mac&ios hungary11216

7/25/2019 Mac&IOS Hungary11216

1/91

Mac & iOS Forensics and AnalysisBest practices for data collectionLocations of suspect data

Event:

Location:

Digital Forensics KFT Workshop

Budapest, Hungary


2/91

PAGE:

Mac & iOS Forensics and Analysis

BlackBag Technologies, Inc. 2015 Proprietary Information

Copyright

2

This material is subject to copyright, is owned by BlackBag

Technologies, and is proprietary. It is being provided to the recipient

under license.By the recipient's receipt of this material, recipient

acknowledges and agrees that recipient has been granted a limited

and revocable right and license to use theinformation contained

herein solely for general educational purposes. Recipient may not use

these materials for any other purpose (including in connectionwith itsbusiness operations) and may not disclose these materials or its

content, whether in written form or verbally, to any third party.


3/91

PAGE:



Locks and Encryption

Who are we?

BlackBags mission is to nd the truth in data

BlackBag Technologies is a leading provider of digital forensics

software, training, and services. Our team is solely focused on

developing innovative and accessible solutions for the complex

challenges presented by an increasingly vast digital crime scene.

As the sea of data expands, we stand by our pledge to be an ally

in pursuit of nding truth within it.

Carpe Datum!

3


4/91

PAGE:




BlackBag Technologies Update

Mobilyze

Mobile acquisition and triage

MacQuisition Imaging and incident response

BlackLight

Forensics on OS X and WindowsSoftBlock

Kernel-level write-blocking ofphysical devices

4


5/91

PAGE:



Stuart HUTCHINSON

5

23 Years of Policing - Scotland Yard, London

Special Branch Counter Terrorism Command

Part-Time Instructor BlackBag Four Years

Responsible for all International Operations

Based in the UK


6/91

BlackBag Technologies, Inc. 2015 Proprietary InformationPAGE:

OS X Device Forensics

MacQuisition Demo

6


7/91 BlackBag Technologies, Inc. 2015 Proprietary InformationPAGE:

iOS Device Forensics

BlackLight OverviewOverview

Adding iOS Devices/Backups

7


8/91PAGE:



BlackLight Overview

BlackLight Overview

Features

Runs on OS X 10.7.0 and later

Runs on Windows 7 and later Same look and feel on each OS

Except for any native OS functions

Analyzes OS X 10.0-10.8 and iOS 1.0-7.x Analyzes Windows - NTFS/FAT

8


9/91PAGE:



BlackLight Overview

BlackLight Features

Features

MD5, SHA1, and SHA256 hashing of les and content

Support for image le formats Raw (dd), DMG, sparse images/bundles

E01 and L01, SMART, vmdk

iOS physical images from most popular sources Direct read of iOS devices and backup les

9


10/91PAGE:



BlackLight Overview

Using BlackLight

The BlackLight Application Window

1. Command Bar

2. Component List

3. Content Pane

4. File Information Pane

5. File Content Viewer

6. Status Bar

10


11/91PAGE:




Adding an iOS Device or Backup

11

Select [Add Encrypted

iOS Disk Image]or

[Add iOS Backup]

Select [Add Disk Image]

or [Add USB Attached

Apple iOS Device]

Select Add


12/91PAGE:



BlackLight Overview

iOS Import/Processing Options

12

Select iOS Device

More Processing Options


13/91PAGE:



Encrypted Backups

Encrypted Backups

In BlackLight

Connect an iOS device

Provide the passcode to decrypt the backup

13


14/91PAGE:



BlackLight Overview

Adding A Backup From A Computer Case

BlackLight identies iOS Backups

14


15/91 BlackBag Technologies, Inc. 2015 Proprietary InformationPAGE:


Starting a CaseStart a Case in BlackLight

Examining an iOS Backup

15


16/91

PAGE:



BlackLight Overview

Start a New Case

16


17/91

PAGE:



BlackLight Overview

Adding an iOS Backup

Select [Add iOS Backup]

17


18/91

PAGE:



BlackLight Overview

Select the iOS Backup Folder

18


19/91

PAGE:



BlackLight Overview

Processing Completed

iOS Device Details

19


20/91



AcquisitionSecuring a Device

iOS 8 Implications

Acquisition Options

Power Loss - Dates and Times

Mobilyze

20


21/91

PAGE:



Acquisitions

Where to nd data?

