Mobile Triage and Origination

Mobile Triage and 

Origination 

EnFuse 2016 

Location: Las Vegas

Copyright 

This material is subject to copyright, is owned by BlackBag 

Technologies, and is proprietary. It is being provided to the recipient 

under license. By the recipient's receipt of this material, recipient 

acknowledges and agrees that recipient has been granted a limited 

and revocable right and license to use the information contained 

herein solely for general educational purposes. Recipient may not use 

these materials for any other purpose (including in connection with its 

business operations) and may not disclose these materials or its 

content, whether in written form or verbally, to any third party. 

PAGE: 2 

© BlackBag Technologies, Inc. 2016 Proprietary Information

Who are we? 

BlackBag’s mission is to find the truth in data 

BlackBag Technologies is a leading provider of digital forensics 

software, training, and services. Our team is solely focused on 

developing innovative and accessible solutions for the complex 

challenges presented by an increasingly vast digital crime scene. 

As the sea of data expands, we stand by our pledge to be an ally 

in pursuit of finding truth within it. 

Carpe Datum! 

PAGE: 3 


Derrick Donnelly 

Some background 

• Federal Law Enforcement Officer in Canada (5 years) 

• Have been an Instructor for FBI, DHS, USSS, DoD, and other 

Federal, State and Local agencies 

• Head of IT Security Apple Computer (5 years) 

• CTO/Founder BlackBag Technologies 

• Forensic Analyst Santa Clara Police Department, CA 

PAGE: 4 


iOS Forensics and Analysis 

Mobilyze 

Using Mobilyze for Triage 

• Types of devices recognized 

• How Mobilyze works 

• Who can use Mobilyze 

• What data is collected 

• Triage vs. full analysis 

PAGE: 5 



Mobilyze 

Case Manager (No Prior Case/Device) 

Initial window 

displayed upon 

launching Mobilyze 

PAGE: 6 



Mobilyze 

Case Manager (Device Trusted) 

PAGE: 7 



Mobilyze 

Android Information 

Case Manager Window 

• Must have PIN code 

• USB Debugging mode turned on 

• Connect phone 

• Phone displays - Allow USB Debugging? 

• RSA key fingerprint shown 

• Click OK 

• Available device shown 

PAGE: 8 



Mobilyze 

Case Manager (IOS Device Locked/Unpaired) 

Device is connected but unpaired, unable to acquire 

• Trust to pair the device 

PAGE: 9 



Mobilyze 

Collection Options 

Limited 

Full - All available items 

PAGE: 10 



Mobilyze 

Collection Options 

Limited Collection with nothing selected 

PAGE: 11 



Mobilyze 


Case Manager Window 

• Limited Collection button 

• MAY have third party applications available 

• Some are set for needing root access 

• May be able to set the order of collection 

• Based on OS allowed behavior 

PAGE: 12 



Mobilyze 


Collection process 

• BlackBag trusted agent written to the device 

• Removed after finished or “Stop Import” implemented 

• Do not touch the device until instructed 

• Can be disconnected and retain data for review 

Android data 

• Voicemail and voice memos not likely available 

• Internet - open pages 

• No pictures to correlate with the URL 

PAGE: 13 



Mobilyze 

Data Collection Started 

Data metrics populate 

shortly after starting as 

data is collected 

PAGE: 14 



Mobilyze 

Data Collection - iOS 8 and iOS9 

Devices running iOS 8.x are handled differently 

• Some connection methods now blocked by Apple 

• Complete processing for each data type may be 

necessary before its viewing is possible 

PAGE: 15 



Mobilyze 

Data Collection Completed 

• Mobilyze announces when the data collection 

process has completed and the device can be 

safely disconnected 

• Processing of the collected data will continue 

PAGE: 16 



Mobilyze 

Mobilyze User Interface 

Device View 

• Details and collection 

summary 

• Top 10 Contacts 

• Accounts 

• Filtering 

• Navigate to data 

PAGE: 17 



Mobilyze 

Filtering 

Allows user to concentrate on items of interest 

Filter by keyword 

or 

date range 

PAGE: 18 



Mobilyze 

Filtering 

Keywords and phrases can also be used to further filter 

the results 

PAGE: 19 



Mobilyze 

Communications 

“Comm” view consolidates all the communications 

data into one area 

Call History Messaging Contacts 

Voicemail 

Voice Memos 

PAGE: 20 



Mobilyze 

Messages 

• SMS 

• MMS 

• FaceTime 

• Skype 

• WhatsApp 

• Kik 

• textPlus 

• Textfree 

PAGE: 21 



Mobilyze 

Messages 

Conversation View 

PAGE: 22 


iOS Device Forensics 

iOS Analysis 

New California Privacy Laws SB 178 

Searching 

The law requires that after a device is searched, any information that was 

obtained that is not relevant to the investigation must be 

destroyed and cannot be retained by the law enforcement agency. This will 

have implications for the ECU, investigations, and anyone who dumps phones. 

