All posts by Heather Mahalik

Rotten to the Core? Nah, iOS14 is Mostly Sweet

By Heather Mahalik

This blog is a cursory glance of iOS14, which was officially released this week. To keep with my previous trends, I focus on basic artifacts that impact almost every investigation and then dive in and take a bite from the apple. Think of this blog as the bobbing part. 😊 For this blog, I tested the tools that I have available to me personally. If you think something is missing – share it. If you are a vendor and think something is missing – share it with me and I will try it for myself. At this point in time, an encrypted iTunes backup seemed to be the most stable option. I know that vendors are releasing updates to support iOS14 shortly, so be patient. If you DO NOT encrypt the backup, you will NOT extract Calls, Apple Maps (some databases extracted but are empty), Safari, Health and probably a lot more!

Apple didn’t go of the beaten path to much for the primary artifacts. There are some strange things I noted and those will be shared. Since iOS13, best practices are to encrypt your backups! If you do not, you will not get all the databases needed for basic examinations.

For this blog, I acquired many ways to compare the differences. The ones in bold were the best acquisition.

Mac Acquisition Tests:

  • Backup on a Mac using Finder – Encrypted
  • Backup on a Mac using Finder – No encryption set
  • Backup on a Mac using Finder – Encryption set but DID NOT save the password to the keychain

The issue I found when backing up to a Mac and saving the encryption passcode to the keychain is that the Manifest.plist does not show the encryption flag and the tools do not request the passcode for parsing.

Manifest.plist comparison

Thus, you don’t get much of anything! I loaded all of these extractions into Cellebrite Physical Analyzer and Magnet AXIOM to verify and the keychain taking the passcode really limits us examiners so pay attention when using a Mac to create a backup and DO NOT let that box stay checked or your examination opportunities will be limited.

Backing up using a Mac

Windows Acquisition Tests:

I first attempted to use a previous version of iTunes and it didn’t even see my device running iOS14. I updated and all was good from that point forward.

  • Backup with iTunes – Encrypted
  • Backup with iTunes – No encryption set

There weren’t any oddities here other than the fact that as soon as I moved my backup from the MobileSync directory, iTunes claimed it was never backed up to this PC.

iTunes backup

And a backup a few mins later.

iTunes view after backup was moved from the MobileSync directory

Keep in mind, I did about 10 backups of this device because I kept adding data and then pulling it. It makes sense if you think about it, but I know that the device stores this information, so I was surprised to see iTunes simply relying on the backup directory for this information. Bottom line do not trust what iTunes states regarding backups on the summary screen because the truth lies within the iOS device.

For this test, I created new Contacts, placed Calls (both FaceTime and regular), texted (used the new “reply to a message” feature, took photos, searched for directions (and even had to do extra drives to get really test Maps), created a note, and browsed using Safari. These are the key items that everyone should examine for most cases, so I tend to start there. My colleagues and I are going to dive into the harder artifacts (KnowledgeC, locations, Health, etc.) and will do a separate blog on that.

The common artifacts:

Contacts: var/mobile/Library/AddressBook/AddressBook.sqlitedb – parsed by commercial tools

Calls: var/mobile/Library/CallHistoryDB/CallHistory.storedata – – parsed by commercial tools

PA Parsed Call Logs
PA Call logs with Source File

SMS: var/mobile/Library/SMS/sms.db – mostly parsed by commercial tools. See below for more details.

Safari: var/mobile/Library/Safari/History.db – mostly parsed by commercial tools. Note: Make sure your tool parses history, Google searches and Tab history.

AXIOM Tabbed Sessions
PA Safari History
PA Safari History – Source

Photos: var/mobile/Media/DCIM/100APPLE/ – parsed by commercial tools – However, there is a new table. Take a look below.

PA Photos

The table ZGENERICASSET that we have relied upon for so long is now ZASSET. Thanks to Jared Barnhart for finding this first. 🙂 And thanks to Scott Koenig for this query to parse it all. https://drive.google.com/drive/folders/1v6T6OqD8eyL1xwHXDMePaXxEZ3IZssp2

Notes: var/mobile/Containers/Shared/AppGroup/group.com.apple.notes/NoteStore.sqlite – parsed by commercial tools

**NEW File and Path***

Maps: var/mobile/Containers/Shared/AppGroup/group.com.apple.Maps/Maps/MapsSync_0.0.1

var/mobile/Containers/Shared/AppGroup/group.com.apple.Maps/Maps/MapsSync_0.0.1_deviceLocalCache.db

Apple Maps is the biggest change and to be honest, I thought I lost them again. If you aren’t sure what I am referring to, please read my previous blogs on Apple Maps. I have spent countless hours trying to find locations and you know what’s sad – I don’t even like Apple Maps. I prefer Waze. However, as a researcher, I must test all things. Let’s take a historical look at Apple Maps.

History. mapsdata – was the primary storage file for Maps until iOS 8

GeoHistory.mapsdata – the primary storage file for Maps from iOS 8 – iOS 11(ish). Went to cloud storage for iOS12 and then came back and stored here again for iOS13 – again refer to my previous blogs –How the Grinch stole Apple Maps artifacts… or did he just hide them? and First the Grinch and now the Easter Bunny! Where is Apple Maps hiding?

MapsSync_0.0.1 – the new file on the block – this is the primary file storing iOS 14 Maps data.

MapsSync_0.0.1 seems to only keep the last 15 history items. This is about 3-5 directions/lookups/searches based upon my testing. I dumped my device several times to confirm this. Let’s look.

Here is how it looked when I first extracted the data.

Apple Maps Data – DB Browser for SQLite

And just two Apple Maps searches later, it looked like this.

Apple Maps Data – DB Browser for SQLite

The bad news is that none of the tools I tested parse this file. The good news? Here is a query for you. Use your tool of choice to parse it. Keep in mind the “Time Created” below will reflect the time The device was updated to iOS14. Thus, this is NOT when that search occurred. To get that information, you need to examine GeoHistory.Mapsdata – the protobuf that stores this historical information.

SELECT
ZHISTORYITEM.z_pk AS "Item Number",
CASE
when ZHISTORYITEM.z_ent = 14 then "coordinates of search"
when ZHISTORYITEM.z_ent = 16 then "location search"
when ZHISTORYITEM.z_ent = 12 then "navigation journey"
end AS "Type",
datetime(ZHISTORYITEM.ZCREATETIME+978307200,'UNIXEPOCH','localtime') AS "Time Created",
datetime(ZHISTORYITEM.ZMODIFICATIONTIME+978307200,'UNIXEPOCH','localtime') AS "Time Modified",
ZHISTORYITEM.ZQUERY AS "Location Search",
ZHISTORYITEM.ZLOCATIONDISPLAY AS "Location City",
ZHISTORYITEM.ZLATITUDE AS "Latitude",
ZHISTORYITEM.ZLONGITUDE AS "Longitude",
ZHISTORYITEM.ZROUTEREQUESTSTORAGE AS "Journey BLOB",
ZMIXINMAPITEM.ZMAPITEMSTORAGE as "Map Item Storage BLOB"
from ZHISTORYITEM
left join ZMIXINMAPITEM on ZMIXINMAPITEM.Z_PK=ZHISTORYITEM.ZMAPITEM

When examining the output, I was perplexed by the lack of results, which is when I realized that number of 15 stayed constant no matter what I searched for. It appears to be transactional in nature. Also, I went through all the coordinates and realized that the Type “coordinates of search” will not show as “navigation journey” unless selected.  For example, I searched for UMMC (no longer part of this database in my final dump, but the “coordinates of search” persist. The one set of coordinates is for the University Medical Center in Maryland (the one I navigated to) and the other a University Medical Center in Mississippi, which I never selected.

The good news – GeoHistory.mapsdata has the historical searches made in iOS13! If you do not see these in the MapsSync_0.0.1 database, go back and examine the protobuf for locations of interest. Below we can see the searches for UMMC, which are no longer in MapsSync_0.0.1 exist here.

Protobuf View in PA

What about those BLOBS stored in “zrouterequeststorage” you ask? Well, they store your starting location and your final destination. Pretty important, right? This is the literal journey.

BLOBS embedded in Apple Maps
BLOBS embedded in Apple Maps

These BLOBs are protobufs and a special shout out to Jon Baumann who stayed up late to fix his script for me. You can find his script here to parse these nasty buggers. https://github.com/threeplanetssoftware/sqlite_miner/tree/protobuf

Here is some sample output of my file. Note that it isn’t perfect (he worked on this in minutes) and may have false positives.

SQlLte-Miner-.pl output

Protoc can be used to look at the protobufs. And there are many scripts to help. One recommended by the Cheeky4n6Monkey is https://github.com/mildsunrise/protobuf-inspector.

Another consideration is going back into your tool and searching around. Cellebrite Physical Analyzer has a built in button to search in binary blobs. I did two searches here. One for my home street (not sharing that here) and one for a location I navigated to/searched for (chantilly).

Searching Binary BLOBS in PA

Another option is to convert the BLOBS from the query provided above to Hex so you see the output and are alerted. Again, this is a preference thing. Thanks Jared Barnhardt for the suggestion here!

