iPhone forensics based on Macintosh open source and freeware tools
Thomas Höne and Reiner Creutzburg
Fachhochschule Brandenburg - University of Applied Sciences, Department of Informatics and Media, Magdeburger Straße 50, D-14770 Brandenburg, Germany

ABSTRACT
The aim of this article is to show the usefulness of Mac OS X based open source and freeware tools for the forensic investigation of modern iPhones. It demonstrates how the important data stored on an iPhone can be examined. Two investigation scenarios are presented that are well suited for forensics lab work at a university. The data relevant to a forensic investigation that may be stored on such a mobile device are described, and the structure and functions of the iPhone are explained.

Keywords: Apple iPhone, iPhone forensics, mobile forensics, Mac OS X forensics
1. INTRODUCTION
Mobile phones are often involved in criminal activity, and an analysis of the data and files on a mobile device makes it possible to investigate such activity. The most important requirement in such cases is to preserve the integrity of the evidence. In 2007 Apple revolutionized the mobile phone market: the company sold 14.1 million iPhones in the last quarter of 2010 alone [1] and 73,732,000 iPhones since 2007 [2]. The many applications and the personal data on an iPhone can be a very important source of information for criminal investigations.
2. THE IPHONE
This chapter explains some terms around the iPhone and shows which weaknesses exist and how an examiner can make use of them.
2.1 Jailbreak
Jailbreak is the established term among iPhone hackers for removing the restrictions Apple places on an original iPhone. In addition to the jailbreak the device can be unlocked, which means that SIM cards of carriers other than the licensed provider can be used. A jailbreak is only possible in DFU (Device Firmware Upgrade) mode, a low-level state of the boot process in which the system software can be overwritten, for example with modified iPhone firmware that includes Cydia. Cydia is an alternative package manager and store that is not authorized by Apple; through it applications can be installed that Apple does not offer in the App Store, for example OpenSSH, Netcat or a Terminal.
2.2 No Jailbreak
A jailed iPhone is a device whose software and operating system have not been modified. On a jailed iPhone only applications that Apple has authorized and distributes through the App Store can be installed. From the perspective of a forensic examiner a jailbroken iPhone is preferable to a jailed one, because on a jailed iPhone it is not possible to install OpenSSH and Netcat and thus to connect to the device over WiFi/WLAN.

Further author information: (Send correspondence to Thomas Höne)
Thomas Höne: E-mail: [email protected], Phone: +49 (0) 162 13 11 096
Reiner Creutzburg: E-mail: [email protected], Phone: +49 (0) 3381 355 442
Multimedia on Mobile Devices 2011; and Multimedia Content Access: Algorithms and Systems V, edited by David Akopian, Reiner Creutzburg, Cees G. M. Snoek, Nicu Sebe, Lyndon Kennedy, Proc. of SPIE-IS&T Electronic Imaging, SPIE Vol. 7881, 78810P · © 2011 SPIE-IS&T · CCC code: 0277-786X/11/$18 · doi: 10.1117/12.879318 SPIE-IS&T/ Vol. 7881 78810P-1
Figure 1. iPhone file structure
2.3 iPhone Operating System
The iPhone operating system is a specially customized variant of Mac OS X. It consists of four layers [3]:
• Cocoa Touch (application framework),
• Media (audio, video and graphics),
• Core Services,
• Core OS (kernel and drivers).
The integrated NAND flash memory is divided into two partitions. The first one is the system partition, which holds the operating system that is booted; the second one is the media (user data) partition, which stores movies, music, photos, contacts and more [4]. Figure 1 shows the access rights on a jailed and on a jailbroken iPhone, respectively. On a jailed iPhone one only has access to the part marked by the dashed box; the bold box shows the access from the root directory that a jailbroken iPhone offers.
2.3.1 Passcode Lock
The passcode lock is a security option. If it is activated the user has to enter a four-digit passcode to unlock the phone; since iOS 4 the passcode can also contain letters and other characters. To prevent brute-force attacks the user can activate an option that makes the iPhone erase all its data after ten incorrect passcode entries. Since iPhone OS 2.2 the passcode, e-mail passwords and the passwords of other applications are stored in the keychain file.

Bypassing the Passcode Lock
One method of bypassing the passcode lock exists, but it only works with iPhone OS 1.1.2. The procedure is explained in the whitepaper of Troy Lawrence, iPhone Passcode Work-Around, 26.02.2008 [5].

Keychain Database
Another method to bypass or deactivate the passcode lock works only on a jailbroken iPhone. Here the keychain database is deleted. Its path is

    /private/var/Keychains/keychain-2.db

With the freeware tool iPhone Explorer the examiner can navigate to this file, copy it and then delete it. After the file has been deleted the device must be rebooted; the passcode is then deactivated. The disadvantage of this method is that all other stored passwords are deleted as well. Because the keychain file was saved beforehand, the passwords can be restored from that copy [6]. Note that this step alters the evidence, so the saved copy should be hashed and the procedure documented before the file is deleted.

2.3.2 iTunes iPhone Backup
The iPhone can be managed with Apple's iTunes software. When the phone is synchronized, iTunes creates a backup that contains all the data of the mobile phone. The backup can optionally be encrypted. If it is not encrypted, it is easy for an examiner to find and use the backup; for encrypted backups the commercial tool Elcomsoft Phone Password Breaker attacks the backup password so that the backup can be decrypted.
2.4 Overview and technical data of iPhone models
With the overview of iPhone models in table 1 the examiner can classify the model in hand: from color and storage size the examiner can infer the iPhone model and the range of operating system versions it can run. This classification is important because it helps the examiner to find the right manual for the device. Once the operating system is known, the examiner can draw conclusions about the applications installed by default, which makes it easier to find the files to analyze in criminal scenarios.
3. USING BASICS OF COMPUTER FORENSICS ON AN IPHONE
3.1 Preservation of mobile devices
The flow chart of Geschonneck (figure 7 in the appendix) shows a general step-by-step approach for the preservation of mobile devices. Some points in figure 7 can or must be skipped when an iPhone is preserved; for example, the iPhone has no removable memory card. When an iPhone is seized, the first thing to do is to remove the SIM card, because the device can be wiped by remote access over Apple's MobileMe service. Without the SIM card the owner can no longer locate and wipe it over the mobile network. Since a remote wipe command can also arrive over WiFi, the device should additionally be kept off all networks (airplane mode or a shielded container). The following questions are important for an examiner when an iPhone is found:
• Which iPhone generation? (2G, 3G, 3GS, 4)
• How large is the flash storage? (4 GB, 8 GB, 16 GB, 32 GB)
• Which operating system is installed?
• Is the device jailbroken?
• Is a SIM card inserted?
• Is the passcode lock active?
• Which applications and games are installed?
• Are MobileMe applications installed?
• Are navigation applications such as TomTom or Navigon installed?
• Which books are saved in iBooks (since iOS 4)?
• Are there bookmarks in the Safari browser?
• Are there saved voice memos?
• Are there notes on the device?
• Which YouTube videos were viewed?
• Which pictures are saved in the snapshot cache?

Table 1. Overview and technical data of iPhone models [7]

Device        Release   Color    iPhone OS / iOS   Storage   min. iTunes version
iPhone 2G     06/2007   silver   1.0 - 3.1.3       4 GB      7.3
iPhone 2G     06/2007   silver   1.0 - 3.1.3       8 GB      7.3
iPhone 2G     02/2008   silver   1.0 - 3.1.3       16 GB     7.5
iPhone 3G     07/2008   black    2.0 - 4.0.1       8 GB      7.5
iPhone 3G     07/2008   black    2.0 - 4.0.1       16 GB     7.7
iPhone 3G     07/2008   white    2.0 - 4.0.1       16 GB     7.7
iPhone 3G     06/2009   black    2.0 - 4.0.1       8 GB      8.2
iPhone 3G S   06/2009   black    3.0 - 4.0.1       16 GB     8.2
iPhone 3G S   06/2009   white    3.0 - 4.0.1       16 GB     8.2
iPhone 3G S   06/2009   black    3.0 - 4.0.1       32 GB     8.2
iPhone 3G S   06/2009   white    3.0 - 4.0.1       32 GB     8.2
iPhone 4      06/2010   black    4.0 - 4.0.1       16 GB     9.2
iPhone 4      06/2010   white    4.0 - 4.0.1       16 GB     9.2
iPhone 4      06/2010   black    4.0 - 4.0.1       32 GB     9.2
iPhone 4      06/2010   white    4.0 - 4.0.1       32 GB     9.2

(The "Storage" column is the built-in flash storage, not RAM; the iOS column gives the range of versions available for the model at the time of writing.)
3.2 Preservation of iPhones
A flow chart related to figure 7 can be developed for iPhones; it is presented in figure 8. Here the analysis of the SIM card is not part of the forensic preservation, since on an iPhone new messages and contacts are not saved on the SIM card. Only in rare cases does the SIM card hold important information: contacts and messages are normally saved in the flash storage of the device. If the card originates from a different mobile phone, however, contacts and messages can be found on it.
4. FORENSIC INVESTIGATION OF IPHONES
This chapter describes two different experiments for the forensic investigation of an Apple iPhone and shows the practical use of some open source and freeware tools.
4.1 Experiment 1: Forensic analysis of a jailbroken iPhone 3G
4.1.1 Experiment description
In this experiment a jailbroken iPhone 3G is analyzed. The jailbreak was made with RedSn0w 0.9.5b5-5, and iOS 4 is installed. The passcode lock and the SIM PIN are active. The analysis is made on an independent computer that had never been synchronized with this device.

4.1.2 Analysis and evaluation
Access with iPhone Explorer
After the iPhone is connected over a USB cable, the program iPhone Explorer can be started. The program has full access to the file system once the boot process has finished; no PIN and no passcode are required. The whole file structure can then be copied. This copy is not a forensic image, however: the MAC times (modification, access and creation times) of the copied files are changed.

Access with OpenSSH
This method has some requirements: the device must be jailbroken, and Cydia, OpenSSH and Netcat must be installed. All iPhones and iPod touches are delivered with the same default passwords, alpine for root and dottie for the unprivileged user mobile [8]; the owner may have changed the root password. To connect to the device over SSH the examiner creates a mobile ad hoc network*. Once both devices (iPhone and forensic computer) are joined to the ad hoc network, the examiner can log in to the iPhone from the terminal with the following command:

    [~] ssh -l root <IP address of the iPhone>

The root password must then be entered, i.e. alpine unless the owner changed it. If the password was changed, the only remaining option is a brute-force search†. The next listing generates a hash‡ of the system partition on the iPhone, which is later compared with the hash of the received image to show that the copy is identical [8]:

    [~] md5 /dev/rdisk0s1

Now the examiner opens a listening port with Netcat on the forensic computer into which the image will be written:

    [~] nc -l 26000 > iphone.rep

The command in the following listing, run on the iPhone, creates the image of the system partition and streams it to the forensic computer:

    [~] dd if=/dev/rdisk0s1 conv=sync,noerror bs=4k | nc -w1 <IP address of the forensic computer> 26000
    ...
    524288000 bytes (524 MB) copied, 501.304 s, 1.0 MB/s

After that the image of the media partition is created the same way, with a fresh Netcat listener and output file on the forensic computer:

    [~] dd if=/dev/rdisk0s2 conv=sync,noerror bs=4k | nc -w1 <IP address of the forensic computer> 26000

Note that conv=sync pads a short final block with zero bytes and conv=noerror skips over unreadable blocks, so the hash of the image only equals the hash of the device if the partition size is a multiple of the block size and every block was read; any difference must be documented.

* A mobile ad hoc network, sometimes called a mobile mesh network, is a self-configuring network of mobile devices connected by wireless links.
† In computer science, brute-force search or exhaustive search, also known as generate and test, is a trivial but very general problem-solving technique that consists of systematically enumerating all possible candidates for the solution and checking whether each candidate satisfies the problem's statement.
‡ A cryptographic hash function maps data of arbitrary size to a short fixed-size digest; two copies with the same digest are, for practical purposes, identical, which is how the integrity of a forensic image is shown.
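The acquisition above (dd with conv=sync,noerror, hash of the source, hash of the copy) can be rehearsed without a device. The following POSIX shell script is an added example and is not code from the paper: a regular file stands in for /dev/rdisk0s1, the Netcat transport is left out (the dd output goes to a local file instead of the nc -w1 pipe), and SHA-256 is used where the paper uses md5, falling back to md5sum if no SHA-256 tool is installed (sha256sum/shasum are assumed). The size check makes the padding effect of conv=sync visible, which is why a naive hash comparison can fail on a partition that is not block-aligned, and verify_image distinguishes a bit-identical image, an image that matches apart from that padding, and a mismatch.

```shell
#!/bin/sh
# Added example (not from the paper): rehearse the dd-based acquisition of
# section 4.1.2 on a regular file that stands in for /dev/rdisk0s1, and verify
# the resulting image. On a real iPhone the dd command runs over SSH and its
# stdout is piped into "nc -w1 <forensic computer> 26000" instead of a file.

# hash_stream: digest of stdin. SHA-256 where available (assumption: sha256sum
# or shasum exists); md5sum as last resort, which matches the paper's "md5".
hash_stream() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum | cut -d' ' -f1
  elif command -v shasum >/dev/null 2>&1; then shasum -a 256 | cut -d' ' -f1
  else md5sum | cut -d' ' -f1
  fi
}

# size_of FILE: size in bytes (tr strips the padding that BSD wc prints).
size_of() {
  wc -c < "$1" | tr -d ' '
}

# acquire_image SRC DST: the paper's dd options. conv=noerror keeps reading
# after an unreadable block; conv=sync pads a short last block to bs with
# zero bytes, so DST may be larger than SRC.
acquire_image() {
  dd if="$1" of="$2" bs=4k conv=sync,noerror 2>/dev/null
}

# verify_image SRC DST: prints
#   ok        if DST is bit for bit identical to SRC,
#   padded    if DST matches SRC once the conv=sync zero padding is ignored,
#   mismatch  otherwise (a corrupted or truncated transfer).
verify_image() {
  src_size=$(size_of "$1")
  src_hash=$(hash_stream < "$1")
  if [ "$(hash_stream < "$2")" = "$src_hash" ]; then
    echo ok
  elif [ "$(head -c "$src_size" "$2" | hash_stream)" = "$src_hash" ]; then
    echo padded
  else
    echo mismatch
  fi
}

# Stand-alone demonstration on a constructed 10000-byte "partition"
# (not a multiple of 4096, so the image is padded to 12288 bytes):
#   sh acquire.sh demo
if [ "${1-}" = "demo" ]; then
  work=$(mktemp -d)
  head -c 10000 /dev/urandom > "$work/rdisk0s1"
  acquire_image "$work/rdisk0s1" "$work/iphone.rep"
  echo "source: $(size_of "$work/rdisk0s1") bytes, image: $(size_of "$work/iphone.rep") bytes"
  echo "verification: $(verify_image "$work/rdisk0s1" "$work/iphone.rep")"
  rm -rf "$work"
fi
```

On a real acquisition the "padded" case is acceptable only when the documented partition size explains the extra zero bytes; anything that verifies as "mismatch" has to be re-acquired, because neither the examiner nor a court can tell a transfer error from tampering after the fact.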
Figure 2. Find Any File search results with data paths and results of FileJuicer sorting
As an alternative to the last two commands it is possible to image both partitions at once by imaging the whole disk, as the next listing shows:

    # forensic computer:
    [~] nc -l 26000 > iphone.rep
    # iPhone:
    [~] dd if=/dev/rdisk0 conv=sync,noerror bs=4k | nc -w1 <IP address of the forensic computer> 26000

Now multiple examiners can work with the image. In this work the tools Find Any File and FileJuicer are applied.

Searching files with Find Any File
To search with Find Any File the iPhone image must be mounted as a drive. The tool is only useful if the examiner knows which files are important and how they are named; for example, it is possible to search for all database files. Figure 2 shows the results of such a database search.

Data sorting with FileJuicer
A more structured search can be done with FileJuicer, a freeware sorting tool. It sorts all the different file types into folders, so that for example all .png files or all .db files of the image end up in one folder.
Figure 3. iPhoneBackupExtractor
4.2 Experiment 2: Forensic analysis of iPhone backup files on a Mac
4.2.1 Experiment description
To perform iPhone forensics an examiner does not necessarily need the iPhone. In this experiment an iPhone backup created by iTunes is analyzed. Such a backup contains a number of interesting .plist and .db files. If a Macintosh computer is part of a criminal investigation it can therefore be useful for an iPhone analysis, particularly if an iPhone was synchronized with the Mac, because then an iPhone backup exists. The examiner creates an image of the Mac and copies it onto another Mac that is not itself evidence; this is important to ensure integrity. On that computer useful applications such as iPhone Backup Extractor, Hex Fiend, SQLite Browser and many others can be installed. The backup is always found under the following path:

    /Users/<username>/Library/Application Support/MobileSync/Backup/

4.2.2 Analysis and evaluation
If more than one backup is found on the confiscated Macintosh computer, the examiner chooses the backup that is most useful for the investigation, as shown in figure 3 (left). The examiner should first look at the iPhone OS files, which contain the most important information; the backed-up data of the applications is mostly of little interest, so there is no general rule for that part of the examination. Files of special interest to examiners are found under the following paths:
∗ Library/Preferences/.GlobalPreferences.plist
∗ Library/Preferences/com.apple.accountsettings.plist
∗ Library/Preferences/com.apple.Maps.plist
∗ Library/Preferences/com.apple.mobilesafari.plist
∗ Library/Preferences/com.apple.youtube.plist
∗ Library/AddressBook/AddressBook.sqlitedb
∗ Library/CallHistory/call_history.db
∗ Library/Maps/History.plist
∗ Library/Safari/History.plist
∗ Library/SMS/sms.db
∗ Library/Notes/notes.db
∗ Media/DCIM/100APPLE

Figure 4. SMS database

Figure 4 shows the SMS database opened with SQLite Browser. Under address all the telephone numbers are listed. The flags column distinguishes incoming from outgoing messages: the value 3 means an outgoing (sent) message and the value 2 an incoming (received) message. So the examiner is able to understand connections and relationships between different persons. Additionally the message texts with their timestamps are saved in this file; the time is stored as Unix time (seconds since 1970-01-01 UTC), which is easy to convert. Figure 5 (left) shows all entries of the address book, which includes telephone numbers, e-mail addresses and postal addresses; accounts for AIM, ICQ, Skype and many other services are also saved in the address book. The call register (figure 5, right) uses different flag values for incoming and outgoing calls: the value 4 stands for an incoming call and the value 5 for an outgoing call.

The Navigon application on the iPhone
The iTunes backup can contain the backup of navigation software such as TomTom or Navigon, which can be of interest for an investigation. iPhone Backup Extractor can extract it. The important files are shown in the following listing:
∗ com.navigon.NavigonSelectTmoD/Documents/Recent.targets
∗ com.navigon.NavigonSelectTmoD/Documents/Favourite.targets
Recent.targets can be opened with Hex Fiend, where the examiner can find recently entered addresses. Figure 6 shows an example of this file.
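Interpreting the exported rows (flag values, Unix timestamps) is the step an examiner repeats for every record of sms.db and call_history.db. The following POSIX shell functions are an added example, not code from the paper: they read records in the form rowid|address|date|flags|text, which is the default output of the sqlite3 command-line tool (the column names in the comment are an assumption to be checked against the schema of the database in hand), map the flag values given above for sms.db (2 = received, 3 = sent) and call_history.db (4 = incoming, 5 = outgoing) to a direction, and convert the Unix time to an ISO 8601 UTC string. The sample rows, telephone numbers and texts are constructed.

```shell
#!/bin/sh
# Added example (not from the paper): normalise rows exported from sms.db and
# call_history.db into one line per record with direction and UTC timestamp.
# Flag values are the ones section 4.2.2 gives for iOS 4; the input format
# "rowid|address|date|flags|text" is the default output of the sqlite3 CLI, e.g.
#   sqlite3 sms.db 'select rowid,address,date,flags,text from message'
# (assumed column names; check them against the schema of the database in hand).

# unix_to_utc SECONDS: ISO 8601 UTC string. GNU date (-d @secs) first,
# BSD/macOS date (-r secs) as fallback.
unix_to_utc() {
  date -u -d "@$1" +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || date -u -r "$1" +%Y-%m-%dT%H:%M:%SZ
}

# direction TABLE FLAG: map the flags column to a direction for the given
# table ("sms" or "call"); any other value is reported, not guessed.
direction() {
  case "$1:$2" in
    sms:2)  echo incoming ;;
    sms:3)  echo outgoing ;;
    call:4) echo incoming ;;
    call:5) echo outgoing ;;
    *)      echo "unknown($2)" ;;
  esac
}

# normalise TABLE: reads "rowid|address|date|flags|text" records on stdin and
# prints "TABLE rowid time direction address text". The text field is read
# last so that '|' characters inside a message survive.
normalise() {
  table=$1
  while IFS='|' read -r rowid address ts flags text; do
    printf '%s %s %s %s %s %s\n' "$table" "$rowid" "$(unix_to_utc "$ts")" \
      "$(direction "$table" "$flags")" "$address" "$text"
  done
}

# Constructed sample exports (fictitious numbers and texts, not device data).
SMS_SAMPLE='1|+4915100000001|1288886400|2|Treffen um 17 Uhr?
2|+4915100000001|1288886520|3|Ja, bin unterwegs.'
CALL_SAMPLE='7|+4930000000002|1288890000|4|
8|+4915100000001|1288890900|5|'

# Stand-alone demonstration: sh normalise.sh demo
if [ "${1-}" = "demo" ]; then
  printf '%s\n' "$SMS_SAMPLE" | normalise sms
  printf '%s\n' "$CALL_SAMPLE" | normalise call
fi
```

Converting to UTC rather than to the examiner's local time zone avoids mixing the device's timestamps with those of the analysis machine; the zone of the owner at the time of the message has to be established separately, e.g. from the location data in the other files listed above.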
Figure 5. Address book database and database of call register
Figure 6. Recent.targets, opened with HexFiend
5. CONCLUSION
The most important question in the investigation of an iPhone is whether the device is jailbroken or not. If an iPhone is jailbroken and the root password has not been changed, an examiner is able to perform a post-mortem analysis. If not, it is not possible to create a forensic image with the tools of this work, and the examiner has to perform a live analysis. A disadvantage of open source and freeware tools is that they are mostly not accepted in court, because new methods are hard to establish; in addition, open source and freeware tools usually cannot generate a report. With commercial software like Oxygen Forensic Suite and Paraben Device Seizure the examiner is able to create a complete report, and the reports of commercial software are mostly accepted by a court. The area of mobile devices will become more important for law enforcement in the future. Mobile devices will be smaller and increasingly powerful and will have more functions, hence they will hold more and more data. The number of applications for iOS devices will grow, so in the future the apps will be the most important thing for a criminal investigation.
ACKNOWLEDGMENTS
Special thanks to Karl Kümmel (M. Sc.) and Silas Luttenberger (B. Sc.), who helped us during the preparation of this paper and of the experiments.
REFERENCES
[1] Apple Inc., Apple reports fourth quarter results, 2010.
[2] Wikipedia, Apple iPhone, 2010.
[3] Forward Discovery, Forensic Solutions for the Digital World, 2008.
[4] Kubasiak, R. R. and Morrissey, S., Mac OS X, iPod, and iPhone Forensic Analysis DVD Toolkit, 2009.
[5] Lawrence, T., Apple iPhone Passcode Work-Around, 2008.
[6] Antoniewicz, B., Defeating the iPhone Passcode, 2009.
[7] Erdmann, G. and Stanek, C., iPod + iTunes, O'Reilly, 2nd ed., 2007.
[8] Zdziarski, J., iPhone Forensics, O'Reilly, 2008.
[9] Geschonneck, A., Computerforensik - Computerstraftaten erkennen, ermitteln, aufklären, dpunkt.Verlag, 2008.
[10] Höne, Th., iPhone-Forensik mit Mac OS X basierten Open-Source-Anwendungen, Bachelor Thesis, FH Brandenburg (Germany), 2010.
Figure 7. Flow chart of Geschonneck [9] for the preservation of mobile devices
Figure 8. Flow chart of Höne [10] for the preservation of iPhones