Search in book...
Toggle Font Controls
Create new playlist

Name your new playlist

Playlist description (optional)
Sign In

Email address

Password

Forgot Password?

or

Continue with Facebook

Continue with Google
Sign Up

Full Name

Email address

Confirm Email Address

Password

or

Continue with Facebook

Continue with Google

Chapter 1. Overview

Chapter points:

• iPhone Models

• Forensic Examination Approaches

This introductory chapter provides an overview of the iPhone, including a timeline of the events leading up to its development. Apple's strategy in focusing on touch-screen development is discussed, as is the significant growth of the iPhone and the active hacking community responsible for the development of many tools and techniques. Details related to the various models are outlined, including a definition of many of the hardware components that make up the device. Finally, the acquisition of an iPhone device is introduced by defining the various ways in which data can be extracted. Each of these topics is briefly touched on in this chapter and expanded upon in greater detail through the remainder of the book.

Keywords: iPhone models, iOS versions, iPhone hardware components, jailbreaking, iPhone leveling, iPhone acquisition

Introduction

Mobile devices have come a long way over the past few years. For a while, cell phones were simply used for making phone calls. As they continued to mature, the capability to send and receive text messages, create calendar events, and save contacts became readily available. Fast forward to the present day, and mobile devices are now being used extensively and serve many purposes. Around 4.6 billion individuals owned cell phones as of early 2010, and the number was expected to reach 5 billion by the end of the year (CBS, 2010). With this increase in popularity came an enormous demand for mobile forensics.

The iPhone was first released to consumers in June 2007. Ever since the first release, the device has increasingly gained in popularity, partly due to its advanced functionality and usability. With the iPhone, individuals now have the capability to check e-mail, take photos, browse the Internet, and do much more. These activities make the iPhone take the place of personal computers (PCs) and digital cameras. In addition to the standard capabilities that exist in the iPhone, endless applications are also available for download to assist with finances or organization, or simply for entertainment.

In the late 1980s, the Newton platform was the company's main focus. This platform was a personal data assistant (PDA), which never really took off. The project ultimately failed in 1998. One year prior to that, Steve Jobs became the CEO of the company. Before the idea of the iPhone was actually formulated, Jobs decided to have Apple start focusing on the idea of touch-screen development rather than PDAs and tablet PCs. Believing that cellular devices were going to become very popular, the company began developing a mobile device that could display pictures and videos and would ultimately have the capability to sync with iTunes. On November 2006, a patent was granted for the Apple iPhone, and in January 2007 Jobs announced the release of the iPhone at MacWorld (Wired, 2008).

Strategy

Apple's strategy over the past few years has shifted away from traditional computing. New and innovative ideas have been developed, disrupting the existing business model. In the music and video genre, several different applications and devices have been developed including the Apple TV, iTunes, and various iPod devices. The mobile category includes the iPhone, while the class of delivery channel items includes both iTunes for synchronization and downloads and the App Store. Finally, the development of the iPad (and previously the Newton device) falls within the Tablet category.

Many of these newer devices have been consolidated onto the iOS platform, with the exception of the Macintosh workstations, which are running OS X. There has been some debate in the past on whether Mac OS X will transform to iOS or perhaps a platform more similar to iOS. The Mac OS X Lion is to be released in the summer of 2011. This operating system is said to have similar qualities as the iOS devices, with the exception of a touch-screen feature. A Mac App Store was released in January of 2011, which enables Mac users to purchase software straight from their computer, similar to the way applications can be purchased through the iTunes App Store (Apple Inc., 2010).

As of 2009, the iPhone had taken third place in smart phone sales worldwide, which constituted 4.4% of the market share (McGlaun, 2010). During the first quarter of 2010 alone, 8.75 million were sold, which was more than half the number for the same period in 2009. Just prior to the release of the iPhone 4, over 50 million iPhones had been sold, and statistics from Q4 2010 show that Apple controlled 25% of the smart phone market in the United States (Slashdot, 2011). With the extreme popularity of the iPhone and the increasing number of devices sold, this mobile device has become one of the main focal points of many forensic investigations.

Development community

Apart from sales, the iPhone has an active hacking community, which has yielded research and tools that support forensic investigations. Some of these tools and techniques were originally used to assist with forensic imaging and are currently used for testing in order to better understand the device. Cydia is a popular application used for these purposes. It allows users with a modified phone to download and run iPhone or iPad applications that are not available in the App Store. More specifically, applications can be found here that may allow an examiner to better understand the iPhone file system and other data contents, such as Mobile Terminal. Jailbreaking, or modifying an Apple device, is not suggested, as it is not a forensically sound method; however, having the capability to remotely connect to a test device for educational purposes can be an invaluable learning experience for an examiner.

Another technique that is commonly used on the iPhone is referred to as “unlocking.” From 2007 to early 2011, AT&T was the only provider that offered service for the iPhone in the United States. In order to function properly, an AT&T SIM (subscriber identity module) card had to be placed into the device to identify itself on the carrier's network. In February 2011, the iPhone 4 became available through another carrier, Verizon. With the device being so exclusive and only available under these two carriers, many iPhone users search for other options. Unlocking an iPhone is a method that allows the device to be used on alternative networks, and various Apple tutorial sites, such as iClarified, provide steps on how to do this. The process typically involves installing an application, running it, and replacing the AT&T SIM card with that of a different carrier. As Verizon is on the CDMA (code division multiple access) network rather than GSM (global system for mobile communications), its version of the iPhone does not come with a SIM card. For this reason, unlocking the iPhone 4 from Verizon's network is impossible using the current methods. Having said that, the Apple user community will undoubtedly develop an alternative method in the future.

