iOS Forensics: tool validation based on a known dataset - Preamble

Hello world, it’s been a while since my last series of blog posts! But now I am ready to share with you the results of my recent research. I face many different challenges in my daily work as a digital forensics analyst who deals mainly with mobile devices. All modern smartphones are encrypted (usually with file-based encryption (FBE)), so obtaining or cracking the passcode is required to gain access to all the data stored on the device. And even if we know the passcode (or the user has not set a passcode, which is increasingly rare these days), we still need an exploit to gain “root” access to the device to read and copy all the data and get our “best acquisition”, usually a full file system (FFS). And then what? Then you have an enormous number of bytes stored in hundreds of thousands of files in which to search for information relevant to the case. In simple terms, you have a box and you need to find a small piece of information in that box. In the box there is some info

iOS Forensics References: a curated list

Following up on my previous blog post, I decided to create a curated list of iOS Forensics References, organized by folder, with specific references (links to blog posts, research papers, articles, and so on) for each interesting file. The list is available as a GitHub repository to make it easier to keep it updated. If you have any proposal for an addition, either a file/folder or a specific reference, please let me know and I'll be happy to add it to the list.

Sysdiagnose in iOS 16: a first look from a Digital Forensics perspective

Back in May 2019, along with my colleagues Heather Mahalik and Adrian Leong, I wrote the paper "Using Apple “Bug Reporting” for forensic purposes" and some scripts to parse data stored in Sysdiagnose logs. The paper is still available for download and, for the most part, is still accurate. But time goes on, and new iOS versions have come on the market in recent years. I took a first look at a sysdiagnose generated on a freshly wiped iPhone with iOS 16 natively installed. For sysdiagnose generation and extraction, nothing has changed since our paper. You can still generate it in a hardware or software way, and you can extract it with forensic tools (e.g. Elcomsoft iOS Forensic Toolkit) or with iOS device manager tools (e.g. 3uTools). Once extracted, the sysdiagnose is a TAR file that contains various files in the root folder and different subfolders. At first look, most of the files seem coherent with what we wrote in the paper. You can in fact find: sysdiagnose.log tas

Android Forensics References: a curated list

During the forensic analysis of a mobile device, we often need to understand the content of a specific file or folder. This is particularly true when a file or a folder is not parsed by our set of tools. Our approach is, typically, to start googling the file or folder name to check if someone else has already done some research on it. This approach is time-consuming and it's not always easy to quickly find the proper reference. I also realized that I googled the same file/folder name multiple times... So, I decided to create a curated list of Android Forensics References, organized by folder, with specific references (links to blog posts, research papers, articles, and so on) for each interesting file. I plan to create a similar page for iOS in the near future. The list is available as a GitHub repository to make it easier to keep it updated. If you have any proposal for an addition, either a file/folder or a specific reference, please let me know and I'll be happy to

McAFuse - open source McAfee FDE decryption

This post is a guest post, in which Andrea Canepa (recently graduated from the University of Genoa, Computer Science) will explain his Master's Thesis. The topic is how to handle McAfee FDE acquisitions when doing a DFIR investigation. Suppose that you're asked to perform a forensic investigation on a laptop where McAfee FDE is used: the company will provide you the XML file (McAfee ePO) with the decryption key. How would you proceed? Our usual approach has always been to perform a full disk acquisition of the encrypted disk, as is: this is most likely the best freeze of the current data you could get. Then, how would you decrypt the forensic image? McAfee provides the DETech tool and a proper manual: the point is, you'd have to use it by creating a bootable WinPE device (CD, USB) to run it and decrypt the original disk, sector by sector. What I've done in the past is a PowerShell script which takes the file and "installs" it inside a Windows syst

Oh no! I have a wiped iPhone, now what?

One of the most common questions I get asked during presentations and conferences is: "During a search and seizure we found a wiped iPhone, what can we do next?" First and foremost: you cannot recover data stored on the device before the wipe occurred. The encryption keys you need to decrypt the data are gone forever. Full stop :) If you are aware of any method, technique, tool or magic box that can do that, please let me know :) You have three options to recover data:
1. Data stored on computer(s) (Windows or Mac). On Windows you can search for:
Lockdown certificates: C:\ProgramData\Apple\Lockdown
iOS Backups: C:\Users\<username>\AppData\Roaming\Apple Computer\MobileSync\Backup and C:\Users\<username>\Apple\MobileSync\Backup
Synced CrashLogs: C:\Users\<username>\AppData\Roaming\Apple Computer\Logs\CrashReporter\MobileDevice
MediaStream: C:\Users\<username>\AppData\Roaming\Apple Computer\MediaStream\
iPodDevices.xml: C:\Users\<username>\AppData\Local\Apple

Triaging modern Android devices (aka android_triage bash script)

When dealing with mobile devices, you need to follow a procedure that includes various stages, from identification to reporting. One of the key points in this process is the acquisition, where we extract a copy of the data stored in the mobile device. While evaluating your acquisition method, you should always consider the old but gold rule of the order of volatility (RFC 3227: "When collecting evidence you should proceed from the volatile to the less volatile"). Our general goal is to obtain a physical dump of the internal memory, from the very first to the very last bit. On most modern smartphone devices, where file-based encryption (FBE) is in use, a full file system is typically our "best evidence". These extraction methods often rely on vulnerabilities and exploits (either at the hardware or the software level) developed to overcome device security. We use various tools and techniques and sometimes also a physical approach. In some cases, especially

A journey into IoT Forensics - Episode 5 - Analysis of the Apple HomePod and the Apple Home Kit Environment (aka thanks RN Team!)

This is the fifth blog post on the analysis of IoT devices. The first blog post was about the analysis of a Samsung refrigerator, the second one was about the analysis of an LG Smart TV, the third one was about the analysis of an Ematic Android TV OS Box, and the fourth one was about the analysis of an iRobot Roomba 690. All the previous blog posts were based on images made available for research by VTO Labs. This fifth post is about the acquisition and analysis of the Apple HomePod and the Apple HomeKit environment. It is based on research developed by our RN team during 2020: in particular, it was the research topic of the thesis of our intern Francesca Maestri, who successfully obtained her computer science degree last year. Congrats and thanks for your great work Francesca! This work was first presented online in June 2020 at DFRWS EU 2020, as a short presentation. It was also the topic of the famous DFRWS Rodeo. Presentation from the DFRWS, the Rodeo dataset, q