagingthedataonthedevice.Communicationshielding:Mobiledevicescommunicateovercellularnetworks,Wi-Finetworks,Bluetooth,andInfrared.Asdevicecommunicationmightalterthedevicedata,thepossibilityoffurthercommunicationshouldbeeliminatedafterseizingthedevice.Lackofavailabilityoftools:Thereisawiderangeofmobiledevices.Asingletoolmaynotsupportallthedevicesorperformallthenecessaryfunctions,soacombinationoftoolsneedstobeused.Choosingtherighttoolforaparticularphonemightbedifficult.Maliciousprograms:Thedevicemightcontainmalicioussoftwareormalware,suchasavirusoraTrojan.Suchmaliciousprogramsmayattempttospreadoverotherdevicesovereitherawiredinterfaceorawirelessone.Legalissues:Mobiledevicesmightbeinvolvedincrimes,whichcancrossgeographicalboundaries.Inordertotacklethesemultijurisdictionalissues,theforensicexaminershouldbeawareofthenatureofthecrimeandtheregionallaws.

MobilephoneevidenceextractionprocessEvidenceextractionandforensicexaminationofeachmobiledevicemaydiffer.However,followingaconsistentexaminationprocesswillassisttheforensicexaminertoensurethattheevidenceextractedfromeachphoneiswelldocumentedandthattheresultsarerepeatableanddefendable.Thereisnowell-establishedstandardprocessformobileforensics.However,thefollowingfigureprovidesanoverviewofprocessconsiderationsforextractionofevidencefrommobiledevices.Allmethodsusedwhenextractingdatafrommobiledevicesshouldbetested,validated,andwelldocumented.

Agreatresourceforhandlingandprocessingmobiledevicescanbefoundathttp://digital-forensics.sans.org/media/mobile-device-forensic-process-v3.pdf.

Mobilephoneevidenceextractionprocess

Theevidenceintakephase

Theevidenceintakephaseisthestartingphaseandentailsrequestformsandpaperworktodocumentownershipinformationandthetypeofincidentthemobiledevicewasinvolvedin,andoutlinesthetypeofdataorinformationtherequesterisseeking.Developingspecificobjectivesforeachexaminationisthecriticalpartofthisphase.Itservestoclarifytheexaminer'sgoals.

Theidentificationphase

Theforensicexaminershouldidentifythefollowingdetailsforeveryexaminationofamobiledevice:

ThelegalauthorityThegoalsoftheexaminationThemake,model,andidentifyinginformationforthedeviceRemovableandexternaldatastorageOthersourcesofpotentialevidence

Wewilldiscusseachoftheminthefollowingsections.

Thelegalauthority

Itisimportantfortheforensicexaminertodetermineanddocumentwhatlegalauthorityexistsfortheacquisitionandexaminationofthedeviceaswellasanylimitationsplacedonthemediapriortotheexaminationofthedevice.

Thegoalsoftheexamination

Theexaminerwillidentifyhowin-depththeexaminationneedstobebaseduponthedatarequested.Thegoaloftheexaminationmakesasignificantdifferenceinselectingthetoolsandtechniquestoexaminethephoneandincreasestheefficiencyoftheexaminationprocess.

Themake,model,andidentifyinginformationforthedevice

Aspartoftheexamination,identifyingthemakeandmodelofthephoneassistsindeterminingwhattoolswouldworkwiththephone.

Removableandexternaldatastorage

Manymobilephonesprovideanoptiontoextendthememorywithremovablestoragedevices,suchastheTransFlashMicroSDmemoryexpansioncard.Incaseswhensuchacardisfoundinamobilephonethatissubmittedforexamination,thecardshouldberemovedandprocessedusingtraditionaldigitalforensictechniques.Itiswisetoalsoacquirethecardwhileinthemobiledevicetoensuredatastoredonboththehandsetmemoryandcardarelinkedforeasieranalysis.Thiswillbediscussedindetailinupcomingchapters.

Othersourcesofpotentialevidence

Mobilephonesactasgoodsourcesoffingerprintandotherbiologicalevidence.Suchevidenceshouldbecollectedpriortotheexaminationofthemobilephonetoavoidcontaminationissuesunlessthecollectionmethodwilldamagethedevice.Examinersshouldweargloveswhenhandlingtheevidence.

Thepreparationphase

Oncethemobilephonemodelisidentified,thepreparationphaseinvolvesresearchregardingtheparticularmobilephonetobeexaminedandtheappropriatemethodsandtoolstobeusedforacquisitionandexamination.

Theisolationphase

Mobilephonesarebydesignintendedtocommunicateviacellularphonenetworks,Bluetooth,Infrared,andwireless(Wi-Fi)networkcapabilities.Whenthephoneisconnectedtoanetwork,newdataisaddedtothephonethroughincomingcalls,messages,andapplicationdata,whichmodifiestheevidenceonthephone.Completedestructionofdataisalsopossiblethroughremoteaccessorremotewipingcommands.Forthisreason,isolationofthedevicefromcommunicationsourcesisimportantpriortotheacquisitionandexaminationofthedevice.Isolationofthephonecanbeaccomplishedthroughtheuseoffaradaybags,whichblocktheradiosignalstoorfromthephone.Pastresearchhasfoundinconsistenciesintotalcommunicationprotectionwithfaradaybags.Therefore,networkisolationisadvisable.Thiscanbedonebyplacingthephoneinradiofrequencyshieldingclothandthenplacingthephoneintoairplaneorflightmode.

Theprocessingphase

Oncethephonehasbeenisolatedfromthecommunicationnetworks,theactualprocessingofthemobilephonebegins.Thephoneshouldbeacquiredusingatestedmethodthatisrepeatableandisasforensicallysoundaspossible.Physicalacquisitionisthepreferredmethodasitextractstherawmemorydataandthedeviceiscommonlypoweredoffduringtheacquisitionprocess.Onmostdevices,theleastamountofchangesoccurtothedeviceduringphysicalacquisition.Ifphysicalacquisitionisnotpossibleorfails,anattemptshouldbemadetoacquirethefilesystemofthemobiledevice.Alogicalacquisitionshouldalwaysbeobtainedasitmaycontainonlytheparseddataandprovidepointerstoexaminetherawmemoryimage.

Theverificationphase

Afterprocessingthephone,theexaminerneedstoverifytheaccuracyofthedataextractedfromthephonetoensurethatdataisnotmodified.Theverificationoftheextracteddatacanbeaccomplishedinseveralways.

Comparingextracteddatatothehandsetdata

Checkifthedataextractedfromthedevicematchesthedatadisplayedbythedevice.Thedataextractedcanbecomparedtothedeviceitselforalogicalreport,whicheverispreferred.Remember,handlingtheoriginaldevicemaymakechangestotheonlyevidence—thedeviceitself.

Usingmultipletoolsandcomparingtheresults

Toensureaccuracy,usemultipletoolstoextractthedataandcompareresults.

Usinghashvalues

Allimagefilesshouldbehashedafteracquisitiontoensuredataremainsunchanged.Iffilesystemextractionissupported,theexaminerextractsthefilesystemandthencomputeshashesfortheextractedfiles.Later,anyindividuallyextractedfilehashiscalculatedandcheckedagainsttheoriginalvaluetoverifytheintegrityofit.Anydiscrepancyinahashvaluemustbeexplainable(forexample,ifthedevicewaspoweredonandthenacquiredagain,thusthehashvaluesaredifferent).

Thedocumentandreportingphase

Theforensicexaminerisrequiredtodocumentthroughouttheexaminationprocessintheformofcontemporaneousnotesrelatingtowhatwasdoneduringtheacquisitionandexamination.Oncetheexaminercompletestheinvestigation,theresultsmustgothroughsomeformofpeer-reviewtoensurethedataischeckedandtheinvestigationiscomplete.Theexaminer'snotesanddocumentationmayincludeinformationsuchasthefollowing:

ExaminationstartdateandtimeThephysicalconditionofthephonePhotosofthephoneandindividualcomponentsPhonestatuswhenreceived—turnedonoroffPhonemakeandmodelToolsusedfortheacquisitionToolsusedfortheexaminationDatafoundduringtheexaminationNotesfrompeer-review

Thepresentationphase

Throughouttheinvestigation,itisimportanttomakesurethattheinformationextractedanddocumentedfromamobiledevicecanbeclearlypresentedtoanyotherexaminerortoacourt.Creatingaforensicreportofdataextractedfromthemobiledeviceduringacquisitionandanalysisisimportant.Thismayincludedatainbothpaperandelectronicformats.Yourfindingsmustbedocumentedandpresentedinamannerthattheevidencespeaksforitselfwhenincourt.Thefindingsshouldbeclear,concise,andrepeatable.Timelineandlinkanalysis,featuresofferedbymanycommercialmobileforensicstools,willaidinreportingandexplainingfindingsacrossmultiplemobiledevices.Thesetoolsallowtheexaminertotietogetherthemethodsbehindthecommunicationofmultipledevices.

Thearchivingphase

Preservingthedataextractedfromthemobilephoneisanimportantpartoftheoverallprocess.Itisalsoimportantthatthedataisretainedinauseableformatfortheongoingcourtprocess,forfuturereference,shouldthecurrentevidencefilebecomecorrupt,andforrecordkeepingrequirements.Courtcasesmaycontinueformanyyearsbeforethefinaljudgmentisarrivedat,andmostjurisdictionsrequirethatdataberetainedforlongperiodsoftimeforthepurposesofappeals.Asthefieldandmethodsadvance,newmethodsforpullingdataoutofaraw,physicalimagemaysurface,andthentheexaminercanrevisitthedatabypullingacopyfromthearchives.

PracticalmobileforensicapproachesSimilartoanyforensicinvestigation,thereareseveralapproachesthatcanbeusedfortheacquisitionandexamination/analysisofdatafrommobilephones.Thetypeofmobiledevice,theoperatingsystem,andthesecuritysettinggenerallydictatetheproceduretobefollowedinaforensicprocess.Everyinvestigationisdistinctwithitsowncircumstances,soitisnotpossibletodesignasingledefinitiveproceduralapproachforallthecases.Thefollowingdetailsoutlinethegeneralapproachesfollowedinextractingdatafrommobiledevices.

Mobileoperatingsystemsoverview

Oneofthemajorfactorsinthedataacquisitionandexamination/analysisofamobilephoneistheoperatingsystem.Startingfromlow-endmobilephonestosmartphones,mobileoperatingsystemshavecomealongwaywithalotoffeatures.Mobileoperatingsystemsdirectlyaffecthowtheexaminercanaccessthemobiledevice.Forexample,AndroidOSgivesterminal-levelaccesswhereasiOSdoesnotgivesuchanoption.Acomprehensiveunderstandingofthemobileplatformhelpstheforensicexaminermakesoundforensicdecisionsandconductaconclusiveinvestigation.Whilethereisalargerangeofsmartmobiledevices,fourmainoperatingsystemsdominatethemarket,namely,GoogleAndroid,AppleiOS,RIMBlackBerryOS,andWindowsPhone.Moreinformationcanbefoundathttp://www.idc.com/getdoc.jsp?containerId=prUS23946013.Thisbookcoversforensicanalysisofthesefourmobileplatforms.Thefollowingisabriefoverviewofleadingmobileoperatingsystems.

Android

AndroidisaLinux-basedoperatingsystem,andit'saGoogleopensourceplatformformobilephones.Androidistheworld'smostwidelyusedsmartphoneoperatingsystem.SourcesshowthatApple'siOSisaclosesecond(http://www.forbes.com/sites/tonybradley/2013/11/15/android-dominates-market-share-but-apple-makes-all-the-money/).AndroidhasbeendevelopedbyGoogleasanopenandfreeoptionforhardwaremanufacturersandphonecarriers.ThismakesAndroidthesoftwareofchoiceforcompanieswhorequirealow-cost,customizable,lightweightoperatingsystemfortheirsmartdeviceswithoutdevelopinganewOSfromscratch.Android'sopennaturehasfurtherencouragedthedeveloperstobuildalargenumberofapplicationsanduploadthemontoAndroidMarket.Later,enduserscandownloadtheapplicationfromAndroidMarket,whichmakesAndroidapowerfuloperatingsystem.MoredetailsonAndroidarecoveredinChapter7,UnderstandingAndroid.

iOS

iOS,formerlyknownastheiPhoneoperatingsystem,isamobileoperatingsystemdevelopedanddistributedsolelybyAppleInc.iOSisevolvingintoauniversaloperatingsystemforallApplemobiledevices,suchasiPad,iPod

touch,andiPhone.iOSisderivedfromOSX,withwhichitsharestheDarwinfoundation,andisthereforeaUnix-likeoperatingsystem.iOSmanagesthedevicehardwareandprovidesthetechnologiesrequiredtoimplementnativeapplications.iOSalsoshipswithvarioussystemapplications,suchasMailandSafari,whichprovidestandardsystemservicestotheuser.iOSnativeapplicationsaredistributedthroughAppStore,whichiscloselymonitoredbyApple.MoredetailsaboutiOSarecoveredinChapter2,UnderstandingtheInternalsofiOSDevices.

Windowsphone

WindowsphoneisaproprietarymobileoperatingsystemdevelopedbyMicrosoftforsmartphonesandpocketPCs.ItisthesuccessortoWindowsmobileandprimarilyaimedattheconsumermarketratherthantheenterprisemarket.TheWindowsPhoneOSissimilartotheWindowsdesktopOS,butitisoptimizedfordeviceswithasmallamountofstorage.WindowsPhonebasicsandforensictechniquesarediscussedinChapter12,WindowsPhoneForensics.

BlackBerryOS

BlackBerryOSisaproprietarymobileoperatingsystemdevelopedbyBlackBerryLtd.,knownasResearchinMotion(RIM),exclusivelyforitsBlackBerrylineofsmartphonesandmobiledevices.BlackBerrymobilesarewidelyusedincorporatecompaniesandoffernativesupportforcorporatemailviaMIDP,whichenableswirelesssyncwithMicrosoftExchange,e-mail,contacts,calendar,andsoon,whileusedalongwiththeBlackBerryEnterpriseserver.Thesedevicesareknownfortheirsecurity.BlackBerryOSbasicsandforensictechniquesarecoveredinChapter13,BlackBerryForensics.

Mobileforensictoollevelingsystem

Mobilephoneforensicacquisitionandanalysisinvolvesmanualeffortandtheuseofautomatedtools.Thereareavarietyoftoolsthatareavailableforperformingmobileforensics.Allthetoolshavetheirprosandcons,anditisfundamentalthatyouunderstandthatnosingletoolissufficientforallpurposes.Sounderstandingthevarioustypesofmobileforensictoolsisimportantforforensicexaminers.Whenidentifyingtheappropriatetoolsfortheforensicacquisitionandanalysisofmobilephones,amobiledeviceforensictoolclassificationsystem(showninthefollowingfigure)developedbySamBrotherscomesinhandyfortheexaminers.

Cellularphonetoollevelingpyramid(SamBrothers,2009)

Theobjectiveofthemobiledeviceforensictoolclassificationsystemistoenableanexaminertocategorizetheforensictoolsbasedupontheexaminationmethodologyofthetool.Startingatthebottomoftheclassificationandworkingupward,themethodsandthetoolsgenerallybecomemoretechnical,complex,andforensicallysound,andrequirelongeranalysistimes.Thereareprosandconsofperformingananalysisateachlayer.Theforensicexaminershouldbeawareoftheseissuesandshouldonlyproceedwiththelevelofextractionthatis

required.Evidencecanbedestroyedcompletelyifthegivenmethodortoolisnotproperlyutilized.Thisriskincreasesasyoumoveupinthepyramid.Thus,propertrainingisrequiredtoobtainthehighestsuccessrateindataextractionfrommobiledevices.

Eachexistingmobileforensictoolcanbeclassifiedunderoneormoreofthefivelevels.Thefollowingsectionscontainadetaileddescriptionofeachlevel.

Manualextraction

Thismethodinvolvessimplyscrollingthroughthedataonthedeviceandviewingthedataonthephonedirectlythroughtheuseofthedevice'skeypadortouchscreen.Theinformationdiscoveredisthenphotographicallydocumented.Theextractionprocessisfastandeasytouse,andwillworkonalmosteveryphone.Thismethodispronetohumanerror,suchasmissingcertaindataduetounfamiliaritywiththeinterface.Atthislevel,itisnotpossibletorecoverdeletedinformationandgraballthedata.Therearesometoolsthathavebeendevelopedtoaidanexaminertoeasilydocumentamanualextraction.

Logicalextraction

LogicalextractioninvolvesconnectingthemobiledevicetoforensichardwareortoaforensicworkstationviaaUSBcable,RJ-45cable,Infrared,orBluetooth.Onceconnected,thecomputerinitiatesacommandandsendsittothedevice,whichistheninterpretedbythedeviceprocessor.Next,therequesteddataisreceivedfromthedevice'smemoryandsentbacktotheforensicworkstation.Later,theexaminercanreviewthedata.Mostoftheforensictoolscurrentlyavailableworkatthisleveloftheclassificationsystem.Theextractionprocessisfast,easytouse,andrequireslittletrainingfortheexaminers.Ontheflipside,theprocessmaywritedatatothemobileandmightchangetheintegrityoftheevidence.Inaddition,deleteddataisalmostneveraccessible.

Hexdump

Ahexdump,alsoreferredtoasaphysicalextraction,isachievedbyconnectingthedevicetotheforensicworkstationandpushingunsignedcodeorabootloaderintothephoneandinstructingthephonetodumpmemoryfromthephonetothecomputer.Sincetheresultingrawimageisinbinaryformat,technicalexpertiseisrequiredtoanalyzeit.Theprocessisinexpensive,providesmoredatatothe

examiner,andallowstherecoveringofthedeletedfilesfromthedevice-unallocatedspaceonmostdevices.

Chip-off

Chip-offreferstotheacquisitionofdatadirectlyfromthedevice'smemorychip.Atthislevel,thechipisphysicallyremovedfromthedeviceandachipreaderorasecondphoneisusedtoextractdatastoredonit.Thismethodismoretechnicallychallengingasawidevarietyofchiptypesareusedinmobiles.Theprocessisexpensiveandrequireshardwarelevelknowledgeasitinvolvesthede-solderingandheatingofthememorychip.Trainingisrequiredtosuccessfullyperformachip-offextraction.Improperproceduresmaydamagethememorychipandrenderalldataunsalvageable.Whenpossible,itisrecommendedthattheotherlevelsofextractionareattemptedpriortochip-offsincethismethodisdestructiveinnature.Also,theinformationthatcomesoutofmemoryisinarawformatandhastobeparsed,decoded,andinterpreted.Thechip-offmethodispreferredinsituationswhereitisimportanttopreservethestateofmemoryexactlyasitexistsonthedevice.Itisalsotheonlyoptionwhenadeviceisdamagedbutthememorychipisintact.

ThechipsonthedeviceareoftenreadusingtheJointTestActionGroup(JTAG)method.TheJTAGmethodinvolvesconnectingtoTestAccessPorts(TAPs)onadeviceandinstructingtheprocessortotransfertherawdatastoredonmemorychips.TheJTAGmethodisgenerallyusedwithdevicesthatareoperationalbutinaccessibleusingstandardtools.

Microread

Theprocessinvolvesmanuallyviewingandinterpretingdataseenonthememorychip.Theexaminerusesanelectronmicroscopeandanalyzesthephysicalgatesonthechipandthentranslatesthegatestatusto0'sand1'stodeterminetheresultingASCIIcharacters.Thewholeprocessistimeconsumingandcostly,anditrequiresextensiveknowledgeandtrainingonflashmemoryandthefilesystem.Duetotheextremetechnicalitiesinvolvedinmicroread,itwouldbeonlyattemptedforhigh-profilecasesequivalenttoanationalsecuritycrisisafterallotherlevelextractiontechniqueshavebeenexhausted.Theprocessisrarelyperformedandisnotwelldocumentedatthistime.Also,therearecurrentlynocommercialtoolsavailabletoperformamicroread.

Dataacquisitionmethods

Dataacquisitionistheprocessofimagingorotherwiseextractinginformationfromadigitaldeviceanditsperipheralequipmentandmedia.Acquiringdatafromamobilephoneisnotassimpleasastandardharddriveforensicacquisition.Thefollowingpointsbreakdownthethreetypesofforensicacquisitionmethodsformobilephones:physical,logical,andmanual.Thesemethodsmayhavesomeoverlapwithacoupleoflevelsdiscussedinthemobileforensicstoollevelingsystem.Theamountandtypeofdatathatcanbecollectedwillvarydependingonthetypeofacquisitionmethodbeingused.

Physicalacquisition

Physicalacquisitionofmobilephonesisperformedusingmobileforensictoolsandmethods.Physicalextractionacquiresinformationfromthedevicebydirectaccesstotheflashmemory.Theprocesscreatesabit-for-bitcopyofanentirefilesystem,similartotheapproachtakenincomputerforensicinvestigations.Aphysicalacquisitionisabletoacquireallofthedatapresentonadeviceincludingthedeleteddataandaccesstounallocatedspaceonmostdevices.

Logicalacquisition

Logicalacquisitionofmobilephonesisperformedusingthedevicemanufacturerapplication-programminginterfaceforsynchronizingthephonescontentswithacomputer.Manyoftheforensictoolsperformalogicalacquisition.However,theforensicanalystmustunderstandhowtheacquisitionoccursandwhetherthemobileismodifiedinanywayduringtheprocess.Dependingonthephoneandforensictoolsused,allorsomeofthedataisacquired.Alogicalacquisitioniseasytoperformandonlyrecoversthefilesonamobilephoneanddoesnotrecoverdatacontainedinunallocatedspace.

Manualacquisition

Withmobilephones,physicalacquisitionisusuallythebestoption,andlogicalacquisitionisthesecond-bestoption.Manualextractionshouldbethelastoptionwhenperformingtheforensicacquisitionofamobilephone.Bothlogicalandmanualacquisitioncanbeusedtovalidatefindingsinthephysicaldata.Duringmanualacquisition,theexaminerutilizestheuserinterfacetoinvestigatethecontentsofthephone'smemory.Thedeviceisusednormallythroughakeypad

ortouchscreenandmenunavigation,andtheexaminertakespicturesofeachscreen'scontents.Manualextractionintroducesagreaterdegreeofriskintheformofhumanerror,andthereisachanceofdeletingtheevidence.Manualacquisitioniseasytoperformandonlyacquiresthedatathatappearsonamobilephone.

PotentialevidencestoredonmobilephonesTherangeofinformationthatcanbeobtainedfrommobilephonesisdetailedinthissection.Dataonamobilephonecanbefoundinanumberoflocations:SIMcard,externalstoragecard,andphonememory.Inaddition,theserviceprovideralsostorescommunication-relatedinformation.Thebookprimarilyfocusesondataacquiredfromthephonememory.Mobiledevicedataextractiontoolsrecoverdatafromthephone'smemory.Eventhoughdatarecoveredduringaforensicacquisitiondependsonthemobilemodel,ingeneral,thedatainthenextsetofbulletitemsiscommonacrossallmodelsandusefulasevidence.Notethatmostofthefollowingartifactscontaindateandtimestamps:

AddressBook:Thisstorescontactnames,numbers,e-mailaddresses,andsoonCallHistory:Thiscontainsdialed,received,missedcalls,andcalldurationsSMS:ThiscontainssentandreceivedtextmessagesMMS:ThiscontainsmediafilessuchassentandreceivedphotosandvideosE-mail:Thiscontainssent,drafted,andreceivede-mailmessagesWebbrowserhistory:ThiscontainsthehistoryofwebsitesthatwerevisitedPhotos:Thiscontainspicturesthatarecapturedusingthemobilephonecamera,thosedownloadedfromtheInternet,andtheonestransferredfromotherdevicesVideos:Thiscontainsvideosthatarecapturedusingthemobilecamera,thosedownloadedfromtheInternet,andtheonestransferredfromotherdevicesMusic:ThiscontainsmusicfilesdownloadedfromtheInternetandthosetransferredfromotherdevicesDocuments:Thiscontainsdocumentscreatedusingthedevice'sapplications,thosedownloadedfromtheInternet,andtheonestransferredfromotherdevicesCalendar:ThiscontainscalendarentriesandappointmentsNetworkcommunication:ThiscontainsGPSlocationsMaps:Thiscontainslooked-updirections,andsearchedanddownloadedmaps

Socialnetworkingdata:Thiscontainsdatastoredbyapplications,suchasFacebook,Twitter,LinkedIn,Google+,andWhatsAppDeleteddata:Thiscontainsinformationdeletedfromthephone

RulesofevidenceCourtroomsrelymoreandmoreontheinformationinsideamobilephoneasvitalevidence.Prevailingevidenceincourtrequiresagoodunderstandingoftherulesofevidence.Mobileforensicsisarelativelynewdisciplineandlawsdictatingthevalidityofevidencearenotwidelyknown.However,therearefivegeneralrulesofevidencethatapplytodigitalforensicsandneedtobefollowedinorderforevidencetobeuseful.Ignoringtheserulesmakesevidenceinadmissible,andyourcasecouldbethrownout.Thesefiverulesare—admissible,authentic,complete,reliable,andbelievable.

Admissible

Thisisthemostbasicruleandameasureofevidencevalidityandimportance.Theevidencemustbepreservedandgatheredinsuchawaythatitcanbeusedincourtorelsewhere.Manyerrorscanbemadethatcouldcauseajudgetoruleapieceofevidenceasinadmissible.Forexample,evidencethatisgatheredusingillegalmethodsiscommonlyruledinadmissible.

Authentic

Theevidencemustbetiedtotheincidentinarelevantwaytoprovesomething.Theforensicexaminermustbeaccountablefortheoriginoftheevidence.

Complete

Whenevidenceispresented,itmustbeclearandcompleteandshouldreflectthewholestory.Itisnotenoughtocollectevidencethatjustshowsoneperspectiveoftheincident.Presentingincompleteevidenceismoredangerousthannotprovidinganyevidenceatallasitcouldleadtoadifferentjudgment.

Reliable

Evidencecollectedfromthedevicemustbereliable.Thisdependsonthetoolsandmethodologyused.Thetechniquesusedandevidencecollectedmustnotcastdoubtontheauthenticityoftheevidence.Iftheexaminerusedsometechniquesthatcannotbereproduced,theevidenceisnotconsideredunlesstheyweredirectedtodoso.Thiswouldincludepossibledestructivemethodssuchaschip-offextraction.

Believable

Aforensicexaminermustbeabletoexplain,withclarityandconciseness,whatprocessestheyusedandthewaytheintegrityoftheevidencewaspreserved.Theevidencepresentedbytheexaminermustbeclear,easytounderstand,andbelievablebyjury.

GoodforensicpracticesGoodforensicpracticesapplytothecollectionandpreservationofevidence.Followingthegoodforensicpracticesensuresthatevidencewillbeacceptedinacourtasbeingauthenticandaccurate.Modificationofevidence,eitherintentionallyoraccidentally,canaffectthecase.So,understandingthebestpracticesiscriticalforforensicexaminers.

Securingtheevidence

WithadvancedsmartphonefeaturessuchasFindMyiPhoneandremotewipes,securingamobilephoneinawaythatitcannotberemotelywipedisofgreatimportance.Also,whenthephoneispoweredonandhasservice,itconstantlyreceivesnewdata.Tosecuretheevidence,usetherightequipmentandtechniquestoisolatethephonefromallnetworks.Withisolation,thephoneispreventedfromreceivinganynewdatathatwouldcauseactivedatatobedeleted.

Preservingtheevidence

Asevidenceiscollected,itmustbepreservedinastatethatisacceptableincourt.Workingdirectlyontheoriginalcopiesofevidencemightalterit.So,assoonasyourecoverarawdiskimageorfiles,createaread-onlymastercopyandduplicateit.Inorderforevidencetobeadmissible,theremustbeamethodtoverifythattheevidencepresentedisexactlythesameastheoriginalcollected.Thiscanbeaccomplishedbycreatingahashvalueoftheimage.Afterduplicatingtherawdiskimageorfiles,computeandverifythehashvaluesfortheoriginalandthecopytoensurethattheintegrityoftheevidenceismaintained.Anychangesinhashvaluesshouldbedocumentedandexplainable.Allfurtherprocessingorexaminationshouldbeperformedoncopiesoftheevidence.Anyuseofthedevicemightaltertheinformationstoredonthehandset.So,performonlythetasksthatareabsolutelynecessary.

Documentingtheevidence

Besuretodocumentallthemethodsandtoolsthatareusedtocollectandextracttheevidence.Detailyournotessothatanotherexaminercouldreproducethem.Yourworkmustbereproducible;ifnot,ajudgemayruleitinadmissible.

Documentingallchanges

It'simportanttodocumenttheentirerecoveryprocess,includingallthechangesmadeduringtheacquisitionandexamination.Forexample,iftheforensictoolusedforthedataextractionslicedupthediskimagetostoreit,thismustbedocumented.Allchangestothemobiledevice,includingpowercyclingandsyncing,shouldbedocumentedinyourcasenotes.

SummaryMobiledeviceforensicsincludesmanyapproachesandconceptsthatfalloutsideoftheboundariesoftraditionaldigitalforensics.Examinersresponsibleformobiledevicesmustunderstandthedifferentacquisitionmethodsandthecomplexitiesofhandlingthedataduringanalysis.Extractingdatafromamobiledeviceishalfthebattle.Theoperatingsystem,securityfeatures,andtypeofsmartphonewilldeterminetheamountofaccessyouhavetothedata.ThenextchapterwillprovideinsighttoiOSforensics.Youwilllearnaboutthefilesystemlayout,securityfeatures,andthewaythefilesarestoredontheiOSdevice.

Chapter2.UnderstandingtheInternalsofiOSDevicesAsofSeptember2013,Applehadsoldmorethan550millioniOSdevices(170millioniPadsand387millioniPhones)accordingtoreleasedsalesrecords.WhileiOSistheleadingoperatingsystemfortabletsworldwide,Androidcontinuestobetheleadingoperatingsystemforsmartphonesworldwide.Thefollowingscreenshotrepresentstheworldwidemobile/tabletoperatingsystemsharefrom2013to2014accordingtohttps://www.netmarketshare.com/operating-system-market-share.aspx?qprid=9&qpcustomb=1:

Regardlessofthestatistics,ifyouareaforensicexaminer,chancesareyouwillneedtoconductanexaminationofaniOSmobiledevice.

InordertoperformaforensicexaminationonaniOSdevice,theexaminermustunderstandtheinternalcomponentsandinnerworkingsofthatdevice.Developinganunderstandingoftheunderlyingcomponentsofamobiledevicewillhelptheforensicexaminerunderstandthecriticalitiesinvolvedintheforensicprocess,includingwhatdatacanbeacquired,wherethedataisstored,

andwhatmethodscanbeusedtoaccessthedatafromthatdevice.So,beforewedelveintotheexaminationofiOSdevices,itisnecessarytoknowthedifferentmodelsthatexistandtheirinternals.

ThisbookprimarilyfocusesontheiPhoneandforensictechniquesassociatedwithit.However,thesametechniquesmaybeappliedtootherAppledevices,suchastheiPodTouch,iPad,andAppleTV.

iPhonemodelsTheiPhoneisamongthemostpopularmobilephonesonthemarket.ApplereleasedthefirstgenerationiPhoneinJune2007.Eversincethefirstrelease,theiPhonehasgainedalotofpopularityduetoitsadvancedfunctionalityandusability.TheintroductionoftheiPhonehasredefinedtheentireworldofmobilecomputing.Consumersstartedlookingforfasterandmoreefficientphones.VariousiPhonemodelsexistnowwithdifferentfeaturesandstoragecapabilitiestoservetheconsumerrequirements.ThefollowingtablelistsalltheiPhonemodelsanditsinitialiOSversions.WiththeiPhone,individualscanaccesse-mail,takephotosandvideos,listentomusic,browsetheInternet,anddomuchmore.Furthermore,endlessapplicationsareavailablefordownloadtoextendthestandardcapabilitiesthatexistontheiPhone.

Device Model InitialOS Internalname Identifier Releasedate

iPhone2G A1203 iPhoneOS1.0 M68AP iPhone1,1 June2007

iPhone3G A1241 iPhoneOS2.0 N82AP iPhone1,2 July2008

iPhone3G(china) A1324

iPhone3GS A1303 iPhoneOS3.0 N88AP iPhone2,1 June2009

iPhone3GS(china) A1325

iPhone4-GSM A1332 iOS4.0 N90AP iPhone3,1 June2010

iPhone4-CDMA A1349 N92AP iPhone3,2

iPhone4S A1387 iOS5.0 N94AP iPhone4,1 October2011

iPhone4S(China) A1431

iPhone5 A1428 iOS6.0 N41AP iPhone5,1 September2012

iPhone5rev2 A1429 N42AP iPhone5,2

iPhone5rev2 A1429 N42AP iPhone5,2

A1442

iPhone5C-GSM A1456 iOS7.0 N48AP iPhone5,3 September2013

A1532

iPhone5C-CDMA A1507 N49AP iPhone5,4

A1516

A1526

A1529

iPhone5S-GSM A1433 iOS7.0 N51AP iPhone6,1

A1533

iPhone5S-CDMA A1457 N53AP iPhone6,2

A1518

A1528

A1530

iPhonemodels

ThemostrecentiPhones,theseventhgenerationiPhone5CandiPhone5S,werejustreleasedatthetimeofwritingthisbook.Currently,thereisnomethodortoolavailabletophysicallyrecoverdatafromthesedevices.However,thefilesystemandalogicalacquisitioncanbeobtainediftheiPhoneisunlocked.AcquisitionmethodsfordataextractionareavailableandwillbediscussedinChapter3,DataAcquisitionfromiOSDevices,andChapter4,DataAcquisitionfromiOSBackups.

BeforeexamininganiPhone,itisnecessarytoidentifythecorrecthardwaremodelandthefirmwareversioninstalledonthedevice.KnowingtheiPhonedetailshelpsyoutounderstandthecriticalitiesandpossibilitiesofobtainingevidencefromtheiPhone.Forexample,inmanycases,thedevicepasscodeisrequiredinordertoobtainthefilesystemorlogicalimage.DependingontheiOSversion,devicemodel,andpasscodecomplexity,itmaybepossibletoobtainthedevicepasscodeusingabruteforceattack.

Therearevariouswaystoidentifythehardwareofadevice.Theeasiestwaytoidentifythehardwareofadeviceisbyobservingthemodelnumberdisplayedonthebackofthedevice.Thefollowingimageshowsthemodelnumberetchedonthebackofthecasing.Apple'sknowledgebasearticlescanbehelpfulforthispurpose.DetailsonidentifyingiPhonemodelscanbefoundathttp://support.apple.com/kb/HT3939.

iPhonemodelnumberlocatedonthebackofthecase

ThefirmwareversionofaniPhonecanbefoundbyaccessingtheSettingsoptionandthennavigatingtoGeneral|About|Version,asshowninthefollowingscreenshot.Thepurposeofthefirmwareistoenablecertainfeaturesandassistwiththegeneralfunctioningofthedevice.

TheiPhoneAboutscreen,displayingfirmwareVersion5.1.1(9B206)

Alternatively,theideviceinfocommand-linetoolavailableinthelibimobiledevicesoftwarelibrary(http://www.libimobiledevice.org/)canbeusedtoidentifytheiPhonemodelanditsiOSversion.ThelibraryallowsyoutocommunicatewithaniPhoneevenifthedeviceislockedbyapasscode.ThesoftwarelibrarywasdevelopedbyNikiasBassen(pimskeks),anditwascompiledforMacOSXbyBenClayton(benvium).

MacOSXcanbeinstalledinvirtualmachinesforuseonaWindowsplatform.ToobtaintheiPhonemodelanditsiOSversioninformationonMacOSX10.8,thefollowingstepsmustbefollowed:

1. Opentheterminalapplication.2. Fromthecommandline,runthefollowingcommandtodownloadthe

libimobiledevicelibrary:

$gitclonehttps://github.com/benvium/libimobiledevice-

macosx.git~/Desktop/libimobiledevice-macosx/

Thecommandcreatesthelibimobiledevice-macosxdirectoryontheuser'sdesktopandplacesthelibimobiledevicecommand-linetoolsontoit.

3. Navigatetothelibimobiledevice-macosxdirectory,asfollows:

$cd~/Desktop/libimobiledevice-macosx/

4. Createandeditthe.bash_profilefileusingthenanocommand,asfollows:

$nano~/.bash_profile

5. Addthefollowingtwolinestothe.bash_profilefile,asfollows:

exportDYLD_LIBRARY_PATH=~/Desktop/libimobiledevice-

macosx/:$DYLD_LIBRARY_PATH

PATH=${PATH}:~/Desktop/libimobiledevice-macosx/

PressCtrl+X,typetheletteryandhitEntertosavethefile.6. Returntotheterminalandrunthefollowingcommand:

$source~/.bash_profile

7. ConnecttheiPhonetotheMacworkstationusingaUSBcable,andruntheideviceinfocommandwiththe-soption:

$./ideviceinfo-s

OutputoftheideviceinfocommanddisplaystheiPhoneidentifier,internalname,andtheiOSversionasshown:

BuildVersion:9B206

DeviceClass:iPhone

DeviceName:iPhone4

HardwareModel:N90AP

ProductVersion:5.1.1

ProductionSOC:true

ProtocolVersion:2

TelephonyCapability:true

UniqueChipID:1937316564364

WiFiAddress:58:1f:aa:22:d1:0a

EveryreleaseoftheiPhonecomeswithimprovedornewlyaddedfeatures.ThefollowingtablesshowthespecificationsandfeaturesoflegacyandcurrentiPhonemodels:

Specification iPhone iPhone3G iPhone3GS

Systemonchip SamsungChip SamsungChip SamsungChip

CPU 620MHzSamsung32-bitRISCARM

620MHzSamsung32-bitRISCARM

833MHzARMCortex-A8

OnboardRAM 128MB 128MB 256MB

Screensize(ininches)

3.5 3.5 3.5

Resolution 480*320 480*320 480*320

Connectivity Wi-Fi,Bluetooth2.0,GSM

Wi-Fi,Bluetooth2.0,GSM/UMTS/HSDPA,GPS

Wi-Fi,Bluetooth2.1,GSM,UMTS/HSDPA,GPS

Camera(megapixel) 2 2 3

Frontcamera N/A N/A N/A

Storage(GB) 4,8,16 8,16 8,16,32

Weight(inounces) 4.8 4.7 4.8

Dimensions 4.5*2.4*0.46 4.55*2.44*0.48 4.55*2.44*0.48

Batterylife 8/7/6/24 5/7/5/24 5/10/5/30

Talk/video/web/audio

Standbytime(hours) 250 300 300

Colors Black Black,white(whitenotin8 Black,white(whitenotin8

Colors Black Black,white(whitenotin8GB)

Black,white(whitenotin8GB)

Material Aluminum,glass,andsteel

Glass,plastic,andsteel Glass,plastic,andsteel

Connector USB2.0dockconnector

USB2.0dockconnector USB2.0dockconnector

SIMcardform-factor MiniSIM MiniSIM MiniSIM

Sirisupport No No No

ThemostrecentiPhonefeaturesareshowninthefollowingtable:

Specification iPhone4 iPhone4S iPhone5 iPhone5C

Systemonchip AppleA4 AppleA5 AppleA6 AppleA6

CPU 1GHzARMCortex-A8 800MHzdualcoreARMCortex-A9

1.3GHzdualcoreApple-designedARMv7s

1.3GHzdualcoreApple-designedARMv7s

OnboardRAM 512MB 512MB 1GB 1GB

Screensize(ininches)

3.5 3.5 4 4

Resolution 960*640 960*640 1136*640 1136*640

Connectivity Wi-Fi,Bluetooth2.1,GSM,UMTS/HSDPA/HSUPA,GPS

Wi-Fi,Bluetooth4,GSM,UMTS/HSDPA/HSUPA,GPS

Wi-Fi,Bluetooth4,UMTS/HSDPA+/DC-HSDPA,GSM,GPS

Wi-Fi,Bluetooth4,UMTS/HSDPA+/DC-HSDPA/LTE,GSM,GPS

Camera(megapixel) 5 8 8 8

Frontcamera VGA VGA 720P 720P

Storage(GB) 8,16,32 8,16,32,64 16,32,64 8,16,32,64

Storage(GB) 8,16,32 8,16,32,64 16,32,64 8,16,32,64

Weight(inounces) 4.8 4.9 3.95 4.7

Dimensions 4.5*2.31*0.37 4.5*2.31*0.37 4.87*2.31*0.30 4.98*2.33*0.353

Batterylife 7/10/10/40 8/10/9/40 8/10/10/40 10/10/10/40

Talk/video/web/audio

Standbytime(hours) 300 300 225 250

Colors Black Black,white Black,white White,pink,yellow,blue,orgreen

Material Aluminosilicateglassandstainlesssteel

Aluminosilicateglassandstainlesssteel

Black-anodizedaluminumslatemetalwhite-silveraluminummetal

White,pink,yellow,blue,orgreen

Connector USB2.0dockconnector USB2.0dockconnector Lightningconnector Lightningconnector

SIMcardform-factor MicroSIM MicroSIM Nano-SIM Nano-SIM

Sirisupport No Yes Yes Yes

OneofthemajorchangesintheiPhone5,iPhone5C,andiPhone5SistheUSBdockconnector,whichisusedtochargeandsynchronizethedevicewiththecomputer.DevicespriortotheiPhone5usea30-pinUSBdockconnector,whereastheneweriPhonesuseaneight-pinlightningconnector.

iPhonehardwareTheiPhoneisacollectionofmodules,chips,andelectroniccomponentsfromdifferentmanufacturers.DuetothecomplexitiesoftheiPhone,thelistofhardwarecomponentsisextensive.AdetailedlistofiPhonehardwarecomponentsisdefinedathttps://viaforensics.com/resources/white-papers/iphone-forensics/overview.

ThefollowingimagesshowtheinternalsoftheiPhone5S.TheimagesweretakenafterdismantlingtheiPhone5S.InternalimagesforalliPhonescanbefoundintheteardownsectionfromhttp://www.ifixit.com/Device/iPhone.

TheiPhone5Steardownimage—sideone(includedwithkindpermissionfromTechInsights)

AndthefollowingistheimageshowingthebackoftheiPhone5S:

TheiPhone5Steardownimage—sidetwo(includedwithkindpermissionfromTechInsights)

iPadmodelsTheAppleiPhonechangedthewaycellphonesareproducedandused.Similarly,theiPad,aversionofthetabletcomputerintroducedinJanuary2010,squashedthesalesofnotebooks.WiththeiPad,individualscanshootvideo,takephotos,playmusic,readbooks,browsetheInternet,anddomuchmore.VariousiPadmodelsexistnowwithdifferentfeaturesandstoragecapabilities.ThefollowingtablelistsalltheiPadmodelsandtheirinitialiOSversions.DetailsonidentifyingiPadmodelscanbefoundathttp://support.apple.com/kb/ht5452.

Device Model InitialOSInternalname Identifier Releasedate

iPad-Wi-Fi A1219 iOS3.2 K48AP iPad1,1 January2010

iPad-3G A1337

iPad1,1

iPad2-Wi-Fi A1395

K93AP iPad2,1 March2011

iPad2-GSM A1396 iOS4.3 K94AP iPad2,2

iPad2-CDMA A1397

K95AP iPad2,3

iPad2-Wi-Firev A1395

K93AAP iPad2,4 March2012

iPad3-Wi-Fi A1416

J1AP iPad3,1

iPad3-Wi-Fi+CellularVerizon A1403 iOS5.1 J2AP iPad3,2

iPad3-Wi-Fi+CellularAT&T A1430

J2AAP iPad3,3

iPad4-Wi-Fi A1458 iOS6.0 P101AP iPad3,4 October2012

iPad4-Wi-Fi+CellularAT&T A1459

P102AP iPad3,5

iPad4-Wi-Fi+CellularVerizon A1460 iOS6.0.1 P103AP iPad3,6

iPadmini-Wi-Fi A1432 iOS6.0 P105AP iPad2,5

iPadmini-Wi-Fi+CellularAT&T A1454

P106AP iPad2,6

iPadmini-Wi-Fi+CellularVerizonandSprint

A1455 iOS6.0.1 P107AP iPad2,7

iPadAir-Wi-Fi A1474 iOS7.0.3 J71AP iPad4,1 November2013

iPadAir-Wi-Fi+Cellular A1475 J72AP iPad4,2

EveryreleaseoftheiPadcomeswithimprovedornewlyaddedfeatures.ThefollowingtableshowsthespecificationsandfeaturesoflegacyandcurrentiPadWi-Fimodels:

Specification iPad iPad2 iPad3 iPad4 iPadMini iPadAir

Systemonchip AppleA4 AppleA5 AppleA5X AppleA6X AppleA5 AppleA7

CPU 1GHzdualcoreSamsung-Intrinsity

1GHzdualcoreARMCortex-A9

1GHzdualcoreARMCortex-A9

1.4GHzdualcoreAppleSwift

1GHzdualcoreARMCortex-A9

1.4GHzdualcoreARMv8-A

OnboardRAM 256MB 512MB 1GB 1GB 512MB 1GB

Screensize(ininches)

9.7 9.7 9.7 9.7 7.9 9.7

Resolution 1024*768 1024*768 2048*1536 2048*1536 1024*768 2048*1536

Connectivity Wi-Fi,Bluetooth2.1

Wi-Fi,Bluetooth2.1

Wi-Fi,Bluetooth4

Wi-Fi,Bluetooth4

Wi-Fi,Bluetooth4

Wi-Fi,Bluetooth4

Camera(megapixel)

N/A 0.7 5 5 5 5

Frontcamera N/A 0.3MP 0.3MP 1.2MP 1.2MP 1.2MP

Storage(GB) 16,32,64 16,32,64 16,32,64 16,32,64,128

16,32,64 16,32,64,128

Weight(inounces)

24 21.6 22.9 22.9 10.8 16

Dimensions 9.56*7.47*0.5

9.5*7.31*0.34

9.5*7.31*0.37

9.5*7.31*0.37

7.87*5.3*0.28

9.4*6.6*0.29

Batterylife 10/10/140 10/10/140 10/10/140 10/10/140 10/10/140 10/10/140

Video/web/audio

Standbytime(hours)

1month 1month 1month 1month 1month 1month

Connector USB2.0dockconnector

USB2.0dockconnector

USB2.0dockconnector

Lightningconnector

Lightningconnector

Lightningconnector

iPadhardwareOneofthekeysuccessesofAppleiOSdevicesistheproperselectionofitshardwarecomponents.JustliketheiPhone,theiPadisalsoacollectionofmodules,chips,andelectroniccomponentsfromdifferentmanufacturers.InternalimagesforalliPadscanbefoundintheteardownsectionofhttp://www.ifixit.com/Device/iPad.

ThefollowingimagesshowtheinternalsoftheiPad3.TheimagesweretakenafterdismantlingtheiPad3cellularmodelandwereobtainedfromhttp://www.chipworks.com/.

TheiPad3cellularmodelteardownimage—sideone(includedwithkindpermissionfromChipworks)

ThefollowingimageshowssidetwooftheiPad3cellularmodel:

IncludedwithkindpermissionfromChipworks

FilesystemTobetterunderstandtheforensicprocessofaniPhone,itisgoodtoknowaboutthefilesystemthatisused.ThefilesystemusedintheiPhoneandotherAppleiOSdevicesisHFSX,avariationofHFSPluswithonemajordifference.HFSXiscasesensitivewhereasHFSPlusiscaseinsensitive.Otherdifferenceswillbediscussedlaterinthischapter.OSXusesHFSPlusbydefaultandiOSusesHFSX.

TheHFSPlusfilesystemIn1996,Appledevelopedanewfilesystem,HierarchicalFileSystem(HFS),toaccommodatethestorageoflargedatasets.InanHFSfilesystemthestoragemediumisrepresentedasvolumes.HFSvolumesaredividedintologicalblocksof512bytes.Thelogicalblocksarenumberedfromfirsttolastonagivenvolumeandwillremainstaticwiththesamesizeasphysicalblocks,thatis,512bytes.Theselogicalblocksaregroupedtogetherintoallocationblocks,whichareusedbytheHFSfilesystemtotrackdatainamoreefficientway.HFSusesa16-bitvaluetoaddressallocationblocks,whichlimitsthenumberofallocationblocksto65,535.ToovercometheinefficientallocationsofdiskspaceandsomeofthelimitationsofHFS,AppleintroducedtheHFSPlusfilesystem(http://dubeiko.com/development/FileSystems/HFSPLUS/tn1150.html).

TheHFSPlusfilesystemwasdesignedtosupportlargerfilesizes.HFSvolumesaredividedintosectorsthatareusually512bytesinsize.Thesesectorsaregroupedtogetherintoallocationblocks.Thenumberofallocationblocksdependsonthetotalsizeofthevolume.HFSPlususesblockaddressesof32bitstoaddressallocationblocks.HFSPlususesjournalingbydefault.Journalingistheprocessofloggingeverytransactiontothedisk,whichhelpsinpreventingfilesystemcorruption.ThekeycharacteristicsoftheHFSPlusfilesystemare:efficientuseofdiskspace,unicodesupportforfilenames,supportfornameforks,filecompression,journaling,dynamicresizing,dynamicdefragmentation,andanabilitytobootonoperatingsystemsotherthanMacOS.

TheHFSPlusvolume

TheHFSPlusvolumecontainsanumberofinternalstructurestomanagetheorganizationofdata.Thesestructuresincludeaheader,alternateheader,andfivespecialfiles:anallocationfile,anExtentsOverflowfile,aCatalogfile,anAttributesfile,andaStartupfile.Amongthefivefiles,threefiles,theExtentsOverflowfile,theCatalogfile,andtheAttributefile,useaB-treestructure,adatastructurethatallowsdatatobeefficientlysearched,viewed,modified,orremoved.TheHFSPlusvolumestructureisshowninthefollowingfigure:

Thevolumestructureisdescribedasfollows:

Thefirst1,024bytesarereservedforbootloadinformation.VolumeHeader:Thisstoresvolumeinformation,suchasthesizeofallocationblocks,atimestampofwhenthevolumewascreated,andmetadataabouteachofthefivespecialfiles.AllocationFile:Thisfileisusedtotrackwhichallocationblocksareinusebythesystem.Thefileformatconsistsofonebitforeveryallocationblock.Ifthebitisset,theblockisinuse.Ifitisnotset,theblockisfree.

ExtentsOverflowFile:Thisfilerecordstheallocationblocksthatareallocatedwhenthefilesizeexceedseightblocks,whichhelpsinlocatingtheactualdatawhenreferred.Badblocksarealsorecordedinthefile.CatalogFile:Thisfilecontainsinformationaboutthehierarchyoffilesandfolders,whichisusedtolocateanyfileandfolderwithinthevolume.AttributeFile:Thisfilecontainsinlinedataattributerecords,forkdataattributerecords,andextensionattributerecords.StartupFile:ThisfileholdstheinformationneededtoassistinbootingasystemthatdoesnothaveHFSPlussupport.AlternateVolumeHeader:Thisisabackupofthevolumeheader,anditisprimarilyusedfordiskrepair.Thelast512bytesarereservedforusebyApple,anditisusedduringthemanufacturingprocess.

DisklayoutBydefault,thefilesystemisconfiguredastwologicaldiskpartitions:system(rootorfirmware)partitionanduserdatapartition.

ThesystempartitioncontainstheOSandallofthepreloadedapplicationsusedwiththeiPhone.Thesystempartitionismountedasread-onlyunlessanOSupgradeisperformedorthedeviceisjailbroken.Thepartitionisupdatedonlywhenafirmwareupgradeisperformedonthedevice.Duringthisprocess,theentirepartitionisformattedbyiTuneswithoutaffectinganyoftheuserdata.Thesystempartitiontakesonlyasmallportionofstoragespace,normallybetween0.9GBand2.7GB,dependingonthesizeoftheNANDdrive.AsthesystempartitionwasdesignedtoremaininfactorystatefortheentirelifeoftheiPhone,thereistypicallylittleusefulevidentiaryinformationthatcanbeobtainedfromit.IftheiOSdevicewasjailbroken,filescontaininginformationregardingthejailbreakmayberesidentonthesystempartition.JailbreakinganiOSdeviceallowstheuserrootaccesstothedeviceandvoidsthemanufacturerwarranty.Jailbreakingwillbediscussedlaterinthischapter.

Theuserdatapartitioncontainsalluser-createddatarangingfrommusictocontacts.TheuserdatapartitionoccupiesmostoftheNANDmemoryandismountedat/private/varonthedevice.Mostoftheevidentiaryinformationcanbefoundinthispartition.Duringaphysicalacquisition,boththeuserdataandsystempartitionscanbecapturedandsavedasa.dmgor.imgfile.Theserawimagefilescanbemountedasread-onlyforforensicanalysis,whichiscoveredindetailinChapter3,DataAcquisitionfromiOSDevices.Evenonnon-jailbrokeniOSdevices,itisrecommendedtoacquireboththesystemanduserdatapartitionstoensurealldataisobtainedforexamination.

ToviewthemountedpartitionsontheiPhone,connectajailbrokeniPhonetoaworkstationoverSSH,andrunthemountcommand.Forthisexample,iPhone4with5.1.1isused.

Themountcommandshowsthatthesystempartitionismountedon/(root),andtheuserdatapartitionismountedon/private/var,asshowninthefollowingcommandlines.BothpartitionsshowHFSasthefilesystem,andtheuserdatapartitionevenshowsthatjournalingisenabled.

iPhone4:~root#mount

/dev/disk0s1s1on/(hfs,local,journaled,noatime)

devfson/dev(devfs,local,nobrowse)

/dev/disk0s1s2on/private/var(hfs,local,journaled,noatime,

protect)

ToviewtherawdiskimagesontheiPhone,connectajailbrokeniPhonetoaworkstationoverSSH,andrunthels-lhrdisk*command.rdisk0istheentirefilesystemandrdisk0s1isthefirmwarepartition.rdisk0s1s1istherootfilesystemandrdisk0s1s2istheuserfilesystem,asshowninthefollowingcommandlines:

iPhone4:/devroot#ls-lhrdisk*

crw-r-----1rootoperator14,0Oct1004:28rdisk0

crw-r-----1rootoperator14,1Oct1004:28rdisk0s1

crw-r-----1rootoperator14,2Oct1004:28rdisk0s1s1

crw-r-----1rootoperator14,3Oct1004:28rdisk0s1s2

iPhoneoperatingsystemiOSisApple'smostadvancedandfeature-richproprietarymobileoperatingsystem.ItwasreleasedwiththefirstgenerationoftheiPhone.Whenintroduced,itwasnamediPhoneOS,andlateritwasrenamedtoiOStoreflecttheunifiednatureoftheoperatingsystemthatpowersallAppleiOSdevices,suchastheiPhone,iPodTouch,iPad,andAppleTV.iOSisderivedfromcoreOSXtechnologiesandstreamlinedtobecompactandefficientformobiledevices.

Itutilizesamultitouchinterfacewheresimplegesturesareusedtooperateandcontrolthedevice,suchasswipingyourfingeracrossthescreentomovetothesuccessivepageorpinchingyourfingerstozoom.Insimpleterms,iOSassistswiththegeneralfunctioningofthedevice.iOSisreallyMacOSXwithsomesignificantdifferences:

ThearchitectureforwhichthekernelandbinariesarecompiledisARM-basedratherthanIntelx86_64TheOSXkernelisopensource,whereastheiOSkernelremainsclosedMemorymanagementismuchtighterThesystemishardenedanddoesnotallowaccesstotheunderlyingAPIs

iOShistory

iOS,likeanyotheroperatingsystem,hasgonethroughmultipleupdatessinceitsrelease.Appleoccasionallyreleasesnewerversionstoenablenewfeatures,tosupportlatesthardware,andtofixbugs.ThelatestversionofiOSatthetimeofthiswritingisiOS7.0.3.ThoughApplestickswithanumericapproachfornewiOSbuilds,alliOSversionshavecodenamesthatareprivatetoApple.ThefollowingsectionsdescribethehistoryofiOSdevelopment.

1.x–thefirstiPhone

iPhoneOS1.xwasthefirstreleaseofApple'stouch-centricmobileoperatingsystem.Onitsinitialrelease,ApplestatedthattheiPhoneusesaversionofthedesktopoperatingsystem,OSX.LateritwasnamediPhoneOS.TheoriginalbuildwasknownasAlpine,butthefinalreleasedversionwasHeavenly.

2.x–AppStoreand3G

iPhoneOS2.0(knownasBigBear)wasreleasedalongwithiPhone3G.FeaturesrequiredforcorporateneedssuchasVPNandMicrosoftExchangewereintroducedwiththisrelease.ThebigadditiontotheOSwiththisreleasewastheAppStore,amarketplaceforthethird-partyapplicationsthatcouldrunontheiPhone.ApplealsoreleasedtheiPhoneSoftwareDevelopmentKit(SDK)toassistdevelopersincreatingapplicationsontheAppStoreforfreeorforpurchase.GlobalPositioningSystem(GPS)wasalsoaddedtotheiPhonewiththisrelease.

3.x–thefirstiPad

iPhoneOS3.0(knownasKirkwood)becameavailablewiththereleaseofiPhone3GS.TheiOSreleasebroughtthecopy/pastefeature,spotlightsearches,andpushnotificationsforthird-partyapplications,andmanyotherenhancementstothebuilt-inapplications.Multitaskingwasintroduced,butitwaslimitedtoaselectionoftheapplicationsAppleincludedonthedevice.ThefirstiPadwasintroducedwithiPhoneOS3.2(knownasWildcat)andlaterupdatedto3.2.2,aversionspecificallymadefortheiPad.

4.x–GameCenterandmultitasking

iOS4.0(knownasApex)wasthefirstmajorreleaseafterrenamingtheiPhoneOStoiOS.Thisreleasebroughtover100newfeatures,suchasFaceTime,iBooks,voicecontrol,and1,500newAPIstothedevelopers.Startingwiththisrelease,multitaskingwasextendedtothird-partyiOSapplications.ApplealsoreleasedGameCenter,anonlinemultiplayersocialgamingnetworkalongwiththisrelease.

5.x–SiriandiCloud

iOS5.0(knownasTelluride)wasreleasedwithiPhone4S.iOS5withiPhone4SintroducedApple'snaturallanguage-basedvoicecontrol,Siri—avirtualassistant.Thisupdatebroughtmanynewfeatures,suchasnotificationcenter,iMessages,Newsstand,Twitterintegration,theRemindersapplication,andovertheair(OTA)softwareupdates.ThebiggestadditiontothereleasewastheiCloud,Apple'scloud-basedservicethatallowsuserstosynchronizetheircontacts,calendar,pictures,andmuchmoretothecloud.

