iPhone and iOS Forensics: Investigation, Analysis, and Mobile Security for Apple iPhone, iPad, and iOS Devices




Document information

iPhone and iOS Forensics

iPhone and iOS Forensics: Investigation, Analysis and Mobile Security for Apple iPhone, iPad, and iOS Devices

Andrew Hoog
Katie Strzempka

Technical Editor: Robert Maxwell

Acquiring Editor: Angelina Ward
Development Editor: Heather Scherer
Project Manager: Jessica Vaughan
Designer: Eric DeCicco

Syngress is an imprint of Elsevier
225 Wyman Street, Waltham, MA 02451, USA

© 2011 Elsevier, Inc. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher's permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions

This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).

Notices

Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods or professional practices may become necessary. Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information or methods described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.

To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.

Library of Congress Cataloging-in-Publication Data
Hoog, Andrew
  iPhone and iOS forensics : investigation, analysis, and mobile security for Apple iPhone, iPad, and iOS devices / Andrew Hoog, Katie Strzempka.
    p. cm.
  Includes index.
  ISBN 978-1-59749-659-9
  iPhone (Smartphone). iPad (Computer). iOS (Electronic resource). Data recovery (Computer science). I. Strzempka, Katie. II. Title.
  QA76.8.I64H665 2011
  005.8'6–dc23
  2011013050

British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library.

ISBN: 978-1-59749-659-9

Printed in the United States of America
11 12 13 14 15 10

For information on all Syngress publications visit our website at www.syngress.com

Contents

Acknowledgments  ix
Preface  xi
About the Authors  xiii
About the Technical Editor  xv

CHAPTER 1  Overview  1
  Introduction
    Strategy
    Development community
  iPhone Models
    iPhone hardware
  Forensic Examination Approaches
    iPhone leveling  10
    Acquisition types  12
    Forensics with Linux  15

CHAPTER 2  Device features and functions  35
  Introduction  35
  Apple Device Overview  35
  Operating Modes  37
    Normal mode  37
    Recovery mode  37
    DFU mode  37
    Exiting Recovery/DFU mode  41
  Security  42
    Device settings  42
    Secure erase  43
    App security  44
  iTunes Interaction  44
    Device Synchronization  44
    iPhone backups  45
    iPhone restore  46
    iPhone iOS updates  46
      Upgrade  46
      Downgrade  47
    The App Store  52
    MobileMe  52

CHAPTER 3  File system and data storage  55
  Introduction  55
  What Data is Stored  55
  Where Data is Stored  56
  How Data is Stored  59
    Internal storage  59
    SQLite database files  60
    Property lists  62
    Network  65
  Memory Types  65
    RAM  65
    NAND Flash  66
  iPhone Operating System  70
    iOS layers  70
  File System  71
    Volumes  74
    Journaling  74
    iPhone disk partitions  75

CHAPTER 4  iPhone and iPad data security  79
  Introduction  79
  Data Security and Testing  80
    Computer crime laws in the United States  80
    Data protection in the hands of the administrators  82
    Security testing procedure  85
  Application Security  93
    Corporate or individual mobile app consumers  94
    Corporate or individual mobile app developers  96
    Application security strategies for developers  97
  Recommendations for Device and Application Security  101

CHAPTER 5  Acquisitions  107
  Introduction  107
  iPhone Forensics Overview  107
    Types of investigations  108
    Difference between logical and physical techniques  109
    Modification of the target device  109
  Handling Evidence  111
    Passcode procedures  111
    Network isolation  111
    Powered-off devices  112
  Imaging an iPhone/iPad  112
    Backup acquisition  112
    Logical acquisition  119
    Physical acquisition  120
  Imaging Other Apple Devices  133
    iPad  133
    iPod Touch  134
    Apple TV  134

CHAPTER 6  Data and application analysis  137
  Introduction  137
  Analysis Techniques  137
    Mount disk image  137
    File carving  138
    Strings  144
    Timeline development and analysis  146
    Forensic analysis  153
  iPhone Data Storage Locations  159
    Default applications  160
    Downloaded apps  167
    Other  170
  iPhone Application Analysis and Reference  178
    Default applications  178
    Third-party (downloaded) applications  201

CHAPTER 7  Commercial tool testing  213
  Introduction  213
  Data Population  214
  Analysis Methodology  218
  CelleBrite UFED  220
    Installation  221
    Forensic acquisition  222
    Results and reporting  222
  iXAM  228
    Installation  229
    Forensic acquisition  229
    Results and reporting  230
  Oxygen Forensic Suite 2010  234
    Installation  236
    Forensic acquisition  236
    Results and reporting  237
  XRY  239
    Installation  242
    Forensic acquisition  242
    Results and reporting  242
  Lantern  245
    Installation  248
    Forensic acquisition  248
    Results and reporting  248
  MacLock Pick  251
    Installation  253
    Forensic acquisition  254
    Results and reporting  254
  Mobilyze  255
    Installation  257
    Forensic acquisition  257
    Results and reporting  257
  Zdziarski Technique  260
    Installation  263
    Forensic acquisition  263
    Results and reporting  263
  Paraben Device Seizure  266
    Installation  268
    Forensic acquisition  268
    Results and reporting  269
  MobileSyncBrowser  272
    Installation  273
    Forensic acquisition  273
    Results and reporting  274
  CellDEK  275
    Installation  276
    Forensic acquisition  278
    Results and reporting  278
  EnCase Neutrino  279
    Installation  281
    Forensic acquisition  282
    Results and reporting  282
  iPhone Analyzer  285
    Installation  287
    Forensic acquisition  287
    Results and reporting  287

Appendix A  291
Appendix B  293
Appendix C  295
Index  303

Acknowledgments

When making the decision to co-author this book, I was well aware of the impact it was going to have on my life, but did not fully realize all of the others that would be directly or indirectly involved. Luckily, I have this section to show my appreciation. I must first thank my family and friends for being so understanding on those many nights and weekends where I was M.I.A. Specifically, thanks to my dad for editing Chapter 2, even though "the Linux stuff was kind of way over my head," and to my mom for always trying to convince me that I am way smarter than I actually am. Thank you to my brother, Danny, for caring for my dog when I was unable to. Jill, thank you for your encouragement throughout the entire process, especially when it involved cupcakes filled with cookie dough. An additional thank you to my friends for convincing me to take occasional breaks to eat sushi and play darts. To Dr. Marcus Rogers and Purdue's Cyber Forensics program: thank you for helping me prepare for a career in this field and to continue to advise me on professional decisions. I also owe a great deal of gratitude to the viaForensics folks, mainly for putting up with Andrew and my constant talk of the "wordcount meter." Big thanks to Ted for his ability to concatenate my iPhone simulator photos, Catherine for letting me vent on a daily basis, and Chris for forcing me to invent new ways of analyzing the iPhone, even when I laughed at him and said, "there is NO WAY we can recover those videos!" This book would not have been completed without the help of my co-author, Andrew Hoog, who has taught me that everything can and should be done using
the command line (even if there is a GUI that can do it 10 times faster).

APPENDIX C: iPhone file system

Directory listing rooted at /private/var on the examined device (pages 296–301). The nesting below is reconstructed from the flattened listing, so verify depths against the device before relying on a path.

mobile
  Applications
    0ACAACB7-AC9A-4A12-87E3-F7BE8EEF26A5
      Documents
      Dropbox.app
      iTunesArtwork
      iTunesMetadata.plist
      Library
        Caches
        Preferences
      tmp
  Library
    AddressBook
      AddressBookImages.sqlitedb
      AddressBook.sqlitedb
    Caches
      AccessToMigrationLock
      AccountMigrationInProgress
      com.apple.AppStore
      com.apple.itunesstored
      com.apple.mobile.installation.plist
      com.apple.notes.sharedstore.lock
      com.apple.pep.configuration.plist
      com.apple.persistentconnection.cache.plist
      com.apple.springboard.displaystate.plist
      com.apple.UIKit.pboard
      com.apple.WebAppCache
      Maps
        MapTiles
          MapTiles.sqlitedb
        TransitIcons
          Info.plist
      MapTiles
        MapTiles.sqlitedb
      Safari
        SafeBrowsing
          SafeBrowsing.db
        Thumbnails
      SBShutdownCookie
      Snapshots
        com.apple.mobilemail-Default.jpg
        com.apple.mobilenotes-Default.jpg
        com.apple.mobilesafari-Default.jpg
      SpringBoardIconCache
      SpringBoardIconCache-small
    Calendar
      Calendar.sqlitedb
    CallHistory
      call_history.db
    Carrier Bundle.bundle -> /System/Library/Carrier Bundles/310410
    com.apple.iTunesStore
    com.apple.itunesstored
      itunesstored2.sqlitedb
      itunesstored_private.sqlitedb
    ConfigurationProfiles
      EASPolicies.plist
      PasswordHistory.plist
      PayloadManifest.plist
    Cookies
      com.apple.itunesstored.plist
      Cookies.plist
    DataAccess
      AccountInformation.plist
      ASFolders-492BF7DC-7739-47B8-9B5D-01111DF482C9
      ASFolders-D9D2E90A-5A76-4C92-B598-012C2BA348F6
    Keyboard
      dynamic-text.dat
    Logs
      ADDataStore.sqlitedb
      ADDataStore.sqlitedb-journal
      AppleSupport
        general.log
      CrashReporter
      MobileInstallation
    Mail
      AutoFetchEnabled
      Envelope Index
      IMAP-test@viaforensics.com
        INBOX.imapmbox
          Messages
            23.2.emlxpart
            23.4.emlxpart
            30.1.emlxpart
            4.2.emlxpart
      Mailboxes
      metadata.plist
      MFData
    Maps
      Directions.plist
      History.plist
    MobileInstallation
      ApplicationAttributes.plist
    Notes
      notes.db
      notes.idx
    Operator Bundle.bundle -> /System/Library/Carrier Bundles/310410
    Preferences
      com.apple.accountsettings.plist
      com.apple.aggregated.plist
      com.apple.AppStore.plist
      com.apple.AppSupport.plist
      com.apple.apsd.plist
      com.apple.BTServer.airplane.plist
      com.apple.BTServer.plist
      com.apple.carrier.plist -> /System/Library/Carrier Bundles/310410/carrier.plist
      com.apple.commcenter.plist
      com.apple.dataaccess.launchd
      com.apple.GMM.plist
      com.apple.iqagent.plist
      com.apple.itunesstored.plist
      com.apple.locationd.plist
      com.apple.Maps.plist
      com.apple.mobilecal.alarmengine.plist
      com.apple.mobilecal.plist
      com.apple.MobileInternetSharing.plist
      com.apple.mobileipod.plist
      com.apple.mobilemail.plist
      com.apple.mobilenotes.plist
      com.apple.mobilephone.plist
      com.apple.mobilephone.speeddial.plist
      com.apple.mobilesafari.plist
      com.apple.mobileslideshow.plist
      com.apple.MobileSMS.plist
      com.apple.mobile.SyncMigrator.plist
      com.apple.mobiletimer.plist
      com.apple.operator.plist -> /System/Library/Carrier Bundles/310410/carrier.plist
      com.apple.PeoplePicker.plist
      com.apple.persistentconnection.plist
      com.apple.preferences.datetime.plist
      com.apple.preferences.network.plist
      com.apple.Preferences.plist
      com.apple.springboard.plist
      com.apple.voicemail.plist
      com.apple.weather.plist
      com.apple.youtubeframework.plist
      com.apple.youtube.plist
      dataaccessd.plist
    RemoteNotification
      Clients.plist
    Safari
      Bookmarks.plist
      History.plist
      SuspendState.plist
    SMS
      Drafts
        PENDING.draft
          message.plist
      Parts
        02
          03
            3-0.jpg
            3-0-preview
      sms.db
      sms-legacy.db
    Voicemail
      1.amr
      4.amr
      _subscribed
      voicemail.db
    Weather
    WebClips
    WebKit
      Databases
        Databases.db
        http_m.mg.mail.yahoo.com_0
          0000000000000004.db
        http_m.yahoo.com_0
          0000000000000002.db
        https_mail.google.com_0
          0000000000000001.db
        https_mlogin.yahoo.com_0
          0000000000000003.db
      LocalStorage
        http_m.mg.mail.yahoo.com_0.localstorage
        http_m.yahoo.com_0.localstorage
        https_mlogin.yahoo.com_0.localstorage
        http_www.google.com_0.localstorage
    YouTube
  Media
    com.apple.itdbprep.postprocess.lock
    com.apple.itunes.lock_sync
    DCIM
      100APPLE
        IMG_0001.JPG
        IMG_0002.JPG
        IMG_0003.JPG
        IMG_0004.JPG
    Downloads
      manifest.plist
    iTunes_Control
      iTunes
      Music
      Ringtones
    Photos
      Photo Database
      Thumbs
    Podcasts
    Purchases
    Recordings
    Safari
MobileDevice
  ProvisioningProfiles
msgs
preferences
  AeneasCustomFlags.plist
  csidata
  SystemConfiguration
    com.apple.AutoWake.plist
    com.apple.network.identification.plist
    com.apple.wifi.plist
    NetworkInterfaces.plist
    preferences.plist
root
  Library
    Caches
      com.apple.pep.configuration.plist
      locationd
        cache.plist
        cells-local.plist
        cells.plist
        clients-b.plist
        ephemeris
        h-cells.plist
        lto2.dat
        stats.plist
        wifi
    Lockdown
      activation_records
      data_ark.plist
      device_private_key.pem
      device_public_key.pem
      pair_records
    Preferences
      com.apple.locationd.config.plist
run
  asl_input
  configd.pid
  lockbot
  lockdown
    localcomm
    syslog.sock
  mDNSResponder
  pppconfd
  SCHelper
  syslog
  syslog.pid
  utmpx
  vpncontrol.sock
tmp
  DAAccountsLoading.lock
  launchd
    sock
  payloads
vm

Index

Note: Page numbers followed by b indicate boxes, f indicate figures and t indicate tables.

A
Acquisitions
  Apple devices imaging (see Apple devices imaging)
  handling evidence
    network isolation, 111–112
    passcode procedures, 111
    powered-off devices, 112
    precautionary measures, 111
  imaging an iPhone/iPad (see Imaging an iPhone/iPad)
  iPhone forensics overview (see iPhone forensics overview)
Apple developer site
Apple device, 35–37
Apple devices imaging
  Apple TV, 134
  iPad, 133–134
  iPod touch, 134
Apple hacking community, 15
Apple strategy
Apple tutorial sites, 2–3
Application security strategies
  credit card data, 98–100
  passwords, 97–98
  secure socket layer, 100–101
  user names, 97

B
Bookmarks, 214t

C
Calendar, 214t
CDMA devices, 59–60
CellDEK, 279, 281f
  built-in screen and report viewer, 278
  cellphone data extraction device, 275
  forensic acquisition, 278
  forensic extraction, 275
  installation, 276–278
  iTunes and iPhone, 277
  Manage Files, 278
  Secure Erase feature, 275
  Transferred Files, 278–279, 279f
  USB flash drive, 277
  User Files, 279, 280f
CelleBrite UFED
  data types, 221
  forensic acquisition, 222
  installation, 221–222
  physical analyzer
    accuracy results, 227, 228f
    AFC, backup, lockdown Services, 224
    deleted call logs, 225, 226f
    file system dump summary, 225, 226f
    HTML report, 227, 227f
    SQLite databases, 225–227
    XML geotags information, 227, 228f
  SIM card reader and clone, 220
  standard acquisition, 223–224
  USB flash drive or SD card, 221
Commercial tool testing
  analysis methodology, 218–220
  CellDEK (see CellDEK)
  CelleBrite UFED (see CelleBrite UFED)
  data population, 218, 218t
    iPhone, 213–214
    test scenarios, 214, 214t
  EnCase Neutrino (see EnCase Neutrino)
  iPhone analyzer
    browse files and examine files, 287
    forensic acquisition, 287
    installation, 287
    open-source product, 286
  Lantern (see Lantern)
  MLP (see MacLock Pick)
  Mobilyze (see Mobilyze)
  MSB (see MobileSyncBrowser)
  Oxygen Forensic Suite 2010 (see Oxygen Forensic Suite 2010)
  Paraben device seizure (see Paraben device seizure)
  XRY (see XRY)
  Zdziarski technique (see Zdziarski technique)
Computer Forensics Tool Testing (CFTT) Project, 219–220
Configuration files, 214t
Cookies, 214t
Cydia

D
Data and application analysis
  analysis techniques
    download, compile, and install TSK, 147–148
    file carving (see File carving)
    file permissions, 151t
    file system metadata, 146
    "fls" tool, 147, 149t
    forensic analysis (see Forensic analysis)
    forensic timeline, build, 146
    MACB, definition, 150–151
    MAC/MACB, 146
    mactime options, 150t
    "mactime" script, 147
    mount disk image, 137–138
    Sleuth Kit (TSK), 147
    strings, 144–146
    timeline analysis, 150–153
    usage, timeline creation, 148–150
  iPhone application analysis and reference (see iPhone application analysis and reference)
  iPhone data storage locations (see iPhone data storage locations)
Data security assessment and methodology
  activation and data population process, 88
  data analysis
    at rest, 88–89
    in transit, 89–91
Data storage
  applications, 56–57, 57f
  info.plist, 57–59
  internal storage
    CDMA devices, 59–60
    internal NAND Flash memory, 59–60
  iTunes Artwork, 57–59
  iTunesMetadata.plist, 57–59
  jail-broken phone, 56
  library folder, 57
  mobile directory, 56–57
  network, 65
  private/var/mobile/ path, 56–57
  property lists
    ASCII format conversion, 63–64
    bookmarks, 65
    Cocoa Foundation, 62–63
    com.apple.Maps.plist file, 62–63
    Core Foundation, 62–63
    data types, 64, 64t
    digital forensics, 65
    favorites, 65
    iOS devices, 62–63
    property list utility, 63–64
    Safari web history, 65
    TextWrangler, 62–63
    XML to binary conversion, 63–64
    YouTube data, 65
  SQLite database files
    single cross-platform file, 61
    SMS database structure, 61–62, 61f
    SQLite Database Browser, 62
  tmp folder, 57
  Wi-Fi, 56
  yahoo applications, 57–59
Device failsafe utility (DFU) mode
  Device Firmware Upgrade, 37
  lsusb command, 39–41
  System Profiler, 38, 39, 39f
  terminal window, 39, 39f
Device features and functions
  Apple device, 35–37
  iTunes interaction (see iTunes interaction)
  operating modes
    DFU (see Device failsafe utility)
    exiting recovery, 41–42
    normal, 37
    recovery, 37
  security
    App security, 44
    device settings, 42–43
    secure erase, 43–44
Digital Millennium Copyright Act (DMCA), 14–15
DiskImageMounter, 293

E
Email, 214t
EnCase Neutrino, 285, 286f
  deleted notes, 282–284, 285f
  forensic acquisition, 282
  installation, 281–282
  keyword prescription, 282–284, 284f
  MediaDomain folder, 284
  mobile devices and Smartphone operating systems, 280
  plist and SQLite database files, 284–285
  SMS Messages, 282, 284f
Epoch Converter Website, 293

F
Facebook
  analyst notes, 201–202
  file system layout, 201–202
  friends.db, databases/plists, 201–202
File and data types
  Disk Image File, 293
  Mac OS X Epoch Timestamps, 293
  plists, 293
  SQLite database, 293
  Unix Epoch Timestamps, 293
File carving
  "amr" file, 139–140
  binary data extraction, 138
  data carving tool, 139
  file fragmentation, 138
  files recovered through scalpel, 144t
  installing Scalpel, 140–142
  scalpel tool, 140
  SmartCarving technique, 138–139
  usage, 142–144
Forensic analysis
  CFAbsoluteTimeConverter, 159f
  hex editor, 153
  logical acquisition/logical file system analysis, 153
  Mac command, 158–159
  OSX-Epoch timestamp, 159
  pipe ("|") operator, 154–155
  SQLite Database Browser, 155–156
  SQLite file, 154
  sqlite3 sessions, 156–157
Forensic examination approaches
  iPhone 3G device, 10
  iPhone leveling (see iPhone leveling)
  Linux (see Linux)
  NIST, 10
Forensic Image, 230, 231f

G
Global Position System (GPS), 55, 214t
  bluetooth connections, 59
  Wi-Fi, 59
Google Maps, 172, 214t

H
HTML, 214t

I
Imaging an iPhone/iPad
  acquisition - iXAM
  acquisition - jailbroken device, 129b
  acquisition - Zdziarski technique
    automated tools, 124
    connect the device, 124–125
    imaging process, 125–126
    post-acquisition steps, 126–127
    set up the automated tools, 125
  backup acquisition, 112–119
    Elcomsoft iPhone password breaker testing, 118–119
    encrypted, 115–119
    iPhone password breaker exercise, 115–118
    tools, 112
    unencrypted, 113–115
  high-level steps, 129
  iPhone remote connection, 130–132
  logical acquisition, 119–120
  physical acquisition, 120–133
    FTS's iXAM software, 121
    hardware encryption, 120–121
    install appropriate iTunes version, 122–124
    iPhone security mechanisms, 120
    jail-broken device, 121
    locate model and firmware version, 121–122
    physical bit-by-bit copy, file, 120
    Zdziarski method, 121
  post-acquisition steps, 133
  wireless network creation, 129–130
Internal NAND Flash memory, 59–60
iOS simulator, 3–4, 4f
iPad, 133–134
iPhone
  data storage (see Data storage)
  default application data, 55
  disk partitions
    Rdisk0s1, 76
    Rdisk0s2, 76
    Slice 1, 76
    Slice 2, 75
    system/firmware partition, 75
  downloaded application data, 55
  file system
    Brian Carrier's Sleuth Kit, 71–72
    disk utility program, 73–74
    HFS Plus, 71
    HFS vs HFS Plus, 71, 71t
    Mac computers, 71
  general device settings, 55
  GPS, 55
    bluetooth connections, 59
    Wi-Fi, 59
  iTunes App Store, 55
  jail-broken phone, 55
  journaling, 74–75
  memory types
    NAND Flash (see NAND Flash)
    RAM, 65–66
  mobile forensic analysis, 55
  operating system
    iOS layers, 70–71
    Mac OS X, 70–71
  synchronized data, 55
  volumes
    allocation file, 74
    attribute files, 74
    catalog file, 74
    extents overflow file, 74
    header/alternate volume header, 74
iPhone and iPad data security
  application security
    business apps, 93
    chief security officer, 93
    CIAC, 94
    GPS location, 93–94
    mobile app consumers (see Mobile app consumers)
    mobile app developers (see Mobile app developers)
    personal or company-sensitive information, 94
    strategies (see Application security strategies)
    third-party applications, 93–94
  data protection
    four-digit PIN, 82
    iPhone configuration utility - creating a profile, 83f
    iPhone configuration utility - restrictions, 84f
    OTA settings, 83–85
    passcode policy configurations, 82f
    signing profile, 85
    VPN and Wi-Fi settings, 83
  data security and testing, 80–93
  device and application security
    data encryption, 101–102
    security information, 103
  security testing procedure, 85–93
    data population, 85–93
    data security assessment and methodology (see Data security assessment and methodology)
    findings, 85–93
    forensic imaging, 85–93
  United States computer crime laws
    CFAA, 80
    collecting communication metadata, 81
    CSEA, 81
    DMCA, 81
    ECPA, 81
    regulations, 81
    Stored Communication Act, 81
iPhone application analysis and reference
  analyst notes, 179–180
  calendar, 180–181
    calendar.sqlitedb, databases/plists, 181
  call history
    analyst notes, 182–183
    databases/plists, 182
    file system layout, 182
  databases/plists, 179
  default applications, 178–201
  Dropbox
    analyst notes, 206, 207–208
    databases/plists, com.getdropbox.Dropbox plist, 206, 207
    databases/plists, Dropbox.sqlite, 206, 207
    file system layout, 206
  Facebook
    analyst notes, 201–202
    file system layout, 201–202
    friends.db, databases/plists, 201–202
  file system layout, 179
  geographical info
    analyst notes, 198, 201
    cache.plist, 198, 199–200
    cells.plist, 198, 200–201
    consolidated.db, 198, 199
    file system layout, 198–199
  Groupon
    analyst notes, 202, 204
    file system layout, 202
    myGroupons.plist, 202, 203
    userInfo.plist, 202, 203–204
  Kik messenger
    analyst notes, 205, 206
    com.kik.chat.plist, 205–206
    file system layout, 205
    kik.sqlite, 205
  mail
    analyst notes, 187–188
    databases.db, 185
    file system layout, 184–185
    http_m.mg.mail.yahoo.com_0, 185–186
    https_mail.google.com_0, 186–187
    keychain-2.db, 185
  maps
    analyst notes, 189–190
    file system layout, 189
  Mint.com
    analyst notes, 208, 209
    databases/plists, mint_gala.db, 208–209
    file system layout, 208
  notes
    analyst notes, 190–191
    databases/plists, notes.db, 190
    file system layout, 190
  photos/videos
    analyst notes, 195–197
    file system layout, 195–196
    photos.sqlite, 195–196
  SMS, 178–180
  third-party (downloaded) applications, 201–210
  third-party apps analysis, 178
  user account info
    analyst notes, 197–198
    file system layout, 197
    keychain-2.db, 197
  user dictionary/keyboard
    analyst notes, 183–184
    file system layout, 183
  voicemail
    analyst notes, 194
    database/plists, voicemail.db, 194
    file system layout, 193
  Web browsing
    analyst notes, 193
    bookmarks.plist/bookmarks.db, 191–192
    file system layout, 191
    history.plist, 192–193
    suspendstate.plist, 193
  Windows Live Messenger
    analyst notes, 209, 210
    databases/plists, 209
    file system layout, 209
  YouTube
    analyst notes, 195
    file system layout, 194, 195
    com.apple.youtube.plist, 195
iPhone data storage locations
  calendar.sqlitedb - database structure, 163f
  calendar.sqlitedb - event table, 164f
  default applications, 160–167
  directory structure, 159
  downloaded apps
    applications folder, directory creation, 168
    "AroundMe" app, 168–170
    document folder, 170
    library folder, 170
    tmp folder, 170
  geographical location data
    cache.plist, 174–175
    consolidated.db - CellLocation table, 172f
    consolidated.db - WifiLocation table, 171, 171f
    Google Maps, 172
    GPS and WiFi data, 170, 171
    latitude and longitude conversion - Google Maps, 172f
    "locationd" folder, 173–174
    paired devices, 177–178
    snapshots, 176–177
    user names and passwords, 175–176
    WiFiLocation table, 173
  on-board camera, 167
  "tree" output, 167
iPhone file system, 295–301
iPhone forensics overview
  disk or memory acquisition, 107
  holy grail, 107
  investigation types, 108
  logical vs physical techniques, 109
  target device modification
    direct interaction, 110
    guiding principles, forensic investigation, 109
    issue guidelines, 110
    leveraging encryption, 109–110
    power and functionality, 109
iPhone leveling
  acquisition types
    backup, 13
    logical, 13
    nontraditional, 14–15
    physical, 13–14
  chip-off, 12
  classification tool, 10–11, 11f
  hex dump, 12
  logical extraction, 11
  manual extraction, 11
  micro read, 12
iPhone models
  CDMA cellular protocols
  iOS versions, 5, 5t
  iPhone hardware
    baseband version, 7, 8f
    3G(s) hardware components, 5, 6t
    iPhone tear-down image, 8, 9f
    Samsung CPU, 5–7
  NAND Flash memory, specifications and features, 5, 6t
iPhone simulator and Xcode files, 3, 3f
iPod Classic, 36
iPod Nano, 36
iPod Shuffle, 36
iPod Touch, 36, 134
iTunes backup location, 291–292
iTunes interaction
  device synchronization, 44–45
  downgrade
    App Store, 52
    exit recovery mode, 51
    hosts file, 48–51, 50f
    iOS version, 47
    iPhone software file, 47
    MobileMe, 52
    restore ipsw file, 51
    SHSH blobs, 47, 48, 49f
  iPhone backups, 45–46
  iPhone iOS updates, 46
  iPhone restore, 46
  upgrade, 46–47
iXAM®
  accuracy results, 233, 234f
  Apple iPhone™ and iPod Touch™, 228
  deleted SMS messages, 233
  forensic acquisition, 229–230
  installation, 229
  iXAMiner main screen, 231, 232f
  NIST, 229
  recovered E-mails, 233f
  scalpel, 252
  speed dials/favorites, 231, 232f
  standard acquisition, 230–231
  zero-footprint forensic acquisition, 228

J
Jailbreaking, 14, 14b

K
Kik messenger
  analyst notes, 205, 206
  com.kik.chat.plist, 205–206
  file system layout, 205
  kik.sqlite, 205

L
Lantern, 251, 252f
  Artifact Root Directory, 249, 250f
  data categorized, 248–249
  Deleted folder, 249–250, 250f
  forensic acquisition, 248
  Info section, 249f
  installation, 248
  Internet History and Bookmarks, 250
  Katana Forensics, 245
  SMS and MMS message, 250
  SQLite deleted data and BlackBerry monitoring programs, 247
  Voicemail, 249–250, 250f
Linux
  basic commands, 17
    apt-get description, 25
    cat description, 23
    cd description, 20
    chmod description, 24
    chown description, 25
    find description, 24
    grep description, 26
    help description, 19
    ls description, 22
    less description, 23
    man description, 17
    mkdir description, 20
    pico/nano description, 21
    piping and redirecting files description, 26
    rmdir/rm description, 20
    sudo description, 25
    tree description, 22
    xxd description, 27
  file types, 16–17
  operating system, 15–16
  tools, 30–32
  virtual machine (VM)
    IP address, 30
    Oracle VM VirtualBox, 28, 29f
    remote desktop protocol (RDP), 30
    VBoxHeadless session, 30
    VirtualBox, 28
    Windows or Mac environments, 15
Linux forensics tools, 30b

M
MacLock Pick, 255, 256f
  forensic acquisition, 254
  installation, 253–254
  MacLockPick Reader, 254, 254f
  MDBACKUP files, 251
  USB device, 251
  user interface, 254–255, 255f
Mail
  analyst notes, 187–188
  databases.db, 185
  file system layout, 184–185
  http_m.mg.mail.yahoo.com_0, 185–186
  https_mail.google.com_0, 186–187
  keychain-2.db, 185
Maps
  analyst notes, 189–190
  file system layout, 189
Mint.com
  analyst notes, 208, 209
  databases/plists, mint_gala.db, 208–209
  file system layout, 208
Mobile app consumers
  additional security tests, 95
  applications, 95
  appWatchdog, 94–95
  CIAC bulletin, 96
  forensic techniques, 95
  lost or stolen device, 95–96
  remote wiping, 94
  securely stores application data on the device, 95
  securely stores credit card information, 95
  securely stores passwords, 95
  securely stores user names, 95
Mobile app developers, security evaluation, 96–97
Mobile devices
MOBILedit, 219–220, 220t
MobileSyncBrowser (MSB), 275, 277f
  deleted note, 274, 275f
  Documents and Media folder, 275
  forensic acquisition, 273–274
  installation, 273
  iPhone data, 274, 274f
  iTunes backups, 272
  Library folder, 275
  Microsoft Outlook, 275
  Photos and Other Files, 275
  user-friendly window, 274
Mobilyze, 260, 261f
  acquired Data, 258, 259f
  Applications icon, 257, 258f
  call logs and voicemails, 257–258
  Device Info, 257
  forensic acquisition, 257
  forensically analyze, 255
  installation, 257
  photos and videos, 257
  SMS and MMS messages, 257
  tag selection for report, 260, 260f
Multimedia Message Service (MMS), 214t

N
National Institute of Standards and Technology (NIST), 10, 229
Notes
  analyst notes, 190–191
  databases/plists, notes.db, 190
  file system layout, 190

O
Oxygen Forensic Suite 2010, 239, 241f
  Browser Cache Files, 239
  current software version, 235
  Device Info section, 237–238, 237f
  Event Log, 238
  extraction time and hash algorithm, 238
  File Browser, 238, 239f
  forensic acquisition, 236–237
  installation, 236
  mobile device information analysis, 235
  mobile forensic software, 234
  Notes, 238
  Search functionality, 238
  SMS and MMS messages, 238
  standard acquisition, 237
  Wi-Fi connection, 239

P
Paraben device seizure, 272, 273f
  cell phones, 267
  deleted Call History, 269, 271f
  Device Seizure, 269
  forensic acquisition, 268–269
  forensic software tool, 266
  installation, 268
  Parsed Data folder, 269, 270f
  PDF report, 270, 272f
  report wizard, 270, 271f
Passwords, 214t
Personal data assistant (PDA)
Phone Information, 214t
Photos/videos
  analyst notes, 195–197
  file system layout, 195–196
  photos.sqlite, 195–196

S
Safari web history, 65
Short Message Service (SMS), 178–180, 214t
SmartCarving technique, 138–139
Software development kit (SDK)
Speed Dials, 214t
SQLite Database Browser, 293

T
Tiny Umbrella, 48, 49f

V
Voicemail
  analyst notes, 194
  database/plists, voicemail.db, 194
  file system layout, 193

W
Web browsing
  analyst notes, 193
  bookmarks.plist/bookmarks.db, 191–192
  file system layout, 191
  history.plist, 192–193
  suspendstate.plist, 193
Web History, 214t
Wi-Fi, 214t
Windows Live Messenger
  analyst notes, 209, 210
  databases/plists, 209
  file system layout, 209

X
XRY forensic tool, 245, 247f
  calendar events, 243, 245f
  calls section displays, 243
  Device Manual, 241
  forensic acquisition, 242
  General Information icon, 242, 244f
  installation, 242
  log file, 245, 246f
  logical and physical, 239, 241
  Micro Systemation (MSAB), 239
  Notes, 243, 245f
  options menu, 243–244, 246f
  pictures and videos, 244
  SMS and MMS messages, 243–244
  version 5.1, Forensic Pack, 242
  XACT Hex Viewer application, 242
  xry file, 242

Y
YouTube, 214t
  analyst notes, 195
  file system layout, 194, 195
  com.apple.youtube.plist, 195

Z
Zdziarski technique, 264, 267f
  automated tools set up, 125
  connect the device, 124–125
  deleted photo, 264, 266f
  desktop boot sequence, 262
  forensic acquisition, 263
  holy grail, 261–262
  imaging process, 125–126
  installation, 263
  iPhone platform, 260
  jailbreaking hacking technique, 262–263
  jailbreaking methods, 262
  Linux forensic workstation, 263
  NerveGas, 260
  Plist files, 264
  post-acquisition steps, 126–127
  procedure, 262
  run strings, 264
  scalpel output, 264, 265f
  SQLite databases, 264
  user pass code, 262

http://viaforensics.com/education/iphone-ios-forensics-mobile-security-book/

About the Authors

Andrew Hoog is a computer scientist, certified forensic analyst (GCFA and CCE), computer and mobile forensics
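The Appendix C listing shows where the artifacts of interest live under /private/var/mobile/Library (sms.db, call_history.db, AddressBook.sqlitedb, Safari's History.plist, the Keyboard cache), and the index points to Appendix B for the Mac OS X versus Unix epoch timestamps those files use. The following is an added example, not code from the book or from viaForensics: a Python triage script that inventories and hashes the known artifacts in a Library tree, opens sms.db read-only (the book's principle of not modifying the target), reads a binary History.plist with the same parser as an XML one, and normalises the timestamp encodings. The artifact paths come from Appendix C; the category labels, the flags-to-direction mapping, the History.plist key names and the magnitude-based timestamp heuristic are this example's own assumptions, and the sample tree it builds is constructed data.

```python
import hashlib
import os
import pathlib
import plistlib
import sqlite3
import tempfile
from datetime import datetime, timezone

# Seconds between the Unix epoch (1970-01-01) and the Mac/CF absolute-time epoch (2001-01-01).
MAC_EPOCH_OFFSET = 978307200

# Paths from the Appendix C listing, relative to mobile/Library; the labels are this example's own.
KNOWN_ARTIFACTS = {
    "SMS/sms.db": "SMS/MMS messages",
    "CallHistory/call_history.db": "call history",
    "AddressBook/AddressBook.sqlitedb": "contacts",
    "Calendar/Calendar.sqlitedb": "calendar events",
    "Voicemail/voicemail.db": "voicemail metadata",
    "Safari/History.plist": "Safari history",
    "Keyboard/dynamic-text.dat": "keyboard cache (typed text)",
}


def normalize_timestamp(value):
    """Return an aware UTC datetime for a raw iOS timestamp.
    Heuristic (this example's assumption, not a rule from the book): iOS stores times as
    Unix seconds, Mac absolute seconds (since 2001) or Mac absolute nanoseconds, and the
    magnitude separates the three for any date between 2001 and 2032."""
    value = float(value)
    if value > 1e17:                      # nanoseconds since 2001
        value = value / 1e9 + MAC_EPOCH_OFFSET
    elif value < 1e9:                     # seconds since 2001 (CFAbsoluteTime)
        value = value + MAC_EPOCH_OFFSET
    return datetime.fromtimestamp(value, tz=timezone.utc)   # else: Unix seconds as-is


def sha256_file(path):
    """Hash an evidence file in chunks so a large database need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage_library(library_root):
    """Inventory every known artifact under mobile/Library with its size and hash,
    so there is a record of each file before any parser touches it."""
    found = []
    for dirpath, _dirs, files in os.walk(library_root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, library_root).replace(os.sep, "/")
            if rel in KNOWN_ARTIFACTS:
                found.append({"path": rel, "category": KNOWN_ARTIFACTS[rel],
                              "size": os.path.getsize(full), "sha256": sha256_file(full)})
    return sorted(found, key=lambda row: row["path"])


def read_sms(db_path):
    """Read sms.db through a read-only URI so the evidence copy is never modified.
    Rows are sorted after normalisation: sorting on the raw column is wrong if the
    encodings are mixed. flags 2 = received, 3 = sent is assumed (pre-iOS 6 layout)."""
    con = sqlite3.connect(pathlib.Path(db_path).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        rows = con.execute("SELECT address, date, text, flags FROM message").fetchall()
    finally:
        con.close()
    msgs = [{"address": a, "time": normalize_timestamp(d), "text": t,
             "direction": "sent" if f == 3 else "received"} for a, d, t, f in rows]
    msgs.sort(key=lambda m: m["time"])
    for m in msgs:
        m["time"] = m["time"].isoformat()
    return msgs


def read_safari_history(plist_path):
    """plistlib reads XML and binary plists alike, so one parser covers both forms.
    Key names follow the old History.plist layout (URL under an empty key); assumed."""
    with open(plist_path, "rb") as fh:
        data = plistlib.load(fh)
    return [{"url": e[""], "title": e.get("title", ""),
             "time": normalize_timestamp(e["lastVisitedDate"]).isoformat()}
            for e in data.get("WebHistoryDates", [])]


def build_sample_library(root=None):
    """Constructed sample data: a tiny mobile/Library tree with an sms.db and a binary
    History.plist. The two message rows deliberately use different encodings."""
    root = root or tempfile.mkdtemp(prefix="ios_library_")
    sms_path = os.path.join(root, "SMS", "sms.db")
    hist_path = os.path.join(root, "Safari", "History.plist")
    os.makedirs(os.path.dirname(sms_path), exist_ok=True)
    os.makedirs(os.path.dirname(hist_path), exist_ok=True)
    con = sqlite3.connect(sms_path)
    con.execute("CREATE TABLE message (ROWID INTEGER PRIMARY KEY, address TEXT, "
                "date INTEGER, text TEXT, flags INTEGER)")
    con.executemany("INSERT INTO message (address, date, text, flags) VALUES (?,?,?,?)", [
        ("+15555550100", 1300000000, "meet at 9?", 2),        # Unix seconds
        ("+15555550100", 321692860, "ok, see you there", 3),  # Mac absolute seconds, 60 s later
    ])
    con.commit()
    con.close()
    history = {"WebHistoryDates": [
        {"": "https://example.com/", "title": "Example", "lastVisitedDate": "321692800.0"}]}
    with open(hist_path, "wb") as fh:
        plistlib.dump(history, fh, fmt=plistlib.FMT_BINARY)
    return {"root": root, "sms": sms_path, "history": hist_path}
```

Run it by calling build_sample_library() and passing the returned paths to triage_library, read_sms and read_safari_history; on a real acquisition point triage_library at the mounted image's private/var/mobile/Library instead. A real sms.db uses a single encoding for its date column, so the mixed rows in the sample exist only to exercise the heuristic; the design point is that the hash inventory is taken before parsing and that the database is opened with mode=ro rather than trusting the parser not to write.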

Posted: 31/05/2014, 01:10


Table of contents

  • Front Cover

  • iPhone and iOS Forensics: Investigation, Analysis and Mobile Security for Apple iPhone, iPad, and iOS Devices

  • Copyright

  • Contents

  • Acknowledgments

  • Preface

  • About the Authors

  • About the Technical Editor

  • Chapter 1: Overview

    • Introduction

      • Strategy

      • Development community

      • iPhone models

        • iPhone hardware

      • Forensic examination approaches

        • iPhone leveling

        • Acquisition types

        • Forensics with Linux

    • Summary

    • References

  • Chapter 2: Device Features and Functions

    • Introduction

    • Apple device overview

    • Operating modes

      • Normal mode

      • Recovery mode
