Checkra1n Era - Ep 4 - Analyzing extractions "Before First Unlock"

I spent the last couple of weeks investigating iOS 13 acquisitions "Before First Unlock".

I want to start this blog post with an important point: USB Restricted Mode.

Since iOS 11.4.1, Apple introduced a new security measure called "USB Restricted Mode" that, basically, disables USB data connection under certain conditions.

The effects of USB Restricted Mode on an iOS device and possible ways to overcome it in a non-jailbroken device were intensively discussed on various blogs.

Some references on this topic are:
One of the cases in which USB Restricted Mode is activated is after a reboot: just after a reboot the USB port can be used only for charging and the passcode must be inserted to allow data transfer. 

This is true in a normal iOS boot.

With the checkm8 exploit it seems reasonable to think that the "USB Restricted Mode" limitation can be bypassed/disabled. As I wrote on Twitter, I am not an exploitation expert but I can share the results of different tests I did.

I tested Checkra1n version 0.95 on three different devices, specifically:
  • An iPhone 5s with iOS 12.4.3
  • An iPhone X with iOS 13.1.3
  • An iPhone 7 with iOS 13.2.2
In all of these cases I was able to have a successful access to the device BFU.

On a different iPhone 7, upgraded to iOS 13.2.3, I had to use checkra1n 0.96, as version 0.95 doesn't support the specific iOS version. In this case USB restricted mode was in place and I was not able to bypass it.

I am confident that someone in the forensics world will come up soon with a stable solution to allow the "exploit" of an iOS device by allowing USB data transfer also before first unlock.

In the meanwhile, it is in any case interesting to go on investigating which information can be extracted from an iOS device Before First Unlock, so basically which files are in the "NSFileProtectionNone" data protection class.

iOS 13 File System Layout

Before going into a detailed view of available files in BFU mode, it is useful to provide an overview on the file system layout in iOS 13.

Once connected to the device through SSH, by simply running the mount command you can get the partitions layout.


Unless your are doing a malware analysis on the device, all the relevant data from a forensic perspective is stored in /private/var folder.

By running df -ah you can easily examine the amount of data stored in each partition.


As a reminder: because of the complex and strong encryption method used by Apple to store files on the internal memory, at the moment there is no available/known technique that can be used to recover deleted files on an iOS device. We should then base our analysis on what can be found at the file system level.

With ls -la /private/var/ you can list the subfolders. 
Here is where you will find all the operating system configuration and user data. 

Extracting file information

By running commands like find /private/var -type f -name "*.ext" you can easily get the list of files with a specific extension. 

You can search, for example, for PDF, XLS, DOC and you will most probably find hints in the Mail folder related to an email attachment. You can find hits also in Third Party Applications like WhatsApp, Telegram or Signal.


Other useful find commands you can run are:
  • find /private/var -type d -name "*@g.us*", to extract WhatsApp groups folders name
  • find /private/var -type d -name "*@s.whatsapp.net*", to extract WhatsApp contacts list
  • find /private/var -type d -name "*IMAP-*", to extract email address configured in the native Mail app
  • find /private/var -type d -name "*Skype4LifeSlimCore*", to extract the path where the Skype username is included
  • find /private/var -type d -name "*com.twitter.TwitterSignalProtocol*", to extract the path where the Twitter username is included

Files available Before First Unlock

In this section we analyse which files are available in a "Before First Unlock" acquisition.

We can categorise these data in three types:
  • Operating system configuration
  • Operating system and applications usage log files
  • User data files
    • Native applications
    • Third party applications

Operating system configuration and preferences

In this section we include all the files storing operating system configuration and preferences.
The most relevant folders are:
  • /private/var/db/
  • /private/var/preferences/SystemConfiguration
  • /private/var/mobile/Library/Preferences/
  • /private/var/root/Library/Preferences
  • /private/var/wireless/Library/Preferences/
In /private/var/db you can find various subfolders


The dhcp_leases file contains IP addresses assigned to connected devices, when the Personal Hotspot was in use on the device.