SELECT
ZHISTORYITEM.z_pk AS "Item Number",
CASE
when ZHISTORYITEM.z_ent = 14 then "coordinates of search"
when ZHISTORYITEM.z_ent = 16 then "location search"
when ZHISTORYITEM.z_ent = 12 then "navigation journey"
end AS "Type",
datetime(ZHISTORYITEM.ZCREATETIME+978307200,'UNIXEPOCH','localtime') AS "Time Created",
datetime(ZHISTORYITEM.ZMODIFICATIONTIME+978307200,'UNIXEPOCH','localtime') AS "Time Modified",
ZHISTORYITEM.ZQUERY AS "Location Search",
ZHISTORYITEM.ZLOCATIONDISPLAY AS "Location City",
ZHISTORYITEM.ZLATITUDE AS "Latitude",
ZHISTORYITEM.ZLONGITUDE AS "Longitude",
hex(ZHISTORYITEM.ZROUTEREQUESTSTORAGE) AS "Journey BLOB(hex)",
hex(ZMIXINMAPITEM.ZMAPITEMSTORAGE) as "Map Item Storage BLOB(hex)"
from ZHISTORYITEM
left join ZMIXINMAPITEM on ZMIXINMAPITEM.Z_PK=ZHISTORYITEM.ZMAPITEM
BLOB output as HEX – DB Browser for SQLite

I plan to keep digging into Apple Maps and will blog more as I find more information. For now, use this query if you dump a device running iOS14. Don’t be afraid to make it your own too! You will see many columns that I could not get to populate with valuable information.

For iMessage, you can now reply to a single portion of the conversation. The below screenshot shows you how this appears on the device.

Reply To Message

The database has two new columns called “thread_originator_guid” and “thread_originator_part” which appear to be what the tools are not yet parsing and is what alerts you to the message the reply was to. I have yet to determine what the “thread_originator_part” means.

SMS Reply To – DB Browser for SQLite
SMS Reply To – DB Browser for SQLite

Refer to the screenshot from the phone to put this all together. Until the tools catch up, here is a query that will get you part of the way. It’s not perfect, and I plan to try to merge them. Maybe one of my friends will help write a script for it (Calling Brigs, Ian and Cheeky4n6Monkey!). The query below has been updated for iOS14.

SELECT message.rowid,
chat_message_join.chat_id,
message.handle_id,
message.text,
message.thread_originator_guid,
message.thread_originator_part,
message.service,
message.account,
chat.account_login,
chat.chat_identifier,
case when LENGTH(chat_message_join.message_date)=18 then
datetime(chat_message_join.message_date/1000000000 + 978307200,'unixepoch','localtime')
when LENGTH(chat_message_join.message_date)=9 then
datetime(chat_message_join.message_date + 978307200,'unixepoch','localtime')
else 'NA'
END as "Message Date",
case when LENGTH(message.date_read)=18 then
datetime(message.date_read/1000000000 + 978307200,'unixepoch','localtime')
when LENGTH(message.date_read)=9 then
datetime(message.date_read+978307200,'unixepoch','localtime')
else 'NA'
END as "Date Read",
case when message.is_read=1
then 'Incoming'
when message.is_read=0
then 'Outgoing'
end as "Message Direction",
case when LENGTH(chat.last_read_message_timestamp)=18 then
datetime(chat.last_read_message_timestamp/1000000000+978307200,'unixepoch','localtime')
when LENGTH(chat.last_read_message_timestamp)=9 then
datetime(chat.last_read_message_timestamp + 978307200,'unixepoch','localtime')
else 'NA'
END as "Last Read",
attachment.filename,
datetime(attachment.created_date+978307200,'unixepoch','localtime') AS "Attachment Date",
attachment.mime_type,
attachment.total_bytes
FROM message
left join chat_message_join on chat_message_join.message_id=message.ROWID
left join chat on chat.ROWID=chat_message_join.chat_id
left join attachment on attachment.ROWID=chat_message_join.chat_id
order by message.date_read desc;

Bottom line – Apple isn’t rotten. The days I spend researching and blogging are for my family until I press submit! 😊 Please research and share! Validation is key. We all need to do it! Create test data and try it for yourself. If you find bugs, report them to vendors. If you find gaps, report them, and find someone who can build a tool to parse it. It’s our job in DFIR to educate and share. Happy hunting on iOS 14! And you may see this image coming to you publicly soon!

Using Photos.sqlite to show the relationships between photos and the application they were created with? By Scott Koenig

First, I would like to thank Heather Mahalik for her help with this process and for allowing me to post something on her blog. It’s an honor! Additionally, thanks to Jared Barnhart for his assistance with research and with testing.

I must apologize if you have already taken the time to read through this blog. It was my first research blog and after it was posted, I felt it was missing a few things. I debated over rewriting it or just following up with an additional blog. I came to the conclusion editing the original and reposting the entire blog was the best method to get you all of the information. 

Synopsis: During an examination and analysis, I learned some interesting things and would like to share them with you. After the examination of an Apple iPhone 7, I discovered some photos were captured using the camera application (com.apple.camera.CameraMessagesApp) from within the native iPhone messaging application (com.apple.MobileSMS). As a result of photos being captured, several files were created that I have not observed during my past examinations and I had a few questions.

Was this because I was examining a full file system extraction?

or

Was it because I haven’t been paying close enough attention during my exams?

Either way, I set out to test and validate what I discovered.

Suspect’s Device:                                             Test Device:

Apple iPhone 7 (A1778)                                   Apple iPhone XS (A1920)

iOS 13.4.1 (17E262)                                         13.5.1 (17F80)

During testing, I did not find any significant changes between 13.4.1 and 13.5.1 that would make the testing invalid. I did notice when looking an iOS 12.*.* FFS extraction there were some differences.  

Important to note: While working on cases after this blog was initially written I noticed there were some difference between iOS 12 and iOS 13. Mainly, iOS 13 devices contained more data in /private/var/mobile/Containers/Data/PluginKitPlugin/<UUID>/tmp/ locations than iOS 12 devices. I only mention this so you are aware there could be additional differences that have not been discussed.      

Acquisitions:

  • After First Unlock (AFU) Full File System (FFS) (Suspect’s device and test device).
  • Cellebrite UFED 4PC Advanced Logical and Logical extraction (Suspect’s device only).

Tools Used:

Forensic Questions:

While examining the suspect’s device and analyzing the data, I had a few questions about the data being displayed and how it was created. I formulated a few scenarios that might help demonstrate and explain what happened:

Scenario #1 – What happens when a photo is captured (com.apple.camera.CameraMessagesApp) within the native iOS messenger (com.apple.MobileSMS) and sent as an attachment?

Scenario #2 – What happens when a photo is captured from within native iOS messenger, sent as an attachment message and the message that contained the attachment is later deleted from the conversation thread (/private/var/mobile/Library/SMS/Attachments/)?

Scenario #3 – What happens when a photo is captured within native iOS messenger, sent as an attachment message and the photo sent as an attachment is later deleted from the Photos Application (/private/var/mobile/Media/DCIM/)?

Scenario #1 – What happens when a photo / live photo is captured using the camera application within native iOS messenger and sent as an attachment:

During the testing I followed the steps below to capture both photos and live photos:

  1. Launched the native iOS messenger application (Figure 1.1) and entered a conversation thread (Figure 1.2).

                                                                                                    

Figure 1.1
Figure 1.2
  1. From the conversation thread clicked the camera icon (Figure 1.3), a photo was captured (Figure 1.4) and clicked done (Figure 1.5). Note: Figure 1.5 this is a preview of the photo that can be sent. But wasn’t this a photo that was captured?? Thanks to Jared Barnhart’s help, I learned this photo is in fact saved to the device even if the user chooses to “Retake” the photo. This photo will be stored in the /private/var/mobile/Containers/Data/PluginKitPlugin/<UUID>/tmp/ folder.

             

Figure 1.3
Figure 1.4
Figure 1.5
  1. A preview then appeared (Figure 1.6) and clicked the up arrow to send the photo to its recipient without any text (Figure 1.7).

                                               

Figure 1.6
Figure 1.7

Now let’s take a look at what happens within the device when these actions occurred.

The application usage and applications in focus was recorded within the KnowledgeC database. There are several resources and published research about the KnowledgeC database and what can be found within it. I would encourage you to take the time to review the list of references and other sources at the end of this blog.

8:21:22 PM – 8:22:54 PM the application (com.apple.MobileSMS) was launched and in use.

During that time:

8:22:01 PM – the back camera was turned on

8:22:03 PM – the application (com.apple.camera.CameraMessagesApp) was launched and several cached locations were created and stored in Cache.sqlite – ZRTCLLOCLATIONMO table. These locations were accurate for where the device was located during testing. If you have additional questions about location data please see Ian Whiffin’s presentation in the list of resources.

8:22:03 PM – Miscellaneous file path locations were opened, modified and created related to \private\var\db\uuidtext\. I haven’t researched or decoded any of these but wanted to mention it.

Figure 1, Figure 2, Figure 2.1 Figure 3 and Figure 4 are examples of how different tools represented the launched applications and what was decoded.

