
HOWTO - iPhone Forensics with free and/or open source tools - 9-14-11

This presentation was delivered in September 2011 at the High Technology Crime Investigation Association (HTCIA) Annual conference

The slides are reproduced below. A PDF version is available for download to registered users of the site.


iPhone Forensics with F/OSS
A HOWTO for iPhone Forensics with free and/or open source tools

Qualifications

Presentation Goals

iPhone Forensics with F/OSS tools
• Commercial tools exist, but there are a growing number of F/OSS tools
• A Mac (OS X) or Linux workstation is used for many of these programs
• Focus on step-by-step examples

iPhone Backup Analyzer
Open source (MIT) iPhone backup analyzer by Mario Picci (
• Decodes files, presents them in a hierarchical view, has some search and conversion features
• Plist files are shown (binary plist files are automatically converted to ASCII format)
• Image files are shown
• SQLite files are shown with the list of the tables they contain. Clicking a table in the list dumps the selected table's content in the main UI
• Unknown data files are shown as hex/ASCII data

iTunes Backup Directories
Mac OS X: ~/Library/Application Support/MobileSync/Backup/
Windows XP: \Documents and Settings\(username)\Application Data\Apple Computer\MobileSync\Backup\
Windows Vista, Windows 7: \Users\(username)\AppData\Roaming\Apple Computer\MobileSync\Backup\
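As an added illustration of what the backup analyzer does with the files in one of those backup directories (example code written for this page, not the analyzer's own source): classify a file by its magic bytes, convert a binary plist to its ASCII/XML form, list an SQLite file's tables read-only, and fall back to hex for unknown data. The sample files are constructed in a temporary directory; the names `Info.plist`, `sms.db` and `unknown.bin` are assumptions.

```python
import os
import plistlib
import sqlite3
import tempfile

def classify(data):
    """Return the file kind by its magic bytes, or 'unknown'."""
    for magic, kind in ((b"bplist00", "binary plist"), (b"SQLite format 3\x00", "sqlite"),
                        (b"\xff\xd8\xff", "jpeg"), (b"\x89PNG\r\n\x1a\n", "png")):
        if data.startswith(magic):
            return kind
    return "unknown"

def bplist_to_xml(data):
    """Convert a binary plist to the ASCII/XML plist form the analyzer shows."""
    return plistlib.dumps(plistlib.loads(data), fmt=plistlib.FMT_XML).decode()

def sqlite_tables(path):
    """List the tables of an SQLite file, opened read-only (no writes to evidence)."""
    with sqlite3.connect(f"file:{path}?mode=ro", uri=True) as con:
        rows = con.execute("SELECT name FROM sqlite_master "
                           "WHERE type='table' ORDER BY name").fetchall()
    con.close()  # the context manager only commits/rolls back, it does not close
    return [r[0] for r in rows]

def describe(path):
    """Classify one backup file and decode it the way the analyzer would."""
    with open(path, "rb") as f:
        data = f.read()
    kind = classify(data)
    if kind == "binary plist":
        return {"kind": kind, "xml": bplist_to_xml(data)}
    if kind == "sqlite":
        return {"kind": kind, "tables": sqlite_tables(path)}
    # anything else is shown as hex/ASCII; here just the leading bytes as hex
    return {"kind": kind, "hex": data[:16].hex(" ")}

def demo():
    """Write three constructed sample files (not from a real backup) and describe them."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "Info.plist"), "wb") as f:
        f.write(plistlib.dumps({"Product Version": "3.1.3"}, fmt=plistlib.FMT_BINARY))
    con = sqlite3.connect(os.path.join(d, "sms.db"))
    con.executescript("CREATE TABLE message (ROWID INTEGER PRIMARY KEY, text TEXT);"
                      "CREATE TABLE msg_group (ROWID INTEGER PRIMARY KEY);")
    con.close()
    with open(os.path.join(d, "unknown.bin"), "wb") as f:
        f.write(b"\x00\x01\x02Trace File\xff")
    return {n: describe(os.path.join(d, n)) for n in ("Info.plist", "sms.db", "unknown.bin")}
```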
Linux Install
On Ubuntu Workstation:
$ sudo apt-get update
$ sudo apt-get install python-tk python-imaging python-imaging-tk git
Install pyttk:
– Download:
– Extract: tar xzvf pyttk-0.3.2.tar.gz
– cd pyttk-0.3.2/
– Install: sudo python install
Clone the analyzer and run it against a backup directory:
$ git clone git://
$ cd iPhone-Backup-Analyzer/
$ ./ -d ~/Desktop/8737684969e72eccf5ff0cafed21b15ec1cb6d4d/
Zdziarski's iOS forensic tools
Free for qualified law enforcement and government agencies
• Based on F/OSS software and research (Cyanide, etc.)
• Physical acquisition
• Logical acquisition
• PIN bypass
• Decrypts the encrypted files / slice
  – iOS 3.x: fully decrypts the slice, gets unallocated space
  – iOS 4.x: decrypts files, not unallocated space (mostly)
• Decrypts the keychain
• Working on recovering deleted keys

with F/OSS
• @0naj iphone-dataprotection tools (Python and C)
  – Brute force PIN code on device
  – Recover device encryption keys
  – Decrypt the keychain and all data-protection encrypted files
  – Scrape the HFS journal for deleted content
  – Decrypt the entire raw disk
  – Included with Jonathan Zdziarski's toolset, or available separately to developers:
Mount the dmg image read-only (Linux)
• Determine the file system offset in the dd image:
• Mount the HFS partition read-only:
• Make sure the file system was mounted
• Can check disk usage
The Sleuth Kit (TSK)
• The Sleuth Kit by Brian Carrier
  – Brian authored the excellent book File System Forensic Analysis (FSFA)
  – Actively maintained, just released 3.2.2 (06/13/2011)
  – Supports NTFS, FAT, UFS 1, UFS 2, EXT2FS, EXT3FS, and ISO 9660
• Install:
• Programs to start with:
  – mmls – Media Management ls, generally partition info:
  – fsstat – File system info
  – fls – Forensic list
• fls
  – Powerful utility which can list allocated and deleted files
  – Provides the offset so recovery is possible
  – Builds a MACB body file for timeline analysis
$ fls -z CST6CDT -s 0 -m '/' -f hfs -r -i raw iPhone-3g-313.dmg > ~/iPhone-timeline.body

mactime – human friendly
$ mactime -b ~/iPhone-timeline.body -z CST6CDT -d > ~/iPhone-timeline.csv
  – Takes the body file and turns it into CSV or another format
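As an added example (written for this page, not TSK code) of what mactime does with the body file that the fls command above produces: parse the pipe-separated body format, expand each file into one event per distinct timestamp with the m/a/c/b flags set, sort by time, and render mactime's CSV columns. The body lines are constructed, not taken from a real image; `tz` defaults to UTC where `-z CST6CDT` would apply the local zone.

```python
import csv
import io
from datetime import datetime, timezone

# Columns of the TSK 3.x body file that `fls -m` writes.
FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size",
          "atime", "mtime", "ctime", "crtime")

# Constructed sample body file (not from a real image); fls marks deleted files with "(deleted)".
SAMPLE_BODY = """\
0|/private/var/mobile/Library/SMS/sms.db|1234|r/rrw-r--r--|501|501|204800|1310000000|1309990000|1309990000|1300000000
0|/private/var/mobile/Library/CallHistory/call_history.db|1235|r/rrw-r--r--|501|501|40960|1310000000|1310000000|1310000000|1300000000
0|/private/var/mobile/Media/DCIM/100APPLE/IMG_0001.JPG (deleted)|9001|-/rrw-r--r--|501|501|1048576|1305000000|1305000000|1305000000|1305000000
"""

def parse_body(text):
    """Parse body-file lines into dicts; reject lines with the wrong field count."""
    rows = []
    for line in filter(None, text.splitlines()):
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError(f"malformed body line: {line!r}")
        rows.append(dict(zip(FIELDS, parts)))
    return rows

def timeline(rows, tz=timezone.utc):
    """Expand rows into time-sorted events with MACB flags (m=mtime, a=atime, c=ctime, b=crtime)."""
    events = []
    for r in rows:
        by_time = {}  # equal timestamps of one file merge into a single event, as mactime does
        for flag, key in zip("macb", ("mtime", "atime", "ctime", "crtime")):
            t = int(r[key])
            if t:  # a zero timestamp means "not set" and is skipped
                by_time.setdefault(t, set()).add(flag)
        for t, flags in by_time.items():
            macb = "".join(f if f in flags else "." for f in "macb")
            when = datetime.fromtimestamp(t, tz).strftime("%a %b %d %Y %H:%M:%S")
            events.append((t, when, int(r["size"]), macb, r["mode"],
                           r["uid"], r["gid"], r["inode"], r["name"]))
    events.sort(key=lambda e: (e[0], e[-1]))
    return [e[1:] for e in events]

def to_csv(events):
    """Render events in mactime's CSV column order."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["Date", "Size", "Type", "Mode", "UID", "GID", "Meta", "File Name"])
    w.writerows(events)
    return buf.getvalue()
```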
log2timeline
• Kristinn Gudjonsson developed this software
  – Written in Perl (trying to convince him to move to Python)
  – Extracts timeline artifacts from many file types including
    • Evt/evtx, registry, $MFT, prefetch, browser history, etc. (46 and climbing)
  – 10+ export formats
• Install log2timeline on Ubuntu 10.10 (lucid)
  – sudo add-apt-repository "deb lucid main"
  – wget -q -O- | sudo apt-key add -
  – sudo apt-get update
  – sudo apt-get install log2timeline-perl
• Run timescanner against the mounted file system:
$ sudo timescanner -d /home/analyst/mnt/hfs/ -z CST6CDT -w ~/iPhone-log2timeline.csv
  – 218 artifacts (either files or directories).
  – Run time of the script: 24 seconds.
• If you output in body format, you can combine it with TSK's fls output and generate a full timeline of file system and file metadata (sometimes referred to as a "Super Timeline")
Scalpel
• Download scalpel src at:
• wget
• Compile:
  – tar xzvf scalpel-2.0.tar.gz
  – cd scalpel-2.0/
  – sudo apt-get install libtre-dev libtre5
  – ./configure; make
  – sudo cp scalpel /usr/local/bin
• Run scalpel:
$ scalpel -c ~/scalpel.conf iPhone-3g-313.dmg
• Examine the data in the "scalpel-output" directory

Sample scalpel.conf
xxd
• Usage:
$ xxd iPhone-3g-313.dmg | less
• To auto-skip runs of 0's:
$ xxd -a iPhone-3g-313.dmg | less

Hex editor
• Usage:
$ hexedit iPhone-3g-313.dmg
• Once in the hex editor:
  – "/" = search for a hex/ASCII string (in hexedit use Tab to switch between ASCII and hex searches)
  – q = exit hex editor
  – h = help
• Can quickly locate potential evidence
• Other tools also available (hexeditor and many others)
Grep Command
• Searches through a file (or many files/folders) for specified keyword(s)
• Grep is case sensitive by default:
$ grep amr iPhone-3g-313.dmg
• To do a case-insensitive search (more time consuming):
$ grep -i AmR iPhone-3g-313.dmg
• Can search for a phrase in quotes:
$ grep "Trace File" iPhone-3g-313.dmg
$ grep -a "Trace File" iPhone-3g-313.dmg
$ grep -a -A 1 -B 1 "Trace File" iPhone-3g-313.dmg
• -a treats the binary image as text so the matching line is printed instead of "Binary file matches"; -A 1 and -B 1 add one line of context after and before the match

Grep Command (continued)
• Can also be used to search through many files
• Grep through all files in a user's home directory for "viaF":
$ grep -R 312493
Binary file scalpel-output/sqlitedb-9-0/00001.db matches
Binary file scalpel-output/sqlitedb-9-0/00017.db matches
• Find all SMS database files from the iPhone (after scalpel):
$ grep -R svc_center sqlite
"Strings" Command
• Strings is a powerful utility to extract ASCII or Unicode strings from binary data
• Can be run against a file or a full disk image:
$ strings iPhone-3g-313.dmg > iPhone.str
$ strings iPhone-3g-313.dmg | less
• Can also search for Unicode:
$ strings -e b iPhone-3g-313.dmg | less

"Strings" does more than ASCII
• Strings is designed to extract ASCII and Unicode
  – 7-bit ASCII, 8-bit ASCII
  – 16-bit big-endian and little-endian
  – 32-bit big-endian and little-endian
• From the strings manual page:
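An added example (written for this page, not the GNU strings source) of the encodings listed above and of why the default 7-bit scan misses 16-bit text: byte patterns for 7-bit, 8-bit, 16-bit and 32-bit LE/BE runs, keyed by the `-e` letters, run over a constructed fragment that holds an ASCII marker, `svc_center` as UTF-16-LE and a UTF-16-BE string.

```python
import re

# Byte patterns for printable runs in the encodings `strings -e` knows
# (constructed for this example). Keys follow the -e letters:
# s=7-bit, S=8-bit, l/b=16-bit LE/BE, L/B=32-bit LE/BE.
def _patterns(min_len):
    p = rb"[\x20-\x7e]"                     # one printable ASCII byte
    return {
        "s": (re.compile(p + rb"{%d,}" % min_len), "ascii"),
        "S": (re.compile(rb"[\x20-\x7e\x80-\xff]{%d,}" % min_len), "latin-1"),
        "l": (re.compile(rb"(?:" + p + rb"\x00){%d,}" % min_len), "utf-16-le"),
        "b": (re.compile(rb"(?:\x00" + p + rb"){%d,}" % min_len), "utf-16-be"),
        "L": (re.compile(rb"(?:" + p + rb"\x00\x00\x00){%d,}" % min_len), "utf-32-le"),
        "B": (re.compile(rb"(?:\x00\x00\x00" + p + rb"){%d,}" % min_len), "utf-32-be"),
    }

def extract_strings(data, encoding="s", min_len=4):
    """Return (offset, text) pairs, like `strings -t x -e <encoding>`."""
    pattern, codec = _patterns(min_len)[encoding]
    return [(m.start(), m.group().decode(codec)) for m in pattern.finditer(data)]

# Constructed sample fragment (not real iPhone data): an ASCII marker, the SMS
# column name svc_center as UTF-16-LE, a UTF-16-BE string, and some noise bytes.
SAMPLE = (b"\x00\x01\x02Trace File\x00\xff\xfe"
          + "svc_center".encode("utf-16-le") + b"\x00\x00\x7f"
          + "Oak Park".encode("utf-16-be") + b"\x03\x04")

def strings_report(data, min_len=4):
    """Run every encoding over the data; shows what the default ASCII scan misses."""
    return {enc: [t for _, t in extract_strings(data, enc, min_len)]
            for enc in "sSlbLB"}
```

A 16-bit string also matches the opposite-endian pattern shifted by one byte and missing a character (vc_center and Oak Par in this sample), an ambiguity inherent to any byte-oriented scan, so review both the -e l and -e b output before concluding a string is absent.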
Decrypting data – step 1
• Scenario: imaged iPhone and an application has encrypted data which you need to view.
• Our solution (but other approaches may work):
• Noted app data was encrypted
• Analyzed the symbol table for the app, saw entries such as:
  00091033 t -[NSData(AESAdditions) AES256DecryptWithKey:]
  00092015 t -[NSData(AESAdditions) AES256EncryptWithKey:]
  0009aA07e t -[NSData(AESAdditions) keyBytes:]
  00034261 t +[NSData(Base64) dataFromBase64String:]
  00034410 t -[NSData(Base64) base64EncodedString]
• Determined the app stored its key in the Keychain, so cracked the keychain and found an entry with a Base64-encoded key
• Decoded the Base64 key
• Wrote a quick program that called the app's "AES256DecryptWithKey" API with the encrypted file and the decoded AES key to access the data

F/OSS tools used:
• Zdziarski's techniques to physically image the device and crack the keychain
• Strings to determine the encryption technique
• Xcode from Apple to write the decrypt program

Andrew Hoog
Chief Investigative Officer
Main Office:
1000 Lake St, Suite 203
Oak Park, IL 60301
Tel: 312-878-1100 | Fax: 312-268-7281