iPhone application analysis and reference
In this section, each of the default applications as
well as a select sample of popular third-party apps is analyzed. Each app is broken down to
show where the files are located on the iPhone's file system, or in other words the full path
to where that particular app's data is stored. Also within this subsection is a list of the
files an examiner can expect to find for that particular app. Next, for every app that contains
a database or plist full of important information, the structure of these files are shown,
including the database schema as well as the type of data that can be found in that specific
file. Finally, for every application there is an “Analysis Notes” section. Here, the reader is
instructed where to look for the most significant data for that app. Methods on viewing the
data in these files are also covered.
Default applications
The
subsections that follow describe the various applications that arrive by default on the
iPhone. For each app, the file system layout is described, including all the files that are
commonly recovered for that app. The database or plist files that contain significant data is
broken down and discussed in detail. Finally, there is an analysis notes section, which
explains how each of these files can be read to show where the important data
resides.
SMS
Text messages are one of the most significant data
items to be recovered from an iPhone. The following sections outline the files that can be
found on the device as well as where the most important information resides.
File system layout
/private/var/mobile/Library/SMS:
• Drafts: contains draft SMS messages in the form of “messages.plist”
• Parts: Contains
attachments to MMS or SMS messages, mostly .jpg files, but they can also be .mov or other
files.
•
sms.db: The SMS/MMS database.
Databases/plists
sms.db
The
sms.db is the most important file in this directory. It contains the text and multimedia
messages and can also contain deleted text messages. Here is a listing of the tables
contained within this database:
_SqliteDatabaseProperties
message
sqlite_sequence
msg_group
group_member
msg_pieces
Analyst notes
The “message” and “msg_pieces” tables are the two areas that should
be the main focus when analyzing the sms.db.
The messages
table contains each of the text messages, including the phone number from or to which the
message was sent, date and time of the message, the message content, a “flags” column
(specifies whether the message was sent or received), and other data. The following is a
breakdown of each of the columns within this table and a definition of each:
• ROWID: A sequential, unique number assigned to each
message. The “sqlite_sequence” table tracks the last assigned ROWID for the message table
as well as the other tables in the database.
• address: The phone number from or to which the
message was sent. If this field is blank, the message is most likely a multimedia message
(and the phone number is displayed in the “recipients” field).
• date: Unix Epoch
timestamp. When translated, this is the date and time at which the message was sent or
received.
• text: Message content. If it is an MMS message, this field will be
blank.
•
flags: Shows whether the message was sent or received: a “3” signifies a sent message, a
“2” signifies a received one.
• replace: Unknown. This field is always
zero.
•
svc_center: Unknown. This field is always null.
• group_id: An integer assigned to each
unique phone number. All messages sent to or from a particular number are considered one
group and, therefore, assigned their own group_id.
• association_id: Unknown. This field
sometimes contains a zero, and at other times will contain the same Unix Epoch timestamp
as displayed in the “date” field.
• height: Always a zero.
• UIFlags: Unknown. Typically a zero;
however, sometimes there are other one-digit integers found here.
• version: Unknown. This
field is always zero.
• subject: Unknown. This field is always null.
• country: The country code
is shown here (“us”).
• recipients: For a text message, this field will be empty. If the message is
a multimedia message, this field will contain the phone number from or to which the
message was sent. The phone number will be encoded in XML format.
• read: This field shows
whether the message was read by the user. There will be a “1” if it was
read.
The msg_pieces table contains the
text content that is sent along with an MMS message. The following is a breakdown of the
meaningful columns within this table and a definition of each:
• ROWID: A sequential, unique number assigned to each row in the msg_pieces table (not
necessarily unique to each message). The “sqlite_sequence” table tracks the last assigned
ROWID for the msg_pieces table as well as the other tables in the
database.
•
message_id: A unique ID assigned to each message. Typically, an MMS record will contain
three rows in the msg_pieces database: the first row has blank/zero/null data, the second
row contains the message within a text/plain document, and the third row is the actual
image that was attached. All three of these rows comprise one MMS message, and will all
have the same message_id. A message ID in the msg_pieces table matches up with the ROWID
in the message table.
• data: The text content that was sent along with the MMS
attachment.
• content_type: This field will be null, text (plain), image (jpeg), video (3gpp), or
application (smil).
• height: This field always contains a zero.
• version: This field contains a 0 or 1,
possibly referring to the plist version displayed in the recipients field of the message
table.
•
content_loc: This field will either be null or show as text_####.txt or IMG_####.jpg. The
IMG name is not the actual name of the image that is stored on the iPhone (such as
IMG_0001, IMG_0002, etc.). Typically in this field, there will be one of two.jpg names
shown: IMG_6807 or IMG_5249 (however, it is not uncommon to see others as well). It is
unknown what these filenames signify.
• headers: This field is
null.
Calendar
Calendar events that
have been manually entered by the user or synced using a mail app or other program are stored
on the device.
File system layout
/private/var/mobile/Library/Calendar:
• Calendar.sqlitedb:
This is the only file that is stored for the Calendar
app.
Databases/plists
Calendar.sqlitedb
This database file contains
each calendar event that was stored on the device as well as the metadata for each event.
The database can be more deeply analyzed to potentially recover deleted events. Here is a
listing of the tables contained within this database:
sqlite> .tables
Alarm OccurrenceCache
AlarmChanges OccurrenceCacheDays
Attendee Participant
AttendeeChanges Recurrence
Calendar RecurrenceChanges
CalendarChanges Store
Event Task
EventChanges TaskChanges
EventExceptionDate _Sqlite
Analyst notes
The “Event” table is the one that examiners should focus on;
however, other tables can also be analyzed as needed. The Event table contains information
relevant to the calendar events that were manually entered by the user or possibly synced up
with their e-mail account, MobileMe account, or another tool. The following is a breakdown
of each of the columns that contain relevant information and a definition of each. Many of
the columns have been omitted as they do not contain useful information.
• ROWID: A sequential, unique number assigned to each
calendar event. The “sqlite_sequence” table tracks the last assigned ROWID for the event
table as well as the Store and Calendar tables.
• summary: The actual text content of the
calendar event.
• location: An optional field where the user can enter the location of the
event.
•
description: An option field where the user can enter a description for the
event.
•
start_date: The start date and time of the event, displayed in OS X Epoch time (described
earlier in this chapter).
• start_tz: The time zone in which the device is
set.
•
end_date: The end date and time of the event, displayed in OS X Epoch
time.
•
calendar_id: The ID assigned to the calendar in which this event is stored. The user may
have synced up multiple calendars, and these will be shown in the “Calendar” table. The
“ROWID” that is assigned to each calendar is also its calendar_id in the Events
table.
Call History
Phone calls placed
by the user or placed to the user are stored on the device, along with other metadata that
could be of interest to an examiner.
File system layout
/private/var/mobile/Library/CallHistory/:
•
call_history.db: This table contains the call logs that have been stored on the
device.