Figure 1 – PA
Figure 2 – AXIOM
Figure 2.1 – ArtEX
Figure 3 – KnowledgeC.db PA

8:22:03 PM – a property list (plist) was created:

private\var\mobile\Library\SMS\PluginMetaDataCache\BB6846A9-F53A-4DDA-9FA9-75B5E4FDF94E\com.apple.messages.MSMessageExtensionBalloonPlugin:0000000000:com.apple.camera.CameraMessagesApp.plist

In Figure 4 we can see this plist can be viewed within AXIOM and could also be viewed within PA. I saved, exported and opened the plist using Ian Whiffin’s Mushy plist viewer. See Figure 4.1. The plist contained the phone number and the associated UUID’s for the device the attachment message was sent to.

Figure 4 – AXIOM
Figure 4.1 – Mushy Plist Viewer

This plist was also in the suspects device and contained a list of phone numbers and their associated UUID’s. There appears to be different property lists for different types of messages sent:

  • com.apple.messages.MSMessageExtensionBalloonPlugin_0000000000_com.apple.Animoji.StickersApp.MessagesExtension.plist
  • com.apple.messages.MSMessageExtensionBalloonPlugin_0000000000_com.apple.camera.CameraMessagesApp.plist
  • com.apple.messages.MSMessageExtensionBalloonPlugin_0000000000_com.apple.mobileslideshow.PhotosMessagesApp.plist
  • com.apple.messages.MSMessageExtensionBalloonPlugin_0000000000_com.apple.PassbookUIService.PeerPaymentMessagesExtension.plist
  • com.apple.messages.MSMessageExtensionBalloonPlugin_0000000000_com.apple.siri.parsec.HashtagImagesApp.HashtagImagesExtension.plist
  • com.apple.messages.MSMessageExtensionBalloonPlugin_EWFNLB79LQ_com.gamerdelights.gamepigeon.ext.plist

At 8:22:20 PM a live photo of my friend Dexter was captured, which resulted in several files being created on the device to include the following:

Each tool used to examine the test data, put these files in a different order in the timeline, but they all had the same capture and created time of 8:22:20 PM. See Figure 5.

Figure 5 – PA
Figure 5.1 – AXIOM

Figure 5.1 within AXIOM – Timeline, there is an event for an entry being made into the Photos.sqlite database. See Figure 5.2 and Figure 5.3 for more details.

Figure 5.2 – AXIOM

Photos.sqlite information

Figure 5.3 – Photos.sqlite – PA

In Figure 5.3 we are looking within PA SQLite Viewer and looking at the Photos.sqlite database ZGENERICASSET table. Notice that all of the PK values are in sequential order and there are no missing values, indicating that the list is complete. I just stated when I took a photo of Dexter there were multiple files created to include IMG_0012.MOV. Where is the information about the additional files? More on this is to come in this blog.

Notice in Figure 5.3 there’s indication that an entry was also made in Photos.sqlite ZADDITIONALASSETATTRIBUTES table. Notice AXIOM is indicating that both the Z_PK value and the ZADDITIONALASSETATTRIBUTES value are the same. More about this later in the blog. Got to give a big shout out to Ian Whiffin here. I first noticed these values when viewing the full file system dump from within his tool Artifact Examiner (ArtEx). I reached out to him with a few questions, which he answered right away. It helped so much while examining the suspect’s device…Thanks Ian!! See Figure 6.

Figure 6 – ArtEx

In Figure 7 we can see the ZADDITIONALASSETATTRIBUTES table and some key information about IMG_0012.JPG.

Figure 7 – PA SQLite Viewer

I wanted to take a minute and discuss some of the items I discovered while examining at the ZADDITIONALASSETATTRIBUTES table. First notice, that Z_PK entries 1-6 do not have a date in the ZEXIFTIMESTAMPSTRING column. These images were not captured with the test device. They were sent to the test device as MMS from an android device. These photos were then saved to the photos application via the native iOS messenger application. Notice the ZCREATORBUNDLEID indicates com.apple.MobileSMS. See Figure 7.1.

Figure 7.1 ZADDITIONALASSETATTRIBUTES table

Z_PK entries 7-11 and 17-22 were captured with the test device native camera application, launched from the springboard. Notice there isn’t an entry for ZCREATORBUNDLEID, but there is a value for ZIMPORTEDBY. Using the suspect data and the test data, I believe I’ve decoded some of the values. These are preliminary and require additional testing:

  • 0 = Is related to .MOV files.
  • 1 = Captured via native Back facing camera
  • 2 = Captured via native Front facing camera
  • 3 = Third Party Application – Snapchat
  • 6 = Third Party Application – Facebook
  • 8 = Captured via native Back facing Camera
  • 9 = Saved from outside source (SMS, Safari)

Notice there is a binary property list located in the ZREVERSELOCATIONDATA column for each one of these entries. Location services was active for the camera application when the photos were captured. Notice that entries 21 and 22 do not have binary property lists. These photos were captured minutes before the device data was extracted. I believe data did not have time to populate this field prior to the device being acquired. I will discuss the contents of this bplist later in this blog. See Figure 7.2 and Figure 7.3.

Figure 7.2, Figure 7.2.1 and Figure 7.2.2 Screenshots of test device location services settings

Figure 7.2
Figure 7.2.1
Figure 7.2.2
Figure 7.3 ZADDITIONALASSETATTRIBUTES table – PA

Z_PK entries 12-16 were captured via the Camera Application from within iOS Messenger. See Figure 7.4.

Figure 7.4 ZGENERICASSET table and ZADDITIONALASSETATTRIBUTES table – PA

Something to notice here…ZORIGINALFILENAME column. All of the photos captured using the CameraMessagesApp have an UUID as the original file name. If you remember when I was discussing the Photos.sqlite – ZGENERICASSET table, these files are not listed in the ZFILENAME column. Another note, only the JPG files that were created are listed. Remember there were several files created as the result of me capturing a live photo of Dexter using the CameraMessagesApp: 

  • /private/var/mobile/Media/DCIM/100APPLE/IMG_0012.MOV
  • /private/var/mobile/Media/DCIM/100APPLE/IMG_0012.JPG
  • /private/var/mobile/Containers/Data/PluginKitPlugin/45AAD7D6-8C36-411A-B311-04EAE0B5C470/tmp/61777214012__81412243-7181-4BFA-BAE0-7101DC818736.MOV
  • /private/var/mobile/Containers/Data/PluginKitPlugin/45AAD7D6-8C36-411A-B311-04EAE0B5C470/tmp/61777214080__90B95980-BB3C-4A7A-B74E-82C62C923CC2.JPG
  • /private/var/mobile/Library/SMS/Attachments/eb/11/A4BDFF37-B875-44DE-A094-1AC66A6DC059/61777214080__90B95980-BB3C-4A7A-B74E-82C62C923CC2.JPG
  • /private/var/tmp/com.apple.messages/com.apple.MobileSMS/LinkedFiles/CB11EDB0-B428-49A4-9913-2C959289C3BC/61777214080__90B95980-BB3C-4A7A-B74E-82C62C923CC2.MOV

Date, Times and Time Zone:

Notice in the ZADDITIONALASSETATTRIBUTES table ZEXIFTIMESTAMPSSTRING column and the ZGENERICASSET table ZDATECREATED column the dates and time values are being stored in different formats. The values in the ZDATECREATED are natively stored as unix epoch and require conversion, but the values in ZEXIFTIMESTAMPSSTRING column are being stored according to the device time settings when the files were captured. In the test device, the date and time settings were set to auto and the time zone was set to Cupertino also known as Pacific Time (UTC -8 or -7…damn DST). There are other columns within the database that record the time zone setting at the time the files are created ZADDITIONALASSETATTRIBUTES table ZTIMEZONEOFFSET, ZINFERREDTIMEZONEOFFSET and ZTIMESONENAME columns.      

Orientation:

In ZGENERICASSET table there is a column ZORIENTATION. Using the test device data, I determined 1 = Horizontal and 6 = Vertical. The photos I sent from an android to the test device had both horizontal and vertical original orientations. When they were saved to the test device, all of the photos were saved with a horizontal orientation. **Make sure to validate these are correct on each iOS version as they seem to change.

Locations:

In Figure 5 from Physical Analyzer, there is no location data being parsed for the photos that were captured using the CameraMessagesApp. After closer analysis, I could not locate any location data that was recorded within the EXIF data or database metadata for any of the items that were created with com.apple.camera.CameraMessagesApp application. During testing, location services was tuned on and the location was recorded for the files captured with the native camera (com.apple.camera), just not the files captured with com.apple.camera.CameraMessagesApp. Not sure if this is a security feature to conceal the location because the files are being sent via messenger. Note: I did a brief overview of the file at the hexadecimal level and did not find any location data. Additional analysis and research might be required to for a definitive conclusion.

In Figure 8 I have highlighted the columns related to the ZREVERSELOCATIONDATA column. Notice the ZREVERSELOCATIONDATAISVALID column and the values are 1 and 0. I believe based on the test data the values indicate 1 = If available has been populated and 0 = If available has not populated. This also appears to be related to ZGENERICASSET – ZANALYSISSTATEMODIFICATIONDATE. The items with a value of 0 in the ZREVERSELOCATIONDATAISVALID were also missing an Analysis State Modification Date. Additional testing and acquisitions are required for further analysis.