6.x–AppleMaps

iOS6.0(knownasSundance)wasreleasedinJune2012withthereleaseofiPhone5.WithiOS6,theold,Google-poweredMapsapplicationwasremoved,andanall-newAppleMapswithdatasuppliedbyTomTomwasadded.TheYouTubeapplicationwasalsoremovedinthisupdate.iOS6broughtmanynewfeatures,suchasFacebookintegration,FaceTimeovercellularnetwork,Passbook,andmanyenhancementstothebuilt-inapplications.Betterprivacycontrolswereaddedwiththisrelease.

7.x–theiPhone5Sandbeyond

iOS7.0(knownasInnsbruck)wasreleasedinSeptember2013withthereleaseofiPhone5S.ThebiggestchangeiniOS7andthemostimportantwasthesystem-wideredesign.Withthisrelease,Appletooktheinterfaceexperiencefromstatictodynamic.Atonofnewfeatureswereintroduced,suchascontrolcenter,Airdrop,iTunesRadio,FaceTimeaudio,automaticupdatesforapplications,activationlock,andmanymore.WithiPhone5S,Apple'sTouchIDfingerprintidentitysensor,abiometricauthenticationtechnology,wasintroduced.

AlltheiOSversionsarenotsupportedbyalltheiOSdevices.EachiOSversion

iscompatibleonlywithafewdevices,asshowninthefollowingiOScompatibilitymatrix.Thistablewascreatedusinghttp://iossupportmatrix.com/.TheblocksingreensignifythataniOSversionwassupportedforthatdevice.Ifaversionislisted,itistheearliestversionsupportedforthatdevice.Theblocksinredmeannosupportforthatdevice,andtheblocksinbluearestilliOSversionssupportedbyApple.

TheOScompatibilitymatrix

TheiOSarchitecture

iOSactsasanintermediarybetweentheunderlyinghardwarecomponentsandtheapplicationsthatappearonthescreen.Theapplicationsdonottalktotheunderlyinghardwaredirectly.Instead,theycommunicatethroughawell-definedsysteminterfacethatprotectstheapplicationsfromhardwarechanges.Thisabstractionmakesiteasytobuildapplicationsthatworkondeviceswithdifferenthardwarecapability.

TheiOSarchitectureconsistsoffourlayers:theCocoaTouchlayer,Medialayer,CoreServiceslayer,andCoreOSlayer,asshowninthefollowingfigure.Eachlayerconsistsofseveralframeworksthatwouldhelptobuildanapplication.

TheiOSlayers

TheCocoaTouchlayer

TheCocoaTouchlayercontainsthekeyframeworksrequiredtodevelopthevisualinterfaceforiOSapplications.Frameworksinthislayerprovidethebasicapplicationinfrastructureandsupportkeytechnologies,suchasmultitaskingandtouch-basedinput,andmanyhigh-levelsystemservices.

TheMedialayer

TheMedialayerprovidesthegraphicsandaudioandvideoframeworkstocreate

thebestmultimediaexperienceavailableonamobiledevice.Thetechnologiesinthislayerhelpdeveloperstobuildapplicationsthatlookandsoundgreat.

TheCoreServiceslayer

ThisCoreServiceslayerprovidesthefundamentalsystemservicesthatarerequiredfortheapplications.Alltheseservicesarenotusedbythedevelopersthoughmanypartsofthesystemarebuiltontopofthem.Thelayercontainsthetechnologiestosupportfeaturessuchaslocation,iCloud,andsocialmedia.

TheCoreOSlayer

TheCoreOSlayeristhebaselayerandsitsdirectlyontopofthedevicehardware.Thislayerdealswithlow-levelfunctionalitiesandprovidesservicessuchasnetworking(BSDsockets),memorymanagement,threading(POSIXthreads),filesystemhandling,externalaccessoriesaccess,andinter-processcommunication.

iOSsecurity

iOSwasdesignedwithsecurityatitscore.Atthehighestlevel,theiOSsecurityarchitectureappearsasshowninthefollowingfigure:

TheiOSsecurityarchitecture

AppleiOSdevicessuchasiPhone,iPad,andiPodToucharedesignedwithlayersofsecurity.Low-levelhardwarefeaturessafeguardfrommalwareattacksandthehigh-levelOSfeaturespreventunauthorizeduse.AbriefoverviewoftheiOSsecurityfeaturesareprovidedinthefollowingsections.

Passcode

Passcodesrestrictunauthorizedaccesstothedevice.Onceapasscodeisset,eachtimeyouturnonorwakeupthedevice,itwillaskforthepasscodetoaccessthedevice.iPhonesupportssimpleaswellascomplexpasscodes.iPhone5SalsosupportstouchIDfingerprintsasapasscode.

Codesigning

Codesigningpreventsusersfromdownloadingandinstallingunauthorizedapplicationsonthedevice.Applesays"CodeSigningistheprocessbywhichyourcompilediOSapplicationissealedandidentifiedasyours.Also,iOSdeviceswon'trunanapplicationorloadalibraryunlessitissignedbyatrustedparty.Toensurethatallappscomefromaknownandapprovedsourceandhavenotbeentamperedwith,iOSrequiresthatallexecutablecodebesignedusinganApple-issuedcertificate."

Sandboxing

Sandboxingmitigatesthepost-code-executionexploitationbyplacingtheapplicationintoatightlyrestrictedarea.ApplicationsinstalledontheiOSdevicearesandboxed,andoneapplicationcannotaccessthedatastoredbytheotherapplication.

Encryption

OniOSdevices,theentirefilesystemisencryptedwithafilesystemkey,whichiscomputedfromthedevice'suniquehardwarekey.

Dataprotection

Dataprotectionisdesignedtoprotectdataatrestandtomakeofflineattacksdifficult.Itallowsapplicationstoleveragetheuser'sdevicepasscodeinconcertwiththedevicehardwareencryptiontogenerateastrongencryptionkey.Later,thestrongencryptionkeyisusedtoencryptthedatastoredonthedisk.Thiskey

preventsdatafrombeingaccessedwhenthedeviceislocked,ensuringthatcriticalinformationissecuredevenifthedeviceiscompromised.

AddressSpaceLayoutRandomization

AddressSpaceLayoutRandomization(ASLR)isanexploitmitigationtechniqueintroducedwithiOS4.3.ASLRrandomizestheapplicationobjects'locationinthememory,makingitdifficulttoexploitthememorycorruptionvulnerabilities.

Privilegeseparation

iOSrunswiththeprincipleofleastprivileges.Itcontainstwouserroles:rootandmobile.Themostimportantprocessesinthesystemrunwithrootuserprivileges.Allotherapplicationsthattheuserhasdirectaccessto,suchasthebrowserandthird-partyapplications,runwithmobileuserprivileges.

Stacksmashingprotection

Stacksmashingprotectionisanexploitmitigationtechnique.Itprotectsagainstbufferoverflowattacksbyplacingarandomandknownvalue(calledstackcanary)betweenabufferandcontroldataonthestack.

Dataexecutionprevention

Dataexecutionprevention(DEP)isanexploitmitigationtechniquemechanisminwhichaprocessorcandistinguishtheportionsofmemorythatareexecutablecodefromdata.

Datawipe

iOSprovidesanoptionEraseAllContentandSettingstowipethedataontheiPhone.Thistypeofdatawipeerasesusersettingsandinformationbyremovingtheencryptionkeysthatprotectsthedata.Astheencryptionkeysareerasedfromthedevice,itisnotpossibletorecoverthedeleteddatainforensicinvestigations.Otherwipingmethodsareavailablethatoverwritethedatainthedevicememory.Moreinformationonwipingcanbefoundathttp://support.apple.com/kb/ht2110.

ActivationLock

ActivationLock,introducedwithiOS7,isatheftdeterrentthatworksby

leveragingFindMyiPhone.WhenFindMyiPhoneisenabled,itenablestheActivationLock,andyourAppleIDandpasswordwillberequiredtoturnoffFindMyiPhone,toeraseyourdevice,andtoreactiveyourdevice.

AppStore

TheAppStoreisanapplicationdistributionplatformforiOS,developedandmaintainedbyApple.Itisacentralizedonlinestorewhereuserscanbrowseanddownloadbothfreeandpaidapps.Theseappsexpandthefunctionalityofamobiledevice.AsofDecember2013,therearemorethan1millionapplicationsintheAppStore,andusershavedownloadedthemover60billiontimes.AppsavailableintheAppStorearegenerallywrittenbythird-partydevelopers.DevelopersuseXCodeandtheiPhoneSDKtodevelopiOSapplications.Later,theysubmittheapptoAppleforapproval.Applefollowsanextensivereviewprocesstochecktheappagainstthecompanyguidelines.IfAppleapprovestheapp,itispublishedtotheAppStorewhereuserscandownloadorbuyit.ThestrictreviewprocessmakestheAppStorelesspronetomalware.Currently,userscanaccesstheAppStoreviaiTunesandalsofromtheiriOSdevices.

Jailbreaking

JailbreakingistheprocessofremovinglimitationsimposedbyApple'smobileoperatingsystemthroughtheuseofsoftwareandhardwareexploits.Jailbreakingpermitsunsignedcodetorunandgainrootaccessontheoperatingsystem.ThemostcommonreasonforjailbreakingistoexpandthelimitedfeaturesetimposedbyApple'sAppStoreandtoinstallunapprovedapps.Manypubliclyavailablejailbreakingtoolsaddanunofficialapplicationinstallertothedevice,suchasCydia,whichallowsuserstoinstallmanythird-partyapplications,tools,tweaks,andappsfromanonlinefilerepository.ThesoftwaredownloadedfromCydiaopensupendlesspossibilitiesonadevicethatanon-jailbrokendevicewouldneverbeabletodo.Themostpopularjailbreakingtoolsareredsn0w,sn0wbreeze,evasi0n,Absinthe,seas0npass,andsoon.NotalltheiOSversionsarejailbreakable.Thewebsitehttp://www.guidemyjailbreak.com/choose-iphone-to-jailbreak/canbehelpfultofindoutwhetheraparticulariOSversionisjailbreakableornotandwithwhichmethod.InOctober2012,TheU.S.CopyrightOfficedeclaredthatjailbreakingtheiPadisillegal,whilejailbreakingtheiPhoneisdeemedlegal.Thegoverninglawisreviewedeverythreeyears.

SummaryThefirststepinaforensicexaminationofaniOSdeviceshouldbeidentifyingthedevicemodel.ThemodelofaniOSdevicecanbeusedtohelptheexaminerdevelopanunderstandingoftheunderlyingcomponentsandcapabilitiesofthedevice,whichcanbeusedtodrivethemethodsforacquisitionandexamination.LegacyiOSdevicesshouldnotbedisregardedbecausetheymaysurfaceaspartofaninvestigation.ExaminersmustbeawareofalliOSdevicesasolddevicesaresometimesstillinuseandmaybetiedtoacriminalinvestigation.ThenextchapterwillprovidetipsandtechniquesforacquiringdatafromtheiOSdevicesdiscussedinthischapter.

Chapter3.DataAcquisitionfromiOSDevicesAniPhonerecoveredfromacrimescenecanprovidearichsourceofevidenceduetoitsincreasedstoragecapabilitiesandInternetconnectivity.Accordingtoseveralnewsreferences,OcsarPistorius'iPadswereexaminedbyamobileexpertandpresentedduringthemurdertrialtoshowInternetactivityhoursbeforethemurderofhisgirlfriend.TherearedifferentwaystoacquireforensicdatafromaniPhone.Thougheachmethodwillhaveitspositivesandnegatives,thefundamentalprincipleofanyacquisitionmethodistoobtainabit-by-bitpictureoftheoriginaldata.

Thischaptercoversphysicalacquisitiontechniquesthattargetthephysicalstoragemediumdirectlyandextractadiskimagefromthedeviceintoanexternalfile,whichcanbeexaminedlaterusingforensictools.

OperatingmodesofiOSdevicesBeforewediveintotheforensictechniquesandacquisitionmethods,itisimportanttoknowthedifferentoperatingmodesofaniPhone.Manyforensictoolsandmethodsrequireyoutoplacethedeviceintooneoftheoperatingmodes.UnderstandingtheiOSdeviceoperatingmodesisrequiredinordertoperformaparticularactiononthedevice.iOSdevicesarecapableofrunningindifferentoperatingmodes:normalmode,recoverymode,andDFUmode.Mostforensictoolsrequiretheexaminertoknowwhichmodethedeviceiscurrentlyutilizing.Wewilldefineeachmodeinthissection.Whentheterm"iPhone"isreferenced,itshouldbeunderstoodthatthestatementremainstrueforalliOSdevices.

Normalmode

WhenaniPhoneisswitchedon,itisbootedtoitsoperatingsystem.Thismodeisknownasnormalmode.Mostoftheregularactivities(calling,texting,andsoon)performedonaniPhonewillberuninnormalmode.

WhenaniPhoneisturnedon,internally,itgoesthroughasecurebootchain,asshowninthefollowingfigure.Eachstepintheboot-upprocesscontainssoftwarecomponentsthatarecryptographicallysignedbyAppletoensureintegrity.

AsecurebootchainofaniPhoneinnormalmode

TheBootROM,knownasthesecureROM,isaread-onlymemory(ROM)andisthefirstsignificantcodethatrunsonaniPhone(http://images.apple.com/ipad/business/docs/iOS_Security_Feb14.pdf).TheBootROMcodecontainstheApplerootCApublickey,whichisusedtoverifythesignatureofthenextstagebeforeallowingittoload.WhentheiPhoneisstarted,theapplicationprocessorexecutesthecodefromtheBootROM,which,

inturn,verifieswhethertheLowLevelBootloader(LLB)issignedbyAppleornotandloadsitaccordingly.WhenLLBfinishesitstasks,itverifiesandloadsthesecondstagebootloader(iBoot).iBootverifiesandloadstheiOSkernel,which,inturn,verifiesandrunsalltheuserapplicationsasshownintheprecedingfigure.ThesecurebootchainensuresiOSrunsonlyonvalidatedAppledevices.

Recoverymode

Duringtheboot-upprocess,ifonestepisunabletoloadorverifythenextstep,thentheboot-upisstoppedandtheiPhonedisplaysascreen,asshowninthefollowingscreenshot.Thismodeisknownastherecoverymode.TherecoverymodeisrequiredtoperformupgradesorrestoretheiPhone.

Toenterrecoverymode,performthefollowingsteps:

1. Turnoffthedevice—pressandholddowntheSleep/PowerbuttonlocatedatthetopoftheiPhoneuntiltheredsliderappears.Then,movethesliderandwaitforthedevicetoturnoff.

2. HolddowntheiPhoneHomebuttonandconnectthedevicetoacomputerviaaUSBcable.Thedeviceshouldturnon.

3. ContinueholdingtheHomebuttonuntiltheConnecttoiTunesscreenappears,asshowninthefollowingscreenshot.Then,youcanreleasetheHomebutton.(Onajail-brokeniOSdevice,thisscreenmayappearwithdifferenticons.)MostforensictoolsandextractionmethodswillalerttheexaminertothecurrentstateoftheiOSdevice.

YoucanreadabouttheiPhonerecoverymodeathttp://support.apple.com/kb/HT1808.

Toexittherecoverymode,reboottheiPhone.ThiscanbecompletedbyholdingtheHomeandSleep/PowerbuttonuntiltheApplelogoappears.Normally,theprocessofrebootingreturnstheiPhonefromrecoverymodetonormalmode.TheexaminermayexperienceasituationwheretheiPhoneconstantlyrebootsintorecoverymode.Thisisknownasarecoveryloop.ArecoveryloopoftenoccurswhentheuserattemptstojailbreaktheiriOSdeviceandanerroroccurs.

Severalopensourcemethodsexisttorepairarecoveryloop.Thefollowingexampleshowstheredsn0wtool,whichcanbeusedtoexitarecoveryloop.Youcandownloadthelatestversionofredsn0wfromthefollowinglink:https://sites.google.com/a/iphone-dev.com/files/.

Then,navigatetoExtras|Recoveryfix,asshowninthefollowingscreenshot.Anexternalmethodortoolmaynotberequired.Sometimes,placingthedeviceinDFUmodeandconnectingthedevicetoiTuneswillproperlyreboottheiPhone.

Theredsn0wrecoveryfix

DFUmode

Duringtheboot-upprocess,iftheBootROMisnotabletoloadorverifyLLB,thentheiPhonedisplaysablackscreen.ThismodeisknownastheDeviceFirmwareUpgrade(DFU)mode.DFUmodeisalow-leveldiagnosticmodeandisdesignedtoperformfirmwareupgradesfortheiPhone.Duringafirmwareupgrade,theiPhonegoesthroughadifferentbootsequenceasshowninthefollowingfigure.MostforensictoolsuseDFUmodetoperformaphysicalacquisition.

AsecurebootchainofaniPhoneinDFUmode

InDFUmode,theBootROMbootsfirst,which,inturn,verifiesandrunsthesecondstagebootloaders,iBSSandiBEC.TheiBECloaderverifiesandloadsthekernel.Thekernelverifiesandloadstheramdiskintomemory.Again,mostforensicacquisitionmethodsrequiretheiOSdevicetobesuccessfullyenteredinDFUmode.AsmentionedinChapter1,IntroductiontoMobileForensics,allstepsmustbewelldocumentedbytheexaminer.ThehandlingoftheiOSdeviceisnoexception.DFUmodeisamethodrecognizedinmobiledeviceforensics

andisdeemedtobeaforensicallysoundactiontopreparethedeviceforforensicacquisition.

ToenterDFUmode,performthefollowingsteps:

1. DownloadandinstalliTunesonyourforensicworkstationfromhttp://www.apple.com/itunes/download/.

2. ConnectyourdevicetotheforensicworkstationviaaUSBcable.3. Turnoffthedevice.4. HolddownthePowerbuttonfor3seconds.5. HolddowntheHomebuttonwithoutreleasingthePowerbuttonforexactly

10seconds.6. ReleasethePowerbuttonandcontinuetoholddowntheHomebuttonuntil

youarealertedbyiTuneswiththeiTuneshasdetectedaniPhoneinrecoverymode.YoumustrestoretheiPhonebeforeitcanbeusedwithiTunesmessage.

7. Atthispoint,theiPhonescreenwillbeblackandshouldnotdisplayanything.TheiPhoneisreadytobeusedinDFUmode.IfyouseetheApplelogoorothersignalsthatthedeviceisbooting,repeatsteps2through6untiliTunesdisplaysthatmessage.

ToverifywhethertheiPhoneisinDFUmodeonMacOSX,launchSystemInformationandgototheUSBoption.Youshouldseeadevicesimilartowhatisshowninthefollowingscreenshot:

TheMACsysteminformationdisplayingaDFU-modedevice

Justlikeinrecoverymode,toexitDFUmode,holddowntheHomebuttonandthePowerbuttonuntiltheApplelogoappearsonthedevice.MoreinformationcanbefoundonmethodstoverifyDFUmodeathttp://www.zdziarski.com/blog/wp-content/uploads/2013/05/iOS-Forensic-Investigative-Methods.pdf.

PhysicalacquisitioniOSdeviceshavetwotypesofmemory:volatile(RAM)andnon-volatile(NANDFlash).RAMisusedtoloadandexecutethekeypartsoftheoperatingsystemortheapplication.ThedatastoredontheRAMislostafteradevicereboots.RAMusuallycontainsveryimportantapplicationinformationsuchasactiveapplications,usernames,passwords,andencryptionkeys.ThoughtheinformationstoredintheRAMcanbecrucialinaninvestigation,currentlythereisnomethodortoolavailabletoacquiretheRAMmemoryfromaliveiPhone.

UnlikeRAM,NANDisnon-volatilememoryandretainsthedatastoredinitevenafteradevicereboots.NANDflashisthemainstorageareaandcontainsthesystemfilesanduserdata(http://www.nist.gov/forensics/research/upload/draft-guidelines-on-mobile-device-forensics.pdf).Thegoalofphysicalacquisitionistoperformabit-by-bitcopyoftheNANDmemory,similartothewayinwhichacomputerharddrivewouldbeforensicallyacquired.Whiledatastorageseemssimilar,NANDdiffersfromthemagneticmediafoundinmodernharddrives.NANDmemoryischeaper,faster,andholdsagreatamountofdata.Thus,NANDistheidealstorageformobiledevicesasmentionediniPhoneandiOSForensics,AndrewHoogAndKatieStrzempka,ElsevierBV.

PhysicalacquisitionhasthegreatestpotentialforrecoveringdatafromiOSdevices;however,evolvingsecurityfeatures(securebootchain,storageencryption,andpasscode)onthesedevicesmayhindertheaccessibilityofthedataduringforensicacquisition.ResearchersandcommercialforensictoolvendorsarecontinuallyattemptingnewtechniquestobypassthesecurityfeaturesandperformphysicalacquisitiononiOSdevices.Currently,therearetwomethodsthatcanbeusedtogainaccesstotheiOSdeviceandgrabaphysicalimageoftheNAND.Thetwomethodsareexplainedindetailinthefollowingsections.

AcquisitionviaacustomramdiskAcquisitionviaacustomramdiskisanovelmethodtoacquiredatafromaniPhone.ItgainsaccesstothefilesystembyloadingacustomramdiskintothememoryandexploitingaweaknessinthebootprocesswhilethedeviceisintheDFUmode.AcustomramdiskcontainstheforensictoolsnecessarytodumpthefilesystemoverUSBviaanSSHtunnel.Loadingacustomramdiskontoadevicewillnotaltertheuserdata,andthustheevidencewillnotbedestroyed.

ImagineacomputerthatisprotectedwithanOS-levelpassword,wecanstillaccesstheharddiskcontentsbybootingwithaliveCD.Similarly,ontheiPhone,wecanloadacustomramdiskoverUSBandaccessthefilesystem.However,theiPhonesecurebootchainpreventsusfromloadingthecustomramdisk.WecanachievethisbyexploitingaBootROMvulnerabilityandpatchingsuccessivestages,asshowninthefollowingfigure:

AnexploitedbootchainofaniPhoneinDFUmode

HackercommunitieshavefoundseveralBootROMvulnerabilitiesinA4

devices(iPhone4andolderiPhonemodels).Currently,therearenoBootROMexploitsforA5+devices(iPhone4Sandlatermodels)thatallowaccessforphysicalacquisitionofthedevice.BootROMvulnerabilitiescannotbefixedwithsoftwareupdates,effectivelymakingadevicevulnerableforever.

Inadditiontothis,thefilesystemontheiPhoneisencrypted.SincethereleaseoftheiPhone3GS,thehardwareandfirmwareencryptionarebuiltintoiOSdevices.EveryiOSdevicehasadedicatedAES256-bitcryptoengine(theAEScryptographicaccelerator)withtwohardcodedkeys:UID(UniqueID)andGID(GroupID)(asstatedbyZdziarskiinoneofhisbooks).TheCPUonthedevicecannotreadthehardcodedkeysbutcanusethemforencryptionanddecryptionthroughtheAESaccelerator.TheUIDkeyisuniqueforeachdeviceandisusedtocreatedevice-specifickeys(the0x835keyandthe0x89Bkey)thatarelaterusedforfilesystemencryption.TheUIDallowsdatatobecryptographicallytiedtoaparticulardevice;so,eveniftheflashchipismovedfromonedevicetoother,thefilesarenotreadableandremainencrypted.TheGIDkeyissharedbyalldeviceswiththesameapplicationprocessor(forexample,alldevicesthatusetheA4chip)andisusedtodecrypttheiOSfirmwareimages(IPSW)duringinstallation,restore,andupdate.TheGIDpreventshackersfromreversingthefirmwareandfindingsecurityvulnerabilities.

ApartfromtheUIDandGID,allothercryptographickeysarecreatedbythesystem'srandomnumbergenerator(RNG)usinganalgorithmbasedonYarrow.MoreinformationonencryptionandYarrow-basedalgorithmscanbefoundathttp://images.apple.com/ipad/business/docs/iOS_Security_Feb14.pdf.

iPhoneDataProtectionToolsisanopensourceiOSforensictoolkitwrittenbyJean-BaptisteandJeanSigwald,whichusesthecustomramdisktechnique.TheforensictoolkitbuildsacustomramdiskandloadsittothedevicebyexploitingtheBootROMvulnerabilityintheDFUmode.Thecustomramdiskincludestoolstoenumeratedeviceinformation,bruteforcepasscodeattempts,andcreatearawimageofthediskpartition.Theforensictoolkitalsoobtainsdeviceencryptionkeys,decryptsthefilesystem,andrecoversthedeletedfiles.TheiPhoneDataProtectionToolscurrentlyworkwiththeiPhone3G,3GSand4;iPodtouch2G,3Gand4G;andiPad1models.Moreinformationonthiscanbefoundathttps://code.google.com/p/iphone-dataprotection/wiki/README.

Theforensicenvironmentsetup

ThefollowingstepsexplainhowtousetheiPhoneDataProtectionToolsonMacOSX10.8.5withXcode4.6.1andiOS6.1SDK(otherversionsshouldworkwiththesamesteps).AssumingthatyoualreadyhaveXcodewithUNIXtoolsinstalled,youwillneedtoinstallsomeadditionalcommand-linetools,Pythonmodules,andbinariestobuildandusetheiPhoneDataProtectionTools.

Downloadingandinstallingtheldidtool

First,youneedtodownloadtheldidtool,whichisusedtoviewandmanipulatecodesignaturesandembeddedentitlementsplistfilesofbinaries.OnMacOSX,opentheterminalwindowandusethecurlcommand,asshown,todownloadtheIdidtool:

$curl-Ohttp://networkpx.googlecode.com/files/ldid

%Total%Received%XferdAverageSpeedTimeTimeTimeCurrent

DloadUploadTotalSpentLeftSpeed

100320161003201600522140--:--:----:--:----:--:--

279k

Grantexecutionpermissiontotheldidtoolandmoveittothebindirectoryintheusrfolder,usingthecommandsshown:

$chmod+xldid

$sudomvldid/usr/bin/

Verifyingthecodesign_allocatetoolpath

CreateasymboliclinktotheXcodefolder,asshown:

$sudoln-s/Applications/Xcode.app/Contents/Developer/

iPhoneDataProtectionToolsrequirethecodesign_allocatetool,whichispresentbydefaultiftheUNIXtoolswereinstalledwithXcode.Tofindwhethercodesign_allocateexistsornot,usethecommandshown:

$whichcodesign_allocate/usr/bin/codesign_allocate

Ifyoudonotseethelocationofcodesign_allocatefromthecommand-lineoutput,createasymboliclinktoit,asshown:

$sudoln-

s/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/codesign_

allocate/usr/bin

InstallingOSXFuse

iOSfirmwarefilesareintheIMG3fileformat.Tomodifytheramdisk,theiPhoneDataProtectionToolsincludeaFUSEfilesystemthatunderstandstheIMG3format.ThelatestversionofOSXFuseshouldbeinstalledonyourforensicworkstation.OSXFuseextendsthenativefilehandlingcapabilitiesofOSXandallowsyoutomountthefilesystemsthatarenotnativelysupportedbyOSX.YoucandownloadandinstallOSXFusebyexecutingthecommandsshownordirectlyfromthefollowinglink:http://sourceforge.net/projects/osxfuse/files/osxfuse-2.6.2/osxfuse-2.6.2.dmg.

$sudocurl-O-L

http://sourceforge.net/projects/osxfuse/files/osxfuse-

2.6.2/osxfuse-2.6.2.dmg

%Total%Received%XferdAverageSpeedTimeTimeTime

Current

DloadUploadTotalSpentLeftSpeed

1008608k1008608k00546k00:00:150:00:15--:--:-

-698k

Next,runthethreecommandsasshown:

$hdiutilmountosxfuse-2.6.2.dmg

ChecksummingGesamteDisk(Apple_HFS:0)…

...................................................................

..

GesamteDisk(Apple_HFS:0):verifiedCRC32$6D4256E4

verifiedCRC32$D09075DF

/dev/disk2/Volumes/FUSEforOS

X

$sudoinstaller-pkg/Volumes/FUSE\for\OS\X/Install\OSXFUSE\

2.6.pkg-target/

installer:PackagenameisFUSEforOSX(OSXFUSE)

installer:Installingatbasepath/

installer:Theinstallwassuccessful.

$hdiutileject/Volumes/FUSE\for\OS\X/

"disk3"unmounted.

"disk3"ejected.

InstallingPythonmodules

ThePythonscriptsofiPhoneDataProtectionToolsrequireinstallationofseveralPythonmodules:construct,progressbar,andsetuptools.YoucaninstalltherequiredPythonmodulesusingPython'seasy_installcommand,asshown:

$sudoeasy_installconstructprogressbar

Searchingforconstruct

Readinghttp://pypi.python.org/simple/construct/

Bestmatch:construct2.5.1

Downloading

https://pypi.python.org/packages/source/c/construct/construct-

2.5.1.zip#md5=4616eb3c12e86ba859ff2ed2f01ddb1c

Processingconstruct-2.5.1.zip

[...]

Installed/Library/Python/2.7/site-packages/construct-2.5.1-

py2.7.egg

Processingdependenciesforconstruct

Searchingforsix

Readinghttp://pypi.python.org/simple/six/

Bestmatch:six1.4.1

Downloadinghttps://pypi.python.org/packages/source/s/six/six-

1.4.1.tar.gz#md5=bdbb9e12d3336c198695aa4cf3a61d62

Processingsix-1.4.1.tar.gz

[...]

Installed/Library/Python/2.7/site-packages/six-1.4.1-py2.7.egg

Finishedprocessingdependenciesforconstruct

Searchingforprogressbar

Readinghttp://pypi.python.org/simple/progressbar/

Readinghttp://code.google.com/p/python-progressbar

Bestmatch:progressbar2.3

Downloadinghttp://python-

progressbar.googlecode.com/files/progressbar-2.3.tar.gz

Processingprogressbar-2.3.tar.gz

[...]

Installed/Library/Python/2.7/site-packages/progressbar-2.3-

py2.7.egg

Processingdependenciesforprogressbar

Finishedprocessingdependenciesforprogressbar

Searchingforsetuptools

Bestmatch:setuptools0.6c12dev-r88846

Addingsetuptools0.6c12dev-r88846toeasy-install.pthfile

Installingeasy_installscriptto/usr/local/bin

[...]

Processingdependenciesforsetuptools

Finishedprocessingdependenciesforsetuptools

ThePythonscriptsalsorequirethecryptographymodulesPyCryptoandM2CryptotodecryptiOSfirmwareimages,files,andkeychainitems.YoucandownloadandinstallthePyCryptotooldirectlyfromthefollowinglink:https://rudix-mountainlion.googlecode.com/files/pycrypto-2.6-1.pkg.

YoucaninstalltheM2Cryptomoduleusingthecommandsshown:

$sudocurl-O-L

http://chandlerproject.org/pub/Projects/MeTooCrypto/M2Crypto-

0.21.1-py2.7-macosx-10.8-intel.egg

%Total%Received%XferdAverageSpeedTimeTimeTimeCurrent

DloadUploadTotalSpentLeftSpeed

100477k100477k006329000:00:070:00:07--:--:--

102k

$sudoeasy_installM2Crypto-0.21.1-py2.7-macosx-10.8-intel.egg

ProcessingM2Crypto-0.21.1-py2.7-macosx-10.8-intel.egg

[...]

Installed/Library/Python/2.7/site-packages/M2Crypto-0.21.1-py2.7-

macosx-10.8-

intel.egg

ProcessingdependenciesforM2Crypto==0.21.1

FinishedprocessingdependenciesforM2Crypto==0.21.1

Finally,todownloadthelatestcopyofiPhoneDataProtectionToolsfromtheGooglecoderepository,youneedtoinstalltheMercurialsourcecodemanagementsystem.Youcandownloadandinstallthisusingtheeasy_installcommand,asshown,ordirectlyfromthefollowinglink:http://mercurial.berkwood.com/binaries/Mercurial-2.6.2-py2.7-macosx10.8.zip.

$sudoeasy_installmercurial

Searchingformercurial

Readinghttp://pypi.python.org/simple/mercurial/

Bestmatch:mercurial2.8

Downloading

https://pypi.python.org/packages/source/M/Mercurial/mercurial-

2.8.tar.gz#md5=76b565f48000e9f331356ab107a5bcbb

Processingmercurial-2.8.tar.gz

[...]

Processingdependenciesformercurial

Finishedprocessingdependenciesformercurial

DownloadingiPhoneDataProtectionTools

DownloadthelatestcopyofiPhoneDataProtectionToolsusingMercurial(hg),

asshown:

$sudohgclonehttps://code.google.com/p/iphone-dataprotection/

warning:code.google.comcertificatewithfingerprint

ad:3c:56:fb:e8:c0:62:b0:ff:89:21:52:98:b1:a1:d4:94:a4:1c:84not

verified(checkhostfingerprintsorweb.cacertsconfigsetting)

destinationdirectory:iphone-dataprotection

requestingallchanges

addingchangesets

addingmanifests

addingfilechanges

added72changesetswith2033changesto1865files

updatingtobranchdefault

152filesupdated,0filesmerged,0filesremoved,0files

unresolved

Thecommandintheprecedingscreenshotcreatestheiphone-dataprotectiondirectoryanddownloadsiPhoneDataProtectionToolstoit.

BuildingtheIMG3FStool

BuildtheIMG3FUSEfilesystemfromtheimg3fsdirectory.ThismoduleenablesyoutodirectlymountthefirmwarediskimagesincludedintheiOSfirmwarepackages(IPSW),asshowninthefollowingcommandlines:

$cdiphone-dataprotection

$sudomake-Cimg3fs/gcc-oimg3fsimg3fs.c-Wall-lfuse_ino64-

lcrypto-I/usr/local/include/osxfuse||gcc-oimg3fsimg3fs.c-

Wall-losxfuse_i64-lcrypto-I/usr/local/include/osxfuse

img3fs.c:Infunction'img3_check_decrypted_data':img3fs.c:100:

warning:pointertargetsinpassingargument2of'strncmp'differ

insignedness

img3fs.c:104:warning:pointertargetsinpassingargument2of

'strncmp'differinsignedness

img3fs.c:108:warning:pointertargetsinpassingargument2of

'strncmp'differinsignedness

[...]

Afterrunningthemakecommand,youwillnoticeafewcompilerwarningmessages,whichyoucanignore.

Downloadingredsn0w

FirmwarediskimagesincludedintheiOSfirmwarepackagesareencrypted.The

redsn0wapplication,afamousiOSjailbreakingutilitydevelopedbytheiPhoneDevTeam,containsaplistfilewiththedecryptionkeysforallpreviouslyreleasediOSfirmwareimages.TheiPhoneDataProtectionbuildscriptswillusethedecryptionkeystoautomaticallydecryptthekernelandramdisk.Todothis,downloadthelatestversionofredsn0wandcreateasymboliclinktoitsKeys.plistfileinthecurrentdirectory,asshowninthefollowingcode.Laterinthischapter,youwillalsouseredsn0wtobootthecustomramdiskontothedevice.

$sudocurl-O-Lhttps://sites.google.com/a/iphone-

dev.com/files/home/redsn0w_mac_0.9.15b3.zip

%Total%Received%XferdAverageSpeedTimeTimeTimeCurrent

DloadUploadTotalSpentLeftSpeed

10017.1M10017.1M00298k00:00:580:00:58--329k

$sudounzipredsn0w_mac_0.9.15b3.zip

Archive:redsn0w_mac_0.9.15b3.zip

creating:redsn0w_mac_0.9.15b3/

inflating:redsn0w_mac_0.9.15b3/boot-ipt4g.command

inflating:redsn0w_mac_0.9.15b3/credits.txt

inflating:redsn0w_mac_0.9.15b3/license.txt

[...]

extracting:redsn0w_mac_0.9.15b3/redsn0w.app/Contents/PkgInfo

creating:redsn0w_mac_0.9.15b3/redsn0w.app/Contents/Resources/

inflating:

redsn0w_mac_0.9.15b3/redsn0w.app/Contents/Resources/redsn0w.icns

$sudocpredsn0w_mac_0.9.15b3/redsn0w.app/Contents/MacOS/Keys.plist

.

Creatingandloadingtheforensictoolkit

Atthispoint,alloftheprerequisitesshouldbeinstalled,andyoushouldbereadytobuildandloadthecustomramdiskontoyourtargetiOSdevice.First,wepatchtheramdisksignaturechecksinthekernelandbuildacustomramdiskwithourforensictools.Later,weuseredsn0wtoloadthemodifiedkernelandthecustomramdiskbyexploitingtheBootROMvulnerability.

DownloadingtheiOSfirmwarefile

AniOSfirmwareupdatesoftwarearchive(IPSW)fileforthehardwaremodelwithwhichyouintendtousethecustomramdiskisrequired.iPhoneDataProtectionToolssupportstheramdiskcreationforiOS6IPSWandlowerversions.Forbestresults,usethelatestversionofiOS5IPSWtocreatetheramdisk.iOS5kerneliscompatiblewiththepreviousandforthcomingiOSversions.So,evenifyourdeviceisrunningoniOS7oriOS4,youcanpreparetheramdiskwithiOS5.YoucandownloadtheIPSWfileforthetargetdevicefromhttp://getios.com/index.php.

CopythedownloadedIPSWtothedataprotectiondirectoryinsidetheiphonefolder,asshowninthefollowingcommand:

$cp~/Downloads/iPhone3,1_5.1.1_9B208_Restore.ipsw.

Note

Theabovecommandendswith.whichrepresentsthecurrentworkingdirectory.

TheiPhone3,1_5.1.1_9B208_Restore.ipswfileusedintheprecedingcommandtargetstheiPhone4device.TheIPSWfilenamesincludethehardwaremodel(iPhone3,1),theiOSversionnumber(5.1.1),andthespecificbuildnumber(9B208).

Modifyingthekernel

Forthecustomramdisktoworkproperly,amodifiedkernelisrequired.Thekernel_patcher.pyscriptiniPhoneDataProtectionToolsextractsthekernelcachefromthesuppliedIPSWfileandpatchesit.Thekernelpatchingutilitymakesappropriatechangestothekerneltodisablethecodesigningtorunarbitrarybinariesandtoallowaccesstorestrictedfunctions.Runthe

kernel_patcher.pyscriptonyourIPSWtocreateapatchedkernelcacheandashellscriptthatbuildstheramdisk,asshowninthefollowingcommands:

$sudopythonpython_scripts/kernel_patcher.py

iPhone3,1_5.1.1_9B208_Restore.ipsw

Decryptingkernelcache.release.n90

Unpacking...

DoingCSEDpatch

Doinggetxattrsystempatch

Doingnand-disable-driverpatch

Doingtask_for_pid_0patch

DoingIOAESgidpatch

DoingAMFIpatch

Doing_PE_i_can_has_debuggerpatch

DoingIOAESAcceleratorenableUIDpatch

Patchedkernelwrittentokernelcache.release.n90.patched

Createdscriptmake_ramdisk_n90ap.sh,youcanuseitto(re)build

theramdisk

Thescriptcreatesapatchedkernelfilecalledkernelcache.release.n90.patchedtothecurrentworkingdirectory.FortheiOS5IPSWfile,italsocreatesascriptcalledmake_ramdisk_n90ap.shtobuildthecustomramdisk.PayattentiontothefilenamesbecausetheymaydifferdependingontheiOSdevicemodel.

Buildingacustomramdisk

Givepermissiontoexecutethemake_ramdisk_n90ap.shramdiskbuildscriptandexecutethisscripttocreatethecustomramdiskasfollows:

$chmod+xmake_ramdisk_n90ap.sh

Beforeexecutingthescript,editthefileandfixtheiOSSDKpathasfollows:

$sudonanomake_ramdisk_n90ap.sh

AsweareusingiOSSDK6.1,append6.1totheforloop,asshowninthefollowingcode:

forVERin4.24.35.05.16.06.1

FixtheIOKitpathbyreplacing/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS$VER.sdk/System/Library/Frameworks/IOKit.framework/IOKit

with

/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS$VER.sdk/System/Library/Frameworks/IOKit.framework/IOKit

intheifstatement.

Aftermakingthenecessarychanges,pressCtrl+X,typetheletteryandhittheEnterkeyonthekeyboardtosavethefile.

Executethemake_ramdisk_n90ap.shscript;itwilldownloadssh.tar.gzfromGoogleCode.Next,compiletheramdisktoolslocatedintheramdisk_toolsfolderandaddthemtotheexistingramdisktoprepareaforensicramdisk,asshowninthefollowingcommand:

$sudo./make_ramdisk_n90ap.sh

FoundiOSSDK6.1

[somewarningmessages]

Archive:iPhone3,1_5.1.1_9B208_Restore.ipsw

inflating:038-5512-003.dmg

TAG:TYPEOFFSET14data_length:4

[...]

"disk2"unmounted.

"disk2"ejected.

Youcanboottheramdiskusingthefollowingcommand(fix

paths)redsn0w-iiPhone3,1_5.1.1_9B208_Restore.ipsw-r

myramdisk_n90ap.dmg-kkernelcache.release.n90.patched

Add-a"-vrd=md0nand-disable=1"fornanddump/readonlyaccess

IfyouareusinganiOS6IPSWfile,runthebuild_ramdisk_ios6.shfiletocreatethecustomramdisk.Beforerunningthescript,youneedtoeditMakefileintheramdisk_toolsdirectory,fixtheiOSSDKversion,andcompileitusingthemakecommand.

Bootingthecustomramdisk

Toloadthecustomramdiskontothedevice,startredsn0wfromthecommandlineusingtheIPSW,customramdisk,andpatchedkernelasshowninthefollowingcommand:

$sudo./redsn0w_mac_0.9.15b3/redsn0w.app/Contents/MacOS/redsn0w-i

iPhone3,1_5.1.1_9B208_Restore.ipsw-rmyramdisk_n90ap.dmg-k

kernelcache.release.n90.patched

TurnoffyouriOSdeviceandconnectittothecomputer,whichisrunningredsn0w,withaUSBcable.Whenthedeviceisconnected,redsn0wisdisplayedonthescreenasshowninthefollowingscreenshot:

Theredsn0wwelcomescreen

ClickonNextandfollowthestepsdisplayedonthescreentoplacethedeviceintheDFUmode.OnceyourdeviceisintheDFUmode,redsn0wexploitsoneoftheBootROMvulnerabilitiesandloadsthemodifiedkernelandcustomramdisk.Iftheprocessissuccessful,youwillnoticetheimageofapineappleontheiPhone,followedbybootmessagesinsmalltext.Oncetheprocessis

completed,youwillnoticeanASCIIversionoftheOKmessageonthedevice.

Establishingcommunicationwiththedevice

ThecustomramdiskbootedontotheiPhonecontainsanSSHserver,whichwillallowremotecommand-lineaccesstothedevicethroughtheUSBprotocol.TheUSBmultiplexingdaemon(usbmuxd),abackgrounddaemoninApple'smobiledeviceframework,isusedtotunneltheTCPsocketconnectionovertheUSBprotocoltoalocalTCPsocketlisteningonthedevice.Inthiscase,runtcprelay.py,asshowninthefollowingcommandline,toconnecttotheSSHserverthatisrunningonthecustomramdisk:

$pythonusbmuxd-python-client/tcprelay.py-t22:22221999:1999

Forwardinglocalport2222toremoteport22

Forwardinglocalport1999toremoteport1999

OtherpythonscriptsincludediniPhoneDataProtectionToolscommunicatewiththedeviceoverSSH.So,youshouldkeeprunningtcprelay.pyinanotherterminaluntilyouacquiredatafromthedevice.

Bypassingthepasscode

TheiPhoneprovidesanoptionforitsuserstosetapasscodeontheirdevicetopreventunauthorizedaccess.Onceapasscodeisset,wheneverthedeviceisturnedonorawakenedfromsleepmode,thepasscodeisrequiredtoaccessthedata.iOSsupportsasimplefour-digitcodeandcomplexalphanumericpasscodesofanylength.WiththeiPhone5S,theuserfingerprintscancanalsobeusedtolock/unlockthedevice.ForiPhone5S,theusercanalsoselectasimplefour-digitcodetouseincasethefingerprintisnotrecognized.Bydefault,thepasscodeisafour-digitnumericcodebutbymodifyingthesettings,itcanbesettobeacomplexpasscode.TheuseralsohastheoptiontoeraseallthecontentsontheiPhoneafter10failedpasscodeattempts.

Passcode-lockeddevicesarebeingutilizedmorefrequentlyduetogeneraluserawarenessoftheftandsecuritypoliciesfromorganizations.CircumventingthepasscodeisnotalwayspossibleduetosecurityimprovementsiniOS.Theforensicexaminershouldtrytosecurethepasscodefromtheownertopreventissuesinacquiringdatafromnewer,lockediOSdevices.

IntheinitialreleasesofiOSuntiliOS3,thepasscodeforunlockingthedevicewasstoreddirectlyinthekeychain,aplacetostorepasswordssecurelyontheiPhone.ThispasscodesecuritycanbebypassedbyjustremovingtherecordfromthekeychainorbyremovingtheUIsettingthatasksforthepasscodeafterbootingwiththecustomramdisk.

SinceiOS4,thepasscodeisnotstoredonthedeviceinanyformat.Bysettingadevicepasscode,theuserautomaticallyenablesdataprotection,whichprotectsthedataatrest.Withdataprotection,thedataonthedeviceisencryptedwithasetofclasskeysstoredintheSystemkeybag.TheSystemkeybagitselfisprotectedwithapasscodekey,generatedfromtheuser'spasscodeandthedevice'sUID.So,inordertodecrypttheprotectedkeychainitemsandfilesonthefilesystem,youfirstneedtodecrypttheSystemkeybag.Ifthereisnopasscode,theSystemkeybagcanbeeasilydecrypted.Ifthereisasimplefour-digitpasscode,youwillhavetoguessittodecrypttheSystemkeybag.Asthepasscodeistangledwiththedevice'sUIDkey,bruteforceattemptsmustbeperformedonthedevice.Also,thesamepasscodeondifferentdevicesgeneratesdifferentpasscodekeysastheUIDisuniqueperdevice.Passcodebruteforce

attacksperformedatthespringboardlevelintroducedelays,lockthedevice,andmayleadtothewipingofdata.However,theseprotectionmechanismsarenotapplicablewhenyouareperformingabruteforceattackonakernelextension(AppleKeyStore)todecrypttheSystemkeybag.ItisworthmentioningthatsometoolswillattempttocrackthepasscodeonaniOSdevicebyaccessingthehostcomputerforwhichthatiOSdevicewasconnectedandsynced.Thetoolaccessesthepairingkeythroughanescrowfiletodecryptthelockeddevice.Forthistowork,theexaminerwouldneedtohaveaccesstoboththeiOSdeviceandthehostcomputertowhichthedeviceisbackedup.

Shouldthehostcomputernotbeavailable,asmentioned,thedemo_bruteforce.pyPythonscriptincludediniPhoneDataProtectionToolscanperformbruteforceattackandguessanyfour-digitpasscodewithin18minutes.Bruteforceonthedeviceisslow,andthetimerequiredtobruteforceapasscodedependsonthedevice'scapability.ThefollowingtableliststhetimerequiredtobruteforcepasscodesofvariouslengthsandcomplexityrequirementsontheiPhone4:

Passcodelength Complexity Time

4 Numeric 18minutes

4 Alphanumeric 19days

6 Alphanumeric 196days

8 Alphanumeric 755thousandyears

8 Alphanumeric,complex 27millionyears

OnMacOSX,openanewterminalandrunthefollowingcommand.Thebruteforcescriptusesthe1999portopenedwithtcprelay.pytocommunicatewiththeramdisktoolsonthedevice.Thescriptbruteforcesthepasscode,decryptstheSystemkeybag,dumpsthedataprotectionkeys,andplacesthemintoadirectorynamedwiththeUniqueDeviceIdentifier(UDID)ofthetargetdeviceina.plistformat.

$sudopythonpython_scripts/demo_bruteforce.py

Connectingtodevice:

b716de79051ef093a98fc3ff1c46ca5e36faabc3KeybagUUID:

5b14620bd1e74013bfa66325b6946773

Enterpasscodeorleaveblankforbruteforce:

HitEnteronthekeyboardtostartthebruteforceprocess:

Tryingall4-digitspasscodes...

0of10000ETA:--:--:--

10of10000ETA:0:30:48

20of10000ETA:0:30:33

30of10000ETA:0:30:18

40of10000ETA:0:30:02

50of10000ETA:0:29:51

1100of10000ETA:0:25:54

1110of10000ETA:0:25:53

10000of10000Time:0:03:14

100%|############################################################|

BruteforceSystemKeyBag:0:03:14.543986

{'passcode':'1111','passcodeKey':

'1f5c25823297f97f3cb38d998726fc22787ca3f31b8932c2b868700a341145b5'}

True

Keybagtype:Systemkeybag(0)

Keybagversion:3

KeybagUUID:5b14620bd1e74013bfa66325b6946773

-------------------------------------------------------------------

--

ClassWRAPTypeKeyPublickey

-------------------------------------------------------------------

--

NSFileProtectionComplete3AES

746f01658ec28b3ba99339e35beb37232f89658fd0214eb4c4cac99976b05039

NSFileProtectionCompleteUnlessOpen3

Curve25519

65db69526ea4026227d5faa0dc9066c1092e510aa586a2f62d9101e419600703

a035e0f5a6ee59b9e5928cc67b644c6a5cc8c5235c1a5440a02686d222fc3a08

NSFileProtectionCompleteUntilFirstUserAuthentication3AES

a32826f0abdf6fb1c049d395baa12b07e05a310fb49626a5cef078ca4a7a46f4

NSFileProtectionRecovery?3AES

28ec11f7719c7b36d6f4621a07c3b088fe65c9909c7adb45cf73ad8b9814a330

kSecAttrAccessibleWhenUnlocked3AES

bab62b621ebcf0fbc97ee9a2f1fb6d3ee4a198f5a49a7e233c9dcdf2805292e0

kSecAttrAccessibleAfterFirstUnlock3AES

638ae8c4a1a694b8db2968eba28ef39a14d5397ef102e4872395df619bd00d31

kSecAttrAccessibleAlways1AES

5071e2058e148b7deee5b08fd685c0b29cd9d717f57732647dee0239513c7c79

kSecAttrAccessibleWhenUnlockedThisDeviceOnly3AES

3702f4d05b3b910860b9f17577d5f34bbf26e9a6f20594ea308d72919e182531

kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly3AES

3d8fbd6b41c520f1dc8ebe6786abe4848fa1799456300b89c630c23ff931d6c8

kSecAttrAccessibleAlwaysThisDeviceOnly1AES

1774408c99198fb048ca5fbcd06feadc7d5e4c28a571111df557db9f58040ba5

[...]

Iftheuserchoosesastrongpasscodethatisnoteasytoguess,wecanstillaccessthefilesprotectedwithNSFileProtectionNoneandkeychainitemsprotectedbythekSecAttrAccessibleAlwaysdataprotectionclasses.

Imagingthedatapartition

Physicalimagingreferstotheddimageofthelogicalpartitions.AsdiscussedinChapter2,UnderstandingtheInternalsofiOSDevices,NANDflashoniOSdevicescontainstwologicaldiskpartitions:systempartitionanduserdatapartition.Onanon-jailbrokendevice,thesystempartitionwillbekeptintheread-onlyformat.Theuserdatapartitioncontainsalltheuser-installedapplicationsanddata.Forfullforensicanalysis,itispreferredthatboththesystemanddatapartitionareacquired.Mostforensictoolswillcapturebothpartitionsinoneimage.Iftheexaminerhasatimecrunch,attheminimum,theyshoulddumptheentiredatapartition.Toacquireadiskimageoftheuserdatapartition,runthedump_data_partition.shshellscript,asshowninthefollowingcommandlines:

$sudo./dump_data_partition.sh

Warning:Permanentlyadded'[localhost]:2222'(RSA)tothelistof

knownhosts.

root@localhost'spassword:

Enteralpineasthepassword,whichisthedefaultSSHpasswordoniOSdevices,andhitEnteronthekeyboard:

DeviceUDID:b716de79051ef093a98fc3ff1c46ca5e36faabc3

Dumpingdatapartitionin

b716de79051ef093a98fc3ff1c46ca5e36faabc3/data_20131209-1956.dmg...

Warning:Permanentlyadded'[localhost]:2222'(RSA)tothelistof

knownhosts.

[...]

Therawdiskimagewillbegintransferring,asshowninthefollowingcommandlines,whichshouldalsobereflectedbyagradualincreaseinthesizeofthefileonthedesktop.Thescriptrunsforseveralminutestohoursdependingonthesizeofthefilesystem.Forexample,acquiringanimagefroman8GBiPhone4roughlytakes30minutes.

1801554+0recordsin

1801554+0recordsout

14758330368bytes(15GB)copied,2463.01s,6.0MB/s

ThescriptdumpstheentireuserdatapartitionandplacesitintoadirectorynamedUDIDofthetargetdeviceinaDMGformatthatcanbemounteddirectly

ontoMacOSX.Onlytheuserdatapartitioniscopied,sotheactualfilesizewillbelessthantheiPhonesize.Double-clickingontheDMGfilemountsitinread-writemodeandmighteffecttheimageintegrity.Tomaintaintheintegrity,youcanusethehdiutilcommandtomounttheimageinread-onlymode,asshowninthefollowingcommand.(NotethatthefilepathreflectstheDMGfileyoucreated.)

$hdiutilattach-readonly

b716de79051ef093a98fc3ff1c46ca5e36faabc3/data_20131209-1956.dmg

/dev/disk3/Volumes/Data

Theoutputofthehdiutilcommandshowsthatthediskimagehasbeenattachedtothe/dev/disk3devicefileandcanbemountedon/Volumes/Datawiththefollowingcommand:

$cd/Volumes/Data/

Youcannowbrowsethefilesystemin/Volumes/Data/andobservethatallfilecontentsareencrypted,asshowninthefollowingcommand:

$hexdump-Cmobile/Library/AddressBook/AddressBook.sqlitedb|head

Theoutputisasshowninthefollowingscreenshot:

TheencryptedaddressBookfile

Tounmounttheimage,usethehdiutilejectcommandasfollows:

$cd/

$hdiutileject/Volumes/Data/

"disk3"unmounted.

"disk3"ejected.

WhentheextracteddiskimageismountedonMacOSX,youcanbrowsethefilesystem.However,youcannotreadthefilesastheyareencrypted.Toreadanyfiledata,thefilecontentsmustbedecryptedusingthekeysintheSystemkeybag.

Decryptingthedatapartition

TheentirefilesystemisencryptedwithanEMFkey,withtheexceptionofactualfilesonthefilesystem,whichareencryptedwithotherkeys(thedataprotectionclasskeys).TheEMFkeyisencryptedwiththe0x89Bkey.Theemf_decrypter.pyPythonscriptincludediniPhoneDataProtectionToolscanbeusedtodecrypttherawdiskimage.Thisscriptusestherawdiskimageandkeysintheaforementionedplisttodecryptalloftheencryptedfilesonthefilesystem,asshowninthefollowingcommandlines:

$sudopythonpython_scripts/emf_decrypter.py

b716de79051ef093a98fc3ff1c46ca5e36faabc3/data_20131209-1956.dmg

b716de79051ef093a98fc3ff1c46ca5e36faabc3/f03d282cc7182d46.plist

Password:Usingplistfile

b716de79051ef093a98fc3ff1c46ca5e36faabc3/f03d282cc7182d46.plist

Keybagunlockedwithpasscodekey

cprotectversion:4(iOS5)

Testmode:theinputfilewillnotbemodified

PressakeytocontinueorCTRL-Ctoabort

HitEntertocontinuethescriptexecution:

DecryptingiNode1559014

DecryptingiNode3056993

DecryptingiNode3056996

DecryptingiNode6811

[...]

DecryptingAddressBook.sqlitedb

DecryptingAddressBook.sqlitedb-shm

DecryptingAddressBook.sqlitedb-wal

DecryptingAddressBookImages.sqlitedb

DecryptingAddressBookImages.sqlitedb-shm

[...]

DecryptingIMG_1117.JPG

DecryptingIMG_1128.PNG

DecryptingIMG_1139.JPG

[...]

DecryptingKeywordIndex.plist

DecryptingManifest.sqlitedb

Decryptingexpress.psa

Decrypted50518files

Thescriptmodifiesthediskimagedirectlyandthefilesarenowdecryptedandreadable.Toverifythis,youcanmountthediskimageandexamine

AddressBook.sqlitedb,whichwaspreviouslyunreadable,withthefollowingcommand:

$hdiutilattach-readonlydata_20131209-1956.dmg

/dev/disk3/Volumes/Data

$cd/Volumes/Data/

$hexdump-Cmobile/Library/AddressBook/AddressBook.sqlitedb|head

Theoutputisasshowninthefollowingscreenshot:

ThedecryptedAddressBookfile

Now,youshouldbeabletofullyexaminetheartifactsonthedatapartition,whichwillbecoveredindetailinChapter5,iOSDataAnalysisandRecovery.

Recoveringthedeleteddata

Oncearawimageofthedeviceisobtained,youcanrecoverthedeletedfilesintheunallocatedspacebycarvingtheHFSjournalusingtheemf_undelete.pyscript.Thisscriptrecoversonlyalimitednumberoffiles,asshowninthefollowingcommand:

$sudopythonpython_scripts/emf_undelete.pyUDID/data_20131209-

1956.dmg

Torecovermoredeletedfilesorphotos,acquirealow-levelNANDimageusingios_examiner.pyandruntheundeletecommand.

Toacquirealow-levelNANDimage,bootthecustomramdiskandthepatchedkernelontotheiPhonewiththenand-disablebootflag,asshowninthefollowingcommand:

$sudo./redsn0w_mac_0.9.15b3/redsn0w.app/Contents/MacOS/redsn0w-i

iPhone3,1_5.1.1_9B208_Restore.ipsw-rmyramdisk_n90ap.dmg-k

kernelcache.release.n90.patched-a"-vrd=md0nand-disable=1"

Oncetheramdiskisbootedsuccessfully,runtheios_examiner.pyscriptwithoutparameters.Itallowsyoutoentercommandsintheios_examinershell,asshowninthefollowingcommandlines:

$cdiphone-dataprotection$sudopython

python_scripts/ios_examiner.py

Connectingtodevice:b716de79051ef093a98fc3ff1c46ca5e36faabc3

Devicemodel:iPhone4GSM

UDID:b716de79051ef093a98fc3ff1c46ca5e36faabc3

ECID:1937316564364

Serialnumber:870522V6A4S

key835:ef8f36fb3a85b42a72e8c5efa6b1a844

key89B:de75b5f5fa6abc5bf25293b38f980a52

[...]