Databases/plists
call_history.db
The
call_history database contains each of the missed, placed, and received calls on the
device. The database can be more thoroughly analyzed to potentially recover deleted call
logs. Here is a listing of the tables contained within this database:
_SqliteDatabaseProperties
call
sqlite_sequence
data
Analyst notes
The “call” table is where most of the information is going to be
found; however, as with the other database files, the “sqlite_sequence” table tracks the
most recently used row ID for certain tables in the database. The following is a breakdown
of each of the columns within the call table that contain relevant information and a
definition of each.
• ROWID: A sequential,
unique number assigned to each call record in the table. The “sqlite_sequence” table
tracks the last assigned ROWID for the call table as well as the data
table.
•
address: The phone number from or to which the call was placed. If this field is blank,
it was most likely an unknown number.
• date: Unix Epoch timestamp. When translated, this is the
date and time at which the call was placed or received.
• duration: This field displays the duration
of the call (in seconds). A value of zero signifies a missed call.
• flags: Shows whether the
call was incoming (flag set to 4) or outgoing (flag set to 5).
• id: If an outgoing call
was placed to a contact within the user's address book, the id represents the
individual's contact id (or ROWID assigned to that contact).
• name: This field is
null.
•
country_code: This is the MCC described earlier in the geographical data section. For the
United States, the MCC is 310.
On the
iPhone, there is a call history limit of 100 logs. Any calls placed or received above 100
will be stored in the database, but the oldest record will be removed. Therefore, upon
viewing the call_history.db file in a SQLite database browser, an examiner will not see more
than 100 records in the call table. However, using the advanced analysis techniques
described earlier in this chapter (strings, hex editor, etc.), it is possible to recover the
old call logs that were replaced.
User dictionary/keyboard
Whenever a user manually types a word into the iPhone, the device generates a dynamic
dictionary file that stores words unique to that user. For example, anything entered into a
text message, e-mail, note, or other form of text entry would be stored in this
file.
File system layout
/private/var/mobile/Library/Keyboard:
• dynamic-text.dat
Analyst notes
While this is not a database or plist, the user's dynamic dictionary
file can contain interesting artifacts. A .dat file is a “data” file, and the way it is
viewed depends on its contents. Because it is known that this particular file stores text,
it can be opened in any text editor. However, when opened in this manner, all the words run
together and the analysis is difficult.
DynamicDictionary-4[testmailtesttestgolfclubsheywhattypeofclubswouldyour
firstchoicecallowaymailhowamsupposedtogetintothestoreafterhourscheckouts
ureisnicedayoutwhat'reyoudoingtodaydinneratgreatmayneedtoheadoutaroundbu
tthatshouldgiveusplentyoftimelakeoakparkoakparkillakeoakparkilpieceofcak
ecan'twaittotryoutonsundaytesttobradtesttobradwillyougogetmecoffeeguessy
ou'llneverknowviaforensicsgmailgolfsmithtaylormadesbcglobalsarpinosmccal
isterem
It is much more
efficient to use the “strings” command and either redirect the output into a text file or
display the output through the “less” command (see Chapter 1 on
how to use basic Linux commands).
Katie-Strzempkas-MacBook:Keyboard kstrzemp$ strings dynamic-text.dat |
less
DynamicDictionary-4
[test
mail
test
test
golf
clubs
what
type
clubs
would
your
first
choice
calloway
mail
supposed
into
store
after
hours
check
sure
Oftentimes, full text messages and e-mail content are found in this
file; however, it is impossible to determine any other information about the source, such as
date and time or the individual who sent or received the message.
Many examiners want to know whether passwords are stored in this file, and the
technical answer is no. If a user enters a password (or PIN) into a password field on the
device, such as when he or she logs into his or her e-mail account, the device knows not to
store that information. However, if the user decides to enter their password into a note,
document, or e-mail on the device, it is possible that it would be stored in the dynamic
text file.
When a user syncs their e-mail account(s)
to a device, account information as well as e-mail content is stored within the
device.
File system layout
/private/var/Keychain/:
• keychain-2.db: Contains e-mail account information.
/private/var/mobile/Library/Mail/:
• Mail Folder for each e-mail account synced to the device (containing.emlx and emlxpart
files: see “Analysis Notes” section).
• AutoFetchEnabled
• Envelope Index
/private/var/mobile/Library/Webkit/Databases:
• Databases.db: Contains a list of the webkit database files on the
device.
•
mail.yahoo.com folder with .db file: Contains data related to the Yahoo! mail
account.
•
mail.google.com folder with .db file: Contains data related to the Google mail
account.
•
Any other mail accounts that may have been synced to the
device.
Databases/plists
keychain-2.db
This database stores user login
credentials and other metadata related to those accounts. Wi-Fi accounts, application
logins, e-mail accounts, and more can be found here. The following tables can be found in
this database:
cert
genp
inet
keys
sqlite_sequence
tversion
The “inet” table
is where e-mail account data can be found. The “acct” column contains the e-mail address,
or for an Exchange account, the domain and username. The “srvr” column includes the mail
server that the device is retrieving content from, the “ptcl” and “port” columns list the
protocol and port used to connect to that mail server, and the “data” column contains the
encrypted password for that account.
Databases.db
This databases
contains three tables:
Databases
Origins
sqlite_sequence
The “Databases” table is the only one containing unique data, and
here the examiner can view the various webkit database files on the device. For example, if
the user synced both Yahoo and Gmail, the folder containing each database is listed in the
“origins” column. For the databases listed below, the origins are: http_m.mg.mail.yahoo.com_0 and https_mail.google.com_0 >. These are
subfolders, which also contain the database file. In the “Databases” table, the examiner
can also see the e-mail address for the user.
http_m.mg.mail.yahoo.com_0> 0000000000000004.db
The
database within the Yahoo mail folder contains a significant amount of important data,
including the e-mail addresses of the senders and the recipients of the e-mail, e-mail
subjects, timestamps, and even partial e-mail content. The following is a listing of the
tables contained within this database:
_WebKitDatabaseInfoTable_
action
message
folder
vfolder
contact
The two tables worth looking at are the “folder” and “message” tables.
The message table contains the full e-mail subject, partial e-mail
content (in the “snippet” column), the e-mail addresses of both the sender and receiver,
and finally the Unix Epoch timestamp. When converted, this is the date and time when the
e-mail was received. There is also a column called “hasAttachment,” which, as expected,
will have a “1” if there was a file attached to that particular e-mail (otherwise it will
have a “0”).
The folder table shows a list of all of the
folders within that e-mail account. The standard folders, such as Inbox, Sent, Trash, etc.,
may not be of importance, but this table also contains a list of the personal folders
created by the user. Along with the folder names, also included as part of this table is
the total number of messages within each folder and the number of messages:
https_mail.google.com_0> 0000000000000001.db
The database within the Google mail
folder also contains the e-mail addresses of the senders and the recipients of the e-mail,
e-mail subjects, timestamps, and partial e-mail content. The following is a listing of the
tables contained within this database:
__WebKitDatabaseInfoTable__
action_queue_11_crf
cached_queries
hit_to_data
cached_conversation_headers
cached_messages
cached_labels
cached_contacts
config_table
log_store
The two main tables
to focus on in this database are “cached_conversation_headers” and “cached_messages.” While
some of the contents between these two tables overlap, there are some differences making it
worthwhile to take a look at both.