Let’s take a look at ZREVERSELOCATIONDATA bplist. This plist can be viewed from both Cellebrite PA SQLite Viewer and Magnet AXIOM SQLite Viewer, but like I stated earlier I used Ian Whiffins tool Mushy Plist Viewer. The locations discovered within this bplist were accurate as to where the device was located at the time the photos were captured. See Figure 8.1 and Figure 8.2.

Figure 8 we can see the ZADDITIONALASSETATTRIBUTES table – PA
Figure 8.1 ZADDITIONALASSETATTRIBUTES table ZREVERSELOCATIONDATA column – PA
Figure 8.2 ZREVERSELOCATIONDATA Plist in Mushy Plist Viewer

There is a significant amount of data being stored within the Photos.sqlite database and there has been recent research and publications about this database by researchers far more advanced than I. I would strongly encourage you to review the reference material list at the end of this blog for additional details and links to the other research.

I located a Magnet Custom Artifact for Photos.sqlite. The custom artifact was submitted by Costas Katsavounidis. The SQLite query was based on iOS 8 and up operating systems. The custom artifact can be located on Magnet Forensics Custom Artifact Exchange. After reviewing the query and its listed references, I learned of additional decoding for information being stored in the database. During the review, I learned lots of the information being decoded by Costas Katsavounidis’s query also applies to iOS 13. This information, along with the information from Jared Barnhart’s research has been included in the query I used and have shared. Please test and validate prior to using within your cases. I have also submitted the query to be added to the Magnet Custom Artifact Exchange. Here is a link to a google drive for the query and custom artifact:

https://drive.google.com/file/d/1EiZWfahyKShkIo3LPA3T_r4U5LGsFV6Q/view?usp=sharing

Original file name & /private/var/mobile/Containers/Data/PluginKitPlugin/<UUID>/tmp/:

After running the SQLite script in Navicat (paid) and DB Browser (free), I exported the output into a CSV. For this portion, I will again focus on the live photo that was created at the start of this presentation (IMG_0012.JPG). Figure 9 is a portion of the output to show how the files are related:

Figure 9 SQLite script output

Notice the original file name for IMG_0012.JPG is 61777214080__90B95980-BB3C-4A7A-B74E-82C62C923CC2.JPG.

The file 61777214080__90B95980-BB3C-4A7A-B74E-82C62C923CC2.JPG is being stored at:  /private/var/mobile/Containers/Data/PluginKitPlugin/45AAD7D6-8C36-411A-B311-04EAE0B5C470/tmp/

During the examination of the suspect device, some of the files created during this testing process were located, but the more obvious files that should have been present appeared to be deleted. What does that mean?

If this photo was attached to a message, sent to another device, and has not been deleted, there should be a file being stored in the device at: /private/var/mobile/Library/SMS/Attachments/. During testing, the files stored at in the /Containers/Data/PluginKitPlugin/<UUID>/temp and /SMS/Attachments/ locations had the same file name and hash.

In the suspect’s device, I located files being stored in the /private/var/mobile/Containers/Data/PluginKitPlugin/<UUID>/tmp/ file location. Notice that I removed the UUID and replaced it with <UUID>. In the suspect’s device the UUID for this temporary file location was different than the one listed in my test device. Here are the two file paths:

Suspect Device:

/private/var/mobile/Containers/Data/PluginKitPlugin/6E9D5BDD-2BF6-4203-9608-BAEF8CAAD00A/tmp/

Test Device:                                     

/private/var/mobile/Containers/Data/PluginKitPlugin/45AAD7D6-8C36-411A-B311-04EAE0B5C470/tmp/

When this was discovered in the test device, I believed there had to be documentation which indicated a relationship between the temporary file location and an associated application. Figure 10 is a screenshot from Physical Analyzer that shows the temporary file and a view of the file system. Notice in the file system there is a plist in the root of the “45AAD7D6-8C36-411A-B311-04EAE0B5C470 folder.

Figure 10 – PA

In Figure 11 I exported the plist (.com.apple.mobile_container_manager.metadata.plist) and when viewed with Mushy Plist Viewer, I discovered a “MCMMetadataIdentifier: AsciiString = com.apple.CameraMessagesApp.” This appears to be the application associated with the folder path UUID.

Figure 11 Mushy Plist Viewer

Based on the testing and what was observed in the suspect’s device, I came to the conclusion that if a file was stored in this file path, it was captured/created via the CameraMessagesApp.

Note: This was not the only application that was storing data at /private/var/mobile/Containers/Data/PluginKitPlugin. There are several other applications storing data at this location, to include SnapChat. I haven’t gone into detail about the other data contained here, but it would be very beneficial to analyze this file location to see if any evidence you are looking for could be found here.  

Now that we have discussed what files are created during the process of capturing a photo within native iOS messenger, let’s take a look at what’s left behind after deleting one or more of those files.

Scenario #2 What happens when a photo is captured from within native iOS messenger, sent as an attachment message and the message that contained the attachment is later deleted from the conversation thread:

The summary for this scenario is that a photo (IMG_0014.JPG) was captured using Camera Messenger Application. When this photo was captured Live Photos was turned OFF. The photo was captured, attached to a message, and then sent to another device. Later, the sent message with the attachment was deleted from messenger.

On July 29, 2020 at 8:23 PM, via the test device, I disabled live photos.

At 8:26:46 PM, the messages application (com.apple.MobileSMS) was launched from the springboard. See Figure #12.

Figure 12

At 8:27:09 PM, the messages camera application (com.apple.camera.CameraMessagesApp) was launched. See Figure #13.

Figure 13

At 8:27:15 PM, A photo was captured of Dexter via com.apple.camera.CameraMessagesApp. The photo depicted Dexter laying down and his eyes could not be seen in the photo. The photo was attached to a message and sent to an android device. The message did NOT contain a text message. 

Note: This message and the attachment was deleted prior to the device data extraction.

Several other photos were captured via com.apple.camera.CameraMessagesApp and sent via messages to an android device. In Figure 16, notice that all of the other photos sent during testing have the paperclip icon indicating they are attachments.

At 8:30:05 PM, the messages application, com.apple.MobileSMS, was closed.

At 8:57:08 PM, the messages application was launched.

At 8:58 PM, the message and attachment which contained the earlier discussed photo of Dexter was deleted from the message’s conversation thread.

At 9:00:04 PM, the photos application (com.apple.mobileslideshow) was launched and in focus.

At 9:01 PM, The “Recently Deleted” items were accessed and there were no photos being listed in this area. Upon examining the device data using Physical Analyzer, I located an entry for application usage. It indicated the com.apple.mobileslideshow was launched and used between 9:01:30 – 9:01:34 PM. It indicated an “Activity Type: com.apple.mobileslideshow.album.”

Note: I located data within the KnowledgeC database ZSTRUCTUREDMETADATA table that indicated there might be an expiration date for this data. The expiration date was listed in the column labeled: Z_DKAPPLICATIONACTIVITYMETADATAKEY_EXPIRATIONDATE. I have not tested this but wanted to mention it. See Figure 14.

Figure 14 – Timeline

In Figure 15, we can see the timeline for when a photo was captured and a message with the attachment was sent. This is an example of what the data might look life if the message was not deleted. Notice the outgoing MMS Message entry.

Figure 15 – Timeline

Note: This message did not have a body of text sent with the attachment. After testing, I learned if a message is sent and the message has only had an attachment it will not have an entry for KnowledgeC ZSTREAMNAME – /app/intents messages. After additional testing, I learned this also applies if a message has both a body of text and an attachment. Additionally, there will be only one entry in the sms.db – message table for the body of text and the attachment.   

In Figure 16, we can see the files that were created when I captured the live photo. Notice, as previously stated, the files being stored in /SMS/Attachments and /Containers/Data/PluginKitPlugin locations have the same file name.

Figure 16 – Artifacts Media Merged

Let’s get back to the deleted file. In Figure 17 we can see the Artifact view – Media – Thumbnail view and notice the file missing from this process is the photo that would be stored at: /private/var/mobile/Library/SMS/Attachments/.

Figure 17 – Artifacts Media Merged

Figure 18 is another look at the same files but from within Artifacts – Media – Table view. Notice the bar column indicating only two files are being merged with the main record and neither of them are the attachment file.

Figure 18 – Artifacts Media – Table View Similar Items Merged

As mentioned in the previously, the files created and saved to /Containers/Data/PluginKitPlugin/<UUID>/tmp/ will be present regardless if the message and attachment is deleted.

Note: I am not sure how long these files will be present in the device. The files that were present in the first extraction (7/31/2020) were also present in the second extraction (9/5/2020).

Let’s try and find all of the items that are stored in PluginKitPlugin location for that specific application (com.apple.camera.CameraMessagesApp). While in thumbnail view, I filtered the merged similar items based on the UUID “45AAD7D6-8C36-411A-B311-04EAE0B5C470.” See Figure 19.

Figure 19

In Figure 19, all of the duplicates and similar items are merged with each other, hence the layered squares icon on the bottom left of each photo. When examining the icon notifications within Physical Analyzer, I noticed two icons were missing from the highlighted photo. One was the outgoing message icon that indicates a message was sent and the other was the paperclip icon used to indicate attachment. These icons are missing because the message and the attachment were deleted from the message thread. When the message and the attachment were deleted, the associated file being stored at /private/var/mobile/Library/SMS/Attachments/ was deleted. I could not locate the file and it appeared to be removed from the device as soon as the message was deleted.