The Apple developer site is another resource that can benefit developers, examiners, or individuals interested in the iOS or OS X environments. Once a registered Apple developer, an individual can download Xcode and the iOS software development kit (SDK) to assist in application development. Included in this development suite are an Xcode integrated development environment (IDE), iOS simulator, and additional tools required for iPhone, iPad, and iPod touch application development.

Once the Xcode and iOS SDK are downloaded, the installer must be run in order to use the tools. Once installed, the tools and files shown in Figure 1.1 can be found in the following path: /Developer/Platforms/iPhoneSimulator.platform

B9781597496599000018/f01-01-9781597496599.jpg is missing

Figure 1.1

iPhone Simulator and Xcode Files.

One of the most useful tools within this package is the iOS simulator (as shown in Figure 1.2). This program allows the investigator to select an Apple device and version and use the simulator to test this particular model. For this example, the iPhone running firmware version 4.2 was selected. Among the other options were versions 3.2 (for the iPad) and 4.0.2 and 4.1 (for the iPhone). The software is memory intensive, so one can expect the testing to be a little slow. The simulator starts up with just a few general apps, including Photos, Settings, Game Center, Contacts, and Safari. The user is able to go into these apps, use them as though they were a real device, and even perform additional functions including Toggle In-Call Status Bar, Simulate a Memory Warning, Simulate a Hardware Keyboard, and Lock the device. Lacking from the simulator are some of the more common apps, such as SMS, Calendar, Camera, Notes, and the App Store in order to download additional applications.

B9781597496599000018/f01-02-9781597496599.jpg is missing

Figure 1.2

iPhone Simulator – Screenshots.

The main purpose of the simulator is to be used by application developers in conjunction with Xcode. When Xcode is used to develop an iPhone or iPad application, the code can be tested and run using the simulator on various firmware versions. Testing on the simulator will ensure that the application is performing the way it is expected to.

iPhone models

The original iPhone 2G was released in the United States in June 2007. Simultaneously, iTunes version 7.3 was also released, which would support synchronization with this device. Subsequent models were released in the following years: the 3G in July 2008, 3G(s) in June 2009, and the iPhone 4 in June 2010.

Each device arrives with its own firmware version, which can be found by navigating to Settings > General > About > Version. The purpose of the firmware is to enable certain features, fix bugs or security holes, and assist with the general functioning of the device. Apple will occasionally release new firmware upgrades to resolve some of these issues.

Table 1.1 displays the model number and the initial iOS versions for each device.

**Table 1.1** iPhone Models
Device	Model	Available iOS Versions
2G	A1203	iOS 1.0
3G	A1241	iOS 2.0
3G(s)	A1303	iOS 3.0
4G	A1332	iOS 4.0

In order to identify the device model with the phone powered off, there are a few different things to consider. The first to look for is the model number etched at the back of the casing. Also, the original iPhone had a metal casing, whereas the 3G and 3G(s) had a plastic casing. The 3G(s) has the writings at the back etched in silver to differentiate it from the 3G, which has only the Apple logo in silver. Finally, the iPhone 4 has a unique square design. The corners are less rounded, making it easier to differentiate between the earlier versions. Apple's knowledge base articles can be helpful for this purpose. Details on identifying iPhone models can be found at the following link: http://support.apple.com/kb/HT3939

Table 1.2 shows the specifications and features of each of the models, depending on the storage size (Costello, n.d.).

**Table 1.2** iPhone Specifications
	iPhone (8 GB/16 GB)	iPhone 3G (8 GB/16 GB)	iPhone 3G(s) (16 GB/32 GB)	iPhone 4 (16 GB/32 GB)
Songs held	2,000/4,000	2,000/4,000	4,000/8,000	4,000/8,000
Screen size	3.5	3.5	3.5	3.5
Resolution	480 × 320	480 × 320	480 × 320	960 × 480
Connectivity	Wi-Fi, GSM, Bluetooth	Wi-Fi, UMTS/3G, GSM, Bluetooth	Wi-Fi, UMTS/3G, GSM, Bluetooth	Wi-Fi, UMTS/HSDPA/HSUPA/3G, GSM, Bluetooth
Integrated GPS?	No	Yes	Yes	Yes
Support for App Store	With OS 2.0	Yes	Yes	Yes
Camera (Megapixel)	2	2	3	5
Records video?	No	No	Yes	Yes, 720p HD at 30 fps
Weight (in ounces)	4.8	4.7	4.8	4.8
Size (inch)	4.5 × 2.4 × 0.46	4.5 × 2.4 × 0.48	4.5 × 2.4 × 0.48	4.51 × 2.31 × 0.37
Battery life	Talk/Video/Web: 8/7/6 hours Audio: 24 hours	Talk/Video/Web: 5/7/5 hours Audio: 24 hours	Talk/Video/Web: 5/10/9 hours Audio: 30 hours	Talk/Video/Web: 7/10/10 hours Audio: 40 hours
Price (as of Q1 2011)	Discontinued	Discontinued	US$49	US$199/$299

There were three main differences that separated the 3G from the original iPhone device. One of these features is the addition of the CDMA cellular protocols. W-CDMA is the air interface standard for 3G networks. The intent of adding this protocol was for increased connection speed as well as more efficient support for a greater number of users. The second feature to differentiate the 3G from the 2G is the integrated global positioning system (GPS), which is also found in the 3G(s) and iPhone 4. Finally, the amount of NAND Flash memory increased by a factor of 2 (Semiconductor Insights, n.d.).

iPhone hardware

The iPhone, like most complex electronic devices, is a collection of modules, chips, and other electronic components from many manufacturers. Due to the complex and varied features of the iPhone, the list of hardware is extensive. Table 1.3 consists of a list of many of the components of an iPhone 3G(s), including the manufacturer and model or part number.