The following is a
breakdown of each of the columns within the cached_conversation_headers table that contain
relevant information and a definition of each:
•
isInbox/isSpam/isTrash/etc.: These columns are flagged with a “1” if true. For example,
if the “isInbox” column contains a “1,” then the e-mail message in that row was
recovered from the user's Inbox.
• subject: Contains the message Subject.
• snippetHtml: Contains a
portion of the message body.
• senderListHtml: Contains the name assigned to the sender
in the e-mail contacts (not necessarily the e-mail address).
• dateMs: The date and
time the message was received in Unix Epoch (milliseconds). To convert manually, the
examiner will need to remove the last three digits; otherwise, it can be converted
through a website or other tool.
• modifyDateMs: The date and time the message was modified
in Unix Epoch (milliseconds). This is typically the same timestamp as the
dateMs.
•
hasAttachment: If the message has an attachment, this field will be flagged with a “1”
(otherwise it will be a “0”).
The
following is a breakdown of each of the columns within the cached_messages table that
contain relevant information and a definition of each.
• messageID: A unique ID assigned to each message.
• conversationId: An ID
assigned for each conversation (group of messages for each sender). This ID might be the
same as the message.
• isInbox/isSpam/isTrash/etc.: These columns are flagged with a “1” if true.
For example, if the “isInbox” column contains a “1,” then the e-mail message in that row
was recovered from the user's Inbox.
• subject: Contains the message Subject.
• snippetHtml: Contains a
portion of the message body.
• address_from: Contains the e-mail address of the
sender.
•
address_to/address_cc/address_bcc: Contains the e-mail address that the message was sent
to. If an individual was cc'd or bcc'd, that e-mail address would be listed in the
appropriate columns.
• receivedDateMs: dateMs: The date and time the message was received in Unix
Epoch (milliseconds). To convert manually, the examiner will need to remove the last
three digits; otherwise, it can be converted through a website or other
tool.
Analyst notes
From the files
described in the previous sections, one can see that there are various locations within the
iPhone file system where e-mail remnants can be found: the “Mail” folder and the “WebKit”
folder. The databases within the WebKit folder have been thoroughly discussed as they
contain allocated files. Next, the contents of the Mail folder are discussed.
As mentioned earlier, there is a specific folder assigned to each
Mail account synced to the device, and these files can be viewed with a physical image of
the device. For an exchange mail account, the folder will begin with “ExchangeActiveSync…,”
whereas a Gmail or Yahoo account might begin with “[email protected]”. Within this
folder, the following folders can be seen:
23K241-39E2-AP09-A284-B39T02955E.mbox (User's
Inbox - random string of characters)
Deleted Items.mbox
Drafts.mbox
Junk E-mail.mbox
Outbox.mbox
Sent
Items.mbox
Within these folders are
some of the actual e-mail messages in the form of a “.emlx” extension. These files can be
viewed in a text editor, or by importing them into the Mail program on a Mac. In addition to
e-mail messages, there are also files with a “.emlxpart” extension. This contains files that
have been attached to one or more of the e-mails. Let us assume that this file extension is
unknown. The following command can be run on a Linux machine to determine what type of file
this is, and thus understand what tool is needed to view it. First, we will list out the
files in the “Messages” folder and then determine the file type.
root@linux-001:~/mount/mobile/Library/Mail/ExchangeActiveSync-[Mail-ID].mbox/Messages#
ls -l
total 1428
-rw-r-?-r-?- 1 501 501 721191 2010-08-05 13:53
14.1.2.emlxpart
-rw-r-?-r-?- 1 501 501 148142 2010-08-05 13:05
16.emlx
-rw-r-?-r-?- 1 501 501 178494 2010-08-05 13:05
17.emlx
-rw-r-?-r-?- 1 501 501 403407 2010-08-05 13:05
20.emlx
root@linux-001:~/mount/mobile/Library/Mail/ExchangeActiveSync-[Mail-ID].mbox/Messages#
file 14.1.2.emlxpart
14.1.2.emlxpart: Zip archive data, at least v2.0 to
extract
root@linux-001:~/mount/mobile/Library/Mail/ExchangeActiveSync-[Mail-ID].mbox/Messages#
file 16.emlx
16.emlx: RFC 822 mail text
From the output of the “file” command, it can be seen that the .emlx file is text
and the .emlxpart file is a compressed archive, which must be unzipped. This file can be
copied to another location on the examiner's machine (since the iPhone dmg should be mounted
as read-only) and unzipped to view the file contents and attachments.
While messages in the user's “Deleted” mail folder can be recovered, those that
have been fully deleted or emptied from trash cannot be found in the Mail folder. A file
carving utility can be used to extract e-mails from a disk image (see the “File Carving”
section earlier in this chapter). Here, e-mails can be recovered, including those that have
been deleted. The examiner can then use the “grep” command to search through all the e-mail
files for specific keywords. In the following example, all the e-mail files (*.email) are
searched for the viaForensics e-mail address shown.
$ cd
scalpel-output/email-10-0
$ grep “[email protected]”
*.email
With the ability to
perform file carving on a full physical disk image, a significant amount of e-mail content
can be recovered from a device. Unfortunately, a physical acquisition is not always
possible. In the event that only a logical or backup acquisition is possible, the WebKit is
a good place for an examiner to start, and at the very least, e-mail account information can
always be found in the keychain database. Refer back to Chapter 5 for
details on how passwords stored in this database can be decrypted!
Maps
The Maps app allows the user to search for specific locations and directions using
Google Maps. This application will often times store the user's current location (see the
section on “Geographical Info” later in this chapter).
File system layout
/private/var/mobile/Library/Maps/:
•
Bookmarks.plist: Contains locations bookmarked by the user.
• Directions.plist:
Contains directions searched by the user.
• History.plist: Contains map history searched by the
user.
Analyst notes
Each of these
plists is in binary format. When hitting the space bar to open one of these files in Preview
(on a Mac), some of the data appears to be encrypted, or otherwise unreadable. However, when
opening it in a text editor, the directions, bookmarks, and history can be read. In this
instance, converting from binary to XML is not necessary. As an example, here is what
Directions.plist looks like when it is converted to XML and opened in a text
editor:
<?xml version=“1.0”
encoding=“UTF-8”?>
<!DOCTYPE plist PUBLIC “-//Apple//DTD PLIST 1.0//EN”
“http://www.apple.com/DTDs/PropertyList-1.0.dtd”>
<plist
version=“1.0”>
<dict>
<key>DirectionsFileVersion</key>
<integer>2</integer>
<key>DirectionsMode</key>
<integer>2</integer>
<key>EndSearchProto</key>
<data>
CAAQABgAIAA1AAAAAJoBDk4gQ2x5Ym91cm4gQXZlogEWVy1SZmlwNUticDJXaEhwNVBm
bFBkQagB16n/E7ABnMmY1v//////AbgB/////wfAAQDIAQDYDAA=
</data>
<key>Responses</key>
<array>
<dict>
<key>Mode</key>
<integer>2</integer>
<key>ResponseData</key>
<data>
CAAQACswADovCgtOIE1hcmlvbiBTdBIOCAVyCgiqxvknEOOM3lMa
DkZaVXhmd0lkemp6RS1nIAAsKzAAOjIKDk4gQ2x5Ym91cm4gQXZl
Eg4IBXIKCK7T/icQx+3OUxoORmRmVWZ3SWRuQ1RHLWcgACxDSp4F
When the same file is left as a binary plist and opened in a text
editor, the data is difficult to decipher, but the directions are legible (see Figure 6.9 ).