In Figure 19 the other files being displayed were created via the same method as the one highlighted.

NOTE: It was not this easy when I was examining the suspects device!! There were thousands of photos and I had no idea what I was looking for or what I was looking at once these were found.

Figure 20 is a look into the sms.db – message table and notice there is a missing entry (ROWID 18) for the deleted message.

Figure 20 – sms.db – Messages Table
Figure 21 – Timeline

In Figure 21, we can see the timeline for the photo related to the deleted message and attachment. Notice the outgoing MMS entry is missing from the timeline. Notice the file is being stored in the PluginKitPlugin file location with the UUID file name. Additionally, there is a file being stored in the DCIM file location. We can also see the launched applications and applications in use before and after the photo was captured. This now serves as an indication to me that a message with an attachment might have been sent and then deleted.

Scenario #3 What happens when a photo is captured within native iOS messenger, sent as an attachment message and the photo sent as an attachment is later deleted from the Photos Application:

In Figure 22 we can see within PA a file, IMG_0013.JPG, that was captured using Camera Messenger Application. When this photo was captured Live Photos was turned OFF. The photo was captured, attached to a message and then sent to another device. At a later time, the photo being stored at /private/var/mobile/Media/DCIM/100APPLE was deleted. I was able to extract the device data before the photo was permanently deleted and removed from “Recently Deleted.” In this instance the files that remained on the test device were stored at:

/private/var/mobile/Library/SMS/Attachments/43/03/042886A9-EF88-4ADE-9AE7-013078A63B1F/61777224175__CCFF7725-BFDC-4CAA-84BA-DB045C7EAB28.JPG

/private/var/mobile/Containers/Data/PluginKitPlugin/45AAD7D6-8C36-411A-B311-04EAE0B5C470/tmp/61777224175__CCFF7725-BFDC-4CAA-84BA-DB045C7EAB28.JPG

/private/var/mobile/Media/DCIM/100APPLE/IMG_0013.JPG – “Recently Deleted”

Figure 22 – PA

Let’s take a look at what this looks like in via the SQLite query that was written for the Photos.sqlite database. See Figure 23. Notice that there is a status column for File Trash State and another column File Trash Date. The highlighted file, IMG_0013.JPG, is indicating the file is in the trash and it provides a trash date or the date it was flagged as “recently deleted.” Additionally, notice that there isn’t any missing entries Z_PK 1-22.

Figure 23 SQlite Query

Additional Information about the deleted files:

I restored IMG_0013.JPG from being recently deleted/removed from the trash. The only noticeable change in Photos.sqlite was the file no longer had a Trash State and File Trash Date. I then deleted IMG_0014.JPG, which was then flagged as recently deleted / in the trash. I made this change because I wanted to test if the file stored at /Containers/Data/PluginKitPlugin/<UUID>/tmp/ would remain if all of the other associated files were deleted.

After the file was no longer listed in recently deleted, a second full file system extraction was completed. In Figure 24 and Figure 25 we can see after all of the other associated files were deleted, the file being stored at /private/var/mobile/Containers/Data/PluginKitPlugin/<UUID>/tmp/ still remained.

Figure 24 – PA
Figure 25 – PA

Let’s take a look at what has changed in the Photos.sqlite via the query. See Figure 26. Notice Z_PK 14, the entire entry for IMG_0014.JPG has been deleted.

Figure 26

Summary:

During this blog we discussed some additional file locations that should be analyzed if you have an iOS Full File System (FFS) extraction.

You should check the Photos.sqlite database and review the original file names. This could indicate the existence of additional files to analyze and if a FFS extraction would be beneficial to your investigation.

Additionally, you should check Photos.sqlite creator bundle ID which could indicate which application was being used to capture/create the photo. Using this information, you can locate the appropriate /private/var/mobile/Containers/Data/PluginKitPlugin/<UUID>/tmp file location that can be examined for additional files.

The /private/var/mobile/Containers/Data/PluginKitPlugin/<UUID>/tmp file location can hold vital data that might not be present in other types of extractions. It can also contain files that were deleted by the user and they may not exist elsewhere on the device.  

I could not have completed this research without help from the other outstanding and knowledgeable professionals who have been doing this type of work long before I even acquired my first cell phone. I would like to take this time to say thanks to everyone who shares their experiences with the community and list some resources that I have used during my forensic examinations and to prepare this blog. I hope it can help you as much as it helped me.

Thanks, for going on this journey with me and please feel free to contact me if you have any questions about this research blog. As always, please test and validate your findings and take time to share!     

References and Resources:

Posted to CrowdStrike on August 25, 2020 by Jai Musunuri and Erik MartinFrom From The Front Lines

and many others!

DFIRSummit Laugh Track

First, thank you to everyone for humoring me and submitting jokes. If we cannot laugh at ourselves, we are way too serious. Here are some of my favorites from the DFIR Summit. On a positive note – always try to find the humor in the situation. Especially with all that 2020 has thrown our way. Laugh and smile. 🙂

*Due to covid-19 all TCP applications are being converted to UDP to avoid Handshakes..!!

*Bill Gates walked into an APPLE store and farted but it was APPLE’S fault that they had no WINDOWS

*Do you know why I like UDP jokes?” “I don’t care if you get it or not.

*Why doesn’t Tigger have any friends? Because he plays with Pooh!

*What concert costs just 45 cents? 50 Cent featuring Nickelback!

*This graveyard looks overcrowded. People must be dying to get in.

*On a Friday, its a five minute walk from my house to the bar. It’s a 35 minute walk from the bar to my house. The difference is staggering.

*How can you find a blind man on a nude beach” … come on… it’s not that hard.

*What do dentists call their x-rays? Tooth pics

*Why did the first restaurant on the moon go out of business? It had no atmosphere

*Why do ducks have feathers? To cover their butt quacks!

*My friend said he didn’t understand what cloning was. I said that makes two of us.

*A guy walks into a psychiatrist office fully naked and wrapped in saran wrap from head to toe. The Psychiatrist says I can clearly see you’re nuts.

*Where did the software developer go?! I don’t know, he ransomware!

*I once started a band. We were called 999MB. Unfortunately, we broke up because we couldn’t get a gig.

*When does a joke become a ‘dad’ joke? When it becomes apparent.

*Which computer has the best voice? A Dell.

*How do astronomers organize a party? They planet

*I always knock on the fridge door before opening it. I do it just in case a salad is dressing!

*At a job interview I continued filling my glass of water until it overflowed. “Nervous?” asked the interviewer. “No, I always give 110%”

*Why do milking stools have 3 legs? Because the cow has the udder

*Want to hear a construction joke? I am still working on it!

*Did you hear about the guy who invented the knock-knock joke? He won the ‘no-bell’ prize.

*what made the tomato red/blush? it saw the salad dressing

*a pirate walks into a bar. the bartender notices a GIANT ship steering wheel coming out of his pants. the bar tender asks “hey man, whats with the giant wheel?” the pirate answers (in pirate voice): “Yarrr, its driving me nuts”

*I pulled a muscle digging for gold… Just a miner injury

*I would not buy anything that’s Velcro, it’s a total rip off

*Why did Adele cross the road? To say hello from the other side

*What happens when you go to the bathroom in France? European

*One snowman turns to another snowman and says… “Is it just me, or do you smell carrots too?”

*Where did the military hide their armies? In their sleevies

*What do computers and air conditioners have in common? They both become useless when you open windows.

*There was a gorilla in my garden this morning. He stole my gnomes, my gate, my lawnmower. I didn’t want to say anything in case he took offense.

*Does anyone have any good elevator jokes? They’re just good on so many levels!

*I applied to be a doorman but didn’t get the job due to lack of experience. That surprised me, I thought it was an entry level position.

*I tell dad jokes, but I don’t have kids. Does this make me a faux pa?

*How many developers does it take to change a light bulb? None it’s a hardware problem.

*What are you called if you see a crime at an Apple Store? – An iWitness

*Why should you never trust stairs? They’re always up to something.

*What kind of shorts do clouds wear? Thunderpants

*Why did the duck get arrested? For selling quack

*How much do pirate earrings cost? A buck an ear.

*Have you heard the steak pun? It’s a rare medium well done.

*what did the fish say when he hit the wall…dam

*Why don’t ants get sick? Because they have little antibodies

*What do you call an elephant that doesn’t matter? An irrelephant.

*A chicken coup only has two doors. If it had four, it would be a chicken sedan

*I hate when my wife gets mad at me for being lazy. It’s not like I did anything

*What type of shoes do frogs wear? Open toad

*Why didn’t the invisible man take the job? He couldn’t see himself doing it!

*I take an extra pair of pants when I golf, just in case I get a HOLE IN ONE!

*I got fired from my job at an orange juice factory, I couldn’t concentrate properly

*My wife just completed a 40 week body building program this morning It’s a girl and weighs 7lbs 12 oz

*Researchers have discovered a pod of whales playing instruments. It’s an orca-stra

*bought a cute dog a few days ago. Every time when the doorbell rings he goes to the corner….. it’s a boxer

*Don’t worry if you miss a gym session. Everything will work out.

