HOWTO – iPhone Forensics with free and-or open source tools – 9-14-11 – viaForensics « viaForensics
### iPhone Forensics with F/OSS
A HOWTO for iPhone Forensics with free and/or open source tools

### Qualifications

### Presentation Goals
iPhone Forensics with F/OSS tools
• Commercial tools exist, but there are a growing number of F/OSS tools
• A Mac (OS X) or Linux workstation is used for many of these programs
• Focus on step-by-step examples

### iPhone Backup Analyzer
Open source (MIT) iPhone backup analyzer by Mario Picci (http://ipbackupanalyzer.com/)
• Decodes files, presents them in a hierarchical view, has some search and conversion functions
• Plist files are shown (binary plist files are automatically converted to ASCII format)
• Image files are shown
• SQLite files are shown with the list of the tables they contain; clicking a table in the list dumps that table's content in the main UI
• Unknown data files are shown as hex/ASCII data

### iTunes Backup Directories
Mac OS X: ~/Library/Application Support/MobileSync/Backup/
Windows XP: \Documents and Settings\(username)\Application Data\Apple Computer\MobileSync\Backup\
Windows Vista, Windows 7: \Users\(username)\AppData\Roaming\Apple Computer\MobileSync\Backup\

### Linux Install (on an Ubuntu workstation)
sudo apt-get update
sudo apt-get install python-tk python-imaging python-imaging-tk git
Install pyttk:
– Download: http://pypi.python.org/pypi/pyttk/
– Extract: tar xzvf pyttk-0.3.2.tar.gz
– cd pyttk-0.3.2/
– Install: sudo python setup.py install
git clone git://github.com/PicciMario/iPhone-Backup-Analyzer
cd iPhone-Backup-Analyzer/
./main.py -d ~/Desktop/8737684969e72eccf5ff0cafed21b15ec1cb6d4d/

### Zdziarski's iOS forensic tools
Free for qualified law enforcement and government agencies
• Based on F/OSS software and research (Cyanide, etc.)
• Physical acquisition
• Logical acquisition
• PIN bypass
• Decrypts the encrypted files / slice
  – iOS 3.x: fully decrypts the slice, gets unallocated space
  – iOS 4.x: decrypts files, not unallocated space (mostly)
• Decrypts the Keychain
• Working on recovering deleted keys with F/OSS
• @0naj
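As an added example of the per-file triage the backup analyzer slide describes (classify by header, convert a binary plist to ASCII/XML, list a SQLite file's tables, hex/ASCII dump anything unknown), here is a small Python implementation; it is not the analyzer's own code, and the sample backup entries it inspects are constructed in a temp directory rather than taken from a device.

```python
import os, plistlib, sqlite3, tempfile

# File signatures used to classify a backup file (constructed here from the
# public format magics; the analyzer's own detection code may differ).
SIGNATURES = [(b"bplist00", "bplist"), (b"SQLite format 3\x00", "sqlite"),
              (b"\xff\xd8\xff", "image"), (b"\x89PNG\r\n\x1a\n", "image")]

def classify(path):
    """Return 'bplist', 'sqlite', 'image' or 'unknown' from the file header."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    return next((kind for magic, kind in SIGNATURES if head.startswith(magic)), "unknown")

def bplist_to_xml(path):
    """Binary plist -> XML plist text (the analyzer's automatic conversion)."""
    with open(path, "rb") as fh:
        data = plistlib.load(fh)  # plistlib autodetects binary vs XML
    return plistlib.dumps(data, fmt=plistlib.FMT_XML).decode()

def sqlite_tables(path):
    """Names of the tables in a SQLite file (what the analyzer lists per .db)."""
    with sqlite3.connect(path) as con:
        rows = con.execute("SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")
        return [r[0] for r in rows]

def hexdump(path, width=16, limit=64):
    """Hex/ASCII view of the first `limit` bytes, for unknown file types."""
    with open(path, "rb") as fh:
        data = fh.read(limit)
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3}} {asc}")
    return "\n".join(lines)

def make_samples(directory=None):
    """Constructed sample files standing in for backup entries (not from a real
    device): a binary plist, a SQLite DB with sms-style tables, an opaque blob."""
    directory = directory or tempfile.mkdtemp()
    paths = {k: os.path.join(directory, k) for k in ("plist", "db", "blob")}
    with open(paths["plist"], "wb") as fh:
        plistlib.dump({"DeviceName": "test-iphone", "Count": 2}, fh, fmt=plistlib.FMT_BINARY)
    with sqlite3.connect(paths["db"]) as con:
        con.execute("CREATE TABLE message (ROWID INTEGER PRIMARY KEY, text TEXT)")
        con.execute("CREATE TABLE svc_center (id INTEGER)")
    with open(paths["blob"], "wb") as fh:
        fh.write(b"\x00\x01\x02binary?\xff" * 4)
    return paths
```

Point `classify`, `bplist_to_xml` and `sqlite_tables` at the hashed file names in a MobileSync backup directory to reproduce the analyzer's view without the GUI.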
### iphone-dataprotection tools (Python and C)
– Brute force the PIN code on the device
– Recover device encryption keys
– Decrypt the keychain and all data-protection encrypted files
– Scrape the HFS journal for deleted content
– Decrypt the entire raw disk
– Included with Jonathan Zdziarski's toolset, or available separately to developers:
  • http://code.google.com/p/iphone-dataprotection/

### Mount the dmg image read-only (Linux)
• Determine the file system offset in the dd image:
• Mount the HFS partition read-only:
• Make sure the file system was mounted
• Can check disk usage

### The Sleuth Kit by Brian Carrier
– Brian is the author of the excellent book File System Forensic Analysis (FSFA)
– Actively maintained; just released 3.2.2 (06/13/2011)
– Supports NTFS, FAT, UFS 1, UFS 2, EXT2FS, EXT3FS, and ISO 9660
• Install:
• Programs to start with:
  – mmls – Media Management ls, generally partition info:
  – fsstat – File system info
  – fls – Forensic list
    – Powerful utility which can list allocated/deleted files
    – Provides the offset so recovery is possible
    – Builds MACB for timeline analysis
    – analyst@ubuntu:/mnt/hgfs/Desktop$ fls -z CST6CDT -s 0 -m '/' -f hfs -r -i raw iPhone-3g-313.dmg > ~/iPhone-timeline.body
  – mactime – human friendly
    • analyst@ubuntu:/mnt/hgfs/Desktop$ mactime -b ~/iPhone-timeline.body -z CST6CDT -d > ~/iPhone-timeline.csv
    – Takes the body file and turns it into CSV or another format

### Log2timeline
• Kristinn Gudjonsson developed this software
  – Written in Perl (trying to convince him to move to Python)
  – Extracts timeline artifacts from many file types, including
    • Evt/evtx, registry, $MFT, prefetch, browser history, etc. (46 and climbing)
  – 10+ export formats
  – http://log2timeline.net/
• Install log2timeline on Ubuntu 10.10 (lucid)
  – sudo add-apt-repository "deb http://log2timeline.net/pub/ lucid main"
  – wget -q http://log2timeline.net/gpg.asc -O- | sudo apt-key add -
  – sudo apt-get update
  – sudo apt-get install log2timeline-perl

### Log2timeline
• sudo timescanner -d /home/analyst/mnt/hfs/ -z CST6CDT -w ~/iPhone-log2timeline.csv
  – 218 artifacts (either files or directories).
  – Run time of the script: 24 seconds.
• If you output in body format, you can combine it with TSK's fls output and generate a full timeline of file system and file metadata (sometimes referred to as a "Super Timeline")

### Scalpel
• Download the scalpel source:
  wget http://www.digitalforensicssolutions.com/Scalpel/scalpel-2.0.tar.gz
• Compile
  – tar xzvf scalpel-2.0.tar.gz
  – cd scalpel-2.0/
  – sudo apt-get install libtre-dev libtre5
  – ./configure; make
  – sudo cp scalpel /usr/local/bin
• Run scalpel
  $ scalpel -c ~/scalpel.conf iPhone-3g-313.dmg
• Examine the data in the "scalpel-output" directory

### Sample scalpel.conf

### Hex viewer
• Usage: $ xxd iPhone-3g-313.dmg | less
• To auto-skip 0's: $ xxd -a iPhone-3g-313.dmg | less

### Hex editor
• Usage: $ hexedit iPhone-3g-313.dmg
• Once in the hex editor:
  – "/" = search for a hex/ASCII string (in "hexedit" use Tab to switch between ASCII and hex searches)
  – q = exit the hex editor
  – h = help
• Can quickly locate potential evidence
• Other tools are also available (hexeditor and many others)

### Grep Command
• Searches through a file (or many files/folders) for specified keyword(s)
• Grep is case sensitive by default
  $ grep amr iPhone-3g-313.dmg
• To do a case-insensitive search (more time consuming):
  $ grep -i AmR iPhone-3g-313.dmg
• Can search for a phrase in quotes
  $ grep "Trace File" iPhone-3g-313.dmg
  $ grep -a "Trace File" iPhone-3g-313.dmg
  $ grep -a -A 1 -B 1 "Trace File" iPhone-3g-313.dmg

### Grep Command (continued)
• Can also be used to search through many files
• Grep through all files in a user's home directory for "viaF":
  analyst@ubuntu:~$ grep -R 312493 *
  Binary file scalpel-output/sqlitedb-9-0/00001.db matches
  Binary file scalpel-output/sqlitedb-9-0/00017.db matches
• Find all SMS database files from the iPhone (after scalpel):
  analyst@ubuntu:~$ grep -R svc_center sqlite*

### "Strings" Command
• Strings is a powerful utility to extract ASCII or Unicode strings from binary data
• Can be run against a file or a full disk image
  $ strings iPhone-3g-313.dmg > iPhone.str
  $ strings iPhone-3g-313.dmg | less
• Can also search for Unicode
  $ strings -e b iPhone-3g-313.dmg | less

### "Strings" does more than ASCII
• Strings is designed to extract ASCII and Unicode
  – 7-bit ASCII, 8-bit ASCII
  – 16-bit big-endian and little-endian
  – 32-bit big-endian and little-endian
• From the strings manual page:

### Decrypting data – step 1
• Scenario: imaged iPhone, and an application has encrypted data which you need to view.
• Our solution (but other approaches may work)
• Noted that the app data was encrypted
• Analyzed the symbol table for the app, saw entries such as:
  • 00091033 t -[NSData(AESAdditions) AES256DecryptWithKey:]
  • 00092015 t -[NSData(AESAdditions) AES256EncryptWithKey:]
  • 0009aA07e t -[NSData(AESAdditions) keyBytes:]
  • 00034261 t +[NSData(Base64) dataFromBase64String:]
  • 00034410 t -[NSData(Base64) base64EncodedString]
• Determined the app stored the key in the Keychain, so cracked the keychain and found an entry with a Base64-encoded key
• Decoded the Base64 key
• Wrote a quick program that used the "AES256DecryptWithKey" API with the encrypted file and the decoded AES encryption key to access the data
• F/OSS tools used:
  • Zdziarski's techniques to physically image the device and crack the keychain
  • strings to determine the encryption technique
  • Xcode from Apple to write the decrypt program

Andrew Hoog
Chief Investigative Officer
ahoog@viaforensics.com
http://viaforensics.com
Main Office: 1000 Lake St, Suite 203, Oak Park, IL 60301
Tel: 312-878-1100 | Fax: 312-268-7281
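As an added example of the "Super Timeline" step (TSK fls body output combined with log2timeline body output, then rendered the way mactime -d does), here is a Python merger that is not TSK, log2timeline or viaForensics code. It assumes the TSK 3.x body layout `MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime`, uses constructed body lines rather than records from the talk's iPhone image, and stands in for `-z CST6CDT` with a fixed UTC-6 offset (real mactime also applies DST).

```python
import csv, io
from datetime import datetime, timedelta, timezone

# TSK 3.x body-file layout produced by `fls -m` and by log2timeline's body
# output, so both sources can be merged into one "super timeline".
BODY_FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size",
               "atime", "mtime", "ctime", "crtime")
TIME_FLAGS = (("mtime", "m"), ("atime", "a"), ("ctime", "c"), ("crtime", "b"))
CST = timezone(timedelta(hours=-6), "CST")  # fixed offset; mactime -z CST6CDT also applies DST

# Constructed sample body lines (not from the iPhone image in the talk).
FLS_BODY = """0|/private/var/mobile/Library/SMS/sms.db|1034|r/rrw-r--r--|501|501|28672|1315925400|1315921800|1315921800|1300000000
0|/private/var/mobile/Library/SMS/sms.db-wal (deleted)|0|r/rrw-r--r--|501|501|0|1315921800|1315921800|1315921800|1315921800"""
L2T_BODY = "0|[SQLite/sms] text message to +15555550123|0|0|0|0|0|1315921800|1315921800|1315921800|1315921800"

def parse_body(text):
    """One dict per well-formed body line; malformed lines are skipped, not guessed."""
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) == len(BODY_FIELDS):
            yield dict(zip(BODY_FIELDS, parts))

def build_timeline(sources):
    """Merge records from several body sources into (epoch, row) pairs sorted by
    time: one row per distinct timestamp per entry, with mactime's MACB flags."""
    rows = []
    for text in sources:
        for rec in parse_body(text):
            by_ts = {}
            for field, flag in TIME_FLAGS:
                ts = int(rec[field])
                if ts > 0:  # mactime drops zero (unset) timestamps
                    by_ts.setdefault(ts, set()).add(flag)
            for ts, flags in by_ts.items():
                macb = "".join(f if f in flags else "." for f in "macb")
                rows.append((ts, [rec["size"], macb, rec["mode"], rec["uid"],
                                  rec["gid"], rec["inode"], rec["name"]]))
    return sorted(rows, key=lambda r: (r[0], r[1][-1]))

def timeline_csv(sources, tz=CST):
    """Render the merged timeline as CSV with mactime -d style columns."""
    out = io.StringIO()
    w = csv.writer(out)
    w.writerow(["Date", "Size", "Type", "Mode", "UID", "GID", "Meta", "File Name"])
    for ts, row in build_timeline(sources):
        w.writerow([datetime.fromtimestamp(ts, tz).strftime("%a %b %d %Y %H:%M:%S")] + row)
    return out.getvalue()
```

Feed it the real `~/iPhone-timeline.body` and a log2timeline run written with body output to get one CSV in which the SMS database's deleted WAL file and the messages log2timeline parsed out of it sit next to each other by time.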
Source: <https://www.nowsecure.com/blog/2011/10/20/howto-iphone-forensics-free-andor-open-source-tools-91411/>
Direct download:
viaForensics-iPhone-Forensics-with-FOSS.pdf