Notes
This application allows the user to create
notes, and stores the date and time when the note was created.
File system layout
/private/var/mobile/Library/Notes:
• notes.db:
Stores the note contents and other metadata.
• notes.idx: An index file which also contains note
fragments.
Databases/plists
notes.db
This database
contains all allocated notes as well as creation and modification timestamps. The following
tables are contained in the notes.db file:
Note
NoteChanges
_SqliteDatabaseProperties
note_bodies
sqlite_sequence
Analyst notes
This app is pretty straightforward. There is one file that needs to
be analyzed: notes.db. Upon opening it in a database browser, the “Note” table is where an
examiner should focus his or her attention. The “note_bodies” table also contains note
content; however, this same data is available in the Note table. The following is a
breakdown of each of the columns within the Note table that contain relevant information and
a definition of each:
• ROWID: A sequential,
unique number assigned to each note. The “sqlite_sequence” table tracks the last assigned
ROWID for the Note table.
• creation_date: Timestamp in OS X Epoch; when converted,
this will show the date and time the note was created (see “Advanced Forensic Analysis”
section for details on converted timestamps).
• title: Note content.
• modification_date:
Timestamp in OS X Epoch; when converted, this will show the date and time the note was
modified (see “Advanced Forensic Analysis” section for details on converted
timestamps).
Web browsing
The Safari web
application is used on an Apple device to allow web browsing. Various types of data can be
found within this application.
File system layout
/private/var/mobile/Library/Safari:
• Bookmarks.plist or
Bookmarks.db: Contains locations bookmarked by the user (with iOS 4, bookmarks are stored
in a database).
• History.plist: Contains the URL visited by the user; also stored is the last
visited URL and the date and time it was accessed.
• SuspendState.plist: May contain deleted web
history, Google search terms, and the last visited URL.
Databasess/plists
Bookmarks.plist or Bookmarks.db
These files contain information related to
websites that were bookmarked by the user. When looking at the XML plist in a text editor,
the data is organized as follows, with the URL and website title shown within the
<string> tags:
<?xml version=“1.0”
encoding=“UTF-8”?>
<!DOCTYPE plist PUBLIC “-//Apple//DTD PLIST 1.0//EN”
“http://www.apple.com/DTDs/PropertyList-1.0.dtd”>
<plist
version=“1.0”>
<dict>
<key>Children</key>
<array>
<dict>
<key>URIDictionary</key>
<dict>
<key></key>
<string>http://chicago.cubs.mlb.com/schedule/index.jsp?c_id=chc</string>
<key>title</key>
<string>2010 Cubs Schedule | cubs.com:
Schedule</string>
</dict>
<key>URLString</key>
<string>http://chicago.cubs.mlb.com/schedule/index.jsp?c_id=chc</string>
<key>WebBookmarkType</key>
<string>WebBookmarkTypeLeaf</string>
<key>WebBookmarkUUID</key>
<string>1CAFF247-95A0-4D99-8DF8-3EC5377798A7</string>
</dict>
For devices running iOS 4.0 or higher, bookmarks are stored in
bookmarks.db file. The database contains the following tables:
bookmark_title_words
bookmarks
generations
sync_properties
The
“bookmarks” table contains the most significant data, including the title of the website
and URL, similar to that shown in the plist. The database is, however, a bit easier to
read, as it is organized into rows and columns as opposed to XML format.
History.plist
The user's visited websites are stored in the History.plist file as
well as the last visited URL and the date and time it was accessed. In the example that
follows, there is one history item shown, which includes the URL as well as the OS X Epoch
timestamp for the last time this site was visited. To convert this timestamp, see the
“Advanced Forensic Analysis” section earlier in this chapter.
<dict>
<key></key>
<string>http://chicagocubs.com/</string>
<key>D</key>
<array>
<integer>1</integer>
</array>
<key>WebViewportArguments</key>
<dict>
<key>height</key>
<real>-1</real>
<key>initial-scale</key>
<real>-1</real>
<key>maximum-scale</key>
<real>-1</real>
<key>minimum-scale</key>
<real>-1</real>
<key>user-scalable</key>
<real>-1</real>
<key>width</key>
<real>-1</real>
</dict>
<key>lastVisitedDate</key>
<string>304450956.3</string>
<key>redirectURLs</key>
<array>
<string>http://chicago.cubs.mlb.com/index.jsp?c_id=chc</string>
</array>
<key>title</key>
<string>The
Official Site of The Chicago Cubs | cubs.com:
Homepage</string>
<key>visitCount</key>
<integer>1</integer>
</dict>
SuspendState.plist
This
file contains additional web history, some of which can also be found in History.plist.
However, deleted web history is also found in this file which is not the case for
History.plist. The data structure is similar for both files; however, only the URL and
website title is shown in Suspend State.
Analyst notes
Each of the Safari data files (Bookmarks, History, and Suspend State) by default are in
binary plist format, just as the files within the Maps directory. In this instance, however,
the data can be easily viewed and examined by opening the file with the space bar on a Mac.
When attempting to open the Safari binary plists in a text editor, the data is not formatted
appropriately. Using plutil, or another utility to convert the binary plists to XML, the
information is displayed in a more organized manner (as shown in the examples for each
plist).
Allocated web history will be stored in
History.plist, but in order to access deleted web browsing data, the SuspendState.plist must
be analyzed. The only downside to SuspendState.plist is that timestamps are not shown as
they are in History.plist.
Voicemail
The Voicemail app
stores messages that have been left for the user on the device.
File system layout
/private/var/mobile/Library/Voicemail:
•
voicemail.db: Contains information about each of the allocated voicemail
files.
•
_subscribed: This is typically an empty file.
• .amr files: These are the actual voicemail
files that can be listened to using a media player.
Databases/plists
voicemail.db
This database contains information about the voicemails stored on
the device. The following tables are contained in this file:
_SqliteDatabaseProperties
sqlite_sequence
voicemail
The “voicemail”
table should be the main focus for an examiner. The following is a breakdown of each of the
columns within the voicemail table that contain relevant information and a definition of
each:
• ROWID: A sequential, unique number assigned to each
voicemail. The “sqlite_sequence” table tracks the last assigned ROWID for the voicemail
table.
•
date: The date and time that the voicemail was created in Unix Epoch
timestamp.
• sender: The phone number of the user who left the voicemail.
• callback_num: The phone
number of the user who left the voicemail.
