Thursday, February 21, 2013

iPhone 4S Analysis with UFED Cellebrite and XRY

Today I completed a file system analysis of the iPhone 4S with the UFED Cellebrite.  I wanted to do a physical extraction of the iPhone 4S, but Cellebrite cannot do a physical extraction for the iPhone 4S.

When I analyzed the file system extraction with the Physical Analyzer software by UFED I got the same results as the Oxygen Forensic Suite.  I was not surprised by this.  Here is what the file system looked like for the Snapchat app.

The Snapchat app contained a Documents folder and a Library folder.  In the Documents folder was a plist file called user.plist.  In the Library folder there was a Preferences folder that contained a plist file called com.toyopagroup.picaboo.plist.  These two plist files were the same plist files found by the Oxygen Forensic Suite.

I also wanted to try the mobile forensics tool XRY.  I used the XRY Complete, but unfortunately it could not do a physical extraction of the iPhone 4S. So, I did a logical extraction of the phone.

In the Documents section of the extraction I was able to locate the two plists that were found with the Oxygen Forensic Suite and the UFED Cellebrite.

The next step I will take in this project is to jailbreak the iPhone 4S so I can then create a physical dd image of the phone, and also take a memory dump.

Wednesday, February 20, 2013

iPhone 4S Analysis with Oxygen Forensic Suite

So, I decided to begin my project with the iPhone.  My Professor gave me his old iPhone 4S that he wiped, so I did not have to use my own personal iPhone 5 for this project.

The first thing I did with the iPhone was update the OS version to 6.1.2.  I then installed the Snapchat app, and created a user account.  I sent ten snapchats to the iPhone 4S from my iPhone 5.  One of the snapchats was a video.  Two of the picture snapchats were left unopened.  I created a spreadsheet of every single snapchat that I sent, which included what the snapchat was, what time it was received, and which user it was sent to, because I will be doing this with numerous devices.

I then created a backup of the iPhone 4S in iTunes because I plan on jailbreaking the phone in one of my next steps to get a physical image of the phone and for a memory dump.

The first tool I decided to use was the Oxygen Forensic Suite.  You can get a trial version for six months.  The Oxygen Forensic Suite is capable of doing a file system dump of iOS.

I completed the file system dump of the iPhone 4S, and started looking for snapchats.  I found no snapchats that I had sent to this device.

I had already done my research of where to find a downloaded application's data in the file system.  On iOS 6, third-party (App Store) apps are installed under /private/var/mobile/Applications/ (also reachable as /var/mobile/Applications/), each in its own container directory named with a UUID.  Each container also contains a Library, Documents, and a tmp folder.

Here is what the file system looked like for the Snapchat app in the Oxygen Forensic Suite.  The Oxygen Forensic Suite extraction did not show a tmp folder for the app.

Inside the Library folder there was a Preferences folder that contained a plist file.  The plist file was called com.toyopagroup.picaboo.plist.

I used the Oxygen Forensic Plist Viewer to view the contents of the plist file.  I have never had experience with plist files, so I need to do more research into how to view them.  From what I can see so far, this plist file contained the user name of the sender of each snapchat received, the time each snapchat was received, the snapchat username of the current user, and the e-mail used to set up the snapchat account.

Inside the Documents folder there was another plist file.  This plist file was called user.plist.

Still using the Oxygen Forensic Plist Viewer I viewed the contents of this plist file.  This plist file contained one thing, which was the last updated time of the app.

The last updated time of this app is 8:14 PM on 2/20/13.  I went back to my spreadsheet of snapchats I sent, and that was the last time I had sent one.
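As an added example (not code from the original post, and not from Oxygen, Cellebrite or XRY), here is a small Python script that does the two things the last few posts describe by hand: it walks an unpacked file-system dump to find an app container under Applications/<UUID>/ with the Documents and Library/Preferences folders, parses the plists it finds there with the standard library's plistlib (XML or binary), and normalises any timestamps to UTC so they can be lined up against the spreadsheet of sent snapchats.  Everything in the sample container is constructed: the UUID, the key names (`username`, `email`, `received`, `lastUpdated`) and the values are placeholders, because the post does not list Snapchat's real plist schema.  The Unix-versus-Cocoa epoch heuristic in `as_utc` is also an assumption worth checking against each app, since iOS code frequently stores seconds since 2001-01-01 rather than since 1970.

```python
# Added example (not the post's or any forensic suite's code). Assumptions:
# the dump is unpacked to a tree mirroring iOS 6 (/private/var/mobile/Applications/
# <UUID>/{Documents,Library/Preferences,tmp}); sample plist keys are placeholders.
import os
import plistlib
import tempfile
from datetime import datetime, timedelta, timezone

SNAPCHAT_BUNDLE = "com.toyopagroup.picaboo"  # bundle id named in the post
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
COCOA_OFFSET = 978307200  # seconds from the Unix epoch to the Cocoa epoch
TIME_KEY_HINTS = ("time", "date", "updated")  # numeric keys treated as timestamps


def find_app_containers(dump_root, bundle_id):
    """Return container dirs whose Library/Preferences holds <bundle_id>.plist."""
    hits = []
    for dirpath, _dirs, files in os.walk(dump_root):
        if os.path.basename(dirpath) == "Preferences" and bundle_id + ".plist" in files:
            hits.append(os.path.dirname(os.path.dirname(dirpath)))  # strip Library/Preferences
    return sorted(hits)


def load_plists(container):
    """Parse every .plist in Documents/ and Library/Preferences/ (XML or binary)."""
    found = {}
    for sub in ("Documents", os.path.join("Library", "Preferences")):
        folder = os.path.join(container, sub)
        if not os.path.isdir(folder):
            continue
        for name in sorted(os.listdir(folder)):
            if name.endswith(".plist"):
                with open(os.path.join(folder, name), "rb") as fh:
                    found[sub.replace(os.sep, "/") + "/" + name] = plistlib.load(fh)
    return found


def flatten(obj, prefix=""):
    """Yield (key path, leaf value) pairs from nested plist dicts and arrays."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from flatten(val, f"{prefix}/{key}")
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            yield from flatten(val, f"{prefix}[{idx}]")
    else:
        yield prefix, obj


def as_utc(value):
    """Normalise a plist timestamp to an aware UTC datetime. plistlib returns <date>
    values as naive UTC; numbers are ambiguous because iOS often stores seconds
    since 2001-01-01 (CFAbsoluteTime), so anything below COCOA_OFFSET (which
    would otherwise be a pre-2001 Unix time) is treated as Cocoa seconds."""
    if isinstance(value, datetime):
        return value if value.tzinfo else value.replace(tzinfo=timezone.utc)
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        raise TypeError(f"not a timestamp: {value!r}")
    base = UNIX_EPOCH if value >= COCOA_OFFSET else COCOA_EPOCH
    return base + timedelta(seconds=value)


def analyze(dump_root, bundle_id=SNAPCHAT_BUNDLE):
    """Return {container: {plist name: [(key path, value)]}}, timestamps in UTC."""
    report = {}
    for container in find_app_containers(dump_root, bundle_id):
        report[container] = {}
        for name, data in load_plists(container).items():
            rows = []
            for key, val in flatten(data):
                last = key.rsplit("/", 1)[-1].lower()
                if isinstance(val, datetime) or (
                        type(val) in (int, float) and any(h in last for h in TIME_KEY_HINTS)):
                    val = as_utc(val)
                rows.append((key, val))
            report[container][name] = rows
    return report


def build_sample_dump(root):
    """Write a constructed container into <root>; UUID, keys and values are placeholders."""
    container = os.path.join(root, "private", "var", "mobile", "Applications",
                             "00000000-0000-0000-0000-000000000001")
    prefs = os.path.join(container, "Library", "Preferences")
    docs = os.path.join(container, "Documents")
    for d in (prefs, docs, os.path.join(container, "tmp")):
        os.makedirs(d)
    with open(os.path.join(prefs, SNAPCHAT_BUNDLE + ".plist"), "wb") as fh:
        plistlib.dump({"username": "receiver_account", "email": "receiver@example.com",
                       "received": [{"sender": "sender_account", "time": datetime(2013, 2, 21, 1, 10)},
                                    {"sender": "sender_account", "time": datetime(2013, 2, 21, 1, 14)}]},
                      fh, fmt=plistlib.FMT_BINARY)
    with open(os.path.join(docs, "user.plist"), "wb") as fh:
        # 8:14 PM EST on 2/20/13 is 2013-02-21 01:14 UTC; stored here as Unix seconds
        plistlib.dump({"lastUpdated": 1361409240}, fh)
    return container


def demo():
    """Build the constructed dump in a temporary directory and analyse it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_dump(tmp)
        return analyze(tmp)
```

Running `demo()` returns one container whose `Documents/user.plist` row `/lastUpdated` comes back as 2013-02-21 01:14 UTC, which is 8:14 PM Eastern on 2/20/13, the same value the post matched against its spreadsheet.  On a real dump, point `analyze()` at the extraction root instead; the key-name heuristic only decides which integers get converted, so any timestamp stored under an unusual key will show up as a raw number and should be converted by hand with `as_utc`.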

My next plan is to look more into how to analyze plists.  I also am going to use the UFED Cellebrite to see if I get any different results than I got with the Oxygen Forensic Suite.

Monday, January 21, 2013

Project Introduction

Snapchat is a mobile phone application that is now the latest trend.  I am an avid user of the app myself.  The app allows users to send pictures and videos to those on their friends list.  The sender selects how long, between one and ten seconds, the receiver can view the photo or video before it disappears.

This app is now causing controversy because many people are using it for sexting, or sending other inappropriate images.

So, everyone who has the app is wondering what exactly happens to this photo or video after it disappears.  Snapchat claims that the data is not stored on its servers, so how can it ever be recovered?  That is where my capstone project comes in.

The goal of my capstone is to see if it is possible to forensically recover the image or video sent through the Snapchat app.  The field of digital forensics is moving quickly from computers to mobile devices such as cell phones and tablets.  So, if this project and research are a success, it could benefit law enforcement doing mobile forensics on devices where the Snapchat app is installed.

Here is my plan of what devices and tools I will be using to complete my capstone:

Devices
  • iPad - iOS 6.0.1
  • iPhone 5 - iOS 6.1
  • AT&T Avail - Gingerbread Android Version 2.3.4
Forensic Tools
  • Cellebrite
  • XRY
  • Oxygen Forensic Suite
  • Volatility or other memory analysis tools

The first phase of this project is going to involve researching methods to recover data from mobile devices. 

Please follow my blog to see the progress I make on this project over the next few months!

Thursday, January 17, 2013

Hello World

Hello! My name is Christine Casey.  I am a senior studying Computer and Digital Forensics at Champlain College in Burlington, VT.  This blog is going to explain my research and progress for my senior Capstone project over the next few months.  Please follow my blog to see my progress throughout this project!