Friday, January 27, 2012

iPod's, what's in a name?

iPod Device Names

iPod devices have a name.  It's set by the user when they initialize the device through iTunes (there are alternate initialization methods, but that is not the focus of this post).  When the focus of the investigation is determining the device owner, the device name is a good place to start.  The device name, for example, could be "John Doe", and you happen to know who John Doe is, or how to find out.

Of course, the device name could be 'Pookie', which won't help you out too much.  But, don't give up, I've already demonstrated another, even more useful, method for identifying iPod owners through iTunes purchased media.  Take a look here if that interests you.

But, I got curious, where in the iPod can you find the device name?  It's clearly stored on the device, because, as any iPod owner can tell you, if you navigate from the main menu to the 'About' screen in 'Settings', you'll see something akin to "John Doe's iPod."

Where to Look

The first place to look in a FAT formatted iPod is the volume label of the data volume (aka partition).  The volume label holds the current device name.  You can view it with blkid, or for the forensically inclined, with the Sleuthkit at the root level.

I'll use a 5th gen Nano I recently examined as an example.  I am operating as root because I am examining a device directly:

# blkid /dev/sdd1
/dev/sdd1: LABEL="PINK PANTHE" UUID="E0B8-3334" TYPE="vfat"

# fls /dev/sdd1
r/r 3:    PINK PANTHE (Volume Label Entry)
d/d 5:    iPod_Control
...

Now, I'm fairly worldly (all my friends are now rolling their eyes), but I suspected that when I checked Settings | About on this Nano, I'd find the device name was 'Pink Panther', not the truncated 'Pink Panthe' that was in the volume label, which has a limit of 12 characters.  And sure enough, that's what I found: 'pink panther.'

So, if the 'r' in panther isn't in the volume label, then the volume label is not the source of the data in the About screen.  So, what is the source?  It turns out, after mounting the device read-only and employing my favorite keyword search utility (more on that one later), that the source is the 'Library.itdb' SQLite database in the 'iPod_Control/iTunes/iTunes Library.itlp/' directory.

I found the table in which the device name resides as follows:

# sqlite3 '/media/iPod/iPod_Control/iTunes/iTunes Library.itlp/Library.itdb' .dump | grep 'pink panthe'
INSERT INTO "container" VALUES(-3226555229562403833,0,333435002,347345556,'pink panther',100,0,1,0,1,0,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL);


What I did there was dump the database contents, which shows the SQL commands that would recreate the database and populate it.  The dump, when saved to a file, can be used to back up and restore a database.  For my purpose, I see that a list of values, including 'pink panther', was inserted into the 'container' table.

Now, I can produce a nice query that can be used in future examinations to directly recover the device name from the Library.itdb database:

# sqlite3 -line '/media/iPod/iPod_Control/iTunes/iTunes Library.itlp/Library.itdb' 'select name from container'
 name = pink panther

Now I have two sources for the device name in a FAT formatted device.  And, the database query can presumably be used for HFS formatted iPod Classics as well.  Combine that with the media search for Apple Store account and real name information, and even an unallocated search for MPEG-4 metadata (next post), and you have a robust, though not foolproof, methodology for identifying iPod owners.
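As an added example (not the post's own code), a small Python cross-check of the two sources described above: it runs the post's 'select name from container' query against Library.itdb and tests whether the FAT volume label is the upper-cased, truncated form of a name found there.  The sample database is constructed in memory with only two columns; the real container table has many more, as the dump shows.

```python
import os
import sqlite3

# Path of the database beneath the mount point, as given in the post.
ITDB_RELATIVE = os.path.join("iPod_Control", "iTunes", "iTunes Library.itlp", "Library.itdb")


def open_itdb(mount_point):
    """Open Library.itdb beneath a read-only mounted iPod (e.g. /media/iPod)."""
    return sqlite3.connect(os.path.join(mount_point, ITDB_RELATIVE))


def sample_itdb():
    """Constructed in-memory stand-in for Library.itdb: only pid and name matter here."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE container (pid INTEGER, name TEXT)")
    conn.executemany("INSERT INTO container VALUES (?, ?)",
                     [(-3226555229562403833, "pink panther"), (42, None)])
    return conn


def container_names(conn):
    """The post's query, skipping rows that carry no name."""
    return [row[0] for row in conn.execute("SELECT name FROM container") if row[0]]


def label_is_truncation(volume_label, name):
    """True when a FAT volume label is the upper-cased prefix of name,
    so 'PINK PANTHE' is accepted as a cut-down 'pink panther'."""
    label = volume_label.strip().upper()
    return bool(label) and name.upper().startswith(label)


def cross_check(conn, volume_label):
    """Pair the blkid/fls volume label with every container name it could have come from."""
    names = container_names(conn)
    return {"container_names": names,
            "label_matches": [n for n in names if label_is_truncation(volume_label, n)]}
```

An empty label_matches list with a non-empty container_names list means the label and the database disagree, which is worth noting in the report.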

Thursday, January 19, 2012

Whose iPod?

iPods, iPods, everywhere...

...Which means they are frequently lost or stolen.  ...Which means they end up in my office with a request attached stating, "Can you please try to figure out who owns this?"

Device Name

iTunes, the principal means for managing iPod content, allows users to name their device.  Usually, owners put their names, like 'John Doe,' so that the device is reported in iTunes as 'John Doe's iPod.'  In a FAT32 formatted device, like an iPod Nano, the device name is recorded as the volume label.

When it comes to linking the device to owners, though, the device name is seldom enough.  'John Doe' might be too common a name, not listed in the phone book or in your records management system.  Worse, the device name might be 'Wookie'.  What then?

What Apple Doesn't Tell You

The Apple Store, commonly known as the iTunes store, sells media for playback on the device.  Music and video are popular purchases, and are sold in the MPEG-4 format with file extensions of .m4p (music) and .m4v (video).

The purchaser of this content has to create and use an Apple Store account.  For quite some time, the account name has been the user's email address.  Users provide their real names as part of the creation process, which is necessary for credit card transactions.  Very standard business practices, nothing nefarious here.

The sleight of hand comes on download (well, it would have to occur before download, for you precise types).  The Apple Store account name and the purchaser's real name are embedded in the media file!  MPEG-4 files contain metadata (data about data) such as the Artist, Title, Album, even album cover art.  The metadata takes the form of key:value pairs, often referred to as 'atoms.'

Where to look

The atoms 'name' and 'apID' contain the purchaser's real name and account name (email address), respectively.  However, no tools I am aware of automatically display this content.  The excellent exiftool by Phil Harvey will display the account name (apID atom, i.e., email address) but not the purchaser's real name.

While Harvey's tool is excellent, it just doesn't do to run exiftool against every media file on an iPod.  First, not every media file is an MPEG-4 with Apple Store metadata.  iTunes allows users to convert their existing mp3 and CD collections to MPEG-4, for example.  These media files take on the .m4a file extension and do not contain purchaser information.  Nor do .mp3s, for that matter.

When I'm in a hurry, which is most of the time, I resort to a straightforward, compound command:

$ find /media/iPod/iPod_Control/Music -type f -name "*.m4[pv]" | while read -r i; do strings -f "$i" | grep -E -m1 'name.+'; strings -f "$i" | grep -E -m1 -A2 'apID'; done

Am I out of my flipping mind?  No.  That really works, works well, and works really, really fast.  Should I explain it?  No, not unless you really want me to.  The output looks like this:

/media/iPod/iPod_Control/Music/F49/PFLT.m4v: nameJohn Doe
/media/iPod/iPod_Control/Music/F49/PFLT.m4v: 8apID
/media/iPod/iPod_Control/Music/F49/PFLT.m4v: 0data
/media/iPod/iPod_Control/Music/F49/PFLT.m4v: jdoe@email.com

/media/iPod/iPod_Control/Music/F49/QQDN.m4p: nameJohn Doe
/media/iPod/iPod_Control/Music/F49/QQDN.m4p: 8apID
/media/iPod/iPod_Control/Music/F49/QQDN.m4p: 0data
/media/iPod/iPod_Control/Music/F49/QQDN.m4p: jdoe@email.com


Pretty?  Maybe not.  Does it answer the question of what is the real name and email address of the media purchaser?  Yes.  And did I mention, really, really fast?

I'm aware that some people might like or need nicer output for a report of some kind.  I wrote a bash script, called iphone_music, that works with exiftool to produce nicer output:

======== /media/iPod/iPod_Control/Music/F49/PFLT.m4v
File Type                       : M4V
Apple Store Account             :
jdoe@email.com
Apple Store Account Type        : iTunes
Apple Store Real Name           :
John Doe
 
======== /media/iPod/iPod_Control/Music/F49/QQDN.m4p
File Type                       : M4P
Apple Store Account             :
jdoe@email.com
Apple Store Account Type        : iTunes
Apple Store Real Name           : John Doe


Iphone_music is also quite fast and uses the same basic methodology as the find command first demonstrated.  Additionally, it can tell you the names, artists, albums, etc. of other media on the device for instances where the owner has no purchased media on the device but can describe the media on board (e.g., .mp3, .m4a).  You may have noticed from the paths of the media files demonstrated that iTunes does not name the files after their content.

Iphone_music can be vastly improved, such as sorting by artist, email, owner name, etc., and I'll likely rewrite the tool in Python to facilitate implementing these features.

Final Note (pun intended)

The methods detailed here work on mounted file systems and allocated files.  It is possible to find the real name and email address on devices where the media files have been deleted by the iPod thief / finder.  I won't detail the process here, but it involves using the Sleuthkit to pipe unallocated space to strings and grep for the name and apID atoms.  Another method, though slower, would be to use photorec or another file carving tool to recover MPEG-4 files and then use the methods above to search the recovered files.
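As an added example (not the post's code, nor exiftool's or iphone_music's), a Python scanner that does what the strings/grep pipeline in "Where to look" approximates, and that also applies to the Final Note's carved or unallocated data: it looks for 'name' and 'apID' atom headers anywhere in a byte buffer, validates the atom size, and pulls the string out with the atom's own length rather than strings' heuristics.  It assumes the layout the strings output above suggests: 'apID' wraps a 'data' atom (4 bytes type/flags and 4 bytes locale before the value) while 'name' holds the string directly; the sample buffer is constructed.

```python
import re
import struct

MIN_ATOM, MAX_ATOM = 9, 4096          # header (8) + payload, but small enough for a string
ATOM_RE = re.compile(rb"name|apID")   # the two atom types the post identifies


def _printable(raw):
    """Decode a UTF-8 string payload; binary bodies (e.g. 'name' false hits) give None."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() and text.strip() else None


def _data_payload(body):
    """apID wraps a 'data' atom: size, 'data', 4 bytes type/flags, 4 bytes locale, value."""
    if len(body) < 16 or body[4:8] != b"data":
        return None
    size = struct.unpack(">I", body[:4])[0]
    if size < 16 or size > len(body):
        return None
    return _printable(body[16:size])


def scan_purchaser_atoms(buf):
    """Return [(offset, label, value)] for each plausible 'name'/'apID' atom in buf.
    Keys off atom headers, not the moov tree, so a carved chunk works as well as a file."""
    hits = []
    for m in ATOM_RE.finditer(buf):
        start = m.start() - 4                      # the 4-byte size precedes the type
        if start < 0:
            continue
        size = struct.unpack(">I", buf[start:start + 4])[0]
        if not MIN_ATOM <= size <= MAX_ATOM or start + size > len(buf):
            continue
        body = buf[start + 8:start + size]
        if m.group() == b"apID":
            label, value = "apple_store_account", _data_payload(body)
        else:                                      # 'name' holds the string directly
            label, value = "apple_store_real_name", _printable(body)
        if value is not None:
            hits.append((start, label, value))
    return hits


def atom(atype, payload):
    """Build one atom (big-endian size, type, payload); used here only for the sample."""
    return struct.pack(">I4s", 8 + len(payload), atype) + payload


# Constructed sample, modelled on the strings output above: padding, a 'name' atom,
# the word 'name' inside ordinary text (no valid size in front of it, so dropped),
# then an 'apID' item wrapping a 'data' atom.
SAMPLE = (b"\x00" * 32 + atom(b"name", b"John Doe") + b"filename.txt"
          + atom(b"apID", atom(b"data", b"\x00\x00\x00\x01" + b"\x00" * 4 + b"jdoe@email.com")))
```

Run it over open(path, "rb").read() for an allocated file, or over a chunk of unallocated space; the offsets it returns are relative to whatever buffer was passed in.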

Unoconv is number one!

I discussed a recent case where I was seeking Enhanced Metafiles and discovered that LibreOffice could be used to open and view them (see, LibreOffice: An Unlikely Image Viewer).  I mentioned at the end of that post that unoconv could be used to automate the process of taking the difficult to view EMF files and converting them to something very portable, like PDF.

Today, I actually undertook that task when carving for EMF files produced over 1000 files to be examined.  Doing so exposed me to the full capabilities of unoconv, and I'm quite excited about the possibilities.

What, exactly is unoconv?

From the man page: "unoconv is a command line utility that can convert any file format that OpenOffice can import, to any file format that OpenOffice is capable of exporting."  This raises the question: what can OpenOffice (or LibreOffice) import and export?  Glad you asked:

$ unoconv --show
The following list of document formats are currently available:

  bib      - BibTeX [.bib]
  doc      - Microsoft Word 97/2000/XP [.doc]
  doc6     - Microsoft Word 6.0 [.doc]
  doc95    - Microsoft Word 95 [.doc]
  docbook  - DocBook [.xml]
  html     - HTML Document (OpenOffice.org Writer) [.html]
  odt      - Open Document Text [.odt]
  ott      - Open Document Text [.ott]
  ooxml    - Microsoft Office Open XML [.xml]
  pdb      - AportisDoc (Palm) [.pdb]
  pdf      - Portable Document Format [.pdf]
  psw      - Pocket Word [.psw]
  rtf      - Rich Text Format [.rtf]
  latex    - LaTeX 2e [.ltx]
  sdw      - StarWriter 5.0 [.sdw]
  sdw4     - StarWriter 4.0 [.sdw]
  sdw3     - StarWriter 3.0 [.sdw]
  stw      - Open Office.org 1.0 Text Document Template [.stw]
  sxw      - Open Office.org 1.0 Text Document [.sxw]
  text     - Text Encoded [.txt]
  txt      - Plain Text [.txt]
  vor      - StarWriter 5.0 Template [.vor]
  vor4     - StarWriter 4.0 Template [.vor]
  vor3     - StarWriter 3.0 Template [.vor]
  xhtml    - XHTML Document [.html]

The following list of graphics formats are currently available:

  bmp      - Windows Bitmap [.bmp]
  emf      - Enhanced Metafile [.emf]
  eps      - Encapsulated PostScript [.eps]
  gif      - Graphics Interchange Format [.gif]
  html     - HTML Document (OpenOffice.org Draw) [.html]
  jpg      - Joint Photographic Experts Group [.jpg]
  met      - OS/2 Metafile [.met]
  odd      - OpenDocument Drawing [.odd]
  otg      - OpenDocument Drawing Template [.otg]
  pbm      - Portable Bitmap [.pbm]
  pct      - Mac Pict [.pct]
  pdf      - Portable Document Format [.pdf]
  pgm      - Portable Graymap [.pgm]
  png      - Portable Network Graphic [.png]
  ppm      - Portable Pixelmap [.ppm]
  ras      - Sun Raster Image [.ras]
  std      - OpenOffice.org 1.0 Drawing Template [.std]
  svg      - Scalable Vector Graphics [.svg]
  svm      - StarView Metafile [.svm]
  swf      - Macromedia Flash (SWF) [.swf]
  sxd      - OpenOffice.org 1.0 Drawing [.sxd]
  sxd3     - StarDraw 3.0 [.sxd]
  sxd5     - StarDraw 5.0 [.sxd]
  tiff     - Tagged Image File Format [.tiff]
  vor      - StarDraw 5.0 Template [.vor]
  vor3     - StarDraw 3.0 Template [.vor]
  wmf      - Windows Metafile [.wmf]
  xhtml    - XHTML [.xhtml]
  xpm      - X PixMap [.xpm]

The following list of presentation formats are currently available:

  bmp      - Windows Bitmap [.bmp]
  emf      - Enhanced Metafile [.emf]
  eps      - Encapsulated PostScript [.eps]
  gif      - Graphics Interchange Format [.gif]
  html     - HTML Document (OpenOffice.org Impress) [.html]
  jpg      - Joint Photographic Experts Group [.jpg]
  met      - OS/2 Metafile [.met]
  odd      - OpenDocument Drawing (Impress) [.odd]
  odg      - OpenOffice.org 1.0 Drawing (OpenOffice.org Impress) [.odg]
  odp      - OpenDocument Presentation [.odp]
  otp      - OpenDocument Presentation Template [.otp]
  pbm      - Portable Bitmap [.pbm]
  pct      - Mac Pict [.pct]
  pdf      - Portable Document Format [.pdf]
  pgm      - Portable Graymap [.pgm]
  png      - Portable Network Graphic [.png]
  pot      - Microsoft PowerPoint 97/2000/XP Template [.pot]
  ppm      - Portable Pixelmap [.ppm]
  ppt      - Microsoft PowerPoint 97/2000/XP [.ppt]
  pwp      - PlaceWare [.pwp]
  ras      - Sun Raster Image [.ras]
  sda      - StarDraw 5.0 (OpenOffice.org Impress) [.sda]
  sdd      - StarImpress 5.0 [.sdd]
  sdd3     - StarDraw 3.0 (OpenOffice.org Impress) [.sdd]
  sdd4     - StarImpress 4.0 [.sdd]
  sti      - OpenOffice.org 1.0 Presentation Template [.sti]
  stp      - OpenDocument Presentation Template [.stp]
  svg      - Scalable Vector Graphics [.svg]
  svm      - StarView Metafile [.svm]
  swf      - Macromedia Flash (SWF) [.swf]
  sxi      - OpenOffice.org 1.0 Presentation [.sxi]
  tiff     - Tagged Image File Format [.tiff]
  vor      - StarImpress 5.0 Template [.vor]
  vor3     - StarDraw 3.0 Template (OpenOffice.org Impress) [.vor]
  vor4     - StarImpress 4.0 Template [.vor]
  vor5     - StarDraw 5.0 Template (OpenOffice.org Impress) [.vor]
  wmf      - Windows Metafile [.wmf]
  xhtml    - XHTML [.xml]
  xpm      - X PixMap [.xpm]

The following list of spreadsheet formats are currently available:

  csv      - Text CSV [.csv]
  dbf      - dBase [.dbf]
  dif      - Data Interchange Format [.dif]
  html     - HTML Document (OpenOffice.org Calc) [.html]
  ods      - Open Document Spreadsheet [.ods]
  ooxml    - Microsoft Excel 2003 XML [.xml]
  pdf      - Portable Document Format [.pdf]
  pts      - OpenDocument Spreadsheet Template [.pts]
  pxl      - Pocket Excel [.pxl]
  sdc      - StarCalc 5.0 [.sdc]
  sdc4     - StarCalc 4.0 [.sdc]
  sdc3     - StarCalc 3.0 [.sdc]
  slk      - SYLK [.slk]
  stc      - OpenOffice.org 1.0 Spreadsheet Template [.stc]
  sxc      - OpenOffice.org 1.0 Spreadsheet [.sxc]
  vor3     - StarCalc 3.0 Template [.vor]
  vor4     - StarCalc 4.0 Template [.vor]
  vor      - StarCalc 5.0 Template [.vor]
  xhtml    - XHTML [.xhtml]
  xls      - Microsoft Excel 97/2000/XP [.xls]
  xls5     - Microsoft Excel 5.0 [.xls]
  xls95    - Microsoft Excel 95 [.xls]
  xlt      - Microsoft Excel 97/2000/XP Template [.xlt]
  xlt5     - Microsoft Excel 5.0 Template [.xlt]
  xlt95    - Microsoft Excel 95 Template [.xlt]

So, what's missing?  The newer Microsoft 'x' formats: docx, xlsx, etc. (Microsoft Office XML) are not listed, but conversion is still possible!  Let your mantra be "unoconv is a command line utility that can convert any file format that OpenOffice can import, to any file format that OpenOffice is capable of exporting."

Using unoconv

To use unoconv, you first have to start the listener:

$ unoconv -l &   #the '&' backgrounds the process and returns control of the
                 terminal window to you
[1] 9998         #9998 is the process number of the listener.

Checking the process shows that the listener is a python program, so the killall command to cancel the listener would have to be directed at python.  To avoid killing other python processes, 'kill 9998' should be used rather than 'killall python':

$ ps 9998
  PID TTY      STAT   TIME COMMAND
 9998 pts/0    Sl     0:00 /usr/bin/python /usr/bin/unoconv -l


With the listener running, conversion of documents is straightforward, as we can see from the help:

$ unoconv -h
usage: unoconv [options] file [file2 ..]

Convert from and to any format supported by OpenOffice

unoconv options:
  -c, --connection=string  use a custom connection string
  -d, --doctype=type       specify document type
                             (document, graphics, presentation, spreadsheet)
  -e, --export=name=value  set export filter options
                             eg. -e PageRange=1-2
  -f, --format=format      specify the output format
  -i, --import=string      set import filter option string
                             eg. -i utf8
  -l, --listener           start a listener to use by unoconv clients
  -o, --outputpath=name    output directory
      --pipe=name          alternative method of connection using a pipe
  -p, --port=port          specify the port (default: 2002)
                             to be used by client or listener
  -s, --server=server      specify the server address (default: localhost)
                             to be used by client or listener
  -t, --template=file      import the styles from template (.ott)
  -T, --timeout=secs       timeout after secs if connections to OpenOffice fail
      --show               list the available output formats
      --stdout             write output to stdout
  -v, --verbose            be more and more verbose


So, in its simplest form, conversion takes the following form:

$ unoconv test.docx

The command will finish silently if successful.  It creates a .pdf by default in the same directory as the document.  Add the -f [fmt] option to convert to a different format, for example:

$ unoconv -f txt test.docx

When your conversion work is done, close the listener with:

$ kill 9998

Now you see why unoconv is number one!
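As an added example (not from the post or the unoconv project), a Python batch wrapper for the procedure above, written for the "over 1000 carved EMF files" case: it starts one listener, waits for the listener's default port 2002 (from the help output) to accept connections, hands the files to unoconv in chunks using the -f, -o and -T options shown in the help, and terminates the listener it started rather than a hard-coded PID.  The chunk size, the port-wait helper and the timeout values are my own choices.

```python
import socket
import subprocess
import sys
import time

UNOCONV_PORT = 2002  # default port shown by 'unoconv -h'


def unoconv_args(files, fmt="pdf", outdir=None, timeout=30):
    """Argument list for one client run over many files ('file [file2 ..]' in the usage line)."""
    args = ["unoconv", "-f", fmt, "-T", str(timeout)]
    if outdir:
        args += ["-o", outdir]
    return args + list(files)


def wait_for_listener(port=UNOCONV_PORT, deadline=30):
    """Poll the listener's TCP port so conversion is not attempted before OpenOffice is up."""
    stop = time.time() + deadline
    while time.time() < stop:
        try:
            with socket.create_connection(("127.0.0.1", port), timeout=1):
                return True
        except OSError:
            time.sleep(0.5)
    return False


def convert_batch(files, fmt="pdf", outdir=None, chunk=100):
    """Start one listener, convert files in chunks, and always kill that listener.
    Popen gives us the real PID, so this is 'kill <pid>' from the post, never 'killall python'."""
    listener = subprocess.Popen(["unoconv", "-l"])
    try:
        if not wait_for_listener():
            raise RuntimeError("unoconv listener did not come up on port %d" % UNOCONV_PORT)
        for i in range(0, len(files), chunk):
            subprocess.run(unoconv_args(files[i:i + chunk], fmt, outdir), check=True)
    finally:
        listener.terminate()
        listener.wait()


if __name__ == "__main__":
    # usage: python batch_unoconv.py OUTDIR carved1.emf carved2.emf ...
    convert_batch(sys.argv[2:], "pdf", sys.argv[1])
```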
