
iPhone Forensics

Ruben Gonzalez


Agenda

• I am the iPhone
• iPhone Components
• OS and System Architecture
• Let’s Dive into iPhone Forensics
• Evidence Left Behind
• Forensic Software Tools Needed to do the Job
• Dissecting One Forensic Tool
• Basic Things to Understand
• One Last Thing


Hello … I am the iPhone and I don’t need an introduction!

45 million units will be sold this year!


OS and System Architecture

• ARM processor
  – Contrast with x86: the desktop forensic toolchain does not run on the phone unmodified
• Hardware
  – Various sensors
    • Accelerometer
    • Proximity sensor
    • Multi-touch capable screen
    • Various radios
• User interface frameworks
  – Leopard or Tiger (iPhone version)
• Kernel (signed kernel)
  – The boot loader checks the kernel’s signature before loading it, which is used to prevent tampering


iPhone Core Components


Let’s Dive into iPhone Forensics

• Facts about the iPhone (forensically speaking)
  – It is extremely difficult to permanently delete data from an iPhone
    • A secure wipe has been added in recent firmware versions
  – The iTunes "restore" process formats the device
    • In practice, even this leaves a majority of the old data intact, just not directly visible
• A refurbished iPhone may contain the last owner’s information


Evidence Left Behind

• Keyboard caches
  – usernames, passwords, search terms, and historical fragments of typed communication
  – retained even when the message or entry they came from has been deleted
• Deleted images
• Browsing cache and deleted browser objects
• Exhaustive call history, beyond what the phone displays, is generally available
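The two slides above make the same point: data the phone no longer displays is usually still on disk. The following is an added example, not code from the slides or from any of the tools they name, showing the mechanism on a call-history-style database. It assumes the handset keeps call history in a SQLite file (the `call` table here is a simplified stand-in, not the real schema), that the numbers are constructed sample data, and that the phone’s SQLite build does not overwrite freed cells (`secure_delete` off, which is the usual default). A row deleted through SQL disappears from every query, yet a byte-level scan of the same file still recovers it.

```python
"""Carve a deleted call record from the raw bytes of a SQLite file.

Added example, not from the slides. Schema, numbers and file name are
constructed stand-ins for the handset's real call-history database.
"""
import os
import re
import sqlite3
import tempfile

# Constructed sample calls (address, unix date, duration in seconds); no real data.
SAMPLE_CALLS = [
    ("+15550100001", 1230000000, 45),
    ("+15550100002", 1230003600, 120),
    ("+15550100003", 1230007200, 10),
    ("+15550100004", 1230010800, 300),
]
NUMBER_RE = re.compile(rb"\+1555\d{7}")  # shape of the constructed numbers


def build_sample_db(path, delete_number):
    """Create a call-history-like database, then delete one row through SQL."""
    con = sqlite3.connect(path)
    # secure_delete=OFF leaves the freed cell bytes in place (assumption:
    # same as the handset's build). A build with it ON zeroes them instead.
    con.execute("PRAGMA secure_delete=OFF")
    con.execute(
        "CREATE TABLE call (ROWID INTEGER PRIMARY KEY, address TEXT, "
        "date INTEGER, duration INTEGER)"
    )
    con.executemany(
        "INSERT INTO call (address, date, duration) VALUES (?, ?, ?)", SAMPLE_CALLS
    )
    con.commit()
    con.execute("DELETE FROM call WHERE address = ?", (delete_number,))
    con.commit()
    con.close()


def visible_numbers(path):
    """What the phone's UI, or any SQL query, would show after the delete."""
    con = sqlite3.connect(path)
    rows = [r[0] for r in con.execute("SELECT address FROM call ORDER BY ROWID")]
    con.close()
    return rows


def carve_numbers(path):
    """Scan the raw file bytes, ignoring SQLite's page structure entirely.

    SQLite only overwrites the first few bytes of a freed cell (the freeblock
    header); the text column further into the record survives, so the
    deleted number is still found here.
    """
    with open(path, "rb") as f:
        raw = f.read()
    found = []
    for m in NUMBER_RE.finditer(raw):
        number = m.group().decode()
        if number not in found:
            found.append(number)
    return found


def demo():
    """Return (numbers visible via SQL, numbers carved, carved-but-deleted)."""
    with tempfile.TemporaryDirectory() as d:
        db = os.path.join(d, "call_history.db")  # illustrative file name
        build_sample_db(db, "+15550100002")
        live = visible_numbers(db)
        carved = carve_numbers(db)
    deleted = [n for n in carved if n not in live]
    return live, carved, deleted


if __name__ == "__main__":
    live, carved, deleted = demo()
    print("visible via SQL    :", live)
    print("carved from file   :", carved)
    print("deleted but present:", deleted)
```

The same scan applied to a partition image rather than a single file is what recovers the "beyond that displayed" history the slide refers to; a restore that only reformats the file system leaves these pages behind in exactly the same way.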


Evidence Left Behind (cont.)

• Map tile images from the iPhone's Google Maps

• Application direction lookups and GPS coordinates

• Deleted voicemail recordings

• Pairing records establishing trusted relationships


Forensic Software Tools Needed to do the Job

• Commercial tools
  – Device Seizure 2.0 (Paraben)
  – Aceso (Radio Tactics Ltd)
  – WOLF (Sixth Legion)
• Open-source tools
  – iLiberty (iPhone firmware 1.x)
  – Pwnage (iPhone firmware 2.x)


Dissecting One Forensic Tool

• iLiberty, which installs a basic Unix world on the phone:
  – OpenSSH, a secure shell for getting onto the device
  – The netcat tool, for sending data across a network
  – The md5 tool, for creating a cryptographic digest of the disk image so the copy can be verified
  – The dd disk copy/image tool
• Is it really a forensic tool if you write to the device’s storage?
• Other tools may provide a similar solution
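The acquisition that toolchain enables is a two-sided exchange: on the phone, `dd` reads the partition and pipes it into `nc`; on the desktop, `nc -l` writes the stream to an image file, and `md5` is run on both ends so the digests can be compared. The following is an added example, not the slides’ or iLiberty’s own code, that runs both ends in one process so it works offline: the device node name `rdisk0s2` is illustrative, the "partition" is a constructed file of filler bytes, and a loopback TCP socket stands in for the link to the handset. The phone side hashes the stream as it reads it, so the digest covers exactly the bytes that went over the wire and the source does not have to be read a second time.

```python
"""dd | nc style acquisition with md5 verification at both ends.

Added example, not from the slides. Mirrors
  phone:   dd if=/dev/rdisk0s2 bs=4096 | nc <desktop> <port>
  desktop: nc -l <port> > user_partition.dd ; md5 user_partition.dd
with Python standing in for the tools and a loopback socket for the link.
"""
import hashlib
import os
import socket
import tempfile
import threading

BLOCK = 4096  # dd block size


def phone_side(device_path, host, port):
    """Read the 'device' block by block, hash and send each block.

    The digest is taken from the bytes as they are read, which is the one
    hash you can take without touching the source again.
    """
    h = hashlib.md5()
    with open(device_path, "rb") as dev, socket.create_connection((host, port)) as s:
        while True:
            block = dev.read(BLOCK)
            if not block:
                break
            h.update(block)
            s.sendall(block)
        s.shutdown(socket.SHUT_WR)  # EOF, like dd closing nc's stdin
    return h.hexdigest()


def desktop_side(listener, image_path):
    """Accept one connection, write everything received to the image, hash it."""
    h = hashlib.md5()
    conn, _ = listener.accept()
    with conn, open(image_path, "wb") as img:
        while True:
            chunk = conn.recv(65536)
            if not chunk:
                break
            h.update(chunk)
            img.write(chunk)
    return h.hexdigest()


def acquire(device_path, image_path):
    """Run both ends; return (phone_md5, desktop_md5, digests_match)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))  # port 0: the OS picks a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    result = {}
    t = threading.Thread(
        target=lambda: result.update(desktop=desktop_side(listener, image_path))
    )
    t.start()
    phone_md5 = phone_side(device_path, "127.0.0.1", port)
    t.join()
    listener.close()
    desktop_md5 = result["desktop"]
    return phone_md5, desktop_md5, phone_md5 == desktop_md5


def verify_image(image_path, expected_md5):
    """Re-hash a stored image; the check to repeat before each analysis session."""
    h = hashlib.md5()
    with open(image_path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest() == expected_md5


def make_sample_device(path, blocks=16):
    """Constructed stand-in for the handset partition: filler bytes, no real data."""
    with open(path, "wb") as f:
        for i in range(blocks):
            f.write(bytes([i % 256]) * BLOCK)


def demo():
    """Return (acquired ok, verified before tampering, verified after tampering)."""
    with tempfile.TemporaryDirectory() as d:
        dev = os.path.join(d, "rdisk0s2")  # illustrative device name
        img = os.path.join(d, "user_partition.dd")
        make_sample_device(dev)
        _, _, ok = acquire(dev, img)
        ok_before = verify_image(img, hashlib.md5(open(dev, "rb").read()).hexdigest())
        with open(img, "ab") as f:  # simulate a later modification of the image
            f.write(b"x")
        ok_after = verify_image(img, hashlib.md5(open(dev, "rb").read()).hexdigest())
    return ok, ok_before, ok_after


if __name__ == "__main__":
    print(demo())  # expected: (True, True, False)
```

Note what this does and does not prove: matching digests show the image equals what the phone’s `dd` read, but the payload that provided `dd` and `nc` was itself written to the system partition first, which is exactly the objection the slide raises.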


Basic Things to Understand

• Apple File Communication Protocol (AFC)
  – Uses a framework (MobileDevice) to allow iTunes to write to the Media (jailed) partition
• iTunes can read information from the device, but not raw data
• AFC is used to boot a RAM disk containing the forensic payload into the iPhone’s running memory
  – After rebooting, it installs UNIX tools (ssh, dd, etc.)


Basic Things to Understand

• Where things are written, and where you can write
  – Think UNIX
  – There is a System Partition (root)
    • 300 MB
    • Read only
    • Intended to remain in factory state
    • This is where the forensic tool will be installed
  – Media Partition
    • The rest of the disk
    • Mounted as /private/var
    • Contains all user information
    • Writing to it = contamination


Basic Things to Understand

• Avoid cross-contamination
• The iPhone will sync if not prevented
  – You must prevent this (for example, by turning off automatic syncing in iTunes on the examination workstation) before connecting the phone to the desktop
• As of today, there is no iPhone write blocker


iPhone with Payload Injected

[Figure: screenshot of UNIX commands run as root on the phone after the payload is injected; labels in the original image: “UNIX Commands”, “directory”, “root”]


One Last Thing

• Because of Apple’s IP
  – Apple has made it difficult for developers to make forensic tools that work as well as their desktop counterparts
• The aforementioned tools are not able to get a true physical image of the device’s storage
  • iLiberty is the exception, but it is not considered forensic
  – Hacking the System Partition violates Apple’s IP
  – There is no way, at this point in time, to get a perfect image of the user partition
  – Things may change once the new iPhone is released in June
    • Not necessarily a change for the better


Questions?