YaFTL_readCxtInfoFAIL,restoreneededmaxUsn=4491408

FTLrestoreinprogress

100%|########################################|

BTOCnotfoundforblock13(usn4491530),scanningallpages

402usedpagesinblock

LwVMheaderCRCOK

cprotectversion:4(iOS5)

iOSversion:5.1.1

Keybagstate:locked

(iPhone4-data)/

Runthebruteforcecommandtobruteforcethepasscodeandunlockthekeybag:

(iPhone4-data)/bruteforce

Passcodecomlexity(fromOpaqueStuff):4digits

Enterpasscodeorleaveblankforbruteforce:

HitEnterandyouwillseethefollowingcommandlines:

Passcode""OKKeybagstate:unlocked

Savedeviceinformationplistto[b716de7905.plist]:

HitEntertosavetheencryptionkeystoaplistfile(b716de7905.plist).

Runthenand_dumpcommandasshowninthefollowingcommandlines.ItcopiestheNANDimagetothedataprotectionfolder.

(iPhone4-data)/nand_dumpiphone4-nand.bin

Dumping16GBNANDtoiphone4-nand.bin

100%|############################################|

NANDdumptime:0:45:36.200233

SHA1:a16aa578679ef6a787c8c26a40de4b745a3ae179

OncetheNANDimageandtheplistfileareobtained,youcanuseios_examiner.pyandruntheundeletecommandtorecoverthedeletedfiles,asshowninthefollowingcommandlines:

$sudopythonpython_scripts/ios_examiner.pyiphone4-nand.bin

b716de7905.plist

Loadingdeviceinformationfromb716de7905.plist

Devicemodel:iPhone4GSM

UDID:b716de79051ef093a98fc3ff1c46ca5e36faabc3

ECID:1937316564364

Serialnumber:870522V6A4S

key835:ef8f36fb3a85b42a72e8c5efa6b1a844

key89B:de75b5f5fa6abc5bf25293b38f980a52

[...]

cprotectversion:4(iOS5)

iOSversion:5.1.1

(iPhone4-data)/undelete

BuildingFTLlookuptablev1

100%|###################################|

Collectingexistingfileids

23297fileIDs

Carvingcatalogfile

Founddeletedfilerecord51657shaders.datacreated2012-06-09

02:19:28

Founddeletedfilerecord51656shaders.mapscreated2012-06-09

02:19:28

[...]

Carvingattributefileforfilekeys

20261files,50997keys

_FBStory.h

[...]

Thecommandrecoversthedeletedfilesandplacesthemintoadirectorynamedundelete.Therecoveryprocessisslowandtakeshourstorecoverallthefiles.

Ifadeviceisrestored,wiped,orupgradedtoanewOSversion,thefilesystemkey(EMF)iserasedandanewkeyisrecreated.WithouttheoriginalEMFkey,itisnotpossibletorecovertheunderlyingfilesystemstructure.So,itisnotpossibletorecoverthedeletedfileswhenaniPhoneisrestored,wiped,orupgraded.Also,iOSdevicesincludeafeaturecalledEffaceableStoragetosecurelyerasethekeys.Thisfeatureaccessestheunderlyingstorage(NAND)todirectlyaddressanderaseasmallnumberofblocksataverylowlevel,whichmakesitimpossibletorecoverdeletedkeys.

AcquisitionviajailbreakingToperformphysicalacquisitionondevicesthatarenotvulnerabletotheBootROMexploit,thedevicemustbejailbroken.JailbreakinganiPhoneallowstheexaminertoinstalltoolsthatwouldnotnormallybeonthedevice,suchasSSH.Byfar,themostpopularmethodforjailbreakingiswithredSn0worevasi0n.BothtoolshavesimplewizardsthatwillsteptheiOSdevicethroughthejailbreakprocessandinstalltheCydiaapplication.Anexaminershouldonlyjailbreakadeviceasalastresortandshouldusegreatcautionwhendoingso.Again,allstepstakenbytheexaminermustbewell-documented.Thejailbreakingprocessmakeschangestothedevice,whichmaydamageevidenceorrenderitinadmissibleincourt.Ifpossible,considerperformingalogicalacquisitionfirsttopreserveevidencethatmaybelostduringthejailbreakingprocess.

Toobtainanimageoftheuserdatapartition,theforensicworkstationandthetargetiOSdevicemustbeplacedonthesamewirelessnetwork.Fromtheforensicworkstation,runthefollowingSSHcommandtostarttheprocess.MakesurethatyoureplacetheIPaddressusedinthecommandwithyourdevice'sIPaddressbeforerunningit.

[email protected]"ddif=/dev/rdisk0s1s2bs=8192">data.dmg

EnteralpineasthepasswordandhitEnteronthekeyboard.ThisprocessmaytakeseveralhoursdependingonthecapacityoftheiPhone.Oncecompleted,itdisplaysacertainnumberofbytesthathavebeencopied,asshowninthefollowingcommandlines:

1801554+0recordsin

1801554+0recordsout

14758330368bytes(15GB)copied,2722.38s,5.4MB/s

TheSSHcommandconnectstotheSSHserverontheiOSdeviceasarootuser.Theddif=/dev/rdisk0s1s2bs=8192commandexecutesthediskcopyutilityontheiPhoneandreadstheuserdatapartitionlocatedat/dev/rdisk0s1s2withablocksizeof8K.Thecommandoutputsthedata.dmgfileontotheforensicworkstationdrive.Theresultedimagefilecanbemanipulatedbytheforensicanalyst'schoiceoftools.

Itisnotpossibletojailbreakadevicethatisprotectedwithapasscode.So,ifadevice(A5+)isprotectedwithapasscodeandisnotjailbroken,itisnotpossibletoperformphysicalacquisitiononthatdevice.Also,itshouldbenotedthattherawdiskimageobtainedfromtheiPhoneisencryptedandcannotbeparsed.Inordertodecrypttheimage,wemustobtainencryptionkeysfromthedevice.Theencryptionkeysaretiedtothedevice'sUIDkey,whichcanbeusedonlywhentheIOAESAcceleratorkernelextensionispatched.ItiseasytoobtainencryptionkeysondevicesthatrunoniOS5andearlierversions.SinceiOS6,AppleintroducednewsecurityfeaturestothekernelsuchasKernelAddressSpaceLayoutRandomizationandKernelAddressSpaceProtection,whichpreventexaminersfrompatchingthekernelcodedirectly.However,theElcomsoftiOSForensicToolkit,acommercialtoolforiOSforensics,claimsthatitiscapableofperformingphysicalacquisitionondevicesthatrunoniOS6andiOS7.ThisclaimassumesthattheiOSdeviceisjailbroken,orthattheexaminerhasaccesstothehostcomputerthatcontainsthepairingkeysinescrowfiles.ThetoolisdiscussedindetailinChapter6,iOSForensicTools.

ThefollowingdetailsexplainthestepsinvolvedinobtainingadiskimagefromtheiPhone4SthathasiOS5andisprotectedwithapasscodeinthisexample.

Asaprerequisite,theiPhone4SshouldalreadybejailbrokenandOpenSSHisinstalledonitwiththedefaultrootuserpassword.

SetuptheiPhoneDataProtectionToolsasexplainedintheprevioussections.EditMakefileintheramdisk_toolsfolder,fixtheiOSSDKversion,andrunthemakecommand:

$cdiphone-dataprotection

$cdramdisk_tools

$sudomake

ConnecttheiPhonetothecomputerviaUSBandestablishthecommunicationbyrunningthetcprelay.pyscriptasfollows:

$cdiphone-dataprotection

$pythonusbmuxd-python-client/tcprelay.py-t22:2222

DumptheiPhoneuserdatapartitionusingthefollowingcommand:

[email protected]"ddif=/dev/rdisk0s1s2bs=8192">data.dmg

EnteralpineasthepasswordandhitEnter.

Downloadkernel_patcherfromhttps://code.google.com/p/iphone-dataprotection/issues/detail?id=49&q=a5andmoveittotheramdisk_toolsfolderwiththefollowingcommand:

$mv~/Downloads/kernel_patcher~/Documents/iphone-dataprotection/

Copykernel_patcher,bruteforce,anddevice_infosscriptstotheiPhoneusingthescpcommand:

$cdramdisk_tools

$scp-P2222kernel_patcherdevice_infosbruteforce

[email protected]:/var/root/

EnteralpineasthepasswordandhitEnter.

Runthesshcommandandgrantexecutepermissionstotheuploadedscriptswiththefollowing:

[email protected]

EnteralpineasthepasswordandhitEnter:

iPhone#chmod+xkernel_patcherbruteforcedevice_infos

Runthekernel_patcherandbruteforcescripts.Itpatchesthekernel,bruteforcesthepasscode,decryptstheSystemkeybag,andcreatesaplistfileontheiPhonerootdirectory,asshowninthefollowingcommandlines:

iPhone#./kernel_patcher

iPhone#./bruteforce

Writingresultstof04d282cc7182d47.plist

[...]

CopytheplistfilefromtheiPhonetothedesktopusingthescpcommand:

[email protected]:/var/root/f04d282cc7182d47.plist.

Todecryptthediskimage,runemf_decrypter.py,asfollows:

$sudopythonpython_scripts/emf_decrypter.pydata.dmg

f04d282cc7182d47.plist

Now,youshouldbeabletofullyexaminetheartifactsonthedatapartition.

Now,youshouldbeabletofullyexaminetheartifactsonthedatapartition.

SummaryThefirststepintheiPhoneforensicexaminationistoacquirethedatafromthedevice.TherearedifferentwaystoacquiredatafromaniPhone.Thischaptercoveredphysicalacquisitiontechniquesandtechniquestobypasspasscodesanddataencryptionsusingopensourcemethods.Physicalacquisitionispreferredasitrecoversmoredatafromthedevice;however,itisnotpossibletoperformphysicalacquisitiononalliOSdevices.ThefollowingtablesummarizesthephysicalacquisitionpossibilitiesoniOSdevices:

Model Physicalacquisition

iPhone3G,3GS,4 Yes(ifno/easypasscode)

iPad1

iPodtouch2G,3G,4G

iPhone4S,5 Onlyifjailbroken,anduntiliOS6.1.2(ifno/easypasscode)

iPad2,3,4andiPadmini

iPodtouch5G

iPhone5Sand5C No

WhilephysicalacquisitionisthebestmethodforforensicallyobtainingthemajorityofthedatafromiOSdevices,logicalorbackupfilesmayexistorbetheonlymethodtoextractdatafromthedevice.ThenextchapterdiscussesiOSdevicebackupfilesindetailtoincludeuser,forensic,encrypted,andiCloudbackupfilesandthemethodstoconductyourforensicexamination.

Chapter4.DataAcquisitionfromiOSBackupsThephysicalacquisitionofaniPhoneprovidesthemostdatainaninvestigation,butyoucanalsofindawealthofinformationoniPhonebackups.iPhoneusershaveseveraloptionstobackupdatapresentontheirdevices.iPhoneuserscanchoosetobackupdatatotheircomputerusingtheAppleiTunessoftwareortotheApplecloudstorageserviceknownasiCloud.EverytimeaniPhoneissyncedwithacomputerortoiCloud,itcreatesabackupbycopyingtheselectedfilesfromthedevice.Theusercandeterminewhatiscontainedinthebackup,sosomemaybemoreinclusivethanothers.Also,theusercanbackuptobothacomputerandiCloud,andthedataderivedfromeachlocationmaydiffer.Sometimes,thebestinformationavailableonaniOSdeviceisrecoveredfromabackupfile.

Inthepreviouschapter,wecoveredtechniquestoacquiredatafromaniPhone.ThischaptercoversbackupfileacquisitiontechniquesusingApple'ssynchronizationprotocolfromthedeviceontoacomputerortoiCloud.Chapter5,iOSDataAnalysisandRecovery,willthenteachyouhowtoanalyzethedatapulledfromChapter3,DataAcquisitionfromiOSDevices,andChapter4,DataAcquisitionfromiOSBackups.

iTunesbackupAwealthofinformationisstoredonanycomputerthathasbeenpreviouslysyncedwithaniPhone.Thesecomputers,commonlyreferredtoashostcomputers,canhavehistoricaldataandpasscode-bypasscertificates.So,inacriminalinvestigation,asearchwarrantcanbeobtainedtoseizeacomputerthatbelongstothesuspect.iOSbackupfileforensicsmainlyinvolveanalyzinganofflinebackupproducedbyaniPhone.However,theiTunesbackupmethodisalsousefulincaseswhenphysicalacquisitionofadeviceisnotfeasible.Inthissituation,examinersessentiallycreateaniTunesbackupofthedeviceandanalyzeitusingforensicsoftware.Thus,itisimportantforanexaminertocompletelyunderstandthebackupprocessandthetoolsinvolved.

iPhonebackupfilescanbecreatedusingtheiTunessoftware,whichisavailableforMACOSXandWindowsplatforms.iTunesisafreeutilityprovidedbyApplefordatasynchronizationandmanagementbetweentheiPhoneandthecomputer.iTunesusesApple'sproprietarysynchronizationprotocoltocopydatafromtheiPhonetoacomputer.AniPhonecanbesyncedwithacomputerusingaUSBorWi-Fi.iTunesprovidesanoptionforencryptedbackup,butbydefaultitcreatesanunencryptedbackupwheneveraniPhoneissynced.ThebackupcopiesoftheiPhonecanalsobeusefultorecoverdataifthephoneislostordamaged.

iTunesisconfiguredtoautomaticallyinitiatethesynchronizationprocessoncetheiPhoneisconnectedtothecomputer.ToavoidunintendeddataexchangebetweentheiPhoneandthecomputer,disabletheautomaticsynchronizationprocessbeforeconnectingyouriPhonetotheforensicworkstation.ThefollowingscreenshotillustratestheoptionthatdisablesautomaticsyncinginiTunesVersion11.1.3.

Todisableauto-syncinginiTunes,performthefollowingsteps:

1. NavigatetoiTunes|Preferences|Devices.2. CheckPreventiPods,iPhonesandiPadsfromsyncingautomatically

andclickontheOKbutton.

iTunes—disablingautomaticsync

3. Onceyouverifythesynchronizationsettings,connecttheiPhonetothecomputerusingaUSBcable.IftheconnectediPhoneisnotprotectedwithapasscode,iTunesimmediatelyrecognizesthedevice.ThiscanbeverifiedbytheiPhoneicondisplayedontheupper-rightcorneroftheiTunesinterfaceasshowninthefollowingscreenshot:

4. IftheconnectediPhoneisprotectedwithapasscode,iTunespromptsthe

usertounlockthedevicebeforestartingthesyncprocess,asshowninthefollowingscreenshot.OncetheiPhoneisunlockedwithavalidpasscode,iTunesrecognizesthedeviceandallowstheusertobackupandsyncwiththecomputer.OnceaniPhoneissuccessfullysyncedwithacomputer,iTunesallowsittobackupwithoutunlockingthedevicewhenthesameiPhoneisconnectedtothatcomputeragain.

iTunes—iPhonelockedmessage

5. OnceiTunesrecognizesthedevice,asingleclickontheiPhoneicondisplaystheiPhonesummaryincludingtheiPhone'sname,capacity,firmwareversion,serialnumber,freespace,andphonenumber,asshowninthefollowingscreenshot.TheiPhoneSummarypagealsodisplaystheoptionstocreatebackups.

iTunes—iPhonesummary

Pairingrecords

WheniTunesdetectstheiPhone,setsofpairingrecordsareexchangedbetweentheiPhoneandthecomputer.PairingisthemechanismbywhichyourcomputerestablishesatrustedrelationshipwithyourdevicesothatiTunescancommunicatewithit.Onceacomputerhasbeenpaired,itcanaccesspersonalinformationonthedeviceandcaneveninitiateabackupofthedevice.SimilarpairingoccursiniOS7withcommercialforensictools.

OntheiPhone,pairingrecordsarestoredinthe/var/root/Library/Lockdown/pair_records/directory.Thedirectorywillcontainmultiplepairingrecordsifthedeviceispairedwithmultiplecomputers.Pairingrecordsarestoredasapropertylist(.plist)filewithafilenamerepresentingtheuniqueidentifiergiventothecomputer.PropertylistfilesarebinaryformattedXML-likefiles,explainedindetailinChapter5,iOSDataAnalysisandRecovery.PairingrecordsonthedevicecontaintheHostID,rootcertificate,devicecertificate,andhostcertificate.Forexample,thecontentshowninthefollowingscreenshotwaslocatedinapairingrecordononeparticulariPhonewithafilenamed97D6299A-8EDA-454F-9C62-4BB031F45DD6.plist.PairingrecordsstoredontheiPhonearedeletedonlywhenthephoneisrestoredtofactorystate.

PairingrecordsontheiPhone

Onthecomputer,pairingrecordsarestoredinapreconfiguredlocationdependingontheoperatingsystemasshowninthefollowingtable.PairingrecordsarestoredasapropertylistfilewithafilenamerepresentingtheiPhone'suniquedeviceidentifier.Pairingrecordsonthecomputerareknownaslockdowncertificates.

Operatingsystem Location

Windows %AllUserProfile%\Apple\Lockdown\

MacOSX /private/var/db/lockdown/

Pairingrecordsonthecomputercontainthedevicecertificate,Escrowkeybag,rootcertificate,hostcertificate,hostprivatekey,androotcertificateandprivatekey.Forexample,thecontentshowninthefollowingscreenshotwaslocatedinapairingrecordononeparticularcomputerwithafilenamed6c1b7aca59e2eba6f4635cfe7c4b2de1bd812898.plist.

Pairingrecordonacomputer

TheEscrowkeybagstoredonthecomputerallowsiTunestobackupandsyncwiththedeviceeveninalockedstate.TheEscrowkeybagisacopyoftheSystemkeybagandcontainsacollectionofdataprotectionclasskeysthatareusedforencryptionontheiPhone.CommercialtoolsthatclaimtobeabletocrackalockediPhonewithoutbruteforcerequireaccesstothehostcomputerandthus,theEscrowkeybag.Thekeybagimprovestheuserexperienceduringdevicesynchronizationandgivesaccesstoallclassesofdataonthedevicewithoutenteringthepasscode.

TheEscrowkeybagisprotectedwithanewlygeneratedkeycomputedfromthekey0x835andstoredinanescrowrecordonthedevice.Theescrowrecordisapropertylistfilestoredinthe/private/var/root/Library/Lockdown/escrow_records/directorywithafilenamethatrepresentsthecomputer'suniqueidentifier.StartingwithiOS5,

escrowrecordsareprotectedwiththeUntilFirstUserAuthenticationdataprotectionclass,whichtiestheencryptiontotheuser'spasscode.So,thedevicepasscodemustbeenteredbeforebackingupwithiTunesforthefirsttime.

Understandingthebackupstructure

WhentheiPhoneisbackeduptoacomputer,thebackupfilesarestoredinabackupdirectory,whichexistsasa40-characterhexadecimalstring,andcorrespondstotheUniqueDeviceIdentifier(UDID)ofthedevice.ThebackupprocessmaytakeaconsiderableamountoftimedependingonthesizeofthedatastoredontheiPhoneduringthefirstbackup.Thelocationofthebackupdirectorywhereyourbackupdataisstoreddependsonthecomputer'soperatingsystem.ThefollowingtabledisplaysalistofthecommonoperatingsystemsandthedefaultlocationoftheiTunesbackupdirectory:

Operatingsystem Backupdirectorylocation

WindowsXP \DocumentsandSettings\[username]\ApplicationData\Apple

Computer\MobileSync\Backup\

WindowsVista/7/8

\Users\[username]\AppData\Roaming\AppleComputer\MobileSync\Backup\

MacOSX ~/Library/ApplicationSupport/MobileSync/Backup/

(~representsyourHomefolder)

Duringthefirstsync,iTunescreatesabackupdirectoryandtakesacompletebackupofthedevice.Onsubsequentsyncs,iTunesonlybacksupthefilesthataremodifiedonthedeviceandupdatestheexistingbackupdirectory.Also,whenadeviceisupdatedorrestored,iTunesautomaticallyinitiatesabackupandtakesadifferentialbackup.Adifferentialbackuphasthesamenameasthebackupdirectory,butappendedwithadash(-),theISOdateofthebackup,adash(-),andthetimeina24-hourformatwithseconds([UDID]+'-'+[Date]+'-'+[Timestamp]).

TheiTunesbackupmakesacopyofeverythingonthedevicetoincludecontacts,SMSes,photos,thecalendar,music,calllogs,configurationfiles,documents,thekeychain,networksettings,offlinewebapplicationcache,bookmarks,cookiesandapplicationdata,andsoon.Thebackupalsocontainsdevicedetailssuchastheserialnumber,UDID,SIMdetails,andphonenumber.

Thisinformationcanalsobeusedtoprovearelationshipbetweenthedesktopandthemobiledevice.

Thebackupdirectorycontainsfourstandardfilesalongwiththeindividualdatafiles,whichmayexistinvariousformatsdependingontheversionofiTunes.Olderversionswillcontain*.mdbackup,*.mdata,*.mdinfo,andsomefileswithnofileextensions.Thestandardfilesstoredetailsaboutthebackupandthedevicefromwhichitwasderived.Thesefilenamesareasfollows:

info.plist

manifest.plist

status.plist

manifest.mbdb

ThefirstthreefilesarepropertylistfilesthatcanbeeasilyanalyzedusingthePropertyListEditorapplicationonMacOSX.

info.plist

Theinfo.plistfilestoresdetailsaboutthebackedupdeviceandtypicallycontainsthefollowinginformation:

Devicenameanddisplayname:Thisisthenameofthedevice,whichtypicallyincludestheowner'snameICCID:ThisistheIntegratedCircuitCardIdentifier,whichistheserialnumberoftheSIMLastbackupdate:ThisisthetimestampofthelastsuccessfulbackupIMEI:ThisistheInternationalMobileEquipmentIdentity,whichisusedtouniquelyidentifythemobilephonePhoneNumber:ThisisthephonenumberofthedeviceatthetimeofbackupInstalledapplications:ThisisthelistofapplicationidentifiersonthedeviceProducttypeandproductionversion:ThisisthedevicemodelandfirmwareversionSerialnumber:ThisistheserialnumberofthedeviceiTunesversion:ThisistheversionofiTunesthatgeneratedthebackupTargetIdentifierandUniqueIdentifier:ThisistheUDIDofthedevice

manifest.plist

Themanifest.plistfiledescribesthecontentsofthebackupandtypicallycontainsthefollowinginformation:

Applications:Thisisalistofthird-partyapplicationsinstalledonthebackedupdevice,theirversionnumbers,andbundleidentifiersDate:ThisisthetimestampofabackupcreatedorlastupdatedIsEncrypted:Thisidentifieswhetherthebackupisencryptedornot.ForencryptedbackupsthevalueisTrue,otherwiseitisFalseLockdown:Thiscontainsdevicedetails,lastbackupcomputer'sname,andotherremotesyncingprofilesWasPasscodeSet:ThisidentifieswhetherapasscodewassetonthedevicewhenitwaslastsyncedBackupkeybag:StartingwithiOS4,aBackupkeybagiscreatedforeachbackupmadebyiTunes.TheBackupkeybagcontainsanewsetofdataprotectionclasskeysthataredifferentfromthekeysintheSystemkeybag,andbackedupdataisre-encryptedwiththenewclasskeys.KeysintheBackupkeybagfacilitatethestorageofbackupsinasecuremanner

status.plist

Thestatus.plistfilestoresdetailsaboutthebackupstatusandtypicallycontainsthefollowinginformation:

BackupState:ThisidentifieswhetherthebackupisanewbackuporonethathasbeenupdatedDate:ThisisthetimestampofthelasttimethebackupwasmodifiedIsFullBackup:Thisidentifieswhetherornotthebackupwasafullbackupofthedevice

manifest.mbdb

Themanifest.mbdbfileisabinaryfileandcontainsrecordsaboutallotherfilesinthebackupdirectoryalongwiththefilesizes,filetype,andfilestructure.Themanifest.mbdbfileheaderandrecordformatareshowninthefollowingtables.

Header

Thefileheaderisafixedvalueof6bytes.Thisvalueactsasamagicstringtoidentifythefileformat.

Type Data Description

uint8 mbdb\5\0 Thisfilesamagicstring

Record

Eachrecordinthemanifest.mbdbfilecontainsdetailsaboutafileinthebackup.

Type Data Description

String Domain Thisisthedomainname.

String Path Thisisthefilepath.

String Target Thisisanabsolutepathforsymboliclinks.

String Digest ThiscontainsSHA1hash0xFF0xFFfordirectoriesandforAppDomainfiles,and0x000x14forSystemDomainfiles.

String Encryptionkey

Thisindicatesencryptedfilesand0xFF0xFFforunencryptedfiles.

uint16 Mode Thisidentifiesfiletype0xA000forsymboliclink,0x4000fordirectory,and0x8000forregularfiles.

uint64 inodenumber Thisisalookupentryintheinodetable.

uint32 UserID Thisismostly501.

uint32 GroupID Thisismostly501.

uint32 Lastmodifiedtime

Thisisthefile'slastmodifiedtimeintheUnixtimeformat.

uint32 Lastaccessedtime

Thisisthefile'slastaccessedtimeintheUnixtimeformat.

uint32 Createdtime ThisisthefilecreatedtimeintheUnixtimeformat

uint64 Size Thisisthelengthofafile.Itis0forasymboliclinkandadirectory.

uint64 Size Thisisthelengthofafile.Itis0forasymboliclinkandadirectory.

uint8 Protectionclass

Thisisthedataprotectionclass0x1To0xB.

uint8 Numberofproperties

Thisisthenumberofextendedattributes.

Themanifest.mbdbfileheader

Apartfromthestandardfiles,thebackupdirectoryalsocontainshundredsofbackupfileswithvaryingfileextensionsdependingontheversionofiTunesusedtocreatethebackup,asdescribedearlier.Inthefollowingscreenshot,thebackupwascreatedwiththelatestversionofiTunesinwhichthefilesdonotcontainafileextension.Thebackupfilesareuniquelynamedwitha40-characterhexadecimalstring.ThesefilenamessignifyauniqueidentifierforeachdatasetcopiedfromtheiPhone.

iPhonebackupfiles

IniOS,filesarecategorizedinto12domains.AlloftheapplicationfilesareclassifiedintoAppDomainandotherfilesonthefilesystemareclassifiedinto11systemdomainsshowninthefollowingscreenshot.Thelistofsystemdomainsisstoredinapropertylistfilelocatedunder/System/Library/Backup/Domains.plistonthedevice.

The40-characterhexadecimalfilenameinthebackupdirectoryistheSHA1hashvalueofthefilepathappendedtotherespectivedomainnamewithadash(-)symbol.

Forinstance,theAddressBookdatabasefileisamemberofHomeDomainandislocatedunderLibrary/AddressBook/AddressBook.sqlitedb.Thebackupfile

nameofAddressBookis31bb7ba8914766d4ba40d6dfb6113c8b614be442,whichcanbeobtainedbycomputingtheSHA1hashvalueofthefollowingstring:HomeDomain-Library/AddressBook/AddressBook.sqlitedb.

SystemdomainsontheiPhone

Unencryptedbackup

Tocreateanunencryptedbackup,performthefollowingsteps:

1. ConnecttheiPhonetotheforensicworkstationusingaUSBcable.2. Ontheforensicworkstation,launchiTunes.3. ClickontheiPhoneicondisplayedintheupper-rightcorneroftheiTunes

interface.ItdisplaystheiPhoneSummarypage.4. IntheiPhonesummarypage,selecttheThiscomputercheckboxandclick

ontheBackUpNowbutton.

Extractingunencryptedbackups

Therearemanyfreetoolsavailabletoanalyzedatafromunencryptedbackups.Thesetoolsparsethemanifest.mbdbfile,restorethefilenames,andcreatethefilestructurethatusersseeontheiPhone.SomeofthepopulartoolsincludeiPhoneBackupExtractor,iPhoneBackupBrowser,andiPhoneDataProtectionTools.

iPhoneBackupExtractor

iPhoneBackupExtractorisafreetoolforMacOSX,whichcanbedownloadedfromhttp://supercrazyawesome.com/.Thebackupextractorexpectsbackupfilestobelocatedinthedefaultlocation~/Library/ApplicationSupport/MobileSync/Backup/.So,youwillneedtocopyanybackupsyouwishtoextracttothedefaultlocation.iPhoneBackupExtractorisaveryeasytooltouse.

Toextractthebackup,followthesesteps:

1. LaunchtheappandclickontheReadBackupsbutton.Itdisplaysalistofbackupsavailableontheforensicworkstation.SelectthebackupthatyouwishtoextractandclickontheChoosebutton,asshowninthefollowingscreenshot:

iPhoneBackupExtractor—choosingbackups

2. Whenyouchoosethebackup,iPhoneBackupExtractorallowsyoutoextracttheindividualapplicationsandtheiOSfilesystembackup,asshowninthefollowingscreenshot:

iPhoneBackupExtractor

3. ChoosethefilesyouwouldliketoextractandthenclickonExtract.Itpromptsforadestinationdirectorytosavetheextractedfiles.

iPhoneBackupBrowser

iPhoneBackupBrowserisafreetoolforWindowsandcanbedownloadedfromhttp://code.google.com/p/iphonebackupbrowser/.ThetoolrequiresMicrosoft.NETFramework4andVisualC++2010runtimetobeinstalledontheforensicworkstation.Thebackupbrowserexpectsbackupfilestobelocatedinthedefaultlocationasmentionedintheprecedingtable.iPhoneBackupBrowserprovidesaGUItoviewthebackupdata,asshowninthefollowingscreenshot:

iPhoneBackupBrowser

iPhoneDataProtectionTools

iPhoneDataProtectionTools,anopensourceiOSforensictoolkit,canalsobeusedtoextractthebackupfiles.Toanalyzedatafromtheunencryptedbackup

file,setupiPhoneDataProtectionToolsasexplainedinChapter3,DataAcquisitionfromiOSDevices,andrunthebackup_tool.pyscriptonyourbackupdirectoryinaterminalwindow,asfollows:

$cdiphone-dataprotection

$cdpython_scripts

$sudopythonbackup_tool.py~/Library/Application\

Support/MobileSync/Backup/6c1b7aca59e2eba6f4635cfe7c4b2de1bd812898/

DeviceName:Satishb3

DisplayName:Satishb3

LastBackupDate:2014-01-0712:58:13

IMEI:012856001945212

SerialNumber:85137505EDG

ProductType:iPhone2,1

ProductVersion:6.1

iTunesVersion:11.1.3

Extractbackupto/Users/satishb3/Library/Application

Support/MobileSync/Backup/6c1b7aca59e2eba6f4635cfe7c4b2de1bd812898_

extract?(y/n)

TypetheletteryandhitEnter.Theprecedingscriptdisplaysanumberofmessagesindicatingthecurrentfilebeingoperatedon,asshowninthefollowingcommandlines:

Backupisnotencrypted

Writing/Users/satishb3/Library/Application

Support/MobileSync/Backup_extract/HomeDomain/Library/Preferences/co

m.apple.voiceservices.plist

Writing/Users/satishb3/Library/Application

Support/MobileSync/Backup_extract/CameraRollDomain/Media/DCIM/100AP

PLE/IMG_0038.JPG

Writing/Users/satishb3/Library/Application

Support/MobileSync/Backup_extract/SystemPreferencesDomain/SystemCon

figuration/preferences.plist

Writing/Users/satishb3/Library/Application

Support/MobileSync/Backup_extract/HomeDomain/Library/Preferences/co

m.apple.mobileipod.plist

[...]

Writing/Users/satishb3/Library/Application

Support/MobileSync/Backup/6c1b7aca59e2eba6f4635cfe7c4b2de1bd812898_

extract/HomeDomain/Library/Preferences/com.apple.springboard.plist

Youcandecryptthekeychainusingthefollowingcommand:

pythonkeychain_tool.py-d"/Users/satishb3/Library/Application

Support/MobileSync/Backup/6c1b7aca59e2eba6f4635cfe7c4b2de1bd812898_

extract/KeychainDomain/keychain-backup.plist"

"/Users/satishb3/Library/Application

Support/MobileSync/Backup/6c1b7aca59e2eba6f4635cfe7c4b2de1bd812898_

extract/Manifest.plist"

Theprecedingscriptcreatesthe6c1b7aca59e2eba6f4635cfe7c4b2de1bd812898_extractfolderinthebackupdirectorylocationandextractsthebackupfilesintoitbyrestoringtheoriginalfilenames.Theextractedbackupfilesarestoredinanumberofdomaindirectoriesasshowninthefollowingscreenshot.Now,youshouldbeabletocompletelyexaminetheartifactsonthebackupfiles,whichwillbecoveredindetailinChapter5,iOSDataAnalysisandRecovery.Payattentiontothedirectorynamesusedinthecommandlineastheyvaryforeachdevice.

ExtractediPhonebackupfiles

Decryptingthekeychain

Forunencryptedbackups,allthebackupfilesarestoredunencryptedexceptthekeychain.ThekeychainfilecontentsareencryptedwithasetofclasskeysintheBackupkeybag.TheBackupkeybagitselfisprotectedwithakey(0x835)derivedfromtheiPhonehardwarekey(UIDkey).So,inordertodecryptthekeychain,youneedtoextractthekey0x835fromthedeviceusingthedemo_bruteforce.pytechniquesexplainedinChapter3,DataAcquisitionfromiOSDevices.

TheiPhoneDataProtectiontoolsalsocontainpythonscriptstodecryptthekeychainfilefromthebackup.Todecryptthekeychain,runthefollowingcommandinaterminalwindowandenteryourdevicekey0x835whenprompted:

$sudopythonkeychain_tool.py-d

"/Users/satishb3/Library/Application

Support/MobileSync/Backup/6c1b7aca59e2eba6f4635cfe7c4b2de1bd812898_

extract/KeychainDomain/keychain-backup.plist"

"/Users/satishb3/Library/Application

Support/MobileSync/Backup/6c1b7aca59e2eba6f4635cfe7c4b2de1bd812898_

extract/Manifest.plist"

Thisbackupisnotencrypted,withoutkey835nothinginthe

keychaincanbedecrypted

Ifyouhavekey835fordevice

6c1b7aca59e2eba6f4635cfe7c4b2de1bd812898enterit(inhex)

33403aec43adea127459485bf5969502

Thescriptextractsgenericpasswords,Internetpasswords,certificates,andprivatekeysfromthekeychainanddisplaystheminatableasshowninthefollowingscreenshot:

Adecryptedkeychain

Encryptedbackup

iTunesprovidesanoptionfortheuserstoencrypttheirbackupsusingapassword.Forensicexaminersmayelecttocreateanencryptedbackuptoprotecttheevidence.Itispertinentthattheexaminerdocumentsthepasswordshouldthismethodbeused.

Tocreateanencryptedbackup,performthefollowingsteps:

1. ConnecttheiPhonetotheforensicworkstationusingaUSBcable.2. Ontheforensicworkstation,launchiTunes.3. ClickontheiPhoneicondisplayedintheupper-rightcorneroftheiTunes

interface.ItdisplaystheiPhonesummarypage.4. IntheiPhonesummarypage,selecttheThiscomputercheckboxandselect

theEncryptiPhonebackupoption.Selectingtheoptionpromptsyoutoenterapassword,asshowninthefollowingscreenshot.

5. SetapasswordandclickontheBackUpNowbutton.Itcreatesanencryptedbackup.

iTunes—encryptedbackup

Ifabackupispasswordprotected,thepasswordissetonthedeviceitselfandstoredinthekeychainfile.Also,wheneverthedeviceisconnectedtoiTunes,itautomaticallychoosestheEncryptiPhonebackupoptionregardlesswhethertheusersownacopyofiTunesbeingusedontheircomputerorsomeoneelse's.So,evenifyouhaveaccesstothesuspect'siPhone,youcannotproduceanunencryptedbackupunlessyouknowthebackuppassword.

Extractingencryptedbackups

Forencryptedbackups,thebackupfilesareencryptedusingtheAES256algorithmintheCBCmode,withauniquekeyandanullIV(initializationvector).TheuniquefilekeysareprotectedwithasetofclasskeysfromtheBackupkeybag.TheclasskeysintheBackupkeybagareprotectedwithakeyderivedfromthepasswordsetiniTunesthrough10,000iterationsofPBKDF2(Password-BasedKeyDerivationFunction2).Bothopensourceandcommercialtoolsprovidesupportforanencryptedbackupfileparsingifthepasswordisknown.Sometoolswon'tevenpromptforapassword,whichmakethemuselessinaforensicinvestigation.iPhoneDataProtectionToolsiscapableofextractingdatafromencryptedbackupfilesifthepasswordisknown.

iPhoneDataProtectionTools

iPhoneDataProtectionToolscontainsPythonscriptstodecryptthebackupwhenthebackuppasswordisavailable.Todecryptandacquiredatafromtheencryptedbackup,inaterminalwindow,runthebackup_tool.pyscriptonyourbackupdirectoryandenterthebackuppasswordwhenprompted,asshowninthefollowingcommands:

$cdiphone-dataprotection

$cdpython_scripts

$sudopythonbackup_tool.py~/Library/Application\

Support/MobileSync/Backup/6c1b7aca59e2eba6f4635cfe7c4b2de1bd812898/

DeviceName:Satishb3

DisplayName:Satishb3

LastBackupDate:2014-01-1516:34:13

IMEI:012856001945212

SerialNumber:85137505EDG

ProductType:iPhone2,1

ProductVersion:6.1

iTunesVersion:11.1.3

Extractbackupto/Users/satishb3/Library/Application

Support/MobileSync/Backup/6c1b7aca59e2eba6f4635cfe7c4b2de1bd812898_

extract?(y/n)

TypetheletteryandhitEnter.Thescriptdisplaysanumberofmessagesindicatingthecurrentfilebeingoperatedupon,asfollows:

Backupisencrypted

Enterbackuppassword:

12345

Writing/Users/satishb3/Library/Application

Support/MobileSync/Backup/6c1b7aca59e2eba6f4635cfe7c4b2de1bd812898_

extract/HomeDomain/Library/Preferences/com.apple.voiceservices.plis

t

Writing/Users/satishb3/Library/Application

Support/MobileSync/Backup/6c1b7aca59e2eba6f4635cfe7c4b2de1bd812898_

extract/CameraRollDomain/Media/DCIM/100APPLE/IMG_0038.JPG

Writing/Users/satishb3/Library/Application

Support/MobileSync/Backup/6c1b7aca59e2eba6f4635cfe7c4b2de1bd812898_

extract/SystemPreferencesDomain/SystemConfiguration/preferences.pli

st

[...]

Writing/Users/satishb3/Library/Application

Support/MobileSync/Backup/6c1b7aca59e2eba6f4635cfe7c4b2de1bd812898_

extract/HomeDomain/Library/Preferences/com.apple.springboard.plist

Youcandecryptthekeychainusingthefollowingcommand:

pythonkeychain_tool.py-d"/Users/satishb3/Library/Application

Support/MobileSync/Backup/6c1b7aca59e2eba6f4635cfe7c4b2de1bd812898_

extract/KeychainDomain/keychain-backup.plist"

"/Users/satishb3/Library/Application

Support/MobileSync/Backup/6c1b7aca59e2eba6f4635cfe7c4b2de1bd812898_

extract/Manifest.plist"

Thescriptcreatesthe6c1b7aca59e2eba6f4635cfe7c4b2de1bd812898_extractfolderinthebackupdirectorylocation,thendecryptsandextractsthebackupfilesintoanumberofdomaindirectoriesbyrestoringtheoriginalfilenames.

Decryptingthekeychain

EncryptedbackupfilescanbecrackedusingbruteforceattacksinboththecommandlineandGUItools.Forencryptedbackups,thekeychainitemsprotectedwiththeThisDeviceOnlydataprotectionclassareencryptedusingasetofclasskeysthatareprotectedwiththekey0x835.AllotherkeychainitemsareencryptedusingasetofclasskeysthatareprotectedwithapasswordsetiniTunes.IfyouwanttoextracttheThisDeviceOnlyprotecteditems,youneedtoextractakey0x835fromthedeviceusingthedemo_bruteforce.pytechniques

explainedinChapter3,DataAcquisitionfromiOSDevices.

iPhoneDataProtectionToolscontainPythonscriptstodecryptthekeychainfilefromtheencryptedbackup.Todecryptthekeychain,runthefollowingcommandinaterminalwindowandenterthebackuppasswordwhenprompted.Thescriptalsopromptstoenterthekey0x835;pressEnterifyoudon'thavethekey0x835.

$sudopythonkeychain_tool.py-d

"/Users/satishb3/Library/Application

Support/MobileSync/Backup/6c1b7aca59e2eba6f4635cfe7c4b2de1bd812898_

extract/KeychainDomain/keychain-backup.plist"

"/Users/satishb3/Library/Application

Support/MobileSync/Backup/6c1b7aca59e2eba6f4635cfe7c4b2de1bd812898_

extract/Manifest.plist"

Oncecompleted,thescriptextractsgenericpasswords,Internetpasswords,andcertificatesandprivatekeysfromthekeychain,anddisplaystheminatable.

iPhonePasswordBreaker

iPhonePasswordBreakerisaGPU-acceleratedcommercialtoolfromElcomsoftdevelopedfortheWindowsplatform.Thetoolcandecrypttheencryptedbackupfilewhenthebackuppasswordisnotavailable.Thetoolprovidesanoptiontolaunchapasswordbrute-forceattackontheencryptedbackupifthebackuppasswordisnotavailable.iPhonePasswordBreakertriestorecovertheplain-textpasswordthatprotectstheencryptedbackupusingdictionaryandbruteforceattacks.Passwords,whicharerelativelyshortandsimple,canberecoveredinareasonabletime.Butifthebackupisprotectedwithastrongandcomplexpassword,breakingitcantakeforever.

Tobruteforcethebackuppassword,performthefollowingsteps:

1. LaunchtheiPhonePasswordBreakertoolandthetool'smainscreenwillappear,asshowninthefollowingscreenshot.

2. NavigatetoFile|Open|Backup.Alistofavailabledevicebackupsisdisplayedandalocksymbolisshownnexttotheencrypteddevicebackups,asshowninthefollowingscreenshot:

iPhonePasswordBreaker-Choosebackup

3. Configurethebrute-forcepatternintheAttackssectionandclickontheStartbuttontostartthebruteforceattack.Ifthebruteforceattackissuccessful,thetooldisplaysthepasswordonthemainscreen,asshowninthefollowingscreenshot:

iPhonePasswordBreaker—passwordbruteforce

iCloudbackupiCloudisacloudstorageandcloudcomputingservicebyApplelaunchedinOctober2011.Theserviceallowsuserstokeepdatasuchascalendars,contacts,reminders,photos,documents,bookmarks,applications,notes,andmoreinsyncacrossmultiplecompatibledevices(iOSdevicesrunningwithiOS5orlater,computerswithMacOSX10.7.2orlater,andMicrosoftWindows)usingacentralizediCloudaccount.TheservicealsoallowsuserstowirelesslyandautomaticallybackuptheiriOSdevicestoiCloud.iCloudalsoprovidesotherservicessuchasFindMyiPhone—totrackalostphoneandwipeitremotely,FindMyFriends—tosharelocationwithfriendsandnotifytheuserwhenadevicearrivesatacertainlocation,andsoon.

SigningupwithiCloudisfreeandsimpletodowithanAppleID.WhenyousignupforiCloud,Applegrantsyouaccessto5GBoffreeremotestorage.Ifyouneedmorestorage,youcanpurchasetheupgradeplan.Tokeepyourdatasecure,AppleenforcesuserstochooseastrongpasswordwhencreatinganAppleIDtousewithiCloud.Thepasswordmusthaveaminimumofeightcharacters,anumber,anuppercaseletter,andalowercaseletter.

iOSdevicesrunningoniOS5andlaterallowuserstobackupthedevicesettingsanddatatoiCloud.Databackedupincludesphotos,videos,documents,applicationdata,devicesettings,messages,contacts,calendar,e-mail,keychain,andsoon.YoucanturnoniCloudbackuponyourdevicebynavigatingtoSettings|iCloud|Storage&Backup,asshowninthefollowingscreenshot.iCloudcanautomaticallybackupyourdatawhenyourphoneispluggedin,locked,andconnectedtoWi-Fi.Thisistosay,iCloudbackupsrepresentafreshandnearreal-timecopyofinformationstoredonthedevice.

iCloudbackuptoggleontheiPhone

YoucanalsoinitiateaniCloudbackupfromacomputerbyconnectingthedevicetoiTunesandchoosingtheiCloudoption.iCloudbackupsareincremental,thatis,oncetheinitialiCloudbackupiscompleted,allthesubsequentbackupsonlycopythefilesthatarechangedonthedevice.iCloudsecuresyourdatabyencryptingitwhenitistransmittedovertheInternet,storingitinanencryptedformatontheserver,andusingsecuretokensforauthentication.

Tip

iClouddoesnotencryptEmailandNotesstoredontheservertobeconsistentwithstandardindustrypractices.

Apple'sbuilt-inapps(forexample,EmailandContacts)useasecuretokentoaccessiCloudservices.UseofsecuretokensforauthenticationeliminatestheneedtostoretheiCloudpasswordondevicesandcomputers.

ExtractingiCloudbackups

OnlinebackupsstoredontheiCloudarecommonlyretrievedwhentheoriginaliPhoneisdamagedorlost.ToextractabackupfromiCloud,youmustknowtheuser'sAppleIDandpassword.WiththeknownAppleIDandpassword,youcanlogontowww.icloud.comandgetaccesstocontacts,notes,e-mail,calendar,photos,reminders,andmore.ToextractthecompletebackupfromiCloud,youcanuseElcomsoftiPhonePasswordBreaker.AsiCloudisnotthefastestcloudstorage,downloadingalargebackupwithiPhonePasswordBreakercantakehours.Tospeeduptheinvestigation,thetoolprovidesanoptiontodownloadtheselectedfiles.

ToextracttheiCloudbackup,performthefollowingsteps:

1. LaunchtheiPhonePasswordBreaker.2. NavigatetoFile|Apple|GetBackupfromiCloud.Itdisplaysaprompt

tosigninwithyourAppleID,asshowninthefollowingscreenshot:

3. SuccessfullysigninginwithyourAppleIDliststheavailabledevicebackups,asshowninthefollowingscreenshot:

4. SelectthebackupyouneedandclickonDownload.Itpromptsyouforadestinationdirectorytosavetheextractedfilesintoanumberofdomaindirectoriesbyrestoringtheoriginalfilenames.Thetoolalsoprovidesanoptiontodownloadthebackupwithoutrestoringtheoriginalfilenamessothatyoucanusethird-partysoftwareforanalysis.

ForiCloudbackups,thekeychainfilecontentsareencryptedwithasetofclasskeysintheBackupkeybag.TheBackupkeybagitselfisprotectedwithakey(0x835)derivedfromtheiPhonehardwarekey(UIDkey).YoucanfollowthetechniquesexplainedintheprecedingsectionstodecryptthekeychainfromtheextractediCloudbackup.

SummaryiPhonebackupscontainessentialinformationthatmaybeyouronlysourceofevidencefortheiPhone.InformationstorediniPhonebackupsincludesphotos,videos,contacts,e-mail,calllogs,useraccountsandpasswords,applications,devicesettings,andsoon.ThischaptercoveredtechniquestocreatebackupfilesandretrievedatafromiTunesandiCloudbackupsincludingencryptedbackupfiles,whereverpossible.Chapter5,iOSDataAnalysisandRecovery,goesfurtherintotheforensicinvestigationbyshowingtheexaminerhowtoanalyzethedatarecoveredfromthebackupfiles.Areascontainingdataofpotentialevidentiaryvaluewillbeexplainedindetail.

Chapter5.iOSDataAnalysisandRecoveryAkeyaspectiniPhoneforensicsistoexamineandanalyzethedataacquiredfromaniPhonetointerprettheevidence.DataonmostiOSdevicesisencryptedandrequiresthatthedatapartitionbedecryptedpriortoanexamination.Inthepreviouschapters,youlearnedvarioustechniquestoacquiredatafromaniPhone.Therawdiskimageobtainedduringphysicalacquisition,thefilesystemdumporthelogical/backupfilecontainshundredsofdatafiles.ThischapterwillhelpyoutounderstandhowdataisstoredontheiPhoneandwillwalkyouthroughtheimportantfilesinordertorecoverthemostdatapossible.

TimestampsBeforeexaminingthedata,itisimportanttounderstandthedifferenttimestampsusedontheiPhone.TimestampsfoundontheiPhonearepresentedeitherintheUnixtimestamporMacabsolutetimeformat.Theexaminermustensurethatthetoolsproperlyconvertthetimestampsforthefiles.AccesstotherawSQLitefileswillallowtheexaminertoverifythetimestampsmanually.

Unixtimestamps

AUnixtimestampisthenumberofsecondsthatoffsetstheUnixepochtime,whichstartsonJanuary1,1970.AUnixtimestampcanbeconvertedeasilyusingthedatecommandonaMacworkstationorusinganonlineUnixepochconvertoronaWindowsworkstation.Thedatecommandisshownasfollows:

$date-r1388538061

WedJan106:31:01IST2014

Macabsolutetime

iOSdevicesadoptedtheuseofMacabsolutetimewithiOS5formostofthedata.MacabsolutetimeisthenumberofsecondsthatoffsetstheMacepochtime,whichstartsonJanuary1,2001.ThedifferencebetweentheUnixepochtimeandtheMacepochtimeisexactly978,307,200seconds.ToconverttheUnixepochtimetoMacabsolutetime,add978,307,200toitandcalculateitasaUnixtimestamp.Forexample,thedatecommandcanbeusedtocovertMacabsolutetimeisshownasfollows:

$date-r`echo'389894124+978307200'|bc`

FriMay1021:25:24IST2013

OnlineconvertersprovetobeusefultoconvertbothMacepochandUnixtimestampsforiOSdevices.

SQLitedatabasesSQLiteisanopensource,in-processlibrarythatimplementsaself-contained,zeroconfiguration,andtransactionalSQLdatabaseengine.It'sacompletedatabasewithmultipletables,triggers,andviewsthatarecontainedinasinglecross-platformfile.AsSQLiteisportable,reliable,andsmall,itisapopulardatabaseformatthatappearsinmanymobileplatforms.

AppleiOSdevices,likeothersmartphones,makeheavyuseofSQLitedatabasesfordatastorage.Manyofthebuilt-inapplicationssuchasPhone,Messages,Mail,Calendar,andNotesstoredatainSQLitedatabases.Apartfromthat,third-partyapplicationsinstalledonthedevicealsoleverageSQLitedatabasesfordatastorage.

SQLitedatabasesarecreatedwithorwithoutafileextension.Theytypicallyhave.sqlitedbor.dbfileextensions,butsomedatabasesaregivenotherextensionsaswell.DatainSQLitefilesisbrokenupintotablesthatcontaintheactualdata.Toaccessthedatastoredinthesefiles,youneedatoolthatcanreadthem.Somegoodfreetoolsare:

SQLiteBrowser,whichcanbedownloadedfromhttps://github.com/rp-/sqlitebrowser.SQLitecommand-lineclient,whichyoucandownloadfromhttp://www.sqlite.org/.SQLiteProfessional(https://www.sqlitepro.com/),afreegraphicaluserinterface(GUI)fromHankinsoftDevelopmentforMacOSXusers.YoucandownloaditfromMac'sAppStore.SQLiteSpy,afreeGUItoolforWindows.Youcandownloaditfromhttp://www.yunqa.de/delphi/doku.php/products/sqlitespy/index.

MacOSXincludestheSQLitecommand-lineutility(sqlite3)bydefault.Thiscommand-lineutilitycaneasilyaccessindividualfilesandissueSQLqueriesagainstadatabase.So,inthefollowingsectionswewillusethesqlite3command-lineutilitytoretrievedatafromvariousSQLitedatabases.Beforeretrievingthedata,thebasiccommandsyouwillneedtolearnareexplainedinthefollowingsections:

Connectingtoadatabase

ManualexaminationofiOSSQLitedatabasefilesispossiblewiththeuseoffreetools.ThefollowingisanexampleofhowtoexamineadatabaseusingnativeMaccommandsintheterminal.Makesureyourdeviceimageismountedasread-onlytopreventchangesbeingmadetotheoriginalevidence.ToconnecttoaSQLitedatabasefromthecommandline,runthesqlite3commandintheterminalbyenteringyourdatabasefile.ThiswillgiveyouaSQLpromptwhereyoucanissueSQLqueries:

$sqlite3filename.sqlitedb

SQLiteversion3.7.122012-04-0319:43:07

Enter".help"forinstructions

EnterSQLstatementsterminatedwitha";

"

sqlite>

Todisconnect,usethe.exitcommand.ItexitstheSQLiteclientandreturnstotheterminalprompt.

SQLitespecialcommands

Onceyouconnecttoadatabase,thereareanumberofbuilt-inSQLitecommandsknownasdotcommandsthatcanbeusedtoobtaininformationfromthedatabasefiles.Youcanobtainthelistofspecialcommandsbyissuingthe.helpcommandintheSQLiteprompt.TheseareSQLite-specificcommandsanddonotrequireasemicolonattheendofthecommand.Mostcommonlyuseddotcommandsincludethefollowing:

.tables:Thislistsallofthetableswithinadatabase.Thefollowingexampledisplaysthelistoftablesfoundinsidethesms.dbdatabase:

sqlite>.tables

_SqliteDatabasePropertieschat_message_joinattachment

handlechatmessage

chat_handle_joinmessage_attachment_join

.schematable-name:ThisdisplaystheSQLCREATEstatementusedtoconstructthetable.Thefollowingexampledisplaystheschemaforthehandletable,whichisfoundinsidethesms.dbdatabase:

sqlite>.schemahandle

CREATETABLEhandle(ROWIDINTEGERPRIMARYKEYAUTOINCREMENT

UNIQUE,idTEXTNOTNULL,countryTEXT,serviceTEXTNOTNULL,

uncanonicalized_idTEXT,UNIQUE(id,service));

.dumptable-name:ThisdumpstheentirecontentofatableintoSQLstatements.Thefollowingexampledisplaysthedumpofthehandletable,whichisfoundinsidethesms.dbdatabase:

sqlite>.dumphandle

PRAGMAforeign_keys=OFF;

BEGINTRANSACTION;

CREATETABLEhandle(ROWIDINTEGERPRIMARYKEYAUTOINCREMENT

UNIQUE,idTEXTNOTNULL,countryTEXT,serviceTEXTNOTNULL,

uncanonicalized_idTEXT,UNIQUE(id,service));

INSERTINTO"handle"

VALUES(7,'9951512182','in','SMS','9908923323');

COMMIT;

.outputfile-name:Thisredirectstheoutputtoafileonthediskinsteadofshowingitonthescreen..headerson:ThisdisplaysthecolumntitlewheneveryouissueaSELECTstatement.

.help:ThisdisplaysthelistofavailableSQLitedotcommands.

.exit:ThisdisconnectsfromthedatabaseandexitstheSQLitecommandshell..modeMODE:ThissetstheoutputmodewhereMODEcanbecsv,HTML,tabs,andsoon.

Tip

MakesurethereisnospaceinbetweentheSQLitepromptandthedotcommand,otherwisetheentirecommandwillbeignored.

StandardSQLqueries

InadditiontotheSQLitedotcommands,standardSQLqueriessuchasSELECT,INSERT,ALTER,DELETE,andmorecanbeissuedtoSQLitedatabasesonthecommandline.UnliketheSQLitedotcommands,thestandardSQLqueriesexpectasemicolonattheendofthecommand.

Mostofthedatabasesyouwillexaminewillcontainonlyareasonablenumberofrecords,soyoucanissueaSELECTstatement,whichoutputsallofthedatacontainedinthetable.Thefollowingexampledisplaysthevaluesinthehandletable,whichisfoundinsidethesms.dbdatabase:

sqlite>select*fromhandlelimit1;

7|9951512182|in|SMS|9908923323

Importantdatabasefiles

Rawdiskimages,filesystemdumpsthebackupthatyouextractedaspertheinstructionsinChapter3,DataAcquisitionfromiOSDevices,andChapter4,DataAcquisitionfromiOSBackups,willcontainthefollowingSQLitedatabasesthatmaybeimportanttoyourinvestigation.ThefilesshowninthefollowingsectionsareextractedfromaniOS6device.AsAppleaddsnewfeaturestothebuilt-inapplicationswitheveryiOSrelease,theformatofthefilesmayvaryfordifferentiOSversions.So,youmayneedtomodifythequerieslistedslightlytoworkonyouriOSversion.Moreinformationregardingimportantdatabasefilescanbefoundathttp://www.zdziarski.com/blog/wp-content/uploads/2013/05/iOS-Forensic-Investigative-Methods.pdf.

Addressbookcontacts

Theaddressbookcontainsawealthofinformationabouttheowner'spersonalcontacts.Withtheexceptionofthird-partyapplications,theaddressbookcontainscontactentriesforallofthecontactsstoredonthedevice.TheaddressbookdatabaseisaHomeDomainfileandcanbefoundatprivate/var/mobile/Library/AddressBook/AddressBook.sqlitedb.

AddressBook.sqlitedbcontainsseveraltables,ofwhichthreeareofparticularinterest:

ABPerson:Thiscontainsthename,organization,notes,andmoreforeachcontact.ABMultiValue:Thiscontainsphonenumbers,e-mailaddresses,websiteURLs,andmorefortheentriesintheABPersontable.TheABMultiValuetableusesarecord_idfiletoassociatethecontactinformationwitharowidfromtheABPersontable.ABMultiValueLabel:ThistablecontainslabelstoidentifythekindofinformationstoredintheABMultiValuetable.

SomeofthedatastoredwithintheAddressBook.sqlitedbfilecouldbefromthird-partyapplications.Theexaminershouldmanuallyexaminetheapplicationfilefolderstoensurethatallthecontactsareaccountedforandexamined.

YoucanrunthefollowingcommandstodumptheaddressbookintoaCSVfilenamedAddressBook.csv:

$sqlite3AddressBook.sqlitedbSQLiteversion3.7.122012-04-03

19:43:07

Enter".help"forinstructions

EnterSQLstatementsterminatedwitha";"

sqlite>.modecsv

sqlite>.outputAddressBook.csv

sqlite>.headerson

sqlite>SELECTp.rowid,p.first,p.middle,p.last,

datetime(p.creationDate+978307200,'unixepoch')ascreationdate,

casewhenm.labelin(SELECTrowidfromABMultiValueLabel)

then(SELECTvaluefromABMultiValueLabelwhere

m.label=rowid)

else

m.labelendasType,m.value,p.organization,

p.department,p.note,p.birthday,p.nickname,

p.jobtitle,datetime(p.modificationDate+978307200,'unixepoch')as

modificationdate

FROMABPersonp,ABMultiValuem

WHEREp.rowid=m.record_idandm.valuenotnull

ORDERbyp.rowidASC;

sqlite>.exit

Theprecedingquerycross-referencesthedataacrossthethreetablesandretrievesthecontactinformationstoredinthedatabase.ThequeryalsoconvertstheMacabsolutetimeintoareadableformusingtheSQLitedatetimefunction.