• duration: The duration of the voicemail
message.
• expiration: The date and timestamp when the voicemail expires (1 month after the
creation date).
• trashed_date: If applicable, this is the date and time that the user placed
the voicemail in the “Deleted” folder.
Analyst notes
The database contains details about each of the voicemails; however,
to actually listen to the messages, the examiner must open the “.amr” files using a media
player. These files are named after the ROWID in the database. For example, for ROWID “6,”
the equivalent voicemail will be “6.amr”.
The iPhone
contains a feature known as visual voicemail. This allows the user to visually see the
different voicemails contained on their device. If they wish to delete a voicemail, they can
select that option on the touch screen. However, from a forensic standpoint, it is important
to understand that when deleted, the voicemail first goes to a “Deleted” folder that can
actually be seen in the Voicemail application on the device. The user can then go into this
folder and either restore that voicemail or permanently delete it (think of this as a
Windows Recycle Bin). Oftentimes, a logical acquisition tool will report a voicemail as
“Deleted” when in fact it is simply sitting in the “recycle bin” on the device.
It is easy to determine from the voicemail database whether any
records have been permanently deleted by taking a look at the ROWIDs. Since they increment
by 1, if there is a missing number, it can be assumed that the missing record was deleted by
the user. SQLite analysis techniques can be used to try and recover these deleted
rows.
YouTube
The YouTube mobile application can be used to
search for and view videos on the Internet.
File system layout
/private/var/mobile/Library/Preferences/:
•
com.apple.youtube.plist: Contains YouTube video Bookmarks, History, and most recent
search terms.
Databases/plists
com.apple.youtube.plist
This
plist contains data related to the YouTube mobile application on the device. When a user
watched a video using this app, it is stored as a history item. The user also has the
ability to add videos to his or her “Favorites,” which show up as bookmarks in the plist
that follows:
<dict>
<key>Bookmarks</key>
<array>
<string>t1yPhNZ1B1Q</string>
<array/>
<key>History</key>
<array>
<string>t1yPhNZ1B1Q</string>
<string>Kxa0mnDj0bs</string>
<string>qla13aWrNP4</string>
<string>L_zRDchkDXg</string>
</array>
<key>lastSearch</key>
<string>golf swing
tips</string>
<key>selectedCategory</key>
<string>YTSearchCategoryController</string>
</dict>
Analyst notes
At
first glance, the bookmarks and history items appear to be encrypted data. However, the
characters within the <string> tags are actually a YouTube ID. This ID can be copied
into a URL in order to view the actual video. For example, here is the URL for a random
YouTube video: http://www.youtube.com/watch?v=1yk8bC6QDYo . The string of characters following the
“=” sign is the ID. By replacing this ID with one shown in the plist, the YouTube bookmarks
and history can easily be viewed.
The most recent YouTube
search performed by the user is also in this file, and is shown under the “last Search” key.
In this example, the most recent search was “golf swing tips.”
Photos/videos
Photos and videos that have been taken from or synced to the device
are also stored within the file system. The original iPhone model as well as the generation
following it (3G) did not originally contain an on-board application that allowed recording
videos from the device. For this reason, users turned to the App Store for applications that
would allow them to perform this function. However, this changed with the later models, and
the “Camera” could be used for both pictures and videos. Videos recording from the on-board
camera could then be recovered from the device.
File system layout
/private/var/mobile/Media/:
• /DCIM/100APPLE: Contains
the photos and videos that have been taken from the device.
• /DCIM/999APPLE: Contains
screen shots of the device taken by the user.
• /PhotoData/Photos.sqlite (iOS 4 only):
Contains metadata for photos and videos on the device.
Databases/plists
photos.sqlite
This table stores information about the allocated photos and videos
within the device. Photos.sqlite contains the following tables:
Globals
Keyword
Photo
PhotoAlbum
PhotoAlbumToPhotoJoin
PhotoExtras
sqlite_sequence
The
“Photo” table is where an examiner should focus his or her analysis in this database. The
following is a breakdown of the columns that contain important information as well as a
definition of each:
• title: The name of the
file (minus the extension).
• captureTime: The OS X Epoch timestamp for when the photo
or video was taken.
• width: The width of the photo; this field will show a “0” if the file is a
video.
•
height: The height of the photo; this field will show a “0” if the file is a
video.
•
directory: The path to where the file is stored within the file system. This field will
typically say “DCIM/100APPLE.”
• filename: The name of the file, including the extension
(usually .jpg or .mov).
• recordModDate: The OS X Epoch timestamp for when the
photo or video was modified.
Analyst notes
Most examiners will want to see not only the photos that were stored on the device but also
information about these photos. By using the information retrieved from the photos.sqlite
database in combination with the actual photos or videos stored in the 100APPLE or 999APPLE
folder, the examiner can determine information such as when those photos were taken or
modified. Some of the advanced techniques discussed earlier, such as using a hex editor or
the “strings” command, can help to locate deleted files within the database as well. While
deleted videos are extremely difficult to recover (and sometimes impossible), deleted photos
can be recovered through file carving. Unfortunately, at this time the metadata cannot be
paired up with the recovered file because the photo no longer has its original file name,
timestamps, etc.
User account info
User account and other login
data are stored in the device's Keychain file.
File system layout
/private/var/Keychains:
• keychain-2.db: Contains
e-mail account information.
Databases/plists
keychain-2.db
The keychain database contains various tables that store user login information for
various accounts and applications within the device. These may include wireless access
points, iTunes store logins, user credentials for any third-party applications, voicemail
accounts, and more. Here is a listing of the tables contained within this
database:
cert
genp
inet
keys
sqlite_sequence
tversion
Analyst notes
The “inet”
table is where e-mail account data can be found, and the “genp” table is where the remaining
login data can be located. As the “inet” table has been elaborated on in the Mail section,
we will discuss only the “genp” table here. The following is a breakdown of each of the
columns within the genp table that contain relevant information and a definition of
each:
• acct: Name of the account (i.e., username, Wi-Fi
connection, e-mail address).
• svce: Description of the account (i.e., AirPort, Enhanced
Voicemail, com.apple.itunesstored.keychain,
<third-party-application>).
• data: This field typically contains the password in
encrypted format.
• agrp: The name of the Keychain access group (these are used to share data
between applications).
In Chapter 5 , we
discussed the possibility of using Elcomsoft's iPhone Password Breaker to decrypt an
encrypted backup file, and therefore gain access to passwords within the keychain file. This
method is successful only with a device running iOS 4 or higher, and the backup file must be
encrypted.
Another option is available on jailbroken
devices only. The “keychain_dumper” utility, developed by Patrick Toomey, is run from the
device and can decrypt Keychain passwords on the fly. To acquire and use this tool, the
following instructions should be followed:
1. Download
keychain_dumper from: https://github.com/ptoomey3/Keychain-Dumper .
2. Look at the README files for details on
how to install. The developer steps the user through the installation
process.
3.