In the dhcpclient/leases folder you will find a plist file, named as the Wi-Fi Mac Address of the device, containing the last IP configuration and the connected SSID.


The analyticsd folder contains files named like Analytics-Journal-YYYY-MM-DD-HHMMSS.ips


Every single file contains a timestamp and the iOS version that was installed on the device at the specific timestamp.

In the timezone subfolder, localtime is an "alias", pointing to the timezone actually set on the device.


In the systemstats subfolder the last_build file contains the actually installed build number (iOS version).


In the spindump subfolder the UUIDToBinaryLocations is a plist file containing the build number and the mapping between UDID and Binary location for System binary files.


In /private/var/preferences/SystemConfiguration you can find:

com.apple.accounts.exists.plist
Information about configured accounts on the device, grouped by type (for example, Apple, Google, Facebook, E-mail, and so on)


NetworkInterfaces.plist
Information about network interfaces of the device.
This file can be parsed with Sysdiagnose Network Interfaces script.


com.apple.wifi.plist
Information about Wi-Fi networks configured on the device.
This file can be parsed with Sysdiagnose WiFi Plist script.


preferences.plist
Hostname and network preferences
This file can be parsed with Sysdiagnose Network Preferences script.


com.apple.radios.plist
Airplane mode on or off


In /private/var/mobile/Library/Preferences/ you can find:

com.apple.madrid.plist
It contains iMessage configuration


com.apple.MobileSMS.plist
It contains SMS configuration and can contain phone numbers


com.apple.identityservices.idstatuscache.plist
It contains contact information.
A good reference about this file is available on Cellebrite website


com.apple.purplebuddy.plist
It contains language and country code


com.apple.assistant.backedup.plist
It contains iCloud sync settings


com.apple.cmfsyncagent.plist
It contains a list of blocked contacts


com.apple.locationd.plist
It contains the "Location Services" setting (Enabled = 1; Disabled = 0).


com.apple.mobile.ldbackup.plist
It contains the last iTunes and last iCloud backup date and timezone.

com.apple.Preferences.plist
It contains information about disk usage (available storage, number of installed application, number of pictures in the Camera Roll, and so on). Similar content is available in the com.apple.atc.plist file


com.apple.sharingd.plist
It contains the device AirDrop ID


com.apple.timed.plist
It contains Auto Time and Auto Time Zone settings.


com.apple.preferences.datetime.plist
It contains the timezone set on the device


com.apple.cloud.quota.plist
It contains iCloud quota information (total space, total available and total used)


In /private/var/root/Library/preferences/ you can find:

com.apple.MobileBackup.plist
It contains Information about the last device reset. In particular, it contains the backup version of iOS, the iOS version installed on the device at the time of recovery, the recovery date, and whether the backup was restored from iCloud.
This file can be parsed with Sysdiagnose Mobile Backup script.

In /private/var/wireless/Library/preferences/ you can find:

com.apple.commcenter.plist
It contains information about the carrier in use, the SIM card ICCID and the associated phone 
number.


com.apple.commcenter.counts.plist
It contains statistics on the use of data and cellular network (for example, bytes received/sent, SMS received/sent, and so on).


com.apple.callservices.plist
It contains the last known iCloud account.

com.apple.commcenter.device_specific_nobackup.plist
It contains the device IMEI.

Operating system and applications usage log files

Information about operating system and applications usage can be found in different places among the device file system. 

/private/var/installd/Library/


The most interesting files here are /Logs/MobileInstallation/mobile_installation.log.N
In our experiments only mobile_installation.log.0 is available BFU, while the other(s) become available once the device is unlocked.

These files were extensively investigated and analysed by Alexis Brignoni and a peer reviewed article is available on DFRWS DFIR Review website.
Alexis also developed a parser for these logs, available on his GitHub account.

The LastBuildInfo.plist file contains the operating system version.