Reporting 

The law requires that subsequent to the service of a search warrant or other 

search of an electronic device, the law enforcement agency must provide 

notification to the owner of the device that the search was conducted. The AG 

has provided templates for this notification. This must be completed within 

72-hours of the service of the warrant and must include a copy of the 

warrant. The law identifies the specific information that must be provided to 

the owner. It is possible to obtain 9-day extensions in the case of on-going 

investigations or other situations where the notification would be detrimental 

to the investigation. In cases where a phone is searched and there is no 

identified owner, the law enforcement agency must report to the DOJ the 

above information as well as what was obtained. 

PAGE: 23 



iOS Analysis 

Found/Unclaimed Electronic Devices 

This law eliminates the concept of “abandoned” 

property. Found phones with no identified owner can 

no longer be searched for any information other than 

that which might help identify the owner. 

Probation / Parole / PRCS 

Beginning January 1st, Law enforcement cannot search a 

phone or other electronic device under probation or parole. 

The search of these devices will require “specific consent” or 

a search warrant. This fact is agreed upon by the A.G., CAO, 

and DA’s Office. The resolution for this will be having 

probationer and parolees sign SB178 specific waivers when 

they are released on probation/parole. 

PAGE: 24 


The Mystery Of Photos 

Where did the data come 

from? 

Who created the data? 

What was done with the 

data? 

PAGE: 25 


Internet Artifacts-Safari 

/mobile/Applications/com.apple.mobilesafari/Library/Safari/ 

History.db 

Advanced iOS Analysis 

© BlackBag Technologies Inc. 2003 - 2016 Proprietary Information 

26

Safari Continuity 

Pages available on iCloud connected device 



27

Effects of iCloud 

Web history cleared on iOS device 

• Web pages viewed on Mac computer 



28

Examine History Database 

iOS history file shows pages from OS X 

• These were not viewed on the iOS Device 

Advanced iOS Analysis © BlackBag Technologies Inc. 2003 - 2016 Proprietary Information 11- 29

Safari Suspended State 

Accessing Open Safari Pages 



30

Viewing Suspended State 

/mobile/Applications/com.apple.mobilesafari/Library/Safari/ 

SuspendState.plist 

• Lots of information in .plist 



31

Safari Thumbnails 

/mobile/Applications/com.apple.mobilesafari/Library/ 

Safari 

• A thumbnail of pages contained in Suspended State 

• Shows exactly how the page was viewed 

• Not all pages may get a thumbnail 

• May show pages in Private Viewing Mode 

• Similar to webpage previews in OS X 


Viewing the Thumbnails 

• .png preview of the web page (note zoom) 



33

Safari Bookmarks 

/mobile/Library/Safari/Bookmarks.db 

• Sqlite database 

• Bookmarks saved to device 

• Synced bookmarks from iCloud-enabled devices 



34

Safari Preferences 

/mobile/Applications/com.apple.mobilesafari/Library/ 

Preferences/com.apple.mobilesafari.plist 

• Sites added to Safari Reading List 

• Private Browsing Setting 

• Recent Web Searches 

• Date and time of actual search 

• Actual search term entered by user 



35

iOS Settings 

Various settings can be changed by user: 

• Shows ability to use device 

• Shows knowledge of certain features 

• Can assist in explaining why something is or is not 

available on this device 


Last Boot Time 

Last time the device started 

• /mobile/Library/Preferences/com.apple.aggregated.plist 


Determining Backups 

/mobile/Library/Preferences/com.apple.mobile.idbackup.plist 


Determine iCloud Account 

iOS Devices 

• icloudpairing.plist 


Is SIRI On? 

The SIRI assistant is normally turned on by the user at 

setup of the compatible iOS Device 

• Settings➔General➔SIRI 



40

AirDrop Settings 

AirDrop Status 



41

Determine Accounts 

Each device can be connected to: 

• An iCloud Account 

• iTunes Account 

Users can have different accounts to do different 

things 

• Home Sharing 

• HomeKit 

• Multiple email accounts 


Registered iCloud Account 

Can be found in many locations: 

• /mobile/Library/Preferences/com.apple.conference.plist 

• Key- registration.savedAccountName 

• /mobile/Library/Preferences/com.apple.Preferences.plist 

• Key- cachediCloudUsername 


Messages Accounts 

The Messages app displays SMS, MMS, and 

iMessages 

• One or several accounts can be used to send Messages 

• com.apple.ids.service.com.apple.private.alloy.sms.plist 

• Shows accounts being used to send receive messages 

• Shows iCloud account and (possible) phone number 

• Account ID 


Messages Accounts 

Vetted Aliases 

• Settings➔Messages➔Send&Receive 

• /mobile/Library/Preferences/com.apple.ids.service.com.apple.private.alloy.sms.plist 



45

Handoff 

Do you have all the data? 