User can change from local to iCloud anytime

Local computers (Mac or PC)

iOS Backups and iCloud sync data

iCloud

Backups and iCloud sync data

Friends and work computers

Excellent source of pairing certicates

21


22/91

PAGE:



Acquisitions

New Techniques

Data collection must always be re-evaluated

Review and revise existing techniques

Re-verify processes and technologies Identify areas of concern

Locate new sources of relevant data

Utilize the latest tools for most complete results

22


23/91

PAGE:



Acquisitions

Securing an iOS Device

Protect the iOS device IMMEDIATELY

Ensure the device stays powered on

Place the device into Airplane Mode Remove the SIM card from the device

Secure the device in a Faraday bag or cage

23

Cellular Wi-Fi BluetoothGPS


24/91

PAGE:



Acquisitions

Control Center

Available by default on lock screen

24

Swipe up

from bottom

of device screen

Airplane Mode

(Tap to enable)


25/91

PAGE:



Acquisitions

Data Acquisition

iOS 8 makes signicant changes to data acquisition

iTunes Backup

Voicemail, voice memos, call history, SMS and iMessages,photos and videos

Apple File Conduit (AFC)

Music, pictures, videos, and third party app data

File Relay - DISABLED

Granular access to le system details

Ability to reach data points not available to AFC or iTunes

25


26/91

PAGE:



Acquisitions

After Power-on

When a PIN code (passphrase) is enabled:

Device enters Protect Until First User Authentication

No communication with device possible until

PIN code (passphrase) is entered once

This can be seen with your own device and iTunes

Restart your own iPhone

Connect to iTunes

Message displayed by iTunes stating device is locked

26


27/91

PAGE:



Acquisitions

Best Times to Seize a Device

When should you seize an iOS device?

UNLOCKED, available for use

Locked PIN code available

Locked, with pairing certicate, device has not

restarted Locked, no PIN, no pairing certicate = NO DATA

27


28/91

PAGE:




iOS 8 Protection

Requirement for Passcode

Device has restarted

Loss of power Shutdown

Requires passcode

Despite pairing certi

cate on computer More than 48 hours without a successful logon

28


29/91



Acquisition OptionsLogical Image

Physical Image

Power and Effects on Dates

29

M & iOS F i d A l i


30/91

PAGE:



Acquisition Options

Logical Image

BlackLight creates a logical image

Provides more information than iTunes backup

Call logs, messages, contacts, voicemail, voicememos, and calendar

Safari web artifacts

All pictures and videos Map information, memos, Wi-Fi networks

Third party applications full

30

M & iOS F i d A l i


31/91

PAGE:



Acquisition Options

Physical (Full Disk) Images

Data contained in a full image

The same items in the BlackLight backup, plus...

Email Log files

Deleted les in unallocated space (encrypted in iOS

4+) Google Map tiles (MapTiles.sqlitedb)

System and data partitions

31



32/91

PAGE:



Acquisition Options

iOS Imaging Solutions

Elcomsoft - http://www.elcomsoft.com

MPE+ - http://www.accessdata.com

iPhone-Dataprotection - http://code.google.com/p/iphone-dataprotection

Cellebrite - http://www.cellebrite.com

XRY - http://www.msab.com

iXam - http://www.ixam-forensics.com

Z Method - http://www.iosresearch.org

32

http://www.iphoneinsecurity.com/http://www.ixam-forensics.com/http://www.ixam-forensics.com/http://www.ixam-forensics.com/http://www.accessdata.com/http://www.accessdata.com/http://www.elcomsoft.com/


33/91

PAGE:



Acquisition Options

Acquire a Phone Using BlackLight

33



34/91

PAGE:



Power and Effect on Dates

Summary

Todays rules of acquisition

Keep device offnetwork, charged, and powered on

Obtain pairing certicate or PIN code (passphrase)

Always try for iCloud data

Look for other computers that may be involved

Apple cannot access iOS 8-based devices Apple can still help with iOS 7 and earlier devices

34



35/91

PAGE:



