iPhone forensics, without the iPhone


Post on 26-Jan-2015







How to pull data from an iPhone backup archive on a PC, including the full text of SMS messages, MMS images, passwords and usernames for apps, etc.


1. iPhone Forensics, sans iPhone
   Adam Crosby (adam@uptill3.com)
   March 14, 2010
   Saturday, March 20, 2010

2. Background Info

3. iTunes Sync
   What happens when you plug in...

4. OS Image
   • The OS image for an iPhone is NOT backed up on each sync
   • The image is only backed up when the phone software is upgraded
   • The image only changes between major versions - no patches for iPhone OS.
   • Does not contain ANY user apps or data

5. Apps / User Data
   • Initial sync with iTunes creates an archive on the computer of all of the user apps/data from the phone
   • The files contained in the archive are all obfuscated
   • Virtually none of the files or data are encrypted (!)
   • Files are updated in place with every sync of the phone
   • This archive is used to recover the phone if needed

6. Obfuscated Information

7. That's a lot of files...
   • And none of those names are meaningful.
   • The Archive Is Located At: ~/Library/Application Support/MobileSync/Backup//

8. What kind of Data?
   A whole bunch of different kinds

9. plist --> Apple Property List
   • iPhone uses 3 main standard plist files: Info.plist, Manifest.plist, and Status.plist
   • Info.plist is by far the most interesting (more later)
   • These are plaintext XML documents
   • Easily read, not always easy to decipher
   • May contain substantial Base64 encoded chunks
   • Open with text editor, or plistlib in Python 2.5+ (yay!)
   Info.plist example

10. mdinfo --> Apple bplist files
   • Special kind of plist - binary packed
   • Luckily, Apple provides an easy to use OS X utility called plutil
   • plutil -convert xml1 converts the bplist file it is given into a standard plist in place (so copy it out of the live archive folder before digging in).
   • Many of the bplist files have Base64 encoded property values that are themselves bplists
   • The SMS db bplist file is like this.
   • Just unencode it and run it through plutil again to get the embedded plist data out
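As an added example (not code from the slides or their author), here is the "base64 blob that is itself a bplist" layering from slides 9 and 10 unpacked in Python 3 without plutil: plistlib reads both XML and binary plists, so a walker can recurse into any bytes value that carries the bplist00 magic. The Info.plist below is constructed and its key names are assumptions.

```python
# Added example, not from the original slides: expand embedded bplists inside
# a plist, the layering slides 9-10 describe for Info.plist and mdinfo files.
# Assumes Python 3 (plistlib.FMT_BINARY). The sample plist is constructed.
import plistlib

BPLIST_MAGIC = b"bplist00"


def expand_embedded(node):
    """Recursively replace bytes values that hold a bplist with their parsed form."""
    if isinstance(node, dict):
        return {k: expand_embedded(v) for k, v in node.items()}
    if isinstance(node, list):
        return [expand_embedded(v) for v in node]
    if isinstance(node, bytes) and node.startswith(BPLIST_MAGIC):
        try:
            return expand_embedded(plistlib.loads(node))
        except (plistlib.InvalidFileException, ValueError):
            return node  # starts like a bplist but does not parse: keep raw bytes
    return node


def build_sample_info_plist():
    """Constructed stand-in for Info.plist: XML outer plist with an embedded bplist."""
    inner = {"DeviceName": "demo-phone", "SyncedApps": ["Phone", "Mail"]}
    outer = {
        "Product Type": "iPhone2,1",
        "Product Version": "3.1.3",
        # XML plists carry binary blobs as base64 <data>; plistlib returns bytes
        "iPhone Preferences": plistlib.dumps(inner, fmt=plistlib.FMT_BINARY),
    }
    return plistlib.dumps(outer, fmt=plistlib.FMT_XML)


def load_and_expand(raw):
    """Parse an XML or binary plist (auto-detected) and expand nested bplists."""
    return expand_embedded(plistlib.loads(raw))


if __name__ == "__main__":
    doc = load_and_expand(build_sample_info_plist())
    print(doc["iPhone Preferences"]["DeviceName"])
```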
11. mddata --> The goods
   • The mddata files are simply renamed copies of whatever the original source file described by the mdinfo file was. There are images, databases, text chunks, and application specific stuff (such as MOBI ebooks).
   • No formatting changes - you can open the PNGs/JPGs as-is and look at the pictures
   • Any other tools (such as sqlite3) can open files of the correct type in place as well
   • file *.mddata in the archive will give a great listing of each file and its actual data type

12. File Names

13. Crazy file names (learn to love SHA1)
   • iPhone OS storage is broken into something called Domains
   • Each file has a file name, path, and a particular storage domain
   • Two primary domains are HomeDomain and MediaDomain
   • The filenames of the mddata and mdinfo files are a SHA1 hash of the full path of the file's on-handset location and the domain it is located in.
   • Filenames do not appear to change, but worst case scenario is iterating over mdinfo files to find the actual file name you need

14. (Diagram: embedded b64 bplist --> decoded --> Domain, Path)
   printf(MediaDomain-Library/SMS/Parts/98/02/15874-4.jpg) | shasum
   39cf2a2aaa3dd7d72243e3d638217ccc15ad2575

15. So what's in there?

16. Info.plist - All about the phone
   • This is an unencoded, standard Apple Property List file (XML text)
   • It contains a wealth of useful information about the phone:
       ICC-ID - Integrated Circuit Card ID, the hardware serial number of the installed SIM card
       IMEI - International Mobile Equipment Identity, the hardware serial number of the handset's baseband proc [*]
       Phone Number - Duh.
       Serial Number - The iPhone's serial number (this shows in iTunes)
       Product Type - What kind of iPhone (iPhone2,1 = 8GB 3GS, iPhone1,2 = 8GB 3G, etc.)
       Product Version - What iPhone OS revision (3.1.3, 3.1.2, etc.)
       Date of Last backup - Duh.
       iPhone preferences plist (base64 encoded embedded plist)
       Misc. other stuff (encoded / binary application specific data)
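An added example, not from the slides, that reproduces the filename scheme of slides 13 and 14 (SHA1 over "Domain-path", no trailing newline) and runs it in reverse: hash a list of known domain/path candidates and match them against an archive directory listing. The listing and the not-present candidate are constructed.

```python
# Added example, not from the original slides: backup filename = SHA1("Domain-path").
# Used here to identify files in an archive by hashing candidate on-handset paths.
import hashlib


def backup_name(domain, path):
    """Filename stem of a file's mddata/mdinfo pair: hex SHA1 of 'Domain-path'."""
    return hashlib.sha1(f"{domain}-{path}".encode("utf-8")).hexdigest()


def identify(archive_files, candidates):
    """Map each archive filename to the (domain, path) whose hash matches, else None."""
    by_hash = {backup_name(d, p): (d, p) for d, p in candidates}
    result = {}
    for name in archive_files:
        stem = name.rsplit(".", 1)[0]  # strip the .mddata / .mdinfo suffix
        result[name] = by_hash.get(stem)
    return result


# Candidate on-handset locations: sms.db and the MMS part named on the slides,
# plus a constructed path that is NOT in the listing, to show the miss case.
CANDIDATES = [
    ("HomeDomain", "Library/SMS/sms.db"),
    ("MediaDomain", "Library/SMS/Parts/98/02/15874-4.jpg"),
    ("HomeDomain", "Library/Example/not-present.db"),  # constructed
]

# Constructed directory listing of a backup archive (last entry is a made-up unknown).
ARCHIVE_FILES = [
    "3d0d7e5fb2ce288813306e4d4636395e047a3d28.mddata",
    "3d0d7e5fb2ce288813306e4d4636395e047a3d28.mdinfo",
    "39cf2a2aaa3dd7d72243e3d638217ccc15ad2575.mddata",
    "ffffffffffffffffffffffffffffffffffffffff.mddata",
]

if __name__ == "__main__":
    for name, hit in identify(ARCHIVE_FILES, CANDIDATES).items():
        print(name, "->", hit or "unknown")
```

Unmatched names fall back to the slide's worst case: read each .mdinfo file to recover the original domain and path.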
17. A note about IMEI and ICC-ID
   • ICC-ID is burned into the SIM
   • IMEI is burned into the phone
   • It is illegal (and technically difficult) to change either the ICC-ID or the IMEI
   • The ICC-ID identifies which network/carrier sold the SIM
   • The IMEI can be used to uniquely identify a given handset, and is used by carriers to disable stolen handsets, even if a new SIM is swapped in.
   • Neither the IMEI nor the ICC-ID is tied to the subscriber account at the GSM protocol level (that would be the IMSI, which is NOT recorded anywhere but in the SIM)
   • ATT or other carriers and Apple may be able to collaborate with LE to determine a subscriber's identity via ICC-ID, IMEI and Apple ID, as the information does exist

18. Delicious Databases

19. SQLite - Apple loves it, so should you
   • Open Source, file-based database engine
   • Apple uses it extensively across their platforms and application ranges - most iPhone devs know it as CoreData
   • Simple relational database, supports most of SQL-92
   • sqlite3 is the OS X built-in CLI to access SQLite database files
   • In the CLI, the .schema command shows database and table schemas

20. 3d0d7e5fb2ce288813306e4d4636395e047a3d28.mddata (also known as HomeDomain-Library/SMS/sms.db)
   • SQLite database
   • Contains full SMS records (including full text) for the phone, since the owner originally created an iPhone account (my DB goes back to 2007)
   • Updated in place during sync - deleted messages are removed, new messages are inserted
   • Does NOT contain MMS info (although receipt of an MMS is indicated)
   • Simple data structure for the messages table

21. Important fields: SMS message table schema

22. SMS Message DB Notes
   • Address is either source or destination phone number, in 11-digit intl. format (18885551212)
   • Time is in UNIX epoch format (# of seconds since 1/1/70 0:00 UTC)
   • Easy to convert - date -r 1268603160 yields Sun Mar 14 17:46:00 EDT 2010
   • Flags field is used to indicate a number of things (these are all trial/error, not documented):
       2 = Message received from address
       3 = Message sent from handset to address
       33 = Message send failure (SMS never sent)
       35 = Message send failure (SMS never sent) (I think this also indicates a retry)
       129 = Message deleted (but still appears as a row - no contents though)
       131 = Unknown - no address / etc.
   • Text field is sometimes a plist - this typically indicates an MMS was received. MMS text/image information is stored separately (in mddata files outside of the SQLite db).
   • The other fields appear unused or static (or not of great interest...)

23. 6639cb6a02f32e0203851f25465ffb89ca8ae3fa.mddata (also known as AppDomain-com.facebook.Facebook-Documents/friends.db)
   • 3rd Party Application example
   • SQLite database (hey, everybody uses it - thanks CoreData!)
   • Contains Facebook Friends List and a tiny bit of extra info:
       Facebook UID
       www.facebook.com/profile.php?id=
       Direct URL to facebook profile picture (no login needed!)
       Friends' phone numbers, as listed in their profile

24. Facebook App table schema

25. What else is there?

26. Other identified databases
   Filename                                          Purpose
   992df473bbb9e132f4b3b6e4d33f72171e97bc7a.mddata   Voicemail List
   ff1324e6b949111b2fb449ecddb50c89c3699a78.mddata   Call log
   3d0d7e5fb2ce288813306e4d4636395e047a3d28.mddata   SMS Data
   740b7eaf93d6ea5d305e88bb349c8e9643f48c3b.mddata   Notes App data
   31bb7ba8914766d4ba40d6dfb6113c8b614be442.mddata   Synced Address book
   6639cb6a02f32e0203851f25465ffb89ca8ae3fa.mddata   Facebook App data
   970922f2258c5a5a6d449f85b186315a1b9614e9.mddata   Flightstats Info
   5ad81c93601ac423bc635c7936963ae13177147b.mddata   Daily Burn food logger
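An added example (not the author's tooling) that applies the slide 22 notes to sms.db rows: epoch timestamps converted to UTC, the trial-and-error flag values mapped to a direction label with an explicit fallback for values the slide does not cover, and a plist in the text field reported as an MMS receipt rather than message text. The column names address, date, text and flags are assumptions (the schema slide is an image not reproduced here), and the database is built in memory from constructed rows.

```python
# Added example, not from the original slides: decode sms.db "message" rows
# using the epoch timestamps and flag values described on slide 22.
# Column names address/date/text/flags are assumed; all rows are constructed.
import plistlib
import sqlite3
from datetime import datetime, timezone

# Flag meanings as listed on slide 22 (trial/error, not documented by Apple).
FLAGS = {
    2: "received",
    3: "sent",
    33: "send failure",
    35: "send failure (retry)",
    129: "deleted (stub row)",
    131: "unknown (no address)",
}


def epoch_to_utc(seconds):
    """Seconds since 1/1/70 0:00 UTC -> readable UTC timestamp."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def looks_like_plist(text):
    """A plist in the text field usually means an MMS was received (slide 22)."""
    return isinstance(text, str) and text.lstrip().startswith(("<?xml", "<plist", "bplist00"))


def decode_messages(conn):
    """Return one dict per row with direction, UTC time and MMS marker resolved."""
    rows = conn.execute("SELECT ROWID, address, date, text, flags FROM message ORDER BY date")
    out = []
    for rowid, address, date, text, flags in rows:
        is_mms = looks_like_plist(text)
        out.append({
            "rowid": rowid,
            "address": address,
            "when": epoch_to_utc(date),
            "direction": FLAGS.get(flags, f"unmapped flag {flags}"),
            "mms": is_mms,
            "text": None if is_mms else text,  # MMS content lives in separate mddata files
        })
    return out


def build_sample_db():
    """Constructed in-memory stand-in for sms.db with the assumed column layout."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE message (ROWID INTEGER PRIMARY KEY, address TEXT, date INTEGER, text TEXT, flags INTEGER)")
    mms_marker = plistlib.dumps({"part": "constructed MMS stub"}).decode()
    conn.executemany("INSERT INTO message (address, date, text, flags) VALUES (?, ?, ?, ?)", [
        ("18885551212", 1268603160, "see you at 6", 2),    # the slide's example timestamp
        ("18885551212", 1268603400, "ok", 3),
        ("18885550000", 1268603500, mms_marker, 2),        # MMS receipt: text is a plist
        (None, 1268603600, None, 129),                     # deleted message, stub row remains
        ("18885559999", 1268603700, "?", 7),               # constructed value not on the slide
    ])
    return conn
```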
27. Other items to look for
   • App developers assume these files are on the phone, away from prying eyes (or interested users...)
   • Passwords and other account details stored in plaintext
   • At least Tweetie and Dailyburn store passwords in plaintext (See 87f665a66ead44fd5592fa427c4def228098fdda.mddata for Tweetie's twitter account information in bplist format)
   • Cookies for some apps' embedded browsers (see: Facebook) are stored in bplist files (for easier session hijacking, yay!)

28. What's next?
   • Time to start trolling through the app store for service apps - GMail, GReader, MySpace, etc. to look for more apps that store their user creds in plaintext
   • Scripting out data extraction for interesting stuff (like finding out hot numbers - who is called / calls the most, and do they have a Facebook picture?)
   • Integrating a scrape of the address book with the other data tables to give friendly names to each phone number
   • Release existing tools open source via 757Labs

29. Thanks / Credits
   • 757 Labs for hosting!
   • dsp on LiveJournal for finally figuring out how the sha1s are generated for file names
   • Apple, for making CoreData so attractive for developers. SQLite makes trolling through data easy :)
   • Damon Durand, for some initial work on the meaning of SMS flags

30. Questions?

