All posts by Heather Mahalik

A glimpse of iOS 10 from a smartphone forensic perspective

I immediately installed and started using iOS 10.0.1 when the full release was available. For this testing, I used my non-jailbroken iPhone 6S and iTunes 12.4.2.4 with the addition of free and commercial tools. My intention is to share my initial thoughts on what is different in iOS 10 and what to expect when you see a device running this version. For more in depth details, analysis tips and tricks on iOS, refer to for585.com/course.

I expected major artifact location changes in iOS 10.  I based this assumption on the fact that iOS 7 to iOS 8 was drastic in artifact changes. Nothing really changed when we upgraded to iOS 9, so I assumed… I’m happy to report that upon my initial research, I haven’t found drastic changes for most files of interest. I plan to keep digging here, just to be sure. As capabilities increase, we know that log files and usage artifacts are left on the device. These need to be researched further.

One major change I have noticed is with the structure of the iOS device backup. Below is an example of the new file structure.

[Image: backup_structure]

A few things of interest:

  1. The Manifest.mbdb is now a SQLite database file – Manifest.db
  2. Instead of seeing all of the files or “strings of letters” representing backup file contents, you now have folders containing these files, as shown above in the boxed area.

Once I had my backup, I started digging through the files and panicked! Everything of interest appeared to be encrypted. This includes simple things like contacts, call logs, SMS and locations pulled from Apple maps. I frantically sent a Tweet seeing if this is what others were seeing and heard nothing. My tools all flopped. After the panic subsided, I decided to launch iTunes and take a look at my settings. Here is what I saw… The pesky box to Encrypt iPhone backup was checked even though I have been backing up to iCloud for as long as I can remember. Good thing I remembered the password.

[Image: itunes_issue]

I was confused by this for several reasons. One, most of the commercial tools prompt you to enter a backup password and decode the data when this setting is enabled. Also, encrypting a backup and knowing the password provides us additional access to data – not blocks us from it!  What could be going wrong? Could it be examiner error? Next, I did what most examiners would do and attempted to force my tools to parse this image. I launched UFED Physical Analyzer, IEF and BlackLight and entered the password (don’t worry, my passwords are much stronger than this, but I used a “dummy” one for this example.)

[Image: ufed-pw_prompt]

To my surprise, all of the databases of interest were still encrypted even after I asked the tool to decrypt my data with the correct passcode. To my dismay, nothing of interest was parsed, other than the Info.plist and Manifest.plist files. Even the Manifest.db was encrypted. Below you can see that the file system was parsed and accessible, but the databases and files of interest were encrypted, so this isn’t very helpful.

[Image: encrypted_backup]

(Once opened, the History.db looked like this)

[Image: encrypted_safari]

So now what? If you know the user’s backup password or can crack it, the password can be removed in iTunes. I tried this and then backed my phone up again.

First, I launched iTunes and unchecked the box for Encrypt iPhone Backup. I correctly entered my password.

[Image: itunes1]

The encryption was removed.

[Image: itunes2]

When I loaded this unencrypted version of my iOS backup file into forensic tools, some crashed, but I did have success in others. The first thing I noticed was that the Manifest.db was no longer encrypted.

[Image: manifest]

This gave me hope. I started examining the files that were previously encrypted within the iOS backup and found that they too, were accessible. Below, the CallHistory.storedata shows my call logs. When I initially created my backup, this file, like the Safari History.db, was encrypted!

[Image: callhistory]
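A quick triage script for the two points above (the new iOS 10 folder layout and an encrypted Manifest.db that the tools could not open). This is an added example, not code from the original post or from any vendor tool; it checks for the plaintext SQLite header on Manifest.db and builds a constructed sample backup directory in a temp folder rather than touching real device data.

```python
import os
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every plaintext SQLite file


def manifest_db_is_plaintext(backup_dir):
    """True if Manifest.db carries the SQLite header, i.e. the backup was NOT
    made with the iTunes 'Encrypt iPhone backup' option. None if the file is absent."""
    path = os.path.join(backup_dir, "Manifest.db")
    if not os.path.isfile(path):
        return None  # no Manifest.db: pre-iOS 10 layout or incomplete backup
    with open(path, "rb") as fh:
        return fh.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC


def detect_layout(backup_dir):
    """'ios10' for Manifest.db plus two-hex-digit subfolders,
    'legacy' for Manifest.mbdb with flat hash-named files, else 'unknown'."""
    names = set(os.listdir(backup_dir))
    hex_dirs = [n for n in names
                if len(n) == 2 and all(c in "0123456789abcdef" for c in n)
                and os.path.isdir(os.path.join(backup_dir, n))]
    if "Manifest.db" in names and hex_dirs:
        return "ios10"
    if "Manifest.mbdb" in names:
        return "legacy"
    return "unknown"


def triage(backup_dir):
    layout = detect_layout(backup_dir)
    plaintext = manifest_db_is_plaintext(backup_dir)
    if layout == "ios10" and plaintext is False:
        verdict = "encrypted: remove the iTunes backup password and back up again before parsing"
    elif layout == "ios10":
        verdict = "plaintext iOS 10 backup: Manifest.db should open in any SQLite viewer"
    else:
        verdict = "not an iOS 10 layout"
    return {"layout": layout, "manifest_db_plaintext": plaintext, "verdict": verdict}


def make_sample_backup(encrypted):
    """Constructed sample backup directory for testing; not real device data."""
    d = tempfile.mkdtemp()
    for sub in ("00", "1a", "ff"):  # the hex-named folders of the new layout
        os.mkdir(os.path.join(d, sub))
    db = os.path.join(d, "Manifest.db")
    if encrypted:
        with open(db, "wb") as fh:
            fh.write(bytes(range(256)) * 16)  # stand-in for opaque ciphertext
    else:
        con = sqlite3.connect(db)  # assumed minimal schema, only to get a real header
        con.execute("CREATE TABLE Files (fileID TEXT, domain TEXT, relativePath TEXT)")
        con.commit()
        con.close()
    return d


if __name__ == "__main__":
    for enc in (True, False):
        print(triage(make_sample_backup(enc)))
```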

I have reported these issues and concerns to the vendors and they are working on the issue. Here are some things they provided me in the meantime.

  1. Do not update to the latest version of iTunes if you are creating backups as forensic images. It causes issues.
  2. Do not select to “Encrypt” the backup in Physical Analyzer when obtaining an Advanced Logical Extraction. That too will render your data encrypted.
  3. Hope that the user never used iTunes encryption!

If you come across an encrypted iOS backup file, try to crack it. Personally, I rely on Elcomsoft tools to handle this.  If you crack the password, you will manually have to remove the iTunes restriction and back the data up again until the tools adapt to handle iOS 10 backup file encryption.

In the meantime, practice on your own device and sign up for FOR585 Advanced Smartphone Forensics, where we cover topics like bypassing encryption and cover the cool artifacts of iOS. Happy iOS hunting!

for585.com/course


So you want to break into the field of Digital Forensics…

It seems like I am asked this question at least twice a month via email. This week, I was asked 4 times. Instead of telling people the same thing over and over, I figured I would write a blog and refer the next person to it. Having said that, if you have positive experiences to add, please do so in the comments. Remember, we all needed to get our start somewhere. The biggest mistake we can make is not helping those who want to do what we do every single day!

I am often asked, “how did you get into this field and how did you get where you are today?” My response, “I was in the right place at the right time.” I graduated with a BS in Forensic and Investigative Science from WVU and could not get a job in Bloodstain Pattern Analysis, as I had planned. Remember, this was 2002, before CSI! Yes, I am older than 24… hard to believe. 😉 I applied and interviewed with several Government agencies and Police Departments. Nobody would hire a grad with no experience and the Forensic degree was a new thing. I was one of the first 4 with this degree in the United States. This makes me feel old…

So how did I get from here (I actually did this in college):

[Image: blood]

To this?????

[Image: PC]

This is where the Air Force helped me. I joined the Air National Guard to pay my tuition so I could get my degree. On my way to a drill weekend, flying in the back of a C-130, I met an IT guy from ManTech. He told me he could put me in touch with someone hiring an evidence technician. And the rest was history. Well, not really – they didn’t want to hire me because I didn’t understand digital evidence as my experience was in physical evidence. However, I made them see that it is really the same. How we handle it is the same. They took a chance and my career in Digital Forensics began. I was lucky to have a great boss who was willing to teach me how the tools worked and not just press buttons. Without him (nickname: Lancer), I have no idea where I would be today. I showed the interest and he took the time to teach me.

So, how can you meet your Lancer, you ask? You need to meet people to introduce you to opportunities. You need to network! Emailing someone on LinkedIn is not fully networking.  You need to get out there and go to conferences where these people thrive. Don’t be afraid to introduce yourself and ask for help. There is always someone who will help you. If you get turned away, you haven’t found your Lancer. Keep looking and don’t give up.

When I am approached for help, I ask a few things:

  1. What is your background?
  2. What do you want to do? Most people don’t know, so I point them to webcasts and blogs to see what sparks their interest (see below).
  3. Can you get a clearance?
  4. Are you willing to move?

You need to take the initiative to show your interest. By this, I mean take any training you can. Not all training is cheap and the courses I teach are expensive, but are worth the money. If you cannot pay for training, take free training, watch free webcasts, read forensic blogs and books and practice on your own. This will show you are trying, show you are passionate about the field and give you some cool stories to share at your interviews.

Your best bet is to pay and attend a forensic conference to meet people who are in the field. My favorite is the SANS DFIR Summit, for the sole reason that examiners present – not vendors. So you are getting a glimpse of different careers, the tools and methods they use and how they fill the gaps that the tools cannot meet. It’s amazing and it’s the best networking experience of the year. But, it’s not free! Can’t afford it? Ask a speaker to sponsor you as their guest! Again – back to that networking thing. You have to jump out of your shell and ask! Other conferences that may be helpful (and there are so many): EnFuse, HTCIA, BlackHat, DEFCON, Mobile Forensics World, Paraben and others. Before attending one, I recommend you look at the agenda, the speakers and determine if this is what you want to spend your time and money attending. Each offers something different and all have a target audience.

Take forensic training. It’s that simple. Learn the trade. Some courses are free and some cost a good chunk of change! Again, take what you can and remember it’s better to start somewhere vs. never getting started. Here is a list you can refer to: http://www.forensicswiki.org/wiki/Training_Courses_and_Providers

Shameless plug: I author and teach for the SANS Institute. I recommend FOR585 Advanced Smartphone Forensics. Why? Because it’s fun, cutting edge, vendor neutral and it’s my baby. 🙂 Plus, who doesn’t have a phone? May as well learn how to forensicate it.

Books to read (just Google them – you can buy them in several places):

These are the books that helped me get into this field and still help me during my investigations:

File System Forensic Analysis – Brian Carrier

Handbook of Digital Forensics and Investigations – Eoghan Casey

Harlan Carvey’s books on Windows and Registry Forensics

Practical Mobile Forensics 2nd Edition – Mahalik and Tamma (again shameless plug…)

These books are not necessarily something you would read cover to cover, but they are great reference material. They will show you how to examine your own computer and phones and will get you some hands on experience! Most suggest free and commercial tools, so you can access what we use on a daily basis. There are several others out there, but these are general enough and have helped me.

Blogs:

This is a great place to start because it’s free and you can hop around as you wish. Clearly you are here on my blog, but others I recommend are:

Cheeky4n6monkey –Learning about digital forensics

Az4n6blog – Another Forensics Blog

Mac4n6blog – Mac Forensics (iOS too)

SANS – DFIR Blog

Gillware – Murphy’s Laws of Digital Forensics

Gillware Digital Forensics Blog | Cindy Murphy

Webcasts:

The SANS institute sponsors and hosts webcasts, where professionals give you a glimpse of topics they care about, courses they teach and developments in forensics. Check it out! It’s free and you can refer back to archives and get tons of free training. https://www.sans.org/webcasts/

If you have done all of these things and you are ready to break into forensics, let’s talk. I hope to meet you at a SANS event or conference soon. Good luck and never let anyone tell you it’s too hard to get into. It’s not always what you know, but who you know and how hard you are willing to work!


iPhone Forensics – Separating the Facts from Fiction

For those of you who missed the efforts that Sarah Edwards, Cindy Murphy and I put together, the links are below for you to enjoy.
The webcast provides an overview of our thoughts on what is being requested by the FBI, what Apple may be able to do and how we, examiners, need to be properly trained and ready to handle the hard evidence that comes across our desks.
The blog goes into more detail on technical aspects of this “situation.” Sarah, Cindy and I hope you enjoy it and find it useful.

Can’t Crack into that iOS device?

Good afternoon everyone! One of the most common questions I get is in regards to accessing locked iOS devices. My first response is always, “it depends.” Anyone who conducts smartphone forensics on a regular basis knows that nothing is consistent and that there always seems to be a way around a hurdle, but that is not always true when dealing with iOS.

For newer 64-bit iOS devices, if they are locked and you don’t have access to the passcode, the pairing/lockdown file and the device is not jailbroken, you are going to have a hard time successfully getting into the device.  I recommend trying all tools available to you, just to make sure you have tried everything! Elcomsoft provides physical support for jailbroken 64-bit devices, and it may work for you, so try it if you have access to the tool. Or ask for a demo! You never know when it may be your lucky day.

Before researching your options, you have to know the version on the device. If you don’t know the version, you can obtain it on a Mac by using libimobiledevice from http://www.libimobiledevice.org/ and running ideviceinfo. This method will work on locked iOS devices, enabling the examiner to identify the iOS version they are facing on the device. Simply follow these steps:

  1. Launch Terminal.
  2. Type the command below to create the libimobiledevice-macosx directory on the user’s desktop and place the libimobiledevice command-line tools into it:

$ git clone https://github.com/benvium/libimobiledevice-macosx.git ~/Desktop/libimobiledevice-macosx/

  3. Navigate to the libimobiledevice-macosx directory, as follows:

$ cd ~/Desktop/libimobiledevice-macosx/

  4. Create and edit the .bash_profile file using the nano command, as follows:

$ nano ~/.bash_profile

  5. Add the following two lines to the .bash_profile file:

export DYLD_LIBRARY_PATH=~/Desktop/libimobiledevice-macosx/:$DYLD_LIBRARY_PATH
PATH=${PATH}:~/Desktop/libimobiledevice-macosx/

  6. Press Ctrl + X, then y, and hit Enter to save and exit.
  7. Return to the terminal, reload the profile and run ideviceinfo:

$ source ~/.bash_profile
$ ideviceinfo

Your device information will be displayed. 🙂
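When you script this step across many devices, it helps to pull the version out of the ideviceinfo output rather than reading it by eye. Added example, not part of the original post or of libimobiledevice: it parses the tool’s “Key: Value” lines from a constructed sample (the device name and UDID below are placeholders) and returns the version as a comparable tuple, with None when the device did not report one.

```python
# Constructed sample of ideviceinfo output ("Key: Value" per line); not a real capture.
SAMPLE_IDEVICEINFO = """\
DeviceClass: iPhone
DeviceName: Test iPhone
ProductType: iPhone8,1
ProductVersion: 10.0.1
UniqueDeviceID: 0000000000000000000000000000000000000000
"""


def parse_ideviceinfo(text):
    """Split 'Key: Value' lines into a dict; lines without ': ' are ignored."""
    info = {}
    for line in text.splitlines():
        if ": " in line:
            key, value = line.split(": ", 1)
            info[key.strip()] = value.strip()
    return info


def ios_version(info):
    """Return ProductVersion as a (major, minor, patch) tuple so versions compare
    numerically (10.0.1 > 9.3.5); None if the device reported no version."""
    raw = info.get("ProductVersion")
    if not raw:
        return None
    parts = [int(p) for p in raw.split(".") if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def at_least(info, major, minor=0, patch=0):
    """True when the reported version is >= the given one; False when unknown."""
    ver = ios_version(info)
    return ver is not None and ver >= (major, minor, patch)


if __name__ == "__main__":
    info = parse_ideviceinfo(SAMPLE_IDEVICEINFO)
    print(info.get("ProductType"), ios_version(info), at_least(info, 10))
```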

On a Windows platform (version 7 or later), simply plug the iOS device into a PC that does not have iTunes installed and follow these steps:

  1. Plug the iOS device into the PC
  2. Go to My Computer
  3. Right click on the iOS device
  4. Select Properties

[Image: apple]

Today, Dylan Dorow, kindly shared some useful cheat-sheets on what’s currently possible for locked iOS devices.  They are attached below and are available for download in my Reading Room. These are extremely useful when trying to decide what is possible for accessing a locked iOS device.

[Attachments: iDevice_Make_Model_and_iOS_version, iOS_Device_Bypass_WorkFlow]

Good luck cracking those devices! And make sure you stay current on what the tools are capable of supporting because it changes quickly!

Practical Mobile Forensics eBook 50% Off!


Back by request, here is another coupon code offering 50% off the eBook of Practical Mobile Forensics. This code is only valid until October 2nd and is for the eBook directly from our publisher’s site.

To order, click the link below and enter the Discount code prior to checkout.

Unique link: http://bit.ly/1Qvf018

Discount code: PMF50

We hope this book helps you get the most bang for your buck in mobile forensics. We aimed to include as many open source solutions as possible to conduct mobile device forensics.

Happy Reading!

LE Discount for SANS Courses

All,

I know that training is expensive. Here is a way to attend FOR585 for half the price! Next up:

Tysons Corner, VA

Prague (Cindy Murphy)

Ft. Lauderdale

SANS has a standing Local LE Only discount program for a limited number of seats per class at 50% off.

All SANS DFIR training listed on this site qualify: http://digital-forensics.sans.org/training/courses (I recommend FOR585 Advanced Smartphone Forensics)
Local and state programs are the only ones allowed to apply for the discount.  The nutshell details are that you must be a badge carrier currently.  No retirees or support staff unfortunately at this time.
If you are interested in the program — sometimes calling SANS our customer service folks forget about the program. But cc’ed on this email is the program lead, Henri Van Goethem. Henri and I worked in Air Force OSI together back in the day and he knows how much this program is needed. Henri’s email is hvangoethem@sans.org if you would like to get exact details on the program and to apply.
Henri generally responds to all requests within a week or so.  If you are trying to attend training last minute – please cc myself on it and I can ensure it will get seen with enough time to sign up for the course.

What’s your biggest hurdle in smartphone forensics?

Hey everyone,

Figured I would do a quick blog to see what your greatest issues are when dealing with the smartphones in your investigations:

– Locked devices? If so, which ones?

– Encryption (device level or application level)?

– Parsing the plethora of 3rd party apps found on devices?

Let me know your thoughts. Looking into my next research area and thought I would question the community first to see what is needed.

Have a great afternoon!

What are your forensic tools really good at?

Happy Saturday everyone! Several of my SANS FOR585 students have asked me to document my opinions on what tools I like and how I find them to be helpful. Again, I am not including every single tool out there or highlighting all of their capabilities, so if one is missing that you find useful, please post in the comments. This is simply a quick blog to highlight what has helped me in the past 6+ months.

I am not going to dive too deep into acquisition. There are so many tools and methods available that most people can figure out a way to get the data. I recommend you always get a physical dump and logical or backup to help you parse the data. Pick your poison on obtaining the data (Cellebrite, MSAB, Lantern, Blacklight, ViaExtract, flasher boxes…. it goes on and on). Each tool has its pros and cons and it’s a bad idea to only have one tool in your toolbox. Smartphones are beasts and security is getting stronger. Make sure you test your tools and test them often. Don’t let one hurdle knock you down. Try to trick your tool into working for you if needed.

I think the easiest way to write this blog is to include highlights and then touch on them. What is your tool really good for based upon my experience:

Commercial Solutions (Not in any particular order):

  • IEF Mobile – Great for Internet evidence and parsing 3rd party application data. One of the best iOS app parsers out there.
  • Physical Analyzer – Probably the best analytical platform out there specific to smartphone tools. It doesn’t parse everything, but it gives us a platform for analysis where we can make it find the evidence with some manual carving and hex searches.  Best physical search feature for locating data in raw hex.
  • MSAB XRY/XACT – One of the only tools that provides access to the raw files during a logical acquisition. Guess what, to recover data that the tools don’t parse you need the raw files. This tool gives you access to them!
  • Lantern – Great Facebook app support. Seems to parse more data than the others on specific iOS devices.
  • Blacklight – Great tool that can run on a Mac! Great support for iOS devices. Haven’t you heard that you should examine a Mac with a Mac? A wise examiner once told me that and it still resonates with me.
  • Mobilyze – Best triage tool for iOS and Android.
  • MPE+ – The SQLite builder is a great feature when manually examining databases from 3rd party apps.
  • Oxygen – The best tool for BlackBerry. Acquires the event log and provides a secure way to create a BB backup file. Also counts out all those nasty little databases for you. I also like how Oxygen parses 3rd Party Apps.

Open Source and Other Solutions (Not in any particular order):

  • Andriller – This is one of my new favorites. This tool can crack passcodes and provides parsers for iOS, Android and Windows 3rd Party Application files. Free for LE and well worth it for everyone else. The fee is small the results are huge! https://andriller.com/
  • Now Secure CE (used to be ViaExtract CE) – Andrew Hoog was kind to release this awesome tool. It provides acquisition support for free! Parsers are pretty kick-ass too. Check it out. https://www.nowsecure.com/forensics/community/
  • Sanderson Forensics tools – Great SQLite support! The SQLite Forensic Toolkit is so useful in recovering deleted data and for converting those pesky timestamps. http://www.sandersonforensics.com/forum/content.php
  • Parsers developed by the community. Mari DeGrazia (http://az4n6.blogspot.com/) and Adrian Leong (http://cheeky4n6monkey.blogspot.com/) are rockstars and often give back by developing scripts to help us sift through application and smartphone data. Check out their blogs to see what has been helping us sift through the massive amounts of data.
  • Autopsy – The Android Analyzer module supports parsing commonly missed items from Android devices. It also gives you access to the File System directory tree faster than any commercial tool out there. http://sleuthkit.org/autopsy/

I am sure I have forgotten to give credit to some where it’s due, so I am requesting that you help me out. What tools really help you and how? Is there one that is strong with Base64 decoding? What about the double Base64? Don’t know what that means??? Take FOR585 and Cindy Murphy and I will teach you.  If you need more references on how to use the tools and the open source/free solutions, read the following books:

Practical Mobile Forensics

Learning Android Forensics

Learning iOS Forensics

Good luck and keep digging in that Hex! The data is there and it’s your job to find it.