Make sure ldid is installed on the jailbroken iPhone. To do this, download the
“Aptbackup” package from Cydia, then run the following command on the device (this can be
done through the Mobile Terminal application from Cydia, or the command can be run
through a remote connection): $ apt-get install ldid (Hint: for details on how to
remotely connect to a jailbroken device, refer to Chapter 5 –
“Acquisition – Jailbroken Device”).
4. Upload keychain_dumper to iPhone /usr/bin using scp
(again, refer to Chapter 5 ).
5. Dump “entitlements” (aka access groups) from the keychain
database using the following command: ./keychain_dumper -e >
/var/tmp/entitlements.xml.
6. Sign the entitlements into keychain_dumper using the
following command (NO space between S and /var): ldid -S/var/tmp/entitlements.xml
keychain_dumper.
7. Dump contents to screen or output to a text keychain_dumper >
keychainresults.txt.
Assuming that
the application developer was leveraging the Keychain file and was not using an alternative
form of encryption, the passwords should be available in clear text and displayed in a
format similar to the following:
Service:
Facebook
Account: [email protected]
Entitlement Group:
AB92F8A1L.*
Label: Generic
Field: data
Keychain Data:
fbpassword987
Geographical info
Many
apps, both default and third party, store GPS data on the iPhone. As an example, both the
Camera and Google Maps application prompts the user to store their current GPS location prior
to taking a picture or searching directions. This type of data is stored within the iPhone's
file system and can be recovered.
File system layout
/private/var/root/Library/Caches/locationd: Some of the following files may or may not
appear in the locationd folder, depending on the firmware version running on the device.
Listed here are the files that contain significant data, and a couple of these are discussed
in further detail in the “Databases/plists” section that follows.
• cache.plist: Contains the device's last GPS fix.
• cells.plist: Contains
information related to the cell towers the device was connected to and the date and time
of connection.
• clients-b.plist: Contains a list of “blacklisted” or unauthorized
applications.
• h-cells.plist: Contains additional information on cell tower logs, including
GPS coordinates and timestamps.
• consolidated.db: Contains cell tower logs, GPS
coordinates, and wireless connections specific to the device as well as timestamps for
each of these occurrences.
Databases/plists
consolidated.db
The files contained in the locationd folder will vary depending on the iOS version. iOS 4
devices now contain the “consolidated.db” file. It contains a wealth of GPS data, cell
tower logs, and Wi-Fi connection information. This database has been discussed in the
“iPhone Data Storage Locations” section earlier in this chapter; however, its contents are
summarized here as well. The following is a listing of the tables contained within this
database:
Cell Fences
CellLocation Location
CellLocationBoxes LocationHarvest
CellLocationBoxes_node LocationHarvestCounts
CellLocationBoxes_parent Wifi
CellLocationBoxes_rowid WifiLocation
CellLocationCounts WifiLocationCounts
CellLocationHarvest WifiLocationHarvest
CellLocationHarvestCounts WifiLocationHarvestCounts
CompassSettings
The main
tables on which an examiner should focus his or her analysis are CellLocation and
WifiLocation; however, the other tables should also be reviewed to ensure that no
information is missed. For complete details related to the interpretation of the
information contained in the CellLocation and WifiLocation tables, refer to the earlier
section on “Geographical Location Data.”
cache.plist
This file
contains what is referred to as the last GPS fix on the device. More specifically, it
contains the most recent GPS location that the device was connected prior to being powered
off or disconnected from Wi-Fi/cellular networks. At the beginning of this file, the
following data is displayed:
<key>CLLocationCore::kLastFix</key>
<dict>
<key>Altitude</key>
<real>0.0</real>
<key>HorizontalAccuracy</key>
<real>500</real>
<key>Latitude</key>
<real>41.873892060000003</real>
<key>Lifespan</key>
<real>-1</real>
<key>Longitude</key>
<real>-87.794191889999993</real>
<key>Suitability</key>
<integer>65534</integer>
<key>SupportInfo</key>
<dict>
<key>kCLSupportInfoCell</key>
<dict>
<key>kCLSupportInfoCell_CI</key>
<integer>12781</integer>
<key>kCLSupportInfoCell_Index</key>
<integer>0</integer>
<key>kCLSupportInfoCell_LAC</key>
<integer>21205</integer>
<key>kCLSupportInfoCell_MCC</key>
<integer>310</integer>
<key>kCLSupportInfoCell_MNC</key>
<integer>410</integer>
<key>kCLSupportInfoCell_RSSI</key>
<integer>-105</integer>
<key>kCLSupportInfoCell_TA</key>
<integer>-1</integer>
<key>kCLSupportInfoCell_TATime</key>
<real>0.0</real>
</dict>
<key>kCLSupportInfoCell_Mineable</key>
<true/>
<key>kCLSupportInfoPos_Technology</key>
<string>kCLSupportInfoPos_Technology_Cell</string>
</dict>
<key>Timestamp</key>
<real>304616134.30302697</real>
<key>VerticalAccuracy</key>
<real>-1</real>
In the very first line, the “LastFix” key is displayed, followed by
a long list of data. The latitude and longitude coordinates are displayed, which must be
converted in order to recover the actual address of that location (Google Maps can be used
for this purpose as well as for performing a search within a web browser for “GPS
coordinates converter”). Cell tower logs are also listed as well as a Timestamp is shown in
OS X Epoch time.
cells.plist
This file contains information on
the cell towers that the device was connected to. The following is an example of the data
structure within cells.plist:
<key>310,410,0x1e7a</key>
<string>2,+41.88355916,-87.62691020,8000.000000,240,304557710.149</string>
<key>310,410,0x1e94</key>
<string>2,+41.93214869,-87.64807087,8000.000000,240,304557710.149</string>
<key>310,410,0x52d3</key>
<string>2,+41.95102542,-87.92777836,13030.000000,240,304557710.149</string>
<key>310,410,0x52d4</key>
<string>2,+41.87647861,-87.62853527,8000.000000,240,304557710.149</string>
Within the “key” tags is the MCC, the MNC, and the LAC in hex. To
convert from hex to decimal, an examiner can use a calculator or a web search for “hex to
decimal converter.”
Within the “string” tags are latitude
and longitude coordinates as well as a timestamp in OS X Epoch time. Information within
this file is very similar to that shown in the “CellLocation” table of the consolidated.db
file.
Analyst notes
While these files appear to contain very
important information on where the device was, what cell towers it was connected to, and the
specific dates and times of these occurrences, it is also important to note that there has
not been much research on these files. Oftentimes, the data in these files place the device
at multiple geographic locations at the same time. Therefore, this information should be
used as a guideline only when performing an investigation.
Third-party (downloaded) applications
A few of the popular applications that can be
downloaded on an iPhone are discussed in this section. Of course, maintaining a complete
reference would be nearly impossible due to the sheer number of applications. Just as with the
default applications, there is a standard location where much of the important data can be
recovered. Third-party apps are most commonly stored within the
/private/var/mobile/Applications folder, and the following sections highlight the specific
files that can be recovered for each of the listed apps as well as the techniques for viewing
these files.
