NorthSec 2013 - iOS Forensics track
Track Write-up by original track author: François Proulx (francois (d0t) proulx (at-sign) gmail (d0t) com)
Files provided for the track
- An unmarked
*.tar.bz2file found on a random machine
- Full archive available for download here: http://bit.ly/11lxTsD
- Compressed archive contents:
CASE_GHB-2345453763-2239982_data_20130330-1458.dmg(> 500 MB)
- Some of these files are attached to this article, for the rest, you'll have to download the full archive
CASE_GHB-2345453763-2239982file provides all the tracks instructions
CASE_GHB-2345453763-2239982_data_20130330-1458.dmgis a full forensics dump of an iPhone 4 device (as described in the track instructions)
Tools required for the track
- A modern (OS X 10.7 and up) Mac computer comes bundled with all the tools
- On a PC running Windows or Linux:
- Cygwin (for Windows) to add the essential
find, etc. tools
- Scripting language (Python, Ruby, Perl, etc.)
- sqlite3 command-line tool and/or a SQLite compatible GUI client
- (on a Mac) plutil
- (on Linux or Window) libplist (available via apt-get, yum, etc)
- Optional tools (for the final iPhone App flag)
- Cygwin (for Windows) to add the essential
Where to find the flags
As is the case in all forensics investigation, there is rarely a single way to obtain a piece of data. Oftentimes, a forensics dump will contain numerous copies of the data (sometimes in different formats). Thus, the procedure describe below may not be the one you would've followed, nor is necessarly the fastest, easiest. Having the right set of tools and a creative mind will generally lead to good results.
Below, I will give you the flag and a list of files where you could have found it. As you do more and more forensics, you'll develop a sense to cut the crap and go straight to the good stuff... Everytime there is a new technique to extract the piece of data, I will take more time to show you how to use each tool.
- Mount the compressed DMG archive. On a Mac this is trivial, but it might take you more time on another system
- Carefully read the instructions (there are a few hints to help you)
- The mounted filesystem is found under /Volumes/Data (on a Mac)
- Start by exploring the mounted filesystem to give you an idea of its structure and a general understanding of where some of the files you are looking or might be hidden
- You will most likely pop a shell at some point and use other tools (like
- A good understanding of the user facing (with the GUI) of the system (in this case iOS) can be very useful
- Keep in mind that where data is stored often changes between version of the OS (in this case we are looking at iOS 6.1)
As you learn each tool, you'll probably want to setup some aliases to get your job done faster.
Here are some aliases, you might like:
alias plxml='plutil -convert xml1 -o -'
alias sqldump='echo ".dump" | sqlite3'
1. What is Raymond's cellphone number (international format) ?
- Flag: 15149676544
- Pro tip: RTFM
grepman page there are some goodies... Learn what
grep -Uslri "514.*967.*6544" .
- The Phone number could be found in:
- Probably the most reliable and trustworthy way to get the phone number associated with the phone (the one currently provisioning by the SIM card) is through commcenter (note the use of plutil to convert a binary PList file to XML)
plutil -convert xml1 -o - ./wireless/Library/Preferences/com.apple.commcenter.plist
- Here is a way to extract the phone number from the Address Book database (note the use of sqlite3 and the ".dump" command)
sqlite3 ./mobile/Library/AddressBook/AddressBook.sqlitedb .dump | grep Raymond | grep 514
- Here is another way to extract from the FaceTime settings
plutil -convert xml1 -o - ./mobile/Library/Preferences/com.apple.imservice.FaceTime.plist | grep 514
2. What is Raymond's GMail account and its password (e-mail/password) ?
- Flag: email@example.com/7JZ+GCIMx9yjPlRB
- You could probably start by grepping "@gmail.com" to get a list of interesting file. Also many people have their name in their email address, so you could include raymond's name...
grep -Uslri "raymond.*@gmail\.com" .
- Since Raymond uses his gmail.com account as his Apple ID as well, this will give you way more results than you'd like...
- Once you've confirmed that his address is firstname.lastname@example.org, you can proceed with the extraction of his password
- As a forensics expert, you should know that on an iPhone, passwords for system apps (as well as properly developed apps use the Keychain).
- The keychain can be found here
./Keychains/keychain-2.db, but you could've found it using
find . -type f -iname *keychain*
- The keychain data is encrypted using a encryption key derived from a hardware key (stored in the crypto processor)
- The hardware key and/or derived keys can only be extracted by inspecting the live memory, so there is no way to do this only using the provided dump.
- Since you need physical access to the device (connected via USB), I have provided the extracted keybag in the
- In order to use this file, you'll need to download the keychain_tool.py script found here
- This script uses the keybag file to decrypt the keychain
python keychain_tool.py -d CASE_GHB-2345453763-2239982_keychain-2.db CASE_GHB-2345453763-2239982_b512786b70a19df8-keybag.plist| grep "imap\.gmail"