Mobilyze

Mobilyze

Easy to use Fast and accurate

Forensically sound Able to quickly gather actionable intelligence No forensic training or experience necessary

Data viewable almost immediately Customizable reporting on all or selected items

35



36/91

PAGE:



Mobilyze

Mobilyze Overview

Types of devices recognized

How Mobilyze works

Who can use Mobilyze What data is collected

Triage vs. full analysis

36



37/91

PAGE:



Mobilyze

Case Manager (No Prior Case/Device)

37

Initial window

displayed upon

launching Mobilyze



38/91

PAGE:

y


Mobilyze

Case Manager (Device Trusted)

38



39/91

PAGE:

y


Mobilyze

Android Information

Case Manager Window

Must have PIN code

USB Debugging mode turned on Connect phone

Phone displays - Allow USB Debugging?

RSA key ngerprint shown

Click OK

Available device shown

39



40/91

PAGE:

y


Mobilyze

Device is connected but unpaired, unable to acquire

Trust to pair the device

Case Manager (Device Locked/Unpaired)

40



41/91

PAGE: BlackBag Technologies, Inc. 2015 Proprietary Information

Mobilyze

Collection Options

41

Limited Full - All available items



42/91


Mobilyze

Collection Options

Limited Collection with nothing selected

42



43/91


Mobilyze

Android Information

Case Manager Window

Limited Collection button MAY have third party applications available

Some are set for needing root access May be able to set the order of collection

Based on OS-allowed behavior

43



44/91


Mobilyze

Android Information

Collection process

BlackBag trusted agent written to the device Removed after nished or Stop Import implemented

Do not touch the device until instructed Can be disconnected and retain data for review

Android data

Voicemail and voice memos not likely available Internet - open pages

No pictures to correlate with the URL

44



45/91


Mobilyze

Data Collection Started

45

Data metrics populate

shortly after starting as

data is collected



46/91


Mobilyze

Data Collection - iOS 8

Devices running iOS 8.x are handled differently

Some connection methods now blocked by Apple

Complete processing for each data type may be

necessary before its viewing is possible

46



47/91


Mobilyze

Data Collection Completed

47

Mobilyze announces when the data collectionprocess has completed and the device can be

safely disconnected

Processing of the collected data will continue



48/91


Mobilyze

Device View

Details and collectionsummary

Top 10 Contacts

Accounts

Filtering

Navigate to data

Mobilyze User Interface

48



49/91


Mobilyze

Filtering

Allows user to concentrate on items of interest

Filter by keyword

and/or

date range

49



50/91


Mobilyze

Filtering

Keywords and phrases can also be used to further lter

the results

50



51/91


Mobilyze

Communications

Comm view consolidates all the communicationsdata into one area

51

Call History Messages Contacts

Voicemail Voice Memos



52/91


Mobilyze

Phone Calls

Consolidated Call History

52



53/91


Mobilyze

Tagging

Tags are used to mark data of interest

Tag a le using:

1. Action!Tag Selected Rows

2. Right-click!Tag Selected Rows

3. Hotkey! CMD/CTRL + T

53



54/91


Mobilyze

Tag Icon

Once tagged the tag icon appears alongside the

item

To view a list of all tags in a case go to the Report

view where a summary is displayed

54



55/91


Mobilyze

Search / Find

Find - Mobilyzes search function

Mac: CMD + F Windows: CTRL + F

55



56/91


Mobilyze

Search / Find

56



57/91


Mobilyze

Messages

SMS

MMS

FaceTime

Skype

WhatsApp

Kik

textPlus

Textfree

57



58/91


Mobilyze

Messages

58

Conversation View



59/91


Mobilyze

Messages

59

List View


bil


60/91


Mobilyze

Contacts

Body Level One

Body Level Two

Body Level Three

Body Level Four

Body Level Five

60


M bil


61/91


Mobilyze

Contacts - Avatars

61


M bil


62/91


Mobilyze

Voicemail and Voice Memos

Voicemail and Voice Memos can be listened to within

Mobilyze

62


Mobilyze


63/91


Mobilyze

Media - Pictures

63

GPS indicator


Mobilyze


64/91


Mobilyze

Media - Videos

Play videos within Mobilyze

Body Level Two

Body Level Three

Body Level Four

Body Level Five

64


Mobilyze


65/91


Mobilyze

Locations - Wi-Fi

Dates

Remembered network ID's

Sorting each column

Find and filter functionality

65


Mobilyze


66/91


Mobilyze

Locations - Geo Tags

The following items are displayed in the Geo Tags

subview:

Pictures with GPS

Videos with GPS

Third party app data with GPS

Facebook

Foursquare, etc.

