Thursday, May 19, 2011

Open Source iPhone Exploits

There are numerous and costly--and closed source--methods for recovery data from the Apple iPhone, iPod Touch, and iPad.  If you are lucky enough to be part of Law Enforcement, then you have free access to Johnathan Zdziarski's tools and methodology (Thank you, Johnathan).  But what to do if you don't have the proprietary tools, or they just don't work on the version of iOS you encounter?

Allow me to introduce the libimobiledevice project.  It is a library that communicates to the aforementioned Apple devices, with the addition of Apple TV devices, but does not use any proprietary libraries, nor does it require jailbreaking to accomplish its goals.    I'll let the description on the project home page take over from here: libimobiledevie "allows other software to easily access the device's filesystem, retrieve information about the device and it's internals, backup/restore the device, manage SpringBoard® icons, manage installed applications, retrieve addressbook/calendars/notes and bookmarks and (using libgpod) synchronize music and video to the device."

That said, it is not designed as a forensics tool.  I may be characterizing it wrongly, but in short, it brings iTunes-like capabilities to Linux.  It does not give full filesystem access to the device, just the media folder and sub folders.  This means you can access the Photos and videos taken with the device, as well as access the music catalog through your file browser.  But be careful--you have read/write access.

Best practice requires that you disable automounting in your system to avoid changing data on the device when  you connect it to your system.  This can be done in a Gnome desktop by using gconf-editor to disable automounting in nautilus ( apps | nautilus | preferences | media_automount [uncheck] ).  It's a good idea to disable media_automount_open and enable media_autorun_never while you're at it.  You won't find your iPhone with fdisk when you connect it, which might leave you wondering just how in the world you're going to mount it?

Libimobiledevice is incorporated into Ubuntu and Linux Mint Debian Edition (my preference) and uses the Gnome Virtual File System (GVFS) for mounting the Media folder of devices in the .gvfs/ folder of your home directory.  But you've disabled automounting, so you need another method that allows read-only mounting.  That's handled with ifuse, but you'll likely have to install it.  With ifuse, the device can be mount read-only in a location you specifiy.  The device is automatically identified unless you choose to identify the device by its UUID (only necessary if you have more than one device connected at a time).  You mount with "ifuse [options] location", such as "iphone -o ro /mnt/analysis".  If you happen to have a jailbroken device, then adding the '--root' parameter will give you full logical access to the user partition on the device.

Mounting with ifuse, on a device that has not been jailbroken, gives access to the same to the device as libimobiledevice through GVFS, only with write protection.  Media files can be useful, as I indicated in an earlier post, but how does an investigator get to the meaty stuff, like SMS messages, call history, and the like?

Well, there are tools that have been built to use the imobiledevice library, aptly called imobiledevice-utils in the Debian package management system.  The utilities consist of the following tools: idevicebackup, ideviceimagemounter, idevicescreenshot, ideviceenterrecovery,  ideviceinfo, idevicesyslog, idevice_id, and idevicepair.  Of particular interest are ideviceinfo, and idevicebackup.

The ideviceinfo tool displays data about the phone itself, including the device name, serial number, OS version, and phone number.  Even locked phones provide useful data, though not as robust as an unlocked phone.  The idevicebackup tool works like iTunes backup.  It creates a device backup in a location specified by the user.  idevicebackup2 is required for iOS 4.3. and above, but can only be obtained by building it from source, which is available through a link on the imobiledevice website.  The backup includes photographs, videos, and databases from the device, including SMS messages, call history, address book, etc!

The files in an iPhone backup are renamed in hex and are referenced in two mbdb databases that index the original name, location and MAC times for the backup files.  The mbdb_parse.py utility can be used to identify the files.  I am working to modify mbdb_parse.py to automate renaming of the files, but the standard output can be used like an ls -lh output.  The limitation of mbdb_parse.py is that it displays user/group values in hex and MAC times in unixepoch time.  I have been able to modify the program to allow me to rename the files into their original names, but the program is not ready for release as yet.

I will cover forensic processing of the backup in a later post.

3 comments:

  1. Great article. I recently updated our child's iPod Touch to iOS6 and it wanted me to hook it up to iTunes then it would not recognize it. I did the "Restore" and because I did not have a recent backup nor iCloud, I lost 200+ pictures and video. Is there a way using any of your methodologies to recover from the "Restored" iPod undoing what was overwritten? Please help. Thanks

    ReplyDelete
    Replies
    1. I'm sorry Dathenus, but you are basically out of luck. First, you need a physical image of the user partition, and that basically takes expensive commercial tools or a lot of know how to achieve. Further, Since iOS4, the file system is encrypted. Deleted files are not recoverable because the keys to decrypt them are destroyed. Therefore, even if you had the physical image, you still would not be able to recover the files through file system carving techniques.

      The restore option you invoked deleted the user data on the Touch. You will not be able to recover it from the Touch. Only an iTunes or similar backup will help you. But, as you already said, you don't have a recent backup. I'm sorry I don't have better news for you.

      Delete
  2. Mr. Lehr,

    Thanks so much for responding. We are very disappointed that Apple pushed out iOS 6 and that it could cause the kind of problems it did. More disappointed for everything we lost, period. Again, thanks.

    ReplyDelete

Time Perspective

Telling time in forensic computing can be complicated. User interfaces hide the complexity, usually displaying time stamps in a human reada...