*What do you call it when Batman skips church? Christian Bale

vWhat do you call a cow that just gave birth? Decaffeinated

*What didn’t the toilet paper cross the road? It was stuck in a crack

*What do sprinters eat before a race? Nothing. They fast

*Why are spiders so smart? They can find everything on the web.

*Why did the cryptographer send back his breakfast? Because the hash wasn’t salted.

*How do you make a tissue dance? You put a lil boogie in it

*Why do cows wear bells? Because their horns don’t work.

*How does a computer get drunk? A. It takes screenshots.

*What do you call it when you have your mom’s mom on speed dial? A. Instagram.

*A man was talking with a psychiatrist saying, “I’m a teepee. I’m a wigwam. I’m a teepee. I’m a wigwam.” The psychiatrist said, “Relax man, you’re two tents.

*why can’t you run while camping? You can only ran because it’s past tents

*Why do cows have hooves and not feet? They lactose

*I went camping, it was intents

*Why can’t a nose by 12 inches long? Because then it would be a foot

*I changed all my passwords to Kenny. Now I have all Kenny Loggins

*How do you make holy water? You boil the hell out of it

*It’s hard to explain puns to kleptomaniacs because they always take things literally

*What is the only car that can safely drive over a speedbump at 70mph?A rental car

*How do you get a squirrel to like you? Act like a nut

*Knock, knock Who’s there? Little ol’ lady. Little ol’ lady who? I didn’t know you knew how to yodel.

I hope you enjoyed the DFIRSummit. 🙂

“Life Has no ctrl+Alt+Del” – The New DFIR online Meetup

A DFIR Meetup

Most important – Sign up here: https://t.co/MqW8jmiCv6?amp=1

Working from home, social-distancing, travel restrictions, and homeschooling all related to COVID-19 have changed our lives. The new normal is not always fun, to be honest. This is why “Life Has No Ctrl+Alt+Del” was created. I wanted a forum where we could casually get together, but also include a way for us to stay engaged.

This is an online meetup/show that happens several days a week to enable you to listen, see and share with others in this community. It is not a formal presentation, sales pitch or place to bore you. It’s an open forum where anyone is welcome to speak! This meetup is supported by Cellebrite, but it’s not a Cellebrite centric event – it’s a DFIR event. Curious, join for at least one!

Name: Life Has No Ctrl+Alt+Del

Link to register: https://t.co/MqW8jmiCv6?amp=1

When: March 30th week – every weekday; after that M, W, F weekly

Host: Heather Mahalik (may have subs, if needed)

Guest Stars: Announced Weekly – Each star will decide if they want it to be recorded – all recordings will be shared!

Hashtag: #DFIRatHome

When you think of this show, I want you to imagine having lunch with friends when a cool conversation spikes. It’s literally that relaxed! I hope to see you on the show soon.

Twitter: @heathermahalik

Twitter: @Cellebrite_UFED

2020 Forensic 4Cast Nominations are open!

I have been meaning to get this out for a bit, so here it is. Something has been keeping me busy – you know kids, work, SANS and being all in the same place together 24 hours a day. 🙂

The forensic 4Cast awards by Lee Whitfield have really become quite a “thing” for many. It’s such a great idea and Lee, well done. You , my friend, give people and companies some to strive toward and I love it.

To nominate- click here: https://forensic4cast.com/forensic-4cast-awards/2020-forensic-4cast-awards/

Let’s get right to it. Opinions are my own and for that if you do not like them, no need to worry. Everyone has their own opinions and some simply want recommendations. Do I work for a vendor – yes. Do I sell training via SANS – yes. Do I have my own brain – YES!

I give a brief snippet for some, but not all. If you want to know who I really nominated, ask me. 🙂

DFIR Commercial Tool of the Year

  1. UFED Ultimate
  2. Elcomsoft Cloud Tools
  3. Oxygen Forensic Detective
  4. Magnet AXIOM

DFIR Non-commercial Tool of the Year

  1. iLEAPP
  2. KAPE
  3. Sysdiagnose scripts – Mattia Epifani, Adrian Leong, Heather Mahalik

DFIR Show of the Year

  1. DFIR Summit – Austin, TX
  2. Techno Security
  3. DFRWS

DFIR Blog of the Year

  1. www.cellebrite.com/blog
  2. www.elcomsoft.com
  3. www.forensicfocus.com

DFIR Article of the Year

  1. https://smarterforensics.com/2019/09/wont-you-back-that-thing-up-a-glimpse-of-ios-13-artifacts/ – shameless plug, but I put a lot of time and research into this right when it was released. 🙂

DFIR Social Media Contributor of the Year

  1. Heather Mahalik
  2. Alexis Brignoni
  3. Sarah Edwards

DFIR Degree Program or Training Class of the Year

  1. Cellebrite CCO/CCPA
  2. SANS FOR585
  3. SANS FOR498

DFIR Groundbreaking Research of the Year

  1. Cellebrite – checkra1n jailbreak development
  2. Sysdiagnose research – Mattia Epifani, Adrian Leong, Heather Mahalik
  3. Axi0mX – checkm8 –  need I say more?

DFIR Newcomer of the Year

  1. Geraldine Blay – She lives for DFIR, tests for everyone and is starting to blog
  2. Josh Hickman – Blogging, providing public images and staying on top of forensics

DFIR Mentor of the Year

  1. Alexis Brignoni – community contributions and work
  2. Scott Lorenz – EDL support and guidance

DFIR Resource of the Year

  1. Cellebrite Ask The Expert (Tip Tues, ATE series) – Provides snippets of information to make you smarter each week.
  2. Heather Mahalik – Cellebrite 😉 – Yes I am laughing, but again with the busting my butt thing to spread knowledge
  3. Digital Forensics Discord- A. Rathbun created this and it rocks

DFIR Team of the Year

  1. Cellebrite – I love my teammates. My SANS teammates wonder who I love more.
  2. SANS – See item 1
  3. Magnet – I have tons of friends at Magnet and they have good morale

Digital Forensic Investigator of the Year

  1. Mattia Epifani – He researches, blogs, teaches and PRODUCES! This man never sleeps.
  2. Shafik Punja – Continuous support to detecting and reporting bugs to vendors to make DF better for everyone.
  3. Ian Wiffin – Thinking outside of the box and developing tools to fill the gaps that commercial tools have yet to address.

So, some shameless plugs in there, but why not – my opinions right? Some categories were harder than others to pick just one, but you have to go with your guy. You will notice that I didn’t nominate Eric Zimmerman (my good friend) for Investigator of the Year. He is the Meryl Streep of the 4Cast! Time for the Hall of Fame Eric. 😉

Nominate now – https://forensic4cast.com/forensic-4cast-awards/2020-forensic-4cast-awards/

iOS 13 – Summary for those of you who enjoy the cliffsnotes

For those of you who don’t have time to read for585.com/ios13, here is a mini summary for you.

First – If the backup is NOT encrypted you will not get:

  • Maps
  • Calls
  • Safari
  • Health
  • Keychain
  • Wallet

Apple has upped their game on protection it seems, so you need to encrypt to extract. I used iTunes in my full blog and just testing PA 7.24 Method 1 with encryption and Method 2 is in progress. Worked like a charm and I got what I expected. You lock it up, or you don’t get much. Bottom line. Jessica Hyde wrote a post on protecting yourself from an accidental sync if using iTunes to create a backup: https://www.magnetforensics.com/blog/three-newer-things-that-may-surprise-you-about-ios-forensics/amp/ If you are using PA, you are protected from this.



While you are going to be forced to read the long blog for the juicy details, here are the file paths you need to be aware of for iOS 13:

  • Contacts /var/mobile/Library/AddressBook/AddressBookImages.sqlitedb
  • Calls /var/mobile/Library/CallHistoryDB/CallHistory.storedata
  • SMS /var/mobile/Library/SMS/sms.db
  • Maps /var/mobile/Applications/com.apple.Maps/Library/Maps/GeoHistory.mapsdata
  • Safari /var/mobile/Library/Safari/History.db
  • Photos Database /var/mobile/Media/PhotoData/Photos.sqlite

The biggest change other than encryption seems to be the use of protobufs, which Sarah Edwards is working on a blog to discuss, settings and how that may determine what is saved to device vs. cloud, Safari artifact storage, and encryption. Please read the full blog for all of the good details and stay tuned for my iOS series, webinars, etc.

Stay tuned for the release of PA 7.24 next week and also for #TipTues on Twitter where I will provide something useful, I hope. 😉

…Won’t you back that thing up: a glimpse of ios 13 artifacts

Don’t lie – the song is already in your head. And if not, maybe it will be by the end. If you know me, titles/taglines, whatever you want to call them, are not my thing. But since testing iOS 13, I feel like I have backed that thing up a billion times! I dump, I examine and then realize something so I then add/delete that “thing” and repeat. Hence the name of this blog!

