Week 12 - iOS Data Flashcards

1
Q

Accessing iOS Data - what are the two security features from iOS v 7.0 onwards?

A

From iOS 7.0 onwards, when the device is connected to a computer running iTunes, two security prompts appear. The first asks whether the computer should be allowed to access the information on that iPhone; the second asks whether you trust the computer.

2
Q

What is a trusted pair lockdown certificate?

A

When an iOS device connects to a computer (with iTunes installed) and the user accepts the two security prompts, a lockdown certificate (or record) is created.

The mobile device and computer exchange cryptographic keys and create a binary XML file (the lockdown certificate / record).

It contains the name of the device and its unique ID.

3
Q

Where are the lockdown records / certificates stored?

A
  • Windows 7/8/8.1/10: C:\ProgramData\Apple\Lockdown
  • Mac OS X: /var/db/lockdown
  • Windows Vista: C:\Users\[username]\AppData\roaming\Apple\Computer\Lockdown
  • Windows XP: C:\Documents and Settings\[username]\Application Data\Apple Computer\Lockdown
4
Q

How do these lockdown certificates help the forensic investigator?

A

These lockdown certificates may be used to access data on an iOS device without the unlock code or Touch ID, provided the iOS device has been unlocked at least once since the lockdown certificate was created (iOS 8 and above).

If a device (iOS 8 and above) is turned off at the point of seizure and then turned on for examination, its data cannot be acquired without the unlock code (or biometric ID). iOS 7 and below can.

However, copying the lockdown certificates from the original paired machine to the examination machine may allow examination of the device without the unlock code.

Computers that have had multiple devices paired will hold multiple lockdown certificates.

5
Q

What are the acquisition options for iOS data?

A

Depends on a number of factors, including the software version, the device type, the user security features enabled and the condition of the device.

  • Screen capture
  • Direct using non forensic tool
  • Backup/Logical Acquisition
  • Advanced Filesystem Acquisition
  • Physical Acquisition
6
Q

What does screen capture involve?

A

In some circumstances it may be necessary to interact with the device manually and to record the on-screen information. Not an ideal method, but it can be used if there is no other way to acquire the data.
Requires access to an unlocked and functioning device.

7
Q

What is direct capture using a non forensic tool?

A

Non-forensic data management tools such as Dr.Fone or iExplorer can be used.
The level of support depends on the iOS version and model. Requires the phone to be unlocked and powered on, or the lockdown certificate installed on the examination machine.

8
Q

What is back-up / logical acquisition?

A

Provides a limited file system acquisition. Uses the iTunes back-up or associated iTunes libraries.

One issue, however, is that the user may have enabled a back-up password. Any back-up acquisition will then be encrypted unless the back-up password is known and entered, or a password-breaking tool is used on the plist password file to attempt to obtain the password.

9
Q

What is advanced File System Acquisition?

A
  • Using forensic tools,
10
Q

What is a physical acquisition?

A

A bit-for-bit copy of the device's flash memory.

This may provide more information than a logical acquisition, such as passwords, messages and app data.

A physical acquisition was possible on devices up to the iPhone 4, which used the vulnerability in the trusted boot to enter DFU mode and bypass security certification. It typically involved the use of a custom RAM disk to obtain a bit-for-bit copy of the flash memory. Apple patched this in later versions.

11
Q

Do you need iTunes installed on your examination machine?

A

It depends!
Some forensic tools include an iTunes installation as part of the tool, some require it to be separately installed, and some methods do not require it at all.

12
Q

What do we need to consider about iOS and Application encryption improvements?

A

In addition to Apple constantly evolving its security features, individual applications upgrade their encryption and security, making it harder to access content.

For example, Signal introducing post-quantum cryptography.

13
Q

What file types does Apple use to store data?

A
  • plist (property list file type): the most common. File extension is .plist. They commonly store information about the OS, user data and application configurations. Data is stored as keys and values (e.g. username = 'carly').
  • SQLite databases (.db): binary, self-contained database files. Lightweight and portable. Each file is divided into pages that hold data and index information.

