iPhone Forensics


Presentation Transcript


  1. iPhone Forensics Ruben Gonzalez

  2. Agenda
     • I am the iPhone
     • iPhone Components
     • OS and System Architecture
     • Let’s Dive into iPhone Forensics
     • Evidence Left Behind
     • Forensic Software Tools Needed to do the Job
     • Dissecting One Forensic Tool
     • Basic Things to Understand
     • One Last Thing

  3. Hello … I am the iPhone and I don’t need an introduction! 45 million units will be sold this year!

  4. OS and System Architecture
     • ARM Processor
       • Contrast with x86
     • Hardware
       • Various sensors
         • Accelerometer
         • Proximity Sensor
       • Multi-touch Capable Screen
       • Various Radios
     • User Interface Frameworks
     • Leopard or Tiger (iPhone Version)
     • Kernel (Signed Kernel)
       • Used to prevent tampering

  5. iPhone Core Components

  6. Let’s Dive into iPhone Forensics
     • Facts about iPhone (Forensically Speaking)
       • It is extremely difficult to permanently delete data from an iPhone
         • Secure wipe has been installed in recent versions
       • iTunes "restore" process formats the device
         • In actuality, even this leaves a majority of the old data intact—just not directly visible
       • A refurbished iPhone may contain last owner’s information

  7. Evidence Left Behind
     • Keyboard caches
       • Usernames, passwords, search terms, and historical fragments of typed communication
       • Even when deleted
     • Deleted images
     • Browsing cache and deleted browser objects
     • Exhaustive call history, beyond that displayed, is generally available

  8. Evidence Left Behind (… cont)
     • Map tile images from the iPhone's Google Maps
     • Application direction lookups and GPS coordinates
     • Deleted voicemail recordings
     • Pairing records establishing trusted relationships

  9. Forensic Software Tools Needed to do the Job
     • Commercial Tools
       • Device Seizure 2.0 (Paraben)
       • Aceso (Radio Tactics Ltd)
       • Sixth Legion (WOLF)
     • Open Source Tools
       • iLiberty (iPhone v.1.x)
       • Pwnage (iPhone v.2.x)

  10. Dissecting One Forensic Tool
     • iLiberty
       • A basic Unix world
         • OpenSSH, a secure shell
         • The netcat tool, for sending data across a network
         • The md5 tool, for creating a cryptographic digest of the disk image
         • The dd disk copy/image tool
     • Is it really a forensic tool if you write to the HD?
       • Other tools may provide a similar solution
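As an added illustration of the slide-10 tool chain (dd, md5, netcat), written for this page rather than taken from the presentation or from iLiberty: the device-to-desktop netcat hop is stood in for by a local pipe and the raw partition by a constructed sample file, both assumptions of the demo. The point it shows is that the digest is taken from the same byte stream that produces the image, so a transfer cut short is caught at verification time.

```shell
#!/bin/sh
# Added example, not from the presentation or from iLiberty: the dd -> netcat -> md5
# acquisition chain of slide 10, with the network hop replaced by a local pipe and the
# iPhone partition replaced by a constructed sample file (assumptions for the demo).

# digest: md5 of stdin, using md5sum (GNU) or md5 -q (BSD/macOS), whichever exists.
digest() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum | cut -d' ' -f1
    else
        md5 -q
    fi
}

# make_sample_device FILE: constructed stand-in for the raw partition being imaged.
make_sample_device() {
    seq 1 20000 > "$1"
}

# acquire_image SRC IMG: raw copy with dd. The digest is computed from the same byte
# stream that feeds the image (where "nc" would sit in the real chain), so the
# recorded hash describes what was read from the source, not what landed on disk.
acquire_image() {
    dd if="$1" bs=4096 2>/dev/null | tee "$2" | digest > "$2.md5"
}

# verify_image IMG: recompute the image digest and compare with the recorded one.
# A transfer cut short, or any later modification, shows up as a mismatch.
verify_image() {
    recorded=$(cat "$1.md5")
    actual=$(digest < "$1")
    [ -n "$recorded" ] && [ "$recorded" = "$actual" ]
}

# Demo on constructed data in a scratch directory.
work=$(mktemp -d)
make_sample_device "$work/partition"
acquire_image "$work/partition" "$work/partition.img"
if verify_image "$work/partition.img"; then
    echo "image digest verified: $(cat "$work/partition.img.md5")"
else
    echo "image digest MISMATCH"
fi
rm -rf "$work"
```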

  11. Basic Things to Understand
     • Apple File Communication Protocol (AFC)
       • Uses a framework (MobileDevice) to allow iTunes to write to the Media (jailed) Partition
       • iTunes can read info from device but not raw data
     • AFC is used to boot a RAM disk containing the forensic payload into the iPhone’s running memory
       • After rebooting, it installs UNIX tools (ssh, dd, … etc)

  12. Basic Things to Understand
     • Where Things are Written and Where can You Write
       • Think UNIX
       • There is a System Partition (root)
         • 300 MB
         • Read only
         • Intended to remain in factory state
         • This is where the Forensic Tool will be installed
       • Media Partition
         • The rest of the disk
         • Mounted as /private/var
         • Contains all user information
         • Writing to it = Contamination

  13. Basic Things to Understand
     • Avoid cross contamination
       • iPhone will Sync if not prevented
       • You must prevent this before connecting the phone to the desktop
     • As of today, there is no iPhone write blocker

  14. iPhone with Payload Injected (screenshot; labels: UNIX Commands, root directory)

  15. One Last Thing
     • Because of Apple’s IP
       • Apple has made it difficult for developers to make Forensic Tools work as well as their desktop counterparts
       • Aforementioned tools not able to get a true physical HD image
         • iLiberty is the exception, but not considered forensic
       • Hacking the System Partition violates Apple’s IP
     • There is no way at this point in time to get a perfect image from the user partition
     • Things may change once the new iPhone is released in June
       • Not necessarily a change for the better

  16. Questions?