For each application, the following is
provided:
• App information
• A list of important files
and directories
• Database or property list files that contain meaningful data
• Analyst
notes
With the Facebook iPhone application,
individuals can send messages to their friends, upload and view photos, and even check into
their favorite restaurant or store to let their friends know where they are. When this app is
used, much of this information is stored within the device and can easily be recovered with a
basic understanding of the file system.
File system layout
/private/var/mobile/Applications/<Facebook Application Identifier>/:
• /Documents/friends.db: Contains a list of all the user's
Facebook friends as well as a link to their profile pictures.
•
Library/Preferences/com.facebook.Facebook.plist: Contains the user's Facebook login
(which is also an e-mail address).
Databases/plists
friends.db
This
file contains two tables: “friend” and “meta”. The “friend” table stores full details
related to the user's Facebook friends, including their first and last names, links to
their profile pictures, and phone/cell/email fields, which are encrypted or formatted in a
way that is not readable by the examiner.
Analyst notes
In
addition to the allocated files recovered from the Application folder, much more app data
can be recovered through additional techniques. After running the “strings” command on the
entire disk image (refer to the earlier section on “Analysis Techniques” for details on
running strings), simply doing a search for the user's Facebook login will recover
additional data. Some of this data includes status updates, messages written on the user's
wall, and actual messages that were sent to or from the user.
Groupon
Groupon is a service that provides local deals and coupons, allowing users to
purchase gift certificates for various businesses at a large discount. The Groupon iPhone
application allows the user to purchase, manage, and redeem these coupons through their
mobile device. Some of the user's personal information, which is needed for this application,
is stored on the device.
File system layout
/private/var/mobile/Applications/<Application
Identifier>/Documents/v1/users/<username>/groupons:
• myGroupons.plist: Contains a list of the Groupons purchased by the user and when they
were purchased.
• userInfo.plist: Contains the user's personal information, including full
name, address, e-mail address, and more.
/private/var/mobile/Applications/<Application
Identifier>/Preferences/:
•
com.groupon.grouponapp.plist: Contains user ID and user login (e-mail
address).
Databases/plists
myGroupons.plist
This file
contains a list of the Groupons that were purchased by the user as well as when they were
purchased, and the price of the Groupons. The following is an example of the type of data
that might be seen for each purchased item:
<dict>
<key>available_quantity</key>
<real>1</real>
<key>deal_id</key>
<string>gap-inc-chicago</string>
<key>deal_title</key>
<string>$50 Groupon to
Gap</string>
<key>expires_at</key>
<string>2010-11-20T05:59:00Z</string>
<key>price</key>
<string>25.00USD</string>
<key>purchased_at</key>
<string>2010-08-19T18:48:44Z</string>
<key>total_quantity</key>
<real>1</real>
<key>unused_quantity</key>
<real>1</real>
<key>updated_at</key>
<string>2010-08-19T18:48:44Z</string>
<key>vendor_name</key>
<string>Gap</string>
</dict>
userInfo.plist
This file
contains a significant amount of personal user information. In order to purchase the
Groupons, a user typically sets up a credit card within their account. In this userInfo
file, data such as the name, address, expiration date, and last four digits of the credit
card number can be recovered (in the following example, the actual credit card numbers were
replaced with “1111” for security reasons). The user's personal e-mail address is also
stored here.
<key>user</key>
<dict>
<key>billing_records</key>
<array>
<dict>
<key>city</key>
<string>Oak
Park</string>
<key>country</key>
<string>United States</string>
<key>expires_at</key>
<string>8/2012</string>
<key>first_name</key>
<string>Katie</string>
<key>id</key>
<real>2618317</real>
<key>last_name</key>
<string>Strzempka</string>
<key>number</key>
<string>****-1111</string>
<key>postal_code</key>
<string>60301</string>
<key>state</key>
<string>IL</string>
<key>street_address_1</key>
<string>1000 Lake
Street</string>
<key>street_address_2</key>
<string></string>
<key>type</key>
<string>visa</string>
</dict>
</array>
<key>credits_available</key>
<real>0.0</real>
<key>email</key>
<string>[email protected]</string>
<key>email_addresses</key>
<array>
<string>[email protected]</string>
</array>
<key>first_name</key>
<string>Katie</string>
<key>id</key>
<string>katie-strzempka</string>
<key>last_name</key>
<string>Strzempka</string>
<key>referral_code</key>
<string>uu2198074</string>
<key>reward_points_available</key>
<real>0.0</real>
</dict>
Analyst notes
The information within these files is fairly straightforward. To view the property lists,
they have to be first converted from binary to XML using plutil (or another utility). The
date and time do not need to be converted. When this app is being analyzed, the plists in
the “dealLocations” and “deals” folders should not be confused with those listed under the
specific user name. The Groupons listed in those two folders are simply coupons that were
available, but the user did not actually purchase them.
Kik Messenger
Kik Messenger is an application downloaded by users in order to
replace the existing text messaging application on their device. It is intended to provide a
faster, more reliable interface for exchanging messages as well as a replacement for
expensive text messaging plans. Just as the SMS App Stores its content, Kik's data is also
stored in various locations on the device.
File system layout
/private/var/mobile/Applications/<Application Identifier>/:
• /Documents/kik.sqlite: Stores message content, and user names and display
names for all contacts within the app.
• /Library/Preferences/com.kik.chat.plist: Stores user name,
password, and e-mail address.
Databases/plists
kik.sqlite
Much
of the data specific to the applications is stored in the kik.sqlite database. The
following lists out the tables within:
ZKIKMESSAGE
ZKIKUSER
Z_METADATA
Z_PRIMARYKEY
The
ZKIKMESSAGE table contains the message content. The following is a listing of the
significant columns within this table as well as a description of each:
• ZTIMESTAMP: This is the timestamp (OS X Epoch) that
translates to the date and time when the message was sent or received.
• ZBODY: This field
contains the message body.
The
ZKIKUSER table stores all the contacts within the app. Within this table is each
individual's user name, kik.com address (“ZJID”), and display name.
com.kik.chat.plist
This file stores a significant amount of sensitive login
information, including e-mail address, first and last name, username, and password. An
example of the data that can be seen within this plist is as follows:
<dict>
<key>deviceToken</key>
<string>f32dd7c4ff4644ce2d0f8562a8b4f272a3df3c4a1066e443df2ed91bfb0df969</string>
<key>deviceTokenUpdated</key>
<false/>
<key>doAddressBookMatching</key>
<false/>
<key>email</key>
<string>[email protected]</string>
<key>emailConfirmed</key>
<false/>
<key>firstName</key>
<string>Via</string>
<key>has_asked_to_rate_app</key>
<false/>
<key>install_date</key>
<date>2010-11-09T17:33:50Z</date>
<key>lastName</key>
<string>Forensics</string>
<key>username</key>
<string>viaForensics</string>
<key>wipeCoreData</key>
<false/>
<key>xmppIsRegistered</key>
<true/>
<key>xmppPassword</key>
<string>789kik123</string>
<key>xmppUsername</key>
<string>viaForensics_dvy</string>
</dict>
Analyst notes
The files described in this section contain a significant amount of data; however, this is
data that has not been deleted from within the app. To recover deleted information, it is
suggested that an examiner use some of the additional analysis techniques described earlier
in this chapter. For example, looking at the disk image in a hex editor and searching for a
unique user name should recover messages sent to or from that user, including some deleted
data.
