iPhone Forensics
Ruben Gonzalez

Agenda
• I am the iPhone
• iPhone Components
• OS and System Architecture
• Let’s Dive into iPhone Forensics
• Evidence Left Behind
• Forensic Software Tools Needed to do the Job
• Dissecting One Forensic Tool
• Basic Things to Understand
• One Last Thing
Hello … I am the iPhone and I don’t need an introduction! 45 million units will be sold this year!
OS and System Architecture
• Arm Processor
• Contrast with x86
• Hardware
• Various sensors
• Accelerometer
• Proximity Sensor
• Multi-touch Capable Screen
• Various Radios
• User Interface Frameworks
• Leopard or Tiger (iPhone Version)
• Kernel (Signed Kernel)
• Used to prevent tampering
Let’s Dive into iPhone Forensics
• Facts about iPhone (Forensically Speaking)
• It is extremely difficult to permanently delete data from an iPhone
• Secure wipe has been installed in recent versions
• iTunes "restore" process formats the device
• In actuality, even this leaves a majority of the old data intact—just not directly visible
• A refurbished iPhone may contain last owner’s information
Evidence Left Behind
• Keyboard caches
• usernames, passwords, search terms, and historical fragments of typed communication.
• Even when deleted
• Deleted images
• Browsing cache and deleted browser objects
• Exhaustive call history, beyond that displayed, is generally available
Evidence Left Behind (… cont)
• Map tile images from the iPhone's Google Maps
• Application direction lookups and GPS coordinates
• Deleted voicemail recordings
• Pairing records establishing trusted relationships
Forensic Software Tools Needed to do the Job
• Commercial Tools
• Device Seizure 2.0 (Paraben)
• Aceso (Radio Tactics, LTD)
• Sixth Legion (WOLF)
• Open Source Tools
• iLiberty (iPhone v.1.x)
• Pwnage (iPhone v.2.x)
Dissecting One Forensic Tool
• iLiberty
• A basic Unix world
• OpenSSH, a secure shell
• The netcat tool, for sending data across a network
• The md5 tool, for creating a cryptographic digest of the disk image
• The dd disk copy/image tool
• Is it really a forensic tool if you write to the HD?
• Other tools may provide a similar solution
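The dd and md5 steps listed on this slide, as an added example that is not from the original slides or from iLiberty: a POSIX shell acquisition that hashes the stream while dd writes it, then re-reads the stored image to confirm the digest. The function names and file paths are assumptions, and the netcat transfer is left out so the example runs on one machine.

```shell
#!/bin/sh
# Added example (not iLiberty code): dd acquisition with MD5 verification.
# SRC and IMG are caller-supplied paths; nothing here names an iPhone device node.

# MD5 of stdin, using md5sum (Linux) or md5 (macOS/BSD), whichever exists.
md5_stdin() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum | cut -d' ' -f1
    else
        md5 -q
    fi
}

# acquire SRC IMG: copy SRC to IMG, hashing the stream in the same pass so the
# digest covers exactly the bytes written. Prints the digest on success.
acquire() {
    src=$1
    img=$2
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 2; }
    # Never overwrite an earlier image: that would destroy evidence.
    if [ -e "$img" ]; then
        echo "refusing to overwrite $img" >&2
        return 2
    fi
    acq=$(dd if="$src" bs=4096 2>/dev/null | tee "$img" | md5_stdin) || return 1
    chmod a-w "$img"                      # guard the stored copy against accidental writes
    chk=$(md5_stdin < "$img")             # independent re-read of what landed on disk
    if [ "$acq" != "$chk" ]; then
        echo "digest mismatch for $img" >&2
        return 1
    fi
    printf '%s  %s\n' "$acq" "$img" > "$img.md5"   # record kept beside the image
    echo "$acq"
}

# verify IMG: re-hash IMG and compare with the digest recorded at acquisition.
verify() {
    img=$1
    want=$(cut -d' ' -f1 < "$img.md5")
    have=$(md5_stdin < "$img")
    [ "$want" = "$have" ]
}
```

Calling `verify` again before analysis shows whether the working copy still matches the digest recorded at acquisition.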
Basic Things to Understand
• Apple File Communication Protocol (AFC)
• Uses a framework (MobileDevice) to allow iTunes to write to the Media (jailed) Partition
• iTunes can read info from device but not raw data
• AFC is used to boot RAM disk containing forensic payload into the iPhone’s running memory
• After rebooting, it installs UNIX tools (ssh, dd, … etc)
Basic Things to Understand
• Where Things are Written and Where can You Write
• Think UNIX
• There is a System Partition (root)
• 300 MB
• Read only
• Intended to remain in factory state
• This is where the Forensic Tool will be installed
• Media Partition
• The rest of the disk
• Mounted as /private/var
• Contains all user information
• Writing to it = Contamination
Basic Things to Understand
• Avoid cross contamination
• iPhone will Sync if not prevented
• You must prevent this before connecting the phone to the desktop
• As of today, there is no iPhone write blocker
[Figure: iPhone with payload injected; UNIX commands; root directory]
One Last Thing
• Because of Apple’s IP
• Apple has made it difficult for developers to make forensic tools that work as well as their desktop counterparts
• Aforementioned tools are not able to get a true physical HD image
• iLiberty is the exception, but is not considered forensic
• Hacking the System Partition violates Apple’s IP
• There is no way at this point in time to get a perfect image from the user partition
• Things may change once the new iPhone is released in June
• Not necessarily a change for the better