First things first, Apple didn’t appear to mess with us too much with this update with a few exceptions. First, encryption is everything! Some artifacts moved, while others are back again (pending settings on the device) , some can be controlled by the user and some just stayed the same. For the artifacts that moved – this is where you need to TEST YOUR TOOLS! Do not trust a blog post from a vendor (even one from me) – TRY IT FOR YOURSELF. Testing and validation is so important. There are so many bugs in tool releases and even false claims of support. Try it and then rely on it.

At the time of writing this, Physical Analyzer Method 1 and Method 2 were not supporting iOS 13. A little birdie tells me it will be released next week and I may have seen the beta. For the tools that did acquire, iTunes was used. When this is the case, I just use iTunes so I can control the environment. I like to encrypt my backups because I want Health, Keychain, Safari, Calls, Maps and Wallet, but I did conduct an unencrypted one for comparison and for parsing in one tool that will be discussed in a bit. Did you notice I said Safari, Maps, and Calls in an encrypted backup – yep – stay tuned.

And then I did it again with 13.1 because I didn’t get my blog out fast enough. 🙁 So this blog really covers both, not that I expected major changes in a tiny update.

The backup content looks similar to iOS 12. The major difference was the name of the backup, which is shown below. The top backup is from iOS 13 and the bottom from iOS 12, but the hardware is different.

Bottom line – until I test the full release of Method 1 and Method 2 in PA and fairly compare it, I recommend doing an encrypted iTunes backup and here is why.

Artifact Locations – The good stuff

For this post, I tested my usual suspects of artifacts. The ones that every device should have. Contacts, Call Logs, SMS, iMessage, Maps, Photos, and Safari. Here is what I found:

Artifacts with no path changes or anything drastic:

  • Contacts/var/mobile/Library/AddressBook/AddressBook.sqlitedb
  • SMS/iMessage/var/mobile/Library/SMS/sms.db

My buddy Jared, who also enjoys 90s hiphop pointed out something cool to me. Look at the message below. For anyone working distracted driving cases, this could be amazing for you. Look how the messages were sent! I’m in a rush to get this out, so I hope something like this will be a quick #TipTuesday on where it exists in the sms.db. Thanks Jared!

  • Photos/var/mobile/Media/PhotoData/Photos.sqlite (nothing major about the graphics jumped out upon initial review.

I have been asked so many questions about photos.sqlite lately that it will also be a blog of its own. There is so much goodness contained there! I plan to do another blog on deleted artifacts and how to recover, if possible, so watch out for that. For fun – this is a screenshot I took today to share with Paul all for the fun of testing. You never know what I may share, right Sarah? 😉 Honestly, if you cannot make fun of yourself – you need to relax.

Artifacts with minor changes:

  • Calls/var/mobile/Library/CallHistoryDB/CallHistory.storedata

 For Calls, the data remains the same, but you need an encrypted backup to get the data. Additionally, one file was added –CallHistoryTemp.Storedata. Mine had nothing of interest, but keep an eye on this bugger. It was put there for a reason, I just don’t know the exact one yet. I initially thought that AXIOM missed the calls, but realized I gave AXIOM and unencrypted backup so it could handle the file system view.

 It is worth noting that I deleted a call and could not find it in the free pages of CallHistory.storedata. I tried Physical Analyzer, Oxygen (the trash can feature), BlackLight, AXIOM, Forensic Browser for SQLite (Paul Sanderson) and Mari’ Degrazia’s awesome script https://github.com/mdegrazia/SQLite-Deleted-Records-Parser And guess what – I didn’t find the call. So more on that in another blog. I bet it’s in the cloud… 

  • Health – (yes, I snuck this one in here because it is so valuable) /private/var/mobile/Health – examine the healthdb.sqlite and healthdb_secure.sqlite databases and take note of the new ones. I will write a complete Health blog soon. The tools may not be parsing everything, so refer to the presentation Sarah Edwards and I gave a few years ago: https://github.com/mac4n6/Presentations/blob/master/%23DFIRFIT%20or%20BUST/DFIRFIT.pdf

I do have to call out Oxygen Jet Engine here, who did a nice job on Health. Well done on connecting the device, OS version and locations. See a snippet below. More on this in my Health blog, where I plan to include Android health as well.

Apple switched the path up again – READ this part:

  • Safari/var/mobile/Library/Safari/History.db

IMPORTANT – the history.db is NO LONGER in com.apple.mobilesafari! See below. Here we have a visual of what is included in mobilesafari for an encrypted backup. The history.db. is no longer here. (NOTE: I would  examine all of these databases for relevant info. Mine didn’t have much, but I prefer Chrome.)

Take note here – at the time of testing, not all tools parsed Safari history! I assume they thought the database would remain in mobilesafari and guess what – that no longer exists. We are back to good ‘ole history.db in it’s first home in the Safari directory. Physical Analyzer, BlackLight and AXIOM parsed all of the searches I conducted in iOS 12 and 13 if an encrypted backup was obtained. NOTE – you will not get safari history in unencrypted backups anymore. You will simply get bookmarks and the dummy login for Safari, as shown below.

Additionally, it appears that Safari has moved all of the history data, which is uncommon. This history included much more data than that of iOS 13 and what is show below is history from May 2019 to present. 🙂 Makes it easier on us. Thank you Paul for sharing yours – again, I use Chrome. 

For the tools that didn’t parse Safari history, the database was there and the searches were as well. So they just need to catch up. I will explain which tools missed the artifacts at the end of this blog.

Something else worth noting is that it seems like Safari wants you to go into Private Browsing when you launch it. If this happens, you won’t find anything in history.db. Verify the setting on the iPhone. The user may not even realize it’s happening, which is what occurred while Paul and I were conducting our testing over the past few days. Screenshot of what this looks like for the user is below. Note, once Private is exited, all history is capture in an encrypted backup or Method 1 in PA.

In summary – for Safari, you MUST have an encrypted backup or an encrypted Method 1 from Physical Analyzer. I know this because we tested the beta of PA 7.24 and it works like a charm.  If it’s not encrypted by iTunes or the tool – you will not gain access to  Safari/history.db.  If the user last used Private browsing and did not close Safari, chances are good you will also get nothing. If you want to find Private Browsing traces – sign up for FOR585 Advanced Smartphone Forensic Analysis In-Depth and we will teach you. for585.com/course.  

It’s back – well, depending on your settings!

  • Maps/var/mobile/Applications/com.apple.Maps/Library/Maps/History.mapsdata  – older searches – pre iOS 11 and /var/mobile/Applications/com.apple.Maps/Library/Maps/GeoHistory.mapsdata – iOS 11 and newer searches

I have spent years on Apple Maps. Literally years… While it’s back, only some tools only parsed history.mapsdata! Again, make sure you use a tool that will parse both history.mapsdata and Geohistory.mapsdata. Verify the source of the data for everything parsed as your first clue. This is super important to ensure you aren’t missing information. Vendors – again, make sure you are doing this correctly. I found major gaps. This is what it looks like when the tool does it’s job.

You should also be able to manually examine the Geohistory.mapsdata file for confirmation.

If you see nothing at all for Maps, the user probably enabled the cloud setting for Maps, which seems to skip saving anything to the phone other than the group.com.apple.Maps.plist which stores the last search in Apple Maps and can be found here: /var/mobile/Applications/group.com.apple.Maps/Library/Preferences/. If that isn’t the case, you need to choose a tool you know properly parses Apple Maps.

Here is what the setting looks like that may keep Maps from being saved to the device. I have Maps turned off for iCloud, so the data was saved to Geohistory.mapsdata on my iPhone. On Paul’s device, his was turned on and he didn’t have a Geohistory.mapsdata. The settings seem to control what we can extract. You need to pull iCloud information to extract this and Elcomsoft does a fantastic job.

 

Tool Support

I’m not hiding, I swear!

If you are wondering where I have been, the answer is easy – busy! But I haven’t been ignoring you. Since joining Cellebrite, I have been working on sharing my research through their channels. To be honest, between that and SANS, I haven’t had time to blog on my own. So, here is just my promise to you – I will have another blog on here soon. Most likely on mobile acquisition techniques and iOS 13. I need to update some of the older posts anyway.

If you have missed my work, check out the following new stuff:

Cellebrite Webinar – http://bit.ly/2kx61bR Mastering the Mobile Device Challenges in eDiscovery – Do not let the term eDiscovery sway you from listenting to this. Here, I provided a preview of Physical Analyzer 7.23 as well as hints on what is coming in new releases. Learn about redaction, advanced searches and Legalview.

CellebriteWebinar – http://bit.ly/2kF09NJ – Fantastic Android Encryptions and How to Defeat Them – ‘nuf said 😉

Cellebrite Bloghttps://www.cellebrite.com/en/blog/mission-matters-thats-why-i-joined-cellebrite/

Cellebrite Bloghttps://www.cellebrite.com/en/topics/investigative-techniques/if-i-were-an-investigative-profiler-for-a-day/

DFIR Summit Presenationhttps://github.com/hmahalik/Presentations/blob/master/RollinHatin_iOSCarplay_AndroidAuto.pdf – Sarah Edwards and I researched and presented artifacts relating to iOS CarPlay and Android Auto.

Coming soon:

Cellebrite Connect events – San Fran and Chicago – https://www.cellebrite.com/en/events/

SANS – FOR585 – updated cheat sheets – waiting on iOS 13 to officially be released – Keep your eye out alumni!

