The AFIT of Today is the Air Force of Tomorrow.

Investigating Forensic Options for the Apple iPad

Andrew Hay, Dennis Krill, Ben Kuhar, Gilbert Peterson

CCR - The Center for Cyberspace Research
Aim High ... Fly-Fight-Win

Overview

• Background
• Forensic Process
• File System Access
• Commercial Products
• Manual Recovery (Jailbreak)
• iTunes Backup
• Collected Data Identification and Analysis

Background

• Mobile device adoption is showing no signs of stopping
• iPad sales reached 14.8 million as of 18 Jan 2011
• Because of hardware changes, forensic methods must be continually refreshed
  • Last iOS survey from 2008
• iOS is a closed architecture, ‘jailed’ through firmware restrictions
  • Lacks traditional file system
  • Lacks device disk mode

iPad Forensics Process

1. Commercial tool analysis
2. Refresh the Zdziarski method
3. Identify OS-relevant information and method comparison

Commercial Tools

• NOTE: Limited to Free Trial/Demo versions; however, each advertised no capability restrictions
• Lantern v1.0.6.0 by Katana Forensics (Maryland)
  • GUI: Java-based (Mac)
• Mobilyze v1.1 by BlackBag Technologies (California) *
  • Native application (Mac)
  • Designed specifically for iDevices
• Oxygen Forensics Suite 2010 v2.8.1 (Russia)
  • Windows-based
  • Highly lauded in reviews
  • Very versatile (1650 mobile devices)

* Following initial analysis, BlackBag announced plans to integrate Mobilyze functionality into their BlackLight forensics suite by Apr 2011

Manual Recovery

Three Methods
1. Apple-assisted disk mode unlock through law enforcement
2. Apple-unauthorized Jailbreak
   • Zdziarski analysis image, updated method
   • Forensics Toolkit (FTK) to analyze
3. iTunes Backup file analysis

Jailbreak

• Methods available (as of v4.2.1):
  • Spirit (used for analysis with v3.2)
  • JailbreakMe + Cydia
  • redsn0w v0.9.6b6, independent of Cydia
    • Requires tethering: computer connection after each reboot
• Jailbreaking justified by Zdziarski for forensic soundness based on MD5 hashing of the User partition
  • Cydia software suite does not include an MD5 hash implementation
  • Using OpenSSH MD5 resulted in multiple spontaneous iPad reboots
• Note: Dependence on jailbreak availability and Cydia software installation

Zdziarski Method Refresh

• PwnageTool (current v4.1.3), used to create custom iOS firmware images, is unsupported for iPad iOS v4.2.1
• Several software dependencies in the text have not been updated
• The redsn0w jailbreak provides the ability to develop a custom Zdziarski-like toolkit

iTunes Backup

• Created automatically during ‘sync’
• Stored as a series of binary Property List files
• iPhone Backup Extractor allows contents to be browsed using the OS X file browser
• Encrypted backups will not work

iPad Partitions/Access

• System
  • Limited portion of overall file structure
  • ‘Tainted’ due to system reboot
  • Typically will not contain files of investigative value, assuming device is non-Jailbroken to start
• User
  • Most free space
  • Application support files
  • 3rd party executables
• Once Jailbroken, use AFC2Add package (PhoneDisk)
  • Installed using Cydia, allows USB access
  • Permits MacFUSE file system mount of the iPad root contents in OS X
  • Individual files hashed/copied from command line
  • NOTE: Mount is done R/W so files can still be inadvertently altered
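The hashing points raised in the Jailbreak slide (MD5 over the User partition as the forensic-soundness argument, on-device MD5 causing reboots) and the R/W mount caveat above invite a concrete check run from the host rather than on the iPad. The following Python is an added example, not code from the briefing or from any tool it evaluates: it records MD5 and SHA-256 for every file under a mounted tree at acquisition time and re-verifies later, flagging anything altered, missing or newly written while the mount was writable. The directory layout and file contents built in demo() are constructed, not real iPad data.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large media files stay out of memory

def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for one file in a single read pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def build_manifest(root):
    """Hash every regular file below the mount point, keyed by mount-relative path."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if not p.is_symlink() and p.is_file()}

def verify_manifest(root, manifest):
    """Re-hash the tree; 'altered' and 'new' mean the R/W mount has drifted
    from the state recorded at acquisition time."""
    current = build_manifest(root)
    report = {"unchanged": [], "altered": [], "missing": [], "new": []}
    for rel, recorded in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != recorded:
            report["altered"].append(rel)
        else:
            report["unchanged"].append(rel)
    report["new"] = sorted(set(current) - set(manifest))
    return report

def demo():
    """Constructed sample tree (not real iPad data): record a manifest, then
    simulate an inadvertent write on the R/W mount and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        notes = Path(tmp, "mobile", "Library", "Notes", "notes.db")
        notes.parent.mkdir(parents=True)
        notes.write_bytes(b"constructed notes database")
        Path(tmp, "mobile", "Library", "Cookies.plist").write_bytes(b"bplist00")
        manifest = build_manifest(tmp)
        notes.write_bytes(b"constructed notes database, touched")  # drift
        Path(tmp, "mobile", "Library", "stray.tmp").write_bytes(b"x")  # new file
        return manifest, verify_manifest(tmp, manifest)
```

Keep the manifest file itself off the evidence mount, since writing it there would appear as a 'new' entry on re-verification.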

File Analysis

• Potential evidentiary sources
  • Documents
    • Office, Adobe, HTML, ASCII, Text
  • Media (audio, video, images)
  • Support Files
    • Mail, Notes, Contacts, YouTube, Maps, Calendars
  • 3rd Party Applications
  • Miscellaneous Files

Documents/Media

Documents
• Numerous path locations
• Oxygen and Backup found HTML and PDF only
• Manual found all control files

Media
• /iTunes_Control/ and /mobile/Media/
• Lantern and Oxygen failed for most audio
• Mobilyze had some .gif/.tiff recognition issues
• Mobilyze and Manual found all files

Mail/Notes

Mail: POP, IMAP
• /mobile/Library/Mail/
• Mobilyze had some hits, but incomplete findings
• Manual extraction via search/find was successful

Notes
• /mobile/Library/Notes/notes.db
• All commercial and manual applications succeeded

Contacts/Safari

Contacts
• /mobile/Library/AddressBook/
• All commercial and manual applications successful
• Only Lantern failed to acquire contact images

Safari
• /mobile/Library/Safari/, /Cookies/, /Caches/
• Searched History, Cookies, Recent Searches, Suspend State, Bookmarks, Cache and Webclips
• All had some success with history
• Manual found all files; Backup found all but Recent Searches and Cache files

YouTube/Maps

YouTube
• /mobile/Library/Preferences/com.apple.youtube.plist
• Searched Account Details, History, Bookmarks
• Bookmarks returned Null for Mobilyze, Manual and Backup; believe Bookmarks are not stored locally
• Manual returned everything, including

Maps
• /mobile/Library/Maps/, /Caches/MapTiles/
• Searched Lat/Long viewed, History, Tile Cache and Bookmarks
• Lantern/Mobilyze successful with history
• Lantern/Oxygen had unsuccessful interfaces for bookmarks
• Manual found all files; Backup found all but MapTile caches

Calendars/3rd Party Apps

Calendars
• /mobile/Library/Calendar/
• Mobilyze displayed as UNIX timestamps (unreadable)
• Oxygen provided clear graphic display including recurrences/alarms
• All tools extracted the data from the Calendar database

3rd Party Apps
• /mobile/Applications/ and /Library/Caches/
• Mobilyze: easiest interface
• Lantern and Oxygen advertised capability but returned no results
• Manual and Backup (using iPhone Backup Extractor) were time consuming, but successful in recovering data

Other Evidence

• Additional other evidence important to an investigation (the original slide tabulated, per item, which of Lantern, Mobilyze, Oxygen, Manual and Backup recovered it):
  • iTunes Download History
  • AppleID
  • Known WiFi Access Points
  • Location Services
  • Desktop Pairings
  • Keyboard Cache
  • User Dictionary
  • Wallpaper
  • Pasteboard contents
  • Bluetooth Address
  • Wi-Fi Address
  • Device Name
  • Serial No.
  • Unique Device ID
  • Product Version
  • Build Version

Conclusion

• Manual media imaging and analysis provides the most comprehensive results
• Inherent iOS security features, including remote wipe, passcode lock, and backup encryption, still need addressing
• Relying on the cat-and-mouse game of Apple vs. Jailbreakers for tools is risky
• As mobile device use rises, the need to analyze the devices will continue to increase in importance

Questions?

Usable Images from Original Briefing

[Screenshots from the original briefing: Lantern, Mobilyze, Oxygen, FTK Index Search]