A first look at iOS 18 forensics

By -

This has been a tough year for me: my mom passed away in June, and I'm still slowly recovering from the hard blow. It's time to start again doing what I love: researching and sharing!

It's early September and like every year, that moment is approaching when everyone who deals with mobile forensics starts to tremble at the thought of the arrival of a new version of iOS!

First the good news: the basic and traditional techniques for logical acquisition (or Advanced Logical, if you want to call it that) still work on iOS 18!

A new cross-platform open-source tool has recently become available that enables this type of extraction from various types of Apple devices (iPhone, iPad, Apple TV, Apple Watch). 

The UFADE tool https://github.com/prosch88/UFADE), developed and maintained by Christian Peter, fully supports iOS 18 and was used to perform the tests described in this article.

The tests were performed on an iPhone 12 with iOS 18 beta operating system, which was reinstalled after a reset and without restoring from a previous backup. After configuration, an existing iCloud account was logged in, with subsequent synchronization of the existing data (e.g. photos, contacts, etc.).

After installation, the device was only used with native applications, and various acquisitions were performed:

  • iTunes backup
  • AFC
  • Crash logs and Sysdiagnose
While we wait for one of the gray/green/black/blue/orange tools that will allow us to obtain a full file system, we need to optimize the data we can extract by combining the traditional techniques.

Among the different techniques, the iTunes backup (encrypted, of course!) is still the one that can extract the most data. Below is a short list of the most important files already present in previous versions of iOS and available in an iTunes backup with iOS 18.

Basic device information and configuration

  • Device Model Number and Device Name
    • /private/var/preferences/SystemConfiguration/preferences.plist
  • Serial Number
    • /private/var/root/Library/Caches/locationd/consolidated.db
  • Last Known ICCID
    • /private/var/wireless/Library/Preferences/com.apple.commcenter.plist
  • SIM Card information
    • /private/var/wireless/Library/Databases/CellularUsage.db
    • /private/var/wireless/Library/Preferences/com.apple.commcenter.data.plist
  • Control Center
    • /private/var/wireless/Library/ControlCenter/ModuleConfiguration.plist
  • Timezone
    • /private/var/mobile/Library/Preferences/com.apple.AppStore.plist
  • Location Services setting
    • /private/var/mobile/Library/Preferences/com.apple.locationd.plist
  • Find my iPhone settings
    • /private/var/mobile/Library/Preferences/com.apple.icloud.findmydeviced.FMIPAccounts.plist
  • Backup information
    • /private/var/mobile/Library/Preferences/com.apple.MobileBackup.plist
    • /private/var/mobile/Library/Preferences/com.apple.mobile.ldbackup.plist

Native Apps

  • Accounts
    • /private/var/mobile/Library/Accounts/Accounts3.sqlite
  • Address Book
    • /private/var/mobile/Library/AddressBook/AddressBook.sqlitedb
    • /private/var/mobile/Library/AddressBook/AddressBookImages.sqlitedb
  • Calendar
    • /private/var/mobile/Library/Calendar/Calendar.sqlitedb
    • /private/var/mobile/Library/Calendar/Extras.db
  • Call History (Phone and FaceTime)
    • /private/var/mobile/Library/CallHistoryDB/CallHistory.storedata
  • Files
    • /private/var/mobile/Library/Application Support/CloudDocs/session/db/client.db
    • /private/var/mobile/Library/Application Support/CloudDocs/session/db/server.db
  • Maps
    • /private/var/mobile/Containers/Shared/AppGroup/<GUID>/Library/Maps/MapsSync_0.0.1
  • Media (Pictures/Videos)
    • /private/var/mobile/Media/DCIM/*
    • /private/var/mobile/Media/PhotoData/Photos.sqlite
    • /private/var/mobile/Media/PhotoData/CPL/*
    • /private/var/mobile/Media/PhotoData/Mutations/*
    • /private/var/mobile/Media/PhotoData/Thumbnails/*
  • Notes
    • /private/var/mobile/Library/Notes/notes.sqlite
  • Safari
    • /private/var/mobile/Library/Safari/Bookmarks.db
    • /private/var/mobile/Library/Safari/History.db
    • /private/var/mobile/Library/Safari/SafariTabs.db
  • SMS/MMS/iMessage
    • /private/var/mobile/Library/SMS/sms.db
    • /private/var/mobile/Library/Preferences/com.apple.MobileSMS.plist
  • Shortcuts
    • /private/var/mobile/Library/Shortcuts/Shortcuts.sqlite
  • Voicemail
    • /private/var/mobile/Library/Voicemail/voicemail.db
  • Weather
    • /private/var/mobile/Containers/Shared/AppGroup/<GUID>/Library/Preferences/group.com.apple.weather.plist