**Table 1.3** iPhone 3G(s) Hardware Components
Function	Manufacturer	Model/Part Number
Application processor (CPU)	Samsung	S5L8900B01 – 412 MHz ARM1176Z(F)-S RISC, 128 Mbytes of stacked, package-on package, DDR SDRAM
3D graphic acceleration	Imagination Technologies	Power VR MBX Lite
UMTS power amplifier (PA), duplexer and transmit filter module with output power detector	TriQuint	TQM676031 – Band 1 – HSUPA, TQM666032 – Band 2 – HSUPA, TQM616035 – Band 5/6 – W-CDMA/HSUPA PA-duplexer
UMTS transceiver	Infineon	PMB 6272 GSM/EDGE and W-CDMA, PMB 5701
Baseband processor	Infineon	X-Gold 608 (PMB 8878)
Baseband's support memory	Numonyx	PF38F3050M0Y0CE – 16 Mbytes of NOR Flash and 8 Mbytes of psuedo-SRAM
GSM/EDGE quad-band amp	Skyworks	SKY77340 (824- to 915-MHz)
GPS, Wi-Fi, and BT antenna	NXP	OM3805, a variant of PCF50635/33
Communications power management	Infineon	SMARTi Power 3i (SMP3i)
System-level power management	NXP	PCF50633
Battery charger/USB controller	Linear Technology	LTC4088-2
GPS	Infineon	PMB2525 Hammerhead II
NAND Flash	Toshiba	TH58G6D1DTG80 (8 GB NAND Flash)
Serial flash chip	SST	SST25VF080B (1 MB)
Accelerometer	ST Microelectronics	LIS331 DL
Wi-Fi	Marvell	88W8686
Bluetooth	CSR	BlueCore6-ROM
Audio codec	Wolfson	WM6180C
Touch-screen controller	Broadcom	BCM5974
Link display interface	National Semiconductor	LM2512AA Mobile Pixel Link
Touch-screen line driver	Texas Instruments	CD3239

The Samsung CPU is an RISC (reduced instruction set computer) processor that runs the core iPhone processes and works in conjunction with the PowerVR co-processor for graphics acceleration. The CPU is underclocked to 412 MHz (from a possible 667 MHz), presumably to extend battery life. Many of the internal components vary depending on the iPhone model. Semiconductor Insights is a significant resource in understanding the inner workings of many different types of devices. Their device library includes many mobile devices, including the iPhone. A report is completed for each device, which includes a description of the product, details on how to disassemble and reassemble the device, tear down photos, hardware components, and much more (Semiconductor Insights, n.d.).

The baseband is another essential component on the iPhone. The baseband manages all the functions that require an antenna, notably all cellular services. Unlocking the device was mentioned earlier. During this process, the baseband is the part of the device that is hacked in order to allow the iPhone to connect to a different cellular network. There are different baseband versions, which is why the unlocking process must constantly be modified. When a new device comes out, such as the iPhone 4, it will arrive with a different baseband version. The baseband version can be found under Settings > General > About > Modem Firmware, as shown in Figure 1.3.

B9781597496599000018/f01-03-9781597496599.jpg is missing

Figure 1.3

Baseband Version – Modem Firmware.

The baseband processor has its own RAM and firmware in NOR Flash, separate from the core resources. It functions as a resource to the main CPU. The Wi-Fi and Bluetooth are managed by the main CPU, although the baseband stores their MAC addresses in its NVRAM.

The images displayed in the next page, courtesy of Semiconductor Insights, were taken after an iPhone 3G(s) was manually dismantled: Figure 1.4 is an image of the top of the device and Figure 1.5 is of the bottom.

B9781597496599000018/f01-04-9781597496599.jpg is missing

Figure 1.4

iPhone Tear-down Image – Top.

B9781597496599000018/f01-05-9781597496599.jpg is missing

Figure 1.5

iPhone Tear-down Image – Bottom.

Forensic examination approaches

Similar to any forensic investigation, there are several approaches that can be used for the acquisition and analysis of information. A key aspect of any acquisition, arguably the most important, is that the procedure does not modify the source information in any manner. Or, if it is impossible to eliminate all modifications, which is the case with many live systems or mobile devices, the analyst must detail the changes and the reasons why it was necessary. Unlike traditional computer forensics, in the mobile world you cannot simply remove the hard drive, attach it to a write blocker, image, and finally analyze the data. However, the characteristic of NAND memory, the primary storage mechanism, is to retain data on the device, which heightens the forensic value.

As mentioned above, any changes made to the device must be thoroughly understood and documented. As an example, many of the logical acquisition tools write a small amount of data to the device in order to install their software. The program then gathers information from the other applications on the device and transports the data over a physical or wireless connection. Understanding what programs or files are being copied to the device as well as where they are being copied to is vital information for a forensic investigation.