• Determine accounts for Handoff and Continuity 

• /mobile/Library/Preferences/ 

com.apple.ids.service.com.apple.private.alloy.phonecontinuity.plist 



46


Advanced Analysis 

Determine the User 

How do we determine who the user is? 

Accounts 

Social Networking 

Email 

iCloud 

Computer(s) synced 

Personal Information 

Personalization 

PAGE: 47 




Account Information 

Finding a users account information 

/mobile/Library/Accounts/Accounts3.sqlite 

• AppleID 

• Profile ID 

• DSID 

• Email accounts 

• Full name of user 

PAGE: 48 




Accounts3.sqlite 

ZAccountproperty Table 

Embedded .plist file 

PAGE: 49 




Accounts 

Places to look for user information 

• mobile/Library/Preferences 

• com.apple.imservice.iMessage.plist 

• com.apple.imservice.FaceTime.plist 

• Shows iCloud Account 

• Any approved phone number 

• Any approved email address 

PAGE: 50 




Other Relevant Name Locations 

Listing of files that contain user information: 

• mobile/Library/Preferences/com.apple.conference.plist 

• shows AppleID of user 

• mobile/Library/Preferences/ 

com.apple.ids.service.com.apple.private.ac.plist 

• shows vetted accounts 

• /mobile/Library/Preferences/ 

com.apple.ids.service.com.apple.private.alloy.phonecontinuity.plist 

• shows IDs associated with phone for Handoff 

PAGE: 51 


The Mystery Of Photos 

Deeper analysis of 

photos 

DCIM Folder 

Photos Database 

Sharing Albums 

PAGE: 52 



iOS Analysis 

DCIM Folder 

/mobile/Media/DCIM/ 

• Folders named 100Apple, 200Apple, etc. 

• Maximum 999 pictures/videos in each folder 

• Contains 

• Pictures, videos, screenshots taken by device 

PAGE: 53 



iOS Analysis 

DCIM PLIST File 

/mobile/media/PhotoData/MISC/DCIM_APPLE.plist 

PAGE: 54 



iOS Analysis 

A Look Beyond The Pictures- iOS 

Photos.sqlite 

• Contains information on all pictures/videos in library 

• Face names 

• Indexed data on pictures 

• Any keyword searches entered by the user 

• Dates and times pictures/videos are uploaded to cloud 

• Extended metadata of pictures 

PAGE: 55 



iOS Analysis 

Photos.sqlite 

/mobile/Media/PhotoData/Photos.sqlite 

PAGE: 56 



iOS Analysis 

Cloud Master Table 

ZCLOUDMASTER 

ZCREATIONDATE 

ZIMPORTDATE 

ZCLOUDMASTERGUID 

ZIMPORTSESSIONID 

ZORIGINALFILENAME 

PAGE: 

57 



iOS Analysis 

Generic Album 

ZGENERICALBUM 

ZGUID 

ZCLOUDMETADATA 

ZTITLE 

ZUDID 

ZCLOUDPERSONID 

ZCLOUDCREATIONDATE 

ZCLOUDLASTCONTRIBUTIONDATE 

PAGE: 

58 



iOS Analysis 

Moment 

ZMOMENT 

ZENDDATE 

ZSTARTDATE 

ZREPRESENTEDDATE 

ZAPPROXIMATELOCATIONDATA 

ZREVERSELOCATIONDATA 

PAGE: 

59 



iOS Analysis 

Additional Asset Attributes 

ZADDITIONALASSETATTRIBUTES 

ZEXIFTIMESTAMPSTRING 

ZORIGINALFILENAME 

ZORIGINALPATH 

PAGE: 

60 



iOS Analysis 

Additional Tables 

ZKEYWORD- 

keyword searches conducted by user 

ZCLOUDSHAREDALBUMINVITATIONRECORD- shows albums 

that have been shared and to whom invitation sent 

ZPERSON- User identified faces 

ZGENERICASSET- shows list of images, their path, and dates 

associated dates including deleted date 

ZASSETDESCRIPTION- if the picture contains a description 

contained in the metadata it will be shown here 

PAGE: 61 



iOS Analysis 

Photo Sharing 

Albums are created and can be shared with other 

iCloud users 

• When album is created a share request is sent 

• Message sent by email 

• Once accepted recipients Photos album is updated with 

new pictures 

• Users can unsubscribe but information remains on sending 

device 

PAGE: 62 



iOS Analysis 

Photo Sharing 

Sharing “New Pictures” Album 

Album is shared 

Email to user is sent 

ZCLOUDSHAREDALBUMINVITATIONRECORD 

PAGE: 

63 



iOS Analysis 

Shared Album Accepted 

/mobile/Media/PhotoData/PhotoBulletins.plist 

PAGE: 64 



iOS Analysis 

Which Album Was Shared? 