66

Latitude, Longitude, Altitude, Dates are sortable


67/91


Mobilyze


68/91


Mobilyze

Applications

68


Mobilyze


69/91


y

Internet

Collected information

Bookmarks

History

iOS - Safari browser

Android - other browsers

69


Mobilyze


70/91


y

Internet Filter and Find

Looking for terms of interest

70


Mobilyze


71/91


y

Internet Tagging and Export

Tagging

Highlight

[Action]![Tag

Selected Rows]

Export as CSV or tab delimited

Great intelligence info

71


Mobilyze


72/91


Internet - Open Pages

iOS

Browser history where tab wasnot closed

MAY have a picture saved onthe device, showing what was

viewable by the user

Android

Data only, no pictures

72


Mobilyze


73/91


Reporting

Mobilyze Report Preferences

Preferences icon

[Mobilyze]![Preferences]

Agency icon, name, address

73


Mobilyze


74/91


Reporting

Creating a report

Case information

No need to complete until ready to output the report

Report on:

Tagged Items

All Items

Clear Selected Tagsbutton

Can continue tagging and return to this window

74


Mobilyze


75/91


Generating a Report

Generate Report

Select Generate Report

Report le types

HTML

HTML and PDF

HTML opens automatically in users default browser

75


Mobilyze


76/91


Report Location

Macintosh

Users Desktop

Windows

Users Documentsfolder

Folder named Mobilyze_Report

Contains index.html Contains report.pdfle

76



77/91


Advanced

Analysis

77

Determine the User


Advanced Analysis


78/91


Determine the User

How do we determine who the user is?

Accounts

Social Networking

Email

iCloud

Computer(s) synced

Personal Information

Personalization

78


Advanced Analysis


79/91


Accounts

Places to look for user information

mobile/Library/Preferences

com.apple.imservice.iMessage.plist

com.apple.imservice.FaceTime.plist

Shows iCloud Account

Any approved phone number

Any approved email address

79


Advanced Analysis


80/91


Other Relevant Name Locations

Listing of les that contain user information:

mobile/Library/Preferences/com.apple.conference.plist

shows AppleID of user

mobile/Library/Preferences/

com.apple.ids.service.com.apple.private.ac.plist

shows vetted accounts

/mobile/Library/Preferences/com.apple.ids.service.com.apple.private.alloy.phonecontinuity.plist

shows IDs associated with phone for Handoff

80


Advanced Analysis


81/91


Hands-on Practical

Using the image le provided

Examine the com.apple.ids* .plist le(s)

Determine email accounts used on this device

Are there any other authorized accounts used on this

device?

Be prepared to discuss your ndings

81


Advanced Analysis


82/91


Personalization

Name of Device

/preferences/SystemConguration/com.apple.mobilegstalt.plist

82


Advanced Analysis


83/91


Is the Computer Synced to a Computer?

iTunesprefs

83


Advanced Analysis


84/91


Personalization

Icon State

/mobile/Library/SpringBoard/IconState.plist

Icon Lists

Shows app icons and folders

Button Bar

Shows icons that are in the bottom dock

84


85/91


Advanced Analysis


86/91


Has the Device Been Restored

Restored from a backup?

/root/Library/Preferences/com.apple.MobileBackup.plist

86


Advanced Analysis


87/91


SIM Card Swapping

Has the device changed numbers?

/wireless/Library/Databases/CellularUseage.db

87


Advanced Analysis


88/91


Frequent Locations

No longer available with iOS 8

88


89/91



90/91


Staying Connected

In Person:

San Jose, CA (HQ) and Herndon, VA

Remote offices in Texas, SoCal, New York and UK

Online:

90

www.twitter.com/BlackBagTech

www.linkedin.com/company/blackbagtech

www.BlackBagTech.com



91/91

C A R P E D A T U M

Questions?