Addressbookimages

Inadditiontotheaddressbook'sdata,eachcontactmaycontainanimageassociatedwithit.Thisimageisdisplayedonthescreenwhenevertheuserreceivesanincomingcallfromaparticularcontact.TheaddressbookimagesdatabaseisaHomeDomainfileandcanbefoundat/private/var/mobile/Library/AddressBook/AddressBookImages.sqlitedb.

TheABFullSizeImagetableintheAddressBookImages.sqlitedbfilecontainsimagesinbinarydata.Toextracttheimages,useSQLite's.outputand.dumpcommandstocreateatextfileanddumpthedatabaseintothisfileinaSQLtextformat,asshowninthefollowingcommandlines:

$sqlite3AddressBookImages.sqlitedb

SQLiteversion3.7.122012-04-0319:43:07

Enter".help"forinstructions

EnterSQLstatementsterminatedwitha";"

sqlite>.outputAddressBookImages.txt

sqlite>.dumpABFullSizeImage

sqlite>.exit

Thetextfilecontainstheimagedatainahexadecimalencodingformat.Toconvertthisoutputbacktobinarydataandgrabtheimages,runtheAddressBookImageGrabber.pyPythonscriptonthedumpfile,asshowninthefollowingcommand.ThePythonscriptsourcecodeisavailableinthecodebundleofthebook.

$PythonAddressBookImageGrabber.pyAddressBookImages.txt

Writing./AddressBookImages-Output/397.jpeg

Writing./AddressBookImages-Output/129.jpeg

Writing./AddressBookImages-Output/73.jpeg

Writing./AddressBookImages-Output/508.jpeg[...]

Writing./AddressBookImages-Output/456.jpeg

Writing./AddressBookImages-Output/141.jpeg

Total93imagesareextracted

Tip

Downloadingtheexamplecode

YoucandownloadtheexamplecodefilesforallPacktbooksyouhavepurchasedfromyouraccountathttp://www.packtpub.com.Ifyoupurchasedthisbookelsewhere,youcanvisithttp://www.packtpub.com/supportandregistertohavethefilese-maileddirectlytoyou.

ThescriptwillcreateadirectorynamedAddressBookImages-OutputandplacetheextractedJPEGimagesontoit.Theimagescanbeviewedusingastandardimageviewer.

Thefilenameofeachimagewillbetherecordidentifier,whichisassociatedwiththeAddressBook.sqlitedatabasesothatyoucanassociateeachimagewithacontact.

Tip

MakesureyouareusingPython2.7torunthePythonscripts.

Callhistory

PhoneorFaceTimecallsplaced,missed,andreceivedbytheuserareloggedinthecallhistory,alongwithothermetadatasuchascallduration,date/time,andmore.Thiscouldbeofinteresttoanexaminer.ThecallhistorydatabaseisaWirelessDomainfileandcanbefoundat/private/var/wireless/Library/CallHistory/call_history.db.Thedatabasecontainsamaximumof100callslistedasactivemessages.Anycallsplaced,missed,orreceivedabove100willbestoredinthedatabaseandtheoldestrecordwillberemoved.However,thisdatawillremainintheSQLitefreepagesandcanberecoveredthroughmanualhexexamination.

TheCalltableinthecall_history.dbfilecontainsthecallhistory.Eachrecordinthecalltableindicatesthephonenumberofaremoteparty,aUNIXtimestampofwhenthecallwasinitiated,thedurationofthecallinseconds,astatusflagtoidentifywhetherthecallwasanoutgoingcall(flag5),incomingcall(flag4),blockedcall(flag8),orFaceTimecall(flag16),anidentifierthatisassociatedwiththeaddressbookcontacts(-1forunknowncontact),themobilecountycode(MCC),andthemobilenetworkcode(MNC).YoucanfindalistofMCC/MNCcodesathttp://en.wikipedia.org/wiki/Mobile_country_code.

FaceTimestatusflagsmayvarydependingonthemethodusedtoinitiatethecall.Forexample,dataplansutilizedifferentflagsthanWi-Ficalls.Ifthestatusflagstartswitha2,itislikelytobeaWi-Fiinitiatedcall.Ifitstartswitha1,asdefinedearlier,itrepresentsaFaceTimecallinitiatedwithadataplanonthedevice.ThereareseveralstatusflagsavailableforFaceTimecallsandthesevarybetweeniOSdevices.

YoucanrunthefollowingcommandstodumpthecallhistoryintoaCSVfilenamedcallhistory.csv:

$sqlite3call_history.db

SQLiteversion3.7.122012-04-0319:43:07

Enter".help"forinstructions

EnterSQLstatementsterminatedwitha";"

sqlite>.modecsv

sqlite>.outputcallhistory.csv

sqlite>.headerson

sqlite>SELECTrowid,address,

datetime(date,'unixepoch','localtime')asdate,duration||"sec"

asduration,caseflags

when4then"Incoming"

when5then"Outgoing"

when8then"Blocked"

when16then"Facetime"

else"Dropped"

endasflags,id,country_code,network_code

FROMcall

ORDERBYrowidASC;

sqlite>.exit

SMSmessages

TheShortMessageService(SMS)databasecontainstextandmultimediamessagesthatweresentfromandreceivedbythedevice,alongwiththephonenumberoftheremoteparty,dateandtime,andothercarrierinformation.StartingwithiOS5,iMessagesdataisalsostoredintheSMSdatabase.iMessageallowsuserstosendSMSandMMSmessagesoveracellularorWi-FinetworktootheriOSorOSXusers,thusprovidinganalternativetoSMS.TheSMSdatabaseisaHomeDomainfileandcanbefoundat/private/var/mobile/Library/SMS/sms.db.

YoucanrunthefollowingcommandstodumptheSMSdatabaseintoaCSVfilenamedsms.csv:

$sqlite3sms.db

SQLiteversion3.7.122012-04-0319:43:07

Enter".help"forinstructions

EnterSQLstatementsterminatedwitha";"

sqlite>.modecsv

sqlite>.outputsms.csv

sqlite>.headerson

sqlite>SELECTm.rowidasrowid,datetime(date+978307200,

'unixepoch')asdate,h.idas"phonenumber",m.serviceas

service,caseis_from_me

when0then"Received"

when1then"Sent"

else"Unknown"

endastype,

case

whendate_read>0

thendatetime(date_read+978307200,'unixepoch')

whendate_delivered>0

then

datetime(date_delivered+978307200,'unixepoch')

elseNULL

endas"DateRead/Sent",text

FROMmessagem,handlehWHEREh.rowid=m.handle_idORDERBY

m.rowidASC;

sqlite>.exit

SMSSpotlightcache

Spotlightisadevice-widesearchfeature,whichallowstheusertosearchacrossalltheapplicationsonthedevice.TheSMSdataisindexedandstoredinadatabaseforaquicksearch.TheSMSSpotlightcachedatabaseisaHomeDomainfileandcanbefoundat/private/var/mobile/Library/Spotlight/com.apple.MobileSMS/SMSSeaerchIndex.sqlite

ThefilecontainsbothactiveanddeletedSMSmessages.ThefollowingscreenshotisanexampleoftheoutputasviewedinSQLiteBrowser.ThisisagreatplacetorecoverSMSmessagesthatarenolongerpresentintheSMSdatabasefile.NotethattheSMSSpotlightcachefilenamemayvarydependingontheversionoftheiOSdevice.

TheSMSSpotlightCachefile

YoucanrunthefollowingcommandstodumptheSMSSpotlightcachedatabaseintoaCSVfilenamedsmsspotlightcache.csv:

$sqlite3smssearchindex.sqlite

SQLiteversion3.7.122012-04-0319:43:07

Enter".help"forinstructions

EnterSQLstatementsterminatedwitha";"

sqlite>.modecsv

sqlite>.outputsmsspotlightcache.csv

sqlite>.headerson

sqlite>SELECT*FROMContent;

sqlite>.exit

Calendarevents

Calendareventsthathavebeenmanuallycreatedbytheuserorsyncedusingamailapplicationorotherthird-partyapplicationsarestoredinthecalendardatabase.ThecalendardatabaseisaHomeDomainfileandcanbefoundat/private/var/mobile/Library/Calendar/Calendar.sqlitedb.

TheCalendarItemtableintheCalendar.sqlitedbfilecontainsthecalendareventssummary,description,startdate,enddate,andmore.YoucanrunthefollowingcommandlinestodumpthecalendardatabaseintoaCSVfilenamedcalendar.csv.NotethatremindersandtasksareoftensavedintheCalendar.sqlitedbfile.Thesefilesmaynotcontainastartorendtimedependingontheevent:

$sqlite3Calendar.sqlitedb

SQLiteversion3.7.122012-04-0319:43:07

Enter".help"forinstructions

EnterSQLstatementsterminatedwitha";"

sqlite>.modecsv

sqlite>.outputcalendar.csv

sqlite>.headerson

sqlite>SELECTrowid,summary,description,datetime(start_date+

978307200,'unixepoch')asstart_date,datetime(end_date+

978307200,'unixepoch')asend_date

FROMCalendarItem;

sqlite>.exit

E-maildatabase

Alle-mailormailapplicationsonthedevicearestoredinaSQLitedatabasefile.ThedatabaseisaHomeDomainfileandcanbefoundat/private/var/mobile/Library/Mail/ProtectedIndex.Thedatabasefilehasnoextensionandcontainslocallystored,sent,anddeletedmessages.

Youcanrunthefollowingcommandstoobtaine-mailsstoredinthemaildatabase:

$sqlite3Protected\Index

SQLiteversion3.7.122012-04-0319:43:07

Enter".help"forinstructions

EnterSQLstatementsterminatedwitha";"

sqlite>.outputEmail.csv

sqlite>.headerson

sqlite>SELECT*FROMmessages;

sqlite>.exit

Inadditiontothemessages,e-mailattachmentsarealsooftenstoredonthefilesystemwithintheMaildirectory.

Notes

TheNotesdatabasecontainsthenotescreatedbytheuserusingthedevice'sbuilt-inNotesapplication.Notesisthesimplestapplication,oftencontainingthemostsensitiveandconfidentialinformation.TheNotesdatabaseisaHomeDomainfileandcanbefoundat/private/var/mobile/Library/Notes/notes.sqlite.

TheZnoteandZnotebodytablesinthenotes.sqlitefilecontainthenotestitle,content,creationdate,modificationdate,andmore.YoucanrunthefollowingcommandstodumptheNotesdatabaseintoaCSVfilenamednotes.csv:

$sqlite3notes.sqlite

SQLiteversion3.7.122012-04-0319:43:07

Enter".help"forinstructions

EnterSQLstatementsterminatedwitha";"

sqlite>.modecsv

sqlite>.outputnotes.csv

sqlite>.headerson

sqlite>SELECTdatetime(zcreationdate+978307200,'unixepoch')as

zcreationdate,datetime(zmodificationdate+978307200,'unixepoch')as

zmodificationdate,ztitle,zsummary,zcontent

FROMznote,znotebody

WHEREznotebody.z_pk=znote.z_pk

ORDERBYznote.z_pkASC;

sqlite>.exit

Safaribookmarks

TheSafaribrowserusedonanAppledeviceallowsuserstobookmarktheirfavoritewebsites.ThebookmarksdatabaseisaHomeDomainfileandcanbefoundat/private/var/mobile/Library/Safari/Bookmarks.db.

Youcanrunthefollowingcommandstoviewthebookmarksstoredinthedatabase:

$sqlite3bookmarks.db

SQLiteversion3.7.122012-04-0319:43:07

Enter".help"forinstructions

EnterSQLstatementsterminatedwitha";"

sqlite>.headerson

sqlite>selecttitle,urlfrombookmarks;

sqlite>.exit

TheSafariwebcaches

TheSafaribrowserstorestherecentlydownloadedandcacheddatainadatabase.ThedatabaseisaHomeDomainfileandcanbefoundat/private/var/mobile/Library/Caches/com.apple.mobilesafari/Cache.db.ThefilecontainscachedURLsandthewebserver'sresponsesalongwiththetimestamps.

Thewebapplicationcache

Offlinedatacachedbywebapplications,suchasimages,HTML,JavaScript,stylesheets,andmorearestoredinadatabase.ThedatabaseisaHomeDomainfileandcanbefoundat/private/var/mobile/Library/Caches/com.apple.WebAppCache/ApplicationCache.db

TheWebKitstorage

SafaristoresinformationfromvarioussitesintheWebKitdatabaselocatedinthe/private/var/mobile/Library/WebKit/LocalStorage/directory.Thedirectorycontainsuniquedatabasesforeachwebsite,asshowninthefollowingscreenshot:

TheLocalStoragefoldercontents

Thephotosmetadata

Amanifestationofthephotosinthedevice'sphotoalbumisstoredinadatabaselocatedat/private/var/mobile/Media/PhotoData/Photos.sqlite.The

photosmetadatadatabasefileisamemberofCameraRollDomain.

Youcanrunthefollowingcommandstoviewthephotosstoredinthedatabase:

$sqlite3Photos.sqlite

SQLiteversion3.7.122012-04-0319:43:07

Enter".help"forinstructions

EnterSQLstatementsterminatedwitha";"

sqlite>.modecsv

sqlite>.outputphotos.csv

sqlite>.headerson

sqlite>SELECTz_pk,ztitle,datetime(zdatecreated+

978307200,'unixepoch')aszdatecreated,datetime(zmodificationdate+

978307200,'unixepoch')aszmodificationdate,zfilename,zdirectory,

zwidth,zheight

FROMzgenericasset

ORDERBYz_pkASC;

sqlite>.exit

ConsolidatedGPScache

GeolocationhistoryofcelltowersandWi-Fionthedeviceisstoredinoneofthetwopossibledatabasesthatarelocatedat/private/var/root/Caches/locationd/.Thedatabasesareeitherconsolidated.dborcache_encryptedA.db.BothdatabasefilesaremembersofRootDomain.TheversionofiOSwilldeterminewhichdatabaseisused.ThesedatabasescontainlocationinformationforcelltowersthatthedevicecameintocloseproximitywithaswellasWi-Finetworksthatwereavailableforthedevicetoconnectto.Thesedatabasesareoftenusedtoplaceapersonnearaspecificlocationasthisdataiscachedtooneofthesedatabasefileswithouttheuser'sconsent.

Forthisexample,wewillexaminetheconsolidated.dbfile.TheCompassCalibrationtableintheconsolidated.dbfilecontainsthelocationinformationalongwiththetimestamps.Thefile,whenopenedwithSQLiteProfessional,displaysthedataasshowninthefollowingscreenshot.Notethatthecache_encryptedA.dbfileisnolongerbackedupwhentheusersyncswithiTunes.

TheConsolidated.dbviewwithSQLiteProfessional

Voicemail

Thevoicemaildatabasecontainsmetadataabouteachvoicemailstoredonthedevicethatincludesthesender'sphonenumber,callbacknumber,timestampandmessageduration,andmore.ThevoicemailrecordingsarestoredasAMRaudiofilesthatcanbeplayedbyanymediaplayerthatsupportstheAMRcodec(forexample,QuickTimePlayer).ThevoicemaildatabaseisaHomeDomainfileandcanbefoundat/private/var/mobile/Library/Voicemail/voicemail.db,whiletheactualvoicemailrecordingsarestoredinthe/private/var/mobile/Library/Voicemail/directory.

Youcanrunthefollowingcommandstoviewthelistofvoicemailsstoredinthedatabase:

$sqlite3voicemail.sqlite

SQLiteversion3.7.122012-04-0319:43:07

Enter".help"forinstructions

EnterSQLstatementsterminatedwitha";"

sqlite>.headerson

sqlite>SELECT*FROMvoicemail;

sqlite>.exit

PropertylistsApropertylist,commonlyreferredtoasaplist,isastructureddataformatusedtostore,organize,andaccessvariousdatatypesofdataonaniOSdeviceaswellasaMacOSXdevice.Plistsarebinary-formattedfilesandcanbeviewedusingaPropertyListEditor,whichiscapableofreadingorconvertingthebinaryformattoASCII.

Plistfilesmayormaynothavea.plistfileextension.Toaccessthedatastoredinthesefiles,youneedatoolthatcanreadthem.Someofthegoodfreetoolsinclude:

PlistEditorforWindows,whichcanbedownloadedfromhttp://www.icopybot.com/plist-editor.htmTheplutilcommand-lineutilityonMacOSX

YoucanalsoviewtheplistfilesusingXCode.MacOSXincludestheplutilcommand-lineutilitybydefault.Thecommand-lineutilitycaneasilyconvertthebinaryformattedfilesintohumanreadablefiles.

ThefollowingexampledisplaystheSafaribrowserHistory.plistfile:

$sudoplutil-convertxml1History.plist-o-

<?xmlversion="1.0"encoding="UTF-8"?>

<!DOCTYPEplistPUBLIC"-//Apple//DTDPLIST1.0//EN"

"http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plistversion="1.0">

<dict>

<key>WebHistoryDates</key>

<array>

<dict>

<key></key>

<string>http://www.securitylearn.net/</string>

<key>D</key>

<array>

<integer>1</integer>

</array>

<key>lastVisitedDate</key>

<string>411576251.8</string>

<key>title</key>

<string>securitylearn/</string>

<key>visitCount</key>

<integer>1</integer>

</dict>

<dict>

<key></key>

<string>http://www.google.com</string>

<key>D</key>

<array>

<integer>1</integer>

</array>

<key>lastVisitedDate</key>

<string>411571510.5</string>

<key>title</key>

<string>Google</string>

<key>visitCount</key>

<integer>1</integer>

</dict>

</array>

<key>WebHistoryFileVersion</key>

<integer>1</integer>

</dict>

</plist>

Importantplistfiles

RawdiskimagesorthebackupthatyouextractedinChapter3,DataAcquisitionfromiOSDevices,andChapter4,DataAcquisitionfromiOSBackups,willcontainthefollowingplistfilesthatareimportantforaninvestigation.ThefilesshownareextractedfromaniOS6device.ThefilelocationsmayvaryforyouriOSversion.

TheHomeDomainplistfiles

ThefollowingaretheHomeDomainplistfiles,whichcontaindatathatmayberelevanttoyourinvestigation:

/private/var/mobile/Library/Preferences/com.apple.mobilephone.plist

Thiscontainsthelastphonenumberenteredintothedialerregardlessofwhetheritwasdialedornot/private/var/mobile/Library/Preferences/com.apple.mobilephone.speeddial.plist

Thiscontainsalistofthecontactsthatwereaddedtothephone'sfavoritelist/private/var/mobile/Library/Preferences/com.apple.accountsettings.plist

Thiscontainsalistofthee-mailaccountsconfiguredonthedevice/private/var/mobile/Library/Preferences/com.apple.AppSupport.plist

ThiscontainsthecountrycodeusedfortheAppStoreonthedevice/private/var/mobile/Library/Preferences/com.apple.Maps.plist:Thiscontainsthelastlatitude,longitude,andaddresspinnedintheMapsapplication/private/var/mobile/Library/Preferences/com.apple.mobilemail.plist

Thiscontainsthee-mailfetchingdatesande-mailsignaturesused/private/var/mobile/Library/Preferences/com.apple.mobiletimer.plist

Thiscontainsalistofworldclocksused/private/var/mobile/Library/Preferences/com.apple.Preferences.plist

Thiscontainsthekeyboardlanguagethatwaslastusedonthedevice/private/var/mobile/Library/Preferences/com.apple.mobilesafari.plist

ThiscontainsalistoftherecentsearchesmadethroughSafari/private/var/mobile/Library/Preferences/Com.apple.springboard.plist

containsalistofapplicationsthatareshownintheinterfaceandiOSversion/private/var/mobile/Library/Preferences/com.apple.mobiletimer.plist

Thiscontainsinformationaboutthecurrenttimezone,timers,alarms,andstopwatches/private/var/mobile/Library/Preferences/com.apple.weather.plist:Thiscontainsthecitiesforweatherreports,date,andtimeoflastupdate/private/var/mobile/Library/Preferences/com.apple.stocks.plist:Thiscontainsalistofthestockstracked/private/var/mobile/Library/Preferences/com.apple.preferences.network.plist

ThiscontainsthestatusofBluetoothandWi-Finetworks/private/var/mobile/Library/Preferences/com.apple.conference.history.plist

ThiscontainsahistoryofthephonenumbersandotheraccountsthatwereconferencedusingFaceTime/private/var/mobile/Library/Preferences/com.apple.locationd.plist

Thiscontainsalistofapplicationidentifiersthatusethelocationserviceonthedevice/private/var/mobile/Library/Safari/History.plist:ThiscontainsthewebbrowsinghistoryofSafari/private/var/mobile/Library/Safari/SuspendState.plist:ThiscontainsthewebpagetitleandtheURLofallsuspendedwebpagesonSafari/private/var/mobile/Library/Maps/Bookmarks.plist:ThiscontainsthebookmarkedlocationswithintheMapsapplication/private/var/mobile/Library/Caches/com.apple.mobile.installation.plist

Thiscontainsalistofallsystemanduserapplicationsloadedontothedeviceandtheirdiskpaths/private/var/mobile/Library/Caches/com.apple.UIKit.pboard/pasteboard

Thiscontainsacachedcopyofthedatastoredonthedevice'sclipboardTheRootDomainplistfiles

ThefollowingRootDomainfileslistedshouldbeexaminedforrelevancetoyourinvestigation:

/private/var/root/Library/Preferences/com.apple.preferences.network.plist

Thiscontainsinformationaboutwhethertheairplanemodeispresentlyenabledonthedevice/private/var/root/Library/Lockdown/pair_records:Thisdirectorycontainspropertylistswithprivatekeysusedinordertopairthedevicetoacomputer

/private/var/root/Library/Caches/locationd/clients.plist:Thiscontainsthelocationsettingsforapplicationsandsystemservices

TheWirelessDomainplistfiles

ThefollowingWirelessDomainplistfilecontainsusefulinformationtoidentifytheSIMcardlastusedinthedevice:

/private/wireless/Library/Preferences/com.apple.commcenter.plist

TheSystemPreferencesDomainplistfiles

ThetwoplistfilescontainingdataofevidentiaryvaluefromtheSystemPreferencesDomainfilesarelisted:

/private/var/preferences/SystemConfiguration/com.apple.network.identification.plist

ThiscontainsnetworkinginformationofthecachedIP/private/var/preferences/SystemConfiguration/com.apple.wifi.plist

ThiscontainsalistofpreviouslyknownWi-Finetworksandthelasttimeeachonewasconnectedto

OtherimportantfilesApartfromSQLiteandplistfiles,severalotherlocationsmaycontainvaluableinformationtoaninvestigation.

Theotherssourcesincludethefollowing:

CookiesKeyboardcachePhotosWallpaperSnapshotsRecordingsDownloadedapplications

Cookies

Cookiescanberecoveredfrom/private/var/mobile/Library/Cookies/Cookies.binarycookies.Thisfileisastandardbinaryfilethatcontainscookiessavedwhenwebpagesareaccessedonthedevice.Thisinformationcanbeagoodindicationofwhatwebsitestheuserhasbeenactivelyvisiting.

Toconvertthebinarycookietohumanreadableformat,runtheBinaryCookieReader.pyPythonscriptonthecookiefile,asshowninthefollowingcommand.ThePythonscriptsourcecodeisavailableinthecodebundleofthebook.

$pythonBinaryCookieReader.pyCookies.binarycookies

Cookie:

__utma=167051323.813879307.1359034257.1367989551.1386632713.9;

domain=.testflightapp.com;path=/;expires=Wed,09Dec2015;

Cookie:__utmb=167051323.24.8.1386633092975;

domain=.testflightapp.com;path=/;expires=Tue,10Dec2013;

Cookie:__utmz=167051323.1386632713.9.1.utmcsr=(direct)|utmccn=

(direct)|utmcmd=(none);domain=.testflightapp.com;path=/;

expires=Tue,10Jun2014;

Cookie:tfapp=1d29da4a798a90186f1d4bfce3ce2f23;

domain=.testflightapp.com;path=/;expires=Thu,09Feb2017;

Cookie:user_segment=Prospect;domain=.testflightapp.com;path=/;

expires=Wed,08Jan2014;[...]

Keyboardcache

Keyboardcacheiscapturedandsavedinthedynamic-text.datfile.Thefileislocatedat/private/var/mobile/Library/Keyboard/dynamic-text.datandcontainskeyboardcache,whichcomprisesoftextenteredbytheuser.Thistextiscachedaspartofthedevice'sautocorrectfeatureandwasdesignedtoautocompletethepredictivecommonwords.Thefilekeepsalistofapproximately600wordsperlanguageusedontheiOSdevice.

Itisabinaryfileandcanbeviewedusingahexeditor,asshowninthefollowingscreenshot.ThisfilemaycontainpasswordscachedbytheiOSdeviceandcanbeusedtoachievebruteforceattacksonthedeviceoranencryptedbackupofthedevice.

Keyboardcacheinhexeditor

Photos

Photosarestoredinadirectorylocatedat/private/var/mobile/Media/DCIM/,whichcontainsthephotostakenwiththedevice'sbuilt-incamera,screenshots,andaccompanyingthumbnails.Somethird-partyapplicationswillalsostorephotostakeninthisdirectory.EveryphotostoredintheDCIMfoldercontainsEXIF(ExchangeableImageFileFormat)data.EXIFdatastoredinthephotocanbeextractedusingexiftool,whichcanbedownloadedfromhttp://www.sno.phy.queensu.ca/~phil/exiftool/.EXIFdatamayalsocontainthegeographicalinformationwhenaphotoistaggedwiththeuser'sgeolocationiftheuserhasenabledlocationpermissionsontheiOSdevice:

$exiftoolIMG_0107.JPG

ExifToolVersionNumber:9.50

FileName:IMG_0107.JPG

Directory:.

FileSize:73kB

FileModificationDate/Time:2014:01:0717:43:05+05:30

FileAccessDate/Time:2014:02:0917:26:40+05:30

FileInodeChangeDate/Time:2014:02:0917:26:40+05:30

FilePermissions:rw-r--r--[...]

Wallpaper

ThecurrentbackgroundwallpapersetfortheiOSdevicecanberecoveredfromtheLockBackgroundThumbnail.jpgfilefoundin/private/var/mobile/Library/SpringBoard/LockBackground.cpbitmap.Thisiscomplementedwithathumbnailnamedinthesamedirectory.Thewallpaperpicturemaycontainidentifyinginformationabouttheuser,whichcouldhelpinamissingperson'scaseoraniOSdevicerecoveredfromatheftinvestigation.

Snapshots

Thesnapshotsdirectorycontainsscreenshotsofthemostrecentstatesofbuilt-inapplicationsatthetimethattheyweresuspended.Thisdirectoryislocatedin/private/var/mobile/Library/Caches/Snapshots/.EverytimeanapplicationissuspendedtothebackgroundbypressingtheHomebutton,asnapshotistakentoproduceaniceshrinkingeffect.Third-partyapplicationsalsostorethesnapshotcacheinsidetheirapplication'sfolder.

Recordings

TheiPhoneallowsausertorecordvoicememosveryeasily.Therecordedvoicememosarestoredinthe/private/var/mobile/Media/Recordings/directory.Recordingsherecouldbeusedtoidentifyapersonbasedupontheirvoiceandmayalsocontaininformationsuchasvoicereminders,whichwon'tbestoredinthecalendardatabase.Recordingsprovidealotofinformationtotheexaminerastheyareusercreatedandoftennotdeleted.

Downloadedapplications

Third-partyapplications,whicharedownloadedandinstalledfromtheAppStore,includeapplicationssuchasFacebook,WhatsApp,Viber,Wickr,Skype,andGMail,andmorethatcontainawealthofinformationusefulforaninvestigation.Somethird-partyapplicationsusetheBase64encoding,whichneedstobeconvertedforviewingaswellasencryption.Applicationsthatencryptthedatabasefilepreventtheexaminerfromaccessingthedataresidinginthetables.EncryptionvariesamongsttheseapplicationsbasedontheapplicationandiOSversions.

AuniquesubdirectoryGUIiscreatedforeachapplicationinstalledonthedeviceinthe/private/var/mobile/Applications/directory,whichisshowninthefollowingexample.Also,thehierarchicalstructureoftheApplicationsdirectoryisshown.Mostofthefilesstoredintheapplication'sdirectoryareintheSQLiteandplistformat:

$tree-L2/var/mobile/Applications/

/var/mobile/Applications/

|--08E03CB2-26A5-4DAF-9843-3893AF4EDDF0

||--Documents

||--Library

||--WordPress.app

||--iTunesArtwork||--iTunesMetadata.plist

|`--tmp

|--0922F95C-7E40-4075-BC5A-06CE829BDD9E

||--Documents

||--Library

||--Wickr.app

||--iTunesArtwork

||--iTunesMetadata.plist

|`--tmp

|--11C7F3E9-A10E-405D-B6BB-2F86B1B2400F

||--Documents

||--Library

||--photovault.app

|`--tmp

RecoveringdeletedSQLiterecordsInadditiontotherecoveringtechniquescoveredinChapter3,DataAcquisitionfromiOSDevices,youcanalsorecoverthedeletedrecordsfromaSQLitedatabase.SQLitedatabasesstorethedeletedrecordswithinthedatabaseitself.So,itispossibletorecoverthedeleteddatasuchascontacts,SMS,calendar,notes,e-mailsandvoicemails,andmorebyparsingthecorrespondingSQLitedatabase.IfaSQLitedatabaseisvacuumedordefragmented,thelikelihoodofrecoveringthedeleteddataisminimal.TheamountofcleanupthesedatabasesrequireheavilyreliesontheiOSversion,thedevice,andtheuser'ssettingsonthedevice.

ASQLitedatabasefilecomprisesoneormorefixedsizepages,whichareusedjustonce.SQLiteusesab-treelayoutofpagestostoreindicesandtablecontent.Detailedinformationontheb-treelayoutisexplainedathttp://sandbox.dfrws.org/2011/fox-it/DFRWS2011_results/Report/Sqlite_carving_extractAndroidData.pdf.

TocarveaSQLitedatabase,youcanexaminethedatainrawhexorusesqliteparse.py,aPythonscriptdevelopedbyMariDeGrazia.ThePythonscriptcanbedownloadedfromhttp://www.arizona4n6.com/download/SQLite-Parser.zip.

Thefollowingexamplerecoversthedeletedrecordsfromthenotes.sqlitedbfileanddumpstheoutputtotheoutput.txtfile.Tovalidateyourfindingsfromrunningthescript,simplyexaminethedatabaseinahexviewertoensurenothingisoverlooked:

$pythonsqliteparse.py-fnotes.sqlitedb-r-ooutput.txt

Inadditiontoit,performingastringsdumpofthedatabasefilecanalsorevealdeletedrecordsthatmayhavebeenmissed,asshowninthefollowingcommand:

$stringsnotes.sqlitedb

SummaryThischaptercoveredvariousdataanalysistechniquesandspecifiedthelocationsofdatawithintheiOSdevice'sfilesystem.WealsoexplainedmostofthecommonfileformatsusedintheiPhoneandwalkedyouthroughimportantfilestorecoverthemostdatapossible.Mostopensourceandcommercialtoolsareabletopulldeleteddatafromcommondatabasefiles,suchascontacts,calls,SMS,andmore,buttheyoftenoverlookthethird-partyapplicationdatabasefiles.WecoveredtechniquestorecoverdeletedSQLiterecordsthatproveusefulinmostiOSdeviceinvestigations.Again,theacquisitionmethod,encoding,andencryptionschemascanaffecttheamountofdatayoucanrecoverduringyourexamination.Inthenextchapter,wewilldiscussiOSforensictools,whichwillhelpyouacquireandanalyzedata.

Chapter6.iOSForensicToolsAlthoughunderstandingacquisitionmethodsandtechniquesishelpful,aforensicexamineroftenneedsthehelpoftoolstoaccomplishtasksinthegiventime.Forensictoolsnotonlysavetimebutalsomaketheprocessaloteasier.Currently,therearemanycommercialtoolssuchasElcomsoftiOSForensicToolkit,CellebriteUFED,BlackLight,OxygenForensicSuite,AccessDataMPE+,iXAM,Lantern,XRY,SecureView,ParabeniRecoveryStick,andsoon,whichareavailableforforensicacquisitionandanalysisofaniOSdevice.Forfamiliaritypurposes,thischapterwillwalkyouthroughtheusageofafewcommercialandopensourcetoolsandprovidedetailsofthestepsrequiredtoperformacquisitionsofiOSdevices.

ElcomsoftiOSForensicToolkitElcomsoftiOSForensicToolkit(EIFT)isasetoftoolsaimedatmakingtheacquisitionofiOSdeviceseasier.EIFTisacombinationofsoftwarethatisabletoperformforensicacquisitionofiOSdevicesrunninganyversionofiOS(note:someiOSversionsrequirethedevicetobejailbroken).EIFTcanacquirebit-for-bitimagesofadevice'sfilesystem,extractdevicesecrets(passcodes,passwords,andencryptionkeys),anddecryptthefilesystemimage.FormoreinformationonEIFT,visithttp://www.elcomsoft.com/eift.html.

Thetoolkitwasinitiallyavailableonlytolawenforcementagencies,butnowitisavailabletoeveryone.ThetoolkitsupportsbothMacOSXandWindowsplatformswithiTunes10.6orlaterinstalled.

FeaturesofEIFT

ThefollowingarethefeaturesofEIFT:

Supportsphysicalandlogicalacquisition.Acquirescompletebit-for-bitdeviceimages.Quickfilesystemacquisition:20-40minutesfor32GBmodels.Supportspasscoderecoveryattacks.Extractsdevicekeysrequiredtodecryptarawdiskimageaswellaskeychainitems.Decryptsarawdiskimageandkeychainitems.Zero-footprint:thisoperationleavesnotracesandalterationstodevicecontents.Fullyaccountable:everystepofinvestigationisloggedandrecorded.

UsageofEIFT

ElcomsoftiOSForensicToolkitcanbeusedintwomodes:guidedmodeandmanualmode.TheUSBdongleshippedwiththetoolkitmustbeconnectedtothecomputerwhilethetoolkitisrunning.

Guidedmode

Theguidedmodefeaturesamenu-baseduserinterfacewhereyoucanaccomplishtypicaltasksbyselectingthecorrespondingmenuitems.Youcanstarttheguidedmodebydouble-clickingontheToolkit.cmd(Windows)orToolkit.command(MacOSX)fileinthedirectorywhereyouhavecopiedthetoolkitfiles.Thisshouldopentheterminalwindowandpresentatext-basedmenuasshowninthefollowingscreenshot:

TheElcomsoftiOSForensicToolkitwelcomescreen

Whenrunningintheguidedmode,thetoolkitlogsalltheactivitiestoatextfile.Eachtimethetoolkitisstarted,anewlogfileiscreatedintheuser'shomedirectoryandtheoutputofalltheinvokedcommandsaswellasuserchoicesare

directoryandtheoutputofalltheinvokedcommandsaswellasuserchoicesarewrittentothatfile.

ToperformthephysicalacquisitionofiPhone4andolderdeviceswithEIFT,followthestepsprovided:

1. PutthedeviceintheDFUmode.Youcandothisbyselectingthemenuitem1andfollowingtheonscreeninstructions.

2. AfterthedevicehasbeenputintheDFUmode,loadtheramdiskwiththeacquisitiontoolsbyselectingmenuitem2oranswerytothepromptthatfollowstheDFUprocedure.Itautomaticallydetectsthetypeofthedeviceandloadsthecompatibleramdiskontoit.Whenramdiskissuccessfullyloaded,thedevicescreenwillshowtheElcomsoftlogo.

3. Recoverthedevicepasscodebyselectingmenuitem3.Thetoolkitcanrecoverasimple4-digitpasscodeinlessthan20minutes.Italsoprovidesoptionstoperformdictionary(wordlist)andbruteforceattacksoncomplexpasswords,asshowninthefollowingscreenshot:

TheEIFTpasscoderecoveryoptions

4. Extracttheencryptionkeysrequiredtodecryptfilesandkeychainitemsby

selectingmenuitem4.Youwillbepromptedtosupplythedevicepasscode,ifknown,oftheescrowfileifyouhaveaccesstothehostcomputerandafilenametosavethekeys.Ifthefilenameisnotsupplied,thetoolkitextractsthekeysandstoresitinthekeys.plistfileintheuser'shomedirectory.

5. Afterextractingthekeys,todecryptthekeychainitems,selectmenuitem5.Thetoolkitusesthekeysstoredinthekeys.plistfile,decryptsthekeychainitems,andstoresitinthekeychain.txtfileintheuser'shomedirectory.

6. Toacquirethephysicalimageofthedevice'sfilesystem,selectthemenuitem6.Youwillbepromptedtochoosethedevicepartition(systemanduserdata)toimage,asshowninthefollowingscreenshot:

EIFT—selectingpartitiontoimageoption

Afterselectingthepartition,thewindowpromptsyouforafilenametosavetheimage.Ifthefilenameisnotsupplied,itextractstherawfilesystemfromthedeviceandstoresitasauser.dmgfileintheuser'shomedirectory.Bestpracticesincludeacquiringboththeuserandsystempartitions.

7. Aftertheacquisition,youcanrebootthedevicetofunctionnormallybyselectingmenuitem9.

8. Todecrypttheacquiredimage,selectmenuitem7.Youwillbepromptedtoprovidefilenamesoftheencryptedimage,devicekeys,andafilenametosavethedecryptedimage.Ifthefilenameisnotsupplied,itdecryptstheimageandstoresitasuser-decrypted.dmgintheuser'shomedirectory.ThetoolkitalsocomputestheSHA1hashofthedecryptedimagefile.EIFTisalsocapableofperformingphysicalacquisitionofajailbrokeniPhone4SandnewerdevicesrunningoniOS5/6/7.Atthetimeofwritingthis,EIFTistheonlytoolthatsupportsphysicalacquisitionoftheiPhone4SandnewerdevicesrunningwithiOS7.EIFTrequirestheOpenSSHpackagetobeinstalledonthedevicetoperformacquisitiononnewerdevices.OpenSSHrunstheSSHserveronthedeviceandallowsyoutocopyandruntheacquisitiontools.OncetheSSHserverisrunningonthedevice,youcanfollowsteps3to8toacquirearawdiskimagefromaniPhone4Sandnewerdevices.

Manualmode

Themanualmodeletsyouinteractwithtoolsdirectlyusingthecommand-lineinterface.Thismodeallowsgreaterflexibilityandisrecommendedifyouarecomfortablewithusingcommand-linetools.Thecommandsrequiredtoaccomplishtypicaltasksinthemanualmodearewelldocumentedinthetechnicalguidethatcomeswiththetoolkit.

Thetoolkitiscapableofperformingphysicalandlogicalacquisitionofthedevice'sfilesystem.Butitdoesnotprovideoptionstoanalyzetheacquireddataandrecoverthedeleteddata.However,youcansupplythe.dmgfileacquiredwithEIFTtoOxygenForensicSuite,CellebritePhysicalAnalyzer,andothertoolsfordataanalysisandrecovery.

EIFT-supporteddevices

ElcomsoftiOSForensicToolkitVersion1.23supportsmostiOSdevices,howeversomemustbejailbroken.Thefollowingfigureistakendirectlyfromthehelpdocumentthatcomeswiththetoolkit:

EIFTsupporteddevices

Compatibilitynotes

ThefollowingarethecompatibilitiesofEIFT-supporteddevices:

SupportforiPhone4S/5/5S/5C,iPad2andlaterversions,andiPodTouch5thgenerationdevicesiscurrentlylimitedtojailbrokendevices.iOSversionsbefore3.xstorethedevicepasscodeinthekeychain.Onthesedevices,thepasscodeisrecoveredinstantlyduringtheencryptionkeyandkeychaindatarecovery.DevicesrunningiOSversionsbefore3.xdonothavedataprotection

enabledanduserpartitionisnotencrypted.IfadevicewasshippedwithiOS3.xinstalledandwasupdatedtoiOS4.xwithoutreset(whicherasesallcontentsandsettings),thatis,usingtheUpdateoptioniniTunesinsteadofRestore,thendataprotectionisnotenabledandtheuserpartitionisnotencrypted.

OxygenForensicSuite2014OxygenForensicSuite2014isanadvancedforensicsoftwaretoextractandanalyzedatafromcellphones,smartphones,PDAs,andothermobiledevices.Thesoftwareprovideslogicalsupportforthewidestrangeofmobiledevicesandallowsfullyautomatedforensicacquisitionandanalysis.Currently,OxygenForensicSuite2014Version6.1supportsmorethan7,700differentmodelmobiledevices.

OxygenForensicSuite2014usesproprietarylow-levelprotocolstoextractdatafromsmartphones.Besidesdataextraction,OxygenForensicSuitealsogivesyoutheopportunitytoimportabackup/imagefileobtainedusingotherforensictools,suchasCellebrite,Elcomsoft,XRY,iTunes,andLanternLitefordataanalysis.Italsostoresthedatabaseofalltheanalyzeddevices,soyoucanalwaysviewthepreviouslyextracteddataoruseapowerfulmultiphonesearchfeaturetofindtherequireddetails.

OxygenForensicSuite2014isavailableonlyfortheWindowsplatformandrequiresiTunestobeinstalledonthecomputer.Thesoftwarecosts$2,999forthefullversion,andafreewareversionisalsoavailablewithlimitedfunctionalities.Thesoftwareoperateswithoriginalandjailbrokendevicesandextractsthefollowingdata:phonebookwithassignedphotos,calendareventsandnotes,calllogs,messages,camerasnapshots,videoandmusic,voicemail,passwords,dictionaries,geopositioningdata,Wi-Fipointswithpasswordsandcoordinates,IPconnections,locations,navigationapplications,devicedata,factoryinstalled,third-partyapplicationsdata,andsoon.ItalsorecoversdeleteddatafromSQLitedatabasesandcanrecovercalls,messages,e-mailmessages,e-mailaccounts,photothumbnails,contactphotos,andsoon.Thistooldoesnotsupportphysicalacquisition,thusafullforensicimagecannotbeobtained.Formoreinformation,visithttp://www.oxygen-forensic.com/de/compare/devices/software-for-iphone.

FeaturesofOxygenForensicSuite

ThefollowingarethefeaturesofOxygenForensicSuite:

Itsupportslogicalacquisition.Logicalacquisitionrecoverstheactivefilesonthedevice.DeleteddatamaybeobtainediftheSQLitedatabaseisrecovered.Physicalandfilesystemacquisitionarenotsupportedbythistool.BothoftheseacquisitionmethodsprovideaccesstotherawfilesystemdataoftheiOSdevice.Passwordrecoveryfromakeychain.Readbackup/imagesobtainedusingotherforensictools.Timeline:Thisprovidesasingle-placeaccesstoalltheuser'sactivitiesandmovementsarrangedbydateandtime.Zero-footprintoperation:Thisleavesnotracesandalterationstodevicecontents.Itsupportsaggregatedcontacts.Thisautomaticallycombinesaccountsfromdifferentsourcesinonemetacontactforeachperson.(Caution:Makesureyouknowwherethedataiscomingfrom!Youshouldmanuallyexamineeachfiletoensurenothingisoverlookedandthatthedataisbeingreportedcorrectly.)Itrecoversdeleteddataautomatically.Itprovidesaccesstorawfilesformanualanalysis.(Note:Thesearetherawdatabasefilesassociatedwitheachapplication,nottherawfilesystempartitions.)Itprovidesanintuitiveanduser-friendlyUItobrowsetheextracteddata.Itprovideskeywordlistsandaregularexpressionlibraryinordertosearch.Reportgenerationinseveralpopularformats—MicrosoftExcel,PDF,HTML,andsoon.

UsageofOxygenForensicSuite

TheacquisitionofaniOSdeviceissimpleandstraightforwardwithOxygenForensicSuite2014.Thesoftwarehelpsyoutoconnectadeviceinseveralmouseclicksanddownloadsalltheavailabledeviceinformationinjustafewminutes.

ToperformtheacquisitionofaniOSdeviceusingOxygenForensicSuite2014,followthestepsprovided:

1. LaunchOxygenForensicSuite2014andclickontheConnectnewdevicebutton.Youwillbepromptedtochoosetheconnectionmode,asshowninthefollowingscreenshot:

OxygenForensicSuite—theConnectionModescreen

2. ConnecttheiOSdevicetothecomputerusingaUSBcableandchoosetheAutodeviceconnectionmode.Itdetectstheconnecteddeviceanddisplaysthedeviceinformation,asshowninthefollowingscreenshot.Youcanalsomanuallychooseyourdevice.

OxygenForensicSuite—thedeviceinformationscreen

3. ClickonNext.Itpromptsyoutofillintheinformationaboutthedeviceandthecase.Continuingfurther,itpromptsyoutoselectthedatatypestobeextractedfromthedevice,asshowninthefollowingscreenshot:

4. ClickonNext.Itextractsthedatafromthedeviceandtheprocesstakesafewminutesdependingontheamountofdatastoredonthedevice.Oncetheprocessiscomplete,thesoftwaredisplaysasummaryoftheextracteddata,asshowninthefollowingscreenshot:

OxygenForensicSuite—theextracteddatasummaryscreen

5. Afterthedownloadprocessiscomplete,youcanusetheautomaticforensicreportgenerationfunctionandexporttheextracteddatatoaPDFfile.Thedevicedatareportappearsasshowninthefollowingscreenshot.YoucanalsoopenthedeviceimageinOxygenforamanuallookatthedata.

OxygenForensicSuite2014supporteddevices

OxygenForensicSuite2014Version6.1supportslogicalacquisitionofalliOSdevices.Keepinmindthataccesstonewerdevicesmayrequirethedevicetobeunlockedorjailbroken.

CellebriteUFEDPhysicalAnalyzerAsperthevendor,CellebriteUFED(UniversalForensicExtractionDevice)empowerslawenforcement,anti-terrorism,andsecurityorganizationstocapturecriticalforensicevidencefrommobilephones,smartphones,PDAs,andportablehandsetvarieties,includingupdatesfornewlyreleasedmodels.Thetoolenablesforensicallysounddataextraction,decoding,andanalysistechniquestoobtainexistinganddeleteddatafromdifferentmobiledevices.AsofFebruary2014,UFEDsupportsdataextractionfrommorethan5,320mobiledevices.

TheCellebriteUFEDPhysicalAnalyzerapplicationcanbeusedtoperformphysicalandadvancedlogicalacquisitionsofiOSdevices.Advancedlogicalacquisitionsarethesameasfilesystemacquisitionsinwhichaccesstothefilesystemdataisprovided.PhysicalacquisitiononiOSdevicesusingtheA5-A7chip(iPhone4sandnewer)isnotpossible.Thus,theadvancedlogicalacquisitionmethodisthebestsupportandwillpullthemostdatafromthesedevicesiftheyareunlocked(eveniftheyarenotjailbroken).TheapplicationisavailableonlyforWindowsplatforms.Cellebritealsooffersa30-dayfreetrialforthesoftware.Formoreinformation,visithttp://www.cellebrite.com/mobile-forensics/products/applications/ufed-physical-analyzer.

FeaturesofCellebriteUFEDPhysicalAnalyzer

ThefollowingarethefeaturesofCellebriteUFEDPhysicalAnalyzer:

Supportsphysicalandadvancedlogicalacquisition(filesystemacquisition)ExtractsdevicekeysrequiredtodecryptrawdiskimagesaswellaskeychainitemsDecryptsrawdiskimagesandkeychainitemsRevealsdevicepasswords(notavailableforalllockeddevices)AllowstoopenanencryptedrawdiskimagefilewithaknownpasswordSupportspasscoderecoveryattacksAdvancedanalysisanddecodingofextractedapplicationsdataReportsgenerationinseveralpopularformats—MicrosoftExcel,PDF,HTML,andsoon.Abilitytodumptherawfilesystempartitiontoimportandexamineitinanotherforensictool

UsageofCellebriteUFEDPhysicalAnalyzer

ToperformthephysicalacquisitionofaniPhone4andolderdeviceswithUFEDPhysicalAnalyzer,followthestepsprovided.NotethatphysicalacquisitionisnotsupportedforneweriOSdevices(iPhone4Sandnewer).

1. LaunchUFEDPhysicalAnalyzerandnavigatetotheExtract|iOSDeviceExtractionmenu.YouwillbepromptedwiththeiOSdevicedataextractionwizard,asshowninthefollowingscreenshot:

UFEDPhysicalAnalyzer—theiOSDeviceDataExtractionWizardscreen

2. ClickonPhysicalmode.ThefirsttimeyouruniOSdeviceextraction,youwillbepromptedtodownloadandinstalltheiOSsupportpackage.

3. Followtheinstructionsdisplayedonthescreentoturnoffthedeviceandplaceitintherecoverymode.Oncethetooldetectsthedeviceintherecoverymode,itdisplaysthedeviceinformation,asshowninthefollowingfigure:

UFEDPhysicalAnalyzer—thedeviceinformationscreen

4. ClickonNextandputthedeviceintheDFUmode.WhenthedeviceisdetectedintheDFUmode,thesoftwareloadstheacquisitiontoolsontothedevice.

5. Oncethedeviceisreadyforextraction,youwillbepromptedtochoosethedesiredextractiontype.ClickonPhysicalExtractionandchoosethepartitionyouwishtoextractandthelocationwhereyouwanttosavetheextraction.

6. ContinuefurtherandclickonRecoverthepasscodeformetorecoverthepasscodepriortotheextraction.

7. ClickonContinue.Thetoolextractsthefilesystemimageanddecryptsit.

Supporteddevices

UFEDPhysicalAnalyzerVersion3.9supportediOSdevicesareshowninthefollowingtable:

Model iOSversion

Physicalacquisition

Logicalacquisition

iPhone,iPhone3G,iPodTouch1,2 iOS1/2/3/4

Yes Yes

iPhone3GSiPodTouch3iPad1 iOS3/4/5 Yes Yes

iPhone4iPodTouch4 iOS4/5/6/7

Yes Yes

iPhone4S,5,5C,5SiPad2,3,4,iPadmini,andiPodTouch5

iOS5/6/7 No Yes

ParabeniRecoveryStickAsperthevendor,theiRecoveryStickcontainsspecializedinvestigationsoftwareonaUSBdrivethatallowsanyonetoinvestigatedataonAppleiOSdevicessuchasaniPhone,iPad,andiPodTouch.TheiRecoveryStickacquiresauser'sdatadirectlyfromthedeviceorfromiTunesbackupfiles.TheiRecoveryStickalsorecoversdeleteddatafromSQLitedatabasesandcanrecoverdatasuchasmessages,contacts,callhistory,Internethistory,andcalendarevents.Notethatthisisnotaphysicalacquisitionbutissimplyacquiringandparsingrawdatabasefileslogically.

TheiRecoveryStickcosts$129andworksonWindowsplatforms.Forbetterrecovery,iRecoveryStickrecommendsturningofftheantivirussoftwarerunningonthecomputer.Formoreinformation,visithttp://www.paraben.com/irecovery-stick.html.

FeaturesofParabeniRecoveryStick

ThefollowingarethefeaturesofParabeniRecoveryStick:

ItsupportslogicalacquisitionItrecoversdeleteddatafromSQLitefilesItiseasytouseandportableItisinconspicuous.ItresemblesacommonlyusedUSBthumbdrive,soitcanbeusedasaspydeviceandnoonewouldsuspectthatthedeviceisusedtorecoverdatafromaniPhone.Itlogstherecoveryprocessbasedonthepluginactivityandtrafficacrossthecommunicationport.Itsupportsdataanalysisandreportinginseveralformats,suchasExcelandPDF.

UsageofParabeniRecoveryStick

TheiRecoveryStickisaUSBflashdrivethatcontainstherecoverysoftwareiRecoveryStick.exe.

ToperformtheacquisitionofaniOSdeviceusingiRecoveryStick,followthesesteps:

1. ConnecttheiOSdevicetothecomputerusingaUSBcable.LaunchtheiRecoverySticksoftwareandclickontheStartRecoverybutton.Youwillbepromptedtochoosetheconnecteddevice,asshowninthefollowingscreenshot:

iRecoveryStick—theChooseconnecteddevicescreen

2. Clickonthedeviceiconanditstartsextractingthedatafromthedevice.Thedataextractionprocesstakesafewminutesdependingontheamountofdatastoredonthedevice.

3. Oncetheprocessiscomplete,thesoftwaredisplaysasummaryofextracteddata,asshowninthefollowingscreenshot:

iRecoveryStick—theextracteddatasummary

DevicessupportedbyParabeniRecoveryStick

ParabeniRecoveryStickVersion3.5supportslogicalacquisitionofalliOSdevices.TheamountofdataacquiredwilldependonhowmuchdataispresentontheiOSdevice,whetherthedevicewaslocked,andwhetherthedevicewasjailbroken.

OpensourceorfreemethodsSeveralmethodsareavailabletoacquireandanalyzeiOSdevicesforfree.Mostofthesetoolshavebeenbuiltbypractitionersinmobileforensicswhorecognizetheneedforaffordablesolutionsthatworktoobtainthesameamountofdataascommercialkits.JonZdziarskihasdevelopedseveralscripts,tools,andmethodstoacquiredatafromiOSdevices.Someofhismethodssuchasphysicalacquisitionscriptsarerestrictedtolawenforcement.ZdziarksireleasedhisinstructionstoacquiredatafromiOSdevicesandthiscanbereadathttp://www.zdziarski.com/blog/wp-content/uploads/2013/05/iOS-Forensic-Investigative-Methods.pdf.

ThereareothertoolsthatexistsoyoucanlogicallyacquireandanalyzeiOSdeviceimagesandbackupfiles.SomeofthesetoolsincludeiFunBox,iExplorer,iBackupBot,andmore.Makesurethatyoutestthesetoolsbeforerelyingonthemforaforensicinvestigation.Again,theyareeitherfreeorrequestadonationforuse.Theyaredevelopedbythecommunityforexaminerstouse.Theyoftendonotgothroughrigorousamountsoftestingandvalidationandmaymissdatathatcanbemanuallyextractedbytheexaminer.Itistheexaminer'sresponsibilitytolearnthetool,testit,andknowitsflawsinordertorecoveralloftheavailabledata.

SummaryForensictoolsarehelpfulforaninvestigatorastheynotonlysavetimebutalsomaketheprocessaloteasier.ThischapterintroducedyoutoseveralavailableiOSforensictoolsandincludedthestepstoperformacquisitionofaniOSdevice.Examinersshouldtakefurtherstepstovalidateandunderstandeachtoolthatmightbeusedaspartofaninvestigation.Inthenextchapter,wewilldiveintoAndroidforensicsandprovideinformationonwhatAndroidis,howthedevicesstoredata,andhowtoaccessthefilesandapplicationsthatarerequiredforforensicexaminations.

Chapter7.UnderstandingAndroidBeforewetakeadiveintotheoceanofAndroidletusfirstspendsometimediscussingtheevolutionofAndroidorwhatwecallTheAndroidStory.Backin2005,Googlestartedinvestingmoneyinstart-upcompanies,whichitthoughtwouldbeprofitableinthefuture.AndroidInc.,foundedin2003byAndyRubin,RichMiner,NickSears,andChrisWhite,wasonesuchcompanyacquiredbyGooglethatlaterturnedouttobethebestdealever.Duringitsfirsttwoyears,AndroidInc.operatedundersecrecy.Itdescribeditselfasacompany"makingsoftwareformobilephones".RubinlaterstayedwithGoogletopioneerAndroidasanoperatingsystemthatrevolutionizedthewaymobilehandsetsoperate.WiththisacquisitionitwasclearthatGooglewaseyeingthemobilephonemarket.AtGoogle,Rubin,alongwithhisteam,developedapowerfulandflexibleoperatingsystembuiltonaLinuxkernel.TherewerespeculationsalloveraboutwhatGooglewastryingtodo.SomereportedthatGooglewastryingtoincorporatesearchandotherapplicationsintomobilehandsets.AfewothersreportedthatGooglewasdevelopingitsownmobilehandset.Finallyin2007,OpenHandsetAlliance(OHA),agroupoftechnologycompanies,devicemanufacturers,chipsetmakers,andwirelesscarriers,wasformedwiththemainobjectiveofproposingopenstandardsforthemobileplatform.TogethertheydevelopedAndroid,thefirstopenandfreemobileplatformbuiltonLinuxkernel2.6.Laterin2008,HTCDreamwasreleasedwhichwasthefirstphonetoruntheAndroidoperatingsystem.Afterthat,itwasadreamrunforAndroid,withitsmarketshareincreasingexponentiallyoverthenextfewyears.AbreakdownonthehistoryofAndroidcanbefoundathttp://www.xcubelabs.com/the-android-story.php.SeveralversionsofitsLinux-basedoperatingsystemhavebeenreleasedinalphabeticalorder.

TheversionhistoryofAndroidcanbefoundathttp://faqoid.com/advisor/android-versions.php,anoverviewofwhichisshowninthefollowingtable:

Version Versionname Releaseyear

Android1.0 Applepie 2008

Android1.1 Bananabread 2009

Android1.5 Cupcake 2009

Android1.6 Donut 2009

Android2.0 Eclair 2009

Android2.2 Froyo 2010

Android2.3 Gingerbread 2010

Android3.0 Honeycomb 2011

Android4.0 IceCreamSandwich 2011

Android4.1 JellyBean 2012

Android4.4 KitKat 2013

TheAndroidmodelToeffectivelyunderstandtheforensicconceptsofAndroid,itwouldbehelpfultohaveabasicunderstandingoftheAndroidarchitecture.Justlikeacomputer,anycomputingsystemthatinteractswiththeuserandperformscomplicatedtasksrequiresanoperatingsystemtohandlethetaskseffectively.Thisoperatingsystem(whetherit'sadesktopoperatingsystemoramobilephoneoperatingsystem)takestheresponsibilitytomanagetheresourcesofthesystemandtoprovideawayfortheapplicationstotalktothehardwareorphysicalcomponentstoaccomplishcertaintasks.Androidiscurrentlythemostpopularmobileoperatingsystemdesignedtopowermobiledevices.Youcanfindoutmoreaboutthisathttp://developer.android.com/about/index.html.AndroidisopensourceandthecodeisreleasedunderApachelicense.Practically,thismeansanyone(especiallydevicemanufacturers)canaccessit,freelymodifyit,andusethesoftwareaccordingtotherequirementsofanydevice.Thisisoneoftheprimaryreasonsforitswideacceptance.NotableplayersthatuseAndroidincludeSamsung,HTC,Sony,LG,andsoon.

