Transcription of iOS Forensic Investigative Methods - Zdziarski
1 _____. iOS Forensic Investigative Methods Jonathan Zdziarski TECHNICAL DRAFT 5/13/12 9:50:38 AM. FOREWORD 11 FROM THE book IPHONE FORENSICS 11 PREFACE 13 AUDIENCE 14 ONLINE FILE REPOSITORY 14 ACKNOWLEDGMENTS 15 ORGANIZATION OF THE MATERIAL 15 CONVENTIONS USED IN THIS DOCUMENT 15 LINE BREAKS 16 LEGAL DISCLAIMER 16 CHAPTER 1 18 INTRODUCTION TO COMPUTER FORENSICS 18 MAKING YOUR SEARCH LEGAL 19 BUILDING A CORPORATE POLICY 19 RULES OF EVIDENCE 20 GOOD Forensic PRACTICES 22 Secure the Evidence 22 Preserve the Evidence 23 Document the Evidence 24 Document All Changes 24 2 TECHNICAL DRAFT DO NOT DISTRIBUTE. Establish an Investigation Checklist 24 Be Detailed 24 TECHNICAL PROCESSES 24 CHAPTER 2 27 INTRODUCTION TO THE IPHONE 27 SOUND FORENSICS VS. JAIL- BREAKING 30 WHAT'S STORED 31 EQUIPMENT YOU'LL NEED 32 HARDWARE IDENTIFICATION 33 SOFTWARE IDENTIFICATION 33 Software Identification Using iRecovery 34 DISK LAYOUT 36 COMMUNICATION 36 UPGRADING ANCIENT IPHONE FIRMWARE 37 RESTORE MODE AND INTEGRITY OF EVIDENCE 38 CROSS- CONTAMINATION AND SYNCING 39 The Takeaway 40 CHAPTER 3 42 Forensic RECOVERY 42 DFU AND RECOVERY MODE 43 AUTOMATED LAW ENFORCEMENT TOOLS 45 3 TECHNICAL DRAFT DO NOT DISTRIBUTE.
2 Setting Up The Automated Tools 45 Running Scripts 46 Setting Up A New Module 46 Using A Platform- Specific Module 47 Using the Multiplatform Module 49 RECOVERY FOR FIRMWARE , IPHONE (FIRST GEN) 53 What You'll Need 53 Step 1: Dock the iPhone and Launch iTunes 53 Step 2: Launch iLiberty+ and Verify Connectivity 54 Step 3: Activate the Forensic Recovery Agent Payload 55 Step 4: Institute the Recovery Agent 56 Circumventing Passcode Protection 57 CHAPTER 4 59 DATA CARVING 59 MAKING COMMERCIAL TOOLS COMPATIBLE 59 PROGRAMMABLE CARVING WITH SCALPEL/FOREMOST 60 Configuration for iPhone Recovery 61 Building Rules 63 Scanning with Foremost/Scalpel 63 AUTOMATED DATA CARVING WITH PHOTOREC 64 VALIDATING IMAGES WITH IMAGEMAGICK 65 STRINGS DUMP 66 Extracting Strings 66 THE TAKEAWAY 66 4 TECHNICAL DRAFT DO NOT DISTRIBUTE.
3 CHAPTER 5 68 ELECTRONIC DISCOVERY 68 CONVERTING TIMESTAMPS 68 Unix Timestamps 68 Mac Absolute Time 68 MOUNTING THE DISK IMAGE 69 Extracting File System Archives 69 Disk Analysis Software 69 GRAPHICAL FILE NAVIGATION 70 EXTRACTING IMAGE GEO- TAGS 71 SQLITE DATABASES 73 Connecting to a Database 73 SQLite Built- in Commands 73 Issuing SQL Queries 74 Important Database Files 74 Address book Contacts 75 Address book Images 76 Google Maps Data 77 Calendar Events 82 Call History 82 Email Database 83 Consolidated GPS Cache 83 Notes 84 Photo Metadata 85 SMS Messages 85 5 TECHNICAL DRAFT DO NOT DISTRIBUTE. Safari Bookmarks 86 SMS Spotlight Cache 86 Safari Web Caches 86 Web Application Cache 86 WebKit Storage 86 Voicemail 87 REVERSE ENGINEERING REMNANT DATABASE FIELDS 87 SMS DRAFTS 88 PROPERTY LISTS 89 Important Property List Files 89 OTHER IMPORTANT FILES 93 CHAPTER 6 96 DESKTOP TRACE 96 PROVING TRUSTED PAIRING RELATIONSHIPS 96 Pairing Records 97 SERIAL NUMBER RECORDS 98 Mac OS X 99 Windows XP 99 Windows Vista 99 Backup Manifests 99 DEVICE BACKUPS 100 Extracting iTunes 8 Backups (mdbackup) 101 Extracting iTunes Backups (mdinfo, mddata) 103 Extracting iTunes and 9 backups (mdinfo, mddata) 104 6 TECHNICAL DRAFT DO NOT DISTRIBUTE.