/private/var/log

No useful information was found in this folder during our tests, a part the corecaptured.log file that contains timestamps and can be useful when building a timeline.


/private/var/logs

Various timestamped logs are available in this folder: in particular keybagd.log* and lockdownd.log* can be useful to determine device usage. During our tests in BFU mode we were able to extract the keybagd.log.0 file and both the lockdownd logs.


/private/var/root/Library/

This folder contains various subfolders with application usage logs.


The /Logs/MobileContainerManager contains Mobile Container Manager logs, named containermanagerd.log.
These logs can be parsed with Sysdiagnose Mobile Container Manager script.


The MobileContainerManager folder contains the contaniners3.sqlite database, where you can find information about installed applications.


The Lockdown folder contains the pair_records and the the escrow_records subfolder where pairing plist files are stored. Here the data_ark.plist is also stored, containing various information about the device like the device name, the language, the timezone, the iOS version and the computer type and name where the last backup was executed.


The /Caches/locationd/cache.plist file contains the device UDID


Additional files are available only AFU like, for example:
  • /Caches/locationd/cache_encryptedB.db
  • /Caches/locationd/cache_encryptedC.db
  • /Caches/locationd/gyroCal.db
  • /Caches/com.apple.wifid/ThreeBars.sqlite
/private/var/wireless/

This folder contains various subfolders. 


The most interesting files are Library/Databases/CellularUsage.db and Library/Databases/DataUsage.sqlite.


The CellularUsage.db contains the list of SIM card ICCID’s which have been present in the device iPhone. This file is covered in a article on BlackBag website and on the Salt4n6.com blog.

The DataUsage.sqlite contains information about application usage and its content was analysed by Sarah Edwards on her blog. The APOLLO tool can be used to parse this file.

Two queries to extract information from this database are available in the APOLLO opensource tool.

Native and third party application data

The most important folder containing user information is the /private/var/mobile: it contains  data for native and third party applications and a lot of configuration and log files.


The most interesting folder during an analysis are: Containers, Library and Media.

/private/var/mobile/Library/ folder

The Library folder contains data and logs for native applications.


Most of the data in this folder is encrypted with the passcode, and so is available only After First Unlock, but a lot of information is not encrypted with the passcode and so is available also Before First Unlock.

The Accounts folder contains a database named Accounts3.sqlite: it stores details of the accounts configured on the device (for example, username and type of stored credentials such as password, OAuth, and so on). 


A simple SQL query that can be used to parse this file is

SELECT
ZACCOUNTTYPEDESCRIPTION,
ZUSERNAME,
DATETIME(ZDATE+978307200,'UNIXEPOCH','UTC' ) AS 'ZDATE TIMESTAMP',
ZACCOUNTDESCRIPTION,
ZACCOUNT.ZIDENTIFIER,
ZACCOUNT.ZOWNINGBUNDLEID
FROM ZACCOUNT
JOIN ZACCOUNTTYPE ON ZACCOUNTTYPE.Z_PK=ZACCOUNT.ZACCOUNTTYPE
ORDER BY ZACCOUNTTYPEDESCRIPTION


The AggregatedDictionary contains the ADDataStore.sqlitedb
This file was covered by Sarah Edwards in a blog post.


Two queries to extract information from this database are available in the APOLLO opensource tool.


The AppConduit folder contains two plist files. 


AvailableCompanionApps.plist contains a list of installed Apps


AvailableApps.plist seems containing the list of installed apps on the synced Apple Watch.


The ApplicationSync folder contains a single plist file. 


AssetSortOrder.plist
This file contains the application order on the SpringBoard. In my test this file was not recently updated, so it is possibly a remanence from previous iOS versions.


The Calendar folder contains various file, but not all of them are available BFU.
In particular the Calendar.sqlitedb, containing user calendar entries, is not available BFU.


Notifications.Calendar.Protected is a plist file that can contain references to calendar entries.


