9(2) Forensic Opportunities - iOS devices Flashcards

1
Q

What is the iOS Bootrom Exploit (checkm8)?

A
  • discovered by the researcher axi0mX
  • applicable on iPhone 4s up to iPhone X
  • it is a Boot ROM vulnerability, so it cannot be patched remotely by Apple.
  • checkm8 is the exploit that makes a full file extraction possible on these devices - making it game-changing for LE
  • To exploit the vulnerability and obtain a full file extraction, the device needs to be jailbroken
  • checkra1n is the tool used to exploit this vulnerability and is integrated into many iOS forensic tools. Requires the device to be put into DFU mode.
  • A full file extraction using checkra1n is possible when the passcode is KNOWN
  • if the passcode is not known then a partial extraction can be done in BFU mode (Before First Unlock).
  • Can use GrayKey to brute force the passcode on an iPhone.
2
Q

What is DFU mode?

A

DFU = Device Firmware Upgrade.

Allows the user to choose which firmware version they wish to install.

3
Q

iOS Evidence - Wifi and Cell site evidence: What files contain relevant data?

A

◼ /private/var/root/Library/Caches/location/cache_encryptedB.db
Contains data that assists in identifying where the user has been, from:
- WifiLocation info
- LteCellLocation info

◼ /private/var/root/Library/Caches/com.apple.wifid/ThreeBars.sqlite
- contains wifi connections

◼ /private/var/root/Library/Caches/com.apple.routined/Cache.sqlite
- ZRTWIFIACCESSPOINTMO (wifi access point info)
- ZRTCLLOCATIONMP

These can be accessed once the device has been jailbroken.

4
Q

How can you view sqlite database files?

A

The ThreeBars.sqlite database can be viewed using the application DB Browser for SQLite.

5
Q

How are apple timestamps stored?

A

Core Data is a data storage framework used to manage objects in iOS and OS X applications. It is part of the Cocoa API.

A Core Data timestamp (AKA Mac Absolute Time) is the number of seconds or nanoseconds since MIDNIGHT on 1st January 2001.

The difference between a Core Data timestamp and a Unix timestamp is 978307200 seconds (Unix time being seconds since 1st January 1970).

6
Q

How can you convert core data timestamps to human readable time?

A

Use epochconverter.com/coredata

7
Q

How can we understand the wifi data?

A

wigle.net allows us to enter either the MAC address (BSSID) of the access point or the latitude and longitude, both taken from the sqlite database, and gives us information about it.

8
Q

Where can we find cell site evidence (iOS) - i.e. what files contain this after doing a full file system extraction using checkra1n?

A

◼ locationd_cacheencryptedAB_celllocation.txt

The cell site information can then be parsed using the
APOLLO Parsing Tool

https://github.com/mac4n6/APOLLO/blob/master/modules/locationd_cacheencryptedAB_celllocationharvest.txt

Can use antennasearch.com to enter the cell tower info from the cell location sqlite database.

9
Q

Where can we find location data (iOS) - i.e. what files contain this after doing a full file system extraction using checkra1n?

A

/private/var/root/Library/Caches/locationd/
◼ cache_encryptedB.db
◼ cache_encryptedA.db
◼ lockCache_encryptedA.db

The location data can be analysed using an iOS location scraper tool:
iOS Location Scraper
https://www.mac4n6.com/blog/2016/6/6/new-script-ios-locationsscraper

10
Q

Why are iPhone backup files important?

A

May contain backups of deleted files.

11
Q

Where can we find iPhone backup files?

A

◼ /private/var/mobile/Library/Preference/com.apple.mobile.ldbackup.plist

Contains a LastCloudBackupDate (can view this and determine when it was last backed up to iCloud - a copy can then be requested from Apple). Needs converting from an Apple Cocoa Core Data timestamp.

There is a free tool to decipher the backup from deciphertools.com (the Decipher Backup Browser).

12
Q

Where do you find the SMS content (iOS)?

A

◼ SMS Folder
- sms-temp.db (contains all SMS messages since last successful unlock)

13
Q

What are some iOS files of Interest?

A

◼ CallHistoryDB
- CallHistory.storedata
- CallHistoryTemp.storedata (call history since last successful unlock of device)

◼ CrashReporter
- Crash Logs
- WiFi Manager Logs
- Sysdiagnose Logs

◼ WiFi Subfolder
- Sysdiagnose Wi-Fi Net Script (free tool)
- Sysdiagnose Wi-Fi KML Script (free tool)

14
Q

List some other important files relating to iPhone connections

A

◼ /private/var/db/dhcp_leases (DHCP logs)

◼ /private/var/db/dhcpclient/leases

◼ /private/var/mobile/Library/preferences/com.apple.MobileSMS.plist

◼ /private/var/mobile/Library/preferences/com.apple.locationd.plist

◼ /private/var/mobile/Library/preferences/com.apple.wifi.plist

◼ /private/var/mobile/Library/Caches/location/cache.plist

15
Q

What is APOLLO?

A

Apple Pattern Of Life Lazy Outputter

  • location mapping
  • personal health
  • apps used
16
Q

What is knowledgeC.db?

A

knowledgeC.db is a SQLite database file.
It is part of the Knowledge framework, which Apple uses to collect and manage various usage metrics and behaviour data on the device.
Used for:
- Activity tracking
- Contextual suggestions
- Analytics