Aswithanyotherplatform,Androidconsistsofastackoflayersrunningoneabovetheother.TounderstandtheAndroidecosystem,it'sessentialtohaveabasicunderstandingofwhattheselayersareandwhattheydo.ThefollowingfiguresummarizesthevariouslayersinvolvedintheAndroidsoftwarestack(https://viaforensics.com/wp-content/uploads/2009/08/Android-Forensics-Andrew-Hoog-viaForensics.pdf):

Androidarchitecture

Eachoftheselayersperformsseveraloperationsthatsupportspecificoperatingsystemfunctions(http://www.android-app-market.com/android-architecture.html).Eachlayerprovidesservicestothelayerslyingontopofit.

TheLinuxkernellayer

AndroidOSisbuiltontopoftheLinuxkernelwithsomearchitecturalchangesmadebyGoogle.ThereareseveralreasonsforchoosingtheLinuxkernel.Mostimportantly,Linuxisaportableplatformthatcanbecompiledeasilyondifferenthardware.Thekernelactsasanabstractionlayerbetweenthesoftwareandhardwarepresentonthedevice.Considerthecaseofacameraclick.Whathappenswhenyouclickaphotousingthecamerabuttononyourdevice?Atsomepoint,thehardwareinstruction(pressingabutton)hastobeconvertedtoasoftwareinstruction(totakeapictureandstoreitinthegallery).Thekernelcontainsdriverstofacilitatethisprocess.Whentheuserclicksonthebutton,theinstructiongoestothecorrespondingcameradriverinthekernel,whichsendsthenecessarycommandstothecamerahardware,similartowhatoccurswhenakeyispressedonakeyboard.Insimplewords,thedriversinthekernelcommandcontroltheunderlyinghardware.Asshownintheprecedingfigure,thekernelcontainsdriversrelatedtoWi-Fi,Bluetooth,USB,audio,display,andsoon.

TheLinuxkernelisresponsibleformanagingthecorefunctionalityofAndroid,suchasprocessmanagement,memorymanagement,security,andnetworking.Linuxisaprovenplatformwhenitcomestosecurityandprocessmanagement.AndroidhastakenleverageoftheexistingLinuxopensourceOStobuildasolidfoundationforitsecosystem.EachversionofAndroidhasadifferentversionoftheunderlyingLinuxkernel.ThecurrentKitKatAndroidversionisrumoredtouseLinuxkernel3.8(http://www.phonearena.com/news/Android-4.4-KitKat-update-release-date-features-and-rumors_id47661).

Libraries

ThenextlayerintheAndroidarchitectureconsistsofAndroid'snativelibraries.ThelibrariesarewrittenintheCorC++languageandhelpthedevicetohandledifferentkindsofdata.Forexample,theSQLitelibrariesareusefulforstoringandretrievingthedatafromadatabase.OtherlibrariesincludeMediaFramework,WebKit,SurfaceManager,SSL,andsoon.TheMediaFrameworklibraryactsasthemaininterfacetoprovideaservicetotheotherunderlyinglibraries.TheWebKitlibraryprovideswebpagesinwebbrowsersandthesurfacemanagermaintainsthegraphics.Inthesamelayer,wehaveAndroidRuntime,whichconsistsofDalvikvirtualmachine(DVM)andcorelibraries.TheAndroidruntimeisresponsibleforrunningapplicationsonAndroiddevices.Theterm"runtime"referstothelapseintimefromwhenanapplicationislauncheduntilitisshutdown.

Dalvikvirtualmachine

AlltheapplicationsthatyouinstallontheAndroiddevicearewrittenintheJavaprogramminglanguage.WhenaJavaprogramiscompiled,wegetbytecode.JVMisavirtualmachine(avirtualmachineisanapplicationthatactsasanoperatingsystem,thatis,itispossibletorunaWindowsOSonaMacorviceversabyusingavirtualmachine)thatcanexecutethisbytecode.ButAndroidusessomethingcalledDalvikvirtualmachine(DVM)torunitsapplications.

DVMrunsDalvikbytecode,whichisJavabytecodeconvertedbytheDexcompiler(http://markfaction.wordpress.com/2012/07/15/stack-based-vs-register-based-virtual-machine-architecture-and-the-dalvik-vm/).Thus,the.classfilesareconvertedtodexfilesusingthedxtool.DalvikbytecodewhencomparedwithJavebytecodeismoresuitableforlow-memoryandlow-processingenvironments.Also,notethatJVM'sbytecodeconsistsofoneormore.classfilesdependingonthenumberofJavafilesthatarepresentinanapplication,butDalvikbytecodeiscomposedofonlyonedexfile.EachAndroidapplicationrunsitsowninstanceofDalvikvirtualmachine.ThisisacrucialaspectofAndroidsecurityandwillbeaddressedindetailinChapter8,AndroidForensicSetupandPreDataExtractionTechniques.ThefollowingfigureprovidesaninsightintohowAndroid'sDVMdiffersfromJava'sJVM.

JVMversusDVM

Theapplicationframeworklayer

Theapplicationframeworkisthelayerresponsibleforhandlingthebasicfunctioningofaphone,suchasresourcemanagement,handlingcalls,andsoon.Thisistheblockwithwhichtheapplicationsinstalledonthedevicedirectlytalktoit.Thefollowingaresomeoftheimportantblocksintheapplicationframeworklayer:

TelephonyManager:ThisblockmanagesallthevoicecallsContentProvider:ThisblockmanagesthesharingofdatabetweendifferentapplicationsResourceManager:Thisblockhelpsmanagevariousresourcesusedinapplications

Theapplicationslayer

Thisisthetopmostlayerwheretheusercaninteractdirectlywiththedevice.Therearetwokindsofapplications—preinstalledapplicationsanduser-installedapplications.Preinstalledapplications,suchasDialer,WebBrowser,Contacts,andmorecomealongwiththedevice.User-installedapplicationscanbedownloadedfromdifferentplaces,suchasGooglePlayStore,AmazonMarketplace,andsoon.Everythingthatyouseeonyourphone(contacts,mail,camera,andsoon)isanapplication.

AndroidsecurityAndroidwasdesignedwithaspecificfocusonsecurity.Androidasaplatformoffersandenforcescertainfeaturesthatsafeguardtheuserdatapresentonthemobilethroughmultilayeredsecurity.Therearecertainsafe-defaultsthatwillprotecttheuserandcertainofferingsthatcanbeleveragedbythedevelopmentcommunitytobuildsecureapplications.ThefollowingareissueswhicharekeptinmindwhileincorporatingtheAndroidsecuritycontrols:

Protectinguser-relateddataSafeguardingthesystemresourcesMakingsureoneapplicationcannotaccessthedataofanotherapplication

ThenextfewconceptshelpusunderstandmoreaboutAndroid'ssecurityfeaturesandofferings.AdetailedexplanationonAndroidsecuritycanbefoundathttp://source.android.com/devices/tech/security/.

Securekernel

Linuxhasevolvedasatrustedplatformovertheyears,andAndroidhasleveragedthisfactbyusingitasitskernel.Theuser-basedpermissionmodelofLinuxhasinfactworkedwellforAndroid.Asmentionedearlier,thereisalotofspecificcodebuiltintotheLinuxkernel.WitheachAndroidversionrelease,thekernelversionhasalsochanged.ThefollowingtableshowsAndroidversionsandtheircorrespondingkernelversions:

Androidversion Linuxkernelversion

1 2.6.25

1.5 2.6.27

1.6 2.6.29

2.2 2.6.32

2.3 2.6.35

3 2.6.36

4 3.0.1

4.1 3.0.31

4.2 3.4.0

4.2 3.4.39

4.4 3.8

LinuxkernelversionsusedinAndroid

Thepermissionmodel

Asshowninthefollowingscreenshot,anyAndroidapplicationmustbegrantedpermissionstoaccesssensitivefunctionality,suchastheInternet,dialer,andsoon,bytheuser.Thisprovidesanopportunityfortheusertoknowinadvancewhatfunctionalityonthedevicetheapplicationistryingtoaccess.Simplyput,itrequirestheuser'spermissiontoperformanykindofmaliciousactivity(stealingdata,compromisingthesystem,andsoon).

Thismodelhelpstheusertopreventattacks,butiftheuserisunawareandgivesawayalotofpermissions,itleavesthemintrouble(rememberwhenitcomestoinstallingmalwareonanydevice,theweakestlinkisalwaystheuser).

ThepermissionmodelinAndroid

Applicationsandbox

InLinuxsystems,eachuserisassignedauniqueuserID(UID),andusersaresegregatedsothatoneusercanaccessthedataofanotheruser.However,allapplicationsunderaparticularuserarerunwiththesameprivileges.SimilarlyinAndroid,eachapplicationrunsasauniqueuser.Inotherwords,aUIDisassignedtoeachapplicationandisrunasaseparateprocess.Thisconceptensuresanapplicationsandboxatthekernellevel.ThekernelmanagesthesecurityrestrictionsbetweentheapplicationsbymakinguseofexistingLinuxconcepts,suchasUIDandGID.Ifanapplicationattemptstodosomethingmalicious,saytoreadthedataofanotherapplication,thisisnotpermittedastheapplicationdoesnothavetheuserprivileges.Hence,theoperatingsystemprotectsanapplicationfromaccessingthedataofanotherapplication.

Secureinterprocesscommunication

Androidoffersasecureinterprocesscommunicationthroughwhichone'sactivityinanapplicationcansendmessagestoanotheractivityinthesameapplicationoradifferentapplication.Toachievethis,Androidprovidesinterprocesscommunication(IPC)mechanisms:intents,services,contentproviders,andsoon.

Applicationsigning

Itismandatorythatalltheinstalledapplicationsbedigitallysigned.DeveloperscanplacetheirapplicationsinGoogle'sPlayStoreonlyaftersigningtheapplications.Theprivatekeywithwhichtheapplicationissignedisheldbythedeveloper.Usingthesamekey,adevelopercanprovideupdatestotheirapplication,sharedatabetweentheapplications,andsoon.

AndroidfilehierarchyInordertoperformforensicanalysisonanysystem(desktopormobile),it'simportanttounderstandtheunderlyingfilehierarchy.AbasicunderstandingofhowAndroidorganizesitsdatainfilesandfoldershelpsaforensicanalystnarrowdowntheirresearchtospecificissues.Justlikeanyotheroperatingsystem,Androidusesseveralpartitions.Thischapterprovidesaninsightintosomeofthemostsignificantpartitionsandthecontentstoredinthem.

It'sworthmentioningagainthatAndroidusestheLinuxkernel.Hence,ifyouarefamiliarwithUnix-likesystems,youwillverywellunderstandthefilehierarchyinAndroid.ForthosewhoarenotverywellacquaintedwiththeLinuxmodel,hereissomebasicinformation:inLinux,thefilehierarchyisasingletreewiththetopofthetreebeingdenotedas/(calledthe"root").Thisisdifferentfromtheconceptoforganizingfilesindrives(aswithWindows).Whetherthefilesystemislocalorremote,itwillbepresentundertheroot.TheAndroidfilehierarchyisacustomizedversionofthisexistingLinuxhierarchy.BasedonthedevicemanufacturerandtheunderlyingLinuxversion,thestructureofthishierarchymayhaveafewinsignificantchanges.ThefollowingisalistofimportantfoldersthatarecommontomostAndroiddevices.Someofthefolderslistedareonlyvisiblethroughrootaccess.

/boot:Asthenamesuggests,thispartitionhastheinformationandfilesrequiredforthephonetoboot.ItcontainsthekernelandRAMdisk,andsowithoutthispartitionthephonecannotstartitsprocesses.DataresidinginRAMisrichinvalueandshouldbecapturedduringaforensicacquisition./system:Thispartitioncontainssystem-relatedfilesotherthankernelandRAMdisk.Thisfoldershouldneverbedeletedasthatwillmakethedeviceunbootable.Thecontentsofthispartitioncanbeviewedbyusingthefollowingcommand:

shell@Android:/$cd/system

cd/system

shell@Android:/system$ls

ls

CSCVersion.txt

SW_Configuration.xml

app

bin

build.prop

cameradata

cameradata

csc

csc_contents

etc

fonts

framework

hdic

lib

media

recovery-from-boot.p

sipdb

tts

usr

vendor

voicebargeindata

vsc

wakeupdata

wallpaper

xbi

/recovery:Thisisdesignedforbackuppurposesandallowsthedevicetobootintotherecoverymode.Intherecoverymode,youcanfindtoolstorepairyourphoneinstallation./data:Thisisthepartitionthatcontainsthedataofeachapplication.Mostofthedatabelongingtotheuser,suchasthecontacts,SMS,anddialednumbers,isstoredinthisfolder.Thisfolderhassignificantimportancefromaforensicpointofviewasitholdsvaluabledata.Thecontentsofthedatafoldercanbeviewedusingthefollowingcommand:

C:\Android-sdk-windows\platform-tools>adb.exeshell

root@Android:/#cd/data

cd/data

root@Android:/data#ls

ls

anr

app

app-private

backup

camera

dalvik-cache

data

dontpanic

drm

local

lost+found

misc

property

property

resource-cache

system

system.notfirstrun

user

/cache:Thisisthefolderusedtostorefrequentlyaccesseddataandsomeofthelogsforfasterretrieval.Thecachepartitionisalsoimportanttotheforensicinvestigationasthedataresidingheremaynolongerbepresentinthe/datapartition./misc:Asthenamesuggests,thisfoldercontainsinformationaboutmiscellaneoussettings.Thesesettingsmostlydefinethestateofthedevice,thatisOn/Off.Informationabouthardwaresettings,USBsettings,andsoon,canbeaccessedfromthisfolder.

AndroidfilesystemUnderstandingthefilesystemisoneessentialpartofforensicmethodologies.Knowledgeaboutpropertiesandthestructureofafilesystemprovestobeusefulduringforensicanalysis.Filesystemreferstothewaydataisstored,organized,andretrievedfromavolume.Abasicinstallationmaybebasedononevolumesplitintoseveralpartitions;hereeachpartitioncanbemanagedbyadifferentfilesystem.AsistrueinLinux,Androidutilizesmountpointsandnotdrives(thatisC:orE:).Eachfilesystemdefinesitsownrulesformanagingthefilesonthevolume.Dependingontheserules,eachfilesystemoffersadifferentspeedforfileretrieval,security,size,andsoon.Linuxusesseveralfilesystems,andsodoesAndroid.Fromaforensicpointofview,it'simportanttounderstandwhatfilesystemsareusedbyAndroidandtoidentifythefilesystemsthatareofsignificancetotheinvestigation.Forexample,thefilesystemthatstorestheuser'sdataisofprimaryconcerntousasagainstafilesystemusedtobootthedevice.

ViewingfilesystemsonanAndroiddevice

ThefilesystemssupportedbytheAndroidkernelcanbedeterminedbycheckingthecontentsofthefilefilesystemsintheprocfolder.Thecontentofthisfilecanbeviewedbyusingthefollowingcommand:

shell@Android:/$cat/proc/filesystems

cat/proc/filesystems

nodevsysfs

nodevrootfs

nodevbdev

nodevproc

nodevcgroup

nodevtmpfs

nodevbinfmt_misc

nodevdebugfs

nodevsockfs

nodevusbfs

nodevpipefs

nodevanon_inodefs

nodevdevpts

ext2

ext3

ext4

nodevramfs

vfat

msdos

nodevecryptfs

nodevfuse

fuseblk

nodevfusectl

exfat

Intheprecedingoutput,thefirstcolumntellsuswhetherthefilesystemismountedonthedevice.Theoneswiththenodevpropertyarenotmountedonthedevice.Thesecondcolumnlistsallthefilesystemspresentonthedevice.Asimplemountcommanddisplaysdifferentpartitionsavailableonthedevice,asfollows:

shell@Android:/$mount

mount

rootfs/rootfsro,relatime00

tmpfs/devtmpfsrw,nosuid,relatime,mode=75500

devpts/dev/ptsdevptsrw,relatime,mode=60000

proc/procprocrw,relatime00

sysfs/syssysfsrw,relatime00

none/acctcgrouprw,relatime,cpuacct00

tmpfs/mnt/asectmpfsrw,relatime,mode=755,gid=100000

tmpfs/mnt/obbtmpfsrw,relatime,mode=755,gid=100000

none/dev/cpuctlcgrouprw,relatime,cpu00

/dev/block/mmcblk0p9/systemext4ro,noatime,barrier=1,data=ordered

00

/dev/block/mmcblk0p3/efsext4

rw,nosuid,nodev,noatime,barrier=1,journal_async_commit,data=ordered

00

/dev/block/mmcblk0p8/cacheext4

rw,nosuid,nodev,noatime,barrier=1,journal_async_commit,data=ordered

00

/dev/block/mmcblk0p12/dataext4

rw,nosuid,nodev,noatime,barrier=1,journal_async

_commit,data=ordered,noauto_da_alloc,discard00

/sys/kernel/debug/sys/kernel/debugdebugfsrw,relatime00

/dev/fuse/storage/sdcard0fuse

rw,nosuid,nodev,noexec,relatime,user_id=1023,gro

up_id=1023,default_permissions,allow_other00

Thenextfewsectionsprovideabriefoverviewoftheimportantfilesystems.

Therootfilesystem(rootfs)isoneofthemaincomponentsofAndroidandcontainsalltheinformationrequiredtobootthedevice.Whenthedevicestartsthebootprocess,itneedsaccesstomanycorefilesandthusmountstherootfilesystem.Asshownintheprecedingmountcommand-lineoutput,thisfilesystemismountedat/(rootfolder).Hence,thisisthefilesystemonwhichalltheotherfilesystemsareslowlymounted.Ifthisfilesystemiscorrupt,thedevicecannotbebooted.

Thesysfsfilesystemmountsthe/sysfolder,whichcontainsinformationabouttheconfigurationofthedevice.ThefollowingoutputshowsvariousfoldersunderthesysdirectoryinanAndroiddevice:

shell@Android:/$cd/sys

cd/sys

shell@Android:/sys$ls

ls

block

bus

class

dev

devices

firmware

fs

kernel

module

power

Sincethedatapresentinthesefoldersismostlyrelatedtoconfiguration,thisisnotusuallyofmuchsignificancetoaforensicinvestigator.Buttherecouldbesomecircumstanceswherewemightwanttocheckifaparticularsettingwasenabledonthephone,andanalyzingthisfoldercouldbeusefulundersuchconditions.Notethateachfolderconsistsofalargenumberoffiles.Capturingthisdatathroughforensicacquisitionisthebestmethodtoensurethisdataisnotchangedduringexamination.

ThedevptsfilesystempresentsaninterfacetotheterminalsessiononanAndroiddevice.Itismountedat/dev/pts.Wheneveraterminalconnectionisestablished,forinstance,whenanadbshellisconnectedtoanAndroiddevice,anewnodeiscreatedunder/dev/pts.Thefollowingistheoutputshowingthiswhentheadbshellisconnectedtothedevice:

shell@Android:/$ls-l/dev/pts

ls-l/dev/pts

crw-------shellshell136,02013-10-2616:560

Thecgroupfilesystemstandsforcontrolgroups.Androiddevicesusethisfilesystemtotracktheirjob.Theyareresponsibleforaggregatingthetasksandkeepingtrackofthem.Thisdataisgenerallynotveryusefulduringforensicanalysis.

Theprocfilesystemcontainsinformationaboutkerneldatastructures,processes,andothersystem-relatedinformationunderthe/procdirectory.Forinstance,the/sysdirectorycontainsfilesrelatedtokernelparameters.Similarly,/proc/filesystemsdisplaysthelistofavailablefilesystemsonthedevice.ThefollowingcommandshowsallinformationabouttheCPUofthedevice:

shell@Android:/$cat/proc/cpuinfo

cat/proc/cpuinfo

Processor:ARMv7Processorrev0(v7l)

processor:0

BogoMIPS:1592.52

processor:3

BogoMIPS:2786.91

Features:swphalfthumbfastmultvfpedspneonvfpv3tls

CPUimplementer:0x41

CPUarchitecture:7

CPUvariant:0x3

CPUpart:0xc09

CPUrevision:0

Chiprevision:0011

Hardware:SMDK4x12

Revision:000c

Serial:****************

Similarly,therearemanyotherusefulfilesthatprovidevaluableinformationwhenyoutraversethroughthem.

ThetmpfsfilesystemisatemporarystoragefacilityonthedevicethatstoresthefilesinRAM(volatilememory).ThemainadvantageofusingRAMisfasteraccessandretrieval.Butoncethedeviceisrestartedorswitchedoff,thisdatawillnotbeaccessibleanymore.Hence,it'simportantforaforensicinvestigatortoexaminethedatainRAMbeforeadevicereboothappensorextractthedataviaRAMacquisitionmethods.

ExtendedFileSystem–EXT

ExtendedFileSystem(EXT),whichwasintroducedin1992specificallyfortheLinuxkernel,wasoneofthefirstfilesystemsandusedthevirtualfilesystem.EXT2,EXT3,andEXT4arethesubsequentversions.JournalingisthemainadvantageofEXT3overEXT2.WithEXT3,incaseofanunexpectedshutdown,thereisnoneedtoverifythefilesystem.theEXT4filesystem,thefourthextendedfilesystem,hasgainedsignificancewithmobiledevicesimplementingdual-coreprocessors.TheYAFFS2filesystemisknowntohaveabottleneckondual-coresystems.WiththeGingerbreadversionofAndroid,theYAFFSfilesystemwasswappedforEXT4.ThefollowingarethemountpointsthatuseEXT4onSamsungGalaxyS3mobile:

/dev/block/mmcblk0p9/systemext4ro,noatime,barrier=1,data=ordered

00

/dev/block/mmcblk0p3/efsext4

rw,nosuid,nodev,noatime,barrier=1,journal_async_commit,data=ordered

00

/dev/block/mmcblk0p8/cacheext4

rw,nosuid,nodev,noatime,barrier=1,journal_async_commit,data=ordered

00

/dev/block/mmcblk0p12/dataext4

rw,nosuid,nodev,noatime,barrier=1,journal_async_commit,data=ordered

,noauto_da_alloc,discard00

VFATisanextensiontotheFAT16andFAT32filesystems.Microsoft'sFAT32filesystemissupportedbymostAndroiddevices.Itissupportedbyalmostallthemajoroperatingsystems,includingWindows,Linux,andMacOS.Thisenablesthesesystemstoeasilyread,modify,anddeletethefilespresentontheFAT32portionoftheAndroiddevice.MostoftheexternalSDcardsareformattedusingtheFAT32filesystem.Observethefollowingoutput,whichshowsthatthemountpoints/sdcardand/secure/asecusetheVFATfilesystem.

shell@Android:/sdcard$mount

mount

rootfs/rootfsrw00

tmpfs/devtmpfsrw,nosuid,relatime,mode=75500

devpts/dev/ptsdevptsrw,relatime,mode=600,ptmxmode=00000

proc/procprocrw,relatime00

sysfs/syssysfsrw,relatime00

tmpfs/mnt/asectmpfsrw,relatime,mode=755,gid=100000

tmpfs/mnt/obbtmpfsrw,relatime,mode=755,gid=100000

/dev/block/nandd/systemext4

rw,nodev,noatime,user_xattr,barrier=0,data=ordered00

/dev/block/nande/dataext4

rw,nosuid,nodev,noatime,user_xattr,barrier=0,journal_checksum,data=

ordered,noauto_da_alloc00

/dev/block/nandh/cacheext4

rw,nosuid,nodev,noatime,user_xattr,barrier=0,journal_checksum,data=

ordered,noauto_da_alloc00

/dev/block/vold/93:64/mnt/sdcardvfat

rw,dirsync,nosuid,nodev,noexec,relatime,uid=1000,gid=1015,fmask=070

2,dmask=0702,allow_utime=0020,codepage=cp437,iocharset=ascii,shortn

ame=mixed,utf8,errors=remount-ro00

/dev/block/vold/93:64/mnt/secure/asecvfat

rw,dirsync,nosuid,nodev,noexec,relatime,uid=1000,gid=1015,fmask=070

2,dmask=0702,allow_utime=0020,codepage=cp437,iocharset=ascii,shortn

ame=mixed,utf8,errors=remount-ro00

tmpfs/mnt/sdcard/.Android_securetmpfs

ro,relatime,size=0k,mode=00000

/dev/block/dm-0/mnt/asec/com.kiloo.subwaysurf-1vfat

ro,dirsync,nosuid,nodev,relatime,uid=1000,fmask=0222,dmask=0222,cod

epage=cp437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro

00

YetAnotherFlashFileSystem2(YAFFS2)isanopensource,single-threadedfilesystemreleasedin2002.ItismainlydesignedtobefastwhendealingwithNANDflash.YAFFS2utilizesOOB(outofband)andthatisoftennotcapturedordecodedcorrectlyduringforensicacquisition,whichmakesanalysisdifficult.ThiswillbediscussedmoreinChapter9,AndroidDataExtractionTechniques.YAFFS2wasthemostpopularreleaseatonepointandisstillwidelyusedinAndroiddevices.YAFFS2isalog-structuredfilesystem.Dataintegrityisguaranteedevenincaseofsuddenpoweroutage.In2010,therewasanannouncementstatingthatinreleasesafterGingerbread,devicesweregoingtomovefromYAFFS2toEXT4.CurrentlyYAFFS2isnotsupportedinnewerkernelversions,butcertainmobilemanufacturersmightstillcontinuetosupportit.

FlashFriendlyFileSystem(F2FS)wasreleasedinFebruary2013tosupportSamsungdevicesrunningtheLinux3.8kernel(http://www.linux.org/threads/flash-friendly-file-system-f2fs.4477/).F2FSreliesonlog-structuredmethodsthatoptimizeNANDflashmemory.Theofflinesupportfeaturesareahighlightofthisfilesystem.Yet,thefilesystemisstill

transientandbeingupdated.

RobustFileSystem(RFS)supportsNANDflashmemoryonSamsungdevices.RFScanbesummarizedasaFAT16(orFAT32)filesystemwherejournalingisenabledthroughatransactionlog.ManyuserscomplainthatSamsungshouldstickwithEXT4.RFShasbeenknowntohavelagtimesthatslowdownthefeaturesofAndroid.

SummaryUnderstandingtheunderlyingfeatures,filesystems,andcapabilitiesofanAndroiddeviceprovesusefulinaforensicinvestigation.UnlikeiOS,severalvariantsofAndroidexistasmanydevicesruntheAndroidoperatingsystemandeachmayhavedifferentfilesystemsanduniquefeatures.ThefactthatAndroidisopenandcustomizablealsochangestheplayingfieldofdigitalforensics.AforensicexaminermustbepreparedtoexpecttheunexpectedwhenhandlinganAndroiddevice.Inthenextchapter,wewilldiscussmethodsforaccessingthedatastoredonAndroiddevices.

Chapter8.AndroidForensicSetupandPreDataExtractionTechniquesHavinganestablishedforensicenvironmentbeforethestartofanexaminationisimportantasitensuresthatthedataisprotectedwhiletheexaminermaintainscontroloftheworkstation.Thischapterwillexplaintheprocessandconsiderationswhensettingupadigitalforensicexaminationenvironment.Itisparamountthattheexaminermaintainscontroloftheforensicenvironmentatalltimes.Thispreventstheintroductionofcrosscontaminantsthatcouldeffecttheforensicinvestigation.ThischapteraimstocovertheminimumbasicrequirementsthatshouldbeinplacetostartaforensicinvestigationofanAndroidmobiledevice.

AforensicenvironmentsetupSettingupaproperlabenvironmentisanessentialpartofaforensicprocess.Androidforensicsetupusuallyinvolvesthefollowing:

Startwithafreshorforensicallysterilecomputerenvironment.Thismeansthatotherdataisnotpresentonthesystemoriscontainedinamannerthatitcannotcontaminatethepresentinvestigation.Installbasicsoftwarenecessarytoconnecttothedevice.AndroidforensictoolsandmethodologieswillworkonWindows,Linux,andOSXplatforms.Obtainaccesstothedevice.AnexaminermustbeabletoenablesettingsorbypasstheminordertoallowthedatatobeextractedfromtheAndroiddevice.IssuecommandstothedevicethroughthemethodsdefinedinthischapterandinChapter9,AndroidDataExtractionTechniques.

ThefollowingsectionsprovideguidanceonsettingupabasicAndroidforensicworkstation.

AndroidSoftwareDevelopmentKit

TheAndroidSoftwareDevelopmentKit(SDK)helpsthedevelopmentworldtobuild,test,anddebugapplicationstorunonAndroid.Thisisachievedbyprovidingnecessarytoolstocreatetheapplications.Butalongwiththis,italsoprovidesvaluabledocumentationandothertoolsthatcanbeofgreathelpduringtheinvestigationofanAndroiddevice.AgoodunderstandingoftheAndroidSDKwillhelpyoutogettogripswiththeparticularsofadeviceandthedataonthedevice.

TheAndroidSDKconsistsofsoftwarelibraries,APIs,tools,emulators,andotherreferencematerial.Itcanbedownloadedforfreefromhttp://developer.android.com/.Duringaforensicinvestigation,theSDKhelpsconnecttoandaccessthedataontheAndroiddevice.TheAndroidSDKisupdatedveryfrequentlysoit'simportanttoverifythatyourworkstationalsoremainsupdated.TheAndroidSDKcanrunonWindows,Linux,andOSX.

AndroidSDKinstallation

AworkinginstallationofTheAndroidSDKisamustduringtheinvestigationofaforensicdevice.MostwebsitesrecognizetheoperatingsystemonthecomputerandwillpromptyoutodownloadthecorrectAndroidSDK.Thefollowingisastep-by-stepproceduretoinstalltheAndroidSDKonaWindows7machine:

1. BeforeyouinstalltheAndroidSDK,makesureyoursystemhasJavaDevelopmentKitinstalledbecausetheAndroidSDKreliesonJavaSEDevelopmentKit(JDK).JDKcanbedownloadedfromhttp://www.oracle.com/technetwork/java/javase/downloads/index.html.

2. DownloadthelatestversionoftheAndroidSDKfromhttp://developer.android.com/.TheinstallerversionoftheSDKisrecommendedforthispurpose.

3. Runtheinstallerfile,whichwasdownloadedinstep2.Awizardwindowwillbeshown,asseeninthefollowingscreenshot.Afterthis,runthroughtheroutineNextstepsthatyouencounter.

AndroidSDKToolssetupwizard

4. Theinstallationlocationistheuser'schoiceandmustberememberedforfutureaccess.Inthisexample,wewillinstallitintheC:\folder.ClickontheInstallbuttonandchoosethelocation(say,C:\android-sdk).Thenecessaryfileswillbeextractedtothisfolder.

5. Openthedirectory(C:\android-sdk)anddouble-clickonSDKManager.exetobegintheupdateprocess.MakesurethatyouselectAndroidSDKPlatformtoolsandanyonereleaseplatformversionofAndroidasshowninthefollowingscreenshot.Someoftheitemsinthelistarechosenbydefault.Forinstance,itisnecessarytoinstalltheUSBdriverinordertoworkwithAndroiddevicesinWindows.Inourexample,GoogleUSBDriverisselected.Similarly,youcanfindotheritemsundertheExtrassection.Acceptthelicenseandinstallit,asshowninthefollowingscreenshot:

AndroidSDKLicense

ThiscompletestheAndroidSDKinstallationandyoucanupdatethesystem'senvironmentvariables(Path)bypointingtotheexecutablefiles.TheinstallationoftheAndroidSDKonOSXandLinuxmayvary.MakesurethatyoufollowallthestepsprovidedwiththeSDKdownloadforfullfunctionality.

AndroidVirtualDevice

OncetheAndroidSDKisinstalledalongwiththereleaseplatform,youcancreateanAndroidVirtualDevice(alsocalledanemulator/AVD),whichisoftenusedbydeveloperswhencreatingnewapplications.However,anemulatorhassignificancefromaforensicperspectivetoo.Emulatorsareusefulwhentryingtounderstandhowapplicationsbehaveandexecuteonadevice.Thiscouldbehelpfultoconfirmcertainfindingsthatareunearthedduringaforensicinvestigation.Also,whileworkingonadevicewhichisrunningonanolderplatform,youcandesignanemulatorwiththesameplatform.Furthermore,beforeinstallingaforensictoolonarealdevice,theemulatorcanbeusedtofindouthowaforensictoolworksandchangescontentonanAndroiddevice.TocreateanewAVD(ontheWindowsworkstation),performthefollowingsteps:

1. Openthecommandprompt(cmd.exe).TostarttheAVDmanagerfromthecommandline,navigatetothepathwheretheSDKisinstalledandcalltheandroidtoolwiththeavdoptionasshowninthefollowingcommandline.ThiswouldautomaticallyopentheAVDmanager.

C:\android-sdk\tools>androidavd

Tip

Alternately,theAVDmanagercanalsobestartedusingthegraphicalAVDmanager.Tostartthis,navigatetothelocationwheretheSDKisinstalled(C:\android-sdk)inourexampleanddouble-clickonAVDManager.

TheAndroidVirtualDeviceManagerwindowisasshowninthefollowingscreenshot:

AndroidVirtualDeviceManager

2. ClickonNewintheAVDManagerwindowtocreateanewvirtualdevice.ClickonEdittochangetheconfigurationofanexistingvirtualdeviceasshowninthefollowingscreenshot:

Virtualdeviceconfiguration

3. Enterthedetailsasperthefollowinginformation:AVDName:Thisoptionisusedtoprovideanynameforthevirtualdevice,forexample,ForensicsAVD.

Device:Thisoptionisusedtoselectanydevicefromtheavailableoptionsbasedonthescreensize.Target:Thisoptionhelpsyoutoselecttheplatformofthedevice.NotethatonlytheversionsthatwereselectedandinstalledduringtheSDKinstallationwillbeshownheretobeselected.Forourexample,theAndroid4.4platformisselected.Similarly,youcanselecthardwarefeaturestocustomizetheemulator,forexample,thesizeofinternalstoragememory,SDcard,andsoon.

4. Aconfirmationmessageisshownoncethedeviceissuccessfullycreated.Now,selecttheAVDandclickonStart.Thiswillpromptyouwiththelaunchoptions.SelectanyoptionandclickonLaunch.

5. Thisshouldlaunchtheemulator.Notethatthiscouldtakeafewminutesorevenlongerdependingontheworkstation'sCPUandRAM.Theemulatordoesconsumeasignificantamountofresourcesonthesystem.Afterasuccessfullaunch,theAVDwillberunningasshowninthefollowingscreenshot:

TheAndroidemulator

Withemulator,youcanconfiguree-mailaccounts,installapplications,surftheInternet,sendtextmessages,andmore.Fromaforensicperspective,analystsandsecurityresearcherscanleveragethefunctionalityofanemulatortounderstandthefilesystem,datastorage,andsoon.Thedatacreatedwhenworkingonanemulatorisstoredinyourhomedirectory,inafoldernamed.android.Forinstance,inourexample,thedetailsabouttheForensicsAVDemulatorthatwecreatedearlierarestoredunderC:\Users\Rohit\.android\avd\ForensicsAVD.avd.Amongthevariousfiles

presentunderthisdirectory,thefollowingarethefilesthatareofinterestforaforensicanalyst:

cache.img:Thisisthediskimageofthe/cachepartition(rememberthatwediscussedthe/cachepartitionofanAndroiddeviceinChapter7,UnderstandingAndroid).sdcard.img:ThisisthediskimageoftheSDcardpartition.Userdata-qemu.img:Thisisthediskimageofthe/datapartition.The/datapartitioncontainsvaluableinformationaboutthedeviceuser.

ConnectinganAndroiddevicetoaworkstation

ForensicacquisitionofanAndroiddeviceusingopensourcetoolsrequiresconnectingthedevicetoaforensicworkstation.Forensicacquisitionofanydeviceshouldbeconductedonaforensicallysterileworkstation.Thismeansthattheworkstationisstrictlyusedforforensicsandnotforpersonaluse.Also,notethatanytimeadeviceispluggedintoacomputer,changescanbemadetothedevice.TheexaminermusthavefullcontrolofallinteractionswiththeAndroiddeviceatalltimes.

Thefollowingstepsshouldbeperformedbytheexaminerinordertoconnectthedevicesuccessfullytoaworkstation.Notethatwriteprotectionmaypreventthesuccessfulacquisitionofthedevicesincecommandsmayneedtobepushedtothedeviceinordertopullinformation.Allthefollowingstepsshouldbevalidatedonatestdevicepriortoattemptingthemonrealevidence.

Identifyingthedevicecable

ThephysicalUSBinterfaceofanAndroiddeviceallowsittoconnecttoacomputertosharedata,suchassongs,videos,andphotos.ThisUSBinterfacemightchangefrommanufacturertomanufacturerandalsofromdevicetodevice.Forexample,somedevicesusemini-USBwhilesomeothersusemicro-USB.Apartfromthis,somemanufacturersusetheirownproprietaryformats,suchasEXT-USB,EXTmicro-USB,andsoon.ThefirststepinacquiringanAndroiddeviceistodeterminewhatkindofdevicecableisrequired.

Installingthedevicedrivers

Inordertoidentifythedeviceproperly,thecomputermayneedcertaindriverstobeinstalled.Withoutnecessarydrivers,thecomputermaynotidentifyandworkwiththeconnecteddevice.Buttheissueis,thatsinceAndroidisallowedtobemodifiedandcustomizedbythemanufacturers,thereisnosinglegenericdriverthatwouldworkforalltheAndroiddevices.Eachmanufacturerwritesitsownproprietarydriversanddistributesthemalongwiththephone.So,it'simportanttoidentifyspecificdevicedrivers,whichneedtobeinstalled.Ofcourse,someoftheAndroidforensictoolkits(whichwearegoingtodiscussinthefollowingchapters)docomewithsomegenericdriversorasetofmost-useddrivers;theymaynotworkwithallthemodelsofAndroidphones.SomeWindowsoperating

systemsareabletoautodetectandinstallthedriversoncethedeviceispluggedinbutmoreoftenthannot,itfails.Thedevicedriversforeachmanufacturercanbefoundontheirrespectivewebsites.

Accessingtheconnecteddevice

Ifyouhaven'tdonesoalready,connecttheAndroiddevicetothecomputerdirectlyusingtheUSBcable.TheAndroiddevicewillappearasanewdriveandyoucanaccessthefilesontheexternalstorage.SomeolderAndroiddevicesmaynotbeaccessibleunlesstheTurnonUSBStorageoptionisenabledonthephoneasshowninthefollowingscreenshot:

USBmassstorage

InsomeAndroidphones(especiallywithHTC),thedevicemayexposemorethanonefunctionalitywhenconnectedwithaUSBcable.Forinstance,asshowninthefollowingscreenshot,whenanHTCdeviceisconnected,itpresentsamenuwithfouroptions.ThedefaultselectionisChargeonly.WhentheDiskdriveoptionisselected,itismountedasadiskdrive.

HTCmobileUSBoptions

Whenthedeviceismountedasadiskdrive,youwillbeabletoaccesstheSDcardpresentonthedevice.Fromaforensicpointofview,theSDcardhassignificantvalueasitmaycontainfilesthatareimportantforaninvestigation.However,thecoreapplicationdatastoredunder/data/datawillremainonthedeviceandcannotbeaccessedthroughthesemethods.

AndroidDebugBridge

AndroidDebugBridge(adb)isoneofthecrucialcomponentsinAndroidforensics.Althoughwewilllearnaboutadbindetailinthecomingchapters,wewillfocusonabasicintroductionaboutadbfornow.AndroidDebugBridge(adb)isacommand-linetoolthatallowsyoutocommunicatewiththeAndroiddeviceandcontrolit.Youcanaccesstheadbtoolunder<sdk>/platform-tools/.Beforewediscussanythingaboutadb,weneedtohaveanunderstandingabouttheUSBdebuggingoption.TheprimaryfunctionofthisoptionistoenablecommunicationbetweentheAndroiddeviceandaworkstationonwhichtheAndroidSDKisinstalled.

OnaSamsungphone,youcanaccessthisunderSettings|DeveloperOptions,asshowninthefollowingscreenshot.OtherAndroidphonesmayhavedifferentenvironmentsandconfigurationfeatures.Theexaminermayhavetoforcethedeveloperoptionsbyaccessingthebuildmode.Thesestepsarealldevicespecificandcanbedeterminedbyresearchingthedeviceorreadingtheinstructionsprovidedbyyourforensictoolofchoice.

TheUSBdebuggingoptioninSamsungmobiles

WhentheUSBdebuggingoptionisselected,thedevicewillrunadbdaemon(adbd)inthebackgroundandwillcontinuouslylookforaUSBconnection.Thedaemonwillusuallyrununderanonprivilegedshelluseraccountandthuswillnotprovideaccesstocompletedata.However,onrootedphones,adbdwillrunundertherootaccountandthusprovideaccesstoallthedata.Itisnotrecommendedtorootadevicetogainfullaccessunlessallotherforensicmethodsfail.ShouldtheexaminerelecttorootanAndroiddevice,themethodsmustbewelldocumentedandtestedpriortoattemptingitonrealevidence.Rootingwillbediscussedattheendofthischapter.

OntheworkstationwheretheAndroidSDKisinstalled,adbdwillrunasabackgroundprocess.Also,onthesameworkstationaclientprogramwillrun,whichcanbeinvokedfromashellbyissuingtheadbcommand.Whentheadbclientisstarted,itfirstchecksifanadbdaemonisalreadyrunning.Iftheresponseisnegative,itinitiatesanewprocesstostarttheadbdaemon.Theadbclientprogramcommunicateswithlocaladbdoverport5037.

Accessingthedeviceusingadb

OncetheenvironmentsetupiscompleteandtheAndroiddeviceisinUSBdebuggingmode,connecttheAndroiddevicewiththecorrectUSBcabletotheforensicworkstationandstartusingadb.

Detectingconnecteddevices

Thefollowingadbcommandprovidesalistofallthedevicesconnectedtotheforensicworkstation.Thiswouldalsolisttheemulatorifitisrunningatthetimeofissuingthecommand.Also,rememberthatifnecessarydriversarenotinstalled,thenthefollowingcommandwouldshowablankmessage.Ifyouencounterthatsituation,downloadthenecessarydriversfromthemanufacturerandinstallthem.

C:\android-sdk\platform-tools>adb.exedevices

Listofdevicesattached

4df16ac8115e5f06device

Killingthelocaladbserver

Thefollowingcommandkillsthelocaladbservice:

C:\android-sdk\platform-tools>adb.exekill-server

Afterkillingthelocaladbservice,issuetheadbdevicescommandandobservethattheserverisstarted,asshowninthefollowingcommandlines:

C:\android-sdk\platform-tools>adb.exedevices

*daemonnotrunning.startingitnowonport5037*

*daemonstartedsuccessfully*

Listofdevicesattached

4df16ac8115e5f06device

Accessingtheadbshell

ThiscommandallowsforensicexaminerstoaccesstheshellonanAndroiddeviceandinteractwiththedevice.Thefollowingisthecommandtoaccesstheadbshellandexecuteabasiclscommandtoseethecontentsofthecurrentdirectory:

C:\android-sdk\platform-tools>adb.exeshell

shell@android:/$ls

ls

acct

cache

config

d

data

default.prop

dev

efs

etc

factory

fstab.smdk4x12

init

init.bt.rc

init.goldfish.rc

init.rc

init.smdk4x12.rc

init.smdk4x12.usb.rc

....

TheAndroidemulatorcanbeusedbyforensicexaminerstoexecuteandunderstandadbcommandsbeforeusingthemonthedevice.InChapter9,AndroidDataExtractionTechniques,wearegoingtoexplainmoreaboutleveragingadbtoinstallapplications,copyfilesandfoldersfromthedevice,viewdevicelogs,andsoon.

HandlinganAndroiddevice

HandlinganAndroiddeviceinapropermannerpriortotheforensicinvestigationisaveryimportanttask.Careshouldbetakentomakesurethatourunintentionalactionsdon'tresultindatamodificationoranyotherunwantedhappenings.Thefollowingsectionsthrowlightoncertainissueswhichneedtobeconsideredwhilehandlingthedeviceintheinitialstagesofforensicinvestigation.

Withtheimprovementsintechnology,theconceptofdevicelockinghaseffectivelychangedoverthelastfewyears.Mostusersnowhaveapasscodelockingmechanismenabledontheirdeviceduetotheincreaseingeneralsecurityawareness.BeforewelookatsomeofthetechniquestobypassthelockedAndroiddevices,itisimportantnottomissanopportunitytodisablethepasscodewhenthereisachance.

WhenanAndroiddevice,whichistobeanalyzed,isfirstaccessed,checkifthedeviceisstillactive(unlocked).Ifso,changethesettingsofthedevicetoenablegreateraccesstothedevice.So,whenthedeviceisstillactive,considerperformingthefollowingtasks:

EnablingUSBdebugging:OncetheUSBdebuggingoptionisenabled,itgivesgreateraccesstothedevicethroughtheadbconnection.Thisisofgreatsignificancewhenitcomestoextractingdatafromthedevice.ThelocationtoenableUSBdebuggingmightchangefromdevicetodevicebutit'susuallyunderDeveloperOptionsinSettings.MostmethodsforphysicallyacquiringAndroiddevicesrequireUSBdebuggingtobeenabled.Enablingthe"Stayawake"setting:IftheStayawakeoptionisselectedandthedeviceisconnectedforcharging,thenthedeviceneverlocks.Again,ifthedevicelocks,theacquisitioncouldbehalted.Increasingscreentimeout:Thisisthetimeforwhichthedevicewillbeeffectivelyactiveonceitisunlocked.Thelocationtoaccessthissettingvariesdependinguponthemodelofthedevice.OnaSamsungGalaxyS3phone,youcanaccessthesameunderSettings|Display|ScreenTimeout.

Apartfromthis,asmentionedinChapter1,IntroductiontoMobileForensics,thedeviceneedstobeisolatedfromthenetworktomakesurethatremotewipe

optionsdonotworkonthedevice.TheAndroidDeviceManagerallowsthephonetoberemotelywipedorlocked.ThiscanbedonebysigningintotheGoogleaccount,whichisconfiguredonthemobile.Moredetailsaboutthisarementionedinthefollowingsection.IftheAndroiddeviceisnotsetuptoallowremotewiping,thedevicecanonlybelockedusingtheAndroidDeviceManager.Also,thereareseveralMobileDeviceManagement(MDM)softwareproductsavailableonthemarket,whichallowuserstoremotelylockorwipetheAndroiddevice.Someofthesemaynotrequirespecificsettingstobeenabledonthedevice.

Usingtheavailableremotewipesoftware,itispossibletodeleteallthedataincludinge-mails,applications,photos,contacts,andotherfilesincludingthosefoundontheSDcard.Toisolatethedevicefromthenetwork,youcanputthedeviceinairplanemodeanddisableWi-Fiasanextraprecaution.EnablingairplanemodeanddisablingWi-FiworkswellasthedevicewillnotbeabletocommunicateoveracellularnetworkandcannotbeaccessedviaWi-Fi.RemovingtheSIMcardfromthephoneisalsoanoptionbutthatdoesnoteffectivelystopthedevicefromcommunicatingoverWi-Fiorsomecellularnetworks.Toplacethedeviceinairplanemode,pressandholdthePower/Offbuttonandselectairplanemode.

AllthesestepscanbedonewhentheAndroiddeviceisnotlocked.However,duringtheinvestigation,wecommonlyencounterdevicesthatarelocked.Hence,it'simportanttounderstandhowtobypassthelockcodeifitisenabledonanAndroiddevice.

ScreenlockbypassingtechniquesDuetotheincreaseinuserawarenessandtheeaseoffunctionality,therehasbeenanexponentialincreaseintheusageofpasscodeoptionstolockAndroiddevices.Hence,bypassingthedevice'sscreenlockduringaforensicinvestigationisbecomingincreasinglyimportant.Thescreenlockbypasstechniquesdiscussedhavetheirapplicabilitybasedonthesituation.Notethatsomeofthesemethodsareusedtomakechangestothedevice.Makesurethatyoutestandvalidateallthestepslistedonnon-evidentiaryAndroiddevices.Theexaminermusthaveauthorizationtomaketherequiredchangestothedevice,documentallstepstaken,andbeabletodescribethestepstakenifacourtroomtestimonyisrequired.

Currently,therearethreetypesofscreenlockmechanismsofferedbyAndroid.Althoughtherearesomedeviceswhichhavevoicelockandfacelockoptions,wewilllimitourdiscussiontothefollowingthreeoptionssincethesearemostwidelyusedonallAndroiddevices:

PatternLock:Theusersetsapatternordesignonthephoneandthesamemustbedrawntounlockthedevice.Androidwasthefirstsmartphonetointroduceapatternlock.PINcode:Thisisthemostcommonlockoptionandisfoundonmanymobilephones.ThePINcodeisa4-digitnumberthatneedstobeenteredtounlockthedevice.Passcode(alphanumeric):Thisisanalphanumericpasscode.UnlikethePIN,whichtakesfourdigits,thealphanumericpasscodetakesmorethanjustdigits.

ThefollowingsectiondetailssomeofthetechniquestobypasstheseAndroidlockmechanisms.Dependingonthesituation,thesetechniquesmighthelpaninvestigatortobypassthescreenlock.

Usingadbtobypassthescreenlock

IfUSBdebuggingappearstobeenabledontheAndroiddevice,itiswisetotakeadvantageofitbyconnectingwithadbusingUSB,asdiscussedintheearliersections.Theexaminershouldconnectthedevicetotheforensicworkstationandissuetheadbdevicescommand.Ifthedeviceshowsup,itimpliesthatUSBdebuggingisenabled.IftheAndroiddeviceislocked,theexaminermustattempttobypassthescreenlock.ThefollowingarethetwomethodsthatmayallowtheexaminertobypassthescreenlockwhenUSBdebuggingisenabled.

Deletingthegesture.keyfile

Thisishowtheprocessisdone:

1. Connectthedevicetotheforensicworkstation(aWindowsmachineinourexample)usingaUSBcable.

2. Openthecommandpromptandexecutethefollowinginstructions:

adb.exeshell

cd/data/system

rmgesture.key

3. Rebootthedevice.Ifthepatternlockstillappears,justdrawanyrandomdesignandobservethatthedeviceshouldunlockwithoutanytrouble.

Thismethodworkswhenthedeviceisrooted.Thismethodmaynotbesuccessfulonunrooteddevices.RootinganAndroiddeviceshouldnotbeperformedwithoutproperauthorizationasthedeviceisaltered.

Updatingthesettings.dbfile

Toupdatethesettings.dbfile,performthefollowingsteps:

1. ConnectthedevicetotheforensicworkstationusingaUSBcable.2. Openthecommandpromptandexecutethefollowinginstructions:

adb.exeshellcd

/data/data/com.android.providers.settings/databases

sqlitesettings.db

sqlite>updatesystemsetvalue=0where

name='lock_pattern_autolock';

sqlite>updatesystemsetvalue=0wherename=

'lockscreen.lockedoutpermenantly';

3. Exitandrebootthedevice.4. TheAndroiddeviceshouldbeunlocked.Ifnot,attempttoremove

gesture.keyasexplainedearlier.

Checkingforthemodifiedrecoverymodeandadbconnection

InAndroid,recoveryreferstothededicatedpartitionwheretherecoveryconsoleispresent.Thetwomainfunctionsofrecoveryaretodeletealluserdataandinstallupdates.Forinstance,whenyoufactoryresetyourphone,recoverybootsupanddeletesallthedata.Similarly,whenupdatesaretobeinstalledonthephone,itisdoneintherecoverymode.TherearemanyenthusiasticAndroiduserswhoinstallcustomROMthroughamodifiedrecoverymodule.ThismodifiedrecoverymoduleismainlyusedtomaketheprocessofinstallingcustomROMeasy.Recoverymodecanbeaccessedindifferentwaysdependingonthemanufacturerofthedevice,whichiseasilyavailableontheInternet.Usually,thisisdonebyholdingdifferentkeystogethersuchasthevolumebuttonandpowerbutton.Onceinrecoverymode,connectthedevicetotheworkstationandtrytoaccesstheadbconnection.Ifthedevicehasarecoverymodewhichisnotmodified,theexaminermaynotbeabletoaccesstheadbconnection.Themodifiedrecoveryversionsofthedevicepresenttheuserwithdifferentoptionsandcanbeeasilynoticed.

Flashinganewrecoverypartition

TherearemechanismsavailabletoflashtherecoverypartitionofanAndroiddevicewithamodifiedimage.TheFastbootutilitywouldfacilitatethisprocess.FastbootisadiagnosticprotocolthatcomeswiththeSDKpackage,usedprimarilytomodifytheflashfilesystemthroughaUSBconnectionfromahostcomputer.Forthis,youneedtostartthedeviceinthebootloadermodeinwhichonlythemostbasichardwareinitializationisperformed.Oncetheprotocolisenabledonthedevice,itwillacceptaspecificsetofcommandsthataresenttoitviatheUSBcableusingacommandline.Flashingorrewritingapartitionwithabinaryimagestoredonthecomputerisonesuchcommandthatisallowed.Oncetherecoveryisflashed,bootthedeviceinrecoverymode,mountthe/dataand/systempartitions,anduseadbtoremovethegesture.keyfile.Rebootthephoneandyoushouldbeabletobypassthescreenlock.

Smudgeattack

Inrarecases,asmudgeattackmaybeusedtodeducethepasswordofatouchscreenmobiledevice.Theattackreliesonidentifyingthesmudgesleftbehindbytheuser'sfingers.Whilethismaypresentabypassmethod,itmustbesaidthatasmudgeattackisunlikelysincemostAndroiddevicesaretouchscreenandsmudgeswillalsobepresentfromusingthedevice.However,ithasbeendemonstratedthatunderproperlighting,thesmudgesthatareleftbehindcanbeeasilydetectedasshowninthefollowingscreenshot(http://www.securitylearn.net/tag/android-passcode-bypass/).Byanalyzingthesmudgemarks,wecandiscernthepatternthatisusedtounlockthescreen.ThisattackismorelikelytoworkwhilediscerningthepatternlockontheAndroiddevice.Insomecases,PINcodescanalsoberecovereddependinguponthecleanlinessofthescreen.So,duringaforensicinvestigation,careshouldbetakenwhenthedeviceisfirsthandledtomakesurethatthescreenisnottouched.

Smudgesvisibleonadeviceunderproperlighting(source:https://viaforensics.com/wpinstall/wp-content/uploads/smudge.png)

https://viaforensics.com/wpinstall/wp-content/uploads/smudge.png)

UsingtheprimaryGmailaccount

IfyouknowtheusernameandpasswordoftheprimaryGmailaddressthatisconfiguredonthedevice,youcanchangethePIN,password,orswipeonthedevice.Aftermakingacertainnumberoffailedattemptstounlockthescreen,AndroidprovidesanoptionnamedForgotPatternorForgotPasswordasshowninthefollowingscreenshot.TaponthatlinkandsigninusingtheGmailusernameandpasswordandthiswillallowyoutocreateanewpatternlockorpasscodeforthedevice.

ForgotpatternoptiononanAndroiddevice

Othertechniques

AlloftheearliermentionedtechniquesandthecommercialtoolsavailableprovetobeusefultotheforensicexaminertryingtogetaccesstothedataontheAndroiddevices.However,therecouldbesituationswherenoneofthesetechniqueswork.Toobtainacompletephysicalimageofthedevice,techniquessuchaschip-offandJTAGmayberequiredwhencommercialandopensourcesolutionsfail.Ashortdescriptionofthesetechniquesismentioned.

Whilethechip-offtechniqueremovesthememorychipfromacircuitandtriestoreadit,theJTAGtechniqueinvolvesprobingtheJTAGTestAccessPorts(TAPs)andsolderingconnectorstotheJTAGportsinordertoreaddatafromthedevicememory.Thechip-offtechniqueismoredestructivebecauseoncethechipisremovedfromthedevice,itisdifficulttorestorethedevicebacktoitsoriginalfunctionalstate.Also,expertiseisneededtocarefullyremovethechipfromthedevicebydesolderingthechipfromthecircuitboard.Theheatrequiredtoremovethechipcanalsodamageordestroythedatastoredonthatchip.Hence,thistechniqueshouldbelookedupononlywhenthedataisnotretrievablebyopensourceorcommercialtoolsorthedeviceisdamagedbeyondrepair.WhenusingtheJTAGtechnique,JTAGportshelpanexaminertoaccessthememorychiptoretrieveaphysicalimageofthedatawithoutneedingtoremovethechip.Toturnoffthescreenlockonadevice,anexaminercanidentifywherethelockcodeisstoredinthephysicalmemorydump,turnoffthelocking,andcopythatdatabacktothedevice.Commercialtools,suchasCellebritePhysicalAnalyzer,canaccept.binfilesfromchip-offandJTAGacquisitionsandcrackthelockcodefortheexaminer.Oncethecodeiseithermanuallyremovedorcracked,theexaminercananalyzethedeviceusingnormaltechniques.

Boththechip-offandJTAGtechniquesrequireextensiveresearchandexperiencetobetriedonarealdevice.AgreatresourceforJTAGandchip-offondevicescanbefoundathttp://www.forensicswiki.org/wiki.

GainingrootaccessAsamobiledeviceforensicexaminer,itisessentialtoknoweverythingthatrelatestotwistingandtweakingthedevice.Thiswouldhelpyoutounderstandtheinternalworkingofthedeviceindetailandcomprehendmanyissuesthatyoumayfaceduringyourinvestigation.RootingAndroidphoneshasbecomeacommonphenomenonandyoucanexpecttoencounterrootedphonesduringforensicexaminations.Theexaminer,whereapplicable,mayalsoneedtorootthedeviceinordertoacquiredatafortheforensicexamination.Hence,it'simportanttoknowtheinsandoutsofrooteddevicesandhowtheyaredifferentfromtheotherphones.ThefollowingsectionscoverinformationaboutAndroidrootingandotherrelatedconcepts.

Whatisrooting?