The National Institute of Standards and Technology (NIST) has instituted the Computer Forensic Tool Testing Program. The intent of this project is to ensure scientific reliability and validity across the tools used in computer forensic investigations. Many of these tools are used internationally and are relied upon to provide electronic evidence for criminal cases. Since there are no standards set in the field to test the accuracy of these tools and techniques, NIST has decided to define requirements and test assertions to be used in this manner. Dating back to 2008, several different mobile device acquisition tools have been tested and validated. In Chapter 7, these tools will be discussed in detail and it will also be discussed whether each tool has been validated through NIST's Computer Forensic Tool Testing Program (NIST, 2010).

In addition to NIST, viaForensics has also performed independent testing of each tool that supports the iPhone device. This research reviewed techniques and software for retrieving data from an iPhone 3G device. Involved in this testing were the analysis of the installation process, acquisition of the device, reporting capabilities, and finally accuracy of the data recovered. Much of this information has been incorporated into Chapter 7, which covers the importance of commercial tools testing. In addition to the information found in this book, independent rankings of the tools are also provided in the iPhone Forensics white paper, which can be found at http://viaforensics.com/education/white-papers/iphone-forensics/

iPhone leveling

Understanding the various types of mobile acquisition tools and the data they are capable of recovering is paramount for a mobile forensic examiner. A mobile device forensic tool classification system was developed by Sam Brothers, a computer and mobile forensic examiner and researcher, in 2007. The objective of his classification system is to enable an examiner to place cell phone and GPS forensic tools into a category, depending on the extraction methodology of that tool. This categorization facilitates the comparison between different tools and provides a framework for forensic examiners.

The classification tool is displayed in Figure 1.6. Starting at the bottom and working upward, the methods and tools generally become more technical, invasive, time consuming, forensically sound, and expensive (Brothers, 2007). Level 1 (Manual Extraction) involves simply scrolling through the data on the device as any user does in a traditional manner. Level 2 (Logical Analysis) is used by most investigators today, as it is only mildly technical and requires little training. Level 3 (Hex Dump) is where many forensic examiners have moved over the last 2–3 years, and it has been gaining quickly in popularity and support in the forensics community. Level 4 (Chip-Off) is the “new frontier” for most examiners, as formal training classes teaching this type of analysis have only just become available. Finally, Level 5 is rarely performed and is not well documented at this time, as it is extremely technical, very expensive, and highly time consuming.

B9781597496599000018/f01-06-9781597496599.jpg is missing

Figure 1.6

iPhone Classification Tool.

It should be noted that there are pros and cons to performing analysis at each layer. The forensics examiner should be aware of these issues and should only proceed with the level of extraction that he/she has been trained to operate at. Evidence can be permanently destroyed if a given method or tool is not properly utilized. This risk increases the higher you move up in the pyramid. Thus, proper training is critical to obtaining the highest success rate in data extraction and proper forensic analysis of these devices (Brothers, 2007).

Each existing mobile forensic tool can be classified under one (or more) of the five levels. The following text contains a detailed description of each level as well as the methods that are used for data extraction at that given level (Brothers, 2007).

• Level 1 – Manual Extraction: A manual extraction involves viewing the data content on the phone directly as viewed on its screen through the use of the device's keypad. The information discovered is manually documented (generally using a digital camera). At this level, it is impossible to recover deleted information. Some tools have been developed that aid an investigator to easily document a manual extraction. These tools capture what is shown on the device, which is then captured digitally for future reference and storage (Brothers, 2007).

• Level 2 – Logical Extraction: Connectivity to the mobile device is generally established via a cable to either a piece of forensic hardware or a forensic workstation containing specialized software. The examiner may also choose to use Bluetooth for connectivity instead of a cable. Once connected, the software tool initiates a command to request and then extract allocated files on a given device. As explained by Brothers, the command is initiated by the computer and sent to the device, which is then interpreted by the processor in the device. Next, the requested data is retrieved from the device's memory and sent back to the forensic workstation to be reviewed by the examiner. Most iPhone forensic tools currently available perform at this level of the classification system, and are described further in Chapter 7. It should also be noted that several of these tools are capable of performing an analysis of iPhone backup files saved on a user's computer (Brothers, 2007). This type of extraction is described further in Chapter 5.

• Level 3 – Hex Dump: A hex dump, more commonly referred to as a “physical extraction,” provides the investigator with more data than was available at the lower levels. To perform this type of extraction, the device is connected to the forensic workstation generally via a cable. Occasionally, this connection to the computer is either through the device's data port, JTAG (an internal test connection), or even via Wi-Fi. Instead of initiating a command, unsigned code is copied to the device (most commonly into memory), instructing the phone to copy user data to the computer. The resulting data is copied, transferred, and stored as a raw disk image. Since the resulting image is in binary format, technical expertise is required for analysis at this level (Brothers, 2007). The currently available tools that will perform this type of acquisition on an iPhone are discussed in detail in Chapter 5.

• Level 4 – Chip-Off: Chip-off refers to the acquisition of data directly from the device's memory chip, which in the case of the iPhone is the NAND Flash memory. The chip is physically removed from the device and data stored on it is extracted by a chip reader. Brothers points out that this type of acquisition is analogous to imaging a hard drive from a computer or laptop using traditional hard disk imaging techniques. As the pyramid describes, this method is much more technically challenging than the manual, logical, or hex dumping acquisition techniques. The amount of required investigator knowledge greatly increases at this level as does the acquisition time. Some of the aspects that make this technique so advanced include the wide variety of chip types used, the myriad of raw binary data formats, and the risk of causing physical damage to the chip during the extraction process (Brothers, 2007).

