Recovering Evidence, Personal Data, and Corporate Assets
First Edition September 2008
ISBN 978-0-596-15358-8
138 pages
EUR38.00, SFR64.90
Table of Contents
- Chapter 1: Introduction to Computer Forensics
Forensic science dates back as early as the third century B.C., to Archimedes. Its most modern roots came from the mid to late 1800s, from a man named Henry Faulds. Faulds was a Scottish doctor, archaeologist, and missionary. Discovering fingerprints that had been left in ancient pottery, Faulds published a paper in 1880 suggesting that fingerprints could be used to uniquely identify criminals. This dovetailed with the work of William J. Herschel, a British officer stationed in India, who had previously been using fingerprints and handprints as a means of identification on legal notes.

Modern-day forensics can be described as the fusion of methodology and science, as it applies to the scientific process of documenting an event or an artifact. As it pertains to criminal and civil court cases, the science and methodology that is performed must adhere to rules of evidence and practices generally accepted within the given legal jurisdiction.

Computer forensics is a branch of forensic science involving the application of science and methodology to preserve, recover, and document electronic evidence. Instead of dealing with dead bodies, examiners in this field deal with dead hard drives. As it pertains to the iPhone, your challenge is even greater in that you will be examining an embedded device, which has been intentionally closed off and was not intended for recovery.

(End of preview; the remainder of this section is not viewable here.)
- Making Your Search Legal
Before getting started, it's important to emphasize the need for keeping your search legal. In a corporate environment, the company usually has no legal right to seize or examine a personal device belonging to the employee, but can usually examine devices belonging to the company. In a corporate environment, therefore, it's important to verify ownership of the device before performing an examination. Your department should implement an inventory procedure to record the International Mobile Equipment Identity (IMEI) and serial numbers of all corporately owned mobile devices to establish ownership prior to examination. Otherwise, your evidence may be ruled inadmissible if criminal charges are filed, and you may even expose the company to a lawsuit.

Law enforcement officers should follow the appropriate steps to acquire a search warrant for the device and the desktop machine. The search warrant should specify all electronic information stored on the device, including but not limited to text messages, calendar events, photos and videos, caches, logs of recent activity, map and direction queries, map and satellite imagery, personal alarms, notes, music, email, web browsing activity, passwords and personal credentials, fragments of typed communication, voicemail, call history, contacts, information pertaining to relationships with other devices, and items of personal interest.
- Rules of Evidence
In both civil and criminal cases, five general rules are used to weigh the value of evidence. These five rules are:

- Admissible: Evidence must have been preserved and gathered in such a way that it can be used in court. Many different errors can be made that could cause a judge to rule a piece of evidence inadmissible. These include failure to obtain a proper warrant, breaking the chain of custody, and mishandling or even destroying the evidence.
- Authentic: The evidence must be relevant to the case, and the forensic examiner must be able to account for the origin of the evidence. For example, intercepting an email transmission is not enough to prove that the alleged sender was responsible for the message. A relationship must be established between the message and the computer it was sent from. It will also need to be established, beyond reasonable doubt, that there was a relationship between the computer, the message, and the person who sent the message.
- Complete: When evidence is presented, it must tell the whole story. A clear and complete picture must be presented that can account for how the evidence came to be. If unchecked, incomplete evidence may go unnoticed, which can be even more dangerous than no evidence at all. As a recent example, consider the case of a man who was charged with possession of child pornography. The evidence presented showed that the images had been downloaded onto the man's work computer, but it wasn't until much later in the case that the defense revealed that the images had been downloaded by a virus on the machine, and not by the defendant. An innocent man was almost convicted and put in prison because the prosecution's examiner did not present complete evidence, and a jury is not technically savvy enough to see this. With all of the different processes running on a computer, it's critical to be able to tie a piece of evidence to its origins and tell the whole story.

- Good Forensic Practices
As you practice the techniques in this book, keep the following in mind.

Never work on original copies of evidence. As soon as you recover evidence, create a read-only master copy and check it into a digital vault. All further processing should be performed on copies of the evidence. Since you're dealing with digital evidence, and not old 8-tracks, the copies you make will be identical to the masters. Some tools, if not used properly, can make modifications to the data that's being operated on.

In addition to this, never run any applications on the device until after you've recovered and checked in the evidence. Any time you use the device, something on the disk is likely to be changed. Perform only the tasks that are absolutely necessary, and keep your intrusion into the system minimal.

Whenever a master copy is made, use a cryptographic digest such as MD5 to ensure the evidence hasn't been altered in any way. Collision attacks against MD5 are practical, so record a stronger digest such as SHA-256 alongside it. Digests should be stored separately from the data itself, so as to make it even more difficult to tamper with. Digests and proper documentation will help ensure that no cross-contamination has taken place.

In addition to this, document all of the methods you used to collect and extract the evidence. Detail your notes enough that another examiner could reproduce them. This isn't a rule of thumb, but rather is required in many cases. Your work must be reproducible should another forensic examiner challenge your evidence. If your evidence cannot be reproduced, a judge may rule it inadmissible.

Simply walking into a crime scene destroys evidence: footprints, blood, hairs, and even computer bits can get stomped on when processing the crime scene. It's important to document your entire recovery process, and especially any intentional changes made. For example, if your forensic tool of choice sliced up the disk image to store it, this must be documented. You should document every time you reboot the device, sync it to a desktop case-evidence account, or use an application.
- Technical Processes
This book covers the following key technical processes:

- Physical handling: The physical handling of the device, prior to its examination. This includes dusting for prints and ensuring you have the right equipment to keep the device charged and connected. You'll also want to remove the SIM card from the device or place the device in a Faraday cage. A Faraday cage is a shielded enclosure that blocks electromagnetic fields, including cellular transmissions. Note that removing the SIM silences only the cellular radio; shielding also blocks Wi-Fi, over which the device can otherwise keep receiving data and changing its on-disk state.
- Establishing communication: Unlike a desktop machine, where the hard disk can be removed, mobile devices cannot generally be imaged unless you have special equipment to perform chip dumps. As a result, the device must be "talked to" in order to recover evidence. Establishing communication with the device means setting up the proper physical and network connections to install a forensic toolkit and perform recovery.
- Forensic recovery: The recovery process involves extracting the evidence from the device to create a master copy. This requires special integrity checks to ensure the data hasn't changed between the iPhone and the desktop.
- Electronic discovery: Electronic discovery is the process by which the evidence is processed and analyzed. During this stage, deleted files are recovered and the live filesystem is analyzed. The evidence discovered here will ultimately build an explanation of the evidence that will be delivered through an attorney.

- Chapter 2: Understanding the iPhone
Although different models of the iPhone vary, the following core components are commonly found in Apple's first-generation iPhones (capability: equipment):

- CPU: Samsung/ARM S5L8900B01 512 Mbit SRAM
- EDGE: Infineon PMB8876 S-Gold 2 EDGE Baseband Processor
- GSM: Infineon M1817A11 GSM RF Transceiver
- Disk: Samsung 65-nm 8/16 GB (K9MCG08U5M), 4 GB (K9HBG08U1M) MLC NAND Flash
- Amplifier: Skyworks SKY77340-13 Signal Amplifier
- Wireless: Marvell 90-nm 88W8686
- I/O Controller: Broadcom BCM5973A
- Flash Memory: Intel PF38F1030W0YTQ2 (32 MB NOR + 16 MB SRAM)
- Audio Processor: Wolfson WM8758
- Bluetooth: CSR BlueCore 4
- Touchscreen: Philips LPC2221/02992

The iPhone runs a mobile build of Mac OS X 10.5 (Leopard), which has many similarities to its desktop counterpart. The primary differences include:

- ARM architecture: The iPhone uses the ARM (Advanced RISC Machine) processor architecture, originally developed by ARM Ltd. In contrast, the majority of desktop machines use the Intel x86 architecture.
- Hardware: Special hardware has been added to the iPhone to make it an effective and powerful mobile device. This includes various sensors, such as an accelerometer and proximity sensor, a multi-touch capable screen to support gestures, and of course various radios including GSM, Wi-Fi, and Bluetooth.
- User interface frameworks: Apple has built a custom set of user interfaces around the iPhone to accommodate the proprietary hardware sensors and the use of multi-touch. While the desktop version of Leopard contains frameworks for building windows and common controls, the iPhone version of Leopard has replaced these frameworks with a version tailored for creating simple page-like user interfaces, transitions, and finger-friendly controls such as sliders and picker wheels.

- What's Stored
While limited portions of personal data can be viewed directly on the iPhone using the GUI interfaces in the iPhone's software, much more hidden and ostensibly deleted data is available by examining the raw disk image, which is why forensic examination of the iPhone is so important. Not only is the live data on the iPhone of interest, but the deleted information can be of even greater benefit. Because a significant amount of personal information is stored in database files, some deleted information remains live on the filesystem, possibly being retained for months or longer.

It is extremely difficult to permanently delete data from an iPhone; however, more recent versions of the software have added a secure wipe feature to assist in this process. Many users believe that the iTunes "restore" process formats the device, but in actuality even this leaves a majority of the old data intact, just not directly visible. In fact, at one time, Apple's own refurbishing process appeared to have taken the iPhone's restore mode for granted: many refurbished devices were reported to contain personal information from the last owner!

Information stored by the iPhone includes:

- Keyboard caches containing usernames, passwords, search terms, and historical fragments of typed communication. Nearly everything typed into the iPhone's keyboard is stored in a keyboard cache, which can linger even after it has been deleted.
- Screenshots preserved of the last state of an application, taken whenever the Home button is pressed or an application is exited. These are used by the iPhone to create aesthetic zoom effects, and often provide several dozen snapshots of user activity.
- Deleted images from the user's photo library, camera roll, and browsing cache, which can be recovered using a data carving tool.
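The carving step referred to under Electronic discovery and in the last item above (deleted images recovered with a data carving tool) works on the raw image rather than the filesystem, so it finds files that no directory entry references any more. The following Python is an added example, not code from the book or its toolkit: a signature-based JPEG carver that walks the JPEG marker structure instead of stopping at the first FF D9 it meets, so the EXIF thumbnail embedded in a camera-roll photo is not mistaken for the end of the outer image. The sample blob, the helper that builds marker-correct test JPEGs, and the offset-based output file naming are all constructed for the example.

```python
"""Added example (not the book's code): carve JPEG files out of a raw
partition image by signature, so photos that no directory entry references
any more can still be recovered from unallocated space. The marker layout
used is the JPEG standard's; the sample JPEGs built below are constructed
test input with correct framing but no decodable picture data."""
import mmap
import os
from typing import List, Tuple

SOI = b"\xff\xd8\xff"        # start of image, followed by the first marker byte
MAX_JPEG = 16 * 1024 * 1024  # stop walking a candidate after 16 MiB without an EOI


def jpeg_length(blob, start: int, limit: int = MAX_JPEG) -> int:
    """Length of the JPEG whose SOI is at blob[start], or -1 if the marker
    structure breaks or no EOI turns up within limit bytes. Each non-standalone
    marker carries a 2-byte big-endian length that includes itself, so an
    APP1/EXIF segment holding a thumbnail (with its own SOI and EOI) is skipped
    whole instead of being mistaken for the end of the outer image."""
    end = min(len(blob), start + limit)
    i = start + 2                      # past SOI
    in_scan = False                    # True once SOS has been seen
    while i + 1 < end:
        if blob[i] != 0xFF:
            if in_scan:                # entropy-coded byte, keep going
                i += 1
                continue
            return -1                  # a marker was expected here
        m = blob[i + 1]
        if m == 0xFF:                  # fill byte before a marker
            i += 1
        elif m == 0xD9:                # EOI
            return i + 2 - start
        elif m == 0x00 or 0xD0 <= m <= 0xD7 or m in (0x01, 0xD8):
            i += 2                     # stuffed FF, RSTn, TEM, stray SOI: no length
        else:
            if i + 4 > end:
                return -1
            seglen = int.from_bytes(blob[i + 2:i + 4], "big")
            if seglen < 2:
                return -1
            i += 2 + seglen            # skip the whole segment
            if m == 0xDA:
                in_scan = True         # entropy-coded data follows the SOS header
    return -1


def carve_jpegs(blob) -> List[Tuple[int, bytes]]:
    """Return (offset, bytes) for every well-formed JPEG found in blob, which
    may be a bytes object or an mmap. Scanning resumes after each carved file
    and one byte past a header that did not pan out."""
    found, pos = [], 0
    while True:
        start = blob.find(SOI, pos)
        if start < 0:
            return found
        n = jpeg_length(blob, start)
        if n < 0:
            pos = start + 1
            continue
        found.append((start, bytes(blob[start:start + n])))
        pos = start + n


def carve_to_dir(image_path: str, out_dir: str) -> List[str]:
    """Carve from an image file on disk. The image is memory-mapped, so a
    full-size media partition does not need to fit in RAM, and each hit is
    written as <offset>.jpg so its origin in the image stays on record."""
    os.makedirs(out_dir, exist_ok=True)
    paths = []
    with open(image_path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        for off, data in carve_jpegs(mm):
            path = os.path.join(out_dir, "%012x.jpg" % off)
            with open(path, "wb") as out:
                out.write(data)
            paths.append(path)
    return paths


def build_sample_jpeg(scan: bytes, thumbnail: bytes = b"") -> bytes:
    """Constructed test input: SOI, an APP1 segment (optionally wrapping a
    thumbnail JPEG, as EXIF does), a minimal SOS header, dummy scan bytes
    that contain no 0xFF, and EOI. Marker-correct, not a viewable picture."""
    app1 = b"Exif\x00\x00" + thumbnail
    sos = b"\x01\x01\x00\x00\x3f\x00"
    return (b"\xff\xd8"
            + b"\xff\xe1" + (len(app1) + 2).to_bytes(2, "big") + app1
            + b"\xff\xda" + (len(sos) + 2).to_bytes(2, "big") + sos
            + scan + b"\xff\xd9")
```

Naming each output by its byte offset is deliberate: it records where in the image the file came from, which is the origin information the Rules of Evidence section asks an examiner to account for. Run carve_to_dir on a working copy of the media-partition image, never on the master.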
- Equipment You’ll Need
In order to process an iPhone as evidence, you'll need the following:

- A desktop/notebook machine running either Mac OS X Leopard or Windows XP. The tools used in this book are also compatible with Tiger and Vista but are not as widely tested. Examples in this book are provided for both operating systems, so use whichever you're most comfortable with. Due to the compatibility of the iPhone and its native HFS filesystem, however, it is easier to operate on the iPhone's live filesystem using a Leopard-based Mac.
- An iPhone USB dock connector or cable. This will be required to install the forensic recovery toolkit into a nondestructive location on the device and to keep the device charged during the recovery process.
- A working Wi-Fi connection on your desktop machine and an access point to which both the iPhone and the desktop can connect (preferably securely). In the event that you don't have access to an access point that is isolated from other machines on the network, this book also provides instructions for creating an ad-hoc network. In most cases, disk copies can be performed over an SSH tunnel to further secure the data while in transit.
- An implementation of SSH (Secure Shell) on your desktop, including the ssh and scp tools. These are part of the OpenSSH package, and can also be found in the free SSH packages at http://www.ssh.fi.
- The iTunes software from Apple. Versions 7.6 (for firmware v1.x) and 7.7 (for firmware v2.x) were used for this book, but other versions are likely to work as well. If you're planning on reproducing the source code proofs-of-concept, you'll specifically require iTunes version 7.4.2.
- Adequate disk space on the desktop machine to contain copies of the iPhone's media partition and the digital vault. The minimum recommended space is three times the device's advertised capacity: one slice for the actual disk image, one slice for a copy to work with, and one slice for digital recovery.
- Determining the Firmware Version
If you've already seized a device, you'll want to make sure that its firmware version is supported by the methods in this book. To determine the version of operating firmware installed on the iPhone, tap the Settings icon, then select General > About. The version number will be displayed with a build number in parentheses. Before proceeding, ensure that the firmware version of the device falls within the range of versions supported by this document. Navigating Settings is itself an interaction with the device; keep it to that single screen and log it in your notes, as described under Good Forensic Practices.

If the device is passcode protected, you will need to circumvent this security measure in order to determine the firmware version. See "Circumventing Passcode Protection" in Chapter 3 for more information.

Never upgrade a device running v1.x firmware to v2.x, or you will destroy evidence. Use the latest version of the v1.x software for v1.x devices.
- Disk Layout
By default, the iPhone is configured with two disk partitions. These do not reside on a physical disk drive (the type with spinning platters), since the iPhone uses solid-state NAND flash, but are treated as a disk by storing a partition table and formatted filesystems on the flash.

The first partition is a 300 MB system (root) partition used to house the operating system and all of the preloaded applications used with the iPhone. This partition is mounted read-only by default, and is designed to stay in a factory state for the entire life of the iPhone. The remaining available space is assigned to the user (or "media") partition, which is mounted as /private/var on the iPhone. This partition is where all of the user data gets written, everything from music to personal contacts. This dual-partition scheme was the most logical way for Apple to perform easy upgrades to the iPhone software, because the first partition can be formatted by iTunes without deleting any of the owner's music or other data.

Because the system partition is intended to remain in a factory state by default, there is no useful evidentiary information that can be obtained from it; it's essentially irrelevant in forensics. The second partition is where all of the useful information resides, and so the first partition is safe for installing forensic tools. The tools used in the coming chapters will be used to remount the system partition as read-write to allow the installation of an open source forensic recovery toolkit. This will be done without changing the behavior of the iPhone or its preloaded applications, and without disturbing user data. One caveat: this holds only for a device that has never been jailbroken. A jailbroken iPhone has already had its system partition remounted read-write, and anything installed there (including tools that could themselves have altered user data) is worth noting before you overwrite it with your own toolkit.

The actual device nodes for the disk are as follows, with the system partition mounted at / and the media partition mounted at /private/var:

Block devices:
brw-r-----  1 root  operator   14,   0 Apr  7 07:46 /dev/disk0     (Disk)
brw-r-----  1 root  operator   14,   1 Apr  7 07:46 /dev/disk0s1   (System)
brw-r-----  1 root  operator   14,   2 Apr  7 07:46 /dev/disk0s2   (Media)

- Communication
The iPhone can communicate across several different mediums, including the serial port, 802.11 Wi-Fi, and Bluetooth. Due to the limitations of Bluetooth on the iPhone, the two preferred methods are via the serial port and Wi-Fi.

AFC (Apple File Connection) is the serial port protocol used by iTunes to copy files to and from the device and to send firmware-level commands, such as how to boot up and when to enter recovery mode. It is used for everything from copying music to installing a software upgrade. This takes place over the device's USB dock connector, using a framework named MobileDevice, which gets installed with iTunes. Third-party jailbreak tools sometimes load this framework to perform ad-hoc operations on the iPhone.

A framework is a shared resource used in Mac OS X, similar to a DLL (dynamic link library) on Windows and an SO (shared object) on other operating systems. The Windows version of iTunes uses a DLL rather than a framework. For all purposes here, the terms are interchangeable.

By default, iTunes isn't allowed to access the entire iPhone, but is placed in a jailed environment. A jailed environment is an environment subordinate to the administrative environment of a system, generally imposing additional restrictions on what resources are accessible. In other words, iTunes is permitted to access only certain files on the iPhone, namely those within its jail rooted in the /private/var/mobile/Media folder on the device (or /private/var/root/Media for older versions of the software). The term jailbreaking originated from the very first iPhone hacks to break out of this restricted environment, allowing the AFC protocol to read and write files anywhere on the device. The AFC protocol will be used by some of the tools outlined in this book to place the device into recovery mode and, once the device is jailbroken, to install the recovery toolkit on the system partition.
- Upgrading the iPhone Firmware
Apple provides periodic firmware updates for the iPhone that update the operating system, radio baseband, and possibly other device firmware. Thus far, these updates have not resulted in the loss of any live user data, but they do frequently rename files and may occasionally write new ones to the media partition. It is therefore advisable not to update the iPhone's firmware for forensic purposes, except as a last resort. You'll have to perform an upgrade only if the device is running an older version of the firmware than is supported by this book (1.0.0 or 1.0.1), and if no other suitable techniques are available to access these older firmware versions in a nondestructive manner. Any upgrade you do perform is an intentional change to the evidence and must be recorded in your notes, as described under Good Forensic Practices.

To upgrade the iPhone firmware to the latest version, use the Update button available in iTunes. If the most recent version of the device firmware is not supported, the closest supported version may be downloaded manually and installed by holding down the Option (Mac) or Shift (Windows) key while clicking the Update button. This will allow the examiner to select the desired firmware file to upgrade to.

This book covers a wide range of iPhone software versions, but you might run into a snag with a particular application if it does not support your version of iPhone software. Do not upgrade the iPhone's firmware unless absolutely necessary. If an upgrade is required, use the closest supported version to the currently installed version.

The following supported iPhone firmware updates can be downloaded from Apple's cache servers:

- 1.0.2
- 1.1.1
- 1.1.2
- 1.1.3
- 1.1.4

See Apple's iTunes documentation for more information about updating the iPhone firmware.

- Restore Mode and Integrity of Evidence
Imagine an employee who has been caught selling corporate secrets. He has just discovered that he is under investigation by the company, and the company's security officers are headed his way to interview him. The first thing he might do is try to destroy evidence on his iPhone. He presses and holds the Home and Power buttons until the device is forced into recovery mode. Is his data gone? Can it be recovered? What if the employee had a few minutes to initiate a full restore using iTunes?

There are two steps involved in restoring an iPhone: placing the device in restore mode, and performing the actual restore with iTunes. In the scenario just described, simply placing the device into restore mode has only stopped the iPhone from booting, and temporarily at that. The "Please Connect to iTunes" display is simply the iPhone's way of saying, "I was told not to boot up, so this is what I'm doing instead." Simply placing a device into restore mode does not destroy the filesystem. A forensic examiner may even put the device into restore mode himself to perform certain tasks such as circumventing passcode protection. If the owner does this, or if a mistake is made during the recovery process leaving the iPhone in recovery mode, don't panic. All data still remains intact. The device can in fact be made to boot back into the operating system without a loss of data, provided the user has not initiated the actual restore process (by docking it and invoking a restore through iTunes). The next chapter shows how to reboot the iPhone back into its normal state.

Some versions of iPhone firmware have been reported to kick themselves out of recovery mode within ten minutes of sitting idle while connected to the dock.

Let's say the worst has occurred: the employee had the time to initiate a restore through iTunes and the device is being formatted. The first thing you should do is
- Cross-Contamination and Syncing
The last thing you should know before you get started is that the iPhone likes to sync data, and this can present a risk of cross-contamination. When the iPhone syncs to a desktop, it can copy the desktop's address book, photos, music, and other data. The desktop can also copy its own data back to the iPhone. Therefore, before performing any of the steps in the coming chapters, be sure to disable all automatic syncing in order to keep the iPhone's current data pristine:

- Open iTunes on the desktop machine.
- Select Preferences from the iTunes menu.
- Click on the Syncing tab.
- Check the box next to "Disable automatic syncing for all iPhones and iPods." This is illustrated in the figure.

Figure: iTunes preferences with automatic syncing disabled

Do this before the device is connected for the first time; the setting belongs to the iTunes preferences of the account you are logged into, so it must be repeated in every new case account. As an alternative, consider using a bootable CD or virtual machine to perform the recovery steps outlined throughout the rest of this book.

In addition to this procedure, it's also a good idea to conduct all of your forensic recovery and examination using a desktop machine with a separate user account for each case. Think of a user account as an "evidence box": you wouldn't consider putting evidence from two different cases in the same box! Ensure that you have created and are logged into a separate, nonprivileged user account. When using Mac OS X, the user account may also be encrypted with FileVault to prevent cross-contamination between nonadministrative accounts.

Never attempt to sync a suspect's device manually unless it is with a new, nonprivileged user account designated specifically for the case at hand.

A whole lot of personal activity is stored on the iPhone, and much of this is useful for evidence. Your investigation should produce useful evidence if you remember the following:
- Chapter 3: Accessing the iPhone
After reading the earlier chapters of this book, you should have a rudimentary understanding of how the iPhone functions on an operating system level, and should have created a secure environment to work on your desktop without the risk of cross-contamination. In this chapter, you'll install the forensic recovery toolkit, an open source toolkit containing tools for recovering the raw disk image of the iPhone. While some example toolkits have been provided online to complement this book, all payload and staging files are simple zip archives. This means you can easily replace the standard toolkit with your own tools, which can be compiled for the iPhone using a publicly available open source tool chain. Instructions for setting up the tool chain can be found on Jay Freeman's website: http://www.saurik.com/id/4.

Whether you use the stock recovery tools or build your own, these tools will be the means by which you'll gain access to the device's operating system. You'll access the device by installing a forensic-friendly jailbreak tool that safeguards against writes to the user partition of the device. This will, in turn, install an SSH daemon on the iPhone, allowing you to access it over a secure network connection.
- Installing the Recovery Toolkit (Firmware v1.0.2–1.1.4)
The iLiberty+ program is a free tool designed by Youssef Francis and Pepijn Oomen for unlocking the iPhone/iPod and installing various payloads onto the iPhone/iPod Touch. Under normal circumstances, the iPhone's built-in digital signing mechanism will allow only firmware that has been signed by Apple to be installed. iLiberty+ takes advantage of a loophole in the v1.x firmware and instructs the iPhone's kernel to boot an unsigned RAM disk. This allows software that is otherwise unsanctioned by Apple to be booted out of the iPhone's memory. The RAM disk used by iLiberty+ contains a payload delivery system, which has been enhanced to safely install our forensic toolkit payload onto the device.

The default payload allows the media partition to be accessed through the user interface, which is preferred for most examinations.

The recovery toolkit includes:

- A basic Unix world
- OpenSSH, a secure shell
- The netcat tool, for sending data across a network
- The md5 tool, for creating a cryptographic digest of the disk image
- The dd disk copy/image tool, used to access the disk device

For a low-level explanation of the technical procedures used by this tool, see the section in the Appendix.

Download the latest version of iLiberty+ from http://theiphoneproject.org. Copies of the versions used in this book may also be downloaded from the O'Reilly website at http://www.oreilly.com/9780596153588.

iLiberty+ version 1.6 or greater is recommended, especially for law enforcement purposes. Version 1.6 corrects problems with inadvertent (yet minor) writing to the user data partition present in version 1.51. It also adds compatibility with certain older versions of iPhone software.
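The integrity checks called for under Good Forensic Practices (read-only master, digest stored apart from the image, all work done on copies) and under Forensic recovery (data unchanged between the iPhone and the desktop) can be scripted around the dd, OpenSSH and md5 tools the toolkit above provides. The following Python is an added example, not code from the book or its toolkit: it hashes the partition as it streams in over SSH, seals the master with a manifest kept in a separate vault directory, compares the manifest against a digest computed on the device, and refuses to hand out a working copy that does not match. The host name root@iphone, the choice of /dev/disk0s2 as the media partition node (from the Disk Layout section), the JSON manifest layout and the vault directory are assumptions for the example; the device-side MD5 is whatever hex string the examiner obtained by running the toolkit's md5 over the same partition on the device.

```python
"""Added example (not the book's code): stream a partition image to the
desktop while hashing it, seal it as a read-only master whose digest
manifest lives apart from the image, and verify working copies against it.
Assumed for the example: the SSH host root@iphone, the /dev/disk0s2 media
partition node from the Disk Layout section, the JSON manifest layout and
the case 'vault' directory."""
import hashlib
import json
import os
import shutil
import subprocess
from typing import BinaryIO, Dict, Optional

CHUNK = 1 << 20  # hash 1 MiB at a time so a multi-GB image never sits in memory


def _hash_stream(src: BinaryIO, sink: Optional[BinaryIO] = None) -> Dict[str, object]:
    """Read src to the end, optionally copying it to sink, and return its
    MD5 (what the toolkit's md5 tool produces), SHA-256 and byte count.
    SHA-256 is recorded as well because MD5 collisions are practical; an
    attacker would have to defeat both digests to substitute data silently."""
    md5, sha, size = hashlib.md5(), hashlib.sha256(), 0
    for chunk in iter(lambda: src.read(CHUNK), b""):
        if sink is not None:
            sink.write(chunk)
        md5.update(chunk)
        sha.update(chunk)
        size += len(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest(), "bytes": size}


def stream_to_master(src: BinaryIO, master_path: str) -> Dict[str, object]:
    """Write the incoming partition bytes to master_path, hashing in the same
    pass so the digest describes exactly what landed on disk."""
    with open(master_path, "wb") as out:
        return _hash_stream(src, out)


def acquire_over_ssh(host: str, device_node: str, master_path: str) -> Dict[str, object]:
    """Illustrative acquisition, not exercised by the test: run dd on the
    device through the toolkit's OpenSSH and stream the partition down.
    Assumes the examiner's ssh already trusts the device's host key."""
    proc = subprocess.Popen(["ssh", host, "dd if=%s bs=4096" % device_node],
                            stdout=subprocess.PIPE)
    info = stream_to_master(proc.stdout, master_path)
    proc.stdout.close()
    if proc.wait() != 0:
        raise RuntimeError("dd on %s exited with status %d" % (host, proc.returncode))
    return info


def file_digests(path: str) -> Dict[str, object]:
    with open(path, "rb") as f:
        return _hash_stream(f)


def seal_master(master_path: str, vault_dir: str) -> str:
    """Record the manifest in the vault directory (not next to the image)
    and make the master read-only. Returns the manifest path."""
    info = file_digests(master_path)
    info["name"] = os.path.basename(master_path)
    manifest = os.path.join(vault_dir, info["name"] + ".manifest.json")
    with open(manifest, "w") as f:
        json.dump(info, f, indent=2)
    os.chmod(master_path, 0o444)
    return manifest


def matches_device_digest(manifest_path: str, device_md5_hex: str) -> bool:
    """Compare the manifest's MD5 with the digest the examiner computed on the
    iPhone itself; a mismatch means the bytes changed in transit."""
    with open(manifest_path) as f:
        return json.load(f)["md5"] == device_md5_hex.strip().lower()


def verify_copy(copy_path: str, manifest_path: str) -> bool:
    """True only if size, MD5 and SHA-256 all match the sealed manifest.
    The size check comes first because it is free and catches truncation."""
    with open(manifest_path) as f:
        want = json.load(f)
    if os.path.getsize(copy_path) != want["bytes"]:
        return False
    got = file_digests(copy_path)
    return got["md5"] == want["md5"] and got["sha256"] == want["sha256"]


def make_working_copy(master_path: str, manifest_path: str, copy_path: str) -> str:
    """Tools only ever touch working copies. The copy is made writable, then
    verified against the manifest before it is handed out; a bad copy is
    removed rather than left lying around in the case directory."""
    shutil.copyfile(master_path, copy_path)
    os.chmod(copy_path, 0o644)
    if not verify_copy(copy_path, manifest_path):
        os.remove(copy_path)
        raise RuntimeError("%s does not match %s" % (copy_path, manifest_path))
    return copy_path
```

A typical session is acquire_over_ssh("root@iphone", "/dev/disk0s2", master), then seal_master(master, vault), then matches_device_digest(manifest, device_md5) before any working copy is made. Keep the vault directory outside the case's working area and, as the book advises, log each of these steps in your notes.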
- Circumventing Passcode Protection (Firmware v1.0.2–1.1.4)
The iPhone uses two types of locks: a SIM lock and an OS-level passcode. When the passcode is active, the iPhone cannot be synced or accessed. The SIM lock can be bypassed by simply removing or replacing the protected SIM card. This section shows how to bypass the OS-level passcode. The forensic toolkit cannot be installed while either form of protection is active.

The procedures in this section disable the passcode by issuing raw commands to the iPhone to load a specially crafted RAM disk. This custom RAM disk moves the configuration file for passcode protection safely out of the way. When the iPhone boots, it will see that this configuration file is missing and fail over to its default mode of operation, which doesn't require a passcode. Neat, huh? Moving that file is a deliberate modification of the device, so record it in your notes with the other intentional changes, as Good Forensic Practices requires.

Newer versions of iLiberty+ support a "Bypass Passcode" feature integrated right into the software. To use this, the device will need to be placed into a clean recovery state:

- Cleanly power the device down by holding the Power button until the "Slide to Power Off" slider appears. Slide this to power off the device.
- After the device is powered down, press and briefly hold the Power button, then immediately release it when the iPhone appears to be powering on.
- After releasing the Power button, press and hold both the Power and Home buttons until the device again power cycles and the restore logo is displayed.
- After the device is in recovery mode, make sure it is connected to the dock and launch iLiberty+. Select "Bypass Passcode" from iLiberty+'s Advanced menu, as shown in the figure. On a Mac, this menu will be at the top of the screen.
- Installing the Recovery Toolkit (Firmware v2.x)
- Content preview: The latest v2.x firmware changed much about how the iPhone communicates, warranting the need for a different approach to “owning” (or as some like to say, “pwning”) the firmware in order to install a recovery toolkit. The methods used for v2.x achieve the same overall goal as the previous techniques in this chapter: booting an unsigned RAM disk, which installs a recovery toolkit. The mechanism by which this is delivered, however, has changed considerably. The procedure for v2.x involves taking advantage of a vulnerability in the iPhone’s boot ROM that allows it to accept unsigned firmware upgrades. A popular tool known as Pwnage exploits this vulnerability and builds a custom firmware package. Normally, this would destroy the filesystem on the iPhone, so before restoring the firmware, you’ll use another tool named Xpwn to modify the firmware “restore” to act as more of an “upgrade” to install your recovery payload. Thus, the procedure will install both the recovery toolkit and a patched operating system kernel, which is needed in order to run unsigned applications. The steps are rather involved, but once you’ve assembled the proper firmware bundles, you’ll be able to easily reuse them for future examinations. The overall plan follows:
- Use Pwnage to hack the boot ROM on the iPhone and build a custom firmware package. At the time of this writing, all iPhones on the market are supported by Pwnage, and newer device models are generally added within a few weeks.
- Use Xpwn to create a “Stage 1” customized firmware bundle that will upgrade the NOR (kernel cache) without destroying live data.
- Use Xpwn to create a “Stage 2” customized firmware bundle that will install the forensic recovery toolkit.
- Install each customized firmware through iTunes with the iPhone in DFU mode to gain access to the iPhone.
End of content preview. The rest of this section is not viewable here.
- Removing the Forensic Recovery Toolkit
- Content preview: Later on, when you’ve finished examining the device, you’ll want to remove the toolkit and undo any changes you’ve made. To do this, simply use the iTunes “Restore” mode function to restore the device to its original firmware. If data exists on the device, sync it first with a separate, protected user account on the machine to back up the data. You will then be able to restore this backup after the restore.
End of content preview. The rest of this section is not viewable here.
- Chapter 4: Forensic Recovery
- Content preview: In the previous chapter, you learned how to install a recovery toolkit on the iPhone. When the toolkit is installed, an OpenSSH daemon begins accepting connections on the device, and a Unix world is ready to service requests from the examiner. This chapter walks you through the process of configuring the iPhone to communicate with your desktop on the same Wi-Fi network so you can recover the raw media partition. Once recovered, you’ll be introduced to data recovery tools for carving and validating files, which you’ll use for further recovery of deleted files.
End of content preview. The rest of this section is not viewable here.
- Configuring Wi-Fi and SSH
- Content preview: The media partition must be recovered over Wi-Fi, so your wireless network must be configured to connect the iPhone and desktop machine. Depending on the level of integrity your examination requires, the following options are available, each with differing levels of complexity:
- Use an insecure access point with or without an encrypted tunnel or MD5 digests
- Use a WPA-encrypted or WEP-encrypted access point
- Use an ad-hoc network
WEP-encrypted networks suffer from an initialization vector vulnerability, where a malicious actor could deduce the network key by watching encrypted traffic as it flows across the network. This means that a WEP-encrypted network is susceptible to potential tampering while your data is in transit. To counter this, you may choose to use a network supporting WPA (Wi-Fi Protected Access), which is newer and more secure. Alternatively, the md5 utility, installed with the recovery toolkit, can be used to create a cryptographic digest of the media partition before and after transmission to ensure that it has not been tampered with during transit.
- To configure wireless access on the iPhone, tap the Settings icon. A list of options will appear.
- Tap the option labeled Wi-Fi, second down from the top. This will transition to a window where the wireless network can be configured. If Wi-Fi is turned off, tap the switch at the top to turn it on.
- A list of available wireless networks will appear in the section labeled “Choose a Network.” Tap on the network that your desktop is presently connected to. As the iPhone joins the network, a wait indicator will be displayed.
- Once the network has been joined, tap the blue disclosure arrow to the right of the selected network. This will allow you to view and change the iPhone’s IP address and other network settings.
End of content preview. The rest of this section is not viewable here.
- Recovering the Media Partition
- Content preview: With the recovery toolkit installed and the iPhone sharing a network connection with your desktop, the media partition can finally be recovered. Depending on what level of integrity you’re looking to establish, there are many ways to accomplish this. This section walks you through the different steps involved in recovering the media partition. Some processes are optional, and it will ultimately be up to you to determine which security options are important. Prior to performing a recovery, it’s a good idea to disable the iPhone’s locking mechanism. Click on the Preferences icon, then General. Change the Auto-Lock option to Never. Much of the work involved from here on out will be performed on the command line, so it’s important to know how to invoke a command-line terminal window.
Mac OS X
Find the Terminal application by opening the Applications folder, and double-clicking on the Utilities folder. Double-click Terminal to open the application. Subsequent windows can be opened by selecting New Window from the Terminal menu.
Windows
Click on the Start menu, then highlight Programs, followed by Accessories. Click on the Command Prompt application. This will open a new window with what you may refer to as a “DOS prompt.”
To recover the media partition, you’ll need two command-line tools on the desktop: dd and nc. The dd tool is a disk copy tool used to copy the raw drive image, while the nc tool (also known as netcat) is used to send (and receive) data across a network. Both of these tools must be installed on both the desktop and the iPhone. The recovery toolkit automatically installs the iPhone builds of these tools, leaving the desktop portion up to you. The file copy over netcat is insecure unless forwarded through an SSH tunnel. In both cases, for evidentiary integrity, it is recommended that this copy be conducted over a private, encrypted wireless network, or that MD5 digests be used to verify the integrity of the image.
End of content preview. The rest of this section is not viewable here.
- Data Carving Using Foremost/Scalpel
- Content preview: To recover deleted files, you need a data-carving tool. Data carving is the process of extracting structured data from unstructured data. Until mounted as a filesystem, the raw partition recovered from the iPhone looks like one big file to the computer, and contains both live and deleted data. A data-carving tool can scan the disk image for traces of desired files, such as images, voicemail, and other files. It then carves these smaller files out of the image for further analysis. Foremost and Scalpel are both data-carving tools. Foremost is a free forensics tool developed by Special Agents Kris Kendall and Jesse Kornblum of the U.S. Air Force Office of Special Investigations. Foremost can be freely downloaded from http://foremost.sourceforge.net and compiled/installed on most desktop operating systems. Mac OS systems may either build from sources or install using MacPorts (http://www.macports.org):
$ sudo port install foremost
Scalpel is a tool based on Foremost and performs much faster analysis using an identical configuration file. Scalpel is available at http://www.digitalforensicssolutions.com/Scalpel/. Windows binaries for Scalpel are included in the distribution. Scalpel can be compiled and installed on a Mac desktop using the following commands (if the version number has changed, simply substitute the current version in the following file and directory names):
$ tar -zxvf scalpel-1.60.tar.gz
$ cd scalpel-1.60
$ make bsd
$ sudo mkdir -p /usr/local/bin /usr/local/etc
$ sudo cp -p scalpel /usr/local/bin
$ sudo cp -p scalpel.conf /usr/local/etc
To compile software on a Mac, Xcode Tools must be installed. This package can be downloaded free from the Apple Developer Connection website at http://developer.apple.com. Data carving is by no means an exact technique, and some deleted data may be partially overwritten. Foremost and Scalpel both rise to the challenge by allowing examiners to specify headers (and optionally footers) that identify the beginning and end of the desired data they are searching for. The default configuration file includes data types for several different file formats, leaving it up to the examiner to uncomment the lines for files they want to carve out.
End of content preview. The rest of this section is not viewable here.
- Validating Images with ImageMagick
- Content preview: Recovery tools generally err on the side of generating too much data, rather than skipping files that could be important. As a result, they extract a lot of data that may be partially corrupt or unwanted altogether. Finding valid images to examine can be a time-consuming process in the presence of thousands of files, so a few simple recipes can greatly help reduce the amount of time needed. The ImageMagick package contains a set of image processing utilities, one of which can be used to display information about images. The identify tool included with ImageMagick is perfect for sifting through the thousands of files created by data-carving tools to identify the readable images. ImageMagick can be downloaded from http://www.imagemagick.org/script/index.php. Mac OS users may build from sources or use MacPorts (http://www.macports.org) to install the package:
$ sudo port install imagemagick
Once installed, write a simple bash script to test the validity of an image file. For the purposes of this example, name the file test-script.sh:
#!/bin/bash
# Create the holding directory if it does not exist yet, then move the
# file there when identify cannot read it (non-zero exit status).
mkdir -p invalid
identify "$1" || mv "$1" ./invalid/
Some images may be corrupt, but still somewhat recognizable. These images may appear invalid to the identify tool. It is therefore recommended that images only be moved, not deleted, so that invalid images can be later reviewed by hand. When calling ImageMagick’s identify tool for a given file, a successful exit code will be returned if the image can be read. The previous script moves all invalid images to a subdirectory named invalid, leaving the valid images in the original directory where you invoke the script. The script can then be invoked for a given supported image type (.jpg, .gif, .png, etc.) using a simple recipe with the find command:
$ mkdir invalid
$ chmod 755 test-script.sh
$ find foremost-output -type f -name "*.jpg" -exec ./test-script.sh {} \;
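The same triage as test-script.sh, written here in Python as an added example (not the book's code) so it runs without ImageMagick: rather than asking identify to decode each file, it checks that every carved file carries its format's signature and its required trailer, which is what a truncated carve lacks, and moves failures into invalid/ for later review. The carving output directory and the sample files are constructed.

```python
"""Triage carved image files the way the book's test-script.sh does, but
without ImageMagick: each file must start with its format's signature and
end with the trailer the format requires, which catches the truncated carves
that `identify` also rejects. Added example, not the book's code."""
import os
import shutil
import tempfile

# Signature and required trailer per extension (assumption: the three
# formats the book names; extend the table for others).
FORMATS = {
    ".jpg": (b"\xff\xd8\xff", b"\xff\xd9"),              # SOI ... EOI marker
    ".png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),  # signature ... IEND chunk
    ".gif": (b"GIF8", b"\x3b"),                          # GIF87a/89a ... trailer
}


def image_looks_valid(path):
    """True if the file carries both its signature and its trailer. Like
    identify, this does not prove the pixel data is intact; unlike identify,
    it never decodes the file, so it is cheap to run over thousands of carves."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in FORMATS:
        return False
    head, tail = FORMATS[ext]
    with open(path, "rb") as fh:
        data = fh.read()
    return data.startswith(head) and data.endswith(tail)


def sort_carved_images(output_dir, extensions=(".jpg",), invalid_name="invalid"):
    """Walk output_dir (e.g. foremost-output) and move failing files into
    output_dir/<invalid_name>. Files are moved, never deleted, so damaged but
    still recognisable images can be reviewed by hand. Returns (valid, invalid)."""
    invalid_dir = os.path.join(output_dir, invalid_name)
    os.makedirs(invalid_dir, exist_ok=True)
    valid = invalid = 0
    for root, dirs, files in os.walk(output_dir):
        # Do not descend into the holding directory we are filling.
        dirs[:] = [d for d in dirs if os.path.join(root, d) != invalid_dir]
        for name in files:
            if not name.lower().endswith(tuple(extensions)):
                continue
            path = os.path.join(root, name)
            if image_looks_valid(path):
                valid += 1
            else:
                shutil.move(path, os.path.join(invalid_dir, name))
                invalid += 1
    return valid, invalid


def demo():
    """Constructed carving output: a complete JPEG, a JPEG cut off before its
    EOI marker (typical of a partially overwritten file), and a complete PNG."""
    tmp = tempfile.mkdtemp(prefix="carve-")
    samples = {
        "00000001.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32 + b"\xff\xd9",
        "00000002.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
        "00000003.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16 + b"IEND\xaeB`\x82",
    }
    for name, data in samples.items():
        with open(os.path.join(tmp, name), "wb") as fh:
            fh.write(data)
    counts = sort_carved_images(tmp, extensions=(".jpg", ".png"))
    moved = sorted(os.listdir(os.path.join(tmp, "invalid")))
    shutil.rmtree(tmp)
    return counts, moved


if __name__ == "__main__":
    print(demo())  # ((2, 1), ['00000002.jpg'])
```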
The syntax of the
End of content preview. The rest of this section is not viewable here.
- Strings Dump
- Content preview: As a final means to turn up data, the strings from the raw disk image can be extracted and saved to a file. The output will be enormous, but it will allow loose text searches for a particular conversation or other data. To extract the strings from the disk image, perform the following.
Mac OS X
The strings utility comes integrated with Mac OS X, as it is a standard Unix tool. Simply issue the following from a terminal window:
$ strings rdisk0s2 > filename
Windows
Download the Windows version of strings from http://technet.microsoft.com/en-us/sysinternals/bb897439.aspx. Issue the following command to dump the text strings from the disk image:
$ strings.exe rdisk0s2 > filename
End of content preview. The rest of this section is not viewable here.
- The Takeaway
- Content preview:
- There are a lot of different security measures you can take to securely obtain the raw disk partition from the iPhone. Use the safest method that meets your goals. There is no need to overdo it.
- Data carving can be used to pull any type of data from a raw image or other file, but it’s up to the examiner to have some clue about what to look for. If you’re unsure, enable all file types and take the extra time to look through the results.
- Using simple tools like strings can give you a very large file of text to search through for key words or phrases.
End of content preview. The rest of this section is not viewable here.
- Chapter 5: Electronic Discovery
- Content preview: In the previous chapter, you learned how to recover the raw media partition from the iPhone and use data-carving tools to pull out potentially deleted images, email messages, and other useful files. This chapter will help you make sense of what you’ve recovered, and guide you through working with live data on the iPhone. Data carving is very useful for recovering files that the suspect had intentionally deleted or forgotten about. The disk image can also be mounted as a live disk, allowing access to the live (not deleted) data on the iPhone. This allows you to examine the live filesystem and determine the data’s filenames so that you know exactly what data is where. Instructions for working with the live filesystem commonly refer to the /mobile directory. If the iPhone is running firmware version 1.1.2 or earlier, these files are instead stored in /root. Be sure to make the necessary changes to your method to accommodate any changes in file location.
End of content preview. The rest of this section is not viewable here.
- Converting Timestamps
- Content preview: Many of the timestamps found on the iPhone are presented in Unix timestamp format. To convert these to actual dates and times, use an online Unix timestamp converter, such as the ones found at http://www.4webhelp.net/us/timestamp.php and http://www.onlineconversion.com/unix_time.htm. From the command line, a simple Perl script can be executed on Mac desktops:
$ perl -e 'require "ctime.pl"; print ctime(1200000000) . "\n";'
Thu Jan 10 16:20:00 2008
End of content preview. The rest of this section is not viewable here.
- Mounting the Disk Image
- Content preview: When you transmit the disk image from an iPhone, you’re getting a complete HFS/X filesystem (or HFS+ if you converted it). As a filesystem, this can be mounted on a Mac or Windows machine with a little work. Be sure you are working with a copy of the disk image by now, and not the original. The section in Chapter 4 explains why. Before the disk image can be mounted, you may need to perform certain tasks or install software so that your computer can properly read the disk image.
Mac OS X and native HFS support
Mac OS X supports the HFS+ filesystem natively, so it is already able to read the disk image without any additional software. You’ll need to rename the file you downloaded, however, to have a .dmg extension. You can then directly mount it from the Finder:
$ mv rdisk0s2 rdisk0s2.dmg
$ hdid -readonly rdisk0s2.dmg
Once mounted, the volume should appear on the desktop and on the Finder’s sidebar, listed under Devices. It can then be browsed to with the Finder or examined using Unix tools from a terminal window. The volume will be mounted in /Volumes.
Windows and HFSExplorer
Windows doesn’t understand the HFS/X disk image format by default, so you’ll need a tool that’s capable of reading the format. HFSExplorer is an application that can extract files from an HFS+ volume and load raw image files such as the one you dumped from the iPhone. It is published under the GNU General Public License (GPL) and is freely available at http://hem.bredband.net/catacombae/hfsx.html. To use HFSExplorer, you’ll also need Sun’s JVM (Java Virtual Machine) for Windows, also freely available at http://www.java.com.
- Install HFSExplorer and Java for Windows.
End of content preview. The rest of this section is not viewable here.
- Graphical File Navigation
- Content preview: Both Mac OS X and Windows support preview panes within their file browsers. Mac OS X, in particular, provides a very useful graphical interface for browsing the directories and files created by the data carving described in the previous chapter. Using Mac OS X, browse to the scalpel-output folder that is created during the data carving process (if you used the Scalpel tool). At the top of the Finder window, a series of buttons should be visible, allowing you to select which view mode you’d like to use. Click the rightmost icon, which displays the cover flow view.
Figure: Cover flow view button
The contents of the directory will now appear in a graphical representation, including previews of images, HTML, and other readable files. The entire directory can now be visually examined, saving a considerable amount of time. See the following figure for an example of the display.
Figure: Cover flow view of recovered data (Mac OS X)
Many image files are likely to appear more than once, as they are sometimes rewritten when the iPhone syncs with a desktop. Album covers are also likely to appear several times, once for each song. Browsing through your recovered images directory may take some time, but can turn up both live and deleted files containing such valuable data as:
- Photos taken with the iPhone’s camera
- Photos synced to the device from a desktop photo library
- Photos from the web browsing cache/history
- Google Maps tiles of maps or satellite imagery looked up by the suspect
- Multiple snapshots of running applications in the state they were in when the suspect pressed the home button, including:
End of content preview. The rest of this section is not viewable here.
- Extracting Image Geotags with Exifprobe
- Content preview: Geotagging is the process of embedding geographical metadata in a piece of media. In the iPhone’s case, these are images. An iPhone running firmware v2.0 or greater can embed longitude and latitude coordinates inside images snapped with the built-in camera. Geotagging can be disabled when photos are taken, but in many cases, a suspect may either forget to disable it or fail to realize its consequences. By extracting the geotag from an image, you’ll be able to pinpoint the general location where the photo was snapped. As of firmware v2.0, geotag information is missing the degree of seconds, making an exact pinpoint impossible. This may be corrected in future versions. Exifprobe is a camera image file utility developed by Duane Hesser. Among its features is the ability to extract image metadata. Download Exifprobe from http://www.virtual-cafe.com/~dhh/tools.d/exifprobe.d/exifprobe.html. To check an image for geotags, call exifprobe on the command line:
% exifprobe -L filename.jpg
If the image was tagged, you’ll see a GPS latitude and longitude reported, as shown below:
JPEG.APP1.Ifd0.Gps.LatitudeRef = 'N'
JPEG.APP1.Ifd0.Gps.Latitude = 42,57.45,0
JPEG.APP1.Ifd0.Gps.LongitudeRef = 'W\000'
JPEG.APP1.Ifd0.Gps.Longitude = 71,32.9,0
In this example, the photo was taken at 42.57450, −71.3290. In addition to a geotag for the image, the timestamp that the actual photo was taken can be recovered:
JPEG.APP1.Ifd0.Exif.DateTimeOriginal = '2008:07:26 22:07:35'
JPEG.APP1.Ifd0.Exif.DateTimeDigitized = '2008:07:26 22:07:35'
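An added example, not from the book, that parses the exifprobe lines above into values a mapping tool accepts: the book's "42.57450, −71.3290" is degrees followed by decimal minutes run together, whereas mapping software expects decimal degrees, so 42,57.45,0 with ref N becomes 42.9575 and 71,32.9,0 with ref W becomes −71.5483; DateTimeOriginal is parsed as well. The sample text is a constructed copy of the output shown above.

```python
"""Parse exifprobe -L output into decimal-degree coordinates and a datetime.
Added example, not part of the book; it assumes the 'key = value' line layout
shown in the book's output."""
import re
from datetime import datetime

# Constructed sample: a copy of the lines the book shows for a tagged photo.
SAMPLE_OUTPUT = r"""
JPEG.APP1.Ifd0.Gps.LatitudeRef = 'N'
JPEG.APP1.Ifd0.Gps.Latitude = 42,57.45,0
JPEG.APP1.Ifd0.Gps.LongitudeRef = 'W\000'
JPEG.APP1.Ifd0.Gps.Longitude = 71,32.9,0
JPEG.APP1.Ifd0.Exif.DateTimeOriginal = '2008:07:26 22:07:35'
JPEG.APP1.Ifd0.Exif.DateTimeDigitized = '2008:07:26 22:07:35'
"""

LINE_RE = re.compile(r"^\s*(?P<key>\S+)\s*=\s*(?P<value>.*?)\s*$")


def parse_exifprobe(text):
    """Return {tag name: value}. The NUL terminator that exifprobe prints as
    \\000 after some string tags is dropped, then surrounding quotes are removed."""
    fields = {}
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        value = match.group("value").replace("\\000", "").strip("'")
        fields[match.group("key")] = value
    return fields


def dms_to_decimal(dms, ref):
    """'deg,min,sec' plus a hemisphere letter -> signed decimal degrees.
    Firmware v2.0 leaves the seconds field at 0, so the minutes carry all of
    the precision the tag has."""
    deg, minutes, seconds = (float(part) for part in dms.split(","))
    value = deg + minutes / 60.0 + seconds / 3600.0
    return -value if ref.upper().startswith(("S", "W")) else value


def geotag(fields, ifd="JPEG.APP1.Ifd0"):
    """Return (latitude, longitude, datetime_taken), or None when the image
    carries no GPS tags (geotagging was off, or the photo did not come from
    the built-in camera)."""
    lat = fields.get(ifd + ".Gps.Latitude")
    lon = fields.get(ifd + ".Gps.Longitude")
    if lat is None or lon is None:
        return None
    latitude = dms_to_decimal(lat, fields.get(ifd + ".Gps.LatitudeRef", "N"))
    longitude = dms_to_decimal(lon, fields.get(ifd + ".Gps.LongitudeRef", "E"))
    taken = fields.get(ifd + ".Exif.DateTimeOriginal")
    when = datetime.strptime(taken, "%Y:%m:%d %H:%M:%S") if taken else None
    return latitude, longitude, when


if __name__ == "__main__":
    print(geotag(parse_exifprobe(SAMPLE_OUTPUT)))
```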
End of content preview. The rest of this section is not viewable here.
- SQLite Databases
- Content preview: The iPhone makes heavy use of database files to store information such as address book contacts, SMS messages, email messages, and other data of a personal nature. This is done using the SQLite database software (version 3), which is an open source, public domain database package. SQLite databases typically have the file extension .sqlitedb, but some databases on the iPhone have the .db extension instead. In order to access the data stored in these files, you’ll need a tool that can read them. Good choices include:
- The SQLite command-line client, which can be downloaded at http://www.sqlite.org.
- SQLite Browser, a free, open source GUI tool for browsing SQLite databases. It is available at http://sqlitebrowser.sourceforge.net.
Mac OS X Leopard includes the SQLite command-line client, so we’ll use command-line examples here. SQLite’s command-line utility can easily access the individual files and issue SQL queries against a database. The basic commands you’ll need to learn will be explained in this chapter. For additional information about Structured Query Language (SQL), read Learning SQL by Alan Beaulieu (O’Reilly). To open a SQLite database from the command line, invoke the sqlite3 client. This will dump you to a SQL prompt where you can issue queries:
$ sqlite3 filename
SQLite version 3.4.0
Enter ".help" for instructions
sqlite>
You are now connected to the database file you’ve specified. To disconnect, use the .exit command; be sure to prefix the command with a period. The SQLite client will exit and you will be returned to a terminal prompt:
sqlite> .exit
$
After you connect to a database, there are a number of built-in SQLite commands you can issue to obtain information or change behavior. Some of the most commonly used commands are the following:
End of content preview. The rest of this section is not viewable here.
- Important Database Files
- Content preview: The following SQLite databases are present on the iPhone, and may be of interest depending on the needs of the case. These files exist on the media partition, which is mounted at /private/var on the iPhone. The pathnames provided here are based on your local desktop mount of the disk image, and therefore will not include /private/var in the path. The address book contains individual contact entries for all of the contacts stored on the iPhone. The address book database can be found at /mobile/Library/AddressBook/AddressBook.sqlitedb. The following tables are primarily used:
ABPerson: Contains the name, organization, department, and other general information about each contact.
ABRecent: Contains a record of recent changes to properties in the contact database and a timestamp of when each was made.
ABMultiValue: Contains multivalue data for each contact, including phone numbers, email addresses, website URLs, and other data for which the contact may have more than one. The table uses a record_id field to associate the contact information with a rowid from the ABPerson table. To query all of the multivalue information for a particular contact, use two queries: one to find the contact you’re looking for, and one to find their multivalue data:
sqlite> select ROWID, First Last, Organization, Department, JobTitle, CreationDate, ModificationDate from ABPerson where First = 'Jonathan';
ROWID|Last|Organization|Department|JobTitle|CreationDate|ModificationDate
22|Jonathan|O'Reilly Media|Books|Author|234046886|234046890
sqlite> select * from ABMultiValue where record_id = 22;
UID|record_id|property|identifier|label|value
57|22|4|0|7|jonathan@zdziarski.com
59|22|3|0|3|603-555-0000
60|22|3|1|7|603-555-0001
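Added example, not from the book: the two AddressBook tables are rebuilt in memory from the rows above (the schema is an assumption reduced to the columns the book shows), joined in one query on record_id = ROWID, and the date columns converted; it also covers the timestamp conversion from the Converting Timestamps section above. The property codes (3 = phone, 4 = email) are inferred from the sample rows.

```python
"""Added example (not the book's): rebuild the two AddressBook tables the
book queries, join them in one statement, and convert the timestamps.
The schema is an assumption reduced to the columns shown in the book."""
import sqlite3
from datetime import datetime, timedelta, timezone

# Assumption inferred from the sample rows: property 3 = phone, 4 = email.
PROPERTY_NAMES = {3: "phone", 4: "email"}

# AddressBook dates count seconds from 2001-01-01 00:00:00 UTC (Core
# Foundation absolute time); the Perl ctime example uses Unix time (1970)
# and prints local time, whereas the converters here report UTC.
CF_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def cf_absolute_to_datetime(seconds):
    return CF_EPOCH + timedelta(seconds=seconds)


def unix_to_datetime(seconds):
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def build_sample_db():
    """Constructed in-memory copy of the rows the book shows. Last is left
    NULL because the book's output only shows the first name."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE ABPerson (
            ROWID INTEGER PRIMARY KEY, First TEXT, Last TEXT, Organization TEXT,
            Department TEXT, JobTitle TEXT, CreationDate INTEGER,
            ModificationDate INTEGER);
        CREATE TABLE ABMultiValue (
            UID INTEGER PRIMARY KEY, record_id INTEGER, property INTEGER,
            identifier INTEGER, label INTEGER, value TEXT);
    """)
    db.execute(
        "INSERT INTO ABPerson VALUES (22, 'Jonathan', NULL, 'O''Reilly Media', "
        "'Books', 'Author', 234046886, 234046890)")
    db.executemany("INSERT INTO ABMultiValue VALUES (?, ?, ?, ?, ?, ?)", [
        (57, 22, 4, 0, 7, "jonathan@zdziarski.com"),
        (59, 22, 3, 0, 3, "603-555-0000"),
        (60, 22, 3, 1, 7, "603-555-0001"),
    ])
    return db


def contact_report(db, first_name):
    """One query in place of the book's two: join ABMultiValue to ABPerson
    on record_id = ROWID and group the multivalue rows under each contact.
    Note the comma after First: written as `First Last`, the second word
    becomes a column alias and the surname is never selected."""
    rows = db.execute("""
        SELECT p.ROWID, p.First, p.Last, p.Organization, p.CreationDate,
               m.property, m.value
        FROM ABPerson AS p
        LEFT JOIN ABMultiValue AS m ON m.record_id = p.ROWID
        WHERE p.First = ?
        ORDER BY p.ROWID, m.UID
    """, (first_name,)).fetchall()
    contacts = {}
    for rowid, first, last, org, created, prop, value in rows:
        entry = contacts.setdefault(rowid, {
            "name": " ".join(part for part in (first, last) if part),
            "organization": org,
            "created": cf_absolute_to_datetime(created).strftime("%Y-%m-%d %H:%M:%S UTC"),
            "phone": [], "email": [], "other": [],
        })
        if value is not None:
            entry[PROPERTY_NAMES.get(prop, "other")].append(value)
    return contacts


if __name__ == "__main__":
    print(contact_report(build_sample_db(), "Jonathan"))
    print(unix_to_datetime(1200000000))
```

Two things to carry into your own queries: the book's first query reads `First Last` without a comma, which SQLite treats as First aliased to Last (hence the Jonathan under the Last column in its output), and the CreationDate/ModificationDate values are seconds since 2001, so feeding them to a Unix timestamp converter gives a date in 1977.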
End of content preview. The rest of this section is not viewable here.
- Property Lists
- Content preview: Property lists are XML manifests used to describe various configurations, states, and other stored information. Property lists can be formatted in either ASCII or binary format. When formatted for ASCII, a file can be easily read using any standard text editor. When formatted for binary, a property list file must be opened by an application capable of reading or converting the format to ASCII.
Mac OS X
Mac OS X includes a tool named Property List Editor. This can be launched by simply double-clicking on a file ending with a .plist extension.
Windows
Two tools can help you view binary property lists:
- An online tool at http://140.124.181.188/~khchung/cgi-bin/plutil.cgi can convert property lists to ASCII format. The website is a simple wrapper for an online conversion script hosted at http://homer.informatics.indiana.edu/cgi-bin/plutil/plutil.cgi/.
- Source code for an open source property list converter is available on Apple’s website at http://www.opensource.apple.com/darwinsource/10.4/CF-368/Parsing.subproj/CFBinaryPList.c. You’ll have to compile and install the application yourself, and an Apple developer account is required. However, registration is free of charge.
The following property lists are stored on the iPhone and may contain useful information:
- /mobile/Library/Cookies/Cookies.plist: Contains website cookies saved from the Safari web browser. These can be a good indication of what websites the user has been actively visiting, and whether he has an account on the site.
- /mobile/Library/Mail/Accounts.plist
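An added example (not the book's) using Python's standard plistlib, which reads both formats and so replaces the online converter for a binary file: it turns a binary plist into its XML (ASCII) form and walks every string value, which is also a cleaner way to locate a serial number in the ByHost com.apple.iTunes plist discussed under Serial Number Records in Chapter 6 than scanning strings output. The plist contents, key names and serial number below are constructed placeholders.

```python
"""Added example, not the book's: read a property list in either format with
the standard-library plistlib, emit the XML (ASCII) form, and search every
string value for a term such as a device serial number."""
import plistlib


def is_binary_plist(data):
    """Binary property lists start with the magic 'bplist00'."""
    return data[:8] == b"bplist00"


def load_plist(data):
    """plistlib.loads detects the format itself, so binary and XML files take
    the same path; this is the offline equivalent of the plutil web tool."""
    return plistlib.loads(data)


def to_xml(obj):
    return plistlib.dumps(obj, fmt=plistlib.FMT_XML).decode("utf-8")


def find_strings(obj, needle, path="$"):
    """Walk nested dicts and lists; return (key path, value) for every string
    that contains needle. Unlike `strings` output, this also tells you which
    key the match belongs to, which is what you cite in a report."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            hits.extend(find_strings(value, needle, f"{path}.{key}"))
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            hits.extend(find_strings(value, needle, f"{path}[{index}]"))
    elif isinstance(obj, str) and needle in obj:
        hits.append((path, obj))
    return hits


def search_serial(data, serial):
    """Load a plist (binary or XML) and report where the serial appears."""
    return find_strings(load_plist(data), serial)


# Constructed sample. The key names and serial number are placeholders; the
# book does not show the real layout of the ByHost com.apple.iTunes plist.
SAMPLE = {
    "Devices": [{"Name": "Test iPhone (constructed)",
                 "SerialNumber": "PLACEHOLDER-SERIAL-1234"}],
    "LastSync": "2008-07-26T22:07:35Z",
}
SAMPLE_BINARY = plistlib.dumps(SAMPLE, fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    print(to_xml(load_plist(SAMPLE_BINARY)))
    print(search_serial(SAMPLE_BINARY, "PLACEHOLDER-SERIAL-1234"))
```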
End of content preview. The rest of this section is not viewable here.
- Other Important Files
- Content preview: This section lists some other potentially valuable files that don’t fall into a particular class. Although each case may call for different evidence, the files covered in this section are generally useful for most types of examination.
- /mobile/Library/Keyboard/dynamic-text.dat: A binary keyboard cache containing text entered by the user. The text displayed may be out of order or consist of various “slices” of different threads assembled together. View it using a hex editor or a paging utility such as less.
- /mobile/Library/Preferences/com.apple.Maps.plist: Contains the last longitude and latitude coordinates viewed in the Google Maps application.
- /mobile/Library/Preferences/com.apple.Safari.plist: Contains a list of recent searches performed in Safari.
- /mobile/Library/LockBackground.jpg: The current background wallpaper set for the device.
- /mobile/Media/WebClips: Contains a list of web pages assigned as buttons on the device’s home screen. Each page will be housed in a separate directory containing a property list named Info.plist. This property list contains the title and URL of each page.
- /mobile/Media/DCIM/100APPLE: Photos taken with the device’s built-in camera and accompanying .
- /mobile/Media/iTunes_Control/Music: Location of all music synced with the device.
- /root/Library//Caches/locationd/cache.plist: Contains the last coordinates fixed on by the GPS (iPhone 3G only).
End of content preview. The rest of this section is not viewable here.
- Chapter 6: Desktop Trace
- Content preview: Recovering evidence from an iPhone can be an important step in building evidence for a case, but you can also find a wealth of information on any desktop machines that have been previously synced with the device. In a criminal investigation, a search warrant can be obtained to seize desktop equipment belonging to the suspect. In a corporate investigation, company-owned desktop or notebook machines can usually be examined. The evidence found on a desktop or notebook computer can provide information about the trusted pairing relationship to the iPhone. The computer can also store backup copies of various data files, which are useful if the iPhone has been damaged or destroyed. This information can be used both as evidence and to further prove a relationship between the desktop and mobile device. If the suspect is trying to claim that the iPhone in evidence doesn’t belong to him, this is a great way to disprove it. This book doesn’t cover desktop forensics, but assumes that the reader is familiar with desktop procedures. Most of the information gathered on the desktop can be found on the live filesystem, unless it has been deleted. Nonetheless, you should have a firm understanding of the procedures necessary to preserve evidence on the desktop, or the information you obtain may not be admissible. For more information about desktop forensics, check out File System Forensic Analysis by Brian Carrier (Addison-Wesley Professional). A desktop trace should be gathered through standard forensic recovery procedures on the desktop machine. Both live and deleted data can be of great use to the examiner. This chapter describes the types of relevant data present on the desktop.
End of content preview. The rest of this section is not viewable here.
- Proving Trusted Pairing Relationships
- Content preview: “The phone’s not mine,” the suspect insists. “I took it off this dude who owed me money.” You reply, “Look, it’s got your prints all over it. It’s yours.” The suspect starts grinning. “Prove it.” Cheesy dialogues like this often make their way into the latest TV shows, but there is a serious theme to all of this: when such a small device is seized, possession can often be confused with ownership. It’s important to get rid of any reasonable doubt of the device’s ownership before making a final case against the suspect. Even though you found the iPhone on the suspect when you arrested him, it can sometimes be difficult to prove that the device really does belong to him. In the case of a drug dealer, the only real proof of ownership may be a few photos of a drug stash and some contacts who know him only by an alias. His contacts might be prepaid, or he may have used the last name “hoe” for all of his girlfriends, as one suspect did, so they can’t be easily tracked down. His email account could even be Gmail, making it more ambiguous. You may know very well that the iPhone belongs to him, but if you can’t prove it in court, any evidence might not be admissible. How can you prove that the phone (and the digital evidence on it) belongs to him? To add more consideration for trusted pairing relationships, consider that the iPhone may not belong to the suspect, but rather was stolen from the victim. If the victim was killed in a robbery, his iPhone may have been wiped and is now being used by the suspect. Not only can you prove a trusted pairing relationship to the suspect’s computer, but also to the victim’s, definitively linking all three. Every time the iPhone is synced with a desktop machine, it leaves behind trace evidence that can be used to link the two. If you can establish that the desktop machine in the suspect’s house knows about the iPhone, you can demonstrate to a jury that the iPhone is tied to his personal user account. The iPhone and the desktop share a set of pairing records, which are essentially keys used for sharing data. Proving that the device was paired with a particular desktop machine can be of vital importance in a case like the one just discussed, especially if you can secure the suspect’s desktop machine.
End of content preview. The rest of this section is not viewable here.
- Serial Number Records
- Preview: In addition to pairing records, a manifest is written to the desktop machine to keep track of the names and serial numbers of the devices paired with it. This lets the examiner verify that a desktop not only knows how to sync with a particular iPhone, but also knows the iPhone’s hardware serial number: the serial number recorded in the manifest can be matched against the serial number of the seized device.

The serial number of the device can be read on the iPhone itself by tapping Settings, then General > About.

On Mac OS X, a binary property list with a filename beginning with com.apple.iTunes can be found in /Users/username/Library/Preferences/ByHost. Each host is assigned its own file in this directory, distinguished by the host identifier in the filename. The property list stores information about the device in a binary format, but you can use the strings tool described in earlier chapters to dump the ASCII data embedded in the binary file and search it for the device’s serial number:

    $ strings com.apple.iTunes.001b619668af.plist

Scan through the output of this command and look for the device’s serial number, or pipe it through grep to search for the specific string.

On Windows XP, a match for the serial number can be found in C:\Documents and Settings\username\Local Settings\Application Data\Apple Computer\iTunes\iPodDevices.xml. On Windows Vista, the same file is at C:\Users\username\AppData\Local\Apple Computer\iTunes\iPodDevices.XML.

End of preview.

- Device Backups
- Preview: If the iPhone was damaged or destroyed, it may not be possible to get much information off it. This is when the device’s backup files become particularly important. Any time an iPhone is synced with a desktop machine, a backup of its configuration, address book, SMS database, camera photo cache, and other personal data is stored on the desktop in backup files. Each device paired with the desktop is assigned its own backup directory, named after the device’s unique identifier. Within this directory are a backup manifest, device information, and the individual data files. These files are normally copied back to the device if the owner restores it to factory settings. A suspect could delete such backups manually, but many are not aware that backups are being made at all, or choose to keep them.

The serial number of the iPhone can also be found in the device backup files on the desktop machine. Device backups are located as follows, depending on the operating system:

    Operating system   Location
    Mac OS X           /Users/username/Library/Application Support/MobileSync/Backup/deviceid
    Windows XP         C:\Documents and Settings\username\Application Data\Apple Computer\MobileSync\Backup\deviceid
    Windows Vista      C:\Users\username\AppData\Roaming\Apple Computer\MobileSync\Backup\deviceid

The backup manifest file, Info.plist, contains a device profile including the serial number of the paired device, the firmware revision, the phone number, and a timestamp. This can be used to prove not only that the two devices were paired, but also that a particular phone number was active on the device when it was synced, which is useful when phone records are part of the evidence in the investigation. The backup directory also contains multiple files ending with the .mdbackup extension.

End of preview.

- Activation Records
- Preview: When an iPhone is activated, various information about the device is stored in the device’s activation records. On the iPhone they are found in /private/var/root/Library/Lockdown/activation_records, which appears as /root/Library/Lockdown/activation_records on the user disk image. The information is stored base64-encoded and can be decoded back to plain text with any base64 decoder or with the openssl command-line tool.

Inside the activation_records directory is a property list containing several different certificates, including the FairPlay certificate for encrypted music on the device, and various account tokens. For an investigation, the most useful part is the AccountToken section of the property list:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>AccountToken</key>
        <data>
        ... data follows ...

When decoded, this section contains the unique device identifier that was assigned when the pairing relationship to the desktop was established. This identifier determines the filename of the pairing records on the desktop machine. An activation ticket and hardware identities (the IC card identity, the mobile subscriber identity, and the mobile equipment identity) are stored as well.

To decode this section, paste the encoded portion into a separate file and run it through a base64 decoder such as openssl:

    $ openssl enc -d -base64 -in filename
    {
        "ActivationRandomness" = "AEC80D06-1948-494C-846E-9A9FC02CF175";
        "UniqueDeviceID" = "d5d9f86cfc06f8bce3d31c551ccc69788c4579ea";
        "ActivationTicket" = "0200000029338284e1a7309dd143c60aa20a7176fba9d1db44860ba2e8b214c471e3d06
        b92089c06826dcc7a4f06e8200228d974cf6b5518baebe3457ccaffe9395a81d5a94a8e3
        a7c1c71746aaebc39d9ddc3acf2fd359448dd2d2379782606a4eec99e62298c26439d299606
        bbadb00d9439b63cfed42921f767d8316ce42e212082c58a1e5ee1fb619e0fb2f753b0f86
        a2db7cace003e5a47efb32a2b4e33d1787d0f6681edfc0737877ee6a28cec242418402cfda
        695060bd75f396c909c0b1ba3236519d29291012fbdadd2c8d0d7caae1ea33ac6841b3b6d64ca
        69145f7b072304a4f980d907d10b18bee9dd5df8cd8aea6ff11b339e8cc34d7f572c6de69c
        53076e8a4f057e46cf6ebe879480f62e1f966abb1f05049b328a3cb47d7208521901e6772
        c393251f13ce9ed9daaf21240617a89a813e7c48dbacd099d84979984deecc01e842da38a
        199e9e6ef67b84325f18a73c2f9f0fb4c11ce4933eed7728960ad637565e5589dc0faeb84
        a28990d71fceb0757f9131e4c151a48df520d427a66c2d2f2d0d4270d4e756c9baa9600da
        7f62f8dacf7ab83bb454d5e48e078bad04ade6b98661859c3e9606a5e983a8f7e37d8fac3
        b9cc091d518e5b153e8404486533bfc1aa20af4a6633245bc2de2afbf820f9065bae
        956690481d0df591dc1073011e6caf8d47f8278f7a0d526a14948c33cc8f252e03c40
        d6f91c9a6229770eac49b2498630a468061892420518576dfc0e045598475b68cedb
        071e1bf41476569da801081a39e7e658698bb54875ba74ed0af5c95c3fe037b9c8f5f
        547c926baa9dd055a4264";
        "IntegratedCircuitCardIdentity" = "89014103211656554643";
        "InternationalMobileSubscriberIdentity" = "310410165655464";
        "InternationalMobileEquipmentIdentity" = "011472002196598";
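The three artifacts described in the preceding sections (the ByHost iTunes plist, the backup Info.plist, and the AccountToken in the activation record) form one chain of custody from the phone to a desktop. The following Python script is an added example, not code from the book: it decodes the AccountToken the way openssl does, reads the UniqueDeviceID, finds the backup directory named after it, reads the serial number and phone number from Info.plist, and then runs a strings-style scan over the ByHost plists for that serial. All of the evidence is constructed in memory; the Info.plist key names ("Serial Number", "Product Version", "Phone Number", "Last Backup Date") are the ones iTunes wrote at the time and should be checked against the real file, and the inner layout of the ByHost plist is an assumption.

```python
"""Tie an iPhone's activation record to the desktop it was paired with."""
import base64
import plistlib
import re
from datetime import datetime

# ---- constructed sample evidence (every value here is made up) ----------
SAMPLE_UDID = "0123456789abcdef0123456789abcdef01234567"
SAMPLE_SERIAL = "7X8123ABC45"
SAMPLE_PHONE = "+15555550123"

# Decoded AccountToken, in the "key" = "value"; form shown above.
ACCOUNT_TOKEN = (
    '{\n'
    '\t"ActivationRandomness" = "11111111-2222-3333-4444-555555555555";\n'
    f'\t"UniqueDeviceID" = "{SAMPLE_UDID}";\n'
    '\t"ActivationTicket" = "0200000029cafebabe";\n'
    '\t"IntegratedCircuitCardIdentity" = "89000000000000000001";\n'
    '\t"InternationalMobileSubscriberIdentity" = "001010000000001";\n'
    '\t"InternationalMobileEquipmentIdentity" = "000000000000001";\n'
    '}\n'
).encode()

# The activation_records plist as found on the phone: AccountToken is a
# <data> element, i.e. base64 wrapped in XML.
ACTIVATION_PLIST = plistlib.dumps({"AccountToken": ACCOUNT_TOKEN},
                                  fmt=plistlib.FMT_XML)

# Files on the (constructed) desktop, keyed by path. Info.plist and the
# ByHost iTunes preferences are binary plists; the ByHost layout is assumed.
BACKUP_INFO = (f"/Users/username/Library/Application Support/MobileSync/"
               f"Backup/{SAMPLE_UDID}/Info.plist")
BYHOST = "/Users/username/Library/Preferences/ByHost/"
DESKTOP_FILES = {
    BACKUP_INFO: plistlib.dumps({
        "Serial Number": SAMPLE_SERIAL,
        "Product Version": "2.0.2",
        "Phone Number": SAMPLE_PHONE,
        "Last Backup Date": datetime(2008, 9, 1, 14, 3, 0),
        "Unique Identifier": SAMPLE_UDID,
    }, fmt=plistlib.FMT_BINARY),
    BYHOST + "com.apple.iTunes.001b619668af.plist": plistlib.dumps(
        {"LastConnectedDevice": {"serial": SAMPLE_SERIAL, "name": "iPhone"}},
        fmt=plistlib.FMT_BINARY),
    BYHOST + "com.apple.iTunes.000000000000.plist": plistlib.dumps(
        {"LastConnectedDevice": {"serial": "OTHERDEVICE1"}},
        fmt=plistlib.FMT_BINARY),
}


def decode_account_token(activation_plist: bytes) -> str:
    """Extract the base64 between the AccountToken <data> tags and decode
    it, which is what `openssl enc -d -base64 -in filename` does by hand."""
    m = re.search(rb"<key>AccountToken</key>\s*<data>(.*?)</data>",
                  activation_plist, re.S)
    if not m:
        raise ValueError("no AccountToken in activation record")
    return base64.b64decode(m.group(1)).decode("utf-8", "replace")


def parse_old_style_plist(text: str) -> dict:
    """Turn the decoded "key" = "value"; lines into a dict."""
    return dict(re.findall(r'"([^"]+)"\s*=\s*"([^"]*)";', text))


def strings(blob: bytes, min_len: int = 4) -> list:
    """Printable-ASCII runs, like strings(1) applied to a binary plist."""
    return [s.decode() for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def hosts_knowing_serial(desktop_files: dict, serial: str) -> list:
    """ByHost iTunes plists whose strings dump contains the serial
    (the `strings file | grep serial` step, done in Python)."""
    return sorted(path for path, blob in desktop_files.items()
                  if "/ByHost/com.apple.iTunes" in path
                  and any(serial in s for s in strings(blob)))


def backup_profile(desktop_files: dict, udid: str):
    """Device profile from the Info.plist of the backup directory named
    after the UDID, or None if this desktop never backed the device up."""
    for path, blob in desktop_files.items():
        if path.endswith(f"/MobileSync/Backup/{udid}/Info.plist"):
            info = plistlib.loads(blob)
            return {"path": path,
                    "serial": info.get("Serial Number"),
                    "firmware": info.get("Product Version"),
                    "phone": info.get("Phone Number"),
                    "last_backup": info.get("Last Backup Date")}
    return None


def link_device_to_desktop(activation_plist: bytes, desktop_files: dict) -> dict:
    """Phone -> UDID -> backup directory -> serial -> ByHost plist chain."""
    token = parse_old_style_plist(decode_account_token(activation_plist))
    udid = token["UniqueDeviceID"]
    backup = backup_profile(desktop_files, udid)
    serial = backup["serial"] if backup else None
    return {"udid": udid,
            "imei": token.get("InternationalMobileEquipmentIdentity"),
            "iccid": token.get("IntegratedCircuitCardIdentity"),
            "imsi": token.get("InternationalMobileSubscriberIdentity"),
            "backup": backup,
            "hosts_with_serial": hosts_knowing_serial(desktop_files, serial) if serial else []}


if __name__ == "__main__":
    import pprint
    pprint.pprint(link_device_to_desktop(ACTIVATION_PLIST, DESKTOP_FILES))
```

The strings check matches on substrings rather than whole runs because a binary plist stores a one-byte type marker directly in front of each string, and that marker is often itself a printable character, so the serial shows up inside a slightly longer run. On a real desktop, replace DESKTOP_FILES with the contents of the paths in the tables above.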
End of preview.

- Chapter 7: Case Help
- Preview: Different cases require different types of information. This chapter covers some of the most common corporate and law enforcement scenarios and walks through the data you will want to gather. These scenarios provide only an overview of the evidence-gathering process, so be sure to examine all of the evidence, not just what is outlined here. All of these examples presume that you have already performed forensic recovery of the media partition and can view the live filesystem using one of the tools described in earlier chapters. Some techniques are most easily carried out through the iPhone’s user interface, so if you have physical possession of the iPhone, your job will be a little easier.

End of preview.

- Employee Suspected of Inappropriate Communication
- Preview: Inappropriate communication could involve an affair with a coworker, sexual harassment, selling secrets, insider trading, or any other activity that violates corporate policy. If this is done on a company-owned device, you may have the right to seize the iPhone and conduct an examination. Many forms of communication are stored on the iPhone, the two most dominant being email and SMS messages. Other forms include photos from the user’s photo library, which can be attached to outgoing email and posted to online web forms. Finally, the suspect may have made personal notes such as safe combinations or box numbers in the iPhone’s notepad, or performed map lookups if a meeting was involved. The following list suggests some key information to check.

- SMS messages: Following the earlier chapters as a guide, dump the live SMS database. You will also want to perform a strings dump to recover any deleted messages lurking in unused portions of the file. The SMS database is on the iPhone’s media partition at /mobile/Library/SMS/sms.db. Look for both message content and phone numbers.

- Email: The second most likely form of communication is email. Scan the Envelope Index at /mobile/Library/Mail/Envelope Index for messages in the suspect’s inbox as well as in sent mail, as covered in earlier chapters. A strings dump can also recover fragments of deleted messages that may still be lurking in unused portions of the file. If the suspect uses an IMAP mail account, additional messages may be stored on the iPhone in separate files.
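The difference between the live dump and the strings dump in the SMS item above is worth seeing in code. The following Python script is an added example and not code from the book: it builds a constructed stand-in for sms.db with a simplified message table (the real table has more columns; the column names here are assumptions), deletes one message the way a suspect would, then shows that the live query no longer returns it while a strings-style scan of the raw file still does. The PRAGMA is there because current SQLite builds may be compiled with secure_delete, which zeroes deleted cells; the iPhone's database of the day did not, and the example switches the feature off to reproduce that behaviour.

```python
"""Live SMS dump versus carving deleted rows from the raw sms.db file."""
import os
import re
import sqlite3
import tempfile

# Constructed stand-in for /mobile/Library/SMS/sms.db. Column names and
# contents are made up for the example.
SAMPLE_ROWS = [
    ("+15555550111", 1220270400, "running late, start without me", 2),
    ("+15555550199", 1220274000, "meet at the pier at midnight and bring the cash", 3),
    ("+15555550111", 1220277600, "ok see you then", 3),
]
DELETED_ROWID = 2


def build_sample_sms_db(path: str) -> None:
    """Create the database, then delete one message as a suspect would."""
    con = sqlite3.connect(path)
    # Deleted cells stay in the page unless secure_delete is on; force it
    # off so the file behaves like the iPhone's database did.
    con.execute("PRAGMA secure_delete = OFF")
    con.execute("CREATE TABLE message (ROWID INTEGER PRIMARY KEY, address TEXT, "
                "date INTEGER, text TEXT, flags INTEGER)")
    con.executemany("INSERT INTO message (address, date, text, flags) VALUES (?,?,?,?)",
                    SAMPLE_ROWS)
    con.commit()
    con.execute("DELETE FROM message WHERE ROWID = ?", (DELETED_ROWID,))
    con.commit()
    con.close()


def dump_live_messages(path: str) -> list:
    """What the live database reports: only rows that still exist."""
    con = sqlite3.connect(path)
    try:
        return con.execute(
            "SELECT ROWID, address, datetime(date, 'unixepoch'), text "
            "FROM message ORDER BY date").fetchall()
    finally:
        con.close()


def strings(blob: bytes, min_len: int) -> list:
    """Printable-ASCII runs, as strings(1) would print them."""
    return [s.decode() for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def carve_deleted_strings(path: str, min_len: int = 12) -> list:
    """Strings in the data pages that no live row accounts for. A run may
    carry a byte or two of the neighbouring record fields (the date, a
    type code); that is normal for carved data, so callers should match
    on substrings."""
    live = dump_live_messages(path)
    with open(path, "rb") as f:
        blob = f.read()
    page_size = int.from_bytes(blob[16:18], "big")   # file header; 1 means 65536
    if page_size == 1:
        page_size = 65536
    accounted = {row[1] for row in live} | {row[3] for row in live}
    candidates = []
    for s in strings(blob[page_size:], min_len):      # page 1 only holds the schema
        if not any(value in s for value in accounted):
            candidates.append(s)
    return candidates


def demo() -> tuple:
    """Build the sample database in a temp dir; return (live rows, carved)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sms.db")
        build_sample_sms_db(path)
        return dump_live_messages(path), carve_deleted_strings(path)


if __name__ == "__main__":
    live, carved = demo()
    print("live rows:")
    for row in live:
        print(" ", row)
    print("carved from slack (not in any live row):")
    for s in carved:
        print(" ", repr(s))
```

Against a real sms.db, point dump_live_messages and carve_deleted_strings at the copied file from the media partition and extend the accounted set with whatever other columns the live schema exposes, so that only unexplained text remains in the carved list.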
End of preview.

- Employee Destroyed Important Data
- Preview: On the iPhone, important data can be photos, email, a PDF, or other stored information. Even simple information such as a boarding pass number can be of great importance if it is stored somewhere in the browser cache. Data can be destroyed intentionally or by accident, but in either case it is important to understand how to recover it properly. Earlier chapters introduced Scalpel, a data-carving tool that recovers deleted files from a disk image based on the file’s header (and optionally its footer). Become intimately familiar with Scalpel, as it is critical for recovering deleted information.

To recover deleted files, Scalpel requires a file header: the first few bytes of the file, which identify the kind of data you are trying to recover. Earlier chapters gave many examples of headers for recovering proprietary file types from the iPhone, and your first attempt at recovering the missing files should be to run Scalpel with those rules. If some of the data was damaged, it may still be possible to recover pieces of the missing files from the device, especially if they were unstructured communication.

- Email: If part of a message was deleted, you may be able to scan for other parts of the message, such as “Subject: ” or a message boundary. Using another message from the same sender, examine the message source to find the type of boundary it uses. Some mail agents use the text NEXTPART followed by a random number, or something similar. Scanning for this with Scalpel improves your chances of finding the remaining pieces of the message.

- Web page data: If the information was stored on a web page, you may not find it by scanning for <HTML tags, especially if the website did not use the proper header tags. Scan for the beginnings of other common tags, such as
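To make the two cases above concrete, here is an added example that is not code from the book or from Scalpel itself: a small header/footer carver that applies rules in the shape of scalpel.conf entries to a constructed image containing an intact message, a second message whose Subject line was overwritten but whose MIME boundary survived, and an HTML page written with upper-case tags. It also prints the equivalent scalpel.conf lines. The boundary string, the message text and the page contents are all made up.

```python
"""A Scalpel-style header/footer carver over a constructed disk image."""
import re

# Rules in the shape of scalpel.conf entries:
# (extension, case_sensitive, max_size, header, footer). A footer of None
# means "car­ve max_size bytes after the header", as Scalpel does.
RULES = [
    ("eml",  True,  128,  b"Subject: ",         None),
    ("part", True,  512,  b"------=_NextPart_", b"------=_NextPart_"),
    ("html", False, 8192, b"<html",             b"</html>"),
]

# Constructed image: an intact message, a second message whose headers
# (including Subject) were overwritten but whose MIME boundary survived,
# and an HTML page that uses upper-case tags. Contents are made up.
NOISE = b"\x00" * 64 + b"\xff\x8a\x13" * 20
MSG1 = b"From: alice@example.com\r\nSubject: lunch\r\n\r\nsee you at noon\r\n"
MSG2_PART = (b"------=_NextPart_000_0042\r\nContent-Type: text/plain\r\n\r\n"
             b"the combination is 17-23-9\r\n------=_NextPart_000_0042--\r\n")
PAGE = b"<HTML><body>boarding pass ABC123</body></HTML>"
IMAGE = NOISE + MSG1 + NOISE + MSG2_PART + NOISE + PAGE + NOISE


def compile_rule(rule):
    ext, case_sensitive, max_size, header, footer = rule
    flags = 0 if case_sensitive else re.IGNORECASE
    hdr = re.compile(re.escape(header), flags)
    ftr = re.compile(re.escape(footer), flags) if footer else None
    return ext, max_size, hdr, ftr


def carve(image: bytes, rules=RULES) -> list:
    """Return (ext, offset, data) for every header hit. The carved file
    ends at the first footer within max_size bytes of the header, or after
    max_size bytes if no footer is found, which is Scalpel's behaviour."""
    found = []
    for rule in rules:
        ext, max_size, hdr, ftr = compile_rule(rule)
        for m in hdr.finditer(image):
            start = m.start()
            window = image[start:start + max_size]
            end = len(window)
            if ftr is not None:
                f = ftr.search(window, m.end() - start)   # footer must follow the header
                if f:
                    end = f.end()
            found.append((ext, start, window[:end]))
    return found


def scalpel_conf(rules=RULES) -> list:
    """The same rules as scalpel.conf lines. Scalpel splits fields on
    whitespace, so anything but ASCII letters and digits is written as \\xHH."""
    def esc(b):
        return "".join(chr(c) if c < 128 and chr(c).isalnum() else "\\x%02x" % c for c in b)
    lines = []
    for ext, case_sensitive, max_size, header, footer in rules:
        line = f"{ext}\t{'y' if case_sensitive else 'n'}\t{max_size}\t{esc(header)}"
        if footer:
            line += f"\t{esc(footer)}"
        lines.append(line)
    return lines


def hits(image: bytes, ext: str, needle: bytes) -> int:
    """How many carved files of type ext contain needle."""
    return sum(1 for e, _, data in carve(image) if e == ext and needle in data)


if __name__ == "__main__":
    for ext, off, data in carve(IMAGE):
        print(f"{ext:5} @{off:6} {len(data):5} bytes  {data[:40]!r}")
    print("\n".join(scalpel_conf()))
```

Run it and note that the "Subject: " rule recovers only the first message, while the boundary rule recovers the combination from the second message whose headers are gone, and the case-insensitive HTML rule catches the page even though a case-sensitive "<html" would have missed it. The closing boundary also produces a hit of its own, just as Scalpel would produce one; filtering such fragments is a job for the examiner, not the carver.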
End of preview.

- Seized iPhone: Whose Is It and Where Is He?
- Preview: In some cases, iPhones have been recovered from a crime scene without immediate evidence of whom they belong to. The device could have been dropped by a fleeing suspect or left by a victim. In addition to finding out who the owner is, it may also be important to find out where he is. This is especially important if the owner was the victim of a kidnapping or similar crime, or if he is a suspect and possibly dangerous.

The easiest way to track an iPhone back to its owner is by its phone number. The phone number can be found by tapping the Phone icon, then the Contacts button on the bottom bar. Scroll to the very top of the contacts list and you will see the text My Number, followed by the phone number programmed onto the SIM. This phone number, combined with a subpoena, is usually the easiest way to get a name and address from the telecommunications provider, or possibly from Apple, Inc. If you are unable to identify the owner from the phone number, examination of the device can provide much more information about the individual:

- Email: Saved email may contain the owner’s name and the service provider used. If the owner is connected to his corporate email, you will be able to find out what company he works for. If a name is unavailable and there are no other useful leads to the person’s identity, consider scanning all email (including deleted email) for passwords or other account information. If the owner has recently signed up for a new account on any website, there is likely a trail of this somewhere on disk.

- Contacts: Contact records for the people the owner frequently communicated with can help lead you to him, especially if he is the victim of a crime. If the owner is a suspect in, say, a murder, you may have just uncovered dozens of new leads.
End of preview.

- Appendix: Disclosures and Source Code
- Preview: This appendix includes details about the procedures and results described in this book that a court may require from law enforcement witnesses, prosecutors, and defendants.

    Power-On Device Modifications (Disclosure)

End of preview.

- Power-On Device Modifications (Disclosure)
- Preview: When any computer is turned on, files are read and written. iPhone examiners need only be concerned with what is written, because the iPhone’s filesystem is mounted with the noatime option even when the option is not specified in /etc/fstab. This option prevents a file’s access time from being updated when the file is read or its metadata (such as its name) is changed. The access time shown on a file therefore reflects either its creation or the last time its content was changed, letting you concentrate on the files that have actually been modified.

In the likely event that you do not possess special equipment to physically dump the iPhone’s memory chip, the device must be powered on and booted into its operating system to recover data. Furthermore, the forensic tools described in this book require that the device be rebooted after the toolkit payload is installed. Just like a desktop operating system, the iPhone’s Leopard-based operating system performs minor writes to certain files on boot. Most of these writes replace or reset existing configuration files and add no new data to the filesystem; some, however, append a very small amount of data to files. Overall, the writes to the filesystem are minimal, but they are disclosed here for integrity. On iPhone firmware versions 1.1.2 and earlier, the mobile directory is replaced with root.

Table: Bytes added to files during boot

    Filename                                                            Bytes added
    /private/var/log/lastlog                                            28 bytes
    /private/var/mobile/Library/Preferences/com.apple.voicemail.plist   1275 bytes
    /private/var/preferences/csidata                                    121 bytes
    /private/var/run/configd.pid                                        3 bytes
    /private/var/run/resolv.conf

End of preview.

- Installation Record (Disclosure)
- Preview: The forensic toolkit payload installed by iLiberty+ places a set of open source tools onto the otherwise read-only portion of the device, so no user-level data stored on the device’s media partition is destroyed. At the time of payload installation, the following files are written to the system (root) partition. File sizes may vary depending on the application and payload versions used, and some files are deleted after toolkit installation.
    /usr/libexec/ipluspwns (basepack)
    -rwxr-xr-x 1 root wheel 25212 Mar 27 08:59 chmod*
    -rwxr-xr-x 1 root wheel 38320 Mar 27 08:59 echo*
    -rwxr-xr-x 1 root wheel 23292 Mar 27 08:59 iPipe*
    -rwxr-xr-x 1 root wheel 14352 Mar 27 08:59 mv*
    -rwxr-xr-x 1 root wheel 13760 Mar 27 08:59 reboot*
    -rwxr-xr-x 1 root wheel 19128 Mar 27 08:59 rm*
    -rwxr-xr-x 1 root wheel 1298880 Mar 27 08:59 sh*
    -rwxr-xr-x 1 root wheel 39036 Mar 27 08:59 sleep*
    -rwxr-xr-x 1 root wheel 14916 Mar 27 08:59 umount*
    -rwxr-xr-x 1 root wheel 141528 Mar 27 08:59 unzip*

    /bin (basepack)
    -rwxr-xr-x 1 root wheel 134152 Mar 27 08:59 awk
    -rwxr-xr-x 1 root wheel 23368 Mar 27 08:59 blcheck
    -rwxr-xr-x 1 root wheel 14368 Mar 27 08:59 cat
    -rwxr-xr-x 1 root wheel 25212 Mar 27 08:59 chmod
    -rwxr-xr-x 1 root wheel 80660 Mar 27 08:59 chown
    -rwxr-xr-x 1 root wheel 19644 Mar 27 08:59 cp
    -rwxr-xr-x 1 root wheel 18972 Mar 27 08:59 cut
    -rwxr-xr-x 1 root wheel 33288 Mar 27 08:59 dd
    -rwxr-xr-x 1 root wheel 9212 Mar 27 08:59 dirname
    -rw-r--r-- 1 root wheel 2971 Apr 1 20:25 functions.inc
    -rwxr-xr-x 1 root wheel 158708 Mar 27 08:59 grep
    -rwxr-xr-x 1 root wheel 18056 Mar 31 14:03 iEdit
    -rwxr-xr-x 1 root wheel 20776 Mar 27 08:59 igsm
    -rwxr-xr-x 1 root wheel 13492 Mar 31 14:03 ln
    -rwxr-xr-x 1 root wheel 41028 Mar 27 08:59 ls
    -rwxr-xr-x 1 root wheel 13348 Mar 31 14:03 mkdir
    -rwxr-xr-x 1 root wheel 24244 Mar 27 08:59 plutil
    -rwxr-xr-x 1 root wheel 13760 Mar 27 08:59 reboot
    -rwxr-xr-x 1 root wheel 19172 Mar 27 08:59 rm
    -rwxr-xr-x 1 root wheel 42888 Mar 27 08:59 sed
    -rwxr-xr-x 1 root wheel 1298880 Mar 27 08:59 sh
    -rwxr-xr-x 1 root wheel 9392 Mar 27 08:59 sleep
    -rwxr-xr-x 1 root wheel 260244 Mar 27 08:59 tar
    -rwxr-xr-x 1 root wheel 141528 Mar 27 08:59 unzip

    /bin (payload)
    -rwxr-xr-x 1 root wheel 591364 Mar 16 09:23 bash
    -rwxr-xr-x 1 root wheel 45804 Feb 29 04:55 cat
    -rwxr-xr-x 1 root wheel 74456 Feb 29 04:55 chgrp
    -rwxr-xr-x 1 root wheel 65632 Feb 29 04:55 chmod
    -rwxr-xr-x 1 root wheel 74724 Feb 29 04:55 chown
    -rwxr-xr-x 1 root wheel 159704 Feb 29 04:55 cp
    -rwxr-xr-x 1 root wheel 33288 Apr 7 10:25 dd
    -rwxr-xr-x 1 root wheel 119948 Mar 27 07:48 grep
    -rwxr-xr-x 1 root wheel 115848 Feb 29 04:55 ln
    -rwxr-xr-x 1 root wheel 146360 Feb 29 04:55 ls
    -rwxr-xr-x 1 root wheel 44452 Feb 29 04:55 mkdir
    -rwxr-xr-x 1 root wheel 45900 Feb 29 04:55 mknod
    -rwxr-xr-x 1 root wheel 169368 Feb 29 04:55 mv
    -rwxr-xr-x 1 root wheel 39292 Feb 29 04:55 pwd
    -rwxr-xr-x 1 root wheel 13760 Apr 8 00:35 reboot
    -rwxr-xr-x 1 root wheel 142636 Feb 29 04:55 rm
    lrwxr-xr-x 1 root wheel 4 Apr 8 00:18 sh -> bash
    -rwxr-xr-x 1 root wheel 17004 Feb 27 18:50 sync

    /etc (payload)
    -rw-r--r-- 1 root wheel 1418 Jun 12 2006 ssh_config
    -rw-r--r-- 1 root wheel 3230 Aug 25 2007 sshd_config

    /sbin (payload)
    -rwxr-xr-x 1 root wheel 185008 Apr 8 00:34 fsck_hfs
    -rwxr-xr-x 1 root wheel 18052 May 7 12:12 md5
    -rwxr-xr-x 1 root wheel 19236 Apr 8 00:34 mount_hfs
    -rwxr-xr-x 1 root wheel 46300 Apr 8 00:35 newfs_hfs
    -rwxr-xr-x 1 root wheel 191976 May 7 12:22 ping
    -rwxr-xr-x 1 root wheel 14916 Apr 8 00:37 umount

    /usr/bin (payload)
    -rwsr-xr-x 1 root wheel 31712 Feb 27 18:50 login
    -rwxr-xr-x 1 root wheel 29520 Apr 8 00:34 nc
    -rwxr-xr-x 1 root wheel 56284 Aug 23 2007 scp
    -rwxr-xr-x 1 root wheel 88876 Aug 23 2007 sftp
    -rwxr-xr-x 1 root wheel 340340 Aug 23 2007 ssh
    -rwxr-xr-x 1 root wheel 103960 Aug 23 2007 ssh-add
    -rwxr-xr-x 1 root wheel 87336 Aug 23 2007 ssh-agent
    -rwxr-xr-x 1 root wheel 134264 Aug 23 2007 ssh-keygen
    -rwxr-xr-x 1 root wheel 198048 Aug 23 2007 ssh-keyscan

    /usr/lib (payload)
    lrwxr-xr-x 1 root wheel 18 Apr 8 00:18 libcurses.dylib -> libncurses.5.dylib
    -r-xr-xr-x 1 root wheel 35392 Jan 3 20:31 libhistory.5.2.dylib
    lrwxr-xr-x 1 root wheel 20 Apr 8 00:18 libhistory.5.dylib -> libhistory.5.2.dylib
    lrwxr-xr-x 1 root wheel 20 Apr 8 00:18 libhistory.dylib -> libhistory.5.2.dylib
    -rw-r--r-- 1 root wheel 60780 Jan 14 21:44 libintl.8.0.2.dylib
    lrwxr-xr-x 1 root wheel 19 Apr 8 00:18 libintl.8.dylib -> libintl.8.0.2.dylib
    lrwxr-xr-x 1 root wheel 19 Apr 8 00:18 libintl.dylib -> libintl.8.0.2.dylib
    -rw-r--r-- 1 root wheel 801 Jan 14 21:44 libintl.la
    -rwxr-xr-x 1 root wheel 105156 Feb 23 06:30 libncurses++.a
    -rwxr-xr-x 1 root wheel 379360 Feb 23 06:30 libncurses.5.dylib
    lrwxr-xr-x 1 root wheel 18 Apr 8 00:18 libncurses.dylib -> libncurses.5.dylib
    -r-xr-xr-x 1 root wheel 239308 Jan 3 20:31 libreadline.5.2.dylib
    lrwxr-xr-x 1 root wheel 21 Apr 8 00:18 libreadline.5.dylib -> libreadline.5.2.dylib
    lrwxr-xr-x 1 root wheel 21 Apr 8 00:18 libreadline.dylib -> libreadline.5.2.dylib
    -rwxr-xr-x 1 root wheel 247684 Jan 4 05:35 libresolv.dylib
    lrwxr-xr-x 1 root wheel 17 Apr 8 00:18 terminfo -> ../share/terminfo

    /usr/libexec (payload)
    -rwxr-xr-x 1 root wheel 59372 Aug 23 2007 sftp-server
    -rwxr-xr-x 1 root wheel 200664 Aug 23 2007 ssh-keysign
    -rwxr-xr-x 1 root wheel 35280 Aug 23 2007 ssh-rand-helper
    -r-xr-xr-x 1 root wheel 425 Dec 20 2006 sshd-keygen-wrapper

    /usr/sbin (payload)
    -rwxr-xr-x 1 root wheel 32784 Apr 8 00:36 fdisk
    -rwxr-xr-x 1 root wheel 414512 Aug 23 2007 sshd

    /Library/LaunchDaemons (payload)
    -rw-r--r-- 1 root wheel 828 Feb 4 2006 com.openssh.sshd.plist

End of preview.

- Technical Procedure
- Preview: This section explains some low-level technical details of the operations performed by the iLiberty+ tool. These techniques are intended for those who want a technical explanation of the procedure or who seek to reproduce or verify it; they are not necessary for general forensic examination.

Many different methods have been devised by the iPhone development community to gain access to an iPhone’s operating system, but very few of them can do so without destroying evidence, or even the entire filesystem. The technique used in this manual is considered forensically safe in that it accesses the device without corrupting user data.

A RAM disk is a filesystem that resides in memory and is not physically written to disk. Most Unix kernels can boot the operating system from memory, and most versions of the iPhone software support this as well. The technique used by iLiberty+ for iPhone software versions 1.0.2–1.1.4 gains access to the operating system by booting an unsigned RAM disk from the iPhone’s resident memory. The RAM disk is copied into the iPhone’s memory and booted by setting the appropriate kernel flags through Apple’s MobileDevice framework. This section is based specifically on version 7.4.2 of the device framework; because the function calls change slightly in newer versions, you will have to install that version of the framework with a copy of iTunes 7.4.2 in order to reproduce the procedure.

Once the unsigned RAM disk is booted, the iPhone’s disk-based filesystem is mounted and the selected payload is copied over. Depending on the payload, this could simply enable shell access, install a surveillance kit, or install any other type of software. When the device boots back into its normal operating mode, the installed payload executes and performs whatever tasks it was designed for.
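The claim that the procedure is forensically safe, and the two disclosure lists above (bytes appended during boot, files written at payload installation), all rest on the same measurement: a snapshot of the filesystem before the operation compared against one taken after it. The following Python script is an added example, not code from the book or from iLiberty+: it hashes every file under a directory tree, diffs two snapshots, and reports files added, files removed, and the byte delta of files that changed, in the form of the tables above. The tree it operates on is constructed in a temporary directory and the file contents are made up; the three cases it plants (a user database that must stay untouched, a log that grows by 28 bytes, a configuration file replaced at the same size, and a new payload binary) mirror the kinds of entries in the disclosures.

```python
"""Before/after snapshots of a file tree, to document what a boot or a
payload installation wrote, and what it left alone."""
import hashlib
import os
import tempfile


def snapshot(root: str) -> dict:
    """Map each path under root (relative) to (size, sha256), or to
    ("symlink", target) for symbolic links, which are not followed."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if os.path.islink(full):
                snap[rel] = ("symlink", os.readlink(full))
                continue
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            snap[rel] = (os.path.getsize(full), h.hexdigest())
    return snap


def diff_snapshots(before: dict, after: dict) -> dict:
    """Files added, removed, and changed. For changed regular files the
    value is the byte delta, as in the bytes-added table; a delta of 0
    with a different hash means the file was rewritten in place."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = {}
    for rel in sorted(set(before) & set(after)):
        b, a = before[rel], after[rel]
        if b != a:
            changed[rel] = a[0] - b[0] if isinstance(a[0], int) and isinstance(b[0], int) else None
    return {"added": added, "removed": removed, "changed": changed}


def report(diff: dict) -> list:
    """One line per difference, suitable for a disclosure appendix."""
    lines = [f"added   {p}" for p in diff["added"]]
    lines += [f"removed {p}" for p in diff["removed"]]
    lines += [f"changed {p}  {'%+d bytes' % d if d is not None else 'content changed'}"
              for p, d in diff["changed"].items()]
    return lines


def _write(root: str, rel: str, data: bytes) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "ab") as f:
        f.write(data)


def demo() -> dict:
    """Constructed tree: user data that must stay untouched, a log that
    boot appends 28 bytes to, a pid file rewritten at the same size, and
    a payload binary that appears. Everything here is made up."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "private/var/mobile/Library/SMS/sms.db", b"SQLite format 3\x00" + b"\x00" * 100)
        _write(root, "private/var/log/lastlog", b"\x00" * 300)
        _write(root, "private/var/run/configd.pid", b"41\n")
        before = snapshot(root)
        # simulate the boot and the toolkit installation
        _write(root, "private/var/log/lastlog", b"\x00" * 28)
        _write(root, "usr/bin/ssh", b"\xca\xfe\xba\xbe" * 16)
        os.remove(os.path.join(root, "private/var/run/configd.pid"))
        _write(root, "private/var/run/configd.pid", b"57\n")
        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    print("\n".join(report(demo())))
```

Against a real device, take the first snapshot of the mounted image before the payload is installed and the second after the reboot, then keep both snapshot dictionaries with the case file: the hashes are what lets a court see that the media partition was not touched, not just that its file sizes did not move.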
End of preview.
