Thursday, February 21, 2013

iPhone 4S Analysis with UFED Cellebrite and XRY

Today I completed a file system analysis of the iPhone 4S with the UFED Cellebrite.  I wanted to do a physical extraction of the iPhone 4S, but Cellebrite cannot do a physical extraction for the iPhone 4S.

When I analyzed the file system extraction with the Physical Analyzer software by UFED I got the same results as the Oxygen Forensic Suite.  I was not surprised by this.  Here is what the file system looked like for the Snapchat app.

The Snapchat app contained a Documents folder and a Library folder.  In the Documents folder was a plist file called user.plist.  In the Library folder there was a Preferences folder that contained a plist file called com.toyopagroup.picaboo.plist.  These two plist files were the same plist files found by the Oxygen Forensic Suite.

I also wanted to try the mobile forensics tool XRY.  I used the XRY Complete, but unfortunately it could not do a physical extraction of the iPhone 4S. So, I did a logical extraction of the phone.

In the Documents section of the extraction I was able to locate the two plists that were found with the Oxygen Forensic Suite and the UFED Cellebrite.

The next step I will take in this project is to jailbreak the iPhone 4S so I can then create a physical dd image of the phone, and also take a memory dump.

Wednesday, February 20, 2013

iPhone 4S Analysis with Oxygen Forensic Suite

So, I decided to begin my project with the iPhone.  My Professor gave me his old iPhone 4S that he wiped, so I did not have to use my own personal iPhone 5 for this project.

The first thing I did with the iPhone was update the OS version to 6.1.2.  I then installed the Snapchat app, and created a user account.  I sent ten snapchats to the iPhone 4S from my iPhone 5.  One of the snapchats was a video.  Two of the picture snapchats were left unopened.  I created a spreadsheet of every single snapchat that I sent, which included what the snapchat was, what time it was received, and to which user it was sent, because I will be doing this with numerous devices.

I then created a backup of the iPhone 4S in iTunes because I plan on jailbreaking the phone in one of my next steps to get a physical image of the phone and for a memory dump.

The first tool I decided to use was the Oxygen Forensic Suite.  You can get a trial version for six months.  The Oxygen Forensic Suite is capable of doing a file system dump of iOS.

I completed the file system dump of the iPhone 4S, and started looking for snapchats.  I found no snapchats that I had sent to this device.

I had already done my research of where to find a downloaded application's data in the file system.  Cell phone applications that are downloaded are stored in /mobile/applications/. Each application also contains a Library, Documents, and a tmp folder.

Here is what the file system looked like for the Snapchat app in the Oxygen Forensic Suite.  The Oxygen Forensic Suite did not contain a tmp folder in the file system.

Inside the Library folder there was a Preferences folder that contained a plist file.  The plist file was called com.toyopagroup.picaboo.plist.

I used the Oxygen Forensic Plist Viewer to view the contents of the plist file.  I have never had experience with plist files, so I need to do more research into how to view them.  From what I can see so far, this plist file contained the user name of each sender of each snapchat received, the time the snapchat was received, the snapchat username of the current user, and the e-mail used to set up the snapchat account.

Inside the Documents folder there was another plist file.  This plist file was called user.plist.

Still using the Oxygen Forensic Plist Viewer, I viewed the contents of this plist file.  This plist file contained one thing, which was the last updated time of the app.

The last updated time of this app is 8:14 PM on 2/20/13.  I went back to my spreadsheet of snapchats I sent, and that was the last time I had sent one.
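As an added example (not from this post or from any of the forensic tools named in it), here is how the two plists could be triaged with Python's standard plistlib once they have been copied out of the extraction. The sample plist contents below are constructed placeholders modelled on what the post describes, not the app's real schema.

```python
"""Triage the plists in an iOS app container (Documents/user.plist and
Library/Preferences/<bundle id>.plist).  plistlib reads both XML and
binary plists.  All sample data here is constructed, not real app output."""
import datetime as dt
import plistlib
from typing import Any, Dict, Iterator, List, Tuple

# Constructed stand-ins for the two files named in the post; key names are
# placeholders chosen to mirror the fields the viewer showed, not the real ones.
SAMPLE_PREFS = plistlib.dumps({
    "username": "examiner_account",
    "email": "examiner@example.invalid",
    "received": [
        {"sender": "sender_one", "timestamp": dt.datetime(2013, 2, 20, 19, 55, 0)},
        {"sender": "sender_two", "timestamp": dt.datetime(2013, 2, 20, 20, 14, 0)},
    ],
}, fmt=plistlib.FMT_BINARY)

SAMPLE_USER = plistlib.dumps(
    {"lastUpdated": dt.datetime(2013, 2, 20, 20, 14, 0)}, fmt=plistlib.FMT_XML)


def plist_format(data: bytes) -> str:
    """Binary plists start with the magic bytes 'bplist'; otherwise assume XML."""
    return "binary" if data.startswith(b"bplist") else "xml"


def flatten(obj: Any, prefix: str = "") -> Iterator[Tuple[str, Any]]:
    """Yield (dotted.path, leaf) pairs so nested dicts and arrays become flat rows."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from flatten(val, f"{prefix}.{key}" if prefix else str(key))
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            yield from flatten(val, f"{prefix}[{i}]")
    else:
        yield prefix, obj


def load_rows(data: bytes) -> Dict[str, Any]:
    """plistlib.loads() autodetects XML vs binary, so one code path serves both files."""
    return dict(flatten(plistlib.loads(data)))


def timestamps(data: bytes) -> List[Tuple[str, str]]:
    """Every <date> value as ISO-8601.  plist dates are stored in UTC, so convert
    to the device's local time deliberately before comparing with your own notes."""
    return sorted((path, val.isoformat()) for path, val in load_rows(data).items()
                  if isinstance(val, dt.datetime))


if __name__ == "__main__":
    for name, blob in (("com.toyopagroup.picaboo.plist", SAMPLE_PREFS), ("user.plist", SAMPLE_USER)):
        print(f"{name} ({plist_format(blob)})")
        for path, val in load_rows(blob).items():
            print(f"  {path} = {val!r}")
```

Point `load_rows` at the bytes of a real file from the extraction to list every key in one pass, and use `timestamps` to pull out the date values that need correlating against a sending log like the spreadsheet described above.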

My next plan is to look more into how to analyze plists.  I also am going to use the UFED Cellebrite to see if I get any different results than I got with the Oxygen Forensic Suite.