iPhone Forensics - PowerPoint PPT Presentation

About This Presentation
Title:

iPhone Forensics

Description:

iPhone Forensics Ruben Gonzalez – PowerPoint PPT presentation

Number of Views:213
Avg rating:3.0/5.0
Slides: 17
Provided by: Rube117
Category:

less

Transcript and Presenter's Notes

Title: iPhone Forensics


1
iPhone Forensics
  • Ruben Gonzalez

2
Agenda
  • I am the iPhone
  • iPhone Components
  • OS and System Architecture
  • Lets Dive into iPhone Forensics
  • Evidence Left Behind
  • Forensic Software Tools Needed to do the Job
  • Dissecting One Forensic Tool
  • Basic Things to Understand
  • One Last Thing

3
Hello I am the iPhone and I dont need
introduction!
45 million units will be sold this year!
4
OS and System Architecture
  • Arm Processor
  • Contrast with x86
  • Hardware
  • Various sensors
  • Accelerometer
  • Proximity Sensor
  • Multi-touch Capable Screen
  • Various Radios
  • User Interface Frameworks
  • Leopard or Tiger (iPhone Version)
  • Kernel (Signed Kernel)
  • Used to prevent tampering

5
iPhone Core Components
6
Lets Dive into iPhone Forensics
  • Facts about iPhone (Forensically Speaking)
  • It is extremely difficult to permanently delete
    data from an iPhone
  • Secure wipe has been installed in recent versions
  • iTunes "restore" process formats the device
  • In actuality, even this leaves a majority of the
    old data intactjust not directly visible
  • A refurbished iPhone may contain last owners
    information

7
Evidence Left Behind
  • Keyboard caches
  • usernames, passwords, search terms, and
    historical fragments of typed communication.
  • Even when deleted
  • Deleted images
  • Browsing cache and deleted browser objects
  • Exhaustive call history, beyond that displayed,
    is generally available

8
Evidence Left Behind ( cont)
  • Map tile images from the iPhone's Google Maps
  • Application direction lookups and GPS coordinates
  • Deleted voicemail recordings
  • Pairing records establishing trusted relationships

9
Forensic Software Tools Needed to do the Job
  • Commercial Tools
  • Device Seizure 2.0 (Paraben)
  • Aesco (Radio Tatics, LTD)
  • Sixth Legion (WOLF)
  • Open Source Tools
  • iLiberty (iPhone v.1.x)
  • Pwnage (iPhone v.2.x)

10
Dissecting One Forensic Tool
  • iLiberty
  • A basic Unix world
  • OpenSSH, a secure shell
  • The netcat tool, for sending data across a
    network
  • The md5 tool, for creating a cryptographic digest
    of the disk image
  • The dd disk copy/image tool
  • Is it really a forensic tool if you write to the
    HD?
  • Other tools may provide a similar solution

11
Basic Things to Understand
  • Apple File Communication Protocol (AFC)
  • Uses a framework (MobileDevice) to allow iTunes
    to write to the Media (jailed) Partition
  • iTunes can read info from device but not raw data
  • AFC is used to boot RAM disk containing forensic
    payload into the iPhones running memory
  • After rebooting, it installs UNIX tools (ssh, dd,
    etc)

12
Basic Things to Understand
  • Where Things are Written and Where can You Write
  • Think UNIX
  • There is a System Partition (root)
  • 300 MB
  • Read only
  • Intended to remain in factory state
  • This is where the Forensic Tool will be installed
  • Media Partition
  • The rest of the disk
  • Mounted as /private/var
  • Contains all user information
  • Writing to it Contamination

13
Basic Things to Understand
  • Avoid cross contamination
  • iPhone will Sync if not prevented
  • You must prevent this before connecting the phone
    to the desktop
  • As of today, there is no iPhone write blocker

14
iPhone with Payload Injected
UNIX Commands
root
directory
15
One Last Thing
  • Because of Apples IP
  • Apple has made it difficult for developers to
    make Forensic Tools to work as well as their
    desktop counter parts
  • Aforementioned tools not able to get a true
    physical HD image
  • iLiberty is exception, but not considered
    forensic
  • Hacking the System Partition violates Apples IP
  • There is no way at this point in time to get a
    perfect image from the user partition
  • Things may change once the new iPhone is released
    in June
  • Not necessarily a change for the better

16
Questions?
Write a Comment
User Comments (0)
About PowerShow.com