Here - SecurityLearn

Part 1:
The video covers a detailed analysis of iOS backups, which helps during iPhone forensics. It focuses on iTunes backups and explains the technical procedure for extracting data from the backup files. Forensic techniques on iTunes backups are useful in cases where we get physical access to the suspect's computer instead of the iPhone.
With iOS 5, iPhone data can be backed up to a computer with iTunes or to cloud storage with iCloud. The video provides a deep analysis of iTunes backups.
For the video I am using a Mac OS X VM running on a Windows 7 host. Demos are captured on iTunes 10.6.
Connect the iPhone to the Mac VM using a USB cable and open iTunes. It will display the connected iPhone in the left pane.
When the iPhone is synced with iTunes, iTunes copies the iPhone contents to a folder under the user's Library directory (/Users/user/Library/). The Library directory is hidden and cannot be opened by double-clicking on it. To open it, press ctrl+shift+g (Finder's Go to Folder), type the Application Support path (/Users/user/Library/Application Support/) and press Enter. This takes you inside the Library folder; from there navigate to the MobileSync folder and open the Backup folder. The folder is currently empty because we haven't performed a backup yet.
To initiate a backup from iTunes, right-click on the device and select Back Up. iTunes displays the backup status at the top of the toolbar. Backup time depends on the amount of information stored on the device; 16 GB of data takes at least 10 minutes to back up.
Once the backup is complete, iTunes creates a folder in the Backup directory named after the device's Unique Device Identifier (UDID). An iTunes backup makes a copy of everything on the device: contacts, photos, configuration files, the keychain, cookies, application data, and so on. It also backs up device details such as the serial number, the SIM number and the phone number.
The backup folder contains files in an unreadable format: uniquely named files whose names are 40-character hexadecimal values without any file extension.
The whole backup is described by 4 metadata files. We will look inside each of them.
Status.plist is a property list file that contains details about the backup, including the backup state and a flag identifying a full backup (IsFullBackup). On the initial sync of an iPhone, iTunes performs a full backup; from then on it backs up only the files that were modified on the device.
Info.plist is a property list file that contains device details such as the device name, build version, IMEI, phone number, last backup date, product version, product type, serial number, sync settings and a list of the application names that were installed on the device.
Manifest.plist is a property list file that contains the Backup Keybag, which stores the (wrapped) protection class keys used to encrypt the backup, a flag identifying passcode-protected devices (WasPasscodeSet), a flag identifying an encrypted backup (IsEncrypted), and application bundle details.
Manifest.mbdb is a binary file that contains information about all the other files in the backup: their domain and path, file sizes, permissions, ownership and timestamps, i.e. the file system structure. The binary file can be viewed using a hex editor; for a better look and feel I have opened the same mbdb file in a hex editor on the Windows machine.
The first 6 bytes of the file (the string mbdb followed by 0x05 0x00) act as a magic number that identifies an mbdb file. The rest of the file contains one record per backed-up file. For example, search for the word keychain to find the record of the backed-up keychain. In an iTunes backup, the iPhone keychain database is stored as a property list file under the KeychainDomain domain. On the iPhone, the domain name is decided by the location of the file (system files fall under HomeDomain, the keychain under KeychainDomain, third-party application data under AppDomain-<bundle identifier>).
The 40-digit hex file name in the backup folder is the SHA-1 hash of the file's domain name, a hyphen, and the file path relative to that domain.
I am using an online hash calculator to show how iTunes creates the file names.
For example, to locate the iPhone keychain among the backup files, compute the SHA-1 hash of KeychainDomain-keychain-backup.plist. Here KeychainDomain is the domain name and keychain-backup.plist is the file name. The SHA-1 hash of KeychainDomain-keychain-backup.plist is computed as 51a46...
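The mbdb record layout and the domain-path to file-name rule described in the last two sections, as an added example that is not code from the video or from the iphone-dataprotection toolkit. It parses the iTunes 9.2 to 10.x Manifest.mbdb format (6-byte magic, then variable-length records) and maps each record to the 40-hex name it has in the backup folder. The mbdb blob it runs on is constructed in the script so it works offline; only the record layout and the naming rule are the real ones. Skype's bundle identifier and preferences path in the sample are assumptions.

```python
import hashlib
import struct

MBDB_MAGIC = b"mbdb\x05\x00"   # the 6-byte header at the start of Manifest.mbdb
RECORD_FIXED = ">HQIIIIIQBB"    # mode, inode, uid, gid, mtime, atime, ctime, length, flag, nprops


def backup_filename(domain: str, relative_path: str) -> str:
    """iTunes stores <Domain>/<relative path> under sha1('<Domain>-<relative path>')."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode("utf-8")).hexdigest()


def _read_string(data: bytes, off: int):
    """mbdb string: 2-byte big-endian length; 0xFFFF means 'absent' (e.g. no link target)."""
    (length,) = struct.unpack_from(">H", data, off)
    off += 2
    if length == 0xFFFF:
        return None, off
    return data[off:off + length], off + length


def parse_mbdb(data: bytes) -> list:
    """One dict per backed-up file, directory or symlink, in file order."""
    if not data.startswith(MBDB_MAGIC):
        raise ValueError("not a Manifest.mbdb (bad magic)")
    off, records = len(MBDB_MAGIC), []
    while off < len(data):
        rec = {}
        rec["domain"], off = _read_string(data, off)
        rec["path"], off = _read_string(data, off)
        rec["link_target"], off = _read_string(data, off)
        rec["data_hash"], off = _read_string(data, off)
        # Empty in a plain backup; in an encrypted backup this field holds the
        # protection class (4 bytes) followed by the wrapped per-file key.
        rec["encryption_key"], off = _read_string(data, off)
        fields = struct.unpack_from(RECORD_FIXED, data, off)
        off += struct.calcsize(RECORD_FIXED)
        (rec["mode"], rec["inode"], rec["uid"], rec["gid"], rec["mtime"],
         rec["atime"], rec["ctime"], rec["length"], rec["flag"], nprops) = fields
        rec["properties"] = {}
        for _ in range(nprops):
            name, off = _read_string(data, off)
            value, off = _read_string(data, off)
            rec["properties"][name.decode("utf-8")] = value
        domain = rec["domain"].decode("utf-8")
        path = rec["path"].decode("utf-8")
        rec["backup_name"] = backup_filename(domain, path)   # the 40-hex name in the folder
        records.append(rec)
    return records


def index_by_name(records: list) -> dict:
    """Map a 40-hex backup file name back to (domain, relative path)."""
    return {r["backup_name"]: (r["domain"].decode("utf-8"), r["path"].decode("utf-8"))
            for r in records}


# ---- constructed sample mbdb: real layout, made-up inode, uid and timestamps ----
def _string(value) -> bytes:
    return b"\xff\xff" if value is None else struct.pack(">H", len(value)) + value


def _record(domain: bytes, path: bytes, mode: int, length: int) -> bytes:
    return (_string(domain) + _string(path) + _string(None) + _string(None) + _string(b"")
            + struct.pack(RECORD_FIXED, mode, 12345, 501, 501,
                          1330000000, 1330000000, 1330000000, length, 4, 0))


SAMPLE_MBDB = (
    MBDB_MAGIC
    + _record(b"KeychainDomain", b"keychain-backup.plist", 0o100644, 4096)
    # Skype bundle identifier and preferences path are assumed for this sample.
    + _record(b"AppDomain-com.skype.skype", b"Library/Preferences/com.skype.skype.plist",
              0o100644, 512)
)

if __name__ == "__main__":
    for r in parse_mbdb(SAMPLE_MBDB):
        print(f"{r['backup_name']}  {r['domain'].decode()}-{r['path'].decode()}  {r['length']} bytes")
```

Running it on a real Manifest.mbdb (`parse_mbdb(open(path, "rb").read())`) gives you the complete name-to-path table in one pass, instead of hashing one guessed path at a time as the online calculator does; the inverse table from index_by_name is what a backup extractor uses to restore the original file tree.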
Now search the backup folder for that hash value; the matching file contains the keychain data. To find out what type of file it is, open it with a hex editor: the first few bytes (bplist00 for a binary plist, <?xml for an XML plist) indicate that it is a plist file. To view the contents, add a .plist extension to the file; it can then be opened with a plist editor. You will notice that the plist shows the keychain table names, such as genp (generic passwords) and inet (Internet passwords), and a number of keychain items, but the keychain items are encrypted, so we cannot see the actual values inside the keychain. During backup, the keychain items are protected with a key computed from the iPhone hardware key. In the next part of the video we will see how to decrypt the keychain contents.
We will see another example of how a backup file name is calculated, this time for a third-party application like Skype. On the iPhone, data stored by third-party applications falls under the AppDomain domain (AppDomain-<bundle identifier>). To find the Skype property list file in the backup, prepend the AppDomain name to the Skype property list file path and compute the SHA-1 hash. The SHA-1 hash for the Skype plist is bc0e... Now search the backup folder for that hash value. Once the file is identified, drag it to a hex editor to find out the file type; the first few bytes indicate that it is a property list file. To view the contents, add a .plist extension and open the file with a plist editor (Xcode comes with a plist editor). The Skype property list file displays its actual content because it is not encrypted. This shows that not all files in the backup are encrypted.
Instead of computing the hash values and reading each file ourselves, we can use free tools like iPhone Backup Extractor to read the backups. Before reading the backup, remove the .plist extension we added to the keychain and Skype files in the backup folder. The Read Backups button in Backup Extractor lists all the available backups in the backup folder. Choose a backup; the tool reads the Info.plist meta file and lists all the application identifiers. To extract application files from the backup, select the values from the list. Here I am going to extract only the iOS files. Once you select the values, the tool prompts you to choose a folder for the extracted files. Specify the extraction path; the tool parses the information stored in the mbdb file, recreates the original file names and directory structure, and stores the files in the supplied directory.
The extracted backup contains several plist files, the keychain, photos and SQLite database files. Plist files can be opened with a plist editor. SQLite database files in the extracted backup can be viewed with a sqlite client. To view the calendar SQLite database, open Terminal and pass the calendar database path to the sqlite3 command. The .tables command lists the tables. As the file is not encrypted, you can view the values stored in the tables with a SELECT statement. Most of the property list files and SQLite database files stored in the backup are not encrypted.
Now we will take a look at keychain-backup.plist. Opening the plist file displays the table structure, but the keychain items are shown encrypted.
Jean Sigwald, a researcher at Sogeti ESEC Lab, has released an open-source forensic toolkit that can be used to decrypt the backup keychain file. You can find the research in the Google Code project named iphone-dataprotection. The toolkit is written in Python and requires a few Python modules: download and install the pycrypto, M2Crypto, construct and progressbar modules by following the README file. It takes a couple of minutes to install the modules.
Download the Mercurial software to check out the source code from the Google Code repository. I am going to cancel the download because I have already installed it. Now you can check out the source code using the hg command. After running this command, it creates a new directory called iphone-dataprotection in the current directory. You can notice that it has downloaded around 121 files. Navigate to the iphone-dataprotection folder; it lists all the downloaded files. Most of them are Python scripts and shell scripts.
We are going to use the backup_tool.py script, which does the same job as iPhone Backup Extractor: python backup_tool.py <backup folder> [output folder]. The script reads the backup and stores the extracted files in the output directory; if no output path is given, it creates a new folder in the iTunes backup folder. I did not mention an output path here, so it created a <UDID>_extract folder in the iTunes backup directory. You can notice that the script has extracted all the files from the backup, but the keychain backup file is still encrypted. The keychain items are encrypted with the keychain data protection class keys, and those class keys are stored, wrapped, in the backup keybag. In an unencrypted backup the keybag is protected by an encryption key computed on the iPhone hardware, so in order to grab the protection class keys we first have to obtain key 0x835, which is derived from the iPhone hardware key. The hardware key is not accessible to user-land processes; this restriction is bypassed by patching a kernel service.
Jean Sigwald wrote the code to patch the kernel and read the encryption keys from the device. I have compiled the code and prepared executables that can be used directly on the device. I have made them available for download on my 4shared account; links to the downloads are available on my blog.
To load the executables onto the device, jailbreak the iPhone and install OpenSSH from Cydia. Connect the iPhone and the workstation to the same Wi-Fi network. On OS X, run Cyberduck and connect to the iPhone using its IP address, root as the username and alpine as the password (the default root password of a jailbroken iPhone; change it after installing OpenSSH, or anyone on the same network can log in). Drag the downloaded kernel_patcher and device_infos executables into Cyberduck to copy them from the workstation to the iPhone. Now connect to the phone as root over SSH from Terminal and grant execute permission to the uploaded files with chmod.
Run kernel_patcher; it patches the IOAESAccelerator kernel service and gives access to the hardware key. The kernel_patcher executable works only on iOS 5 devices. Now run device_infos; it computes the encryption keys and stores them in a property list file. View the property list with the plutil command and note down the key 835 value. Key 0x835 is used to decrypt the backup keybag and extract the data protection class keys.
To decrypt the backup keychain file, run the keychain_tool.py script, supplying the keychain backup plist and the backup Manifest.plist. The script prompts for the key 835 value. Upon entering the right key, it decrypts the keychain items and displays the decrypted values on the screen. I am not showing the passwords here because it would reveal all my passwords. keychain_tool.py also comes with several other flags with which you can store the output in CSV files.
The way iTunes manages backups has changed with every major release; however, the method of converting path names to file names has remained the same.
On the iPhone, key 0x835 is computed by the IOAESAccelerator kernel service at iOS boot by encrypting a static value (sixteen 0x01 bytes) with the hardware encryption key (the UID key) fused into the iPhone's application processor, so it is unique to each device. iOS running on the iPhone cannot read the hardware key itself, but it uses the key to compute key 0x835 in kernel mode. The hardware key is not accessible to user-land processes.
Part 2:
This part of the video covers the complete analysis of encrypted iOS 5 backups.
Connect the iPhone to the Mac VM using a USB cable and open iTunes. In the iTunes Summary tab, check the Encrypt local backup option. iTunes immediately prompts the user for a password. iTunes does not impose any password rules here, so short passwords are accepted too, which makes them easy to guess. Encrypted backups are designed for data migration between different iOS devices: migration is achieved by encrypting the backup with the password supplied to iTunes instead of with the key generated on the iPhone hardware.
Once the backup process is complete, iTunes creates a folder in the Backup directory located in the MobileSync folder. Press ctrl+shift+g, type the Application Support path (/Users/user/Library/Application Support/) and press Enter. This takes you inside the Library folder; from there navigate to the MobileSync folder and open the Backup folder. The backup folder contains files in an unreadable format: uniquely named files with 40-character hex names and no file extension. Every file in an encrypted backup is encrypted with its own file key, and the file keys are in turn wrapped with the protection class keys stored in the backup keybag. Encrypted backups are managed by the same 4 meta files, and the meta files themselves are not encrypted. Manifest.plist contains a flag that indicates whether the backup is encrypted or not; in this case it shows the IsEncrypted flag as YES, which indicates that the backup is encrypted.
Now we will take a look at the files stored in the backup. For a better understanding I am going to view the Skype property list file in the backup. In order to locate the Skype plist in the backup, we first have to compute its SHA-1 value by prepending the AppDomain name to the Skype property list file path. Once the hash is computed, search the backup folder for that file. In the first part of the video we identified this file as a plist using a hex editor, so I am adding a .plist extension to the file to open it with a plist editor. Double-click on the file and you get a message that the file is corrupted. The file is not really corrupted, but encrypted, so the OS cannot read the file header and reports the file as corrupted.
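The hex-editor check used in both parts (reading the first bytes to tell a plist from something else, and recognising the "corrupted" file as an encrypted one), as an added example that is not code from the video. It labels a file by its leading bytes and, when no known header is present, uses the byte entropy of the content to separate "probably encrypted" from merely unknown. The 7.5 bits-per-byte cut-off is an assumption; the sample contents are constructed here.

```python
import math
import os

# Leading bytes of the file types found in an extracted iTunes backup.
MAGICS = [
    (b"bplist00", "binary property list"),
    (b"<?xml", "XML property list"),
    (b"SQLite format 3\x00", "SQLite 3 database"),
    (b"\xff\xd8\xff", "JPEG image"),
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"mbdb\x05\x00", "Manifest.mbdb"),
]
HIGH_ENTROPY = 7.5   # assumed cut-off in bits per byte; random/encrypted data scores close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant file, 8.0 when every byte value is equally likely."""
    if not data:
        return 0.0
    counts = [0] * 256
    for byte in data:
        counts[byte] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def identify(data: bytes) -> str:
    """Label a file from its header; with no known header, fall back on entropy.
    Short inputs are not judged by entropy, since a few hundred bytes are not enough."""
    for magic, label in MAGICS:
        if data.startswith(magic):
            return label
    if len(data) >= 256 and shannon_entropy(data) >= HIGH_ENTROPY:
        return "unknown, high entropy (probably encrypted)"
    return "unknown"


def scan_backup_folder(folder: str, sample_size: int = 4096) -> dict:
    """Classify every 40-hex-named file in a backup folder by its first sample_size bytes.
    The four meta files (Info.plist, Manifest.plist, Manifest.mbdb, Status.plist) are skipped."""
    result = {}
    for name in sorted(os.listdir(folder)):
        if len(name) != 40:
            continue
        with open(os.path.join(folder, name), "rb") as fh:
            result[name] = identify(fh.read(sample_size))
    return result


# Constructed sample contents standing in for files pulled out of a backup.
SAMPLES = {
    "plain plist": b"bplist00" + b"\x00" * 120,
    "sqlite db": b"SQLite format 3\x00" + b"\x00" * 240,
    "encrypted-looking": bytes(range(256)) * 4,   # every byte value equally often
    "zeros": b"\x00" * 512,
}

if __name__ == "__main__":
    for label, data in SAMPLES.items():
        print(f"{label:18} entropy={shannon_entropy(data):.2f}  -> {identify(data)}")
```

Running scan_backup_folder over the plain backup from part 1 labels nearly every file as a plist, a database or an image; over the encrypted backup of this part it labels them all as high-entropy unknowns, which is the quick way to confirm what the "file is corrupted" dialog is really telling you. Compressed formats also score high, so a header match is always preferred over the entropy guess.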
Tools like iPhone Backup Extractor can still be used to read encrypted backups, but they can only recover the file names, not the contents. Before reading the backup, remove the .plist extension we added to the Skype property list file.
The Read Backups button in Backup Extractor lists all the available backups in the backup folder. Choose a backup; the tool reads the unencrypted meta files and lists all the application identifiers. Here I am going to extract only the iOS files. Once you select the values, the tool prompts you to choose a folder for the extracted files. I am creating a new folder named enc-backupextract and extracting the encrypted backup into it. The tool parses the information stored in the mbdb file, recreates the original file names and directory structure, and stores the files in the supplied directory.
The extracted backup contains several plist files, the keychain, photos and SQLite database files. When we try to open a file, it displays the "file is corrupted" message because the file is encrypted. The keychain backup file is also encrypted.
Jean Sigwald has released an open-source forensic toolkit that can be used to decrypt encrypted iOS backup files. Watch the first part of the video to see how to download the toolkit.
We are going to use the backup_tool.py script, which is similar to iPhone Backup Extractor but also supports encrypted iTunes backups. The script reads the backup and stores the extracted files in the output directory; if no output path is given, it creates a new folder in the iTunes backup folder. The script prompts the user for the iTunes backup password. If the password is unknown, we can write a brute-force script and plug it in here; each guess costs a PBKDF2 derivation over the keybag salt, so short passwords fall quickly but long ones do not. Once the correct backup password is supplied, the script extracts and decrypts all the files in the encrypted backup and stores them in the output path.
I gave backupextract as the output directory. In Finder, navigate to the backupextract folder, located in the user directory; here you can see all the extracted files. Now if we click on a plist file, it opens in the plist editor.
The keychain file is also decrypted, but the keychain items are still encrypted with the data protection class keys. The keychain data protection class keys stored in the backup keybag are protected by the password used for backup encryption. In order to decrypt the keychain items we first have to read the data protection class keys; this can be done with the keychain_tool.py script. Run keychain_tool.py, supplying the keychain backup plist and the backup Manifest.plist. The script prompts for the key 835 value. Keychain data protection classes are divided into migratable classes and "this device only" classes. Key 0x835 is computed on the iPhone hardware and is required to decrypt the keychain items tied to the device through the "this device only" protection classes. Here I am going to decrypt only the migratable keychain items, so I am not supplying key 835. The backup keybag was already decrypted when the backup_tool.py script ran, so keychain_tool.py automatically reads the migratable protection class keys from the keybag and displays the decrypted keychain items on the screen. I am not showing the passwords here because it would reveal all my own passwords. keychain_tool.py also comes with several other flags with which you can store the output in CSV files.
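The structure behind the last few steps (the IsEncrypted flag, the Backup Keybag inside Manifest.plist, the password-derived key, and the split between migratable and "this device only" protection classes), as an added example that is not code from the video or from the iphone-dataprotection toolkit. It reads the flags and the BackupKeyBag blob from a Manifest.plist, walks the keybag's tag-length-value records, derives the PBKDF2 key from the backup password, and reports which class keys that key alone can open and which also need key 0x835. The Manifest.plist it runs on is constructed here with dummy key material; the TLV layout, tag names, WRAP bit meanings and the PBKDF2 parameters (HMAC-SHA1, ITER rounds over SALT, 32-byte key) are the real ones for iOS 4 and 5 backups.

```python
import hashlib
import plistlib
import struct

WRAP_DEVICE = 1    # class key is (also) wrapped with device key 0x835: "this device only"
WRAP_PASSCODE = 2  # class key is wrapped with the key derived from the backup password

KEYBAG_TYPES = {0: "system", 1: "backup", 2: "escrow", 3: "OTA"}
KEYCHAIN_CLASSES = {
    6: "kSecAttrAccessibleWhenUnlocked",
    7: "kSecAttrAccessibleAfterFirstUnlock",
    8: "kSecAttrAccessibleAlways",
    9: "kSecAttrAccessibleWhenUnlockedThisDeviceOnly",
    10: "kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly",
    11: "kSecAttrAccessibleAlwaysThisDeviceOnly",
}
CLASS_ENTRY_TAGS = {"CLAS", "WRAP", "KTYP", "WPKY", "PBKY"}


def iter_tlv(blob: bytes):
    """Keybag records: 4-char ASCII tag, 4-byte big-endian length, value."""
    off = 0
    while off + 8 <= len(blob):
        tag = blob[off:off + 4].decode("ascii")
        (length,) = struct.unpack_from(">I", blob, off + 4)
        yield tag, blob[off + 8:off + 8 + length]
        off += 8 + length


def parse_keybag(blob: bytes) -> dict:
    """Split a keybag into header attributes and class-key entries. The first UUID
    belongs to the keybag itself; every later UUID starts a new class-key entry."""
    header, class_keys, current = {}, [], None
    for tag, value in iter_tlv(blob):
        if len(value) == 4:          # VERS, TYPE, WRAP, ITER, CLAS, KTYP are uint32
            value = struct.unpack(">I", value)[0]
        if tag == "UUID":
            if "UUID" in header:
                current = {"UUID": value}
                class_keys.append(current)
            else:
                header["UUID"] = value
        elif tag in CLASS_ENTRY_TAGS and current is not None:
            current[tag] = value
        else:
            header[tag] = value
    return {"header": header, "class_keys": class_keys}


def inspect_manifest(manifest_plist: bytes) -> dict:
    """The two flags the video points at, plus the parsed BackupKeyBag."""
    manifest = plistlib.loads(manifest_plist)
    return {
        "IsEncrypted": bool(manifest.get("IsEncrypted", False)),
        "WasPasscodeSet": bool(manifest.get("WasPasscodeSet", False)),
        "keybag": parse_keybag(manifest["BackupKeyBag"]),
    }


def password_key(password: str, keybag: dict) -> bytes:
    """Key that unwraps the WRAP_PASSCODE class keys: PBKDF2-HMAC-SHA1 of the backup
    password over the keybag SALT for ITER rounds (10000 in iOS 4/5 backups)."""
    hdr = keybag["header"]
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), hdr["SALT"], hdr["ITER"], dklen=32)


def classify(keybag: dict):
    """Migratable classes need only the password; device-only classes also need key 0x835."""
    migratable, device_only = [], []
    for entry in keybag["class_keys"]:
        name = KEYCHAIN_CLASSES.get(entry["CLAS"], f"protection class {entry['CLAS']}")
        (device_only if entry["WRAP"] & WRAP_DEVICE else migratable).append(name)
    return migratable, device_only


# ---- constructed sample: real layout, dummy UUIDs, salt and wrapped keys ----
def _tlv(tag: str, value) -> bytes:
    if isinstance(value, int):
        value = struct.pack(">I", value)
    return tag.encode("ascii") + struct.pack(">I", len(value)) + value


def _class_entry(clas: int, wrap: int) -> bytes:
    return (_tlv("UUID", bytes([clas]) * 16) + _tlv("CLAS", clas) + _tlv("WRAP", wrap)
            + _tlv("KTYP", 0) + _tlv("WPKY", bytes(40)))   # WPKY: 40-byte RFC 3394 wrapped key


SAMPLE_KEYBAG = (
    _tlv("VERS", 3) + _tlv("TYPE", 1) + _tlv("UUID", b"\x11" * 16) + _tlv("HMCK", bytes(40))
    + _tlv("WRAP", WRAP_PASSCODE | WRAP_DEVICE) + _tlv("SALT", b"\x55" * 20) + _tlv("ITER", 10000)
    + b"".join(_class_entry(c, WRAP_PASSCODE) for c in (6, 7, 8))
    + b"".join(_class_entry(c, WRAP_PASSCODE | WRAP_DEVICE) for c in (9, 10, 11))
)
SAMPLE_MANIFEST = plistlib.dumps(
    {"IsEncrypted": True, "WasPasscodeSet": True, "BackupKeyBag": SAMPLE_KEYBAG},
    fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    info = inspect_manifest(SAMPLE_MANIFEST)
    migratable, device_only = classify(info["keybag"])
    print("IsEncrypted:", info["IsEncrypted"], " keybag type:", KEYBAG_TYPES[info["keybag"]["header"]["TYPE"]])
    print("migratable (password only):", migratable)
    print("this device only (also need key 0x835):", device_only)
    print("password key:", password_key("1234", info["keybag"]).hex())
```

The step this stops short of is the AES key unwrap (RFC 3394) of each WPKY with the derived key, which is what the toolkit does with pycrypto; the standard library has no AES, so it is left out here. That unwrap is also where a brute-force script learns whether a guess was right: the unwrap's integrity check fails for a wrong key, and every guess first has to pay for the ITER rounds of PBKDF2, which is the only thing slowing down guesses against the short passwords iTunes accepts.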
The techniques illustrated in the article show that forensic investigation is possible on the latest version of iPhone backups. However, the information recoverable from the backup alone, without physical access to the device, is limited: the "this device only" keychain items need key 0x835 from the phone. Apple also changes the backup mechanism with every major release of iTunes, so it is always challenging to keep the scripts that decrypt iTunes backups working.