SM13: iPhone Forensics, Application (uni-koblenz.de aggrimm/teaching/2015ss/SMA/SM13_Dhein_i...)


Page 1

SS 2015, A. Dhein, Seite 1

Security for Mobile Applications (Prof. R. Grimm)

SM13: iPhone Forensics, Application

A. Dhein, Institute for Information Systems Research, K15, IuC Forensics, technical investigation, Ass. University Campus Koblenz, Criminal Police Department Koblenz

• Opportunities
  • Which kind of evidence can be found on mobile phones
• Limitations
  • Many different mobile devices
    • Dumb phones, smartphones
  • Many different operating systems
    • Even differences between different OS versions
• Data acquisition techniques
  • Logical gathering
  • Physical imaging
• Decoding
  • Wear-Leveling
  • Flash Translation Layer
• Examination
  • Different sources
  • Different formats
• Reporting

Recap

2015 © A. Dhein 2 / 64


Content

1. Introduction
   • iDevice Teardown (ifixit)
   • iDevice Feature Evolution
   • iDevice Hardware Evolution
   • Limits and how to deal with them
2. Data Acquisition
3. Getting in touch with the content
4. Data Analysis I
   • Where to find what
   • How to deal with it
5. Data Analysis II
   • Extraction examples
6. Data Analysis III
   • Media extraction
7. Summary / Questions

2015 © A. Dhein 3 / 64

iDevice teardown (Overview)

• Does that matter for forensic reasons?
• Most of the time: NO ☺
• But be aware of
  • Damaged devices
    • Repair to gain back access to the device
    • Chip-off
    • JTAG

2015 © A. Dhein 4 / 64


iDevice feature evolution (Overview)

We'll see later: most of the time iOS features are more important than device features

• Does that matter for forensic reasons?
• Most of the time: Maybe
• Be aware of
  • Different sensors / chips
    • e.g. cameras, connectivity
  • Different dock interfaces
    • 30-pin / 9-pin (Lightning)
  • Features not (yet) available may not produce artifacts (?)

2015 © A. Dhein 5 / 64

iDevice CPU evolution (Overview)

• Does that matter for forensic reasons?
• Most of the time: YES
• Think of
  • Physical imaging requires hardware (e.g. CPU) bugs to overcome boot-loader limitations
    • e.g. limera1n, GreenPois0n
  • iPhone 4 (Apple A4) | iPhone 4S and later

We'll see later: most of the time logical acquisition is quite enough for accessing user-generated data

2015 © A. Dhein 6 / 64


iDevice model evolution (Overview)

• Model specs printed on the backside

Model | Model number(s) | Identifier(s)
iPhone 2G | A1203 | iPhone1,1
iPhone 3G | A1241 | iPhone1,2
iPhone 3GS | A1303 | iPhone2,1
iPhone 4 | A1332, A1349 | iPhone3,1, iPhone3,2, iPhone3,3
iPhone 4S | A1387, A1431* | iPhone4,1
iPhone 5 | A1428, A1429, A1442* | iPhone5,1, iPhone5,2
iPhone 5C | A1456, A1532, A1507, A1516, A1526*, A1529 | iPhone5,3, iPhone5,4
iPhone 5S | A1453, A1533, A1457, A1518*, A1528*, A1530 | iPhone6,1, iPhone6,2
iPhone 6 | A1549, A1586 | iPhone7,2
iPhone 6 Plus | A1522, A1524 | iPhone7,1

Green = physical acquisition possible, Orange = logical acquisition only (colour coding of the original slide)
* Chinese version

2015 © A. Dhein 7 / 64

Recap: What to get with which acquisition method? (Overview)

Acquisition | Method | What you get
Logical | iTunes backup | User-generated data: Addressbook (+images), caches (Safari, map tiles, etc.), calendar, call history, cookies, DataAccess (e.g. online storage), keyboard dictionaries, Maps (searches, routes, POIs), map tiles (for reconstruction), notes, recordings (answering machine, memos), Safari (history, bookmarks), SMS/MMS, WhatsApp (other chat-software logs as well), WebClips
Physical | File system | User-generated data + media data: Camera Roll (photos, videos), Photo Library (photos, videos), iTunes Library (music, videos)
Physical | NAND dump | User-generated data + media data + restricted data + deleted data: apparently everything, e.g. deleted data (if NAND is not encrypted), geolocation data (we'll discuss that later), and even emails (most forensic suites simply ignore mails)

2015 © A. Dhein 8 / 64


Content

1. Introduction
2. Data Acquisition
   • iTunes syncing philosophy
   • Logical backup
     • iTunes
     • Media access (3rd-party apps)
   • Physical imaging
     • Netcat
     • Zdziarski method(s)
     • Commercial solution
3. Getting in touch with the content
4. Data Analysis I
   • Where to find what
   • How to deal with it
5. Data Analysis II
   • Extraction examples
6. Data Analysis III
   • Media extraction

2015 © A. Dhein 9 / 64

iTunes syncing philosophy (iTunes)

1. Always syncing from master (Mac) to slave (iDevice)
   • Used iDevices on a new Mac will be cleaned prior to sync!!
2. "Smart syncing" or "lazy syncing", i.e.
   • Only sync back what is not already on the Mac
     • Photo Library is already on the Mac, no syncing required
     • iTunes Library is already on the Mac, no syncing required
     • New firmware derives from Apple, no need to back up the system image
   • SHA-1 hashes instead of directories/filenames
     • Result is "flat"
     • Result is "obfuscated"
     • Changes can be determined by comparing hashes before sync

2015 © A. Dhein 10 / 64


Logical backup using iTunes (Logical acquisition)

• Important!!! Prevent changes!!!
• iTunes is configured to synchronize devices automatically
• So disable syncing before connecting the device
  • Preferences – Devices
    • Prevent iPods, iPhones and iPads from syncing automatically

2015 © A. Dhein 11 / 64

iTunes 10 device overview (Logical acquisition)

• iDevices appear in the left view (Devices)
• Check summary before saving backup
  • iPhone 3rd generation / iOS 4.3.3 / 16GB
  • Audio (1,08GB), Video (1,11GB), Photos (5,2GB), Apps (4,1GB), Books (0,02GB), Other (0,33GB)

2015 © A. Dhein 12 / 64


iTunes 11 device overview (Logical acquisition)

• Syncing is "more integrated", more obfuscated (?)
• iDevices now appear in the upper right corner

2015 © A. Dhein 13 / 64

iTunes 12 device overview (Logical acquisition)

• New design director Jonathan Ive introduced flat design
• iDevices back in the upper left corner

2015 © A. Dhein 14 / 64


iTunes backup process in action (Logical acquisition)

Backup locations:
• Mac: ~/Library/Application Support/MobileSync/Backup/
• Windows XP: \Documents and Settings\(username)\Application Data\Apple Computer\MobileSync\Backup\
• Windows Vista and Win 7: \Users\(username)\AppData\Roaming\Apple Computer\MobileSync\Backup\
  ("show hidden directories" option in the Windows File Explorer)

Source: http://support.apple.com/kb/HT1766?viewlocale=de_DE

< iOS 4.x | iOS 5, 6, 7, 8 >

2015 © A. Dhein 15 / 64

iDevice Manager (Mac/Win) (Logical acquisition)

• Operates on the connected device
• Applications
  • Documents
  • Library
  • Cache
  • Temp
• Media
  • Photos
  • Music
  • Videos
  • ...

http://www.software4u.de/de/products/idevicemanager/default.aspx (free)

2015 © A. Dhein 16 / 64


Sharepod / iExplorer (Mac/Win) (Logical acquisition)

• Operates on the connected iPhone / iPod
• Decodes names of music titles
• Copy music to PC
• Offers picture previews
• And even more!!

http://www.getsharepod.com
https://www.macroplant.com/iexplorer (demo)

2015 © A. Dhein 17 / 64

Netcat | dd (Physical acquisition)

• Prerequisites
  • jailbroken iPhone
  • OpenSSH installed
• Run nc on the Mac
  nc -l 7000 | dd of=./iPhoneImg.dd bs=4096
• Then on the iPhone
  ssh -l root 192.168.178.28
  Password: alpine
  /bin/dd if=/dev/rdisk0s2 bs=4096 | nc 192.168.178.20 7000

Log information:
1838214+0 records in
1838214+0 records out
7529324544 bytes (7.5 GB) copied, 10901.9 s, 691 kB/s
(ca. 9 hours over wifi)

2015 © A. Dhein 18 / 64
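As an added example for the dd | nc procedure above (written for this page, not part of the lecture or of any tool it names): dd's own summary lines are the cheapest evidence that an image arrived complete, and a hash taken on both ends closes the gap the summary cannot. The block parses the slide's summary (embedded as a constructed log), requires zero partial records, checks that full records × block size equals the reported byte count and the size of the file on disk, and compares a SHA-256 of the image with one taken on the source side. demo() runs the same checks on a constructed file pair, one copy complete and one cut off mid-block; all paths and log texts in it are constructed.

```python
"""Added example, not from the lecture: consistency checks for a dd | nc image.
A complete image shows no partial record, records * bs = reported bytes, reported
bytes = file size on disk, and the same hash on both ends of the transfer."""
import hashlib
import os
import re
import tempfile

# GNU coreutils dd wording, as on the slide ("N+M records out", "N bytes (...) copied")
RECORDS_OUT = re.compile(r"^(\d+)\+(\d+) records out", re.M)
BYTES_COPIED = re.compile(r"^(\d+) bytes ", re.M)

# constructed copy of the summary printed on the slide (bs=4096)
LECTURE_LOG = """\
1838214+0 records in
1838214+0 records out
7529324544 bytes (7.5 GB) copied, 10901.9 s, 691 kB/s
"""


def parse_dd_summary(log):
    """Return (full_records, partial_records, bytes_reported) from dd's stderr text."""
    rec, byt = RECORDS_OUT.search(log), BYTES_COPIED.search(log)
    if not rec or not byt:
        raise ValueError("no dd summary in log")
    return int(rec.group(1)), int(rec.group(2)), int(byt.group(1))


def check_dd_summary(log, bs):
    """A partial record means a short read or a truncated transfer; the full records
    times the block size must equal the byte count dd reports. Returns the problems."""
    full, partial, nbytes = parse_dd_summary(log)
    problems = []
    if partial:
        problems.append(f"{partial} partial record(s): image may be short")
    if full * bs != nbytes:
        problems.append(f"records*bs = {full * bs} but dd reported {nbytes} bytes")
    return problems


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(log, image_path, bs, source_hash=None):
    """Summary checks plus the on-disk size; optionally compare with the hash taken on
    the source side (e.g. over /dev/rdisk0s2). Empty list means every check passed."""
    problems = check_dd_summary(log, bs)
    nbytes = parse_dd_summary(log)[2]
    size = os.path.getsize(image_path)
    if size != nbytes:
        problems.append(f"file is {size} bytes, dd reported {nbytes}")
    if source_hash is not None and sha256_file(image_path) != source_hash:
        problems.append("hash differs from the source-side hash")
    return problems


def demo():
    """Constructed run: a 64 KiB 'device', a complete copy and a copy cut off mid-block,
    each with the dd summary such a transfer would print. Returns both problem lists."""
    bs = 4096
    with tempfile.TemporaryDirectory() as tmp:
        device = os.path.join(tmp, "device.bin")
        data = os.urandom(16 * bs)
        with open(device, "wb") as f:
            f.write(data)
        good, short = os.path.join(tmp, "good.dd"), os.path.join(tmp, "short.dd")
        with open(good, "wb") as f:
            f.write(data)
        with open(short, "wb") as f:
            f.write(data[: 15 * bs + 100])
        log_good = f"16+0 records in\n16+0 records out\n{16 * bs} bytes (66 kB) copied, 0.1 s\n"
        log_short = f"15+1 records in\n15+1 records out\n{15 * bs + 100} bytes (61 kB) copied, 0.1 s\n"
        src = sha256_file(device)
        return verify_image(log_good, good, bs, src), verify_image(log_short, short, bs, src)


if __name__ == "__main__":
    print("lecture log:", check_dd_summary(LECTURE_LOG, 4096) or "consistent")
    ok, bad = demo()
    print("complete copy:", ok or "consistent")
    print("truncated copy:", bad)
```

On the slide's numbers the check passes: 1838214 full records at 4096 bytes are exactly the 7529324544 bytes dd reports, and the "+0" says no short read occurred; the hash comparison is the part the summary cannot give you and is worth the extra pass over the disk.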


Netcat | dd: mounted dd image (Physical acquisition)

• Mac: rename .dd to .dmg

2015 © A. Dhein 19 / 64

Jonathan Zdziarski (Physical acquisition)

• Hacker pseudonym "NerveGas", former Dev-Team member (responsible for jailbreak solutions)
• Books
  • iPhone Forensics*
  • iOS Security
• Software (automated tools) for law enforcement first, now also commercial (viaForensics; senior forensic scientist)
• Idea:
  • Inject/infect the bootloader temporarily
  • Execute unsigned boot code
  • Boot own OS to RAM with recovery agent

* http://www.zdziarski.com/blog/wp-content/uploads/2013/05/iOS-Forensic-Investigative-Methods.pdf

2015 © A. Dhein 20 / 64


Zdziarski – method 1 / boot [specific] kernel (Physical acquisition)

cd iphoneinsecurity/automatedtools/5/OSX/MULTIPLATFORM_IOS4/
sh boot-liverecovery.sh
...w a i t...
iPhone restarts
################################
greenpois0n
http://www.greenpois0n.com
################################
unable to find gBdevList
unable to find fs_mount
unable to find fs_unmount
unable to find fs_load_file
Greenpois0n initialised
...w a i t...
iPhone restarts
some quickly rushing text lines, boots regularly afterwards

sh boot-kernel.sh
iPhone has to be set to DFU mode once again...
iPhone restarts
some quickly rushing text lines, boots regularly afterwards
iPhone back in normal operation mode? (recovery server is running)

cd ../Recovery_Module/
sh recover.sh (enter root password)
Connecting to recovery agent on 127.0.0.1:7777
Connected. Downloading user image to rdisk-1299353466-127.0.0.1-7777.dd...
Image is going to be saved to current directory
...w a i t...
Transfer in progress [ 0.10 GB ] throughput 2.96 MB/s
(ca. 2 hours over USB)

2015 © A. Dhein 21 / 64

Zdziarski – method 2 / multiplatform (Physical acquisition)

• Possible up to iOS 6.x (until iPhone 4)
• sudo sh recover-keys.sh
• sudo sh recover-[raw|filesystem].sh firmware_x.y.z.ipsw
• python emf_decrypter.py rdisk-1309266207-06_28_2011_09_03_27.dd keys-1309266207-06_28_2011_09_03_27.txt
• python emf_undelete.py rdisk-1309266207-06_28_2011_09_03_27.dd keys-1309266207-06_28_2011_09_03_27.txt

2015 © A. Dhein 22 / 64


UFED Physical Analyzer (iPhone extraction module) (Physical acquisition)

1. Recovery mode
   • Disconnect / power off
   • Hold the Home button and connect the USB dock cable...
   • iTunes symbol appears...
   • Still hold the Home button
   • until.....

2015 © A. Dhein 23 / 64

UFED Physical Analyzer (iPhone extraction module) (Physical acquisition)

2. Firmware info appears
   • 4.3.2-4.3.3 (4.3.3)
   • Successful so far:
     • 2G (3.1.3)
     • 3G (4.1)
     • 3GS (4.3.3)
     • 4 (4.2)
   • Next ...

2015 © A. Dhein 24 / 64


UFED Physical Analyzer (iPhone extraction module) (Physical acquisition)

3. Start acquisition
   • Enter DFU mode
     • Press Power + Home button for 10 s
     • Release the Power button, still holding the Home button
     • Wait for 10-20 s
     • Until ...

2015 © A. Dhein 25 / 64

UFED Physical Analyzer (iPhone extraction module) (Physical acquisition)

Loading Cellebrite Agent ....

2015 © A. Dhein 26 / 64


UFED Physical Analyzer (iPhone extraction module) (Physical acquisition)

4. Capture
   • Full physical extraction
     • Encrypted (?)
     • Passcode does not matter!
   • File system dump
     • Passcode does not matter!
   • Shutdown
     • Power off device

2015 © A. Dhein 27 / 64

UFED Physical Analyzer (iPhone extraction module) (Physical acquisition)

iPhone 3GS (16GB / 4.3.3): 1 h 8 min | 30 min

2015 © A. Dhein 28 / 64


UFED Physical Analyzer (iPhone extraction module) (Physical acquisition)

iPhone 3GS (16GB / 4.3.3)

2015 © A. Dhein 29 / 64

Cellebrite UFED touch [physical] (Physical acquisition)

2015 © A. Dhein 30 / 64


Zdziarski – latest approach (dunamis < ei < waterboard) (Enhanced logical acquisition)

• Advanced logical acquisition, because there is no known hardware exploit available for current devices
• Code names
  • ./dunamis = God-like power
  • ./ei = Enhanced interrogation
  • ./waterboard = another torture technique
• Idea:
  • Use flaws in iTunes protocols to gain access to restricted data
  • Use hidden system services (e.g. com.apple.mobile.file_relay) to access personal data

2015 © A. Dhein 31 / 64

Zdziarski – latest approach (dunamis, ei, waterboard) (Enhanced logical acquisition)

• Workflow
  1. List => UniqueDeviceID
  2. Pair
     • usb:UDID | ip:UDID
  3. Acquire
     • Full
     • Quick
     • Backup
     • App data only
     • AFC data only

2015 © A. Dhein 32 / 64


Cellebrite UFED 4PC (acquiring assistant) (Enhanced logical acquisition)

2015 © A. Dhein 33 / 64

A last word on device locks (Physical acquisition)

• Prior to iOS 8 encryption keys are bound to hardware
• Since iOS 8 encryption keys are bound to the PIN
  • Apple is not able to decrypt devices any more
• Is your data now secure?
  • There are keybag keys (an escrow keybag) stored on your PC
  • What you get then (even if the device is locked)
    • Camera roll, videos, and recordings
    • Podcasts, books, and other iTunes media
    • All third-party application data (iTunes backup)

Source: http://www.zdziarski.com/blog/?p=3875

2015 © A. Dhein 34 / 64


Content

1. Introduction
2. Data Acquisition
3. Getting in touch with the content
   • Decoding iTunes backups manually
   • Tools for decoding iTunes backups
4. Data Analysis I
   • Where to find what
   • How to deal with it
5. Data Analysis II
   • Extraction examples
6. Data Analysis III
   • Media extraction
7. Summary / Questions

2015 © A. Dhein 35 / 64

Decoding iTunes backup: iTunes backup < iOS 3.1.3

• Status.plist (true/false)
• Manifest.plist (?)
• Info.plist
• *.mdinfo (metadata)
• *.mddata (file)

2015 © A. Dhein 36 / 64


Decoding iTunes backup: iTunes backup > iOS 4

• Status.plist
• Manifest.plist
• Manifest.mbdx
• Manifest.mbdb
• Info.plist
• a08106bec36a03ed714f0908cf2a19e54df877d2 (example of a hashed file name)

2015 © A. Dhein 37 / 64

Decoding iTunes backup: iTunes backup ☺ > iOS 4 < iOS 8

• http://stackoverflow.com/questions/3085153/how-to-parse-the-manifest-mbdb-file-in-an-ios-4-0-itunes-backup
• http://code.google.com/p/iphonebackupbrowser/wiki/MbdbMbdxFormat

• Status.plist
• Manifest.plist
• Manifest.mbdx
• Manifest.mbdb
• Info.plist
• a08106bec36a03ed714f0908cf2a19e54df877d2

2015 © A. Dhein 38 / 64
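An added example (not from the lecture or from any of the tools it lists) for the two backup-layout slides above and for the SHA-1 naming described under "iTunes syncing philosophy": each Manifest.mbdb record follows the MbdbMbdxFormat description linked on the slide (five length-prefixed strings, then mode, inode, uid, gid, three timestamps, length, flag and a property list), and a file's name in the backup folder is SHA-1 over "<domain>-<relative path>". build_mbdb() and SAMPLE_ENTRIES are constructed input so the block runs offline; the SMS and AddressBook paths are the ones the later slides cite.

```python
"""Added example, not lecture code: decode a Manifest.mbdb (iOS 4 to iOS 9 iTunes
backups) and derive the flat SHA-1 file names the backup folder uses.
The record layout follows the public MbdbMbdxFormat description the slide links to;
the sample manifest is constructed in memory by build_mbdb() (iTunes writes the real one)."""
import hashlib
import struct

MBDB_MAGIC = b"mbdb\x05\x00"
# fixed part after the five strings: mode, inode (two 32-bit words), uid, gid,
# mtime, atime, ctime, file length, flag, property count
FIXED = struct.Struct(">HIIIIIIIQBB")
STRING_FIELDS = ("domain", "path", "linktarget", "datahash", "enckey")


def backup_filename(domain, path):
    """Name of the file inside the backup folder: SHA-1 over "<domain>-<relative path>"."""
    return hashlib.sha1(f"{domain}-{path}".encode("utf-8")).hexdigest()


def _get_string(data, off):
    """Big-endian 16-bit length, then UTF-8 bytes; length 0xFFFF marks a null string."""
    (length,) = struct.unpack_from(">H", data, off)
    off += 2
    if length == 0xFFFF:
        return None, off
    return data[off:off + length].decode("utf-8", "replace"), off + length


def parse_mbdb(data):
    if not data.startswith(b"mbdb"):
        raise ValueError("not a Manifest.mbdb")
    off, records = len(MBDB_MAGIC), []
    while off < len(data):
        rec = {}
        for key in STRING_FIELDS:
            rec[key], off = _get_string(data, off)
        (rec["mode"], ino_hi, ino_lo, rec["uid"], rec["gid"], rec["mtime"], rec["atime"],
         rec["ctime"], rec["size"], rec["flag"], nprops) = FIXED.unpack_from(data, off)
        off += FIXED.size
        rec["inode"] = (ino_hi << 32) | ino_lo
        rec["properties"] = {}
        for _ in range(nprops):
            name, off = _get_string(data, off)
            rec["properties"][name], off = _get_string(data, off)
        rec["backup_file"] = backup_filename(rec["domain"], rec["path"])
        records.append(rec)
    return records


def is_regular_file(rec):
    """Only regular files have a data file in the backup; directories and symlinks do not."""
    return (rec["mode"] & 0o170000) == 0o100000


def index_backup(data):
    """Map hashed backup file name -> (domain, path) for every regular file in the manifest."""
    return {r["backup_file"]: (r["domain"], r["path"])
            for r in parse_mbdb(data) if is_regular_file(r)}


# --- constructed sample input (writer exists only to build the test manifest) ----------
def _put_string(s):
    if s is None:
        return b"\xff\xff"
    raw = s.encode("utf-8")
    return struct.pack(">H", len(raw)) + raw


def build_mbdb(entries):
    out = bytearray(MBDB_MAGIC)
    for e in entries:
        for key in STRING_FIELDS:
            out += _put_string(e.get(key))
        props = e.get("properties", {})
        t = e.get("mtime", 0)
        out += FIXED.pack(e["mode"], 0, e.get("inode", 0), 501, 501, t, t, t,
                          e.get("size", 0), 0, len(props))
        for name, value in props.items():
            out += _put_string(name) + _put_string(value)
    return bytes(out)


SAMPLE_ENTRIES = [  # constructed rows; the paths are the iOS locations the slides cite
    {"domain": "HomeDomain", "path": "Library/SMS", "mode": 0o040755},
    {"domain": "HomeDomain", "path": "Library/SMS/sms.db", "mode": 0o100644,
     "size": 1234, "mtime": 1434653657, "inode": 4711},
    {"domain": "HomeDomain", "path": "Library/AddressBook/AddressBook.sqlitedb",
     "mode": 0o100644, "size": 55, "mtime": 1434653657},
]
SAMPLE_MBDB = build_mbdb(SAMPLE_ENTRIES)

if __name__ == "__main__":
    for name, (domain, path) in sorted(index_backup(SAMPLE_MBDB).items()):
        print(name, domain, path)
```

The naming rule is why a backup folder looks "flat" and "obfuscated", as the syncing slide puts it, and also why it is searchable without the manifest: the name of HomeDomain-Library/SMS/sms.db is the same on every backup, so a known path can be looked up directly by hashing it.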


Decoding iTunes backup: iPhone Backup Extractor / JuicePhone (Mac)

• Parse local mobile backups
• Export opportunities
  • Specific apps
  • iOS Home
    • Library -> Apple apps
    • Media -> Photos, music, etc.
  • Keychains

http://supercrazyawesome.com (free)
http://www.addpod.de/juicephone (free)

2015 © A. Dhein 39 / 64

Decoding iTunes backup: Problems since iOS 8 (work in progress)

• Problems parsing iTunes backup
  • Different folders for one single app
    • App folder(s)
    • ShareExtension
    • WatchKitExtension
  • Lots of empty folders

2015 © A. Dhein 40 / 64


Cellebrite UFED 4PC (extraction overview) (Physical acquisition)

2015 © A. Dhein 41 / 64

Content

1. Introduction
2. Data Acquisition
3. Getting in touch with the content
4. Data Analysis I
   • Where to find what
   • How to deal with it
     • Plist files
     • SQLite databases
     • Different formats
5. Data Analysis II
   • Extraction examples
6. Data Analysis III
   • Media extraction
7. Summary / Questions

2015 © A. Dhein 42 / 64


Where to find what in which domain (Data Analysis I)

• /mobile/Library/*
  • plist files
    • Cookies, Maps (history, routes), Safari (history, bookmarks)
  • SQLite3 databases
    • Addressbook, calendar, caller lists, notes, SMS, voicemail
    • SQLiteBrowserFE (self-development)
• /mobile/Media/*
  • Pictures taken, video recordings, audio recordings
  • iTunes music library, iTunes video library
  • Photo Library, iBooks media
• /mobile/Applications/*
  • WhatsApp, Facebook, Skype, ICQ, Navigon, etc.

2015 © A. Dhein 43 / 64

Plist files (e.g. Safari history) (Data Analysis I)

• XML format (sometimes binary)
• Integrated into Mac OS X
• Windows version
  • plist Editor(*) (free)

(*) http://www.iCopyBot.com/download.htm

2015 © A. Dhein 44 / 64


SQLite extraction (e.g. SMS messages) (Data Analysis I)

• terminal
• SQLiteBrowser(*)
• Microsoft Excel – import of CSV (not applicable)

(*) http://sqlitebrowser.sourceforge.net/

2015 © A. Dhein 45 / 64

SQLite extraction (e.g. SMS messages) (Data Analysis I)

• Specific problems
  • Line breaks in CSV files (table structure damaged)
  • HTML tags in texts (no natural reading)
• Unix timestamps (standard)
  • Seconds since 01.01.1970 00:00:00 h
  • 1.434.653.657 -> Thu, 18 Jun 2015 18:54:17 GMT
• CFAbsoluteTime timestamp (Apple)
  • Seconds since 01.01.2001 00:00:00 h
  • unix timestamp = cfabsolute + 978.307.200 s
• Flags
  • 0 = no / 1 = yes
  • Odd = out / Even = in

2015 © A. Dhein 46 / 64
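The conversions on this slide as an added, runnable example (not lecture code). It also goes beyond the slide: decode_apple_timestamp() tells Unix seconds, CFAbsoluteTime seconds and the nanosecond CFAbsoluteTime that newer iOS databases (e.g. sms.db since iOS 11) store apart by magnitude, and the two flag helpers implement the 0/1 and odd/even conventions. SAMPLE_ROWS are constructed; the first row uses the slide's own value 1.434.653.657.

```python
"""Added example, not lecture code: decoding the timestamp and flag conventions the
slide lists for iOS SQLite databases (Unix epoch, CFAbsoluteTime, 0/1, odd/even)."""
from datetime import datetime, timedelta, timezone

CF_EPOCH_OFFSET = 978_307_200                         # 2001-01-01 00:00:00 UTC as Unix time
CF_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def cf_to_unix(cf_seconds):
    """CFAbsoluteTime (seconds since 2001) -> Unix time (seconds since 1970)."""
    return cf_seconds + CF_EPOCH_OFFSET


def unix_to_cf(unix_seconds):
    return unix_seconds - CF_EPOCH_OFFSET


def unix_to_datetime(unix_seconds):
    return datetime.fromtimestamp(unix_seconds, tz=timezone.utc)


def to_gmt_string(dt):
    """The display form used on the slide, e.g. 'Thu, 18 Jun 2015 18:54:17 GMT'."""
    return dt.astimezone(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")


def decode_apple_timestamp(value):
    """Classify a raw numeric column value and return (kind, UTC datetime).
    Beyond the slide: newer iOS databases store CFAbsoluteTime in nanoseconds, so three
    encodings are told apart by magnitude (heuristic, valid for dates 2001 to 2032):
      >= 1e12        nanoseconds since 2001 (1e12 s would be far in the future for either epoch)
      >= 978307200   Unix seconds (a 2001-or-later date counted from 1970)
      otherwise      CFAbsoluteTime seconds (a date before 2032 counted from 2001)"""
    v = float(value)
    if abs(v) >= 1e12:
        return "cf_nanoseconds", CF_EPOCH + timedelta(microseconds=v / 1000)
    if v >= CF_EPOCH_OFFSET:
        return "unix_seconds", unix_to_datetime(v)
    return "cf_seconds", CF_EPOCH + timedelta(seconds=v)


def decode_bool_flag(flag):
    """0 = no / 1 = yes."""
    return bool(flag)


def message_direction(flags):
    """Odd = out / even = in, i.e. the lowest bit carries the direction."""
    return "out" if flags & 1 else "in"


# constructed rows in the shape of an SMS export: (flags, raw date value, note)
SAMPLE_ROWS = [
    (2, 1434653657, "incoming, Unix seconds (the slide's own example value)"),
    (3, 456346457, "outgoing, CFAbsoluteTime seconds for the same instant"),
    (3, 456346457000000000, "outgoing, CFAbsoluteTime nanoseconds for the same instant"),
]


def decode_rows(rows):
    """Normalise every row to (direction, encoding, GMT string, note)."""
    out = []
    for flags, raw, note in rows:
        kind, dt = decode_apple_timestamp(raw)
        out.append((message_direction(flags), kind, to_gmt_string(dt), note))
    return out


if __name__ == "__main__":
    for row in decode_rows(SAMPLE_ROWS):
        print(*row, sep=" | ")
```

The image name on the Zdziarski slide, rdisk-1309266207-06_28_2011_09_03_27.dd, is the same idea applied to a file name: unix_to_datetime(1309266207) gives 2011-06-28 13:03:27 UTC, and the suffix is that instant as local time four hours behind UTC.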


Content

1. Introduction
2. Data Acquisition
3. Getting in touch with the content
4. Data Analysis I
   • Where to find what
   • How to deal with it
5. Data Analysis II
   • Extraction examples
     • Addressbook
     • SMS/MMS
     • WhatsApp
6. Data Analysis III
   • Media extraction
7. Summary / Questions

2015 © A. Dhein 47 / 64

Addressbook (Data Analysis II)

• SQLite3 database
  • /mobile/Library/AddressBook/AddressBook.sqlitedb
• Structure is different in different iOS versions
• Content is different according to user input (e.g. labels)

ABPERSON
ROWID | First | Last | Organization | Department | Note | Kind | Birthday | JobTitle | Nickname | CreationDate | ModificationDate
308 | Andreas | Dhein | Polizei Koblenz | Kriminaldirektion | ... | nein | CFAbsolute | PG TechEU | Andi | CFAbsolute | CFAbsolute

ABMULTIVALUE
UID | record_id | label | value
47 | 308 | 8 | Name
48 | 308 | 7 | +49 ..
49 | 308 | 3 | +49 ..
50 | 308 | 4 | 0177 ..
51 | 308 | 3 | +49 ..
52 | 308 | 2 | +49 ..
53 | 308 | 1 | +49 ..
54 | 308 | 5 | 0221 ..
55 | 308 | 1 | KDK ..
56 | 308 | 3 | Andr ..
57 | 308 | 5 | andr ..
58 | 308 | 3 | KDK ..
59 | 308 | 5 | adh ..
60 | 308 | 1 | info ..
61 | 308 | 3 | adh ..
62 | 308 | 3 | (empty; the parts are in ABMULTIVALUEENTRY)
63 | 308 | 9 | 163 ..
64 | 308 | 9 | 243 ..
65 | 308 | 6 | http: ..

ABMULTIVALUEENTRYKEY
ROWID | value
1 | Country
2 | Street
3 | ZIP
4 | City
5 | CountryCode
6 | State
7 | Service
8 | Username

ABMULTIVALUEENTRY
parent_id | key | value
62 | 1 | Deutschland
62 | 2 | Im Palmen ..
62 | 3 | 56072
62 | 4 | Koblenz – G ..
62 | 5 | de

ABMULTIVALUELABEL
ROWID | value
1 | _$!<Work>!$_
2 | _$!<Mobile>!$_
3 | _$!<Home>!$_
4 | _$!<WorkFAX>!$_
5 | _$!<Other>!$_
6 | _$!<HomePage>!$_
7 | _$!<HomeFAX>!$_
8 | _$!<Spouse>!$_
9 | _$!<Anniversary>!$_
10 | Singapore
11 | VOIP
12 | Singapur
13 | Skype
14 | _$!<Friens>!$_
15 | _$!<Main>!$_
16 | Arbeit
17 | _$!<Child>!$_
18 | iPhone
19 | _$!<Pager>!$_

ABGROUP
ROWID | Name
10 | Gr. 1
11 | Gr. 6
12 | Freunde
13 | Gastro
14 | PP Koblenz
15 | Familie
16 | Gr. 2
17 | Gr. 4
18 | Gr. 3

ABGROUPMEMBERS
UID | group_id | member_id
66 | 14 | 308
81 | 15 | 308

2015 © A. Dhein 48 / 64
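An added example (not lecture code) that reassembles one contact from the tables shown above. The schema is reduced to the columns the slide shows and every row is constructed sample data, so a real AddressBook.sqlitedb of a given iOS version may differ (the slide itself warns that the structure changes between versions). The block resolves label ids through ABMultiValueLabel, rebuilds the postal address from ABMultiValueEntry via the ABMultiValueEntryKey names, lists group membership, and converts the CFAbsoluteTime creation date.

```python
"""Added example, not lecture code: one contact reassembled from the AddressBook.sqlitedb
tables on the slide (ABPerson, ABMultiValue, ABMultiValueLabel, ABMultiValueEntry,
ABMultiValueEntryKey, ABGroup, ABGroupMembers). Reduced schema, constructed rows."""
import sqlite3

CF_EPOCH_OFFSET = 978307200   # CFAbsoluteTime (seconds since 2001) -> Unix time

SCHEMA = """
CREATE TABLE ABPerson (ROWID INTEGER PRIMARY KEY, First TEXT, Last TEXT, Organization TEXT,
    Nickname TEXT, CreationDate REAL, ModificationDate REAL);
CREATE TABLE ABMultiValue (UID INTEGER PRIMARY KEY, record_id INTEGER, label INTEGER, value TEXT);
CREATE TABLE ABMultiValueLabel (ROWID INTEGER PRIMARY KEY, value TEXT);
CREATE TABLE ABMultiValueEntryKey (ROWID INTEGER PRIMARY KEY, value TEXT);
CREATE TABLE ABMultiValueEntry (parent_id INTEGER, key INTEGER, value TEXT);
CREATE TABLE ABGroup (ROWID INTEGER PRIMARY KEY, Name TEXT);
CREATE TABLE ABGroupMembers (UID INTEGER PRIMARY KEY, group_id INTEGER, member_id INTEGER);
"""

SAMPLE_ROWS = {  # constructed sample data; labels and key names are Apple's built-in ones
    "ABPerson": [(308, "Erika", "Mustermann", "Example Org", "Eri", 456346457.0, 456346457.0)],
    "ABMultiValueLabel": [(1, "_$!<Work>!$_"), (2, "_$!<Mobile>!$_"),
                          (3, "_$!<Home>!$_"), (6, "_$!<HomePage>!$_")],
    "ABMultiValueEntryKey": [(1, "Country"), (2, "Street"), (3, "ZIP"), (4, "City"), (5, "CountryCode")],
    "ABMultiValue": [(48, 308, 2, "+49 170 0000000"), (55, 308, 1, "erika@example.org"),
                     (62, 308, 3, None), (65, 308, 6, "http://example.org")],
    "ABMultiValueEntry": [(62, 1, "Deutschland"), (62, 2, "Musterstr. 1"),
                          (62, 3, "56072"), (62, 4, "Koblenz"), (62, 5, "de")],
    "ABGroup": [(14, "Work"), (15, "Family")],
    "ABGroupMembers": [(66, 14, 308), (81, 15, 308)],
}


def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        placeholders = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({placeholders})", rows)
    return conn


def pretty_label(raw):
    """Built-in labels are wrapped as _$!<Name>!$_; user-defined labels are plain text."""
    if raw and raw.startswith("_$!<") and raw.endswith(">!$_"):
        return raw[4:-4]
    return raw


def multivalues(conn, person_id):
    """All multi-values of a person: plain values come straight from ABMultiValue, a
    structured value (postal address) is reassembled from ABMultiValueEntry, with the
    part names looked up in ABMultiValueEntryKey."""
    rows = conn.execute("""
        SELECT mv.UID, COALESCE(l.value, ''), mv.value
        FROM ABMultiValue mv LEFT JOIN ABMultiValueLabel l ON l.ROWID = mv.label
        WHERE mv.record_id = ? ORDER BY mv.UID""", (person_id,)).fetchall()
    result = []
    for uid, label, value in rows:
        if value is None:
            parts = conn.execute("""
                SELECT k.value, e.value FROM ABMultiValueEntry e
                JOIN ABMultiValueEntryKey k ON k.ROWID = e.key
                WHERE e.parent_id = ? ORDER BY e.key""", (uid,)).fetchall()
            value = dict(parts)
        result.append((pretty_label(label), value))
    return result


def groups(conn, person_id):
    return [name for (name,) in conn.execute("""
        SELECT g.Name FROM ABGroupMembers gm JOIN ABGroup g ON g.ROWID = gm.group_id
        WHERE gm.member_id = ? ORDER BY g.ROWID""", (person_id,))]


def contact(conn, person_id):
    first, last, org, nick, created = conn.execute(
        "SELECT First, Last, Organization, Nickname, datetime(CreationDate + ?, 'unixepoch') "
        "FROM ABPerson WHERE ROWID = ?", (CF_EPOCH_OFFSET, person_id)).fetchone()
    return {"name": f"{first} {last}", "organization": org, "nickname": nick,
            "created_utc": created, "values": multivalues(conn, person_id),
            "groups": groups(conn, person_id)}


if __name__ == "__main__":
    for key, val in contact(open_sample_db(), 308).items():
        print(f"{key}: {val}")
```

The same join pattern (multi-value rows keyed by record_id, label ids resolved through a lookup table) is what makes the "complexity in some cases" of the summary slide: a single contact is spread over five tables, and the address only exists as key/value parts hanging off an otherwise empty ABMultiValue row.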


Addressbook (images) (Data Analysis II)

• SQLite3 database
  • /mobile/Library/AddressBook/AddressBookImages.sqlitedb
• SQL dump AB[FULLSIZE]IMAGE [from 4.3.3]
• sh extractAddressBookImages.sh ABImages.txt
  • Dump "scraping" out images
  • Execute unbinhex.pl

2015 © A. Dhein 49 / 64

SMS / MMS (Data Analysis II)

• SQLite3 database
  • /mobile/Library/SMS/sms.db
• SQL query (SMS)
  • SELECT * from MESSAGE
• SQL query (MMS)
  • SELECT * from MSG_PIECES

2015 © A. Dhein 50 / 64


WhatsApp (Data Analysis II)

• Short messages over the internet
• Based on the mobile number as identity
• Different types of content
  • Multimedia files, images, etc.
  • Geolocation data
• /mobile/Applications/SHA1-HASH/Documents/ChatStorage.sqlite
• /mobile/Applications/WhatsApp/Library/Media/*

2015 © A. Dhein 51 / 64

WhatsApp (manually) (Data Analysis II)

• SQLite3 database
  • /mobile/Applications/SHA1-HASH/Documents/ChatStorage.sqlite

SELECT datetime((zwamessage.zmessagedate + 978307200), 'unixepoch', 'localtime') as Time,
       zwamessage.zfromjid, zwachatsession.zpartnername, zwamessage.ztext,
       zwachatsession.zcontactjid, zwamessage.zmessagestatus, zwamessage.zmessagetype,
       zwamessage.zmediaitem
FROM zwachatsession
JOIN zwamessage ON zwachatsession.z_pk = zwamessage.zchatsession

2015 © A. Dhein 52 / 64
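The query above run end to end, as an added example that is not part of the lecture: the two tables are a constructed, reduced copy with only the columns the query touches, and the 'localtime' modifier is made optional so the result is reproducible in UTC. The export half addresses the first problem listed on the SQLite extraction slide: a message text containing a line break breaks a naively written CSV table, while a properly quoted CSV keeps it as one record.

```python
"""Added example, not lecture code: the slide's ChatStorage.sqlite query against a
constructed, reduced copy of the two Core Data tables it joins, plus a CSV export that
survives line breaks inside message texts."""
import csv
import io
import sqlite3

CF_EPOCH_OFFSET = 978307200

# reduced schema: only the columns the query touches (the real tables have many more)
SCHEMA = """
CREATE TABLE zwachatsession (z_pk INTEGER PRIMARY KEY, zcontactjid TEXT, zpartnername TEXT);
CREATE TABLE zwamessage (z_pk INTEGER PRIMARY KEY, zchatsession INTEGER, zfromjid TEXT,
    zmessagedate REAL, zmessagestatus INTEGER, zmessagetype INTEGER, ztext TEXT,
    zmediaitem INTEGER);
"""
# constructed rows; zmessagedate is CFAbsoluteTime (456346457 = 2015-06-18 18:54:17 UTC)
SAMPLE_SESSIONS = [(1, "491700000000@s.whatsapp.net", "Erika (constructed)")]
SAMPLE_MESSAGES = [
    (10, 1, "491700000000@s.whatsapp.net", 456346457.0, 6, 0, "Hi,\nsee you at 7?", None),
    (11, 1, None, 456346517.0, 6, 0, "ok", None),
]
COLUMNS = ["Time", "zfromjid", "zpartnername", "ztext", "zcontactjid",
           "zmessagestatus", "zmessagetype", "zmediaitem"]


def chat_query(localtime=False):
    """The slide's query; 'localtime' is optional here so results are reproducible in UTC."""
    modifiers = "'unixepoch', 'localtime'" if localtime else "'unixepoch'"
    return f"""
        SELECT datetime((zwamessage.zmessagedate + {CF_EPOCH_OFFSET}), {modifiers}) AS Time,
               zwamessage.zfromjid, zwachatsession.zpartnername, zwamessage.ztext,
               zwachatsession.zcontactjid, zwamessage.zmessagestatus,
               zwamessage.zmessagetype, zwamessage.zmediaitem
        FROM zwachatsession
        JOIN zwamessage ON zwachatsession.z_pk = zwamessage.zchatsession
        ORDER BY zwamessage.zmessagedate"""


def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO zwachatsession VALUES (?,?,?)", SAMPLE_SESSIONS)
    conn.executemany("INSERT INTO zwamessage VALUES (?,?,?,?,?,?,?,?)", SAMPLE_MESSAGES)
    return conn


def export_chats(conn, localtime=False):
    return conn.execute(chat_query(localtime)).fetchall()


def to_csv(rows):
    """Quote every field: a text containing a line break stays one CSV record."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(COLUMNS)
    writer.writerows(rows)
    return buf.getvalue()


def naive_csv(rows):
    """The fragile variant: one physical line per record, no quoting, so an embedded
    line break produces an extra, malformed line (the problem the slide describes)."""
    return "\n".join(",".join("" if v is None else str(v) for v in row) for row in rows) + "\n"


def read_csv(text):
    """Parse CSV text back into records, header included."""
    return list(csv.reader(io.StringIO(text)))


if __name__ == "__main__":
    print(to_csv(export_chats(open_sample_db())))
```

Opening the quoted export in a spreadsheet keeps the two-message table intact; the naive variant shows three data lines for two messages, which is the "table structure damaged" symptom.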


WhatsApp (whatsapp_xtract.py) I (Data Analysis II)

• Copy the SQLite DB / media folder to the whatsapp_xtract folder
• Execute the whatsapp_xtract.py script
• Open ChatStorage.sqlite.html

http://forum.xda-developers.com/showthread.php?t=1583021

2015 © A. Dhein 53 / 64

WhatsApp (whatsapp_xtract.py) II (Data Analysis II)

• Index of all chat conversations
• Embedded and linked media

2015 © A. Dhein 54 / 64


Content

1. Introduction
2. Data Acquisition
3. Getting in touch with the content
4. Data Analysis I
   • Where to find what
   • How to deal with it
5. Data Analysis II
6. Data Analysis III
   • Media extraction
     • iTunes Library
     • Camera Roll
     • Audio recordings
7. Summary / Questions

2015 © A. Dhein 55 / 64

iTunes: Music (Data Analysis III)

• Although created with iTunes, no audio files inside the backup
• /mobile/Media/iTunes_Control (only available via a separate service)
• File names are 4-character "crypted" names (better use "sharepod")

2015 © A. Dhein 56 / 64


Media: Photos, Videos, Audio (Data Analysis III)

• Included in the logical and the physical dump
• Acquisition also possible using Camera Assistant (Win/Mac)
• Taken photos, videos
  • /mobile/Media/DCIM/*
  • Analyze EXIF data (GPS, timestamp, etc.)
    • exifprobe -L filename.jpg (*)
• Audio recordings
  • /mobile/Media/Recordings
    • recordings.db
    • *.m4a (QuickTime, VLC)

(*) https://github.com/hfiguiere/exifprobe

2015 © A. Dhein 57 / 64

Photo Library (thumbnails) (Data Analysis III)

• /mobile/Media/PhotoData/*

(*) http://keithwiley.com/software/keithsIPodPhotoReader.shtml (Mac)

2015 © A. Dhein 58 / 64


Cellebrite UFED 4PC (geolocation info from images) (Physical acquisition)

Screenshot annotations: Photo taken | NO GPS | UMTS cell tower

2015 © A. Dhein 59 / 64

Content

1. Introduction
2. Data Acquisition
3. Getting in touch with the content
4. Data Analysis I
   • Where to find what
   • How to deal with it
5. Data Analysis II
6. Data Analysis III
7. Summary / Questions

2015 © A. Dhein 60 / 64


Summary: What we've learnt

• Introduction
  • Different aspects of device evolution, i.e. hardware, features, software
  • Limits to access content -> what artifacts to get from which processing
• Data Acquisition
  • Need to understand: iTunes syncing philosophy
  • Logical backup vs physical imaging (iTunes, Zdziarski, commercial)
• Getting in touch with the content
  • Decoding iTunes backups manually/automatically
• Data Analysis I (Where to find what, how to deal with it)
  • Different domains, different data sources, different data formats
• Data Analysis II (Extraction examples)
  • How to extract standard iOS software artifacts
  • Complexity in some cases, simplicity in general
• Data Analysis III (Media extraction)
  • Easy to catch -> Camera Roll <- connected device
  • More media to get -> file system acquisition

Advanced Physical Examiner

2015 © A. Dhein 61 / 64

References [all links checked on 26.4.2013]

iFix4: iPhone 4 teardown. ifixit, http://www.ifixit.com/Teardown/iPhone+4+Teardown/3130/3 [14.07.2011] (good resource for all kinds of disassembly information)
iFix5: iPhone 5 teardown. ifixit, http://www.ifixit.com/Teardown/iPhone+5+Teardown/10525/1 [21.09.2012]
JZ1: iOS research (Automated tools). Jonathan Zdziarski, http://www.iosresearch.org [24.07.2009] (restricted to law enforcement)
JZ2: Waterboard: Advanced Forensic Logical Acquisition for iOS Devices. Jonathan Zdziarski, http://www.zdziarski.com/blog/?p=2385; https://github.com/jzdziarski/waterboard [12.06.2013] (free)
JZ3: iOS Forensic Investigative Methods. Jonathan Zdziarski, http://www.zdziarski.com/blog/?p=2287 [06.05.2013] (free)

2015 © A. Dhein 62 / 64


Questions to check your knowledge

1. What are the reasons for not being able to access an iDevice (physically)?
2. Describe the different content types to extract from a logical/physical backup.
3. Name the two main objectives in the iTunes syncing philosophy.
4. Why is it important to prevent iTunes from syncing automatically before connecting an iDevice?
5. Find the mobile backup locations in different desktop operating systems.
6. Name the 3 different imaging approaches Zdziarski uses and describe the differences in extraction.
7. Explain how to parse a current iTunes backup, i.e. decoding file names from Manifest.mbdx.
8. What are the 3 different mobile domains and which data to get from each?
9. Explain how to extract the caller list and name the 2 conversions that have to be undertaken.
10. What are ithmb files and how to deal with them?

2015 © A. Dhein 63 / 64

Questions to check your knowledge (originally in German)

1. What are the reasons that prevent physical access to an iDevice?
2. Describe the different content types of logical and physical extractions.
3. Name the 2 basic rules of the iTunes syncing philosophy.
4. Why is it so important to prevent automatic syncing in iTunes before connecting an iDevice?
5. Where are the mobile backups to be found in the different desktop operating systems?
6. Name Zdziarski's 3 different approaches and describe the differences in extraction.
7. Describe the procedure for parsing a current iTunes backup, i.e. decoding the Manifest.mbdx file.
8. What are the 3 different /mobile/ domains and which data can be extracted from each?
9. How can the caller list be extracted and which 2 conversions are necessary?
10. What are ithmb files and how can their content be made visible?

2015 © A. Dhein 64 / 64