• Level 5 – Micro Read: This process involves manually viewing and interpreting data seen on the memory chip. By analyzing the physical gates on the chip, the examiner can then translate the gate status to 0's and 1's to then determine the resulting ASCII characters. The process is time consuming and costly, and requires extensive knowledge of all aspects of Flash memory and the file system. There are currently no commercial tools available to perform a micro read on an Apple device (Brothers, 2007).

Acquisition types

The following points break down the most commonly used acquisition techniques used on an Apple device. These methods may have some overlap with a couple of the levels discussed in the section on iPhone leveling, but will provide more details on the techniques and how they are used in conjunction with an iPhone.

Backup

One common approach to iPhone forensics is to analyze the backup directory. There is a difference between syncing an iPhone and backing it up. Basically, syncing makes sure that files on your computer and iPhone are in sync and some key information is backed up. On the other hand, a backup will make copies of SMS, Call Logs, Contact, and other application data. For a forensic analyst, the backup information can be very important, especially if he or she does not have access to the iPhone directly.

This procedure for this type of acquisition will read files from the iPhone backup files created through iTunes using Apple's synchronization protocol. The only data that can be acquired using this method are those files that have been explicitly synchronized by the protocol. Backup analysis is beneficial when the device is either unavailable or unable to be imaged for any particular reason.

Many key pieces of information can be retrieved in this way. Common data is stored in SQLite databases and Property List files, which are both supported by the synchronization protocol. Most allocated data or, in other words, data that still remains on the device, can be retrieved through a backup analysis. In addition, by querying the SQLite databases directly, additional data such as deleted SMS, Call Logs, and Contacts can generally be recovered.

Logical

This approach acquires data directly from the iPhone and is preferred over recovering files from the computer the iPhone was synced with. Many of the available commercial tools perform a logical acquisition. However, the forensic analyst must understand how the acquisition occurs, whether the iPhone is modified in any way, and what the procedure is unable to acquire.

Using the logical approach, active files and folders from the iPhone's file system are recovered; however, data contained in unallocated space (or slack space) is not. The following items include some of the common data that can be acquired from a logical acquisition: SMS, Call Logs, Calendar Events, Contacts, Photos, Web history, Synced e-mail accounts, and more. From these files, only data that have not been deleted from the phone can be fully recovered. For certain applications, it is sometimes possible to query the SQLite database file and extract some deleted data. Chapter 3 covers data storage in SQLite database files, and Chapter 6 demonstrates methods of extracting deleted data from these and other files.

Physical

A third method of imaging an iPhone is through a physical acquisition. This process creates a bit-by-bit copy of the file system, similar to the approach taken in most computer forensic investigations. While this approach has the potential for the greatest amount of data recovered (including deleted files), the process is more complicated and requires sophisticated analysis tools and techniques. Any type of data contained on the device can be recovered using this method. Advanced data analysis of the resulting disk image file also has the potential to recover GPS coordinates, cell tower locations, and even deleted text and multimedia messages.

Many times, the metadata extracted from various files can be pieced together in order to produce additional results. An example of this might be to compare the timestamps recovered from a photo taken on the device with the timestamps of an SMS record in order to show which recipient a photo may have been sent to. While this sort of analysis is also possible using information from a backup or logical acquisition, there is greater potential using a physical image since much more data is recovered with this technique.

Nontraditional

There are also some less common, and somewhat controversial, methods that allow an investigator to extract data from an Apple device which otherwise may not be able to be acquired. These methods involve modifying the firmware on the device in order to allow greater functionality.

Jailbreaking is one of these techniques. To jailbreak a device, the firmware partition is replaced with a hacked version. The hacked firmware partition contains an installer package that allows the user to download tools and other programs that are normally not available through the App Store. Apple took the stance that this technique would cause an increase in piracy as well as technical support costs for the company (Moren, 2010). For this reason, any device that has been jailbroken is no longer covered through Apple's manufacturer's warranty and, up until early 2010, was actually illegal.

Note

Jailbreaking

Jailbreaking an Apple device replaces the firmware partition with a hacked version, allowing the user to download software that is not explicitly available through the App Store. Jailbreaking also voids the manufacturer's warranty on the device.

The Digital Millennium Copyright Act (DMCA) has supported companies like Apple through the contained section regarding anti-circumvention of technology. Created in 1998, the DMCA includes a section on “Circumvention of Technological Protection Measures.” This portion of the document states that circumvention of technology that has been copyrighted is prohibited. Since jailbreaking an Apple device bypasses the standard firmware partition and modifies it to allow increased flexibility on the device, this technique was not exempt from the DMCA for several years (United States Copyright Office, 1998). Every three years, the DMCA is measured and reviewed in order to determine whether specific technologies still apply. With the most recent review, the Library of Congress declared that jailbreaking an Apple device is exempt from the DMCA. This ruling does not force Apple to cover jailbroken devices under the manufacturer's warranty; it simply means that individuals who may decide to modify their device in this manner will not be criminally prosecuted. In addition, any software downloaded on the device must be legally acquired; therefore, pirated software is still illegal under this act (Moren, 2010).

While this book will not delve into the process of jailbreaking any type of Apple device, it should be pointed out that there are methods available for just about any model and firmware version on the market. The Apple hacking community is continually developing new tools and techniques that allow users to have a better control over their device. In fact, recent apps have been released that allow even the Apple TV to be jailbroken. Using this method, an individual can even run applications such as the XBox Media Center on their Apple TV.