The CallHistoryDB folder contains Call History databases. In a BFU acquisition you can typically find this folder layout


The CallHistory.storedata file contains the real call history, and is not available BFU. The CallHistoryTemp.storedata file contains all the calls received on the device after the last successfull first unlock. This file is available, as expected, BFU.

The com.apple.itunesstored contains various SQLite databases related to activities on the iTunes store. 


The kvs.sqlitedb, for example, contains references to installed applications. In particular it contains an embedded plist file containing the list of downloaded apps.


The itunesstored2.sqlitedb also contains references to installed applications, with timestamps


The DataAccess folder contains a subfolder for each email account set in the native Mail app. In my tests the modified timestamp of the various subfolders where quite old, so probably this folder is not used anymore in recent iOS versions. 


The DeviceRegistry and the DeviceRegistry.state folders contain information synced from the paired AppleWatch.



Various interesting files are available in these folders. I suggest you to read my blog post on Elcomsoft website on Apple Watch Forensics Analysis.
As an example, the NanoMail/Registry.sqlite contains the list of synced email accounts.


The NanoAppRegistry folder contains a subfolder for each installed application. Every single folder contains a plist file detailing the version of the application, and other useful information.


The Frontboard folder contains a database named applicationState.db.


This database was covered by Alexis Brignoni in a blog post titled "Identifying installed and uninstalled apps in iOS". A good query to parse this file is available on Alexis GitHub account.


The Logs folder contains various files and subfolders.


The most interesting folders available BFU are AppConduit, CrashReporter and mobileactivationd.

The AppConduit folder typically contains two log files named AppConduit.log.0 and AppConduit.log.1. In my tests, only the first one is available BFU.


An AppConduit log file can be processed with the Sysdiagnose AppConduit Script.

The mobileactivationd folder typically contains 5 log files named mobileactivationd.log.N where N is a between 0 and 4. In my tests, only the first one is available BFU.


A mobileactivationd log file can be processed with the Sysdiagnose MobileActivation Script.

The CrashReporter folder contains Crash Logs, WiFi Manager logs and, eventually, user created Sysdiagnose logs. I strongly suggest you to read the document I wrote with Heather Mahalik and Adrian Leong on Crash and Sysdiagnose Logs

The WiFi subfolder is the most interesting one as it contains WiFi Manager logs. 


These files can be processed with Sysdiagnose WiFi Net Script and with Sysdiagnose WiFi KML Script.

The SMS folder contains SMS databases. Most of the files are not available BFU, but you could find a file named sms-temp.db that contains all the SMS messages received on the device after the last successful first unlock. 


The SpringBoard folder contains various file related to the Springboard.


The IconState.plist file contains the icons layout on the SpringBoard


The LockBackgroundThumbnail.jpg contains the background picture used when the device is locked.


The TCC folder contains a SQLite database name TCC.db


The TCC.db database contains access privileges assigned to applications (for example permissions to access Camera, Photos, Address Book, Microphone and so on).


Additional information can be found in the Caches folder, where, for example, I was able to find references to Wallet Passes in /private/var/mobile/Library/Caches/com.apple.mobilesms.compose/com.apple.Passbook

/private/var/mobile/Media/ folder

The Media folder contains data related to images, videos and audios.


The DCIM folder, containing the list of images and videos stored in the Photo Roll, is not available BFU. You can run an ls command in this folder BFU to extract the list of pictures, with related filesystem timestamps.


The iTunesControl/iTunes/MediaLibrary.sqlitedb database contains the user iCloud account ID and the shopping database on the iTunes Store. 