ThedefaultadministrativeaccountinUnix-likeoperatingsystemsiscalled"root".So,inLinux,therootuserhasthepowertostart/stopanysystemservice,edit/deleteanyfile,changetheprivilegesofotherusers,andsoon.WehavealreadylearnedthatAndroidusestheLinuxkernelandhencemostoftheconceptspresentinLinuxareapplicabletoAndroidaswell.However,whenyoubuyanAndroidphone,itdoesnotletyouloginasarootuserbydefault.RootinganAndroidphoneisallaboutgainingaccessonthedevicetoperformactionsthatarenotnormallyallowedonthedevice.Manufacturerswantthedevicestofunctioninacertainmannerfornormalusers.Rootingadevicemayvoidawarrantysincerootopensthesystemtovulnerabilitiesandprovidestheuserwithsuperusercapabilities.ImagineamaliciousapplicationhavingaccesstoanentireAndroidsystemwithrootaccess.RememberthatinAndroid,eachapplicationistreatedasaseparateuserandissuesaUID.Thus,theapplicationshaveaccesstolimitedresourcesandtheconceptofapplicationisolationisenforced.Essentially,rootinganAndroiddeviceallowssuperusercapabilitiesandprovidesopenaccesstotheAndroiddevice.

RootinganAndroiddevice

Eventhoughthehardwaremanufacturerstrytoputenoughrestrictionstorestrictaccesstotheroot,hackershavealwaysfounddifferentwaystogetaccesstotheroot.Theprocessofrootingvariesdependingontheunderlyingdevicemanufacturer.Butrootinganydeviceusuallyinvolvesexploitingasecuritybuginthedevice'sfirmwareandthencopyingthesu(superuser)binarytoalocationinthecurrentprocess'spath(/system/xbin/su)andgrantingitexecutablepermissionswiththechmodcommand.

Forthesakeofsimplicity,imaginethatanAndroiddevicehasthreetofourpartitions,whichrunprogramsnotentirelyrelatedtoAndroid(Androidbeingoneamongthem).

Thebootloaderispresentinthefirstpartitionandisthefirstprogramthatrunswhenthephoneispoweredon.TheprimaryjobofthisbootloaderistoboototherpartitionsandloadtheAndroidpartition,commonlyreferredtoasROMbydefault.Toseethebootloadermenu,aspecifickeycombinationisrequiredsuchasholdingthepowerbuttonandpressingthevolumeupbutton.Thismenuprovidesoptionsforyoutobootintootherpartitionssuchastherecoverypartition.

Therecoverypartitiondealswithinstallingupgradestothephone,whicharewrittendirectlytotheAndroidROMpartition.Thisisthemodethatyouseewhenyouinstallanyofficialupdateonthedevice.Devicemanufacturersmakesurethatonlyofficialupdatesareinstalledthroughtherecoverypartition.Thus,bypassingthisrestrictionwouldallowyoutoinstall/flashanyunlockedAndroidROM.Modifiedrecoveryprogramsarethosethatnotonlyallowaneasierrootingprocessbutalsoprovidevariousoptions,whicharenotseeninthenormalrecoverymode.Thefollowingscreenshotshowsthenormalrecoverymode:

NormalAndroidsystemrecoverymode

Thefollowingscreenshotshowsthemodifiedrecoverymode:

Modifiedrecoverymode

ThemostusedrecoveryprogramintheAndroidworldistheClockworkrecovery,alsocalledClockworkMod.Hence,mostoftherootingmethodsbeginbyflashingamodifiedrecoverytotherecoverypartition.Afterthat,youcanissueanupdate,whichcanrootthedevice.However,youdon'tneedtoperformalltheactionsmanuallyassoftwareisavailableformostofthemodels,whichcouldrootyourphonewithasingleclick.

Rootingadevicehasbothadvantagesanddisadvantagesassociatedwithit.

Thefollowingaretheadvantages:

Rootingallowsmodificationofthesoftwareonthedevicetothedeepestlevel.Forexample,youcanoverclockorunderclockthedevice'sCPU(http://techbeasts.com/2014/01/17/what-is-cpu-underclocking-overclocking-and-how-to-underclock-overclock/).Bypassrestrictionsimposedonthedevicebycarriers,manufacturers,andsoon.Forextremecustomization,newcustomizedROMscouldbedownloadedandinstalled.

Thefollowingarethedisadvantages:

Rootingadevicemustbedonewithextremecareaserrorsmayresultinirreparabledamagetothesoftwareonthephoneturningthedeviceintoauselessbrick.Rootingmightvoidthewarrantyofadevice.Rootingresultsinincreasedexposuretomalwareandotherattacks.MalwarewithaccesstotheentireAndroidsystemcancreatehavoc.

Oncethedeviceisrooted,applicationssuchastheSuperuserappareavailabletoprovideanddenyrootprivileges.Thisapphelpsyoutograntandmanagesuperuserrightsonthedevice,asshowninthefollowingscreenshot:

Applicationrequestingrootaccess

Rootaccess–adbshell

AnormalAndroidphonedoesnotallowyoutoaccesscertaindirectoriesandfilesonthedevice.Forexample,trytoaccessthe/data/datafolderonanAndroiddevice,whichisnotrooted.Youwillseethefollowingmessage:

C:\android-sdk\platform-tools>adb.exeshell

shell@android:/$cd/data/data

cd/data/data

shell@android:/data/data$ls

ls

opendirfailed,Permissiondenied

255|shell@android:/data/data$

Onarootedphone,youcanruntheadbshellasarootbyissuingthefollowingcommand:

C:\android-sdk\platform-tools>adb.exeroot

restartingadbdasroot

C:\android-sdk\platform-tools>adb.exeshell

root@android:/#cd/data/data

cd/data/data

root@android:/data/data#ls

ls

com.adobe.flashplayer

com.adobe.reader

com.aldiko.android

com.android.backupconfirm

com.android.browser

Thus,rootingaphoneenablesyoutoaccessfoldersanddata,whichareotherwisenotaccessible.Also,notethat#symbolizesrootorsuperuseraccesswhile$reflectsanormaluser,asshownintheprecedingcommandlines.

SummaryAproperforensicworkstationsetupisrequiredpriortoconductinginvestigationsonanAndroiddevice.UsingopensourcemethodstoacquireandanalyzeAndroiddevicesrequirestheinstallationofspecificsoftwareontheforensicworkstation.IfthemethodofforensicacquisitionrequirestheAndroiddevicetobeunlocked,theexaminerneedstodeterminethebestmethodtogainaccesstothedevice.Variousscreenlockbypasstechniquesexplainedinthischapterhelpanexaminertobypassthepasscodeunderdifferentcircumstances.Dependingontheforensicacquisitionmethodandscopeoftheinvestigation,rootingthedeviceshouldprovidecompleteaccesstothefilespresentonthedevice.Somecommercialtools,suchasMicroSystemationXRY,providearootthattheexaminermustuseinordertoaccessspecificareasofthedevicememory.NowthatthebasicconceptsarecoveredongainingaccesstoanAndroiddevice,wewillcoveracquisitiontechniquesanddescribehowthedataisbeingpulledusingeachmethodinChapter9,AndroidDataExtractionTechniques.

Chapter9.AndroidDataExtractionTechniquesByusinganyofthepasscodebypasstechniquesexplainedinChapter8,AndroidForensicSetupandPreDataExtractionTechniques,anexaminercantrytoaccessalockeddevice.Oncethedeviceisaccessible,thenexttaskistoextracttheinformationpresentonthedevice.ThiscanbeachievedbyapplyingvariousdataextractiontechniquesontheAndroiddevice.ThischapterhelpsyoutoidentifythesensitivelocationspresentonanAndroiddeviceandexplainsvariouslogicalandphysicaltechniquesthatcanbeappliedtothedeviceinordertoextractthenecessaryinformation.

ImaginganAndroidPhoneImagingadeviceisoneofthemostimportantstepsinmobiledeviceforensics.Theruleofthumbwhendealingwithaforensicexaminationistoensurethatthedatapresentonthedeviceisnotmodifiedinanyway,whereverpossible.AsexplainedinChapter1,IntroductiontoMobileForensics,allthechangesbytheexaminerfromtheprevioustestingandvalidationshouldbewelldocumented.Whenpossible,it'simperativetoobtainaphysicalimageoftheAndroiddevicebeforeperforminganytechniquestoextractthedatadirectlyfromthedevice.Inforensics,thisprocessofobtainingaphysicalorlogicalacquisitioniscommonlycalledimagingthedevice.Aphysicalimageispreferredasitisabit-by-bitcopyoftheAndroiddevicememory.

Itisimportanttounderstandthatabit-by-bitimageisnotsimilartocopyingandpastingthecontentsonthedevice.Ifwecopyandpastethecontentsonadeviceitwillonlycopytheavailablefilessuchasvisiblefiles,hiddenfiles,andsystem-relatedfiles.Thismethodisconsideredalogicalimage.Withthismethod,deletedfilesandfilesthatarenotaccessiblearenotcopiedbythecopycommand.Deletedfilescanberecovered(basedonthecircumstances)usingcertaintechniques,whichwearegoingtoseeinthefollowingchapters.Hence,youneedtotakea1:1bit-by-bitimageofthedevicememorytoobtainallofthedata.

Let'sfirstrevisithowimagingisdoneonadesktopcomputerasithelpsustocorrelateandrealizetheproblemsassociatedwithimagingAndroiddevices.Let'sassumethatadesktopcomputer,whichisnotpoweredon,isseizedfromasuspectandsentforforensicexamination.Inthiscase,atypicalforensicexaminerwouldremovetheharddisk,connectittoawriteblockerandobtainabit-by-bitforensicimageusinganyoftheavailabletools.Theoriginalharddiskisthensafelyprotectedduringtheforensicimagingofthedata.WithanAndroiddevice,alltheareasthatcontaindatacannotbeeasilyremoved.Also,ifthedeviceisactiveatthetimeofreceivingitforexamination,itisnotpossibletoanalyzethedevicewithoutmakinganychangestoitbecauseanyinteractionwouldchangethestateofthedevice.

AnAndroiddevicemayhavetwofilestorageareas,internalandexternalstorage.Internalstoragereferstothebuilt-innon-volatilememory.External

storagereferstotheremovablestoragemediumsuchasamicroSDcard.However,it'simportanttonotethatsomedevicesdonothavearemovablestoragemediumsuchasanSDcard,buttheydividetheavailablepermanentstoragespaceintointernalandexternalstorage.Hence,it'snotalwaystruethatexternalstorageissomethingthatisremovable.WhenaremovableSDcardispresent,aforensicimageofthememorycardhastobeobtained.AsdiscussedinChapter7,UnderstandingAndroid,theseremovablecardsaregenerallyformattedwiththeFAT32filesystem.SomemobiledeviceacquisitionmethodswillacquiretheSDcardthroughtheAndroiddevice.Thisprocess,whileuseful,willbeslowduetothespeedlimitationsoftheUSBphonecables.

DataextractiontechniquesDataresidingonanAndroiddevicemaybeanintegralpartofcivil,criminal,orinternalinvestigationsdoneaspartofacorporatecompany'sinternalprobe.WhiledealingwithinvestigationsinvolvingAndroiddevices,theforensicexaminerneedstobemindfuloftheissuesthatneedtobetakencareofduringtheforensicprocess;thisincludesdeterminingifrootaccessispermitted(viaconsentorlegalauthority)andwhatdatacanbeextractedandanalyzedduringtheinvestigation.Forexample,inacriminalcaseinvolvingstalking,thecourtmayonlyallowfortheSMS,calllogs,andphotostobeextractedandanalyzedontheAndroiddevicebelongingtothesuspect.Inthiscase,itmaymakethemostsensetologicallycapturejustthosespecificitems.However,itisbesttoobtainafullphysicaldataextractionofthedeviceandonlyexaminetheareasadmissiblebythecourt.Youneverknowwhereyourinvestigationmayleadanditisbesttoobtainasmuchdataoffthedeviceimmediatelyratherthanwishyouhadafullimageshouldthescopeofconsentchange.

ThedataextractiontechniquesonanAndroiddevicecanbeclassifiedintothreetypes:

ManualdataextractionLogicaldataextractionPhysicaldataextraction

Theextractionmethodsforeachofthesetypeswillbedescribedindetailinthefollowingsections.Somemethodsmayrequirethedeviceberootedinordertofullyaccessthedata.Eachmethodhasdifferentimplicationsandsuccessrateswilldependonthetool,methodused,anddevicemakeandmodel.

Manualdataextraction

Thismethodofextractioninvolvestheexaminerutilizingthenormaluserinterfaceofthemobiledevicetoaccesscontentpresentinthememory.Theexaminerwillbrowsethroughthedevicenormallybyaccessingdifferentmenustoviewthedetailssuchascalllogs,textmessages,andIMchats.Thecontentofeachscreeniscapturedbytakingpicturesandcanbepresentedasevidence.Themaindrawbackwiththistypeofexaminationisthatonlythosefilesthatareaccessiblebytheoperatingsystem(intheUImode)canbeinvestigated.Caremustbetakenwhenmanuallyexaminingthedeviceasit'seasytopressthewrongbuttonanderaseoradddata.Manualextractionshouldbeusedasalastresorttoverifyfindingsextractedusingoneoftheothermethods.Certaincircumstancesmaywarranttheexaminertoconductmanualexaminationasthefirststep.Thismayincludelifeordeathsituationsormissingpersonswhereaquickscanofthedevicemayleadthepolicetotheindividual.

UsingrootaccesstoacquireanAndroiddevice

Android,bydefault,doesnotprovideaccesstotheinternaldirectoriesandsystem-relatedfiles.Thisrestrictedaccessistoensurethesecurityofthedevice.Forinstance,the/data/datafolderisnotaccessibleonanon-rooteddevice.Thisfolderisespeciallyofinteresttousbecauseitstoresmostoftheuser-createddataandmanyapplicationswritevaluabledataintothisfolder.Hence,toobtainanimageofthedevice,weneedtoroottheAndroiddevice.Rootingadevicegivesusthesuperuserprivilegesandaccesstoallthedata.Itisimportanttorealizethatthisbookhasbeenstressingthatallthestepstakenshouldbeforensicallysoundandnotmakechangestothedevicewheneverpossible.RootinganAndroiddevicewillmakechangestoitandshouldbetestedonanydevicethattheexaminerhasnotpreviouslyinvestigated.RootingiscommonforAndroiddevices,butgettingrootaccesscouldalterthedeviceinamannerthatrendersthedatachangedorworseyet—wiped.SomeAndroiddevices,suchastheNexus4and5,mayforcethedatapartitiontobewipedpriortoallowingrootaccess.Thisnegatestheneedtorootthedeviceinordertogainaccessbecausealltheuserdataislostduringtheprocess.Justrememberthatwhilerootingprovidesaccesstomoredatawhensuccessfullydone,itcanalsowipethedataordestroythephone.Hence,youmustensureyouhaveconsentorlegalrightstomanipulatetheAndroiddevicepriortoproceedingwiththeroot.AsrootingtechniqueshavebeendiscussedinChapter8,AndroidForensicSetupandPreDataExtractionTechniques,wewillproceedwiththeexampleassumingthatthedeviceisrooted.Thefollowingisastep-by-stepprocesstoobtainaforensicimageofarootedAndroiddevice.

InstalltheAndroidTerminalEmulatorapplication.TheAndroidTerminalEmulatorapplicationhelpsyoutoaccesstheLinuxcommandshell.AndroidTerminalEmulatorcanbedownloadedfromhttps://github.com/jackpal/Android-Terminal-Emulator/wiki.Onceinstalled,youcanrunmostoftheLinuxcommandsonthedevice.ItisrecommendedtoinstallitthroughadbinsteadofconnectingtotheInternettoinstallitfromtheGooglePlaystore.ThefollowingscreenshotshowstheinstallationoftheAndroidTerminalEmulatorapplicationonaMacrunningv10.9.2:

OnceAndroidTerminalEmulatorisinstalled,thepartitionscanbeacquiredfromtheAndroiddeviceusingthefollowingsteps:

Usingtheddcommand:Theddcommandcanbeusedtocreatearawimageofthedevice.Thiscommandhelpsustocreateabit-by-bitimageoftheAndroiddevicebycopyinglow-leveldata.InsertinganewSDcard:InsertanewSDcardintothedeviceinordertocopytheimagefiletothiscard.MakesurethisSDcardiswipedanddoesnotcontainanyotherdata.Executingthecommand:ThefilesystemofanAndroiddeviceisstoredindifferentlocationswithinthe/devpartition.AsimplemountcommandonaSamsungGalaxyS3phonereturnsthefollowingoutput:

shell@Android:/$mount

mount

rootfs/rootfsro,relatime00

tmpfs/devtmpfsrw,nosuid,relatime,mode=75500

devpts/dev/ptsdevptsrw,relatime,mode=60000

proc/procprocrw,relatime00

sysfs/syssysfsrw,relatime00

none/acctcgrouprw,relatime,cpuacct00

tmpfs/mnt/asectmpfsrw,relatime,mode=755,gid=100000

tmpfs/mnt/obbtmpfsrw,relatime,mode=755,gid=100000

none/dev/cpuctlcgrouprw,relatime,cpu00

/dev/block/mmcblk0p9/systemext4

ro,noatime,barrier=1,data=ordered00

/dev/block/mmcblk0p3/efsext4

rw,nosuid,nodev,noatime,barrier=1,journal_async_c

ommit,data=ordered00

/dev/block/mmcblk0p8/cacheext4

rw,nosuid,nodev,noatime,barrier=1,journal_async

_commit,data=ordered00

/dev/block/mmcblk0p12/dataext4

rw,nosuid,nodev,noatime,barrier=1,journal_async

_commit,data=ordered,noauto_da_alloc,discard00

/sys/kernel/debug/sys/kernel/debugdebugfsrw,relatime00

/dev/fuse/storage/sdcard0fuse

rw,nosuid,nodev,noexec,relatime,user_id=1023,group_id=1023,defa

ult_permissions,allow_other00

Fromtheprecedingoutput,wecanidentifytheblockswherethe/system,/data,and/cachepartitionsaremounted.Althoughit'simportanttoimageallthefiles,mostofthedataispresentinthe/dataand/systempartitions.Whentimeallows,allpartitionsshouldbeacquiredforcompleteness.Oncethisisdone,executethefollowingcommandtoimagethedevice:

ddif=/dev/block/mmcblk0p12of=/sdcard/tmp.image

Intheprecedingexample,thedatapartitionofaSamsungGalaxySIIIwasused(whereifistheinputfileandofistheoutputfile).

Theprecedingcommandwillmakeabit-by-bitimageofthemmcblk0p12file(datapartition)andcopytheimagefiletoanSDcard.Oncethisisdone,theddimagefilecanbeanalyzedusingtheavailableforensicsoftware.

Tip

TheexaminermustensurethattheSDcardhasenoughstoragespacetocontainthedatapartitionimage.Othermethodsareavailabletoacquiredatafromtherooteddevices.

Logicaldataextraction

Logicaldataextractiontechniquesextractthedatapresentonthedevicebyaccessingthefilesystem.Thesetechniquesaresignificantbecausetheyprovidevaluabledata,workonmostdevices,andareeasytouse.Onceagain,theconceptofrootingcomesintopicturewhileextractingthedata.Logicaltechniquesdonotactuallyrequirerootaccessfordataextraction.However,havingrootaccessonadeviceallowsyoutoaccessallthefilespresentonadevice.Thismeansthatsomedatamaybeextractedonanon-rooteddevicewhilerootaccesswillopenthedeviceandprovideaccesstoallthefilespresentonthedevice.Hence,havingrootaccessonadevicewouldgreatlyinfluencetheamountandkindofdatathatcanbeextractedthroughlogicaltechniques.Logicalextractioncanbeperformedonadeviceintwoways:

UsingadbpullcommandsUsingcontentproviders

Thefollowingsectionsexplaineachoftheseoptionsandhowthedatacanbeextracted.

Usingtheadbpullcommand

Asseenearlier,adbisacommand-linetoolthathelpsyoucommunicatewiththedevicetoretrieveinformation.Usingadb,youcanextractdatafromallthefilesonthedeviceoronlytherelevantfilesinwhichyouareinterested.ToaccessanAndroiddevicethroughadb,it'snecessarythattheUSBdebuggingoptionisenabled.IfthedeviceislockedandUSBdebuggingisnotenabled,trytobypassthescreenlockusingthetechniquesmentionedinChapter8,AndroidForensicSetupandPreDataExtractionTechniques.

Asaforensicexaminer,it'simportanttoknowhowthedataisstoredontheAndroiddeviceandtounderstandwhereimportantandsensitiveinformationisstoredsothatthedatacanbeextractedaccordingly.Applicationdataoftencontainsawealthofuserdatathatmayberelevanttotheinvestigation.Allfilespertainingtoapplicationsofinterestshouldbeexaminedforrelevance,aswillbeexplainedinChapter10,AndroidDataRecoveryTechniques.Theapplicationdatacanbestoredinoneofthefollowinglocations:

Sharedpreferences:Dataisstoredinkey-valuepairsinalightweight

XMLformat.Sharedpreferencefilesarestoredintheshared_preffolderoftheapplication/datadirectory.Internalstorage:Datastoredhereisprivateandispresentinthedevice'sinternalmemory.Filessavedtotheinternalstorageareprivateandcannotbeaccessedbyotherapplications.Externalstorage:Thisstoresdatathatispublicinthedevice'sexternalmemory,whichdoesnotusuallyenforcesecuritymechanisms.Thisdataisavailableunderthe/sdcarddirectory.SQLitedatabase:Thisdataisavailableinthe/data/data/PackageName/database.Theyareusuallystoredwitha.dbfileextension.ThedatapresentinaSQLitefilecanbeviewedusingaSQLitebrowser(http://sourceforge.net/projects/SQLitebrowser/)orbyexecutingthenecessarySQLitecommandsontherespectivefiles.

EveryAndroidapplicationstoresthedataonthedeviceusinganyoftheprecedingdatastorageoptions.So,theContactsapplicationwouldstorealltheinformationaboutthecontactdetailsinthe/data/datafolderunderitspackagename.Notethat/data/dataisapartofyourdevice'sinternalstoragewherealltheappsareinstalledundernormalcircumstances.SomeapplicationdatawillresideontheSDcardandinthe/data/datapartition.Usingadb,wecanpullthedatapresentinthispartitionforfurtheranalysisusingtheadbpullcommand.Onceagain,it'simportanttonotethatthisdirectoryisaccessibleonlyonarootedphone.

Extractingthe/datadirectoryonarooteddevice

Onarootedphone,apullcommandon/datacanbeexecutedasfollows:

C:\android-sdk-windows\platform-tools>adb.exepull/dataC:\temp

pull:

/data/data/com.kiloo.subwaysurf/app_sslcache/www.chartboost.com.443

->

C:\temp/data/com.kiloo.subwaysurf/app_sslcache/www.chartboost.com.4

43

pull:/data/data/com.mymobiler.android/lib/libpng2.so->

C:\temp/data/com.mymobiler.android/lib/libpng2.so

pull:/data/system.notfirstrun->C:\temp/system.notfirstrun

732filespulled.0filesskipped.

2436KB/s(242711369bytesin97.267s)

Asshowninthefollowingscreenshot,thecomplete/datadirectoryontheAndroiddevicewascopiedtothelocaldirectoryonthemachine.Theentiredatadirectorywasextractedin97seconds.Theextractiontimewillvarydependingontheamountofdataresidingin/data.

The/datadirectoryextractedtoaforensicworkstation

Onanon-rooteddevice,apullcommandonthe/datadirectorydoesnotextractthefilesasshowninthefollowingoutput,sincetheshelluserdoesnothavepermissiontoaccessthosefiles:

C:\android-sdk-windows\platform-tools>adb.exepull/dataC:\temp

pull:buildingfilelist...

0filespulled.0filesskipped.

Thedatacopiedfromarootedphonethroughtheprecedingprocessmaintainsthedirectorystructure,thusallowinganinvestigatortobrowsethroughthenecessaryfilestogainaccesstotheinformation.Byanalyzingthedataoftherespectiveapplications,aforensicexpertcangathercriticalinformationthatcan

influencetheoutcomeoftheinvestigation.Notethatexaminingthefoldersnativelyonyourforensicworkstationwillalterthedatesandtimesofthecontent.Theexaminershouldmakeacopyoftheoriginaloutputtouseforadate/timecomparison.

UsingSQLiteBrowser

SQLBrowserisatoolthatcanhelpduringthecourseofanalyzingtheextracteddata.SQLiteBrowserallowsyoutoexplorethedatabasefileswiththefollowingextensions:.sqlite,.sqlite3,.sqlitedb,.db,and.db3.ThemainadvantageofusingSQLiteBrowseristhatitshowsthedatainatableform.NavigatetoFile|OpenDatabasetoopena.dbfileusingSQLiteBrowser.Asshowninthefollowingscreenshot,therearethreetabs:DatabaseStructure,BrowseData,andExecuteSQL.TheBrowseDatataballowsyoutoseetheinformationpresentindifferenttableswithinthe.dbfiles.Wewillbemostlyusingthistabduringouranalysis.Alternately,OxygenForensicSQLiteDatabaseViewercanalsobeusedforthesamepurpose.RecoveringdeleteddatafromdatabasefilesispossibleandwillbeexplainedinChapter10,AndroidDataRecoveryTechniques.

SQLiteBrowser

ThefollowingsectionsthrowlightonidentifyingimportantdataandmanuallyextractingvariousdetailsfromanAndroidphone.

Extractingdeviceinformation

KnowingthedetailsofyourAndroiddevice,suchasthemodel,version,andmore,willaidinyourinvestigation.Forexample,whenthedeviceisphysicallydamagedandprohibitstheexaminationofthedeviceinformation,youcangrabthedetailsaboutthedevicebyviewingthebuild.propfilepresentinthe/systemfolder,asfollows:

shell@android:/system$catbuild.prop

catbuild.prop

#beginbuildproperties

#autogeneratedbybuildinfo.sh

ro.build.id=JZO54K

ro.build.display.id=JZO54K.I9300XXEMH4

ro.build.version.incremental=I9300XXEMH4

ro.build.version.sdk=16

ro.build.version.codename=REL

ro.build.version.release=4.1.2

ro.build.date=TueSep1717:26:31KST2013

ro.build.date.utc=1379406391

......

ro.product.model=GT-I9300

ro.product.brand=samsung

ro.product.name=m0xx

ro.product.device=m0

ro.product.board=smdk4x12

ro.product.cpu.abi=armeabi-v7a

ro.product.cpu.abi2=armeabi

ro.product_ship=true

ro.product.manufacturer=samsung

......

ro.build.description=m0xx-user4.1.2JZO54KI9300XXEMH4rel

ro.build.fingerprint=samsung/m0xx/m0:4.1.2/JZO54K/I9300XXEM

......

ro.build.PDA=I9300XXEMH4

ro.build.hidden_ver=I9300XXEMH4

......

ro.sec.fle.encryption=true

......

ro.com.google.gmsversion=4.1_r6

dalvik.vm.dexopt-flags=m=y

net.bt.name=Android

dalvik.vm.stack-trace-file=/data/anr/traces.txt

Extractingcalllogs

Accessingthecalllogsofaphoneisoftenrequiredduringtheinvestigationto

confirmcertainevents.Theinformationaboutcalllogsisstoredinthecontacts2.dbfilelocatedat/data/data/com.android.providers.contacts/databases/.Asmentionedearlier,youcanuseSQLiteBrowsertoseethedatapresentinthisfileafterextractingittoalocalfolderontheforensicworkstation.Asshowninthefollowingscreenshot,byusingtheadbpullcommand,thenecessary.dbfilescanbeextractedtoafolderontheforensicworkstation,asshowninthefollowingscreenshot:

Thecontacts2.dbfilecopiedtoalocalfolder

Notethatapplicationsusedtomakecallscanstorecalllogdetailsintherespectiveapplicationfolder.Allcommunicationapplicationsmustbeexaminedforcalllogdetails,asfollows:

C:\android-sdk-windows\platform-tools>adb.exepull

/data/data/com.android.providers.contactsC:\temp

pull:buildingfilelist...

........

pull:

/data/data/com.android.providers.contacts/databases/contacts2.db->

C:\temp/databases/contacts2.db

pull:

/data/data/com.android.providers.contacts/databases/profile.db->

C:\temp/databases/profile.db

pull:

/data/data/com.android.providers.contacts/databases/profile.db-

journal->C:\temp/databases/profile.db-journal

6filespulled.0filesskipped.

70KB/s(644163bytesin8.946s)

Now,openthecontacts2.dbfileusingSQLiteBrowser(navigatingtoFile|OpenDatabase)andbrowsethroughthedatapresentindifferenttables.Thecallstablepresentinthecontacts2.dbfileprovidesinformationaboutthecallhistory.Thefollowingscreenshothighlightsthecallhistoryalongwiththename,number,duration,anddate.

ExtractingSMS/MMS

Duringthecourseofinvestigation,aforensicexaminermaybeaskedtoretrievethetextmessagesthataresentbyanddeliveredtoaparticularmobiledevice.Hence,itisimportanttounderstandwherethedetailsarestoredandhowtoaccessthedata.Themmssms.dbfilewhichispresentunderthe/data/data/com.android.providers.telephony/databaseslocationcontainsthenecessarydetails.Aswithcalllogs,theexaminermustensurethatapplicationscapableofmessagingareexaminedforrelevantmessagelogs,asfollows:

C:\android-sdk-windows\platform-tools>adb.exepull

/data/data/com.android.providers.telephonyC:\temp

pull:buildingfilelist...

......

->C:\temp/databases/telephony.db-journal

pull:

/data/data/com.android.providers.telephony/databases/mmssms.db->

C:\temp/databases/mmssms.db

pull:

/data/data/com.android.providers.telephony/databases/telephony.db-

>C:\temp/databases/telephony.db

5filespulled.0filesskipped.

51KB/s(160951bytesin3.045s)

Thephonenumbercanbeseenundertheaddresscolumnandthecorrespondingtextmessagecanbeseenunderthebodycolumn,asshowninthefollowingscreenshot:

Callstableinthecontacts2.dbfile

Extractingbrowserhistory

Browserhistoryinformationisonetaskthatisoftenrequiredtobereconstructedbyaforensicexaminer.ApartfromthedefaultAndroidBrowser,therearedifferentbrowserapplicationsthatcanbeusedonanAndroidphone,suchasFirefoxMobile,GoogleChrome,andsoon.AllofthesebrowsersstoretheirbrowserhistoryintheSQLite.dbformat.Forourexample,weareextractingdatafromthedefaultAndroidbrowsertoourforensicworkstation.Thisdataislocatedat/data/data/com.android.browser.Thefilenamedbrowser2.dbcontainsthebrowserhistorydetails.ThefollowingscreenshotshowsthebrowserdataasrepresentedbyOxygenForensicSQLiteDatabaseViewer.Notethatthetrialversionwillhidecertaininformation.

Thebrowser2.dbfileinOxygenForensicSQLiteViewer

Analysisofsocialnetworking/IMchats

SocialnetworkingandIMchatapplicationssuchasFacebook,Twitter,andWhatsApprevealsensitivedata,whichcouldbehelpfulduringtheinvestigationofanycase.TheanalysisisprettymuchthesameaswithanyotherAndroidapplication.Downloadthedatatoaforensicworkstationandanalyzethe.dbfilestofindoutifyoucanunearthanysensitiveinformation.Forexample,let'slookattheFacebookapplicationandtrytoseewhatdatacanbeextracted.First,weextractthe/data/data/com.facebook.katanafolderandnavigatetothedatabasesfolder.Thefb.dbfilepresentunderthisfoldercontainsinformationwhichisassociatedtotheuser'saccount.Thefriends_datatablecontainsinformationaboutthefriend'snamesalongwiththeirphonenumbers,e-mailIDs,anddateofbirth,asshowninthefollowingscreenshot.Similarly,otherfilescanbeanalyzedtofindoutifanysensitiveinformationcanbegathered.

Thefb.dbfileinSQLitebrowser

Similarly,byanalyzingthedatapresentinthe/data/datafolder,informationaboutgeolocation,calendarevents,usernotes,andmorecanbegrabbed.

Usingcontentproviders

InAndroid,thedataofoneapplicationcannotbeaccessedbyanotherapplicationundernormalcircumstances.However,Androidprovidesamechanismthroughwhichdatacanbesharedwithotherapplications.Thisispreciselyachievedthroughtheuseofcontentproviders.Contentproviderspresentdatatoexternalapplicationsintheformofoneormoretables.Thesetablesarenodifferentfromthetablesfoundinarelationaldatabase.TheycanbeusedbytheapplicationstosharedatausuallythroughtheURIaddressingscheme.Theyareusedbyotherapplicationsthataccesstheproviderusingaprovider-clientobject.Duringtheinstallationofanapp,theuserdetermineswhetherornottheappcangainaccesstotherequesteddata(contentproviders).Forinstance,contacts,SMS/MMS,calendar,andsoon,areexamplesofcontentproviders.

Hence,bytakingadvantageofthis,wecancreateanappthatcangraballtheinformationfromalltheavailablecontentproviders.Thisispreciselyhowmostofthecommercialforensictoolswork.Theadvantageofthismethodisitcanbeusedonbothrootedandnon-rooteddevices.Forourexample,weareusingAFLogical,whichtakesadvantageofthecontent-providermechanismtogainaccesstotheinformation.ThistoolextractsthedataandsavesittoanSDcard

inCSVformat.ThefollowingstepsextracttheinformationfromanAndroiddeviceusingAFLogicalOpenSourceEdition1.5.2:

1. DownloadAFLogicalOSE1.5.2fromhttps://github.com/viaforensics/android-forensics/downloads.

Note

TheAFLogicalLEeditioniscapableofextractingalargersetofinformationandrequiresregistrationwithviaForensicsusinganactivelawenforcementorgovernmentagencye-mail.AFLogicalOSEcanpullallavailableMMSes,SMSes,contacts,andcalllogs.

2. EnsureUSBdebuggingmodeisenabledandconnectthedevicetotheworkstation.

3. Verifythatthedeviceisidentifiedbyissuingthefollowingcommand:

C:\android-sdk-windows\platform-tools>adb.exedevices

Listofdevicesattached

4df16ac3115d6p18device

4. SavetheAFLogicalOSEappinthehomedirectoryandissuethefollowingcommandtoinstallitonthedevice:

C:\android-sdk-windows\platform-tools>adb.exe

installAFLogical-OSE_1.5.2.apk

1479KB/s(28794bytesin0.019s)

pkg:/data/local/tmp/AFLogical-OSE_1.5.2.apk

Success

5. Oncetheapplicationisinstalled,youcanrunitdirectlyfromthedeviceandclickontheCapturebuttonpresentatthebottomoftheapp,asshowninthefollowingscreenshot:

TheAFLogicalOSEapp

6. Theappstartsextractingdatafromtherespectivecontentprovidersandoncetheprocessiscomplete,amessagewillbedisplayed,asshowninthefollowingscreenshot:

Messagedisplayedaftertheextractioniscomplete

7. TheextracteddataissavedtotheSDcardofthedeviceinadirectorynamedforensics.TheextractedinformationisstoredinCSVfiles,asshowninthefollowingfigure.TheCSVfilescanbeviewedusinganyeditor.

FilesextractedusingAFLogicalOSE

8. Theinfo.xmlfilepresentinthesamedirectoryprovidesinformationaboutthedeviceincludingtheIMEInumber,IMSInumber,Androidversion,informationaboutinstalledapplications,andsoon.

OthertoolsthatcanhelpduringinvestigationtologicallyextractdatawillbecoveredinChapter11,AndroidAppAnalysisandOverviewofForensicTools.

Physicaldataextraction

Androiddataextractionthroughphysicaltechniques(hardware-based)mainlyinvolvestwomethods:JTAGandchip-off.Thesetechniquesareusuallyhardtoimplementandrequiregreatprecisionandexperiencetotrythemonrealdevicesduringthecourseofaninvestigation.Thefollowingsectionsprovideanoverviewofthesetechniques.

JTAG

JTAG(JointTestActionGroup)involvesusingadvanceddataacquisitionmethods,whichinvolveconnectingtospecificportsonthedeviceandinstructingtheprocessortotransferthedatastoredonthedevice.Byusingthismethod,afullphysicalimageofadevicecanbeacquired.Itisalwaysrecommendedtofirsttryoutthelogicaltechniquesmentionedearlierastheyareeasytoimplementandrequirelesseffort.ExaminersmusthavepropertrainingandexperiencepriortoattemptingJTAGasthedevicemaybedamagedifhandledimproperly.

TheJTAGprocessusuallyinvolvesthefollowingforensicsteps:

1. InJTAG,thedeviceTestAccessPorts(TAPs)areusedtoaccesstheCPUofthedevice.IdentifyingtheTAPsistheprimaryandmostimportantstep.TAPsareidentifiedandtheconnectionistracedtotheCPUtofindoutwhichpadisresponsibleforeachfunction.AlthoughdevicemanufacturersdocumentresourcesabouttheJTAGschematicsofaparticulardevice,theyarenotreleasedforgeneralviewing.AgoodsiteforJTAGonanAndroiddeviceishttp://www.forensicswiki.org/wiki/JTAG_Forensics.

2. WireleadsarethensolderedtoappropriateconnecterpinsandtheotherendisconnectedtothedevicethatcancontroltheCPU,asshowninthefollowingimage(publishedbywww.binaryintel.com).JTAGjigscanbeusedtoforgosolderingforcertaindevices.TheuseofajigorJTAGadapternegatestheneedtosolder,asitconnectstheTAPstotheCPU.

TheJTAGsetup

3. Oncetheprecedingstepsarecomplete,powermustbeappliedtoboottheCPU.Thevoltagethatmustbeapplieddependsonthespecificationsreleasedbythehardwaremanufacturer.Donotapplyavoltagebeyondthenumbermentionedinthespecification.

4. Afterapplyingthepower,afullbinarymemorydumpoftheNANDflashcanbeextracted.

5. Analyzetheextracteddatausingtheforensictechniquesandtoolslearnedinthisbook.Araw.binfilewillbeobtainedduringtheacquisitionandmostforensictoolssupportingestionandanalysisofthisimageformat.

ItisalsoimportanttounderstandthattheJTAGtechniqueshouldnotresultinlossoffunctionalityofthedevice.Ifreassembledproperly,thedeviceshouldfunctionwithoutanyproblems.AlthoughtheJTAGtechniqueiseffectiveinextractingthedata,onlyexperiencedandqualifiedpersonnelshouldattemptit.AnyerrorinsolderingtheJTAGpadsorapplyingadifferentvoltagecoulddamagethedeviceentirely.

Chip-off

Chip-off,asthenamesuggests,isatechniquewheretheNANDflashchip(s)areremovedfromthedeviceandexaminedtoextracttheinformation.Hence,thistechniquewillworkevenwhenthedeviceispasscode-protectedandUSBdebuggingisnotenabled.UnliketheJTAGtechniquewherethedevicefunctionsnormallyafterexamination,thechip-offtechniqueusuallyresultsindestructionofthedevice,thatis,itismoredifficulttoreattachtheNANDflashtothedeviceafterexamination.TheprocessofreattachingtheNANDflashtothedeviceiscalledre-ballingandrequirestrainingandpractice.

Chip-offtechniquesusuallyinvolvethefollowingforensicsteps:

1. Allofthechipsonthedevicemustberesearchedtodeterminewhichchipcontainsuserdata.Oncedetermined,theNANDflashisphysicallyremovedfromthedevice.Thiscanbedonebyapplyingheattodesolderthechipasshowninthefollowingimage(publishedbywww.binaryintel.com).ThisisaverydelicateprocessandmustbedonewithgreatcareasitmayresultindamagingtheNANDflash.

Thechip-offtechnique

2. Thechipisthencleanedandrepairedtomakesurethattheconnectorsarepresentandfunctioning.

3. Usingspecializedhardwaredeviceadapters,thechipcannowberead.Thisisdonebyinsertingthechipintothehardwaredevice,whichsupportsthespecificNANDflashchip.Inthisprocess,rawdataisacquiredfromthechipresultingina.binfile.

4. Thedataacquiredcannowbeanalyzedusingforensictechniquesandthetoolsdescribedearlier.

Thechip-offtechniqueismosthelpfulwhenthedeviceisdamagedseverely,locked,orotherwiseinaccessible.However,theapplicationofthistechniquerequiresnotonlyexpertisebutalsocostlyequipmentandtools.ThereisalwaysariskofdamagingtheNANDflashwhileremovingitandhenceitisrecommendedtotryoutthelogicaltechniquesfirsttoextractanydata.

Imagingamemory(SD)card

Therearemanytoolsavailablethatcanimageamemorycard.ThefollowingexampleusesWinHextocreatearawdiskimageoftheSDcard.Thefollowingisastep-by-stepprocesstoimageamemorycardusingtheWinHexsoftware.

Connectingthememorycard:RemovetheSDcardfromthememoryslotanduseacardreadertoconnectthememorycardtotheforensicworkstation.Writeprotectthecard:OpenthediskusingWinHex.NavigatetoOptions|EditModeandselectthewrite-protectedmode,asshowninthefollowingscreenshot.Thisistomakesurethatthedeviceiswriteprotectedandnodatacanbewrittenonit.

WinHexviewofEditMode(left)andWinHexRead-onlyModeenabled(right)

Calculatingthehashvalue:Calculatethehashvalueofthememorycardtomakesurethatnochangesaremadeatanypointduringtheinvestigation.NavigatetoTools|Computehashandchooseanyhashingalgorithm.Creatingtheimageofthedisk:NavigatetoFile|CreateDiskImage,asshowninthefollowingscreenshot.SelecttheRawimageoption(.dd)tocreateanimage.Thiscompletestheimagingofthememorycard.

TheWinHexdiskimageoption

SummaryImagingadeviceisoneoftheprimarystepstoensurethatthedataonthedeviceisnotmodified.Oncethedeviceisaccessible,anexaminercanextractthedatausingmanual,logical,orphysicaldataextractiontechniques.Logicaltechniquesextractthedatabyaccessingthefilesystem.Whilethephysicaltechniquesaccessalargersetofdata,theyarecomplexandrequiregreatexpertisetoperform.Manualextractionshouldbeperformedtovalidatedataoronlywhenonetoolisusedtocreatetheimage.Oncethedataisacquired,examinationandmanualextractionfollows,asdescribedinthenextchapter.

Chapter10.AndroidDataRecoveryTechniquesWhilethedataextractionandanalysistechniquesprovideinformationaboutvariousdetailssuchascalllogs,textmessages,andothercellularfunctions,notalltechniquescanprovideinformationaboutthedeleteddata.Itisraretofindasmartphonetodaythatdoesn'tcontaindatatheuserintendedtodelete.Theprobabilitythatthedeleteddatacontainssensitiveinformation(whichiswhythedataisdeletedinthefirstplace)ishigh.Hence,datarecoveryisacrucialaspectofmobileforensicsasithelpstounearththedeleteditems.Thischapteraimstocovervarioustechniques,whichcanbeusedbyaforensicanalysttorecoverthedatafromanAndroiddevice.

DatarecoveryDatarecoveryisoneofthemostsignificantandpowerfulaspectsofforensicanalysis.Theabilitytorecoverdeleteddatacanbecrucialtocrackmanycivilandcriminalcases.Fromanormaluser'spointofview,recoveringdatathathasbeendeletedwouldusuallyrefertotheoperatingsystem'sbuilt-insolutionssuchastheRecycleBininWindows.Whileit'struethatdatacanberecoveredfromtheselocations,duetoanincreaseinuserawareness,theseoptionsdon'toftenwork.Forinstance,onadesktopcomputer,peoplenowuseShift+Deleteasawaytodeleteafilecompletelyfromtheirdesktop.

Datarecoveryistheprocessofretrievingdeleteddatafromadevicewhenitcannotbeaccessednormally.Considerthescenariowhereamobilephonehasbeenseizedfromaterrorist.Wouldn'titbeofgreatestimportancetoknowwhichitemsweredeletedbytheterrorist?AccesstoanydeletedSMSmessages,pictures,dialednumbers,applicationdata,andmorecanbeofcriticalimportanceastheyoftenrevealsensitiveinformation.WithAndroid,itispossibletorecovermostofthedeleteddataifthedevicefilesareproperlyacquired.However,ifpropercareisnottakenwhilehandlingthedevice,thedeleteddatacouldbelostforever.Toensurethatthedeleteddataisnotoverwritten,itisrecommendedtokeepthefollowingpointsinmind:

Donotusethephoneforanyactivityafterseizingit.Thedeleteddataexistsonthedeviceuntilthespaceisneededbysomeotherincomingdata.Hence,thephonemustnotbeusedforanysortofactivitysoastopreventthedatafrombeingoverwritten.Evenwhenthephoneisnotused,withoutanyinterventionfromourend,datacanbeoverwritten.Forinstance,anincomingSMSwouldautomaticallyoccupythespace,whichcouldoverwritethedatamarkedfordeletion.Topreventoccurrenceofsuchevents,theexaminershouldfollowtheforensichandlingmethodsdescribedinthepreviouschapters.Theeasiestsolutionistoplacethedeviceinairplanemode,disableallconnectivityoptionsonthedevice,orturnthedeviceoff.Thispreventsthedeliveryofanynewmessages.

Recoveringthedeletedfiles

AllAndroidfilesystemshavemetadatacontaininginformationaboutthehierarchyoffiles,filenames,andsoon.Deletionwillnotreallyerasethedatabutremovethefilesystemmetadata.Whentextmessagesoranyotherfilesaredeletedfromthedevice,theyarejustmadeinvisibletotheuserbutthefilesarestillpresentonthedevice.Essentially,thefilesaresimplymarkedfordeletion,butresideonthefilesystemuntilbeingoverwritten.RecoveringdeleteddatafromanAndroiddeviceinvolvestwoscenarios:recoveringdatathatisdeletedfromtheSDcard,suchaspictures,videos,applicationdata,andmore,andrecoveringdatathatisdeletedfromtheinternalmemoryofthedevice.ThefollowingsectionscoverthetechniquesthatcanbeusedtorecoverdeleteddatafromboththeSDcardandinternalmemoryoftheAndroiddevice.

RecoveringdeleteddatafromanSDcard

DatapresentonSDcardscanrevealalotofinformationforforensicinvestigators.SDcardsarecapableofstoringpicturesandvideostakenbythephone'scamera,voicerecordings,applicationdata,cachedfiles,andmore.Essentially,anythingthatcanbestoredonacomputerharddrivecanbestoredonanSDcardasmuchastheavailablespaceallows.RecoveringthedeleteddatafromanexternalSDcardisastraightforwardprocess.SDcardscanbemountedasanexternalmassstoragedeviceandforensicallyacquiredusingstandarddigitalforensicmethodsasdiscussedinChapter9,AndroidDataExtractionTechniques.Thedeviceshouldneverbemountedonacomputertocopythefilesastheunallocatedspacewillbemissed.Asmentionedinthepreviouschapters,SDcardsinAndroiddevicesoftenusetheFAT32filesystem.ThemainreasonforthisisthattheFAT32filesystemiswidelysupportedinmostoperatingsystemsincludingWindows,Linux,andMacOSX.ThemaximumfilesizeonaFAT32formatteddriveisaround4GB.Withincreasinglyhighresolutionformatsnowavailable,thislimitiscommonlyreached.Apartfromthis,FAT32canbeusedonpartitionsthatarelessthan32GBinsize.Hence,theexFATfilesystem,whichovercomestheseproblems,isnowbeingusedinsomeofthedevices.

TorecoverthedeletedfilesfromanSDcard,youcanuseanyoftheavailableforensictoolssuchastheRemoRecoverforAndroidtool.Thefollowingisastep-by-stepprocesstorecoverthedeletedfilesfromanSDcardusingRemo

RecoveryforAndroid:

1. Downloadthesoftwarefromhttp://www.remosoftware.com/remo-recover-for-android.Next,installthesoftwareandlaunchit.Fromthemainscreen,selecttheappropriatefilerecoverymode.ThetooltriestorecognizetheAndroiddeviceanddisplaysthefollowingscreen,oncethedeviceissuccessfullydetected.Note,theAndroiddevicemustbeabletoconnectviaUSBdebuggingorthedevicemaynotbedetected.

Androidrecovery—devicedetection

2. Thetoolpresentsyouwithalistofstoragedevicesavailable,asshowninthefollowingscreenshot.Selectthestoragedevicefromthelistandproceed.

Thelistofstoragedevicesavailable

3. Selectthetypeoffiletoberecoveredorselectallandproceedfurther.4. Oncetherecoveryprocessiscomplete,alistoftheextractedfileswillbe

providedasshowninthefollowingscreenshot:

Recoveredfileslist

ExaminersmustunderstandthatAndroiddevicesmightusespaceontheSDcardtocacheapplicationdata,thereforeitisimportanttomakesurethatasmuchdataaspossibleisobtainedfromthedevicepriortoremovingtheSDcard.ItisrecommendedtoacquiretheSDcardthroughthedeviceaswellasseparatelytoensurealldataisobtained.ToachievetheSDcardimage,ddthroughadbcanbeusedwhilethedeviceisrunningtoobtainanimageoftheSDcardofthedeviceifthedevicecannotbepoweredoffduetopossibleevidencerunninginthememory.AmemorycapturecanbeobtainedontheAndroiddeviceshoulddataactivelyberunninginthememoryberelevanttotheinvestigation.ToolssuchasLiMEcanbeusedtocompletethememorycapture.LiMEcanbeaccessedonthefollowingsite:https://code.google.com/p/lime-forensics/.

Itisalsorecommendedtocheckifthedevicehasanybackupapplicationsorfilesinstalled.TheinitialreleaseofAndroiddidnotincludeamechanismfortheuserstobackuptheirpersonaldata.Hence,severalbackupapplicationswereusedextensivelybytheusers.Byusingtheapps,usershavetheabilitytobackuptheirdataeithertotheSDcardortothecloud.Forexample,theSuperBackupappcontainstheoptionstobackupcalllogs,contacts,SMS,andmoreasshowninthefollowingscreenshot:

TheSuperBackupAndroidapp

Upondetectionofabackupapplication,theforensicexaminersmustattempttodeterminewherethedataisstored.Thedatasavedinabackupmaycontainimportantinformationandthuslookingforanythird-partybackupapponthedevicewouldbeveryhelpful.

Recoveringdatadeletedfrominternalmemory

RecoveringfileswhicharedeletedfromAndroid'sinternalmemory(suchasSMS,contacts,appdata,andmore)isnotsupportedbyallanalyticaltoolsandmayrequiremanualcarving.UnlikesomemediacontainingcommonfilesystemssuchasSDcards,thefilesystemmaynotberecognizedandmountedbyforensictools.Also,theexaminercannotgetaccesstotherawpartitionsoftheinternalmemoryofanAndroidphoneunlessthephoneisrooted.ThefollowingaresomeoftheotherissuestheexaminermayfacewhenattemptingtorecoverdatafromtheinternalmemoryonAndroiddevices:

Togetaccesstotheinternalmemoryyoucantrytorootthephone.However,therootingprocessmightinvolvewritingsomedatatothe/datapartitionandthisprocesscouldoverwritethedataofvalueonthedevice.

UnlikeSDcards,theinternalfilesystemhereisnotFAT32(whichiswidelysupportedbyforensictools).TheinternalfilesystemcouldbeYAFFS2(inolderdevices),EXT3,EXT4,RFS,orsomethingproprietarybuilttorunonAndroid.Therefore,manyoftherecoverytoolsdesignedforusewithWindowsfilesystemswon'twork.ApplicationdataonAndroiddevicesiscommonlystoredintheSQLiteformat.Whilemostforensictoolsprovideaccesstothedatabasefiles,theymayhavetobeexportedandviewedinanativebrowser.Theexaminermustexaminetherawdatatoensurethatthedeleteddataisnotoverlookedbytheforensictool.

Thediscussedreasonsmakeitdifficult,butnotimpossible,torecoverthedeleteddatafromtheinternalmemory.TheinternalmemoryofAndroiddevicesholdsabulkoftheuserdataandthepossiblekeystoyourinvestigation.Aspreviouslymentioned,thedevicemustberootedinordertoaccesstherawpartitions.MostoftheAndroidrecoverytoolsonthemarketdonothighlightthefactthattheyworkonlyonrootedphones.LetusnowseehowwecanrecoverdeleteddatafromanAndroidphone.

RecoveringdeletedfilesbyparsingSQLitefiles

AndroidusesSQLitefilestostoremostdata.Datarelatedtotextmessages,e-mails,andcertainappdataisstoredinSQLitefiles.SQLitedatabasescanstoredeleteddatawithinthedatabaseitself.FilesmarkedfordeletionbytheusernolongerappearintheactiveSQLitedatabasefiles.Therefore,itispossibletorecoverthedeleteddatasuchastextmessages,contacts,andmore.TherearetwoareaswithinaSQLitepagethatcancontaindeleteddata:unallocatedblocksandfreeblocks.MostofthecommercialtoolsthatrecoverdeleteddatascantheunallocatedblocksandfreeblocksoftheSQLitepages.ParsingthedeleteddatacanbedoneusingtheavailableforensictoolssuchasOxygenForensicsSQLiteViewer.ThetrialversionoftheSQLiteViewercanbeusedforthispurpose;however,therearecertainlimitationsontheamountofdatathatyoucanrecover.YoucanwriteyourownscripttoparsethefilesfordeletedcontentandforthatyouneedtohaveagoodunderstandingabouttheSQLitefileformat.Thelinkhttp://www.sqlite.org/fileformat.htmlisagoodplacetostartwith.Ifyoudonotwanttoreinventandwanttoreusetheexistingscripts,youcantrytheavailableopensourcePythonscripts(http://az4n6.blogspot.in/2013/11/python-parser-to-recover-deleted-sqlite.html)toparsetheSQLitefilesfordeleted

records.

Forourexample,wewillrecoverdeletedSMSesfromanAndroiddevice.RecoveringdeletedSMSesfromanAndroidphoneisquiteoftenrequestedaspartofforensicanalysisonadevicemainlybecausetextmessagescontaindata,whichcanrevealalotofinformation.TherearedifferentwaystorecoverdeletedtextmessagesonanAndroiddevice.First,weneedtounderstandwherethemessagesarebeingstoredonthedevice.InChapter9,AndroidDataExtractionTechniques,weexplainedtheimportantlocationsontheAndroiddevicewhereuserdataisstored.Hereisaquickrecapofthis:

Everyapplicationstoresitsdataunderthe/data/datafolder(again,thisrequiresrootaccesstoacquiredata)Thefilesunderthelocation/data/data/com.android.providers.telephony/databasescontaindetailsaboutSMS/MMS

Undertheprecedingmentionedlocation,textmessagesarestoredinaSQLitedatabasefile,whichisnamedmmssms.db.Deletedtextmessagescanberecoveredbyexaminingthisfile.HerearethestepstorecoverdeletedSMSesusingthemmssms.dbfile:

1. OntheAndroiddevice,enabletheUSBdebuggingmodeandconnectthedevicetotheforensicworkstation.Usingtheadbcommand-linetool,extractthedatabasesfolderpresentunderthelocation/data/data/byissuingtheadbpullcommand:

C:\android-sdk-windows\platform-tools>adb.exepull

/data/data/com.android.providers.telephony/databasesC:\temp

pull:buildingfilelist...

pull:

/data/data/com.android.providers.telephony/databases/mmssms.db-

journal->C:\temp/mmssms.db-journal

pull:

/data/data/com.android.providers.telephony/databases/telephony.

db-journal->C:\temp/telephony.db-journal

pull:

/data/data/com.android.providers.telephony/databases/mmssms.db

->C:\temp/mmssms.db

pull:

/data/data/com.android.providers.telephony/databases/telephony.

db->C:\temp/telephony.db

4filespulled.0filesskipped.

53KB/s(160848bytesin2.958s)

Oncethefilesareextractedtothelocalmachine,usetheOxygenForensicsSQLiteViewertooltoopenthemmssms.dbfile.

2. ClickonthetablenamedsmsandobservethecurrentmessageundertheTablesdatatabinthetool.

3. OnewaytoviewthedeleteddataisbyclickingontheBlockscontainingdeleteddatatab,asshowninthefollowingscreenshot:

RecoveringdeletedSMSmessages

Similarly,otherdataresidingonAndroiddeviceswhichstoredatainSQLitefilescanberecoveredbyparsingfordeletedcontent.Whentheprecedingmethoddoesn'tprovideaccesstothedeleteddata,theexaminershouldlookatthefileinrawhexfilefordatamarkedasdeleted,whichcanbemanuallycarvedandreported.

Recoveringfilesusingfile-carvingtechniques

Filecarvingisanextremelyusefulmethodinforensicsbecauseitallowsfordatathathasbeendeletedorhiddentoberecoveredforanalysis.Insimpleterms,filecarvingistheprocessofreassemblingcomputerfilesfromfragmentsintheabsenceoffilesystemmetadata.Infilecarving,specifiedfiletypesaresearchedforandextractedacrossthebinarydatatocreateaforensicimageofapartitionoranentiredisk.Filecarvingrecoversfilesfromtheunallocatedspaceinadrivebasedmerelyonfilestructureandcontentwithoutanymatchingfilesystemmetadata.Unallocatedspacereferstothepartofthedrivethatnolongerholdsanyfileinformationaspointedbythefilesystemstructuressuchasthefiletable.

Filescanberecoveredorreconstructedbyscanningtherawbytesofthediskandreassemblingthem.Thiscanbedonebyexaminingtheheader(thefirstfewbytes)andfooter(thelastfewbytes)ofafile.

File-carvingmethodsarecategorizedbasedontheunderlyingtechniqueinuse.Theheader-footercarvingmethodreliesonrecoveringthefilesbasedontheheaderandfooterinformation.Forinstance,theJPEGfilesstartwith0xffd8andendwith0xffd9.Thelocationsoftheheaderandfooterareidentifiedandeverythingbetweenthosetwoendpointsiscarved.Similarly,thecarvingmethodbasedonthefilestructureusestheinternallayoutofafiletoreconstructthefile.Butthetraditionalfile-carvingtechniquessuchastheoneswe'vealreadyexplainedmaynotworkifthedataisfragmented.Toovercomethis,newtechniquessuchassmartcarvingusethefragmentationcharacteristicsofseveralpopularfilesystemstorecoverthedata.

Oncethephoneisimaged,itcanbeanalyzedusingtoolssuchasScalpel.Scalpelisapowerfulopensourceutilitytocarvefiles.Thistoolanalyzestheblockdatabasestorageandidentifiesthedeletedfilesandrecoversthem.ScalpelisfilesystemindependentandisknowntoworkonvariousfilesystemsincludingFAT,NTFS,EXT2,EXT3,HFS,andmore.ThefollowingstepsexplainhowtouseScalpelonanUbuntuworkstation:

1. InstallScalpelontheUbuntuworkstationusingthecommandsudoapt-getinstallscalpel.

2. Thescalpel.conffilepresentunderthe/etc/scalpeldirectorycontainsinformationaboutthesupportedfiletypes,asshowninthefollowingscreenshot:

Thescalpelconfigurationfile

ThisfileneedstobemodifiedinordertomentionthefilesthatarerelatedtoAndroid.Asamplescalpel.conffilecanbedownloadedfromthelinkhttps://viaforensics.com/resources/tools/#android.Youcanalsouncommentthefilesandsavetheconffiletoselectfiletypesofyourchoice.Oncethisisdone,replacetheoriginalconffilewiththeonethatisdownloaded.