4 Extracting iTunes 10 Backups (Manifest mbdb, mbdx) 105 Decrypting iTunes 10 Backups 109 IPHONE BACKUP EXTRACTOR 110 IPHONE BACKUP BROWSER 110 ACTIVATION RECORDS 111 CHAPTER 7 114 CASE HELP 114 EMPLOYEE SUSPECTED OF INAPPROPRIATE COMMUNICATION 114 Live Filesystem 114 Data Carving 116 Strings Dumps 116 Desktop Trace 116 EMPLOYEE DESTROYED IMPORTANT DATA 116 SEIZED IPHONE: WHOSE IS IT AND WHERE IS HE? 117 Who? 117 What? 118 When and Where? 118 How Can I Be Sure? 118 APPENDIX A 120 DISCLOSURES AND SOURCE CODE 120 POWER- ON DEVICE MODIFICATIONS (DISCLOSURE) 120 ADDITIONAL TECHNICAL PROCEDURES [ ] 121 Unsigned RAM Disks 121 7 TECHNICAL DRAFT DO NOT DISTRIBUTE. Source Code Examples 122 LIVE RECOVERY AGENT SOURCES 124 SOURCES FOR 3G[S] CODE INJECTION (INJECTPURPLE) 126 APPENDIX B 130 LEGACY Methods 130 RECOVERY FOR FIRMWARE , IPHONE 2G/3G, LIVE AGENT 131 What You'll Need 131 Preparing Tools 131 Step 1: Download and Patch Apple's iPhone Firmware 132 Step 2: Option 1: Download a Prepared RAM Disk 134 Step 2, Option 2: Prepare a Custom RAM Disk 135 Step 3: Execute the RAM Disk 137 Step 4: Boot the device with an unsigned kernel 139 RECOVERY OF FIRMWARE , IPHONE 3G[S], LIVE AGENT 142 What You'll Need 142 Preparing Tools 142 Step 1: Download and Patch Apple's iPhone Firmware 143 Step 2: Download a Prepared RAM Disk 144 Step 3: Execute the RAM Disk 144 Step 4.
5 Boot the device with an unsigned kernel 144 RECOVERY OF FIRMWARE , IPHONE 3G[S], LIVE AGENT 146 What You'll Need 146 Preparing Tools 146 Step 1: Download and Patch Apple's iPhone Firmware 147 8 TECHNICAL DRAFT DO NOT DISTRIBUTE. Step 2: Download a Prepared RAM Disk 147 Step 3: Execute the RAM Disk 148 Step 4: Boot the device with an unsigned kernel 148 REPAIRING FIRMWARE AND , IPHONE 2G/3G 150 What You'll Need 150 Step 1: Download and Patch Apple's iPhone Firmware 150 Step 2: Customize the Repair Firmware 153 Step 3: Execute the Repair Firmware Bundle 156 INDEX 158 CHANGE LOG 163 9 TECHNICAL DRAFT DO NOT DISTRIBUTE. 10 TECHNICAL DRAFT DO NOT DISTRIBUTE. Foreword From the book iPhone Forensics The iPhone is a very useful tool, but you should be aware of some very important things. This book will shed some light about just how private a device like the iPhone really is.
6 The iPhone is essentially a full-fledged computer, running a slimmed down version of the Unix operating system and Apple's Leopard. Like most mainstream operating systems, deleting a file only deletes the reference to the data, and not the actual data. This is why data recovery programs work. For the iPhone, the same is also true, but in addition, the amount of data stored on the iPhone extends far beyond what is perceived to be stored on it or what is accessible through its user interface. This data is, however, accessible with the tools and procedures outlined in this book . A criminal might attempt to delete all of the data he thinks exists on the phone but, in most cases, will have only made it inaccessible to the average person. A. criminal might also think simple security, such as a passcode, will safeguard self-incriminating evidence from the police.
7 As you'll see, this too only keeps the average person out. Fortunately for you, if you are reading this book , you are not an average person. My opinion on crime is this: any self-respecting criminal is likely to use a desktop computer with encryption or other tools to hide his dirty deeds. With strong encryption, new laws such as the Foreign Intelligence Surveillance Act which gives the Government unfettered access to our private email, text messages, and voice conversations can be rendered useless. Good encryption is effective, even against government bodies, but involves time and know-how. Fortunately, it's easy to catch a criminal with his pants down, unless he is very careful. However, in my opinion, the list of criminals that can effectively use encryption, or other technical means of hiding their communication, is a very small list.
8 Therefore, this book is going to help you catch most everyone else. With respect to the few who do outsmart the government, it can be more important to monitor endpoints of communication than the actual communication itself that is, who is associated with who. Should a criminal's contacts be exposed, law enforcement officials can trace the date, time, and phone numbers back to actual people, easily cross-indexed with the massive databases our governments no doubt keeps. If a criminal is using an iPhone, she's already compromised her operation on some level. Computer security is a never-ending war between those who desire to hide information and those who work to expose it. There's no telling who is winning, but this book can help tip the scales in favor of the good guys. The detailed content of this book will appeal to various types of readers.
9 Although it has its roots in police forensics (having been distributed to hundreds of law enforcement agencies prior to being published), this book will also prove very useful to computer security professionals and anyone seeking a deeper understanding of how the iPhone works. It comes highly recommended to have this book in anyone's library. Cap'n Crunch 11 TECHNICAL DRAFT DO NOT DISTRIBUTE. 12 TECHNICAL DRAFT DO NOT DISTRIBUTE. Preface The iPhone and iPad have quickly become mobile market leaders in the United States and other countries, finding their way into the corporate world and the everyday lives of millions of end users. Their wide range of functionality, combined with a mobile, always on design, has allowed them to be used as a functional mobile office - an acceptable temporary replacement for a traditional desktop computer.
10 The cost of productivity, however, is the danger of storing sensitive data on such a device. Any given device is likely to contain sensitive information belonging to its owner, and some types of information that may belong to others corporate email, documents, and photos, to name a few. As the dark side of such versatile devices becomes more evident, so does a need to recover personal information from them. Problem employees engage in activities that put the company at risk, sometimes leaving an evidence trail on corporately owned equipment. The use of digital forensics has become an effective tool in conducting investigations and evaluating what activities a suspect employee has engaged in. Recovering deleted email, SMS, and other digital evidence can expose an employee who is stealing from the company, having an affair at work, or committing other acts that a corporation may need to investigate.