As an investigator, working with a jailbroken device for testing purposes can be a highly educational experience. There are applications available, such as Mobile Terminal and OpenSSH, that allow an individual to remotely connect to the device using commonly known commands such as “ssh” or “ftp.” Once connected, the examiner has the capability to browse through the entire file system and understand the variety of files contained on the device. The directory structure is similar to what would be seen in a resulting disk image file after performing a physical acquisition; however, the structure is not exactly the same. Individual files or even the entire file system can be copied from the device to a forensic workstation using these same methods. Chapter 5 guides the examiner through an acquisition of the iPhone's raw disk image using a jailbroken device. Unfortunately, however, hard disk encryption is an issue when trying to acquire the raw disk image through this method on the 3G(s) and iPhone 4.

Forensics with Linux

While many of the commercial tools have been developed for Windows or Mac environments, the Linux platform deserves its own section, as it contains extremely powerful tools that can assist in a forensic investigation. Throughout the book, various hands-on exercises are performed to demonstrate to the user how a certain program or process is run. For example, forensic acquisitions are performed as well as various forensic tools run through a command prompt. Some tools make sense to run on a Mac workstation, while others are better performed on a Linux machine. Depending on the exercise, we will be jumping back and forth between operating systems, so be sure to note which platform is being used prior to following along. If you do not have a Linux or Macintosh workstation available, consider using a virtual machine to simulate the environment (building a Linux virtual machine is covered later in this section).

Introduction to Linux

In order to understand the Linux tools that will be used in Chapter 6, it is important to have an understanding of the Linux operating system as well as some of the basic commands. Linux was originally created by Linus Torvalds, a young student from Finland. The first version of the Linux Kernel (v1.0) was released in 1994, with the latest running version being 2.6. One of the more interesting aspects of the Linux kernel is that it was developed under the GNU General Public License. This means that the source code is freely distributed and available to the general public for use.

In Linux, all files are part of the same file structure, as opposed to a Windows environment, which has separate drives (C:/ - hard disk, D:/ - CD-ROM, etc.). If a user connects a hard drive and a USB drive to a Linux workstation, they will all be part of the same folder structure as shown in the following text:

kstrzempka@linux-001:/$ tree -L 1 /

/

├── bin

├── boot

├── cdrom

├── dev

├── etc

├── home

├── lib

├── lib32

├── lib64 —> /lib

├── lost+found

├── media

├── mnt

├── opt

├── proc

├── root

├── sbin

├── selinux

├── srv

├── sys

├── tmp

├── usr

├── var

In the above code, the “/” signifies the root of the file system. The following describes some of the folders in the root directories and the types of files they might contain:

• /etc: Configuration files for software that was downloaded and installed on the system.

• /home/<users>: Within the home directory, there will be a folder for each of the users on the system. Each user's files will then be stored within his or her particular folder.

• /dev: External devices that have been connected to the machine are listed here. Any SATA/SCSI devices connected over USB or firewire are listed as “/dev/sda,” “/dev/sdb,” etc. They are assigned letters in the order in which they are connected to the machine.

• /var: System log files are stored here.

For each folder or file on a Linux workstation, file permissions are shown for three different types of users: the owner, a group, and the world (others). They are listed as either “r” (read), “w” (write), or “x” (execute). In the following example, the user has read and write permissions, while the group and other have read-only. The “-” at the very beginning of each line signifies that the object is a file. If it were a directory, there would be a “d” in place of the hyphen, or an “l” if it were a link to another file or directory.

kstrzempka@linux-001:~/Desktop/book-screenshots$ ls -l

total 84

-rw-r- -r- - 1 kstrzempka kstrzempka 24655 2010-12-15 17:38 iPhone-connected-DFU.png

-rw--r- -r- - 1 kstrzempka kstrzempka 26203 2010-12-15 17:37 linux-iphone-normal.png

-rw--r- -r- - 1 kstrzempka kstrzempka 27311 2010-12-17 15:15 nano-hosts-file.png

Various commands can be used to modify permissions on a file or folder. To change permissions, it is important to understand the numerical (or “octal”) value for read, write, and execute assignments. Permissions are calculated based on the following values:

• Read = 4

• Write = 2

• Execute = 1

So, if a user, group, or other is assigned a “7,” they would have read, write, and execute permissions. The command to modify permissions as well as a few examples are shown in the “Basic Linux commands” section.

Basic Linux commands

The following sections provide a breakdown of some of the common Linux commands including a description of the command, its general usage, and one or more examples of how the command can be applied. For a reference guide, see Appendix X: Linux Cheat Sheet.

• manDescription: Pulls up online manuals for the requested command in the terminal window. Within the manual will be a detailed description of the command as well as its usage (including all of the options or “flags” for that command).

$ man [-][-k keywords] commands

In the following examples, the first command lists information on the “mount” command, while the second searches all manuals containing the characters “zip”:

$ man mount

MOUNT(8) Linux Programmer's Manual MOUNT(8)

NAME

mount - mount a filesystem

SYNOPSIS

mount [-lhV]

mount -a [-fFnrsvw] [-t vfstype] [-O optlist]

mount [-fnrsvw] [-o option[,option]…] device❘dir

mount [-fnrsvw] [-t vfstype] [-o options] device dir

DESCRIPTION

All files accessible in a Unix system are arranged in one big tree, the file hierarchy, rooted at /. These files can be spread out over seva eral devices. The mount command serves to attach the filesystem found on some device to the big file tree. Conversely, the umount(8) command will detach it again.