Other file types have also emerged over time, such as:
  • segb

Some data stored on iOS devices is transient and purged regularly without the user's knowledge, so acquire data as soon as possible.
Examples include hashed location information and application usage.

14
Q

What timestamps does the iPhone commonly use?

A
  • iPhone commonly uses UNIX time or MAC Absolute Time in records
  • UNIX time epoch is 00:00:00 on 1 January 1970 UTC
  • All UNIX times reference that date, e.g. 1323424800 = 10:00:00 9th December 2011
  • MAC Absolute Time epoch is 00:00:00 on 1 January 2001
  • All MAC times reference that date, e.g. 3406269600 = 10:00:00 9th December 2011
  • Most forensic tools decode timestamps automatically
  • Free tools such as DCode or Hex Assistant can also decode them
15
Q

What is the UNIX time EPOCH?

A

UNIX time epoch is 00:00:00 on 1 January 1970 UTC

16
Q

What is the MAC Absolute Time EPOCH?

A

MAC Absolute Time epoch is 00:00:00 on 1 January 2001

17
Q

What are Property Lists?

A
  • Property lists (plists) organize data into named values and lists of values using several object types
  • iPhone uses property lists to store data and preferences from applications
  • Two common types are used: Extensible Markup Language (XML) and binary

Some forensic tools have plist viewers integrated. There are also free online viewers.

18
Q

What are the key features of XML plist files?

A
  • XML plist files can be viewed in a text editor
  • Begins with a standard header:
    <?xml version="1.0" encoding="UTF-8"?>
  • A Document Type Definition (DTD) follows the header and indicates the file is a plist:
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
19
Q

What are the key features of a binary plist file?

A
  • Have a hex header value of 62706C6973743030 (bplist00 in ASCII, i.e. binary plist 00)
  • Not easily viewed in a text editor
20
Q

What are some plist files that may be useful to the investigator?

A

  • WiFi connections history
    /private/var/Preferences/SystemConfiguration/com.apple.network.identification.plist
  • Known WiFi networks list
    /private/var/Preferences/SystemConfiguration/com.apple.wifi.plist
  • IMSI/ICCID data
    /private/var/mobile/Library/Preferences/com.apple.commcenter.plist
  • Installed applications list
    /private/var/mobile/Library/Preferences/com.apple.springboard.plist
  • Springboard
    /private/var/mobile/Library/Preferences/com.apple.springboard.plist
  • Last Maps search
    /private/var/mobile/Library/Preferences/com.apple.Maps.plist
  • YouTube videos recently viewed
    /private/var/mobile/Library/Preferences/com.apple.youtube.plist
  • Private keys used for desktop sharing
    /private/var/root/Library/Lockdown/pair_records
  • Recent Safari searches
    /private/var/mobile/Library/Preferences/com.apple.mobilesafari.plist
  • List of all installed applications
    /private/var/mobile/Library/Caches/com.apple.mobile.installation.plist
  • Application configuration information
    /private/var/mobile/Library/Preferences

21
Q

What are SQLite databases?

A
  • Lightweight, cross-platform, open source database
  • Uses Structured Query Language (SQL) for data operations
  • Deployed in other mobile phone operating systems such as Android, Symbian and BlackBerry
  • iOS stores a large volume of data in SQLite databases, with the potential to hold deleted information
22
Q

What are the key features of SQLite files?

A
  • Files can sometimes have no extension, or .db or .sqlitedb
  • Common 15-byte header as viewed in a hex editor: 53514C69746520666F726D61742033 (SQLite format 3)
23
Q

How to view SQLite Files?

A
  • SQLite files can be viewed using tools such as SQLite Database Browser
  • Available at http://sqlitebrowser.org/
  • Most forensic tools have an integrated SQLite tool
24
Q

How can you use SQL Commands to find relevant data?