3. Scalpelneedstoberunalongwiththeprecedingconfigurationfileontheddimagebeingexamined.Youcanrunthetoolusingthecommandshowninthefollowingscreenshot,byinputtingtheconfigurationfileandtheddfile.Oncethecommandisrun,thetoolstartstocarvethefilesandbuildthemaccordingly.

RunningtheScalpeltoolonaddfile

4. Theoutputfolderspecifiedintheprecedingcommandnowcontainslistsoffoldersbasedonthefiletypes,asshowninthefollowingscreenshot.Eachofthesefolderscontainsdatabasedonthefoldername.Forinstance,jpg2-0containsfilesrelatedtothe.jpgextensionthathasbeenrecovered.

OutputfolderafterrunningtheScalpeltool

5. Asshownintheprecedingscreenshot,eachfoldercontainsrecovereddatafromtheAndroiddevice,suchasimages,PDFfiles,ZIPfiles,andmore.Whilesomepicturesarerecoveredcompletely,somearenotrecoveredtoafullextent,asshowninthefollowingscreenshot:

RecovereddatausingtheScalpeltool

ApplicationssuchasDiskDiggercanbeinstalledonAndroiddevicestorecoverdifferenttypesoffilesfromboththeinternalmemoryandSDcards.ApplicationssuchasDiskDiggerincludesupportforJPGfiles,MP3andWAVaudio,MP4and3GPvideo,rawcameraformats,MicrosoftOfficefiles(DOC,XLS,andPPT),andmore.However,asmentionedearlier,theapplicationrequiresrootprivilegesontheAndroiddeviceinordertorecoverthecontentfromtheinternalmemory.Thus,file-carvingtechniquesplayaveryimportantroleinrecoveringimportantdeletedfilesfromthedevice'sinternalmemory.

YoucanalsorestorethecontactsonthedeviceusingtheRestoreContactsoptionthroughtheGoogleaccountconfiguredonthedevice.ThiswouldworkiftheuserofthedevicehaspreviouslysyncedtheircontactsusingtheSyncSettingsoptionavailableinAndroid.Thisoptionsynchronizesthecontactsandotherdetailsandwouldstoretheminthecloud.AforensicexaminerwithlegalauthorityorproperconsentcanrestorethedeletedcontactsiftheycangetaccesstotheGoogleaccountconfiguredonthedevice.Oncetheaccountisaccessed,

performthefollowingstepstorestorethedata:

1. LogintotheGmailaccount.2. ClickonGmailinthetop-leftcornerandselectContacts,asshowninthe

followingscreenshot:

TheContactsmenuinGmail

3. ClickonMore,whichispresentabovethecontactslist.4. ClickonRestoreContactsandthefollowingscreenappears:

TheRestoreContactsdialogbox

5. Now,youcanrestorethecontactlisttothestatethatitwasinatanypointwithinthepast30daysusingthistechnique.

SummaryRecoveryofthedeleteddataonAndroiddevicesdependsonvariousfactorswhichheavilyrelyonaccesstothedataresidingintheinternalmemoryandSDcard.WhiletherecoveryofdeleteditemsfromexternalstoragesuchasanSDcardiseasy,recoveryofdeleteditemsfromtheinternalmemorytakesconsiderableeffort.SQLitefileparsingandfile-carvingtechniquesaretwomethodstorecoverdeleteddataextractedfromanAndroiddevice.ThenextchapterdiscussesAndroidforensictoolsthatcanbehelpfulinextractingandacquiringdatafromAndroiddevices.Bothopensourceandcommercialmethodswillbediscussed.

Chapter11.AndroidAppAnalysisandOverviewofForensicToolsThird-partyapplicationsarecommonlyusedbysmartphoneusers.AndroidusersdownloadandinstallseveralappsfromappstoressuchasAndroidMarketandGooglePlay.Duringforensicinvestigations,itisoftenhelpfultoperformananalysisoftheseappstoretrievevaluabledataandtodetectanymalware.Forinstance,aphotovaultappmightlocksensitiveimagespresentonthedevice.Hence,itwouldbeofgreatsignificancetohavetheknowledgetoidentifythepasscodeforthephotovaultapp.Whilethedataextractionanddatarecoverytechniquesdiscussedinearlierchaptersprovideaccesstovaluabledata,appanalysiswouldhelpustogaininformationaboutthespecificsofanapplication,suchaspreferencesandpermissions.ThischaptercoversthetechniquestoreverseengineeranAndroidapplicationandalsothrowslightonsomeavailableforensictoolsthatmaybeextremelyhelpfulduringforensicacquisitionandanalysis.

AndroidappanalysisOnAndroid,everythingtheuserinteractswithisanapplication.Whilesomeappsarepreinstalledbythedevicemanufacturer,someappsaredownloadedandinstalledbytheuser.Dependingonthetypeofapplication,mostoftheseappsstoresensitiveinformationontheinternalmemoryortheSDcardonthedevice.Usingtheforensictechniquesdescribedearlier,itispossibletogetaccesstothedatastoredbytheseapplications.However,aforensicexaminerneedstodevelopthenecessaryskillstoconverttheavailabledataintousefuldata.Thisisachievedwhenyouhaveacomprehensiveunderstandingofhowtheapplicationhandlesdata.

Theexaminermayneedtodealwithapplicationsthatstandasabarriertoaccessingrequiredinformation.Forinstance,takethecaseofthegalleryonaphonelockedbyanapplockerapplication.Inthiscase,inordertoaccessthepicturesandvideosstoredonthegallery,youfirstneedtoenterthepasscodetotheapplocker.Hence,itwouldbeinterestingtoknowhowtheapplockerappstoresthepasswordonthedevice.Youmightlookintothesqlitedatabasefiles,butiftheyareencrypted,thenit'shardtoevenpredictthatit'sapassword.Reverseengineeringapplicationswouldbehelpfulinsuchcaseswhereyouwanttobetterunderstandtheapplicationandhowtheapplicationstoresthedata.

ReverseengineeringAndroidappsTostateitinsimpleterms,reverseengineeringistheprocessofretrievingsourcecodefromanexecutable.ReverseengineeringanAndroidappisdoneinordertounderstandthefunctioningoftheapp,datastorage,securitymechanismsinplace,andmore.BeforeweproceedtolearnhowtoreverseengineeranAndroidapp,hereisaquickrecapoftheAndroidapps:

AlltheapplicationsthatareinstalledontheAndroiddevicearewrittenintheJavaprogramminglanguage.WhenaJavaprogramiscompiled,wegetbytecode.Thisissenttoadexcompiler,whichconvertsitintoaDalvikbytecode.Thus,theclassfilesareconvertedtodexfilesusingdxtool.AndroidusessomethingcalledDalvikvirtualmachine(DVM)torunitsapplications.JVM'sbytecodeconsistsofoneormoreclassfilesdependingonthenumberofJavafilesthatarepresentinanapplication.Regardless,aDalvikbytecodeiscomposedofonlyonedexfile.

Thus,thedexfiles,XMLfiles,andotherresourcesthatarerequiredtorunanapplication,arepackagedintoanAndroidpackagefile(anAPKfile).TheseAPKfilesaresimplyacollectionofitemswithinaZIPfile.Therefore,ifyourenameanAPKextensionfileas.zip,thenyouwillbeabletoseethecontentsofthefile.Butbeforethat,youneedtogetaccesstotheAPKfileoftheapplicationthatisinstalledonthephone.HereishowtheAPKfilecorrespondingtoanapplicationcanbeaccessed.

ExtractinganAPKfilefromanAndroiddevice

Appsthatcomepreinstalledwiththephonearestoredinthe/system/appdirectory.Third-partyapplicationsthataredownloadedbytheuserarestoredinthe/data/appfolder.ThefollowingmethodhelpsyoutogainaccesstotheAPKfilesonthedeviceandworksonbothrootedandnon-rooteddevices:

1. Identifythepackagenameoftheappbyissuingthefollowingcommand:

C:\android-sdk-windows\platform-tools>adb.exeshellpmlist

packages

package:android

package:android.googleSearch.googleSearchWidget

package:com.android.MtpApplication

package:com.android.Preconfig

package:com.android.apps.tag

package:com.android.backupconfirm

package:com.android.bluetooth

package:com.android.browser

package:com.android.calendar

package:com.android.certinstaller

package:com.android.chrome

...

Asshownintheprecedingcommandlines,thelistofpackagenamesisdisplayed.Trytofindamatchbetweentheappinquestionandthepackagename.Usually,thepackagenamesareverymuchrelatedtotheappnames.Alternatively,youcanusetheAndroidMarketorGooglePlaytoidentifythepackagenameeasily.TheURLforanappinGooglePlaycontainsthepackagenameasshowninthefollowingscreenshot:

FacebookAppinGooglePlayStore

2. IdentifythefullpathnameoftheAPKfileforthedesiredpackagebyissuingthefollowingcommand:

C:\android-sdk-windows\platform-tools>adb.exeshellpmpath

com.android.chrome

package:/data/app/com.android.chrome-2.apk

3. PulltheAPKfilefromtheAndroiddevicetotheforensicworkstationusingtheadbpullcommand:

C:\android-sdk-windows\platform-tools>adb.exepull

/data/app/com.android.chrome-2.apkC:\temp

3493KB/s(30943306bytesin8.649s)

YoucanalsouseapplicationssuchasESExplorertogettheAPKfileofanAndroidapplication.Nowlet'sanalyzethecontentsofanAPKfile.AnAndroidpackageisacontainerforanAndroidapp'sresourcesandexecutables.It'sazippedfilethatcontainsthefollowingfiles:

AndroidManifest.xml:Thiscontainsinformationaboutthepermissionsandmoreclasses.dex:Thisistheclassfileconvertedtoadexfilebythedexcompiler

Res:Theapplication'sresources,suchastheimagefiles,soundfiles,andmore,arepresentinthisdirectoryLib:ThiscontainsnativelibrariesthattheapplicationmayuseMETA-INF:Thiscontainsinformationabouttheapplication'ssignatureandsignedchecksumsforalltheotherfilesinthepackage.

OncetheAPKfileisobtained,youcanproceedtoreverseengineertheAndroidapplication.

StepstoreverseengineerAndroidapps

TheAPKfilescanbereverseengineeredindifferentwaystogettheoriginalcode.Thefollowingisonemethodthatusesthedex2jarandJD-GUItoolstogainaccesstotheapplicationcode.Forourexample,wewillexaminethecom.twitter.android-1.apkfile.ThefollowingarethestepstosuccessfullyreverseengineertheAPKfile:

1. Renametheapkextensionwithziptoseethecontentsofthefile.Renamethecom.twitter.android-1.apkfiletotwitter.android-1.zip,andextractthecontentsofthefileusinganyfilearchiverapplication.Thefollowingscreenshotshowsthefilesextractedfromtheoriginalfiletwitter.android-1.zip:

ExtractedfilesofanAPKfile

2. Theclasses.dexfilediscussedintheearliersectionscanbeaccessedafterextractingthecontentsoftheAPKfile.ThisdexfileneedstobeconvertedtoaclassfileofJava.Thiscanbedoneusingthedex2jartool.

3. Downloadthedex2jartoolfromhttps://code.google.com/p/dex2jar/,anddroptheclasses.dexfileintothedex2jartoolsdirectoryandissuethefollowingcommand:

C:\Users\Rohit\Desktop\Training\Android\dex2jar-0.0.9.15>d2j-

dex2jar.batclasses.dex

dex2jarclasses.dex->classes-dex2jar.jar

4. Theprecedingcommand,whensuccessfullyrun,createsanewfileclasses-dex2jar.jarinthesamedirectoryasshowninthefollowingscreenshot:

Theclasses-dex2jar.jarfilecreatedbythedex2jartool

5. Toviewthecontentsofthisjarfile,youcanuseatoolsuchasJD-GUI.Asshowninthefollowingscreenshot,thefilespresentinanAndroidapplicationandthecorrespondingcodecanbeseen:

TheJD-GUItool

Oncewegetaccesstothecode,itiseasytoanalyzehowtheapplicationstoresthevalues,permissions,andmoreinformationthatmaybehelpfultobypasscertainrestrictions.Whenmalwareisfoundonadevice,thismethodtodecompileandanalyzetheapplicationmayproveuseful,asitwillshowwhatisbeingaccessedbythemalwareandcluestowherethedataisbeingsent.ThemethodintheprecedingscreenshotisthebestwaytodeterminehowmalwareisaffectingtheAndroiddevice.

ForensictoolsoverviewItisimportantforanexaminertounderstandhowaforensictoolacquiresandanalyzesdatatoensurenothingismissedandthatthedataisbeingdecodedcorrectly.Whilemanualextractionandanalysisisuseful,aforensicexaminermayneedthehelpoftoolstoaccomplishthetasksinvolvedinmobiledeviceforensics.Forensictoolsnotonlysavetime,butalsomaketheprocessaloteasier.ThefollowingsectiondescribesfourimportanttoolsthatarewidelyusedduringforensicacquisitionandtheanalysisofanAndroiddevice.

TheAFLogicaltool

AFLogicalisanAndroidforensicstooldevelopedbyviaForensics.ThistoolperformslogicalacquisitionofanyAndroiddevicerunningeitherAndroid1.5orlaterversions.Itallowstheextracteddatatobesavedtotheexaminer'sSDCardinCSVformat.Therearetwoeditionsinthistool:AFLogicalOpenSourceEdition(OSE)andAFLogicalLawEnforcement(LE).

AFLogicalOpenSourceEdition

AFLogicalOpenSourceEditionisfreeopensourcesoftware.ItpullsallavailableMMS,SMS,contacts,andcalllogsfromtheAndroiddevice.AFLogicalOSEisalsobuiltintoSantoku-Linux,theopensource,community-drivenOSdedicatedtomobileforensics,mobilemalware,andmobilesecurity.TheconceptsbehindAFLogicalOSEwerementionedinChapter9,AndroidDataExtractionTechniques.ThiseditioncanalsobeusedonSantoku-Linuxbyperformingthefollowingsteps:

1. NavigatetoSantoku|DeviceForensics|AFLogicalOSE,asshowninthefollowingscreenshot:

AFLogicalinSantokuLinux

2. ToinstallAFLogicalOSEontothedevice,connecttheAndroiddeviceviaUSB.IfyouareusingSantoku-LinuxinaVM,makesureyouconnecttheAndroiddevicetotheguestVM.

3. Installtheapplicationtoyourdeviceasfollows:

aflogical-ose

634KB/s(28794bytesin0.044s)

pkg:/data/local/tmp/AFLogical-OSE_1.5.2.apk

Success

Starting:Intent{

cmp=com.viaforensics.android.aflogical_ose/com.viaforensics.and

roid.ForensicsActivity}

Pressentertopull/sdcard/forensicsinto~/aflogical-data/

4. OntheAndroiddevice,selecttheitemsyouwishtoextractandclickonCapture.

5. Next,pressEnterintheLinuxworkstation.ThiswillextractthedatafromyourAndroiddevicetothemountedSDcardin~/aflogical-data.

6. Thedataisstoredinafolderlabeledwiththedateandtimeoftheextraction,asshowninthefollowingscreenshotreferencedfromhttps://santoku-linux.com/:

TheAFLogicalresults

7. Theextracteddata,suchascalllogs,SMS,contacts,andmore,canbeaccessedbybrowsingthisfolder.

AFLogicalLawEnforcement(LE)

AccordingtoviaForensics,todownloadAFLogicalLE,youmustregisterwithviaForensicsusinganactivelawenforcementorgovernmentagencye-mail.ThiseditionisabletopullalllogicaldatafromanAndroiddevice,includingthefollowing:

BrowserbookmarksBrowsersearchesCalendarattendeesCalendareventsCalendarextendedpropertiesCalendarremindersCalendarsCallLogcallsContactmethodsContactextensionsContactgroupsContactorganizationsContactphonesContactsettingsExternalimagemediaExternalimagethumbmediaExternalmediaexternalvideosIMaccountIMaccountsIMchatsIMcontactsprovider(IMcontacts)IMinvitationsIMmessagesIMprovidersIMprovidersettingsInternalimagemediaInternalimagethumbmediaInternalVideosandMaps-FriendsMaps-FriendscontactsMaps-Friendsextra

MMSMmsPartsProvider(MMSParts)NotesPeoplePhonestoragedeletedbypeople(HTCIncredible)SearchhistorySMSSocialcontractsactivities

Cellebrite–UFEDCurrently,CellebriteUFEDoffersseveralproductsthatsupportdataacquisitionandanalysisofAndroiddevices.Cellebriteisapopularcommercialtoolthatprovidestheexaminerwithbothlogicalandphysicalacquisitionsupportaswellasananalyticalplatformtoexaminedata.CellebritePhysicalAnalyzer,theanalyticalplatform,allowstheexaminertokeywordsearch,bookmark,carvedata,andcreatecustomizedreportstosupporttheirinvestigation.

Physicalextraction

ThefollowingstepsneedtobefollowedtoextractinformationfromaSamsungAndroiddeviceusingUFEDTouch.Beforetheextractionprocessstarts,makesurethatthephoneisfullycharged.

1. IntheUFEDTouchmenu,selectPhysicalExtraction,asshowninthefollowingscreenshot:

TheUFEDTouchmainmenu

2. Inthevendorlist,selectthenameofthedevicemanufacturerasshowninthefollowingscreenshot(forexample,Samsung):

TheUFEDtouch—vendorlistscreen

3. Inthemodelmenu,selectthemodelofthedevice.SelectPhysicalExtraction.

4. Selectthelocationwhereyouwanttosavetheextraction—removabledriveortheforensicworkstation.

5. FollowtheinstructionsexactlyaslistedonUFEDTouch.Makesureyouusetheexactcable,andremovethebatterywhenprompted.

6. Thephonewillenterdownloadmodeanddisplayalogo.Next,connectthephonetoUFEDTouchandpresscontinue.

7. Connecttheexternaldrive(tosavetheextracteddata)tothetargetportofUFEDTouch.

8. ThiswillpromptUFEDTouchtoautomaticallymovetotheextractionscreen.Atthisstage,youmightbepromptedtoperformsomeofthephoneconnectionsteps.Dosoifprompted.

9. Oncetheprocessiscomplete,theextracteddatacanbeviewedandanalyzedusingtheUFEDPhysicalAnalyzerapplicationasshowninthefollowingscreenshot:

TheUFEDPhysicalAnalyzerapplication

MOBILeditAsperthevendor,theMOBILeditforensictoolcanbeusedtoview,search,orretrievedatafromaphone,includingcallhistory,phonebook,textmessages,multimediamessages,files,calendars,notes,reminders,andapplicationdatasuchasSkype,Dropbox,Evernote,andmore.ItwillalsoretrievephoneinformationsuchasIMEI,operatingsystems,firmwareincludingSIMdetails(IMSI),ICCID,andlocationareainformation.Dependingonthecircumstances,MOBILeditisalsoabletoretrievedeleteddatafromphonesandbypassthepasscode,PIN,andphonebackupencryption.Thesetupfilecanbedownloadedfromwww.mobiledit.comandcanbeinstalledeasily.Onceinstalled,performthefollowingstepstoextractinformationfromanAndroidphoneusingtheMOBILeditsoftware:

1. EnsurethatUSBdebuggingisenabledonthedeviceandconnecttheAndroiddevicetotheforensicworkstationusingaUSBcable.MOBILeditattemptstodetectthedevice,andtoinstalltheConnectorapponthedevice,asshowninthefollowingscreenshot:

TheMOBILeditconnectionwizard

2. MOBILeditthenpresentsyouwithoptionstobackupcertaindata.Oncethisisdone,thetooldisplaysstatisticsandtheapplicationdatathatcanbeusedforanalysis,asshowninthefollowingscreenshot:

TheMOBILedittoolresults

3. UndertheNavigationtab,clickonanyitemtoviewtheresults.Forinstance,clickonthePhonebooklinktoviewallthecontactsstoredwithinthephonebookincludingphonenumbers,e-mailaddresses,andmore.Similarly,youcanviewtheinformationaboutcalllogsbyclickingontheCallLogsoption,asshowninthefollowingscreenshot:

TheMOBILedittool—Calllogsoption

MMS,calendar,filesontheSDcard,andmore,canbeviewedbynavigatingthroughtheavailableoptions.

AutopsyShouldmanualexaminationorfilecarvingberequired,itisbesttouseaforensictoolthatprovidesaccesstotherawfilesontheAndroiddevice.Autopsy,theGUI-basedupontheSleuthKit,runsonaWindowsforensicworkstationandcanbedownloadedfromhttp://www.sleuthkit.org/autopsy/.AutopsycurrentlyprovidesanalyticalsupportforAndroiddevices.BothopensourceandLawEnforcementmodulesareavailableforAutopsy.ThesemodulesprovideadditionalfilecarvingandparsingsupportforapplicationsandfilesfoundonAndroiddevicesandSDcards.Forexample,theopenmobileforensicsmoduleprovidesmobiledeviceparsingcapabilitiestopulloutartifactssuchascalls,SMS,chats,pictures,andmore.

AnalyzinganAndroidinAutopsy

Inthisexample,wewillbeusingaphysicalimageoftheSamsungGalaxySIII.ThisdevicewasphysicallyextractedusingCellebriteUFEDTouch.ThefollowingstepsshouldbeperformedtocorrectlymountanAndroidimageandtostartyourexamination:

1. DownloadandinstallthecurrentversionofAutopsyfromwww.thesleuthkit.org.

2. LaunchAutopsyandselecttheoptiontocreateanewcaseasshowninthefollowingscreenshot:

TheAutopsytoolscreen

3. FilloutthecaseinformationandclickonFinish.4. SelectImageFileandnavigatetothephysicalimageoftheAndroiddevice

asshowninthefollowingscreenshot.IfmorethanoneimagefileisprovidedfortheAndroid,simplyselectthefirstone.

Autopsyimageloading

5. SelecttheingestmodulesyouwishtorunagainsttheAndroiddevice.Themoduleselectionsareshowninthefollowingscreenshot.NotethatLawEnforcementmodulesarenotlistedandareprovidedonlytothoseworkinginLawEnforcementandtheFederalGovernment.Thefollowingscreenshotshowstheingestmodules:

Autopsyingestmodules

6. SelectNextandFinish,andAutopsywillbegintoparseandloadtheAndroidimagefile.Unlikeotherforensictools,Autopsyprovidesresultsasquicklyastheyarerecoveredtosavethepreprocessingtimeandallowtheexaminerdirectaccesstothedatainvolvedintheirinvestigation.Theresultsappearasshowninthefollowingscreenshot:

Autopsyresults

SummaryReverseengineeringAndroidappsistheprocessofretrievingsourcecodefromanAPKfile.Byusingcertaintoolssuchasdex2jar,Androidappscanbereverseengineeredinordertounderstandthefunctionalityoftheappanddatastorage,definemalware,andmore.Forensictools,suchasAFLogical,Cellebrite,MOBILedit,andAutopsy,arejustafewofthetoolsthatarehelpfultoanexaminer.Theynotonlysavetimebutalsoeffort.Astep-by-stepexplanationofusingthesewascoveredinthischapter.UnlikeAndroiddevices,datastoredonWindowsMobiledevicesisdifficulttoextractandanalyze.ThenextchapterprovidesaglanceatperformingforensicsonWindowsMobiledevices.

Chapter12.WindowsPhoneForensicsWindowsmobiledevicesarebecomingmorewidelyusedandmaybeencounteredduringforensicinvestigations.LocatingandinterpretingdigitalevidencepresentonthesedevicesrequiresspecializedknowledgeoftheWindowsPhoneoperatingsystemandmaynotalwaysbepossible.CommercialforensicandopensourcetoolsprovidelimitedsupportforacquiringuserdatafromWindowsdevices.AsWindowsmobiledevicesarerelativelynew,mostforensicpractitionersareunfamiliarwiththedataformats,embeddeddatabasesused,andsoon.ThischapterprovidesanoverviewofWindowsPhoneforensics,describingvariousmethodsofacquiringandexaminingdataonWindowsmobiledevices.

WindowsPhoneOSWindowsPhoneisaproprietarymobileoperatingsystemdevelopedbyMicrosoft.ItwaslaunchedasasuccessortoWindowsMobile,butdoesnotprovidebackwardcompatibilitywiththeearlierplatform.WindowsPhonewasfirstlaunchedinOctober2010withWindowsPhone7.TheversionhistoryoftheWindowsPhoneoperatingsystemthencontinuedwiththereleaseofWindowsPhone7.5,WindowsPhone7.8,andWindowsPhone8.Althoughthemarketshareofthisoperatingsystemislimited,thereiscertainlyacaseforoptimismbasedonthefollowingtworeasons:

ThecomputeroperatingsystemmarketisstillheavilydominatedbyWindows.ThisgivesWindowsPhoneOSgreaterflexibilitytoprovideuserswithacomputerenvironmentwithwhichtheyarefamiliar.Microsoft'sdecisiontoacquireNokiacouldbeasignificantfactorinimprovingitsmarketshareofmobileoperatingsystems.

ThefollowingsectionswilldescribemoreaboutWindowsPhone7,itsfeatures,andtheunderlyingsecuritymodel.WebelievethedataisstoredsimilarlyonWindowsPhone8,sothemethodsdefinedinthefollowingsectionsshouldworkonbothoperatingsystems.

UnlikeAndroidandiOS,WindowsPhonecomeswithanewinterface,whichusesso-calledtilesforappsinsteadoficons,asshowninthefollowingfigure.Thesetilescanbedesignedandupdatedbytheuser.Similartoothermobileplatforms,WindowsPhoneallowsfortheinstallationofthird-partyapps.TheappscanbedownloadedfromWindowsPhoneMarketplace,whichismanagedbyMicrosoft.

TheWindowsPhonehomescreen

Securitymodel

ThesecuritymodelofWindowsPhoneisdesignedtomakesurethattheuserdatapresentonthedeviceissafeandsecure.ThefollowingsectionsareabriefexplanationoftheconceptsonwhichWindowsPhonesecurityisbuilt.

Windowschambers

TheWindowsPhoneOS7.0isheavilybuiltontheprinciplesofleastprivilegeandisolation.Toachievethis,WindowsPhoneintroducedtheconceptofchambers.Eachchamberhasanisolationboundarywithinwhichaprocesscanrun.Dependingonthesecuritypolicyofaspecificchamber,aprocessrunninginthatchamberhastheprivilegetoaccesstheOSresourcesandcapabilities(https://www.msec.be/mobcom/ws2013/presentations/david_hernie.pdf).Therearefourtypesofsecuritychambers.Thefollowingisabriefdescriptionofeachoneofthem:

TrustedComputingBase(TCB):ProcessesherehaveunrestrictedaccesstomostoftheWindowsPhone7resources.Thischamberhastheprivilegetomodifypoliciesandenforcethesecuritymodel.Thekernelrunsinthischamber.ElevatedRightsChamber(ERC):ThischamberislessprivilegedthantheTCBchamber.Ithastheprivilegestoaccessallresourcesexceptthesecuritypolicy.Thischamberismainlyusedforservicesanduser-modedrivers,whichprovidefunctionalityintendedforusebyotherapplicationsonthephone.StandardRightsChamber(SRC):Thisisthedefaultchamberforpreinstalledapplications,suchasMicrosoftOutlookMobile2010.LeastPrivilegedChamber(LPC):ThisisthedefaultchamberforalltheapplicationsthataredownloadedandinstalledthroughtheMarketplaceHub(alsoknownastheWindowsPhoneMarketplace).

Capability-basedmodel

Capabilitiesaredefinedastheresourcesonthephone(camera,locationinformation,microphone,andmore),whichareassociatedwithsecurity,privacy,andcost.TheLPChasaminimalsetofaccessrightsbydefault.However,thiscanbeexpandedbyrequestingmorecapabilitiesduringtheinstallation.Capabilitiesaregrantedduringtheappinstallationandcannotbemodifiedorelevatedduringruntime.

ToinstallanapponaWindowsphone,youneedtosignintoMarketplacewithaWindowsLiveID.Duringinstallation,appsarerequiredtoasktheuserforpermissionbeforeusingcertaincapabilities,anexampleofwhichisshowninthefollowingscreenshot:

Windowsapprequestinguserpermissions

ThisissimilartothepermissionmodelinAndroid.Thisgivestheuserthefreedomtolearnaboutallthecapabilitiesthatanapplicationhasbeforeinstallingtheapplication.ThelistofallcapabilitiesisincludedintheapplicationmanifestfileWMAppManifest.xml,whichcanbeaccessedthroughvisualstudioorothermethodsdefinedathttp://developer.nokia.com/community/wiki/How_to_access_Application_Manifest_%28WMAppManifest.xml%29_file_at_runtime

Appsandboxing

AppsinWindowsPhoneruninasandboxedenvironment.ThismeanseveryapplicationonWindowsPhone7runsinitsownchamber.Applicationsareisolatedfromeachotherandcannotaccessthedataofotherapplications.Ifanyappneedstosaveinformationtothedevice,itcandosousingtheisolatedstorage,whichisrestrictedfromaccessbyotherapplications.Also,thethird-partyapplicationsinstalledonWindowsPhonecannotruninthebackground,thatis,whentheuserswitchestoadifferentapplication,thepreviouslyusedapplicationisshutdown(althoughtheapplicationstateispreserved).ThisensuresthattheapplicationcannotperformactivitiessuchascommunicatingovertheInternetwhentheuserisnotusingtheapplication.TheserestrictionsalsomaketheWindowsPhonelesssusceptibletomalware.

WindowsPhonefilesystemTheWindowsPhone7filesystemismoreorlesssimilartothefilesystemsusedinWindowsXP,WindowsVista,orWindows7.Fromtherootdirectory,onecanreachdifferentfilesandfoldersavailableonthedevice.Fromaforensicperspective,thefollowingaresomeofthefoldersthatcanyieldvaluabledata.Allthementioneddirectoriesarelocatedintherootdirectory.

ApplicationData:ThisdirectorycontainsdataofpreinstalledappsonthephonesuchasOutlook,Maps,andInternetExplorer.Applications:Thisdirectorycontainstheappsinstalledbytheuser.Theisolatedstorage,whichisallocatedorusedbyeachapp,isalsolocatedinthisfolder.MyDocuments:ThisdirectoryholdsdifferentOfficedocumentssuchasWord,Excel,orPowerPoint.Thedirectoryalsoincludesconfigurationfilesandmultimediafiles,suchasmusicorvideos.Windows:ThisdirectorycontainsfilesrelatedtotheWindowsPhone7operatingsystem.

WindowsPhonealsomaintainsWindowsregistry,adatabasethatstoresenvironmentvariablesontheoperatingsystem.TheWindowsregistryisbasicallyadirectorythatstoressettingsandoptionsfortheMicrosoftoperatingsystem.

DataacquisitionAcquiringdatafromaWindowsPhoneischallengingforforensicexaminers,asphysicalandlogicalmethodsdefinedinpreviouschaptersarenotcommonlysupported.Oneofthemostcommontechniquesindataacquisitionistoinstallanapplicationoragentonthedevice,whichextractsasmuchdataaspossiblefromthedevice.Thiscouldresultincertainchangesonthedevicebutnevertheless,itisstillforensicallysoundiftheexaminerfollowsstandardprotocols.Theseprotocolsincludepropertestingtoensurenouserdataischanged,validationofthemethodonatestdevice,anddocumentingallstepstakenduringtheacquisitionprocess.Forthisacquisitionmethodtowork,theappneedstobeinstalledwiththeprivilegesofStandardRightsChamber.Thismayrequiretheexaminertocopythemanufacturer'sDLLs,whichhavehigherprivilegesintotheuserapp.Thisallowstheapptoaccessmethodsandresourcesthatareusuallylimitedtonativeapps.

Mostexaminersrelyonforensictoolsandmethodstoacquiremobiledevices.Again,thesepracticesarenotreadilyavailableforWindowsMobiledevices.KeepinmindthattodeployandrunanapponWindowsPhone,boththephoneandthedevelopermustberegisteredandunlockedbyMicrosoft.ThisrestrictioncanbebypassedbyunlockingthedeviceusingtoolssuchasChevronWP7.ThistoolbasicallyallowsthebypassingofMarketplaceprocedureandallowsyoutosideload(rununsignedapplicationswithouttherestrictionslisted)anunpublishedapplication.

SideloadingusingChevronWP7

Asexplainedearlier,inordertoinstalltheappthatprovidesaccesstothefilesystemofthephone,wefirstneedtounlockthedevice(similartojailbreakingoniOSdevices).ThismethodwillonlyworkonaWindowsPhonethatisnotlockedwithapasscode.ThiscanbedoneusingtheChevronWP7toolbyperformingthefollowingsteps:

1. DownloadChevronWP7.exeandChevronWP7.cerfiles.Notethatthesefilesareoftenremovedandarenotalwaysavailableonthesamesite.Onelocationthatcurrentlyhasthefilesavailablefordownloadishttp://www.4shared.com/file/HQGmwIRx/ChevronWP7.htm?locale=en.

2. InstallChevronWP7.cerontheWindowsPhone.NotethatthemethodsforinstallingChevronWP7mayrequiretechniquesnotstandardtoforensicpractices.Thus,allmethodsmustbetestedonasampleWindowsPhonetoensureuserdataisnotlostintheprocessofattemptingtoextractthedata.OnemethodforinstallingChevronWP7includessendingittoane-mailandaccessingit.Thismethodshouldbeusedasalastresortwhenallotheracquisitionmethodsfail.

3. Connectthephonetoyourcomputerandmakesurethatthedeviceisnotpasscode-locked.Ifthedeviceislockedandthepasswordisknown,enterthepasswordonlywhenpromptedbythecomputer.DonotguessthepasswordontheWindowsPhoneasmultipleincorrectguessesmaywipetheuserdata.

4. RunChevronWP7.exeandcheckboththeboxesshowninthefollowingscreenshotandclickonUnlock.Thisenablesthedeveloperunlockonthedeviceandalsoenablesyoutoinstallanythird-partyappwithoutaMarketplacedeveloperaccount.

TheChevronWP7tool

Toexecutenativecodeinauserapp,theWindows.Phone.interopServiceDLLisused.ThisDLLprovidesthemethodRegisterComDLL,whichcanimportnativemanufacturerDLLs.HencebyincludingthisDLLinauserapp,itispossibletoexecutenativecodewithintheappandgetaccesstotheentirefilesystemofthephone,includingtheisolatedstorage.

Extractingthedata

Onanunlockeddevice(again,similartoajailbrokeniOSdevice),itispossibletorunanappthatcanextracttheuserdatapresentinthephone.TheappTouchXperience,whichcomesalongwiththeWindowsMobileDeviceManager(WPDM),canbeusedforthispurpose.WindowsMobileDeviceManageristhemanagementsoftwareforWindowsPhone7.TheclientappTouchXperienceextractsdatasuchasthefilesystemfromthemobiledevice,andWPDMretrievesthisdataandconvertsitintoahumanreadablegraphicalformat.ThefollowingarethestepswhichwillhelpaforensicexaminerextractuserdatapresentonanunlockedWindowsPhonedevice:

1. DownloadWindowsPhoneSDK7.1andtheZunesoftwareontheforensicworkstationandinstallit(http://www.microsoft.com/en-us/download/details.aspx?id=27570).

2. DownloadtheWindowsPhoneDeviceManagerontheworkstation,andlaunchWPDeviceManager.exe(http://touchxperience.com/windows-phone-device-manager/).

3. Connectthedevicetotheworkstation,anditshouldbedetectedautomatically.Ifitisnotdetected,makesureapasscodeisnotsetonthedevice.Ifitis,thisprocessmayfailifthepasscodeisunknown.

4. WindowsPhoneDeviceManagerwillautomaticallyinstalltheTouchXperienceappwhenthephoneisconnectedforthefirsttime.Makesureyousetwhatthesoftwareisallowedtodoonthedevice(thatis,makesurenottochangetheuserdata,notupdatedate/timesettings,oranythingelsethatwillmodifytheuserdata).MakesuretodocumentthatTouchXperiencewasinstalledinordertoextractdatafromtheWindowsPhoneasstandardforensicmethodsprovidelittlesupportforthesedevices.

5. Thereafter,thefollowingscreenispresented,whichprovidesaccesstoavastamountoffilespresentonthedevice:

WindowsPhoneDeviceManager

Thehomescreendisplaysinformationaboutthemodelofthephone,OSversion,andmore.ClickonManageapplicationstoseetheinformationaboutinstalledappsonthedevice,asshowninthenextscreenshot.WPDMalsoprovidesotherfunctionality,suchasmediamanagement,synchronizationoffilesandfolders,andmore.Fromaforensicpointofview,theFileExploreristhemostinterestingpartofthissoftware.Itprovidesread,write,andexecutableaccesstomostofthefilespresentontheWindowsPhone7device.

Havealookatthefollowingscreenshot:

WindowsPhoneDeviceManager—TheManageApplicationsscreen

Usingthisacquisitiontechnique,youcanacquiretwotypesofdata:systemdataandapplicationdata.Systemdataismainlythedatathatisrequiredtorunthephone,andapplicationdataisthedatacreatedandusedbydifferentapplicationsinstalledonthedevice.Whilesystemdatamaynotcontaindatarelevanttoyourinvestigation,applicationdataisverymuchvaluable.Regardless,alldatashouldbeacquiredfromanysmartphoneastheexaminationmustbecompleteandcapturealldatacontainedonthedevicewhenpossible.ThefollowingsectionsdiscussthestepstobefollowedtoextractapplicationdatafromaWindowsPhonedevice.Theapplicationdatawillcontainthebulkoftheuser-createddataandwillprovidethemostvaluetoyourinvestigation.

ExtractingSMS

Alltheincomingandoutgoingshortmessages(SMSes)inWindowsPhone7arestoredinthefilenamedstore.vol,whichispresentunderthedirectory\ApplicationData\Microsoft\Outlook\Stores\DeviceStore,asshowninthenextscreenshot.However,itisnotpossibletocopythisfiledirectlybecausethisfileisalwaysinuse.Whenthefileisrenamed(saystore.vol.txtorstore.bkp),itautomaticallycreatesacopyofthefile.Oncethecopyismade,thisfilecannowbeexaminedusinganormaltexteditor.Notethatthisfilecanalsoexistinthe\APPDATA\Local\Unistoredirectory.Havealookatthefollowingscreenshot:

Thestore.volfileinWindowsPhone

Extractinge-mail

WindowsPhone7devicesuseOutlookastheirstandarde-mailclient.Thiscanbeusedtosynchronizewithvariouse-mailservicessuchasGoogle,YahooMail,andmore.AnydatathatbelongstoOutlookisstoredunderthedirectory\ApplicationData\Microsoft\Outlook\Stores\DeviceStore\data,asshowninthefollowingscreenshot:

WindowsPhone:extractinge-mail

Asshowninthenextscreenshot,therearedifferentfolderspresentthatcontaindifferentdata.Forexample,folder3containspicturesoftheuser'scontacts(e-mailreceivers).Thisfolderisbeingusedasanexample.Thisfolderwillnotbeconsistentlynamedfolder3acrossWindowsPhonedevices.Havealookatthe

followingscreenshot:

WindowsPhone:folder3

Althoughthefilesarepresentwiththe.datextension,byrenamingthemto.jpg,wecanviewthepicturesasshowninthefollowingscreenshot:

WindowsPhone:renamingdatafilestoJPGfiles

Similarly,folder4containsinformationaboute-mailmessages.ByrenamingthefilestoHTML,wecanviewthecontentofthee-mailmessages.Again,eachfoldershouldbeexaminedforrelevanceastheymaycontaine-mailmessages,attachments,contacts,andmore.

Extractingapplicationdata

TheApplicationsfoldercontainsalltheapplicationsinstalledonthephone.Eachapplicationhasitsowndirectory,whichisidentifiedwithauniqueapplicationID.InsidetheapplicationIDfolder,thereareotherimportantfolders,suchasCookies,History,IsolatedStore,andmore.MostofthecrucialinformationisusuallypresentintheIsolatedStorefolder.Forexample,asshowninthenextscreenshot,theIsolatedStorefolderinFacebookcontainsthefollowingdata:

ContentsoftheIsolatedStorefolder

Byanalyzingthesefolders,aforensicanalystcangatheralotofinformationthatcouldaidintheinvestigation.ThefollowingaresomeofthefindingsfromourFacebookappanalysisexample:

Thefileuserid.settingsshowninthefollowingscreenshotcontainstheuser'sprofilenameandalinktotheuser'sprofileandprofilepicture.AllthepicturesusedbytheFacebookapparestoredintheImagesfolderpresentinthedirectoryIsolatedStore.Toviewtheimages,changetheextensionofthefilestoJPG.TheDataCache.userIDfoldercontainsmostoftheinformationabouttheFacebookaccount.Byparsingthisfolder,informationaboutfriends,friendrequests,messages,andmorecanbeobtained.Thisisstraightforwardasallthefiles,onceextracted,canbemanuallyexaminedforrelevancetotheinvestigation.

TheDataCache.UserIDfolderoftheFacebookapp

Similarly,byexaminingtheInternetExplorerapp,aforensicexaminercangatherinformationaboutthesitesvisitedbytheuser.AllthisdatacanbefoundundertheApplicationData\Microsoft\InternetExplorerfolder.ByanalyzingtheMapsapplication,informationabouttheuserlocationandotherdetailscanbeobtained.Thecalllogscanberecoveredfrom\APPDATA\Local\UserData\Phoneonmostdevices.KeepinmindthatthelocationmayvarydependingontheOSandtheWindowsdevice.However,the

directorycontainingthedata(phone,store.vol,andsoon)remainsthesame.AgreatsourceforconductingforensicsonaWindowsPhonedevicecanbefoundathttp://cheeky4n6monkey.blogspot.com/2014/06/monkeying-around-with-windows-phone-80.html.

SummaryAcquiringdatafromWindowsPhonedevicesischallengingastheyaresecure,andascommercialforensictoolsandopensourcemethodsdonotprovideeasysolutionsforforensicexaminers.chip-off,JTAG,andthemethodsdefinedinthisbookaresomeofthemethodsthatprovideaccesstouserdataonWindowsPhonedevices.Thebiggestchallengeisgettingaccesstothedevice,acquiringthedata,andextractingtherawfilesforanalysis.Oncethedataisavailable,alltheinformationaboutSMS,e-mail,applicationdata,andmorecanbeanalyzedbytheexaminer.Again,thedevicemustnotcontainapasscode,mustbeunlocked(jailbroken/rooted),andwillbemodifiedbytheexaminerinordertoextractthedatausingthemethodsdefinedinthischapter.Whilesomemaychallengeusandsaythesemethodsarenotcommoninforensicpractices,theymustrealizethatthesemethodsmaybetheonlywaytoobtainuserdatafromWindowsPhonedevices.Inthenextchapter,wewillcoverBlackBerryforensics,which,whilechallenging,ismoresupportedbycommercialandopensourcemethods.

Chapter13.BlackBerryForensicsBlackBerrydevicescomewiththeResearchinMotion(RIM)softwareimplementationofproprietarywirelessprotocols.BlackBerrydevicesposeasignificantchallengetoforensicexaminationsduetothelackofphysicalparsingsupportanddeviceencryption.ThischapterwillcoverthevarioussecurityfeaturesthatcomewithBlackBerrydevices,theavailabletechniquestoextractdatafromadevice,andthebestmethodstoanalyzethedataextracted.

BlackBerryOSBlackBerryOSisaproprietarymobileoperatingsystemdevelopedbytheCanadiancompanyRIMusedonallBlackBerrydevicesuntilBlackBerry10,whichintroducedQNX.BlackBerryRIMisnowreferredtoasBlackBerryLimited.TheinitialBlackBerryoperatingsystemisknowntosupportspecializedfunctions,suchastrackball,trackwheel,trackpad,andmore.BlackBerryOSwasinitiallyreleasedin1999forthedevicePagerBlackBerry580.BlackBerryQNX(OS10)usesaLinuxvariantthatwasinitiallyintroducedwiththeBlackBerryPlaybookandisnowusedonBlackBerrydevices.WithQNX,BlackBerryWorldandBalancewereintroducedalongwithotherfeaturesmorecomparabletoAndroidandiPhone(http://searchitchannel.techtarget.com/feature/Introduction-to-the-BlackBerry).

ThefollowingtableprovidesinformationabouttheversionhistoryofBlackBerryOS:

Version Releaseyear

1 1999

3.6 2002

5 2008

6 2010

7 2011

7.1 2012

10 2013

10.1 2013

10.2 2013

BlackBerryOSversions

TheBlackBerryOSoffersnativesupportforcorporatemailthroughMIDP,whichallowswirelesssyncingwithMicrosoftExchange,LotusDominoande-mail,contacts,calendar,notes,andmore,whileusedalongwiththeBlackBerryEnterpriseServer.ThisOSadditionallysupportsWAP1.2.WiththeadventofAndroidandiOS,themarketshareofBlackBerryOShassteadilydecreasedovertheyears.Neverthelesstherearemorethan70millionBlackBerryusersworldwideandthesedevicesarefrequentlyencounteredduringforensicinvestigations,especiallyforinternalcorporateinvestigations.TheBlackBerryEnterpriseServer(BES)consistsofsoftwarethatfacilitatescorporatemessagingtoallowthesyncingofcorporatee-mailwiththeuser'sdevice.ABESadministratorofanITdepartmentnormallymanagesBESservices.TheBlackBerryInternetService(BIS)isaservicethatallowstheusertoconfigureupto10e-mailaccountstosynctotheBlackBerrydevice.

BlackBerryallowstheinstallationofthird-partyappsfromBlackBerryWorld,whichistheappdistributionservice.BlackBerryappsaredevelopedusingaJavaDevelopmentEnvironment(JDE)orRIM'sMobileDataSystem(MDS).IftheapplicationcanrunindependentlyofaBlackBerrysolution,suchasBISorBES,aJavaapplicationwouldservethepurpose.Iftheapplicationrequirese-mailforfunctionalityorneedssupportfromaBlackBerrydevicetohelpitoperate,MDSisusuallypreferredtodeveloptheapplication.

Securityfeatures

TherearetwotypesofBlackBerryusers—consumerswhobuyandusethedevice,andenterpriseuserswhoareprovidedwiththeBlackBerrydevicebytheiremployers.TheconsumerdevicesareusuallyconfiguredtousetheBIS,whereastheenterpriseuserdevicesareconfiguredtouseBES.InaBESenvironment,securityisusuallyenforcedbytheenterprisethroughappropriatesettingsandapplicationcontrols.

AlthoughBlackBerryusesaproprietaryoperatingsystem,itsthird-partyapplicationframeworkismostlybasedonJava.Third-partyappsthatarenotsignedhaveverylimitedaccesstothisrestrictivefunctionality.Eveninthecaseofsignedapplications,userpermissionisneededtoperformimportantactionssuchascallinganumber,accessingacontact,andmore.BlackBerryappsarewritteninJavaandthencompiledintoCODfiles.Butbeforecompilingtheapps,theyarepreverifiedforcertainsecuritychecksandaretaggedtoconfirmthatthecheckshavebeencarriedout.WhentheJavaVirtualMachine(JVM)presentonBlackBerryloadstheclass,itcancross-checkandperformitsownverificationmuchfaster.AnychangestothecodeafterthepreverificationcanbeeasilydetectedatruntimeandJVMwillpreventtheirexecution.ThismakesBlackBerryasecureplatformthatislesssusceptibletomalwarewhencomparedtoothersmartdevices.

InorderforanapplicationtogetfullaccesstoalltheAPIs,theapplicationmustbesignedbyRIM.WhenthedevelopersfirstregisterwithRIM,theyreceiveadeveloperkey.UsingthesigningtoolprovidedbyRIM,theSHA1hashoftheapplicationcanbesenttoRIM.Uponreceivingthis,RIMgeneratesasignature,whichisthensentbacktothedeveloperandaddedtotheapplication.WhenthesignedapplicationisloadedontoaBlackBerrydevice,theJVMlinkstheCODfilewiththeAPIlibrariesandchecksthattheapplicationhastherequiredsignatures.Iftherequiredsignatureisnotpresent,JVMwillrefusetolinktheapplicationtotherespectiveAPIs,andhence,theapplicationwillfailatruntime.Thisway,BlackBerryensuressecurityforthedevicethroughthecode-signingprocess.

ThesecuritystrengthofBlackBerrycanbeattributedtothegranularcontrolthatitprovidesthroughtheITpoliciespresentontheBES.Itisimportanttonotethat

manyofthesecuritycontrolsthatareenabledwithBESdevicesarenotpresentinconsumerdevicesthatuseBIS.BESdevicescomewithvarioussecurityfeatures,asfollows:

Dataprotection:AllthedatathatissentbetweentheBESandaBlackBerrydeviceisencryptedusingBlackBerrytransportlayerencryption.BeforetheBlackBerrydevicesendsamessage,itcompressesandencryptsthemessageusingthedevicetransportkey.WhentheBESreceivesamessagefromtheBlackBerrydevice,theBlackBerryDispatcherdecryptsthemessageusingthedevicetransportkeyandthendecompressesthemessage.TheBlackBerryusesAESorTripleDESasthesymmetrickeycryptographicalgorithmforencryptingdata.Bydefault,theBESusesthestrongestalgorithmthatboththeBESandBlackBerrydevicessupportfortheBlackBerrytransportlayerencryption.Moreinformationondataprotectioncanbefoundathttp://btsc.webapps.blackberry.com/btsc/viewdocument.do;jsessionid=E8567E865DBC9668D3F8740BEB9D65E6?externalId=KB13160&sliceId=1&cmd=displayKC&docType=kc&noCount=true&ViewedDocsListHelper=com.kanisa.apps.common.BaseViewedDocsListHelperImplProtectionofdataandencryptionkeysonthedevice:Ifthecontentprotectionoptionisturnedon,BlackBerrydevicescanbeconfiguredtoencryptdatastoredonthedevice.Bydefault,alockedBlackBerrydevicewascreatedtouseAES-256encryptiontoencryptstoreddataandanECCpublickeytoencryptdatathatissenttothelockedBlackBerrydevice(http://docs.blackberry.com/en/admin/deliverables/25763/Encrypting_user_data_on_a_locked_BB_device_834471_11.jspAlso,BlackBerryisdesignedtoprotecttheencryptionkeysthatarestoredonthedevice.Thedeviceencryptstheencryptionkeyswhenthedeviceislocked.Bettercontroloverthedevice:YoucanuseanITpolicytocontrolaBlackBerrydevice.TheITpolicyusuallyconsistsofmultiplepolicyrulesthatmanagethesecurityandbehavioroftheBES.Forexample,usingtheITpolicyrules,thefollowingsecurityfeaturesonaBlackBerrydevicecanbecontrolled:

EncryptionofdatatransmittedbetweentheBlackBerryserverandthedeviceConnectionsthatuseBluetoothwirelesstechnologyProtectionofuserdatastoredontheBlackBerrydeviceControlofprotecteddeviceresources,suchasthecameraorGPS,thatareavailabletothird-partyapplications

Inadditiontoallthis,theBESadministratorcanalsoresetuserpasswords

Inadditiontoallthis,theBESadministratorcanalsoresetuserpasswordsfortheBlackBerrydeviceandinitializearemotewipe,whichmustbeconsideredduringforensicinvestigations.

BlackBerrysecurityisahugehurdleforforensicexaminers.WhileaBESadministratorcanbeusedtoresetadevicepassword,whichmayallowanexaminertoaccessthedevice,theycanalsoremotelywipethedevice.Thus,followingstepssimilartothoseforAndroidandiOS,theexaminermustplacethedeviceinairplanemodeanddisableallremoteconnectionstothedevice.ABlackBerrywipeinitiatedviatheBEScanexistforanextendedperiodoftime.ThismeansthatevenifthebatteryisremovedfromthedeviceandtheBlackBerryboots,thewipecouldimmediatelybesenttoaconnectedBlackBerry.WhileAndroidandiOSprovedtobeeasiertoaccesswhenlocked,alockedBlackBerrydeviceismoredifficult.ThelevelofprotectiononthesedevicesmayrendertheextracteddataencryptedevenafteraJTAGorchip-offextraction.Physicalsupport,toincludebothacquisitionandanalysis,islimitedforBlackBerrydevices.Asdescribedinthefollowingsections,mostofthedataisobtainedbysimplyobtainingabackupofthedevice.

DataacquisitionWhilethesalesofBlackBerrydevicesisonthedecline,theyarestillencounteredduringforensicinvestigations.CommercialforensictoolsprovidelimitedsupportforBlackBerrydevicesincomparisontoothersmartphones.Evenworse,opensourcemethodsarenotavailablefordataacquisitionofBlackBerrydevices.Henceitisimportantfortheexaminerstounderstandallpossiblemethodsofdataextractionavailableforthesedevices.ThefollowingsectionsdiscussthevariousstepsinvolvedinacquiringdatafromaBlackBerrydevice.

Standardacquisitionmethods

StandardforensicacquisitionmethodscanbeappliedtoBlackBerrydevices.However,encryptedandlockeddevicesmaynotbepossibletoacquire,anditwillbeevenmoredifficult(ifnotimpossible)toanalyzewhetherthepasswordorencryptionkeysarepresent.Thelevelofacquisitionsupportavailabledependsontheforensickit,thedevicemodel,andthesecuritylevelcurrentlybeingusedontheBlackBerrydevice.Asexplainedinpreviouschapters,logicalandphysical(toincludefilesystem)acquisitionmethodsarepossibleonBlackBerrydevices.TheCellebriteUFEDTouchprovidesthegreatestlevelofphysicalacquisitionsupportforBlackBerrydevices(atthetimeofwritingthis).ThefollowingtwoimagesshowthedifferentsupportprovidedbytheCellebriteUFEDTouchontwodifferentmodelsofBlackBerry.

Notethatonemodelhasfullacquisitionsupportwhiletheotheronlyofferslogicalacquisition.

TheBlackBerryZ10supportinCellebriteUFEDTouch

ThefollowingimageshowsthattheBlackBerryZ10devicecanonlybelogicallyacquiredusingtheCellebriteUFEDTouch.WhenattemptingtoacquireaBlackBerry8300usingtheUFEDTouch,logical,physical,andfilesystemacquisitionsupportispossible,asshowninthefollowingimage:

TheBlackBerryCurvesupportinCellebriteUFEDTouch

Thedevicepasscodemustbeknownforphysicalacquisition.ThisisoneofthemajordifferencesbetweenBlackBerry'sphysicalacquisitionandAndroidandiOS.KeepinmindevenifaBlackBerrydeviceisphysicallyacquired,anytoolcurrentlyavailabletoforensicexaminersmaynotsupporttheanalysisportion.Thesechallengeswillbediscussedintheanalysissection.LogicalsupportforBlackBerrydevicesismorecommonandissupportedbymostcommercialforensictoolstoincludeOxygenForensics,MicrosystemationXRY,CellebriteUFEDTouch,andmore.MostBlackBerrysupportprovidedbycommercialforensictoolsappliestodevicesusingBlackBerryOS(Java-based)andnotQNX(BlackBerry10OS).

AphysicalacquisitionofaBlackBerrydevicewillcaptureacompletebinary

imageoftheBlackBerrydevice.ThismethodofacquisitionnormallyrequirestheBlackBerrytobepoweredoffandinterceptsthedatapriortothedevicebooting.Filesystemacquisitionsmaybepossibleusingcommercialtoolsifthedevicepasscodeisknown.ThismethodofacquisitionnormallycapturesdatafromthedeviceandtheSDcard.Asmentioned,evenifaphysicalorfilesystemacquisitionissupportedandsuccessful,theexaminershouldalwaysobtainalogicalacquisitiontoavoidsituationswherephysicaldataparsingisnotsupportedbytheforensicanalysistool.OneofthebiggesterrorsinBlackBerryforensicsoccurswhenanexaminerobtainsonlyaphysicalimage,returnsthedevicetotheuser/suspect,andthenrealizesthedataisencryptedorcannotbeparsedbytheiranalyticaltool.Makesureyoudonotfindyourselfinthispositionbytakingthetimetoacquirethedeviceusingallpossiblemethods.Thefollowingscreenshotshowssecuritypromptsthattheexaminermayencounterduringtheacquisitionand/oranalysisofaBlackBerrydevice:

Theencryptedbackupfilepasswordprompt

TheprecedingscreenshotshowsthepromptfortheusertoenterthepasswordfortheencryptedbackupfilewhenattemptingtoopentheimageinCellebritePhysicalAnalyzer.Allforensictoolsthatattempttoparsetheimageorbackupfileforanalysiswillrequirethepassword.Withoutthepassword,theexaminercannotaccesstheimage.

ThefollowingscreenshotshowstheprompttoopentheimagefileinOxygenForensicsSuite.

ForensicsSuite.

TheencryptedbackupfilepasswordpromptinOxygenForensicsSuite

CreatingaBlackBerrybackup

WithBlackBerrydevices,asignificantamountofdatacanbeextractedusingtheBlackBerryDesktopManager(BDM)orBlackBerryLink(BlackBerry10devices),whichcanbedownloadedforfree.ThismethodofacquiringdatafromaBlackBerrydevicesometimesprovestoobtainandprovidedataforexaminerstoanalyze.Again,thepasscodemustbeknownfortheexaminertocreateabackupofaBlackBerrydevice.Acquiringthislogicalbackupisrecommendedbecauseitcanprovideaformofvalidationforthedataacquiredthroughforensictools.ThebackupfileexistsasaBBBorIPDfileandcontainsdifferenttypesofdatastoredontheBlackBerrydevice,includingcalllogs,calendaritems,contacts,pictures,e-mail,andmore.

ABlackBerryBackup(BBB)fileiscreatedwhenBDMv7.0andlaterversionsoraMaccomputerisusedtocreatethebackupfile.TheBBBfilewilleitherbeaZIPcontainercomprisedofanIPDfileorDATfiles,dependingonthemethodtocreatethebackupfile.ABBBfilethatcontainsanIPDfilehasthesamefileheaderasaZIPfile.InHex,thisfileheaderis0x504B.AnInter@ctivePagerBackup(IPD)iscreatedwhenBDMv6.0orearlierisusedtocreatethebackupfile.CommercialforensictoolsmayalsocreateBlackBerrybackupfilesandusetheIPDformat.ShafikPunjamaintainsablog,highlydedicatedtohisworkonBlackBerry,thatprovidesadeeperlookintoBlackBerrybackupfiles(http://qubytelogic.blogspot.com/).

