Category Archives: Open Source

A glimpse of iOS 10 from a smartphone forensic perspective

I immediately installed and started using iOS 10.0.1 when the full release was available. For this testing, I used my non-jailbroken iPhone 6S and iTunes 12.4.2.4 with the addition of free and commerical tools. My intention is to share my initial thoughts on what is different in iOS 10 and what to expect when you see a device running this version. For more in depth details, analysis tips and tricks on iOS, refer to for585.com/course.

I expected major artifact location changes in iOS 10.  I based this assumption on the fact that iOS 7 to iOS 8 was drastic in artifact changes. Nothing really changed when we upgraded to iOS 9, so I assumed… I’m happy to report that upon my initial research, I haven’t found drastic changes for most files of interest. I plan to keep digging here, just to be sure. As capabilities increase, we know that log files and usage artifacts are left on the device. These need to be researched further.

One major change I have noticed is with the structure of the iOS device backup. Below is an example of the new file structure.

backup_structure

A few things of interest:

  1. The Manifest.mbdb is now a SQLite database file – Manifest.db
  2. Instead of seeing all of files or “strings of letters” representing backup file contents, you now have folders containing these files, as shown above in the boxed area.

Once I had my backup, I starting digging through the files and panicked!  Everything of interest appeared to be encrypted. This includes simple things like contacts, call logs, SMS and locations pulled from Apple maps.  I frantically sent a Tweet seeing if this is what others were seeing and heard nothing. My tools all flopped. After the panic subsided, I decided to launch iTunes and take a look at my settings. Here is what I saw… The pesky box to Encrypt iPhone backup was checked even though I have been backing up to iCloud for as long as I can remember. Good think I remembered the password.

itunes_issue

I was confused by this for several reasons. One, most of the commercial tools prompt you to enter a backup password and decode the data when this setting is enabled. Also, encrypting a backup and knowing the password provides us additional access to data – not blocks us from it!  What could be going wrong? Could it be examiner error? Next, I did what most examiners would do and attempted to force my tools to parse this image. I launched UFED Physical Analyzer, IEF and BlackLight and entered the password (don’t worry, my passwords are much stronger than this, but I used a “dummy” one for this example.)

ufed-pw_prompt

To my surprise, all of the databases of interest were still encrypted even after I asked the tool to decrypt my data with the correct passcode. To my dismay, nothing of interest was parsed, other than the Info.plist and Manifest.plist files. Even the Manifest.db was encrypted. Below you can see that the file system was parsed and accessible, but the databases and files of interest were encrypted, so this isn’t very helpful.

encrypted_backup

(Once opened, the History.db looked like this)

encrypted_safari

So now what? If you know the user’s backup password or can crack it, the password can be removed in iTunes. I tried this and then backed my phone up again.

First, I launched iTunes and unchecked the box for Encrypt iPhone Backup. I correctly entered my password.

itunes1

The encryption was removed.

itunes2

When I loaded this unencrypted version of my iOS backup file into forensic tools, some crashed, but I did have success in others.  The first think I noticed was that the Manifest.db was no longer encrypted.

manifest

This gave me hope. I started examining the files that were previously encrypted within the iOS backup and found that they too, were accessible. Below, the CallHistory.storedata shows my call logs. When I initially created my backup, this file, like the Safari History.db, was encrypted!

callhistory

I have reported these issues and concerns to the vendors and they are working on the issue. Here are some things they provided me in the meantime.

  1. Do not update to the latest version of iTunes if you are creating backups as forensic images. It causes issues.
  2. Do not select to “Encrypt” the backup in Physical Analyzer when obtaining an Advanced Logical Extraction. That too will render your data encrypted.
  3. Hope that the user never used iTunes encryption!

If you come across an encrypted iOS backup file, try to crack it. Personally, I rely on Elcomsoft tools to handle this.  If you crack the password, you will manually have to remove the iTunes restriction and back the data up again until the tools adapt to handle iOS 10 backup file encryption.

In the meantime, practice on your own device and sign up for FOR585 Advanced Smartphone Forensics, where we cover topics like bypassing encryption and cover the cool artifacts of iOS. Happy iOS hunting!

for585.com/course

GASF

What are your forensic tools really good at?