Here follows a good query to parse this database.

select
ext.title AS "Title",
ext.media_kind AS "Media Type",
itep.format AS "File format",
ext.location AS "File",
ext.total_time_ms AS "Total time (ms)",
ext.file_size AS "File size",
ext.year AS "Year",
alb.album AS "Album Name",
alba.album_artist AS "Artist", 
com.composer AS "Composer", 
gen.genre AS "Genre",
art.artwork_token AS "Artwork",
itev.extended_content_rating AS "Content rating",
itev.movie_info AS "Movie information",
ext.description_long AS "Description",
ite.track_number AS "Track number",
sto.account_id AS "Account ID",
strftime('%d/%m/%Y %H:%M:%S', datetime(sto.date_purchased + 978397200,'unixepoch'))date_purchased,
sto.store_item_id AS "Item ID",
sto.purchase_history_id AS "Purchase History ID",
ext.copyright AS "Copyright"
from
item_extra ext
join item_store sto using (item_pid)
join item ite using (item_pid)
join item_stats ites using (item_pid)
join item_playback itep using (item_pid)
join item_video itev using (item_pid)
left join album alb on sto.item_pid=alb.representative_item_pid
left join album_artist alba on sto.item_pid=alba.representative_item_pid
left join composer com on sto.item_pid=com.representative_item_pid
left join genre gen on sto.item_pid=gen.representative_item_pid
left join item_artist itea on sto.item_pid=itea.representative_item_pid
left join artwork_token art on sto.item_pid=art.entity_pid 


The iTunesControl/iTunes/iTunesPrefs contains the list of computer where the device was connected to.

/private/var/mobile/Containers/ folder

The Containers folder contains data related to Native and Third Party Applications.
It contains two useful subfolders: Data and Shared


Here follows a list of files I was able to find in different extractions BFU for some of the most commonly used applications.

Mail

The native Mail application stores data in /private/var/Library/Mail, and email files are not available BFU. 

The app stores cached images in the /private/var/Containers/Application/<GUID>/Caches folder: these files are available also BFU and here you can typically find images sent or received by email.


The app also stores some emails in PDF format in the /private/var/Containers/Application/<GUID>/tmp/MFScreenshotsService folder.

WhatsApp

The WhatsApp app stores data both in Data and Shared subfolder.
Most of the Databases and plist configuration files are not available BFU, but log files are available.

In particular the folder /private/var/mobile/Containers/Application/<GUID>/Library/Logs contains various logs file about WhatsApp activities.


Viber

The Viber app stores data both in Data and Shared subfolder.
Most of the Databases and plist configuration files are not available BFU, but log files are available.

In particular the folder /private/var/mobile/Containers/Application/<GUID>/Documents contains a database named Settings.data containing user account information.

Conclusions

As you can see, although most of the user data is encrypted BFU, a lot of information can be extracted from an iOS device also when the passcode is not available.

Additional research is needed to find configuration and data files for both native and third party applications, but you can start your investigation by processing the following list of files and folders.

If you see any error or discrepancy, please let me know and I will be happy to integrate this list.

Operating System Configuration and Preferences

  • /private/var/db/analyticsd
  • /private/var/db/dhcp_leases
  • /private/var/db/dhcpclient/leases
  • /private/var/db/spindump
  • /private/var/db/systemstats
  • /private/var/db/timezone
  • /private/var/mobile/Library/Preferences/com.apple.madrid.plist
  • /private/var/mobile/Library/Preferences/com.apple.MobileSMS.plist
  • /private/var/mobile/Library/Preferences/com.apple.identityservices.idstatuscache.plist
  • /private/var/mobile/Library/Preferences/com.apple.purplebuddy.plist
  • /private/var/mobile/Library/Preferences/com.apple.assistant.backedup.plist
  • /private/var/mobile/Library/Preferences/com.apple.cmfsyncagent.plist
  • /private/var/mobile/Library/Preferences/com.apple.locationd.plist
  • /private/var/mobile/Library/Preferences/com.apple.mobile.ldbackup.plist
  • /private/var/mobile/Library/Preferences/com.apple.Preferences.plist
  • /private/var/mobile/Library/Preferences/com.apple.sharingd.plist
  • /private/var/mobile/Library/Preferences/com.apple.timed.plist
  • /private/var/mobile/Library/Preferences/com.apple.preferences.datetime.plist
  • /private/var/mobile/Library/Preferences/com.apple.atc.plist
  • /private/var/mobile/Library/Preferences/com.apple.cloud.quota.plist
  • /private/var/preferences/SystemConfiguration/com.apple.accounts.exists.plist
  • /private/var/preferences/SystemConfiguration/NetworkInterfaces.plist
  • /private/var/preferences/SystemConfiguration/com.apple.wifi.plist
  • /private/var/preferences/SystemConfiguration/preferences.plist
  • /private/var/preferences/SystemConfiguration/com.apple.radios.plist
  • /private/var/root/Library/preferences/com.apple.MobileBackup.plist
  • /private/var/root/Library/Caches/locationd/cache.plist
  • /private/var/wireless/Library/preferences/com.apple.commcenter.plist
  • /private/var/wireless/Library/preferences/com.apple.commcenter.device_specific_no_backup.plist
  • /private/var/wireless/Library/preferences/com.apple.commcenter.counts.plist
  • /private/var/wireless/Library/preferences/com.apple.callservices.plist

