
Apple forensics: extracting data from iOS devices using open source tools

As of July last year, Apple had sold over 800 million iOS devices, more than half of them iPhones of various models. With so many devices in circulation it is not surprising that they frequently become the subject of forensic examination. There are various solutions on the market for automating such examinations, but their price tag often puts them out of reach. So today we will talk about how to carry out such an examination at minimal cost, that is, using free and/or open source tools.

Some theory


During an examination, physical access to the device is usually implied, and the examiner has two tasks: to extract as much data and information from the device as possible, and to leave as few traces (artifacts) as possible. The second task is especially important if the results of the examination are presented in court: too many artifacts may prevent a repeat examination, which in turn may call the results of the initial examination into question. In many cases the appearance of artifacts cannot be avoided; this problem is addressed by documenting in detail the artifacts created at each stage of the examination.

Data stored on iOS devices is relatively well protected, and to retrieve it you usually need to overcome the following obstacles:
  1. Passcode. It protects the device from unauthorized access (including by an examiner) and protects part of the data cryptographically. This means that even if the passcode is somehow bypassed, some files and Keychain entries remain inaccessible, because the device cannot obtain the corresponding encryption keys without knowing the passcode.
  2. Keychain. This is a centralized store for passwords, tokens, encryption keys and other secrets, in which Apple recommends that application developers keep valuable data. Physically it is a SQLite3 database whose records are encrypted and are accessed indirectly through requests to the `securityd` service.
  3. File encryption. Unlike full disk encryption (FDE) systems, iOS encrypts each file with a separate key (somewhat like EFS in Windows). Some files are protected by a key derived from a unique device key and can be decrypted without knowing the passcode; others are protected in such a way that they cannot be decrypted without knowing the passcode.

Together, these three mechanisms form the Data Protection subsystem, which appeared in iOS 4 and made examinations considerably harder. Since iOS 4, Data Protection has not changed very significantly, with one exception: the arrival of the Secure Enclave in the iPhone 5s and newer models. Within Data Protection, the Secure Enclave is used for operations with fingerprints, the passcode, encryption keys and the like, but we will not consider it in this article.

Data retrieval


In practice, several methods are traditionally used to extract data from iOS devices:
  1. "Physical extraction" yields a bit-for-bit disk image and all of the device's encryption keys, and in most cases also allows the passcode (if one is set) to be brute-forced. Physical extraction generally requires executing code on the device as a user with full rights (root) and outside the sandbox. This method was popular a few years ago, because a vulnerability in the boot loaders of old devices (such as the iPhone 4 or the first iPads) allowed arbitrary code to be executed on the device. On newer devices physical extraction is possible (and even then with caveats) only if the device is jailbroken, so we will not consider it today.
  2. Logical extraction uses interfaces and services that already exist on the device and are used by programs such as iTunes or Xcode to obtain data. The classic example is creating an iTunes backup: no additional software needs to be installed on the device to create it, yet it contains a large amount of valuable information about the device (including the contact list and call log, message history, location history, and photos/videos). But it is not limited to the backup alone: iOS devices offer other services that give access to data.
  3. Extraction from iCloud downloads a backup of the device from the cloud. To do this you need to know the credentials of the Apple ID configured on the device: the Apple ID and password, or an authentication token. An iCloud backup also contains a great deal of valuable information.


Pairing


When it comes to "logical" extraction, one of the key concepts is the pairing of the device with a host. In most cases the device will respond to requests only from a host with which it was paired earlier (there may be more than one such host). The pairing record consists of two parts, one stored on the device and one on the host, and is created when the device is first connected to a new host. To create such a record the device must be unlocked (that is, pairing generally requires entering the passcode) and, starting with iOS 7, the user must confirm the creation of the pairing record on the device (in earlier versions the record was created automatically).



The pairing record contains encryption keys for all content stored on the device and can therefore be used to connect to the device and unlock it. In other words, from the point of view of access to encrypted data, a pairing record is equivalent to knowing the passcode: either of these two factors allows you to unlock the device and access all data (in the cryptographic sense).

In practical terms, this means that logical extraction generally requires either an existing pairing record from one of the trusted computers, or the passcode (in order to create such a record). Without one of these, most iOS services will refuse to work or return data.

Practice


For our experiments we need a virtual or physical machine running Linux. In principle any Linux will do; what matters is that `libusb` and `libimobiledevice` build and work normally on it. I will use Santoku Linux, a distribution created specifically for research on Android and iOS devices. Unfortunately, Santoku Linux does not contain everything we need, so some things still have to be built by hand.



Logical extraction


For logical extraction of data from the device we need libimobiledevice, a cross-platform library for communicating with various iOS services. Unfortunately, Santoku Linux 0.5 ships with an outdated version of `libimobiledevice` (1.1.5), which does not fully support iOS 8, so first install the latest version (1.1.7) and all of its dependencies (download the source archives, unpack each one, change into the resulting folder and run `./autogen.sh && make && sudo make install`):



If everything went well, now is the time to connect some iOS device to the computer (or virtual machine) and check that the host sees it:

```
santoku@santoku-vm:~$ idevice_id -l
23f88587e12c30376f8ab0b05236798fdfa4e853
santoku@santoku-vm:~$
```

This command should display the identifiers (UUID) of the connected devices.

Device info


The next step is to obtain more detailed information about the device. For this we use the `ideviceinfo` utility. It can be used in two ways:



The `-x` option formats the program's output as XML (more precisely, as a property list), so the output can be redirected to a file and processed further with other programs or scripts.



Applications


As part of logical extraction you can access application data. To do this, first get the list of installed applications using the `ideviceinstaller` utility:

```
santoku@santoku-vm:~$ ideviceinstaller -l
Total: 4 apps
com.viaforensics.viaprotect-app - NowSecure 1
com.facebook.Facebook - Facebook 6017145
ph.telegra.Telegraph - Telegram 39280
com.getdropbox.Dropbox - Dropbox 3.6.2
santoku@santoku-vm:~$
```

As a result, for each application we obtain its identifier (the so-called bundle ID), name and version. Knowing the application's bundle ID, we can access its data. Two iOS services are involved here: `house_arrest` and `afc`. AFC (Apple File Conduit) is a file access service; among other things, iTunes uses it to access music and other media files on the device. `house_arrest` is a less well-known service that starts an AFC server inside the sandbox of a particular application; in particular, it is used to implement the File Sharing feature in iTunes.

But that is all theory. In practice, to access an application's files it is enough to use the `ifuse` utility:

```
santoku@santoku-vm:~$ ifuse --container com.getdropbox.Dropbox ~/Desktop/Applications/
santoku@santoku-vm:~$
```

This command mounts the application's data directory at `~/Desktop/Applications`:

```
santoku@santoku-vm:~$ ls ~/Desktop/Applications/
Documents  Library  StoreKit  tmp
santoku@santoku-vm:~$
```

You can unmount it with the command `fusermount -u ~/Desktop/Applications`.
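The listing, mount and unmount steps above are easy to script once the `ideviceinstaller -l` output is parsed. The following is an added example (not code from the article or from the libimobiledevice project): it parses the `bundle - name version` lines exactly as printed in the session above (an assumption about that version of the tool; newer releases print a different layout), builds the `ifuse --container` and `fusermount -u` commands for each application, and hashes every file in the mounted container so the examination record has a fixed inventory. The `run` parameter is injectable so the flow can be exercised offline; `demo()` does that with a constructed container.

```python
import hashlib
import re
import subprocess
from pathlib import Path

# Listing copied from the article's `ideviceinstaller -l` session.
SAMPLE_LISTING = """Total: 4 apps
com.viaforensics.viaprotect-app - NowSecure 1
com.facebook.Facebook - Facebook 6017145
ph.telegra.Telegraph - Telegram 39280
com.getdropbox.Dropbox - Dropbox 3.6.2
"""

_SAFE = re.compile(r"[^A-Za-z0-9._-]")  # characters allowed in a per-app mount directory name


def parse_app_list(text):
    """Return [(bundle_id, name, version)] from `bundle - name version` lines; other lines are skipped."""
    apps = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Total:"):
            continue
        bundle, sep, rest = line.partition(" - ")
        if not sep:
            continue  # not in the expected format
        name, _, version = rest.rpartition(" ")  # version is the last token, name may contain spaces
        apps.append((bundle, name or rest, version if name else ""))
    return apps


def mount_plan(apps, base_dir):
    """For each app, the ifuse command that mounts its container and the fusermount command that unmounts it."""
    plan = []
    for bundle, _name, _version in apps:
        target = Path(base_dir) / _SAFE.sub("_", bundle)
        plan.append((bundle,
                     ["ifuse", "--container", bundle, str(target)],
                     ["fusermount", "-u", str(target)]))
    return plan


def inventory(mount_point):
    """Walk a mounted container and record (relative path, size, sha256) of every regular file."""
    records = []
    for p in sorted(Path(mount_point).rglob("*")):
        if p.is_file():
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            records.append((str(p.relative_to(mount_point)), p.stat().st_size, digest))
    return records


def run_plan(plan, run=subprocess.run):
    """Mount, inventory and unmount each application; always unmount, even if the inventory fails."""
    results = {}
    for bundle, mount_cmd, umount_cmd in plan:
        Path(mount_cmd[-1]).mkdir(parents=True, exist_ok=True)
        run(mount_cmd, check=True)
        try:
            results[bundle] = inventory(mount_cmd[-1])
        finally:
            run(umount_cmd, check=False)
    return results


def demo():
    """Offline dry run: a fake `run` populates the target directory instead of calling ifuse."""
    import tempfile
    apps = parse_app_list(SAMPLE_LISTING)[:1]
    with tempfile.TemporaryDirectory() as base:
        plan = mount_plan(apps, base)

        def fake_run(cmd, **_kw):
            if cmd[0] == "ifuse":  # simulate the mount with a constructed Documents folder
                docs = Path(cmd[-1]) / "Documents"
                docs.mkdir(parents=True)
                (docs / "notes.txt").write_bytes(b"constructed sample")

        return run_plan(plan, run=fake_run)


if __name__ == "__main__":
    for bundle, files in demo().items():
        print(bundle, files)
```

With a real device, `run_plan(mount_plan(parse_app_list(listing), "~/Desktop/Applications"))` does the same thing using the actual `ifuse` and `fusermount` binaries.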

iTunes backup


A device backup has traditionally been one of the most popular data extraction vectors, which is not surprising given that a backup by definition contains a lot of valuable information about the device and its owner. To create a backup you can use the `idevicebackup2` utility:

```
santoku@santoku-vm:~$ idevicebackup2 backup --full ~/Desktop
Backup directory is "/home/santoku/Desktop"
Started "com.apple.mobilebackup2" service on port 50066.
Negotiated Protocol Version 2.1
Starting backup...
Enforcing full backup from device.
Backup will be unencrypted.
Requesting backup from device...
Full backup mode.
[= ] 1% Finished
Receiving files
....
Received 237 files from device.
Backup Successful.
santoku@santoku-vm:~$
```

Depending on the amount of content on the device, creating a backup may take a long time (up to half an hour).

Another potential problem with backups is that they can be encrypted. Backup encryption in iOS is performed on the device side, so if the user has protected the backup with a password, all data the device sends during the backup process will arrive encrypted. You can try to recover the password; there are both commercial and free tools for this. Without the password, the contents of the backup files are inaccessible.

By default, `idevicebackup2` saves the backup in the internal iOS format, which is not well suited to manual study because, for example, it uses the SHA-1 hash of a file's path instead of its name. The advantage of this internal format is that many programs can work with it, so to analyze the contents of a backup it is enough to open it in one of them (for example, iOS Backup Analyzer, iBackupBot or iExplorer).

If for some reason you want the backup in a more "readable" format, you can use the `unback` command:

```
santoku@santoku-vm:~$ idevicebackup2 unback ~/Desktop
```

This command creates a `_unback_` directory on the desktop, in which the device backup is saved as an ordinary tree of files rather than as a flat list of files with pseudo-random names.
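To make the naming scheme concrete, here is an added example (not code from the article or from libimobiledevice) that reproduces what `unback` does in miniature. In this backup format a file is stored under the hex SHA-1 of the string `Domain-RelativePath`, so `HomeDomain-Library/SMS/sms.db` becomes a 40-character name. A real backup carries the domain/path pairs in its manifest; this example instead hard-codes three well-known pairs, builds a lookup table from them, and copies matching hash-named files into a `domain/path` tree, leaving unknown names untouched. `demo()` runs the whole thing on a constructed backup directory in a temporary folder.

```python
import hashlib
from pathlib import Path

# Well-known (domain, relative path) pairs found in an unencrypted iOS backup of this era.
KNOWN_FILES = [
    ("HomeDomain", "Library/SMS/sms.db"),
    ("HomeDomain", "Library/AddressBook/AddressBook.sqlitedb"),
    ("WirelessDomain", "Library/CallHistory/call_history.db"),
]


def backup_name_for(domain, rel_path):
    """The hashed file name the backup format uses: SHA-1 of 'Domain-Path'."""
    return hashlib.sha1(f"{domain}-{rel_path}".encode("utf-8")).hexdigest()


def build_lookup(entries):
    """Map hashed name -> (domain, relative path) for every known entry."""
    return {backup_name_for(d, p): (d, p) for d, p in entries}


def resolve_backup_dir(backup_dir, entries):
    """For each 40-character file in backup_dir, the (domain, path) it resolves to, or None."""
    lookup = build_lookup(entries)
    result = {}
    for item in sorted(Path(backup_dir).iterdir()):
        if item.is_file() and len(item.name) == 40:
            result[item.name] = lookup.get(item.name)
    return result


def unback(backup_dir, out_dir, entries):
    """Copy resolvable hash-named files into out_dir/<domain>/<path>; returns the relative paths written."""
    backup_dir, out_dir = Path(backup_dir), Path(out_dir)
    copied = []
    for hashed, ident in resolve_backup_dir(backup_dir, entries).items():
        if ident is None:
            continue  # unknown name: leave it for manual inspection
        domain, rel_path = ident
        dest = out_dir / domain / rel_path
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_bytes((backup_dir / hashed).read_bytes())
        copied.append(str(dest.relative_to(out_dir)))
    return sorted(copied)


def demo():
    """Construct a fake backup directory (placeholder contents) and unback it."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        bdir = Path(tmp) / "backup"
        bdir.mkdir()
        for d, p in KNOWN_FILES:
            (bdir / backup_name_for(d, p)).write_bytes(b"SQLite format 3\x00")  # constructed stand-in
        (bdir / ("f" * 40)).write_bytes(b"unknown")  # a name the lookup table does not know
        return unback(bdir, Path(tmp) / "_unback_", KNOWN_FILES)


if __name__ == "__main__":
    for rel in demo():
        print(rel)
```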

File system


The `ifuse` utility can also be used to access the file system of an iOS device. Note right away that the standard AFC service only gives access to the contents of the `/var/mobile/Media` directory, which stores photos and videos, movies, music and other media content. This directory can be mounted with the command `ifuse ~/Desktop/Media/`.

If the device has been jailbroken and the AFC2 service is installed, file system access is much broader. AFC2 is the same AFC, but with access to the entire file system rather than just the `/var/mobile/Media` directory. The device's root file system can be mounted as follows: `ifuse --root ~/Desktop/Media/`. Unmounting, as with application data, is done with the command `fusermount -u ~/Desktop/Media`.

file_relay


`file_relay` is one of the less well-known iOS services; in some cases it gives access to data that cannot be obtained through other interfaces. The service is present in all versions of iOS starting from 2.0 (when the OS was still called iPhone OS), but the set of available data changes from version to version.

To extract data through the `file_relay` service you can use the `filerelaytest` utility (it is built only if the `--enable-dev-tools` option is passed when configuring `libimobiledevice`):

```
santoku@santoku-vm:~$ filerelaytest
Connecting...
Requesting AppleSupport, Network, VPN, WiFi, UserDatabases, CrashReporter, tmp, SystemConfiguration
Receiving .........................................................................................................
Total size received: 393414
santoku@santoku-vm:~$
```


Sources of `file_relay` in iOS 8

AppleTV, Baseband, Bluetooth, Caches, CoreLocation, CrashReporter, CLTM, demod, Keyboard, Lockdown, MobileBackup, MobileInstallation, MobileMusicPlayer, Network, Photos, SafeHarbor, SystemConfiguration, Ubiquity, UserDatabases, AppleSupport, Voicemail, VPN, WiFi, WirelessAutomation, MapsLogs, NANDDebugInfo, IORegUSBDevice, VARFS, HFSMeta, tmp, MobileAsset, GameKitLogs, Device-O-Matic, MobileDelete, itunesstored, Accounts, AddressBook, FindMyiPhone, DataAccess, DataMigrator, EmbeddedSocial, MobileCal, MobileNotes


This command connects to the `file_relay` service and requests a fixed set of "sources": AppleSupport, Network, VPN, WiFi, UserDatabases, CrashReporter, tmp, SystemConfiguration. Each source is one or more files from the device. A complete list of sources for iOS 8 is given in the box above. To query a particular source, pass its name as a parameter to `filerelaytest`:

```
santoku@santoku-vm:~$ filerelaytest Accounts
Connecting...
Requesting Accounts
Receiving ..........
Total size received: 31217
santoku@santoku-vm:~$
```

The result (that is, the extracted data) is written to the file `dump.cpio.gz` in the current directory. It can be unpacked with the standard `gunzip` and `cpio` utilities:

```
santoku@santoku-vm:~$ gunzip dump.cpio.gz
santoku@santoku-vm:~$ cpio -idmv < dump.cpio
.
./var
./var/mobile
./var/mobile/Library
./var/mobile/Library/Accounts
./var/mobile/Library/Accounts/Accounts3.sqlite
./var/mobile/Library/Accounts/Accounts3.sqlite-shm
./var/mobile/Library/Accounts/Accounts3.sqlite-wal
./var/mobile/Library/Preferences
./var/mobile/Library/Preferences/com.apple.accountsd.plist
6297 blocks
santoku@santoku-vm:~$
```
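Before extracting a dump with `cpio -idmv` it is worth being able to inventory it without writing anything to disk, so that the archive's contents (and their hashes) go into the examination record first and entries that would escape the extraction directory are noticed before they are unpacked. The following added example (not code from the article or from libimobiledevice) reads a gzip-compressed cpio archive in the SVR4 `newc` format, the variant GNU cpio writes with `-H newc`. I have not verified which cpio variant `file_relay` emits, so the header layout is an assumption: the reader checks the magic bytes and reports an `odc` (`070707`) archive as unsupported rather than misparsing it. `build_newc` exists only to construct the sample input for `demo()`.

```python
import gzip
import hashlib
import stat
from pathlib import Path

MAGIC_NEWC = b"070701"  # SVR4 "newc" cpio header magic (assumed format of the dump)
MAGIC_ODC = b"070707"   # older portable ASCII format, reported but not parsed


def _pad4(n):
    """Bytes needed to round n up to a multiple of 4 (newc aligns headers and data to 4)."""
    return (4 - n % 4) % 4


def build_newc(entries):
    """Write a newc archive from [(name, mode, data)]; used here only to construct sample input."""
    out = bytearray()
    for ino, (name, mode, data) in enumerate(entries + [("TRAILER!!!", 0, b"")], start=1):
        namesize = len(name) + 1  # newc counts the terminating NUL
        fields = [ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, namesize, 0]
        out += MAGIC_NEWC + b"".join(b"%08x" % f for f in fields)
        out += name.encode("utf-8") + b"\0" + b"\0" * _pad4(110 + namesize)
        out += data + b"\0" * _pad4(len(data))
    return bytes(out)


def iter_newc(blob):
    """Yield (name, mode, data) for each entry; refuses anything that is not newc."""
    pos = 0
    while True:
        hdr = blob[pos:pos + 110]
        if len(hdr) < 110:
            raise ValueError("truncated cpio header")
        if hdr[:6] != MAGIC_NEWC:
            kind = "odc" if hdr[:6] == MAGIC_ODC else repr(hdr[:6])
            raise ValueError("unsupported cpio format: %s" % kind)
        f = [int(hdr[6 + 8 * i:14 + 8 * i], 16) for i in range(13)]  # 13 hex fields of 8 chars
        mode, size, namesize = f[1], f[6], f[11]
        name = blob[pos + 110:pos + 110 + namesize - 1].decode("utf-8", "replace")
        pos += 110 + namesize + _pad4(110 + namesize)
        if name == "TRAILER!!!":
            return
        data = blob[pos:pos + size]
        if len(data) < size:
            raise ValueError("truncated data for %s" % name)
        pos += size + _pad4(size)
        yield name, mode, data


def is_unsafe_name(name):
    """True for entries that could escape the extraction directory when unpacked."""
    parts = name.replace("\\", "/").split("/")
    return name.startswith("/") or ".." in parts


def list_dump(path):
    """Inventory dump.cpio or dump.cpio.gz as [(name, kind, size, sha256)] without extracting it."""
    blob = Path(path).read_bytes()
    if blob[:2] == b"\x1f\x8b":  # gzip magic, as in dump.cpio.gz
        blob = gzip.decompress(blob)
    rows = []
    for name, mode, data in iter_newc(blob):
        kind = "dir" if stat.S_ISDIR(mode) else "file"
        if is_unsafe_name(name):
            kind = "UNSAFE-" + kind
        rows.append((name, kind, len(data), hashlib.sha256(data).hexdigest()))
    return rows


def demo():
    """Build a constructed dump resembling the Accounts source (plus one bad entry) and inventory it."""
    import tempfile
    sample = [
        ("./var/mobile/Library/Accounts", stat.S_IFDIR | 0o755, b""),
        ("./var/mobile/Library/Accounts/Accounts3.sqlite", stat.S_IFREG | 0o644,
         b"SQLite format 3\x00" + b"\0" * 84),  # constructed placeholder, not a real database
        ("../escape.plist", stat.S_IFREG | 0o644, b"<plist/>"),  # deliberately malformed entry
    ]
    with tempfile.TemporaryDirectory() as tmp:
        p = Path(tmp) / "dump.cpio.gz"
        p.write_bytes(gzip.compress(build_newc(sample)))
        return list_dump(p)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

On a real dump, `list_dump("dump.cpio.gz")` gives the inventory; if it raises `unsupported cpio format: odc`, the file is in the older format and `cpio` itself remains the right tool.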

Before iOS 8 this service was extremely useful and made it possible to obtain data that was not available through other interfaces (for example, when the backup is encrypted). But starting with iOS 8, Apple introduced an additional check: for the `file_relay` service to work, a special configuration profile signed by Apple must be installed on the device.

When such a profile is installed, the file `com.apple.mobile_file_relay.plist` is created in the directory `/Library/Managed Preferences/mobile/` with the following contents:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Enabled</key>
    <true/>
</dict>
</plist>
```

At runtime `file_relay` checks for the presence of this file and the value of its `Enabled` key, and returns data only if it is set to `true`.

Automation


One of the remarkable aspects of `libimobiledevice` is that, in addition to ready-made utilities for communicating with the device, the library provides an API for building your own tools. It includes, for example, Python bindings that give the same level of access to the various device services. Using this API you can quickly create exactly the tools you need.
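A small example of the kind of tooling this section and the earlier "Device info" section suggest, added here and not taken from the article or from libimobiledevice: rather than using the Python bindings, it drives the `ideviceinfo -x` command line (the `-u UDID` option selects a device when several are attached) and parses the resulting property list with the standard `plistlib` module. The field names are the ones I assume `ideviceinfo` commonly returns; missing keys become `None` rather than errors. The record also carries a SHA-256 of the raw output, so the plist saved to the case file can be verified later. `SAMPLE_PLIST` is a constructed sample, not output captured from a real device.

```python
import hashlib
import plistlib
import subprocess

# Keys worth copying into an examination report (assumed names as printed by ideviceinfo).
FIELDS = ("DeviceName", "ProductType", "ProductVersion", "BuildVersion",
          "UniqueDeviceID", "SerialNumber", "WiFiAddress", "PasswordProtected")

# Constructed sample in the shape of `ideviceinfo -x` output; values are placeholders.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>DeviceName</key><string>Test iPhone</string>
    <key>ProductType</key><string>iPhone6,2</string>
    <key>ProductVersion</key><string>8.1.2</string>
    <key>BuildVersion</key><string>12B440</string>
    <key>UniqueDeviceID</key><string>23f88587e12c30376f8ab0b05236798fdfa4e853</string>
    <key>PasswordProtected</key><true/>
</dict>
</plist>
"""


def parse_device_info(raw):
    """Parse the XML property list that `ideviceinfo -x` prints; must be a dictionary at top level."""
    data = plistlib.loads(raw)
    if not isinstance(data, dict):
        raise ValueError("expected a plist dictionary, got %s" % type(data).__name__)
    return data


def summarize(info):
    """Pick the report fields; keys the device did not return become None."""
    return {key: info.get(key) for key in FIELDS}


def evidence_record(raw):
    """Summary plus a SHA-256 of the raw plist bytes, so the saved file can be verified later."""
    record = summarize(parse_device_info(raw))
    record["raw_sha256"] = hashlib.sha256(raw).hexdigest()
    return record


def collect_device_info(udid=None, timeout=30):
    """Run ideviceinfo on the host (assumes the libimobiledevice tools are on PATH) and save the raw output."""
    cmd = ["ideviceinfo", "-x"]
    if udid:
        cmd += ["-u", udid]
    raw = subprocess.run(cmd, check=True, capture_output=True, timeout=timeout).stdout
    record = evidence_record(raw)
    with open("ideviceinfo-%s.plist" % (record["UniqueDeviceID"] or "unknown"), "wb") as fh:
        fh.write(raw)  # keep the untouched plist next to the summary
    return record


if __name__ == "__main__":
    for key, value in evidence_record(SAMPLE_PLIST).items():
        print("%-18s %s" % (key, value))
```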


iCloud


Starting with iOS 5, devices can back themselves up to the iCloud cloud and restore from such a backup during initial setup. Accessing this data requires knowing the Apple ID and password. One open source solution for this is iLoot. The utility is simple enough to use that no explanation is needed: the Apple ID and password go in, and the backups downloaded from iCloud come out. At the time of writing, iLoot does not work with accounts that have two-step authentication enabled.

Conclusion


In this article I have tried to describe the available methods of extracting data from iOS devices that do not require spending money. An important aspect of an examination, the analysis of the extracted data, has stayed behind the scenes: that topic is much broader and depends heavily on the iOS version and the installed applications, so it is hard to treat "in general". Nevertheless, I hope the material was interesting and that you learned something new from it. Happy hacking!


First published in the magazine "Hacker" from 02/2015.
Posted by: Andrey Belenko ( @abelenko )


Source: https://habr.com/ru/post/253997/