Happy Saturday everyone! Several of my SANS FOR585 students have asked me to document my opinions on what tools I like and how I find them to be helpful. Again, I am not including every single tool out there or highlighting all of their capabilities, so if one is missing that you find useful, please post in the comments. This is simply a quick blog to highlight what has helped me in the past 6+ months.

I am not going to dive too deep into acquisition. There are so many tools and methods available that most people can figure out a way to get the data. I recommend you always get a physical dump and logical or backup to help you parse the data. Pick your poison on obtaining the data (Cellebrite, MSAB, Lantern, Blacklight, ViaExtract, flasher boxes…. it goes on and on). Each tool has their pros and cons and it’s a bad idea to only have one tool in your toolbox. Smartphones are beasts and security is getting stronger. Make sure you test your tools and test them often. Don’t let one hurdle knock you down. Try to trick your tool into working for you if needed.

I think the easiest way to write this blog is to include highlights and then touch on them. What is your tool really good for based upon my experience:

Commercial Solutions (Not in any particular order):

  • IEF Mobile – Great for Internet evidence and parsing 3rd party application data. One of the best iOS app parsers out there.
  • Physical Analyzer – Probably the best analytical platform out there specific to smartphone tools. It doesn’t parse everything, but it gives us a platform for analysis where we can make it find the evidence with some manual carving and hex searches.  Best physical search feature for locating data in raw hex.
  • MSAB XRY/XACT – One of the only tools that provides access to the raw files during a logical acquisition. Guess what, to recover data that the tools don’t parse you need the raw files. This tool give you access to them!
  • Lantern – Great Facebook app support. Seems to parse more data than the others on specific iOS devices.
  • Blacklight – Great tool that can run on a Mac! Great support for iOS devices. Haven’t you heard that you should examine a Mac with a Mac? A wise examiner once told me that and it still resonates with me.
  • Mobilyze – Best triage tool for iOS and Android.
  • MPE+ – The SQLite builder is a great feature when manually examining databases from 3rd party apps.
  • Oxygen – The best tool for BlackBerry. Acquires the event log and provides a secure way to create a BB backup file. Also counts out all those nasty little databases for you. I also like how Oxygen parses 3rd Party Apps.

Open Source and Other Solutions (Not in any particular order):

  • Andriller – This is one of my new favorites. This tool can crack passcodes and provides parsers for iOS, Android and Windows 3rd Party Application files. Free for LE and well worth it for everyone else. The fee is small the results are huge! https://andriller.com/
  • Now Secure CE (used to be ViaExtract CE) – Andrew Hoog was kind to release this awesome tool. It provides acquisition support for free! Parsers are pretty kick-ass too. Check it out. https://www.nowsecure.com/forensics/community/
  • Sanderson Forensics tools – Great SQLite support! The SQLite Forensic Toolkit is so useful in recovering deleted data and for converting those pesky timestamps. http://www.sandersonforensics.com/forum/content.php
  • Parsers developed by the community. Mari DeGrazia (http://az4n6.blogspot.com/)and Adrian Leong (http://cheeky4n6monkey.blogspot.com/) are rockstars and often give back by developing scripts to help us sift through application and smartphone data. Check out their blogs to see what has been helping us sift through the massive amounts of data.
  • Autopsy – The Android Analyzer module supports parsing commonly missed items from Android devices. It also gives you access to the File System directory tree faster than any commercial tool out there. http://sleuthkit.org/autopsy/

I am sure I have forgotten to give credit to some where it’s due, so I am requesting that you help me out. What tools really help you and how? Is there one that is strong with Base64 decoding? What about the double Base64? Don’t know what that means??? Take FOR585 and Cindy Murphy and I will teach you.  If you need more references on how to use the tools and the open source/free solutions, read the following books:

Practical Mobile Forensics

Learning Android Forensics

Learning iOS Forensics

Good luck and keep digging in that Hex! The data is there and it’s your job to find it.

Want your own copy of Practical Mobile Forensics for $5?

Hey everyone,

It’s the Holidays, so why not treat yourself to a copy of Practical Mobile Forensics? You can get the eBook for $5 until January 6th directly from Packt!  This book was designed to help both new and experienced examiners capture and analyze data from mobile devices.  Our goal was to use Open Source solutions as much as possible.  Check out the book and happy forensicating!