Networks and connected devices

  • Bluetooth
    • /private/var/containers/Shared/SystemGroup/<GUID>/Library/Database/com.apple.MobileBluetooth.ledevices.paired.db
    • /private/var/containers/Shared/SystemGroup/<GUID>/Library/Database/com.apple.MobileBluetooth.ledevices.other.db
  • Wi-Fi Networks
    • /private/var/preferences/com.apple.wifi.known-networks.plist
    • /private/var/preferences/SystemConfiguration/com.apple.wifi-private-mac-networks.plist
  • Home Kit (IoT Devices)
    • /private/var/mobile/homed/datastore3.sqlite

Application usage

  • Application State (Installed applications)
    • /private/var/mobile/FrontBoard/applicationState.db
  • iOS Screen Layout
    • /private/var/mobile/Library/SpringBoard/IconState.plist
  • TCC (Transparency, Consent and Control)
    • /private/var/mobile/Library/TCC/TCC.db
  • Data Usage
    • /private/var/wireless/Library/Databases/DataUsage.sqlite

Pattern of life

  • Health
    • /private/var/mobile/Library/Health/healthdb.sqlite
    • /private/var/mobile/Library/Health/healthdb_secure.sqlite
  • Keyboard Usage Stats
    • /private/var/mobile/Library/Keyboard/user_model_database.sqlite
  • InteractionC
    • /private/var/mobile/Library/CoreDuet/People/interactionC.db
  • Personalization Portrait
    • /private/var/mobile/Library/PersonalizationPortrait/PPSQLDatabase.db
  • Recents
    • /private/var/mobile/Library/Recents/Recents
The AFC protocol can be used to extract multimedia files (even if an iTunes backup password is already set on the device). In combination with the iTunes backup (so-called "Advanced Logical" or "Logical+"), additional files can be extracted, e.g. the Media Library of the iCloud account (/private/var/mobile/Media/iTunes_Control/iTunes/MediaLibrary.sqlitedb).

The Crash Reporter protocol can be used to extract crash logs as well as generated "sysdiagnose" stored in "/private/var/mobile/Library/Logs/CrashReporter/".
If you do not know what a "sysdiagnose" is, I recommend reading my 2019 paper available at https://www.for585.com/sysdiagnose. UFADE also supports the direct creation and extraction of a "sysdiagnosis". In my personal opinion, the extraction of sysdiagnose should always be included in an extraction workflow, especially if an exploit to obtain a FFS is not available. sysdiagnose also contains Apple Unified Logs, which can be crucial in certain types of investigations (e.g. a car accident).

When analyzing the sysdiagnose created under iOS 18, we can find the following relevant files and folders that were extracted from the iOS file system but are not included in an iTunes backup:
  • Mobile Installation Logs (useful to track app installation and uninstall)
    • /private/var/installd/Libary/Logs/MobileInstallation/
  • Mobile Activation Logs (useful to track device power on)
    • /private/var/mobile/Library/Logs/mobileactivationd/*
  • Lockdownd Logs (useful to track passcode changes)
    • /private/var/logs/lockdownd.log
  • Shutdown Logs (useful to track device power off/shutdown)
    • /private/var/db/diagnostics/shutdown.log
  • Logd Log (useful to track device power off/shutdown)
    • /private/var/db/diagnostics/logd.N.log
  • PowerLog.PLSQL (partial)
    • \private\var\containers\Shared\SystemGroup\<GUID>\Library\BatteryLife\CurrentPowerlog.PLSQL
  • Wi-Fi Manager Logs
A sysdiagnose also contains files that are typically included in an iTunes backup, such as the TCC database and the plist file for saving Wi-Fi networks. Remember that if a backup password is already set on the device and you reset it, one of the files affected is the list of known Wi-Fi networks! Another reason why extracting a sysdiagnose is a good choice!