The standard form of the mount command is

<snip>

$ man -k zip

Archive::Any::Plugin::Zip (3pm) - Archive::Any wrapper around Archive::Zip

Archive::Zip (3pm) - Provide an interface to ZIP archive files.

Archive::Zip::FAQ (3pm) - Answers to a few frequently asked questions about Archive::Zip

Archive::Zip::MemberRead (3pm) - A wrapper that lets you read Zip archive members as if they were files.

Archive::Zip::Tree (3pm) - (DEPRECATED) methods for adding/extracting trees using Archive::Zip

bunzip2 (1) - a block-sorting file compressor, v1.0.4

bzcmp (1) - compare bzip2 compressed files

bzdiff (1) - compare bzip2 compressed files

bzegrep (1) - search possibly bzip2 compressed files for a regular expression

bzfgrep (1) - search possibly bzip2 compressed files for a regular expression

bzgrep (1) - search possibly bzip2 compressed files for a regular expression

bzip2 (1) - a block-sorting file compressor, v1.0.4

bzip2recover (1) - recovers data from damaged bzip2 files

bzless (1) - file perusal filter for crt viewing of bzip2 compressed text

bzmore (1) - file perusal filter for crt viewing of bzip2 compressed text

funzip (1) - filter for extracting from a ZIP archive in a pipe

gpg-zip (1) - encrypt or sign files into an archive

gunzip (1) - compress or expand files

gzip (1) - compress or expand files

Image::ExifTool::ZIP (3pm) - Read ZIP archive meta information

lz (1) - gunzips and shows a listing of a gzip'd tar'd archive

mzip (1) - change protection mode and eject disk on Zip/Jaz drive

prezip-bin (1) - prefix zip delta word list compressor/decompressor

tgz (1) - makes a gzip'd tar archive

unzip (1) - list, test and extract compressed files in a ZIP archive

unzipsfx (1) - self-extracting stub for prepending to ZIP archives

uz (1) - gunzips and extracts a gzip'd tar'd archive

zforce (1) - force a ‘.gz’ extension on all gzip files

zip (1) - package and compress (archive) files

zipcloak (1) - encrypt entries in a zipfile

zipgrep (1) - search files in a ZIP archive for lines matching a pattern

zipinfo (1) - list detailed information about a ZIP archive

zipnote (1) - write the comments in zipfile to stdout, edit comments and rename files in zipfile

zipsplit (1) - split a zipfile into smaller zipfiles

• helpDescription: Displays information on the requested command, including usage and examples, similar to “man.” Some commands use the - -help notation, while others simply use -h or -help.

$ mount - -help

Usage: mount -V : print version

mount -h : print this help

mount : list mounted filesystems

mount -l : idem, including volume labels

So far the informational part. Next the mounting.

The command is ‘mount [-t fstype] something somewhere’.

Details found in /etc/fstab may be omitted.

mount -a [-t │-O] … : mount all stuff from /etc/fstab

mount device : mount device at the known place

mount directory : mount known device here

mount -t type dev dir : ordinary mount command

Note that one does not really mount a device, one mounts a filesystem (of the given type) found on the device.

One can also mount an already visible directory tree elsewhere:

mount - -bind olddir newdir

or move a subtree:

mount - -move olddir newdir

One can change the type of mount containing the directory dir:

mount - -make-shared dir

mount - -make-slave dir

mount - -make-private dir

mount - -make-unbindable dir

One can change the type of all the mounts in a mount subtree

containing the directory dir:

mount - -make-rshared dir

mount - -make-rslave dir

mount - -make-rprivate dir

mount - -make-runbindable dir

A device can be given by name, say /dev/hda1 or /dev/cdrom, or by label, using -L label or by uuid, using -U uuid .

Other options: [-nfFrsvw] [-o options] [-p passwdfd].

For many more details, say man 8 mount .

• cdDescription: This command is used to change into another directory. In Linux, the special character “~” is used to represent the current user's home directory. For example, the user kstrzempka has a home directory on a Linux system at /home/kstrzempka. From anywhere in the file system, you can use ~ to refer to /home/kstrzempka. This works well for documentation, so throughout this book we refer to ~ and, even if you have set up a different user name, the command will still function as expected.

$ cd ~ (changes into the user's home directory from anywhere)

$ cd (changes into the user's home directory from anywhere)

$ cd ~/Desktop/Projects (changes into the “Projects” folder located on the user's Desktop)

$ cd .. (changes directories up 1 level (back into “Desktop”)

$ cd ../../ (changes directories up 2 levels)

$ cd / (changes into the root file system folder from anywhere)

• mkdirDescription: Creates a directory in the current location, unless otherwise specified.

$ mkdir iPhone (creates the “iPhone” folder in the current directory)

$ mkdir -p ~/iPhone/Forensics/Book (creates the full path of directories even if top levels do not exist)

• rmdir/rmDescription: Removes existing directories or files based on the flags specified. The “rmdir” command will only remove empty folders. If there are files within the directory, these will first need to be removed prior to running the “rmdir” command. The “rm” command can be used to remove both files and folders and will prompt the user prior to removing. You can override the prompt with the -f option, but use with caution.

$ rmdir Linux (removes only an empty folder)

$ rmdir -p /Linux/Forensics/Book (removes each folder within the specified path)

$ rm -r Linux (removes the specified folder and all of its contents)

$ rm -rf Linux (removes the specified folder and all of its contents without prompting)

$ rm test.txt (deletes the specified file)

$ rm *.txt (deletes all .txt files within the current directory)

$ rm * (deletes all files within the current directory)

• pico/nanoDescription: Both pico and nano are CLI text editors that allow the creation and modification of text files. These commands must be run within the directory in which the user wishes to save the file. Pico will be used for this example, but nano is run the same way. To create a file, simply type the command.