The link to purchase the book for $5 is

Happy Holidays!

Heather

Win A Free Copy of Packt’s Practical Mobile Forensics

I am pleased to announce that Packt Publishing is organizing a giveaway especially for you.   All you need to do is just comment below the post for a chance to win a free e-copy of Practical Mobile Forensics.  Two lucky winners will be selected.

book

Overview of Practical Mobile Forensics

  • Clear and concise explanations for forensic examinations of mobile devices
  • Master the art of extracting data, recovering deleted data, bypassing screen locks, and much more
  • The first and only guide covering practical mobile forensics on multiple platforms

How to Enter?

Simply post your expectations from this book as a comment or Tweet. You could be one of the 2 lucky participants to win the copy.

DeadLine: The contest will close on 09/25/04. Winners will be contacted by email, so be sure to use your real email address when you comment or contact me directly with it – hmahalik@smarterforensics.com.

Practical Mobile Forensics is RELEASED!

Happy Tuesday everyone. I am happy to say that Practical Mobile Forensics is officially released. http://www.packtpub.com/practical-mobile-forensics/book

This book was written by three of us hoping to guide those new to mobile forensics and those looking to branch into mobile device forensics. We provide practical methods for acquiring and analyzing data from smartphones and place an emphasis on open source tools, where possible.

Speaking of open source, the latest version of Autopsy is available and can be downloaded here: http://sourceforge.net/projects/autopsy/files/autopsy/3.1.0%20Beta%201/. This is a beta version, so your feedback is greatly appreciated.  Let me know what you think of the Android module. What is missing? Where should we focus our efforts?

Getting the most out of Smartphone Forensic Exams – SANS Advanced Smartphone Forensics Poster Release

Getting the most out of Smartphone Forensic Exams –

SANS Advanced Smartphone Forensics Poster Release

There is one certain thing in the DFIR field, and that is that there are far more facts, details and artifacts to remember than can easily be retained in any forensic examiner’s brain. SANS has produced an incredibly helpful array of Posters and Cheat Sheets for DFIR in order to assist examiners with those tidbits of information than can help to jumpstart their forensics exams and or intrusion and incident response investigations. The most recent addition to the SANS DFIR poster collection is the Advanced Smartphone Forensics Poster, created by SANS FOR585 authors Heather Mahalik, Domenica Crognale, and Cindy Murphy.

These days, digital forensic investigations often rely on data extracted from smartphones, tablets and other mobile devices. Smartphones are the most personal computing device associated to any user, and therefore often provide the most relevant data per gigabyte examined in an investigation. The Advanced Smartphone Forensics Poster will guide you through the elements of the mobile forensic process so that the results of your examination will hold up under scrutiny.

1

The acquisition of Smartphone evidence can be complicated by the large assortment of device makes, models, and operating systems, with varying levels of acquisition support. The Smartphone Acquisition guide included in the poster will guide you through the intricacies of acquiring data from locked and unlocked phones for the major Smartphone platforms.

2

Once data is acquired, interpretation of that data can involve complexities such as data encryption and encoding, and relics of flash memory storage. The Advanced Smartphone Forensics Poster will help you to work through the basics of flash memory data layout, and various types of data encryption and encoding common to Smartphone data to help you get the most out of the acquired evidence.

Commercial tools have a difficult standard to live up to in regards to data decoding and don’t fully address the challenges of mobile malware detection and analysis.  With all of the apps available, it’s nearly impossible to automate the process of decoding all of the relevant data. The Advanced Smartphone Forensics poster will help walk you through the basic steps of mobile malware detection and analysis, and provides you with common evidence locations for the major smartphone platforms to help you narrow down and efficiently identify data that is important to your investigation.

3

Use this poster as a handy reference guide to help you remember how to handle smartphones, where to obtain actionable intelligence, and how to recover and analyze data on the latest smartphones and tablets. Whether you’re new to smartphone forensics or you’re an experienced examiner, the SANS Advanced Smartphone Forensics Poster will help you get the most relevant evidence per gigabyte.

https://digital-forensics.sans.org/media/for585-poster.pdf

Cindy Murphy, SANS Instructor and Co-Author of FOR585