DropBox
The DropBox iPhone app allows the capability to
upload and download files to be stored in the cloud. With this app, users can download or
upload files for offline viewing, such as documents, photos, or videos.
File system layout
/private/var/mobile/Applications/<DropBox Application
Identifier>/:
• /Documents/Dropbox.sqlite: Contains names
of files stored within DropBox for those that have been viewed.
•
/Library/Preferences/com.getdropbox.Dropbox.plist: Contains the DropBox username (which
is an e-mail address) as well as DropBox favorites.
• /Library/Caches/Dropbox: Contains actual
documents.
• /Library/Caches/Three20: Contains JPG images that were uploaded or downloaded to or
from DropBox.
• /Library/Caches/Dropbox/FavoriteFiles.plist: Contains files marked by the
user as favorites.
Databases/plists
Dropbox.sqlite
This database
contains the following three tables:
ZCACHEDFILE
Z_METADATA
Z_PRIMARYKEY
The ZCACHEDFILE
table stores files that were viewed by the user as well as the metadata associated with
those files. The “ZPATH” column stores the file name, including the full path from DropBox.
It also contains an OS X Epoch timestamp for each file in the “ZLASTVIEWED” column, which
tells when the user last viewed that particular file.
com.getdropbox.Dropbox.plist
This file lists all the files that the user has marked as
favorites, as well as other metadata related to those files. The Dropbox user name is also
stored here. An example of the data that can be viewed is as follows:
<key>Dropbox
Favorites</key>
<array>
<dict>
<key>bytes</key>
<integer>289688</integer>
<key>icon</key>
<string>page_white_acrobat</string>
<key>is_deleted</key>
<false/>
<key>is_dir</key>
<false/>
<key>modified</key>
<string>Sat, 20 Nov 2010
18:12:13 -0500</string>
<key>path</key>
<string>/iPhoneBook/Physical-Acquisition.docx</string>
<key>revision</key>
<integer>142384111</integer>
<key>size</key>
<string>282.9KB</string>
<key>thumb_exists</key>
<false/>
</dict>
</array>
<key>Dropbox
Username</key>
<string>[email protected]</string>
<key>DropboxBrowseState</key>
Analyst notes
In addition to the allocated files described in this section, data
carving methods can also be performed on the iPhone.dmg file to recover the actual files
that were stored within DropBox, including deleted files. As data carving extracts .doc,
.pdf, .jpg, and more, this method can be very useful.
If
the iPhone user's computer is also available, be sure to look for a DropBox folder on their
machine in order to recover additional files.
Mint.com
Mint.com
allows an individual to collectively manage his or her finances in one central location. All
bank accounts, investments, loans, and more are synced to this app, allowing users to budget
and manage their money accordingly. This particular app also tends to store much of this
information on the device.
File system layout
/private/var/mobile/Applications/<Mint.com Application
Identifier>/Documents:
• mint_gala.db: Stores all
transactions within the app, including account name, balance information, and a
description of the transaction.
Databases/plists
mint_gala.db
This database contains several different tables, with many of these tables storing
sensitive application data. The following contains a list of the tables within
mint_gala.db:
account
alert
attributes
budget
budget_overall
category
fi_login
investment
refresh
spending
transaction_bankcc
transaction_usertag
user
user_tag
version
The account table stores a list of the accounts synced within the app. Here, an
examiner can view the name of the account and the user's balance for each
account.
The alert table contains details on the alerts
sent to the user. Within the app, there is a setting to allow mint.com to notify the user
when a bill is due, or the amount he or she spent within a certain category, or when a
deposit went through. Within this table, an examiner can view the details of that
particular alert, a Unix Epoch timestamp for when the alert was sent, and the alert “Type”
(such as Bill, Overbudget, or Large Deposit).
The
transaction_bankcc table stores a detailed description of each transaction completed for
each of the accounts. These transactions do not need to be done within the app on the
device. For example, for every purchase a user makes on his or her credit card, details
related to these purchases will be shown within this table. The following columns within
this table contain important data:
• description: A
description of the transaction (i.e., Chipotle, Best Buy, Transfer to Chase
Checking).
• amount: The amount of money credited or debited for that
transaction.
• categoryID: The category this transaction falls under; the category number
shown in this field corresponds with the category name shown in the “category”
table.
•
datePostedString: The date on which the transaction occurred.
• yodDesc: This field
contains more details related to the transaction, and depending on the account used, may
even contain account numbers.
Analyst notes
While only a few
of the tables have been discussed, there is additional data in the remaining tables. If an
examiner is required to analyze the mint.com mobile app, he or she should be sure to review
all the data meticulously so as not to miss any data.
With
this particular app, the user has the option to log out of the app. If this is done, no data
will be found in the mint_gala.db file. All of this information is still stored on the
device, but advanced techniques (such as those discussed earlier in the chapter) are
required to recover the data.
Windows Live Messenger
The
Windows Live Messenger app allows a user to use instant message, check e-mail, and use
certain features within Windows Live, Facebook, and MySpace. When used regularly, some of
this data can potentially be recovered from the device.
File system layout
/private/var/mobile/Applications/<Windows Live Messenger Application
Identifier>:
• /Documents/CurrentUserName.tmp: Contains
the current user's hotmail e-mail address used within the
application.
Databases/plists
The
CurrentUserName.tmp file is actually a plist, and when analyzed contains the user's hotmail
address. This is a binary plist and would typically require a tool such as plutil to be
converted to XML; however, as the file contains only the user name, viewing the binary plist
to retrieve this data works just as well.
Analyst notes
Aside from the
user name (or hotmail e-mail address in this case), Windows Live Messenger did not appear to
store specific app data. Keep in mind that version 1.1.1 was analyzed for this example, and
future versions may store additional data.
Summary
In this chapter, data and application analysis techniques were covered as well as where data is stored within the iPhone's file system. The task of mounting a disk image on various platforms was mentioned, followed by file carving and other data extraction techniques. Since many files on an iOS device have timestamps associated with them, timeline creation and analysis was mentioned as a key component to any investigation. The reader was walked through the process of installing a timeline analysis kit, running the tool, and finally analyzing the data. Advanced forensic techniques were also covered, specifically using a hex editor to analyze the disk image.
In the next section, the iPhone's file system hierarchy was stepped through in order to point out where common data was stored. The location of data files for default applications as well as downloaded third-party applications was outlined within this section, in addition to other important files that can be crucial to an investigation but are otherwise buried deep within the file system's folder structure.
The chapter is wrapped up with the iPhone application analysis and reference section. Here, a list of popular applications (including those that are incorporated by default on the device) is parsed in order to demonstrate to the reader where important data and files can be found. Also included is a detailed “Analysis Notes” section to describe the recovered files and, more importantly, the interpretation of this data.
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.