The logs are reorganized with different paths within a sysdiagnose file. If you want to process them with conventional forensic tools, you need to restore the correct file system (at the moment the only option is... manually). In the picture you can see the output generated by iLEAPP after path reordering.


By processing test acquisitions with different tools I found that they all failed in processing DataUsage.sqlite, so possibly something has changed in iOS 18 with this file. 

Let us finish with the bad news: what are you missing out on without a FFS extraction?

Short answer: a lot! Not only in terms of third-party applications (Telegram or Signal, to name but a few) but also for native databases and logs.

Detailed answer: Here is a list of the most important files that cannot be extracted with Advanced Logical (Logical+ in the UFADE GUI):
  • Emails
  • Location-related artifacts
    • Cached locations (Cache.sqlite)
    • Wi-Fi/Cell towers locations (cache_encryptedB.db)
    • Motion History (cache_encryptedC.db)
    • Significant Location (local.sqlite/cloud-V2.sqlite)
    • FindMy Devices
  • Device usage-related artifacts
    • Notifications (DuetExpertCenter folder)
    • CurrentPowerLog.PLSQL (complete)
    • Biome
    • knowledgec.db
    • Network Usage (netusage.sqlite)
    • Aggregated Dictionary (ADDataStore.sqlitedb)
    • Screen Time (RMAdminStore-Local.sqlite / RMAdminStore-Cloud.sqlite)

Comments

Post a Comment

Popular posts from this blog

A first look at Android 14 forensics

By -
Android 14 was released to the public by the Open Handset Alliance on October 4, 2023, and is now available on various smartphones, including the Google Pixel. This blog post aims to explore a list of the majr oartifacts you can find on this version of the Android OS.  For testing and review, I set up a Google Pixel 7A and used it for about a month, with a SIM card and various native and third-party apps installed. The blog post is organized by sections: Device information and general settings User accounts Information on Cellular, Wi-Fi, and Bluetooth connections Native Android applications Google applications Analysis of the use of native and third-party applications Other relevant information As always, I'll try to update this blog post as I test and research. Device information and general settings build.prop TXT format Stored in the root directory of the system partition  Among other things, it contains the device manufacturer, the device model, the operating system version, a
Keep reading

Huawei backup decryptor

By -
When doing Mobile Forensics the first and usually the hardest step is to get access to user's data . It depends on the case type, but the so called physical  acquisition is the analyst object of desire. The reason is simple: iOS and Android native backups, respectively adb  and iTunes , contain a subset of user data, because they respect the various apps configurations where they can specify " you can't include me in backups ". Which leads to inconsistent situations like, for example, having WhatsApp data in iTunes backups and not having it in Android adb backups. Not considering WhatsApp, the majority of apps in iOS and Android do not allow their data to be included in backups . In the scenario where  device is unlocked or the lock  code is known (the only scenario considered in this post), the analyst could use the device itself to make the analysis of the installed applications. Anyone who did that at least once knows how uncomfortable is this approach. Al
Keep reading

WhatsApp Xtract

By -
I don’t want to bore you explaining what is WhatsApp . If you have this serious gap, you can fill it here .  Forensically speaking, WhatsApp was a very cool app until the last June. After that, someone had decided to add the extension “crypt” to such excellent source of information which was msgstore.db . This database stores information about contacts and also entire conversations. But simply opening it with SQLite Browser , you can have some troubles in extracting a single chat session with a desired contact, or in reordering the messages. My last python script wants to overcome these problems, avoiding to deal with complex SQL queries. Now, you need only to decrypt that file! Go to the repo.
Keep reading