Operating system and applications usage log files

  • /private/var/installd/Library/Logs/MobileInstallation/
  • /private/var/installd/Library/MobileInstallation/LastBuildInfo.plist
  • /private/var/log
  • /private/var/logs
  • /private/var/root/Library/Logs/MobileContainerManager
  • /private/var/root/Library/MobileContainerManager/containers.sqlite3
  • /private/var/root/Library/Lockdown/data_ark.plist
  • /private/var/root/Library/Lockdown/pair_record
  • /private/var/root/Library/Lockdown/escrow_records
  • /private/var/wireless/Library/Databases/CellularUsage.db
  • /private/var/wireless/Library/Databases/DataUsage.db

Native and third party application data

  • /private/var/mobile/Library/Accounts/Accounts3.sqlite
  • /private/var/mobile/Library/AggregatedDictionary/ADDataStore.sqlitedb
  • /private/var/mobile/Library/AppConduit/AvailableCompanionApps.plist
  • /private/var/mobile/Library/AppConduit/AvailableApps.plist
  • /private/var/mobile/Library/ApplicationSync/AssetSortOrder.plist
  • /private/var/mobile/Library/Calendar/Notifications.Calendar.Protected
  • /private/var/mobile/Library/CallHistoryDB/CallHistoryTemp.storedata
  • /private/var/mobile/Library/com.apple.itunesstored/kvs.sqlitedb
  • /private/var/mobile/Library/com.apple.itunesstored/itunesstored2.sqlitedb
  • /private/var/mobile/Library/DataAccess
  • /private/var/mobile/Library/DeviceRegistry
  • /private/var/mobile/Library/DeviceRegistry.state
  • /private/var/mobile/Library/Frontboard/applicationState.db
  • /private/var/mobile/Library/Logs/AppConduit
  • /private/var/mobile/Library/Logs/mobileactivationd
  • /private/var/mobile/Library/Logs/CrashReporter
  • /private/var/mobile/Library/SMS/sms-temp.db
  • /private/var/mobile/Library/SpringBoard/IconState.plist
  • /private/var/mobile/Library/SpringBoard/LockBackgroundThumbnail.jpg
  • /private/var/mobile/Library/TCC/TCC.db
  • /private/var/mobile/Media/DCIM
  • /private/var/mobile/Media/iTunesControl/iTunes/MediaLibrary.sqlitedb
  • /private/var/mobile/Media/iTunesControl/iTunes/iTunesPrefs
  • /private/var/mobile/Containers/Application/<WHATSAPP-GUID>/Library/Logs/whatsapp-YYYY-MM-DD-HH-MM-SSS*.log
  • /private/var/mobile/Containers/Application/<MAILAPP-GUID>/Caches
  • /private/var/mobile/Containers/Application/<VIBER-GUID>/Documents/Settings.data

Comments

Popular posts from this blog

A first look at Android 14 forensics

Huawei backup decryptor

Dissecting the Android WiFiConfigStore.xml for forensic analysis