Podcast – Cyber Security Interviews with Doug Brush – https://cybersecurityinterviews.com/episodes/ (not yet published)

https://www.cellebrite.com/en/ask-the-expert/ – A video series with methods, tricks and just concepts you should know for investigations. I plan to blog for each one of these.

OSDFCON – iOS Sysdiagnose Bugs – Speaking with Mattia Epifani

ICAC NW – Speaking on Smartphones: How to Reach the Summit When You Have a Mountain of Data

DFIRCON 2019 –https://www.sans.org/event/dfircon-miami-2019/courses/ Teaching FOR585, Running DFIR Netwars with Eric Zimmerman and doing an @Night on A Wild Goose Chase: Hunting For Hard to Find Smartphone Apps and Malware

Published articles – I will tweet about them

A new podcast… just wait for it! I am better at talking when I think of something vs taking the time to write it all down. This is going to be fun!

As always, I will be teaching FOR585 around the world so look out for me. for585.com/course to see where not only me, but the team of instructors who support this are also teaching. We hope to see you there.

How was an iPhone setup?

I’ve realized just how important it is to blog vs just do a webcast when I was completing my course updates. I would stumble upon a webcast, but didn’t have time to watch it, so I looked in another direction. This made me realize that I should write down everything I put into a webcast. Will a webcast hold up in course? Do you have time to watch all of them? Seriously, I am curious about the impact so please let me know.

In 2019 – I am going to write down what I talk about in webcasts. If I have the time, I may try to blog about my speaking events as well (think Keynotes and SANS @Nights). Some blogs may be short and sweet, but this way when someone says, “how can I do X” I will point them to my blog. 🙂

To kick this one off, I am going to simply discuss a file that stores information on how an iOS device was setup. This is a file that I am asked about a few times a week. In many cases, it matters if the user synced from iCloud, started from scratch or restored from iTunes. So here goes!

First, you should be obtaining an encrypted backup at a minimum. If you have the ability to get a full file system dump, even better. Without encryption, I cannot guarantee that all of the files I plan to discuss in upcoming blogs will exist. Make sure your analytical tool of choice will decrypt the data. If you are trying to do this for free follow the steps below.

Creating and parsing an encrypted iOS backup for FREE:

  1. Launch iTunes on your forensic workstation. Update if necessary.
  2. Make sure you Trust the computer on the iPhone.
  3. Create an encrypted backup with a password you will remember (yep, people forget all of the time!)
  4. If you aren’t using a commercial tool or one that supports decrypting the backup, you may have to get crafty. I stumbled upon AnyTrans during my updates and it’s pretty sweet. To use this, you must know the password or crack it (refer to other blog posts in my archives.)
  5. Launch AnyTrans and it will show you if you have locked backups.

6. Select the locked backup (you know it’s locked because the option is to “unlock” it.

7. Enter the password and the backup will be unlocked! The top portion shown below is how the backup directory will look. The original backup remains and the unlocked version is called BackupUnlock. If you peek inside that directory, you will find the backup with the date it was unlocked.

8. From here, you can load the unlocked backup into iBackupBot or your tool(s) of choice (iExplorer, etc.). Note: Some commercial tools HATE this format and will not support it. The free ones seem happy enough!

Now let’s get to that file you care about. Once your backup or image is loaded into your tool, you need to locate the following file: /Library/Preferences/com.apple.purplebuddy.plist. I normally just search for purplebuddy.

This plist stores the SetupState of the device which will tell you how the device was setup by the user.

If the user selected to restore a backup from iCloud, the com.apple.purplebuddy.plist will show:

If the user setup the iPhone using iTunes, the com.apple.purplebuddy.plist will show:

It is worth noting that I am testing on an iOS 12.1.x device and I restored from iTunes in 2 ways to obtain these results. First, I wiped and set up via iTunes and then I also forced a restore of a backup via iTunes. I wanted to be sure the SetupState didn’t change. If you find that the user restored from iCloud, consider pulling cloud data if you are legally capable of extracting that form of evidence. Should you find the user restored from iTunes, you now have to find that host computer to do analysis on other potential backups. This is where the fun begins!

Bottom line, Apple has a ton of plists that are relevant. You need to hunt for them. Do a keyword search, dump your device (yep, use the free way I described above) and VALIDATE!!!

If you want to watch the webcast, check it out here: https://www.youtube.com/watch?v=AC2TpWsLPLQ



CAUTION: iBACKUPBOT and iOS10+ potential issues.

Below I am attempted to do the same thing with iBackupBot, but I ran into iOS version issues.

  1. Launch iBackupBot
  2. Make sure you Trust the computer on the iPhone.
  3. Create an encrypted backup. Notice that the tool is telling you that Backup encryption is turned on? This is good.

4. Select where to save the backup image. I recommend into your case directory for the investigation.

5. The backup will be created and then you can open it in iBackupBot for analysis. Once the backup is complete, it will prompt you to open it. If you have issues, this is an iOS10 error from what I have seen. :/ At this point, revert to iTunes.



Determining when an iOS backup was created

One point of contention in the FOR585 Advanced Smartphone Forensic class is – which files store the correct datetime for when a user created an iOS backup?  I’ve engaged in a few friendly arguments over this topic and it recently popped up again when Lee was teaching in NYC in August. Every time this question comes up, I test it again. I have probably tested this more times than I should have, which is why I am finally putting it in writing.

So, when you are asked – “When did a user last create an iTunes or iCloud backup?” – You can answer with confidence next time.

The first thing to consider is what you are examining. Are you looking at a backup file extracted from a PC or Mac? Are you looking at an iCloud backup? Are you looking at a file system dump created by a commercial or free tool? If you are looking at a backup (iTunes or iCloud) this process is a lot easier. If you are looking at a file system dump created by a tool, this is where the confusion may set in. I hope this blog makes your examination easier by breaking down what is happening for each file. For this test, I used my own iPhone that I use every day. Why? Because I know when I backup and I can then verify dates.

The files we are going to examine for backup datetime activity include:

  • info.plist
  • status.plist
  • manifest.plist
  • device_values.plist

All of these files are important, but the dates inside of each may vary and a smartphone tool may update the date inside of the file. If you are looking at a backup that was extracted from a PC or a Mac, the status.plist will contain the start date and time for an iTunes backup.  The info.plist also stores a datetime and whether the backup was successful (snapshot state), but it is not the start date. It is often the completion datetime and doesn’t state if the backup was successful, which is why I rely on the status.plist, when the file is available. The manifest.plist is more helpful when it comes to dealing with locked backup files that need to be cracked. The date in the manifest.plist is often the same as the date in the info.plist and again this file does not track if the backup was successful or not.

Now here is the tricky part. If you completed a file system dump of an iOS device, the following files will most likely show a date that is NOT when the user created a backup. This date will be when you created the forensic image. This makes people uncomfortable, but it makes sense if you think about it. iTunes (or a process like iTunes) is most likely being used in the background to create the forensic image. It makes sense that these datetimes would be trampled. In this case, I rely on device_values.plist which remains untouched by any tool or method you use to create a forensic image of an iOS device.

At this point I have either confused you or validated what you already know. Either way, let’s take a look at my test.

I dumped my iPhone using Cellebrite Physical Analyzer Method 1. I only did Method 1 because I wanted to make sure that it pulled the device_values.plist and I was doing this test during a lab and didn’t have much time. NOTE: I have noticed in the past that this file may only be pulled using Method 2, so use both just in case. If you are wondering why I recommend both of these extraction methods refer to my previous blog posts. I completed this extraction on August 18, 2018 around 14:20 (I had a few connection issues and had to troubleshoot which is why I state “around”). I did not backup my device at this time other than using my tool to create a file system dump (aka – I did not launch iTunes and create a backup).

The info.plist is shown below. Notice the timestamp matches the extraction completion time and NOT the time the device was backed up by the user? If you used a commercial tool to acquire the device, simply look at the Extraction details to compare extraction time.

Next, I looked at status.plist. Again the date is NOT when the user backed up the device. This is when the extraction completed in Physical Analyzer.

Finally, we look at the manifest.plist. And we see the same date, but a time that occurs before the times in info.plist and status.plist.

I believe this is when Cellebrite scans the phone to determine if the tool should present you with the check box to encrypt the backup, or not, if the device is already encrypted. This is also around the time I started the extraction.  So, this is really just showing you how long the Method 1 extraction took and has absolutely nothing to do with when the user last created a backup. Now we look at the device_values.plist and we get the correct answers.

Not only do we get to see datetimes for iTunes backups, but also iCloud, if the user has ever backed up to cloud under com.apple.mobile.backup. We simply have to decode our datetime stamp for the LastiTunesBackupDate and we get June 4, 2018 at 21:32:42 Eastern Time. (Note: I normally keep it at UTC, but I know when I created my last backup in local time and wanted to compare).

So, in short the forensic extraction methods will update the datetime in status.plist, info.plist and manifest.plist during the acquisition process. If you are conducting analysis of an iOS device image (not a backup) you should rely on the datetime recovered from device_values.plist. If you are dealing with a traditional backup file, use the status.plist for the datetime on when the last successful backup was created.