$ pico

Typing “pico” will open the text editor within the CLI, allowing the user to enter whatever text he or she wishes (see Figure 1.7).

B9781597496599000018/f01-07-9781597496599.jpg is missing

Figure 1.7

Create File using “pico.”

When the text has been entered, pressing “Ctrl+X” will “exit” the text editor and allow the user to save. As shown in Figure 1.7, this particular file was saved as “Test” and, upon hitting enter, was saved in the user's current directory.

To modify an already existing file, simply follow the command with the file name or full path and file name if the file is in a different directory:

$ pico existing-file.txt

• lsDescription: Lists files and folders. The “ls” command without any options specified will list the file/folder names only in the current directory. Adding the “-lh” options will provide a long listing with more details on the file, including permissions, ownership, size, and date and timestamps.

kstrzempka@linux-001:~/Desktop/book-screenshots$ ls

iPhone-connected-DFU.png linux-iphone-normal.png nano-hosts-file.png

kstrzempka@linux-001:~/Desktop/book-screenshots$ ls -lh

total 84K

-rw-r- -r- - 1 kstrzempka kstrzempka 25K 2010-12-15 17:38 iPhone-connected-DFU.png

-rw-r- -r- - 1 kstrzempka kstrzempka 26K 2010-12-15 17:37 linux-iphone-normal.png

-rw-r- -r- - 1 kstrzempka kstrzempka 27K 2010-12-17 15:15 nano-hosts-file.png

• treeDescription: Shows the hierarchy of folders for the directory specified. If no parameters are specified, the current directory will be used. In Linux, the current directory is referred to as a single “.” while one directory up is a double period “..”. In the following output, the current directory is used, which happens to be the current user's home directory. The user can specify how many directory levels he or she wishes to view with the “-L” flag. In the first example, one level is shown, whereas in the second example, two levels of the source directory and files are shown. One must not forget that all the details of a command can be learnt by examining the man page (man tree) or specifying the command's help parameter (tree - -help).

kstrzempka@linux-001:~$ tree -L 1.

├── Desktop

├── Documents

├── Downloads

├── mnt

├── Music

├── Pictures

├── Public

├── sleuthkit-3.1.2

├── Templates

├── Ubuntu One

└── Videos

kstrzempka@linux-001:~$ tree -L 2 Desktop/

Desktop/

├── AutomatedTools

│ ├── Linux

│ ├── OSX

│ ├── README

│ └── README.Multiplatform

├── book-screenshots

│ ├── iPhone-connected-DFU.png

│ ├── linux-iphone-normal.png

│ └── nano-hosts-file.png

├── Directions for viewing recovered iPhone data.pdf

├── command-output

│ ├── 19691231.1910

│ ├── 19691231.1920

│ ├── 19700105.1955

│ ├── 20100817.1145

│ ├── 20100817.1149

│ ├── 20100903.1146

│ ├── 20100907.1118

│ ├── 20100907.1126

│ ├── 20100909.1034

│ └── 20100919.1031

├── iPhoneapp-mount

├── keychain.png

├── Photos.sqlite

├── plutil.pl

├── python-var-int.png

└── WXP-PRO-OEM.iso

• lessDescription: Displays specified text one page at a time. This command is commonly used in conjunction with other commands to show output one page at a time. The following command will display the contents of “large-document.pdf” one screen at a time within the terminal window:

$ less large-document.pdf

Once you are in the less utility, there are a few key commands to remember.

• h: access help menu

• q: quit help menu

• spacebar: display one screen/page down

• b: display one screen/page up

• /: search for a pattern

• Enter: move one line down

• y: move one line up

There are many more commands and tricks to this powerful utility, so read the help screens, man page, or simply search the Internet for more helpful tips.

• catDescription: Outputs the contents of a file to the screen or to a new file if specified (without retaining the format of the file).

kstrzempka@linux-001:~/Desktop$ cat textfile.txt

iphone forensics is so much fun.

This file contains unnecessary information used to display the workings of the “cat” command.

The “cat” command can be used in conjunction with “less” in order to display the contents of a file one page at a time.

This command can also be used to combine files into one (i.e., for split forensic images). This is often referred to as concatenating files.

$ cat file1.txt file2.txt file3.txt > final.txt

• findDescription: Used to search for files in a directory hierarchy. The following command will list all of the files, including the full path, contained on the specified user's desktop:

$ find /home/kstrzempka/Desktop

The find command can also be used in combination with another command. For example, the following will run the “md5sum” command on the files from the “find” command:

$ find . -type f -exec md5sum {} ; > ~/md5.txt

In this example, the command instructs the computer to find a regular file (-type f) in the current directory (“.”) and execute (-exec) the strings command on all files found ({}). The “;” signifies the end of the -exec command. It then takes that output and redirects it (>) to “md5.txt” in the user's home directory (Grundy, 2008).

If one runs a command against the results of a large number of files, one can run into issues. In those cases, one should research piping the output of the file command to a utility called xargs.

• chmodDescription: Short for “change mode,” this command changes file or folder permissions, as described in the previous section. Many examples are provided in the following text. Note that these commands must either be run in the directory in which “textfile.txt” is stored, or the full path to the file must be provided.

*Provides details on the file permissions for “textfile.txt”