Week 12 - iOS Data Flashcards
Accessing iOS Data - what are the two security features from iOS v 7.0 onwards?
iOS v. 7.0 onwards - when connecting to a computer with iTunes you get 2 security prompts. First about whether you want to allow the computer to access the info on that iPhone. Then second asking if you trust the computer.
What is a trusted pair lockdown certificate?
When an iOS device connects to a computer (with iTunes installed) and says yes to the 2 security prompts, then a lockdown certificate (or record) is created.
The mobile device and computer exchange cryptographic keys and create a binary XML file (the lockdown certificate / record).
It contains the name of the device and unique ID.
Where are the lockdown records / certificates stored?
- Windows 7/8/8.1/10: C:\ProgramData\Apple\Lockdown
- Mac OS X: /var/db/lockdown
- Windows Vista: C:\Users\[username]\AppData\Roaming\Apple Computer\Lockdown
- Windows XP: C:\Documents and Settings\[username]\Application Data\Apple Computer\Lockdown
How do these lockdown certificates help the forensic investigator?
These lockdown certificates may be used to access data on an iOS device without the unlock code or Touch ID, provided the iOS device has been unlocked at least once since the lockdown certificate was created (iOS 8 and above).
If a device (iOS 8 and above) is turned off at the point of seizure and then turned on for examination, its data cannot be acquired without the unlock code (or biometric ID).
iOS 7 and below can.
However, copying the lockdown certificates from the original paired machine to the examination machine may allow examination of the device without the unlock code.
Computers that have had multiple devices paired will have multiple lockdown certificates.
What are the acquisition options for iOS data?
Depends on a number of factors including the software version, the device type, the user security features enabled and the condition of the device.
- Screen capture
- Direct using non forensic tool
- Backup/Logical Acquisition
- Advanced Filesystem Acquisition
- Physical Acquisition
What does screen capture involve?
In some circumstances it may be necessary to interact with the device manually and to record on-screen information. Not an ideal method, but it can be used if there is no other way to acquire the data.
Need access to an unlocked and functioning device.
What is direct capture using a non-forensic tool?
Non-forensic data management tools like Dr.Fone or iExplorer can be used.
The level of support depends on the iOS version and model. Needs the phone to be unlocked and powered on, or the lockdown certificate installed on the examination machine.
What is back-up / logical acquisition?
Will provide a limited file system acquisition. Uses the iTunes back-up or associated iTunes libraries.
However, one issue is that the user may have enabled a back-up password. This means that any back-up acquisition will be encrypted unless the back-up password is known and entered. Alternatively, a password-cracking tool can be used on the plist password file to attempt to recover the password.
What is advanced File System Acquisition?
- Using forensic tools,
What is a physical acquisition?
A bit for bit version of the device flash memory.
This may provide more information than a logical acquisition such as passwords, messages and app data.
A physical acquisition was possible on devices up to the iPhone 4, which used the vulnerability in the trusted boot to enter DFU mode and bypass security certification. It typically involved the use of a custom RAM disk to obtain a bit-for-bit copy of the flash memory. Apple patched this in later versions.
Do you need iTunes installed on your examination machine?
It depends!
Some forensic tools have an iTunes installation as part of the tool, some require it to be separately installed. Some methods do not require it at all.
What do we need to consider about iOS and Application encryption improvements?
In addition to Apple constantly evolving their security features, individual applications upgrade their encryption and security making it harder to access content.
For example, Signal introducing Post-Quantum Cryptography.
What file types does Apple use to store data?
- plist (property list file type). Most common. File extension is .plist. They commonly store information about the OS, user data and configurations of applications. Data is stored as keys and values (e.g. username = 'carly').
- SQLite databases (.db). These are binary, self-contained database files. Lightweight and portable. Each file is divided into pages that hold data and index information.
Also other file types have emerged over time such as:
- segb
Some data stored on iOS devices is transient and purged regularly without the user's knowledge. Acquire data as soon as possible.
For example, hashed location information and application usage.
What time stamps do iPhones commonly use?
- iPhones commonly use UNIX time or Mac Absolute Time in records.
- UNIX time epoch is 00:00:00 on 1 January 1970 UTC. All UNIX times reference that date, e.g. 1323424800 = 10:00:00 9th December 2011.
- Mac Absolute Time epoch is 00:00:00 on 1 January 2001. All Mac times reference that date, e.g. 3406269600 = 10:00:00 9th December 2011.
- Most forensic tools decode these automatically.
- Free tools such as Dcode or Hex Assistant can also decode them.
What is the UNIX time EPOCH?
UNIX time epoch is 00:00:00 on 1 January 1970 UTC