Posts

Oh no! I have a wiped iPhone, now what?

One of the most common questions I got asked during presentations and conferences is: " During a search and seizure we found a wiped iPhone, what can we do next? " First and foremost: you cannot recover data stored on the device before wiping occurred . The encryption keys you need to decrypt the data are gone forever. Full stop :) If you are aware of any method, technique, tool or magic box that can do that, please let me know :) You have three options to recover data: Data stored on computer (s) (Windows or Mac) On Windows you can search for Lockdown certificates C:\ProgramData\Apple\Lockdown iOS Backups  C:\Users\<username>\AppData\Roaming\Apple Computer\MobileSync\Backup C:\Users\<username>\Apple\MobileSync\Backup Synced CrashLogs C:\Users\<username>\AppData\Roaming\Apple Computer\Logs\CrashReporter\MobileDevice MediaStream C:\Users\<username>\AppData\Roaming\Apple Computer\MediaStream\ iPodDevices.xml C:\Users\<username>\AppData\Local\Apple

Triaging modern Android devices (aka android_triage bash script)

Image
When dealing with mobile devices, you need to follow a procedure that includes various stages from identification to reporting. One of the key-point in this process is the  acquisition , where we extract a copy of the data stored in the mobile device.  While evaluating your acquisition method, you should always consider the old but gold rule of the  order of volatility  ( RFC 3227  - " When collecting evidence you should proceed from the volatile to the less volatile "). Our general goal is to obtain a physical dump of the internal memory, from the very first to the very last bit. On most modern smartphone devices, where file-based encryption (FBE) is in use, a full file system is typically our "best evidence".  These extraction methods often rely on vulnerabilities and exploits (either at the hardware or the software level) developed to overcome device security. We use various tools and techniques and sometimes also a physical approach. In some cases, especially

A journey into IoT Forensics - Episode 5 - Analysis of the Apple HomePod and the Apple Home Kit Environment (aka thanks RN Team!)

Image
This is the fifth blog post on the analysis of IoT devices. The first blog post was about the  analysis of Samsung refrigerator , the second one was about the  analysis of an LG Smart TV , the third one was about the analysis of an  Ematic Android TV OS Box , and the fourth one was about the analysis of an iRobot Roomba 690 . All the previous blog posts were based on images made available for research by VTO Labs . This fifth post is about the acquisition and analysis of the Apple Homepod and the Apple HomeKit environment. This is based on a research developed by our RN team during 2020: in particular, it was the research topic of the thesis of our internship Francesca Maestri , who successfully obtained her computer science degree last year. Congrats and thanks for your great work Francesca! This work was first presented online in June 2020 at the DFRWS EU 2020, as a short presentantion. It was also the topic of the famous DFRWS Rodeo. Presentation from the DFRWS, the Rodeo dataset, q