Itisimportanttonoteherethat,bydefault,theBDMisconfiguredtosynchronizesomedatabetweenthedeviceandthecomputer.Hence,itisimportanttodisablethisfeatureinordertopreventanychangesofdataonthedevice.Inaforensicprocess,evenaminorchange,suchasalteringthetimezonesonadevice,wouldmakeitdifficultforaninvestigatortoanalyzewhenspecificeventsexactlyoccurredandwillbeevenmoredifficulttodefendincourt.HenceitisnecessarytodisablethesynchronizationprocessintheBDMbydisablingtheoptionsasshowninthefollowingscreenshot.TheoptionUpdatedevicedataandtimeisselectedbydefault,soitisnecessarytoexplicitlydeselectthisoption.Itistheexaminer'sjobtoensurethattotalcontrolismaintainedduringtheentireforensicprocess.Thismeansthattheforensicworkstationissterileandfreeofolddataandthatthetoolsarenotsettoautomaticallyread/writedatatoandfromtheBlackBerrydevice.IftheBDM

requiresthedevicebeconnectedinordertoselecttheoptions,itiswisetoattemptthesettingswithatestBlackBerrydeviceofthesamemodelasyourevidence.

BlackBerryDesktopManager

Thefollowingisthestep-by-stepproceduretocreateabackupoftheBlackBerrydeviceusingBlackBerryDesktopManager:

1. Ontheforensicworkstation,installBlackBerryDesktopSoftware.CertainversionsofBDMmayberequiredtoconnectwitholderBlackBerrydevices.

Note

Downloadlink:http://in.BlackBerry.com/software/desktop.html

2. ConnecttheBlackBerrydevicetotheworkstationandobservethatthedeviceisdetected.

3. ClickonBackupunderDevice,asshowninthefollowingscreenshot:

4. SelectBackuptypeasFull(alldevicedataandsettings)toperformafullbackup,asshowninthefollowingscreenshot:

FullbackupoptioninBlackBerry

5. Asshownintheprecedingscreenshot,theFilenameandlocationtosavethebackupfilemustbeselected.Youarerecommendedtonamethefileaccordinglytoreflectthenamingconventionimplementedbyyourorganizationortosimplyusethedevicenameandserialnumber.Thiswillensurethatthebackupfilecaneasilybeassociatedbacktotheoriginaldevice.Oncethisiscomplete,clickonBackup.

BlackBerryanalysisBlackBerrydevicesarestillusedbyemployeesofmajorcorporationsduetothegreatsecurityfeatures.eDiscoverycasesoftenrequiretheexaminertobewellversedinextractingandanalyzingdatafromcomputers,servers,andsmartphonessuchasBlackBerrydevices.CommercialtoolsareavailablefortheanalysisofBlackBerrydevices.Themethodofacquisitionwilldeterminetheamountofanalysispossiblebytheexaminer.Forexample,aphysicalacquisitionmayhavebeenobtained,buttheforensictooldoesnotautomaticallyparsethedataintheimagefile.Thisrequirestheexaminertomanuallycarveandreconstructthedata.BlackBerrydevicesareoneofthemostcomplicatedsmartphonestounderstandandconsistentlyreconstructbymanualexamination.TheprevioussectionprovidedsomestepstosuccessfullyextractingdatafromBlackBerrydevices.Theacquisitionstepsshouldbefollowedtoensurethatdataisnotmissed.MultipleacquisitionsmayberequiredinordertoextractandrecovertheuserdatafromaBlackBerrydevice.ThemethodologiesandforensictoolsrequiredtoanalyzedatafromBlackBerrybackupfilesandforensicimagesdiffer,andtheyaredefinedinthefollowingsections.

BlackBerrybackupanalysis

BlackBerrybackupfilescanbefoundnativelyonharddrivesorotherexternalmediaduringaforensicinvestigationormayexistastheforensicimagecreatedbytheexaminerinordertocompletetheirforensicinvestigation.Sometimes,thebackupfilecontainsmoreusabledatathanaphysicalimage.Again,italldependsonthedevicemodel,themethodofacquisitionandtheforensictoolusedforanalysis.Aspreviouslymentioned,BlackBerrybackupfilesexistasIPDandBBBfilesandarecreatedbytheBDMortheBlackBerryLinksoftware.Whencreatedbyauser,theBlackBerrybackupfilesarecommonlystoredintheMyDocumentsfolderonaWindowsplatform.Thebackupfilecontainsvariousdatabases(tables)presentontheBlackBerrydevice.ItisnamedbydefaultintheformatBackup(yyyy-mm-dd).ipd.

BestpracticessuggestsearchingforIPDandBBBfilesacrossdigitalmediasuspectedofcontainingBlackBerrybackupfilessincetheusercanmodifythefilenameofthebackup.IftheBlackBerrybackupfilewasrecoveredfromaharddriveorotherdigitalmedia,thefollowingtwoformatsmayexist:

Loaderbackup(yyyy-mm-dd).ipd

AutoBackup((yyyy-mm-dd).ipd

TheLoaderbackupfileiscreatedautomaticallywhenthedeviceOSisbeingupdated.Thisensuresthatrequireddataisreadilyavailableshouldthedevicecrashduringtheupgrade.TheAutobackupfileiscreatedwhentheuserelectstohavethedevicesettobackuponaregularorscheduledbasisorwhenthedeviceissyncedwithaPC.

AfullbackupofaBlackBerrydeviceshouldcontaindetailssuchasaddressbook,e-mail,SMS,calllogs,andmore.However,thebackupfilemaynotcontainalltheapplicationdatabecausethethird-partyapplicationsmaynotalwaysprovideaccesstotheirdata.Abackupfilecontainsthefollowinginformation:

Fileheader:TheheadercontainsinformationabouttheRIMsignature,databaseversion,numberofdatabasesinthecurrentfile,andsoon,asshowninthefollowingtable:

Name Length(inbytes) Offset

RIMsignature 37 0x0

Linebreak 1 0x25

Databaseversion 1 0x26

Numberofdatabases 2 0x27~0x28

Databaseseparator 1 0x29

Databasenameblocks:Thesearepresentaftertheheaderinformation.Ineachblock,thenamelengthandnamearestored.Databaserecords:Thesearepresentafterdatabasenameblocksandcontainrealdata.TheycontaininformationaboutdatabaseID,recordlength,databaseversion,databaserecordhandle,databaseuniqueID,andsoon.Databaserecordfields:Thesecontainrecorddatalength,recordtype,andrecorddata.

OnceyouhaveaccesstotheBlackBerrybackupfile,useanyoftheavailabletoolsdiscussedintheForensictoolsforBlackBerryanalysissectiontoreadtheinformationpresentinthefile.

BlackBerryforensicimageanalysis

ThemethodofobtainingtheforensicimageofaBlackBerrydevice,whetherlogical,physical,orfilesystem,maylimitthetoolsavailabletoanalyzethedata.Forexample,arawimagecreatedusingJTAGorchip-offshouldbeingestibleandparsedbyanyforensictoolthatprovidesphysicalanalysissupportforthatmodelofBlackBerry,aslongasthedevicewasunlockedorthepasscodeisknown.Itisbesttousemorethanonetoolduringyourforensicanalysistoverifytheresultsoftheforensicimage.

BlackBerryfilesystemsaredifficulttoreconstructduetotheproprietaryformatdevelopedbyRIM.Unlikeothersmartphonedevices,BlackBerryfilesystemsvarygreatlypermodel.Commercialtoolswillattempttoreconstructthefilesystems,butthesupportislowandmaynotbeaccurate.Itisbesttovalidateyourfindingsusinglogical,filesystem,orbackupfileacquisitionandanalysistoensureyourfindingsarecorrect.

OnceanexaminergainsexperienceanalyzingBlackBerrydevices,thefilesofinterestbecomemoreapparentregardlessoftheimageformat.Aphysicaldumpandbackupfilemayactuallycontainthesameamountofdatareadilyavailabletotheexaminer.Thetoolofchoicetoexaminethedatawilldeterminetheamountofaccessyouhavetothatfile.Asexplainedinpreviouschapters,deleteddatacanresideindatabasefilesjustasAndroidandiOS,BlackBerrydatabases/tablesmaycontaindeleteddata.IfyourforensictooldoesnotprovideaccesstothenativefileforexportorforexaminationinHex,youwillmissthisdeleteddata.

ThefollowingscreenshotshowsthefilesystemrepresentationofaBlackBerrybackupfileinCellebritePhysicalAnalyzer.NoticethattheAddressBookisbeingexaminedinrawhex.Thismethodofanalysisispreferredtovalidateyourlogicalresultsorthedataprovidedinthetoolreport.

CellebritePhysicalAnalyzer—AddressBookexamination

BlackBerrydata,storedindatabases/tables,isoftenproprietary,whichcausesdifficultieswhenattemptingtointerpretdatausingthetoolandmanuallybytheexaminer.Whencomparedtoothersmartphonedevices,theredoesn'tappeartobeaclearstandardfordataonBlackBerrydevices.Forexample,statusflagsassociatedwiththee-mailapphavebeenfoundtobeinconsistentamongdifferentdevices.Commonly,astatusflagisconsistentwithinatableforaspecificmodel.ThishasbeenfoundtobeuntrueforBlackBerry.Forexaminers,thismakesvalidationofyourtooldifficult.BlackBerrytimestampsarecommonlyinasimpledateformat,whichiscompatiblewithJavaandissupportedtoparsebymostforensictools.

ThereareavarietyofBlackBerrytimestamptypesthataredefinedindetailat

http://www.swiftforensics.com/2012/03/blackberry-date-formats.html.WhenexaminingSMSmessages,theexaminershouldusemorethanonetooltoensurethedataisparsedproperly.Currently,thereisnostandardforhowSMSmessagesarestoredonBlackBerrydevices.TheSMSmessagesmaybeencrypted,compressed,orexistasaproprietary7-bitformat.SeveralfactorsweighontheformattostoretheSMSmessagecontent,includingdevicesecuritysettings,devicemodel,administratorsettings,andmore.

Unlikeothersmartphones,third-partyapplicationdatacannotbestoredinternallyontheBlackBerrydevicememoryiftheapplicationusesSQLitedatabasestorage,whichapplicationscommonlydo.Allthird-partyapplicationdatawillresideontheSDcard(oreMMC)associatedtotheBlackBerrydeviceinanapplicationfolder.MoreinformationonusingSQLiteonBlackBerrydevicescanbefoundathttp://blog.softartisans.com/2011/03/29/using-sqlite-in-blackberry-applications/.Thesefoldersanddatabasefilesmustbeexaminedforrelevancetotheinvestigation,asdefinedinpreviouschapters.DuetotheunknownnatureofRIMandtheproprietarymethodstostoreuserdata,itisrecommendedthattheexaminerexamineanydatabase/tablerecoveredfromtheBlackBerrydevicethatmaybeofinteresttotheinvestigation.Manualexaminationistime-consuming,butitwillensurethatdataisnotoverlooked.

EncryptedBlackBerrybackupfiles

Duringyourforensicexaminations,itislikelythatanencryptedBlackBerrybackupfilewillrequireanalysis.ElcomsoftdevelopedthePhonePasswordBreaker,whichallowstheexaminertousevariousbruteforceanddictionaryattackstocrackencryptedbackupfiles.

Thefollowingisthestep-by-stepproceduretocrackanencryptedBlackBerrybackupfileusingElcomsoftPhonePasswordBreaker:

1. Ontheforensicworkstation,installElcomsoftPhonePasswordBreaker.Thefullanddemoversioncanbefoundathttp://www.elcomsoft.com/eppb.html.

ElcomsoftPhonePasswordBreaker

2. Navigatetothebackupfile.3. Selecttheattackmethod.Severaloptionsareavailableanddictionariescan

beaddedtoincreasethesuccessrateoftheattack,asshowninthefollowingscreenshot:

TheElcomsoftPhonePasswordBreakerattackoptions

4. Ifcracked,thepasswordwillbedisplayedandcanbeusedtoaccesstheencryptedbackupfilewiththeuseofaforensictool.Itisimportanttouseaforensictoolthatwillpromptyouforthepassword.Somewillsimplyfailorfinishwitherrorsandprovidenoaccesstotheencrypteddata,asshowninthefollowingscreenshot:

ElcomsoftPhonePasswordBreaker

ForensictoolsforBlackBerryanalysis

SeveralforensictoolsareavailabletoparsedatafromBlackBerrybackupfilesandforensicimagesofBlackBerrydevices.Thebesttoolsshouldprovideaccesstotherawdatabasefilestoensurethatdatanotsupportedbytheforensictoolcouldbemanuallyparsedbytheexaminerandtoavoiddeleteddatanotbeingrecovered.KnowingwheretofindthedataondevicestakespracticeandtheexaminershouldbetrainedonexaminingdatafromBlackBerrydevices.

SomeforensictoolsavailableincludeCellebritePhysicalAnalyzer,OxygenForensicsSuite,MicrosystemationXRY,AccessDataMPE+,andseveralothers.SometoolsarespecificallydesignedtoanalyzeBlackBerrybackupfiles.CommontoolsthatprovidesupportforbackupfilesincludeOxygenForensicsIPDViewer,ElcomsoftBlackBerryBackupExplorer,andBlackBerryBackupExtractor.BulkExtractor,createdbyDr.SimsonGarfinkle,isafreetoolthatcanparsedatafromrawBlackBerryimagefiles(physicaldumps)evenifthepasswordisunknown.

BulkExtractorscanstheimagefileandpullsusefulinformation(calls,URLs,e-mailaddresses,andmore)withoutparsingthefilesystemandprovidestheresultstotheexaminer.BulkExtractorcanbedownloadedfromhttp://digitalcorpora.org/downloads/bulk_extractor/.AnexampleofaBulkExtractoroutputfortelephonenumbersisshowninthefollowingscreenshot:

TelephonenumbersparsedbyBulkExtractor

Thefollowingisastep-by-stepproceduretoviewtheinformationpresentinanIPDfileusingBlackBerryBackupExtractor.Thistoolprovidesaccesstothenativefilesforfurtherexamination.AtoolsuchasBlackBerryBackupExtractormaybehelpfulwhenyourcommercialforensictooldoesnotprovideaccesstotheactualfilesrecoveredfromtheBlackBerrybackupfile.

1. DownloadandinstallBlackBerryBackupExtractorontheforensicworkstation(http://www.blackberryconverter.com/).

2. ClickontheOpenbackup…buttontoloadtheIPDbackupfileintothesoftwareasshowninthefollowingscreenshot:

BlackBerryBackupExtractor

3. Selectthefolderwherethedatawillbesavedandextracted.Whentheprocessbegins,thetoolsdisplayinformationaboutthenumberofdatabasescurrentlybeingextracted.

4. Oncetheextractioniscomplete,youwillfindinformationaboutsente-mails,receivede-mails,contacts,SMS,calendarappointments,andmore,asshowninthefollowingscreenshot:

E-mailextractedfrombackup

Thecontacts,calllogs,andotherdataextractedbythetoolcanbenavigatedtoandexaminedforrelevanceasshowninthefollowingscreenshot.Again,BlackBerryBackupExtractordoesnotprovideananalyticalplatformtoviewalloftheextracteddatainanormalizedmanner;therefore,manualreviewoftheresultsisrequired.

Contactsextractedfrombackup

Otherinformationthatcanbecrucialduringinvestigations,suchasbrowserURLs,browserdatacache,andsoon,arealsoextractedasshowninthefollowingscreenshot:

Otherusefuldataextractedfromthebackup

TheBlackBerrybackupfilecontainsa2-bytehexadecimalvaluethat,whenconvertedtodecimal,revealsthenumberofdatabasefilescontainedwithinthatbackupfile.ThetwobytesofinterestarethethirdandfourthbytesfollowingthefileheaderoftheIPDbackupfile.Asshowninthefollowingscreenshot,theIPDfileisbeingexaminedinaHexviewertodeterminethenumberofdatabasefilescontainedwithintheIPDfile.Thethirdandfourthbytes(006D)aregoingtobeconvertedfordatabaseverificationpurposes.Inthefollowingscreenshot,Hex6Disconvertedtodecimal,whichis109.Therefore,thereare109databasescontainedwithinthisIPDfile.Itisimportantfortheforensictooltodisplay109databases/tablesfortheexaminertoanalyze.

TheHexviewofIPDfile

Someforensictoolswillconvertthisnumberforyou,whichistruewithOxygenForensicsIPDViewer,asshowninthenextscreenshot.OxygenForensicsSuiteisoneofthemostpowerfulcommercialforensictoolstoparsedatafromBlackBerrybackupfiles.ThissuiteoftoolsoffersbothabackupfileparseraswellasanIPDViewer.Someforensictoolsomitemptydatabases,providepartialsupportforbackupfiles,orrequiretheexaminertomanuallyconvertandverifythenumberoftables.Toverifythenumberofdatabases/tablesinaBlackBerrybackupfile,ElcomsoftIPDViewercanbeusedbyperformingthefollowingsteps:

1. InstallOxygenForensicsSuite(licenserequired)onyourforensicworkstation.

2. SelectBlackBerryIPDViewerandnavigatetothebackupfile.Havealookatthefollowingscreenshot:

OxygenForensicsSuiteBlackBerryIPDViewer

3. Ifencrypted,enterthepassword.Ifyoudonotknowthepassword,thedatacannotbedecryptedforexamination.Keepinmindthatyouwillneedthispasswordeverytimeyouopentheimagefileforexamination,asshowninthefollowingscreenshot:

OxygenForensicsSuiteBlackBerryIPDViewer—theencryptedfile

4. Thedecrypteddatawillbeprovidedforexamination.Notethatthenumberofdatabasescontainedwithinthisbackupfilewas107asshowninthefollowingscreenshot:

TheOxygenForensicsSuiteBlackBerryIPDViewerresults

SummaryForensicsupportforBlackBerrydevicesislimitedwhencomparedtoothersmartphonedevices.OpensourcetoolssupportingBlackBerryphysicalacquisitionarenotcurrentlyavailable,andbypassingalockeddeviceiscomplicatedandoftenrendersthedataencryptedandunusable.UnlikeiOSandAndroiddevices,ourmostsuccessfuldataextractionsofBlackBerrydevicesusuallycomefromthefilesystemimageorbackupfile.Informationsuchase-mail,SMS,contacts,andmorecanbeextractedfromBlackBerrybackupfiles.Sometimes,themostusefulinformationisthedataextractedfromabackupfile,whichprovidesaccesstothemostdataforanalysis.

IndexA

acquisitionviaacustomramdiskabout/Acquisitionviaacustomramdiskforensicenvironmentsetup/Theforensicenvironmentsetupforensictoolkit,creating/Creatingandloadingtheforensictoolkitdevicecommunication,establishing/Establishingcommunicationwiththedevicepasscode,bypassing/Bypassingthepasscodedatapartition,imaging/Imagingthedatapartitiondatapartition,decrypting/Decryptingthedatapartitiondeleteddata,recovering/Recoveringthedeleteddata

acquisitionviajailbreakingperforming/Acquisitionviajailbreaking

ActivationLock,iOSsecurityabout/ActivationLock

adbabout/Usingtheadbpullcommand

adbpullcommandused,forlogicaldataextraction/Usingtheadbpullcommand

AddressBook.sqlitedbabout/AddressbookcontactsABPerson/AddressbookcontactsABMultiValue/AddressbookcontactsABMultiValueLabel/Addressbookcontacts

AddressBookImages.sqlitedbfileabout/Addressbookimages

AddressSpaceLayoutRandomization(ASLR),iOSsecurityabout/AddressSpaceLayoutRandomization

AFLogical/Usingcontentprovidersabout/TheAFLogicaltooleditions/TheAFLogicaltoolOSE/TheAFLogicaltoolLE/TheAFLogicaltool

AFLogicalLE

about/AFLogicalLawEnforcement(LE)logicaldata,extractingfromdevice/AFLogicalLawEnforcement(LE)

AFLogicalOSEabout/AFLogicalOpenSourceEditioninstalling/AFLogicalOpenSourceEdition

AFLogicalOSE1.5.2downloading/Usingcontentproviders

Alpine/1.x–thefirstiPhoneAndroid

about/AndroidAndroidapp

analysis/AndroidappanalysisAndroidapps

reverseengineering/ReverseengineeringAndroidapps,StepstoreverseengineerAndroidapps

AndroidDebugBridge(adb)about/AndroidDebugBridgeused,foraccessingdevice/Accessingthedeviceusingadb

Androiddeviceaccessing,adbused/Accessingthedeviceusingadbconnecteddevices,detecting/Detectingconnecteddeviceslocaladbserver,killing/Killingthelocaladbserveradbshell,accessing/Accessingtheadbshellhandling/HandlinganAndroiddevicerooting/RootinganAndroiddevicerootaccess/Rootaccess–adbshellimaging/ImaginganAndroidPhonedataextractiontechniques/Dataextractiontechniques

Androiddevice,connectingtoworkstationdevicecable,identifying/Identifyingthedevicecabledevicedrivers,installing/Installingthedevicedrivers

Androidfilehierarchy/boot/Androidfilehierarchy/system/Androidfilehierarchy/recovery/Androidfilehierarchy/data/Androidfilehierarchy

/cache/Androidfilehierarchy/misc/Androidfilehierarchy

Androidfilesystemabout/Androidfilesystemviewing,onAndroiddevice/ViewingfilesystemsonanAndroiddeviceExtendedFileSystem(EXT)/ExtendedFileSystem–EXT

Androidmodelabout/TheAndroidmodelLinuxkernellayer/TheLinuxkernellayerlibraries/LibrariesDalvikvirtualmachine/Dalvikvirtualmachinedalvikvirtualmachine/Dalvikvirtualmachineapplicationframeworklayer/Theapplicationframeworklayerapplicationslayer/Theapplicationslayer

AndroidSDKabout/AndroidSoftwareDevelopmentKitdownloading/AndroidSoftwareDevelopmentKitinstalling/AndroidSDKinstallation

Androidsecurityabout/Androidsecuritysecurekernel/Securekernelpermissionmodel/Thepermissionmodelapplicationsandbox/Applicationsandboxsecureinterprocesscommunication/Secureinterprocesscommunicationapplicationsigning/Applicationsigning

Apex/4.x–GameCenterandmultitaskingAPKfile

extractingfromAndroiddevice/ExtractinganAPKfilefromanAndroiddevice

AppDomain/Recordapplicationframeworklayer,Androidmodel

about/Theapplicationframeworklayertelephonymanager/Theapplicationframeworklayercontentprovider/Theapplicationframeworklayerresourcemanager/Theapplicationframeworklayer

Applicationsandbox/Applicationsandboxapplicationslayer,Androidmodel

about/TheapplicationslayerAppsandboxing

about/AppsandboxingAppStore/2.x–AppStoreand3G

about/AppStorearchivingphase,Mobilephoneevidenceextractionprocess

about/ThearchivingphaseAutopsy

about/Autopsydownloadlink/AutopsyAndroid,analyzing/AnalyzinganAndroidinAutopsy

AVDabout/AndroidVirtualDevicecreating/AndroidVirtualDevice

Bb-treelayout/RecoveringdeletedSQLiterecordsbackupanalysis,BlackBerry

about/BlackBerrybackupanalysisbackupfile,BlackBerry

fileheader/BlackBerrybackupanalysisdatabasenameblocks/BlackBerrybackupanalysisdatabaserecords/BlackBerrybackupanalysisdatabaserecordfields/BlackBerrybackupanalysis

backupstructure,iTunesabout/Understandingthebackupstructureinfo.plistfile/info.plistmanifest.plistfile/manifest.pliststatus.plistfile/status.plistmanifest.mbdbfile/manifest.mbdb

BigBear/2.x–AppStoreand3GBlackBerryanalysis

about/BlackBerryanalysisbackupanalysis/BlackBerrybackupanalysisforensicimageanalysis/BlackBerryforensicimageanalysisencryptedBlackBerrybackupfile/EncryptedBlackBerrybackupfilesforensictools/ForensictoolsforBlackBerryanalysis

BlackBerrybackupcreating/CreatingaBlackBerrybackup

BlackBerryBackup(BBB)file/CreatingaBlackBerrybackupBlackBerryBackupExtractor/ForensictoolsforBlackBerryanalysis

using/ForensictoolsforBlackBerryanalysisURL/ForensictoolsforBlackBerryanalysisinstalling/ForensictoolsforBlackBerryanalysis

BlackBerrybackupfileabout/ForensictoolsforBlackBerryanalysis

BlackBerryDesktopManager(BDM)/CreatingaBlackBerrybackupBlackBerryDesktopSoftware

installing/CreatingaBlackBerrybackupURL/CreatingaBlackBerrybackup

BlackBerryEnterpriseServer(BES)/BlackBerryOS

BlackBerryInternetService(BIS)/BlackBerryOSBlackBerryLimited/BlackBerryOSBlackBerryLink/CreatingaBlackBerrybackupBlackBerryOS

about/BlackBerryOS,BlackBerryOSURL/BlackBerryOSversionhistory/BlackBerryOSsecurityfeatures/Securityfeaturesdataacquisition/Dataacquisition

BlackBerryRIM/BlackBerryOSBlackBerrysecurity

about/SecurityfeaturesBlackBerrytimestamptypes

URL/BlackBerryforensicimageanalysisBootROM/Normalmodebrowserhistory

extracting/ExtractingbrowserhistoryBulkExtractor

about/ForensictoolsforBlackBerryanalysisURL/ForensictoolsforBlackBerryanalysis

CCalendar.sqlitedbfile

about/Calendareventscalllogs

extracting/Extractingcalllogscall_history.dbfile

about/Callhistorycapabilities

about/Capability-basedmodelcapabilities-basedmodel,WindowsPhone

about/Capability-basedmodelCelleBrite

about/Cellebrite–UFEDCelleBritePhysicalAnalyzer

about/Cellebrite–UFEDCellebritePhysicalAnalyzer/BlackBerryforensicimageanalysisCelleBriteUFED

about/Cellebrite–UFEDCellebriteUFED

about/CellebriteUFEDPhysicalAnalyzerURL/CellebriteUFEDPhysicalAnalyzerfeatures/FeaturesofCellebriteUFEDPhysicalAnalyzerusage/UsageofCellebriteUFEDPhysicalAnalyzerphysicalacquisitionofiOS,performing/UsageofCellebriteUFEDPhysicalAnalyzersupporteddevices/Supporteddevices

CellebriteUFEDTouch/StandardacquisitionmethodsBlackBerryZ10support/StandardacquisitionmethodsBlackBerryCurvesupport/Standardacquisitionmethods

cgroupfilesystem/ViewingfilesystemsonanAndroiddevicechambers

about/WindowschambersChevronWP7

about/Dataacquisitionused,forsideloading/SideloadingusingChevronWP7

Chip-off

about/Chip-offprocess/Chip-off

chip-offmethodabout/Chip-off

chip-offtechnique,screenlockbypassingtechniques/OthertechniquesClockworkMod/RootinganAndroiddeviceClockworkrecovery/RootinganAndroiddeviceCocoaTouchlayer,iOS

about/TheCocoaTouchlayercodesigning,iOSsecurity

about/Codesigningcodesign_allocatetoolpath

verifying/Verifyingthecodesign_allocatetoolpathCODfiles/SecurityfeaturesConnectorapp/MOBILeditconsolidated.dbfile

about/ConsolidatedGPScacheconsolidatedGPScache

about/ConsolidatedGPScachecontentproviders

used,fordataextraction/Usingcontentproviderscookies

about/CookiesCoreOSlayer,iOS

about/TheCoreOSlayerCoreServiceslayer,iOS

about/TheCoreServiceslayercustomramdisk

building/Buildingacustomramdiskbooting/Bootingthecustomramdisk

Cydiaapplication/Acquisitionviajailbreaking

D.dumptable-namecommand/SQLitespecialcommands/datadirectory

extracting,onrooteddevice/Extractingthe/datadirectoryonarooteddeviceextracting,onnon-rooteddevice/Extractingthe/datadirectoryonarooteddevice

Dalvikbytecode/ReverseengineeringAndroidappsDalvikVirtualMachine(DVM)/ReverseengineeringAndroidappsdataacquisition

about/Dataacquisitionsideloading,ChevronWP7used/SideloadingusingChevronWP7data,extracting/Extractingthedata

dataacquisition,BlackBerryabout/Dataacquisitionstandardacquisitionmethods/StandardacquisitionmethodsBlackBerrybackup,creating/CreatingaBlackBerrybackup

dataacquisitionmethodsabout/Dataacquisitionmethodsphysicalacquisition/Physicalacquisitionlogicalacquisition/Logicalacquisitionmanualacquisition/Manualacquisition

dataexecutionprevention(DEP),iOSsecurityabout/Dataexecutionprevention

dataextraction,WindowsPhonedeviceperforming/ExtractingthedataSMS,extracting/ExtractingSMSe-mail,extracting/Extractinge-mailapplicationdata,extracting/Extractingapplicationdata

dataextractiontechniques,Androiddevicetypes/Dataextractiontechniquesmanualdataextraction/Manualdataextractionlogicaldataextraction/Logicaldataextractionphysicaldataextraction/Physicaldataextraction

dataprotection,iOSsecurityabout/Dataprotection

datarecoveryabout/Datarecoveryperforming/Datarecoverydeletedfiles,recovering/Recoveringthedeletedfilesdeleteddata,recoveringfromSDcard/RecoveringdeleteddatafromanSDcarddeleteddata,recoveringfrominternalmemory/Recoveringdatadeletedfrominternalmemorydeletedfiles,recoveringbyparsingSQLitefiles/RecoveringdeletedfilesbyparsingSQLitefilesfiles,recoveringusingfilecarvingtechniques/Recoveringfilesusingfile-carvingtechniques

datastorage,Androiddevicesharedpreferences/Usingtheadbpullcommandinternalstorage/Usingtheadbpullcommandexternalstorage/UsingtheadbpullcommandSQLitedatabase/Usingtheadbpullcommand

datasynchronization/iTunesbackupdatawipe,iOSsecurity

about/DatawipedeletedSQLiterecords

recovering/RecoveringdeletedSQLiterecordsdeviceinformation

extracting/Extractingdeviceinformationdevicelocking/HandlinganAndroiddevicedevptsfilesystem/ViewingfilesystemsonanAndroiddevicedex2jartool/StepstoreverseengineerAndroidappsDFUmode,iOSdevices

about/DFUmodeenabling/DFUmodeverifying/DFUmode

differentialbackupabout/Understandingthebackupstructure

DiskDigger/Recoveringfilesusingfile-carvingtechniquesdisklayout,iOSdevices

systempartition/Disklayoutabout/Disklayout

userdatapartition/Disklayoutmountedpartitions,viewing/Disklayoutrawdiskimages,viewing/Disklayout

documentandreportingphase,Mobilephoneevidenceextractionprocessabout/Thedocumentandreportingphase

dotcommandsabout/SQLitespecialcommands.tables/SQLitespecialcommands.schematable-name/SQLitespecialcommands.dumptable-name/SQLitespecialcommands.outputfile-name/SQLitespecialcommands.headerson/SQLitespecialcommands.help/SQLitespecialcommands.exit/SQLitespecialcommands.modeMODE/SQLitespecialcommands

downloadedapplicationsabout/Downloadedapplications

DVMabout/Dalvikvirtualmachine

E.exitcommand/SQLitespecialcommandse-maildatabase

about/E-maildatabaseeDiscovery

about/BlackBerryanalysisEffaceableStorage/RecoveringthedeleteddataEIFT

about/ElcomsoftiOSForensicToolkitURL/ElcomsoftiOSForensicToolkitfeatures/FeaturesofEIFTusage/UsageofEIFTguidedmode/Guidedmodemanualmode/Manualmode

EIFT-supporteddevicesabout/EIFT-supporteddevicescompatibilities/Compatibilitynotes

ElcomsoftBlackBerryBackupExplorer/ForensictoolsforBlackBerryanalysisElcomsoftIPDViewer

using/ForensictoolsforBlackBerryanalysisElcomsoftPhonePasswordBreaker/EncryptedBlackBerrybackupfilesElevatedRightsChamber(ERC)

about/Windowschambersencryptedbackup,iTunes

creating/Encryptedbackupextracting/Extractingencryptedbackupsextracting,iPhoneDataProtectionToolsused/iPhoneDataProtectionToolskeychain,decrypting/Decryptingthekeychain

encryptedBlackBerrybackupfileabout/EncryptedBlackBerrybackupfilescracking/EncryptedBlackBerrybackupfiles

encryption,iOSsecurityabout/Encryption

Escrowkeybag/Pairingrecords

ESExplorer/ExtractinganAPKfilefromanAndroiddeviceevidence

about/Potentialevidencestoredonmobilephonesrules/Authenticsecuring/Securingtheevidencepreserving/Preservingtheevidencedocumenting/Documentingtheevidence

evidenceintakephase,Mobilephoneevidenceextractionprocessabout/Theevidenceintakephase

ExtendedFileSystem(EXT)about/ExtendedFileSystem–EXT

FFastbootutility/Flashinganewrecoverypartitionfilecarving

about/Recoveringfilesusingfile-carvingtechniquesused,forrecoveringfiles/Recoveringfilesusingfile-carvingtechniques

filesystem,iPhoneHFSX/Filesystem

FindMyFriendsservice/iCloudbackupFindMyiPhoneservice/iCloudbackupFlashFriendlyFileSystem(F3FS)/ExtendedFileSystem–EXTforensicbestpractices

evidence,securing/Securingtheevidenceevidence,preserving/Preservingtheevidenceevidence,documenting/Documentingtheevidenceallchanges,documenting/Documentingallchanges

forensicenvironmentsettingup/AforensicenvironmentsetupAndroidSDK/AndroidSoftwareDevelopmentKitAndroidSDKinstallation/AndroidSDKinstallationAVD/AndroidVirtualDeviceAndroiddevice,connectingtoworkstation/ConnectinganAndroiddevicetoaworkstationconnecteddevice,accessing/AccessingtheconnecteddeviceAndroidDebugBridge(adb)/AndroidDebugBridgeAndroiddevice,accessingwithadb/AccessingthedeviceusingadbAndroiddevice,handling/HandlinganAndroiddevice

forensicenvironmentsetup,acquisitionviaacustomramdiskperforming/Theforensicenvironmentsetupldidtool,downloading/Downloadingandinstallingtheldidtoolldidtool,installing/Downloadingandinstallingtheldidtoolcodesign_allocatetoolpath,verifying/Verifyingthecodesign_allocatetoolpathOSXFuse,installing/InstallingOSXFusePythonmodules,installing/InstallingPythonmodulesiPhoneDataProtectionTools,downloading/DownloadingiPhone

DataProtectionToolsIMG3FStool,building/BuildingtheIMG3FStoolredsn0w,downloading/Downloadingredsn0w

forensicimageanalysis,BlackBerryabout/BlackBerryforensicimageanalysis

forensictoolkit,acquisitionviaacustomramdiskcreating/Creatingandloadingtheforensictoolkitloading/CreatingandloadingtheforensictoolkitiOSfirmwarefile,downloading/DownloadingtheiOSfirmwarefilekernel,modifying/Modifyingthekernelcustomramdisk,building/Buildingacustomramdiskcustomramdisk,booting/Bootingthecustomramdisk

forensictoolsoverview/ForensictoolsoverviewAFLogicaltool/TheAFLogicaltoolMOBILedit/MOBILeditAutopsy/Autopsy

forensictools,forBlackBerryanalysisabout/ForensictoolsforBlackBerryanalysisCellebritePhysicalAnalyzer/ForensictoolsforBlackBerryanalysisOxygenForensicsSuite/ForensictoolsforBlackBerryanalysisMicrosystemationXRY/ForensictoolsforBlackBerryanalysisAccessDataMPE+/ForensictoolsforBlackBerryanalysis

GGameCenter/4.x–GameCenterandmultitaskingGlobalPositioningSystem(GPS)/2.x–AppStoreand3Gguidedmode,EIFT

about/GuidedmodephysicalacquisitionofiPhone4,performing/Guidedmode

H.headersoncommand/SQLitespecialcommands.helpcommand/SQLitespecialcommandsHeavenly/1.x–thefirstiPhonehexdump

about/HexdumpHFSPlusfilesystem

about/TheHFSPlusfilesystemURL/TheHFSPlusfilesystem

HFSPlusvolumeabout/TheHFSPlusvolumestructure/TheHFSPlusvolume

HFSvolumes/TheHFSPlusfilesystemHFSX

about/FilesystemHierarchicalFileSystem(HFS)

about/TheHFSPlusfilesystemHomeDomain/RecordHomeDomainplistfiles

about/TheHomeDomainplistfiles

IiBackupBot/OpensourceorfreemethodsiBECloader

about/DFUmodeiBoot

about/NormalmodeiCloud/5.x–SiriandiCloud

about/iCloudbackupFindMyiPhoneservice/iCloudbackupFindMyFriendsservice/iCloudbackup

iCloudbackupperforming/iCloudbackupextracting/ExtractingiCloudbackups

identificationphase,Mobilephoneevidenceextractionprocessabout/Theidentificationphaselegalauthority/Thelegalauthorityexaminationsgoals/Thegoalsoftheexaminationmakeandmodel,identifying/Themake,model,andidentifyinginformationforthedeviceremovabledatastorage/Removableandexternaldatastoragepotentialevidencesources/Othersourcesofpotentialevidence

ideviceinfocommand-linetoolabout/iPhonemodelsURL/iPhonemodels

iExplorer/OpensourceorfreemethodsiFunBox/Opensourceorfreemethodsimagingprocess,memory(SD)card

memorycard,connecting/Imagingamemory(SD)cardmemorycard,protecting/Imagingamemory(SD)cardhashvalue,calculating/Imagingamemory(SD)carddiskimage,creating/Imagingamemory(SD)card

imagingthedeviceabout/ImaginganAndroidPhone

IMchatsanalysisabout/Analysisofsocialnetworking/IMchats

IMG3FStool

building/BuildingtheIMG3FStoolinfo.plistfile

about/info.plistcontent/info.plist

Innsbruck/7.x–theiPhone5SandbeyondInter@activePagerBackup(IPD)/CreatingaBlackBerrybackupiOS

about/iOS,iPhoneoperatingsystemdifferences,withMacOSX/iPhoneoperatingsystem

iOSacquisitionmethodsopensourcemethods/Opensourceorfreemethods

iOSarchitectureabout/TheiOSarchitecturelayers/TheiOSarchitectureCocoaTouchlayer/TheCocoaTouchlayerMedialayer/TheMedialayerCoreServiceslayer/TheCoreServiceslayerCoreOSlayer/TheCoreOSlayer

iOSdataanalysisandrecoverytimestamps/TimestampsSQLitedatabases/SQLitedatabasespropertylist/Propertylistscookies/Cookieskeyboardcache/Keyboardcachephotosdirectory/Photoswallpaperdirectory/Wallpapersnapshotsdirectory/Snapshotsrecordingsdirectory/Recordingsdownloadedapplications/DownloadedapplicationsdeletedSQLiterecords,recovering/RecoveringdeletedSQLiterecords

iOSdevicesiPhone/iPhonemodelsiPad/iPadmodelsdisklayout/Disklayoutoperatingmodes/OperatingmodesofiOSdevicesphysicalacquisition/Physicalacquisition

iOSfirmwarefiledownloading/DownloadingtheiOSfirmwarefile

iOShistoryabout/iOShistoryiPhoneOS1.x/1.x–thefirstiPhoneAppStore/2.x–AppStoreand3GiPhone3G/2.x–AppStoreand3GiPad/3.x–thefirstiPadgamecenter/4.x–GameCenterandmultitaskingmultitasking/4.x–GameCenterandmultitaskingSiri/5.x–SiriandiCloudiCloud/5.x–SiriandiCloudAppleMaps/6.x–AppleMapsiPhone5S/7.x–theiPhone5Sandbeyond

iOSsecurityabout/iOSsecurityfeatures/iOSsecuritypasscodes/Passcodecodesigning/Codesigningsandboxing/Sandboxingencryption/Encryptiondataprotection/DataprotectionAddressSpaceLayoutRandomization(ASLR)/AddressSpaceLayoutRandomizationprivilegeseparation/Privilegeseparationstacksmashingprotection/Stacksmashingprotectiondataexecutionprevention(DEP)/Dataexecutionpreventiondatawipe/DatawipeActivationLock/ActivationLock

iPadhardwareabout/iPadhardwareinternalimages/iPadhardware

iPadmodelsiOSversions/iPadmodelsspecificationsandfeatures/iPadmodels

IPDfileinformation,viewingwithBlackBerryBackupExtractor/Forensic

toolsforBlackBerryanalysisiPhone

about/iPhonemodelsmodels/iPhonemodelsmodel,identifying/iPhonemodelsexamining/iPhonemodelsmodelnumber/iPhonemodelsfirmwareversion/iPhonemodelsspecificationsandfeatures/iPhonemodelsfilesystem/Filesystem

iPhoneBackupBrowserunencryptedbackup,extracting/iPhoneBackupBrowserabout/iPhoneBackupBrowser

iPhoneBackupExtractorabout/iPhoneBackupExtractorunencryptedbackup,extracting/iPhoneBackupExtractor

iPhonebackupsiTunesbackup/iTunesbackupiCloudbackup/iCloudbackup

iPhoneDataProtectionToolsabout/Acquisitionviaacustomramdisk,iPhoneDataProtectionToolsinstalling/DownloadingiPhoneDataProtectionToolsunencryptedbackup,extracting/iPhoneDataProtectionToolsencryptedbackup,extracting/iPhoneDataProtectionTools

iPhonehardwareabout/iPhonehardwareinternalimages/iPhonehardware

iPhoneOSabout/iPhoneoperatingsystem

iPhonePasswordBreakerabout/iPhonePasswordBreakerbackuppassword,bruteforcing/iPhonePasswordBreaker

iPhoneSoftwareDevelopmentKit(SDK)/2.x–AppStoreand3GiRecoveryStick

about/ParabeniRecoveryStickURL/ParabeniRecoveryStick

features/FeaturesofParabeniRecoveryStickusage/UsageofParabeniRecoveryStickacquisitionofiOSdevice,performing/UsageofParabeniRecoverySticksupporteddevices/DevicessupportedbyParabeniRecoveryStick

isolationphase,Mobilephoneevidenceextractionprocessabout/Theisolationphase

iTunesabout/iTunesbackupauto-syncing,disabling/iTunesbackup

iTunesbackupperforming/iTunesbackuprecords,pairing/Pairingrecordsbackupstructure/Understandingthebackupstructureunencryptedbackup,creating/Unencryptedbackupencryptedbackup,creating/Encryptedbackup

IV(initializationvector)/Extractingencryptedbackups

Jjailbreaking

about/JailbreakingURL/Jailbreaking

JavaDevelopmentEnvironment(JDE)/BlackBerryOSJavaVirtualMachine(JVM)/SecurityfeaturesJD-GUItool/StepstoreverseengineerAndroidappsJointTestActionGroup(JTAG)method/Chip-offJTAG

about/JTAGprocess/JTAG

JTAGtechnique,screenlockbypassingtechniques/Othertechniques

KKernelAddressSpaceLayoutRandomization/AcquisitionviajailbreakingKernelAddressSpaceProtection/Acquisitionviajailbreakingkeyboardcache

about/KeyboardcacheKirkwood/3.x–thefirstiPad

Lldidtool

downloading/Downloadingandinstallingtheldidtoolinstalling/Downloadingandinstallingtheldidtool

LeastPrivilegedChamber(LPC)about/Windowschambers

libraries,Androidmodelabout/Libraries

LiMEabout/RecoveringdeleteddatafromanSDcard

Linuxkernellayer,Androidmodelabout/TheLinuxkernellayer

lockdowncertificates/Pairingrecordslogicalacquisitionmethod

about/Logicalacquisitionlogicaldataextraction

about/Logicaldataextractionperforming/Logicaldataextractionperforming,adbpullcommandused/Usingtheadbpullcommand/datadirectory,extractingonrooteddevice/Extractingthe/datadirectoryonarooteddevice/datadirectory,extractingonnon-rooteddevice/Extractingthe/datadirectoryonarooteddeviceperforming,SQLiteBrowserused/UsingSQLiteBrowserdeviceinformation,extracting/Extractingdeviceinformationcalllogs,extracting/ExtractingcalllogsSMS/MMS,extracting/ExtractingSMS/MMSbrowserhistory,extracting/Extractingbrowserhistorysocialnetworkinganalysis/Analysisofsocialnetworking/IMchatsIMchatsanalysis/Analysisofsocialnetworking/IMchatsperforming,contentprovidersused/Usingcontentproviders

logicalextractionprocessabout/Logicalextraction

Low-Levelbootloader(LLB)/Normalmode

M.modeMODEcommand/SQLitespecialcommandsM2Crypto

about/InstallingPythonmodulesinstalling/InstallingPythonmodules

Macabsolutetimeabout/Macabsolutetime

MacOSX10.8iPhonemodel,obtaining/iPhonemodelsiPhoneiOSversion,obtaining/iPhonemodels

manifest.mbdbfileabout/manifest.mbdbheader/Headerrecords/Record

manifest.plistfileabout/manifest.plistcontent/manifest.plist

manualacquisitionmethodabout/Manualacquisition

manualdataextractionabout/ManualdataextractionAndroiddevice,rooting/UsingrootaccesstoacquireanAndroiddevice

manualextractionprocessabout/Manualextraction

manualmode,EIFTabout/Manualmode

MCC/MNCcodesreferencelink/Callhistory

Medialayer,iOSabout/TheMedialayer

memory(SD)cardimaging/Imagingamemory(SD)cardimaging,WinHexused/Imagingamemory(SD)cardimagingprocess/Imagingamemory(SD)card

Mercurialsourcecodemanagementsystem

installing/InstallingPythonmodulesmicroread/MicroreadMicrosoft.NETFramework4/iPhoneBackupBrowserMobileDataSystem(MDS)/BlackBerryOSMobileDeviceManagement(MDM)/HandlinganAndroiddeviceMOBILedit

about/MOBILeditURL/MOBILeditused,forextractinginformationfromAndroidphone/MOBILedit

Mobileforensicapproachesabout/Practicalmobileforensicapproachesmobileoperatingsystemsoverview/MobileoperatingsystemsoverviewMobileforensictoollevelingsystem/Mobileforensictoollevelingsystemdataacquisitionmethods/Dataacquisitionmethods

Mobileforensicsabout/Mobileforensicschallenges/Mobileforensicchallenges

Mobileforensictoollevelingsystemabout/Mobileforensictoollevelingsystemmanualextraction/Manualextractionlogicalextraction/Logicalextractionhexdump/Hexdumpchip-off/Chip-offmicroread/Microread

mobileoperatingsystemsoverview/MobileoperatingsystemsoverviewAndroid/AndroidiOS/iOSWindowsphone/WindowsphoneBlackBerryOS/BlackBerryOS

Mobilephoneevidenceextractionprocessabout/Mobilephoneevidenceextractionprocessevidenceintakephase/Theevidenceintakephaseidentificationphase/Theidentificationphasepreparationphase/Thepreparationphase

isolationphase/Theisolationphaseprocessingphase/Theprocessingphaseverificationphase/Theverificationphasedocumentandreportingphase/Thedocumentandreportingphasepresentationphase/Thepresentationphasearchivingphase/Thearchivingphase

mobilephonesevidence/Potentialevidencestoredonmobilephones

modelnumber,iPhone/iPhonemodelsmountcommand/Disklayout

NNAND

about/Physicalacquisitionnormalmode,iOSdevices

about/NormalmodeNotesdatabase

about/Notes

O.outputfile-namecommand/SQLitespecialcommandsoperatingmodes,iOSdevices

about/OperatingmodesofiOSdevicesnormalmode/Normalmoderecoverymode/RecoverymodeDFUmode/DFUmode

OSXFuseinstalling/InstallingOSXFuse

overtheair(OTA)softwareupdates/5.x–SiriandiCloudOxygenForensicsIPDViewer/ForensictoolsforBlackBerryanalysisOxygenForensicsSQLiteViewer

about/RecoveringdeletedfilesbyparsingSQLitefilesOxygenForensicsSuite

installing/ForensictoolsforBlackBerryanalysisOxygenForensicSuite2014

about/OxygenForensicSuite2014URL/OxygenForensicSuite2014features/FeaturesofOxygenForensicSuiteusage/UsageofOxygenForensicSuiteacquisitionofiOS,performing/UsageofOxygenForensicSuitesupporteddevices/OxygenForensicSuite2014supporteddevices

Ppasscodes,iOSsecurity

about/PasscodePBKDF2(Password-BasedKeyDerivationFunction2)/Extractingencryptedbackupsphotosdirectory

about/Photosphotosmetadata

about/Thephotosmetadataphysicalacquisition,iOSdevices

about/Physicalacquisitionphysicalacquisitionmethod

about/Physicalacquisitionphysicaldataextraction

performing/PhysicaldataextractionJTAG/JTAGChip-offtechnique/Chip-off

plistabout/Propertylists

PlistEditorforWindowsURL/Propertylists

plutilcommand-lineutility,MacOSXabout/Propertylists

preparationphase,Mobilephoneevidenceextractionprocessabout/Thepreparationphase

presentationphase,Mobilephoneevidenceextractionprocessabout/Thepresentationphase

privilegeseparation,iOSsecurityabout/Privilegeseparation

processingphase,Mobilephoneevidenceextractionprocessabout/Theprocessingphase

procfilesystem/ViewingfilesystemsonanAndroiddevicepropertylist/Pairingrecords

about/PropertylistsPropertyListEditor

about/Propertylists

PropertyListEditorapplication/UnderstandingthebackupstructurePyCrypto/InstallingPythonmodulesPythonmodules

installing/InstallingPythonmodules

QQuickTimePlayer

about/Voicemail

Rre-balling

about/Chip-offread-onlymemory(ROM)/Normalmoderecordingsdirectory

about/Recordingsrecoveryloop

about/Recoverymoderecoverymode,iOSdevices

about/Recoverymoderedsn0wtool

about/Recoverymodedownloading/Downloadingredsn0w

RemoRecoverforAndroidtoolused,forrecoveringdeletedfilesfromSDcard/RecoveringdeleteddatafromanSDcardabout/RecoveringdeleteddatafromanSDcarddownloading/RecoveringdeleteddatafromanSDcard

ResearchinMotion(RIM)about/BlackBerryOS

reverseengineering,AndroidappsAPKfile,extractingfromAndroiddevice/ExtractinganAPKfilefromanAndroiddeviceperforming/StepstoreverseengineerAndroidapps

RobustFileSystem(RFS)/ExtendedFileSystem–EXTroot/Whatisrooting?rootaccess

gaining/GainingrootaccessRootDomainplistfiles

about/TheRootDomainplistfilesrootfsfilesystem/ViewingfilesystemsonanAndroiddevicerooting

about/Whatisrooting?Androiddevice/RootinganAndroiddeviceClockworkrecovery/RootinganAndroiddeviceClockworkMod/RootinganAndroiddevice

advantages/RootinganAndroiddevicedisadvantages/RootinganAndroiddeviceadbshell,running/Rootaccess–adbshell

rules,evidenceadmissible/Admissibleauthentic/Authenticcomplete/Completereliable/Reliablebelievable/Believable

S.schematable-namecommand/SQLitespecialcommandsSafaribookmarksdatabase

about/SafaribookmarksSafariwebcaches

about/TheSafariwebcachesSamsungAndroiddevice

dataextracting,UFEDused/Physicalextractionsandboxing,iOSsecurity

about/SandboxingScalpel

about/Recoveringfilesusingfile-carvingtechniquesusing,onUbuntuworkstation/Recoveringfilesusingfile-carvingtechniques

screenlockbypassingtechniquesabout/Screenlockbypassingtechniquespatternlock/ScreenlockbypassingtechniquesPINcode/Screenlockbypassingtechniquesalphanumericpasscode/Screenlockbypassingtechniquesadb,used/Usingadbtobypassthescreenlockgesture.keyfile,deleting/Deletingthegesture.keyfilesettings.dbfile,updating/Updatingthesettings.dbfilemodifiedrecoverymode,checking/Checkingforthemodifiedrecoverymodeandadbconnectionadbconnection,checking/Checkingforthemodifiedrecoverymodeandadbconnectionrecoverypartition,flashing/Flashinganewrecoverypartitionsmudgeattack/SmudgeattackGmailaccount,using/UsingtheprimaryGmailaccountJTAG/Othertechniqueschip-offtechnique/Othertechniques

securebootchain/NormalmodesecureROM/Normalmodesecuritychambers

about/WindowschambersTrustedComputingBase(TCB)/Windowschambers

ElevatedRightsChamber(ERC)/WindowschambersStandardRightsChamber(SRC)/WindowschambersLeastPrivilegedChamber(LPC)/Windowschambers

securityfeatures,BlackBerryabout/Securityfeatures

securitymodel,WindowsPhoneOSabout/Securitymodel

Siri/5.x–SiriandiCloudSleuthKit/AutopsySMS/MMS

extracting/ExtractingSMS/MMSSMSdatabase

about/SMSmessagesSMSSpotlightcache

about/SMSSpotlightcachesmudgeattack/Smudgeattacksnapshotsdirectory

about/Snapshotssocialnetworkinganalysis

about/Analysisofsocialnetworking/IMchatsSQLite

about/SQLitedatabasessqlite3command-lineutility/SQLitedatabasesSQLiteBrowser

URL/SQLitedatabasesused,forlogicaldataextraction/UsingSQLiteBrowser

SQLitecommand-lineclientURL/SQLitedatabases

SQLitecommandsabout/SQLitespecialcommands

SQLitedatabasesabout/SQLitedatabasesconnectingto/Connectingtoadatabasecommands/SQLitespecialcommandsstandardSQLqueries/StandardSQLqueriesaddressbookcontacts/Addressbookcontactsaddressbookimages/Addressbookimages

callhistory/CallhistorySMSdatabase/SMSmessagesSMSSpotlightcache/SMSSpotlightcachecalendarevents/Calendareventse-maildatabase/E-maildatabasenotesdatabase/NotesSafaribookmarks/SafaribookmarksSafariwebcaches/TheSafariwebcacheswebapplicationcache/ThewebapplicationcacheWebKitstorage/TheWebKitstoragephotosmetadata/ThephotosmetadataconsolidatedGPScache/ConsolidatedGPScachevoicemaildatabase/Voicemail

SQLitefilesusing/RecoveringdeletedfilesbyparsingSQLitefilesURL/RecoveringdeletedfilesbyparsingSQLitefiles

SQLiteProfessionalURL/SQLitedatabases

SQLiteSpyURL/SQLitedatabases

stacksmashingprotection,iOSsecurityabout/Stacksmashingprotection

standardacquisitionmethodsabout/Standardacquisitionmethods

StandardRightsChamber(SRC)about/Windowschambers

standardSQLqueriesSELECT/StandardSQLqueriesINSERT/StandardSQLqueriesDELETE/StandardSQLqueriesALTER/StandardSQLqueries

status.plistfileabout/status.plistcontent/status.plist

Sundance/6.x–AppleMapsSuperBackupapp

about/RecoveringdeleteddatafromanSDcard

Systemkeybag/Bypassingthepasscode,Pairingrecordssystempartition,iOSdevicedisklayout

about/DisklayoutSystemPreferencesDomainplistfiles

about/TheSystemPreferencesDomainplistfiles

T.tablescommand/SQLitespecialcommandsTelluride/5.x–SiriandiCloudTestAccessPorts(TAPs)/Chip-offtiles/WindowsPhoneOStimestamps

about/TimestampsUnixtimestamp/UnixtimestampsMacabsolutetime/Macabsolutetime

tmpfsfilesystem/ViewingfilesystemsonanAndroiddeviceTrustedComputingBase(TCB)

about/Windowschambers

UUFEDTouch

used,forextractingdatafromSamsungAndroiddevice/Physicalextraction

unencryptedbackup,iTunescreating/Unencryptedbackupextracting/Extractingunencryptedbackupsextracting,iPhoneBackupExtractorused/iPhoneBackupExtractorextracting,iPhoneBackupBrowserused/iPhoneBackupBrowser,iPhoneDataProtectionToolskeychain,decrypting/Decryptingthekeychain

UniqueDeviceIdentifier(UDID)/Bypassingthepasscode,UnderstandingthebackupstructureUnixtimestamp

about/Unixtimestampsuserdatapartition,iOSdevicedisklayout

about/Disklayout

Vverificationphase,Mobilephoneevidenceextractionprocess

about/Theverificationphaseextracteddata,comparingtohandsetdata/Comparingextracteddatatothehandsetdataresults,comparingusingmultipletools/Usingmultipletoolsandcomparingtheresultshashvalues,using/Usinghashvalues

VFAT/ExtendedFileSystem–EXTviaForensics/TheAFLogicaltoolVisualC++2010runtime/iPhoneBackupBrowservoicemaildatabase

about/Voicemailvolumestructure,HFSPlus

volumeheader/TheHFSPlusvolumeallocationfile/TheHFSPlusvolumeextentsoverflowfile/TheHFSPlusvolumecatalogfile/TheHFSPlusvolumeattributefile/TheHFSPlusvolumestartupfile/TheHFSPlusvolumealternatevolumeheaderfile/TheHFSPlusvolume

Wwallpaperdirectory

about/Wallpaperwebapplicationcache

about/ThewebapplicationcacheWebKitstorage,Safari

about/TheWebKitstorageWildcat/3.x–thefirstiPadWindowsphone

about/WindowsphoneWindowsPhoneDeviceManager

downloading/ExtractingthedataWindowsPhonefilesystem

about/WindowsPhonefilesystemApplicationDatadirectory/WindowsPhonefilesystemApplicationsdirectory/WindowsPhonefilesystemMyDocumentsdirectory/WindowsPhonefilesystemWindowsdirectory/WindowsPhonefilesystem

WindowsPhoneOSabout/WindowsPhoneOSsecuritymodel/Securitymodelchambers/Windowschamberscapabilities-basedmodel/Capability-basedmodelAppsandboxing/Appsandboxing

WindowsPhoneSDK7.1downloading/Extractingthedata

Windowsregistry/WindowsPhonefilesystemWinHex

used,forimagingmemory(SD)card/Imagingamemory(SD)cardWirelessDomainplistfiles

about/TheWirelessDomainplistfiles

YYetAnotherFlashFileSystem2(YAFFS2)/ExtendedFileSystem–EXT

ZZunesoftware

downloading/Extractingthedata