ZCLOUDSHAREDALBUMINVITATIONRECORD 

PAGE: 

65 



iOS Analysis 

Album Info 

Info.plist 

PAGE: 66 



iOS Analysis 

Adding Photos 

Person adds pictures to shared albums 

PAGE: 67 



iOS Analysis 

Notification On Device 

When a picture is added to an album 

Notifications 

PAGE: 

68 



iOS Analysis 

PhotoBulletins 

PhotoBullentins.plist 

PAGE: 69 



iOS Analysis 

Find Last Added Picture 

PhotoBullentins.plist 

Photos.sqlite- ZGENERICASSET 

PAGE: 70 



iOS Analysis 

Last Picture Added 

From Photos.sqlite—>ZGENERICASSET 

/mobile/Media/PhotoData/PhotoCloudSharingData/UUID/ 

100CLOUD 

PAGE: 

71 



iOS Analysis 

Who Sent That Picture? 

Photos.sqlite—>ZGENERICASSET 

cloudSharePersonInfos.plist 

PAGE: 72 



iOS Analysis 

Summary 

/mobile/Media/PhotoData/PhotoCloudSharingData/ 

cloudSharedEmails.plist 

• shows email of person sending invitation 

cloudSharedPersonalInfos.plist 

• shows full name and email address of recipient 

PAGE: 73 


Recently Deleted Photos 

Photos App and iOS Photos save deleted pictures 

• Photos are moved to a the ‘Recently Deleted’ album 

• Keeps deleted items for ‘up to 40 days’ 

• Apple’s documentation says 30 days 

• Provides visual notification as to when photo will be 

permanently deleted 

• Days are counted down and displayed in red 

• Jailbroken iPhones can hide this album in the UI 

• But function for now still works 




Picture Thumbnails 

Thumbnails contained in .ithmb 

• Thumbs of pictures/videos from DCIM folder 

• There are four resolutions of pictures 

• 3303.ithmb - very small 

• 3309.ithmb - small 

• 3319.ithmb - zoomed in 

• 4031.ithmb - full 

• /mobile/Media/PhotoData/Thumbnails 

PAGE: 75 


Recently Deleted iOS Devices 

Recently deleted pictures 

• Images taken or saved by the device and deleted 

• Are maintained in the /DCIM/ folder 

• Images synced through cloud and deleted 

• Are maintained in the iCloud/DCIM/ folder 


Delete A Picture 

Picture taken by iOS Device 

DCIM Folder 


Picture Deleted 

Recently Deleted Album 

DCIM Folder 


Locating Deleted Pictures 

/mobile/Media/PhotoData/Photos.sqlite 


Using SQLITE Command 

Using BlackLight’s sqlite command bar 

• SQLite databases often contain more data than 

needed 

• Entering SQLite commands can focus display 

SELECT ZTRASHEDSTATE, ZTRASHEDDATE, ZDIRECTORY, ZFILENAME FROM 

ZGENERICASSET WHERE ZTRASHEDSTATE = 1; 



80

Was The Picture Really Taken? 

Picture AirDropped to another iOS Deivce 



81

Picture Being Sent 

Sending device 


Picture Is Received 

AirDrop picture is accepted 



83

Analysis Of Device 

Analysis of receiving device 


MD5 Changed 

Value has changed between pictures 

Original 

Received 



85



Thumbnails 

Thumbnails/V2/DCIM/ 

• Folder that relates to parent image in DCIM folder 

• One folder per picture/video 

• Contained is a file named 5003.jpg 

• All thumbs have the same name 

• Lower resolution image of the parent from DCIM folder 

PAGE: 86 


Resources 

Support 

www.blackbagtech.com/support.html 

Free Tools 

www.blackbagtech.com/resources/freetools.html 

BlackBag Blog 

www.blackbagtech.com/blog 

PAGE: 87 


Staying Connected 

In Person: 

San Jose, CA (HQ) and Herndon, VA 

Remote offices in Texas, SoCal, New York and UK 

Online: 

www.BlackBagTech.com 

www.twitter.com/BlackBagTech 

www.linkedin.com/company/blackbagtech 

PAGE: 88 


BlackBag Technologies Update 

Mobilyze 

• Mobile acquisition and triage 

MacQuisition 

• Imaging and incident response 

BlackLight 

• Forensics on OS X and Windows 

SoftBlock 

• Kernel-level write-blocking of 

physical devices 

PAGE: 89 


Thank you! 

Questions? 

derrick@blackbagtech.com 

408-844-8890 

C A R P E D A T U M 

PAGE: 90

Mobile Triage and Origination

Create successful ePaper yourself

Delete template?

Save as template?