A
  • Numerous SQLite databases exist on an iPhone
  • They can contain a large volume of records, which can include deleted data
  • Common SQL commands can be used to retrieve (query) data from the databases
  • The SELECT command is used to query the database for data
  • Additional information must be included in the statement to identify the column and table the data is to be retrieved from
  • If data from multiple columns is required, a comma (,) is placed between each column name
    e.g. SELECT column1, column2, column3
  • If data from all columns is to be retrieved, the wildcard character * can be used
    e.g. SELECT *
  • FROM is used in the statement to identify the table the data should be extracted from
    e.g. SELECT * FROM table
    SELECT column1 FROM table1
    SELECT column1, column2 FROM table1
    SELECT column1, column4 FROM table1
25
Q

Example SQL Command: What would the command SELECT * FROM _SqliteDatabaseProperties retrieve?

A

It would retrieve all data from the _SqliteDatabaseProperties table

26
Q

Example SQL Command: What would the command SELECT value FROM _SqliteDatabaseProperties retrieve?

A

All of the data from the value column in the _SqliteDatabaseProperties table

27
Q

More SQL Commands

A
  • In order to search for particular data, conditions are used to specify what should be returned
  • Data can be searched for that is:
    1. equal (=) to a value
    2. not equal (<>) to a value
    3. like (LIKE) a value
    4. between (BETWEEN) values
  • A test value must be defined for the search to look for in the column
  • The % character is used to search within strings for a keyword
  • Single quotes ('') must be used around values in text-based queries
28
Q

List some common databases that may be useful to an investigator

A

** note that not all may be visible unless the phone is jailbroken **

  • Call History
    /private/var/wireless/Library/CallHistory/call_history.db
    /private/var/wireless/Library/CallHistory.storedata
    /var/mobile/Library/CallHistoryDB/CallHistory.storedata
  • Contacts
    /private/var/mobile/Library/AddressBook/AddressBook.sqlitedb
    /private/var/mobile/Library/AddressBook/AddressBookImages.sqlitedb
  • Calendar
    /private/var/mobile/Library/Calendar/Calendar.sqlitedb
  • Notes
    /private/var/mobile/Library/Notes/notes.sqlite
  • Location Information
    /private/var/root/Caches/locationd/consolidated.db
    /private/var/root/Caches/locationd/cache_encryptedA.db
  • Voicemail
    /private/var/mobile/Library/Voicemail/voicemail.db
    /private/var/mobile/Library/Voicemail/ directory
  • Images Metadata
    /private/var/mobile/Media/PhotoData/Photos.sqlite
  • Safari Bookmarks and Cache
    /private/var/mobile/Library/Safari/Bookmarks.db
    /private/var/mobile/Library/Caches/com.apple.mobilesafari/Cache.db
29
Q

List some additional data that may be of interest (some may be encrypted and some are temporary / transient)

A
  • Downloaded Applications
    /private/var/mobile/Applications/
  • Recordings
    /private/var/mobile/Media/Recordings/
  • Images
    /private/var/mobile/Media/DCIM
    /private/var/mobile/Media/PhotoData/Photos.sqlite
  • Screen Snapshots
    /private/var/mobile/Library/Caches/Snapshots
  • Keyboard Cache
    /private/var/mobile/Library/Keyboard/dynamic-text.dat
  • KnowledgeC (introduced in iOS 11)
    /private/var/mobile/Library/Coreduet/Knowledge/

Additional Data
  • Safari History
    /private/var/mobile/Library/Safari/History.db
  • Maps
    /private/var/mobile/Applications/com.apple.Maps/Library/Maps/History.mapsdata (pre iOS 11)
    /private/var/mobile/Applications/com.apple.Maps/Library/Maps/GeoHistory.mapsdata (iOS 11 onwards)
  • Health
    /private/var/mobile/Health
  • Biome (introduced in iOS 15)
    /private/var/mobile/Library/Biome
    /private/var/mobile/Library/Biome/Streams/