Introduction
In 2023, Apple acquired the title of having the largest market share of smartphones [IDC, 2024]. As the old adage goes, "Are you an Apple or Android user?"
Smartphones are arguably some of the most widely adopted technology, with their computing power managing to replace desktops for some. Think about it for a second: what do you use your smartphone for? Gaming, social media, and perhaps even office work. If an analyst were able to analyse these, what would they find? These devices provide an incredible insight into our daily lives.
Organisations often issue their employees with smartphones to aid in their work. These devices can provide an analyst with a treasure trove of information, as we will see in this room.
Use Cases
Because of their portability and computing power, smartphones are carried by a person at almost all times and store some of our most personal memories. These devices provide a great opportunity to investigators such as:
Law enforcement
Civil investigation
Legal proceedings
In the context of this room, mobile devices are a valuable asset in investigations of insider threats. While a large portion of investigation effort is spent on systems such as desktops and servers, mobile devices can also provide valuable insight.
Ethics & Caveats
Please note that this room has intentionally left out topics, including:
Bypassing iOS Security mechanisms (PIN code, etc)
Circumventing iPhone lockouts
Extraction of data without a known passcode
Jailbreaking an iPhone to obtain data
The scenario in this room has been created to simulate an organisation-owned and managed device that has been given to an employee (Janet) for work purposes. Any data, such as phone numbers, coordinates, and email addresses, are fictional.
Learning Objectives
Learn about the iOS filesystem
Discover the artefacts present in these devices
Get hands-on with an image of an iPhone and analyse this to uncover an insider threat
Prerequisites
To most benefit from this room, I highly recommend ensuring you have completed the following rooms:
iOS Pairing
Since 2018, Apple has enforced "Restricted Mode" on iPhones. This security feature disables data input/output via the iPhone unless the device has been unlocked. This security mechanism was implemented in the era of bad USB attacks and as a means to prevent "Juice jacking."
Trust Certificates
When plugging an iPhone into a device, you have likely been prompted with a pop-up similar to the one above. If you plug your iPhone into an outlet and receive the same prompt, it means you are actually connecting to a device and not an actual charging outlet.
Trust certificates are a security mechanism that allows the iPhone to trust the device it is syncing to. If the device is not trusted, the iPhone will only allow power through its Lightning cable, and not data read/write. A trust certificate is the result of a cryptographic exchange in which a certificate is generated on both the remote device and the iPhone using a private key stored on the iPhone's hardware. In Windows, these certificates are stored in C:\ProgramData\Apple\Lockdown. Below is an illustration of a trust certificate on a device such as a desktop.
Trust certificates
Have an expiry of 30 days
Contain a unique identifier of the device
Are stored on both the iPhone and the device that the iPhone is being synced to
Answer the questions below
What is the name of a type of certificate that is used when an iPhone and a device pair together?
Trust Certificates
What is the expiry timer on these certificates?
30 Days
Preserving Evidence
Preserving evidence is of the utmost importance when investigating smartphones, as it is when investigating other digital devices. Apple's iPhones incorporate numerous security measures that can result in data deletion. These features exist to protect the user in the event of theft, etc. For example, the iPhone can be remotely wiped using Apple's "Find My" application in the event of theft, deleting all data present on the device.
Additionally, an iPhone can be set to wipe itself after a certain number of failed PIN attempts, protecting against brute force. Methods to bypass this feature have been left out of this room for ethical considerations and complexity, as this involves interfering with the lockout mechanism.
iOS Lockout
The level of access one has to an iPhone's data is dependent on its "lock" status. We will come onto this a bit later in the "iOS Security" task. However, at this stage, it's worth noting that iOS encrypts data using a configured PIN code (or, in modern iOS versions, Touch ID or Face ID using biometrics). The data is fully encrypted when an iPhone is at its lock screen.
Whilst this room assumes that the passcode is known, in practice, when an iPhone is presented to you unlocked, it is imperative to disable the "auto lock" feature in Settings to prevent the device from locking itself.
Backups
Akin to the traditional process of digital evidence preservation, it is important to make a backup of the iPhone before any analysis is done for the preservation and protection of evidence. In fact, analyzing an iPhone via its backup is an incredibly useful technique.
Tooling such as iTunes, EaseUS, etc., can be used to acquire these backups. Now, iPhones also have security mechanisms to protect backups. More on this later in the room.
To create a backup, we can connect the device to iTunes and, under the device management page, select "Back Up Now". Please note there are two main types of backup:
Encrypted: This will back up the entire device, including account passwords, health data and such, as well as photos, apps, notes, music etc.
Unencrypted: This will only back up photos, apps, music, etc.
This can also be done with tools such as 3uTools.
Additionally, CLI frameworks such as libimobiledevice can be used to manage and create backups of iPhones. Task 6 will cover this more in-depth.
Physical Devices
Specialist hardware such as Cellebrite's UFED is used to extract data from mobile devices. This technology is often found in law enforcement and adjacent agencies and utilises techniques to extract data from these devices in a manner that can be presented in court.
Faraday Bags
Faraday bags/pouches follow the same concept as Faraday cages. They use special materials and linings to prevent electromagnetic signals (such as Wi-Fi, phone signals, etc.) from passing through. These pouches are imperative for the preservation of evidence, as they essentially take the device "offline," where data cannot be modified once in the analyst's possession. They also prevent data loss via remote wiping.
Answer the questions below
What is the name of the Apple feature that allows a device to be remotely wiped?
Find my
What "type" of backup would we perform if we wanted to back up the entire device?
Encrypted
What is the name of an important piece of equipment that can block all signals, preventing the device from being remotely wiped?
Faraday Bags
The iOS Filesystem
Apple has created various filesystems for its ecosystem throughout its history. This task will introduce you to some of these proprietary formats, and you will see them in action later.
HFS+, or Mac OS Extended, is a legacy filesystem introduced by Apple in 1998 that is still supported today. This room will not cover the specifics, but it is important to know that:
HFS+ is not encrypted (by default)
Does not have integrity checksums
iPhones past iOS 10.3 will be converted to APFS
While Apple has not defined the P in APFS, the acronym is used to distinguish it from Apple's File Service, which is an older network transfer service. APFS is a highly-compatible filesystem that boasts modern-day mechanisms such as:
Full disk encryption
Smarter data management
Uses the GPT partition structure
Has integrity checking via checksums
And numerous crash protection mechanisms (such as metadata protection)
It is important to note that all iOS devices since March 2017 use APFS. Additionally, applications on iPhones do not have direct access to the phone's filesystem. Instead, they run in a sandbox with a "virtual" filesystem that only the application can see.
Additionally, the APFS separates itself into "domains". An example of these has been provided in the table below:
Domain | Description |
Data | Stores application data, settings and user files. |
Cache | Stores temporary files such as cached files from the web browser. |
System | This domain stores essential files related to the operating system. Normally, it is read-only to protect the operating system's security. |
Shared | This domain allows data from applications made by the same developer (Application group) to be shared amongst each other. |
Plists
Plists, short for property lists, are files used by iOS to store objects, with various types of objects including:
Strings
Numbers
Data
Arrays
Dictionaries
And come in two formats:
XML - Human-readable
Binary - Not human-readable
For example, the screenshot below provides an XML-formatted plist containing the cookies for a visited web application.
SQLite
iOS also makes use of storing various pieces of data as databases. For example, this includes data such as:
Photo metadata
Text messages
Contacts
Voicemail entries
These are simple SQLite databases that can be opened using any SQLite browser, such as DB Browser. Below is a screenshot of the database containing stored text messages.
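Both storage formats described above can be told apart by their leading bytes, and a backup's file names are not a reliable guide to what a file contains. The following script is an added example (not code from the room or from any tool it names): it walks an extracted backup, classifies each file as an XML plist, a binary plist or an SQLite database by its header, and reads plists with Python's standard plistlib, which handles both encodings. The miniature backup it walks (the HomeDomain/Library layout, the prefs and AddressBook file names, and their contents) is constructed in a temporary directory purely for the demonstration.

```python
"""Triage files from an extracted iPhone backup by their on-disk format.

Added example, not code from the room: artefacts arrive either as plists
(XML or binary) or as SQLite databases. This script sniffs each file's leading
bytes to classify it, then loads plists with the standard library so either
encoding can be read. The backup it walks is constructed in a temp directory.
"""
import os
import plistlib
import sqlite3
import tempfile

# Well-known format signatures (general file-format facts, not taken from the room).
SQLITE_MAGIC = b"SQLite format 3\x00"
BPLIST_MAGIC = b"bplist00"
XML_PREFIXES = (b"<?xml", b"<plist")


def classify(path):
    """Return 'sqlite', 'binary-plist', 'xml-plist' or 'unknown' from the file header."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    if head.startswith(SQLITE_MAGIC):
        return "sqlite"
    if head.startswith(BPLIST_MAGIC):
        return "binary-plist"
    if head.lstrip().startswith(XML_PREFIXES):
        return "xml-plist"
    return "unknown"


def load_plist(path):
    """plistlib detects XML vs binary itself, so one call reads both encodings."""
    with open(path, "rb") as fh:
        return plistlib.load(fh)


def triage_directory(root):
    """Map each file's path (relative to root, '/' separated) to its detected format."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            found[rel] = classify(full)
    return found


def build_sample_backup(root):
    """Write one constructed file of each kind; layout mimics a backup, data is invented."""
    lib = os.path.join(root, "HomeDomain", "Library")
    ab = os.path.join(lib, "AddressBook")
    os.makedirs(ab, exist_ok=True)
    prefs = {"DeviceName": "iPhone", "AutoLock": 30}
    with open(os.path.join(lib, "prefs.plist"), "wb") as fh:        # human-readable form
        plistlib.dump(prefs, fh, fmt=plistlib.FMT_XML)
    with open(os.path.join(lib, "prefs.bin.plist"), "wb") as fh:    # same content, binary form
        plistlib.dump(prefs, fh, fmt=plistlib.FMT_BINARY)
    db = sqlite3.connect(os.path.join(ab, "AddressBook.sqlitedb"))  # hypothetical contacts store
    db.execute("CREATE TABLE contacts (id INTEGER PRIMARY KEY, first TEXT, last TEXT)")
    db.commit()
    db.close()
    with open(os.path.join(root, "blob.bin"), "wb") as fh:          # matches no signature
        fh.write(b"\x00\x01\x02\x03")


def demo():
    """Build the sample backup, triage it and read the binary plist back as a dict."""
    root = tempfile.mkdtemp(prefix="ios-backup-")
    build_sample_backup(root)
    kinds = triage_directory(root)
    prefs = load_plist(os.path.join(root, "HomeDomain", "Library", "prefs.bin.plist"))
    return kinds, prefs


if __name__ == "__main__":
    kinds, prefs = demo()
    for rel, kind in sorted(kinds.items()):
        print(f"{kind:13} {rel}")
    print("Binary plist decoded:", prefs)
```

Run it against a real extracted backup by pointing triage_directory at the backup root; the binary plist decodes to exactly the same dictionary as its XML twin, which is why plistlib rather than a text editor is the right first tool for "non-human-readable" plists.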
Answer the questions below
After March 2017, what filesystem do all iPhones use?
APFS
What is the name of the "domain" that stores all files relating to the operating system?
System
Artefacts
As you can imagine, an iPhone has a plethora of data available to us. Including but not limited to:
Contacts
Message & call history
Wi-Fi History
GPS coordinates
Photos
Mailbox
Web browser history
From a previous task, we recall that the vast majority of data is stored either as an SQLite database or in Apple's proprietary ".plist" format, which can be XML or binary files, and that Apple separates data into "domains". This task will highlight some notable directories on the iPhone and the data they contain.
Information
Contacts
The address book is used to store information about the contacts on the iPhone as an SQLite database. This is located in HomeDomain/Library/AddressBook of the backup.
Photos
The iPhone stores all videos and pictures (including screenshots) in the Camera Roll, which is located in /CameraRollDomain/Media/DCIM of the backup. These can be extracted from the backup and manually examined.
Calendar
The iPhone stores calendar entries as an SQLite database within /HomeDomain/Library/Calendar of the backup.
Wi-Fi
Located within the /SystemPreferencesDomain, you can find a plist containing a list of networks that the iPhone has connected to. While the password to this is encrypted, you can discover the SSIDs in plaintext, as well as the time each network was added.
Listing the known/saved wifi connection profiles
cmnatic@thm cat com.apple.wifi.known-networks.plist
<key>wifi.network.ssid.TryHackMe Wifi</key>
<dict>
<key>AddReason</key>
<string>WiFi Settings</string>
<key>Hidden</key>
<false/>
<key>LowDataMode</key>
<false/>
<key>SSID</key>
<data>
VHJ5SGFja01lIFdpZmk=
</data>
<key>AddedAt</key>
<date>2024-06-12T12:38:05Z</date>
<key>__OSSpecific__</key>
<dict>
<key>WiFiNetworkAttributeIsMoving</key>
<false/>
<key>BEACON_PROBE_INFO_PER_BSSID_LIST</key>
<array>
<dict>
<key>BSSID</key>
<string>e2:89:XX:XX:XX:XX</string>
<key>OTA_SYSTEM_INFO_SENT</key>
<false/>
<key>OTA_SYSTEM_INFO_BEACON_ONLY_SENT</key>
<true/>
</dict>
</array>
<key>BSSID</key>
<string>e2:89:XX:XX:XX:XX</string>
<key>networkKnownBSSListKey</key>
<array>
<dict>
<key>CHANNEL_FLAGS</key>
<integer>10</integer>
<key>lastRoamed</key>
<date>2024-06-12T12:38:05Z</date>
<key>CHANNEL</key>
<integer>3</integer>
<key>BSSID</key>
<string>e2:89:XX:XX:XX:XX</string>
</dict>
</array>
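The listing above is what the plist looks like raw; for a report an analyst wants one row per network with the SSID, when it was added, and every BSSID and channel the phone has seen it on. The script below is an added example (not code from the room or from Apple): it parses a constructed copy of the excerpt, trimmed to the keys shown above, with plistlib. Note that the SSID appears twice in the listing, once in plaintext as part of the key name and once as a <data> element; the base64 inside <data> is only the XML encoding of the raw SSID bytes, which plistlib hands back as bytes, so they are decoded here with replacement rather than assumed to be valid UTF-8.

```python
"""Extract the analyst-relevant fields from com.apple.wifi.known-networks.plist.

Added example, not code from the room. SAMPLE_PLIST is a constructed copy of
the listing shown in the task (same key names and values, nesting trimmed to
what the code uses). Dates come back from plistlib as naive datetimes in UTC.
"""
import plistlib

SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>wifi.network.ssid.TryHackMe Wifi</key>
  <dict>
    <key>AddReason</key><string>WiFi Settings</string>
    <key>Hidden</key><false/>
    <key>SSID</key><data>VHJ5SGFja01lIFdpZmk=</data>
    <key>AddedAt</key><date>2024-06-12T12:38:05Z</date>
    <key>BSSID</key><string>e2:89:XX:XX:XX:XX</string>
    <key>__OSSpecific__</key>
    <dict>
      <key>networkKnownBSSListKey</key>
      <array>
        <dict>
          <key>CHANNEL</key><integer>3</integer>
          <key>lastRoamed</key><date>2024-06-12T12:38:05Z</date>
          <key>BSSID</key><string>e2:89:XX:XX:XX:XX</string>
        </dict>
      </array>
    </dict>
  </dict>
</dict>
</plist>
"""


def known_networks(blob):
    """Return one record per saved network: SSID, hidden flag, add time, BSSIDs, channels."""
    root = plistlib.loads(blob)
    records = []
    for key, entry in root.items():
        # Network entries are keyed "wifi.network.ssid.<SSID>"; skip anything else.
        if not key.startswith("wifi.network.ssid.") or not isinstance(entry, dict):
            continue
        raw_ssid = entry.get("SSID", b"")
        # <data> decodes to bytes; an SSID is not guaranteed to be valid UTF-8.
        ssid = raw_ssid.decode("utf-8", errors="replace") if isinstance(raw_ssid, bytes) else str(raw_ssid)
        bssids = {entry["BSSID"]} if entry.get("BSSID") else set()
        channels = set()
        bss_list = entry.get("__OSSpecific__", {}).get("networkKnownBSSListKey", [])
        for bss in bss_list:
            if bss.get("BSSID"):
                bssids.add(bss["BSSID"])
            if "CHANNEL" in bss:
                channels.add(bss["CHANNEL"])
        added = entry.get("AddedAt")
        records.append({
            "ssid": ssid,
            "hidden": bool(entry.get("Hidden", False)),
            "added_at": added.isoformat() if added else None,
            "bssids": sorted(bssids),
            "channels": sorted(channels),
        })
    return records


if __name__ == "__main__":
    for rec in known_networks(SAMPLE_PLIST):
        print(rec)
```

To run it on a real backup, read the plist file in binary mode and pass the bytes to known_networks; plistlib accepts the binary encoding just as well as the XML form shown here.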
Web Browser (Safari)
The iPhone's default web browser is Safari. Bookmarks and web browsing history are stored in databases within HomeDomain/Library/Safari. It is worth noting that web browsers can be installed as applications, in which case the data is stored in the application domain.
Directories
/var/mobile
This directory contains data pertaining to user data and application storage. For example:
Data | Description |
Documents | Files created by either the user or application (save files, saved PDFs, etc). |
Library | Configuration and cache files for the OS. |
Tmp | Temporary files usually used by applications. |
User Data | User downloads as well as photos, videos & other media. |
/var/keychains
Data | Description |
Passwords | This directory stores saved credentials (for websites, etc) known as Apple "keychain". |
Certificates | This directory stores SSL/TLS certificates for web apps, VPNs, etc. |
Encryption keys & tokens | This directory stores various public keys as well as OAuth tokens and such. |
/var/logs
Data | Description |
System Logs | These types of logs relate to system performance and events, as well as a record of events triggered by the kernel. |
Application Logs | Applications store their logs in this directory. These can be stack traces and debugging info in the event an application crashes. |
Debugging | These types of logs retain information about system events that can be used in debugging, such as network activity, what applications were running, and a timeline of events. |
Update Logs | These logs contain information specifically for updates, i.e., checking for updates and storing information when the iPhone is updating. |
/var/db
This directory is one of the "juiciest" to an analyst, and it stores most of the SQLite database files.
Data | Description |
System Databases | Information such as contacts, messages, and calendar entries are stored in these databases. |
Application Databases | Applications store their data in these databases, such as game progress, a list of contacts, mailboxes, etc. |
Metadata | Information pertaining to metadata for media (photos, videos) is stored here, such as time taken, location, etc. |
Answer the questions below
In what directory of a backup is the Address Book (contacts) stored?
HomeDomain/Library/AddressBook
In what directory of the iPhone are passwords and certificates stored? This is known as the Keychain.
/var/keychains
Analysis
There are a variety of tools (both GUI and CLI) that are capable of creating a backup of an iPhone. This task will cover using the 3uTools GUI application as well as the libimobiledevice library on the CLI. However, there are alternatives out there.
Please note that you should do your own research into suitable tools and take caution that some applications that advertise these services often come bundled with some form of licensing. Always download from verified and reputable sources.
Before we proceed, it should also be noted that support & troubleshooting for connecting an iPhone to the tooling listed below will not be provided. When it comes to the practical, everything has already been done for you.
libimobiledevice
This library is a cross-platform toolkit that can interact with iOS devices. Caution should be used when using this toolkit, especially once a device is trusted, as you can make modifications to the iPhone itself.
To begin, let's connect our iPhone to our device and perform the trust process.
We can now verify that the iPhone has successfully connected to our device using ideviceinfo. In this task, I will be using macOS as it has native libraries that make working with toolkits like this easier. Please note that the output of some entries has been redacted for privacy.
Displaying iPhone information using libimobiledevice
cmnatic@thm ideviceinfo
ActivationState: Activated
ActivationStateAcknowledged: true
ChipSerialNo: 00EAaUAXXXXXXX
DeviceClass: iPhone
DeviceColor: 1
DeviceName: iPhone
PasswordProtected: false
PhoneNumber: +44 REDACTED
PkHash: Hz9b38WSRXREDACTED
ProductName: iPhone OS
ProductType: iPhone10,5
ProductVersion: 14.6
Now that we have confirmed that we can see the iPhone, we can create a backup of the iPhone. First, we will need to ensure that encryption mode is configured to ensure that we can take a full backup. This can be done with the command idevicebackup2 -i encryption on.
Now, let's proceed with creating the backup by providing a few options to the idevicebackup2 module:
backup - instructs the module to take a backup
--full - create a full backup
/path/to/store/backup - the directory in which we wish to store the backup on our device
With the above, our full command will look like so: idevicebackup2 backup --full ./backup
It is important to note that the backup will be in a non-readable format, much like it would with iTunes. Other tooling such as ideviceunback will need to be used.
3uTools
3uTools is a GUI application that can be used to manage an iOS device. We will be using it in the context of this room to create a backup and use the built-in file explorer to examine data on the iPhone. First, let's connect our iPhone to our device and proceed with the trusting process covered earlier in this task.
Click on the "Backup/Restore" icon located at the bottom, where a pop-up will open where we can configure our backup.
The time to backup will heavily depend on how much storage is in use. In most cases, expect anywhere from 15 minutes to 2 hours. Once our backup has been completed, we can now explore it within 3uTools:
Click on "View all data backups"
Click on the backup we just created. To the right, under the "View Backup" column, are two options "Pro Mode" and "Easy Mode". Easy mode will provide a quick insight, while Pro Mode will provide a detailed view of the backup
We can now explore the artefacts on the iPhone.
For example, exploring the stored Contacts/Address Book.
Manual Analysis
Once an iPhone backup has been extracted, the directory structure can be manually navigated using tools such as text editors and SQLite database viewers, such as below:
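When an SQLite artefact's layout is unfamiliar, the first step in a viewer is to list its tables and row counts and then filter the interesting one, as the practical's hint about the CalendarItem table suggests. The script below is an added example (not code from the room or from any tool it names) that does the same from Python, with one habit worth copying: the database is opened read-only so that no query, however mistyped, can alter the evidence. The sample database, its CalendarItem and Location tables and their columns are constructed here and are not Apple's real schema.

```python
"""Inventory an unknown SQLite artefact from a backup without risking changes to it.

Added example, not code from the room. It assumes only that the artefact is an
ordinary SQLite 3 file. The sample database is constructed here; its
CalendarItem/Location tables and columns are invented to resemble a calendar
store and are not Apple's real schema.
"""
import os
import sqlite3
import tempfile
from pathlib import Path


def open_readonly(path):
    """Open through a file: URI with mode=ro so no statement can modify the evidence."""
    return sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)


def inventory(conn):
    """Return {table: (row_count, CREATE statement)} for every user table."""
    tables = conn.execute(
        "SELECT name, sql FROM sqlite_master "
        "WHERE type = 'table' AND name NOT LIKE 'sqlite_%' ORDER BY name"
    ).fetchall()
    out = {}
    for name, sql in tables:
        quoted = name.replace('"', '""')  # identifiers cannot be bound, so quote them
        count = conn.execute(f'SELECT COUNT(*) FROM "{quoted}"').fetchone()[0]
        out[name] = (count, sql)
    return out


def rows_where(conn, table, column, value):
    """Dump rows where column == value, e.g. calendar items that carry a location."""
    quoted_table = table.replace('"', '""')
    quoted_col = column.replace('"', '""')
    cur = conn.execute(f'SELECT * FROM "{quoted_table}" WHERE "{quoted_col}" = ?', (value,))
    names = [d[0] for d in cur.description]
    return [dict(zip(names, row)) for row in cur.fetchall()]


def build_sample_db(path):
    """Constructed calendar-like database (invented schema and data)."""
    conn = sqlite3.connect(path)
    conn.executescript(
        """
        CREATE TABLE Location (ROWID INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE CalendarItem (ROWID INTEGER PRIMARY KEY, summary TEXT, location_id INTEGER);
        INSERT INTO Location VALUES (1, 'Coffee shop');
        INSERT INTO CalendarItem VALUES (1, 'Team standup', 0), (2, 'Handover', 1);
        """
    )
    conn.commit()
    conn.close()


def demo():
    """Build the sample, open it read-only, inventory it and prove writes are refused."""
    root = tempfile.mkdtemp(prefix="ios-db-")
    path = os.path.join(root, "Calendar.sqlitedb")
    build_sample_db(path)
    conn = open_readonly(path)
    try:
        inv = inventory(conn)
        located = rows_where(conn, "CalendarItem", "location_id", 1)
        try:
            conn.execute("DELETE FROM CalendarItem")
            write_blocked = False
        except sqlite3.OperationalError:  # "attempt to write a readonly database"
            write_blocked = True
    finally:
        conn.close()
    return inv, located, write_blocked


if __name__ == "__main__":
    inv, located, write_blocked = demo()
    for table, (count, sql) in inv.items():
        print(f"{table}: {count} rows\n  {sql}")
    print("Items with a location:", located)
    print("Write attempt blocked:", write_blocked)
```

Table and column names cannot be passed as bound parameters, so they are double-quoted as identifiers while the filter value itself goes through a parameter; that keeps the helper safe to reuse against arbitrary artefact names without string-building a query from untrusted input.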
Answer the questions below
What is the name of the cross-platform toolkit that can interact with iOS devices? This is a CLI tool.
libimobiledevice
If we wanted to do a full iPhone backup using the aforementioned tool, with the directory being "backup", what would our command look like?
idevicebackup2 backup --full ./backup
Practical: Operation Timely Manner
There have been whisperings of an insider within Timely Incorporated selling corporate secrets to a competitor (OneMinute). After acting on verified intelligence, Janet's work-issued iPhone and laptop have been seized for analysis. Whilst your colleagues are examining the laptop, you have been tasked with investigating an extracted backup taken off the iPhone. The passcode was provided at the time of capture because it is a work-managed device.
You will need to find evidence that will prove that conversations and meetings between Janet and the competitor have taken place.
Deploy the machine attached to this task by pressing the green "Start Machine" button at the top-right of this task. The machine will start in Split-Screen view. In case the VM is not visible, use the blue Show Split View button at the top of the page.
If you would prefer, you can use the following details to RDP in yourself, remembering to connect to the TryHackMe VPN beforehand.
Username | Administrator |
Password | TimelyManner! |
IP | MACHINE_IP |
Remember, all of the evidence and tooling have been provided to you on the machine.
Answer the questions below
Investigate the evidence presented to you on the desktop of the analyst machine.
What is the name (SSID) of the Wi-Fi network the iPhone connected to?
OneMinuteStaff
What are the saved contact details for the competitor?
Answer format: Firstname,Lastname
Wayne,Garcey
On what day was the exchange of information to take place?
Answer format: DD/MM/YYYY
30/03/2024
(There is a calendar entry for this. You can sort by location id being true (1) in the "CalendarItem" table)
Conclusion
In the words of Porky Pig, "That's all folks!" This room was a brief but practical introduction to the acquisition of digital evidence on iOS. Just to recap, we learnt:
How to preserve evidence on iPhones
How the trust and pairing process works
A quick introduction into the iOS filesystem
Tooling that can be used for data acquisition and analysis
This room only scratches the surface that is mobile forensics.
Answer the questions below
Terminate the machine that you deployed in this room.
Let us know what you thought of this room on either our X (Twitter), Reddit or Discord.